messing around with testing contabo storage and getting bws secrets

infrastructure/velero/contabosecret.yaml

@@ -1,20 +1,24 @@
-apiVersion: external-secrets.io/v1
+apiVersion: k8s.bitwarden.com/v1
-kind: ExternalSecret
+kind: BitwardenSecret
 metadata:
   name: contabo-s3-creds
   namespace: backups
 spec:
-  refreshInterval: 1h
+  secretName: contabo-s3-creds
-  secretStoreRef:
+  organizationId: 0df293ad-6afb-4d0b-b3ff-b41000581de5
-    name: your-secret-store
+  # This references infrastructure/bitwarden/bitwardenaccesstoken.enc.yaml.
-    kind: ClusterSecretStore
+  # The auth token secret must exist in the same namespace as this BitwardenSecret.
-  target:
+  authToken:
-    name: contabo-s3-creds
+    secretName: bitwarden-access-token
-    creationPolicy: Owner
+    secretKey: token
-  data:
+  useSecretNames: false
-    - secretKey: AWS_ACCESS_KEY_ID
+  onlyMappedSecrets: true
-      remoteRef:
+  map:
-        key: contabo-access-key
+    - bwSecretId: cd2d61e8-2e6e-46e8-870e-b410005a2e1e
-    - secretKey: AWS_SECRET_ACCESS_KEY
+      secretKeyName: AWS_ACCESS_KEY_ID
-      remoteRef:
+    - bwSecretId: 17195fbc-89e9-45be-a3ab-b410005a4a5d
-        key: contabo-secret-key
+      secretKeyName: AWS_SECRET_ACCESS_KEY
+    - bwSecretId: 3b71b5f9-0ce3-4036-8096-b4100059cc75
+      secretKeyName: CONTABO_CLIENT_ID
+    - bwSecretId: e88eabb8-36bd-4f4d-b0c7-b410005a0d61
+      secretKeyName: CONTABO_CLIENT_SECRET

infrastructure/velero/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: backups

secrets/test.yaml

@@ -2,29 +2,51 @@ apiVersion: batch/v1
 kind: Job
 metadata:
   name: contabo-test
-  namespace: security
+  namespace: backups
 spec:
+  backoffLimit: 0
   template:
     spec:
       restartPolicy: Never
       containers:
-      - name: test
+      - name: s3-test
-        image: ppatlabs/bitwarden-cli
+        image: amazon/aws-cli:2.17.37
         command:
-          - sh
+          - /bin/sh
-          - -c
+          - -ec
           - |
-            echo "Logging into Bitwarden..."
+            test -n "$AWS_ACCESS_KEY_ID"
-            bw login --apikey || true
+            test -n "$AWS_SECRET_ACCESS_KEY"
+            test -n "$CONTABO_ENDPOINT"
+            test -n "$CONTABO_BUCKET"
 
-            echo "Fetching secrets..."
+            TS="$(date +%s)"
-            bw list secrets > /tmp/secrets.json
+            KEY="k8s-contabo-test/${TS}.txt"
+            BODY="contabo write test from ${HOSTNAME} at ${TS}"
 
-            echo "Secrets output:"
+            printf '%s\n' "$BODY" > /tmp/test.txt
-            cat /tmp/secrets.json
+
+            aws --endpoint-url "$CONTABO_ENDPOINT" s3 cp /tmp/test.txt "s3://$CONTABO_BUCKET/$KEY"
+            aws --endpoint-url "$CONTABO_ENDPOINT" s3 cp "s3://$CONTABO_BUCKET/$KEY" /tmp/test-read.txt
+
+            grep -F "$BODY" /tmp/test-read.txt
+
+            aws --endpoint-url "$CONTABO_ENDPOINT" s3 rm "s3://$CONTABO_BUCKET/$KEY"
+            echo "Contabo object storage write/read/delete test passed."
         env:
-        - name: BW_ACCESS_TOKEN
+        - name: AWS_ACCESS_KEY_ID
           valueFrom:
             secretKeyRef:
-              name: bitwarden-access-token
+              name: contabo-s3-creds
-              key: token
+              key: AWS_ACCESS_KEY_ID
+        - name: AWS_SECRET_ACCESS_KEY
+          valueFrom:
+            secretKeyRef:
+              name: contabo-s3-creds
+              key: AWS_SECRET_ACCESS_KEY
+        - name: CONTABO_ENDPOINT
+          value: "https://eu2.contabostorage.com"
+        - name: CONTABO_BUCKET
+          value: "test"
+        - name: AWS_DEFAULT_REGION
+          value: "us-east-1"