restic-exporter: Deploy Restic Prometheus exporter

The [restic-exporter][0] exposes metrics about Restic snapshots as
Prometheus metrics.  This allows us to get similar data as we have for
BURP backups.  Chiefly important among the metrics are last backup time
and size, which we can use to determine if backups are working
correctly.

[0]: https://github.com/ngosang/restic-exporter

restic-exporter/.gitignore

@@ -0,0 +1,2 @@
+password
+restic-s3

restic-exporter/kustomization.yaml

@@ -0,0 +1,36 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: restic-exporter
+
+labels:
+- pairs:
+    app.kubernetes.io/instance: restic-exporter
+
+resources:
+- namespace.yaml
+- network-policy.yaml
+- restic-exporter.yaml
+- secrets.yaml
+
+configMapGenerator:
+- name: restic-exporter
+  envs:
+  - restic-exporter.env
+
+patches:
+- patch: |-
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: restic-exporter
+    spec:
+      template:
+        spec:
+          containers:
+          - name: restic-exporter
+            envFrom:
+            - secretRef:
+                name: restic-s3
+            - configMapRef:
+                name: restic-exporter

restic-exporter/namespace.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: restic-exporter
+  labels:
+    app.kubernetes.io/component: restic-exporter
+    app.kubernetes.io/name: restic-exporter
+    app.kubernetes.io/part-of: restic-exporter

restic-exporter/network-policy.yaml

@@ -0,0 +1,39 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: restic-exporter
+  labels:
+    app.kubernetes.io/name: restic-exporter
+    app.kubernetes.io/component: restic-exporter
+spec:
+  egress:
+  - to:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: kube-system
+      podSelector:
+        matchLabels:
+          k8s-app: kube-dns
+    ports:
+    - port: 53
+      protocol: UDP
+    - port: 53
+      protocol: TCP
+  - to:
+    - ipBlock:
+        cidr: 172.30.0.30/32
+    ports:
+    - port: 9000
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: victoria-metrics
+      podSelector:
+        matchLabels:
+          app.kubernetes.io/name: vmagent
+    ports:
+    - port: metrics
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/component: restic-exporter

restic-exporter/restic-exporter.env

@@ -0,0 +1,4 @@
+TZ=America/Chicago
+RESTIC_REPOSITORY=s3:https://burp.pyrocufflink.blue:9000/restic
+INCLUDE_PATHS=True
+REFRESH_INTERVAL=3600

restic-exporter/restic-exporter.yaml

@@ -0,0 +1,57 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: restic-exporter
+  labels:
+    app.kubernetes.io/name: restic-exporter
+    app.kubernetes.io/component: restic-exporter
+    app.kubernetes.io/part-of: restic-exporter
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: restic-exporter
+      app.kubernetes.io/component: restic-exporter
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: restic-exporter
+        app.kubernetes.io/component: restic-exporter
+        app.kubernetes.io/part-of: restic-exporter
+    spec:
+      containers:
+      - name: restic-exporter
+        image: git.pyrocufflink.net/containerimages/restic-exporter
+        ports:
+        - containerPort: 8001
+          name: metrics
+        envFrom:
+        - configMapRef:
+            name: restic-exporter
+            optional: true
+        env:
+        - name: RESTIC_PASSWORD_FILE
+          value: /run/secrets/restic/password
+        - name: XDG_CACHE_HOME
+          value: /var/cache
+        securityContext:
+          readOnlyRootFilesystem: true
+        volumeMounts:
+        - mountPath: /run/secrets/restic
+          name: secrets
+        - mountPath: /tmp
+          name: tmp
+          subPath: tmp
+        - mountPath: /var/cache
+          name: tmp
+          subPath: cache
+      securityContext:
+        fsGroup: 8001
+        runAsGroup: 8001
+        runAsNonRoot: true
+        runAsUser: 8001
+      volumes:
+      - name: secrets
+        secret:
+          secretName: restic-exporter
+      - name: tmp
+        emptyDir: {}

restic-exporter/secrets.yaml

@@ -0,0 +1,43 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: restic-exporter
+  namespace: restic-exporter
+  labels:
+    app.kubernetes.io/name: restic-exporter
+    app.kubernetes.io/component: restic-exporter
+    app.kubernetes.io/part-of: restic-exporter
+spec:
+  encryptedData:
+    password: AgCpMgAhyZTIoqWaH7LdC+OOZdywr8c50WyAdd+f6IBUERfV6Wq8mYcpAIqXoCRqputyiK29+BxkBk4OPSHzEPh1HMUZZg8Hl0x0E4PG+MCLxV4UEbTRkhbHxRkN74X7dPQFtli5yFugiA+WNIi8PD8Ez8G9yGO5Iziud+OLo15iB18ThaSppdYYwtE3J9yOqlc9wez0dfFC63M2xfZtlv2gqh0fuK0CR4eDckk93t1aNcKZMR/QvzCryZnxi1xIs82thl5pszvI9qaHZv2Emvupwuq3MzWqluDhVme8wSoanOHCtq3hiTsGeO1+d+PMxnDVcaAXO1m13Gt6Ck0S3Oz5OoTi0mpjADG+O/TXA4NI1xwqfgE4VV7mHv7yvWIgpWRyD56x/igrpsDRAE4OIlxczVa99eaZHUhw9zsF9NeEene5k5G1BDQCzyFFXSsCZ9jfodZB/gaRqjHCbAM3F2JbFB6vo7zuQZrCRETIS+570NC8yKlDsitG1kGBHJ1Opm9y9lnFyJeGfp1G71Mw3GkF7hwxIC76pltjZob5ZHHgons+9AxOvRVLJJK9nu6MI5FwuJl6CAA+Obh/tjSRkc98wUnJay3qQ09O0AMk6xhSwVpdNs87h3Z2j5yj7SXFDb0LZDpUtipRChh/VPZK6s+DWT3PkhK5RO8w+2ZFr/0s1bo6fQbsfOeqGXdieV2MsVxLSeQARJTNkqhxuohORlUwgsImzmstoI62Ro4MjAkE9JPPGz/zfXdA2IPomrPYy/VXX2sNGdyhYBsURWEfJO46
+  template:
+    metadata:
+      name: restic-exporter
+      namespace: restic-exporter
+      labels:
+        app.kubernetes.io/name: restic-exporter
+        app.kubernetes.io/component: restic-exporter
+        app.kubernetes.io/part-of: restic-exporter
+
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: restic-s3
+  namespace: restic-exporter
+  labels:
+    app.kubernetes.io/name: restic-s3
+    app.kubernetes.io/component: restic-exporter
+    app.kubernetes.io/part-of: restic-exporter
+spec:
+  encryptedData:
+    AWS_ACCESS_KEY_ID: AgCiUz6l8sPPSxh8lmtH4HEiQEu2EWN8zpS3Farh4/CxWVn01HufAU7n7xxPjMTkkoCfa42ux/WNLl3Gl539CgAoyaudlAfuzl+Uq5w3S1XesL/lTwBqYr3mF0ZeGxeHBh2h+S9IaTPef9SWFTV/F+X3rDOKw6OfMLSI3TZAarVuvNJ9GnK8vTu5MoE+4IhHfJRBor4qI9TGKOQQDtoQP9xcwWrOQJOKvyXGtOmz/u+H4K5VVsGvPpIWYDHS3V1HIzCaVLDEulL13dyNofXKmQB7mW7yPhRIn/MJGfuAvUXAE5Or1bgamftCujtl1nR8/K5Gq6h5212hVCtY2F8YMBZSt5G+GmitTSz7PJrjTB6OzXy1Uu+bNGWgjtck6bxzm/pkO44bC5/ZvhB0AESDSBIkpBSm1o7LMl6rCF+mUybsGNmRq9mcMvtMwAbUgzEewlMbdA+zN/YqEJFMZWcE9fYHms9pil3O+mDB1LilBMUczPD/zzpP88b2m36XmT3nSRBCTcfx8nqaqB6dvYK2AYjmM9iDPM0jRxZOaA6WZy3PsTUeJvfzxNapfE72lWREtaTVP3wfhwt2BcoiIxWqc7i/9LplcEOl62S2WhMtP0wJGXMSWmzxOPHno98u1aA4r/2K3LBk+9gSzA9grwi3VpK9NsADf1vFbLmd25eDqSe6zQl5YNk+Ty20uHqK53fdqwkM2WlvOmakXlw9dBr1CWGr
+    AWS_SECRET_ACCESS_KEY: AgCJ3K0gt8GqI3go1fQ/pMjFjpW0Z+j/YElaPqTUp8dpuhEdRS3MybCOjLhKwfpQN/nufRXbk0hLZYgloGznjEpdJvP4EEb3uwwdfZ2oP+h8YVyHpHsh7DlnuHUk7RwGJiL+wb+Xnh6ChsYKQQ2HfWnIQ+JZMGKDMQqaq0CwaQAde8MUZlJyqu7tZjD5wP3PFf6WxG2lwQiwD7vMi+M/r8h0a5Sf4TVdXIrRSPE9nvVmuaN7+4eAmOmzRmVqUxXqHhSL0/yMichOFGXXOCWryQlM/gm0BETEj8g9RdhqyJ6iXvgR8/ObZUQ4zoOeonaQQNZYOjgcZ+oWD+8n0gayziCIQz1Czf3HeGyXFpmVRCcQKOFb+Pz/U308zefDT/sCg4ggH8Le/7VVBYqKjUZWPFrJrhVju1IU3BZDs8PZhjaFWDIHvL7IuI9QLLKhhHHNWQ1IQSZgSyQUNYGK0lLbOWpID14w1FgIBI9+JhLSGtue+KwKgZxgrmE9QUI1CEhEPVXCZDCSmjY629QNLiVmNG/SiEL9uJAj2BlXkMpPtZuI4b9iINcw+vS8yYifdiRxcBpCZQTD9DiEf9NRh8pvC4YuwTkFVN8++vQyDtPiJPigJpZo3Uuz2S7dEcsRD28Y2sSiLMOdzTzRwovUigkUUSONCecNWhWeMWneFx7u97PvNMK1ogDOAzjDxvM13I8dw/eK6uXB9XNKZh3NkC/18RsIqdHhLhZKeAzx3VOtbvTOIw==
+  template:
+    metadata:
+      name: restic-s3
+      namespace: restic-exporter
+      labels:
+        app.kubernetes.io/name: restic-s3
+        app.kubernetes.io/component: restic-exporter
+        app.kubernetes.io/part-of: restic-exporter