From 2195e3561ebac79110b4e37255885f8967a527dc Mon Sep 17 00:00:00 2001 From: Alex Lebens Date: Sat, 18 Apr 2026 17:53:36 -0500 Subject: [PATCH] feat: add openbao backup rclone --- .../rclone/templates/external-secret.yaml | 158 +++++------- clusters/cl01tl/helm/rclone/values.yaml | 234 ++++++++++++++++++ 2 files changed, 302 insertions(+), 90 deletions(-) diff --git a/clusters/cl01tl/helm/rclone/templates/external-secret.yaml b/clusters/cl01tl/helm/rclone/templates/external-secret.yaml index a310d151e..f79997299 100644 --- a/clusters/cl01tl/helm/rclone/templates/external-secret.yaml +++ b/clusters/cl01tl/helm/rclone/templates/external-secret.yaml @@ -14,38 +14,23 @@ spec: data: - secretKey: ACCESS_KEY_ID remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/directus-assets - metadataPolicy: None property: ACCESS_KEY_ID - secretKey: ACCESS_REGION remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/directus-assets - metadataPolicy: None property: ACCESS_REGION - secretKey: ACCESS_SECRET_KEY remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/directus-assets - metadataPolicy: None property: ACCESS_SECRET_KEY - secretKey: SRC_ENDPOINT remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/config/local - metadataPolicy: None property: ENDPOINT - secretKey: DEST_ENDPOINT remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/config/remote - metadataPolicy: None property: ENDPOINT --- 
@@ -65,38 +50,23 @@ spec: data: - secretKey: ACCESS_KEY_ID remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/karakeep-assets - metadataPolicy: None property: ACCESS_KEY_ID - secretKey: ACCESS_REGION remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/karakeep-assets - metadataPolicy: None property: ACCESS_REGION - secretKey: ACCESS_SECRET_KEY remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/karakeep-assets - metadataPolicy: None property: ACCESS_SECRET_KEY - secretKey: SRC_ENDPOINT remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/config/local - metadataPolicy: None property: ENDPOINT - secretKey: DEST_ENDPOINT remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/config/remote - metadataPolicy: None property: ENDPOINT --- @@ -116,38 +86,23 @@ spec: data: - secretKey: ACCESS_KEY_ID remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/talos-backups - metadataPolicy: None property: ACCESS_KEY_ID - secretKey: ACCESS_REGION remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/talos-backups - metadataPolicy: None property: ACCESS_REGION - secretKey: ACCESS_SECRET_KEY remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/talos-backups - metadataPolicy: None property: ACCESS_SECRET_KEY - secretKey: SRC_ENDPOINT remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/config/local - metadataPolicy: None property: ENDPOINT - secretKey: DEST_ENDPOINT remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/config/remote - metadataPolicy: None property: ENDPOINT --- 
@@ -167,38 +122,23 @@ spec: data: - secretKey: ACCESS_KEY_ID remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/web-assets - metadataPolicy: None property: ACCESS_KEY_ID - secretKey: ACCESS_REGION remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/web-assets - metadataPolicy: None property: ACCESS_REGION - secretKey: ACCESS_SECRET_KEY remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/web-assets - metadataPolicy: None property: ACCESS_SECRET_KEY - secretKey: SRC_ENDPOINT remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/config/local - metadataPolicy: None property: ENDPOINT - secretKey: DEST_ENDPOINT remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/config/remote - metadataPolicy: None property: ENDPOINT --- @@ -218,38 +158,23 @@ spec: data: - secretKey: ACCESS_KEY_ID remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/postgres-backups - metadataPolicy: None property: ACCESS_KEY_ID - secretKey: ACCESS_REGION remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/postgres-backups - metadataPolicy: None property: ACCESS_REGION - secretKey: ACCESS_SECRET_KEY remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/postgres-backups - metadataPolicy: None property: ACCESS_SECRET_KEY - secretKey: SRC_ENDPOINT remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/config/local - metadataPolicy: None property: ENDPOINT - secretKey: DEST_ENDPOINT remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/config/remote - metadataPolicy: None property: ENDPOINT --- 
@@ -269,36 +194,89 @@ spec: data: - secretKey: ACCESS_KEY_ID remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/ntfy-attachments - metadataPolicy: None property: ACCESS_KEY_ID - secretKey: ACCESS_REGION remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/ntfy-attachments - metadataPolicy: None property: ACCESS_REGION - secretKey: ACCESS_SECRET_KEY remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/ntfy-attachments - metadataPolicy: None property: ACCESS_SECRET_KEY - secretKey: SRC_ENDPOINT remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/config/local - metadataPolicy: None property: ENDPOINT - secretKey: DEST_ENDPOINT remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/config/remote - metadataPolicy: None + property: ENDPOINT + +--- +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: garage-openbao-backups-secret + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: garage-openbao-backups-secret + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/part-of: {{ .Release.Name }} +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + data: + - secretKey: ACCESS_KEY_ID + remoteRef: + key: /garage/home-infra/openbao-backups + property: ACCESS_KEY_ID + - secretKey: ACCESS_REGION + remoteRef: + key: /garage/home-infra/openbao-backups + property: ACCESS_REGION + - secretKey: ACCESS_SECRET_KEY + remoteRef: + key: /garage/home-infra/openbao-backups + property: ACCESS_SECRET_KEY + - secretKey: ENDPOINT_LOCAL + remoteRef: + key: /garage/home-infra/openbao-backups + property: ENDPOINT_LOCAL + - secretKey: ENDPOINT_REMOTE + remoteRef: + key: /garage/home-infra/openbao-backups + property: ENDPOINT_REMOTE + +--- +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: external-openbao-backups-secret + namespace: {{ 
.Release.Namespace }} + labels: + app.kubernetes.io/name: external-openbao-backups-secret + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/part-of: {{ .Release.Name }} +spec: + secretStoreRef: + kind: ClusterSecretStore + name: openbao + data: + - secretKey: ACCESS_KEY_ID + remoteRef: + key: /digital-ocean/home-infra/openbao-backups + property: ACCESS_KEY_ID + - secretKey: ACCESS_REGION + remoteRef: + key: /digital-ocean/home-infra/openbao-backups + property: ACCESS_REGION + - secretKey: ACCESS_SECRET_KEY + remoteRef: + key: /digital-ocean/home-infra/openbao-backups + property: ACCESS_SECRET_KEY + - secretKey: ENDPOINT + remoteRef: + key: /digital-ocean/home-infra/openbao-backups property: ENDPOINT diff --git a/clusters/cl01tl/helm/rclone/values.yaml b/clusters/cl01tl/helm/rclone/values.yaml index 247b704fe..a2eb96665 100644 --- a/clusters/cl01tl/helm/rclone/values.yaml +++ b/clusters/cl01tl/helm/rclone/values.yaml 
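Review bot: Both new ExternalSecrets read the backup-bucket credentials from the `openbao` ClusterSecretStore, which appears to be the same OpenBao instance whose backups these buckets hold. If OpenBao is lost, `/garage/home-infra/openbao-backups` and `/digital-ocean/home-infra/openbao-backups` cannot be read, and the synced Kubernetes Secrets only help while the cluster itself survives. Keep a copy of these keys outside OpenBao and record that above the two documents, e.g. `# credentials also held out of band; needed to restore OpenBao itself`. Separately, `garage-openbao-backups-secret` takes `ENDPOINT_LOCAL` and `ENDPOINT_REMOTE` from the bucket's own path, where the existing secrets in this file use `/garage/config/local` and `/garage/config/remote`; if that is intentional, a short comment should say why.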
@@ -554,3 +554,237 @@ rclone: key: DEST_ENDPOINT - name: RCLONE_CONFIG_SRC_DEST_FORCE_PATH_STYLE value: true + openbao-backups-remote: + type: cronjob + cronjob: + suspend: false + timeZone: America/Chicago + schedule: 0 1 * * * + backoffLimit: 3 + parallelism: 1 + containers: + sync: + image: + repository: rclone/rclone + tag: 1.73.4@sha256:654f6517c7aaec7e377690b2caf7c272dbe5f3b8200afbc14a00df6b4a9aa6ef + args: + - sync + - src:openbao-backups + - dest:openbao-backups + - --s3-no-check-bucket + - --max-age + - 90d + - --verbose + env: + - name: RCLONE_S3_PROVIDER + value: Other + - name: RCLONE_CONFIG_SRC_TYPE + value: s3 + - name: RCLONE_CONFIG_SRC_PROVIDER + value: Other + - name: RCLONE_CONFIG_SRC_ENV_AUTH + value: false + - name: RCLONE_CONFIG_SRC_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + name: garage-openbao-backups-secret + key: ACCESS_KEY_ID + - name: RCLONE_CONFIG_SRC_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + name: garage-openbao-backups-secret + key: ACCESS_SECRET_KEY + - name: RCLONE_CONFIG_SRC_REGION + valueFrom: + secretKeyRef: + name: garage-openbao-backups-secret + key: ACCESS_REGION + - name: RCLONE_CONFIG_SRC_ENDPOINT + valueFrom: + secretKeyRef: + name: garage-openbao-backups-secret + key: ENDPOINT_LOCAL + - name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE + value: true + - name: RCLONE_CONFIG_DEST_TYPE + value: s3 + - name: RCLONE_CONFIG_DEST_PROVIDER + value: Other + - name: RCLONE_CONFIG_DEST_ENV_AUTH + value: false + - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + name: garage-openbao-backups-secret + key: ACCESS_KEY_ID + - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + name: garage-openbao-backups-secret + key: ACCESS_SECRET_KEY + - name: RCLONE_CONFIG_DEST_REGION + valueFrom: + secretKeyRef: + name: garage-openbao-backups-secret + key: ACCESS_REGION + - name: RCLONE_CONFIG_DEST_ENDPOINT + valueFrom: + secretKeyRef: + name: garage-openbao-backups-secret + key: ENDPOINT_REMOTE + - name: 
RCLONE_CONFIG_SRC_DEST_FORCE_PATH_STYLE + value: true + prune: + image: + repository: rclone/rclone + tag: 1.73.4@sha256:654f6517c7aaec7e377690b2caf7c272dbe5f3b8200afbc14a00df6b4a9aa6ef + args: + - delete + - dest:openbao-backups + - --min-age + - 90d + - --verbose + env: + - name: RCLONE_CONFIG_DEST_TYPE + value: s3 + - name: RCLONE_CONFIG_DEST_PROVIDER + value: Other + - name: RCLONE_CONFIG_DEST_ENV_AUTH + value: false + - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + name: garage-openbao-backups-secret + key: ACCESS_KEY_ID + - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + name: garage-openbao-backups-secret + key: ACCESS_SECRET_KEY + - name: RCLONE_CONFIG_DEST_REGION + valueFrom: + secretKeyRef: + name: garage-openbao-backups-secret + key: ACCESS_REGION + - name: RCLONE_CONFIG_DEST_ENDPOINT + valueFrom: + secretKeyRef: + name: garage-openbao-backups-secret + key: ENDPOINT_REMOTE + - name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE + value: true + openbao-backups-external: + type: cronjob + cronjob: + suspend: false + timeZone: America/Chicago + schedule: 10 1 * * * + backoffLimit: 3 + parallelism: 1 + containers: + sync: + image: + repository: rclone/rclone + tag: 1.73.4@sha256:654f6517c7aaec7e377690b2caf7c272dbe5f3b8200afbc14a00df6b4a9aa6ef + args: + - sync + - src:openbao-backups + - dest:openbao-backups-6e088aad5fad110b + - --s3-no-check-bucket + - --max-age + - 90d + - --verbose + env: + - name: RCLONE_S3_PROVIDER + value: Other + - name: RCLONE_CONFIG_SRC_TYPE + value: s3 + - name: RCLONE_CONFIG_SRC_PROVIDER + value: Other + - name: RCLONE_CONFIG_SRC_ENV_AUTH + value: false + - name: RCLONE_CONFIG_SRC_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + name: garage-openbao-backups-secret + key: ACCESS_KEY_ID + - name: RCLONE_CONFIG_SRC_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + name: garage-openbao-backups-secret + key: ACCESS_SECRET_KEY + - name: RCLONE_CONFIG_SRC_REGION + valueFrom: + secretKeyRef: + name: 
garage-openbao-backups-secret + key: ACCESS_REGION + - name: RCLONE_CONFIG_SRC_ENDPOINT + valueFrom: + secretKeyRef: + name: garage-openbao-backups-secret + key: ENDPOINT_LOCAL + - name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE + value: true + - name: RCLONE_CONFIG_DEST_TYPE + value: s3 + - name: RCLONE_CONFIG_DEST_PROVIDER + value: DigitalOcean + - name: RCLONE_CONFIG_DEST_ENV_AUTH + value: false + - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + name: external-openbao-backups-secret + key: ACCESS_KEY_ID + - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + name: external-openbao-backups-secret + key: ACCESS_SECRET_KEY + - name: RCLONE_CONFIG_DEST_REGION + valueFrom: + secretKeyRef: + name: external-openbao-backups-secret + key: ACCESS_REGION + - name: RCLONE_CONFIG_DEST_ENDPOINT + valueFrom: + secretKeyRef: + name: external-openbao-backups-secret + key: ENDPOINT + prune: + image: + repository: rclone/rclone + tag: 1.73.4@sha256:654f6517c7aaec7e377690b2caf7c272dbe5f3b8200afbc14a00df6b4a9aa6ef + args: + - delete + - dest:openbao-backups-6e088aad5fad110b + - --min-age + - 90d + - --verbose + env: + - name: RCLONE_CONFIG_DEST_TYPE + value: s3 + - name: RCLONE_CONFIG_DEST_PROVIDER + value: DigitalOcean + - name: RCLONE_CONFIG_DEST_ENV_AUTH + value: false + - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + name: external-openbao-backups-secret + key: ACCESS_KEY_ID + - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + name: external-openbao-backups-secret + key: ACCESS_SECRET_KEY + - name: RCLONE_CONFIG_DEST_REGION + valueFrom: + secretKeyRef: + name: external-openbao-backups-secret + key: ACCESS_REGION + - name: RCLONE_CONFIG_DEST_ENDPOINT + valueFrom: + secretKeyRef: + name: external-openbao-backups-secret + key: ENDPOINT
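Review bot: Both new CronJobs mirror with `sync`, so a deletion or overwrite in `src:openbao-backups` (within the 90-day filter) is replicated to the second Garage site at 01:00 and to the DigitalOcean bucket at 01:10. The keys mounted into the pods must also be able to delete at the destination, since the `prune` containers rely on that. An offsite copy of the secret store's backups should survive a damaged or compromised source: consider `- copy` in place of `- sync` for `openbao-backups-external`, and, if the bucket supports it, versioning or a lifecycle rule for the 90-day retention so the key in `external-openbao-backups-secret` need not hold delete rights. The `openbao-backups-remote` job also uses the one key from `garage-openbao-backups-secret` for both `src` and `dest`, so a single leaked key reaches both copies. Separately, `RCLONE_CONFIG_SRC_DEST_FORCE_PATH_STYLE` in the remote `sync` container and `RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE` in the remote `prune` container (which defines no `src` remote) do not look like they configure `dest`; `RCLONE_CONFIG_DEST_FORCE_PATH_STYLE` is probably what was meant.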