add restic backup and configure oidc

soerenschneider · soerenschneider · commit 0bacbf98ca48 · 2025-04-16T20:21:56.000+02:00
diff --git a/clusters/svc.dd.soeren.cloud/mealie/external-secret-mealie-postgres-restic.yaml b/clusters/svc.dd.soeren.cloud/mealie/external-secret-mealie-postgres-restic.yaml
@@ -0,0 +1,34 @@
+---
+apiVersion: "external-secrets.io/v1beta1"
+kind: "ExternalSecret"
+metadata:
+  name: "mealie-restic-postgres"
+spec:
+  refreshInterval: "1h"
+  secretStoreRef:
+    name: "vault"
+    kind: "ClusterSecretStore"
+  target:
+    name: "mealie-restic-postgres"
+    creationPolicy: "Owner"
+  data:
+    - secretKey: "AWS_ACCESS_KEY_ID"
+      remoteRef:
+        key: "secret/soeren.cloud/env/prod/restic/mealie-postgres/aws-credentials"
+        property: "AWS_ACCESS_KEY_ID"
+    - secretKey: "AWS_SECRET_ACCESS_KEY"
+      remoteRef:
+        key: "secret/soeren.cloud/env/prod/restic/mealie-postgres/aws-credentials"
+        property: "AWS_SECRET_ACCESS_KEY"
+    - secretKey: "RESTIC_PASSWORD"
+      remoteRef:
+        key: "secret/soeren.cloud/env/prod/restic/mealie-postgres/restic"
+        property: "pass"
+    - secretKey: "POSTGRES_USER"
+      remoteRef:
+        key: "secret/soeren.cloud/env/prod/mealie"
+        property: "POSTGRES_USER"
+    - secretKey: "POSTGRES_PASSWORD"
+      remoteRef:
+        key: "secret/soeren.cloud/env/prod/mealie"
+        property: "POSTGRES_PASSWORD"
diff --git a/clusters/svc.dd.soeren.cloud/mealie/external-secret-mealie.yaml b/clusters/svc.dd.soeren.cloud/mealie/external-secret-mealie.yaml
@@ -24,3 +24,11 @@ spec:
       remoteRef:
         key: "secret/soeren.cloud/env/prod/mealie"
         property: "POSTGRES_USER"
+    - secretKey: "OIDC_CLIENT_ID"
+      remoteRef:
+        key: "soeren.cloud/env/prod/keycloak/soerencloud/clients/mealie"
+        property: "client_id"
+    - secretKey: "OIDC_CLIENT_SECRET"
+      remoteRef:
+        key: "soeren.cloud/env/prod/keycloak/soerencloud/clients/mealie"
+        property: "secret_id"
diff --git a/clusters/svc.dd.soeren.cloud/mealie/kustomization.yaml b/clusters/svc.dd.soeren.cloud/mealie/kustomization.yaml
@@ -9,6 +9,7 @@ resources:
   - postgres-pv.yaml
   - external-secret-mealie.yaml
   - external-secret-mealie-postgres.yaml
+  - external-secret-mealie-postgres-restic.yaml
 components:
   - ../../../apps/mealie/components/mealie-pvc
   - ../../../apps/mealie/components/oidc
@@ -40,7 +41,10 @@ configMapGenerator:
       - "BASE_URL=https://mealie.svc.dd.soeren.cloud"
   - name: "mealie-oidc"  # TODO: https://github.com/kubernetes-sigs/kustomize/issues/4402
     literals:
-      - "OIDC_CONFIGURATION_URL=https://keycloak.svc.dd.soeren.cloud/realms/myrealm/.well-known/openid-configuration"
-      - "OIDC_USER_GROUP=mealie_user"
-      - "OIDC_ADMIN_GROUP=mealie_admin"
+      - "OIDC_CONFIGURATION_URL=https://auth.dd.soeren.cloud/realms/soerencloud/.well-known/openid-configuration"
       - "OIDC_PROVIDER_NAME=keycloak"
+      - "OIDC_ADMIN_GROUP=/admins"
+      - "OIDC_GROUPS_CLAIM=groups"
+  - name: "mealie-restic-postgres"
+    literals:
+      - "RESTIC_REPOSITORY=s3:https://s3.amazonaws.com/soerenschneider-restic-prod/mealie-postgres"
