From 617b14b7aa16e164d62664a11c155225af450248 Mon Sep 17 00:00:00 2001
From: Alex Lebens
Date: Fri, 24 Apr 2026 15:38:27 -0500
Subject: [PATCH] feat: switch to openbao
---
charts/volsync-target/Chart.yaml | 2 +-
charts/volsync-target/README.md | 15 +--
.../templates/external-secret.yaml | 99 +++++++------------
charts/volsync-target/values.yaml | 21 ++--
4 files changed, 54 insertions(+), 83 deletions(-)
diff --git a/charts/volsync-target/Chart.yaml b/charts/volsync-target/Chart.yaml
index ab288b0..a5d8aa9 100644
--- a/charts/volsync-target/Chart.yaml
+++ b/charts/volsync-target/Chart.yaml
@@ -1,6 +1,6 @@
apiVersion: v2
name: volsync-target
-version: 0.8.0
+version: 1.0.0
description: Volsync Replication set to target specific PVC with preconfigured settings
keywords:
- volsync-target
diff --git a/charts/volsync-target/README.md b/charts/volsync-target/README.md
index 798fdbc..4bc5e92 100644
--- a/charts/volsync-target/README.md
+++ b/charts/volsync-target/README.md
@@ -1,6 +1,6 @@
# volsync-target
-![Version: 0.8.0](https://img.shields.io/badge/Version-0.8.0-informational?style=flat-square) ![AppVersion: 0.15.0](https://img.shields.io/badge/AppVersion-0.15.0-informational?style=flat-square)
+![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![AppVersion: 0.15.0](https://img.shields.io/badge/AppVersion-0.15.0-informational?style=flat-square)
Volsync Replication set to target specific PVC with preconfigured settings
@@ -20,21 +20,22 @@ Volsync Replication set to target specific PVC with preconfigured settings | Key | Type | Default | Description | |-----|------|---------|-------------| | additionalLabels | object | `{}` | Add additional labels | -| external | object | `{"enabled":true,"externalSecret":{"credentialPath":"/digital-ocean/home-infra/volsync-backups","volsyncPath":"/volsync/restic/digital-ocean"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 9 * * *"}` | External backup configuration | -| external.externalSecret | object | `{"credentialPath":"/digital-ocean/home-infra/volsync-backups","volsyncPath":"/volsync/restic/digital-ocean"}` | External Secret configuration | +| external | object | `{"enabled":true,"externalSecret":{"bucketPath":"/digital-ocean/config","credentialPath":"/digital-ocean/home-infra/volsync-backups"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 9 * * *"}` | External backup configuration | +| external.externalSecret | object | `{"bucketPath":"/digital-ocean/config","credentialPath":"/digital-ocean/home-infra/volsync-backups"}` | External Secret configuration | | external.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml | | external.schedule | string | `"0 9 * * *"` | 5 character cron schedule | | externalSecrets | object | `{"enabled":true}` | Use external secrets | -| 
local | object | `{"enabled":false,"externalSecret":{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-local"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 8 * * *"}` | Local backup configuration | -| local.externalSecret | object | `{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-local"}` | External Secret configuration | +| kubernetesClusterName | string | `"cl01tl"` | Kubernetes cluster name | +| local | object | `{"enabled":false,"externalSecret":{"bucketPath":"/garage/config","credentialPath":"/garage/home-infra/volsync-backups"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 8 * * *"}` | Local backup configuration | +| local.externalSecret | object | `{"bucketPath":"/garage/config","credentialPath":"/garage/home-infra/volsync-backups"}` | External Secret configuration | | local.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml | | local.schedule | string | `"0 8 * * *"` | 5 character cron schedule | | moverSecurityContext | object | `{}` | Glocal security context for restic mover | | nameOverride | string | `""` | Default pattern follows -backup | | namespaceOverride | string | `""` | Override the namespace of the chart | | pvcTarget | string | `"data"` | Name of the PVC target | -| remote | object 
| `{"enabled":false,"externalSecret":{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-remote"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 10 * * *"}` | Remote backup configuration | -| remote.externalSecret | object | `{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-remote"}` | External Secret configuration | +| remote | object | `{"enabled":false,"externalSecret":{"bucketPath":"/garage/config","credentialPath":"/garage/home-infra/volsync-backups"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 10 * * *"}` | Remote backup configuration | +| remote.externalSecret | object | `{"bucketPath":"/garage/config","credentialPath":"/garage/home-infra/volsync-backups"}` | External Secret configuration | | remote.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml | | remote.schedule | string | `"0 10 * * *"` | 5 character cron schedule | diff --git a/charts/volsync-target/templates/external-secret.yaml b/charts/volsync-target/templates/external-secret.yaml index 9ee00b6..ee0a64a 100644 --- a/charts/volsync-target/templates/external-secret.yaml +++ b/charts/volsync-target/templates/external-secret.yaml 
@@ -14,48 +14,37 @@ metadata: spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao target: template: mergePolicy: Merge engineVersion: v2 data: - RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}" + RESTIC_REPOSITORY: "s3:{{ `{{ .ENDPOINT }}` }}/{{ `{{ .BUCKET }}` }}/{{ .Values.kubernetesClusterName }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}" data: - - secretKey: BUCKET_ENDPOINT + - secretKey: ENDPOINT remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: {{ .Values.local.externalSecret.volsyncPath | required "External Secret Volsync local path is required" }} - metadataPolicy: None - property: BUCKET_ENDPOINT + key: {{ .Values.local.externalSecret.bucketPath | required "External Secret Volsync local path is required" }} + property: ENDPOINT_LOCAL + - secretKey: BUCKET + remoteRef: + key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Volsync local path is required" }} + property: BUCKET - secretKey: RESTIC_PASSWORD remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: {{ .Values.local.externalSecret.volsyncPath | required "External Secret Volsync local path is required" }} - metadataPolicy: None - property: RESTIC_PASSWORD + key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Volsync local path is required" }} + property: RESTIC_PASSWORD_LOCAL - secretKey: AWS_DEFAULT_REGION remoteRef: - conversionStrategy: Default - decodingStrategy: None key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Credential local path is required" }} - metadataPolicy: None property: ACCESS_REGION - secretKey: AWS_ACCESS_KEY_ID remoteRef: - conversionStrategy: Default - decodingStrategy: None key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Credential local path is required" }} - 
metadataPolicy: None property: ACCESS_KEY_ID - secretKey: AWS_SECRET_ACCESS_KEY remoteRef: - conversionStrategy: Default - decodingStrategy: None key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Credential local path is required" }} - metadataPolicy: None property: ACCESS_SECRET_KEY {{- end }} 
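Review bot: The new `RESTIC_REPOSITORY` template splices `{{ .Values.kubernetesClusterName }}` into the repository path without the `required` guard that `pvcTarget` gets on the same line, so an empty value renders `s3:<endpoint>/<bucket>//<namespace>/<pvc>` instead of failing the render. Since this segment is what keeps clusters that share one bucket from writing into each other's restic repositories, it should fail fast: `{{ .Values.kubernetesClusterName | required "Kubernetes cluster name is required" }}`. The identical line appears in the remote and external hunks below. The `{{- if }}` block and the ExternalSecret resource that this hunk belongs to open before the hunk starts.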
@@ -75,48 +64,37 @@ metadata: spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao target: template: mergePolicy: Merge engineVersion: v2 data: - RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}" + RESTIC_REPOSITORY: "s3:{{ `{{ .ENDPOINT }}` }}/{{ `{{ .BUCKET }}` }}/{{ .Values.kubernetesClusterName }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}" data: - - secretKey: BUCKET_ENDPOINT + - secretKey: ENDPOINT remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: {{ .Values.remote.externalSecret.volsyncPath | required "External Secret Volsync remote path is required" }} - metadataPolicy: None - property: BUCKET_ENDPOINT + key: {{ .Values.remote.externalSecret.bucketPath | required "External Secret Volsync local path is required" }} + property: ENDPOINT_REMOTE + - secretKey: BUCKET + remoteRef: + key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Volsync local path is required" }} + property: BUCKET - secretKey: RESTIC_PASSWORD remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: {{ .Values.remote.externalSecret.volsyncPath | required "External Secret Volsync remote path is required" }} - metadataPolicy: None - property: RESTIC_PASSWORD + key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Volsync local path is required" }} + property: RESTIC_PASSWORD_REMOTE - secretKey: AWS_DEFAULT_REGION remoteRef: - conversionStrategy: Default - decodingStrategy: None key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Credential remote path is required" }} - metadataPolicy: None property: ACCESS_REGION - secretKey: AWS_ACCESS_KEY_ID remoteRef: - conversionStrategy: Default - decodingStrategy: None key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Credential remote path is 
required" }} - metadataPolicy: None property: ACCESS_KEY_ID - secretKey: AWS_SECRET_ACCESS_KEY remoteRef: - conversionStrategy: Default - decodingStrategy: None key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Credential remote path is required" }} - metadataPolicy: None property: ACCESS_SECRET_KEY {{- end }} 
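Review bot: The `required` messages on the new remote `ENDPOINT`, `BUCKET` and `RESTIC_PASSWORD` entries read "External Secret Volsync local path is required" although they guard `.Values.remote.externalSecret.*`, so a missing remote value is reported against the wrong section; the untouched `AWS_*` entries right below them correctly say "remote". Change them to `required "External Secret Volsync remote bucket path is required"` for `bucketPath` and `required "External Secret Volsync remote credential path is required"` for the two `credentialPath` lookups. The `BUCKET` entry in the external hunk that follows carries the same copy-pasted "local" message, and in the local hunk above the `ENDPOINT` entry still describes `bucketPath` as a "Volsync local path", a name left over from the removed `volsyncPath` value.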
@@ -136,47 +114,36 @@ metadata: spec: secretStoreRef: kind: ClusterSecretStore - name: vault + name: openbao target: template: mergePolicy: Merge engineVersion: v2 data: - RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}" + RESTIC_REPOSITORY: "s3:{{ `{{ .ENDPOINT }}` }}/{{ `{{ .BUCKET }}` }}/{{ .Values.kubernetesClusterName }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}" data: - - secretKey: BUCKET_ENDPOINT + - secretKey: ENDPOINT remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: {{ .Values.external.externalSecret.volsyncPath | required "External Secret Volsync external path is required" }} - metadataPolicy: None - property: BUCKET_ENDPOINT + key: {{ .Values.external.externalSecret.bucketPath | required "External Secret Volsync external path is required" }} + property: ENDPOINT + - secretKey: BUCKET + remoteRef: + key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Volsync local path is required" }} + property: BUCKET - secretKey: RESTIC_PASSWORD remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: {{ .Values.external.externalSecret.volsyncPath | required "External Secret Volsync external path is required" }} - metadataPolicy: None + key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Volsync external path is required" }} property: RESTIC_PASSWORD - secretKey: AWS_DEFAULT_REGION remoteRef: - conversionStrategy: Default - decodingStrategy: None key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Credential external path is required" }} - metadataPolicy: None - property: AWS_DEFAULT_REGION + property: AWS_REGION - secretKey: AWS_ACCESS_KEY_ID remoteRef: - conversionStrategy: Default - decodingStrategy: None key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Credential external 
path is required" }} - metadataPolicy: None property: AWS_ACCESS_KEY_ID - secretKey: AWS_SECRET_ACCESS_KEY remoteRef: - conversionStrategy: Default - decodingStrategy: None key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Credential external path is required" }} - metadataPolicy: None property: AWS_SECRET_ACCESS_KEY {{- end }} diff --git a/charts/volsync-target/values.yaml b/charts/volsync-target/values.yaml index 1620e19..aff3e01 100644 --- a/charts/volsync-target/values.yaml +++ b/charts/volsync-target/values.yaml @@ -4,6 +4,9 @@ nameOverride: "" # -- Override the namespace of the chart namespaceOverride: "" +# -- Kubernetes cluster name +kubernetesClusterName: cl01tl + # -- Add additional labels additionalLabels: {} @@ -41,9 +44,9 @@ local: # -- External Secret configuration externalSecret: - # This path must contain the BUCKET_ENDPOINT and RESTIC_PASSWORD - volsyncPath: /volsync/restic/garage-local - # This path must contain the AWS/S3 credentials + # This path must contain the BUCKET_ENDPOINT + bucketPath: /garage/config + # This path must contain the AWS/S3 credentials and RESTIC_PASSWORD credentialPath: /garage/home-infra/volsync-backups # -- Remote backup configuration @@ -70,9 +73,9 @@ remote: # -- External Secret configuration externalSecret: - # This path must contain the BUCKET_ENDPOINT and RESTIC_PASSWORD - volsyncPath: /volsync/restic/garage-remote - # This path must contain the AWS/S3 credentials + # This path must contain the BUCKET_ENDPOINT + bucketPath: /garage/config + # This path must contain the AWS/S3 credentials and RESTIC_PASSWORD credentialPath: /garage/home-infra/volsync-backups # -- External backup configuration 
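Review bot: The `s3:` scheme is now hard-coded in front of `{{ .ENDPOINT }}` in `RESTIC_REPOSITORY`, so the `ENDPOINT` property stored at `bucketPath` must be a bare host or a `scheme://host` and must not itself start with `s3:`; restic treats a scheme-less S3 endpoint as HTTPS and only talks plaintext when `http://` is given explicitly, which is worth stating so nobody stores an `http://` endpoint and ships the access keys in clear. A comment above the line such as `# ENDPOINT is host[:port] or https://host; the s3: scheme is prepended here and restic defaults to TLS` would capture that contract. Separately, `property: AWS_REGION` replaces `AWS_DEFAULT_REGION` on the store side while the Secret key keeps its old name; that rename is not mentioned in the commit message and presumably requires the existing OpenBao entry to be updated before this ExternalSecret can sync.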
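Review bot: The helm-docs comment `# -- Kubernetes cluster name` does not say what the value is used for, while the template splices it into `RESTIC_REPOSITORY` as the path segment that separates clusters sharing a bucket. A consumer who leaves the default `cl01tl` in place on a second cluster would silently back up into the first cluster's repository path. Say so where the value is defined: `# -- Kubernetes cluster name; used as a path segment of RESTIC_REPOSITORY, so it must be unique per cluster sharing a bucket`.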
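Review bot: The comment `# This path must contain the BUCKET_ENDPOINT` above the new `bucketPath` no longer matches the template, which reads property `ENDPOINT_LOCAL` from `bucketPath` and reads `BUCKET` from `credentialPath`, and the `credentialPath` comment names `RESTIC_PASSWORD` where the template reads `RESTIC_PASSWORD_LOCAL`. Someone provisioning OpenBao from these comments would create keys under the wrong names and the ExternalSecret would fail to sync. Suggested wording: `# This path must contain ENDPOINT_LOCAL` and `# This path must contain BUCKET, RESTIC_PASSWORD_LOCAL and the S3 credentials (ACCESS_REGION, ACCESS_KEY_ID, ACCESS_SECRET_KEY)`. The remote hunk below has the same mismatch with `ENDPOINT_REMOTE`/`RESTIC_PASSWORD_REMOTE`, and in the external hunk the `bucketPath` comment is correct but the `credentialPath` comment should also list `BUCKET`.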
@@ -99,7 +102,7 @@ external:
# -- External Secret configuration
externalSecret:
- # This path must contain the BUCKET_ENDPOINT and RESTIC_PASSWORD
- volsyncPath: /volsync/restic/digital-ocean
- # This path must contain the AWS/S3 credentials
+ # This path must contain the ENDPOINT
+ bucketPath: /digital-ocean/config
+ # This path must contain the AWS/S3 credentials and RESTIC_PASSWORD
credentialPath: /digital-ocean/home-infra/volsync-backups