Skip to content
/ sealed-secrets-backup-cron Public

This is a Sealed Secret backup image for safely backing up and encrypting your cluster certificate secret to a persistent volume mount.

License

Apache-2.0 license
0 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

tylerhoadley/sealed-secrets-backup-cron

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits
CODEOWNERS
CODEOWNERS
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
setup.sh
setup.sh
 
 

Repository files navigation

sealed-secrets-backup-cron

Getting started

Setup your CI pipeline and use the provided Dockerfile

Description

This application runs on a base debian bulleye image with the latest kubectl and p7zip-full packages at build. Its designed to run as a k8s cron job to backup a single targetted k8s clusters', Sealed Secret TLS Secrets to a persistant volume for offsite disaster recovery. Ive also added an extra layer of security with 7zip encryption plus archiving. This can add an additional layer of protection for backups on Networks services like NFS or cloud storage. The longer and more complex the ENCRYPTION_KEY the stronger protection you will have if an unwanted actor steals these backup files. This tool was created to recover clusters in a disaster or migrate IaC declaration from one cluster to another without having to reseal an entire clusters sealed secrets.

Protect these backups!

Installation

This is a k8s cron job based workload, Run and done. It also requires a persistant volume claim as a backup location for the job.

Usage

This image requires 2 environment variables, 1 secret set as an environment variable and 1 secret set then mounted as the `KUBECONFIG`` file content in order to backup the k8s SS Certificate secrets plus encrypt them.

Secret

This should be set and recorded in a Password Manager or in another safe and secure location. 7zip allows lenghty and complex password schemas.

ENCRYPTION_KEY=mcfOnGcJHqJU07llS89dOi4N1rmrXK7pxUV9eEAk2hnFdV6sqdEe0ychjU8lWyUMwLrMYYK5NkaB4XVX1MuwrkjVIWv34ZjGO1gaEJNAOiLlr1QnclEEwbFF4L_TixAe

ENV

This should be set to a persistant volume location. I recommend setting this to a secure and avaiable location in case of disaster. This location should enforce high security access rights. 7Zip encyrption offers some, but not all protection against being compromised. These keys decrypt your Sealed Secrets within your cluster, Protect these backups.

BACKUP_DIR=/opt/backup/${clustername}

This is not the file, but the location of where the file resides. Create a secret (any env name) then mount that secret to this location. This is required in order to communicate with your cluster. It will query for the sealedsecrets.bitnami.com/sealed-secrets-key selectors obkjects.

KUBECONFIG=/opt/kube/config

Secret Mount

Mount to echo $KUBECONFIG

KUBECONFIG_FILECONTENT=CONTENT of cluster config

TO-DO

Setup rotation within the backup job, or create another cron based job to clean up backups over X days or until X, then X past that.

About

This is a Sealed Secret backup image for safely backing up and encrypting your cluster certificate secret to a persistent volume mount.

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages