Sync chart from pieced-threema-gateway 0.1.8

deploy/helm/pieced-threema-gateway/values.yaml

@@ -6,7 +6,7 @@ namespace: threema-gateway
 
 image:
   repository: registry.c5ai.ch/pieced/pieced-threema-gateway
-  tag: "0.1.7"
+  tag: "0.1.8"
   pullPolicy: IfNotPresent
 
 # Pull from registry.c5ai.ch — matches operator + portal pattern.
@@ -49,6 +49,78 @@ postgres:
       cpu: 100m
       memory: 256Mi
 
+  # ---------------------------------------------------------------------------
+  # Daily backup to in-cluster MinIO via barmanObjectStore.
+  #
+  # When enabled, the chart renders:
+  #   - spec.backup on the CNPG Cluster (templates/database.yaml)
+  #   - ExternalSecret "cnpg-s3-credentials" pulling MinIO root creds
+  #     from OpenBao (templates/database-backup.yaml)
+  #   - ScheduledBackup "pieced-threema-gateway-db-daily" (templates/database-backup.yaml)
+  #   - CronJob "pieced-threema-gateway-db-backup-cleanup" that prunes
+  #     old Backup CRs so the ArgoCD resource tree stays tidy
+  #     (templates/database-backup-cleanup.yaml)
+  #
+  # Note on Cilium: this chart's CiliumNetworkPolicy only restricts the
+  # relay pod (endpointSelector matches app.kubernetes.io/name=
+  # pieced-threema-gateway). The CNPG postgres pod is NOT covered by
+  # that policy, so its egress to MinIO works freely as long as there
+  # is no namespace-level default-deny CNP in threema-gateway. If you
+  # later add one, you'll also need to allow egress to
+  # minio.minio-pieced.svc:80 from pods labelled cnpg.io/cluster=
+  # pieced-threema-gateway-db.
+  backup:
+    enabled: true
+
+    # Where backups land. The destinationPath is hard-coded to use the
+    # cluster name so per-cluster paths don't collide in the shared
+    # cnpg-backups bucket (matches portal-db, litellm-pg, etc.).
+    s3:
+      bucket: cnpg-backups
+      endpointURL: http://minio.minio-pieced.svc:80
+      # OpenBao path containing MinIO root_user / root_password.
+      # ESO's openbao-backend ClusterSecretStore rewrites KV v2 paths
+      # automatically, so no `/data/` segment is needed (matches the
+      # convention used by the chart's other ExternalSecrets above).
+      credentialsPath: secret/platform/minio-pieced
+      accessKeyProperty: root_user
+      secretKeyProperty: root_password
+
+    wal:
+      compression: gzip
+      maxParallel: 2
+    data:
+      compression: gzip
+
+    # Barman retains backup *data* in S3 for this many days. The Backup
+    # CR cleanup CronJob below independently keeps roughly twice this
+    # many Backup CRs in Kubernetes so we never delete a CR whose data
+    # is still on disk.
+    retentionPolicy: "7d"
+
+    schedule:
+      # CNPG ScheduledBackup uses a SIX-field Go-style cron expression
+      # (sec min hour dom mon dow), NOT the 5-field Unix crontab format.
+      # See https://github.com/cloudnative-pg/cloudnative-pg/issues/5380
+      # for the silent-misinterpretation footgun.
+      # Slot: 02:45:00 daily — between litellm-pg (02:30) and portal-db
+      # (03:00) so the daily snapshot wave is staggered.
+      cron: "0 45 2 * * *"
+      # Trigger an immediate backup when the ScheduledBackup is created.
+      # Useful on first deploy so the `cnpg_collector_last_available_backup_timestamp`
+      # metric ticks immediately and PieCedCNPGBackupFailed clears.
+      immediate: true
+
+    # Backup CR cleanup CronJob. Same shape as
+    # apps/litellm-pg-backup-cleanup.yaml in pieced-gitops.
+    cleanup:
+      enabled: true
+      # Daily at 04:45 — runs ~2h after the ScheduledBackup so the day's
+      # new CR exists and is preserved in the "newest N" window.
+      schedule: "45 4 * * *"
+      keep: 14
+      image: bitnami/kubectl:1.31.6
+
 # Secrets sourced from OpenBao via External Secrets Operator.
 # Paths use the same convention as apps/portal/external-secrets.yaml:
 # full key path starting with the KV v2 mount name (`secret/`), no