Merge pull request #6 from nerc-project/nerc-shift-1

jtriley · web-flow · commit d6650c867469 · 2026-02-12T13:35:47.000-05:00
Move backup deployment to nerc-shift-1
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -21,7 +21,7 @@ jobs:
           python-version: '^3.9'
 
       - name: Configure caching (python)
-        uses: actions/cache@v2
+        uses: actions/cache@v4
         with:
           path: ${{ env.pythonLocation }}
           key: ${{ env.pythonLocation }}-${{ hashFiles('test-requirements.txt') }}
@@ -31,7 +31,7 @@ jobs:
           pip install --upgrade --upgrade-strategy eager -r test-requirements.txt
 
       - name: Configure caching (pre-commit)
-        uses: actions/cache@v2
+        uses: actions/cache@v4
         with:
           path: ~/.cache/pre-commit
           key: precommit-${{ runner.os }}-${{ hashFiles('.pre-commit-config.yaml') }}
@@ -51,7 +51,7 @@ jobs:
         uses: actions/checkout@v2
 
       - name: Configure caching
-        uses: actions/cache@v2
+        uses: actions/cache@v4
         with:
           path: ~/.cache/bin
           key: kustomize-${{ runner.os }}-${{ env.KUSTOMIZE_VERSION }}
diff --git a/k8s/base/openstack-api-backup-cron.yaml b/k8s/base/openstack-api-backup-cron.yaml
@@ -20,6 +20,14 @@ spec:
             - name: openstack-api-backup
               image: ghcr.io/nerc-project/openstack-api-backup:main
               imagePullPolicy: Always
+              securityContext:
+                allowPrivilegeEscalation: false
+                runAsNonRoot: true
+                capabilities:
+                  drop:
+                    - ALL
+                seccompProfile:
+                  type: RuntimeDefault
               env:
                 - name: HOME
                   value: '/tmp'
diff --git a/k8s/overlays/nerc-shift-1/kustomization.yaml b/k8s/overlays/nerc-shift-1/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+namespace: openstack-api-backup
+resources:
+  - ../../base
+  - secrets
+  - pvc.yaml
+
+patchesStrategicMerge:
+  - patches/patch-openstack-api-backup-cron.yaml
diff --git a/k8s/overlays/nerc-shift-1/patches/patch-openstack-api-backup-cron.yaml b/k8s/overlays/nerc-shift-1/patches/patch-openstack-api-backup-cron.yaml
@@ -0,0 +1,53 @@
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: openstack-api-backup
+  namespace: openstack-api-backup
+spec:
+  schedule: 35 * * * *
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+            - name: openstack-api-backup
+              env:
+                - name: S3_ENDPOINT
+                  valueFrom:
+                    $patch: replace
+                    secretKeyRef:
+                      name: openstack-api-backup
+                      key: s3_endpoint
+                - name: S3_BUCKET_URI
+                  valueFrom:
+                    $patch: replace
+                    secretKeyRef:
+                      name: openstack-api-backup
+                      key: s3_bucket_uri
+                - name: BACKUP_ROTATE
+                  valueFrom:
+                    $patch: replace
+                    secretKeyRef:
+                      name: openstack-api-backup
+                      key: backup_rotate
+                - name: OS_AUTH_TYPE
+                  value: v3applicationcredential
+                - name: OS_AUTH_URL
+                  valueFrom:
+                    $patch: replace
+                    secretKeyRef:
+                      name: openstack-api-backup
+                      key: os_auth_url
+                - name: OS_APPLICATION_CREDENTIAL_ID
+                  valueFrom:
+                    $patch: replace
+                    secretKeyRef:
+                      name: openstack-api-backup
+                      key: os_application_credential_id
+                - name: OS_APPLICATION_CREDENTIAL_SECRET
+                  valueFrom:
+                    $path: replace
+                    secretKeyRef:
+                      name: openstack-api-backup
+                      key: os_application_credential_secret
diff --git a/k8s/overlays/nerc-shift-1/pvc.yaml b/k8s/overlays/nerc-shift-1/pvc.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: openstack-api-backup
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 2Gi
diff --git a/k8s/overlays/nerc-shift-1/secrets/kustomization.yaml b/k8s/overlays/nerc-shift-1/secrets/kustomization.yaml
@@ -0,0 +1,3 @@
+---
+resources:
+  - openstack-api-backup.yaml
diff --git a/k8s/overlays/nerc-shift-1/secrets/openstack-api-backup.yaml b/k8s/overlays/nerc-shift-1/secrets/openstack-api-backup.yaml
@@ -0,0 +1,42 @@
+---
+apiVersion: external-secrets.io/v1alpha1
+kind: ExternalSecret
+metadata:
+  name: openstack-api-backup
+  namespace: openstack-api-backup
+spec:
+  refreshInterval: "15s"
+  secretStoreRef:
+    name: vault-backend
+    kind: ClusterSecretStore
+  target:
+    name: openstack-api-backup
+  data:
+    - secretKey: aws_credentials
+      remoteRef:
+        key: accounts/holecs
+        property: awscli_credentials
+    - secretKey: backup_rotate
+      remoteRef:
+        key: openstack-api-backup/config
+        property: backup_rotate
+    - secretKey: s3_endpoint
+      remoteRef:
+        key: openstack-api-backup/config
+        property: s3_endpoint
+    - secretKey: s3_bucket_uri
+      remoteRef:
+        key: openstack-api-backup/config
+        property: s3_bucket_uri
+    - secretKey: os_auth_url
+      remoteRef:
+        key: openstack-api-backup/config
+        property: os_auth_url
+    - secretKey: os_application_credential_id
+      remoteRef:
+        key: openstack-api-backup/config
+        property: os_application_credential_id
+    - secretKey: os_application_credential_secret
+      remoteRef:
+        key: openstack-api-backup/config
+        property: os_application_credential_secret

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+---`
	`2`	`+resources:`
	`3`	`+ - openstack-api-backup.yaml`