From fd0ff2880da8c2f7d26b63a5c744f3a96639a714 Mon Sep 17 00:00:00 2001 From: Michael Jerger <michael.jerger@meissa-gmbh.de> Date: Mon, 13 Jan 2025 16:04:12 +0100 Subject: [PATCH 1/4] infra work --- doc/BackupAndRestore.md | 68 ++++++++++++++----- infrastructure/backup/image/Dockerfile | 3 +- .../backup/image/resources/backup.bb | 33 +++------ .../backup/image/resources/bb-backup.edn | 1 + infrastructure/backup/image/resources/bb.edn | 2 +- .../backup/image/resources/change-password.bb | 24 +++++++ .../backup/image/resources/install.bb | 3 + .../backup/image/resources/list-snapshots.bb | 18 ++--- .../backup/image/resources/restore.bb | 32 ++++----- infrastructure/backup/image/resources/wait.bb | 18 ++--- infrastructure/backup/test/Dockerfile | 2 +- infrastructure/backup/test/resources/bb.edn | 1 + .../backup/test/resources/file_password | 1 + .../backup/test/resources/new_file_password | 1 + infrastructure/backup/test/resources/test.bb | 63 +++++++++-------- 15 files changed, 150 insertions(+), 120 deletions(-) create mode 100755 infrastructure/backup/image/resources/change-password.bb create mode 100644 infrastructure/backup/test/resources/file_password create mode 100644 infrastructure/backup/test/resources/new_file_password diff --git a/doc/BackupAndRestore.md b/doc/BackupAndRestore.md index 50b9658..62d91b4 100644 --- a/doc/BackupAndRestore.md +++ b/doc/BackupAndRestore.md @@ -7,35 +7,67 @@ * Forgejo stores files in `/data/gitea` and `/data/git/repositories`, these files are backed up. * The postgres db is also backed up -## Manual init the restic repository for the first time +## Manual backup -1. apply backup-and-restore pod: - `kubectl -n forgejo scale deployment backup-restore --replicas=1` -2. exec into pod and execute restore pod (press tab to get your exact pod name) - `kubectl -n forgejo exec -it backup-restore-... -- /usr/local/bin/init.bb` -3. remove backup-and-restore pod: - `kubectl -n forgejo scale deployment backup-restore --replicas=0` - - -## Manual backup the restic repository for the first time - -1. apply backup-and-restore pod: +1. Scale down forgejo deployment: + `kubectl -n forgejo scale deployment forgejo --replicas=0` +2. apply backup-and-restore pod: `kubectl -n forgejo scale deployment backup-restore --replicas=1` -2. exec into pod and execute backup pod (press tab to get your exact pod name) +3. exec into pod and execute backup pod (press tab to get your exact pod name) `kubectl -n forgejo exec -it backup-restore-... -- /usr/local/bin/backup.bb` -3. remove backup-and-restore pod: +4. remove backup-and-restore pod: `kubectl -n forgejo scale deployment backup-restore --replicas=0` - +5. Scale up forgejo deployment: + `kubectl -n forgejo scale deployment forgejo --replicas=1` ## Manual restore -1. apply backup-and-restore pod: - `kubectl -n forgejo scale deployment backup-restore --replicas=1` -2. Scale down forgejo deployment: +1. Scale down forgejo deployment: `kubectl -n forgejo scale deployment forgejo --replicas=0` +2. apply backup-and-restore pod: + `kubectl -n forgejo scale deployment backup-restore --replicas=1` 3. exec into pod and execute restore pod (press tab to get your exact pod name) `kubectl -n forgejo exec -it backup-restore-... -- /usr/local/bin/restore.bb` 4. Start forgejo again: `kubectl -n forgejo scale deployment forgejo --replicas=1` 5. remove backup-and-restore pod: `kubectl -n forgejo scale deployment backup-restore --replicas=0` + +## Change Password + +1. Check restic-new-password env is set in backup deployment + ``` + kind: Deployment + metadata: + name: backup-restore + spec: + spec: + containers: + - name: backup-app + env: + - name: RESTIC_NEW_PASSWORD_FILE + value: /var/run/secrets/backup-secrets/restic-new-password + ``` +2. Add restic-new-password to secret + ``` + kind: Secret + metadata: + name: backup-secret + data: + restic-password: old + restic-new-password: new + ``` +3. Scale backup-restore deployment up: + `kubectl -n nextcloud scale deployment backup-restore --replicas=1` +4. exec into pod and execute restore pod + `kubectl -n nextcloud exec -it backup-restore -- change-password.bb` +5. Scale backup-restore deployment down: + `kubectl -n nextcloud scale deployment backup-restore --replicas=0` +6. Replace restic-password with restic-new-password in secret + ``` + kind: Secret + metadata: + name: backup-secret + data: + restic-password: new + ``` diff --git a/infrastructure/backup/image/Dockerfile b/infrastructure/backup/image/Dockerfile index 47e2d41..59a99c5 100644 --- a/infrastructure/backup/image/Dockerfile +++ b/infrastructure/backup/image/Dockerfile @@ -1,4 +1,5 @@ -FROM domaindrivenarchitecture/dda-backup:latest +FROM domaindrivenarchitecture/dda-backup:5.3.0 ADD resources /tmp RUN /tmp/install.bb +RUN init.bb diff --git a/infrastructure/backup/image/resources/backup.bb b/infrastructure/backup/image/resources/backup.bb index ce54f71..6509399 100755 --- a/infrastructure/backup/image/resources/backup.bb +++ b/infrastructure/backup/image/resources/backup.bb @@ -2,44 +2,27 @@ (require '[dda.backup.core :as bc] + '[dda.backup.config :as cfg] '[dda.backup.restic :as rc] '[dda.backup.postgresql :as pg] '[dda.backup.backup :as bak]) -(def restic-repo {:password-file (bc/env-or-file "RESTIC_PASSWORD_FILE") - :restic-repository (bc/env-or-file "RESTIC_REPOSITORY")}) - -(def file-config (merge restic-repo {:backup-path "files" - :execution-directory "/var/backups/" - :files ["gitea/" "git/repositories/"]})) - - -(def db-config (merge restic-repo {:backup-path "pg-database" - :pg-host (bc/env-or-file "POSTGRES_SERVICE") - :pg-port (bc/env-or-file "POSTGRES_PORT") - :pg-db (bc/env-or-file "POSTGRES_DB") - :pg-user (bc/env-or-file "POSTGRES_USER") - :pg-password (bc/env-or-file "POSTGRES_PASSWORD")})) - -(def aws-config {:aws-access-key-id (bc/env-or-file "AWS_ACCESS_KEY_ID") - :aws-secret-access-key (bc/env-or-file "AWS_SECRET_ACCESS_KEY")}) - -(def dry-run {:dry-run true :debug true}) +(def config (cfg/read-config "/usr/local/bin/config.edn")) (defn prepare! [] - (bc/create-aws-credentials! aws-config) - (pg/create-pg-pass! db-config)) + (bc/create-aws-credentials! (:aws-config config)) + (pg/create-pg-pass! (:db-config config))) (defn restic-repo-init! [] - (rc/init! file-config) - (rc/init! db-config)) + (rc/init! (:file-config config)) + (rc/init! (:db-config config))) (defn restic-backup! [] - (bak/backup-file! file-config) - (bak/backup-db! db-config)) + (bak/backup-file! (:file-config config)) + (bak/backup-db! (:db-config config))) (prepare!) (restic-repo-init!) diff --git a/infrastructure/backup/image/resources/bb-backup.edn b/infrastructure/backup/image/resources/bb-backup.edn index 1a7297a..11e9d9c 100644 --- a/infrastructure/backup/image/resources/bb-backup.edn +++ b/infrastructure/backup/image/resources/bb-backup.edn @@ -1,3 +1,4 @@ {:deps {org.clojure/spec.alpha {:mvn/version "0.4.233"} orchestra/orchestra {:mvn/version "2021.01.01-1"} + aero/aero {:mvn/version "1.1.6"} org.domaindrivenarchitecture/dda-backup {:local/root "/usr/local/lib/dda-backup"}}} diff --git a/infrastructure/backup/image/resources/bb.edn b/infrastructure/backup/image/resources/bb.edn index 1c6458c..da7e0df 100644 --- a/infrastructure/backup/image/resources/bb.edn +++ b/infrastructure/backup/image/resources/bb.edn @@ -1,3 +1,3 @@ {:deps {org.clojure/spec.alpha {:mvn/version "0.4.233"} orchestra/orchestra {:mvn/version "2021.01.01-1"} - org.domaindrivenarchitecture/dda-build {:mvn/version "0.1.1-SNAPSHOT"}}} + org.domaindrivenarchitecture/dda-build {:mvn/version "0.2.0"}}} diff --git a/infrastructure/backup/image/resources/change-password.bb b/infrastructure/backup/image/resources/change-password.bb new file mode 100755 index 0000000..3f26735 --- /dev/null +++ b/infrastructure/backup/image/resources/change-password.bb @@ -0,0 +1,24 @@ +#!/usr/bin/env bb +(require + '[dda.backup.core :as bc] + '[dda.backup.config :as cfg] + '[dda.backup.restic :as rc]) + +(def config (cfg/read-config "/usr/local/bin/config.edn")) + +(def file-pw-change-config (merge (:file-config config) + {:new-password-file (bc/env-or-file "RESTIC_NEW_PASSWORD_FILE")})) +(def db-pw-change-config (merge (:db-config config) + {:new-password-file (bc/env-or-file "RESTIC_NEW_PASSWORD_FILE")})) + +(defn prepare! + [] + (bc/create-aws-credentials! (:aws-config config))) + +(defn change-password! + [] + (rc/change-password! file-pw-change-config) + (rc/change-password! db-pw-change-config)) + +(prepare!) +(change-password!) diff --git a/infrastructure/backup/image/resources/install.bb b/infrastructure/backup/image/resources/install.bb index 3ec49fb..3f96494 100755 --- a/infrastructure/backup/image/resources/install.bb +++ b/infrastructure/backup/image/resources/install.bb @@ -7,8 +7,11 @@ (ub/upgrade-system!) (in/install! "bb-backup.edn" :target-name "bb.edn" :mod "0400") +(in/install! "config.edn" :mod "0440") +(in/install! "init.bb") (in/install! "backup.bb") (in/install! "restore.bb") (in/install! "list-snapshots.bb") +(in/install! "change-password.bb") (in/install! "wait.bb") (ub/cleanup-container!) \ No newline at end of file diff --git a/infrastructure/backup/image/resources/list-snapshots.bb b/infrastructure/backup/image/resources/list-snapshots.bb index 349db38..f7f86bf 100755 --- a/infrastructure/backup/image/resources/list-snapshots.bb +++ b/infrastructure/backup/image/resources/list-snapshots.bb @@ -2,27 +2,19 @@ (require '[dda.backup.core :as bc] + '[dda.backup.config :as cfg] '[dda.backup.restic :as rc]) -(def restic-repo {:password-file (bc/env-or-file "RESTIC_PASSWORD_FILE") - :restic-repository (bc/env-or-file "RESTIC_REPOSITORY")}) - -(def file-config (merge restic-repo {:backup-path "files"})) - - -(def db-config (merge restic-repo {:backup-path "pg-database"})) - -(def aws-config {:aws-access-key-id (bc/env-or-file "AWS_ACCESS_KEY_ID") - :aws-secret-access-key (bc/env-or-file "AWS_SECRET_ACCESS_KEY")}) +(def config (cfg/read-config "/usr/local/bin/config.edn")) (defn prepare! [] - (bc/create-aws-credentials! aws-config)) + (bc/create-aws-credentials! (:aws-config config))) (defn list-snapshots! [] - (rc/list-snapshots! file-config) - (rc/list-snapshots! db-config)) + (rc/list-snapshots! (:file-config config)) + (rc/list-snapshots! (:db-config config))) (prepare!) (list-snapshots!) diff --git a/infrastructure/backup/image/resources/restore.bb b/infrastructure/backup/image/resources/restore.bb index c8a9cd1..6b790ae 100755 --- a/infrastructure/backup/image/resources/restore.bb +++ b/infrastructure/backup/image/resources/restore.bb @@ -2,34 +2,28 @@ (require '[babashka.tasks :as tasks] '[dda.backup.core :as bc] + '[dda.backup.config :as cfg] '[dda.backup.postgresql :as pg] '[dda.backup.restore :as rs]) -(def restic-repo {:password-file (bc/env-or-file "RESTIC_PASSWORD_FILE") - :restic-repository (bc/env-or-file "RESTIC_REPOSITORY")}) +(def config (cfg/read-config "/usr/local/bin/config.edn")) -(def file-config (merge restic-repo {:backup-path "files" - :restore-target-directory "/var/backups/restore" - :snapshot-id "latest"})) +(def file-config (merge + (:restic-repo config) + {:backup-path "files" + :restore-target-directory "/var/backups/restore" + :snapshot-id "latest"})) +(def db-config (merge (:db-config config) + {:snapshot-id "latest"})) -(def db-config (merge restic-repo {:backup-path "pg-database" - :pg-host (bc/env-or-file "POSTGRES_SERVICE") - :pg-port (bc/env-or-file "POSTGRES_PORT") - :pg-db (bc/env-or-file "POSTGRES_DB") - :pg-user (bc/env-or-file "POSTGRES_USER") - :pg-password (bc/env-or-file "POSTGRES_PASSWORD") - :snapshot-id "latest"})) - -(def aws-config {:aws-access-key-id (bc/env-or-file "AWS_ACCESS_KEY_ID") - :aws-secret-access-key (bc/env-or-file "AWS_SECRET_ACCESS_KEY")}) (def dry-run {:dry-run true :debug true}) (defn prepare! [] - (pg/create-pg-pass! db-config) - (bc/create-aws-credentials! aws-config)) + (bc/create-aws-credentials! (:aws-config config)) + (pg/create-pg-pass! db-config)) (defn restic-restore! [] @@ -39,8 +33,8 @@ (tasks/shell ["mv" "/var/backups/restore/gitea" "/var/backups/"]) (tasks/shell ["mv" "/var/backups/restore/git/repositories" "/var/backups/git/"]) (tasks/shell ["chown" "-R" "1000:1000" "/var/backups"]) - (pg/drop-create-db! (merge db-config {:debug true})) - (rs/restore-db! (merge db-config {:debug true}))) + (pg/drop-create-db! db-config) + (rs/restore-db! db-config)) (prepare!) (restic-restore!) diff --git a/infrastructure/backup/image/resources/wait.bb b/infrastructure/backup/image/resources/wait.bb index 2bb9e3f..bd0ecd9 100755 --- a/infrastructure/backup/image/resources/wait.bb +++ b/infrastructure/backup/image/resources/wait.bb @@ -1,27 +1,19 @@ #!/usr/bin/env bb - (require '[dda.backup.core :as bc] + '[dda.backup.config :as cfg] '[dda.backup.postgresql :as pg]) - -(def restic-repo {:password-file (bc/env-or-file "RESTIC_PASSWORD_FILE") - :restic-repository (bc/env-or-file "RESTIC_REPOSITORY")}) - -(def db-config (merge restic-repo {:backup-path "pg-database" - :pg-host (bc/env-or-file "POSTGRES_SERVICE") - :pg-port (bc/env-or-file "POSTGRES_PORT") - :pg-db (bc/env-or-file "POSTGRES_DB") - :pg-user (bc/env-or-file "POSTGRES_USER") - :pg-password (bc/env-or-file "POSTGRES_PASSWORD")})) +(def config (cfg/read-config "/usr/local/bin/config.edn")) (defn prepare! [] - (pg/create-pg-pass! db-config)) + (bc/create-aws-credentials! (:aws-config config)) + (pg/create-pg-pass! (:db-config config))) (defn wait! [] (while true (Thread/sleep 1000))) (prepare!) -(wait!) \ No newline at end of file +(wait!) diff --git a/infrastructure/backup/test/Dockerfile b/infrastructure/backup/test/Dockerfile index 91b7719..d05cd5a 100644 --- a/infrastructure/backup/test/Dockerfile +++ b/infrastructure/backup/test/Dockerfile @@ -1,4 +1,4 @@ FROM c4k-forgejo-backup:latest ADD resources /tmp/ -RUN ENV_PASSWORD=env-password FILE_PASSWORD_FILE=/tmp/file_password /tmp/test.bb +RUN RESTIC_PASSWORD_FILE=/tmp/file_password RESTIC_NEW_PASSWORD_FILE=/tmp/new_file_password RESTIC_REPOSITORY=/tmp/restic-repo POSTGRES_SERVICE=dummy POSTGRES_PORT=dummy POSTGRES_DB=dummy POSTGRES_USER=dummy POSTGRES_PASSWORD=dummy AWS_ACCESS_KEY_ID=dummy AWS_SECRET_ACCESS_KEY=dummy /tmp/test.bb diff --git a/infrastructure/backup/test/resources/bb.edn b/infrastructure/backup/test/resources/bb.edn index 1a7297a..11e9d9c 100644 --- a/infrastructure/backup/test/resources/bb.edn +++ b/infrastructure/backup/test/resources/bb.edn @@ -1,3 +1,4 @@ {:deps {org.clojure/spec.alpha {:mvn/version "0.4.233"} orchestra/orchestra {:mvn/version "2021.01.01-1"} + aero/aero {:mvn/version "1.1.6"} org.domaindrivenarchitecture/dda-backup {:local/root "/usr/local/lib/dda-backup"}}} diff --git a/infrastructure/backup/test/resources/file_password b/infrastructure/backup/test/resources/file_password new file mode 100644 index 0000000..f0890e1 --- /dev/null +++ b/infrastructure/backup/test/resources/file_password @@ -0,0 +1 @@ +oldPassword \ No newline at end of file diff --git a/infrastructure/backup/test/resources/new_file_password b/infrastructure/backup/test/resources/new_file_password new file mode 100644 index 0000000..d97747c --- /dev/null +++ b/infrastructure/backup/test/resources/new_file_password @@ -0,0 +1 @@ +newPassword \ No newline at end of file diff --git a/infrastructure/backup/test/resources/test.bb b/infrastructure/backup/test/resources/test.bb index 5ac0474..db59380 100755 --- a/infrastructure/backup/test/resources/test.bb +++ b/infrastructure/backup/test/resources/test.bb @@ -2,61 +2,66 @@ (require '[babashka.tasks :as tasks] '[dda.backup.core :as bc] + '[dda.backup.config :as cfg] '[dda.backup.restic :as rc] '[dda.backup.postgresql :as pg] '[dda.backup.backup :as bak] '[dda.backup.restore :as rs]) -(def restic-repo {:password-file "restic-pwd" - :restic-repository "restic-repo"}) +(def config (cfg/read-config "/usr/local/bin/config.edn")) -(def file-config (merge restic-repo {:backup-path "files" - :files ["test-backup"] - :restore-target-directory "test-restore"})) +(def file-pw-change-config (merge (:file-config config) + {:new-password-file (bc/env-or-file "RESTIC_NEW_PASSWORD_FILE")})) - -(def db-config (merge restic-repo {:backup-path "db" - :pg-db "mydb" - :pg-user "user" - :pg-password "password"})) - -(def dry-run {:dry-run true :debug true}) +(def file-restore-config (merge + (:restic-repo config) + {:backup-path "files" + :restore-target-directory "/var/backups/restore" + :snapshot-id "latest"})) (defn prepare! [] - (spit "/tmp/file_password" "file-password") - (println (bc/env-or-file "FILE_PASSWORD")) - (println (bc/env-or-file "ENV_PASSWORD")) - (spit "restic-pwd" "ThePassword") - (tasks/shell "mkdir" "-p" "test-backup") - (spit "test-backup/file" "I was here") - (tasks/shell "mkdir" "-p" "test-restore") - (pg/create-pg-pass! db-config)) + (tasks/shell "mkdir" "-p" "/tmp/restic-repo") + (tasks/shell "mkdir" "-p" "/var/backups/gitea") + (tasks/shell "mkdir" "-p" "/var/backups/git/repositories") + (spit "/var/backups/gitea/file" "I was here") + (tasks/shell "mkdir" "-p" "test-restore")) (defn restic-repo-init! [] - (rc/init! file-config) - (rc/init! (merge db-config dry-run))) + (rc/init! (:file-config config)) + (rc/init! (merge (:db-config config) + (:dry-run config)))) (defn restic-backup! [] - (bak/backup-file! file-config) - (bak/backup-db! (merge db-config dry-run))) + (bak/backup-file! (:file-config config)) + (bak/backup-db! (merge (:db-config config) + (:dry-run config)))) (defn list-snapshots! [] - (rc/list-snapshots! file-config) - (rc/list-snapshots! (merge db-config dry-run))) + (rc/list-snapshots! (:file-config config)) + (rc/list-snapshots! (merge (:db-config config) + (:dry-run config)))) (defn restic-restore! [] - (rs/restore-file! file-config) - (pg/drop-create-db! (merge db-config dry-run)) - (rs/restore-db! (merge db-config dry-run))) + (pg/drop-create-db! (merge (:db-config config) + (:dry-run config))) + (rs/restore-db! (merge (:db-config config) + (:dry-run config))) + (rs/restore-file! file-restore-config)) + +(defn change-password! + [] + (println "change-password!") + (rc/change-password! file-pw-change-config)) (prepare!) (restic-repo-init!) (restic-backup!) (list-snapshots!) (restic-restore!) +(change-password!) From 6f61c7dd7b1a8c1ca1a2b986451becbe3ba24f75 Mon Sep 17 00:00:00 2001 From: Michael Jerger <michael.jerger@meissa-gmbh.de> Date: Mon, 13 Jan 2025 17:20:42 +0100 Subject: [PATCH 2/4] update versions --- package.json | 4 ++-- project.clj | 6 +++--- shadow-cljs.edn | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/package.json b/package.json index 9f7f06a..3f3575c 100644 --- a/package.json +++ b/package.json @@ -27,7 +27,7 @@ "js-yaml": "^4.0.0" }, "devDependencies": { - "shadow-cljs": "^2.11.18", - "source-map-support": "^0.5.19" + "shadow-cljs": "^2.28.20", + "source-map-support": "^0.5.21" } } \ No newline at end of file diff --git a/project.clj b/project.clj index c5e9386..24966a5 100644 --- a/project.clj +++ b/project.clj @@ -3,9 +3,9 @@ :url "https://domaindrivenarchitecture.org" :license {:name "Apache License, Version 2.0" :url "https://www.apache.org/licenses/LICENSE-2.0.html"} - :dependencies [[org.clojure/clojure "1.11.4" :scope "provided"] + :dependencies [[org.clojure/clojure "1.12.0" :scope "provided"] [org.clojure/tools.reader "1.5.0"] - [org.domaindrivenarchitecture/c4k-common-clj "8.0.0"] + [org.domaindrivenarchitecture/c4k-common-clj "9.0.1"] [hickory "0.7.1" :exclusions [viebel/codox-klipse-theme]]] :target-path "target/%s/" :source-paths ["src/main/cljc" @@ -24,7 +24,7 @@ :main dda.c4k-forgejo.uberjar :uberjar-name "c4k-forgejo-standalone.jar" :dependencies [[org.clojure/tools.cli "1.1.230"] - [ch.qos.logback/logback-classic "1.5.7" + [ch.qos.logback/logback-classic "1.5.16" :exclusions [com.sun.mail/javax.mail]] [org.slf4j/jcl-over-slf4j "2.0.16"] [com.github.clj-easy/graal-build-time "1.0.5"]]}} diff --git a/shadow-cljs.edn b/shadow-cljs.edn index 4c3f005..4e238fd 100644 --- a/shadow-cljs.edn +++ b/shadow-cljs.edn @@ -4,7 +4,7 @@ "src/test/cljc" "src/test/cljs" "src/test/resources"] - :dependencies [[org.domaindrivenarchitecture/c4k-common-cljs "8.0.0"] + :dependencies [[org.domaindrivenarchitecture/c4k-common-cljs "9.0.1"] [hickory "0.7.1"]] :builds {:frontend {:target :browser :modules {:main {:init-fn dda.c4k-forgejo.browser/init}} From aa0d8d3a2e08c61b158b6c21f7a4a9ad625c769b Mon Sep 17 00:00:00 2001 From: Michael Jerger <michael.jerger@meissa-gmbh.de> Date: Mon, 13 Jan 2025 17:20:58 +0100 Subject: [PATCH 3/4] add password rotation to generation --- src/main/cljc/dda/c4k_forgejo/backup.cljc | 38 ++++++++++--------- src/main/cljc/dda/c4k_forgejo/core.cljc | 1 + .../cljc/dda/c4k_forgejo/backup_test.cljc | 15 +++++++- .../resources/forgejo-test/valid-auth.yaml | 3 +- 4 files changed, 38 insertions(+), 19 deletions(-) diff --git a/src/main/cljc/dda/c4k_forgejo/backup.cljc b/src/main/cljc/dda/c4k_forgejo/backup.cljc index e52f04b..bb884ea 100644 --- a/src/main/cljc/dda/c4k_forgejo/backup.cljc +++ b/src/main/cljc/dda/c4k_forgejo/backup.cljc @@ -1,17 +1,18 @@ (ns dda.c4k-forgejo.backup - (:require - [clojure.spec.alpha :as s] - #?(:clj [orchestra.core :refer [defn-spec]] - :cljs [orchestra.core :refer-macros [defn-spec]]) - [dda.c4k-common.yaml :as yaml] - [dda.c4k-common.base64 :as b64] - [dda.c4k-common.common :as cm] - [dda.c4k-common.predicate :as p] - #?(:cljs [dda.c4k-common.macros :refer-macros [inline-resources]]))) + (:require + [clojure.spec.alpha :as s] + #?(:clj [orchestra.core :refer [defn-spec]] + :cljs [orchestra.core :refer-macros [defn-spec]]) + [dda.c4k-common.yaml :as yaml] + [dda.c4k-common.base64 :as b64] + [dda.c4k-common.common :as cm] + [dda.c4k-common.predicate :as p] + #?(:cljs [dda.c4k-common.macros :refer-macros [inline-resources]]))) (s/def ::aws-access-key-id p/bash-env-string?) (s/def ::aws-secret-access-key p/bash-env-string?) (s/def ::restic-password p/bash-env-string?) +(s/def ::restic-new-password p/bash-env-string?) (s/def ::restic-repository p/bash-env-string?) (s/def ::config (s/keys :req-un [::restic-repository])) @@ -32,17 +33,20 @@ (defn-spec generate-cron p/map-or-seq? [] - (yaml/from-string (yaml/load-resource "backup/cron.yaml"))) + (yaml/from-string (yaml/load-resource "backup/cron.yaml"))) (defn-spec generate-backup-restore-deployment p/map-or-seq? [my-conf ::config] (yaml/from-string (yaml/load-resource "backup/backup-restore-deployment.yaml"))) (defn-spec generate-secret p/map-or-seq? - [my-auth ::auth] - (let [{:keys [aws-access-key-id aws-secret-access-key restic-password]} my-auth] - (-> - (yaml/from-string (yaml/load-resource "backup/secret.yaml")) - (cm/replace-key-value :aws-access-key-id (b64/encode aws-access-key-id)) - (cm/replace-key-value :aws-secret-access-key (b64/encode aws-secret-access-key)) - (cm/replace-key-value :restic-password (b64/encode restic-password))))) + [auth ::auth] + (let [{:keys [aws-access-key-id aws-secret-access-key + restic-password restic-new-password]} auth] + (as-> (yaml/from-string (yaml/load-resource "backup/secret.yaml")) res + (cm/replace-key-value res :aws-access-key-id (b64/encode aws-access-key-id)) + (cm/replace-key-value res :aws-secret-access-key (b64/encode aws-secret-access-key)) + (cm/replace-key-value res :restic-password (b64/encode restic-password)) + (if (contains? auth :restic-new-password) + (assoc-in res [:data :restic-new-password] (b64/encode restic-new-password)) + res)))) diff --git a/src/main/cljc/dda/c4k_forgejo/core.cljc b/src/main/cljc/dda/c4k_forgejo/core.cljc index acfa473..2a1d136 100644 --- a/src/main/cljc/dda/c4k_forgejo/core.cljc +++ b/src/main/cljc/dda/c4k_forgejo/core.cljc @@ -43,6 +43,7 @@ ::forgejo/mailer-user ::forgejo/mailer-pw ::backup/aws-access-key-id ::backup/aws-secret-access-key] :opt-un [::backup/restic-password + ::backup/restic-new-password ::mon/mon-auth])) (defn-spec config-objects p/map-or-seq? diff --git a/src/test/cljc/dda/c4k_forgejo/backup_test.cljc b/src/test/cljc/dda/c4k_forgejo/backup_test.cljc index 876614a..3faee7e 100644 --- a/src/test/cljc/dda/c4k_forgejo/backup_test.cljc +++ b/src/test/cljc/dda/c4k_forgejo/backup_test.cljc @@ -19,7 +19,20 @@ :restic-password "cmVzdGljLXB3"}} (cut/generate-secret {:aws-access-key-id "aws-id" :aws-secret-access-key "aws-secret" - :restic-password "restic-pw"})))) + :restic-password "restic-pw"}))) + (is (= {:apiVersion "v1", + :kind "Secret", + :metadata {:name "backup-secret", :namespace "forgejo"}, + :type "Opaque", + :data + {:aws-access-key-id "YXdzLWlk", + :aws-secret-access-key "YXdzLXNlY3JldA==", + :restic-password "b2xk", + :restic-new-password "bmV3"}} + (cut/generate-secret {:aws-access-key-id "aws-id" + :aws-secret-access-key "aws-secret" + :restic-password "old" + :restic-new-password "new"})))) (deftest should-generate-backup-config (testing "federated" diff --git a/src/test/resources/forgejo-test/valid-auth.yaml b/src/test/resources/forgejo-test/valid-auth.yaml index cf1efb9..0f8fca6 100644 --- a/src/test/resources/forgejo-test/valid-auth.yaml +++ b/src/test/resources/forgejo-test/valid-auth.yaml @@ -4,7 +4,8 @@ mailer-user: "" mailer-pw: "" aws-access-key-id: "AWS_KEY_ID" aws-secret-access-key: "AWS_KEY_SECRET" -restic-password: "" +restic-password: "old" +restic-new-password: "new" mon-auth: grafana-cloud-user: "user" grafana-cloud-password: "password" From 0310db05a336510bbecd7bb36cfca377f9b054d5 Mon Sep 17 00:00:00 2001 From: Michael Jerger <michael.jerger@meissa-gmbh.de> Date: Tue, 14 Jan 2025 10:15:04 +0100 Subject: [PATCH 4/4] add doc & env for backup deployment --- README.md | 3 +-- doc/FirstSteps.md | 8 ++++++++ src/main/resources/backup/backup-restore-deployment.yaml | 2 ++ 3 files changed, 11 insertions(+), 2 deletions(-) create mode 100644 doc/FirstSteps.md diff --git a/README.md b/README.md index f37fbaa..a794450 100644 --- a/README.md +++ b/README.md @@ -52,9 +52,8 @@ Mirrors are: For more details about our repository model see: https://repo.prod.meissa.de/meissa/federate-your-repos - ## License -Copyright © 2023, 2024 meissa GmbH +Copyright © 2023, 2024, 2025 meissa GmbH Licensed under the [Apache License, Version 2.0](LICENSE) (the "License") Pls. find licenses of our subcomponents [here](doc/SUBCOMPONENT_LICENSE) \ No newline at end of file diff --git a/doc/FirstSteps.md b/doc/FirstSteps.md new file mode 100644 index 0000000..bc474fb --- /dev/null +++ b/doc/FirstSteps.md @@ -0,0 +1,8 @@ +# First Steps + +## Create admin user + +1. exec into pod and execute restore pod (press tab to get your exact pod name) + `kubectl -n forgejo exec -it backup-restore-... -- bash` +2. create admin user + `su git -c "gitea admin user create --username [login] --password [password] -email "email"--admin"` diff --git a/src/main/resources/backup/backup-restore-deployment.yaml b/src/main/resources/backup/backup-restore-deployment.yaml index 623207f..46f1343 100644 --- a/src/main/resources/backup/backup-restore-deployment.yaml +++ b/src/main/resources/backup/backup-restore-deployment.yaml @@ -57,6 +57,8 @@ spec: key: restic-repository - name: RESTIC_PASSWORD_FILE value: /var/run/secrets/backup-secrets/restic-password + - name: RESTIC_NEW_PASSWORD_FILE + value: /var/run/secrets/backup-secrets/restic-new-password - name: CERTIFICATE_FILE value: "" volumeMounts: