Compare commits


6 commits

5 changed files with 96 additions and 28 deletions

.gitignore vendored

@ -110,4 +110,5 @@ venv.bak/
.clj-kondo/
.lsp/
.calva/
.cpcache/
.cpcache/
infrastructure/backup/image/resources/backup-repository-state.edn


@ -0,0 +1,44 @@
## Init Statemachine
### Inputs
1. `restic-password: ""`
2. `restic-password-to-rotate: ""`
### Manual init the restic repository for the first time
1. apply backup-and-restore pod:
`kubectl scale deployment backup-restore --replicas=1`
2. exec into pod and execute restore pod (press tab to get your exact pod name)
`kubectl exec -it backup-restore-... -- /usr/local/bin/init.sh`
3. remove backup-and-restore pod:
`kubectl scale deployment backup-restore --replicas=0`
### Password Rotation
1. apply backup-and-restore pod:
`kubectl scale deployment backup-restore --replicas=1`
2. add new password to restic repository
`restic key add ....`
=> Trigger ::
field (1) credential current
filed (2) credential new
3. replace field (1) with (2) & clear (2)
4. remove old key - ???
`restic remove ....`
```mermaid
stateDiagram-v2
[*] --> init
init --> backup_ready: trigger, restic-password !empty
backup_ready --> new_password_added: restic-password !empty && restic-password-to-rotate !empty
new_password_added --> backup_ready: restic-password !empty && restic-password-to-rotate empty
```
### First Steps
1. Cloud Testserver hochfahren
2. Dort backup-restore deployment (leeres Secret mgl.?), neues Secret "rotation-credential-secret" als Daten
3. mounten von angelegtem Secret in Pod backup-restore
4. ba*bash*ka Skript in pod starten -> liest Secret ?leer
5. Micha cons.


@ -0,0 +1,33 @@
#! /usr/bin/env bb
(ns restic-management
(:require
[clojure.spec.alpha :as s]
[clojure.java.io :as io]
[clojure.edn :as edn]))
(s/def ::state string?)
(s/def ::backup-repository-state
(s/keys :req-un [::state]))
(def state {:state ""})
(defn store-backup-repository-state [s]
(spit "backup-repository-state.edn" s))
(defn read-backup-repository-state []
(try
(with-open [r (io/reader "backup-repository-state.edn")]
(edn/read (java.io.PushbackReader. r)))
(catch java.io.IOException e
(printf "Couldn't open '%s': %s\n" "backup-repository-state.edn" (.getMessage e)))
(catch RuntimeException e
(printf "Error parsing edn file '%s': %s\n" "backup-repository-state.edn" (.getMessage e)))))
(println (read-backup-repository-state))
(println (:state (read-backup-repository-state)))
(println (s/valid? ::backup-repository-state (read-backup-repository-state)))
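Review bot: Both catch branches in read-backup-repository-state print the error and return nil, so a missing or unparsable state file is not treated as a failure: the three top-level calls then print nil and `false` and the script carries on, which for a state machine that is meant to gate restic credential rotation is a silent path into an undefined state. Either rethrow after logging or exit non-zero in each catch (e.g. `(System/exit 1)`), and validate on the write side as well, e.g. `(when-not (s/valid? ::backup-repository-state s) (throw (ex-info "invalid backup-repository-state" (s/explain-data ::backup-repository-state s))))` before the `spit`. The literal `"backup-repository-state.edn"` is repeated four times and is resolved relative to the process working directory; hoisting it into `(def state-file "backup-repository-state.edn")` makes that path a single documented decision, and `(def state {:state ""})` is currently unused. The file's path is not shown on this page, so which directory the relative path resolves against cannot be confirmed here.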


@ -6,7 +6,7 @@ function main() {
upgradeSystem
mkdir -p /usr/share/man/man1
apt-get -qqy install openjdk-17-jre-headless leiningen curl
apt-get -qqy install curl openjdk-17-jre-headless leiningen
# shadow-cljs
npm install -g npm
@ -15,14 +15,14 @@ function main() {
# download kubeconform & graalvm
kubeconform_version="0.6.4"
curl -SsLo /tmp/kubeconform.tar.gz https://github.com/yannh/kubeconform/releases/download/v${kubeconform_version}/kubeconform-linux-amd64.tar.gz
curl -SsLo /tmp/kubeconform-linux-amd64.tar.gz https://github.com/yannh/kubeconform/releases/download/v${kubeconform_version}/kubeconform-linux-amd64.tar.gz
curl -SsLo /tmp/CHECKSUMS https://github.com/yannh/kubeconform/releases/download/v${kubeconform_version}/CHECKSUMS
# checksum kubeconform
checksum
# install kubeconform
tar -C /usr/local/bin -xf /tmp/kubeconform.tar.gz --exclude=LICENSE
tar -C /usr/local/bin -xf /tmp/kubeconform-linux-amd64.tar.gz --exclude=LICENSE
#install pyb
apt-get -qqy install python3 python3-pip git
@ -36,15 +36,9 @@ function main() {
}
function checksum() {
checksum_var=$(awk '{print $1}' /tmp/CHECKSUMS|sed -n '2p')
sha256sum_var=$(sha256sum /tmp/kubeconform.tar.gz|awk '{print $1}')
if [ $checksum_var == $sha256sum_var ]; then
echo "Kubeconform checksum verification succesful"
else
echo "Failure in kubeconform checksum verification"
exit 1
fi
awk '{print $1 " /tmp/" $2}' /tmp/CHECKSUMS|sed -n '2p' > /tmp/kubeconform-checksum
cat /tmp/kubeconform-checksum
sha256sum -c --status /tmp/kubeconform-checksum
}
source /tmp/install_functions_debian.sh
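Review bot: The rewritten checksum function drops the explicit failure path: `sha256sum -c --status` reports a mismatch only through its exit status and nothing in the function inspects it, so unless `set -e` is in effect (not visible in this section) a corrupted or tampered /tmp/kubeconform-linux-amd64.tar.gz is still untarred into /usr/local/bin on the line after `checksum` is called in main(). Keep the old version's hard stop in some form, e.g. `sha256sum -c --status /tmp/kubeconform-checksum || { echo "Failure in kubeconform checksum verification" >&2; exit 1; }`. Selecting the second line of CHECKSUMS with `sed -n '2p'` also ties correctness to the upstream file's ordering; selecting by name is more robust: `grep ' kubeconform-linux-amd64.tar.gz$' /tmp/CHECKSUMS | awk '{print $1 " /tmp/" $2}' > /tmp/kubeconform-checksum`. Note that CHECKSUMS is downloaded from the same release URL as the tarball, so this check catches corruption and a mismatched version but not a compromised release; main() itself starts outside the hunks shown.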


@ -12,7 +12,7 @@ function main() {
kubeconform_version="0.6.4"
graalvm_jdk_version="21.0.2"
curl -SsLo /tmp/kubeconform.tar.gz https://github.com/yannh/kubeconform/releases/download/v${kubeconform_version}/kubeconform-linux-amd64.tar.gz
curl -SsLo /tmp/kubeconform-linux-amd64.tar.gz https://github.com/yannh/kubeconform/releases/download/v${kubeconform_version}/kubeconform-linux-amd64.tar.gz
curl -SsLo /tmp/CHECKSUMS https://github.com/yannh/kubeconform/releases/download/v${kubeconform_version}/CHECKSUMS
curl -SsLo /tmp/graalvm-community-jdk.tar.gz https://github.com/graalvm/graalvm-ce-builds/releases/download/jdk-${graalvm_jdk_version}/graalvm-community-jdk-${graalvm_jdk_version}_linux-x64_bin.tar.gz
curl -SsLo /tmp/graalvm-checksum https://github.com/graalvm/graalvm-ce-builds/releases/download/jdk-${graalvm_jdk_version}/graalvm-community-jdk-${graalvm_jdk_version}_linux-x64_bin.tar.gz.sha256
@ -21,7 +21,7 @@ function main() {
checksum
# install kubeconform
tar -C /usr/local/bin -xf /tmp/kubeconform.tar.gz --exclude=LICENSE
tar -C /usr/local/bin -xf /tmp/kubeconform-linux-amd64.tar.gz --exclude=LICENSE
# install graalvm
tar -C /usr/lib/jvm/ -xf /tmp/graalvm-community-jdk.tar.gz
@ -36,25 +36,21 @@ function main() {
pip3 install pybuilder 'ddadevops>=4.7.0' deprecation dda-python-terraform boto3 pyyaml inflection --break-system-packages
#check
native-image --help
lein --help
native-image --version
lein -v
cleanupDocker
} > /dev/null
}
function checksum() {
checksum_kubeconform=$(awk '{print $1}' /tmp/CHECKSUMS|sed -n '2p')
sha256sum_kubeconform=$(sha256sum /tmp/kubeconform.tar.gz|awk '{print $1}')
checksum_graalvm_jdk=$(awk '{print $1}' /tmp/graalvm-checksum)
sha256sum_graalvm_jdk=$(sha256sum /tmp/graalvm-community-jdk.tar.gz|awk '{print $1}')
if [ $checksum_kubeconform == $sha256sum_kubeconform -a $checksum_graalvm_jdk == $sha256sum_graalvm_jdk ]; then
echo "Kubeconform & graalvm_jdk checksum verification succesful"
else
echo "Failure in kubeconform|graalvm_jdk checksum verification"
exit 1
fi
#kubeconform
awk '{print $1 " /tmp/" $2}' /tmp/CHECKSUMS|sed -n '2p' > /tmp/kubeconform-checksum
sha256sum -c --status /tmp/kubeconform-checksum
#graalvm
echo " /tmp/graalvm-community-jdk.tar.gz"|tee -a /tmp/graalvm-checksum
sha256sum -c --status /tmp/graalvm-checksum
}
source /tmp/install_functions_debian.sh
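Review bot: Neither `sha256sum -c --status` call in the new checksum function has its exit status checked, so the `exit 1` that the old version guaranteed on a mismatch is gone and, unless `set -e` is active somewhere outside this section, both tarballs are installed regardless of the result. The graalvm line is additionally fragile: `echo ... | tee -a /tmp/graalvm-checksum` appends a newline-terminated line to the downloaded .sha256 file, so if that file already ends with a newline the path lands on a line of its own and `sha256sum -c` has no properly formatted checksum line to check (whether the upstream file ends with a newline cannot be told from here). Building the check line from the first field, as the old code already did with `awk '{print $1}' /tmp/graalvm-checksum`, into a separate file avoids depending on that, and selecting the kubeconform entry by name instead of `sed -n '2p'` removes the dependence on upstream line order. main() starts outside the hunks shown.

```shell
function checksum() {
    #kubeconform
    grep ' kubeconform-linux-amd64.tar.gz$' /tmp/CHECKSUMS | awk '{print $1 " /tmp/" $2}' > /tmp/kubeconform-checksum
    sha256sum -c --status /tmp/kubeconform-checksum || { echo "Failure in kubeconform checksum verification" >&2; exit 1; }
    #graalvm
    printf '%s  /tmp/graalvm-community-jdk.tar.gz\n' "$(awk 'NR==1{print $1}' /tmp/graalvm-checksum)" > /tmp/graalvm-checksum.sha256sum
    sha256sum -c --status /tmp/graalvm-checksum.sha256sum || { echo "Failure in graalvm_jdk checksum verification" >&2; exit 1; }
}
```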