Add Velero configuration to .env.sample, README.md, and Ansible playbooks. Update group_vars to include noble_velero_install variable. Enhance documentation for optional Velero installation and S3 integration, improving clarity for backup and restore processes.

2026-03-28 18:39:22 -04:00
parent a4b9913b7e
commit 33a10dc7e9
14 changed files with 378 additions and 8 deletions
--- a/ansible/README.md
+++ b/ansible/README.md
@@ -65,11 +65,12 @@ Override with `-e` when needed, e.g. **`-e noble_talos_skip_bootstrap=true`** if
 ```bash
 ansible-playbook playbooks/noble.yml --tags cilium,metallb
 ansible-playbook playbooks/noble.yml --skip-tags newt
+ansible-playbook playbooks/noble.yml --tags velero -e noble_velero_install=true -e noble_velero_s3_bucket=... -e noble_velero_s3_url=...
 ```

 ### Variables — `group_vars/all.yml`

- **`noble_newt_install`**, **`noble_cert_manager_require_cloudflare_secret`**, **`noble_apply_vault_cluster_secret_store`**, **`noble_k8s_api_server_override`**, **`noble_k8s_api_server_auto_fallback`**, **`noble_k8s_api_server_fallback`**, **`noble_skip_k8s_health_check`**.
+- **`noble_newt_install`**, **`noble_velero_install`**, **`noble_cert_manager_require_cloudflare_secret`**, **`noble_apply_vault_cluster_secret_store`**, **`noble_k8s_api_server_override`**, **`noble_k8s_api_server_auto_fallback`**, **`noble_k8s_api_server_fallback`**, **`noble_skip_k8s_health_check`**.

 ## Roles

@@ -77,7 +78,7 @@ ansible-playbook playbooks/noble.yml --skip-tags newt
 |------|----------|
 | `talos_phase_a` | Talos genconfig, apply-config, bootstrap, kubeconfig |
 | `helm_repos` | `helm repo add` / `update` |
-| `noble_*` | Cilium, metrics-server, Longhorn, MetalLB (20m Helm wait), kube-vip, Traefik, cert-manager, Newt, Argo CD, Kyverno, platform stack |
+| `noble_*` | Cilium, metrics-server, Longhorn, MetalLB (20m Helm wait), kube-vip, Traefik, cert-manager, Newt, Argo CD, Kyverno, platform stack, Velero (optional) |
 | `noble_landing_urls` | Writes **`ansible/output/noble-lab-ui-urls.md`** — URLs, service names, and (optional) Argo/Grafana passwords from Secrets |
 | `noble_post_deploy` | Post-install reminders |
 | `talos_bootstrap` | Genconfig-only (used by older playbook) |
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -21,3 +21,6 @@ noble_cert_manager_require_cloudflare_secret: true

 # post_deploy.yml — apply Vault ClusterSecretStore only after Vault is initialized and K8s auth is configured
 noble_apply_vault_cluster_secret_store: false
+
+# Velero — set **noble_velero_install: true** plus S3 bucket/URL (and credentials — see clusters/noble/bootstrap/velero/README.md)
+noble_velero_install: false
--- a/ansible/playbooks/noble.yml
+++ b/ansible/playbooks/noble.yml
@@ -4,7 +4,7 @@
 # Run from repo **ansible/** directory:  ansible-playbook playbooks/noble.yml
 #
 # Tags: repos, cilium, metrics, longhorn, metallb, kube_vip, traefik, cert_manager, newt,
-#       argocd, kyverno, kyverno_policies, platform, all (default)
+#       argocd, kyverno, kyverno_policies, platform, velero, all (default)
 - name: Noble cluster — platform stack (Ansible-managed)
  hosts: localhost
  connection: local
@@ -224,5 +224,7 @@
      tags: [kyverno_policies, policy]
    - role: noble_platform
      tags: [platform, observability, apps]
+    - role: noble_velero
+      tags: [velero, backups]
    - role: noble_landing_urls
      tags: [landing, platform, observability, apps]
--- a/ansible/roles/helm_repos/defaults/main.yml
+++ b/ansible/roles/helm_repos/defaults/main.yml
@@ -16,3 +16,4 @@ noble_helm_repos:
  - { name: fluent, url: "https://fluent.github.io/helm-charts" }
  - { name: headlamp, url: "https://kubernetes-sigs.github.io/headlamp/" }
  - { name: kyverno, url: "https://kyverno.github.io/kyverno/" }
+  - { name: vmware-tanzu, url: "https://vmware-tanzu.github.io/helm-charts" }
--- a/ansible/roles/noble_velero/defaults/main.yml
+++ b/ansible/roles/noble_velero/defaults/main.yml
@@ -0,0 +1,13 @@
+---
+# **noble_velero_install** is in **ansible/group_vars/all.yml**. Override S3 fields via extra-vars or group_vars.
+noble_velero_chart_version: "12.0.0"
+
+noble_velero_s3_bucket: ""
+noble_velero_s3_url: ""
+noble_velero_s3_region: "us-east-1"
+noble_velero_s3_force_path_style: "true"
+noble_velero_s3_prefix: ""
+
+# Optional — if unset, Ansible expects Secret **velero/velero-cloud-credentials** (key **cloud**) to exist.
+noble_velero_aws_access_key_id: ""
+noble_velero_aws_secret_access_key: ""
--- a/ansible/roles/noble_velero/tasks/from_env.yml
+++ b/ansible/roles/noble_velero/tasks/from_env.yml
@@ -0,0 +1,68 @@
+---
+# See repository **.env.sample** — copy to **.env** (gitignored).
+- name: Stat repository .env for Velero
+  ansible.builtin.stat:
+    path: "{{ noble_repo_root }}/.env"
+  register: noble_deploy_env_file
+  changed_when: false
+
+- name: Load NOBLE_VELERO_S3_BUCKET from .env when unset
+  ansible.builtin.shell: |
+    set -a
+    . "{{ noble_repo_root }}/.env"
+    set +a
+    echo "${NOBLE_VELERO_S3_BUCKET:-}"
+  register: noble_velero_s3_bucket_from_env
+  when:
+    - noble_deploy_env_file.stat.exists | default(false)
+    - noble_velero_s3_bucket | default('') | length == 0
+  changed_when: false
+
+- name: Apply NOBLE_VELERO_S3_BUCKET from .env
+  ansible.builtin.set_fact:
+    noble_velero_s3_bucket: "{{ noble_velero_s3_bucket_from_env.stdout | trim }}"
+  when:
+    - noble_velero_s3_bucket_from_env is defined
+    - (noble_velero_s3_bucket_from_env.stdout | default('') | trim | length) > 0
+
+- name: Load NOBLE_VELERO_S3_URL from .env when unset
+  ansible.builtin.shell: |
+    set -a
+    . "{{ noble_repo_root }}/.env"
+    set +a
+    echo "${NOBLE_VELERO_S3_URL:-}"
+  register: noble_velero_s3_url_from_env
+  when:
+    - noble_deploy_env_file.stat.exists | default(false)
+    - noble_velero_s3_url | default('') | length == 0
+  changed_when: false
+
+- name: Apply NOBLE_VELERO_S3_URL from .env
+  ansible.builtin.set_fact:
+    noble_velero_s3_url: "{{ noble_velero_s3_url_from_env.stdout | trim }}"
+  when:
+    - noble_velero_s3_url_from_env is defined
+    - (noble_velero_s3_url_from_env.stdout | default('') | trim | length) > 0
+
+- name: Create velero-cloud-credentials from .env when keys present
+  ansible.builtin.shell: |
+    set -euo pipefail
+    set -a
+    . "{{ noble_repo_root }}/.env"
+    set +a
+    if [ -z "${NOBLE_VELERO_AWS_ACCESS_KEY_ID:-}" ] || [ -z "${NOBLE_VELERO_AWS_SECRET_ACCESS_KEY:-}" ]; then
+      echo SKIP
+      exit 0
+    fi
+    CLOUD="$(printf '[default]\naws_access_key_id=%s\naws_secret_access_key=%s\n' \
+      "${NOBLE_VELERO_AWS_ACCESS_KEY_ID}" "${NOBLE_VELERO_AWS_SECRET_ACCESS_KEY}")"
+    kubectl -n velero create secret generic velero-cloud-credentials \
+      --from-literal=cloud="${CLOUD}" \
+      --dry-run=client -o yaml | kubectl apply -f -
+    echo APPLIED
+  environment:
+    KUBECONFIG: "{{ noble_kubeconfig }}"
+  when: noble_deploy_env_file.stat.exists | default(false)
+  no_log: true
+  register: noble_velero_secret_from_env
+  changed_when: "'APPLIED' in (noble_velero_secret_from_env.stdout | default(''))"
--- a/ansible/roles/noble_velero/tasks/main.yml
+++ b/ansible/roles/noble_velero/tasks/main.yml
@@ -0,0 +1,85 @@
+---
+# Velero — S3 backup target + built-in CSI snapshots (Longhorn: label VolumeSnapshotClass per README).
+- name: Apply velero namespace
+  ansible.builtin.command:
+    argv:
+      - kubectl
+      - apply
+      - -f
+      - "{{ noble_repo_root }}/clusters/noble/bootstrap/velero/namespace.yaml"
+  environment:
+    KUBECONFIG: "{{ noble_kubeconfig }}"
+  when: noble_velero_install | default(false) | bool
+  changed_when: true
+
+- name: Include Velero settings from repository .env (S3 bucket, URL, credentials)
+  ansible.builtin.include_tasks: from_env.yml
+  when: noble_velero_install | default(false) | bool
+
+- name: Require S3 bucket and endpoint for Velero
+  ansible.builtin.assert:
+    that:
+      - noble_velero_s3_bucket | default('') | length > 0
+      - noble_velero_s3_url | default('') | length > 0
+    fail_msg: >-
+      Set NOBLE_VELERO_S3_BUCKET and NOBLE_VELERO_S3_URL in .env, or noble_velero_s3_bucket / noble_velero_s3_url
+      (e.g. -e ...), or group_vars when noble_velero_install is true.
+  when: noble_velero_install | default(false) | bool
+
+- name: Create velero-cloud-credentials from Ansible vars
+  ansible.builtin.shell: |
+    set -euo pipefail
+    CLOUD="$(printf '[default]\naws_access_key_id=%s\naws_secret_access_key=%s\n' \
+      "${AWS_ACCESS_KEY_ID}" "${AWS_SECRET_ACCESS_KEY}")"
+    kubectl -n velero create secret generic velero-cloud-credentials \
+      --from-literal=cloud="${CLOUD}" \
+      --dry-run=client -o yaml | kubectl apply -f -
+  environment:
+    KUBECONFIG: "{{ noble_kubeconfig }}"
+    AWS_ACCESS_KEY_ID: "{{ noble_velero_aws_access_key_id }}"
+    AWS_SECRET_ACCESS_KEY: "{{ noble_velero_aws_secret_access_key }}"
+  when:
+    - noble_velero_install | default(false) | bool
+    - noble_velero_aws_access_key_id | default('') | length > 0
+    - noble_velero_aws_secret_access_key | default('') | length > 0
+  no_log: true
+  changed_when: true
+
+- name: Check velero-cloud-credentials Secret
+  ansible.builtin.command:
+    argv:
+      - kubectl
+      - -n
+      - velero
+      - get
+      - secret
+      - velero-cloud-credentials
+  environment:
+    KUBECONFIG: "{{ noble_kubeconfig }}"
+  register: noble_velero_secret_check
+  failed_when: false
+  changed_when: false
+  when: noble_velero_install | default(false) | bool
+
+- name: Require velero-cloud-credentials before Helm
+  ansible.builtin.assert:
+    that:
+      - noble_velero_secret_check.rc == 0
+    fail_msg: >-
+      Velero needs Secret velero/velero-cloud-credentials (key cloud). Set NOBLE_VELERO_AWS_ACCESS_KEY_ID and
+      NOBLE_VELERO_AWS_SECRET_ACCESS_KEY in .env, or noble_velero_aws_* extra-vars, or create the Secret manually
+      (see clusters/noble/bootstrap/velero/README.md).
+  when: noble_velero_install | default(false) | bool
+
+- name: Optional object prefix argv for Helm
+  ansible.builtin.set_fact:
+    noble_velero_helm_prefix_argv: "{{ ['--set-string', 'configuration.backupStorageLocation[0].prefix=' ~ (noble_velero_s3_prefix | default(''))] if (noble_velero_s3_prefix | default('') | length > 0) else [] }}"
+  when: noble_velero_install | default(false) | bool
+
+- name: Install Velero
+  ansible.builtin.command:
+    argv: "{{ ['helm', 'upgrade', '--install', 'velero', 'vmware-tanzu/velero', '--namespace', 'velero', '--version', noble_velero_chart_version, '-f', noble_repo_root ~ '/clusters/noble/bootstrap/velero/values.yaml', '--set-string', 'configuration.backupStorageLocation[0].bucket=' ~ noble_velero_s3_bucket, '--set-string', 'configuration.backupStorageLocation[0].config.s3Url=' ~ noble_velero_s3_url, '--set-string', 'configuration.backupStorageLocation[0].config.region=' ~ noble_velero_s3_region, '--set-string', 'configuration.backupStorageLocation[0].config.s3ForcePathStyle=' ~ noble_velero_s3_force_path_style] + (noble_velero_helm_prefix_argv | default([])) + ['--wait'] }}"
+  environment:
+    KUBECONFIG: "{{ noble_kubeconfig }}"
+  when: noble_velero_install | default(false) | bool
+  changed_when: true