fix

2024-04-05 17:51:26 +02:00
parent 8e3e12a7ef
commit 1d819f1d88
3 changed files with 301 additions and 118 deletions
--- a/share/authentik/secret.tf
+++ b/share/authentik/secret.tf
@@ -1,3 +1,11 @@
+locals {
+  secrets-labels = merge(local.common-labels, {
+    "app.kubernetes.io/component" = "backup-secret"
+  })
+  secret-labels = merge(local.secrets-labels, {
+    "k8up.io/backup" = "true"
+  })
+}

 resource "kubectl_manifest" "authentik_secret" {
  ignore_fields = ["metadata.annotations"]
@@ -7,7 +15,7 @@ resource "kubectl_manifest" "authentik_secret" {
    metadata:
      name: "${var.component}"
      namespace: "${var.namespace}"
-      labels: ${jsonencode(local.common-labels)}
+      labels: ${jsonencode(local.secret-labels)}
    spec:
      forceRegenerate: false
      fields:
@@ -21,3 +29,76 @@ resource "kubectl_manifest" "authentik_secret" {
        length: "32"
  EOF
 }
+resource "kubectl_manifest" "pre_backup_sa" {
+  count = var.backups.enable?1:0
+  ignore_fields = ["metadata.annotations"]
+  yaml_body  = <<-EOF
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+      name: backup-secret
+      namespace: "${var.namespace}"
+  EOF
+}
+resource "kubectl_manifest" "pre_backup_role" {
+  count = var.backups.enable?1:0
+  ignore_fields = ["metadata.annotations"]
+  yaml_body  = <<-EOF
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: Role
+    metadata:
+      name: backup-secret
+      namespace: "${var.namespace}"
+    rules:
+    - apiGroups:
+      - ""
+      resources:
+      - secrets
+      verbs:
+      - get
+      - list
+  EOF
+}
+resource "kubectl_manifest" "pre_backup_rb" {
+  count = var.backups.enable?1:0
+  ignore_fields = ["metadata.annotations"]
+  yaml_body  = <<-EOF
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+      name: backup-secret
+      namespace: "${var.namespace}"
+    roleRef:
+      apiGroup: rbac.authorization.k8s.io
+      kind: Role
+      name: backup-secret
+    subjects:
+    - kind: ServiceAccount
+      name: backup-secret
+      namespace: "${var.namespace}"
+  EOF
+}
+resource "kubectl_manifest" "pre_backup_pod" {
+  count = var.backups.enable?1:0
+  ignore_fields = ["metadata.annotations"]
+  yaml_body  = <<-EOF
+    apiVersion: k8up.io/v1
+    kind: PreBackupPod
+    metadata:
+      name: secret
+      namespace: "${var.namespace}"
+    spec:
+      backupCommand: kubectl get secrets -o yaml -l k8up.io/backup=true
+      pod:
+        spec:
+          containers:
+          - command:
+            - cat
+            image: "${var.images.kubectl.registry}/${var.images.kubectl.repository}:${var.images.kubectl.tag}"
+            imagePullPolicy: "${var.images.kubectl.pull_policy}"
+            name: secret
+            tty: true
+          serviceAccount: backup-secret
+          serviceAccountName: backup-secret
+  EOF
+}