feat: etcd snapshot service for kubernetes

We add a program that accepts S3 configurations, gets an etcd snapshot,
encrypts it with `age` and uploads it to S3. Optionally users may supply
a custom endpoint to an S3 compatible storage.

Signed-off-by: Philipp Sauter <[email protected]>

.drone.yml

@@ -1,7 +1,7 @@
 ---
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2022-01-13T16:08:44Z by kres latest.
+# Generated on 2022-10-19T13:48:11Z by kres latest.
 
 kind: pipeline
 type: kubernetes
@@ -105,11 +105,11 @@ steps:
   depends_on:
   - unit-tests
 
-- name: talos-backup
+- name: etcd-snapshot-k8s-service
   pull: always
   image: autonomy/build-container:latest
   commands:
-  - make talos-backup
+  - make etcd-snapshot-k8s-service
   volumes:
   - name: outer-docker-socket
     path: /var/outer-run
@@ -139,6 +139,100 @@ steps:
   depends_on:
   - base
 
+- name: image-etcd-snapshot-k8s-service
+  pull: always
+  image: autonomy/build-container:latest
+  commands:
+  - make image-etcd-snapshot-k8s-service
+  volumes:
+  - name: outer-docker-socket
+    path: /var/outer-run
+  - name: docker-socket
+    path: /var/run
+  - name: buildx
+    path: /root/.docker/buildx
+  - name: ssh
+    path: /root/.ssh
+  depends_on:
+  - etcd-snapshot-k8s-service
+  - lint
+  - unit-tests
+
+- name: push-etcd-snapshot-k8s-service
+  pull: always
+  image: autonomy/build-container:latest
+  commands:
+  - docker login ghcr.io --username "$${GHCR_USERNAME}" --password "$${GHCR_PASSWORD}"
+  - make image-etcd-snapshot-k8s-service
+  environment:
+    GHCR_PASSWORD:
+      from_secret: ghcr_token
+    GHCR_USERNAME:
+      from_secret: ghcr_username
+    PUSH: true
+  volumes:
+  - name: outer-docker-socket
+    path: /var/outer-run
+  - name: docker-socket
+    path: /var/run
+  - name: buildx
+    path: /root/.docker/buildx
+  - name: ssh
+    path: /root/.ssh
+  when:
+    event:
+      exclude:
+      - pull_request
+  depends_on:
+  - image-etcd-snapshot-k8s-service
+
+- name: push-etcd-snapshot-k8s-service-latest
+  pull: always
+  image: autonomy/build-container:latest
+  commands:
+  - docker login ghcr.io --username "$${GHCR_USERNAME}" --password "$${GHCR_PASSWORD}"
+  - make image-etcd-snapshot-k8s-service TAG=latest
+  environment:
+    GHCR_PASSWORD:
+      from_secret: ghcr_token
+    GHCR_USERNAME:
+      from_secret: ghcr_username
+    PUSH: true
+  volumes:
+  - name: outer-docker-socket
+    path: /var/outer-run
+  - name: docker-socket
+    path: /var/run
+  - name: buildx
+    path: /root/.docker/buildx
+  - name: ssh
+    path: /root/.ssh
+  when:
+    branch:
+    - main
+    event:
+      exclude:
+      - pull_request
+  depends_on:
+  - push-etcd-snapshot-k8s-service
+
+- name: talos-backup
+  pull: always
+  image: autonomy/build-container:latest
+  commands:
+  - make talos-backup
+  volumes:
+  - name: outer-docker-socket
+    path: /var/outer-run
+  - name: docker-socket
+    path: /var/run
+  - name: buildx
+    path: /root/.docker/buildx
+  - name: ssh
+    path: /root/.ssh
+  depends_on:
+  - base
+
 - name: image-talos-backup
   pull: always
   image: autonomy/build-container:latest
@@ -209,7 +303,7 @@ steps:
     path: /root/.ssh
   when:
     branch:
-    - master
+    - main
     event:
       exclude:
       - pull_request
@@ -236,6 +330,8 @@ steps:
   depends_on:
   - unit-tests
   - coverage
+  - etcd-snapshot-k8s-service
+  - image-etcd-snapshot-k8s-service
   - talos-backup
   - image-talos-backup
   - lint
@@ -303,6 +399,12 @@ volumes:
   temp:
     medium: memory
 
+trigger:
+  branch:
+    exclude:
+    - renovate/*
+    - dependabot/*
+
 ---
 kind: pipeline
 type: kubernetes
@@ -330,6 +432,10 @@ steps:
     - failure
 
 trigger:
+  branch:
+    exclude:
+    - renovate/*
+    - dependabot/*
   status:
   - success
   - failure

.golangci.yml

@@ -1,6 +1,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2022-08-24T20:10:08Z by kres latest.
+# Generated on 2022-10-19T13:40:41Z by kres latest.
 
 # options for analysis running
 run:

Dockerfile

@@ -2,21 +2,21 @@
 
 # THIS FILE WAS AUTOMATICALLY GENERATED, PLEASE DO NOT EDIT.
 #
-# Generated on 2022-08-24T20:10:08Z by kres latest.
+# Generated on 2022-10-19T13:48:11Z by kres latest.
 
 ARG TOOLCHAIN
 
 # cleaned up specs and compiled versions
 FROM scratch AS generate
 
-FROM ghcr.io/siderolabs/ca-certificates:v1.1.0 AS image-ca-certificates
+FROM ghcr.io/siderolabs/ca-certificates:v1.2.0 AS image-ca-certificates
 
-FROM ghcr.io/siderolabs/fhs:v1.1.0 AS image-fhs
+FROM ghcr.io/siderolabs/fhs:v1.2.0 AS image-fhs
 
 # runs markdownlint
-FROM node:18.7.0-alpine AS lint-markdown
+FROM docker.io/node:18.10.0-alpine3.16 AS lint-markdown
 WORKDIR /src
-RUN npm i -g markdownlint-cli@0.31.1
+RUN npm i -g markdownlint-cli@0.32.2
 RUN npm i [email protected]
 COPY .markdownlint.json .
 COPY ./README.md ./README.md
@@ -27,16 +27,19 @@ FROM ${TOOLCHAIN} AS toolchain
 RUN apk --update --no-cache add bash curl build-base protoc protobuf-dev
 
 # build tools
-FROM toolchain AS tools
+FROM --platform=${BUILDPLATFORM} toolchain AS tools
 ENV GO111MODULE on
-ENV CGO_ENABLED 0
+ARG CGO_ENABLED
+ENV CGO_ENABLED ${CGO_ENABLED}
 ENV GOPATH /go
 ARG GOLANGCILINT_VERSION
 RUN go install github.com/golangci/golangci-lint/cmd/golangci-lint@${GOLANGCILINT_VERSION} \
 	&& mv /go/bin/golangci-lint /bin/golangci-lint
 ARG GOFUMPT_VERSION
 RUN go install mvdan.cc/gofumpt@${GOFUMPT_VERSION} \
 	&& mv /go/bin/gofumpt /bin/gofumpt
+RUN go install golang.org/x/vuln/cmd/govulncheck@latest \
+	&& mv /go/bin/govulncheck /bin/govulncheck
 ARG GOIMPORTS_VERSION
 RUN go install golang.org/x/tools/cmd/goimports@${GOIMPORTS_VERSION} \
 	&& mv /go/bin/goimports /bin/goimports
@@ -55,6 +58,22 @@ COPY ./cmd ./cmd
 COPY ./pkg ./pkg
 RUN --mount=type=cache,target=/go/pkg go list -mod=readonly all >/dev/null
 
+# builds etcd-snapshot-k8s-service-linux-amd64
+FROM base AS etcd-snapshot-k8s-service-linux-amd64-build
+COPY --from=generate / /
+WORKDIR /src/cmd/etcd-snapshot-k8s-service
+ARG GO_BUILDFLAGS
+ARG GO_LDFLAGS
+RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg GOARCH=amd64 GOOS=linux go build ${GO_BUILDFLAGS} -ldflags "${GO_LDFLAGS}" -o /etcd-snapshot-k8s-service-linux-amd64
+
+# builds etcd-snapshot-k8s-service-linux-arm64
+FROM base AS etcd-snapshot-k8s-service-linux-arm64-build
+COPY --from=generate / /
+WORKDIR /src/cmd/etcd-snapshot-k8s-service
+ARG GO_BUILDFLAGS
+ARG GO_LDFLAGS
+RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg GOARCH=arm64 GOOS=linux go build ${GO_BUILDFLAGS} -ldflags "${GO_LDFLAGS}" -o /etcd-snapshot-k8s-service-linux-arm64
+
 # runs gofumpt
 FROM base AS lint-gofumpt
 RUN FILES="$(gofumpt -l .)" && test -z "${FILES}" || (echo -e "Source code is not formatted with 'gofumpt -w .':\n${FILES}"; exit 1)
@@ -69,17 +88,25 @@ COPY .golangci.yml .
 ENV GOGC 50
 RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/root/.cache/golangci-lint --mount=type=cache,target=/go/pkg golangci-lint run --config .golangci.yml
 
+# runs govulncheck
+FROM base AS lint-govulncheck
+RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg govulncheck ./...
+
 # builds talos-backup-linux-amd64
 FROM base AS talos-backup-linux-amd64-build
 COPY --from=generate / /
 WORKDIR /src/cmd/talos-backup
-RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg GOARCH=amd64 GOOS=linux go build -ldflags "-s -w" -o /talos-backup-linux-amd64
+ARG GO_BUILDFLAGS
+ARG GO_LDFLAGS
+RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg GOARCH=amd64 GOOS=linux go build ${GO_BUILDFLAGS} -ldflags "${GO_LDFLAGS}" -o /talos-backup-linux-amd64
 
 # builds talos-backup-linux-arm64
 FROM base AS talos-backup-linux-arm64-build
 COPY --from=generate / /
 WORKDIR /src/cmd/talos-backup
-RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg GOARCH=arm64 GOOS=linux go build -ldflags "-s -w" -o /talos-backup-linux-arm64
+ARG GO_BUILDFLAGS
+ARG GO_LDFLAGS
+RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg GOARCH=arm64 GOOS=linux go build ${GO_BUILDFLAGS} -ldflags "${GO_LDFLAGS}" -o /talos-backup-linux-arm64
 
 # runs unit-tests with race detector
 FROM base AS unit-tests-race
@@ -91,6 +118,12 @@ FROM base AS unit-tests-run
 ARG TESTPKGS
 RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg --mount=type=cache,target=/tmp go test -v -covermode=atomic -coverprofile=coverage.txt -coverpkg=${TESTPKGS} -count 1 ${TESTPKGS}
 
+FROM scratch AS etcd-snapshot-k8s-service-linux-amd64
+COPY --from=etcd-snapshot-k8s-service-linux-amd64-build /etcd-snapshot-k8s-service-linux-amd64 /etcd-snapshot-k8s-service-linux-amd64
+
+FROM scratch AS etcd-snapshot-k8s-service-linux-arm64
+COPY --from=etcd-snapshot-k8s-service-linux-arm64-build /etcd-snapshot-k8s-service-linux-arm64 /etcd-snapshot-k8s-service-linux-arm64
+
 FROM scratch AS talos-backup-linux-amd64
 COPY --from=talos-backup-linux-amd64-build /talos-backup-linux-amd64 /talos-backup-linux-amd64
 
@@ -100,8 +133,18 @@ COPY --from=talos-backup-linux-arm64-build /talos-backup-linux-arm64 /talos-back
 FROM scratch AS unit-tests
 COPY --from=unit-tests-run /src/coverage.txt /coverage.txt
 
+FROM etcd-snapshot-k8s-service-linux-${TARGETARCH} AS etcd-snapshot-k8s-service
+
 FROM talos-backup-linux-${TARGETARCH} AS talos-backup
 
+FROM scratch AS image-etcd-snapshot-k8s-service
+ARG TARGETARCH
+COPY --from=etcd-snapshot-k8s-service etcd-snapshot-k8s-service-linux-${TARGETARCH} /etcd-snapshot-k8s-service
+COPY --from=image-fhs / /
+COPY --from=image-ca-certificates / /
+LABEL org.opencontainers.image.source https://github.com/siderolabs/talos-backup
+ENTRYPOINT ["/etcd-snapshot-k8s-service"]
+
 FROM scratch AS image-talos-backup
 ARG TARGETARCH
 COPY --from=talos-backup talos-backup-linux-${TARGETARCH} /talos-backup