diff --git a/app-of-apps/keycloak-backup.yaml b/app-of-apps/keycloak-backup.yaml
new file mode 100644
index 0000000..7fffa8c
--- /dev/null
+++ b/app-of-apps/keycloak-backup.yaml
@@ -0,0 +1,146 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: keycloak-backup
+ namespace: keycloak
+spec:
+ # Arbitrary non-midnight time.
+ schedule: "10 2 * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ initContainers:
+ - args:
+ - -ec
+ - |
+ #!/bin/bash
+ cp -r /opt/bitnami/keycloak/lib/quarkus/* /quarkus
+ command:
+ - /bin/bash
+ image: docker.io/bitnami/keycloak:24.0.2
+ imagePullPolicy: IfNotPresent
+ name: init-quarkus-directories
+ resources: {}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: false
+ runAsGroup: 0
+ runAsNonRoot: true
+ runAsUser: 1001
+ seccompProfile:
+ type: RuntimeDefault
+ volumeMounts:
+ - mountPath: /tmp
+ name: empty-dir
+ subPath: tmp-dir
+ - mountPath: /quarkus
+ name: empty-dir
+ subPath: app-quarkus-dir
+ containers:
+ - args:
+ - /opt/bitnami/keycloak/bin/kc.sh
+ - export
+ - --file
+ - /backup/realm-export.json
+ - --realm
+ - avril
+ - --db
+ - postgres
+ - --db-url
+ - jdbc:postgresql://keycloak-postgresql-hl/bitnami_keycloak
+ - --db-password
+ - $(KEYCLOAK_DATABASE_PASSWORD)
+ - --db-username
+ - bn_keycloak
+ env:
+ - name: KUBERNETES_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: BITNAMI_DEBUG
+ value: "false"
+ - name: KEYCLOAK_ADMIN_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: admin-password
+ name: keycloak
+ - name: KEYCLOAK_DATABASE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ key: password
+ name: keycloak-postgresql
+ - name: KEYCLOAK_HTTP_RELATIVE_PATH
+ value: /
+ - name: KEYCLOAK_CACHE_TYPE
+ value: local
+ envFrom:
+ - configMapRef:
+ name: keycloak-env-vars
+ image: docker.io/bitnami/keycloak:24.0.2
+ imagePullPolicy: IfNotPresent
+ name: backup-container
+ ports:
+ - containerPort: 8080
+ name: http
+ protocol: TCP
+ - containerPort: 7800
+ name: infinispan
+ protocol: TCP
+ volumeMounts:
+ - mountPath: /tmp
+ name: empty-dir
+ subPath: tmp-dir
+ - mountPath: /opt/bitnami/keycloak/conf
+ name: empty-dir
+ subPath: app-conf-dir
+ - mountPath: /opt/bitnami/keycloak/lib/quarkus
+ name: empty-dir
+ subPath: app-quarkus-dir
+ - mountPath: /backup
+ name: backup-dir
+ restartPolicy: Never
+ securityContext:
+ # https://stackoverflow.com/questions/50156124/kubernetes-nfs-persistent-volumes-permission-denied
+ runAsUser: 501
+ fsGroup: 501
+ volumes:
+ - emptyDir: {}
+ name: empty-dir
+ - name: backup-dir
+ persistentVolumeClaim:
+ claimName: backup-dir-pvc
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: backup-dir-pv
+spec:
+ capacity:
+ storage: 2M
+ accessModes:
+ - ReadWriteMany
+ nfs:
+ server: galactus.avril
+ path: /mnt/high-resiliency/manual-nfs/backups/keycloak/
+ mountOptions:
+ - nfsvers=4.2
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: backup-dir-pvc
+spec:
+ storageClassName: ""
+ volumeName: backup-dir-pv
+ accessModes:
+ - ReadWriteMany
+ volumeMode: Filesystem
+ resources:
+ requests:
+ storage: 2M
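Review bot: The database password is handed to `kc.sh export` as the argument pair `--db-password` / `$(KEYCLOAK_DATABASE_PASSWORD)`, so the kubelet expands the secret into the process's argv, where it is readable by anything with process visibility in the pod or on the node; Keycloak also reads `KC_DB_PASSWORD` from the environment, so add an env entry `KC_DB_PASSWORD` using the same `secretKeyRef` as `KEYCLOAK_DATABASE_PASSWORD` and drop the two argument lines (if the Bitnami entrypoint already writes the password into the mounted `keycloak.conf`, the flags are redundant anyway — verify). The file written to `/backup/realm-export.json` will contain the realm's client secrets and, depending on `--users`, user credential hashes, yet it lands on a plain NFS export (`nfsvers=4.2`, no `sec=` option) that the PV exposes `ReadWriteMany`; restrict the export and file mode on the server side or encrypt the file before it leaves the pod, and state the sensitivity in a comment above the `--file` argument, e.g. `# Export contains client secrets; the target share must not be readable by other hosts.` `backup-container` carries none of the hardening applied to `init-quarkus-directories` (`allowPrivilegeEscalation: false`, `capabilities.drop: ALL`, `runAsNonRoot: true`, `seccompProfile`) and inherits only `runAsUser: 501`/`fsGroup: 501` from the pod; mirroring that `securityContext` block costs nothing for a one-shot export. `KEYCLOAK_ADMIN_PASSWORD` and the two `ports` entries appear unnecessary for an offline export and widen what a compromised job can reach — drop them unless the entrypoint requires them. Every run also overwrites the same `realm-export.json`, so a failed or truncated export destroys the previous backup; consider a timestamped file name with a small retention step.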