Initial upload

2025-07-04 08:11:43 +00:00 · 2025-07-04 08:11:43 +00:00 · 5a9a782227
commit 5a9a782227
parent 59c2c63b0b
121 changed files with 18614 additions and 0 deletions
--- a/otc/ssh-test.t09.de/stacks/local-backup/minio/helm/values.yaml
+++ b/otc/ssh-test.t09.de/stacks/local-backup/minio/helm/values.yaml
@ -0,0 +1,17 @@
+replicas: 1
+mode: standalone
+
+resources:
+  requests:
+    memory: 128Mi
+
+persistence:
+  enabled: true
+  storageClass: standard
+  size: 512Mi
+  # volumeName: backup # re-enable this to mount a local host path, see minio-pv.yaml
+
+buckets:
+  - name: edfbuilder-backups
+
+existingSecret: root-creds
--- a/otc/ssh-test.t09.de/stacks/local-backup/minio/manifests/minio-pv.yaml
+++ b/otc/ssh-test.t09.de/stacks/local-backup/minio/manifests/minio-pv.yaml
@ -0,0 +1,13 @@
+# re-enable this config to mount a local host path, see `../helm/values.yaml`
+# apiVersion: v1
+# kind: PersistentVolume
+# metadata:
+#   name: backup
+# spec:
+#   storageClassName: standard
+#   accessModes:
+#     - ReadWriteOnce
+#   capacity:
+#     storage: 512Mi
+#   hostPath:
+#     path: /backup
--- a/otc/ssh-test.t09.de/stacks/local-backup/minio/manifests/secret-sync.yaml
+++ b/otc/ssh-test.t09.de/stacks/local-backup/minio/manifests/secret-sync.yaml
@ -0,0 +1,154 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: secret-sync
+  namespace: minio-backup
+  annotations:
+    argocd.argoproj.io/hook: Sync
+    argocd.argoproj.io/sync-wave: "-20"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: secret-sync
+  namespace: minio-backup
+  annotations:
+    argocd.argoproj.io/hook: Sync
+    argocd.argoproj.io/sync-wave: "-20"
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "create", "update", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: secret-sync
+  namespace: minio-backup
+  annotations:
+    argocd.argoproj.io/hook: Sync
+    argocd.argoproj.io/sync-wave: "-20"
+subjects:
+  - kind: ServiceAccount
+    name: secret-sync
+    namespace: minio-backup
+roleRef:
+  kind: Role
+  name: secret-sync
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: secret-sync
+  namespace: velero
+  annotations:
+    argocd.argoproj.io/hook: Sync
+    argocd.argoproj.io/sync-wave: "-20"
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "create", "update", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: secret-sync
+  namespace: velero
+  annotations:
+    argocd.argoproj.io/hook: Sync
+    argocd.argoproj.io/sync-wave: "-20"
+subjects:
+  - kind: ServiceAccount
+    name: secret-sync
+    namespace: minio-backup
+roleRef:
+  kind: Role
+  name: secret-sync
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: secret-sync
+  namespace: minio-backup
+  annotations:
+    argocd.argoproj.io/hook: PostSync
+spec:
+  template:
+    metadata:
+      generateName: secret-sync
+    spec:
+      serviceAccountName: secret-sync
+      restartPolicy: Never
+      containers:
+        - name: kubectl
+          image: docker.io/bitnami/kubectl
+          command: ["/bin/bash", "-c"]
+          args:
+            - |
+              set -e
+              kubectl get secrets -n minio-backup root-creds -o json > /tmp/secret
+              ACCESS=$(jq -r '.data.rootUser | @base64d'  /tmp/secret)
+              SECRET=$(jq -r '.data.rootPassword | @base64d'  /tmp/secret)
+              
+              echo \
+              "apiVersion: v1
+              kind: Secret
+              metadata:
+                name: secret-key
+                namespace: velero
+              type: Opaque
+              stringData:
+                aws: |
+                  [default]
+                    aws_access_key_id=${ACCESS}
+                    aws_secret_access_key=${SECRET}
+              " > /tmp/secret.yaml
+              
+              kubectl apply -f /tmp/secret.yaml
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: minio-root-creds
+  namespace: minio-backup
+  annotations:
+    argocd.argoproj.io/hook: Sync
+    argocd.argoproj.io/sync-wave: "-10"
+spec:
+  template:
+    metadata:
+      generateName: minio-root-creds
+    spec:
+      serviceAccountName: secret-sync
+      restartPolicy: Never
+      containers:
+        - name: kubectl
+          image: docker.io/bitnami/kubectl
+          command: ["/bin/bash", "-c"]
+          args:
+            - |
+              kubectl get secrets -n minio-backup root-creds
+              if [ $? -eq 0 ]; then
+                exit 0
+              fi
+              
+              set -e
+              
+              NAME=$(openssl rand -base64 24)
+              PASS=$(openssl rand -base64 36)
+              
+              echo \
+              "apiVersion: v1
+              kind: Secret
+              metadata:
+                name: root-creds
+                namespace: minio-backup
+              type: Opaque
+              stringData:
+                rootUser: "${NAME}"
+                rootPassword: "${PASS}"
+              " > /tmp/secret.yaml
+              
+              kubectl apply -f /tmp/secret.yaml