Compare commits


No commits in common. "4fa849b72bf172bbfa7a3f41df97831183d76126" and "678b75ae6f8e280d02a629a73cf5978f24f0115e" have entirely different histories.

5 changed files with 28 additions and 96 deletions

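--- a/.gitignore
+++ b/.gitignore
@@ -111,4 +111,3 @@ venv.bak/
 .lsp/
 .calva/
 .cpcache/
-infrastructure/backup/image/resources/backup-repository-state.edn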


@ -1,44 +0,0 @@
## Init Statemachine
### Inputs
1. `restic-password: ""`
2. `restic-password-to-rotate: ""`
### Manual init the restic repository for the first time
1. apply backup-and-restore pod:
`kubectl scale deployment backup-restore --replicas=1`
2. exec into pod and execute restore pod (press tab to get your exact pod name)
`kubectl exec -it backup-restore-... -- /usr/local/bin/init.sh`
3. remove backup-and-restore pod:
`kubectl scale deployment backup-restore --replicas=0`
### Password Rotation
1. apply backup-and-restore pod:
`kubectl scale deployment backup-restore --replicas=1`
2. add new password to restic repository
`restic key add ....`
=> Trigger ::
field (1) credential current
filed (2) credential new
3. replace field (1) with (2) & clear (2)
4. remove old key - ???
`restic remove ....`
```mermaid
stateDiagram-v2
[*] --> init
init --> backup_ready: trigger, restic-password !empty
backup_ready --> new_password_added: restic-password !empty && restic-password-to-rotate !empty
new_password_added --> backup_ready: restic-password !empty && restic-password-to-rotate empty
```
### First Steps
1. Cloud Testserver hochfahren
2. Dort backup-restore deployment (leeres Secret mgl.?), neues Secret "rotation-credential-secret" als Daten
3. mounten von angelegtem Secret in Pod backup-restore
4. ba*bash*ka Skript in pod starten -> liest Secret ?leer
5. Micha cons.


@ -1,33 +0,0 @@
#! /usr/bin/env bb
(ns restic-management
(:require
[clojure.spec.alpha :as s]
[clojure.java.io :as io]
[clojure.edn :as edn]))
(s/def ::state string?)
(s/def ::backup-repository-state
(s/keys :req-un [::state]))
(def state {:state ""})
(defn store-backup-repository-state [s]
(spit "backup-repository-state.edn" s))
(defn read-backup-repository-state []
(try
(with-open [r (io/reader "backup-repository-state.edn")]
(edn/read (java.io.PushbackReader. r)))
(catch java.io.IOException e
(printf "Couldn't open '%s': %s\n" "backup-repository-state.edn" (.getMessage e)))
(catch RuntimeException e
(printf "Error parsing edn file '%s': %s\n" "backup-repository-state.edn" (.getMessage e)))))
(println (read-backup-repository-state))
(println (:state (read-backup-repository-state)))
(println (s/valid? ::backup-repository-state (read-backup-repository-state)))


@ -6,7 +6,7 @@ function main() {
upgradeSystem upgradeSystem
mkdir -p /usr/share/man/man1 mkdir -p /usr/share/man/man1
apt-get -qqy install curl openjdk-17-jre-headless leiningen apt-get -qqy install openjdk-17-jre-headless leiningen curl
# shadow-cljs # shadow-cljs
npm install -g npm npm install -g npm
@ -15,14 +15,14 @@ function main() {
# download kubeconform & graalvm # download kubeconform & graalvm
kubeconform_version="0.6.4" kubeconform_version="0.6.4"
curl -SsLo /tmp/kubeconform-linux-amd64.tar.gz https://github.com/yannh/kubeconform/releases/download/v${kubeconform_version}/kubeconform-linux-amd64.tar.gz curl -SsLo /tmp/kubeconform.tar.gz https://github.com/yannh/kubeconform/releases/download/v${kubeconform_version}/kubeconform-linux-amd64.tar.gz
curl -SsLo /tmp/CHECKSUMS https://github.com/yannh/kubeconform/releases/download/v${kubeconform_version}/CHECKSUMS curl -SsLo /tmp/CHECKSUMS https://github.com/yannh/kubeconform/releases/download/v${kubeconform_version}/CHECKSUMS
# checksum kubeconform # checksum kubeconform
checksum checksum
# install kubeconform # install kubeconform
tar -C /usr/local/bin -xf /tmp/kubeconform-linux-amd64.tar.gz --exclude=LICENSE tar -C /usr/local/bin -xf /tmp/kubeconform.tar.gz --exclude=LICENSE
#install pyb #install pyb
apt-get -qqy install python3 python3-pip git apt-get -qqy install python3 python3-pip git
@ -36,9 +36,15 @@ function main() {
} }
function checksum() { function checksum() {
awk '{print $1 " /tmp/" $2}' /tmp/CHECKSUMS|sed -n '2p' > /tmp/kubeconform-checksum checksum_var=$(awk '{print $1}' /tmp/CHECKSUMS|sed -n '2p')
cat /tmp/kubeconform-checksum sha256sum_var=$(sha256sum /tmp/kubeconform.tar.gz|awk '{print $1}')
sha256sum -c --status /tmp/kubeconform-checksum
if [ $checksum_var == $sha256sum_var ]; then
echo "Kubeconform checksum verification succesful"
else
echo "Failure in kubeconform checksum verification"
exit 1
fi
} }
source /tmp/install_functions_debian.sh source /tmp/install_functions_debian.sh
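Review bot: The new `checksum` function selects the expected hash by line position (`sed -n '2p'` on /tmp/CHECKSUMS) and compares it with an unquoted `[ $checksum_var == $sha256sum_var ]`, so when both values are empty — e.g. neither download produced a file, which the `curl -SsLo` calls above do not guard against since they pass no `--fail` — the test degenerates to `[ == ]`, which is true, and the script reports success for a check it never performed. Selecting the line by artifact name (the old `sha256sum -c` code already relied on the `<hash> <filename>` two-field layout) and quoting the operands closes both gaps: `checksum_var=$(grep ' kubeconform-linux-amd64.tar.gz$' /tmp/CHECKSUMS | awk '{print $1}')` and `if [ -n "$checksum_var" ] && [ "$checksum_var" = "$sha256sum_var" ]; then`. Separately, CHECKSUMS is fetched from the same GitHub release as the tarball, so this verifies transfer integrity but not the publisher; pinning the expected digest in the script next to `kubeconform_version` would also cover a tampered or replaced release. The function is fully contained in the hunk.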


@ -12,7 +12,7 @@ function main() {
kubeconform_version="0.6.4" kubeconform_version="0.6.4"
graalvm_jdk_version="21.0.2" graalvm_jdk_version="21.0.2"
curl -SsLo /tmp/kubeconform-linux-amd64.tar.gz https://github.com/yannh/kubeconform/releases/download/v${kubeconform_version}/kubeconform-linux-amd64.tar.gz curl -SsLo /tmp/kubeconform.tar.gz https://github.com/yannh/kubeconform/releases/download/v${kubeconform_version}/kubeconform-linux-amd64.tar.gz
curl -SsLo /tmp/CHECKSUMS https://github.com/yannh/kubeconform/releases/download/v${kubeconform_version}/CHECKSUMS curl -SsLo /tmp/CHECKSUMS https://github.com/yannh/kubeconform/releases/download/v${kubeconform_version}/CHECKSUMS
curl -SsLo /tmp/graalvm-community-jdk.tar.gz https://github.com/graalvm/graalvm-ce-builds/releases/download/jdk-${graalvm_jdk_version}/graalvm-community-jdk-${graalvm_jdk_version}_linux-x64_bin.tar.gz curl -SsLo /tmp/graalvm-community-jdk.tar.gz https://github.com/graalvm/graalvm-ce-builds/releases/download/jdk-${graalvm_jdk_version}/graalvm-community-jdk-${graalvm_jdk_version}_linux-x64_bin.tar.gz
curl -SsLo /tmp/graalvm-checksum https://github.com/graalvm/graalvm-ce-builds/releases/download/jdk-${graalvm_jdk_version}/graalvm-community-jdk-${graalvm_jdk_version}_linux-x64_bin.tar.gz.sha256 curl -SsLo /tmp/graalvm-checksum https://github.com/graalvm/graalvm-ce-builds/releases/download/jdk-${graalvm_jdk_version}/graalvm-community-jdk-${graalvm_jdk_version}_linux-x64_bin.tar.gz.sha256
@ -21,7 +21,7 @@ function main() {
checksum checksum
# install kubeconform # install kubeconform
tar -C /usr/local/bin -xf /tmp/kubeconform-linux-amd64.tar.gz --exclude=LICENSE tar -C /usr/local/bin -xf /tmp/kubeconform.tar.gz --exclude=LICENSE
# install graalvm # install graalvm
tar -C /usr/lib/jvm/ -xf /tmp/graalvm-community-jdk.tar.gz tar -C /usr/lib/jvm/ -xf /tmp/graalvm-community-jdk.tar.gz
@ -36,21 +36,25 @@ function main() {
pip3 install pybuilder 'ddadevops>=4.7.0' deprecation dda-python-terraform boto3 pyyaml inflection --break-system-packages pip3 install pybuilder 'ddadevops>=4.7.0' deprecation dda-python-terraform boto3 pyyaml inflection --break-system-packages
#check #check
native-image --version native-image --help
lein -v lein --help
cleanupDocker cleanupDocker
} > /dev/null } > /dev/null
} }
function checksum() { function checksum() {
#kubeconform checksum_kubeconform=$(awk '{print $1}' /tmp/CHECKSUMS|sed -n '2p')
awk '{print $1 " /tmp/" $2}' /tmp/CHECKSUMS|sed -n '2p' > /tmp/kubeconform-checksum sha256sum_kubeconform=$(sha256sum /tmp/kubeconform.tar.gz|awk '{print $1}')
sha256sum -c --status /tmp/kubeconform-checksum checksum_graalvm_jdk=$(awk '{print $1}' /tmp/graalvm-checksum)
sha256sum_graalvm_jdk=$(sha256sum /tmp/graalvm-community-jdk.tar.gz|awk '{print $1}')
#graalvm if [ $checksum_kubeconform == $sha256sum_kubeconform -a $checksum_graalvm_jdk == $sha256sum_graalvm_jdk ]; then
echo " /tmp/graalvm-community-jdk.tar.gz"|tee -a /tmp/graalvm-checksum echo "Kubeconform & graalvm_jdk checksum verification succesful"
sha256sum -c --status /tmp/graalvm-checksum else
echo "Failure in kubeconform|graalvm_jdk checksum verification"
exit 1
fi
} }
source /tmp/install_functions_debian.sh source /tmp/install_functions_debian.sh
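Review bot: The compound test `[ $checksum_kubeconform == $sha256sum_kubeconform -a $checksum_graalvm_jdk == $sha256sum_graalvm_jdk ]` combines the obsolescent `-a` operator with unquoted operands, so an empty variable changes how `[` parses the expression instead of failing the comparison — with all four empty (for instance when the downloads above did not produce files, as `curl -SsLo` is used without `--fail`) it reduces to `[ == -a == ]`, which evaluates true, and the build proceeds past a verification that did not happen. Quoting and splitting the conditions makes each comparison explicit and fails closed: `if [ -n "$checksum_kubeconform" ] && [ "$checksum_kubeconform" = "$sha256sum_kubeconform" ] && [ -n "$checksum_graalvm_jdk" ] && [ "$checksum_graalvm_jdk" = "$sha256sum_graalvm_jdk" ]; then`. As in the sibling install script, `sed -n '2p'` picks the kubeconform digest by line position rather than by artifact name, so a reordering of the upstream CHECKSUMS file would make the check compare against the wrong entry; a `grep` on the filename is more robust. The function is fully contained in the hunk.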