soteria/README.md

# soteria

Soteria is a small in-cluster service that launches restic Jobs to back up PVCs. It is intended to be called by Ariadne (or another controller) and focuses on:

- Encrypted restic backups to an S3-compatible backend (Backblaze B2 by default).
- On-demand restore tests into an emptyDir or a target PVC.
- Minimal long-running footprint (the backup work happens in Jobs).

Snapshots are not implemented yet; backups are crash-consistent for the PVC as mounted.

## API

### POST /v1/backup

```json
{
  "namespace": "ai",
  "pvc": "llm-cache",
  "tags": ["namespace=ai", "service=llm"],
  "dry_run": false
}
```

Response:

```json
{
  "job_name": "soteria-backup-llm-cache-20260131-013001",
  "namespace": "ai",
  "secret": "soteria-soteria-backup-llm-cache-20260131-013001-restic",
  "dry_run": false
}
```

### POST /v1/restore-test

```json
{
  "namespace": "ai",
  "snapshot": "latest",
  "target_pvc": "restore-sandbox",
  "dry_run": false
}
```

## Configuration

Environment variables:

- `SOTERIA_RESTIC_REPOSITORY` (required) Example: `s3:s3.us-west-004.backblazeb2.com/atlas-backups`
- `SOTERIA_RESTIC_SECRET_NAME` (default: `soteria-restic`)
- `SOTERIA_SECRET_NAMESPACE` (default: service namespace)
- `SOTERIA_RESTIC_IMAGE` (default: `restic/restic:0.16.4`)
- `SOTERIA_RESTIC_BACKUP_ARGS` (optional) Extra args for `restic backup`
- `SOTERIA_RESTIC_FORGET_ARGS` (optional) Extra args for `restic forget` (include `--prune` if desired)
- `SOTERIA_S3_ENDPOINT` (optional) Example: `s3.us-west-004.backblazeb2.com`
- `SOTERIA_S3_REGION` (optional) Example: `us-west-004`
- `SOTERIA_JOB_TTL_SECONDS` (default: 86400)
- `SOTERIA_JOB_SERVICE_ACCOUNT` (optional) ServiceAccount for backup Jobs
- `SOTERIA_LISTEN_ADDR` (default: `:8080`)

The restic repository is encrypted with `RESTIC_PASSWORD` from the secret below.

## Secrets

Create a secret named `soteria-restic` in the Soteria namespace (or set `SOTERIA_RESTIC_SECRET_NAME`). Keys required:

- `AWS_ACCESS_KEY_ID`
- `AWS_SECRET_ACCESS_KEY`
- `RESTIC_PASSWORD`

The service copies this secret into the target namespace per job and attaches an owner reference so it gets cleaned up with the Job.

A template is in `deploy/secret-example.yaml` (do not commit real credentials).

## Deployment

The `deploy/` folder includes Kustomize-ready manifests:

- `namespace.yaml`
- `configmap.yaml` (set your repository and endpoint)
- `serviceaccount.yaml`
- `clusterrole.yaml`
- `clusterrolebinding.yaml`
- `deployment.yaml`
- `service.yaml`

Apply with:

```sh
kubectl apply -k deploy
```

## Notes

- Backups mount the PVC read-only at `/data` and run `restic backup /data`.
- Restore tests write into `/restore` (either an emptyDir or a target PVC).
- For Backblaze B2, use the S3 endpoint and region for your bucket (example: `s3.us-west-004.backblazeb2.com`).
init soteria service 2026-01-31 03:34:34 -03:00			`# soteria`

			`Soteria is a small in-cluster service that launches restic Jobs to back up PVCs. It is intended to be called by Ariadne (or another controller) and focuses on:`

			`- Encrypted restic backups to an S3-compatible backend (Backblaze B2 by default).`
			`- On-demand restore tests into an emptyDir or a target PVC.`
			`- Minimal long-running footprint (the backup work happens in Jobs).`

			`Snapshots are not implemented yet; backups are crash-consistent for the PVC as mounted.`

			`## API`

			`### POST /v1/backup`

			```json
			`{`
			`"namespace": "ai",`
			`"pvc": "llm-cache",`
			`"tags": ["namespace=ai", "service=llm"],`
			`"dry_run": false`
			`}`
			```

			`Response:`

			```json
			`{`
			`"job_name": "soteria-backup-llm-cache-20260131-013001",`
			`"namespace": "ai",`
			`"secret": "soteria-soteria-backup-llm-cache-20260131-013001-restic",`
			`"dry_run": false`
			`}`
			```

			`### POST /v1/restore-test`

			```json
			`{`
			`"namespace": "ai",`
			`"snapshot": "latest",`
			`"target_pvc": "restore-sandbox",`
			`"dry_run": false`
			`}`
			```

			`## Configuration`

			`Environment variables:`

			- `SOTERIA_RESTIC_REPOSITORY` (required) Example: `s3:s3.us-west-004.backblazeb2.com/atlas-backups`
			- `SOTERIA_RESTIC_SECRET_NAME` (default: `soteria-restic`)
			- `SOTERIA_SECRET_NAMESPACE` (default: service namespace)
			- `SOTERIA_RESTIC_IMAGE` (default: `restic/restic:0.16.4`)
			- `SOTERIA_RESTIC_BACKUP_ARGS` (optional) Extra args for `restic backup`
			- `SOTERIA_RESTIC_FORGET_ARGS` (optional) Extra args for `restic forget` (include `--prune` if desired)
			- `SOTERIA_S3_ENDPOINT` (optional) Example: `s3.us-west-004.backblazeb2.com`
			- `SOTERIA_S3_REGION` (optional) Example: `us-west-004`
			- `SOTERIA_JOB_TTL_SECONDS` (default: 86400)
			- `SOTERIA_JOB_SERVICE_ACCOUNT` (optional) ServiceAccount for backup Jobs
			- `SOTERIA_LISTEN_ADDR` (default: `:8080`)

			The restic repository is encrypted with `RESTIC_PASSWORD` from the secret below.

			`## Secrets`

			Create a secret named `soteria-restic` in the Soteria namespace (or set `SOTERIA_RESTIC_SECRET_NAME`). Keys required:

			- `AWS_ACCESS_KEY_ID`
			- `AWS_SECRET_ACCESS_KEY`
			- `RESTIC_PASSWORD`

			`The service copies this secret into the target namespace per job and attaches an owner reference so it gets cleaned up with the Job.`

			A template is in `deploy/secret-example.yaml` (do not commit real credentials).

			`## Deployment`

			The `deploy/` folder includes Kustomize-ready manifests:

			- `namespace.yaml`
			- `configmap.yaml` (set your repository and endpoint)
			- `serviceaccount.yaml`
			- `clusterrole.yaml`
			- `clusterrolebinding.yaml`
			- `deployment.yaml`
			- `service.yaml`

			`Apply with:`

			```sh
			`kubectl apply -k deploy`
			```

			`## Notes`

			- Backups mount the PVC read-only at `/data` and run `restic backup /data`.
			- Restore tests write into `/restore` (either an emptyDir or a target PVC).
			- For Backblaze B2, use the S3 endpoint and region for your bucket (example: `s3.us-west-004.backblazeb2.com`).