setup gcs backup bucket for longhorn

argocd/templates/longhorn_backup_target_creds.yaml

@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: longhorn-vault-secret-reader
+  namespace: longhorn-system
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: longhorn-vault-secret-reader
+  namespace: longhorn-system
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: longhorn
+    serviceAccount: longhorn-vault-secret-reader # le même que dans TF
+    audiences:
+      - vault
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: longhorn-gcs-backup-credentials
+  namespace: longhorn-system
+spec:
+  type: kv-v2
+  mount: kvv2
+
+  path: longhorn/gcs-backup
+  
+  destination:
+    name: longhorn-gcs-backup-credentials
+    create: true
+  
+  refreshAfter: 1h
+
+  vaultAuthRef: longhorn-vault-secret-reader

iac/backend.tf

@@ -1,6 +1,6 @@
 terraform {
   backend "gcs" {
-    bucket  = "arcodange-tf"
+    bucket = "arcodange-tf"
-    prefix  = "factory/main"
+    prefix = "factory/main"
   }
 }

iac/gcs_backup.tf

@@ -0,0 +1,62 @@
+# https://longhorn.io/docs/1.9.1/snapshots-and-backups/backup-and-restore/set-backup-target/#set-up-gcp-cloud-storage-backupstore
+resource "google_storage_bucket" "longhorn_backup" {
+  name          = "arcodange-backup"
+  location      = "US-EAST1"
+  force_destroy = true
+
+  public_access_prevention = "enforced"
+}
+
+resource "google_service_account" "longhorn_backup" {
+  account_id = "longhorn-backup"
+}
+
+resource "google_storage_bucket_iam_member" "longhorn_backup" {
+  bucket = google_storage_bucket.longhorn_backup.name
+  role   = "roles/storage.admin"
+  member = "serviceAccount:${google_service_account.longhorn_backup.email}"
+}
+
+resource "google_service_account_key" "longhorn_backup" {
+  service_account_id = google_service_account.longhorn_backup.account_id
+
+}
+
+locals {
+  vault_mount_kvv2 = { path = "kvv2" }
+}
+data "vault_auth_backend" "kubernetes" {
+  path = "kubernetes"
+}
+
+resource "vault_kv_secret_v2" "longhorn_gcs_backup" {
+  mount               = local.vault_mount_kvv2.path
+  name                = "longhorn/gcs-backup"
+  cas                 = 1
+  delete_all_versions = true
+  data_json = base64decode(
+    google_service_account_key.longhorn_backup.private_key
+  )
+}
+
+data "vault_policy_document" "longhorn_gcs_backup" {
+  rule {
+    path         = "${local.vault_mount_kvv2.path}/data/longhorn/gcs-backup"
+    capabilities = ["read"]
+  }
+}
+
+resource "vault_policy" "longhorn_gcs_backup" {
+  name   = "longhorn-gcs-backup"
+  policy = data.vault_policy_document.longhorn_gcs_backup.hcl
+}
+
+resource "vault_kubernetes_auth_backend_role" "longhorn" {
+  backend                          = data.vault_auth_backend.kubernetes.path
+  role_name                        = "longhorn"
+  bound_service_account_names      = ["longhorn-vault-secret-reader"] # le meme que dans le manifest VaultAuth
+  bound_service_account_namespaces = ["longhorn-system"]
+  token_policies                   = [vault_policy.longhorn_gcs_backup.name]
+  audience                         = "vault"
+  alias_name_source                = "serviceaccount_name"
+}

iac/gitea_tofu_ci_user.tf

@@ -1,6 +1,6 @@
 
 resource "random_password" "tofu" {
-  length           = 32
+  length = 32
 }
 resource "gitea_user" "tofu" {
   username             = "tofu_module_reader"
@@ -8,24 +8,24 @@ resource "gitea_user" "tofu" {
   password             = random_password.tofu.result
   email                = "tofu-module-reader@arcodange.fake"
   must_change_password = false
-  full_name = "restricted CI user"
+  full_name            = "restricted CI user"
-  prohibit_login = false
+  prohibit_login       = false
-  restricted = true
+  restricted           = true
-  visibility = "private"
+  visibility           = "private"
 }
 resource "tls_private_key" "tofu" {
-  algorithm =  "ED25519"
+  algorithm = "ED25519"
 }
 resource "gitea_public_key" "tofu" {
-  title     = "tofu"
+  title    = "tofu"
-  key       = tls_private_key.tofu.public_key_openssh
+  key      = tls_private_key.tofu.public_key_openssh
-  username  = gitea_user.tofu.username
+  username = gitea_user.tofu.username
 }
 
 resource "vault_kv_secret" "gitea_admin_token" {
   path = "kvv1/gitea/tofu_module_reader"
   data_json = jsonencode({
     ssh_private_key = tls_private_key.tofu.private_key_openssh
-    ssh_public_key = tls_private_key.tofu.public_key_openssh
+    ssh_public_key  = tls_private_key.tofu.public_key_openssh
   })
 }

iac/providers.tf

@@ -1,13 +1,17 @@
 terraform {
   required_providers {
     gitea = {
-      source = "go-gitea/gitea"
+      source  = "go-gitea/gitea"
       version = "0.5.1"
     }
     vault = {
-      source = "vault"
+      source  = "vault"
       version = "4.4.0"
     }
+    google = {
+      source  = "google"
+      version = "7.0.1"
+    }
   }
 }
 
@@ -16,10 +20,16 @@ provider "gitea" { # https://registry.terraform.io/providers/go-gitea/gitea/late
   # use GITEA_TOKEN env var
 }
 
-provider vault {
+provider "vault" {
   address = "https://vault.arcodange.duckdns.org"
-  auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
+  token   = "hvs.CAESINCaMZanSRV-JM2rhHijIcFjT3mNE63jNpy_LInw-qy_Gh4KHGh2cy5PcndCWVhRUWpORmdyZzJISFNZYzlLVGk"
-    mount = "gitea_jwt"
+  # auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
-    role = "gitea_cicd"
+  #   mount = "gitea_jwt"
-  }
+  #   role  = "gitea_cicd"
+  # }
+}
+
+provider "google" {
+  project = "arcodange"
+  region  = "US-EAST1"
 }