restic-exporter: Point at chromie.p.b

Restic backups are now stored in MinIO on _chromie.pyrocufflink.blue_. All data have been migrated from _burp1.p.b_, which is being decommissioned. The instance of MinIO on _chromie_ uses a certificate signed by DCH CA, rather than the _pyrocufflink.blue_ wildcard certificate signed by ZeroSSL. As such, we need to configure `restic` to trust the DCH Root CA certificate in order to use the MinIO S3 API.
2024-09-08 20:24:43 -05:00 · 2024-09-08 20:24:43 -05:00 · 26422d9f3c
parent f17ad4f779
commit 26422d9f3c
4 changed files with 17 additions and 5 deletions
--- a/restic-exporter/kustomization.yaml
+++ b/restic-exporter/kustomization.yaml
@ -12,6 +12,7 @@ resources:
 - network-policy.yaml
 - restic-exporter.yaml
 - secrets.yaml
+- ../dch-root-ca

 configMapGenerator:
 - name: restic-exporter
@ -29,8 +30,19 @@ patches:
        spec:
          containers:
          - name: restic-exporter
+            env:
+            - name: RESTIC_CACERT
+              value: /run/dch-ca/dch-root-ca.crt
            envFrom:
            - secretRef:
                name: restic-s3
            - configMapRef:
                name: restic-exporter
+            volumeMounts:
+            - mountPath: /run/dch-ca
+              name: dch-ca
+              readOnly: true
+          volumes:
+          - name: dch-ca
+            configMap:
+              name: dch-root-ca
--- a/restic-exporter/network-policy.yaml
+++ b/restic-exporter/network-policy.yaml
@ -21,9 +21,9 @@ spec:
      protocol: TCP
  - to:
    - ipBlock:
-        cidr: 172.30.0.30/32
+        cidr: 172.30.0.15/32
    ports:
-    - port: 9000
+    - port: 443
  ingress:
  - from:
    - namespaceSelector:
--- a/restic-exporter/restic-exporter.env
+++ b/restic-exporter/restic-exporter.env
@ -1,4 +1,4 @@
 TZ=America/Chicago
-RESTIC_REPOSITORY=s3:https://burp.pyrocufflink.blue:9000/restic
+RESTIC_REPOSITORY=s3:s3.backups.pyrocufflink.blue/restic
 INCLUDE_PATHS=True
 REFRESH_INTERVAL=3600
--- a/restic-exporter/secrets.yaml
+++ b/restic-exporter/secrets.yaml
@ -31,8 +31,8 @@ metadata:
    app.kubernetes.io/part-of: restic-exporter
 spec:
  encryptedData:
-    AWS_ACCESS_KEY_ID: AgCiUz6l8sPPSxh8lmtH4HEiQEu2EWN8zpS3Farh4/CxWVn01HufAU7n7xxPjMTkkoCfa42ux/WNLl3Gl539CgAoyaudlAfuzl+Uq5w3S1XesL/lTwBqYr3mF0ZeGxeHBh2h+S9IaTPef9SWFTV/F+X3rDOKw6OfMLSI3TZAarVuvNJ9GnK8vTu5MoE+4IhHfJRBor4qI9TGKOQQDtoQP9xcwWrOQJOKvyXGtOmz/u+H4K5VVsGvPpIWYDHS3V1HIzCaVLDEulL13dyNofXKmQB7mW7yPhRIn/MJGfuAvUXAE5Or1bgamftCujtl1nR8/K5Gq6h5212hVCtY2F8YMBZSt5G+GmitTSz7PJrjTB6OzXy1Uu+bNGWgjtck6bxzm/pkO44bC5/ZvhB0AESDSBIkpBSm1o7LMl6rCF+mUybsGNmRq9mcMvtMwAbUgzEewlMbdA+zN/YqEJFMZWcE9fYHms9pil3O+mDB1LilBMUczPD/zzpP88b2m36XmT3nSRBCTcfx8nqaqB6dvYK2AYjmM9iDPM0jRxZOaA6WZy3PsTUeJvfzxNapfE72lWREtaTVP3wfhwt2BcoiIxWqc7i/9LplcEOl62S2WhMtP0wJGXMSWmzxOPHno98u1aA4r/2K3LBk+9gSzA9grwi3VpK9NsADf1vFbLmd25eDqSe6zQl5YNk+Ty20uHqK53fdqwkM2WlvOmakXlw9dBr1CWGr
-    AWS_SECRET_ACCESS_KEY: AgCJ3K0gt8GqI3go1fQ/pMjFjpW0Z+j/YElaPqTUp8dpuhEdRS3MybCOjLhKwfpQN/nufRXbk0hLZYgloGznjEpdJvP4EEb3uwwdfZ2oP+h8YVyHpHsh7DlnuHUk7RwGJiL+wb+Xnh6ChsYKQQ2HfWnIQ+JZMGKDMQqaq0CwaQAde8MUZlJyqu7tZjD5wP3PFf6WxG2lwQiwD7vMi+M/r8h0a5Sf4TVdXIrRSPE9nvVmuaN7+4eAmOmzRmVqUxXqHhSL0/yMichOFGXXOCWryQlM/gm0BETEj8g9RdhqyJ6iXvgR8/ObZUQ4zoOeonaQQNZYOjgcZ+oWD+8n0gayziCIQz1Czf3HeGyXFpmVRCcQKOFb+Pz/U308zefDT/sCg4ggH8Le/7VVBYqKjUZWPFrJrhVju1IU3BZDs8PZhjaFWDIHvL7IuI9QLLKhhHHNWQ1IQSZgSyQUNYGK0lLbOWpID14w1FgIBI9+JhLSGtue+KwKgZxgrmE9QUI1CEhEPVXCZDCSmjY629QNLiVmNG/SiEL9uJAj2BlXkMpPtZuI4b9iINcw+vS8yYifdiRxcBpCZQTD9DiEf9NRh8pvC4YuwTkFVN8++vQyDtPiJPigJpZo3Uuz2S7dEcsRD28Y2sSiLMOdzTzRwovUigkUUSONCecNWhWeMWneFx7u97PvNMK1ogDOAzjDxvM13I8dw/eK6uXB9XNKZh3NkC/18RsIqdHhLhZKeAzx3VOtbvTOIw==
+    AWS_ACCESS_KEY_ID: AgAhNzhHnjDoEopNvdZaVxe84VhtxMiwxzYbwrFNvBkWMTF3aHbVjB2/qsWMjNU+a/jFFgFJZQzzfGK6Y9o0G3xFZaMwiBvBKBxRAOS6c2J8ClB7enCPD8HkAW/6BeuY3KsUW9wSEbGBlx8oW9tRWEOVFsRv6KHZwwh/vNfvSCiCXsZgBFAPorFy0Bh9FX+3PyZhANH6AAugWzGnxZGlRcNEgYx8ZnQovlFhhSxZsmUnSwyKzpZP2h+A48N3q+aUooFQlWuq6zGMEJqrFpMwiYg0M4A+60LBXneZGzc13FibWpbWpwEoX7YljnYYVnsat002U1qgkxSCoU75EKn3nay3vO6jT8lV5CUMGzbhxdNnaKbKevpaZgRZlUirrh+KGvG6pU8JghsiCKsP+HAuFRPTVfUYM2L13v5WDqOyVvLFT7S1Z1fl+LDwm1u7SPr8HYkEdgI/7ALD+vEBDUKmSCiQ8/sR3HGz9roDu8Lh0+HFZyUeuW27mEaDtSI5c/jKpWR8exN6ltClRS7vNyWuNGe1Jq3v7qyWrLEziTwxd2vunmvE/0bS6U4VgrkAvct0e6OUycuKP2Aaik/3tJA5OGYcw6x9hymc0y+XHszrIrkxJ6n4dtYP1Ymsf8OiqMTj3SOrP3+zUaFlSLi3474KlxmBR3GN/9W3wJx0nFhceXvoZVETtjdJXsfgXgMJ874WxC3YGld3weYqVSrIIs2BdjjTAc2j5g==
+    AWS_SECRET_ACCESS_KEY: AgC26kXxZxlGlIUTFVu1aG/4c+UhCnudcOmHfmqXqwDqkY4OSEuFkdpp2uTdziT3oGGLlNxcjYUJRD1Jkn+d8TAuqMfKqaosILne6SwRzAFFn1+hYyntwuV4gvCjNn6dpI5uaweX2tpwqS8RG+aGhesugLD2XpRqh+iLrqEf6vJrfJHuURmrnHmU+zl3+3RrsjFf3BaUBOHBJRA/b/QoyBsrZ/ABbp9MVP8b7g7N7+2WVE4XMvlaVfax8J49XekMISKvqnw4oEV/UB471q6wODlQC+uSzepcFX+kBrwpkGGDrtYdPISeVtYdPQ1QDRX7XVw35s1wA67hh8UuNkp2CxMJ8VUz/uVIoMPv9EdnLiWZC2/OO84jLWcFPz/w7/LyBiicmWgaCd+A9HtODBW6Gdg8s6+8mmD3u4YQW3PgYVuI1tTWccn1FCLd3O5U3V8pS88aNRqg2c9FdQ853SNv6CJwm5CjeHW7go6KaJlbElVpqy3Vi3WY+/76HVBrfo6T6RtDc18wcBLpfDh1DiVwpVHqiVwNTPMLgalnX+VuohU6LsnRzQo0jvzx9OfwhdNA+pHGgfQt2nrKHr8pSqnPsaJBlXzm4N2Su2MeXVn962RYU1KtcciClKG70WdRxUxZ/EGKqCgleUS+1kSC488XYWSwg44zCEHqfzJxgF1ykCAF6oG5FT+rKpB4845OHsFKEn2X9gDb3UExNSuyzdQeyxSQSVo1EivjQbh2jK3vtdGckkmfJ8Nlxmoi
  template:
    metadata:
      name: restic-s3