From b9e7edc4a157e9b7b7675f53082076586994dd4f Mon Sep 17 00:00:00 2001 From: Frederik Ring Date: Tue, 15 Aug 2023 09:18:28 +0200 Subject: [PATCH] chore(backup): update production sql backup to use s3 client (#1092) --- .../wbaas-backup.values.yaml.gotmpl | 11 ++++----- k8s/helmfile/helmfile.yaml | 2 +- tf/env/production/secrets-gcs.tf | 24 +++++++++++++++++++ 3 files changed, 30 insertions(+), 7 deletions(-) create mode 100644 tf/env/production/secrets-gcs.tf diff --git a/k8s/helmfile/env/production/wbaas-backup.values.yaml.gotmpl b/k8s/helmfile/env/production/wbaas-backup.values.yaml.gotmpl index a08b9c156..6256281ab 100644 --- a/k8s/helmfile/env/production/wbaas-backup.values.yaml.gotmpl +++ b/k8s/helmfile/env/production/wbaas-backup.values.yaml.gotmpl @@ -1,17 +1,16 @@ image: repository: ghcr.io/wmde/wbaas-backup - tag: v0.2.0 + tag: v0.3.0 pullPolicy: Always job: cronSchedule: "0 0 * * *" +scratchDiskSpace: 64Gi + storage: - scratchDiskSpace: 64Gi - gcs: - bucketName: wikibase-cloud-sql-backup - serviceAccountSecretName: api-serviceaccount - uploadToBucket: true + bucketName: wikibase-cloud-sql-backup + uploadToBucket: true db: load: diff --git a/k8s/helmfile/helmfile.yaml b/k8s/helmfile/helmfile.yaml index b07e1e226..fdefb20c8 100644 --- a/k8s/helmfile/helmfile.yaml +++ b/k8s/helmfile/helmfile.yaml @@ -211,7 +211,7 @@ releases: - name: wbaas-backup namespace: default chart: wbstack/wbaas-backup - version: {{ ternary "0.1.0" "0.0.6" (ne .Environment.Name "production") }} + version: 0.1.0 <<: *default_release - name: kube-prometheus-stack diff --git a/tf/env/production/secrets-gcs.tf b/tf/env/production/secrets-gcs.tf new file mode 100644 index 000000000..6a2e2ea8a --- /dev/null +++ b/tf/env/production/secrets-gcs.tf 
@@ -0,0 +1,24 @@
+resource "google_service_account" "production-backup-upload" {
+ account_id = "production-backup-upload"
+}
+
+resource "google_storage_hmac_key" "production-backup-upload-key" {
+ service_account_email = google_service_account.production-backup-upload.email
+}
+
+resource "google_project_iam_member" "production-backup-upload" {
+ role = "roles/storage.admin"
+ member = "serviceAccount:${google_service_account.production-backup-upload.email}"
+ project = local.project_id
+}
+
+resource "kubernetes_secret" "gcs-hmac-key" {
+ provider = kubernetes.wbaas-3
+ metadata {
+ name = "gcs-hmac-key"
+ }
+ data = {
+ "access-key" = google_storage_hmac_key.production-backup-upload-key.access_id
+ "secret-key" = google_storage_hmac_key.production-backup-upload-key.secret
+ }
+}
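Review bot: `roles/storage.admin` bound through `google_project_iam_member` gives the backup-upload account full control over every bucket in the project (bucket creation and deletion, bucket IAM policy, object deletion), and its HMAC key is then placed in the cluster as `gcs-hmac-key`. A job that only uploads dumps needs far less: bind the account on the backup bucket alone with `google_storage_bucket_iam_member` and `roles/storage.objectCreator`, so a leaked key can neither delete or overwrite existing backups nor reach other buckets. If the backup client overwrites or prunes objects, `roles/storage.objectAdmin` on that one bucket is the fallback; the bucket name below is taken from the values file in this commit and should become a Terraform reference if the bucket is managed here. The HMAC secret is also written to Terraform state, so the state backend needs the same access restrictions as the Kubernetes secret.

```hcl
# … unchanged: google_service_account and google_storage_hmac_key resources …
resource "google_storage_bucket_iam_member" "production-backup-upload" {
  bucket = "wikibase-cloud-sql-backup"
  role   = "roles/storage.objectCreator"
  member = "serviceAccount:${google_service_account.production-backup-upload.email}"
}
# … unchanged: kubernetes_secret "gcs-hmac-key" …
```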