add vault secret of gitea backups
@@ -7,17 +7,17 @@ spec:
backend:
backend:
# Manually adding secrets for now
# Manually adding secrets for now
repoPasswordSecretRef:
repoPasswordSecretRef:
name: restic-repo
name: gitea-backup-restic
key: password
key: password
s3:
s3:
endpoint: https://s3.eu-central-003.backblazeb2.com
endpoint: https://s3.eu-central-003.backblazeb2.com
bucket: lumpiasty-backups
bucket: lumpiasty-backups
accessKeyIDSecretRef:
accessKeyIDSecretRef:
name: backblaze
name: gitea-backup-backblaze
key: keyid
key: aws_access_key_id
secretAccessKeySecretRef:
secretAccessKeySecretRef:
name: backblaze
name: gitea-backup-backblaze
key: secret
key: aws_secret_access_key
backup:
backup:
schedule: "@daily-random"
schedule: "@daily-random"
failedJobsHistoryLimit: 2
failedJobsHistoryLimit: 2
@@ -4,4 +4,5 @@ resources:
- namespace.yaml
- namespace.yaml
- postgres-cluster.yaml
- postgres-cluster.yaml
- release.yaml
- release.yaml
- secret.yaml
- backups.yaml
- backups.yaml
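--- /dev/null
+++ b/apps/gitea/secret.yaml
@@ -0,0 +1,58 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: backup
+  namespace: gitea
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: backup
+  namespace: gitea
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: backup
+    serviceAccount: backup
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: gitea-backup-restic
+  namespace: gitea
+spec:
+  type: kv-v2
+
+  mount: secret
+  path: restic
+
+  destination:
+    create: true
+    name: gitea-backup-restic
+    type: Opaque
+    transformation:
+      excludeRaw: true
+
+  vaultAuthRef: backup
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: gitea-backup-backblaze
+  namespace: gitea
+spec:
+  type: kv-v2
+
+  mount: secret
+  path: backblaze
+
+  destination:
+    create: true
+    name: gitea-backup-backblaze
+    type: Opaque
+    transformation:
+      excludeRaw: true
+
+  vaultAuthRef: backup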
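Review bot: The two VaultStaticSecret resources do not document which keys the KV v2 entries at `secret/restic` and `secret/backblaze` must contain, yet the synced Secrets are consumed by exact key name from backups.yaml (`gitea-backup-restic`/`password`, `gitea-backup-backblaze`/`aws_access_key_id` and `aws_secret_access_key`), so a missing or renamed key in Vault only shows up as a failing backup job. Add a comment above each VaultStaticSecret naming the keys it must provide, e.g. `# secret/restic must hold key "password" (repoPasswordSecretRef in backups.yaml)` and `# secret/backblaze must hold keys "aws_access_key_id" and "aws_secret_access_key"`. Neither resource sets `refreshAfter`, so as far as I can tell from the operator's defaults a credential rotated in Vault would not be re-synced on a schedule; if rotation is expected, set one explicitly. `excludeRaw: true` is the right choice here, since it keeps the raw Vault response and its metadata out of the Kubernetes Secret.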
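--- /dev/null
+++ b/vault/kubernetes-roles/backup.yaml
@@ -0,0 +1,6 @@
+bound_service_account_names:
+  - backup
+bound_service_account_namespaces:
+  - gitea
+token_policies:
+  - backup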
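Review bot: The role binds only service account `backup` in namespace `gitea`, which is the right scope, but it sets no `token_ttl`/`token_max_ttl`, so the auth method's defaults decide how long a token the operator obtains stays valid. Consider adding `token_ttl: 1h` and `token_max_ttl: 1h` (values illustrative) so the lifetime is explicit and reviewable next to the bindings. How this file is applied to Vault is not visible here, so confirm the tooling accepts those keys. A one-line comment naming the consumer would also help, e.g. `# Used by VaultAuth "backup" in apps/gitea/secret.yaml`.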
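--- /dev/null
+++ b/vault/policy/backup.hcl
@@ -0,0 +1,7 @@
+path "secret/data/restic" {
+  capabilities = ["read"]
+}
+
+path "secret/data/backblaze" {
+  capabilities = ["read"]
+}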
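Review bot: The policy is read-only and limited to the two paths the operator needs, but it carries no comment saying which role depends on it, so a future reader cannot tell that widening it affects the gitea backup auth role. Add a header such as `# Read-only access for the gitea backup Kubernetes auth role (vault/kubernetes-roles/backup.yaml)`. The policy name `backup` is generic while both paths are gitea-specific; if other applications gain backups, a per-app name (e.g. `gitea-backup`) avoids extending this one policy with more paths over time.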