-
Notifications
You must be signed in to change notification settings - Fork 130
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #146 from documentat/YCDOCIO-2198-k8s-valero-backup
YCDOCIO-2198: K8S Velero backup
- Loading branch information
Showing
1 changed file
with
300 additions
and
0 deletions.
There are no files selected for viewing
300 changes: 300 additions & 0 deletions
300
tutorials/terraform/managed-kubernetes/velero-backup.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,300 @@ | ||
# Infrastructure for Yandex Cloud Managed Service for Kubernetes cluster | ||
# | ||
# Set the configuration of Managed Service for Kubernetes cluster | ||
|
||
locals { | ||
folder_id = "" # Set your cloud folder ID. | ||
k8s_version = "" # Set the Kubernetes version 1.22 or higher. | ||
zone_a_v4_cidr_blocks = "10.1.0.0/16" # Set the CIDR block for subnet in the ru-central1-a availability zone. | ||
sa_name_k8s = "" # Set a service account name for k8s clusters. It must be unique in a cloud. | ||
sa_name_velero = "" # Set a service account name for Velero. It must be unique in a cloud. | ||
storage_sa_id = "" # Service account ID for creating a bucket in Object Storage. | ||
bucket_name = "" # Set a Object Storage bucket name. It must be unique throughout Object Storage. | ||
} | ||
|
||
resource "yandex_vpc_network" "k8s-network" { | ||
description = "Network for the Managed Service for Kubernetes cluster" | ||
name = "k8s-network" | ||
} | ||
|
||
resource "yandex_vpc_subnet" "subnet-a" { | ||
description = "Subnet in ru-central1-a availability zone" | ||
name = "subnet-a" | ||
zone = "ru-central1-a" | ||
network_id = yandex_vpc_network.k8s-network.id | ||
v4_cidr_blocks = [local.zone_a_v4_cidr_blocks] | ||
} | ||
|
||
resource "yandex_vpc_security_group" "k8s-main-sg" { | ||
description = "Group rules ensure the basic performance of the cluster. Apply it to the cluster and node groups." | ||
name = "k8s-main-sg" | ||
network_id = yandex_vpc_network.k8s-network.id | ||
ingress { | ||
description = "The rule allows availability checks from the load balancer's range of addresses. It is required for the operation of a fault-tolerant cluster and load balancer services." | ||
protocol = "TCP" | ||
v4_cidr_blocks = ["198.18.235.0/24", "198.18.248.0/24"] # The load balancer's address range | ||
from_port = 0 | ||
to_port = 65535 | ||
} | ||
ingress { | ||
description = "The rule allows the master-node and node-node interaction within the security group." | ||
protocol = "ANY" | ||
predefined_target = "self_security_group" | ||
from_port = 0 | ||
to_port = 65535 | ||
} | ||
ingress { | ||
description = "The rule allows the pod-pod and service-service interaction. Specify the subnets of your cluster and services." | ||
protocol = "ANY" | ||
v4_cidr_blocks = [local.zone_a_v4_cidr_blocks] | ||
from_port = 0 | ||
to_port = 65535 | ||
} | ||
ingress { | ||
description = "The rule allows receipt of debugging ICMP packets from internal subnets." | ||
protocol = "ICMP" | ||
v4_cidr_blocks = [local.zone_a_v4_cidr_blocks] | ||
} | ||
|
||
ingress { | ||
description = "The rule allows connection to Kubernetes API on 6443 port from specified network." | ||
protocol = "TCP" | ||
v4_cidr_blocks = ["0.0.0.0/0"] | ||
port = 6443 | ||
} | ||
|
||
ingress { | ||
description = "The rule allows connection to Kubernetes API on 443 port from specified network." | ||
protocol = "TCP" | ||
v4_cidr_blocks = ["0.0.0.0/0"] | ||
port = 443 | ||
} | ||
|
||
egress { | ||
description = "The rule allows all outgoing traffic. Nodes can connect to Yandex Container Registry, Object Storage, Docker Hub, and more." | ||
protocol = "ANY" | ||
v4_cidr_blocks = ["0.0.0.0/0"] | ||
from_port = 0 | ||
to_port = 65535 | ||
} | ||
} | ||
|
||
resource "yandex_vpc_security_group" "k8s-public-services" { | ||
name = "k8s-public-services" | ||
description = "Group rules allow connections to services from the internet. Apply the rules only for node groups." | ||
network_id = yandex_vpc_network.k8s-network.id | ||
|
||
ingress { | ||
protocol = "TCP" | ||
description = "Rule allows incoming traffic from the internet to the NodePort port range. Add ports or change existing ones to the required ports." | ||
v4_cidr_blocks = ["0.0.0.0/0"] | ||
from_port = 30000 | ||
to_port = 32767 | ||
} | ||
} | ||
|
||
resource "yandex_iam_service_account" "k8s-sa" { | ||
description = "Service account to manage the Kubernetes cluster" | ||
name = local.sa_name_k8s | ||
} | ||
|
||
resource "yandex_resourcemanager_folder_iam_binding" "editor" { | ||
# Assign "editor" role to service account. | ||
folder_id = local.folder_id | ||
role = "editor" | ||
members = [ | ||
"serviceAccount:${yandex_iam_service_account.k8s-sa.id}" | ||
] | ||
} | ||
|
||
resource "yandex_resourcemanager_folder_iam_binding" "images-puller" { | ||
# Assign "container-registry.images.puller" role to service account. | ||
folder_id = local.folder_id | ||
role = "container-registry.images.puller" | ||
members = [ | ||
"serviceAccount:${yandex_iam_service_account.k8s-sa.id}" | ||
] | ||
} | ||
|
||
resource "yandex_kubernetes_cluster" "k8s-cluster-1" { | ||
description = "Managed Service for Kubernetes cluster for create backup" | ||
name = "k8s-cluster-1" | ||
cluster_ipv4_range = "10.2.0.0/16" | ||
service_ipv4_range = "10.3.0.0/16" | ||
network_id = yandex_vpc_network.k8s-network.id | ||
|
||
master { | ||
version = local.k8s_version | ||
zonal { | ||
zone = yandex_vpc_subnet.subnet-a.zone | ||
subnet_id = yandex_vpc_subnet.subnet-a.id | ||
} | ||
|
||
public_ip = true | ||
security_group_ids = [yandex_vpc_security_group.k8s-main-sg.id] | ||
|
||
} | ||
service_account_id = yandex_iam_service_account.k8s-sa.id # Cluster service account ID | ||
node_service_account_id = yandex_iam_service_account.k8s-sa.id # Node group service account ID | ||
depends_on = [ | ||
yandex_resourcemanager_folder_iam_binding.editor, | ||
yandex_resourcemanager_folder_iam_binding.images-puller | ||
] | ||
} | ||
|
||
resource "yandex_kubernetes_node_group" "k8s-node-group-1" { | ||
description = "Node group for Managed Service for Kubernetes cluster" | ||
name = "k8s-node-group-1" | ||
cluster_id = yandex_kubernetes_cluster.k8s-cluster-1.id | ||
version = local.k8s_version | ||
|
||
scale_policy { | ||
fixed_scale { | ||
size = 1 # Number of hosts | ||
} | ||
} | ||
|
||
allocation_policy { | ||
location { | ||
zone = "ru-central1-a" | ||
} | ||
} | ||
|
||
instance_template { | ||
platform_id = "standard-v2" | ||
|
||
network_interface { | ||
nat = true | ||
subnet_ids = [yandex_vpc_subnet.subnet-a.id] | ||
security_group_ids = [yandex_vpc_security_group.k8s-main-sg.id, yandex_vpc_security_group.k8s-public-services.id] | ||
} | ||
|
||
resources { | ||
memory = 4 # RAM quantity in GB | ||
cores = 4 # Number of CPU cores | ||
} | ||
|
||
boot_disk { | ||
type = "network-hdd" | ||
size = 64 # Disk size in GB | ||
} | ||
} | ||
} | ||
|
||
# Managed Service for Kubernetes cluster | ||
resource "yandex_kubernetes_cluster" "k8s-cluster-2" { | ||
description = "Managed Service for Kubernetes cluster for restore backup" | ||
name = "k8s-cluster-2" | ||
cluster_ipv4_range = "10.4.0.0/16" | ||
service_ipv4_range = "10.5.0.0/16" | ||
network_id = yandex_vpc_network.k8s-network.id | ||
|
||
master { | ||
version = local.k8s_version | ||
zonal { | ||
zone = yandex_vpc_subnet.subnet-a.zone | ||
subnet_id = yandex_vpc_subnet.subnet-a.id | ||
} | ||
|
||
public_ip = true | ||
|
||
security_group_ids = [yandex_vpc_security_group.k8s-main-sg.id] | ||
|
||
} | ||
service_account_id = yandex_iam_service_account.k8s-sa.id # Cluster service account ID | ||
node_service_account_id = yandex_iam_service_account.k8s-sa.id # Node group service account ID | ||
depends_on = [ | ||
yandex_resourcemanager_folder_iam_binding.editor, | ||
yandex_resourcemanager_folder_iam_binding.images-puller | ||
] | ||
} | ||
|
||
resource "yandex_kubernetes_node_group" "k8s-node-group-2" { | ||
description = "Node group for Managed Service for Kubernetes cluster" | ||
name = "k8s-node-group-2" | ||
cluster_id = yandex_kubernetes_cluster.k8s-cluster-2.id | ||
version = local.k8s_version | ||
|
||
scale_policy { | ||
fixed_scale { | ||
size = 1 # Number of hosts | ||
} | ||
} | ||
|
||
allocation_policy { | ||
location { | ||
zone = "ru-central1-a" | ||
} | ||
} | ||
|
||
instance_template { | ||
platform_id = "standard-v2" | ||
|
||
network_interface { | ||
nat = true | ||
subnet_ids = [yandex_vpc_subnet.subnet-a.id] | ||
security_group_ids = [yandex_vpc_security_group.k8s-main-sg.id, yandex_vpc_security_group.k8s-public-services.id] | ||
} | ||
|
||
resources { | ||
memory = 4 # RAM quantity in GB | ||
cores = 4 # Number of CPU cores | ||
} | ||
|
||
boot_disk { | ||
type = "network-hdd" | ||
size = 64 # Disk size in GB | ||
} | ||
} | ||
} | ||
|
||
resource "yandex_iam_service_account" "velero-sa" { | ||
description = "Service account for Velero" | ||
name = local.sa_name_velero | ||
} | ||
|
||
resource "yandex_resourcemanager_folder_iam_binding" "compute.admin" { | ||
# Assign "compute.admin" role to Velero service account. | ||
folder_id = local.folder_id | ||
role = "compute.admin" | ||
members = [ | ||
"serviceAccount:${yandex_iam_service_account.velero-sa.id}" | ||
] | ||
} | ||
|
||
resource "yandex_iam_service_account_static_access_key" "sa-static-key-k8s" { | ||
description = "Object Storage bucket static key" | ||
service_account_id = local.storage_sa_id | ||
} | ||
|
||
# Object Storage bucket | ||
resource "yandex_storage_bucket" "storage-bucket" { | ||
bucket = local.bucket_name | ||
access_key = yandex_iam_service_account_static_access_key.sa-static-key-k8s.access_key | ||
secret_key = yandex_iam_service_account_static_access_key.sa-static-key-k8s.secret_key | ||
|
||
grant { | ||
id = yandex_iam_service_account.velero-sa.id | ||
type = "CanonicalUser" | ||
permissions = ["READ", "WRITE"] | ||
} | ||
} | ||
|
||
resource "yandex_iam_service_account_static_access_key" "sa-static-key-velero" { | ||
description = "Static key for Velero service account" | ||
service_account_id = yandex_iam_service_account.velero-sa.id | ||
} | ||
|
||
output "access_key" { | ||
value = yandex_iam_service_account_static_access_key.sa-static-key-velero.access_key | ||
sensitive = true | ||
} | ||
|
||
#Use 'terraform output -raw access_key' to get the key ID. | ||
|
||
output "secret_key" { | ||
value = yandex_iam_service_account_static_access_key.sa-static-key-velero.secret_key | ||
sensitive = true | ||
} | ||
|
||
#Use 'terraform output -raw secret_key' to get the key value. |