alexlebens/helm-charts
1
0
Fork 0
Code Issues 1 Pull Requests 1 Actions Packages Releases 449 Activity

bundle external secrets for backups

Browse Source
This commit is contained in:
Alex Lebens
2025-12-22 22:46:37 -06:00
parent 6be08af21d
commit d70eecc096
6 changed files with 106 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
charts/postgres-cluster/templates/_helpers.tpl
View File

@@ -91,7 +91,7 @@ Generate recovery destination path
{{- if .Values.recovery.objectStore.destinationPathOverride -}}
{{- .Values.recovery.objectStore.destinationPathOverride -}}
{{- else -}}
{{- printf "s3://%s/%s/%s/%s" (.Values.recovery.objectStore.destinationBucket) (.Values.kubernetesClusterName) (include "cluster.namespace" .) (include "cluster.name" .) | trunc 63 | trimSuffix "-" -}}
{{- printf "s3://%s/%s/%s/%s-cluster" (.Values.recovery.objectStore.destinationBucket) (.Values.kubernetesClusterName) (include "cluster.namespace" .) (include "cluster.name" .) | trimSuffix "-" -}}
{{- end }}
{{- end }}
@@ -105,3 +105,29 @@ Generate recovery credentials name
{{- printf "%s-recovery-secret" (include "cluster.name" .) -}}
{{- end }}
{{- end }}
{{/*
Generate backup destination path
*/}}
{{- define "cluster.backupDestinationPath" -}}
{{- if .instance.destinationPathOverride -}}
{{- .instance.destinationPathOverride -}}
{{- else if .instance.destinationBucket -}}
{{- printf "s3://%s/%s/%s/%s-cluster" .instance.destinationBucket .global.Values.kubernetesClusterName (include "cluster.namespace" .global) (include "cluster.name" .global) | trimSuffix "-" -}}
{{- else -}}
{{ fail "Invalid destination path!" }}
{{- end -}}
{{- end }}
{{/*
Generate backup destination path
*/}}
{{- define "cluster.backupSecretName" -}}
{{- if .instance.endpointCredentialsOverride -}}
{{- .instance.endpointCredentialsOverride -}}
{{- else if .instance.name -}}
{{- printf "%s-backup-%s-secret" (include "cluster.name" .global) .instance.name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{ fail "Invalid backup secret name!" }}
{{- end -}}
{{- end }}

44
charts/postgres-cluster/templates/external-secret.yaml
View File

@@ -1,3 +1,47 @@
{{ if and (eq .Values.backup.method "objectStore") (.Values.backup.externalSecret.enabled) }}
{{ $context := . -}}
{{ range .Values.backup.objectStore -}}
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: {{ include "cluster.backupSecretName" (dict "instance" . "global" $context) }}
namespace: {{ include "cluster.namespace" $context }}
labels:
{{- include "cluster.labels" $context | nindent 4 }}
app.kubernetes.io/name: {{ include "cluster.backupSecretName" (dict "instance" . "global" $context) }}
{{- with $context.Values.cluster.additionalLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_REGION
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: {{ .externalSecretCredentialPath | required "External Secret Credential local path is required" }}
metadataPolicy: None
property: ACCESS_REGION
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: {{ .externalSecretCredentialPath | required "External Secret Credential local path is required" }}
metadataPolicy: None
property: ACCESS_KEY_ID
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: {{ .externalSecretCredentialPath| required "External Secret Credential local path is required" }}
metadataPolicy: None
property: ACCESS_SECRET_KEY
{{ end -}}
{{ end }}
{{- if and (eq .Values.recovery.method "objectStore") (.Values.recovery.objectStore.externalSecret.enabled) }}
---
apiVersion: external-secrets.io/v1

16
charts/postgres-cluster/templates/object-store.yaml
View File

@@ -5,19 +5,19 @@
apiVersion: barmancloud.cnpg.io/v1
kind: ObjectStore
metadata:
name: "{{ include "cluster.name" $context }}-{{ .name }}-backup"
name: {{ include "cluster.name" $context }}-backup-{{ .name }}
namespace: {{ include "cluster.namespace" $context }}
labels:
{{- include "cluster.labels" $context | nindent 4 }}
app.kubernetes.io/name: "{{ include "cluster.name" $context }}-{{ .name }}-backup"
{{- with .Values.cluster.additionalLabels }}
app.kubernetes.io/name: {{ include "cluster.name" $context }}-backup-{{ .name }}
{{- with $context.Values.cluster.additionalLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
retentionPolicy: {{ .retentionPolicy | default "30d" }}
configuration:
destinationPath: {{ .destinationPath | required "Destination path is required" }}
endpointURL: {{ .endpointURL | default "https://nyc3.digitaloceanspaces.com" }}
destinationPath: {{ include "cluster.backupDestinationPath" (dict "instance" . "global" $context) }}
endpointURL: {{ .endpointURL | default "http://garage-main.garage:3900" }}
{{- if .endpointCA }}
endpointCA:
name: {{ .endpointCA.name }}
@@ -41,14 +41,14 @@ spec:
{{- end }}
s3Credentials:
accessKeyId:
name: {{ .endpointCredentials | default (printf "%s-cluster-backup-secret" (include "cluster.name" $context) | trunc 63 | trimSuffix "-") }}
name: {{ include "cluster.backupSecretName" (dict "instance" . "global" $context) }}
key: ACCESS_KEY_ID
secretAccessKey:
name: {{ .endpointCredentials | default (printf "%s-cluster-backup-secret" (include "cluster.name" $context) | trunc 63 | trimSuffix "-") }}
name: {{ include "cluster.backupSecretName" (dict "instance" . "global" $context) }}
key: ACCESS_SECRET_KEY
{{- if .endpointCredentialsIncludeRegion }}
region:
name: {{ .endpointCredentials | default (printf "%s-cluster-backup-secret" (include "cluster.name" $context) | trunc 63 | trimSuffix "-") }}
name: {{ include "cluster.backupSecretName" (dict "instance" . "global" $context) }}
key: ACCESS_REGION
{{- end }}
{{ end -}}