From 6a3e28020e1f8e36dcd531ba2b21f6ae2b9b714c Mon Sep 17 00:00:00 2001 From: gitea-bot Date: Sat, 20 Dec 2025 03:59:55 +0000 Subject: [PATCH] Automated Manifest Update (#2743) This PR contains newly rendered Kubernetes manifests automatically generated by the CI workflow. Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/2743 Co-authored-by: gitea-bot Co-committed-by: gitea-bot --- .../ConfigMap-glutun-update-script.yaml | 38 +++++- .../ConfigMap-vault-snapshot-script.yaml | 22 ++++ .../vault/CronJob-vault-snapshot.yaml | 111 +++++++++++++----- ...alSecret-vault-s3cmd-external-config.yaml} | 4 +- ...ternalSecret-vault-s3cmd-local-config.yaml | 28 +++++ ...ernalSecret-vault-s3cmd-remote-config.yaml | 28 +++++ ...stentVolumeClaim-vault-storage-backup.yaml | 17 +++ .../vault/Pod-vault-server-test.yaml | 8 +- .../manifests/vault/StatefulSet-vault.yaml | 8 +- 9 files changed, 226 insertions(+), 38 deletions(-) create mode 100644 clusters/cl01tl/manifests/vault/ConfigMap-vault-snapshot-script.yaml rename clusters/cl01tl/manifests/vault/{ExternalSecret-vault-s3cmd-config.yaml => ExternalSecret-vault-s3cmd-external-config.yaml} (87%) create mode 100644 clusters/cl01tl/manifests/vault/ExternalSecret-vault-s3cmd-local-config.yaml create mode 100644 clusters/cl01tl/manifests/vault/ExternalSecret-vault-s3cmd-remote-config.yaml create mode 100644 clusters/cl01tl/manifests/vault/PersistentVolumeClaim-vault-storage-backup.yaml diff --git a/clusters/cl01tl/manifests/qbittorrent/ConfigMap-glutun-update-script.yaml b/clusters/cl01tl/manifests/qbittorrent/ConfigMap-glutun-update-script.yaml index 6252bae4a..c1550d3aa 100644 --- a/clusters/cl01tl/manifests/qbittorrent/ConfigMap-glutun-update-script.yaml +++ b/clusters/cl01tl/manifests/qbittorrent/ConfigMap-glutun-update-script.yaml 
@@ -9,20 +9,50 @@ metadata: app.kubernetes.io/part-of: qbittorrent data: update.sh: | + API_ENDPOINT="http://localhost:8080/api/v2"; + MAX_RETRIES=5 + SUCCESS=false + + for ((i=1; i<=$MAX_RETRIES; i++)); do + if apk update --short &> /dev/null; then + echo ">> Attempt $i: Repositories are reachable" + SUCCESS=true + break + else + echo ">> Attempt $i: Connection failed, retrying in 5 seconds ..." + sleep 5 + fi + done + + if [ "$SUCCESS" = false ]; then + echo ">> ERROR: Could not connect to apk repositories after $MAX_RETRIES attempts, exiting ..." + exit 1 + fi + if ! command -v curl 2>&1 >/dev/null then echo "curl could not be found, installing"; - apk add curl; + apk add --no-cache curl; + if [ $? -eq 0 ]; then + echo ">> Installation successful" + else + echo ">> Installation failed with exit code $?" + exit 1 + fi fi; if ! command -v jq 2>&1 >/dev/null then echo "jq could not be found, installing"; - apk add jq; + apk add --no-cache jq; + if [ $? -eq 0 ]; then + echo ">> Installation successful" + else + echo ">> Installation failed with exit code $?" + exit 1 + fi fi; - API_ENDPOINT="http://localhost:8080/api/v2"; - # echo " "; # echo ">> Authentication ..."; # curl -i --silent --header 'Referer: http://localhost:8080' --output response_body_auth.json --data 'username=admin&password=adminadmin' "${API_ENDPOINT}/auth/login" -c cookie; diff --git a/clusters/cl01tl/manifests/vault/ConfigMap-vault-snapshot-script.yaml b/clusters/cl01tl/manifests/vault/ConfigMap-vault-snapshot-script.yaml new file mode 100644 index 000000000..8d4149982 --- /dev/null +++ b/clusters/cl01tl/manifests/vault/ConfigMap-vault-snapshot-script.yaml 
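Review bot: In both new failure branches, `echo ">> Installation failed with exit code $?"` prints the status of the preceding `[ $? -eq 0 ]` test (always 1), not apk's exit code. Capture the status right after the install, `apk add --no-cache curl; rc=$?`, then test `if [ "$rc" -eq 0 ]; then` and report `$rc`; the jq branch needs the same change. The retry loop also uses bash-only syntax (`&> /dev/null`, `for ((i=1; ...))`); if update.sh is run by busybox ash rather than bash — the interpreter is outside this hunk — use `>/dev/null 2>&1` and a `while [ "$i" -le "$MAX_RETRIES" ]` loop instead. The update.sh block scalar continues past the end of the hunk.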
@@ -0,0 +1,22 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: vault-snapshot-script + namespace: vault + labels: + app.kubernetes.io/name: vault-snapshot-script + app.kubernetes.io/instance: vault + app.kubernetes.io/part-of: vault +data: + update.sh: | + BACKUP_FOLDER=/opt/backup + BACKUP_FILE=$(ls -t $BACKUP_FOLDER | head -n 1) + + echo " "; + echo ">> Running S3 backup for Vault snapshot"; + + if s3cmd put --no-check-md5 --no-check-certificate -v "$BACKUP_FOLDER/$BACKUP_FILE" "${BUCKET}/cl01tl/cl01tl-vault-snapshots/$BACKUP_FILE"; then + echo ">> Upload succeeded" + else + echo ">> ERROR: Upload failed" + fi diff --git a/clusters/cl01tl/manifests/vault/CronJob-vault-snapshot.yaml b/clusters/cl01tl/manifests/vault/CronJob-vault-snapshot.yaml index 87a48a5ff..97b362507 100644 --- a/clusters/cl01tl/manifests/vault/CronJob-vault-snapshot.yaml +++ b/clusters/cl01tl/manifests/vault/CronJob-vault-snapshot.yaml @@ -39,14 +39,7 @@ spec: initContainers: - args: - -ec - - | - apk add --no-cache jq; - echo ">> Running Vault snapshot" - export VAULT_TOKEN=$(vault write auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID -format=json | jq -r .auth.client_token); - vault operator raft snapshot save /opt/backup/vault-snapshot-latest.snap; - cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap; - cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-s3.snap; - echo ">> Completed Vault snapshot" + - /scripts/snapshot.sh command: - /bin/ash env: 
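Review bot: The ConfigMap's only data key is `update.sh`, but the CronJob hunk `@@ -58,21 +51,16 @@` mounts this ConfigMap with `subPath: snapshot.sh` (volume `snapshot-script` → `vault-snapshot-script`), so the kubelet cannot resolve the subPath and the job pod will not start; rename the key to `snapshot.sh` or change the mount. The script body is the S3 upload step rather than a Vault snapshot, while the CronJob mounts a separate `vault-backup-script` for uploads, so the two names appear swapped. On upload failure the script logs `>> ERROR: Upload failed` but exits 0, so the CronJob never records a failed run; add `exit 1` after that echo. `--no-check-certificate` on `s3cmd put` disables TLS verification for the snapshot upload; point s3cmd at the endpoint's CA (`--ca-certs`) instead.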
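Review bot: With the snapshot commands moved into `/scripts/snapshot.sh`, the `-e` in `-ec` governs only the wrapper shell that launches the script, so a failing command inside the script no longer aborts the init container and the S3 containers then upload whatever is newest in /opt/backup. The script file should begin with `set -eu`; the ConfigMap added in this PR does not. Whether the new script still performs the approle login and `vault operator raft snapshot save` that the removed inline lines did cannot be checked from this diff, since the only ConfigMap added here contains the upload step.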
@@ -58,21 +51,16 @@ spec: image: hashicorp/vault:1.21.1 imagePullPolicy: IfNotPresent name: snapshot - resources: - requests: - cpu: 10m - memory: 64Mi volumeMounts: - mountPath: /opt/backup - name: config + name: backup + - mountPath: /scripts/snapshot.sh + name: snapshot-script + subPath: snapshot.sh containers: - args: - -ec - - | - echo ">> Running S3 backup for Vault snapshot" - s3cmd put --no-check-md5 --no-check-certificate -v /opt/backup/vault-snapshot-s3.snap ${BUCKET}/cl01tl/cl01tl-vault-snapshots/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap; - rm -f /opt/backup/vault-snapshot-s3.snap; - echo ">> Completed S3 backup for Vault snapshot" + - /scripts/backup.sh command: - /bin/sh env: 
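Review bot: The `resources.requests` block for the snapshot init container is removed with no replacement, and the next hunk (`@@ -80,26 +68,89 @@`) removes it from the s3cmd container while adding two more containers without requests, so the job pod falls to BestEffort QoS unless limits are set elsewhere in the spec (not visible here). Keep the previous values, `requests: {cpu: 10m, memory: 64Mi}`, or set requests on all four containers.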
@@ -80,26 +68,89 @@ spec: valueFrom: secretKeyRef: key: BUCKET - name: vault-s3cmd-config + name: vault-s3cmd-external-config image: d3fk/s3cmd:latest@sha256:ed348a0fae5723d2e62636c175baf4dfaf732a790179ca675d1f24f863d0d68f imagePullPolicy: IfNotPresent - name: s3-backup - resources: - requests: - cpu: 100m - memory: 128Mi + name: s3-backup-external volumeMounts: - mountPath: /opt/backup - name: config + name: backup + - mountPath: /scripts/backup.sh + name: backup-script + subPath: backup.sh - mountPath: /root/.s3cfg mountPropagation: None - name: s3cmd-config + name: s3cmd-external-config + readOnly: true + subPath: .s3cfg + - args: + - -ec + - /scripts/backup.sh + command: + - /bin/sh + env: + - name: BUCKET + valueFrom: + secretKeyRef: + key: BUCKET + name: vault-s3cmd-local-config + image: d3fk/s3cmd:latest@sha256:ed348a0fae5723d2e62636c175baf4dfaf732a790179ca675d1f24f863d0d68f + imagePullPolicy: IfNotPresent + name: s3-backup-local + volumeMounts: + - mountPath: /opt/backup + name: backup + - mountPath: /scripts/backup.sh + name: backup-script + subPath: backup.sh + - mountPath: /root/.s3cfg + mountPropagation: None + name: s3cmd-local-config + readOnly: true + subPath: .s3cfg + - args: + - -ec + - /scripts/backup.sh + command: + - /bin/sh + env: + - name: BUCKET + valueFrom: + secretKeyRef: + key: BUCKET + name: vault-s3cmd-remote-config + image: d3fk/s3cmd:latest@sha256:ed348a0fae5723d2e62636c175baf4dfaf732a790179ca675d1f24f863d0d68f + imagePullPolicy: IfNotPresent + name: s3-backup-remote + volumeMounts: + - mountPath: /opt/backup + name: backup + - mountPath: /scripts/backup.sh + name: backup-script + subPath: backup.sh + - mountPath: /root/.s3cfg + mountPropagation: None + name: s3cmd-remote-config readOnly: true subPath: .s3cfg volumes: - - name: config + - name: backup persistentVolumeClaim: - claimName: vault-nfs-storage-backup - - name: s3cmd-config + claimName: vault-storage-backup + - configMap: + defaultMode: 493 + name: vault-backup-script + name: 
backup-script + - name: s3cmd-external-config secret: - secretName: vault-s3cmd-config + secretName: vault-s3cmd-external-config + - name: s3cmd-local-config + secret: + secretName: vault-s3cmd-local-config + - name: s3cmd-remote-config + secret: + secretName: vault-s3cmd-remote-config + - configMap: + defaultMode: 493 + name: vault-snapshot-script + name: snapshot-script diff --git a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-s3cmd-config.yaml b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-s3cmd-external-config.yaml similarity index 87% rename from clusters/cl01tl/manifests/vault/ExternalSecret-vault-s3cmd-config.yaml rename to clusters/cl01tl/manifests/vault/ExternalSecret-vault-s3cmd-external-config.yaml index 1c3ae0cc0..8401592c2 100644 --- a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-s3cmd-config.yaml +++ b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-s3cmd-external-config.yaml @@ -1,10 +1,10 @@ apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: - name: vault-s3cmd-config + name: vault-s3cmd-external-config namespace: vault labels: - app.kubernetes.io/name: vault-s3cmd-config + app.kubernetes.io/name: vault-s3cmd-external-config app.kubernetes.io/instance: vault app.kubernetes.io/part-of: vault spec: diff --git a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-s3cmd-local-config.yaml b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-s3cmd-local-config.yaml new file mode 100644 index 000000000..3dc60610e --- /dev/null +++ b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-s3cmd-local-config.yaml 
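Review bot: The three s3cmd containers run `/scripts/backup.sh` from ConfigMap `vault-backup-script`, which is not among the files this PR creates (the diffstat lists only `ConfigMap-vault-snapshot-script.yaml`), so either it already exists in the cluster or the `backup-script` mount will fail; if it does exist, the upload script reviewable in this PR is not what these containers execute. The upload only reads from the backup volume, so the `/opt/backup` mounts in `s3-backup-external`, `s3-backup-local` and `s3-backup-remote` can carry `readOnly: true`, leaving the init container as the only writer of the snapshot PVC.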
@@ -0,0 +1,28 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: vault-s3cmd-local-config + namespace: vault + labels: + app.kubernetes.io/name: vault-s3cmd-local-config + app.kubernetes.io/instance: vault + app.kubernetes.io/part-of: vault +spec: + secretStoreRef: + kind: ClusterSecretStore + name: vault + data: + - secretKey: .s3cfg + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /garage/home-infra/vault-backups + metadataPolicy: None + property: s3cfg-local + - secretKey: BUCKET + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /garage/home-infra/vault-backups + metadataPolicy: None + property: BUCKET diff --git a/clusters/cl01tl/manifests/vault/ExternalSecret-vault-s3cmd-remote-config.yaml b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-s3cmd-remote-config.yaml new file mode 100644 index 000000000..d7e371ed1 --- /dev/null +++ b/clusters/cl01tl/manifests/vault/ExternalSecret-vault-s3cmd-remote-config.yaml @@ -0,0 +1,28 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: vault-s3cmd-remote-config + namespace: vault + labels: + app.kubernetes.io/name: vault-s3cmd-remote-config + app.kubernetes.io/instance: vault + app.kubernetes.io/part-of: vault +spec: + secretStoreRef: + kind: ClusterSecretStore + name: vault + data: + - secretKey: .s3cfg + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /garage/home-infra/vault-backups + metadataPolicy: None + property: s3cfg-remote + - secretKey: BUCKET + remoteRef: + conversionStrategy: Default + decodingStrategy: None + key: /garage/home-infra/vault-backups + metadataPolicy: None + property: BUCKET diff --git a/clusters/cl01tl/manifests/vault/PersistentVolumeClaim-vault-storage-backup.yaml b/clusters/cl01tl/manifests/vault/PersistentVolumeClaim-vault-storage-backup.yaml new file mode 100644 index 000000000..21ff4c017 --- /dev/null 
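Review bot: Both new ExternalSecrets populate `BUCKET` from the same remote property (`property: BUCKET` under `/garage/home-infra/vault-backups`) while their `.s3cfg` entries differ (`s3cfg-local` vs `s3cfg-remote`), so the local and remote containers upload to an identically named bucket on their respective endpoints. If the two targets are meant to use different bucket names, the second ExternalSecret (`vault-s3cmd-remote-config`, same line) needs its own property for `BUCKET`; if the shared name is intentional, this is fine as written.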
+++ b/clusters/cl01tl/manifests/vault/PersistentVolumeClaim-vault-storage-backup.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: vault-storage-backup + namespace: vault + labels: + app.kubernetes.io/name: vault-storage-backup + app.kubernetes.io/instance: vault + app.kubernetes.io/part-of: vault +spec: + volumeMode: Filesystem + storageClassName: ceph-filesystem + accessModes: + - ReadWriteMany + resources: + requests: + storage: 1Gi diff --git a/clusters/cl01tl/manifests/vault/Pod-vault-server-test.yaml b/clusters/cl01tl/manifests/vault/Pod-vault-server-test.yaml index 94f413314..44be7b300 100644 --- a/clusters/cl01tl/manifests/vault/Pod-vault-server-test.yaml +++ b/clusters/cl01tl/manifests/vault/Pod-vault-server-test.yaml @@ -34,11 +34,17 @@ spec: exit 0 volumeMounts: - - mountPath: /opt/backups/ + - mountPath: /opt/backups-old/ name: vault-nfs-storage-backup + readOnly: true + - mountPath: /opt/backups/ + name: vault-storage-backup readOnly: false volumes: - name: vault-nfs-storage-backup persistentVolumeClaim: claimName: vault-nfs-storage-backup + - name: vault-nfs-storage-backup + persistentVolumeClaim: + claimName: vault-nfs-storage-backup restartPolicy: Never diff --git a/clusters/cl01tl/manifests/vault/StatefulSet-vault.yaml b/clusters/cl01tl/manifests/vault/StatefulSet-vault.yaml index 8926c5ab1..0c0725fff 100644 --- a/clusters/cl01tl/manifests/vault/StatefulSet-vault.yaml +++ b/clusters/cl01tl/manifests/vault/StatefulSet-vault.yaml @@ -51,6 +51,9 @@ spec: - name: vault-nfs-storage-backup persistentVolumeClaim: claimName: vault-nfs-storage-backup + - name: vault-nfs-storage-backup + persistentVolumeClaim: + claimName: vault-nfs-storage-backup - name: home emptyDir: {} containers: 
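Review bot: The added volume in Pod-vault-server-test duplicates the existing `vault-nfs-storage-backup` entry, while the new mount references `vault-storage-backup`, which no volume defines; the API server rejects the pod on both counts (duplicate volume name, mount of an undefined volume). The added block should read `- name: vault-storage-backup` / `persistentVolumeClaim:` / `claimName: vault-storage-backup`, matching the PVC created in this PR. The same copy-paste appears in StatefulSet-vault.yaml (`@@ -51,6 +51,9 @@` on this line, with the corresponding mount in `@@ -110,8 +113,11 @@`), where the rejected update leaves the Vault StatefulSet out of sync with the repository.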
@@ -110,8 +113,11 @@ spec: mountPath: /vault/data - name: config mountPath: /vault/config - - mountPath: /opt/backups/ + - mountPath: /opt/backups-old/ name: vault-nfs-storage-backup + readOnly: true + - mountPath: /opt/backups/ + name: vault-storage-backup readOnly: false - name: home mountPath: /home/vault