@@ -6,16 +6,62 @@ metadata:
66 argocd.argoproj.io/sync-wave : " 2"
77 policies.kyverno.io/title : Generate VolSync Backup Resources
88 policies.kyverno.io/description : >-
9- Automatically generates ReplicationSource and ReplicationDestination
9+ Automatically generates ExternalSecret, ReplicationSource, and ReplicationDestination
1010 for PVCs labeled with backup=hourly or backup=daily.
11- Requires namespace annotation: volsync.backube/privileged-movers: "true"
11+ User only needs: 1) PVC with backup label, 2) namespace annotation volsync.backube/privileged-movers: "true"
1212spec :
1313 generateExisting : true
1414 rules :
1515 # ============================================
1616 # HOURLY BACKUP TIER (Critical Apps)
1717 # ============================================
1818
19+ # Rule 0a: Generate ExternalSecret for hourly backups (S3 credentials)
20+ - name : generate-hourly-externalsecret
21+ match :
22+ any :
23+ - resources :
24+ kinds :
25+ - PersistentVolumeClaim
26+ selector :
27+ matchLabels :
28+ backup : " hourly"
29+ generate :
30+ apiVersion : external-secrets.io/v1
31+ kind : ExternalSecret
32+ name : " {{request.object.metadata.name}}-volsync-secret"
33+ namespace : " {{request.object.metadata.namespace}}"
34+ synchronize : true
35+ data :
36+ spec :
37+ refreshInterval : " 1h"
38+ secretStoreRef :
39+ kind : ClusterSecretStore
40+ name : 1password
41+ target :
42+ name : " {{request.object.metadata.name}}-volsync-secret"
43+ creationPolicy : Owner
44+ template :
45+ engineVersion : v2
46+ data :
47+ RESTIC_REPOSITORY : " s3:http://192.168.10.133:30292/volsync/{{request.object.metadata.namespace}}-{{request.object.metadata.name}}"
48+ RESTIC_PASSWORD : " {{ `{{ .restic_password }}` }}"
49+ AWS_ACCESS_KEY_ID : " {{ `{{ .access_key }}` }}"
50+ AWS_SECRET_ACCESS_KEY : " {{ `{{ .secret_key }}` }}"
51+ data :
52+ - secretKey : access_key
53+ remoteRef :
54+ key : rustfs
55+ property : access_key
56+ - secretKey : secret_key
57+ remoteRef :
58+ key : rustfs
59+ property : secret_key
60+ - secretKey : restic_password
61+ remoteRef :
62+ key : rustfs
63+ property : restic_password
64+
1965 # Rule 1: Generate ReplicationSource for hourly backups
2066 - name : generate-hourly-replicationsource
2167 match :
4995 cacheStorageClassName : longhorn
5096
5197 # Rule 2: Generate ReplicationDestination for hourly backups
98+ # NOTE: synchronize: false means RD persists when PVC is deleted (for restore)
99+ # Uses manual trigger - sync-cronjob.yaml handles coordinated syncing of ALL RDs
52100 - name : generate-hourly-replicationdestination
53101 match :
54102 any :
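Review bot: Rule 0a still generates the ExternalSecret with `synchronize: true` and a target of `creationPolicy: Owner`, while the ReplicationDestination in the next hunk (and the daily RD hunk) is switched to `synchronize: false` precisely so it survives PVC deletion; on a PVC delete Kyverno is expected to remove the synchronized ExternalSecret, ESO then garbage-collects the owned `<pvc>-volsync-secret`, and the persisted RD's `repository:` points at a Secret that no longer exists, so the restore-after-delete path this commit introduces cannot open the repository. The credential resource needs the same lifecycle as the RD it serves — `synchronize: false` on rules 0a/0b, or `creationPolicy: Orphan` on the target — and the comment at the RD should say the Secret is retained too. Rules 0a and 0b are byte-identical apart from the label value; one rule with `matchExpressions: [{key: backup, operator: In, values: [hourly, daily]}]` would remove the duplicate block that this hunk and the daily hunk now carry and keep them from drifting. The `RESTIC_REPOSITORY` template also hard-codes a plaintext `http://` endpoint at a fixed node IP and NodePort in two places; restic encrypts repository contents, but the endpoint is worth moving to a single cluster DNS name (with TLS where the store supports it) so both rules share one value.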
@@ -63,14 +111,15 @@ spec:
63111 kind : ReplicationDestination
64112 name : " {{request.object.metadata.name}}-restore"
65113 namespace : " {{request.object.metadata.namespace}}"
66- synchronize : true
114+ synchronize : false
67115 data :
68116 spec :
69117 trigger :
70- schedule : " 30 * * * *"
118+ # Manual trigger - sync-cronjob patches this every 15 min
119+ manual : restore-once
71120 restic :
72121 repository : " {{request.object.metadata.name}}-volsync-secret"
73- copyMethod : Snapshot
122+ copyMethod : Direct
74123 volumeSnapshotClassName : longhorn
75124 storageClassName : longhorn
76125 accessModes :
@@ -87,6 +136,52 @@ spec:
87136 # DAILY BACKUP TIER (Non-Critical Apps)
88137 # ============================================
89138
139+ # Rule 0b: Generate ExternalSecret for daily backups (S3 credentials)
140+ - name : generate-daily-externalsecret
141+ match :
142+ any :
143+ - resources :
144+ kinds :
145+ - PersistentVolumeClaim
146+ selector :
147+ matchLabels :
148+ backup : " daily"
149+ generate :
150+ apiVersion : external-secrets.io/v1
151+ kind : ExternalSecret
152+ name : " {{request.object.metadata.name}}-volsync-secret"
153+ namespace : " {{request.object.metadata.namespace}}"
154+ synchronize : true
155+ data :
156+ spec :
157+ refreshInterval : " 1h"
158+ secretStoreRef :
159+ kind : ClusterSecretStore
160+ name : 1password
161+ target :
162+ name : " {{request.object.metadata.name}}-volsync-secret"
163+ creationPolicy : Owner
164+ template :
165+ engineVersion : v2
166+ data :
167+ RESTIC_REPOSITORY : " s3:http://192.168.10.133:30292/volsync/{{request.object.metadata.namespace}}-{{request.object.metadata.name}}"
168+ RESTIC_PASSWORD : " {{ `{{ .restic_password }}` }}"
169+ AWS_ACCESS_KEY_ID : " {{ `{{ .access_key }}` }}"
170+ AWS_SECRET_ACCESS_KEY : " {{ `{{ .secret_key }}` }}"
171+ data :
172+ - secretKey : access_key
173+ remoteRef :
174+ key : rustfs
175+ property : access_key
176+ - secretKey : secret_key
177+ remoteRef :
178+ key : rustfs
179+ property : secret_key
180+ - secretKey : restic_password
181+ remoteRef :
182+ key : rustfs
183+ property : restic_password
184+
90185 # Rule 3: Generate ReplicationSource for daily backups
91186 - name : generate-daily-replicationsource
92187 match :
@@ -119,6 +214,8 @@ spec:
119214 cacheStorageClassName : longhorn
120215
121216 # Rule 4: Generate ReplicationDestination for daily backups
217+ # NOTE: synchronize: false means RD persists when PVC is deleted (for restore)
218+ # Uses manual trigger - sync-cronjob.yaml handles coordinated syncing of ALL RDs
122219 - name : generate-daily-replicationdestination
123220 match :
124221 any :
@@ -133,14 +230,15 @@ spec:
133230 kind : ReplicationDestination
134231 name : " {{request.object.metadata.name}}-restore"
135232 namespace : " {{request.object.metadata.namespace}}"
136- synchronize : true
233+ synchronize : false
137234 data :
138235 spec :
139236 trigger :
140- schedule : " 30 2 * * *"
237+ # Manual trigger - sync-cronjob patches this every 15 min
238+ manual : restore-once
141239 restic :
142240 repository : " {{request.object.metadata.name}}-volsync-secret"
143- copyMethod : Snapshot
241+ copyMethod : Direct
144242 volumeSnapshotClassName : longhorn
145243 storageClassName : longhorn
146244 accessModes :