@bendilley
Created October 21, 2024 10:11
PersistentVolume Shredder
shred.bash
#!/bin/bash
# Overwrite every file on a Kubernetes PersistentVolume with shred(1), then
# remove the volume from Kubernetes and from Linode.
set -o pipefail

if (( $# != 1 )); then
    echo -e '\nusage: shred.bash <volume_name>\n'
    exit 2
fi
vol=$1

# The Linode volume label is the PV name with the hyphens stripped.
linode_vol=${vol//-/}
# -w matches the whole label, so a volume whose label merely contains this
# one is not picked up; refuse to continue unless exactly one id is found.
linode_vol_id=$(linode-cli volumes ls | grep -w "$linode_vol" | awk '{print $2}')
if [[ -z "$linode_vol_id" || "$linode_vol_id" == *$'\n'* ]]; then
    echo "expected exactly one Linode volume labelled $linode_vol, got: ${linode_vol_id:-none}" >&2
    exit 1
fi

# Capacity of the pv, reused as the storage request of the shredder's claim.
size=$(kubectl get pv "$vol" -o "custom-columns=SIZE:.spec.capacity.storage" | tail -n +2)
if [[ -z "$size" ]]; then
    echo "PersistentVolume $vol not found" >&2
    exit 1
fi

kc() { kubectl -n default "$@"; }

# Bail-out if any of the following steps fail:
# * Claim the PersistentVolume (pv) for the shredder
# * Create the shredder job
# * Update the pv to refer back to the PersistentVolumeClaim (pvc)
# * Wait for the shredder to start running
# * Tail the log from beginning to end
# * Confirm that the job completed
# * Delete the Job and pvc so the volume is unbound
# * Delete the pv from kubernetes
# * Delete the volume from linode
sed -r -e "s/VOLUME_NAME/$vol/g" -e "s/VOLUME_SIZE/$size/g" shredder-claim.yml | kc create -f - && \
kc apply -f shredder.yml --wait && \
kc patch pv "$vol" --type json -p '[{"op":"replace","path":"/spec/claimRef","value":{"name":"sensitive-data","namespace":"default"}}]' && \
kc get pod -l "task=shred" && \
echo "The volume can take 30+ seconds to attach, please wait..." && \
kc wait --for condition=ContainersReady pod -l "task=shred" --timeout=60s && \
echo '--------------------------------------------------------------------------------' && \
kc logs --follow -l "task=shred" --tail=-1 --pod-running-timeout=1h && \
echo '--------------------------------------------------------------------------------' && \
kc wait --for condition=Complete job/shredder --timeout=10s && \
kc describe job shredder | grep -i status && \
kc delete job,pvc -l task=shred --wait && \
kubectl delete pv "$vol" && \
linode-cli volumes delete "$linode_vol_id"
shredder-claim.yml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  namespace: default
  name: sensitive-data
  labels:
    task: shred
spec:
  # Bind explicitly to the pv being shredded; shred.bash substitutes both
  # placeholders before creating the claim.
  volumeName: VOLUME_NAME
  accessModes: ["ReadWriteOnce"]
  resources:
    requests:
      storage: VOLUME_SIZE
shredder.yml
apiVersion: batch/v1
kind: Job
metadata:
  namespace: default
  name: shredder
  labels:
    task: shred
spec:
  backoffLimit: 0 # don't retry if it fails
  template:
    metadata:
      labels:
        task: shred
    spec:
      restartPolicy: Never
      containers:
        - name: shredder
          image: debian:bookworm-slim
          command: ["/bin/sh"]
          args:
            - -c
            # Overwrite every regular file in place (shred's default three
            # passes). Only existing files are touched: free space, already
            # deleted data and filesystem metadata are not, which is why
            # shred.bash deletes the backing volume afterwards.
            - find /sensitive-data -type f -exec shred --verbose '{}' \;
          resources:
            requests:
              cpu: 10m
            limits:
              cpu: 100m
              memory: 100Mi
          volumeMounts:
            - name: sensitive-data
              mountPath: /sensitive-data
      volumes:
        - name: sensitive-data
          persistentVolumeClaim:
            claimName: sensitive-data