forked from k-space/kube
128 lines
3.4 KiB
YAML
128 lines
3.4 KiB
YAML
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: rosdump-config
|
|
data:
|
|
script.sh: |
|
|
#!/bin/sh
|
|
set -e
|
|
mkdir -p /root/.ssh
|
|
cp /config/ssh_identity /root/.ssh/id_ecdsa
|
|
chmod 600 /root/.ssh/id_ecdsa
|
|
ssh-keyscan git.k-space.ee > /root/.ssh/known_hosts
|
|
if [ -d rosdump ]; then
|
|
echo "Pulling Git repo"
|
|
cd rosdump
|
|
git pull
|
|
else
|
|
echo "Cloning Git repo"
|
|
git clone git@git.k-space.ee:secretspace/rosdump.git
|
|
cd rosdump
|
|
fi
|
|
git config user.name rosdumo
|
|
git config user.email rosdump@k-space.ee
|
|
git rm *.k-space.ee
|
|
for target in $(cat /config/targets | grep -v '^#'); do
|
|
echo "Exporting configuration for $target"
|
|
ssh-keyscan $target >> /root/.ssh/known_hosts
|
|
ssh rosdump@$target '/export' | grep -v '^# serial number =' | grep -v '^#.* by RouterOS' > $target
|
|
git add $target
|
|
done
|
|
if git status --porcelain | read; then
|
|
echo "Attempting Git check in"
|
|
git commit -m "$(git diff --cached --shortstat)"
|
|
git push
|
|
else
|
|
echo "No changes to commit"
|
|
fi
|
|
targets: |
|
|
router.sec.k-space.ee
|
|
sw_core01.sec.k-space.ee
|
|
sw_core02.sec.k-space.ee
|
|
sw_mgmt.mgmt.k-space.ee
|
|
sw_poe.sec.k-space.ee
|
|
sw_ha.sec.k-space.ee
|
|
sw_cyber.sec.k-space.ee
|
|
sw_chaos.sec.k-space.ee
|
|
sw_asocial.sec.k-space.ee
|
|
sw_kitchen.sec.k-space.ee
|
|
---
|
|
apiVersion: batch/v1
|
|
kind: CronJob
|
|
metadata:
|
|
name: rosdump
|
|
spec:
|
|
schedule: "*/5 * * * *"
|
|
concurrencyPolicy: Forbid
|
|
startingDeadlineSeconds: 100
|
|
jobTemplate:
|
|
spec:
|
|
activeDeadlineSeconds: 300
|
|
template:
|
|
metadata:
|
|
name: rosdump
|
|
spec:
|
|
restartPolicy: OnFailure
|
|
containers:
|
|
- name: rosdump
|
|
image: mirror.gcr.io/alpine/git
|
|
imagePullPolicy: IfNotPresent
|
|
command:
|
|
- sh
|
|
- /config/script.sh
|
|
volumeMounts:
|
|
- name: config
|
|
mountPath: /config
|
|
volumes:
|
|
- name: config
|
|
projected:
|
|
sources:
|
|
- secret:
|
|
name: rosdump-secrets
|
|
items:
|
|
- key: ssh_identity
|
|
path: ssh_identity
|
|
mode: 0600
|
|
- configMap:
|
|
name: rosdump-known-hosts
|
|
items:
|
|
- key: ssh_known_hosts
|
|
path: ssh_known_hosts
|
|
- configMap:
|
|
name: rosdump-config
|
|
---
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: NetworkPolicy
|
|
metadata:
|
|
name: rosdump
|
|
spec:
|
|
podSelector: {}
|
|
policyTypes:
|
|
- Egress
|
|
egress:
|
|
- to:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
kubernetes.io/metadata.name: gitea
|
|
- ipBlock:
|
|
cidr: 172.23.0.0/24
|
|
- ipBlock:
|
|
cidr: 100.102.0.0/16
|
|
|
|
---
|
|
apiVersion: monitoring.coreos.com/v1
|
|
kind: PrometheusRule
|
|
metadata:
|
|
name: rosdump
|
|
spec:
|
|
groups:
|
|
- name: rosdump
|
|
rules:
|
|
- alert: MikrotikBackupsBroken
|
|
expr: absent(kube_cronjob_status_last_successful_time{cronjob="rosdump-cronjob"}) or time() - kube_cronjob_status_last_successful_time{cronjob="rosdump-cronjob"} > 3600
|
|
for: 4h
|
|
labels:
|
|
severity: warning
|
|
annotations:
|
|
summary: Mikrotik backups are broken
|