Skip to content

XS✔ ◾ feat: add backup sidecar with restic for scheduled snapshots#1

Open
dimoschi wants to merge 13 commits intomainfrom
feat/backup-sidecar
Open

XS✔ ◾ feat: add backup sidecar with restic for scheduled snapshots#1
dimoschi wants to merge 13 commits intomainfrom
feat/backup-sidecar

Conversation

@dimoschi
Copy link
Collaborator

@dimoschi dimoschi commented Mar 19, 2026
edited
Loading

Summary

  • Add optional backup sidecar using restic for scheduled Typesense data snapshots
  • Backup runs only on pod-0 via cron, uploads to any restic-compatible backend (S3, GCS, Azure Blob, etc.)
  • Auto-initializes restic repository on first run, handles stale locks
  • Configurable schedule, retention policy, image, and credentials via env/envFrom
  • Bump chart version to 1.1.0
  • Remove hardcoded chart.version from test files to avoid manual updates on version bumps

Changes

  • New template: backup-scripts-configmap.yaml (entrypoint.sh + backup.sh)
  • Modified template: statefulset.yaml (backup sidecar container + volume mounts)
  • Values: backup.* block (enabled, schedule, image, retention, env, envFrom, resources)
  • Tests: 13 new backup test cases (84 total, all passing)
  • Tests cleanup: Removed chart.version from all test files, use regex for helm.sh/chart label assertion
  • Docs: README backup section, ACKNOWLEDGMENTS (restic), Changelog, ArtifactHub images

Test plan

  • mise run test -- 84 tests passing
  • mise run lint -- clean
  • No HTB-specific references in backup code
  • Validated against internal PR hackthebox/helm-charts#345
  • CI passes on PR

@github-actions
Copy link

github-actions bot commented Mar 19, 2026
edited
Loading

PR Metrics

Thanks for keeping your pull request small.
Thanks for adding tests.

Lines
Product Code 171
Test Code 257
Subtotal 428
Ignored Code 260
Total 688

Metrics computed by PR Metrics. Add it to your Azure DevOps and GitHub PRs!

@github-actions github-actions bot changed the title feat: add backup sidecar with restic for scheduled snapshots XS✔ ◾ feat: add backup sidecar with restic for scheduled snapshots Mar 19, 2026
@dimoschi dimoschi force-pushed the feat/backup-sidecar branch from 75998f3 to ceb9df3 Compare March 19, 2026 15:49
dimoschi added 4 commits March 19, 2026 18:06
@dimoschi
chore: bump chart version to 1.1.0 in all test files
fecd660
@dimoschi
chore: remove hardcoded chart.version from test files
692e1d6 
Let tests inherit the version from Chart.yaml instead of duplicating
it in every test file. Use matchRegex for the helm.sh/chart label
assertion to avoid version-dependent test updates.
@dimoschi
fix(backup): replace crond with sleep loop, run as non-root
fe92da0 
Replace crond-based scheduling with a sleep-based interval loop. This
eliminates the root requirement entirely: the backup sidecar now runs
as UID 10000 (same as Typesense) with read-only root filesystem and
all capabilities dropped.

This fixes a bug where snapshot cleanup failed because root without
DAC_OVERRIDE capability could not delete files owned by UID 10000.
Running as the same UID resolves this without adding capabilities.

Also adds snapshot success validation before uploading to restic.

Breaking change: backup.schedule (cron expression) is replaced by
backup.intervalSeconds (integer, default 86400 = 24h).
@dimoschi
fix(backup): add tmp emptyDir and RESTIC_CACHE_DIR for read-only rootfs
2160d94 
Restic needs writable /tmp for temp packs and /.cache for its cache.
Mount an emptyDir at /tmp and set RESTIC_CACHE_DIR to /tmp/.cache/restic.
Validated on EKS dev cluster with rc.9 of the internal chart.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@dimoschi