pieced/pieced-threema-gateway-public
Public Access
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sync chart from pieced-threema-gateway 0.1.8

Browse Source
This commit is contained in:
pieced-ci
2026-05-19 18:42:31 +00:00
parent 834bed88e0
commit 342f5728f4
5 changed files with 292 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

139
deploy/helm/pieced-threema-gateway/templates/database-backup-cleanup.yaml Normal file
View File

@@ -0,0 +1,139 @@
{{- if and .Values.postgres.enabled .Values.postgres.backup.enabled .Values.postgres.backup.cleanup.enabled }}
# =============================================================================
# Backup CR cleanup CronJob.
#
# The Cluster has barmanObjectStore.retentionPolicy set, but that only
# prunes the actual backup data (base + WAL) in the MinIO bucket. CNPG
# does NOT delete the Kubernetes `Backup` CRs that ScheduledBackup keeps
# creating, so without this job they accumulate one per day forever and
# bloat the ArgoCD resource tree under the ScheduledBackup parent.
#
# Strategy:
# List all Backup CRs for cluster=pieced-threema-gateway-db, sort by
# creationTimestamp ascending, drop the last N entries (newest),
# delete the rest. Keep ~2x the S3 retention so we never delete a CR
# whose data is still on disk.
#
# Same shape as apps/litellm-pg-backup-cleanup.yaml in pieced-gitops.
# =============================================================================
apiVersion: v1
kind: ServiceAccount
metadata:
name: pieced-threema-gateway-db-backup-cleanup
namespace: {{ .Values.namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: pieced-threema-gateway-db-backup-cleanup
namespace: {{ .Values.namespace }}
rules:
- apiGroups: ["postgresql.cnpg.io"]
resources: ["backups"]
verbs: ["get", "list", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: pieced-threema-gateway-db-backup-cleanup
namespace: {{ .Values.namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: pieced-threema-gateway-db-backup-cleanup
subjects:
- kind: ServiceAccount
name: pieced-threema-gateway-db-backup-cleanup
namespace: {{ .Values.namespace }}
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: pieced-threema-gateway-db-backup-cleanup
namespace: {{ .Values.namespace }}
labels:
app.kubernetes.io/name: pieced-threema-gateway-db-backup-cleanup
app.kubernetes.io/part-of: pieced-platform
spec:
schedule: {{ .Values.postgres.backup.cleanup.schedule | quote }}
concurrencyPolicy: Forbid
successfulJobsHistoryLimit: 1
failedJobsHistoryLimit: 1
startingDeadlineSeconds: 600
jobTemplate:
spec:
# Auto-clean the Job object 1h after completion so it doesn't
# also pile up in ArgoCD's tree.
ttlSecondsAfterFinished: 3600
backoffLimit: 1
template:
metadata:
labels:
app.kubernetes.io/name: pieced-threema-gateway-db-backup-cleanup
spec:
serviceAccountName: pieced-threema-gateway-db-backup-cleanup
restartPolicy: OnFailure
securityContext:
runAsNonRoot: true
runAsUser: 1001
runAsGroup: 1001
seccompProfile:
type: RuntimeDefault
containers:
- name: cleanup
image: {{ .Values.postgres.backup.cleanup.image | quote }}
imagePullPolicy: IfNotPresent
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop: ["ALL"]
resources:
requests:
cpu: 10m
memory: 32Mi
limits:
cpu: 100m
memory: 128Mi
env:
- name: NAMESPACE
value: {{ .Values.namespace | quote }}
- name: CLUSTER
value: pieced-threema-gateway-db
- name: KEEP
value: {{ .Values.postgres.backup.cleanup.keep | quote }}
command:
- /bin/bash
- -c
- |
set -euo pipefail
echo "Listing Backup CRs for cluster=${CLUSTER} in ns=${NAMESPACE}"
mapfile -t all < <(
kubectl -n "${NAMESPACE}" get backups.postgresql.cnpg.io \
-l "cnpg.io/cluster=${CLUSTER}" \
--sort-by=.metadata.creationTimestamp \
-o name
)
total=${#all[@]}
echo "Found ${total} backup CR(s); keeping newest ${KEEP}"
if (( total <= KEEP )); then
echo "Nothing to prune."
exit 0
fi
prune_count=$(( total - KEEP ))
to_delete=("${all[@]:0:${prune_count}}")
echo "Deleting ${prune_count} old backup CR(s):"
printf ' %s\n' "${to_delete[@]}"
# Delete in chunks to keep the kubectl command line sane
# even if the historical backlog is in the hundreds.
printf '%s\n' "${to_delete[@]}" \
| xargs -r -n 50 kubectl -n "${NAMESPACE}" delete --ignore-not-found
echo "Done."
{{- end }}

59
deploy/helm/pieced-threema-gateway/templates/database-backup.yaml Normal file
View File

@@ -0,0 +1,59 @@
{{- if and .Values.postgres.enabled .Values.postgres.backup.enabled }}
# =============================================================================
# S3 credentials for the CNPG Cluster's barmanObjectStore.
#
# Projects the in-cluster MinIO root credentials out of OpenBao
# (.Values.postgres.backup.s3.credentialsPath) into a Secret in this
# namespace. Referenced by spec.backup.barmanObjectStore.s3Credentials
# on the Cluster CR (see templates/database.yaml).
#
# Same shape and convention as the chart's other ExternalSecrets
# (templates/externalsecret.yaml) — KV v2 path without /data/ segment.
# =============================================================================
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: cnpg-s3-credentials
namespace: {{ .Values.namespace }}
spec:
refreshInterval: 1h
secretStoreRef:
name: openbao-backend
kind: ClusterSecretStore
target:
name: cnpg-s3-credentials
creationPolicy: Owner
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
key: {{ .Values.postgres.backup.s3.credentialsPath }}
property: {{ .Values.postgres.backup.s3.accessKeyProperty }}
- secretKey: ACCESS_SECRET_KEY
remoteRef:
key: {{ .Values.postgres.backup.s3.credentialsPath }}
property: {{ .Values.postgres.backup.s3.secretKeyProperty }}
---
# =============================================================================
# Daily backup of the pieced-threema-gateway-db CNPG cluster.
#
# IMPORTANT — cron format:
# CNPG ScheduledBackup uses a SIX-field Go-style cron expression
# (sec min hour dom mon dow), NOT the 5-field Unix crontab format. The
# CNPG controller silently accepts 5-field expressions but reinterprets
# them — see https://github.com/cloudnative-pg/cloudnative-pg/issues/5380
# Default schedule (.Values.postgres.backup.schedule.cron) is set
# accordingly.
# =============================================================================
apiVersion: postgresql.cnpg.io/v1
kind: ScheduledBackup
metadata:
name: pieced-threema-gateway-db-daily
namespace: {{ .Values.namespace }}
spec:
schedule: {{ .Values.postgres.backup.schedule.cron | quote }}
backupOwnerReference: self
cluster:
name: pieced-threema-gateway-db
method: barmanObjectStore
immediate: {{ .Values.postgres.backup.schedule.immediate }}
{{- end }}

19
deploy/helm/pieced-threema-gateway/templates/database.yaml
View File

@@ -17,4 +17,23 @@ spec:
{{- toYaml .Values.postgres.resources | nindent 4 }}
monitoring:
enablePodMonitor: true
{{- if .Values.postgres.backup.enabled }}
backup:
barmanObjectStore:
destinationPath: s3://{{ .Values.postgres.backup.s3.bucket }}/pieced-threema-gateway-db/
endpointURL: {{ .Values.postgres.backup.s3.endpointURL | quote }}
s3Credentials:
accessKeyId:
name: cnpg-s3-credentials
key: ACCESS_KEY_ID
secretAccessKey:
name: cnpg-s3-credentials
key: ACCESS_SECRET_KEY
wal:
compression: {{ .Values.postgres.backup.wal.compression }}
maxParallel: {{ .Values.postgres.backup.wal.maxParallel }}
data:
compression: {{ .Values.postgres.backup.data.compression }}
retentionPolicy: {{ .Values.postgres.backup.retentionPolicy | quote }}
{{- end }}
{{- end }}