bundle external secret for recovery

2025-12-22 21:40:58 -06:00
parent 45ddc3fdf3
commit 27caefbd86
6 changed files with 105 additions and 15 deletions
--- a/charts/postgres-cluster/templates/_helpers.tpl
+++ b/charts/postgres-cluster/templates/_helpers.tpl
@@ -83,3 +83,25 @@ Generate recovery server name
    {{- printf "%s-backup-%s" (include "cluster.name" .) (toString .Values.recovery.objectStore.index) | trunc 63 | trimSuffix "-" -}}
  {{- end }}
 {{- end }}
+
+{{/*
+Generate recovery destination path
+*/}}
+{{- define "cluster.recoveryDestinationPath" -}}
+  {{- if .Values.recovery.objectStore.destinationPathOverride -}}
+    {{- .Values.recovery.objectStore.destinationPathOverride -}}
+  {{- else -}}
+    {{- printf "s3://%s/%s/%s/%s" (.Values.recovery.objectStore.destinationBucket) (.Values.kubernetesClusterName) (include "cluster.namespace" .) (include "cluster.name" .) | trunc 63 | trimSuffix "-" -}}
+  {{- end }}
+{{- end }}
+
+{{/*
+Generate recovery credentials name
+*/}}
+{{- define "cluster.recoverySecretName" -}}
+  {{- if and (.Values.recovery.objectStore.endpointCredentials) (not .Values.recovery.objectStore.externalSecret.enabled) }}
+    {{- .Values.recovery.objectStore.endpointCredentials | trunc 63 | trimSuffix "-" }}
+  {{- else -}}
+    {{- printf "%s-recovery-secret" (include "cluster.name" .) -}}
+  {{- end }}
+{{- end }}
--- a/charts/postgres-cluster/templates/external-secret.yaml
+++ b/charts/postgres-cluster/templates/external-secret.yaml
@@ -0,0 +1,40 @@
+{{- if and (eq .Values.recovery.method "objectStore") (.Values.recovery.objectStore.externalSecret.enabled) }}
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: {{ include "cluster.recoverySecretName" . }}
+  namespace: {{ include "cluster.namespace" . }}
+  labels:
+    {{- include "cluster.labels" . | nindent 4 }}
+    app.kubernetes.io/name: {{ include "cluster.recoverySecretName" . }}
+    {{- with .Values.cluster.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ACCESS_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.recovery.objectStore.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
+        metadataPolicy: None
+        property: ACCESS_REGION
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.recovery.objectStore.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
+        metadataPolicy: None
+        property: ACCESS_KEY_ID
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.recovery.objectStore.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
+        metadataPolicy: None
+        property: ACCESS_SECRET_KEY
+{{- end }}
--- a/charts/postgres-cluster/templates/object-store.yaml
+++ b/charts/postgres-cluster/templates/object-store.yaml
@@ -9,6 +9,10 @@ metadata:
  namespace: {{ include "cluster.namespace" $context }}
  labels:
    {{- include "cluster.labels" $context | nindent 4 }}
+    app.kubernetes.io/name: "{{ include "cluster.name" $context }}-{{ .name }}-backup"
+    {{- with .Values.cluster.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 spec:
  retentionPolicy: {{ .retentionPolicy | default "30d" }}
  configuration:
@@ -55,13 +59,17 @@ spec:
 apiVersion: barmancloud.cnpg.io/v1
 kind: ObjectStore
 metadata:
-  name: "{{ include "cluster.name" . }}-{{ .Values.recovery.objectStore.name }}"
+  name: "{{ include "cluster.name" . }}-recovery"
  namespace: {{ include "cluster.namespace" . }}
  labels:
    {{- include "cluster.labels" . | nindent 4 }}
+    app.kubernetes.io/name: "{{ include "cluster.name" . }}-recovery"
+    {{- with .Values.cluster.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 spec:
  configuration:
-    destinationPath: {{ .Values.recovery.objectStore.destinationPath }}
+    destinationPath: {{ include "cluster.recoveryDestinationPath" . }}
    endpointURL: {{ .Values.recovery.objectStore.endpointURL }}
    {{- if .Values.recovery.objectStore.endpointCA.name }}
    endpointCA:
@@ -82,9 +90,14 @@ spec:
      jobs: {{ .Values.recovery.objectStore.data.jobs }}
    s3Credentials:
      accessKeyId:
-        name: {{ .Values.recovery.objectStore.endpointCredentials | default (printf "%s-cluster-backup-secret" (include "cluster.name" .) | trunc 63 | trimSuffix "-") }}
+        name: {{ include "cluster.recoverySecretName" . }}
        key: ACCESS_KEY_ID
      secretAccessKey:
-        name: {{ .Values.recovery.objectStore.endpointCredentials | default (printf "%s-cluster-backup-secret" (include "cluster.name" .) | trunc 63 | trimSuffix "-") }}
+        name: {{ include "cluster.recoverySecretName" . }}
        key: ACCESS_SECRET_KEY
+      {{- if .Values.recovery.objectStore.endpointCredentialsIncludeRegion }}
+      region:
+        name: {{ include "cluster.recoverySecretName" . }}
+        key: ACCESS_REGION
+      {{- end }}
 {{ end }}