maintenance: add soteria service

services/maintenance/image.yaml

@@ -21,3 +21,26 @@ spec:
   policy:
     semver:
       range: ">=0.1.0-0"
+---
+apiVersion: image.toolkit.fluxcd.io/v1beta2
+kind: ImageRepository
+metadata:
+  name: soteria
+  namespace: maintenance
+spec:
+  image: registry.bstein.dev/infra/soteria
+  interval: 1m0s
+  secretRef:
+    name: harbor-regcred
+---
+apiVersion: image.toolkit.fluxcd.io/v1beta2
+kind: ImagePolicy
+metadata:
+  name: soteria
+  namespace: maintenance
+spec:
+  imageRepositoryRef:
+    name: soteria
+  policy:
+    semver:
+      range: ">=0.1.0-0"

services/maintenance/kustomization.yaml

@@ -5,6 +5,7 @@ resources:
   - namespace.yaml
   - image.yaml
   - secretproviderclass.yaml
+  - soteria-configmap.yaml
   - vault-serviceaccount.yaml
   - vault-sync-deployment.yaml
   - ariadne-serviceaccount.yaml
@@ -13,9 +14,12 @@ resources:
   - k3s-traefik-cleanup-rbac.yaml
   - node-nofile-serviceaccount.yaml
   - pod-cleaner-rbac.yaml
+  - soteria-serviceaccount.yaml
+  - soteria-rbac.yaml
   - ariadne-deployment.yaml
   - oneoffs/ariadne-migrate-job.yaml
   - ariadne-service.yaml
+  - soteria-deployment.yaml
   - disable-k3s-traefik-daemonset.yaml
   - oneoffs/k3s-traefik-cleanup-job.yaml
   - node-nofile-daemonset.yaml
@@ -24,9 +28,12 @@ resources:
   - node-image-sweeper-serviceaccount.yaml
   - node-image-sweeper-daemonset.yaml
   - image-sweeper-cronjob.yaml
+  - soteria-service.yaml
 images:
   - name: registry.bstein.dev/bstein/ariadne
     newTag: 0.1.0-86 # {"$imagepolicy": "maintenance:ariadne:tag"}
+  - name: registry.bstein.dev/infra/soteria
+    newTag: 0.1.0-0 # {"$imagepolicy": "maintenance:soteria:tag"}
 configMapGenerator:
   - name: disable-k3s-traefik-script
     namespace: maintenance

services/maintenance/secretproviderclass.yaml

@@ -13,9 +13,27 @@ spec:
       - objectName: "harbor-pull__dockerconfigjson"
         secretPath: "kv/data/atlas/shared/harbor-pull"
         secretKey: "dockerconfigjson"
+      - objectName: "soteria_restic__AWS_ACCESS_KEY_ID"
+        secretPath: "kv/data/atlas/maintenance/soteria-restic"
+        secretKey: "AWS_ACCESS_KEY_ID"
+      - objectName: "soteria_restic__AWS_SECRET_ACCESS_KEY"
+        secretPath: "kv/data/atlas/maintenance/soteria-restic"
+        secretKey: "AWS_SECRET_ACCESS_KEY"
+      - objectName: "soteria_restic__RESTIC_PASSWORD"
+        secretPath: "kv/data/atlas/maintenance/soteria-restic"
+        secretKey: "RESTIC_PASSWORD"
   secretObjects:
     - secretName: harbor-regcred
       type: kubernetes.io/dockerconfigjson
       data:
         - objectName: harbor-pull__dockerconfigjson
           key: .dockerconfigjson
+    - secretName: soteria-restic
+      type: Opaque
+      data:
+        - objectName: soteria_restic__AWS_ACCESS_KEY_ID
+          key: AWS_ACCESS_KEY_ID
+        - objectName: soteria_restic__AWS_SECRET_ACCESS_KEY
+          key: AWS_SECRET_ACCESS_KEY
+        - objectName: soteria_restic__RESTIC_PASSWORD
+          key: RESTIC_PASSWORD

services/maintenance/soteria-configmap.yaml

@@ -0,0 +1,12 @@
+# services/maintenance/soteria-configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: soteria
+  namespace: maintenance
+data:
+  SOTERIA_RESTIC_REPOSITORY: "s3:s3.us-west-004.backblazeb2.com/atlas-soteria"
+  SOTERIA_S3_ENDPOINT: "s3.us-west-004.backblazeb2.com"
+  SOTERIA_S3_REGION: "us-west-004"
+  SOTERIA_RESTIC_BACKUP_ARGS: ""
+  SOTERIA_RESTIC_FORGET_ARGS: ""

services/maintenance/soteria-deployment.yaml

@@ -0,0 +1,62 @@
+# services/maintenance/soteria-deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: soteria
+  namespace: maintenance
+spec:
+  replicas: 1
+  revisionHistoryLimit: 3
+  selector:
+    matchLabels:
+      app: soteria
+  template:
+    metadata:
+      labels:
+        app: soteria
+    spec:
+      serviceAccountName: soteria
+      containers:
+        - name: soteria
+          image: registry.bstein.dev/infra/soteria:latest
+          imagePullPolicy: Always
+          ports:
+            - name: http
+              containerPort: 8080
+          envFrom:
+            - configMapRef:
+                name: soteria
+          env:
+            - name: SOTERIA_SECRET_NAMESPACE
+              value: "maintenance"
+            - name: SOTERIA_RESTIC_SECRET_NAME
+              value: "soteria-restic"
+            - name: SOTERIA_JOB_TTL_SECONDS
+              value: "86400"
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            timeoutSeconds: 2
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: http
+            initialDelaySeconds: 2
+            periodSeconds: 5
+            timeoutSeconds: 2
+          resources:
+            requests:
+              cpu: 50m
+              memory: 64Mi
+            limits:
+              cpu: 200m
+              memory: 256Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            runAsUser: 65532
+            capabilities:
+              drop: ["ALL"]

services/maintenance/soteria-rbac.yaml

@@ -0,0 +1,25 @@
+# services/maintenance/soteria-rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: soteria
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "create", "update", "delete"]
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["get", "list", "create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: soteria
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: soteria
+subjects:
+  - kind: ServiceAccount
+    name: soteria
+    namespace: maintenance

services/maintenance/soteria-service.yaml

@@ -0,0 +1,14 @@
+# services/maintenance/soteria-service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: soteria
+  namespace: maintenance
+spec:
+  type: ClusterIP
+  selector:
+    app: soteria
+  ports:
+    - name: http
+      port: 80
+      targetPort: http

services/maintenance/soteria-serviceaccount.yaml

@@ -0,0 +1,8 @@
+# services/maintenance/soteria-serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: soteria
+  namespace: maintenance
+imagePullSecrets:
+  - name: harbor-regcred

services/vault/scripts/vault_k8s_auth_configure.sh

@@ -247,7 +247,7 @@ write_policy_and_role "crypto" "crypto" "crypto-vault-sync" \
 write_policy_and_role "health" "health" "health-vault-sync" \
   "health/*" ""
 write_policy_and_role "maintenance" "maintenance" "ariadne,maintenance-vault-sync" \
-  "maintenance/ariadne-db portal/atlas-portal-db portal/bstein-dev-home-keycloak-admin mailu/mailu-db-secret mailu/mailu-initial-account-secret nextcloud/nextcloud-db nextcloud/nextcloud-admin health/wger-admin finance/firefly-secrets comms/mas-admin-client-runtime comms/atlasbot-credentials-runtime comms/synapse-db comms/synapse-admin vault/vault-oidc-config shared/harbor-pull" ""
+  "maintenance/ariadne-db maintenance/soteria-restic portal/atlas-portal-db portal/bstein-dev-home-keycloak-admin mailu/mailu-db-secret mailu/mailu-initial-account-secret nextcloud/nextcloud-db nextcloud/nextcloud-admin health/wger-admin finance/firefly-secrets comms/mas-admin-client-runtime comms/atlasbot-credentials-runtime comms/synapse-db comms/synapse-admin vault/vault-oidc-config shared/harbor-pull" ""
 write_policy_and_role "finance" "finance" "finance-vault" \
   "finance/* shared/postmark-relay" ""
 write_policy_and_role "finance-secrets" "finance" "finance-secrets-ensure" \