(fleet/k8up) add k8up deployment

fleet/lib/k8up-crds/fleet.yaml

@@ -0,0 +1,13 @@
+---
+defaultNamespace: k8up
+namespaceLabels:
+  lsst.io/discover: "true"
+  k8up-enabled: "true"
+labels:
+  bundle: &name k8up-crds
+helm:
+  releaseName: *name
+  takeOwnership: true
+  force: true
+  timeoutSeconds: 60
+  waitForJobs: true

fleet/lib/k8up-post/fleet.yaml

@@ -0,0 +1,16 @@
+labels:
+  bundle: &name k8up-post
+dependsOn:
+  - selector:
+      matchLabels:
+        bundle: k8up
+targetCustomizations:
+  - name: ruka
+    clusterSelector:
+      matchExpressions:
+        - key: management.cattle.io/cluster-display-name
+          operator: In
+          values:
+            - ruka
+    kustomize:
+      dir: overlays/ruka

fleet/lib/k8up-post/overlays/ruka/backup-daily.yaml

@@ -0,0 +1,28 @@
+---
+apiVersion: k8up.io/v1
+kind: Schedule
+metadata:
+  name: schedule-test
+  namespace: nexus
+spec:
+  backend:
+    s3:
+      endpoint: s3.gaw.ls.lsst.org
+      bucket: ruka-k8up
+      accessKeyIDSecretRef:
+        name: k8up-s3-credentials
+        key: access_key
+      secretAccessKeySecretRef:
+        name: k8up-s3-credentials
+        key: secret_key
+    repoPasswordSecretRef:
+      name: k8up-s3-credentials
+      key: restic_password
+  backup:
+    schedule: 0 2 * * *
+    failedJobsHistoryLimit: 2
+    successfulJobsHistoryLimit: 2
+  prune:
+    schedule: 0 1 * * 0
+    retention:
+      keepLast: 10

fleet/lib/k8up-post/overlays/ruka/kustomization.yaml

@@ -0,0 +1,2 @@
+resources:
+  - backup-daily.yaml

fleet/lib/k8up-pre/clusterexternal-secret-k8up.yaml

@@ -0,0 +1,30 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterExternalSecret
+metadata:
+  name: k8up-credentials
+spec:
+  externalSecretName: k8up-s3-credentials
+  refreshTime: 1m
+  namespaceSelector:
+    matchLabels:
+      k8up-enabled: "true"
+  externalSecretSpec:
+    secretStoreRef:
+      kind: ClusterSecretStore
+      name: onepassword
+    target:
+      name: k8up-s3-credentials
+      creationPolicy: Owner
+    data:
+      - secretKey: access_key
+        remoteRef:
+          key: k8up-credentials
+          property: access_key
+      - secretKey: secret_key
+        remoteRef:
+          key: k8up-credentials
+          property: secret_key
+      - secretKey: restic_password
+        remoteRef:
+          key: k8up-credentials
+          property: restic_password

fleet/lib/k8up-pre/fleet.yaml

@@ -0,0 +1,11 @@
+---
+defaultNamespace: k8up
+labels:
+  bundle: &name k8up-pre
+namespaceLabels:
+  lsst.io/discover: "true"
+  k8up-enabled: "true"
+helm:
+  releaseName: *name
+  timeoutSeconds: 60
+  waitForJobs: true

fleet/lib/k8up/README.MD

@@ -0,0 +1,107 @@
+# 🔄 K8up Backup with Rancher Fleet
+
+This repository configures [K8up](https://k8up.io/) via Rancher Fleet to automate persistent volume backups in Kubernetes using restic and an external S3-compatible object store.
+
+---
+
+## 📦 Repository Structure
+
+| Path | Purpose |
+|------|---------|
+| `k8up-crds/`   | Deploys K8up CustomResourceDefinitions (CRDs) |
+| `k8up-pre/`    | Creates `ClusterExternalSecret` to sync S3 credentials into backup-enabled namespaces |
+| `k8up/`        | Installs the K8up Helm chart and configures the backup environment (S3 endpoint, restic password, etc.) |
+| `k8up-post/`   | Applies `Schedule` resources to trigger automated backups in selected namespaces |
+
+---
+
+## 🚀 How It Works
+
+1. Any namespace labeled `k8up-enabled=true` will:
+   - Receive the `k8up-s3-credentials` secret via `ClusterExternalSecret`.
+   - Be eligible for backup if its PVCs are annotated.
+2. Backup schedules (defined in `k8up-post/`) trigger periodic restic jobs that back up PVC contents to the configured S3 bucket.
+
+---
+
+## 🧪 Sample Output: Querying Backups and Snapshots
+
+### 🔍 View current backups (Example)
+
+```bash
+kubectl get backup
+
+NAME                         SCHEDULE REF    COMPLETION   PREBACKUP              AGE
+demo-backup                                  Succeeded    NoPreBackupPodsFound   3m20s
+schedule-test-backup-b6bxz   schedule-test                NoPreBackupPodsFound   20s
+schedule-test-backup-sj5rt   schedule-test                NoPreBackupPodsFound   80s
+schedule-test-backup-whnkl   schedule-test   Failed       NoPreBackupPodsFound   2m20s
+
+```
+
+### 🔍 View available snapshots (Example)
+
+```bash
+kubectl get snapshots.k8up.io -n nexus
+
+NAME       DATE TAKEN             PATHS                       REPOSITORY
+00dcfddc   2025-07-09T16:41:08Z   /data/data-nexus-nexus3-0   s3:s3.gaw.ls.lsst.org/ruka-k8up
+0292e48c   2025-07-09T16:37:30Z   /data/data-nexus-nexus3-0   s3:s3.gaw.ls.lsst.org/ruka-k8up
+0369a833   2025-07-09T16:41:14Z   /data/data-nexus-nexus3-0   s3:s3.gaw.ls.lsst.org/ruka-k8up
+05869032   2025-07-09T16:32:54Z   /data/data-nexus-nexus3-0   s3:s3.gaw.ls.lsst.org/ruka-k8up
+0644f76f   2025-07-09T16:31:58Z   /data/data-nexus-nexus3-0   s3:s3.gaw.ls.lsst.org/ruka-k8up
+
+```
+
+## 🧪 Sample Output: Restore a backup.
+
+### 🔍 Restore a PVC in a Namespace (Example)
+
+```yaml
+
+Create new pvc first
+
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: restore-test-pvc
+  namespace: k8up
+  annotations:
+    k8up.io/backup: "false"
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 250Mi
+---
+Create restore job, to dump the lastest backup to that pvc
+
+apiVersion: k8up.io/v1
+kind: Restore
+metadata:
+  name: restore-testv2
+  namespace: k8up
+spec:
+  restoreMethod:
+    folder:
+      claimName: restore-test-pvc
+  backend:
+    repoPasswordSecretRef:
+      name: k8up-s3-credentials
+      key: restic_password
+    s3:
+      endpoint: s3.ruka.dev.lsst.org
+      bucket: rubinobs-k8up-dev
+      accessKeyIDSecretRef:
+        name: k8up-s3-credentials
+        key: access-key-id
+      secretAccessKeySecretRef:
+        name: k8up-s3-credentials
+        key: secret-access-key
+
+Then bind the pvc to a pod to view its contents
+```
+
+> Backups created by K8up are fully compatible with the [Restic CLI documentation](https://docs.k8up.io/k8up/2.12/how-tos/restore.html). You can use the Restic client directly to inspect, restore, or manage snapshots outside of K8up workflows.

fleet/lib/k8up/fleet.yaml

@@ -0,0 +1,32 @@
+---
+defaultNamespace: &name k8up
+namespaceLabels:
+  lsst.io/discover: "true"
+  k8up-enabled: "true"
+labels:
+  bundle: *name
+dependsOn:
+  - selector:
+      matchLabels:
+        bundle: k8up-pre
+  - selector:
+      matchLabels:
+        bundle: k8up-crds
+helm:
+  chart: *name
+  releaseName: *name
+  repo: https://k8up-io.github.io/k8up
+  version: 4.8.4
+  timeoutSeconds: 60
+  waitForJobs: true
+targetCustomizations:
+  - name: ruka
+    clusterSelector:
+      matchExpressions:
+        - key: management.cattle.io/cluster-display-name
+          operator: In
+          values:
+            - ruka
+    helm:
+      valuesFiles:
+        - overlays/ruka/values.yaml

fleet/lib/k8up/overlays/ruka/values.yaml

@@ -0,0 +1,34 @@
+k8up:
+  envVars:
+    - name: BACKUP_S3_ENDPOINT
+      value: s3.gaw.ls.lsst.org
+    - name: BACKUP_GLOBALACCESSKEYID
+      valueFrom:
+        secretKeyRef:
+          name: k8up-s3-credentials
+          key: access_key
+    - name: BACKUP_GLOBALSECRETACCESSKEY
+      valueFrom:
+        secretKeyRef:
+          name: k8up-s3-credentials
+          key: secret_key
+    - name: RESTIC_PASSWORD
+      valueFrom:
+        secretKeyRef:
+          name: k8up-s3-credentials
+          key: restic_password
+
+  timezone: America/Santiago
+
+resources:
+  limits:
+    memory: 2Gi
+  requests:
+    cpu: 1
+    memory: 1Gi
+
+metrics:
+  serviceMonitor:
+    enabled: true
+    additionalLabels:
+      lsst.io/monitor: "true"

fleet/s/dev/c/ruka/k8up

@@ -0,0 +1 @@
+../../../../lib/k8up

fleet/s/dev/c/ruka/k8up-crds

@@ -0,0 +1 @@
+../../../../lib/k8up-crds

fleet/s/dev/c/ruka/k8up-post

@@ -0,0 +1 @@
+../../../../lib/k8up-post

fleet/s/dev/c/ruka/k8up-pre

@@ -0,0 +1 @@
+../../../../lib/k8up-pre