{"id":50980775,"url":"https://github.com/mitja/hcloud-gardener-backupbucket","last_synced_at":"2026-06-19T14:01:28.780Z","repository":{"id":365036587,"uuid":"1269817348","full_name":"mitja/hcloud-gardener-backupbucket","owner":"mitja","description":"Gardener extension: BackupBucket/BackupEntry for Hetzner Object Storage (provider type hcloud)","archived":false,"fork":false,"pushed_at":"2026-06-15T14:46:21.000Z","size":67,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-15T16:27:17.010Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mitja.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-15T06:01:55.000Z","updated_at":"2026-06-15T14:48:06.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/mitja/hcloud-gardener-backupbucket","commit_stats":null,"previous_names":["mitja/hcloud-gardener-backupbucket"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/mitja/hcloud-gardener-backupbucket","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mitja%2Fhcloud-gardener-backupbucket","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mitja%2Fhcloud-gardener-backupbucket/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mitja%2Fhcloud-gardener-backupbucket/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mitja%2Fhcloud-gardener-backupbucket/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mitja","download_url":"https://codeload.github.com/mitja/hcloud-gardener-backupbucket/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mitja%2Fhcloud-gardener-backupbucket/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34534278,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-19T02:00:06.005Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-06-19T14:01:26.380Z","updated_at":"2026-06-19T14:01:28.766Z","avatar_url":"https://github.com/mitja.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# gardener-extension-backupbucket-hcloud\n\nA [Gardener](https://gardener.cloud) extension implementing the **BackupBucket**\nand **BackupEntry** contracts for **Hetzner Object Storage** (S3-compatible). It lets\ngardenlet/etcd-druid back up the virtual-garden and shoot etcds to Hetzner Object\nStorage — the piece `provider-hcloud` does not ship (no native BackupBucket controller).\n\nIt registers the provider type **`S3`** (not `hcloud`): etcd-druid feeds the seed/garden\nbackup provider straight through as the etcd store provider and only accepts a fixed set\n(`aws`/`S3`/`stackit`/…), rejecting `hcloud` as an *\"unsupported storage provider\"*. `S3`\nnames the **protocol**; the implementation underneath is still Hetzner Object Storage\n(custom endpoint via the secret). This is the Hetzner/`hcloud` S3-backup extension.\n\nSibling to [`hcloud-gardener-dnsrecord`](../hcloud-gardener-dnsrecord) and built the\nsame way; pinned to gardener **v1.122.3**.\n\n## What it does\n\n| Resource | Reconcile | Delete |\n|---|---|---|\n| `BackupBucket` (type `S3`) | create the S3 bucket (named after the BackupBucket) + publish a generated secret with the S3 credentials → `status.generatedSecretRef` | delete the generated secret, then empty + delete the bucket |\n| `BackupEntry` (type `S3`) | (generic actuator) write the per-entry etcd-backup-restore secret from `GetETCDSecretData` | delete the entry's `\u003centry\u003e/` prefix from the bucket |\n\nThe S3 client is [minio-go](https://github.com/minio/minio-go) against\n`https://\u003cendpoint\u003e` (TLS, V4 signing).\n\n## Backup secret\n\nThe secret referenced by `Seed.spec.backup.secretRef` (Hetzner Object Storage\ncredentials) must contain — `camelCase` or `UPPER_SNAKE_CASE` accepted:\n\n| key | required | notes |\n|---|---|---|\n| `accessKeyID` / `ACCESS_KEY_ID` | yes | Hetzner Object Storage S3 access key |\n| `secretAccessKey` / `SECRET_ACCESS_KEY` | yes | … secret key |\n| `endpoint` / `ENDPOINT` | yes | host, no scheme — e.g. `nbg1.your-objectstorage.com` |\n| `region` / `REGION` | no | default `nbg1` |\n\nThe extension re-emits these (canonical keys `accessKeyID`/`secretAccessKey`/\n`region`/`endpoint`) into the generated bucket secret and the per-entry\netcd-backup-restore secret.\n\n## Build\n\n```sh\ngo build ./...                                   # compile\ndocker build -t ghcr.io/mitja/hcloud-gardener-backupbucket:dev .\n```\nCI — the image is built + published to **both** registries (policy: every image is kept on\nForgejo so the platform never depends on GHCR uptime; public repos also publish to GHCR):\n- **GHCR (public pull source)** — `.github/workflows/release.yml` (GitHub Actions) runs on\n  a `v*` tag: `go vet`/`go test`, builds + pushes `ghcr.io/mitja/hcloud-gardener-backupbucket:\n  {\u003ctag\u003e,latest}` (what the seed pulls; mirrors `hcloud-gardener-dnsrecord`) via the\n  built-in `GITHUB_TOKEN` (no PAT), and publishes a GitHub release with the generated\n  `controller-registration.yaml`.\n- **Forgejo (always-available fallback)** — `.forgejo/workflows/build.yml` (Forgejo\n  Actions) runs on push to `main`/tags and pushes\n  `git.paasbox.com/paasbox/hcloud-gardener-backupbucket:{\u003csha\u003e,latest}`; secrets\n  `REGISTRY_USER`/`REGISTRY_TOKEN`. Repoint `image.repository` here to fail over.\n\nThe repo lives on **both** git hosts (public GitHub + private Forgejo); push commits and\ntags to both remotes so both CIs build.\n\n## Install (register in the virtual garden)\n\n```sh\nhack/generate-controller-registration.sh   # → example/controller-registration.yaml (chart inlined)\nkubectl apply -f example/controller-registration.yaml   # against the virtual garden\n```\nThe chart defaults to the **public** `ghcr.io/mitja/hcloud-gardener-backupbucket` image,\nso no pull secret is needed. To pull from the private Forgejo registry instead, override\n`image.repository` and set `imagePullSecrets` in the ControllerDeployment `values`.\n\nThen enable seed backups, e.g.:\n```yaml\n# Seed (or the Gardenlet seedConfig)\nspec:\n  backup:\n    provider: S3            # NOT \"hcloud\" — see the note below; etcd-druid requires this\n    region: nbg1\n    secretRef:\n      name: backup-hcloud\n      namespace: garden\n```\n\n## Why the provider type is `S3`, not `hcloud`\n\netcd-druid (v0.30.1, bundled with gardener v1.122.3) derives the etcd-backup-restore\nstore provider **directly** from the seed/garden backup provider — `etcd.go` does\n`StorageProvider(backupConfig.Provider)` with **no translation** — and its\n`storageProviderFromInfraProvider` map only accepts a fixed set:\n`aws`/`S3`, `stackit`→S3, `azure`/`ABS`, `gcp`/`GCS`, `alicloud`/`OSS`,\n`openstack`/`Swift`, `dell`/`ECS`, `openshift`/`OCS`, `Local`. Anything else (e.g.\n`hcloud`) → **`\"unsupported storage provider\"`** and etcd backup never configures.\n\nSo this extension registers the type **`S3`**, which druid maps to its S3 snapstore.\nHetzner-specificity comes entirely through the **secret**: the BackupEntry\n`GetETCDSecretData` supplies `accessKeyID`/`secretAccessKey`/`region`/`endpoint`, and the\nS3 snapstore honours the custom `endpoint` (`nbg1.your-objectstorage.com`). Verified by\nreading the gardener/etcd-druid source; confirm end-to-end on first enablement that a\nsnapshot lands in the bucket.\n\n## License\n\nApache-2.0.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmitja%2Fhcloud-gardener-backupbucket","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmitja%2Fhcloud-gardener-backupbucket","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmitja%2Fhcloud-gardener-backupbucket/lists"}