feat(restic): manage users via secret

kubernetes/storage/apps/default/restic/app/helmrelease.yaml

@@ -20,6 +20,19 @@ spec:
       restic:
         annotations:
           reloader.stakater.com/auto: "true"
+        initContainers:
+          init:
+            image:
+              repository: docker.io/restic/rest-server
+              tag: 0.13.0
+            command:
+              - /bin/sh
+            args:
+              - /init.sh
+            securityContext:
+              privileged: true
+              runAsUser: 0
+            workingDir: /data
         containers:
           app:
             image:
@@ -70,12 +83,32 @@ spec:
             tlsConfig:
               insecureSkipVerify: true
     persistence:
+      init-users:
+        type: configMap
+        name: restic-init
+        defaultMode: 0755
+        advancedMounts:
+          restic:
+            init:
+              - path: /init.sh
+                subPath: init.sh
+      users:
+        type: secret
+        name: restic-users
+        defaultMode: 0600
+        advancedMounts:
+          restic:
+            init:
+              - path: /data/users
+                subPath: users
       certs:
         type: secret
         name: restic-tls
-        globalMounts:
-          - path: /certs
-            readOnly: true
+        advancedMounts:
+          restic:
+            app:
+              - path: /certs
+                readOnly: true
       repository:
         type: hostPath
         hostPath: /io/restic

kubernetes/storage/apps/default/restic/app/kustomization.yaml

@@ -5,3 +5,11 @@ kind: Kustomization
 resources:
   - ./certificate.yaml
   - ./helmrelease.yaml
+configMapGenerator:
+  - name: restic-init
+    files:
+      - ./resources/init.sh
+generatorOptions:
+  disableNameSuffixHash: true
+  annotations:
+    kustomize.toolkit.fluxcd.io/substitute: disabled

kubernetes/storage/apps/default/restic/app/resources/init.sh

@@ -0,0 +1,17 @@
+#!/bin/sh
+
+set -e
+
+users_file="${1:-users}"
+htpasswd_file="${2:-.htpasswd}"
+temp_file="$(mktemp)"
+
+trap 'rm -f "$temp_file"' EXIT INT
+
+chmod 0600 "$temp_file"
+
+while IFS=':' read -r username password; do
+  htpasswd -B -b "$temp_file" "$username" "$password"
+done < "$users_file"
+
+mv "$temp_file" "$htpasswd_file"

kubernetes/storage/apps/default/restic/app/secret.sops.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: restic-users
+stringData:
+    users: ENC[AES256_GCM,data:s/a6QJ6M2XmDUvr9EouvcD5khwGz4GxGcueSN0+kV1E=,iv:rdj9osshb3uEYAhl0JKHno0pDFZQR6cUCMEOWlhToxk=,tag:RpWgg67GzUO1zcwUTNGLhg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1u79ltfzz5k79ddwgv59r76p2532xnaehzz7vggttctudr6gdkvhq33edn6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBcnB5RzYwejc1WGl1dStJ
+            VHpFNFByU1NtWVNIVDdOazFtdCtQZG1HbDFFCjZCNHI1a1ZYV1AyT1diQWRTbjVO
+            RSt2enZlRVJINkJMclZpMjhZaCttUDQKLS0tIGVtK0VncHB0OTJsdEJwUWRuQjR4
+            UFhCSExBK2w5K04xMnNtWXhGUjZ1S3cK4txYg7g9D/lMwEJe27w6GjRZ4od97VgB
+            DRRngPR7fiZb+ev1CWEjrIkpPPi7lcT/E9NQldS8RTeOoUQgfXo4Dg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-11-18T19:27:50Z"
+    mac: ENC[AES256_GCM,data:uWGMo2kbCfqrPCAUElYfEPRJdFwSrgmUuiZYBXPoxjVhyuQaYXn1iVDR8Po1Hilh7sbwUcLpNjwQ2Q5dCSQSm1NzCfFLLyqGT2+msUzoPfynPZ8CLN3AhdgJJxjOnD/7oonJmakWMa1Gc0PfV3TckShDTeyJsYYu/xZ87/llgnY=,iv:LJdA2VC8R5H2QGsmNOU3TGxkQ6KlPQ/O8X7zEnGHlUQ=,tag:dktmYp7B5+govHXfe+1MxA==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.9.1