diff --git a/k8s/base/openstack-api-backup-cron.yaml b/k8s/base/openstack-api-backup-cron.yaml index d8fb613..c32e100 100644 --- a/k8s/base/openstack-api-backup-cron.yaml +++ b/k8s/base/openstack-api-backup-cron.yaml @@ -16,10 +16,21 @@ spec: runAsUser: 1001 runAsGroup: 1001 fsGroup: 1001 + runAsNonRoot: true + seccompProfileProfile: + type: RuntimeDefault containers: - name: openstack-api-backup image: ghcr.io/nerc-project/openstack-api-backup:main imagePullPolicy: Always + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault env: - name: HOME value: '/tmp' diff --git a/k8s/overlays/nerc-shift-1/kustomization.yaml b/k8s/overlays/nerc-shift-1/kustomization.yaml new file mode 100644 index 0000000..6a9051f --- /dev/null +++ b/k8s/overlays/nerc-shift-1/kustomization.yaml @@ -0,0 +1,9 @@ +--- +namespace: default +resources: + - ../../base + - secrets + - pvc.yaml + +patchesStrategicMerge: + - patches/patch-openstack-api-backup-cron.yaml diff --git a/k8s/overlays/nerc-shift-1/patches/patch-openstack-api-backup-cron.yaml b/k8s/overlays/nerc-shift-1/patches/patch-openstack-api-backup-cron.yaml new file mode 100644 index 0000000..8183e7b --- /dev/null +++ b/k8s/overlays/nerc-shift-1/patches/patch-openstack-api-backup-cron.yaml 
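Review bot: The pod-level key added under the pod securityContext is misspelled as `seccompProfileProfile:`; the field is `seccompProfile`, so the pod-level RuntimeDefault profile is never applied and the manifest is likely to be rejected as an unknown field by strict field validation on apply. The container-level block added below it spells `seccompProfile` correctly, so the single container still ends up confined once the pod-level line is fixed to `seccompProfile:` with `  type: RuntimeDefault` beneath it. `runAsNonRoot: true` now appears at both pod and container level, which is harmless but redundant; keeping it only at the pod level would match how `runAsUser`/`fsGroup` are already scoped. The CronJob spec continues outside the hunk.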
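Review bot: `namespace: default` in this overlay disagrees with the `namespace: openstack-api-backup` hard-coded in the overlay's own patch and ExternalSecret metadata, and with the sibling ocp-aa-test overlay, which sets `namespace: openstack-api-backup`. The namespace transformer will rewrite the emitted resources to `default`, but whether the strategic-merge patch still matches the CronJob when its metadata names a different namespace depends on the kustomize version's transformer ordering — this should be confirmed with a `kustomize build` of the overlay rather than assumed. `patchesStrategicMerge` is also deprecated in current kustomize; the equivalent is `patches:` followed by `  - path: patches/patch-openstack-api-backup-cron.yaml`, which applies to the ocp-aa-test kustomization in this commit as well.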
@@ -0,0 +1,53 @@ +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: openstack-api-backup + namespace: openstack-api-backup +spec: + schedule: 4 * * * * + jobTemplate: + spec: + template: + spec: + containers: + - name: openstack-api-backup + env: + - name: S3_ENDPOINT + valueFrom: + $patch: replace + secretKeyRef: + name: openstack-api-backup + key: s3_endpoint + - name: S3_BUCKET_URI + valueFrom: + $patch: replace + secretKeyRef: + name: openstack-api-backup + key: s3_bucket_uri + - name: BACKUP_ROTATE + valueFrom: + $patch: replace + secretKeyRef: + name: openstack-api-backup + key: backup_rotate + - name: OS_AUTH_TYPE + value: v3applicationcredential + - name: OS_AUTH_URL + valueFrom: + $patch: replace + secretKeyRef: + name: openstack-api-backup + key: os_auth_url + - name: OS_APPLICATION_CREDENTIAL_ID + valueFrom: + $patch: replace + secretKeyRef: + name: openstack-api-backup + key: os_application_credential_id + - name: OS_APPLICATION_CREDENTIAL_SECRET + valueFrom: + $path: replace + secretKeyRef: + name: openstack-api-backup + key: os_application_credential_secret diff --git a/k8s/overlays/nerc-shift-1/pvc.yaml b/k8s/overlays/nerc-shift-1/pvc.yaml new file mode 100644 index 0000000..4cc03e6 --- /dev/null +++ b/k8s/overlays/nerc-shift-1/pvc.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: openstack-api-backup +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 2Gi diff --git a/k8s/overlays/nerc-shift-1/secrets/kustomization.yaml b/k8s/overlays/nerc-shift-1/secrets/kustomization.yaml new file mode 100644 index 0000000..247f4f9 --- /dev/null +++ b/k8s/overlays/nerc-shift-1/secrets/kustomization.yaml @@ -0,0 +1,3 @@ +--- +resources: + - openstack-api-backup.yaml diff --git a/k8s/overlays/nerc-shift-1/secrets/openstack-api-backup.yaml b/k8s/overlays/nerc-shift-1/secrets/openstack-api-backup.yaml new file mode 100644 index 0000000..755ef03 --- /dev/null 
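Review bot: The last env entry, OS_APPLICATION_CREDENTIAL_SECRET, uses `$path: replace` where every other entry uses `$patch: replace`; `$path` is not a strategic-merge directive, so it is presumably carried through as a literal field under `valueFrom` and rejected by the API server as unknown, and that entry would not replace the base `valueFrom` the way the others do. The line should read `$patch: replace`; the same typo is in the ocp-aa-test patch on the same entry. `schedule: 4 * * * *` parses as a plain string here, but cron expressions containing `*` are conventionally quoted, `schedule: "4 * * * *"`, so a later edit that moves an asterisk to the front of the value does not turn it into an alias.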
+++ b/k8s/overlays/nerc-shift-1/secrets/openstack-api-backup.yaml @@ -0,0 +1,42 @@ +--- +apiVersion: external-secrets.io/v1alpha1 +kind: ExternalSecret +metadata: + name: openstack-api-backup + namespace: openstack-api-backup +spec: + refreshInterval: "15s" + secretStoreRef: + name: vault-backend + kind: ClusterSecretStore + target: + name: openstack-api-backup + data: + - secretKey: aws_credentials + remoteRef: + key: accounts/holecs + property: awscli_credentials + - secretKey: backup_rotate + remoteRef: + key: openstack-api-backup/config + property: backup_rotate + - secretKey: s3_endpoint + remoteRef: + key: openstack-api-backup/config + property: s3_endpoint + - secretKey: s3_bucket_uri + remoteRef: + key: openstack-api-backup/config + property: s3_bucket_uri + - secretKey: os_auth_url + remoteRef: + key: openstack-api-backup/config + property: os_auth_url + - secretKey: os_application_credential_id + remoteRef: + key: openstack-api-backup/config + property: os_application_credential_id + - secretKey: os_application_credential_secret + remoteRef: + key: openstack-api-backup/config + property: os_application_credential_secret diff --git a/k8s/overlays/ocp-aa-test/kustomization.yaml b/k8s/overlays/ocp-aa-test/kustomization.yaml new file mode 100644 index 0000000..abba317 --- /dev/null +++ b/k8s/overlays/ocp-aa-test/kustomization.yaml @@ -0,0 +1,9 @@ +--- +namespace: openstack-api-backup +resources: + - ../../base + - secrets + - pvc.yaml + +patchesStrategicMerge: + - patches/patch-openstack-api-backup-cron.yaml diff --git a/k8s/overlays/ocp-aa-test/patches/patch-openstack-api-backup-cron.yaml b/k8s/overlays/ocp-aa-test/patches/patch-openstack-api-backup-cron.yaml new file mode 100644 index 0000000..250fdfc --- /dev/null +++ b/k8s/overlays/ocp-aa-test/patches/patch-openstack-api-backup-cron.yaml 
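Review bot: `refreshInterval: "15s"` makes the operator re-read the Vault-backed store every 15 seconds for a Secret that, per the patch, only feeds an hourly CronJob; a much longer interval (on the order of the job period) would cut the store load and audit noise without changing what the job sees. The `aws_credentials` key from `accounts/holecs` is synced into the Secret but nothing in this overlay's patch references it — if the base CronJob mounts it, a comment on the entry saying so would help the next reader; if not, the entry widens what this Secret holds for no consumer. This file is identical to the ocp-aa-test copy (same blob id in both index lines), as is pvc.yaml, so both would be better as a shared component or a second base that the two overlays include. `external-secrets.io/v1alpha1` is also an older API version; if the installed operator serves `v1beta1`, moving to it avoids a later forced migration.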
@@ -0,0 +1,52 @@ +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: openstack-api-backup + namespace: openstack-api-backup +spec: + jobTemplate: + spec: + template: + spec: + containers: + - name: openstack-api-backup + env: + - name: S3_ENDPOINT + valueFrom: + $patch: replace + secretKeyRef: + name: openstack-api-backup + key: s3_endpoint + - name: S3_BUCKET_URI + valueFrom: + $patch: replace + secretKeyRef: + name: openstack-api-backup + key: s3_bucket_uri + - name: BACKUP_ROTATE + valueFrom: + $patch: replace + secretKeyRef: + name: openstack-api-backup + key: backup_rotate + - name: OS_AUTH_TYPE + value: v3applicationcredential + - name: OS_AUTH_URL + valueFrom: + $patch: replace + secretKeyRef: + name: openstack-api-backup + key: os_auth_url + - name: OS_APPLICATION_CREDENTIAL_ID + valueFrom: + $patch: replace + secretKeyRef: + name: openstack-api-backup + key: os_application_credential_id + - name: OS_APPLICATION_CREDENTIAL_SECRET + valueFrom: + $path: replace + secretKeyRef: + name: openstack-api-backup + key: os_application_credential_secret diff --git a/k8s/overlays/ocp-aa-test/pvc.yaml b/k8s/overlays/ocp-aa-test/pvc.yaml new file mode 100644 index 0000000..4cc03e6 --- /dev/null +++ b/k8s/overlays/ocp-aa-test/pvc.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: openstack-api-backup +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 2Gi diff --git a/k8s/overlays/ocp-aa-test/secrets/kustomization.yaml b/k8s/overlays/ocp-aa-test/secrets/kustomization.yaml new file mode 100644 index 0000000..247f4f9 --- /dev/null +++ b/k8s/overlays/ocp-aa-test/secrets/kustomization.yaml @@ -0,0 +1,3 @@ +--- +resources: + - openstack-api-backup.yaml diff --git a/k8s/overlays/ocp-aa-test/secrets/openstack-api-backup.yaml b/k8s/overlays/ocp-aa-test/secrets/openstack-api-backup.yaml new file mode 100644 index 0000000..755ef03 --- /dev/null +++ b/k8s/overlays/ocp-aa-test/secrets/openstack-api-backup.yaml 
@@ -0,0 +1,42 @@ +--- +apiVersion: external-secrets.io/v1alpha1 +kind: ExternalSecret +metadata: + name: openstack-api-backup + namespace: openstack-api-backup +spec: + refreshInterval: "15s" + secretStoreRef: + name: vault-backend + kind: ClusterSecretStore + target: + name: openstack-api-backup + data: + - secretKey: aws_credentials + remoteRef: + key: accounts/holecs + property: awscli_credentials + - secretKey: backup_rotate + remoteRef: + key: openstack-api-backup/config + property: backup_rotate + - secretKey: s3_endpoint + remoteRef: + key: openstack-api-backup/config + property: s3_endpoint + - secretKey: s3_bucket_uri + remoteRef: + key: openstack-api-backup/config + property: s3_bucket_uri + - secretKey: os_auth_url + remoteRef: + key: openstack-api-backup/config + property: os_auth_url + - secretKey: os_application_credential_id + remoteRef: + key: openstack-api-backup/config + property: os_application_credential_id + - secretKey: os_application_credential_secret + remoteRef: + key: openstack-api-backup/config + property: os_application_credential_secret