From 49107211e24c4dfb0bb22a69d2dd97493cad116f Mon Sep 17 00:00:00 2001
From: gitea-bot
Date: Sat, 20 Dec 2025 04:57:26 +0000
Subject: [PATCH] Automated Manifest Update (#2747)
This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow.
Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/2747
Co-authored-by: gitea-bot
Co-committed-by: gitea-bot
---
 .../vault/ConfigMap-vault-backup-script.yaml | 33 ++++++++++-
 .../vault/CronJob-vault-snapshot.yaml | 15 +++++
 .../manifests/vault/Deployment-vault.yaml | 58 -------------------
 ...ternalSecret-vault-backup-ntfy-secret.yaml | 35 +++++++++++
 4 files changed, 80 insertions(+), 61 deletions(-)
 delete mode 100644 clusters/cl01tl/manifests/vault/Deployment-vault.yaml
 create mode 100644 clusters/cl01tl/manifests/vault/ExternalSecret-vault-backup-ntfy-secret.yaml
diff --git a/clusters/cl01tl/manifests/vault/ConfigMap-vault-backup-script.yaml b/clusters/cl01tl/manifests/vault/ConfigMap-vault-backup-script.yaml
index 177e70baf..3c729af30 100644
--- a/clusters/cl01tl/manifests/vault/ConfigMap-vault-backup-script.yaml
+++ b/clusters/cl01tl/manifests/vault/ConfigMap-vault-backup-script.yaml
@@ -11,8 +11,35 @@ data:
 backup.sh: |
 echo " ";
 echo ">> Running S3 backup for Vault snapshot";
- if s3cmd sync --no-check-certificate -v /opt/backup "${BUCKET}/cl01tl/cl01tl-vault-snapshots/"; then
- echo ">> Sync succeeded"
+ OUTPUT=$(s3cmd sync --no-check-certificate -v /opt/backup "${BUCKET}/cl01tl/cl01tl-vault-snapshots/" 2>&1)
+ STATUS=$?
+
+ echo " ";
+ if [ $STATUS -ne 0 ]; then
+ if echo "$OUTPUT" | grep -q "403 Forbidden"; then
+ MESSAGE="403 Authentication Error: Your keys are wrong or you don't have permission"
+ elif echo "$OUTPUT" | grep -q "404 Not Found"; then
+ MESSAGE="404 Error: The bucket or folder does not exist"
+ elif echo "$OUTPUT" | grep -q "Connection refused"; then
+ MESSAGE="Network Error: Cannot reach the S3 endpoint"
+ else
+ MESSAGE="Unknown Error: $OUTPUT"
+ echo ">> Unknown Error, output:"
+ echo " "
+ echo "$OUTPUT"
+ echo " "
+ fi
+
+ echo ">> Message: $MESSAGE"
+
+ echo ">> Sending to NTFY ..."
+ curl \
+ -H "Authorization: Bearer ${NTFY_TOKEN}" \
+ -H "X-Priority: 5" \
+ -H "X-Tags: warning" \
+ -H "X-Title: Vault Backup Failed for ${TARGET}" \
+ -d "$MESSAGE" \
+ ${NTFY_ENDPOINT}/${NTFY_TOPIC}
 else
- echo ">> ERROR: Sync failed"
+ echo ">> S3 Sync succeeded"
 fi
diff --git a/clusters/cl01tl/manifests/vault/CronJob-vault-snapshot.yaml b/clusters/cl01tl/manifests/vault/CronJob-vault-snapshot.yaml
index 0c5009086..5eaff918d 100644
--- a/clusters/cl01tl/manifests/vault/CronJob-vault-snapshot.yaml
+++ b/clusters/cl01tl/manifests/vault/CronJob-vault-snapshot.yaml
@@ -72,6 +72,11 @@ spec:
 secretKeyRef:
 key: BUCKET
 name: vault-s3cmd-external-config
+ - name: TARGET
+ value: External
+ envFrom:
+ - secretRef:
+ name: vault-backup-ntfy-secret
 image: d3fk/s3cmd:latest@sha256:ed348a0fae5723d2e62636c175baf4dfaf732a790179ca675d1f24f863d0d68f
 imagePullPolicy: IfNotPresent
 name: s3-backup-external
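Review bot: The failure branch still lets the script finish with exit status 0, so the CronJob's pod is reported as succeeded even when `s3cmd sync` failed and the ntfy message is the only signal; after the final `fi` (the block scalar may continue past the hunk, so place it after whatever comes last) add `exit "$STATUS"`. The `curl` call should also fail visibly and use a quoted URL, since an unquoted `${NTFY_ENDPOINT}/${NTFY_TOPIC}` is subject to word splitting and a silently failing notification defeats the alert: `curl -sS --fail --max-time 30 \` on the first line and `"${NTFY_ENDPOINT}/${NTFY_TOPIC}" || echo ">> ERROR: ntfy notification failed"` on the last. Note that the `Unknown Error` branch forwards the full verbose s3cmd output (bucket path and snapshot file names) to the notification service; sending a fixed summary or only the first line and keeping the detail in the Job log would limit what leaves the cluster.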
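Review bot: `envFrom` with `secretRef` injects every key of `vault-backup-ntfy-secret` into the container environment, while the neighbouring `BUCKET` value is pulled with an explicit `secretKeyRef`; the same pattern is repeated in the `@@ -97` and `@@ -122` hunks for the local and remote containers. Mixing the two styles makes it harder to read off the manifest which variables the backup script relies on (`NTFY_TOKEN`, `NTFY_ENDPOINT`, `NTFY_TOPIC` and `TARGET` per the ConfigMap change), and any key later added to that Secret lands in all three containers. Listing the three keys as explicit `secretKeyRef` entries next to `BUCKET` would keep the env block self-describing; if the rendered output cannot change, the chart values that produce it are the place to fix this. The enclosing container spec starts before the hunk.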
@@ -97,6 +102,11 @@ spec:
 secretKeyRef:
 key: BUCKET
 name: vault-s3cmd-local-config
+ - name: TARGET
+ value: Local
+ envFrom:
+ - secretRef:
+ name: vault-backup-ntfy-secret
 image: d3fk/s3cmd:latest@sha256:ed348a0fae5723d2e62636c175baf4dfaf732a790179ca675d1f24f863d0d68f
 imagePullPolicy: IfNotPresent
 name: s3-backup-local
@@ -122,6 +132,11 @@ spec:
 secretKeyRef:
 key: BUCKET
 name: vault-s3cmd-remote-config
+ - name: TARGET
+ value: Remote
+ envFrom:
+ - secretRef:
+ name: vault-backup-ntfy-secret
 image: d3fk/s3cmd:latest@sha256:ed348a0fae5723d2e62636c175baf4dfaf732a790179ca675d1f24f863d0d68f
 imagePullPolicy: IfNotPresent
 name: s3-backup-remote
diff --git a/clusters/cl01tl/manifests/vault/Deployment-vault.yaml b/clusters/cl01tl/manifests/vault/Deployment-vault.yaml
deleted file mode 100644
index a16b1e4d0..000000000
--- a/clusters/cl01tl/manifests/vault/Deployment-vault.yaml
+++ /dev/null
@@ -1,58 +0,0 @@
-apiVersion: apps/v1 -kind: Deployment -metadata: - name: vault - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: vault - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: vault - helm.sh/chart: temp-4.5.0 - namespace: vault -spec: - revisionHistoryLimit: 3 - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app.kubernetes.io/controller: main - app.kubernetes.io/name: vault - app.kubernetes.io/instance: vault - template: - metadata: - labels: - app.kubernetes.io/controller: main - app.kubernetes.io/instance: vault - app.kubernetes.io/name: vault - spec: - enableServiceLinks: false - serviceAccountName: default - automountServiceAccountToken: true - hostIPC: false - hostNetwork: false - hostPID: false - dnsPolicy: ClusterFirst - containers: - - command: - sleep - infinity - image: ubuntu:resolute-20251208 - imagePullPolicy: IfNotPresent - name: main - resources: - requests: - cpu: 10m - memory: 32Mi - volumeMounts: - - mountPath: /opt/backup - name: backup - - mountPath: /opt/backup-old - name: backup-old - volumes: - - name: backup - persistentVolumeClaim: - claimName: vault-storage-backup - - name: backup-old - persistentVolumeClaim: - claimName: vault-nfs-storage-backup
diff --git a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-backup-ntfy-secret.yaml b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-backup-ntfy-secret.yaml
new file mode 100644
index 000000000..248bb6cc9
--- /dev/null
+++ b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-backup-ntfy-secret.yaml
@@ -0,0 +1,35 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: vault-backup-ntfy-secret
+ namespace: vault
+ labels:
+ app.kubernetes.io/name: vault-backup-ntfy-secret
+ app.kubernetes.io/instance: vault
+ app.kubernetes.io/part-of: vault
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: NTFY_TOKEN
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /ntfy/user/cl01tl
+ metadataPolicy: None
+ property: token
+ - secretKey: NTFY_ENDPOINT
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /ntfy/user/cl01tl
+ metadataPolicy: None
+ property: endpoint
+ - secretKey: NTFY_TOPIC
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/vault/snapshot
+ metadataPolicy: None
+ property: NTFY_TOPIC