adjust test & doc

2025-01-11 11:00:31 +01:00 · 2025-01-11 11:00:31 +01:00 · 0cd1dd296c
commit 0cd1dd296c
parent cf465c9583
3 changed files with 57 additions and 71 deletions
--- a/README.md
+++ b/README.md
@ -19,6 +19,6 @@ Mirrors are:
 For more details about our repository model see: https://repo.prod.meissa.de/meissa/federate-your-repos
 ## License
-Copyright © 2024 meissa GmbH
+Copyright © 2024, 2025 meissa GmbH
 Published under [apache2.0 license](LICENSE.md)
 Pls. find licenses of our subcomponents [here](doc/SUBCOMPONENT_LICENSE)
--- a/infrastructure/backup/doc/backup_dev_notes.md
+++ b/infrastructure/backup/doc/backup_dev_notes.md
@ -1,79 +1,50 @@
-## Init Statemachine
+# changing password on restic repository
-### Inputs
+## config to use
 1. `restic-password: ""`
 2. `restic-password-to-rotate: ""`
-### Manual init the restic repository for the first time
+To change the password add new-password-file to config.
-1. apply backup-and-restore pod:   
+```clojure
-   `kubectl scale deployment backup-restore --replicas=1`
+ {:password-file "/restic-pwd"
-2. exec into pod and execute restore pod (press tab to get your exact pod name)   
+  :new-password-file "/new-restic-pwd"}
-   `kubectl exec -it backup-restore-... -- /usr/local/bin/init.sh`
+```
 3. remove backup-and-restore pod:   
   `kubectl scale deployment backup-restore --replicas=0`
-### Password Rotation
+## restic: decide which password to choose
 1. apply backup-and-restore pod:   
   `kubectl scale deployment backup-restore --replicas=1`
 2. add new password to restic repository   
    `restic key add ....`   
    => Trigger ::   
    field (1) credential current   
    filed (2) credential new
 3. replace field (1) with (2) & clear (2)
 4. remove old key - ???  
 `restic remove ....`
 If there is a new-password-file defined, decide witch to use:
 ```mermaid
 stateDiagram-v2
-    [*] --> init
+    state new? <<choice>>
-    init --> backup_ready: trigger, restic-password !empty
+    state "restic --password-file /new-pwd check" as check_new
-    backup_ready --> new_password_added: restic-password !empty && restic-password-to-rotate !empty 
+    state new_works? <<choice>>
-    new_password_added --> backup_ready: restic-password !empty && restic-password-to-rotate empty
+
    [*] --> containsNewPassword?
    containsNewPassword? --> new?
    new? --> check_new: yes
    new? --> use_old: no
    check_new --> new_works?
    new_works? --> use_new: yes
    new_works? --> use_old: no
 ```
-### First Steps
+# Process to change password in k8s
 1. Cloud Testserver hochfahren
 2. Dort backup-restore deployment (leeres Secret mgl.?), neues Secret "rotation-credential-secret" als Daten
 3. mounten von angelegtem Secret in Pod backup-restore
 4. ba*bash*ka Skript in pod starten -> liest Secret ?leer
 5. Micha cons. 
 ```mermaid
 sequenceDiagram
-    participant k8s
+    actor d as DevOps
-    participant e as entrypoint.sh
+    participant s as BackupSecret
-    participant rm as restic-management.clj
+    participant a as ApplicationDeployment
    participant b as BackupDeployment
-    k8s ->> e: cronjob calls
+    d ->> s: add new-password-file
-    e ->> rm: start-file
+    d ->> a: scale down
-    rm ->> rm: rotate
+    d ->> b: scale up
-    activate rm
+    d ->> b: shell into
-        rm ->> rm: read-backup-repository-state (state)
+    activate b
-        rm ->> rm: read-secret (backup-secret/restic-password,  rotation-credential-secret/rotation-credential)
+    b ->> b: call change password
-        rm ->> rm: switch
+    deactivate b
-        activate rm
+    d ->> s: replace password-file with new-password-file
-        rm ->> rm: if init && restic-password != null
+    d ->> b: scale down
-        activate rm
+    d ->> a: scale up
        rm ->> rm: init.sh
        rm ->> rm: state init -> backup-ready
        deactivate rm
        rm ->> rm: if backup-ready && rotation-credential != null
        activate rm
        rm ->> rm: add-new-password-to-restic-repository.sh
        rm ->> rm: state backup-ready -> new-password-added
        deactivate rm
        rm ->> rm: if new-password-added && rotation-credential == null
        activate rm
        rm ->> rm: remove-old-password-from-restic-repository.sh
        rm ->> rm: state new-password-added -> backup-ready
        deactivate rm
        deactivate rm
        rm ->> rm: store-repository-state (state)
    deactivate rm
 ```
--- a/infrastructure/backup/test/resources/test.bb
+++ b/infrastructure/backup/test/resources/test.bb
@ -17,6 +17,9 @@
                                     :files ["test-backup"]
                                     :restore-target-directory "test-restore"}))
 (def file-config-with-new (merge (dissoc file-config :new-password-file) 
                                 {:password-file "/new-restic-pwd"}))
 (def db-config (merge restic-repo {:backup-path "db"
                                   :pg-db "mydb"
                                   :pg-user "user"
@ -68,7 +71,6 @@
  (rc/list-snapshots! (merge db-roles-config dry-run))
  (rc/list-snapshots! (merge db-config dry-run)))
 (defn restic-restore!
  []
  (println "\nrestic-restore!")
@ -82,6 +84,17 @@
  (println "\nchange-password!")
  (rc/change-password! file-config))
 (defn restic-backup-with-new!
  []
  (println "\nrestic-backup with new!")
  (bak/backup-file! file-config-with-new))
 (defn list-snapshots-with-new!
  []
  (println "\nlist-snapshots with new!")
  (rc/list-snapshots! file-config-with-new))
 (prepare!)
 (check-env-or-file)
 (restic-repo-init!)
@ -92,3 +105,5 @@
 (restic-backup!)
 (list-snapshots!)
 (restic-restore!)
 (restic-backup-with-new!)
 (list-snapshots-with-new!)