diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 5c48647..23c425e 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -21,7 +21,7 @@ jobs:
 python-version: '^3.9'
 - name: Configure caching (python)
- uses: actions/cache@v2
+ uses: actions/cache@v4
 with:
 path: ${{ env.pythonLocation }}
 key: ${{ env.pythonLocation }}-${{ hashFiles('test-requirements.txt') }}
@@ -31,7 +31,7 @@ jobs:
 pip install --upgrade --upgrade-strategy eager -r test-requirements.txt
 - name: Configure caching (pre-commit)
- uses: actions/cache@v2
+ uses: actions/cache@v4
 with:
 path: ~/.cache/pre-commit
 key: precommit-${{ runner.os }}-${{ hashFiles('.pre-commit-config.yaml') }}
@@ -51,7 +51,7 @@ jobs:
 uses: actions/checkout@v2
 - name: Configure caching
- uses: actions/cache@v2
+ uses: actions/cache@v4
 with:
 path: ~/.cache/bin
 key: kustomize-${{ runner.os }}-${{ env.KUSTOMIZE_VERSION }}
diff --git a/k8s/base/openstack-api-backup-cron.yaml b/k8s/base/openstack-api-backup-cron.yaml
index d8fb613..0d85708 100644
--- a/k8s/base/openstack-api-backup-cron.yaml
+++ b/k8s/base/openstack-api-backup-cron.yaml
@@ -20,6 +20,14 @@ spec:
 - name: openstack-api-backup
 image: ghcr.io/nerc-project/openstack-api-backup:main
 imagePullPolicy: Always
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
 env:
 - name: HOME
 value: '/tmp'
diff --git a/k8s/overlays/nerc-shift-1/kustomization.yaml b/k8s/overlays/nerc-shift-1/kustomization.yaml
new file mode 100644
index 0000000..abba317
--- /dev/null
+++ b/k8s/overlays/nerc-shift-1/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+namespace: openstack-api-backup
+resources:
+ - ../../base
+ - secrets
+ - pvc.yaml
+
+patchesStrategicMerge:
+ - patches/patch-openstack-api-backup-cron.yaml
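Review bot: The new container securityContext sets `runAsNonRoot: true` without a `runAsUser`, so the kubelet will only admit the container if the image's configured USER resolves to a numeric non-root UID; if ghcr.io/nerc-project/openstack-api-backup:main runs as root or declares a non-numeric user, the job fails with CreateContainerConfigError instead of running. Either confirm the image's USER directive or add `runAsUser: <non-root UID>` next to it (on an OpenShift cluster the restricted SCC injects an arbitrary UID, which also satisfies the check — worth confirming that applies to nerc-shift-1). Given that `HOME` is already pointed at /tmp on the context lines, `readOnlyRootFilesystem: true` may be a cheap further hardening if the image writes nowhere else; verify against the image before adding it. The container spec continues outside the hunk.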
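Review bot: `patchesStrategicMerge` is a deprecated kustomization field; kustomize v5 warns on it and directs users to the unified `patches` list, so the new overlay should use `patches:` / `  - path: patches/patch-openstack-api-backup-cron.yaml` instead (the `$patch` directives in the referenced file keep working under `patches`). The kustomize version pinned through KUSTOMIZE_VERSION in ci.yaml is not visible here, so confirm the CI binary accepts the newer field before switching. A short comment above `resources` noting that `secrets` is a directory with its own kustomization would also help, since that entry otherwise reads like a file name.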
diff --git a/k8s/overlays/nerc-shift-1/patches/patch-openstack-api-backup-cron.yaml b/k8s/overlays/nerc-shift-1/patches/patch-openstack-api-backup-cron.yaml
new file mode 100644
index 0000000..6260fdd
--- /dev/null
+++ b/k8s/overlays/nerc-shift-1/patches/patch-openstack-api-backup-cron.yaml
@@ -0,0 +1,53 @@
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: openstack-api-backup
+ namespace: openstack-api-backup
+spec:
+ schedule: 35 * * * *
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ containers:
+ - name: openstack-api-backup
+ env:
+ - name: S3_ENDPOINT
+ valueFrom:
+ $patch: replace
+ secretKeyRef:
+ name: openstack-api-backup
+ key: s3_endpoint
+ - name: S3_BUCKET_URI
+ valueFrom:
+ $patch: replace
+ secretKeyRef:
+ name: openstack-api-backup
+ key: s3_bucket_uri
+ - name: BACKUP_ROTATE
+ valueFrom:
+ $patch: replace
+ secretKeyRef:
+ name: openstack-api-backup
+ key: backup_rotate
+ - name: OS_AUTH_TYPE
+ value: v3applicationcredential
+ - name: OS_AUTH_URL
+ valueFrom:
+ $patch: replace
+ secretKeyRef:
+ name: openstack-api-backup
+ key: os_auth_url
+ - name: OS_APPLICATION_CREDENTIAL_ID
+ valueFrom:
+ $patch: replace
+ secretKeyRef:
+ name: openstack-api-backup
+ key: os_application_credential_id
+ - name: OS_APPLICATION_CREDENTIAL_SECRET
+ valueFrom:
+ $path: replace
+ secretKeyRef:
+ name: openstack-api-backup
+ key: os_application_credential_secret
diff --git a/k8s/overlays/nerc-shift-1/pvc.yaml b/k8s/overlays/nerc-shift-1/pvc.yaml
new file mode 100644
index 0000000..4cc03e6
--- /dev/null
+++ b/k8s/overlays/nerc-shift-1/pvc.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: openstack-api-backup
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 2Gi
diff --git a/k8s/overlays/nerc-shift-1/secrets/kustomization.yaml b/k8s/overlays/nerc-shift-1/secrets/kustomization.yaml
new file mode 100644
index 0000000..247f4f9
--- /dev/null
+++ b/k8s/overlays/nerc-shift-1/secrets/kustomization.yaml
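Review bot: The last env entry, OS_APPLICATION_CREDENTIAL_SECRET, uses `$path: replace` where every other entry uses `$patch: replace`; `$path` is not a strategic-merge directive, so kustomize will carry it into the rendered manifest as an ordinary field inside valueFrom, where the API server rejects it as unknown (or prunes it, depending on the cluster's field-validation setting), and the replace semantics are lost for precisely the most sensitive variable. Change it to `$patch: replace`. Separately, `$patch: replace` placed inside `valueFrom` only replaces that subtree; if the base CronJob defines these variables with `value:` (the base is not visible here), the merged env entry would carry both `value` and `valueFrom`, which the API rejects — confirm the base shape or move the directive up to the env-entry level. `schedule: 35 * * * *` parses as a plain string, but the bare asterisks read like alias sigils; quote it as `schedule: '35 * * * *'`.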
@@ -0,0 +1,3 @@
+---
+resources:
+ - openstack-api-backup.yaml
diff --git a/k8s/overlays/nerc-shift-1/secrets/openstack-api-backup.yaml b/k8s/overlays/nerc-shift-1/secrets/openstack-api-backup.yaml
new file mode 100644
index 0000000..755ef03
--- /dev/null
+++ b/k8s/overlays/nerc-shift-1/secrets/openstack-api-backup.yaml
@@ -0,0 +1,42 @@
+---
+apiVersion: external-secrets.io/v1alpha1
+kind: ExternalSecret
+metadata:
+ name: openstack-api-backup
+ namespace: openstack-api-backup
+spec:
+ refreshInterval: "15s"
+ secretStoreRef:
+ name: vault-backend
+ kind: ClusterSecretStore
+ target:
+ name: openstack-api-backup
+ data:
+ - secretKey: aws_credentials
+ remoteRef:
+ key: accounts/holecs
+ property: awscli_credentials
+ - secretKey: backup_rotate
+ remoteRef:
+ key: openstack-api-backup/config
+ property: backup_rotate
+ - secretKey: s3_endpoint
+ remoteRef:
+ key: openstack-api-backup/config
+ property: s3_endpoint
+ - secretKey: s3_bucket_uri
+ remoteRef:
+ key: openstack-api-backup/config
+ property: s3_bucket_uri
+ - secretKey: os_auth_url
+ remoteRef:
+ key: openstack-api-backup/config
+ property: os_auth_url
+ - secretKey: os_application_credential_id
+ remoteRef:
+ key: openstack-api-backup/config
+ property: os_application_credential_id
+ - secretKey: os_application_credential_secret
+ remoteRef:
+ key: openstack-api-backup/config
+ property: os_application_credential_secret
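Review bot: `apiVersion: external-secrets.io/v1alpha1` is the original alpha API of External Secrets Operator; it is deprecated in favour of `v1beta1` and may no longer be served by current operator releases, so a new manifest should use `apiVersion: external-secrets.io/v1beta1` unless the cluster is pinned to an old operator — confirm the installed ESO version. `refreshInterval: "15s"` makes the operator re-read all seven keys from the Vault backend every 15 seconds for a job that runs once an hour; an interval closer to the CronJob period, e.g. `refreshInterval: 1h`, is sufficient and reduces load and audit noise on the secret store. This manifest also fixes `metadata.namespace` while the overlay kustomization already sets `namespace: openstack-api-backup`; the explicit field is harmless but redundant.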