5 changed files with 77 additions and 5 deletions
--- a/apps/gitea/backups.yaml
+++ b/apps/gitea/backups.yaml
@@ -7,17 +7,17 @@ spec:
  backend:
    # Manually adding secrets for now
    repoPasswordSecretRef:
-      name: restic-repo
+      name: gitea-backup-restic
      key: password
    s3:
      endpoint: https://s3.eu-central-003.backblazeb2.com
      bucket: lumpiasty-backups
      accessKeyIDSecretRef:
-        name: backblaze
-        key: keyid
+        name: gitea-backup-backblaze
+        key: aws_access_key_id
      secretAccessKeySecretRef:
-        name: backblaze
-        key: secret
+        name: gitea-backup-backblaze
+        key: aws_secret_access_key
  backup:
    schedule: "@daily-random"
    failedJobsHistoryLimit: 2
--- a/apps/gitea/kustomization.yaml
+++ b/apps/gitea/kustomization.yaml
@@ -4,4 +4,5 @@ resources:
  - namespace.yaml
  - postgres-cluster.yaml
  - release.yaml
+  - secret.yaml
  - backups.yaml
--- a/apps/gitea/secret.yaml
+++ b/apps/gitea/secret.yaml
@@ -0,0 +1,58 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: backup
+  namespace: gitea
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: backup
+  namespace: gitea
+spec:
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: backup
+    serviceAccount: backup
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: gitea-backup-restic
+  namespace: gitea
+spec:
+  type: kv-v2
+
+  mount: secret
+  path: restic
+
+  destination:
+    create: true
+    name: gitea-backup-restic
+    type: Opaque
+    transformation:
+      excludeRaw: true
+
+  vaultAuthRef: backup
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: gitea-backup-backblaze
+  namespace: gitea
+spec:
+  type: kv-v2
+
+  mount: secret
+  path: backblaze
+
+  destination:
+    create: true
+    name: gitea-backup-backblaze
+    type: Opaque
+    transformation:
+      excludeRaw: true
+
+  vaultAuthRef: backup
--- a/vault/kubernetes-roles/backup.yaml
+++ b/vault/kubernetes-roles/backup.yaml
@@ -0,0 +1,6 @@
+bound_service_account_names:
+  - backup
+bound_service_account_namespaces:
+  - gitea
+token_policies:
+  - backup
--- a/vault/policy/backup.hcl
+++ b/vault/policy/backup.hcl
@@ -0,0 +1,7 @@
+path "secret/data/restic" {
+    capabilities = ["read"]
+}
+
+path "secret/data/backblaze" {
+    capabilities = ["read"]
+}