add final components for backup-restore deployment

src/_nebari/stages/kubernetes_services/__init__.py

@@ -192,10 +192,14 @@ def check_default(cls, value):
 
 class BackupRestoreStorage(schema.Base):
     type: str
+    config: Dict[str, Any] = {}
 
 
 class BackupRestore(schema.Base):
+    enabled: bool = False
     storage: BackupRestoreStorage = BackupRestoreStorage(type="s3")
+    image: str = "nebari/nebari-backup-restore"
+    image_tag: str = "main"
 
 
 class CondaEnvironment(schema.Base):
@@ -375,6 +379,7 @@ class InputSchema(schema.Base):
     jupyterlab: JupyterLab = JupyterLab()
     jhub_apps: JHubApps = JHubApps()
     ceph: RookCeph = RookCeph()
+    backup_restore: BackupRestore = BackupRestore()
 
     def _set_storage_type_default_value(self):
         if self.storage.type is None:
@@ -525,6 +530,13 @@ class ArgoWorkflowsInputVars(schema.Base):
     )
 
 
+class BackupRestoreInputVars(schema.Base):
+    backup_restore_enabled: bool = Field(alias="backup-restore-enabled")
+    backup_restore_storage: BackupRestoreStorage = Field(alias="backup-restore-storage")
+    backup_restore_image: str = Field(alias="backup-restore-image")
+    backup_restore_image_tag: str = Field(alias="backup-restore-image-tag")
+
+
 class KubernetesServicesStage(NebariTerraformStage):
     name = "07-kubernetes-services"
     priority = 70
@@ -692,6 +704,14 @@ def input_vars(self, stage_outputs: Dict[str, Dict[str, Any]]):
             keycloak_read_only_user_credentials=keycloak_read_only_user_credentials,
         )
 
+        backup_restore_vars = BackupRestoreInputVars(
+            backup_restore_enabled=self.config.backup_restore.enabled,
+            backup_restore_storage=self.config.backup_restore.storage,
+            backup_restore_services=self.config.backup_restore.services,
+            backup_restore_image=self.config.backup_restore.image,
+            backup_restore_image_tag=self.config.backup_restore.image_tag,
+        )
+
         return {
             **kubernetes_services_vars.model_dump(by_alias=True),
             **rook_ceph_vars.model_dump(by_alias=True),
@@ -701,6 +721,7 @@ def input_vars(self, stage_outputs: Dict[str, Dict[str, Any]]):
             **monitoring_vars.model_dump(by_alias=True),
             **argo_workflows_vars.model_dump(by_alias=True),
             **telemetry_vars.model_dump(by_alias=True),
+            **backup_restore_vars.model_dump(by_alias=True),
         }
 
     def check(

src/_nebari/stages/kubernetes_services/template/backup_restore.tf

@@ -0,0 +1,34 @@
+variable "backup-restore-enabled" {
+  description = "Enable backup-restore service"
+  type        = bool
+  default     = false
+}
+
+variable "backup-restore-storage" {
+  description = "Storage backend for backup-restore"
+  type        = map(string)
+  default     = {}
+}
+
+variable "backup-restore-image" {
+  description = "The image to use for the backup-restore service"
+  type        = string
+}
+
+variable "backup-restore-image-tag" {
+  description = "The tag of the image to use for the backup-restore service"
+  type        = string
+}
+
+module "nebari-backup-restore" {
+  count  = var.backup-restore-enabled ? 1 : 0
+  source = "./modules/kubernetes/services/backup-restore"
+
+  external-url = var.endpoint
+  realm_id     = "nebari"
+  image        = var.backup-restore-image
+  storage      = var.backup-restore-storage
+  image_tag    = var.backup-restore-image-tag
+  namespace    = var.environment
+  clients      = ["nebari-cli"]
+}

src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/backup-restore/main.tf

@@ -1,7 +1,31 @@
+module "jupyterhub-openid-client" {
+  source = "../keycloak-client"
+
+  realm_id                 = var.realm_id
+  client_id                = "nebari-cli"
+  external-url             = var.external-url
+  role_mapping             = {}
+  client_roles             = []
+  callback-url-paths       = []
+  service-accounts-enabled = true
+  service-account-roles    = ["realm-admin"]
+}
+
 locals {
   clients = {
     for client in var.clients : client => client
   }
+  services = {
+    "keycloak.json" = jsonencode({
+      "auth" : {
+        "auth_url" : "https://${var.external-url}/auth",
+        "realm" : var.realm_id,
+        "client_id" : "nebari-cli",
+        "client_secret" : module.jupyterhub-openid-client.client_secret,
+        "verify_ssl" : false
+      }
+    })
+  }
 }
 
 resource "random_password" "backup_restore_service_token" {
@@ -22,6 +46,17 @@ resource "kubernetes_secret" "backup_restore_service_token" {
   }
 }
 
+resource "kubernetes_config_map" "backup-restore-etc" {
+  metadata {
+    name      = "backup-restore-etc"
+    namespace = var.namespace
+  }
+
+  # Merge local.services with the storage.json entry
+  data = merge(local.services, {
+    "storage.json" = jsonencode(var.storage)
+  })
+}
 
 resource "kubernetes_service" "backup_restore" {
   metadata {
@@ -41,73 +76,13 @@ resource "kubernetes_service" "backup_restore" {
   }
 }
 
-resource "kubernetes_config_map" "backup-restore-etc" {
-  metadata {
-    name      = "backup-restore-etc"
-    namespace = var.namespace
-  }
-
-  data = {
-    "keycloak.json" = jsonencode({})
-    "storage.json"  = jsonencode({})
-  }
-}
-
 resource "kubernetes_service_account" "backup_restore" {
   metadata {
     name      = "backup-restore"
     namespace = var.namespace
   }
 }
 
-resource "kubernetes_manifest" "backup_restore" {
-  manifest = {
-    apiVersion = "traefik.containo.us/v1alpha1"
-    kind       = "IngressRoute"
-    metadata = {
-      name      = "backup-restore"
-      namespace = var.namespace
-    }
-    spec = {
-      entryPoints = ["websecure"]
-      routes = [
-        {
-          kind  = "Rule"
-          match = "Host(`${var.external-url}`) && PathPrefix(`/backup-restore/`)"
-
-          middlewares = [
-            {
-              name      = "nebari-backup-restore-api"
-              namespace = var.namespace
-            }
-          ]
-
-          services = [
-            {
-              name = kubernetes_service.backup_restore.metadata.0.name
-              port = 8000
-            }
-          ]
-        }
-      ]
-    }
-  }
-}
-
-
-module "jupyterhub-openid-client" {
-  source = "../keycloak-client"
-
-  realm_id                 = var.realm_id
-  client_id                = "nebari-cli"
-  external-url             = var.external-url
-  role_mapping             = {}
-  client_roles             = []
-  callback-url-paths       = []
-  service-accounts-enabled = true
-  service-account-roles    = ["realm-admin"]
-}
-
 resource "kubernetes_deployment" "backup_restore" {
   metadata {
     name      = "backup-restore"
@@ -135,7 +110,7 @@ resource "kubernetes_deployment" "backup_restore" {
 
         container {
           name              = "backup-restore"
-          image             = "${var.backup-restore-image}:${var.backup-restore-image-tag}"
+          image             = "${var.image}:${var.image_tag}"
           image_pull_policy = "Always"
 
           env {

src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/backup-restore/variables.tf

@@ -24,12 +24,20 @@ variable "realm_id" {
   type        = string
 }
 
-variable "backup-restore-image" {
-  description = "Backup-restore image"
+variable "storage" {
+  description = "Storage configuration for backup-restore server"
+  type = object({
+    type   = string
+    config = map(string)
+  })
+}
+
+variable "image" {
+  description = "The image to use for the backup-restore service"
   type        = string
 }
 
-variable "backup-restore-image-tag" {
-  description = "Version of backup-restore to use"
+variable "image_tag" {
+  description = "The tag of the image to use for the backup-restore service"
   type        = string
 }