alexlebens/helm-charts
1
0
Fork 0
Code Issues 1 Pull Requests 1 Actions Packages Releases 449 Activity

bundle external secret for recovery

Browse Source
This commit is contained in:
Alex Lebens
2025-12-22 21:40:58 -06:00
parent 45ddc3fdf3
commit 27caefbd86
6 changed files with 105 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
charts/postgres-cluster/Chart.yaml
View File

@@ -1,6 +1,6 @@
apiVersion: v2 apiVersion: v2
name: postgres-cluster name: postgres-cluster
version: 7.1.4 version: 7.2.0
description: Cloudnative-pg Cluster description: Cloudnative-pg Cluster
keywords: keywords:
- database - database

15
charts/postgres-cluster/README.md
View File

@@ -1,6 +1,6 @@
# postgres-cluster # postgres-cluster
![Version: 7.1.4](https://img.shields.io/badge/Version-7.1.4-informational?style=flat-square) ![AppVersion: v1.28.0](https://img.shields.io/badge/AppVersion-v1.28.0-informational?style=flat-square) ![Version: 7.2.0](https://img.shields.io/badge/Version-7.2.0-informational?style=flat-square) ![AppVersion: v1.28.0](https://img.shields.io/badge/AppVersion-v1.28.0-informational?style=flat-square)
Cloudnative-pg Cluster Cloudnative-pg Cluster
@@ -59,11 +59,12 @@ Cloudnative-pg Cluster
| cluster.services | object | `{}` | Customization of service definitions. Please refer to https://cloudnative-pg.io/documentation/current/service_management/ | | cluster.services | object | `{}` | Customization of service definitions. Please refer to https://cloudnative-pg.io/documentation/current/service_management/ |
| cluster.storage | object | `{"size":"10Gi","storageClass":""}` | Default storage size | | cluster.storage | object | `{"size":"10Gi","storageClass":""}` | Default storage size |
| databases | list | `[]` | Database management configuration | | databases | list | `[]` | Database management configuration |
| kubernetesClusterName | string | `"cl01tl"` | Kubernetes cluster name |
| mode | string | `"standalone"` | Cluster mode of operation. Available modes: * `standalone` - Default mode. Creates new or updates an existing CNPG cluster. * `recovery` - Same as standalone but creates a cluster from a backup, object store or via pg_basebackup | | mode | string | `"standalone"` | Cluster mode of operation. Available modes: * `standalone` - Default mode. Creates new or updates an existing CNPG cluster. * `recovery` - Same as standalone but creates a cluster from a backup, object store or via pg_basebackup |
| nameOverride | string | `""` | Override the name of the cluster | | nameOverride | string | `""` | Override the name of the cluster |
| namespaceOverride | string | `""` | Override the namespace of the chart | | namespaceOverride | string | `""` | Override the namespace of the chart |
| poolers | list | `[]` | List of PgBouncer poolers | | poolers | list | `[]` | List of PgBouncer poolers |
| recovery | object | `{"backup":{"backupName":"","database":"app","owner":"","pitrTarget":{"time":""}},"import":{"databases":[],"pgDumpExtraOptions":[],"pgRestoreExtraOptions":[],"postImportApplicationSQL":[],"roles":[],"schemaOnly":false,"source":{"database":"app","host":"","passwordSecret":{"create":false,"key":"password","name":"","value":""},"port":5432,"sslCertSecret":{"key":"","name":""},"sslKeySecret":{"key":"","name":""},"sslMode":"verify-full","sslRootCertSecret":{"key":"","name":""},"username":"app"},"type":"microservice"},"method":"backup","objectStore":{"clusterName":"","data":{"compression":"snappy","encryption":"","jobs":1},"database":"app","destinationPath":"","endpointCA":{"create":false,"key":"","name":""},"endpointCredentials":"","endpointURL":"https://nyc3.digitaloceanspaces.com","index":1,"name":"recovery","owner":"","pitrTarget":{"time":""},"wal":{"compression":"snappy","encryption":"","maxParallel":1}},"pgBaseBackup":{"database":"app","owner":"","secret":"","source":{"database":"app","host":"","passwordSecret":{"create":false,"key":"password","name":"","value":""},"port":5432,"sslCertSecret":{"key":"","name":""},"sslKeySecret":{"key":"","name":""},"sslMode":"disable","sslRootCertSecret":{"key":"","name":""},"username":""}}}` | Recovery settings when booting cluster from external cluster | | recovery | object | `{"backup":{"backupName":"","database":"app","owner":"","pitrTarget":{"time":""}},"import":{"databases":[],"pgDumpExtraOptions":[],"pgRestoreExtraOptions":[],"postImportApplicationSQL":[],"roles":[],"schemaOnly":false,"source":{"database":"app","host":"","passwordSecret":{"create":false,"key":"password","name":"","value":""},"port":5432,"sslCertSecret":{"key":"","name":""},"sslKeySecret":{"key":"","name":""},"sslMode":"verify-full","sslRootCertSecret":{"key":"","name":""},"username":"app"},"type":"microservice"},"method":"backup","objectStore":{"clusterName":"","data":{"compression":"snappy","encryption":"","jobs":1},"database":"app","destinationBucket":"postgres-backups","destinationPathOverride":"","endpointCA":{"create":false,"key":"","name":""},"endpointCredentials":"","endpointCredentialsIncludeRegion":true,"endpointURL":"http://garage-main.garage:3900","externalSecret":{"credentialPath":"/garage/home-infra/postgres-backups","enabled":true},"index":1,"owner":"","pitrTarget":{"time":""},"wal":{"compression":"snappy","encryption":"","maxParallel":1}},"pgBaseBackup":{"database":"app","owner":"","secret":"","source":{"database":"app","host":"","passwordSecret":{"create":false,"key":"password","name":"","value":""},"port":5432,"sslCertSecret":{"key":"","name":""},"sslKeySecret":{"key":"","name":""},"sslMode":"disable","sslRootCertSecret":{"key":"","name":""},"username":""}}}` | Recovery settings when booting cluster from external cluster |
| recovery.backup.backupName | string | `""` | Name of the backup to recover from. | | recovery.backup.backupName | string | `""` | Name of the backup to recover from. |
| recovery.backup.database | string | `"app"` | Name of the database used by the application. Default: `app`. | | recovery.backup.database | string | `"app"` | Name of the database used by the application. Default: `app`. |
| recovery.backup.owner | string | `""` | Name of the owner of the database in the instance to be used by applications. Defaults to the value of the `database` key. | | recovery.backup.owner | string | `""` | Name of the owner of the database in the instance to be used by applications. Defaults to the value of the `database` key. |
@@ -87,13 +88,15 @@ Cloudnative-pg Cluster
| recovery.objectStore.data.encryption | string | `""` | Whether to instruct the storage provider to encrypt data files. One of `` (use the storage container default), `AES256` or `aws:kms`. | | recovery.objectStore.data.encryption | string | `""` | Whether to instruct the storage provider to encrypt data files. One of `` (use the storage container default), `AES256` or `aws:kms`. |
| recovery.objectStore.data.jobs | int | `1` | Number of data files to be archived or restored in parallel. | | recovery.objectStore.data.jobs | int | `1` | Number of data files to be archived or restored in parallel. |
| recovery.objectStore.database | string | `"app"` | Name of the database used by the application. Default: `app`. | | recovery.objectStore.database | string | `"app"` | Name of the database used by the application. Default: `app`. |
| recovery.objectStore.destinationPath | string | `""` | Overrides the provider specific default path. Defaults to: S3: s3://<bucket><path> Azure: https://<storageAccount>.<serviceName>.core.windows.net/<containerName><path> Google: gs://<bucket><path> | | recovery.objectStore.destinationBucket | string | `"postgres-backups"` | Desitination bucket |
| recovery.objectStore.destinationPathOverride | string | `""` | Overrides the provider specific default path. Defaults to: S3: s3://<bucket><path> Azure: https://<storageAccount>.<serviceName>.core.windows.net/<containerName><path> Google: gs://<bucket><path> |
| recovery.objectStore.endpointCA | object | `{"create":false,"key":"","name":""}` | Specifies a CA bundle to validate a privately signed certificate. | | recovery.objectStore.endpointCA | object | `{"create":false,"key":"","name":""}` | Specifies a CA bundle to validate a privately signed certificate. |
| recovery.objectStore.endpointCA.create | bool | `false` | Creates a secret with the given value if true, otherwise uses an existing secret. | | recovery.objectStore.endpointCA.create | bool | `false` | Creates a secret with the given value if true, otherwise uses an existing secret. |
| recovery.objectStore.endpointCredentials | string | `""` | Specifies secret that contains S3 credentials, should contain the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY | | recovery.objectStore.endpointCredentials | string | `""` | Defaults to <cluster name>-recovery-secret for the existing secret |
| recovery.objectStore.endpointURL | string | `"https://nyc3.digitaloceanspaces.com"` | Overrides the provider specific default endpoint. Defaults to: S3: https://s3.<region>.amazonaws.com" Leave empty if using the default S3 endpoint | | recovery.objectStore.endpointCredentialsIncludeRegion | bool | `true` | If the S3 endpoint require the ACCESS_REGION variable set in credentials |
| recovery.objectStore.endpointURL | string | `"http://garage-main.garage:3900"` | Overrides the provider specific default endpoint. Defaults to: S3: https://s3.<region>.amazonaws.com" Leave empty if using the default S3 endpoint |
| recovery.objectStore.externalSecret | object | `{"credentialPath":"/garage/home-infra/postgres-backups","enabled":true}` | Use generated External Secrets, credentialPath points at path in cluster store that contains the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY |
| recovery.objectStore.index | int | `1` | Generate external cluster name, uses: {{ .Release.Name }}-postgresql-<major version>-backup-index-{{ index }} | | recovery.objectStore.index | int | `1` | Generate external cluster name, uses: {{ .Release.Name }}-postgresql-<major version>-backup-index-{{ index }} |
| recovery.objectStore.name | string | `"recovery"` | Object store backup name |
| recovery.objectStore.owner | string | `""` | Name of the owner of the database in the instance to be used by applications. Defaults to the value of the `database` key. | | recovery.objectStore.owner | string | `""` | Name of the owner of the database in the instance to be used by applications. Defaults to the value of the `database` key. |
| recovery.objectStore.pitrTarget | object | `{"time":""}` | Point in time recovery target. Specify one of the following: | | recovery.objectStore.pitrTarget | object | `{"time":""}` | Point in time recovery target. Specify one of the following: |
| recovery.objectStore.pitrTarget.time | string | `""` | Time in RFC3339 format | | recovery.objectStore.pitrTarget.time | string | `""` | Time in RFC3339 format |

22
charts/postgres-cluster/templates/_helpers.tpl
View File

@@ -83,3 +83,25 @@ Generate recovery server name
{{- printf "%s-backup-%s" (include "cluster.name" .) (toString .Values.recovery.objectStore.index) | trunc 63 | trimSuffix "-" -}} {{- printf "%s-backup-%s" (include "cluster.name" .) (toString .Values.recovery.objectStore.index) | trunc 63 | trimSuffix "-" -}}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{/*
Generate recovery destination path
*/}}
{{- define "cluster.recoveryDestinationPath" -}}
{{- if .Values.recovery.objectStore.destinationPathOverride -}}
{{- .Values.recovery.objectStore.destinationPathOverride -}}
{{- else -}}
{{- printf "s3://%s/%s/%s/%s" (.Values.recovery.objectStore.destinationBucket) (.Values.kubernetesClusterName) (include "cluster.namespace" .) (include "cluster.name" .) | trunc 63 | trimSuffix "-" -}}
{{- end }}
{{- end }}
{{/*
Generate recovery credentials name
*/}}
{{- define "cluster.recoverySecretName" -}}
{{- if and (.Values.recovery.objectStore.endpointCredentials) (not .Values.recovery.objectStore.externalSecret.enabled) }}
{{- .Values.recovery.objectStore.endpointCredentials | trunc 63 | trimSuffix "-" }}
{{- else -}}
{{- printf "%s-recovery-secret" (include "cluster.name" .) -}}
{{- end }}
{{- end }}

40
charts/postgres-cluster/templates/external-secret.yaml Normal file
View File

@@ -0,0 +1,40 @@
{{- if and (eq .Values.recovery.method "objectStore") (.Values.recovery.objectStore.externalSecret.enabled) }}
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: {{ include "cluster.recoverySecretName" . }}
namespace: {{ include "cluster.namespace" . }}
labels:
{{- include "cluster.labels" . | nindent 4 }}
app.kubernetes.io/name: {{ include "cluster.recoverySecretName" . }}
{{- with .Values.cluster.additionalLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_REGION
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: {{ .Values.recovery.objectStore.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
metadataPolicy: None
property: ACCESS_REGION
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: {{ .Values.recovery.objectStore.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
metadataPolicy: None
property: ACCESS_KEY_ID
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: {{ .Values.recovery.objectStore.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
metadataPolicy: None
property: ACCESS_SECRET_KEY
{{- end }}

21
charts/postgres-cluster/templates/object-store.yaml
View File

@@ -9,6 +9,10 @@ metadata:
namespace: {{ include "cluster.namespace" $context }} namespace: {{ include "cluster.namespace" $context }}
labels: labels:
{{- include "cluster.labels" $context | nindent 4 }} {{- include "cluster.labels" $context | nindent 4 }}
app.kubernetes.io/name: "{{ include "cluster.name" $context }}-{{ .name }}-backup"
{{- with .Values.cluster.additionalLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec: spec:
retentionPolicy: {{ .retentionPolicy | default "30d" }} retentionPolicy: {{ .retentionPolicy | default "30d" }}
configuration: configuration:
@@ -55,13 +59,17 @@ spec:
apiVersion: barmancloud.cnpg.io/v1 apiVersion: barmancloud.cnpg.io/v1
kind: ObjectStore kind: ObjectStore
metadata: metadata:
name: "{{ include "cluster.name" . }}-{{ .Values.recovery.objectStore.name }}" name: "{{ include "cluster.name" . }}-recovery"
namespace: {{ include "cluster.namespace" . }} namespace: {{ include "cluster.namespace" . }}
labels: labels:
{{- include "cluster.labels" . | nindent 4 }} {{- include "cluster.labels" . | nindent 4 }}
app.kubernetes.io/name: "{{ include "cluster.name" . }}-recovery"
{{- with .Values.cluster.additionalLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec: spec:
configuration: configuration:
destinationPath: {{ .Values.recovery.objectStore.destinationPath }} destinationPath: {{ include "cluster.recoveryDestinationPath" . }}
endpointURL: {{ .Values.recovery.objectStore.endpointURL }} endpointURL: {{ .Values.recovery.objectStore.endpointURL }}
{{- if .Values.recovery.objectStore.endpointCA.name }} {{- if .Values.recovery.objectStore.endpointCA.name }}
endpointCA: endpointCA:
@@ -82,9 +90,14 @@ spec:
jobs: {{ .Values.recovery.objectStore.data.jobs }} jobs: {{ .Values.recovery.objectStore.data.jobs }}
s3Credentials: s3Credentials:
accessKeyId: accessKeyId:
name: {{ .Values.recovery.objectStore.endpointCredentials | default (printf "%s-cluster-backup-secret" (include "cluster.name" .) | trunc 63 | trimSuffix "-") }} name: {{ include "cluster.recoverySecretName" . }}
key: ACCESS_KEY_ID key: ACCESS_KEY_ID
secretAccessKey: secretAccessKey:
name: {{ .Values.recovery.objectStore.endpointCredentials | default (printf "%s-cluster-backup-secret" (include "cluster.name" .) | trunc 63 | trimSuffix "-") }} name: {{ include "cluster.recoverySecretName" . }}
key: ACCESS_SECRET_KEY key: ACCESS_SECRET_KEY
{{- if .Values.recovery.objectStore.endpointCredentialsIncludeRegion }}
region:
name: {{ include "cluster.recoverySecretName" . }}
key: ACCESS_REGION
{{- end }}
{{ end }} {{ end }}

20
charts/postgres-cluster/values.yaml
View File

@@ -4,6 +4,9 @@ nameOverride: ""
# -- Override the namespace of the chart # -- Override the namespace of the chart
namespaceOverride: "" namespaceOverride: ""
# -- Kubernetes cluster name
kubernetesClusterName: cl01tl
# -- Type of the CNPG database. Available types: # -- Type of the CNPG database. Available types:
# * `postgresql` # * `postgresql`
type: postgresql type: postgresql
@@ -259,19 +262,19 @@ recovery:
# -- Name of the owner of the database in the instance to be used by applications. Defaults to the value of the `database` key. # -- Name of the owner of the database in the instance to be used by applications. Defaults to the value of the `database` key.
owner: "" owner: ""
# -- Object store backup name # -- Desitination bucket
name: recovery destinationBucket: postgres-backups
# -- Overrides the provider specific default path. Defaults to: # -- Overrides the provider specific default path. Defaults to:
# S3: s3://<bucket><path> # S3: s3://<bucket><path>
# Azure: https://<storageAccount>.<serviceName>.core.windows.net/<containerName><path> # Azure: https://<storageAccount>.<serviceName>.core.windows.net/<containerName><path>
# Google: gs://<bucket><path> # Google: gs://<bucket><path>
destinationPath: "" destinationPathOverride: ""
# -- Overrides the provider specific default endpoint. Defaults to: # -- Overrides the provider specific default endpoint. Defaults to:
# S3: https://s3.<region>.amazonaws.com" # S3: https://s3.<region>.amazonaws.com"
# Leave empty if using the default S3 endpoint # Leave empty if using the default S3 endpoint
endpointURL: "https://nyc3.digitaloceanspaces.com" endpointURL: "http://garage-main.garage:3900"
# -- Specifies a CA bundle to validate a privately signed certificate. # -- Specifies a CA bundle to validate a privately signed certificate.
endpointCA: endpointCA:
@@ -287,9 +290,18 @@ recovery:
# -- Override the name of the backup cluster, defaults to "cluster.name" # -- Override the name of the backup cluster, defaults to "cluster.name"
clusterName: "" clusterName: ""
# -- Use generated External Secrets, credentialPath points at path in cluster store that contains the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY
externalSecret:
enabled: true
credentialPath: /garage/home-infra/postgres-backups
# -- Specifies secret that contains S3 credentials, should contain the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY # -- Specifies secret that contains S3 credentials, should contain the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY
# -- Defaults to <cluster name>-recovery-secret for the existing secret
endpointCredentials: "" endpointCredentials: ""
# -- If the S3 endpoint require the ACCESS_REGION variable set in credentials
endpointCredentialsIncludeRegion: true
# -- Storage # -- Storage
wal: wal: