setup gcs backup bucket for longhorn

2025-08-31 20:50:28 +02:00
parent b9a46afb82
commit 2d4cb5d8a5
5 changed files with 129 additions and 19 deletions
--- a/iac/gcs_backup.tf
+++ b/iac/gcs_backup.tf
@@ -0,0 +1,62 @@
+# https://longhorn.io/docs/1.9.1/snapshots-and-backups/backup-and-restore/set-backup-target/#set-up-gcp-cloud-storage-backupstore
+resource "google_storage_bucket" "longhorn_backup" {
+  name          = "arcodange-backup"
+  location      = "US-EAST1"
+  force_destroy = true
+
+  public_access_prevention = "enforced"
+}
+
+resource "google_service_account" "longhorn_backup" {
+  account_id = "longhorn-backup"
+}
+
+resource "google_storage_bucket_iam_member" "longhorn_backup" {
+  bucket = google_storage_bucket.longhorn_backup.name
+  role   = "roles/storage.admin"
+  member = "serviceAccount:${google_service_account.longhorn_backup.email}"
+}
+
+resource "google_service_account_key" "longhorn_backup" {
+  service_account_id = google_service_account.longhorn_backup.account_id
+
+}
+
+locals {
+  vault_mount_kvv2 = { path = "kvv2" }
+}
+data "vault_auth_backend" "kubernetes" {
+  path = "kubernetes"
+}
+
+resource "vault_kv_secret_v2" "longhorn_gcs_backup" {
+  mount               = local.vault_mount_kvv2.path
+  name                = "longhorn/gcs-backup"
+  cas                 = 1
+  delete_all_versions = true
+  data_json = base64decode(
+    google_service_account_key.longhorn_backup.private_key
+  )
+}
+
+data "vault_policy_document" "longhorn_gcs_backup" {
+  rule {
+    path         = "${local.vault_mount_kvv2.path}/data/longhorn/gcs-backup"
+    capabilities = ["read"]
+  }
+}
+
+resource "vault_policy" "longhorn_gcs_backup" {
+  name   = "longhorn-gcs-backup"
+  policy = data.vault_policy_document.longhorn_gcs_backup.hcl
+}
+
+resource "vault_kubernetes_auth_backend_role" "longhorn" {
+  backend                          = data.vault_auth_backend.kubernetes.path
+  role_name                        = "longhorn"
+  bound_service_account_names      = ["longhorn-vault-secret-reader"] # le meme que dans le manifest VaultAuth
+  bound_service_account_namespaces = ["longhorn-system"]
+  token_policies                   = [vault_policy.longhorn_gcs_backup.name]
+  audience                         = "vault"
+  alias_name_source                = "serviceaccount_name"
+}