From 29828d4aae09c5932fbb018e50faf69fd9ee231f Mon Sep 17 00:00:00 2001
From: Augustine Abaris
Date: Mon, 9 Feb 2026 13:20:55 -0500
Subject: [PATCH 1/5] Add backup deployment to nerc-shift-1
---
k8s/base/openstack-api-backup-cron.yaml | 11 ++++
k8s/overlays/nerc-shift-1/kustomization.yaml | 9 ++++
.../patch-openstack-api-backup-cron.yaml | 53 +++++++++++++++++++
k8s/overlays/nerc-shift-1/pvc.yaml | 11 ++++
.../nerc-shift-1/secrets/kustomization.yaml | 3 ++
.../secrets/openstack-api-backup.yaml | 42 +++++++++++++++
k8s/overlays/ocp-aa-test/kustomization.yaml | 9 ++++
.../patch-openstack-api-backup-cron.yaml | 52 ++++++++++++++++++
k8s/overlays/ocp-aa-test/pvc.yaml | 11 ++++
.../ocp-aa-test/secrets/kustomization.yaml | 3 ++
.../secrets/openstack-api-backup.yaml | 42 +++++++++++++++
11 files changed, 246 insertions(+)
create mode 100644 k8s/overlays/nerc-shift-1/kustomization.yaml
create mode 100644 k8s/overlays/nerc-shift-1/patches/patch-openstack-api-backup-cron.yaml
create mode 100644 k8s/overlays/nerc-shift-1/pvc.yaml
create mode 100644 k8s/overlays/nerc-shift-1/secrets/kustomization.yaml
create mode 100644 k8s/overlays/nerc-shift-1/secrets/openstack-api-backup.yaml
create mode 100644 k8s/overlays/ocp-aa-test/kustomization.yaml
create mode 100644 k8s/overlays/ocp-aa-test/patches/patch-openstack-api-backup-cron.yaml
create mode 100644 k8s/overlays/ocp-aa-test/pvc.yaml
create mode 100644 k8s/overlays/ocp-aa-test/secrets/kustomization.yaml
create mode 100644 k8s/overlays/ocp-aa-test/secrets/openstack-api-backup.yaml
diff --git a/k8s/base/openstack-api-backup-cron.yaml b/k8s/base/openstack-api-backup-cron.yaml
index d8fb613..c32e100 100644
--- a/k8s/base/openstack-api-backup-cron.yaml
+++ b/k8s/base/openstack-api-backup-cron.yaml
@@ -16,10 +16,21 @@ spec:
 runAsUser: 1001
 runAsGroup: 1001
 fsGroup: 1001
+ runAsNonRoot: true
+ seccompProfileProfile:
+ type: RuntimeDefault
 containers:
 - name: openstack-api-backup
 image: ghcr.io/nerc-project/openstack-api-backup:main
 imagePullPolicy: Always
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
 env:
 - name: HOME
 value: '/tmp'
diff --git a/k8s/overlays/nerc-shift-1/kustomization.yaml b/k8s/overlays/nerc-shift-1/kustomization.yaml
new file mode 100644
index 0000000..6a9051f
--- /dev/null
+++ b/k8s/overlays/nerc-shift-1/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+namespace: default
+resources:
+ - ../../base
+ - secrets
+ - pvc.yaml
+
+patchesStrategicMerge:
+ - patches/patch-openstack-api-backup-cron.yaml
diff --git a/k8s/overlays/nerc-shift-1/patches/patch-openstack-api-backup-cron.yaml b/k8s/overlays/nerc-shift-1/patches/patch-openstack-api-backup-cron.yaml
new file mode 100644
index 0000000..8183e7b
--- /dev/null
+++ b/k8s/overlays/nerc-shift-1/patches/patch-openstack-api-backup-cron.yaml
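Review bot: `seccompProfileProfile:` added to the pod-level securityContext is not a PodSecurityContext field, so the pod-wide seccomp setting never takes effect: kubectl's field validation rejects the unknown key, and with validation relaxed the server drops it. The intended key is `seccompProfile:`. The container-level `seccompProfile` and `runAsNonRoot` added to the only container do apply, and patch 3 in this series deletes the pod-level block, so the effective profile is the container-level one; if a pod-wide default is still wanted (it would also cover any init or sidecar container added later), re-add it spelled correctly. The enclosing CronJob spec starts and continues outside the hunk.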
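Review bot: `patchesStrategicMerge:` is a deprecated kustomization field (kustomize v5 warns on it and documents `patches:` as the replacement), so the overlay is more future-proof as `patches:` / `  - path: patches/patch-openstack-api-backup-cron.yaml`. The ocp-aa-test kustomization created later in this commit uses the same field. Note also that `namespace: default` here overrides the `metadata.namespace: openstack-api-backup` hardcoded in the overlay's patch and ExternalSecret, so as committed every resource of this overlay lands in `default`; patch 4 in the series changes it.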
@@ -0,0 +1,53 @@
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: openstack-api-backup
+ namespace: openstack-api-backup
+spec:
+ schedule: 4 * * * *
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ containers:
+ - name: openstack-api-backup
+ env:
+ - name: S3_ENDPOINT
+ valueFrom:
+ $patch: replace
+ secretKeyRef:
+ name: openstack-api-backup
+ key: s3_endpoint
+ - name: S3_BUCKET_URI
+ valueFrom:
+ $patch: replace
+ secretKeyRef:
+ name: openstack-api-backup
+ key: s3_bucket_uri
+ - name: BACKUP_ROTATE
+ valueFrom:
+ $patch: replace
+ secretKeyRef:
+ name: openstack-api-backup
+ key: backup_rotate
+ - name: OS_AUTH_TYPE
+ value: v3applicationcredential
+ - name: OS_AUTH_URL
+ valueFrom:
+ $patch: replace
+ secretKeyRef:
+ name: openstack-api-backup
+ key: os_auth_url
+ - name: OS_APPLICATION_CREDENTIAL_ID
+ valueFrom:
+ $patch: replace
+ secretKeyRef:
+ name: openstack-api-backup
+ key: os_application_credential_id
+ - name: OS_APPLICATION_CREDENTIAL_SECRET
+ valueFrom:
+ $path: replace
+ secretKeyRef:
+ name: openstack-api-backup
+ key: os_application_credential_secret
diff --git a/k8s/overlays/nerc-shift-1/pvc.yaml b/k8s/overlays/nerc-shift-1/pvc.yaml
new file mode 100644
index 0000000..4cc03e6
--- /dev/null
+++ b/k8s/overlays/nerc-shift-1/pvc.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: openstack-api-backup
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 2Gi
diff --git a/k8s/overlays/nerc-shift-1/secrets/kustomization.yaml b/k8s/overlays/nerc-shift-1/secrets/kustomization.yaml
new file mode 100644
index 0000000..247f4f9
--- /dev/null
+++ b/k8s/overlays/nerc-shift-1/secrets/kustomization.yaml
@@ -0,0 +1,3 @@
+---
+resources:
+ - openstack-api-backup.yaml
diff --git a/k8s/overlays/nerc-shift-1/secrets/openstack-api-backup.yaml b/k8s/overlays/nerc-shift-1/secrets/openstack-api-backup.yaml
new file mode 100644
index 0000000..755ef03
--- /dev/null
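Review bot: The OS_APPLICATION_CREDENTIAL_SECRET entry uses `$path: replace` where every other entry uses `$patch: replace`. `$path` is not a strategic-merge directive, so kustomize merges this `valueFrom` into the base's instead of replacing it and carries `$path` through as an ordinary key: the rendered CronJob has an unknown field inside `valueFrom`, and if the base sources that variable from somewhere else (presumably why the other entries use replace) both sources remain. The fix is the one-character change to `$patch: replace`; the ocp-aa-test copy of this file later in the commit has the identical typo. Separately, `schedule: 4 * * * *` fires at minute 4 of every hour rather than at 04:00, and a cron expression is a string that reads more safely quoted, `schedule: "4 * * * *"`, since a plain scalar starting with `*` would be parsed as a YAML alias.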
+++ b/k8s/overlays/nerc-shift-1/secrets/openstack-api-backup.yaml
@@ -0,0 +1,42 @@
+---
+apiVersion: external-secrets.io/v1alpha1
+kind: ExternalSecret
+metadata:
+ name: openstack-api-backup
+ namespace: openstack-api-backup
+spec:
+ refreshInterval: "15s"
+ secretStoreRef:
+ name: vault-backend
+ kind: ClusterSecretStore
+ target:
+ name: openstack-api-backup
+ data:
+ - secretKey: aws_credentials
+ remoteRef:
+ key: accounts/holecs
+ property: awscli_credentials
+ - secretKey: backup_rotate
+ remoteRef:
+ key: openstack-api-backup/config
+ property: backup_rotate
+ - secretKey: s3_endpoint
+ remoteRef:
+ key: openstack-api-backup/config
+ property: s3_endpoint
+ - secretKey: s3_bucket_uri
+ remoteRef:
+ key: openstack-api-backup/config
+ property: s3_bucket_uri
+ - secretKey: os_auth_url
+ remoteRef:
+ key: openstack-api-backup/config
+ property: os_auth_url
+ - secretKey: os_application_credential_id
+ remoteRef:
+ key: openstack-api-backup/config
+ property: os_application_credential_id
+ - secretKey: os_application_credential_secret
+ remoteRef:
+ key: openstack-api-backup/config
+ property: os_application_credential_secret
diff --git a/k8s/overlays/ocp-aa-test/kustomization.yaml b/k8s/overlays/ocp-aa-test/kustomization.yaml
new file mode 100644
index 0000000..abba317
--- /dev/null
+++ b/k8s/overlays/ocp-aa-test/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+namespace: openstack-api-backup
+resources:
+ - ../../base
+ - secrets
+ - pvc.yaml
+
+patchesStrategicMerge:
+ - patches/patch-openstack-api-backup-cron.yaml
diff --git a/k8s/overlays/ocp-aa-test/patches/patch-openstack-api-backup-cron.yaml b/k8s/overlays/ocp-aa-test/patches/patch-openstack-api-backup-cron.yaml
new file mode 100644
index 0000000..250fdfc
--- /dev/null
+++ b/k8s/overlays/ocp-aa-test/patches/patch-openstack-api-backup-cron.yaml
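Review bot: `apiVersion: external-secrets.io/v1alpha1` is the oldest ExternalSecret API; current external-secrets operator releases serve `external-secrets.io/v1beta1` (and, on newer releases, `v1`) and no longer serve v1alpha1, so this object is rejected on a recent operator unless the cluster still serves that version — confirm against the installed CRD. `refreshInterval: "15s"` re-reads seven Vault paths every 15 seconds for a Secret consumed by a job that runs at most once an hour; an interval on the order of minutes would cut ClusterSecretStore traffic with no effect on the job. `aws_credentials` is synced into the Secret but not referenced by the CronJob patch in this commit; presumably the base mounts it, otherwise it is an unused copy of a credential. The ocp-aa-test copy of this file later in the commit is identical.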
@@ -0,0 +1,52 @@
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: openstack-api-backup
+ namespace: openstack-api-backup
+spec:
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ containers:
+ - name: openstack-api-backup
+ env:
+ - name: S3_ENDPOINT
+ valueFrom:
+ $patch: replace
+ secretKeyRef:
+ name: openstack-api-backup
+ key: s3_endpoint
+ - name: S3_BUCKET_URI
+ valueFrom:
+ $patch: replace
+ secretKeyRef:
+ name: openstack-api-backup
+ key: s3_bucket_uri
+ - name: BACKUP_ROTATE
+ valueFrom:
+ $patch: replace
+ secretKeyRef:
+ name: openstack-api-backup
+ key: backup_rotate
+ - name: OS_AUTH_TYPE
+ value: v3applicationcredential
+ - name: OS_AUTH_URL
+ valueFrom:
+ $patch: replace
+ secretKeyRef:
+ name: openstack-api-backup
+ key: os_auth_url
+ - name: OS_APPLICATION_CREDENTIAL_ID
+ valueFrom:
+ $patch: replace
+ secretKeyRef:
+ name: openstack-api-backup
+ key: os_application_credential_id
+ - name: OS_APPLICATION_CREDENTIAL_SECRET
+ valueFrom:
+ $path: replace
+ secretKeyRef:
+ name: openstack-api-backup
+ key: os_application_credential_secret
diff --git a/k8s/overlays/ocp-aa-test/pvc.yaml b/k8s/overlays/ocp-aa-test/pvc.yaml
new file mode 100644
index 0000000..4cc03e6
--- /dev/null
+++ b/k8s/overlays/ocp-aa-test/pvc.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: openstack-api-backup
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 2Gi
diff --git a/k8s/overlays/ocp-aa-test/secrets/kustomization.yaml b/k8s/overlays/ocp-aa-test/secrets/kustomization.yaml
new file mode 100644
index 0000000..247f4f9
--- /dev/null
+++ b/k8s/overlays/ocp-aa-test/secrets/kustomization.yaml
@@ -0,0 +1,3 @@
+---
+resources:
+ - openstack-api-backup.yaml
diff --git a/k8s/overlays/ocp-aa-test/secrets/openstack-api-backup.yaml b/k8s/overlays/ocp-aa-test/secrets/openstack-api-backup.yaml
new file mode 100644
index 0000000..755ef03
--- /dev/null
+++ b/k8s/overlays/ocp-aa-test/secrets/openstack-api-backup.yaml
@@ -0,0 +1,42 @@
+---
+apiVersion: external-secrets.io/v1alpha1
+kind: ExternalSecret
+metadata:
+ name: openstack-api-backup
+ namespace: openstack-api-backup
+spec:
+ refreshInterval: "15s"
+ secretStoreRef:
+ name: vault-backend
+ kind: ClusterSecretStore
+ target:
+ name: openstack-api-backup
+ data:
+ - secretKey: aws_credentials
+ remoteRef:
+ key: accounts/holecs
+ property: awscli_credentials
+ - secretKey: backup_rotate
+ remoteRef:
+ key: openstack-api-backup/config
+ property: backup_rotate
+ - secretKey: s3_endpoint
+ remoteRef:
+ key: openstack-api-backup/config
+ property: s3_endpoint
+ - secretKey: s3_bucket_uri
+ remoteRef:
+ key: openstack-api-backup/config
+ property: s3_bucket_uri
+ - secretKey: os_auth_url
+ remoteRef:
+ key: openstack-api-backup/config
+ property: os_auth_url
+ - secretKey: os_application_credential_id
+ remoteRef:
+ key: openstack-api-backup/config
+ property: os_application_credential_id
+ - secretKey: os_application_credential_secret
+ remoteRef:
+ key: openstack-api-backup/config
+ property: os_application_credential_secret
From 9a5bc74cbb6812e2de50dcf88fbbbf8242a269b9 Mon Sep 17 00:00:00 2001
From: Augustine Abaris
Date: Thu, 12 Feb 2026 10:18:22 -0500
Subject: [PATCH 2/5] Bump cache action version
---
.github/workflows/ci.yaml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 5c48647..23c425e 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -21,7 +21,7 @@ jobs:
 python-version: '^3.9'
 - name: Configure caching (python)
- uses: actions/cache@v2
+ uses: actions/cache@v4
 with:
 path: ${{ env.pythonLocation }}
 key: ${{ env.pythonLocation }}-${{ hashFiles('test-requirements.txt') }}
@@ -31,7 +31,7 @@ jobs:
 pip install --upgrade --upgrade-strategy eager -r test-requirements.txt
 - name: Configure caching (pre-commit)
- uses: actions/cache@v2
+ uses: actions/cache@v4
 with:
 path: ~/.cache/pre-commit
 key: precommit-${{ runner.os }}-${{ hashFiles('.pre-commit-config.yaml') }}
@@ -51,7 +51,7 @@ jobs:
 uses: actions/checkout@v2
 - name: Configure caching
- uses: actions/cache@v2
+ uses: actions/cache@v4
 with:
 path: ~/.cache/bin
 key: kustomize-${{ runner.os }}-${{ env.KUSTOMIZE_VERSION }}
From e602a112cddac3e52d316ffe482b3a2ca01753b4 Mon Sep 17 00:00:00 2001
From: Augustine Abaris
Date: Thu, 12 Feb 2026 10:38:01 -0500
Subject: [PATCH 3/5] remove redundant security context setup from template
---
k8s/base/openstack-api-backup-cron.yaml | 3 ---
1 file changed, 3 deletions(-)
diff --git a/k8s/base/openstack-api-backup-cron.yaml b/k8s/base/openstack-api-backup-cron.yaml
index c32e100..0d85708 100644
--- a/k8s/base/openstack-api-backup-cron.yaml
+++ b/k8s/base/openstack-api-backup-cron.yaml
@@ -16,9 +16,6 @@ spec:
 runAsUser: 1001
 runAsGroup: 1001
 fsGroup: 1001
- runAsNonRoot: true
- seccompProfileProfile:
- type: RuntimeDefault
 containers:
 - name: openstack-api-backup
 image: ghcr.io/nerc-project/openstack-api-backup:main
From 65c9ddfdf7c6093bf7a97e9fe2bd693200b63b7c Mon Sep 17 00:00:00 2001
From: Augustine Abaris
Date: Thu, 12 Feb 2026 10:41:22 -0500
Subject: [PATCH 4/5] Clean up test overlay and schedule shift-1 backup for 4am
---
k8s/overlays/nerc-shift-1/kustomization.yaml | 2 +-
k8s/overlays/ocp-aa-test/kustomization.yaml | 9 ----
.../patch-openstack-api-backup-cron.yaml | 52 -------------------
k8s/overlays/ocp-aa-test/pvc.yaml | 11 ----
.../ocp-aa-test/secrets/kustomization.yaml | 3 --
.../secrets/openstack-api-backup.yaml | 42 ---------------
6 files changed, 1 insertion(+), 118 deletions(-)
delete mode 100644 k8s/overlays/ocp-aa-test/kustomization.yaml
delete mode 100644 k8s/overlays/ocp-aa-test/patches/patch-openstack-api-backup-cron.yaml
delete mode 100644 k8s/overlays/ocp-aa-test/pvc.yaml
delete mode 100644 k8s/overlays/ocp-aa-test/secrets/kustomization.yaml
delete mode 100644 k8s/overlays/ocp-aa-test/secrets/openstack-api-backup.yaml
diff --git a/k8s/overlays/nerc-shift-1/kustomization.yaml b/k8s/overlays/nerc-shift-1/kustomization.yaml
index 6a9051f..abba317 100644
--- a/k8s/overlays/nerc-shift-1/kustomization.yaml
+++ b/k8s/overlays/nerc-shift-1/kustomization.yaml
@@ -1,5 +1,5 @@
 ---
-namespace: default
+namespace: openstack-api-backup
 resources:
 - ../../base
 - secrets
diff --git a/k8s/overlays/ocp-aa-test/kustomization.yaml b/k8s/overlays/ocp-aa-test/kustomization.yaml
deleted file mode 100644
index abba317..0000000
--- a/k8s/overlays/ocp-aa-test/kustomization.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-namespace: openstack-api-backup
-resources:
- - ../../base
- - secrets
- - pvc.yaml
-
-patchesStrategicMerge:
- - patches/patch-openstack-api-backup-cron.yaml
diff --git a/k8s/overlays/ocp-aa-test/patches/patch-openstack-api-backup-cron.yaml b/k8s/overlays/ocp-aa-test/patches/patch-openstack-api-backup-cron.yaml
deleted file mode 100644
index 250fdfc..0000000
--- a/k8s/overlays/ocp-aa-test/patches/patch-openstack-api-backup-cron.yaml
+++ /dev/null
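Review bot: The subject says the shift-1 backup is scheduled for 4am, but nothing in this commit touches the schedule; the overlay patch still carries `schedule: 4 * * * *`, which runs at minute 4 of every hour, and patch 5 then moves it to `35 * * * *`, also hourly. If a daily 04:00 run was the intent the expression would be `0 4 * * *`; otherwise the subject should say hourly so the history does not mislead. The namespace change itself is consistent: the overlay now sets the same `openstack-api-backup` namespace that the patch and ExternalSecret hardcode in `metadata.namespace`, so the CronJob's `secretKeyRef` resolves in the namespace where the ExternalSecret target is created.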
@@ -1,52 +0,0 @@
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: openstack-api-backup
- namespace: openstack-api-backup
-spec:
- jobTemplate:
- spec:
- template:
- spec:
- containers:
- - name: openstack-api-backup
- env:
- - name: S3_ENDPOINT
- valueFrom:
- $patch: replace
- secretKeyRef:
- name: openstack-api-backup
- key: s3_endpoint
- - name: S3_BUCKET_URI
- valueFrom:
- $patch: replace
- secretKeyRef:
- name: openstack-api-backup
- key: s3_bucket_uri
- - name: BACKUP_ROTATE
- valueFrom:
- $patch: replace
- secretKeyRef:
- name: openstack-api-backup
- key: backup_rotate
- - name: OS_AUTH_TYPE
- value: v3applicationcredential
- - name: OS_AUTH_URL
- valueFrom:
- $patch: replace
- secretKeyRef:
- name: openstack-api-backup
- key: os_auth_url
- - name: OS_APPLICATION_CREDENTIAL_ID
- valueFrom:
- $patch: replace
- secretKeyRef:
- name: openstack-api-backup
- key: os_application_credential_id
- - name: OS_APPLICATION_CREDENTIAL_SECRET
- valueFrom:
- $path: replace
- secretKeyRef:
- name: openstack-api-backup
- key: os_application_credential_secret
diff --git a/k8s/overlays/ocp-aa-test/pvc.yaml b/k8s/overlays/ocp-aa-test/pvc.yaml
deleted file mode 100644
index 4cc03e6..0000000
--- a/k8s/overlays/ocp-aa-test/pvc.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- name: openstack-api-backup
-spec:
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 2Gi
diff --git a/k8s/overlays/ocp-aa-test/secrets/kustomization.yaml b/k8s/overlays/ocp-aa-test/secrets/kustomization.yaml
deleted file mode 100644
index 247f4f9..0000000
--- a/k8s/overlays/ocp-aa-test/secrets/kustomization.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-resources:
- - openstack-api-backup.yaml
diff --git a/k8s/overlays/ocp-aa-test/secrets/openstack-api-backup.yaml b/k8s/overlays/ocp-aa-test/secrets/openstack-api-backup.yaml
deleted file mode 100644
index 755ef03..0000000
--- a/k8s/overlays/ocp-aa-test/secrets/openstack-api-backup.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
----
-apiVersion: external-secrets.io/v1alpha1
-kind: ExternalSecret
-metadata:
- name: openstack-api-backup
- namespace: openstack-api-backup
-spec:
- refreshInterval: "15s"
- secretStoreRef:
- name: vault-backend
- kind: ClusterSecretStore
- target:
- name: openstack-api-backup
- data:
- - secretKey: aws_credentials
- remoteRef:
- key: accounts/holecs
- property: awscli_credentials
- - secretKey: backup_rotate
- remoteRef:
- key: openstack-api-backup/config
- property: backup_rotate
- - secretKey: s3_endpoint
- remoteRef:
- key: openstack-api-backup/config
- property: s3_endpoint
- - secretKey: s3_bucket_uri
- remoteRef:
- key: openstack-api-backup/config
- property: s3_bucket_uri
- - secretKey: os_auth_url
- remoteRef:
- key: openstack-api-backup/config
- property: os_auth_url
- - secretKey: os_application_credential_id
- remoteRef:
- key: openstack-api-backup/config
- property: os_application_credential_id
- - secretKey: os_application_credential_secret
- remoteRef:
- key: openstack-api-backup/config
- property: os_application_credential_secret
From 91ea395caf5d08fcbd30fc4d49559f853384c4f9 Mon Sep 17 00:00:00 2001
From: Augustine Abaris
Date: Thu, 12 Feb 2026 13:26:09 -0500
Subject: [PATCH 5/5] change cron time to 35 mins after the hour
---
.../nerc-shift-1/patches/patch-openstack-api-backup-cron.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/k8s/overlays/nerc-shift-1/patches/patch-openstack-api-backup-cron.yaml b/k8s/overlays/nerc-shift-1/patches/patch-openstack-api-backup-cron.yaml
index 8183e7b..6260fdd 100644
--- a/k8s/overlays/nerc-shift-1/patches/patch-openstack-api-backup-cron.yaml
+++ b/k8s/overlays/nerc-shift-1/patches/patch-openstack-api-backup-cron.yaml
@@ -5,7 +5,7 @@ metadata:
 name: openstack-api-backup
 namespace: openstack-api-backup
 spec:
- schedule: 4 * * * *
+ schedule: 35 * * * *
 jobTemplate:
 spec:
 template:
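Review bot: `schedule: 35 * * * *` is left as a plain scalar; a cron expression is a string, and quoting it, `schedule: "35 * * * *"`, matches how `refreshInterval` is quoted in this overlay's ExternalSecret and guards against a later edit that starts the value with `*` being read as a YAML alias. With an hourly schedule the CronJob produces 24 backups a day, so whatever `BACKUP_ROTATE` (presumably the retention count, sourced from the `backup_rotate` secret key) and the 2Gi PVC in this overlay are set to need to be sized for that cadence — worth a sentence in the commit message. The `$path: replace` typo under OS_APPLICATION_CREDENTIAL_SECRET further down this file is untouched by this commit; the rest of the CronJob spec continues outside the hunk.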