From a0bee4b64a0647382a8608b90482ce5859e4100a Mon Sep 17 00:00:00 2001
From: gitea-bot
Date: Sat, 20 Dec 2025 04:16:27 +0000
Subject: [PATCH 1/2] chore: Update manifests after change

---
 .../vault/CronJob-vault-snapshot.yaml | 3 +
 .../manifests/vault/Deployment-vault.yaml | 58 +++++++++++++++++++
 .../vault/Pod-vault-server-test.yaml | 6 --
 .../manifests/vault/StatefulSet-vault.yaml | 6 --
 4 files changed, 61 insertions(+), 12 deletions(-)
 create mode 100644 clusters/cl01tl/manifests/vault/Deployment-vault.yaml

diff --git a/clusters/cl01tl/manifests/vault/CronJob-vault-snapshot.yaml b/clusters/cl01tl/manifests/vault/CronJob-vault-snapshot.yaml
index 97b362507..0c5009086 100644
--- a/clusters/cl01tl/manifests/vault/CronJob-vault-snapshot.yaml
+++ b/clusters/cl01tl/manifests/vault/CronJob-vault-snapshot.yaml
@@ -31,6 +31,9 @@ spec:
 enableServiceLinks: false
 serviceAccountName: default
 automountServiceAccountToken: true
+ securityContext:
+ runAsGroup: 1000
+ runAsUser: 100
 hostIPC: false
 hostNetwork: false
 hostPID: false
diff --git a/clusters/cl01tl/manifests/vault/Deployment-vault.yaml b/clusters/cl01tl/manifests/vault/Deployment-vault.yaml
new file mode 100644
index 000000000..7d1895236
--- /dev/null
+++ b/clusters/cl01tl/manifests/vault/Deployment-vault.yaml
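Review bot: The new pod `securityContext` pins `runAsUser: 100` / `runAsGroup: 1000` but does not set `runAsNonRoot: true`, so the non-root intent is not enforced if the UID line is ever dropped; adding `runAsNonRoot: true` to the same block makes it fail closed. The volume this job writes to is outside the hunk, but if it is a PVC, the non-root user will usually also need `fsGroup: 1000` in this block to get write access to the mount. If this is the CronJob that runs the snapshot.sh introduced in the second patch of this series, note that its `apk add --no-cache jq` step requires root and will not succeed under uid 100, so the two patches should be checked against each other before merging.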
@@ -0,0 +1,58 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: vault + labels: + app.kubernetes.io/controller: main + app.kubernetes.io/instance: vault + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: vault + helm.sh/chart: temp-4.5.0 + namespace: vault +spec: + revisionHistoryLimit: 3 + replicas: 0 + strategy: + type: Recreate + selector: + matchLabels: + app.kubernetes.io/controller: main + app.kubernetes.io/name: vault + app.kubernetes.io/instance: vault + template: + metadata: + labels: + app.kubernetes.io/controller: main + app.kubernetes.io/instance: vault + app.kubernetes.io/name: vault + spec: + enableServiceLinks: false + serviceAccountName: default + automountServiceAccountToken: true + hostIPC: false + hostNetwork: false + hostPID: false + dnsPolicy: ClusterFirst + containers: + - command: + - sleep + - infinity + image: ubuntu:resolute-20251208 + imagePullPolicy: IfNotPresent + name: main + resources: + requests: + cpu: 10m + memory: 32Mi + volumeMounts: + - mountPath: /opt/backup + name: backup + - mountPath: /opt/backup-old + name: backup-old + volumes: + - name: backup + persistentVolumeClaim: + claimName: vault-storage-backup + - name: backup-old + persistentVolumeClaim: + claimName: vault-nfs-storage-backup diff --git a/clusters/cl01tl/manifests/vault/Pod-vault-server-test.yaml b/clusters/cl01tl/manifests/vault/Pod-vault-server-test.yaml index ad4e7e18c..623a35c4f 100644 --- a/clusters/cl01tl/manifests/vault/Pod-vault-server-test.yaml +++ b/clusters/cl01tl/manifests/vault/Pod-vault-server-test.yaml @@ -34,16 +34,10 @@ spec: exit 0 volumeMounts: - - mountPath: /opt/backups-old/ - name: vault-nfs-storage-backup - readOnly: true - mountPath: /opt/backups/ name: vault-storage-backup readOnly: false volumes: - - name: vault-nfs-storage-backup - persistentVolumeClaim: - claimName: vault-nfs-storage-backup - name: vault-storage-backup persistentVolumeClaim: claimName: vault-storage-backup 
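Review bot: The new Deployment's pod keeps `automountServiceAccountToken: true` with `serviceAccountName: default` although its only container is `sleep infinity` and nothing in the manifest talks to the Kubernetes API; set `automountServiceAccountToken: false` so an interactive session in this pod does not carry a service account credential it never needs. The pod also has no `securityContext`, unlike the CronJob changed in the same patch, so the ubuntu container runs as root while holding both backup PVCs read-write; if its purpose is to copy snapshots from the old NFS volume to the new one, `readOnly: true` on the `backup-old` mount would state that and remove one accidental-write path. `image: ubuntu:resolute-20251208` is a mutable tag; for a long-lived utility image in a GitOps repo, pinning by digest is the usual practice. With `replicas: 0` none of this is live until the Deployment is scaled up by hand, which makes the hardening cheap to add now.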
diff --git a/clusters/cl01tl/manifests/vault/StatefulSet-vault.yaml b/clusters/cl01tl/manifests/vault/StatefulSet-vault.yaml
index 66dc1a003..4f2b1a5c2 100644
--- a/clusters/cl01tl/manifests/vault/StatefulSet-vault.yaml
+++ b/clusters/cl01tl/manifests/vault/StatefulSet-vault.yaml
@@ -48,9 +48,6 @@ spec:
 - name: config
 configMap:
 name: vault-config
- - name: vault-nfs-storage-backup
- persistentVolumeClaim:
- claimName: vault-nfs-storage-backup
 - name: vault-storage-backup
 persistentVolumeClaim:
 claimName: vault-storage-backup
@@ -113,9 +110,6 @@ spec:
 mountPath: /vault/data
 - name: config
 mountPath: /vault/config
- - mountPath: /opt/backups-old/
- name: vault-nfs-storage-backup
- readOnly: true
 - mountPath: /opt/backups/
 name: vault-storage-backup
 readOnly: false
-- 
2.49.1

From 0428a13d16acf9e66a659a5fe855ef420b10b554 Mon Sep 17 00:00:00 2001
From: gitea-bot
Date: Sat, 20 Dec 2025 04:24:50 +0000
Subject: [PATCH 2/2] chore: Update manifests after change

---
 .../vault/ConfigMap-vault-backup-script.yaml | 18 +++++++
 .../ConfigMap-vault-snapshot-script.yaml | 48 +++++++++++++++----
 2 files changed, 57 insertions(+), 9 deletions(-)
 create mode 100644 clusters/cl01tl/manifests/vault/ConfigMap-vault-backup-script.yaml

diff --git a/clusters/cl01tl/manifests/vault/ConfigMap-vault-backup-script.yaml b/clusters/cl01tl/manifests/vault/ConfigMap-vault-backup-script.yaml
new file mode 100644
index 000000000..177e70baf
--- /dev/null
+++ b/clusters/cl01tl/manifests/vault/ConfigMap-vault-backup-script.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: vault-backup-script
+ namespace: vault
+ labels:
+ app.kubernetes.io/name: vault-backup-script
+ app.kubernetes.io/instance: vault
+ app.kubernetes.io/part-of: vault
+data:
+ backup.sh: |
+ echo " ";
+ echo ">> Running S3 backup for Vault snapshot";
+ if s3cmd sync --no-check-certificate -v /opt/backup "${BUCKET}/cl01tl/cl01tl-vault-snapshots/"; then
+ echo ">> Sync succeeded"
+ else
+ echo ">> ERROR: Sync failed"
+ fi
diff --git a/clusters/cl01tl/manifests/vault/ConfigMap-vault-snapshot-script.yaml b/clusters/cl01tl/manifests/vault/ConfigMap-vault-snapshot-script.yaml
index 8d4149982..8caac4f76 100644
--- a/clusters/cl01tl/manifests/vault/ConfigMap-vault-snapshot-script.yaml
+++ b/clusters/cl01tl/manifests/vault/ConfigMap-vault-snapshot-script.yaml
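Review bot: The `else` branch of the `s3cmd sync` check only echoes `>> ERROR: Sync failed` and falls through, so `backup.sh` exits 0 and whatever Job runs it is reported successful even when nothing was uploaded; add `exit 1;` after that echo. `--no-check-certificate` turns off TLS certificate verification for the S3 endpoint, so the upload will accept any certificate presented to it; if the endpoint uses a private CA, point s3cmd at that bundle with `--ca-certs=` instead of disabling verification. `s3cmd sync` with no trailing slash on `/opt/backup` may include the directory name in the remote key prefix, which would change the layout the previous `s3cmd put` produced; verify the resulting keys once. The script has no shebang and no `set -e`, so its interpreter and error semantics come entirely from the consumer, which is worth a comment on the `backup.sh:` key.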
@@ -8,15 +8,45 @@ metadata: app.kubernetes.io/instance: vault app.kubernetes.io/part-of: vault data: - update.sh: | - BACKUP_FOLDER=/opt/backup - BACKUP_FILE=$(ls -t $BACKUP_FOLDER | head -n 1) + snapshot.sh: | + MAX_RETRIES=5 + SUCCESS=false + + for ((i=1; i<=$MAX_RETRIES; i++)); do + if apk update --short &> /dev/null; then + echo ">> Attempt $i: Repositories are reachable"; + SUCCESS=true; + break; + else + echo ">> Attempt $i: Connection failed, retrying in 5 seconds ..."; + sleep 5; + fi; + done; + + if [ "$SUCCESS" = false ]; then + echo ">> ERROR: Could not connect to apk repositories after $MAX_RETRIES attempts, exiting ..."; + exit 1; + fi + + if ! command -v jq 2>&1 >/dev/null; + then + echo "jq could not be found, installing"; + apk add --no-cache jq; + if [ $? -eq 0 ]; then + echo ">> Installation successful"; + else + echo ">> Installation failed with exit code $?"; + exit 1; + fi; + fi; echo " "; - echo ">> Running S3 backup for Vault snapshot"; + echo ">> Fetching Vault token"; + export VAULT_TOKEN=$(vault write auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID -format=json | jq -r .auth.client_token); - if s3cmd put --no-check-md5 --no-check-certificate -v "$BACKUP_FOLDER/$BACKUP_FILE" "${BUCKET}/cl01tl/cl01tl-vault-snapshots/$BACKUP_FILE"; then - echo ">> Upload succeeded" - else - echo ">> ERROR: Upload failed" - fi + echo " "; + echo ">> Taking Vault snapsot ..."; + vault operator raft snapshot save /opt/backup/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap + + echo " "; + echo ">> Completed Vault snapshot"; -- 2.49.1
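Review bot: `echo ">> Installation failed with exit code $?"` reports the status of the preceding `[ $? -eq 0 ]` test (always 1 on that branch), not of `apk add`; more importantly `apk add` needs root, and the first patch in this series sets `runAsUser: 100` on the vault-snapshot CronJob, so if that is the pod running this script the install, and with it the job, fails before any snapshot is taken. The jq dependency can be removed entirely by asking the CLI for the token with `vault write -field=token auth/approle/login ...`, which also makes the apk reachability loop and the root requirement unnecessary. `secret_id=$VAULT_APPROLE_SECRET_ID` is passed on the command line and is visible in the process list (`/proc/<pid>/cmdline`) for the duration of the call; `secret_id=-` reads it from stdin instead. `export VAULT_TOKEN=$(...)` discards the login exit status and `vault operator raft snapshot save` is unchecked, so `>> Completed Vault snapshot` prints even when no snapshot was written; the rewrite below fails the job in both cases and fixes the `snapsot` typo.

```yaml
  snapshot.sh: |
    # … apk reachability loop and jq install removed; the token is read with -field=token below …
    echo " ";
    echo ">> Fetching Vault token";
    VAULT_TOKEN=$(printf '%s' "$VAULT_APPROLE_SECRET_ID" | vault write -field=token auth/approle/login role_id="$VAULT_APPROLE_ROLE_ID" secret_id=-) || { echo ">> ERROR: AppRole login failed"; exit 1; };
    export VAULT_TOKEN;

    echo " ";
    echo ">> Taking Vault snapshot ...";
    if ! vault operator raft snapshot save "/opt/backup/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap"; then
      echo ">> ERROR: Snapshot failed";
      exit 1;
    fi

    echo " ";
    echo ">> Completed Vault snapshot";
```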