adjust test & doc

README.md

@@ -19,6 +19,6 @@ Mirrors are:
 For more details about our repository model see: https://repo.prod.meissa.de/meissa/federate-your-repos
 
 ## License
-Copyright © 2024 meissa GmbH
+Copyright © 2024, 2025 meissa GmbH
 Published under [apache2.0 license](LICENSE.md)
 Pls. find licenses of our subcomponents [here](doc/SUBCOMPONENT_LICENSE)

infrastructure/backup/doc/backup_dev_notes.md

@@ -1,79 +1,50 @@
-## Init Statemachine
+# changing password on restic repository
 
-### Inputs
-1. `restic-password: ""`
-2. `restic-password-to-rotate: ""`
+## config to use
 
-### Manual init the restic repository for the first time
+To change the password add new-password-file to config.
 
-1. apply backup-and-restore pod:   
-   `kubectl scale deployment backup-restore --replicas=1`
-2. exec into pod and execute restore pod (press tab to get your exact pod name)   
-   `kubectl exec -it backup-restore-... -- /usr/local/bin/init.sh`
-3. remove backup-and-restore pod:   
-   `kubectl scale deployment backup-restore --replicas=0`
+```clojure
+ {:password-file "/restic-pwd"
+  :new-password-file "/new-restic-pwd"}
+```
 
-### Password Rotation
-
-1. apply backup-and-restore pod:   
-   `kubectl scale deployment backup-restore --replicas=1`
-2. add new password to restic repository   
-    `restic key add ....`   
-    => Trigger ::   
-    field (1) credential current   
-    filed (2) credential new
-3. replace field (1) with (2) & clear (2)
-4. remove old key - ???  
-`restic remove ....`
+## restic: decide which password to choose
 
+If there is a new-password-file defined, decide witch to use:
 
 ```mermaid
 stateDiagram-v2
-    [*] --> init
-    init --> backup_ready: trigger, restic-password !empty
-    backup_ready --> new_password_added: restic-password !empty && restic-password-to-rotate !empty 
-    new_password_added --> backup_ready: restic-password !empty && restic-password-to-rotate empty
+    state new? <<choice>>
+    state "restic --password-file /new-pwd check" as check_new
+    state new_works? <<choice>>
+
+    [*] --> containsNewPassword?
+    containsNewPassword? --> new?
+    new? --> check_new: yes
+    new? --> use_old: no
+    check_new --> new_works?
+    new_works? --> use_new: yes
+    new_works? --> use_old: no
 ```
 
-### First Steps
-
-1. Cloud Testserver hochfahren
-2. Dort backup-restore deployment (leeres Secret mgl.?), neues Secret "rotation-credential-secret" als Daten
-3. mounten von angelegtem Secret in Pod backup-restore
-4. ba*bash*ka Skript in pod starten -> liest Secret ?leer
-5. Micha cons. 
+# Process to change password in k8s
 
 ```mermaid
 sequenceDiagram
-    participant k8s
-    participant e as entrypoint.sh
-    participant rm as restic-management.clj
-
-    k8s ->> e: cronjob calls
-    e ->> rm: start-file
-    rm ->> rm: rotate
-    activate rm
-        rm ->> rm: read-backup-repository-state (state)
-        rm ->> rm: read-secret (backup-secret/restic-password,  rotation-credential-secret/rotation-credential)
-        rm ->> rm: switch
-        activate rm
-        rm ->> rm: if init && restic-password != null
-        activate rm
-        rm ->> rm: init.sh
-        rm ->> rm: state init -> backup-ready
-        deactivate rm
-        rm ->> rm: if backup-ready && rotation-credential != null
-        activate rm
-        rm ->> rm: add-new-password-to-restic-repository.sh
-        rm ->> rm: state backup-ready -> new-password-added
-        deactivate rm
-        rm ->> rm: if new-password-added && rotation-credential == null
-        activate rm
-        rm ->> rm: remove-old-password-from-restic-repository.sh
-        rm ->> rm: state new-password-added -> backup-ready
-        deactivate rm
-        deactivate rm
-
-        rm ->> rm: store-repository-state (state)
-    deactivate rm
-```
+    actor d as DevOps
+    participant s as BackupSecret
+    participant a as ApplicationDeployment
+    participant b as BackupDeployment
+    
+    d ->> s: add new-password-file
+    d ->> a: scale down
+    d ->> b: scale up
+    d ->> b: shell into
+    activate b
+    b ->> b: call change password
+    deactivate b
+    d ->> s: replace password-file with new-password-file
+    d ->> b: scale down
+    d ->> a: scale up
+```

infrastructure/backup/test/resources/test.bb

@@ -17,15 +17,18 @@
                                      :files ["test-backup"]
                                      :restore-target-directory "test-restore"}))
 
+(def file-config-with-new (merge (dissoc file-config :new-password-file) 
+                                 {:password-file "/new-restic-pwd"}))
+
 (def db-config (merge restic-repo {:backup-path "db"
                                    :pg-db "mydb"
                                    :pg-user "user"
                                    :pg-password "password"}))
 
 (def db-roles-config (merge restic-repo {:backup-path "db-roles"
-                                   :pg-db "mydb"
-                                   :pg-user "user"
-                                   :pg-password "password"}))
+                                         :pg-db "mydb"
+                                         :pg-user "user"
+                                         :pg-password "password"}))
 
 (def dry-run {:dry-run true :debug true})
 
@@ -68,7 +71,6 @@
   (rc/list-snapshots! (merge db-roles-config dry-run))
   (rc/list-snapshots! (merge db-config dry-run)))
 
-
 (defn restic-restore!
   []
   (println "\nrestic-restore!")
@@ -82,6 +84,17 @@
   (println "\nchange-password!")
   (rc/change-password! file-config))
 
+(defn restic-backup-with-new!
+  []
+  (println "\nrestic-backup with new!")
+  (bak/backup-file! file-config-with-new))
+
+(defn list-snapshots-with-new!
+  []
+  (println "\nlist-snapshots with new!")
+  (rc/list-snapshots! file-config-with-new))
+
+
 (prepare!)
 (check-env-or-file)
 (restic-repo-init!)
@@ -92,3 +105,5 @@
 (restic-backup!)
 (list-snapshots!)
 (restic-restore!)
+(restic-backup-with-new!)
+(list-snapshots-with-new!)