No commits in common. "4fa849b72bf172bbfa7a3f41df97831183d76126" and "678b75ae6f8e280d02a629a73cf5978f24f0115e" have entirely different histories.
4fa849b72b
...
678b75ae6f
5 changed files with 28 additions and 96 deletions
.gitignore
|
@ -110,5 +110,4 @@ venv.bak/
|
||||||
.clj-kondo/
|
.clj-kondo/
|
||||||
.lsp/
|
.lsp/
|
||||||
.calva/
|
.calva/
|
||||||
.cpcache/
|
.cpcache/
|
||||||
infrastructure/backup/image/resources/backup-repository-state.edn
|
|
|
@ -1,44 +0,0 @@
|
||||||
## Init Statemachine
|
|
||||||
|
|
||||||
### Inputs
|
|
||||||
1. `restic-password: ""`
|
|
||||||
2. `restic-password-to-rotate: ""`
|
|
||||||
|
|
||||||
### Manual init the restic repository for the first time
|
|
||||||
|
|
||||||
1. apply backup-and-restore pod:
|
|
||||||
`kubectl scale deployment backup-restore --replicas=1`
|
|
||||||
2. exec into pod and execute restore pod (press tab to get your exact pod name)
|
|
||||||
`kubectl exec -it backup-restore-... -- /usr/local/bin/init.sh`
|
|
||||||
3. remove backup-and-restore pod:
|
|
||||||
`kubectl scale deployment backup-restore --replicas=0`
|
|
||||||
|
|
||||||
### Password Rotation
|
|
||||||
|
|
||||||
1. apply backup-and-restore pod:
|
|
||||||
`kubectl scale deployment backup-restore --replicas=1`
|
|
||||||
2. add new password to restic repository
|
|
||||||
`restic key add ....`
|
|
||||||
=> Trigger ::
|
|
||||||
field (1) credential current
|
|
||||||
filed (2) credential new
|
|
||||||
3. replace field (1) with (2) & clear (2)
|
|
||||||
4. remove old key - ???
|
|
||||||
`restic remove ....`
|
|
||||||
|
|
||||||
|
|
||||||
```mermaid
|
|
||||||
stateDiagram-v2
|
|
||||||
[*] --> init
|
|
||||||
init --> backup_ready: trigger, restic-password !empty
|
|
||||||
backup_ready --> new_password_added: restic-password !empty && restic-password-to-rotate !empty
|
|
||||||
new_password_added --> backup_ready: restic-password !empty && restic-password-to-rotate empty
|
|
||||||
```
|
|
||||||
|
|
||||||
### First Steps
|
|
||||||
|
|
||||||
1. Cloud Testserver hochfahren
|
|
||||||
2. Dort backup-restore deployment (leeres Secret mgl.?), neues Secret "rotation-credential-secret" als Daten
|
|
||||||
3. mounten von angelegtem Secret in Pod backup-restore
|
|
||||||
4. ba*bash*ka Skript in pod starten -> liest Secret ?leer
|
|
||||||
5. Micha cons.
|
|
|
@ -1,33 +0,0 @@
|
||||||
#! /usr/bin/env bb
|
|
||||||
|
|
||||||
(ns restic-management
|
|
||||||
(:require
|
|
||||||
[clojure.spec.alpha :as s]
|
|
||||||
[clojure.java.io :as io]
|
|
||||||
[clojure.edn :as edn]))
|
|
||||||
|
|
||||||
(s/def ::state string?)
|
|
||||||
|
|
||||||
(s/def ::backup-repository-state
|
|
||||||
(s/keys :req-un [::state]))
|
|
||||||
|
|
||||||
(def state {:state ""})
|
|
||||||
|
|
||||||
(defn store-backup-repository-state [s]
|
|
||||||
(spit "backup-repository-state.edn" s))
|
|
||||||
|
|
||||||
(defn read-backup-repository-state []
|
|
||||||
(try
|
|
||||||
(with-open [r (io/reader "backup-repository-state.edn")]
|
|
||||||
(edn/read (java.io.PushbackReader. r)))
|
|
||||||
|
|
||||||
(catch java.io.IOException e
|
|
||||||
(printf "Couldn't open '%s': %s\n" "backup-repository-state.edn" (.getMessage e)))
|
|
||||||
(catch RuntimeException e
|
|
||||||
(printf "Error parsing edn file '%s': %s\n" "backup-repository-state.edn" (.getMessage e)))))
|
|
||||||
|
|
||||||
(println (read-backup-repository-state))
|
|
||||||
|
|
||||||
(println (:state (read-backup-repository-state)))
|
|
||||||
|
|
||||||
(println (s/valid? ::backup-repository-state (read-backup-repository-state)))
|
|
|
@ -6,7 +6,7 @@ function main() {
|
||||||
upgradeSystem
|
upgradeSystem
|
||||||
|
|
||||||
mkdir -p /usr/share/man/man1
|
mkdir -p /usr/share/man/man1
|
||||||
apt-get -qqy install curl openjdk-17-jre-headless leiningen
|
apt-get -qqy install openjdk-17-jre-headless leiningen curl
|
||||||
|
|
||||||
# shadow-cljs
|
# shadow-cljs
|
||||||
npm install -g npm
|
npm install -g npm
|
||||||
|
@ -15,14 +15,14 @@ function main() {
|
||||||
# download kubeconform & graalvm
|
# download kubeconform & graalvm
|
||||||
kubeconform_version="0.6.4"
|
kubeconform_version="0.6.4"
|
||||||
|
|
||||||
curl -SsLo /tmp/kubeconform-linux-amd64.tar.gz https://github.com/yannh/kubeconform/releases/download/v${kubeconform_version}/kubeconform-linux-amd64.tar.gz
|
curl -SsLo /tmp/kubeconform.tar.gz https://github.com/yannh/kubeconform/releases/download/v${kubeconform_version}/kubeconform-linux-amd64.tar.gz
|
||||||
curl -SsLo /tmp/CHECKSUMS https://github.com/yannh/kubeconform/releases/download/v${kubeconform_version}/CHECKSUMS
|
curl -SsLo /tmp/CHECKSUMS https://github.com/yannh/kubeconform/releases/download/v${kubeconform_version}/CHECKSUMS
|
||||||
|
|
||||||
# checksum kubeconform
|
# checksum kubeconform
|
||||||
checksum
|
checksum
|
||||||
|
|
||||||
# install kubeconform
|
# install kubeconform
|
||||||
tar -C /usr/local/bin -xf /tmp/kubeconform-linux-amd64.tar.gz --exclude=LICENSE
|
tar -C /usr/local/bin -xf /tmp/kubeconform.tar.gz --exclude=LICENSE
|
||||||
|
|
||||||
#install pyb
|
#install pyb
|
||||||
apt-get -qqy install python3 python3-pip git
|
apt-get -qqy install python3 python3-pip git
|
||||||
|
@ -36,9 +36,15 @@ function main() {
|
||||||
}
|
}
|
||||||
|
|
||||||
function checksum() {
|
function checksum() {
|
||||||
awk '{print $1 " /tmp/" $2}' /tmp/CHECKSUMS|sed -n '2p' > /tmp/kubeconform-checksum
|
checksum_var=$(awk '{print $1}' /tmp/CHECKSUMS|sed -n '2p')
|
||||||
cat /tmp/kubeconform-checksum
|
sha256sum_var=$(sha256sum /tmp/kubeconform.tar.gz|awk '{print $1}')
|
||||||
sha256sum -c --status /tmp/kubeconform-checksum
|
|
||||||
|
if [ $checksum_var == $sha256sum_var ]; then
|
||||||
|
echo "Kubeconform checksum verification succesful"
|
||||||
|
else
|
||||||
|
echo "Failure in kubeconform checksum verification"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
source /tmp/install_functions_debian.sh
|
source /tmp/install_functions_debian.sh
|
||||||
|
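Review bot: The new checksum() still selects the expected hash by line position (`sed -n '2p'` on /tmp/CHECKSUMS) rather than by file name, so a reordering of the upstream CHECKSUMS file makes the script compare against the wrong entry, and the unquoted `[ $checksum_var == $sha256sum_var ]` degrades to a `[` syntax error when one side is empty and to `[ == ]`, which succeeds, when both are empty (an error page saved by the earlier `curl` calls, which have no `-f`, is the obvious way to get there). Key the lookup on the file name and quote the comparison: `checksum_var=$(awk '$2 == "kubeconform-linux-amd64.tar.gz" {print $1}' /tmp/CHECKSUMS)` and `if [ -n "$checksum_var" ] && [ "$checksum_var" = "$sha256sum_var" ]; then`. CHECKSUMS is fetched from the same release URL as the tarball, so this check protects against a corrupted download but not a compromised origin; a comment saying so, or pinning the expected hash next to `kubeconform_version`, would make that explicit. The same positional-line and quoting issues recur in the second file's checksum() further down. The file header for this section is not shown in this view.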
|
|
@ -12,7 +12,7 @@ function main() {
|
||||||
kubeconform_version="0.6.4"
|
kubeconform_version="0.6.4"
|
||||||
graalvm_jdk_version="21.0.2"
|
graalvm_jdk_version="21.0.2"
|
||||||
|
|
||||||
curl -SsLo /tmp/kubeconform-linux-amd64.tar.gz https://github.com/yannh/kubeconform/releases/download/v${kubeconform_version}/kubeconform-linux-amd64.tar.gz
|
curl -SsLo /tmp/kubeconform.tar.gz https://github.com/yannh/kubeconform/releases/download/v${kubeconform_version}/kubeconform-linux-amd64.tar.gz
|
||||||
curl -SsLo /tmp/CHECKSUMS https://github.com/yannh/kubeconform/releases/download/v${kubeconform_version}/CHECKSUMS
|
curl -SsLo /tmp/CHECKSUMS https://github.com/yannh/kubeconform/releases/download/v${kubeconform_version}/CHECKSUMS
|
||||||
curl -SsLo /tmp/graalvm-community-jdk.tar.gz https://github.com/graalvm/graalvm-ce-builds/releases/download/jdk-${graalvm_jdk_version}/graalvm-community-jdk-${graalvm_jdk_version}_linux-x64_bin.tar.gz
|
curl -SsLo /tmp/graalvm-community-jdk.tar.gz https://github.com/graalvm/graalvm-ce-builds/releases/download/jdk-${graalvm_jdk_version}/graalvm-community-jdk-${graalvm_jdk_version}_linux-x64_bin.tar.gz
|
||||||
curl -SsLo /tmp/graalvm-checksum https://github.com/graalvm/graalvm-ce-builds/releases/download/jdk-${graalvm_jdk_version}/graalvm-community-jdk-${graalvm_jdk_version}_linux-x64_bin.tar.gz.sha256
|
curl -SsLo /tmp/graalvm-checksum https://github.com/graalvm/graalvm-ce-builds/releases/download/jdk-${graalvm_jdk_version}/graalvm-community-jdk-${graalvm_jdk_version}_linux-x64_bin.tar.gz.sha256
|
||||||
|
@ -21,7 +21,7 @@ function main() {
|
||||||
checksum
|
checksum
|
||||||
|
|
||||||
# install kubeconform
|
# install kubeconform
|
||||||
tar -C /usr/local/bin -xf /tmp/kubeconform-linux-amd64.tar.gz --exclude=LICENSE
|
tar -C /usr/local/bin -xf /tmp/kubeconform.tar.gz --exclude=LICENSE
|
||||||
|
|
||||||
# install graalvm
|
# install graalvm
|
||||||
tar -C /usr/lib/jvm/ -xf /tmp/graalvm-community-jdk.tar.gz
|
tar -C /usr/lib/jvm/ -xf /tmp/graalvm-community-jdk.tar.gz
|
||||||
|
@ -36,21 +36,25 @@ function main() {
|
||||||
pip3 install pybuilder 'ddadevops>=4.7.0' deprecation dda-python-terraform boto3 pyyaml inflection --break-system-packages
|
pip3 install pybuilder 'ddadevops>=4.7.0' deprecation dda-python-terraform boto3 pyyaml inflection --break-system-packages
|
||||||
|
|
||||||
#check
|
#check
|
||||||
native-image --version
|
native-image --help
|
||||||
lein -v
|
lein --help
|
||||||
|
|
||||||
cleanupDocker
|
cleanupDocker
|
||||||
} > /dev/null
|
} > /dev/null
|
||||||
}
|
}
|
||||||
|
|
||||||
function checksum() {
|
function checksum() {
|
||||||
#kubeconform
|
checksum_kubeconform=$(awk '{print $1}' /tmp/CHECKSUMS|sed -n '2p')
|
||||||
awk '{print $1 " /tmp/" $2}' /tmp/CHECKSUMS|sed -n '2p' > /tmp/kubeconform-checksum
|
sha256sum_kubeconform=$(sha256sum /tmp/kubeconform.tar.gz|awk '{print $1}')
|
||||||
sha256sum -c --status /tmp/kubeconform-checksum
|
checksum_graalvm_jdk=$(awk '{print $1}' /tmp/graalvm-checksum)
|
||||||
|
sha256sum_graalvm_jdk=$(sha256sum /tmp/graalvm-community-jdk.tar.gz|awk '{print $1}')
|
||||||
#graalvm
|
|
||||||
echo " /tmp/graalvm-community-jdk.tar.gz"|tee -a /tmp/graalvm-checksum
|
if [ $checksum_kubeconform == $sha256sum_kubeconform -a $checksum_graalvm_jdk == $sha256sum_graalvm_jdk ]; then
|
||||||
sha256sum -c --status /tmp/graalvm-checksum
|
echo "Kubeconform & graalvm_jdk checksum verification succesful"
|
||||||
|
else
|
||||||
|
echo "Failure in kubeconform|graalvm_jdk checksum verification"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
source /tmp/install_functions_debian.sh
|
source /tmp/install_functions_debian.sh
|
||||||
|
|
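Review bot: The combined `[ ... -a ... ]` test in the new checksum() reports one message for two artifacts, so an operator cannot tell which download failed, and with every operand unquoted it inherits the first file's problem that an empty expected hash becomes a `[` error or, when both sides of one comparison are empty, a passing test. If the `checksum` call in main() sits inside the `{ … } > /dev/null` group closed near the end of this section, the echo diagnostics are discarded as well and only the exit status survives, so the failure messages belong on stderr. I would test each artifact separately with quoted operands, reject an empty expected hash explicitly, and select the kubeconform entry by file name instead of `sed -n '2p'`; `-a` is obsolescent in POSIX `test` and is replaced by two commands. main() begins outside this view.

```shell
function checksum() {
  checksum_kubeconform=$(awk '$2 == "kubeconform-linux-amd64.tar.gz" {print $1}' /tmp/CHECKSUMS)
  # … unchanged: sha256sum_kubeconform, checksum_graalvm_jdk, sha256sum_graalvm_jdk assignments …

  # One test per artifact so the message names the failing file; -z rejects an empty expected hash
  if [ -z "$checksum_kubeconform" ] || [ "$checksum_kubeconform" != "$sha256sum_kubeconform" ]; then
    echo "Failure in kubeconform checksum verification" >&2
    exit 1
  fi
  if [ -z "$checksum_graalvm_jdk" ] || [ "$checksum_graalvm_jdk" != "$sha256sum_graalvm_jdk" ]; then
    echo "Failure in graalvm_jdk checksum verification" >&2
    exit 1
  fi
  echo "Kubeconform & graalvm_jdk checksum verification succesful"
}
```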