From 8f94cd7e743836c7383d8236984c3286dbddda0d Mon Sep 17 00:00:00 2001
From: gitea-bot
Date: Sat, 18 Apr 2026 22:59:40 +0000
Subject: [PATCH] chore: Update manifests after change
---
...onJob-rclone-openbao-backups-external.yaml | 141 +++++++++++++++++
...CronJob-rclone-openbao-backups-remote.yaml | 145 ++++++++++++++++++
...ecret-external-openbao-backups-secret.yaml | 30 ++++
...ExternalSecret-garage-directus-secret.yaml | 15 --
...ExternalSecret-garage-karakeep-secret.yaml | 15 --
...Secret-garage-ntfy-attachments-secret.yaml | 15 --
...lSecret-garage-openbao-backups-secret.yaml | 34 ++++
...Secret-garage-postgres-backups-secret.yaml | 15 --
...nalSecret-garage-talos-backups-secret.yaml | 15 --
...ternalSecret-garage-web-assets-secret.yaml | 15 --
10 files changed, 350 insertions(+), 90 deletions(-)
create mode 100644 clusters/cl01tl/manifests/rclone/CronJob-rclone-openbao-backups-external.yaml
create mode 100644 clusters/cl01tl/manifests/rclone/CronJob-rclone-openbao-backups-remote.yaml
create mode 100644 clusters/cl01tl/manifests/rclone/ExternalSecret-external-openbao-backups-secret.yaml
create mode 100644 clusters/cl01tl/manifests/rclone/ExternalSecret-garage-openbao-backups-secret.yaml
diff --git a/clusters/cl01tl/manifests/rclone/CronJob-rclone-openbao-backups-external.yaml b/clusters/cl01tl/manifests/rclone/CronJob-rclone-openbao-backups-external.yaml
new file mode 100644
index 000000000..c887e048c
--- /dev/null
+++ b/clusters/cl01tl/manifests/rclone/CronJob-rclone-openbao-backups-external.yaml
@@ -0,0 +1,141 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: rclone-openbao-backups-external
+ labels:
+ app.kubernetes.io/controller: openbao-backups-external
+ app.kubernetes.io/instance: rclone
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: rclone
+ helm.sh/chart: rclone-4.6.2
+ namespace: rclone
+spec:
+ suspend: false
+ concurrencyPolicy: Forbid
+ startingDeadlineSeconds: 30
+ timeZone: America/Chicago
+ schedule: "10 1 * * *"
+ successfulJobsHistoryLimit: 1
+ failedJobsHistoryLimit: 1
+ jobTemplate:
+ spec:
+ parallelism: 1
+ backoffLimit: 3
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/controller: openbao-backups-external
+ app.kubernetes.io/instance: rclone
+ app.kubernetes.io/name: rclone
+ spec:
+ enableServiceLinks: false
+ serviceAccountName: default
+ automountServiceAccountToken: true
+ hostIPC: false
+ hostNetwork: false
+ hostPID: false
+ dnsPolicy: ClusterFirst
+ restartPolicy: Never
+ containers:
+ - args:
+ - delete
+ - dest:openbao-backups-6e088aad5fad110b
+ - --min-age
+ - 90d
+ - --verbose
+ env:
+ - name: RCLONE_CONFIG_DEST_TYPE
+ value: s3
+ - name: RCLONE_CONFIG_DEST_PROVIDER
+ value: DigitalOcean
+ - name: RCLONE_CONFIG_DEST_ENV_AUTH
+ value: "false"
+ - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
+ valueFrom:
+ secretKeyRef:
+ key: ACCESS_KEY_ID
+ name: external-openbao-backups-secret
+ - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ key: ACCESS_SECRET_KEY
+ name: external-openbao-backups-secret
+ - name: RCLONE_CONFIG_DEST_REGION
+ valueFrom:
+ secretKeyRef:
+ key: ACCESS_REGION
+ name: external-openbao-backups-secret
+ - name: RCLONE_CONFIG_DEST_ENDPOINT
+ valueFrom:
+ secretKeyRef:
+ key: ENDPOINT
+ name: external-openbao-backups-secret
+ image: rclone/rclone:1.73.4@sha256:654f6517c7aaec7e377690b2caf7c272dbe5f3b8200afbc14a00df6b4a9aa6ef
+ name: prune
+ - args:
+ - sync
+ - src:openbao-backups
+ - dest:openbao-backups-6e088aad5fad110b
+ - --s3-no-check-bucket
+ - --max-age
+ -
90d
+ - --verbose
+ env:
+ - name: RCLONE_S3_PROVIDER
+ value: Other
+ - name: RCLONE_CONFIG_SRC_TYPE
+ value: s3
+ - name: RCLONE_CONFIG_SRC_PROVIDER
+ value: Other
+ - name: RCLONE_CONFIG_SRC_ENV_AUTH
+ value: "false"
+ - name: RCLONE_CONFIG_SRC_ACCESS_KEY_ID
+ valueFrom:
+ secretKeyRef:
+ key: ACCESS_KEY_ID
+ name: garage-openbao-backups-secret
+ - name: RCLONE_CONFIG_SRC_SECRET_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ key: ACCESS_SECRET_KEY
+ name: garage-openbao-backups-secret
+ - name: RCLONE_CONFIG_SRC_REGION
+ valueFrom:
+ secretKeyRef:
+ key: ACCESS_REGION
+ name: garage-openbao-backups-secret
+ - name: RCLONE_CONFIG_SRC_ENDPOINT
+ valueFrom:
+ secretKeyRef:
+ key: ENDPOINT_LOCAL
+ name: garage-openbao-backups-secret
+ - name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE
+ value: "true"
+ - name: RCLONE_CONFIG_DEST_TYPE
+ value: s3
+ - name: RCLONE_CONFIG_DEST_PROVIDER
+ value: DigitalOcean
+ - name: RCLONE_CONFIG_DEST_ENV_AUTH
+ value: "false"
+ - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
+ valueFrom:
+ secretKeyRef:
+ key: ACCESS_KEY_ID
+ name: external-openbao-backups-secret
+ - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ key: ACCESS_SECRET_KEY
+ name: external-openbao-backups-secret
+ - name: RCLONE_CONFIG_DEST_REGION
+ valueFrom:
+ secretKeyRef:
+ key: ACCESS_REGION
+ name: external-openbao-backups-secret
+ - name: RCLONE_CONFIG_DEST_ENDPOINT
+ valueFrom:
+ secretKeyRef:
+ key: ENDPOINT
+ name: external-openbao-backups-secret
+ image: rclone/rclone:1.73.4@sha256:654f6517c7aaec7e377690b2caf7c272dbe5f3b8200afbc14a00df6b4a9aa6ef
+ name: sync
diff --git a/clusters/cl01tl/manifests/rclone/CronJob-rclone-openbao-backups-remote.yaml b/clusters/cl01tl/manifests/rclone/CronJob-rclone-openbao-backups-remote.yaml
new file mode 100644
index 000000000..27dcbd231
--- /dev/null
+++ b/clusters/cl01tl/manifests/rclone/CronJob-rclone-openbao-backups-remote.yaml
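Review bot: The `sync` container runs `rclone sync`, which removes objects at `dest:` that no longer exist at `src:`, so an emptied or damaged source bucket would be mirrored into the off-site copy on the next run for everything inside the `--max-age 90d` window. Because the `prune` container already enforces retention, `- copy` in place of `- sync` would keep this job additive; the `sync` container in CronJob-rclone-openbao-backups-remote.yaml has the same behaviour. The pod spec also sets `automountServiceAccountToken: true` with `serviceAccountName: default` although nothing visible in the containers talks to the Kubernetes API, so `automountServiceAccountToken: false` would keep a cluster token out of a pod that holds both sets of bucket credentials. The file is rendered from chart rclone-4.6.2, so these would presumably be changed in the chart values rather than in this manifest.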
@@ -0,0 +1,145 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: rclone-openbao-backups-remote
+ labels:
+ app.kubernetes.io/controller: openbao-backups-remote
+ app.kubernetes.io/instance: rclone
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: rclone
+ helm.sh/chart: rclone-4.6.2
+ namespace: rclone
+spec:
+ suspend: false
+ concurrencyPolicy: Forbid
+ startingDeadlineSeconds: 30
+ timeZone: America/Chicago
+ schedule: "0 1 * * *"
+ successfulJobsHistoryLimit: 1
+ failedJobsHistoryLimit: 1
+ jobTemplate:
+ spec:
+ parallelism: 1
+ backoffLimit: 3
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/controller: openbao-backups-remote
+ app.kubernetes.io/instance: rclone
+ app.kubernetes.io/name: rclone
+ spec:
+ enableServiceLinks: false
+ serviceAccountName: default
+ automountServiceAccountToken: true
+ hostIPC: false
+ hostNetwork: false
+ hostPID: false
+ dnsPolicy: ClusterFirst
+ restartPolicy: Never
+ containers:
+ - args:
+ - delete
+ - dest:openbao-backups
+ - --min-age
+ - 90d
+ - --verbose
+ env:
+ - name: RCLONE_CONFIG_DEST_TYPE
+ value: s3
+ - name: RCLONE_CONFIG_DEST_PROVIDER
+ value: Other
+ - name: RCLONE_CONFIG_DEST_ENV_AUTH
+ value: "false"
+ - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
+ valueFrom:
+ secretKeyRef:
+ key: ACCESS_KEY_ID
+ name: garage-openbao-backups-secret
+ - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ key: ACCESS_SECRET_KEY
+ name: garage-openbao-backups-secret
+ - name: RCLONE_CONFIG_DEST_REGION
+ valueFrom:
+ secretKeyRef:
+ key: ACCESS_REGION
+ name: garage-openbao-backups-secret
+ - name: RCLONE_CONFIG_DEST_ENDPOINT
+ valueFrom:
+ secretKeyRef:
+ key: ENDPOINT_REMOTE
+ name: garage-openbao-backups-secret
+ - name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE
+ value: "true"
+ image: rclone/rclone:1.73.4@sha256:654f6517c7aaec7e377690b2caf7c272dbe5f3b8200afbc14a00df6b4a9aa6ef
+ name: prune
+ - args:
+ - sync
+ - src:openbao-backups
+ - dest:openbao-backups
+ - --s3-no-check-bucket
+ -
--max-age
+ - 90d
+ - --verbose
+ env:
+ - name: RCLONE_S3_PROVIDER
+ value: Other
+ - name: RCLONE_CONFIG_SRC_TYPE
+ value: s3
+ - name: RCLONE_CONFIG_SRC_PROVIDER
+ value: Other
+ - name: RCLONE_CONFIG_SRC_ENV_AUTH
+ value: "false"
+ - name: RCLONE_CONFIG_SRC_ACCESS_KEY_ID
+ valueFrom:
+ secretKeyRef:
+ key: ACCESS_KEY_ID
+ name: garage-openbao-backups-secret
+ - name: RCLONE_CONFIG_SRC_SECRET_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ key: ACCESS_SECRET_KEY
+ name: garage-openbao-backups-secret
+ - name: RCLONE_CONFIG_SRC_REGION
+ valueFrom:
+ secretKeyRef:
+ key: ACCESS_REGION
+ name: garage-openbao-backups-secret
+ - name: RCLONE_CONFIG_SRC_ENDPOINT
+ valueFrom:
+ secretKeyRef:
+ key: ENDPOINT_LOCAL
+ name: garage-openbao-backups-secret
+ - name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE
+ value: "true"
+ - name: RCLONE_CONFIG_DEST_TYPE
+ value: s3
+ - name: RCLONE_CONFIG_DEST_PROVIDER
+ value: Other
+ - name: RCLONE_CONFIG_DEST_ENV_AUTH
+ value: "false"
+ - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
+ valueFrom:
+ secretKeyRef:
+ key: ACCESS_KEY_ID
+ name: garage-openbao-backups-secret
+ - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ key: ACCESS_SECRET_KEY
+ name: garage-openbao-backups-secret
+ - name: RCLONE_CONFIG_DEST_REGION
+ valueFrom:
+ secretKeyRef:
+ key: ACCESS_REGION
+ name: garage-openbao-backups-secret
+ - name: RCLONE_CONFIG_DEST_ENDPOINT
+ valueFrom:
+ secretKeyRef:
+ key: ENDPOINT_REMOTE
+ name: garage-openbao-backups-secret
+ - name: RCLONE_CONFIG_SRC_DEST_FORCE_PATH_STYLE
+ value: "true"
+ image: rclone/rclone:1.73.4@sha256:654f6517c7aaec7e377690b2caf7c272dbe5f3b8200afbc14a00df6b4a9aa6ef
+ name: sync
diff --git a/clusters/cl01tl/manifests/rclone/ExternalSecret-external-openbao-backups-secret.yaml b/clusters/cl01tl/manifests/rclone/ExternalSecret-external-openbao-backups-secret.yaml
new file mode 100644
index 000000000..3f7dd073e
--- /dev/null
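Review bot: Two of the path-style variables in this file do not name the remote they are meant to configure. The `prune` container defines only the `DEST` remote yet sets `RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE`, and the `sync` container sets `RCLONE_CONFIG_SRC_DEST_FORCE_PATH_STYLE`; rclone's per-remote form is `RCLONE_CONFIG_<REMOTE>_<OPTION>`, so the intended names are presumably `RCLONE_CONFIG_DEST_FORCE_PATH_STYLE` and `RCLONE_CONFIG_SRC_FORCE_PATH_STYLE`. As written they are likely ignored and the job depends on rclone's default addressing style, which hides the mistake until that default or the Garage endpoint changes. The `RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE` entry in the `sync` containers of both CronJobs has the same shape and is worth checking in the chart values at the same time.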
+++ b/clusters/cl01tl/manifests/rclone/ExternalSecret-external-openbao-backups-secret.yaml
@@ -0,0 +1,30 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: external-openbao-backups-secret
+ namespace: rclone
+ labels:
+ app.kubernetes.io/name: external-openbao-backups-secret
+ app.kubernetes.io/instance: rclone
+ app.kubernetes.io/part-of: rclone
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: openbao
+ data:
+ - secretKey: ACCESS_KEY_ID
+ remoteRef:
+ key: /digital-ocean/home-infra/openbao-backups
+ property: ACCESS_KEY_ID
+ - secretKey: ACCESS_REGION
+ remoteRef:
+ key: /digital-ocean/home-infra/openbao-backups
+ property: ACCESS_REGION
+ - secretKey: ACCESS_SECRET_KEY
+ remoteRef:
+ key: /digital-ocean/home-infra/openbao-backups
+ property: ACCESS_SECRET_KEY
+ - secretKey: ENDPOINT
+ remoteRef:
+ key: /digital-ocean/home-infra/openbao-backups
+ property: ENDPOINT
diff --git a/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-directus-secret.yaml b/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-directus-secret.yaml
index 92d1a2cfe..973e80d6a 100644
--- a/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-directus-secret.yaml
+++ b/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-directus-secret.yaml
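Review bot: The keys for the off-site OpenBao backup bucket are read from the `openbao` ClusterSecretStore (`/digital-ocean/home-infra/openbao-backups`), that is, from the system these backups exist to restore. If OpenBao is lost, the only stored copy of the credentials needed to fetch its backups goes with it, and the synced Secret can no longer be refreshed or recreated. It is worth documenting where an out-of-band copy lives, for example a comment in the chart values such as `# break-glass copy of these keys is kept outside OpenBao: <location placeholder>`. ExternalSecret-garage-openbao-backups-secret.yaml has the same dependency.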
@@ -14,36 +14,21 @@ spec: data: - secretKey: ACCESS_KEY_ID remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/directus-assets - metadataPolicy: None property: ACCESS_KEY_ID - secretKey: ACCESS_REGION remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/directus-assets - metadataPolicy: None property: ACCESS_REGION - secretKey: ACCESS_SECRET_KEY remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/directus-assets - metadataPolicy: None property: ACCESS_SECRET_KEY - secretKey: SRC_ENDPOINT remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/config/local - metadataPolicy: None property: ENDPOINT - secretKey: DEST_ENDPOINT remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/config/remote - metadataPolicy: None property: ENDPOINT diff --git a/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-karakeep-secret.yaml b/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-karakeep-secret.yaml index e2a42791e..bd83a8583 100644 --- a/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-karakeep-secret.yaml +++ b/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-karakeep-secret.yaml 
@@ -14,36 +14,21 @@ spec: data: - secretKey: ACCESS_KEY_ID remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/karakeep-assets - metadataPolicy: None property: ACCESS_KEY_ID - secretKey: ACCESS_REGION remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/karakeep-assets - metadataPolicy: None property: ACCESS_REGION - secretKey: ACCESS_SECRET_KEY remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/karakeep-assets - metadataPolicy: None property: ACCESS_SECRET_KEY - secretKey: SRC_ENDPOINT remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/config/local - metadataPolicy: None property: ENDPOINT - secretKey: DEST_ENDPOINT remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/config/remote - metadataPolicy: None property: ENDPOINT diff --git a/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-ntfy-attachments-secret.yaml b/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-ntfy-attachments-secret.yaml index 41b2b6259..f37ce9217 100644 --- a/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-ntfy-attachments-secret.yaml +++ b/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-ntfy-attachments-secret.yaml 
@@ -14,36 +14,21 @@ spec: data: - secretKey: ACCESS_KEY_ID remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/ntfy-attachments - metadataPolicy: None property: ACCESS_KEY_ID - secretKey: ACCESS_REGION remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/ntfy-attachments - metadataPolicy: None property: ACCESS_REGION - secretKey: ACCESS_SECRET_KEY remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/ntfy-attachments - metadataPolicy: None property: ACCESS_SECRET_KEY - secretKey: SRC_ENDPOINT remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/config/local - metadataPolicy: None property: ENDPOINT - secretKey: DEST_ENDPOINT remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/config/remote - metadataPolicy: None property: ENDPOINT diff --git a/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-openbao-backups-secret.yaml b/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-openbao-backups-secret.yaml new file mode 100644 index 000000000..abf63a4c5 --- /dev/null +++ b/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-openbao-backups-secret.yaml 
@@ -0,0 +1,34 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: garage-openbao-backups-secret
+ namespace: rclone
+ labels:
+ app.kubernetes.io/name: garage-openbao-backups-secret
+ app.kubernetes.io/instance: rclone
+ app.kubernetes.io/part-of: rclone
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: openbao
+ data:
+ - secretKey: ACCESS_KEY_ID
+ remoteRef:
+ key: /garage/home-infra/openbao-backups
+ property: ACCESS_KEY_ID
+ - secretKey: ACCESS_REGION
+ remoteRef:
+ key: /garage/home-infra/openbao-backups
+ property: ACCESS_REGION
+ - secretKey: ACCESS_SECRET_KEY
+ remoteRef:
+ key: /garage/home-infra/openbao-backups
+ property: ACCESS_SECRET_KEY
+ - secretKey: ENDPOINT_LOCAL
+ remoteRef:
+ key: /garage/home-infra/openbao-backups
+ property: ENDPOINT_LOCAL
+ - secretKey: ENDPOINT_REMOTE
+ remoteRef:
+ key: /garage/home-infra/openbao-backups
+ property: ENDPOINT_REMOTE
diff --git a/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-postgres-backups-secret.yaml b/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-postgres-backups-secret.yaml
index 086d8ef83..6a102cab9 100644
--- a/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-postgres-backups-secret.yaml
+++ b/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-postgres-backups-secret.yaml
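Review bot: `ENDPOINT_LOCAL` and `ENDPOINT_REMOTE` are read from `/garage/home-infra/openbao-backups`, whereas the sibling ExternalSecrets in this directory take their endpoints from `/garage/config/local` and `/garage/config/remote` (property `ENDPOINT`). A second copy of the endpoints under the bucket path means a Garage endpoint change has to be made in two places, and a stale value here would break only the OpenBao backup jobs while the others keep working. If the separate copy is intentional, a short comment in the chart values saying why would help; otherwise pointing these two `key:` entries at the shared `/garage/config/...` paths would match the other files.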
@@ -14,36 +14,21 @@ spec: data: - secretKey: ACCESS_KEY_ID remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/postgres-backups - metadataPolicy: None property: ACCESS_KEY_ID - secretKey: ACCESS_REGION remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/postgres-backups - metadataPolicy: None property: ACCESS_REGION - secretKey: ACCESS_SECRET_KEY remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/postgres-backups - metadataPolicy: None property: ACCESS_SECRET_KEY - secretKey: SRC_ENDPOINT remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/config/local - metadataPolicy: None property: ENDPOINT - secretKey: DEST_ENDPOINT remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/config/remote - metadataPolicy: None property: ENDPOINT diff --git a/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-talos-backups-secret.yaml b/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-talos-backups-secret.yaml index cdf0899b8..3988592c2 100644 --- a/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-talos-backups-secret.yaml +++ b/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-talos-backups-secret.yaml 
@@ -14,36 +14,21 @@ spec: data: - secretKey: ACCESS_KEY_ID remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/talos-backups - metadataPolicy: None property: ACCESS_KEY_ID - secretKey: ACCESS_REGION remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/talos-backups - metadataPolicy: None property: ACCESS_REGION - secretKey: ACCESS_SECRET_KEY remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/talos-backups - metadataPolicy: None property: ACCESS_SECRET_KEY - secretKey: SRC_ENDPOINT remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/config/local - metadataPolicy: None property: ENDPOINT - secretKey: DEST_ENDPOINT remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/config/remote - metadataPolicy: None property: ENDPOINT diff --git a/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-web-assets-secret.yaml b/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-web-assets-secret.yaml index aef7dcfe8..c9064e65a 100644 --- a/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-web-assets-secret.yaml +++ b/clusters/cl01tl/manifests/rclone/ExternalSecret-garage-web-assets-secret.yaml 
@@ -14,36 +14,21 @@ spec: data: - secretKey: ACCESS_KEY_ID remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/web-assets - metadataPolicy: None property: ACCESS_KEY_ID - secretKey: ACCESS_REGION remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/web-assets - metadataPolicy: None property: ACCESS_REGION - secretKey: ACCESS_SECRET_KEY remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/home-infra/web-assets - metadataPolicy: None property: ACCESS_SECRET_KEY - secretKey: SRC_ENDPOINT remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/config/local - metadataPolicy: None property: ENDPOINT - secretKey: DEST_ENDPOINT remoteRef: - conversionStrategy: Default - decodingStrategy: None key: /garage/config/remote - metadataPolicy: None property: ENDPOINT