
kube-backup's Introduction

kube-backup


Quick 'n dirty Kubernetes state backup script, designed to be run as a Kubernetes Job. Think of it like RANCID for Kubernetes.

Props to @gianrubio for coming up with the idea.

Setup

Use one of the deployment examples (SSH or AWS CodeCommit authentication) to deploy a Kubernetes CronJob in your cluster (Kubernetes 1.5 and up). The job exports your Kubernetes resource definitions and pushes them to your private git repository.

Define the following environment parameters:

  • GIT_REPO - GIT repo url. Required
  • GIT_PREFIX_PATH - Path to the subdirectory in your repository. Default: .
  • NAMESPACES - List of namespaces to export. Default: all
  • GLOBALRESOURCES - List of global resource types to export. Default: namespace
  • RESOURCETYPES - List of resource types to export. Default: ingress deployment configmap svc rc ds networkpolicy statefulset storageclass cronjob. Note that Secret objects are intentionally not exported by default (see the git-crypt section for details).
  • GIT_USERNAME - Display name of git user. Default: kube-backup
  • GIT_EMAIL - Email address of git user. Default: [email protected]
  • GIT_BRANCH - Use a specific git branch. Default: master
  • GITCRYPT_ENABLE - Use git-crypt for data encryption. See git-crypt section for details. Default: false
  • GITCRYPT_PRIVATE_KEY - Path to private gpg key for git-crypt. See git-crypt section for details. Default: /secrets/gpg-private.key
  • GITCRYPT_SYMMETRIC_KEY - Path to shared symmetric key for git-crypt. See git-crypt section. Default: /secrets/symmetric.key

Choose one of two authentication mechanisms:

  • When using AWS CodeCommit with policy-based access from AWS, modify your cluster configuration to grant your cluster nodes GitPull and GitPush access to that CodeCommit repository. If using kops, the configuration will look something like this:
  additionalPolicies:
    node: |
      [
        {
          "Effect": "Allow",
          "Action": [
            "codecommit:GitPull",
            "codecommit:GitPush"
          ],
          "Resource": "arn:aws:codecommit:<region>:<account-id>:<repo-name>"
        }
      ]

NOTE: in this deployment, the ssh volume and secret are not present.

  • When using a different repository (GitHub, BitBucket, etc.), mount a configured ssh directory in /backup/.ssh with the following files:

    • known_hosts - Preloaded with the SSH host key of the $GIT_REPO host.
    • id_rsa - SSH private key of user allowed to push to $GIT_REPO.

Easiest way of doing this is:

ssh-keygen -f ./id_rsa
ssh-keyscan $YOUR_GIT_HOST > known_hosts

kubectl create secret generic kube-backup-ssh -n kube-system --from-file=id_rsa --from-file=known_hosts

NOTE: If id_rsa isn't found in your ssh directory, the backup script will assume you're using AWS CodeCommit.

Optional:

  • Modify the snapshot frequency in spec.schedule using the cron format.
  • Modify the number of successful and failed finished jobs to retain in spec.successfulJobsHistoryLimit and spec.failedJobsHistoryLimit.
  • If using RBAC (1.6+), use the ClusterRole and ClusterRoleBindings in rbac.yaml.

git-crypt

For security reasons Secret objects are not exported by default. They can, however, be stored encrypted in the repository using the git-crypt project.

Prerequisites

Your repository has to be initialized with git-crypt beforehand. A minimal configuration is listed below; for full details see the git-crypt documentation on using git-crypt.

cd repo
git-crypt init
cat <<EOF > .gitattributes
*.secret.yaml filter=git-crypt diff=git-crypt
.gitattributes !filter !diff
EOF
git-crypt add-gpg-user <USER_ID>
git add -A
git commit -a -m "initialize git-crypt"

Optional:

  • You may place the .gitattributes file in any subdirectory (useful when using GIT_PREFIX_PATH); its patterns then only apply to files below that directory.
  • You may encrypt files other than *.secret.yaml: add extra pattern lines before the .gitattributes line. You may also use the wildcard * to encrypt all files within the directory.
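Because a .gitattributes file only governs paths beneath its own directory, any export written outside the directory that carries the git-crypt patterns (for example after GIT_PREFIX_PATH is changed, or a second cluster is pointed at the same repository) is committed in plaintext without any error. The following added example, not the project's code, checks an exported file listing against one or more .gitattributes files using a simplified gitattributes matcher (assumption: fnmatch-style patterns, no '**' or negated rules); the paths, the clusters/prod prefix and the file contents are constructed.

```python
"""Check that every exported Secret file would be encrypted by git-crypt.

Added example, not kube-backup code. Matching follows gitattributes semantics in
simplified form: a pattern without a slash matches the basename at any depth
below the .gitattributes directory, a pattern with a slash is anchored to that
directory and '*' does not cross '/'.
"""
import fnmatch
import posixpath


def parse_gitattributes(text):
    """Return the patterns that enable the git-crypt filter, in file order."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if "filter=git-crypt" in fields[1:]:
            patterns.append(fields[0])
    return patterns


def _matches(pattern, rel_path):
    """Match rel_path (relative to the .gitattributes directory) against one pattern."""
    if "/" not in pattern.rstrip("/"):
        return fnmatch.fnmatchcase(posixpath.basename(rel_path), pattern)
    parts = pattern.lstrip("/").split("/")
    path_parts = rel_path.split("/")
    if len(parts) != len(path_parts):
        return False
    return all(fnmatch.fnmatchcase(p, q) for p, q in zip(path_parts, parts))


def is_encrypted(path, attributes):
    """attributes maps the directory holding a .gitattributes file ('' = repo root)
    to that file's text. True if some applicable git-crypt pattern matches path."""
    for attr_dir, text in attributes.items():
        prefix = attr_dir.strip("/")
        if prefix and not path.startswith(prefix + "/"):
            continue  # this .gitattributes does not govern the path at all
        rel = path[len(prefix) + 1:] if prefix else path
        if any(_matches(p, rel) for p in parse_gitattributes(text)):
            return True
    return False


def plaintext_secrets(paths, attributes):
    """Return exported files that look like Secret dumps but would not be encrypted."""
    return sorted(p for p in paths
                  if p.endswith(".secret.yaml") and not is_encrypted(p, attributes))


# The .gitattributes content from the prerequisites above.
GITATTRIBUTES = """*.secret.yaml filter=git-crypt diff=git-crypt
.gitattributes !filter !diff
"""

# Constructed export listing in the $namespace/$name.$type.yaml layout.
EXPORTED = [
    "clusters/prod/kube-system/kube-backup-gpg.secret.yaml",
    "clusters/prod/prd/postgres.secret.yaml",
    "clusters/prod/prd/postgresql.deployment.yaml",
    "clusters/staging/staging/postgres.secret.yaml",  # outside the covered prefix
]

if __name__ == "__main__":
    # .gitattributes committed at the repository root covers every export.
    print(plaintext_secrets(EXPORTED, {"": GITATTRIBUTES}))
    # .gitattributes only under GIT_PREFIX_PATH=clusters/prod misses the staging export.
    print(plaintext_secrets(EXPORTED, {"clusters/prod": GITATTRIBUTES}))
```

A pre-push hook that runs plaintext_secrets over `git diff --cached --name-only` and refuses the commit when the list is non-empty catches the misconfiguration before anything leaves the cluster; `git check-attr filter -- <path>` gives the authoritative answer from git itself when you have a checkout at hand.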

Enable git-crypt

To enable encryption:

  • Set pod environment variable GITCRYPT_ENABLE to true

    spec:
      containers:
      - env:
        - name: GITCRYPT_ENABLE
          value: "true"
    
  • Create an additional Secret object containing either the gpg private key or the symmetric key (only the one you use is needed)

    apiVersion: v1
    kind: Secret
    metadata:
      name: kube-backup-gpg
      namespace: kube-system
    data:
      gpg-private.key: <base64_encoded_key>
      symmetric.key: <base64_encoded_key>
    
  • Mount the keys from the Secret as an additional volume (the example's defaultMode 420 is octal 0644; 256, i.e. 0400, is sufficient for a key that only the backup process reads)

    spec:
      containers:
      - volumeMounts:
        - mountPath: /secrets
          name: gpgkey
      volumes:
      - name: gpgkey
        secret:
          defaultMode: 420
          secretName: kube-backup-gpg
    
  • Add the secret resource type to the RESOURCETYPES variable

    spec:
      containers:
      - env:
        - name: RESOURCETYPES
          value: "ingress deployment configmap secret svc rc ds thirdpartyresource networkpolicy statefulset storageclass cronjob"
    
  • If using RBAC (1.6+), add secrets to resources

    rules:
    - apiGroups: ["*"]
      resources: [
        "configmaps",
        "secrets",
    
  • (Optional) $GITCRYPT_PRIVATE_KEY and $GITCRYPT_SYMMETRIC_KEY are the mount path of the Secret volume joined with the item key name from that Secret. If you change either of those values from the example above, set these variables accordingly.

Result

All configured resources are exported as YAML into a directory tree following the $namespace/$name.$type.yaml layout.

.
├── kube-system
│   ├── attachdetach-controller.serviceaccounts.yaml
│   ├── canal-config.configmap.yaml
│   ├── canal.daemonset.yaml
│   ├── canal.serviceaccounts.yaml
│   ├── certificate-controller.serviceaccounts.yaml
│   ├── cronjob-controller.serviceaccounts.yaml
│   ├── daemon-set-controller.serviceaccounts.yaml
│   ├── default.serviceaccounts.yaml
│   ├── deployment-controller.serviceaccounts.yaml
│   ├── disruption-controller.serviceaccounts.yaml
│   ├── dns-controller.deployment.yaml
│   ├── dns-controller.serviceaccounts.yaml
│   ├── endpoint-controller.serviceaccounts.yaml
│   ├── generic-garbage-collector.serviceaccounts.yaml
│   ├── horizontal-pod-autoscaler.serviceaccounts.yaml
│   ├── job-controller.serviceaccounts.yaml
│   ├── kube-backup-gpg.secret.yaml
│   ├── kube-backup.serviceaccounts.yaml
│   ├── kube-backup-ssh.secret.yaml
│   ├── kube-dns-autoscaler.configmap.yaml
│   ├── kube-dns-autoscaler.deployment.yaml
│   ├── kube-dns-autoscaler.serviceaccounts.yaml
│   ├── kube-dns.deployment.yaml
│   ├── kube-dns.serviceaccounts.yaml
│   ├── kube-dns.service.yaml
│   ├── kubelet.service.yaml
│   ├── kube-prometheus-exporter-kube-controller-manager.service.yaml
│   ├── kube-prometheus-exporter-kube-dns.service.yaml
│   ├── kube-prometheus-exporter-kube-etcd.service.yaml
│   ├── kube-prometheus-exporter-kube-scheduler.service.yaml
│   ├── kube-proxy.serviceaccounts.yaml
│   ├── kube-state-backup-new.cronjob.yaml
│   ├── kube-sysctl.daemonset.yaml
│   ├── letsencrypt-prod.secret.yaml
│   ├── namespace-controller.serviceaccounts.yaml
│   ├── node-controller.serviceaccounts.yaml
│   ├── openvpn-ccd.configmap.yaml
│   ├── openvpn-crl.configmap.yaml
│   ├── openvpn.deployment.yaml
│   ├── openvpn-ingress.service.yaml
│   ├── openvpn-pki.secret.yaml
│   ├── openvpn-portmapping.configmap.yaml
│   ├── openvpn-settings.configmap.yaml
│   ├── persistent-volume-binder.serviceaccounts.yaml
│   ├── pod-garbage-collector.serviceaccounts.yaml
│   ├── replicaset-controller.serviceaccounts.yaml
│   ├── replication-controller.serviceaccounts.yaml
│   ├── resourcequota-controller.serviceaccounts.yaml
│   ├── route53-config.secret.yaml
│   ├── service-account-controller.serviceaccounts.yaml
│   ├── service-controller.serviceaccounts.yaml
│   ├── statefulset-controller.serviceaccounts.yaml
│   ├── sysctl-options.configmap.yaml
│   ├── tiller-deploy.deployment.yaml
│   ├── tiller-deploy.service.yaml
│   ├── tiller.serviceaccounts.yaml
│   └── ttl-controller.serviceaccounts.yaml
├── prd
│   ├── initdb.configmap.yaml
│   ├── example-app.deployment.yaml
│   ├── example-app.ingress.yaml
│   ├── example-app.secret.yaml
│   ├── example-app.service.yaml
│   ├── postgres-admin.secret.yaml
│   ├── postgresql.deployment.yaml
│   ├── postgresql.service.yaml
│   ├── postgres.secret.yaml
│   ├── prd.example.com.secret.yaml
│   ├── redis.service.yaml
│   └── redis-standalone.rc.yaml
└── staging
    ├── initdb.configmap.yaml
    ├── example-app.deployment.yaml
    ├── example-app.ingress.yaml
    ├── example-app.secret.yaml
    ├── example-app.service.yaml
    ├── postgres-admin.secret.yaml
    ├── postgresql.deployment.yaml
    ├── postgresql.service.yaml
    ├── postgres.secret.yaml
    ├── staging.example.com.secret.yaml
    ├── redis.service.yaml
    └── redis-standalone.rc.yaml

3 directories, 80 files
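A backup like the tree above is only useful as a change record if each run produces a diff solely when the desired state changed, which means server-assigned metadata has to be dropped before the files are written. The following is an added example, not kube-backup's own entrypoint: it writes a kubectl JSON list into the $namespace/$name.$type.yaml layout shown above, strips the same fields the jq filter quoted in the "Why convert it to yaml?" issue further down this page removes (last-applied-configuration and leader annotations, uid, selfLink, resourceVersion, creationTimestamp, generation), and skips kubernetes.io/service-account-token Secrets, which kubectl refuses to export (see the "can not export service account secrets" issue below) and which the control plane regenerates anyway. Output is JSON-formatted, which is valid YAML, so PyYAML is not needed. The _global directory name for cluster-scoped objects is an assumption, and the sample list is constructed.

```python
"""Export a kubectl JSON list as $namespace/$name.$type.yaml with volatile
metadata removed. Added example, not kube-backup code."""
import json
import os
import tempfile

VOLATILE_ANNOTATIONS = (
    "kubectl.kubernetes.io/last-applied-configuration",
    "control-plane.alpha.kubernetes.io/leader",
)
VOLATILE_METADATA = ("uid", "selfLink", "resourceVersion", "creationTimestamp", "generation")


def sanitize(item):
    """Return a copy of one resource with server-assigned, run-to-run noise removed."""
    item = json.loads(json.dumps(item))  # deep copy so the caller's object is untouched
    meta = item.setdefault("metadata", {})
    for key in VOLATILE_METADATA:
        meta.pop(key, None)
    annotations = meta.get("annotations") or {}
    for key in VOLATILE_ANNOTATIONS:
        annotations.pop(key, None)
    if not annotations:
        meta.pop("annotations", None)
    return item


def should_skip(item):
    """kubectl refuses to dump service-account-token Secrets; skipping them keeps
    one such object from aborting the whole export."""
    return item.get("kind") == "Secret" and item.get("type") == "kubernetes.io/service-account-token"


def export_path(item, resource_type):
    """$namespace/$name.$type.yaml. Cluster-scoped objects have no namespace and go
    under '_global' (assumption: the project's layout for them is not shown here)."""
    meta = item["metadata"]
    return "%s/%s.%s.yaml" % (meta.get("namespace", "_global"), meta["name"], resource_type)


def export_list(kubectl_list, resource_type, out_dir):
    """Write every item of a kubectl 'List' below out_dir. Returns {rel path: object}.
    JSON is a subset of YAML, so the .yaml files are valid YAML documents."""
    written = {}
    for item in kubectl_list.get("items", []):
        if should_skip(item):
            continue
        clean = sanitize(item)
        rel = export_path(clean, resource_type)
        full = os.path.join(out_dir, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            json.dump(clean, fh, indent=2, sort_keys=True)  # sorted keys keep diffs stable
            fh.write("\n")
        written[rel] = clean
    return written


def export_to_tempdir(kubectl_list, resource_type):
    """Convenience wrapper: export into a fresh temporary directory."""
    out_dir = tempfile.mkdtemp(prefix="kube-backup-example-")
    return out_dir, export_list(kubectl_list, resource_type, out_dir)


def list_exported(out_dir):
    """Sorted relative paths of all files below out_dir (to confirm what was written)."""
    rels = []
    for root, _dirs, files in os.walk(out_dir):
        for name in files:
            rels.append(os.path.relpath(os.path.join(root, name), out_dir).replace(os.sep, "/"))
    return sorted(rels)


# Constructed sample resembling 'kubectl get secret -n prd -o json' (fake values).
SAMPLE_SECRETS = {
    "kind": "List", "apiVersion": "v1",
    "items": [
        {"kind": "Secret", "apiVersion": "v1", "type": "Opaque",
         "metadata": {"name": "postgres", "namespace": "prd",
                      "uid": "00000000-0000-4000-8000-000000000001", "resourceVersion": "12345",
                      "selfLink": "/api/v1/namespaces/prd/secrets/postgres",
                      "creationTimestamp": "2018-01-01T00:00:00Z",
                      "annotations": {"kubectl.kubernetes.io/last-applied-configuration": "{}",
                                      "owner": "db-team"}},
         "data": {"password": "cGFzc3dvcmQ="}},
        {"kind": "Secret", "apiVersion": "v1", "type": "kubernetes.io/service-account-token",
         "metadata": {"name": "default-token-hmg6k", "namespace": "prd",
                      "annotations": {"kubernetes.io/service-account.name": "default"}},
         "data": {"token": "ZUE="}},
    ],
}

if __name__ == "__main__":
    out, written = export_to_tempdir(SAMPLE_SECRETS, "secret")
    print(out, list_exported(out))  # only prd/postgres.secret.yaml; the token Secret is skipped
```

Secrets land in *.secret.yaml, so with the .gitattributes pattern from the git-crypt section they are encrypted on commit; the exported Opaque Secret still contains the base64 data field, so the repository must be treated as sensitive even when git-crypt is enabled.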

This project is MIT licensed.

kube-backup's People

Contributors

aleksanderllada, bastienl, benmathews, captn3m0, davidkarlsen, krogon-dp, overv, pieterlange, strowi, wuzhihui1123, youam


kube-backup's Issues

Allow for backup of CRD resources

I tried adding cert-manager CRD resources to the backup-list:

- name: GLOBALRESOURCES
  value: "namespace storageclass pv clusterrolebinding clusterrole clusterissuer"
- name: RESOURCETYPES
  value: "ingress deployment configmap svc rc ds networkpolicy statefulset pvc cronjob secret sealedsecret rolebinding role certificate issuer"

but it still won't back up certificates, issuers or cluster-issuers.
Should it work OOTB?

Possibility to turn off GLOBALRESOURCES

I've tried to set GLOBALRESOURCES to null but always the defaults namespace storageclass clusterrole clusterrolebinding customresourcedefinition will get set.

Is there an option to disable GLOBALRESOURCES completely?

As far as I saw there is no possibility to do it with the current code.

Pods always complete successfully after restart

If I remove write permission to the git repo then on the first run the pod fails and spits out an error.

However, kubernetes is then restarting the pod and on the second run it passes (without attempting the git push).

I've added a pull request which I think addresses the underlying issue (that we're not starting with a fresh copy of the repo on the second attempt). But I'm aware that I might be missing something obvious, so any thoughts would be appreciated.

helm chart

I think that it would be great if there is a helm chart as one could choose between ssh and aws-git and that could be defined in the values.yml.

Shall I create a helm chart and should this be created in this repository or is it fine to add it to this project?

avoid requiring running as root

it would be best practice to run as an unprivileged user, but when I add a securityContext with runAsUser: 99 it fails with:

kubectl -n kube-backup logs kube-state-backup-1562070000-nd9bk 
error: could not lock config file //.gitconfig: Permission denied

maybe gitconfig could be written to a scratch-dir?

gpg import failing to execute

Already on 'master'
Your branch is up-to-date with 'origin/master'.
No local changes to save
gpg: key XXXXXXXXB95FC: "backend <[email protected]>" not changed
gpg: key XXXXXXXXB95FC/1XXXXXXXXXXB95FC: error sending to agent: Not a tty
gpg: error building skey array: Not a tty
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1

Then the job fails.

This is when using with git crypt enabled :/

entrypoint.sh fails

It fails on clusters that don't have one of the resources types specified (or hardcoded in entrypoint.sh) in the cluster, like for example customresourcedefinition or clusterissuer

kube-backup fail with "can not export service account secrets"

hi!

I'm facing the following issue running kube-backup.
I enabled secrets backup (and properly configured gpg).

It seems kube-backup is unable to extract some secrets of kind kubernetes.io/service-account-token

I also tried to upgrade kubectl in kube-system to latest 1.9.2 with no luck.

Our k8s cluster is updated, 1.9.2

I removed the content of "ca.crt" and "token" from the attached log (keeping only first/last chars).

[blaine-prod] Exporting resources: secrets
The Secret "default-token-hmg6k" is invalid: type: Invalid value: core.Secret{TypeMeta:v1.TypeMeta{Kind:"", APIVersion:""}, ObjectMeta:v1.ObjectMeta{Name:"default-token-hmg6k", GenerateName:"", Namespace:"", SelfLink:"", UID:"", ResourceVersion:"", Generation:0, CreationTimestamp:v1.Time{Time:time.Time{wall:0x0, ext:0, loc:(*time.Location)(nil)}}, DeletionTimestamp:(*v1.Time)(nil), DeletionGracePeriodSeconds:(*int64)(nil), Labels:map[string]string(nil), Annotations:map[string]string{"kubernetes.io/service-account.name":"default", "kubernetes.io/service-account.uid":"c39f3d03-f623-11e7-bb88-005056970681"}, OwnerReferences:[]v1.OwnerReference(nil), Initializers:(*v1.Initializers)(nil), Finalizers:[]string(nil), ClusterName:""}, Data:map[string][]uint8{"ca.crt":[]uint8{0x2d, 0xa}, "namespace":[]uint8{0x62, 0x6c, 0x61, 0x69, 0x6e, 0x65, 0x2d, 0x70, 0x72, 0x6f, 0x64}, "token":[]uint8{0x65, 0x41}}, Type:"kubernetes.io/service-account-token"}: can not export service account secrets
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python2.7/json/__init__.py", line 291, in load
    **kw)
  File "/usr/lib/python2.7/json/__init__.py", line 339, in loads
    return _default_decoder.decode(s)
  File "/usr/lib/python2.7/json/decoder.py", line 364, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/lib/python2.7/json/decoder.py", line 382, in raw_decode
    raise ValueError("No JSON object could be decoded")
ValueError: No JSON object could be decoded

thanks for your repo!

Permission denied

Cloning into '/backup/git'...
load pubkey "/backup/.ssh/id_rsa": Permission denied
Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
Cloning into '/backup/git'...
load pubkey "/backup/.ssh/id_rsa": Permission denied
Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Operator

Hi Pieter, how are you? I have not talked to you for quite a while and hope to see you again during one of the meetups this year. I was wondering what you think about creating an operator for kube-backup. Then it would be possible to select it in a catalog like the aqua-security-operator for openshift4.2. This operator also contains a logo and perhaps it would also be possible to include the floppy icon in the operator to be created.

License?

I'm interested in using this project as a starting point but feel that I should obtain a license. Could you please add a usage license to the readme or to a separate file?

Project status

Hi there! I wanted to reach out and ask about the project status and if it's still considered under active development. The examples in the cronjobs are versioned to 1.5 and the docker hub images only go to 1.9.3. I see some more tags (up to 1.12) so I'm reaching out to see if this is still under development / has regular releases.

.git Not a git repository

Hi !

I am trying to use kube-backup to back up my k8s cluster and push to my private GitLab instance.

I use the cronjob ssh resource and created the kube-backup-ssh secret from an allowed ssh key.

When the pod is created, I follow the logs; it fetches all resources and, before finishing, I get these errors:

fatal: Not a git repository (or any of the parent directories): .git
fatal: Not a git repository (or any of the parent directories): .git
fatal: Not a git repository (or any of the parent directories): .git

Any idea where I'm wrong ?

- name: GIT_REPO
  value: "git.private.com:Kubernetes/dev-cluster-rancid.git"
- name: GIT_USERNAME
  value: "git"
- name: RESOURCETYPES
  value: "ingress deployment configmap svc rc ds thirdpartyresource networkpolicy statefulset storageclass cronjob"
volumeMounts:
- mountPath: /backup/
  name: cache
- mountPath: /backup/.ssh
  name: sshkey

Update readme for new export paths

Newest versions use a different file naming scheme: instead of simply dumping all resources of $type into $namespace/$type we're also including the resource name now.

This means i need to update the tree example and more importantly, i need to update the documentation for combining this with git-crypt (*.secret.yaml instead of secret.yaml). This was noted in the release notes https://github.com/pieterlange/kube-backup/releases/tag/1.9.1 but not updated in the installation instructions.

clusterroles.rbac.authorization.k8s.io "kube-backup-reader" is forbidden

I am trying to enable kube-backup for one of the clusters that is running on GCP.

cronjob-ssh.yaml has been deployed

kubectl describe job kube-state-backup-1545735000 -n kube-system returns:

Error creating: pods "kube-state-backup-1545736800-" is forbidden: error looking up service account kube-system/kube-backup: serviceaccount "kube-backup" not found

When the rbac.yaml is deployed, the following issue occurs:

kubectl create -f https://raw.githubusercontent.com/pieterlange/kube-backup/master/rbac.yaml --namespace=kube-system
clusterrolebinding.rbac.authorization.k8s.io/kube-backup created
Error from server (Forbidden): error when creating 
"https://raw.githubusercontent.com/pieterlange/kube-backup/master/rbac.yaml": 
clusterroles.rbac.authorization.k8s.io "kube-backup-reader" is forbidden:
attempt to grant extra privileges:

Based on this I tried:

kubectl create clusterrolebinding kube-backup-reader --clusterrole=cluster-admin --user=<email-address>

I ran the commands that are defined in this post https://stackoverflow.com/a/47332612/2777965, but the issue persists.

Now I wonder whether the "Tiller approach" should be used (fnproject/fn-helm#21 (comment)).

Running entrypoint.sh in Cloudshell

Hello, when running entrypoint.sh in Google's Cloudshell it throws the error "No module named 'yaml'". The fix for this is to install PyYAML: sudo pip install PyYAML

If you are having other issues to debug the script replace the -e flag on the shebang line with -x to give some clues.

Job has reached the specified backoff limit

I've setup kube-backup in my cluster and followed all the docs. but I got Job has reached the specified backoff limit as soon as I run the cronjobs. any idea ?

this was the describe output of the job

Name:           kube-state-backup-manual-ltt1y
Namespace:      kube-system
Selector:       controller-uid=xxxx
Labels:         app=kube-backup
                controller-uid=xxx
                job-name=kube-state-backup-manual-ltt1y
Annotations:    <none>
Parallelism:    1
Completions:    1
Start Time:     Fri, 05 Mar 2021 02:32:52 +0700
Pods Statuses:  0 Running / 0 Succeeded / 1 Failed
Pod Template:
  Labels:           app=kube-backup
                    controller-uid=xxxx
                    job-name=kube-state-backup-manual-ltt1y
  Service Account:  kube-backup
  Containers:
   backup:
    Image:      xxxx
    Port:       <none>
    Host Port:  <none>
    Environment:
      GIT_REPO:         [email protected]
      GITCRYPT_ENABLE:  true
      GIT_BRANCH:       master
      RESOURCETYPES:    ingress deployment configmap secret svc rc ds thirdpartyresource networkpolicy statefulset storageclass cronjob serviceaccounts persistentvolumes persistentvolumeclaims
    Mounts:
      /backup/ from cache (rw)
      /backup/.ssh from sshkey (rw)
      /secrets from gpgkey (rw)
  Volumes:
   sshkey:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  kube-backup-ssh
    Optional:    false
   cache:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:
    SizeLimit:  <unset>
   gpgkey:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  kube-backup-gpg
    Optional:    false
Events:
  Type     Reason                Age    From            Message
  ----     ------                ----   ----            -------
  Normal   SuccessfulCreate      8m41s  job-controller  Created pod: kube-state-backup-manual-ltt1y-fxgl5
  Warning  BackoffLimitExceeded  8m36s  job-controller  Job has reached the specified backoff limit

manage to get logs of container of job

The connection to the server localhost:8080 was refused - did you specify the right host or port?

Presetting the gpg-agent is necessary prior to git-crypt unlock

Hi @pieterlange ,

I had trouble using your script since any time I used git-crypt unlock, I was asked for the passphrase. So I found a way to preset the passphrase prior to calling git-crypt. Not sure if you are interested in the changes. I will not issue a pull request until you want the changes integrated into your master. You can take a look at

ghoben/kube-backup branch 'origin/gpg-agent-fix'

. Also I added a job-cleanup script which can be called after ./entrypoint.sh in your cron-job without maintaining two jobs with different base images, as you have it in your

job-cleanup.yaml

Why convert it to yaml?

I am wondering why you actually change the output from JSON to Yaml? If you don't you could remove the need for Python, I guess?

kubectl get -o=json "$resource" | jq --sort-keys \
        'del(
          .items[].metadata.annotations."kubectl.kubernetes.io/last-applied-configuration",
          .items[].metadata.annotations."control-plane.alpha.kubernetes.io/leader",
          .items[].metadata.uid,
          .items[].metadata.selfLink,
          .items[].metadata.resourceVersion,
          .items[].metadata.creationTimestamp,
          .items[].metadata.generation
      )' | python -c 'import sys, yaml, json; yaml.safe_dump(json.load(sys.stdin), sys.stdout, default_flow_style=False)' >"$GIT_REPO_PATH/$GIT_PREFIX_PATH/${resource}.yaml"

Could simply be:

kubectl get -o=json "$resource" | jq --sort-keys \
        'del(
          .items[].metadata.annotations."kubectl.kubernetes.io/last-applied-configuration",
          .items[].metadata.annotations."control-plane.alpha.kubernetes.io/leader",
          .items[].metadata.uid,
          .items[].metadata.selfLink,
          .items[].metadata.resourceVersion,
          .items[].metadata.creationTimestamp,
          .items[].metadata.generation
      )' > "$GIT_REPO_PATH/$GIT_PREFIX_PATH/${resource}.json"

git-crypt: error sending to agent: Not a tty BUG

When trying to activate git-crypt I get the following error message:

Already on 'master'
Your branch is up to date with 'origin/master'.
gpg: key BF7B28A1CB694C52: "greple tech <[email protected]>" not changed
gpg: key BF7B28A1CB694C52/BF7B28A1CB694C52: error sending to agent: Not a tty
gpg: error building skey array: Not a tty
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: secret keys read: 1

Cleanup old jobs

CronJob spawns new jobs, but never removes any finished jobs.

New defaults planned for k8s 1.6 should fix this but i want some workaround in the meantime

Can't get asymmetric gpg to work

kubectl -n kube-backup logs kube-state-backup-1562080800-mxpf7  
15:20:11.853030 git.c:344               trace: built-in: git 'config' '--global' 'user.name' 'kube-backup'
15:20:11.854158 git.c:344               trace: built-in: git 'config' '--global' 'user.email' '[email protected]'
15:20:11.855442 git.c:344               trace: built-in: git 'clone' '--depth' '1' 'ssh://[email protected]:7999/tac_jfr/kube-backup-icp-global.git' '/backup/git' '--branch' 'master'
Cloning into '/backup/git'...
15:20:11.857038 run-command.c:626       trace: run_command: 'ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' '-p' '7999' '[email protected]' 'git-upload-pack '\''/tac_jfr/kube-backup-icp-global.git'\'''
Warning: Permanently added '[fsstash.evry.com]:7999,[10.252.176.54]:7999' (RSA) to the list of known hosts.
15:20:11.957372 run-command.c:626       trace: run_command: '--shallow-file' '/backup/git/.git/shallow.lock' 'index-pack' '--stdin' '--fix-thin' '--keep=fetch-pack 11 on kube-state-backup-1562080800-mxpf7'
15:20:11.958333 git.c:344               trace: built-in: git 'index-pack' '--stdin' '--fix-thin' '--keep=fetch-pack 11 on kube-state-backup-1562080800-mxpf7'
15:20:11.963861 run-command.c:626       trace: run_command: 'rev-list' '--objects' '--stdin' '--not' '--all' '--quiet'
15:20:11.964905 git.c:344               trace: built-in: git 'rev-list' '--objects' '--stdin' '--not' '--all' '--quiet'
Your branch is up to date with 'origin/master'.
15:20:11.968975 git.c:344               trace: built-in: git 'checkout' 'master'
Already on 'master'
gpg: directory '/backup/.gnupg' created
gpg: keybox '/backup/.gnupg/pubring.kbx' created
gpg: /backup/.gnupg/trustdb.gpg: trustdb created
gpg: key F69FBA139F2B6402: public key "kube-backup-icp-global <[email protected]>" imported
gpg: key F69FBA139F2B6402: secret key imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1
15:20:12.983338 git.c:344               trace: built-in: git 'status' '-uno' '--porcelain'
15:20:12.984997 git.c:344               trace: built-in: git 'rev-parse' '--show-toplevel'
15:20:12.985982 git.c:344               trace: built-in: git 'config' '--get-all' 'git-crypt.repoStateDir'
15:20:12.987026 git.c:344               trace: built-in: git 'config' '--get' 'gpg.program'
Error: no GPG secret key available to unlock this repository.
To unlock with a shared symmetric key instead, specify the path to the symmetric key as an argument to 'git-crypt unlock'.

Can't download alpine image + questions

I'm still fairly new to this kind of thing but running the Dockerfile seems to fail with the following:

# docker build -t backup .
Sending build context to Docker daemon  139.3kB
Step 1/13 : FROM alpine:3.7
3.7: Pulling from library/alpine
c67f3896b22c: Pull complete 
Digest: sha256:a52b4edb6240d1534d54ee488d7cf15b3778a5cfd0e4161d426c550487cddc5d
Status: Downloaded newer image for alpine:3.7
 ---> 34ea7509dcad
Step 2/13 : RUN apk update &&   apk add --update     bash     easy-rsa     git     openssh-client     curl     ca-certificates     jq     python     py-yaml     py2-pip     libstdc++     gpgme     libressl-dev     make     g++     &&   git clone https://github.com/AGWA/git-crypt.git &&   make --directory git-crypt &&   make --directory git-crypt install &&   rm -rf git-crypt &&   apk del libressl-dev make g++ &&   rm -rf /var/cache/apk/*
 ---> Running in 958dbf103f72
fetch http://dl-cdn.alpinelinux.org/alpine/v3.7/main/x86_64/APKINDEX.tar.gz
ERROR: http://dl-cdn.alpinelinux.org/alpine/v3.7/main: temporary error (try again later)
WARNING: Ignoring APKINDEX.70c88391.tar.gz: No such file or directory
fetch http://dl-cdn.alpinelinux.org/alpine/v3.7/community/x86_64/APKINDEX.tar.gz
ERROR: http://dl-cdn.alpinelinux.org/alpine/v3.7/community: temporary error (try again later)
WARNING: Ignoring APKINDEX.5022a8a2.tar.gz: No such file or directory
2 errors; 13 distinct packages available
The command '/bin/sh -c apk update &&   apk add --update     bash     easy-rsa     git     openssh-client     curl     ca-certificates     jq     python     py-yaml     py2-pip     libstdc++     gpgme     libressl-dev     make     g++     &&   git clone https://github.com/AGWA/git-crypt.git &&   make --directory git-crypt &&   make --directory git-crypt install &&   rm -rf git-crypt &&   apk del libressl-dev make g++ &&   rm -rf /var/cache/apk/*' returned a non-zero code: 2

I tested to see if it was a network issue specific to my server by changing FROM to 'ubuntu' and that downloaded just fine. The URL is available and I'm able to download the file normally. Am I doing something wrong?

--

I'm trying to hook my K8 cluster to my BitBucket account but am finding the README a little difficult to decipher.

  1. Where are the environment parameters set? Should they be added into the Dockerfile?

  2. Could you also clarify about mounting /backup/.ssh, I need to create that directory on the host and include a VOLUME /backup/.ssh in the Dockerfile?

Any help and clarification would be much appreciated.

/entrypoint.sh: line 77: [: too many arguments

Hi,

I've download the cronjob-ssh.yaml file and rbac.yaml and the only one what I have changed is the git URL.

$ sudo diff original cronjob.yaml
36c36
<               value: "[email protected]:infra/kube-backup.git"
---
>               value: "git@gitlab.***************:****/kube-backup.git"

When i try to load the yaml file, the container failed with this error:

Cloning into '/backup/git'...
Already on 'master'
Your branch is up to date with 'origin/master'.
Exporting resource: namespace
Exporting resource: storageclass
Exporting resource: clusterrole
Exporting resource: clusterrolebinding
Exporting resource: customresourcedefinition
[default] Exporting resources: ingress
[default] Exporting resources: deployment
[default] Exporting resources: configmap
[default] Exporting resources: svc
[default] Exporting resources: rc
[default] Exporting resources: ds
[default] Exporting resources: customresourcedefinition
/entrypoint.sh: line 77: [: too many arguments
/entrypoint.sh: line 95: /backup/git/./default/is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds type:string],map[description:Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds type:string],map[description:Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds type:string],map[description:The kind attribute of the resource associated with the status StatusReason. On some operations may differ from the requested resource Kind. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds type:string],map[description:Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds type:string],map[type:string description:Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds],map[description:The kind attribute of the resource associated with the status StatusReason. On some operations may differ from the requested resource Kind. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds type:string],map[type:string description:Kind of the referent. 
More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds],Alertmanager   alertmanagers.monitoring.coreos.com.customresourcedefinition.yaml: No such file or directory
error: there is no need to specify a resource type as a separate argument when passing arguments in resource/name form (e.g. 'kubectl get resource/<resource_name>' instead of 'kubectl get resource resource/<resource_name>'

Could you please help me to solve this issue?

Our environment:

$ kubectl version
Client Version: version.Info{Major:"1", Minor:"12", GitVersion:"v1.12.0", GitCommit:"0ed33881dc4355495f623c6f22e7dd0b7632b7c0", GitTreeState:"clean", BuildDate:"2018-09-27T17:05:32Z", GoVersion:"go1.10.4", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.3", GitCommit:"a4529464e4629c21224b3d52edfe0ea91b072862", GitTreeState:"clean", BuildDate:"2018-09-09T17:53:03Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"}

Thanks!
Zsolt

Security

Would it be possible to run kube-backup in a kube-backup namespace or will this not improve security? This would imply that some RBAC rules have to be added. Or is this a kind of security-through-obscurity question? The question occurred when we were improving the security of the tiller deployment.

Permission Issue (namespaces is forbidden)

Thanks for maintaining this project by the way! It was exactly what I was looking for.

My Setup:
k8s version: 1.12.3
OS: Ubuntu 16.04 LTS

My problem:
my job fails with the following error.

Error from server (Forbidden): namespaces is forbidden: User "system:serviceaccount:kube-system:kube-backup" cannot list resource "namespaces" in API group "" at the cluster scope

Possible Solution:
I'm working on testing a ClusterRole and ClusterRoleBinding being added to the yaml will fix the issue. would you like me to draft up a PR?
