messing around with testing contabo storage and getting bws secrets

2026-03-19 22:32:10 +13:00 · 2026-03-19 22:32:10 +13:00 · 0e30028db0
parent 6b9cb13f65
commit 0e30028db0
3 changed files with 60 additions and 30 deletions
--- a/infrastructure/velero/contabosecret.yaml
+++ b/infrastructure/velero/contabosecret.yaml
@ -1,20 +1,24 @@
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
+apiVersion: k8s.bitwarden.com/v1
+kind: BitwardenSecret
 metadata:
  name: contabo-s3-creds
  namespace: backups
 spec:
-  refreshInterval: 1h
-  secretStoreRef:
-    name: your-secret-store
-    kind: ClusterSecretStore
-  target:
-    name: contabo-s3-creds
-    creationPolicy: Owner
-  data:
-    - secretKey: AWS_ACCESS_KEY_ID
-      remoteRef:
-        key: contabo-access-key
-    - secretKey: AWS_SECRET_ACCESS_KEY
-      remoteRef:
-        key: contabo-secret-key
+  secretName: contabo-s3-creds
+  organizationId: 0df293ad-6afb-4d0b-b3ff-b41000581de5
+  # This references infrastructure/bitwarden/bitwardenaccesstoken.enc.yaml.
+  # The auth token secret must exist in the same namespace as this BitwardenSecret.
+  authToken:
+    secretName: bitwarden-access-token
+    secretKey: token
+  useSecretNames: false
+  onlyMappedSecrets: true
+  map:
+    - bwSecretId: cd2d61e8-2e6e-46e8-870e-b410005a2e1e
+      secretKeyName: AWS_ACCESS_KEY_ID
+    - bwSecretId: 17195fbc-89e9-45be-a3ab-b410005a4a5d
+      secretKeyName: AWS_SECRET_ACCESS_KEY
+    - bwSecretId: 3b71b5f9-0ce3-4036-8096-b4100059cc75
+      secretKeyName: CONTABO_CLIENT_ID
+    - bwSecretId: e88eabb8-36bd-4f4d-b0c7-b410005a0d61
+      secretKeyName: CONTABO_CLIENT_SECRET
--- a/infrastructure/velero/namespace.yaml
+++ b/infrastructure/velero/namespace.yaml
@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: backups
--- a/secrets/test.yaml
+++ b/secrets/test.yaml
@ -2,29 +2,51 @@ apiVersion: batch/v1
 kind: Job
 metadata:
  name: contabo-test
-  namespace: security
+  namespace: backups
 spec:
+  backoffLimit: 0
  template:
    spec:
      restartPolicy: Never
      containers:
-      - name: test
-        image: ppatlabs/bitwarden-cli
+      - name: s3-test
+        image: amazon/aws-cli:2.17.37
        command:
-          - sh
-          - -c
+          - /bin/sh
+          - -ec
          - |
-            echo "Logging into Bitwarden..."
-            bw login --apikey || true
+            test -n "$AWS_ACCESS_KEY_ID"
+            test -n "$AWS_SECRET_ACCESS_KEY"
+            test -n "$CONTABO_ENDPOINT"
+            test -n "$CONTABO_BUCKET"

-            echo "Fetching secrets..."
-            bw list secrets > /tmp/secrets.json
+            TS="$(date +%s)"
+            KEY="k8s-contabo-test/${TS}.txt"
+            BODY="contabo write test from ${HOSTNAME} at ${TS}"

-            echo "Secrets output:"
-            cat /tmp/secrets.json
+            printf '%s\n' "$BODY" > /tmp/test.txt
+
+            aws --endpoint-url "$CONTABO_ENDPOINT" s3 cp /tmp/test.txt "s3://$CONTABO_BUCKET/$KEY"
+            aws --endpoint-url "$CONTABO_ENDPOINT" s3 cp "s3://$CONTABO_BUCKET/$KEY" /tmp/test-read.txt
+
+            grep -F "$BODY" /tmp/test-read.txt
+
+            aws --endpoint-url "$CONTABO_ENDPOINT" s3 rm "s3://$CONTABO_BUCKET/$KEY"
+            echo "Contabo object storage write/read/delete test passed."
        env:
-        - name: BW_ACCESS_TOKEN
+        - name: AWS_ACCESS_KEY_ID
          valueFrom:
            secretKeyRef:
-              name: bitwarden-access-token
-              key: token
+              name: contabo-s3-creds
+              key: AWS_ACCESS_KEY_ID
+        - name: AWS_SECRET_ACCESS_KEY
+          valueFrom:
+            secretKeyRef:
+              name: contabo-s3-creds
+              key: AWS_SECRET_ACCESS_KEY
+        - name: CONTABO_ENDPOINT
+          value: "https://eu2.contabostorage.com"
+        - name: CONTABO_BUCKET
+          value: "test"
+        - name: AWS_DEFAULT_REGION
+          value: "us-east-1"