feat: add openbao backup rclone

clusters/cl01tl/helm/rclone/templates/external-secret.yaml

@@ -14,38 +14,23 @@ spec:
   data:
     - secretKey: ACCESS_KEY_ID
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /garage/home-infra/directus-assets
-        metadataPolicy: None
         property: ACCESS_KEY_ID
     - secretKey: ACCESS_REGION
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /garage/home-infra/directus-assets
-        metadataPolicy: None
         property: ACCESS_REGION
     - secretKey: ACCESS_SECRET_KEY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /garage/home-infra/directus-assets
-        metadataPolicy: None
         property: ACCESS_SECRET_KEY
     - secretKey: SRC_ENDPOINT
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /garage/config/local
-        metadataPolicy: None
         property: ENDPOINT
     - secretKey: DEST_ENDPOINT
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /garage/config/remote
-        metadataPolicy: None
         property: ENDPOINT
 
 ---
@@ -65,38 +50,23 @@ spec:
   data:
     - secretKey: ACCESS_KEY_ID
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /garage/home-infra/karakeep-assets
-        metadataPolicy: None
         property: ACCESS_KEY_ID
     - secretKey: ACCESS_REGION
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /garage/home-infra/karakeep-assets
-        metadataPolicy: None
         property: ACCESS_REGION
     - secretKey: ACCESS_SECRET_KEY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /garage/home-infra/karakeep-assets
-        metadataPolicy: None
         property: ACCESS_SECRET_KEY
     - secretKey: SRC_ENDPOINT
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /garage/config/local
-        metadataPolicy: None
         property: ENDPOINT
     - secretKey: DEST_ENDPOINT
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /garage/config/remote
-        metadataPolicy: None
         property: ENDPOINT
 
 ---
@@ -116,38 +86,23 @@ spec:
   data:
     - secretKey: ACCESS_KEY_ID
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /garage/home-infra/talos-backups
-        metadataPolicy: None
         property: ACCESS_KEY_ID
     - secretKey: ACCESS_REGION
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /garage/home-infra/talos-backups
-        metadataPolicy: None
         property: ACCESS_REGION
     - secretKey: ACCESS_SECRET_KEY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /garage/home-infra/talos-backups
-        metadataPolicy: None
         property: ACCESS_SECRET_KEY
     - secretKey: SRC_ENDPOINT
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /garage/config/local
-        metadataPolicy: None
         property: ENDPOINT
     - secretKey: DEST_ENDPOINT
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /garage/config/remote
-        metadataPolicy: None
         property: ENDPOINT
 
 ---
@@ -167,38 +122,23 @@ spec:
   data:
     - secretKey: ACCESS_KEY_ID
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /garage/home-infra/web-assets
-        metadataPolicy: None
         property: ACCESS_KEY_ID
     - secretKey: ACCESS_REGION
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /garage/home-infra/web-assets
-        metadataPolicy: None
         property: ACCESS_REGION
     - secretKey: ACCESS_SECRET_KEY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /garage/home-infra/web-assets
-        metadataPolicy: None
         property: ACCESS_SECRET_KEY
     - secretKey: SRC_ENDPOINT
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /garage/config/local
-        metadataPolicy: None
         property: ENDPOINT
     - secretKey: DEST_ENDPOINT
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /garage/config/remote
-        metadataPolicy: None
         property: ENDPOINT
 
 ---
@@ -218,38 +158,23 @@ spec:
   data:
     - secretKey: ACCESS_KEY_ID
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /garage/home-infra/postgres-backups
-        metadataPolicy: None
         property: ACCESS_KEY_ID
     - secretKey: ACCESS_REGION
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /garage/home-infra/postgres-backups
-        metadataPolicy: None
         property: ACCESS_REGION
     - secretKey: ACCESS_SECRET_KEY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /garage/home-infra/postgres-backups
-        metadataPolicy: None
         property: ACCESS_SECRET_KEY
     - secretKey: SRC_ENDPOINT
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /garage/config/local
-        metadataPolicy: None
         property: ENDPOINT
     - secretKey: DEST_ENDPOINT
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /garage/config/remote
-        metadataPolicy: None
         property: ENDPOINT
 
 ---
@@ -269,36 +194,89 @@ spec:
   data:
     - secretKey: ACCESS_KEY_ID
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /garage/home-infra/ntfy-attachments
-        metadataPolicy: None
         property: ACCESS_KEY_ID
     - secretKey: ACCESS_REGION
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /garage/home-infra/ntfy-attachments
-        metadataPolicy: None
         property: ACCESS_REGION
     - secretKey: ACCESS_SECRET_KEY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /garage/home-infra/ntfy-attachments
-        metadataPolicy: None
         property: ACCESS_SECRET_KEY
     - secretKey: SRC_ENDPOINT
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /garage/config/local
-        metadataPolicy: None
         property: ENDPOINT
     - secretKey: DEST_ENDPOINT
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /garage/config/remote
-        metadataPolicy: None
+        property: ENDPOINT
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: garage-openbao-backups-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: garage-openbao-backups-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: openbao
+  data:
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        key: /garage/home-infra/openbao-backups
+        property: ACCESS_KEY_ID
+    - secretKey: ACCESS_REGION
+      remoteRef:
+        key: /garage/home-infra/openbao-backups
+        property: ACCESS_REGION
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        key: /garage/home-infra/openbao-backups
+        property: ACCESS_SECRET_KEY
+    - secretKey: ENDPOINT_LOCAL
+      remoteRef:
+        key: /garage/home-infra/openbao-backups
+        property: ENDPOINT_LOCAL
+    - secretKey: ENDPOINT_REMOTE
+      remoteRef:
+        key: /garage/home-infra/openbao-backups
+        property: ENDPOINT_REMOTE
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: external-openbao-backups-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: external-openbao-backups-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: openbao
+  data:
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        key: /digital-ocean/home-infra/openbao-backups
+        property: ACCESS_KEY_ID
+    - secretKey: ACCESS_REGION
+      remoteRef:
+        key: /digital-ocean/home-infra/openbao-backups
+        property: ACCESS_REGION
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        key: /digital-ocean/home-infra/openbao-backups
+        property: ACCESS_SECRET_KEY
+    - secretKey: ENDPOINT
+      remoteRef:
+        key: /digital-ocean/home-infra/openbao-backups
         property: ENDPOINT

clusters/cl01tl/helm/rclone/values.yaml

@@ -554,3 +554,237 @@ rclone:
                   key: DEST_ENDPOINT
             - name: RCLONE_CONFIG_SRC_DEST_FORCE_PATH_STYLE
               value: true
+    openbao-backups-remote:
+      type: cronjob
+      cronjob:
+        suspend: false
+        timeZone: America/Chicago
+        schedule: 0 1 * * *
+        backoffLimit: 3
+        parallelism: 1
+      containers:
+        sync:
+          image:
+            repository: rclone/rclone
+            tag: 1.73.4@sha256:654f6517c7aaec7e377690b2caf7c272dbe5f3b8200afbc14a00df6b4a9aa6ef
+          args:
+            - sync
+            - src:openbao-backups
+            - dest:openbao-backups
+            - --s3-no-check-bucket
+            - --max-age
+            - 90d
+            - --verbose
+          env:
+            - name: RCLONE_S3_PROVIDER
+              value: Other
+            - name: RCLONE_CONFIG_SRC_TYPE
+              value: s3
+            - name: RCLONE_CONFIG_SRC_PROVIDER
+              value: Other
+            - name: RCLONE_CONFIG_SRC_ENV_AUTH
+              value: false
+            - name: RCLONE_CONFIG_SRC_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  name: garage-openbao-backups-secret
+                  key: ACCESS_KEY_ID
+            - name: RCLONE_CONFIG_SRC_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: garage-openbao-backups-secret
+                  key: ACCESS_SECRET_KEY
+            - name: RCLONE_CONFIG_SRC_REGION
+              valueFrom:
+                secretKeyRef:
+                  name: garage-openbao-backups-secret
+                  key: ACCESS_REGION
+            - name: RCLONE_CONFIG_SRC_ENDPOINT
+              valueFrom:
+                secretKeyRef:
+                  name: garage-openbao-backups-secret
+                  key: ENDPOINT_LOCAL
+            - name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE
+              value: true
+            - name: RCLONE_CONFIG_DEST_TYPE
+              value: s3
+            - name: RCLONE_CONFIG_DEST_PROVIDER
+              value: Other
+            - name: RCLONE_CONFIG_DEST_ENV_AUTH
+              value: false
+            - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  name: garage-openbao-backups-secret
+                  key: ACCESS_KEY_ID
+            - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: garage-openbao-backups-secret
+                  key: ACCESS_SECRET_KEY
+            - name: RCLONE_CONFIG_DEST_REGION
+              valueFrom:
+                secretKeyRef:
+                  name: garage-openbao-backups-secret
+                  key: ACCESS_REGION
+            - name: RCLONE_CONFIG_DEST_ENDPOINT
+              valueFrom:
+                secretKeyRef:
+                  name: garage-openbao-backups-secret
+                  key: ENDPOINT_REMOTE
+            - name: RCLONE_CONFIG_SRC_DEST_FORCE_PATH_STYLE
+              value: true
+        prune:
+          image:
+            repository: rclone/rclone
+            tag: 1.73.4@sha256:654f6517c7aaec7e377690b2caf7c272dbe5f3b8200afbc14a00df6b4a9aa6ef
+          args:
+            - delete
+            - dest:openbao-backups
+            - --min-age
+            - 90d
+            - --verbose
+          env:
+            - name: RCLONE_CONFIG_DEST_TYPE
+              value: s3
+            - name: RCLONE_CONFIG_DEST_PROVIDER
+              value: Other
+            - name: RCLONE_CONFIG_DEST_ENV_AUTH
+              value: false
+            - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  name: garage-openbao-backups-secret
+                  key: ACCESS_KEY_ID
+            - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: garage-openbao-backups-secret
+                  key: ACCESS_SECRET_KEY
+            - name: RCLONE_CONFIG_DEST_REGION
+              valueFrom:
+                secretKeyRef:
+                  name: garage-openbao-backups-secret
+                  key: ACCESS_REGION
+            - name: RCLONE_CONFIG_DEST_ENDPOINT
+              valueFrom:
+                secretKeyRef:
+                  name: garage-openbao-backups-secret
+                  key: ENDPOINT_REMOTE
+            - name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE
+              value: true
+    openbao-backups-external:
+      type: cronjob
+      cronjob:
+        suspend: false
+        timeZone: America/Chicago
+        schedule: 10 1 * * *
+        backoffLimit: 3
+        parallelism: 1
+      containers:
+        sync:
+          image:
+            repository: rclone/rclone
+            tag: 1.73.4@sha256:654f6517c7aaec7e377690b2caf7c272dbe5f3b8200afbc14a00df6b4a9aa6ef
+          args:
+            - sync
+            - src:openbao-backups
+            - dest:openbao-backups-6e088aad5fad110b
+            - --s3-no-check-bucket
+            - --max-age
+            - 90d
+            - --verbose
+          env:
+            - name: RCLONE_S3_PROVIDER
+              value: Other
+            - name: RCLONE_CONFIG_SRC_TYPE
+              value: s3
+            - name: RCLONE_CONFIG_SRC_PROVIDER
+              value: Other
+            - name: RCLONE_CONFIG_SRC_ENV_AUTH
+              value: false
+            - name: RCLONE_CONFIG_SRC_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  name: garage-openbao-backups-secret
+                  key: ACCESS_KEY_ID
+            - name: RCLONE_CONFIG_SRC_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: garage-openbao-backups-secret
+                  key: ACCESS_SECRET_KEY
+            - name: RCLONE_CONFIG_SRC_REGION
+              valueFrom:
+                secretKeyRef:
+                  name: garage-openbao-backups-secret
+                  key: ACCESS_REGION
+            - name: RCLONE_CONFIG_SRC_ENDPOINT
+              valueFrom:
+                secretKeyRef:
+                  name: garage-openbao-backups-secret
+                  key: ENDPOINT_LOCAL
+            - name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE
+              value: true
+            - name: RCLONE_CONFIG_DEST_TYPE
+              value: s3
+            - name: RCLONE_CONFIG_DEST_PROVIDER
+              value: DigitalOcean
+            - name: RCLONE_CONFIG_DEST_ENV_AUTH
+              value: false
+            - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  name: external-openbao-backups-secret
+                  key: ACCESS_KEY_ID
+            - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: external-openbao-backups-secret
+                  key: ACCESS_SECRET_KEY
+            - name: RCLONE_CONFIG_DEST_REGION
+              valueFrom:
+                secretKeyRef:
+                  name: external-openbao-backups-secret
+                  key: ACCESS_REGION
+            - name: RCLONE_CONFIG_DEST_ENDPOINT
+              valueFrom:
+                secretKeyRef:
+                  name: external-openbao-backups-secret
+                  key: ENDPOINT
+        prune:
+          image:
+            repository: rclone/rclone
+            tag: 1.73.4@sha256:654f6517c7aaec7e377690b2caf7c272dbe5f3b8200afbc14a00df6b4a9aa6ef
+          args:
+            - delete
+            - dest:openbao-backups-6e088aad5fad110b
+            - --min-age
+            - 90d
+            - --verbose
+          env:
+            - name: RCLONE_CONFIG_DEST_TYPE
+              value: s3
+            - name: RCLONE_CONFIG_DEST_PROVIDER
+              value: DigitalOcean
+            - name: RCLONE_CONFIG_DEST_ENV_AUTH
+              value: false
+            - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  name: external-openbao-backups-secret
+                  key: ACCESS_KEY_ID
+            - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: external-openbao-backups-secret
+                  key: ACCESS_SECRET_KEY
+            - name: RCLONE_CONFIG_DEST_REGION
+              valueFrom:
+                secretKeyRef:
+                  name: external-openbao-backups-secret
+                  key: ACCESS_REGION
+            - name: RCLONE_CONFIG_DEST_ENDPOINT
+              valueFrom:
+                secretKeyRef:
+                  name: external-openbao-backups-secret
+                  key: ENDPOINT