metal-stack · Gerrit91 · Oct 23, 2024 · Oct 24, 2024
@@ -17,6 +17,7 @@ auditing_meili_backup_restore_sidecar_backup_cron_schedule: "0 * * * *"
 auditing_meili_backup_restore_sidecar_log_level: debug
 auditing_meili_backup_restore_sidecar_object_prefix: "{{ auditing_meili_name }}-{{ metal_control_plane_stage_name }}"
 auditing_meili_backup_restore_sidecar_object_max_keep:
+auditing_meili_backup_restore_sidecar_encryption_key:
 
 auditing_meili_backup_restore_sidecar_gcp_bucket_name:
 auditing_meili_backup_restore_sidecar_gcp_backup_location:

@@ -41,3 +41,4 @@
     meilisearch_backup_restore_sidecar_gcp_serviceaccount_json: "{{ auditing_meili_backup_restore_sidecar_gcp_serviceaccount_json }}"
     meilisearch_resources: "{{ auditing_meili_resources }}"
     meilisearch_backup_restore_sidecar_object_max_keep: "{{ auditing_meili_backup_restore_sidecar_object_max_keep }}"
+    meilisearch_backup_restore_sidecar_encryption_key: "{{ auditing_meili_backup_restore_sidecar_encryption_key }}"
@@ -12,6 +12,7 @@ headscale_db_backup_restore_sidecar_provider: local
 headscale_db_backup_restore_sidecar_backup_cron_schedule: "0 0 * * *"
 headscale_db_backup_restore_sidecar_log_level: debug
 headscale_db_backup_restore_sidecar_object_prefix: "{{ headscale_db_name }}"
+headscale_db_backup_restore_sidecar_encryption_key:
 
 headscale_db_backup_restore_sidecar_gcp_bucket_name:
 headscale_db_backup_restore_sidecar_gcp_backup_location:

@@ -50,6 +50,7 @@
     postgres_backup_restore_sidecar_gcp_backup_location: "{{ headscale_db_backup_restore_sidecar_gcp_backup_location }}"
     postgres_backup_restore_sidecar_gcp_project_id: "{{ headscale_db_backup_restore_sidecar_gcp_project_id }}"
     postgres_backup_restore_sidecar_gcp_serviceaccount_json: "{{ headscale_db_backup_restore_sidecar_gcp_serviceaccount_json }}"
+    postgres_backup_restore_sidecar_encryption_key: "{{ headscale_db_backup_restore_sidecar_encryption_key }}"
     postgres_resources: "{{ headscale_db_resources }}"
 
 - name: Deploy headscale

@@ -17,6 +17,7 @@ ipam_db_backup_restore_sidecar_backup_cron_schedule: "*/3 * * * *"
 ipam_db_backup_restore_sidecar_log_level: debug
 ipam_db_backup_restore_sidecar_object_prefix: "{{ ipam_db_name }}-{{ metal_control_plane_stage_name }}"
 ipam_db_backup_restore_sidecar_object_max_keep:
+ipam_db_backup_restore_sidecar_encryption_key:
 
 ipam_db_backup_restore_sidecar_gcp_bucket_name:
 ipam_db_backup_restore_sidecar_gcp_backup_location:

@@ -42,4 +42,4 @@
     postgres_backup_restore_sidecar_gcp_serviceaccount_json: "{{ ipam_db_backup_restore_sidecar_gcp_serviceaccount_json }}"
     postgres_resources: "{{ ipam_db_resources }}"
     postgres_backup_restore_sidecar_object_max_keep: "{{ ipam_db_backup_restore_sidecar_object_max_keep }}"
-
+    postgres_backup_restore_sidecar_encryption_key: "{{ ipam_db_backup_restore_sidecar_encryption_key }}"
@@ -17,6 +17,7 @@ masterdata_db_backup_restore_sidecar_backup_cron_schedule: "*/3 * * * *"
 masterdata_db_backup_restore_sidecar_log_level: debug
 masterdata_db_backup_restore_sidecar_object_prefix: "{{ masterdata_db_name }}-{{ metal_control_plane_stage_name }}"
 masterdata_db_backup_restore_sidecar_object_max_keep:
+masterdata_db_backup_restore_sidecar_encryption_key:
 
 masterdata_db_backup_restore_sidecar_gcp_bucket_name:
 masterdata_db_backup_restore_sidecar_gcp_backup_location:

@@ -42,3 +42,4 @@
     postgres_backup_restore_sidecar_gcp_serviceaccount_json: "{{ masterdata_db_backup_restore_sidecar_gcp_serviceaccount_json }}"
     postgres_resources: "{{ masterdata_db_resources }}"
     postgres_backup_restore_sidecar_object_max_keep: "{{ masterdata_db_backup_restore_sidecar_object_max_keep }}"
+    postgres_backup_restore_sidecar_encryption_key: "{{ masterdata_db_backup_restore_sidecar_encryption_key }}"
@@ -8,27 +8,29 @@ This role uses variables from [control-plane-defaults](/control-plane). So, make
 
 You can look up all the default values of this role [here](defaults/main/main.yaml).
 
-| Name                                                       | Mandatory | Description                                                             |
-| ---------------------------------------------------------- | --------- | ----------------------------------------------------------------------- |
-| meilisearch_image_name                                     | yes       | Image version of the meilisearch                                        |
-| meilisearch_image_tag                                      | yes       | Image tag of the meilisearch                                            |
-| meilisearch_registry_auth_enabled                          |           | Enables registry authentication                                         |
-| meilisearch_registry_auth                                  |           | The dockerconfigjson content used for registry authentication           |
-| meilisearch_image_pull_policy                              |           | Image pull policy (defaults to IfNotPresent)                            |
-| meilisearch_name                                           |           | The name of the meilisearch instance                                    |
-| meilisearch_namespace                                      |           | The deployment's target namespace                                       |
-| meilisearch_storage_size                                   |           | The size of the PVC                                                     |
-| meilisearch_storage_class                                  |           | The storage class of the PVC                                            |
-| meilisearch_api_key                                        |           | The api key for meilisearch                                             |
-| meilisearch_environment                                    |           | Sets the environment configuration for meilisearch                      |
-| meilisearch_no_analytics                                   |           | Sets the no analytics configuration for meilisearch                     |
-| meilisearch_backup_restore_sidecar_image_name              | yes       | Image version of the backup-restore-sidecar                             |
-| meilisearch_backup_restore_sidecar_image_tag               | yes       | Image tag of the backup-restore-sidecar                                 |
-| meilisearch_backup_restore_sidecar_provider                |           | The backup provider                                                     |
-| meilisearch_backup_restore_sidecar_backup_cron_schedule    |           | The backup cron schedule                                                |
-| meilisearch_backup_restore_sidecar_log_level               |           | The log level of the sidecar                                            |
-| meilisearch_backup_restore_sidecar_gcp_bucket_name         |           | Bucket name of the GCP bucket                                           |
-| meilisearch_backup_restore_sidecar_gcp_backup_location     |           | Location of the GCP bucket                                              |
-| meilisearch_backup_restore_sidecar_gcp_project_id          |           | GCP project name                                                        |
-| meilisearch_backup_restore_sidecar_gcp_serviceaccount_json |           | GCP Serviceaccount JSON string (service account requires bucket access) |
-| meilisearch_resources                                      |           | The kubernetes resources for the actual meilisearch container           |
+| Name                                                       | Mandatory | Description                                                                                                       |
+| ---------------------------------------------------------- | --------- | ----------------------------------------------------------------------------------------------------------------- |
+| meilisearch_image_name                                     | yes       | Image version of the meilisearch                                                                                  |
+| meilisearch_image_tag                                      | yes       | Image tag of the meilisearch                                                                                      |
+| meilisearch_registry_auth_enabled                          |           | Enables registry authentication                                                                                   |
+| meilisearch_registry_auth                                  |           | The dockerconfigjson content used for registry authentication                                                     |
+| meilisearch_image_pull_policy                              |           | Image pull policy (defaults to IfNotPresent)                                                                      |
+| meilisearch_name                                           |           | The name of the meilisearch instance                                                                              |
+| meilisearch_namespace                                      |           | The deployment's target namespace                                                                                 |
+| meilisearch_storage_size                                   |           | The size of the PVC                                                                                               |
+| meilisearch_storage_class                                  |           | The storage class of the PVC                                                                                      |
+| meilisearch_api_key                                        |           | The api key for meilisearch                                                                                       |
+| meilisearch_environment                                    |           | Sets the environment configuration for meilisearch                                                                |
+| meilisearch_no_analytics                                   |           | Sets the no analytics configuration for meilisearch                                                               |
+| meilisearch_backup_restore_sidecar_image_name              | yes       | Image version of the backup-restore-sidecar                                                                       |
+| meilisearch_backup_restore_sidecar_image_tag               | yes       | Image tag of the backup-restore-sidecar                                                                           |
+| meilisearch_backup_restore_sidecar_provider                |           | The backup provider                                                                                               |
+| meilisearch_backup_restore_sidecar_backup_cron_schedule    |           | The backup cron schedule                                                                                          |
+| meilisearch_backup_restore_sidecar_log_level               |           | The log level of the sidecar                                                                                      |
+| meilisearch_backup_restore_sidecar_gcp_bucket_name         |           | Bucket name of the GCP bucket                                                                                     |
+| meilisearch_backup_restore_sidecar_gcp_backup_location     |           | Location of the GCP bucket                                                                                        |
+| meilisearch_backup_restore_sidecar_gcp_project_id          |           | GCP project name                                                                                                  |
+| meilisearch_backup_restore_sidecar_gcp_serviceaccount_json |           | GCP Serviceaccount JSON string (service account requires bucket access)                                           |
+| meilisearch_resources                                      |           | The kubernetes resources for the actual meilisearch container                                                     |
+| meilisearch_backup_restore_sidecar_object_max_keep         |           | The number of objects to keep at the cloud provider bucket                                                        |
+| meilisearch_backup_restore_sidecar_encryption_key          |           | An optional encryption key to AES-encrypt the backups before uploading them to the backup provider (length == 32) |
@@ -17,6 +17,7 @@ meilisearch_backup_restore_sidecar_backup_cron_schedule: "0 * * * *"
 meilisearch_backup_restore_sidecar_log_level: debug
 meilisearch_backup_restore_sidecar_object_prefix: "{{ meilisearch_name }}-{{ metal_control_plane_stage_name }}"
 meilisearch_backup_restore_sidecar_object_max_keep:
+meilisearch_backup_restore_sidecar_encryption_key:
 
 meilisearch_backup_restore_sidecar_gcp_bucket_name:
 meilisearch_backup_restore_sidecar_gcp_backup_location:

@@ -11,6 +11,7 @@
       - meilisearch_image_tag is defined
       - meilisearch_backup_restore_sidecar_image_name is defined
       - meilisearch_backup_restore_sidecar_image_tag is defined
+      - meilisearch_backup_restore_sidecar_encryption_key is none or meilisearch_backup_restore_sidecar_encryption_key | length == 32
 
 - name: Deploy meilisearch (backup-restore)
   k8s:

@@ -231,6 +231,9 @@ data:
     compression-method: targz
 {% if meilisearch_backup_restore_sidecar_object_max_keep %}
     object-max-keep: {{ meilisearch_backup_restore_sidecar_object_max_keep }}
+{% endif %}
+{% if meilisearch_backup_restore_sidecar_encryption_key %}
+    encryption-key: {{ meilisearch_backup_restore_sidecar_encryption_key }}
 {% endif %}
     post-exec-cmds:
       - meilisearch --db-path=/data/data.ms/ --dump-dir=/backup/upload/files

@@ -14,6 +14,7 @@ metal_db_backup_restore_sidecar_backup_cron_schedule: "*/3 * * * *"
 metal_db_backup_restore_sidecar_log_level: debug
 
 metal_db_backup_restore_sidecar_object_max_keep:
+metal_db_backup_restore_sidecar_encryption_key:
 
 metal_db_backup_restore_sidecar_gcp_bucket_name:
 metal_db_backup_restore_sidecar_gcp_backup_location:

@@ -40,3 +40,4 @@
     rethinkdb_ingress_dns: "{{ metal_db_ingress_dns }}"
     rethinkdb_resources: "{{ metal_db_resources }}"
     rethinkdb_backup_restore_sidecar_object_max_keep: "{{ metal_db_backup_restore_sidecar_object_max_keep }}"
+    rethinkdb_backup_restore_sidecar_encryption_key: "{{ metal_db_backup_restore_sidecar_encryption_key }}"