feat(infrastructure): add backups

feat(models): add basic database structure

6design/design.md

@@ -45,11 +45,11 @@ flowchart LR
     proc_cron[Task planner] --> proc_queue
     proc_queue_worker --> ext_bank[(Bank API)]
     proc_queue_worker --> db
-    client[Client/UI] --> api[API Gateway / Web Server]
-    api --> svc[Web API]
+    client[Client/UI] <--> api[API Gateway / Web Server]
+    api <--> svc[Web API]
     svc --> proc_queue
-    svc --> db[(Database)]
-    svc --> cache[(Cache)]
+    svc <--> db[(Database)]
+    svc <--> cache[(Cache)]
 ```
 
 - Components and responsibilities: What does each box do?

7project/tofu/main.tf

@@ -96,6 +96,13 @@ module "database" {
 
   phpmyadmin_enabled = var.phpmyadmin_enabled
   cloudflare_domain  = var.cloudflare_domain
+
+  s3_enabled = var.s3_enabled
+  s3_bucket = var.s3_bucket
+  s3_region = var.s3_region
+  s3_endpoint = var.s3_endpoint
+  s3_key_id = var.s3_key_id
+  s3_key_secret = var.s3_key_secret
 }
 
 #module "argocd" {

7project/tofu/modules/maxscale/charts/maxscale-helm/Chart.yaml

@@ -1,4 +1,4 @@
 apiVersion: v2
 name: maxscale-helm
-version: 1.0.8
+version: 1.0.14
 description: Helm chart for MaxScale related Kubernetes manifests

7project/tofu/modules/maxscale/charts/maxscale-helm/templates/backup.yaml

@@ -0,0 +1,42 @@
+{{- if .Values.s3.enabled }}
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Backup
+metadata:
+  name: backup
+  namespace: mariadb-operator
+spec:
+  mariaDbRef:
+    name: mariadb-repl
+    namespace: mariadb-operator
+  schedule:
+    cron: "0 */3 * * *"
+    suspend: false
+  timeZone: "Europe/Prague"
+  maxRetention: 720h # 30 days
+  compression: bzip2
+  storage:
+    s3:
+      bucket: {{ .Values.s3.bucket | quote }}
+      endpoint: {{ .Values.s3.endpoint | quote }}
+      accessKeyIdSecretKeyRef:
+        name: s3-credentials
+        key: key_id
+      secretAccessKeySecretKeyRef:
+        name: s3-credentials
+        key: secret_key
+      region: {{ .Values.s3.region | quote }}
+      tls:
+        enabled: true
+  # Define a PVC to use as staging area for keeping the backups while they are being processed.
+  stagingStorage:
+    persistentVolumeClaim:
+      resources:
+        requests:
+          storage: 10Gi
+      accessModes:
+        - ReadWriteOnce
+  args:
+    - --single-transaction
+    - --all-databases
+  logLevel: info
+{{- end }}

7project/tofu/modules/maxscale/charts/maxscale-helm/templates/config.yaml

@@ -60,6 +60,8 @@ spec:
         scrapeTimeout: 10s
         prometheusRelease: kube-prometheus-stack
         jobLabel: mariadb-monitoring
+    auth:
+      generate: true
 
     tls:
       enabled: true

7project/tofu/modules/maxscale/charts/maxscale-helm/templates/garage.yaml

@@ -0,0 +1,11 @@
+{{- if .Values.s3.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: s3-credentials
+  namespace: mariadb-operator
+type: Opaque
+stringData:
+  key_id: "{{ .Values.s3.key_id }}"
+  secret_key: "{{ .Values.s3.key_secret }}"
+{{- end }}

7project/tofu/modules/maxscale/charts/maxscale-helm/values.yaml

@@ -14,4 +14,12 @@ metallb:
 phpmyadmin:
   enabled: true
 
+s3:
+  enabled: false
+  endpoint: ""
+  region: ""
+  bucket: ""
+  key_id: ""
+  key_secret: ""
+
 base_domain: example.com

7project/tofu/modules/maxscale/main.tf

@@ -9,16 +9,16 @@ terraform {
       version = "3.0.2"
     }
     kubernetes = {
-      source = "hashicorp/kubernetes"
+      source  = "hashicorp/kubernetes"
       version = "2.38.0"
     }
   }
 }
 
 resource "kubernetes_namespace" "mariadb-operator" {
-    metadata {
-      name = "mariadb-operator"
-    }
+  metadata {
+    name = "mariadb-operator"
+  }
 }
 
 locals {
@@ -30,46 +30,53 @@ locals {
 }
 
 resource "kubectl_manifest" "secrets" {
-   yaml_body  = local.mariadb_secret_yaml
-   depends_on = [ kubernetes_namespace.mariadb-operator ]
+  yaml_body  = local.mariadb_secret_yaml
+  depends_on = [kubernetes_namespace.mariadb-operator]
 }
 
 
 resource "helm_release" "mariadb-operator-crds" {
-    name             = "mariadb-operator-crds"
-    repository       = "https://helm.mariadb.com/mariadb-operator"
-    chart            = "mariadb-operator-crds"
-    namespace        = "mariadb-operator"
-    version          = "25.8.4"
-    depends_on       = [ kubectl_manifest.secrets ]
-    timeout          = 3600
+  name       = "mariadb-operator-crds"
+  repository = "https://helm.mariadb.com/mariadb-operator"
+  chart      = "mariadb-operator-crds"
+  namespace  = "mariadb-operator"
+  version    = "25.8.4"
+  depends_on = [kubectl_manifest.secrets]
+  timeout    = 3600
 }
 
 
 resource "helm_release" "mariadb-operator" {
-    name             = "mariadb-operator"
-    repository       = "https://helm.mariadb.com/mariadb-operator"
-    chart            = "mariadb-operator"
-    depends_on       = [ helm_release.mariadb-operator-crds, kubectl_manifest.secrets ]
-    namespace        = "mariadb-operator"
-    timeout          = 3600
+  name       = "mariadb-operator"
+  repository = "https://helm.mariadb.com/mariadb-operator"
+  chart      = "mariadb-operator"
+  depends_on = [helm_release.mariadb-operator-crds, kubectl_manifest.secrets]
+  namespace  = "mariadb-operator"
+  version    = "25.8.3"
+  timeout    = 3600
 }
 
 resource "helm_release" "maxscale_helm" {
   name       = "maxscale-helm"
   chart      = "${path.module}/charts/maxscale-helm"
-  version    = "1.0.8"
-  depends_on = [ helm_release.mariadb-operator-crds, kubectl_manifest.secrets ]
+  version    = "1.0.14"
+  depends_on = [helm_release.mariadb-operator-crds, kubectl_manifest.secrets]
   timeout    = 3600
 
   set = [
-    { name = "user.name",             value = var.mariadb_user_name },
-    { name = "user.host",             value = var.mariadb_user_host },
-    { name = "metallb.maxscale_ip",   value = var.maxscale_ip },
-    { name = "metallb.service_ip",    value = var.service_ip },
-    { name = "metallb.primary_ip",    value = var.primary_ip },
-    { name = "metallb.secondary_ip",  value = var.secondary_ip },
-    { name = "phpmyadmin.enabled",    value = tostring(var.phpmyadmin_enabled) },
-    { name = "base_domain", value = var.cloudflare_domain }
+    { name = "user.name", value = var.mariadb_user_name },
+    { name = "user.host", value = var.mariadb_user_host },
+    { name = "metallb.maxscale_ip", value = var.maxscale_ip },
+    { name = "metallb.service_ip", value = var.service_ip },
+    { name = "metallb.primary_ip", value = var.primary_ip },
+    { name = "metallb.secondary_ip", value = var.secondary_ip },
+    { name = "phpmyadmin.enabled", value = tostring(var.phpmyadmin_enabled) },
+    { name = "base_domain", value = var.cloudflare_domain },
+    { name = "s3.key_id", value = var.s3_key_id },
+    { name = "s3.key_secret", value = var.s3_key_secret },
+    { name = "s3.enabled", value = var.s3_enabled },
+    { name = "s3.endpoint", value = var.s3_endpoint },
+    { name = "s3.region", value = var.s3_region },
+    { name = "s3.bucket", value = var.s3_bucket },
   ]
 }

7project/tofu/modules/maxscale/variables.tf

@@ -52,7 +52,39 @@ variable "mariadb_user_password" {
 }
 
 variable "cloudflare_domain" {
-  type = string
-  default = "Base cloudflare domain, e.g. example.com"
+  type     = string
+  default  = "Base cloudflare domain, e.g. example.com"
   nullable = false
 }
+
+variable "s3_key_id" {
+  description = "S3 Key ID for backups"
+  type        = string
+  sensitive   = true
+}
+
+variable "s3_key_secret" {
+  description = "S3 Key Secret for backups"
+  type        = string
+  sensitive   = true
+}
+
+variable "s3_enabled" {
+  description = "Enable S3 backups"
+  type        = bool
+}
+
+variable "s3_endpoint" {
+  description = "S3 endpoint for backups"
+  type        = string
+}
+
+variable "s3_region" {
+  description = "S3 region for backups"
+  type        = string
+}
+
+variable "s3_bucket" {
+  description = "S3 bucket name for backups"
+  type        = string
+}

7project/tofu/modules/metrics-server/values.yaml

@@ -0,0 +1,15 @@
+# Values overriding defaults for metrics-server Helm chart
+# Fix TLS and address selection issues when scraping kubelets (common on Talos)
+args:
+  - --kubelet-insecure-tls
+  - --kubelet-preferred-address-types=InternalIP,Hostname,InternalDNS,ExternalDNS,ExternalIP
+  - --kubelet-use-node-status-port=true
+
+# Using hostNetwork often helps in restricted CNI/DNS environments
+#hostNetwork: true
+# Required when hostNetwork is true so DNS works as expected
+#dnsPolicy: ClusterFirstWithHostNet
+
+# Enable metrics API service monitor if Prometheus Operator is present (optional)
+# serviceMonitor:
+#   enabled: true

7project/tofu/modules/rabbitmq/main.tf

@@ -16,6 +16,12 @@ terraform {
   }
 }
 
+resource "kubernetes_namespace" "rabbitmq_namespace" {
+  metadata {
+    name = "rabbitmq-system"
+  }
+}
+
 
 resource "helm_release" "rabbitmq_operator" {
   name       = "rabbitmq-cluster-operator"
@@ -24,8 +30,7 @@ resource "helm_release" "rabbitmq_operator" {
 
   version = "4.4.34"
 
-  namespace        = "rabbitmq-system"
-  create_namespace = true
+  namespace = "rabbitmq-system"
 
   # Zde můžete přepsat výchozí hodnoty chartu, pokud by bylo potřeba
   # Například sledovat jen určité namespace, nastavit tolerations atd.
@@ -59,6 +64,7 @@ resource "helm_release" "rabbitmq_operator" {
       value = "true"
     }
   ]
+  depends_on = [kubernetes_namespace.rabbitmq_namespace]
 }
 
 

7project/tofu/modules/rabbitmq/rabbit-cluster.yaml

@@ -2,4 +2,4 @@ apiVersion: rabbitmq.com/v1beta1
 kind: RabbitmqCluster
 metadata:
   name: 'rabbitmq-cluster'
-  namespace: "rabbitmq"
+  namespace: "rabbitmq-system"

7project/tofu/modules/rabbitmq/rabbit-ui.yaml

@@ -2,7 +2,7 @@ apiVersion: networking.cfargotunnel.com/v1alpha1
 kind: TunnelBinding
 metadata:
   name: rabbit-tunnel-binding
-  namespace: rabbitmq
+  namespace: rabbitmq-system
 subjects:
   - name: rabbit-gui
     spec:

7project/tofu/variables.tf

@@ -108,3 +108,40 @@ variable "rabbitmq-password" {
   sensitive   = true
   description = "Admin password for RabbitMQ user"
 }
+
+variable "s3_key_id" {
+  description = "S3 Key ID for backups"
+  type        = string
+  sensitive   = true
+  nullable    = false
+}
+
+variable "s3_key_secret" {
+  description = "S3 Key Secret for backups"
+  type        = string
+  sensitive   = true
+  nullable    = false
+}
+
+variable "s3_enabled" {
+  description = "Enable S3 backups"
+  type        = bool
+}
+
+variable "s3_endpoint" {
+  description = "S3 endpoint for backups"
+  type        = string
+}
+
+variable "s3_region" {
+  description = "S3 region for backups"
+  type        = string
+}
+
+variable "s3_bucket" {
+  description = "S3 bucket name for backups"
+  type        = string
+}
+
+
+