Sync chart from pieced-threema-gateway 0.1.8

2026-05-19 18:42:31 +00:00
parent 834bed88e0
commit 342f5728f4
5 changed files with 292 additions and 3 deletions
--- a/deploy/helm/pieced-threema-gateway/templates/database-backup.yaml
+++ b/deploy/helm/pieced-threema-gateway/templates/database-backup.yaml
@@ -0,0 +1,59 @@
+{{- if and .Values.postgres.enabled .Values.postgres.backup.enabled }}
+# =============================================================================
+# S3 credentials for the CNPG Cluster's barmanObjectStore.
+#
+# Projects the in-cluster MinIO root credentials out of OpenBao
+# (.Values.postgres.backup.s3.credentialsPath) into a Secret in this
+# namespace. Referenced by spec.backup.barmanObjectStore.s3Credentials
+# on the Cluster CR (see templates/database.yaml).
+#
+# Same shape and convention as the chart's other ExternalSecrets
+# (templates/externalsecret.yaml) — KV v2 path without /data/ segment.
+# =============================================================================
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: cnpg-s3-credentials
+  namespace: {{ .Values.namespace }}
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: openbao-backend
+    kind: ClusterSecretStore
+  target:
+    name: cnpg-s3-credentials
+    creationPolicy: Owner
+  data:
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        key: {{ .Values.postgres.backup.s3.credentialsPath }}
+        property: {{ .Values.postgres.backup.s3.accessKeyProperty }}
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        key: {{ .Values.postgres.backup.s3.credentialsPath }}
+        property: {{ .Values.postgres.backup.s3.secretKeyProperty }}
+---
+# =============================================================================
+# Daily backup of the pieced-threema-gateway-db CNPG cluster.
+#
+# IMPORTANT — cron format:
+# CNPG ScheduledBackup uses a SIX-field Go-style cron expression
+# (sec min hour dom mon dow), NOT the 5-field Unix crontab format. The
+# CNPG controller silently accepts 5-field expressions but reinterprets
+# them — see https://github.com/cloudnative-pg/cloudnative-pg/issues/5380
+# Default schedule (.Values.postgres.backup.schedule.cron) is set
+# accordingly.
+# =============================================================================
+apiVersion: postgresql.cnpg.io/v1
+kind: ScheduledBackup
+metadata:
+  name: pieced-threema-gateway-db-daily
+  namespace: {{ .Values.namespace }}
+spec:
+  schedule: {{ .Values.postgres.backup.schedule.cron | quote }}
+  backupOwnerReference: self
+  cluster:
+    name: pieced-threema-gateway-db
+  method: barmanObjectStore
+  immediate: {{ .Values.postgres.backup.schedule.immediate }}
+{{- end }}