fix(secrets-backup): 🔥 remove client-side openssl encryption
Some checks failed
Build secrets-backup image / build-and-push (push) Failing after 3s

OBS bucket has server-side KMS encryption. Client-side openssl was
redundant and caused failures (Alpine CDN unreachable at 03:30 UTC).

Changes:
- Dockerfile: remove openssl apk install (no longer needed)
- CronJob: remove openssl enc step, upload .tar.gz directly
- CronJob: remove secrets-backup-config Secret (encryption passphrase)
- CronJob: remove ENCRYPTION_PASSPHRASE env var
- Bump image tag to 1.0.1, update workflow and manifest reference

Flow: kubectl export → tar.gz → upload to OBS (SSE-KMS handles rest)

Ref: IPCEICIS-9317
Daniel Sy 2026-06-12 13:01:24 +02:00
parent 6b29aa3916
commit 81b721bb5a
Signed by untrusted user: danielsy
GPG key ID: 1F39A8BBCD2EE3D3
3 changed files with 43 additions and 30 deletions

@ -29,17 +29,6 @@ roleRef:
name: secrets-backup-reader
apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Secret
metadata:
name: secrets-backup-config
namespace: gitea
type: Opaque
stringData:
# IMPORTANT: Replace this placeholder with a strong passphrase per environment.
# This secret should be managed via external-secrets or manually set after initial deploy.
encryption-passphrase: "CHANGE-ME-SET-PER-ENVIRONMENT"
---
apiVersion: batch/v1
kind: CronJob
metadata:
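Review bot: Removing the secrets-backup-config Secret from this manifest does not remove it from clusters where it was already applied; the old passphrase object stays in the gitea namespace until it is pruned (Argo CD prune or `kubectl delete secret secrets-backup-config -n gitea`). Note also that every `.tar.gz.enc` object uploaded before this change can only be decrypted with that passphrase, so it should be recorded in a safe place before the Secret is deleted, otherwise the earlier backups become unrecoverable.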
@ -61,7 +50,7 @@ spec:
serviceAccountName: secrets-backup
containers:
- name: secrets-backup
image: alpine/k8s:1.32.0
image: edp.buildth.ing/devfw-cicd/secrets-backup:1.0.1
imagePullPolicy: IfNotPresent
env:
- name: AWS_ACCESS_KEY_ID
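Review bot: The image now references edp.buildth.ing/devfw-cicd/secrets-backup:1.0.1, but the check "Build secrets-backup image / build-and-push (push) Failing after 3s" shown for this commit means the 1.0.1 tag may not exist in the registry yet, so the CronJob will fail to pull until the build is green. Once the image is published, consider pinning it by digest (`image: edp.buildth.ing/devfw-cicd/secrets-backup@sha256:<digest>`), because `imagePullPolicy: IfNotPresent` with a mutable tag will keep running whatever a node has already cached.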
@ -74,11 +63,6 @@ spec:
secretKeyRef:
name: forgejo-cloud-credentials
key: secret-key
- name: ENCRYPTION_PASSPHRASE
valueFrom:
secretKeyRef:
name: secrets-backup-config
key: encryption-passphrase
- name: SOURCE_BUCKET
valueFrom:
secretKeyRef:
@ -92,9 +76,6 @@ spec:
- |
set -euo pipefail
# Ensure openssl is available (not bundled in alpine/k8s image)
apk add --no-cache openssl --quiet
TIMESTAMP=$(date +%Y%m%d-%H%M%S)
BACKUP_DIR="/tmp/secrets-backup-${TIMESTAMP}"
NAMESPACES="argocd cert-manager external-secrets"
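Review bot: Dropping `apk add --no-cache openssl` removes the run-time dependency on the Alpine CDN that the commit message names as the failure cause, but that only holds if the prebuilt secrets-backup image already ships `kubectl`, `tar` and `aws`; please confirm in the Dockerfile that none of these are installed at job start, otherwise the same class of outage comes back under a different package. With `set -euo pipefail` still in place, a missing tool will at least fail fast on first use.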
@ -110,20 +91,14 @@ spec:
> "${BACKUP_DIR}/${NS}-secrets.json"
done
echo "=== Encrypting backup with AES-256-CBC ==="
echo "=== Creating compressed archive ==="
ARCHIVE="${BACKUP_DIR}/secrets-backup-${TIMESTAMP}.tar.gz"
tar -czf "${ARCHIVE}" -C "${BACKUP_DIR}" \
$(ls "${BACKUP_DIR}"/*.json 2>/dev/null | xargs -n1 basename)
ENCRYPTED="${BACKUP_DIR}/secrets-backup-${TIMESTAMP}.tar.gz.enc"
openssl enc -aes-256-cbc -salt -pbkdf2 -iter 100000 \
-in "${ARCHIVE}" \
-out "${ENCRYPTED}" \
-pass env:ENCRYPTION_PASSPHRASE
echo "=== Uploading to OBS ==="
aws s3 cp "${ENCRYPTED}" \
"s3://${SOURCE_BUCKET}/cluster-secrets-backup/${TIMESTAMP}/secrets-backup.tar.gz.enc" \
echo "=== Uploading to OBS (SSE-KMS encryption at rest) ==="
aws s3 cp "${ARCHIVE}" \
"s3://${SOURCE_BUCKET}/cluster-secrets-backup/${TIMESTAMP}/secrets-backup.tar.gz" \
--endpoint-url "https://${OBS_ENDPOINT}"
echo "=== Cleanup ==="
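Review bot: The security trade-off in this hunk should be stated in the manifest, not only in the commit message: the archive now holds every Secret from the listed namespaces in plaintext, so its confidentiality rests on TLS to `https://${OBS_ENDPOINT}` and on the bucket's SSE-KMS default, and anyone with bucket read plus KMS decrypt rights, including the holder of the same `forgejo-cloud-credentials` used for upload, can read it; the removed `openssl enc` step protected against exactly that. Two follow-ups worth considering: request the encryption explicitly on upload (`aws s3 cp ... --sse aws:kms --sse-kms-key-id <key-id>`, where `<key-id>` is a placeholder, assuming the OBS S3 endpoint honours these flags) so the object does not silently land unencrypted if the bucket default is ever changed, and give the backup job write-only credentials or a dedicated KMS key. Separately, the pre-existing `$(ls "${BACKUP_DIR}"/*.json 2>/dev/null | xargs -n1 basename)` hands `tar` no file arguments when nothing was exported, which under `set -e` aborts the job before the upload with an unhelpful error; an explicit check that the export produced files would make that failure clearer.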