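{{- if and .Values.postgres.enabled .Values.postgres.backup.enabled }}
# =============================================================================
# S3 credentials for the CNPG Cluster's barmanObjectStore.
#
# Projects the in-cluster MinIO root credentials out of OpenBao
# (.Values.postgres.backup.s3.credentialsPath) into a Secret in this
# namespace. Referenced by spec.backup.barmanObjectStore.s3Credentials
# on the Cluster CR (see templates/database.yaml).
#
# Same shape and convention as the chart's other ExternalSecrets
# (templates/externalsecret.yaml) — KV v2 path without /data/ segment.
#
# NOTE(review): the projected keys are the MinIO *root* credentials, so
# anything that can read this Secret (RBAC on Secrets in this namespace,
# or the CNPG pods that consume it) holds full control of the object
# store, not just the backup bucket. A dedicated MinIO access key scoped
# to the backup bucket would follow least privilege — confirm whether
# root is really required here.
# =============================================================================
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: cnpg-s3-credentials
  # Templated scalars are piped through `quote` (as the schedule below
  # already is) so a boolean- or number-looking value cannot be retyped
  # by the YAML parser after rendering.
  namespace: {{ .Values.namespace | quote }}
spec:
  # Upper bound on how long a credential rotated in OpenBao keeps being
  # served from the in-cluster Secret.
  refreshInterval: 1h
  secretStoreRef:
    name: openbao-backend
    kind: ClusterSecretStore
  target:
    name: cnpg-s3-credentials
    # The ExternalSecret owns the generated Secret; deleting the
    # ExternalSecret removes the Secret with it.
    creationPolicy: Owner
  data:
    # Key names presumably must match the s3Credentials selectors in
    # templates/database.yaml — verify when renaming.
    - secretKey: ACCESS_KEY_ID
      remoteRef:
        key: {{ .Values.postgres.backup.s3.credentialsPath | quote }}
        property: {{ .Values.postgres.backup.s3.accessKeyProperty | quote }}
    - secretKey: ACCESS_SECRET_KEY
      remoteRef:
        key: {{ .Values.postgres.backup.s3.credentialsPath | quote }}
        property: {{ .Values.postgres.backup.s3.secretKeyProperty | quote }}
---
# =============================================================================
# Daily backup of the pieced-threema-gateway-db CNPG cluster.
#
# IMPORTANT — cron format:
#   CNPG ScheduledBackup uses a SIX-field Go-style cron expression
#   (sec min hour dom mon dow), NOT the 5-field Unix crontab format. The
#   CNPG controller silently accepts 5-field expressions but reinterprets
#   them — see https://github.com/cloudnative-pg/cloudnative-pg/issues/5380
#   Default schedule (.Values.postgres.backup.schedule.cron) is set
#   accordingly.
#
#   Constructed example: "0 0 3 * * *" fires at 03:00:00 every day.
#   Because a malformed schedule is not rejected, check that Backup
#   objects actually appear at the expected times after changing it.
# =============================================================================
apiVersion: postgresql.cnpg.io/v1
kind: ScheduledBackup
metadata:
  name: pieced-threema-gateway-db-daily
  namespace: {{ .Values.namespace | quote }}
spec:
  # Quoted: cron expressions contain `*`, which YAML would otherwise
  # treat as an alias indicator.
  schedule: {{ .Values.postgres.backup.schedule.cron | quote }}
  # Backup objects created by this schedule are owned by the
  # ScheduledBackup itself.
  backupOwnerReference: self
  cluster:
    name: pieced-threema-gateway-db
  method: barmanObjectStore
  # Deliberately left unquoted: this field must render as a YAML boolean.
  immediate: {{ .Values.postgres.backup.schedule.immediate }}
{{- end }}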