# System backup contracts — declarative description of how out-of-cluster
# artefacts are backed up: etcd, k8s certs, host configs, external DNS,
# builder environment, provisioning state itself, log archives, vault state.
# Triggered by system cron / systemd timer / daemon coordinator.
#
# This file holds contracts only. No credentials or key material appear in
# it: anything sensitive is referenced indirectly through vault_refs.ncl
# (VaultCredRef / VaultKeyRef), so a backup definition can be committed and
# reviewed without exposing secrets.

let bp = import "backup_policy.ncl" in
let vault = import "vault_refs.ncl" in

{
  # Selector for the host(s) where the backup runs. Either an explicit list
  # of hostnames, a control-plane role selector, or a single primary.
  HostSelector = {
    # Which hosts execute the job; `'list` is the kind that reads `members`.
    kind | [| 'cp_only, 'cp_first, 'control_planes, 'workers, 'all_servers, 'list |],
    # Presumably ignored for the role-based kinds — the consumer of this
    # contract is not in this file; confirm.
    members | Array String | doc "Hostnames when kind = 'list" | default = [],
  },

  # Discriminated target: what kind of off-cluster artefact is being captured.
  #
  # NOTE(review): `kind` is the discriminator, but every kind-specific field
  # below is `optional` or defaulted, so this contract does not reject an
  # 'etcd target with no `endpoints` or a 'provisioning_state target with no
  # `state_path`. Such a definition validates here and can only fail (or back
  # up nothing) at run time.
  SystemBackupTarget = {
    kind | [| 'etcd, 'k8s_certs, 'cluster_resources, 'longhorn_engine, 'host_configs,
             'external_dns, 'builder_env, 'provisioning_state, 'logs_archive,
             'sops_keys, 'vault_state |],

    # 'etcd
    # Client-auth material is referenced by vault ref, never inlined. All three
    # refs are optional at the contract level; whether an unauthenticated
    # snapshot is accepted is decided by the consumer, not here.
    endpoints | Array String | default = [],
    ca_ref | vault.VaultCredRef | optional,
    cert_ref | vault.VaultCredRef | optional,
    key_ref | vault.VaultCredRef | optional,

    # 'k8s_certs / 'host_configs / 'logs_archive (paths)
    # `exclude` defaults to empty: with no exclusions, everything under `paths`
    # is captured, including any private key files that live there.
    paths | Array String | default = [],
    exclude | Array String | default = [],

    # 'cluster_resources
    # Empty `namespaces` / `kinds` are accepted; what "empty" selects (all or
    # none) is up to the consumer — confirm before relying on the default.
    namespaces | Array String | default = [],
    kinds | Array String | default = [],

    # 'longhorn_engine
    components | Array String | default = [],

    # 'external_dns
    source_kind | [| 'coredns, 'powerdns, 'unbound, 'loki, 'journald, 'files |] | optional,
    config_paths| Array String | default = [],
    zones_paths | Array String | default = [],

    # 'builder_env
    tools | Array String | default = [],
    # Names only (see the doc string) — values are never part of a definition.
    secrets | Array String | doc "Secret names that must accompany the artefact" | default = [],

    # 'provisioning_state
    definitions_path | String | optional,
    state_path | String | optional,
    lock_path | String | optional,

    # 'logs_archive
    selector | String | optional,
    format | [| 'jsonl_gz, 'tar_gz, 'restic_native |] | optional,

    # 'sops_keys / 'vault_state
    # `age_keys` / `recipients` are presumably paths to age identity files and
    # the public recipient list, not key material — confirm against the
    # consumer. An archive of SOPS/age identities or vault state is a
    # high-value artefact; note that `encryption` on SystemBackupDef is not
    # optional, so it cannot be declared without a key ref.
    age_keys | Array String | default = [],
    recipients | Array String | default = [],
    vault_endpoint | String | optional,
    vault_paths | Array String | default = [],
  },

  # One scheduled system backup job. `encryption` is required — every
  # definition must name a VaultKeyRef; only `verify`, `hooks` and `throttle`
  # may be omitted.
  SystemBackupDef = {
    name | String | doc "Identifier (used in CLI: prvng-backup one-shot backup <name>)",
    target | SystemBackupTarget,
    host_selector | HostSelector,
    provider | bp.BackupProviderRef,
    schedule | bp.Schedule,
    retention | bp.RetentionPolicy,
    destinations | Array bp.Destination,
    # Key reference (vault_refs.ncl); the key itself is not part of this definition.
    encryption | vault.VaultKeyRef,
    tag_strategy | bp.TagStrategy,
    # NOTE(review): optional, so a definition with no verify policy is accepted
    # by this contract; what a VerifyPolicyRef enforces lives in backup_policy.ncl.
    verify | bp.VerifyPolicyRef | optional,
    hooks | bp.Hooks | optional,
    throttle | bp.Throttle | optional,
  },
}