Add backup deployment to nerc-shift-1

aabaris · aabaris · commit 29828d4aae09 · 2026-02-09T13:20:55.000-05:00
diff --git a/k8s/base/openstack-api-backup-cron.yaml b/k8s/base/openstack-api-backup-cron.yaml
@@ -16,10 +16,21 @@ spec:
             runAsUser: 1001
             runAsGroup: 1001
             fsGroup: 1001
+            runAsNonRoot: true
+            seccompProfileProfile:
+              type: RuntimeDefault
           containers:
             - name: openstack-api-backup
               image: ghcr.io/nerc-project/openstack-api-backup:main
               imagePullPolicy: Always
+              securityContext:
+                allowPrivilegeEscalation: false
+                runAsNonRoot: true
+                capabilities:
+                  drop:
+                    - ALL
+                seccompProfile:
+                  type: RuntimeDefault
               env:
                 - name: HOME
                   value: '/tmp'
diff --git a/k8s/overlays/nerc-shift-1/kustomization.yaml b/k8s/overlays/nerc-shift-1/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+namespace: default
+resources:
+  - ../../base
+  - secrets
+  - pvc.yaml
+
+patchesStrategicMerge:
+  - patches/patch-openstack-api-backup-cron.yaml
diff --git a/k8s/overlays/nerc-shift-1/patches/patch-openstack-api-backup-cron.yaml b/k8s/overlays/nerc-shift-1/patches/patch-openstack-api-backup-cron.yaml
@@ -0,0 +1,53 @@
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: openstack-api-backup
+  namespace: openstack-api-backup
+spec:
+  schedule: 4 * * * *
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+            - name: openstack-api-backup
+              env:
+                - name: S3_ENDPOINT
+                  valueFrom:
+                    $patch: replace
+                    secretKeyRef:
+                      name: openstack-api-backup
+                      key: s3_endpoint
+                - name: S3_BUCKET_URI
+                  valueFrom:
+                    $patch: replace
+                    secretKeyRef:
+                      name: openstack-api-backup
+                      key: s3_bucket_uri
+                - name: BACKUP_ROTATE
+                  valueFrom:
+                    $patch: replace
+                    secretKeyRef:
+                      name: openstack-api-backup
+                      key: backup_rotate
+                - name: OS_AUTH_TYPE
+                  value: v3applicationcredential
+                - name: OS_AUTH_URL
+                  valueFrom:
+                    $patch: replace
+                    secretKeyRef:
+                      name: openstack-api-backup
+                      key: os_auth_url
+                - name: OS_APPLICATION_CREDENTIAL_ID
+                  valueFrom:
+                    $patch: replace
+                    secretKeyRef:
+                      name: openstack-api-backup
+                      key: os_application_credential_id
+                - name: OS_APPLICATION_CREDENTIAL_SECRET
+                  valueFrom:
+                    $path: replace
+                    secretKeyRef:
+                      name: openstack-api-backup
+                      key: os_application_credential_secret
diff --git a/k8s/overlays/nerc-shift-1/pvc.yaml b/k8s/overlays/nerc-shift-1/pvc.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: openstack-api-backup
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 2Gi
diff --git a/k8s/overlays/nerc-shift-1/secrets/kustomization.yaml b/k8s/overlays/nerc-shift-1/secrets/kustomization.yaml
@@ -0,0 +1,3 @@
+---
+resources:
+  - openstack-api-backup.yaml
diff --git a/k8s/overlays/nerc-shift-1/secrets/openstack-api-backup.yaml b/k8s/overlays/nerc-shift-1/secrets/openstack-api-backup.yaml
@@ -0,0 +1,42 @@
+---
+apiVersion: external-secrets.io/v1alpha1
+kind: ExternalSecret
+metadata:
+  name: openstack-api-backup
+  namespace: openstack-api-backup
+spec:
+  refreshInterval: "15s"
+  secretStoreRef:
+    name: vault-backend
+    kind: ClusterSecretStore
+  target:
+    name: openstack-api-backup
+  data:
+    - secretKey: aws_credentials
+      remoteRef:
+        key: accounts/holecs
+        property: awscli_credentials
+    - secretKey: backup_rotate
+      remoteRef:
+        key: openstack-api-backup/config
+        property: backup_rotate
+    - secretKey: s3_endpoint
+      remoteRef:
+        key: openstack-api-backup/config
+        property: s3_endpoint
+    - secretKey: s3_bucket_uri
+      remoteRef:
+        key: openstack-api-backup/config
+        property: s3_bucket_uri
+    - secretKey: os_auth_url
+      remoteRef:
+        key: openstack-api-backup/config
+        property: os_auth_url
+    - secretKey: os_application_credential_id
+      remoteRef:
+        key: openstack-api-backup/config
+        property: os_application_credential_id
+    - secretKey: os_application_credential_secret
+      remoteRef:
+        key: openstack-api-backup/config
+        property: os_application_credential_secret
diff --git a/k8s/overlays/ocp-aa-test/kustomization.yaml b/k8s/overlays/ocp-aa-test/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+namespace: openstack-api-backup
+resources:
+  - ../../base
+  - secrets
+  - pvc.yaml
+
+patchesStrategicMerge:
+  - patches/patch-openstack-api-backup-cron.yaml
diff --git a/k8s/overlays/ocp-aa-test/patches/patch-openstack-api-backup-cron.yaml b/k8s/overlays/ocp-aa-test/patches/patch-openstack-api-backup-cron.yaml
@@ -0,0 +1,52 @@
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: openstack-api-backup
+  namespace: openstack-api-backup
+spec:
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+            - name: openstack-api-backup
+              env:
+                - name: S3_ENDPOINT
+                  valueFrom:
+                    $patch: replace
+                    secretKeyRef:
+                      name: openstack-api-backup
+                      key: s3_endpoint
+                - name: S3_BUCKET_URI
+                  valueFrom:
+                    $patch: replace
+                    secretKeyRef:
+                      name: openstack-api-backup
+                      key: s3_bucket_uri
+                - name: BACKUP_ROTATE
+                  valueFrom:
+                    $patch: replace
+                    secretKeyRef:
+                      name: openstack-api-backup
+                      key: backup_rotate
+                - name: OS_AUTH_TYPE
+                  value: v3applicationcredential
+                - name: OS_AUTH_URL
+                  valueFrom:
+                    $patch: replace
+                    secretKeyRef:
+                      name: openstack-api-backup
+                      key: os_auth_url
+                - name: OS_APPLICATION_CREDENTIAL_ID
+                  valueFrom:
+                    $patch: replace
+                    secretKeyRef:
+                      name: openstack-api-backup
+                      key: os_application_credential_id
+                - name: OS_APPLICATION_CREDENTIAL_SECRET
+                  valueFrom:
+                    $path: replace
+                    secretKeyRef:
+                      name: openstack-api-backup
+                      key: os_application_credential_secret
diff --git a/k8s/overlays/ocp-aa-test/pvc.yaml b/k8s/overlays/ocp-aa-test/pvc.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: openstack-api-backup
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 2Gi
diff --git a/k8s/overlays/ocp-aa-test/secrets/kustomization.yaml b/k8s/overlays/ocp-aa-test/secrets/kustomization.yaml
@@ -0,0 +1,3 @@
+---
+resources:
+  - openstack-api-backup.yaml
diff --git a/k8s/overlays/ocp-aa-test/secrets/openstack-api-backup.yaml b/k8s/overlays/ocp-aa-test/secrets/openstack-api-backup.yaml
@@ -0,0 +1,42 @@
+---
+apiVersion: external-secrets.io/v1alpha1
+kind: ExternalSecret
+metadata:
+  name: openstack-api-backup
+  namespace: openstack-api-backup
+spec:
+  refreshInterval: "15s"
+  secretStoreRef:
+    name: vault-backend
+    kind: ClusterSecretStore
+  target:
+    name: openstack-api-backup
+  data:
+    - secretKey: aws_credentials
+      remoteRef:
+        key: accounts/holecs
+        property: awscli_credentials
+    - secretKey: backup_rotate
+      remoteRef:
+        key: openstack-api-backup/config
+        property: backup_rotate
+    - secretKey: s3_endpoint
+      remoteRef:
+        key: openstack-api-backup/config
+        property: s3_endpoint
+    - secretKey: s3_bucket_uri
+      remoteRef:
+        key: openstack-api-backup/config
+        property: s3_bucket_uri
+    - secretKey: os_auth_url
+      remoteRef:
+        key: openstack-api-backup/config
+        property: os_auth_url
+    - secretKey: os_application_credential_id
+      remoteRef:
+        key: openstack-api-backup/config
+        property: os_application_credential_id
+    - secretKey: os_application_credential_secret
+      remoteRef:
+        key: openstack-api-backup/config
+        property: os_application_credential_secret

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+---`
	`2`	`+resources:`
	`3`	`+ - openstack-api-backup.yaml`