# Intro

This is how we make backups of MikroTik device configurations using a Kubernetes
CronJob. This is easy to monitor with Prometheus and integrates well with the
rest of our monitoring system. Also, the script/manifest is less than 100 lines,
easy to follow and to fix.

Note that this has nothing to do with
[ecadlabs/rosdump](https://github.com/ecadlabs/rosdump),
which we used initially: it just generated empty commits and
there was no easy way to monitor it.

We also considered [ytti/oxidized](https://github.com/ytti/oxidized),
but it does not export Prometheus metrics either.

## Manually trigger cronjob

```sh
kubectl create job -n rosdump --from=cronjob/rosdump-cronjob rosdump-job-oneshot
```

## Updating SSH secrets

Secrets live in, and should be applied through, secretspace.

### known_hosts

Make sure strong crypto is enabled on the MikroTik side:

```
/ip ssh set strong-crypto=yes allow-none-crypto=no
```

Regenerate `known_hosts` when MikroTik targets are added/removed and their SSH host keys change:

```sh
# Scan the RSA host key of every target listed in the rosdump-config ConfigMap
(for j in $(kubectl get cm -n rosdump rosdump-config -o json | jq -r '.data.targets'); do ssh-keyscan -t rsa "$j"; done) > known_hosts
```

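`ssh-keyscan` does not authenticate the keys it retrieves, so a regenerated file is worth comparing with the deployed one before it is applied. The following is an added example, not part of the original README; the function name `known_hosts_diff`, the file names and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: review host-key changes before replacing known_hosts.
# known_hosts_diff OLD NEW prints ADDED/REMOVED/CHANGED per "host keytype"
# and returns 1 if an already-known host now presents a different key.
known_hosts_diff() {
    awk '
        /^#/ || NF < 3 { next }                      # skip comments and blank lines
        { id = $1 " " $2 }                           # entry identity: host + key type
        FILENAME == ARGV[1] { old[id] = $3; next }   # deployed file: remember keys
        { seen[id] = 1
          if (!(id in old))         print "ADDED " id
          else if (old[id] != $3) { print "CHANGED " id; bad = 1 } }
        END { for (id in old) if (!(id in seen)) print "REMOVED " id
              exit bad + 0 }
    ' "$1" "$2"
}

# Constructed sample data (key blobs are placeholders, not real keys).
demo_dir=$(mktemp -d)
cat > "$demo_dir/known_hosts.old" <<'EOF'
router-a.example ssh-rsa AAAAB3PLACEHOLDERKEY1
router-b.example ssh-rsa AAAAB3PLACEHOLDERKEY2
EOF
cat > "$demo_dir/known_hosts.new" <<'EOF'
# constructed comment line
router-a.example ssh-rsa AAAAB3PLACEHOLDERKEY1
router-b.example ssh-rsa AAAAB3PLACEHOLDERKEY9
router-c.example ssh-rsa AAAAB3PLACEHOLDERKEY3
EOF

if known_hosts_diff "$demo_dir/known_hosts.old" "$demo_dir/known_hosts.new"; then
    echo "no existing host key changed; safe to apply"
else
    echo "host key changed on an existing target; verify it on the device first"
fi
rm -rf "$demo_dir"
```

A `CHANGED` line means the key for an existing target differs from the deployed one and should be confirmed on the device itself before the secret is updated.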
### Replacing SSH private key

The private key is used for both Gitea and MikroTik targets.

Generate a new key:

```sh
# Remove the old key pair, then generate a passphrase-less 2048-bit RSA key in PEM format
rm -fv rosdump rosdump.pub
ssh-keygen -P '' -b 2048 -m PEM -t rsa -f rosdump -C rosdump
```

Proceed to replace the public key in Gitea with `rosdump.pub`.