109 lines
2.9 KiB
HCL
109 lines
2.9 KiB
HCL
locals {
|
|
secrets-labels = merge(local.common_labels, {
|
|
"app.kubernetes.io/component" = "backup-secret"
|
|
})
|
|
secret-labels = merge(local.secrets-labels, {
|
|
"k8up.io/backup" = "true"
|
|
})
|
|
}
|
|
|
|
resource "kubectl_manifest" "authentik_secret" {
|
|
ignore_fields = ["metadata.annotations"]
|
|
yaml_body = <<-EOF
|
|
apiVersion: "secretgenerator.mittwald.de/v1alpha1"
|
|
kind: "StringSecret"
|
|
metadata:
|
|
name: "${var.component}"
|
|
namespace: "${var.namespace}"
|
|
labels: ${jsonencode(local.secret-labels)}
|
|
spec:
|
|
forceRegenerate: false
|
|
fields:
|
|
- fieldName: "AUTHENTIK_SECRET_KEY"
|
|
length: "128"
|
|
- fieldName: "AUTHENTIK_BOOTSTRAP_PASSWORD"
|
|
length: "32"
|
|
- fieldName: "AUTHENTIK_BOOTSTRAP_TOKEN"
|
|
length: "64"
|
|
- fieldName: "AUTHENTIK_REDIS__PASSWORD"
|
|
length: "32"
|
|
EOF
|
|
}
|
|
resource "kubectl_manifest" "pre_backup_sa" {
|
|
count = var.backups.enable?1:0
|
|
ignore_fields = ["metadata.annotations"]
|
|
yaml_body = <<-EOF
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: backup-secret
|
|
namespace: "${var.namespace}"
|
|
labels: ${jsonencode(local.secrets-labels)}
|
|
EOF
|
|
}
|
|
resource "kubectl_manifest" "pre_backup_role" {
|
|
count = var.backups.enable?1:0
|
|
ignore_fields = ["metadata.annotations"]
|
|
yaml_body = <<-EOF
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: backup-secret
|
|
namespace: "${var.namespace}"
|
|
labels: ${jsonencode(local.secrets-labels)}
|
|
rules:
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- secrets
|
|
verbs:
|
|
- get
|
|
- list
|
|
EOF
|
|
}
|
|
resource "kubectl_manifest" "pre_backup_rb" {
|
|
count = var.backups.enable?1:0
|
|
ignore_fields = ["metadata.annotations"]
|
|
yaml_body = <<-EOF
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: backup-secret
|
|
namespace: "${var.namespace}"
|
|
labels: ${jsonencode(local.secrets-labels)}
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: Role
|
|
name: backup-secret
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: backup-secret
|
|
namespace: "${var.namespace}"
|
|
EOF
|
|
}
|
|
resource "kubectl_manifest" "pre_backup_pod" {
|
|
count = var.backups.enable?1:0
|
|
ignore_fields = ["metadata.annotations"]
|
|
yaml_body = <<-EOF
|
|
apiVersion: k8up.io/v1
|
|
kind: PreBackupPod
|
|
metadata:
|
|
name: secret
|
|
namespace: "${var.namespace}"
|
|
labels: ${jsonencode(local.secrets-labels)}
|
|
spec:
|
|
backupCommand: kubectl get secrets -o yaml -l k8up.io/backup=true
|
|
pod:
|
|
spec:
|
|
containers:
|
|
- command:
|
|
- cat
|
|
image: "${var.images.kubectl.registry}/${var.images.kubectl.repository}:${var.images.kubectl.tag}"
|
|
imagePullPolicy: "${var.images.kubectl.pull_policy}"
|
|
name: secret
|
|
tty: true
|
|
serviceAccount: backup-secret
|
|
serviceAccountName: backup-secret
|
|
EOF
|
|
}
|