feat: simplify script

Merge pull request 'feat: add service account' (#6272 ) from tmp/talos-3 into main
Reviewed-on: #6272
2026-04-26 17:38:04 +00:00 · 2026-04-26 17:37:11 +00:00 · 2026-04-26 12:15:08 -05:00
5 changed files with 28 additions and 138 deletions
--- a/clusters/cl01tl/helm/talos/templates/_helpers.tpl
+++ b/clusters/cl01tl/helm/talos/templates/_helpers.tpl
@@ -12,13 +12,3 @@ Selector labels
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
-
-{{/*
-ServiceAccount names
-*/}}
-{{- define "custom.serviceAccountName" -}}
-talos-backup
-{{- end -}}
-{{- define "custom.serviceAccountSecretsName" -}}
-talos-backup-secrets
-{{- end -}}
--- a/clusters/cl01tl/helm/talos/templates/secret-provider-class.yaml
+++ b/clusters/cl01tl/helm/talos/templates/secret-provider-class.yaml
@@ -10,7 +10,7 @@ spec:
  provider: openbao
  parameters:
    baoAddress: "http://openbao-internal.openbao:8200"
-    roleName: {{ include "custom.serviceAccountName" . }}
+    roleName: talos-backup
    objects: |
      - objectName: .s3cfg
        fileName: .s3cfg
@@ -30,7 +30,7 @@ spec:
  provider: openbao
  parameters:
    baoAddress: "http://openbao-internal.openbao:8200"
-    roleName: {{ include "custom.serviceAccountName" . }}
+    roleName: talos-backup
    objects: |
      - objectName: .s3cfg
        fileName: .s3cfg
@@ -50,7 +50,7 @@ spec:
  provider: openbao
  parameters:
    baoAddress: "http://openbao-internal.openbao:8200"
-    roleName: {{ include "custom.serviceAccountName" . }}
+    roleName: talos-backup
    objects: |
      - objectName: .s3cfg
        fileName: .s3cfg
@@ -70,7 +70,7 @@ spec:
  provider: openbao
  parameters:
    baoAddress: "http://openbao-internal.openbao:8200"
-    roleName: {{ include "custom.serviceAccountName" . }}
+    roleName: talos-defrag
    objects: |
      - objectName: config
        fileName: config
--- a/clusters/cl01tl/helm/talos/templates/service-account.yaml
+++ b/clusters/cl01tl/helm/talos/templates/service-account.yaml
@@ -1,20 +1,10 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "custom.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: {{ include "custom.serviceAccountName" . }}
-    {{- include "custom.labels" . | nindent 4 }}
-
---
 apiVersion: talos.dev/v1alpha1
 kind: ServiceAccount
 metadata:
-  name: {{ include "custom.serviceAccountSecretsName" . }}
+  name: talos-backup-secrets
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: {{ include "custom.serviceAccountSecretsName" . }}
+    app.kubernetes.io/name: talos-backup-secrets
    {{- include "custom.labels" . | nindent 4 }}
 spec:
  roles:
--- a/clusters/cl01tl/helm/talos/values.yaml
+++ b/clusters/cl01tl/helm/talos/values.yaml
@@ -264,6 +264,9 @@ etcd-backup:
              value: External
            - name: DATE_RANGE_SECONDS
              value: "1209600"
+  serviceAccount:
+    talos-backup:
+      enabled: true
  persistence:
    secret:
      enabled: true
@@ -399,6 +402,8 @@ etcd-defrag:
        schedule: 0 0 * * 0
        backoffLimit: 3
        parallelism: 1
+      serviceAccount:
+        name: talos-defrag
      containers:
        main:
          image:
@@ -427,6 +432,8 @@ etcd-defrag:
        schedule: 10 0 * * 0
        backoffLimit: 3
        parallelism: 1
+      serviceAccount:
+        name: talos-defrag
      containers:
        main:
          image:
@@ -455,6 +462,8 @@ etcd-defrag:
        schedule: 20 0 * * 0
        backoffLimit: 3
        parallelism: 1
+      serviceAccount:
+        name: talos-defrag
      containers:
        main:
          image:
@@ -468,6 +477,9 @@ etcd-defrag:
          env:
            - name: TALOSCONFIG
              value: /tmp/.talos/config
+  serviceAccount:
+    talos-defrag:
+      enabled: true
  persistence:
    config:
      type: custom
--- a/clusters/cl01tl/helm/vault/templates/config-map.yaml
+++ b/clusters/cl01tl/helm/vault/templates/config-map.yaml
@@ -9,59 +9,29 @@ metadata:
 data:
  snapshot.sh: |
    DATE=$(date +"%Y%m%d-%H-%M")
-    MAX_RETRIES=5
-    SUCCESS=false

    echo " "
    echo ">> Running Vault Snapshot Script ..."

    echo " "
-    echo ">> Verifying required commands ..."
-    echo " "
+    echo ">> Fetching Vault token ..."
+    export VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID)

-    for i in $(seq 1 "$MAX_RETRIES"); do
-        if apk update 2>&1 >/dev/null; then
-            echo ">> Attempt $i: Repositories are reachable";
-            SUCCESS=true;
-            break;
-        else
-            echo ">> Attempt $i: Connection failed, retrying in 5 seconds ...";
-            sleep 5;
-        fi;
-    done;
-
-    if [ "$SUCCESS" = false ]; then
-        echo ">> ERROR: Could not connect to apk repositories after $MAX_RETRIES attempts, exiting ...";
-        exit 1;
+    if [ -z "$VAULT_TOKEN" ]; then
+        echo ">> ERROR: Failed to fetch Vault token! Exiting..."
+        exit 1
    fi

    echo " "
-
-    if ! command -v jq 2>&1 >/dev/null; then
-        echo ">> Command jq could not be found, installing";
-        apk add --no-cache -q jq;
-        if [ $? -eq 0 ]; then
-            echo ">> Installation successful";
-        else
-            echo ">> Installation failed with exit code $?";
-            exit 1;
-        fi;
-    fi;
-
-    echo " ";
-    echo ">> Fetching Vault token ...";
-    export VAULT_TOKEN=$(vault write auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID -format=json | jq -r .auth.client_token);
-
-    echo " ";
-    echo ">> Taking Vault snapsot ...";
+    echo ">> Taking Vault snapshot ..."
    vault operator raft snapshot save /opt/backup/vault-snapshot-$DATE.snap

-    echo " ";
-    echo ">> Setting ownership of Vault snapsot ...";
+    echo " "
+    echo ">> Setting ownership of Vault snapshot ..."
    chown 100:1000 /opt/backup/vault-snapshot-$DATE.snap

-    echo " ";
-    echo ">> Completed Vault snapshot";
+    echo " "
+    echo ">> Completed Vault snapshot"

 ---
 apiVersion: v1
@@ -77,75 +47,3 @@ data:
    echo " ";
    echo ">> Running S3 backup for Vault snapshot";
    OUTPUT=$(s3cmd sync --no-check-certificate -v /opt/backup/* "${BUCKET}/cl01tl/cl01tl-vault-snapshots/" 2>&1)
-    STATUS=$?
-
-    if [ $STATUS -ne 0 ]; then
-        if echo "$OUTPUT" | grep -q "403 Forbidden"; then
-            MESSAGE="403 Authentication Error: Your keys are wrong or you don't have permission"
-        elif echo "$OUTPUT" | grep -q "404 Not Found"; then
-            MESSAGE="404 Error: The bucket or folder does not exist"
-        elif echo "$OUTPUT" | grep -q "Connection refused"; then
-            MESSAGE="Network Error: Cannot reach the S3 endpoint"
-        else
-            MESSAGE="Unknown Error"
-            echo " ";
-            echo ">> Unknown Error, output:"
-            echo " "
-            echo "$OUTPUT"
-        fi
-
-        MAX_RETRIES=5
-        SUCCESS=false
-
-        echo " "
-        echo ">> Sending message to ntfy using curl ..."
-
-        echo " "
-        echo ">> Verifying required commands ..."
-
-        for i in $(seq 1 "$MAX_RETRIES"); do
-            if apk update 2>&1 >/dev/null; then
-                echo ">> Attempt $i: Repositories are reachable";
-                SUCCESS=true;
-                break;
-            else
-                echo ">> Attempt $i: Connection failed, retrying in 5 seconds ...";
-                sleep 5;
-            fi;
-        done;
-
-        if [ "$SUCCESS" = false ]; then
-            echo ">> ERROR: Could not connect to apk repositories after $MAX_RETRIES attempts, exiting ...";
-            exit 1;
-        fi
-
-        if ! command -v curl 2>&1 >/dev/null; then
-            echo ">> Command curl could not be found, installing";
-            apk add --no-cache -q curl;
-            if [ $? -eq 0 ]; then
-                echo ">> Installation successful";
-            else
-                echo ">> Installation failed with exit code $?";
-                exit 1;
-            fi;
-        fi;
-
-        echo " "
-        echo ">> Sending to NTFY ..."
-        echo ">> Message: $MESSAGE"
-        HTTP_STATUS=$(curl \
-            --silent \
-            --write-out '%{http_code}' \
-            -H "Authorization: Bearer ${NTFY_TOKEN}" \
-            -H "X-Priority: 5" \
-            -H "X-Tags: warning" \
-            -H "X-Title: Vault Backup Failed for ${TARGET}" \
-            -d "$MESSAGE" \
-            ${NTFY_ENDPOINT}/${NTFY_TOPIC}
-        )
-        echo ">> HTTP Status Code: $HTTP_STATUS"
-
-    else
-        echo " ";
-        echo ">> S3 Sync succeeded"
-    fi
Author	SHA1	Message	Date
Alex Lebens	70832243d6	feat: simplify script All checks were successful lint-test-helm / lint-helm (pull_request) Successful in 58s Details lint-test-helm / validate-kubeconform (pull_request) Successful in 27s Details render-manifests / render-manifests (pull_request) Successful in 1m37s Details	2026-04-26 17:38:04 +00:00
Alex Lebens	371047eb41	Merge pull request 'feat: add service account' (#6272 ) from tmp/talos-3 into main Some checks failed lint-test-helm / lint-helm (push) Successful in 33s Details lint-test-helm / validate-kubeconform (push) Has been skipped Details renovate / renovate (push) Has been cancelled Details Reviewed-on: #6272	2026-04-26 17:37:11 +00:00
Alex Lebens	bf108a2beb	feat: add service account All checks were successful lint-test-helm / lint-helm (pull_request) Successful in 30s Details lint-test-helm / validate-kubeconform (pull_request) Successful in 32s Details render-manifests / render-manifests (pull_request) Successful in 57s Details	2026-04-26 12:15:08 -05:00