From 5eefb67caea2a3dc446d749afff72b1ed3f11011 Mon Sep 17 00:00:00 2001 From: Alex Lebens Date: Tue, 8 Jul 2025 18:23:43 -0500 Subject: [PATCH] update config --- .../vault/templates/external-secret.yaml | 46 ++++--------------- clusters/cl01tl/platform/vault/values.yaml | 28 +++++++---- 2 files changed, 27 insertions(+), 47 deletions(-) diff --git a/clusters/cl01tl/platform/vault/templates/external-secret.yaml b/clusters/cl01tl/platform/vault/templates/external-secret.yaml index 3873f8bdc..5b90c8646 100644 --- a/clusters/cl01tl/platform/vault/templates/external-secret.yaml +++ b/clusters/cl01tl/platform/vault/templates/external-secret.yaml @@ -27,43 +27,6 @@ spec: metadataPolicy: None property: VAULT_APPROLE_SECRET_ID ---- -apiVersion: external-secrets.io/v1 -kind: ExternalSecret -metadata: - name: vault-snapshot-s3 - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/name: vault-snapshot-s3 - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/part-of: {{ .Release.Name }} -spec: - secretStoreRef: - kind: ClusterSecretStore - name: vault - data: - - secretKey: AWS_ACCESS_KEY_ID - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/vault-backup - metadataPolicy: None - property: AWS_ACCESS_KEY_ID - - secretKey: AWS_SECRET_ACCESS_KEY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/vault-backup - metadataPolicy: None - property: AWS_SECRET_ACCESS_KEY - - secretKey: S3_REPOSITORY - remoteRef: - conversionStrategy: Default - decodingStrategy: None - key: /digital-ocean/home-infra/vault-backup - metadataPolicy: None - property: S3_REPOSITORY - --- apiVersion: external-secrets.io/v1 kind: ExternalSecret 
@@ -83,9 +46,16 @@ spec: remoteRef: conversionStrategy: Default decodingStrategy: None - key: /cl01tl/vault/snapshot + key: /digital-ocean/home-infra/vault-backup metadataPolicy: None property: s3cfg + - secretKey: BUCKET + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /digital-ocean/home-infra/vault-backup + metadataPolicy: None + property: BUCKET --- apiVersion: external-secrets.io/v1 diff --git a/clusters/cl01tl/platform/vault/values.yaml b/clusters/cl01tl/platform/vault/values.yaml index a550c002f..8f8db541f 100644 --- a/clusters/cl01tl/platform/vault/values.yaml +++ b/clusters/cl01tl/platform/vault/values.yaml @@ -206,12 +206,15 @@ snapshot: - -ec - | echo ">> Running S3 backup for Vault snapshot" - s3cmd put --no-check-md5 --no-check-certificate -v /opt/backup/vault-snapshot-s3.snap ${S3_REPOSITORY}/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap; + s3cmd put --no-check-md5 --no-check-certificate -v /opt/backup/vault-snapshot-s3.snap ${BUCKET}/cl01tl/cl01tl-vault-snapshots/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap; rm -f /opt/backup/vault-snapshot-s3.snap; echo ">> Completed S3 backup for Vault snapshot" - envFrom: - - secretRef: - name: vault-snapshot-s3 + env: + - name: BUCKET + valueFrom: + secretKeyRef: + name: gitea-s3cmd-config + key: BUCKET resources: requests: cpu: 100m 
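Review bot: The two entries that now read from `/digital-ocean/home-infra/vault-backup` expect properties `s3cfg` and `BUCKET` at that path, but the ExternalSecret deleted in the previous hunk only ever read `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `S3_REPOSITORY` from it, so nothing on the page shows either property existing. With external-secrets a `data` entry whose `property` is missing fails the sync of the whole ExternalSecret, which would leave the snapshot CronJobs without the Secret they now reference as `gitea-s3cmd-config` (presumably this object; its `metadata` is outside the hunk). A comment above the new entry would make the out-of-band requirement visible, e.g. `# s3cfg and BUCKET must both exist at this Vault path; a missing property fails the whole sync`. Since every entry shares the same `key`, `dataFrom` with `extract` would remove the repetition, but only if every property at that path should land in the Secret.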
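Review bot: The rewritten `s3cmd put` line keeps `--no-check-certificate`, so the Vault snapshot and the credentials in the s3cmd config are sent to whichever endpoint answers for the bucket host without TLS verification; if the endpoint's certificate does not validate against the system bundle, `--ca-certs` pointing at the correct bundle is preferable to disabling the check. The destination prefix `${BUCKET}/cl01tl/cl01tl-vault-snapshots/` is also hard-coded here and again twice in the prune job's hunk, and `${BUCKET}` is unquoted, so an empty or unset value would likely turn the target into a local-looking path before `s3cmd` fails. Both could be addressed with `S3_PREFIX="${BUCKET:?BUCKET is required}/cl01tl/cl01tl-vault-snapshots"` at the top of each script and `s3cmd put --no-check-md5 -v /opt/backup/vault-snapshot-s3.snap "${S3_PREFIX}/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap";`. The container spec these lines belong to starts outside the hunk.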
@@ -227,17 +230,24 @@ snapshot: - -ec - | export MONTH_AGO=$(date -d @$(( $(date +%s) - 2592000 )) +%Y-%m-%d\ %H:%M:%S); + export TIME_RANGE="$MONTH_AGO" echo ">> Running S3 prune for Vault snapshot repository" - echo ">> Backups prior to '$MONTH_AGO' will be removed" - s3cmd ls -v $S3_REPOSITORY | + echo ">> Backups prior to '$TIME_RANGE' will be removed" + echo ">> File list:" + s3cmd ls -v ${BUCKET}/cl01tl/cl01tl-vault-snapshots/ + echo ">> Deleting ..." + s3cmd ls -v ${BUCKET}/cl01tl/cl01tl-vault-snapshots/ | awk -v month_ago="$MONTH_AGO" '$1 < month_ago {print $4}' | while read file; do s3cmd del -v "$file"; done; echo ">> Completed S3 prune for Vault snapshot repository" - envFrom: - - secretRef: - name: vault-snapshot-s3 + env: + - name: BUCKET + valueFrom: + secretKeyRef: + name: gitea-s3cmd-config + key: BUCKET resources: requests: cpu: 100m