From e7d14a89cdd6b5d097a6db0d2e1f698469d5e131 Mon Sep 17 00:00:00 2001 From: Daniel Sy Date: Wed, 30 Jul 2025 14:35:42 +0200 Subject: [PATCH 1/4] =?UTF-8?q?feat(manifest):=20=F0=9F=8E=89=20WIP=20Add?= =?UTF-8?q?=20CronJob=20and=20Secret=20for=20S3=20backups?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds a new CronJob for scheduled S3 backups using rclone, along with a corresponding Secret for AWS credentials. This introduces automated backup functionality for the Forgejo server, enhancing data protection and recovery capabilities. --- .../manifests/forgejo-s3-backup-cronjob.yaml | 64 +++++++++++++++++++ 1 file changed, 64 insertions(+) create mode 100644 template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml diff --git a/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml b/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml new file mode 100644 index 0000000..769cd0d --- /dev/null +++ b/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml 
@@ -0,0 +1,64 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: forgejo-s3-backup
+ namespace: gitea
+spec:
+ schedule: "24 * * * *"
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ containers:
+ - name: rclone
+ image: rclone/rclone:1.70
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: AWS_ACCESS_KEY_ID
+ valueFrom:
+ secretKeyRef:
+ name: forgejo-cloud-credentials
+ key: access-key
+ - name: AWS_SECRET_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: forgejo-cloud-credentials
+ key: secret-key
+ volumeMounts:
+ - name: rclone-config
+ mountPath: /etc/rclone
+ readOnly: true
+ command:
+ - /bin/sh
+ - -c
+ - |
+ sleep 7d
+ # rclone sync remote-source:packages remote-destination:packages --config /etc/rclone/config
+ restartPolicy: OnFailure
+ volumes:
+ - name: rclone-config
+ secret:
+ secretName: forgejo-s3-backup
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: forgejo-s3-backup
+ namespace: gitea
+type: Opaque
+stringData:
+ config: |
+ [remote-source]
+ type = s3
+ provider = AWS
+ env_auth = true
+ endpoint = https://edp-forgejo-non-prod-observability.obs.eu-de.otc.t-systems.com
+ region = eu-de
+
+ [remote-destination]
+ type = s3
+ provider = AWS
+ env_auth = true
+ endpoint = https://edp-forgejo-backup-test-manu.obs.eu-de.otc.t-systems.com
+ region = eu-de
From 491be80842ee8f525e7c90b4e8e0cf955ce0a3a8 Mon Sep 17 00:00:00 2001 From: Richard Robert Reitz Date: Thu, 31 Jul 2025 15:24:39 +0200 Subject: [PATCH 2/4] fix(s3backup): doing a local backup first and then push it to remote, which is still on the same OBS store --- .../manifests/forgejo-s3-backup-cronjob.yaml | 43 ++++++++++++++----- 1 file changed, 33 insertions(+), 10 deletions(-)
diff --git a/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml b/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml
index 769cd0d..d7b78e6 100644
--- a/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml
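Review bot: The `rclone` container is handed `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` but carries no `securityContext`, and its image is referenced by the mutable tag `rclone/rclone:1.70` rather than a digest, so a re-pushed tag would run with the bucket credentials. A container-level `securityContext` that disables privilege escalation and drops all capabilities is a safe baseline for a job that only runs rclone; pinning the image by digest closes the tag issue. Also on the CronJob `spec`: the hourly `schedule` together with `sleep 7d` and the default concurrency policy lets Jobs accumulate, which `concurrencyPolicy: Forbid` would stop.

```yaml
            - name: rclone
              image: rclone/rclone:1.70
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop:
                    - ALL
              # … unchanged: imagePullPolicy, env, volumeMounts, command …
```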
+++ b/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml @@ -4,7 +4,7 @@ metadata: name: forgejo-s3-backup namespace: gitea spec: - schedule: "24 * * * *" + schedule: "0 2 * * *" jobTemplate: spec: template: @@ -26,20 +26,41 @@ spec: key: secret-key volumeMounts: - name: rclone-config - mountPath: /etc/rclone + mountPath: /config/rclone readOnly: true + - name: backup-dir + mountPath: /backup_dir + readOnly: false command: - /bin/sh - -c - | - sleep 7d - # rclone sync remote-source:packages remote-destination:packages --config /etc/rclone/config + rm -Rf /backup_dir/backup || true + mkdir -p /backup_dir/backup + rclone sync remote-source:/edp-forgejo-non-prod-observability/packages /backup_dir/backup -v --ignore-checksum + rclone sync /backup_dir/backup remote-destination:/edp-forgejo-non-prod-observability/hackathon3 -v --ignore-checksum + rm -Rf /backup_dir/backup || true restartPolicy: OnFailure volumes: - name: rclone-config secret: secretName: forgejo-s3-backup - + - name: backup-dir + persistentVolumeClaim: + claimName: s3-temp-data +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: s3-temp-data + namespace: gitea +spec: + accessModes: + - ReadWriteOnce + volumeMode: Filesystem + resources: + requests: + storage: 50Gi --- apiVersion: v1 kind: Secret @@ -48,17 +69,19 @@ metadata: namespace: gitea type: Opaque stringData: - config: | + rclone.conf: | [remote-source] type = s3 - provider = AWS + provider = HuaweiOBS env_auth = true - endpoint = https://edp-forgejo-non-prod-observability.obs.eu-de.otc.t-systems.com + endpoint = obs.eu-de.otc.t-systems.com region = eu-de + acl = private [remote-destination] type = s3 - provider = AWS + provider = HuaweiOBS env_auth = true - endpoint = https://edp-forgejo-backup-test-manu.obs.eu-de.otc.t-systems.com + endpoint = obs.eu-de.otc.t-systems.com region = eu-de + acl = private From 55d9a06dc74deaa326c04bff92e99175d5eada38 Mon Sep 17 00:00:00 2001 
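Review bot: The `command` script in the `@@ -26,20 +26,41 @@` hunk runs without `set -e` and ends in `rm -Rf /backup_dir/backup || true`, so the Job always exits 0 and `restartPolicy: OnFailure` never sees a failed backup. If the first `rclone sync` fails part-way, the second one still runs and mirrors the incomplete `/backup_dir/backup` to the destination, and `sync` deletes whatever is missing there. Putting `set -eu` on the first line of the script stops at the first failing step. `--ignore-checksum` on both commands also turns off rclone's post-transfer hash comparison, which is the check a backup most needs; the same flag is kept in the rewritten command of PATCH 3/4.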
From: "Fritz-Leo.Ochsmann" Date: Thu, 31 Jul 2025 15:59:25 +0200 Subject: [PATCH 3/4] feat(forgejo): backup s3 directly to pvc --- .../manifests/forgejo-s3-backup-cronjob.yaml | 25 +++++-------------- .../stacks/forgejo/forgejo-server/values.yaml | 1 + 2 files changed, 7 insertions(+), 19 deletions(-) diff --git a/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml b/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml index d7b78e6..223188a 100644 --- a/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml +++ b/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml @@ -4,7 +4,7 @@ metadata: name: forgejo-s3-backup namespace: gitea spec: - schedule: "0 2 * * *" + schedule: "0 1 * * *" jobTemplate: spec: template: @@ -29,17 +29,13 @@ spec: mountPath: /config/rclone readOnly: true - name: backup-dir - mountPath: /backup_dir + mountPath: /backup readOnly: false command: - /bin/sh - -c - | - rm -Rf /backup_dir/backup || true - mkdir -p /backup_dir/backup - rclone sync remote-source:/edp-forgejo-non-prod-observability/packages /backup_dir/backup -v --ignore-checksum - rclone sync /backup_dir/backup remote-destination:/edp-forgejo-non-prod-observability/hackathon3 -v --ignore-checksum - rm -Rf /backup_dir/backup || true + rclone sync source:/${SOURCE_BUCKET}/packages /backup -v --ignore-checksum restartPolicy: OnFailure volumes: - name: rclone-config @@ -47,17 +43,16 @@ spec: secretName: forgejo-s3-backup - name: backup-dir persistentVolumeClaim: - claimName: s3-temp-data + claimName: s3-backup --- apiVersion: v1 kind: PersistentVolumeClaim metadata: - name: s3-temp-data + name: s3-backup namespace: gitea spec: accessModes: - ReadWriteOnce - volumeMode: Filesystem resources: requests: storage: 50Gi 
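Review bot: In the `@@ -29,17 +29,13 @@` hunk `${SOURCE_BUCKET}` is expanded by `/bin/sh` with no guard, so an unset or empty value turns the path into `source://packages` and rclone runs against a location nobody intended; this patch adds no `env` entry for it (PATCH 4/4 further down the page does). A first script line `set -eu`, plus quoting the argument as `"source:/${SOURCE_BUCKET}/packages"`, makes a missing bucket name fail the Job instead. Because `sync` also removes from `/backup` anything that has disappeared from the bucket, the PVC holds a single mirror rather than a point-in-time copy, so an emptied or tampered bucket is replicated on the next run; a comment stating the retention expectation, or a switch to `rclone copy`, would make that choice explicit.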
@@ -70,15 +65,7 @@ metadata: type: Opaque stringData: rclone.conf: | - [remote-source] - type = s3 - provider = HuaweiOBS - env_auth = true - endpoint = obs.eu-de.otc.t-systems.com - region = eu-de - acl = private - - [remote-destination] + [source] type = s3 provider = HuaweiOBS env_auth = true diff --git a/template/stacks/forgejo/forgejo-server/values.yaml b/template/stacks/forgejo/forgejo-server/values.yaml index 55ccfe9..d777b28 100644 --- a/template/stacks/forgejo/forgejo-server/values.yaml +++ b/template/stacks/forgejo/forgejo-server/values.yaml @@ -1,3 +1,4 @@ +# This is only used for deploying older versions of infra-catalogue where the bucket name is not an output of the terragrunt modules {{{- define "BUCKET_NAME" -}}} {{{- if (getenv "FORGEJO_BUCKET_NAME") -}}} {{{ getenv "FORGEJO_BUCKET_NAME" }}} From 6af5ce71cd67e480d9db50e9318e4fff94bf48fd Mon Sep 17 00:00:00 2001 From: evdo Date: Fri, 1 Aug 2025 10:18:38 +0200 Subject: [PATCH 4/4] feat(forgejo): updated secret ref for a bucket name --- .../forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml b/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml index 223188a..ba0aebd 100644 --- a/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml +++ b/template/stacks/forgejo/forgejo-server/manifests/forgejo-s3-backup-cronjob.yaml @@ -14,6 +14,11 @@ spec: image: rclone/rclone:1.70 imagePullPolicy: IfNotPresent env: + - name: SOURCE_BUCKET + valueFrom: + secretKeyRef: + name: forgejo-cloud-credentials + key: bucket-name - name: AWS_ACCESS_KEY_ID valueFrom: secretKeyRef:
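Review bot: The new `SOURCE_BUCKET` entry in PATCH 4/4 reads `bucket-name` from `forgejo-cloud-credentials` without `optional`, so where that key is absent the pod stays in a config error and no backup runs; nothing on this page shows which deployments populate it. The comment added to `values.yaml` in PATCH 3/4 mentions older infra-catalogue versions where the bucket name is not a terragrunt output, which suggests (not confirmed here) that such Secrets may lack the key. A comment above the entry, for example `# requires key bucket-name in forgejo-cloud-credentials; the Job cannot start without it`, together with alerting on failed or missing Jobs, would keep that from going unnoticed. The `env` list continues outside the hunk.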