This is how we make backups of Mikrotik device configurations using Kubernetes Cronjob. This is easy to monitor with Prometheus and integrates well with the rest of our montioring system. Also the script/manifest is less than 100 lines, easy to follow and to fix.

Note that this does not have anything to do with ecadlabs/rosdump we initially used which just generated empty commits and there was no easy way to monitor.

We also considered ytti/oxidized, but it does not export Prometheus metrics either.

Manually trigger cronjob

kubectl create job -n rosdump --from=cronjob/rosdump-cronjob rosdump-job-oneshot

Updating SSH secrets

Secrets live and should be applied through secretspace.

known_hosts

Make sure strong crypto is enabled on Mikrotik side:

/ip ssh set strong-crypto=yes allow-none-crypto=no

For when Mikrotik targets are added/removed and their SSH keys change.

(for j in $(kubectl get cm -n rosdump rosdump-config -o json | jq -r '.data.targets');  do ssh-keyscan -t rsa $j; done) > known_hosts

Replacing SSH private key

The private key is used for both Gitea and Mikrotik targets.

Generate new key:

rm -fv rosdump rosdump.pub
ssh-keygen -P '' -b 2048 -m PEM -t rsa -f rosdump -C rosdump

Proceed to replace the public key in Gitea with rosdump.pub.