From 2e0db37db3a6a5a90e70844419a98909e9fdaf3a Mon Sep 17 00:00:00 2001 From: Sebastian Widmer Date: Thu, 7 Apr 2022 10:42:08 +0200 Subject: [PATCH] Fix backup tmpfile permissions on OCP --- component/backup.jsonnet | 6 ++ tests/defaults.yml | 13 +++- .../vault/vault/30_backup/31_schedule.yaml | 56 +++++++++++++++++ .../vault/vault/30_backup/32_backup.yaml | 63 +++++++++++++++++++ 4 files changed, 137 insertions(+), 1 deletion(-) create mode 100644 tests/golden/defaults/vault/vault/30_backup/31_schedule.yaml create mode 100644 tests/golden/defaults/vault/vault/30_backup/32_backup.yaml diff --git a/component/backup.jsonnet b/component/backup.jsonnet index faf64d8..48fe41f 100644 --- a/component/backup.jsonnet +++ b/component/backup.jsonnet @@ -96,6 +96,9 @@ local backupPod = backup.PreBackupPod( config: { mountPath: '/etc/vault/', }, + home: { + mountPath: '/home/vault', + }, }, }, }, @@ -105,6 +108,9 @@ local backupPod = backup.PreBackupPod( name: backupConfig.metadata.name, }, }, + home: { + emptyDir: {}, + }, }, serviceAccountName: backupSA.metadata.name, }, diff --git a/tests/defaults.yml b/tests/defaults.yml index 204b973..67fddfd 100644 --- a/tests/defaults.yml +++ b/tests/defaults.yml @@ -1,5 +1,16 @@ --- parameters: + kapitan: + dependencies: + - type: https + source: https://raw.githubusercontent.com/projectsyn/component-backup-k8up/v3.0.1/lib/backup-k8up.libjsonnet + output_path: vendor/lib/backup-k8up.libjsonnet + + backup_k8up: + global_backup_config: + s3_endpoint: null + prometheus_push_gateway: null + _instance: vault vault: name: foobar @@ -17,7 +28,7 @@ parameters: memory: 9001Mi cpu: 1000m backup: - enabled: false + enabled: true x_forwarded_for: authorized_addrs: "198.51.100.0/24" # TEST-NET-2 reject_not_authorized: "true" diff --git a/tests/golden/defaults/vault/vault/30_backup/31_schedule.yaml b/tests/golden/defaults/vault/vault/30_backup/31_schedule.yaml new file mode 100644 index 0000000..1347f54 --- /dev/null 
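Review bot: The new `home` mount in the backup container carries no comment explaining why a writable home directory is needed, so the commit subject is the only place the reason lives; a one-line why-comment would spare the next reader a git-blame. Presumably OCP's arbitrary-UID model makes the image's `/home/vault` unwritable for the vault-agent, which then cannot create its token sink; if that is the reason, add above the `home:` entry `// OCP runs the pod as an arbitrary UID, so the image's home dir is not writable; give the vault-agent a writable HOME for its token sink.` The enclosing `backupPod` definition starts and ends outside the hunk.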
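Review bot: The `home` volume backs the directory where the golden output shows the vault-agent writing its token (`path = "/home/vault/.vault-token"`), but a plain `emptyDir: {}` is node-disk-backed by default, so the Vault token is persisted to the node's filesystem for the life of the pod rather than kept in memory. Consider `home: { emptyDir: { medium: 'Memory' } },` so the token never touches disk; only the token file lands there, so a `sizeLimit` is optional. The enclosing `backupPod` definition continues outside the hunk.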
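Review bot: The new `kapitan.dependencies` entry fetches `backup-k8up.libjsonnet` from raw.githubusercontent.com by the movable ref `v3.0.1` with no integrity check, so the golden tests now depend on a remote file that silently changes if the tag is moved or the upstream repo is compromised. The https dependency as written carries no checksum field, so pinning the URL to the commit SHA the tag resolves to (`source: https://raw.githubusercontent.com/projectsyn/component-backup-k8up/<commit-sha>/lib/backup-k8up.libjsonnet`) is the practical way to make the fetch reproducible. If pinning by tag is the project's established convention for sibling components, a short comment stating that choice is the minimum.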
+++ b/tests/golden/defaults/vault/vault/30_backup/31_schedule.yaml
@@ -0,0 +1,56 @@
+apiVersion: v1
+data: {}
+kind: Secret
+metadata:
+ annotations: {}
+ labels:
+ name: foobar-backup-password
+ name: foobar-backup-password
+stringData:
+ password: t-silent-test-1234/c-green-test-1234/vault/vault/backup/password
+type: Opaque
+---
+apiVersion: v1
+data: {}
+kind: Secret
+metadata:
+ annotations: {}
+ labels:
+ name: foobar-backup-s3-credentials
+ name: foobar-backup-s3-credentials
+stringData:
+ password: t-silent-test-1234/c-green-test-1234/vault/vault/backup/s3_secret_key
+ username: t-silent-test-1234/c-green-test-1234/vault/vault/backup/s3_access_key
+type: Opaque
+---
+apiVersion: k8up.io/v1
+kind: Schedule
+metadata:
+ name: foobar
+ namespace: vault
+spec:
+ backend:
+ repoPasswordSecretRef:
+ key: password
+ name: foobar-backup-password
+ s3:
+ accessKeyIDSecretRef:
+ key: username
+ name: foobar-backup-s3-credentials
+ bucket: vault-backup
+ endpoint: null
+ secretAccessKeySecretRef:
+ key: password
+ name: foobar-backup-s3-credentials
+ backup:
+ keepJobs: 5
+ promURL: null
+ schedule: '*/13 * * * *'
+ check:
+ promURL: null
+ schedule: 30 3 * * *
+ prune:
+ retention:
+ keepDaily: 30
+ keepLast: 20
+ schedule: 23 * * * *
diff --git a/tests/golden/defaults/vault/vault/30_backup/32_backup.yaml b/tests/golden/defaults/vault/vault/30_backup/32_backup.yaml
new file mode 100644
index 0000000..2f96fa7
--- /dev/null
+++ b/tests/golden/defaults/vault/vault/30_backup/32_backup.yaml
@@ -0,0 +1,63 @@
+apiVersion: v1
+data:
+ vault-agent-config.hcl: "exit_after_auth = false\nauto_auth {\n method \"kubernetes\"\
+ \ {\n config = {\n role = \"backup\"\n }\n }\n \
+ \ sink \"file\" {\n config = {\n path = \"/home/vault/.vault-token\"\
+ \n mode = 0644\n }\n }\n}\n"
+kind: ConfigMap
+metadata:
+ annotations: {}
+ labels:
+ name: foobar-backup
+ name: foobar-backup
+ namespace: vault
+---
+apiVersion: k8up.io/v1
+kind: PreBackupPod
+metadata:
+ name: foobar
+ namespace: vault
+spec:
+ backupCommand: vault operator raft snapshot save /dev/stdout
+ fileExtension: .snapshot
+ pod:
+ spec:
+ containers:
+ - args: []
+ env:
+ - name: HOME
+ value: /home/vault
+ - name: SKIP_SETCAP
+ value: 'true'
+ - name: VAULT_ADDR
+ value: http://foobar-active:8200
+ image: docker.io/vault:1.7.3
+ imagePullPolicy: IfNotPresent
+ name: backup
+ ports: []
+ stdin: false
+ tty: false
+ volumeMounts:
+ - mountPath: /etc/vault/
+ name: config
+ - mountPath: /home/vault
+ name: home
+ imagePullSecrets: []
+ initContainers: []
+ serviceAccountName: foobar-backup
+ terminationGracePeriodSeconds: 30
+ volumes:
+ - configMap:
+ name: foobar-backup
+ name: config
+ - emptyDir: {}
+ name: home
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ annotations: {}
+ labels:
+ name: foobar-backup
+ name: foobar-backup
+ namespace: vault