feat: update common chart

feat: increase default shared buffers
feat: change template formatting
2026-05-17 20:56:50 -05:00 · 2026-05-17 20:54:58 -05:00 · 2026-05-17 20:54:58 -05:00 · 2026-05-17 20:54:58 -05:00 · 2026-05-16 00:02:19 +00:00 · 2026-05-16 00:01:59 +00:00
43 changed files with 1281 additions and 232 deletions
@@ -0,0 +1,128 @@
+name: release-charts-rclone-bucket
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "charts/rclone-bucket/**"
+
+  workflow_dispatch:
+
+env:
+  WORKFLOW_DIR: "charts/rclone-bucket"
+
+jobs:
+  release:
+    runs-on: ubuntu-js
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v5
+        with:
+          token: ${{ secrets.GITEA_TOKEN }}
+          version: v3.19.2
+
+      - name: Add Repositories
+        run: |
+          cd ${WORKFLOW_DIR}
+
+          echo ">> Adding repositories for chart dependencies ..."
+          helm dependency list --max-col-width 120 2> /dev/null \
+            | tail +2 | head -n -1 \
+            | awk '{ print "helm repo add " $1 " " $3 }' \
+            | while read cmd; do echo "$cmd" | sh; done || true
+
+          if helm repo list | tail +2 | read -r; then
+            echo ">> Update repository cache ..."
+            helm repo update
+          fi
+
+          echo "----"
+
+      - name: Package Helm Chart
+        run: |
+          cd ${WORKFLOW_DIR}
+
+          echo ">> Building helm dependency ..."
+          helm dependency build --skip-refresh --debug
+
+          echo "----"
+
+          echo "PACKAGE_PATH=$(helm package . | awk '{print $NF}')" >> $GITEA_ENV
+
+      - name: Publish Helm Chart to Harbor
+        run: |
+          echo ">> Logging into Harbor ..."
+          helm registry login ${{ vars.REGISTRY_HOST }} -u ${{ vars.REGISTRY_USER }} -p ${{ secrets.REGISTRY_SECRET }} --debug
+
+          echo ""
+          echo ">> Publishing chart to Harbor ..."
+          helm push ${{ env.PACKAGE_PATH }} oci://${{ vars.REGISTRY_HOST }}/helm-charts --debug
+
+          echo "----"
+
+      - name: Publish Helm Chart to Gitea
+        run: |
+          echo ">> Installing Chart Museum plugin ..."
+          helm plugin install https://github.com/chartmuseum/helm-push --debug
+
+          echo ""
+          echo ">> Adding Gitea repository ..."
+          helm repo add --username ${{ gitea.actor }} --password ${{ secrets.REPOSITORY_TOKEN }} helm-charts https://${{ vars.REPOSITORY_HOST }}/api/packages/alexlebens/helm --debug
+
+          echo ""
+          echo ">> Pushing chart to gitea"
+          helm cm-push ${{ env.PACKAGE_PATH }} helm-charts --debug
+
+      - name: Extract Chart Metadata
+        run: |
+          cd ${WORKFLOW_DIR}
+
+          echo ">> Adding Chart metadata to workflow ENV ..."
+          echo ""
+          echo ">> Chart Version: $(yq '.version' Chart.yaml)"
+          echo ">> Chart Name: $(yq '.name' Chart.yaml)"
+
+          echo "----"
+
+          echo "CHART_VERSION=$(yq '.version' Chart.yaml)" >> $GITEA_ENV
+          echo "CHART_NAME=$(yq '.name' Chart.yaml)" >> $GITEA_ENV
+
+      - name: Release Helm Chart
+        uses: akkuman/gitea-release-action@v1
+        with:
+          name: ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}
+          tag_name: ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}
+          files: |-
+            ${{ env.PACKAGE_PATH }}
+
+      - name: ntfy Success
+        uses: niniyas/ntfy-action@master
+        if: success()
+        with:
+          url: '${{ secrets.NTFY_URL }}'
+          topic: '${{ secrets.NTFY_TOPIC }}'
+          title: 'Release Success - ${{ env.CHART_NAME }}'
+          priority: 3
+          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+          tags: action,successfully,completed
+          details: 'Helm Chart ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }} has been released!'
+          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
+
+      - name: ntfy Failed
+        uses: niniyas/ntfy-action@master
+        if: failure()
+        with:
+          url: '${{ secrets.NTFY_URL }}'
+          topic: '${{ secrets.NTFY_TOPIC }}'
+          title: 'Release Failure - ${{ env.CHART_NAME }}'
+          priority: 4
+          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+          tags: action,failed
+          details: 'Helm Chart ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }} has failed to be released.'
+          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
+          actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/helm-charts/actions?workflow=release-charts-rclone-bucket.yml", "clear": true}]'
+          image: true
@@ -1,6 +1,6 @@
 dependencies:
 - name: common
  repository: https://bjw-s-labs.github.io/helm-charts/
-  version: 4.6.2
-digest: sha256:35e8f4e5d15d878c246a04eb51de580291f31203fa10e9e4d2318f16026b2061
-generated: "2026-01-16T13:29:29.385123-06:00"
+  version: 5.0.1
+digest: sha256:754f21ee6fca6dc4a85e91384ff0b919b715234d764ef344bd3bbe93414275d3
+generated: "2026-05-17T20:56:16.253838-05:00"
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: cloudflared
-version: 2.5.0
+version: 3.3.1
 description: Cloudflared Tunnel
 keywords:
  - cloudflare
@@ -14,7 +14,7 @@ maintainers:
 dependencies:
  - name: common
    repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 4.6.2
+    version: 5.0.1
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/cloudflare.png
 # renovate: datasource=docker depName=cloudflare/cloudflared
-appVersion: 2026.3.0
+appVersion: 2026.5.0
@@ -1,6 +1,6 @@
 # cloudflared

-![Version: 2.5.0](https://img.shields.io/badge/Version-2.5.0-informational?style=flat-square) ![AppVersion: 2026.3.0](https://img.shields.io/badge/AppVersion-2026.3.0-informational?style=flat-square)
+![Version: 3.3.1](https://img.shields.io/badge/Version-3.3.1-informational?style=flat-square) ![AppVersion: 2026.5.0](https://img.shields.io/badge/AppVersion-2026.5.0-informational?style=flat-square)

 Cloudflared Tunnel

@@ -20,20 +20,22 @@ Cloudflared Tunnel

 | Repository | Name | Version |
 |------------|------|---------|
-| https://bjw-s-labs.github.io/helm-charts/ | common | 4.6.2 |
+| https://bjw-s-labs.github.io/helm-charts/ | common | 5.0.1 |

 ## Values

 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| image | object | `{"pullPolicy":"IfNotPresent","repository":"cloudflare/cloudflared","tag":"2026.3.0@sha256:6b599ca3e974349ead3286d178da61d291961182ec3fe9c505e1dd02c8ac31b0"}` | Default image |
+| image | object | `{"pullPolicy":"IfNotPresent","repository":"cloudflare/cloudflared","tag":"2026.5.0@sha256:59bab8d3aceec09bf6bdb07d6beca0225ca5cd7ab79436a87ea97978fe1dc4f9"}` | Default image |
+| metrics | object | `{"enabled":true}` | Metrics |
 | name | string | `""` | Name override of release |
+| protocol | string | `"auto"` | Protocol - Available values are auto, http2, and quic. |
 | resources | object | `{"requests":{"cpu":"1m","memory":"20Mi"}}` | Default resources |
-| secret | object | `{"existingSecret":{"key":"cf-tunnel-token","name":"cloudflared-secret"},"externalSecret":{"additionalLabels":{},"enabled":true,"nameOverride":"","store":{"name":"vault","path":"/cloudflare/tunnels","property":"token"}}}` | Secret configuration |
+| secret | object | `{"existingSecret":{"key":"cf-tunnel-token","name":"cloudflared-secret"},"externalSecret":{"additionalLabels":{},"enabled":true,"nameOverride":"","store":{"name":"openbao","path":"/cloudflare/tunnels","property":"token"}}}` | Secret configuration |
 | secret.existingSecret | object | `{"key":"cf-tunnel-token","name":"cloudflared-secret"}` | Name of existing secret that contains Cloudflare token |
-| secret.externalSecret | object | `{"additionalLabels":{},"enabled":true,"nameOverride":"","store":{"name":"vault","path":"/cloudflare/tunnels","property":"token"}}` | External Secret configuration |
+| secret.externalSecret | object | `{"additionalLabels":{},"enabled":true,"nameOverride":"","store":{"name":"openbao","path":"/cloudflare/tunnels","property":"token"}}` | External Secret configuration |
 | secret.externalSecret.additionalLabels | object | `{}` | Add additional labels |
-| secret.externalSecret.store | object | `{"name":"vault","path":"/cloudflare/tunnels","property":"token"}` | Cluster store config |
+| secret.externalSecret.store | object | `{"name":"openbao","path":"/cloudflare/tunnels","property":"token"}` | Cluster store config |

 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)
@@ -4,10 +4,14 @@
 global:
  nameOverride: {{ include "cloudflared.name" . }}
  fullNameOverride: {{ include "cloudflared.name" . }}
+  createDefaultServiceAccount: true
 controllers:
  main:
    type: deployment
+    replicas: 1
    strategy: Recreate
+    serviceAccount:
+      identifier: {{ .Release.Name }}
    containers:
      main:
        image:
@@ -17,8 +21,12 @@ controllers:
        args:
          - tunnel
          - --protocol
-          - http2
+          - {{ .Values.protocol }}
          - --no-autoupdate
+          {{- if .Values.metrics.enabled }}
+          - --metrics
+          - 0.0.0.0:20241
+          {{- end }}
          - run
          - --token
          - $(CF_MANAGED_TUNNEL_TOKEN)
@@ -30,9 +38,29 @@ controllers:
                key: {{ include "secret.key" . }}
        resources:
          {{- with .Values.resources }}
-        resources:
          {{- toYaml . | nindent 10 }}
          {{ end }}
+{{- if .Values.metrics.enabled }}
+service:
+  main:
+    controller: main
+    ports:
+      metrics:
+        port: 20241
+        targetPort: 20241
+serviceMonitor:
+  main:
+    selector:
+      matchLabels:
+        app.kubernetes.io/name: {{ include "cloudflared.name" . }}
+        app.kubernetes.io/instance: {{ .Release.Namespace }}
+    serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
+    endpoints:
+      - port: metrics
+        interval: 30s
+        scrapeTimeout: 10s
+        path: /metrics
+{{- end }}
 {{- end -}}
 {{- $_ := mergeOverwrite .Values (include "cloudflared.hardcodedValues" . | fromYaml) -}}

@@ -14,10 +14,6 @@ spec:
  data:
    - secretKey: {{ include "secret.key" . }}
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: {{ include "secret.path" . }}
-        metadataPolicy: None
        property: {{ .Values.secret.externalSecret.store.property | required "External Secret store property is required" }}
-
 {{- end }}
@@ -1,6 +1,13 @@
 # -- Name override of release
 name: ""

+# -- Protocol - Available values are auto, http2, and quic.
+protocol: auto
+
+# -- Metrics
+metrics:
+  enabled: true
+
 # -- Secret configuration
 secret:

@@ -11,7 +18,7 @@ secret:

    # -- Cluster store config
    store:
-      name: vault
+      name: openbao
      path: /cloudflare/tunnels
      property: token

@@ -26,7 +33,7 @@ secret:
 # -- Default image
 image:
  repository: cloudflare/cloudflared
-  tag: 2026.3.0@sha256:6b599ca3e974349ead3286d178da61d291961182ec3fe9c505e1dd02c8ac31b0
+  tag: 2026.5.0@sha256:59bab8d3aceec09bf6bdb07d6beca0225ca5cd7ab79436a87ea97978fe1dc4f9
  pullPolicy: IfNotPresent

 # -- Default resources
@@ -1,6 +1,6 @@
 dependencies:
 - name: common
  repository: https://bjw-s-labs.github.io/helm-charts/
-  version: 4.6.2
-digest: sha256:35e8f4e5d15d878c246a04eb51de580291f31203fa10e9e4d2318f16026b2061
-generated: "2026-01-16T13:29:01.760344-06:00"
+  version: 5.0.1
+digest: sha256:754f21ee6fca6dc4a85e91384ff0b919b715234d764ef344bd3bbe93414275d3
+generated: "2026-05-17T20:56:28.479119-05:00"
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: generic-device-plugin
-version: 0.20.29
+version: 0.21.6
 description: Generic Device Plugin
 keywords:
  - generic-device-plugin
@@ -14,5 +14,5 @@ maintainers:
 dependencies:
  - name: common
    repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 4.6.2
-appVersion: 0.20.17
+    version: 5.0.1
+appVersion: 0.21.1
@@ -1,6 +1,6 @@
 # generic-device-plugin

-![Version: 0.20.27](https://img.shields.io/badge/Version-0.20.27-informational?style=flat-square) ![AppVersion: 0.20.17](https://img.shields.io/badge/AppVersion-0.20.17-informational?style=flat-square)
+![Version: 0.21.6](https://img.shields.io/badge/Version-0.21.6-informational?style=flat-square) ![AppVersion: 0.21.1](https://img.shields.io/badge/AppVersion-0.21.1-informational?style=flat-square)

 Generic Device Plugin

@@ -19,7 +19,7 @@ Generic Device Plugin

 | Repository | Name | Version |
 |------------|------|---------|
-| https://bjw-s-labs.github.io/helm-charts/ | common | 4.6.2 |
+| https://bjw-s-labs.github.io/helm-charts/ | common | 5.0.1 |

 ## Values

@@ -28,7 +28,7 @@ Generic Device Plugin
 | config | object | `{"data":"devices:\n  - name: serial\n    groups:\n      - paths:\n          - path: /dev/ttyUSB*\n      - paths:\n          - path: /dev/ttyACM*\n      - paths:\n          - path: /dev/tty.usb*\n      - paths:\n          - path: /dev/cu.*\n      - paths:\n          - path: /dev/cuaU*\n      - paths:\n          - path: /dev/rfcomm*\n  - name: video\n    groups:\n      - paths:\n          - path: /dev/video0\n  - name: fuse\n    groups:\n      - count: 10\n        paths:\n          - path: /dev/fuse\n  - name: audio\n    groups:\n      - count: 10\n        paths:\n          - path: /dev/snd\n  - name: capture\n    groups:\n      - paths:\n          - path: /dev/snd/controlC0\n          - path: /dev/snd/pcmC0D0c\n      - paths:\n          - path: /dev/snd/controlC1\n            mountPath: /dev/snd/controlC0\n          - path: /dev/snd/pcmC1D0c\n            mountPath: /dev/snd/pcmC0D0c\n      - paths:\n          - path: /dev/snd/controlC2\n            mountPath: /dev/snd/controlC0\n          - path: /dev/snd/pcmC2D0c\n            mountPath: /dev/snd/pcmC0D0c\n      - paths:\n          - path: /dev/snd/controlC3\n            mountPath: /dev/snd/controlC0\n          - path: /dev/snd/pcmC3D0c\n            mountPath: /dev/snd/pcmC0D0c\n","enabled":true}` | Config map |
 | config.data | string | See [values.yaml](./values.yaml) | generic-device-plugin config file [[ref]](https://github.com/squat/generic-device-plugin#usage) |
 | deviceDomain | string | `"devic.es"` | Domain used by devices for identifcation |
-| image | object | `{"pullPolicy":"Always","repository":"ghcr.io/squat/generic-device-plugin","tag":"latest@sha256:e85f9637ea93f0e9a8d477b0e136783cd6fb8f1a5426cf84ef05ab4c88661c8c"}` | Default image |
+| image | object | `{"pullPolicy":"Always","repository":"ghcr.io/squat/generic-device-plugin","tag":"latest@sha256:dc192e164c69b03f156765793a1be62ca437709ae477b27ca7d8f3dcf5021576"}` | Default image |
 | name | string | `"generic-device-plugin"` | Name override of release |
 | resources | object | `{"requests":{"cpu":"50m","memory":"10Mi"}}` | Default resources |
 | service | object | `{"listenPort":8080}` | Service port |
@@ -4,7 +4,7 @@ name: generic-device-plugin
 # -- Default image
 image:
  repository: ghcr.io/squat/generic-device-plugin
-  tag: latest@sha256:c4e3a24a5f20449e027b9de2c3cee790169ab42220818315f5f8ee9830788981
+  tag: latest@sha256:dc192e164c69b03f156765793a1be62ca437709ae477b27ca7d8f3dcf5021576
  pullPolicy: Always

 # -- Domain used by devices for identifcation
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: postgres-cluster
-version: 7.11.2
+version: 7.13.1
 description: Cloudnative-pg Cluster
 keywords:
  - database
@@ -12,4 +12,4 @@ maintainers:
  - name: alexlebens
 icon: https://avatars.githubusercontent.com/u/100373852?s=48&v=4
 # renovate: datasource=github-releases depName=cloudnative-pg/cloudnative-pg
-appVersion: v1.29.0
+appVersion: v1.29.1
@@ -1,6 +1,6 @@
 # postgres-cluster

-![Version: 7.11.2](https://img.shields.io/badge/Version-7.11.2-informational?style=flat-square) ![AppVersion: v1.29.0](https://img.shields.io/badge/AppVersion-v1.29.0-informational?style=flat-square)
+![Version: 7.13.1](https://img.shields.io/badge/Version-7.13.1-informational?style=flat-square) ![AppVersion: v1.29.1](https://img.shields.io/badge/AppVersion-v1.29.1-informational?style=flat-square)

 Cloudnative-pg Cluster

@@ -24,7 +24,7 @@ Cloudnative-pg Cluster
 | backup.method | string | `"objectStore"` | Method to create backups, options currently are only objectStore |
 | backup.objectStore | string | `nil` | Options for object store backups |
 | backup.scheduledBackups | list | `[]` | List of scheduled backups |
-| cluster | object | `{"additionalLabels":{},"affinity":{"enablePodAntiAffinity":true,"topologyKey":"kubernetes.io/hostname"},"annotations":{},"certificates":{},"enablePDB":true,"enableSuperuserAccess":false,"image":{"repository":"ghcr.io/cloudnative-pg/postgresql","tag":"18.3-standard-trixie"},"imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"initdb":{"database":"app","owner":"app"},"instances":3,"logLevel":"info","monitoring":{"customQueries":[],"customQueriesSecret":[],"disableDefaultQueries":false,"enabled":true,"podMonitor":{"enabled":true,"metricRelabelings":[],"relabelings":[]},"prometheusRule":{"enabled":true,"excludeRules":["CNPGClusterLastFailedArchiveTimeWarning"]}},"postgresGID":-1,"postgresUID":-1,"postgresql":{"ldap":{},"parameters":{"hot_standby_feedback":"on","max_slot_wal_keep_size":"2000MB","shared_buffers":"128MB"},"pg_hba":[],"pg_ident":[],"shared_preload_libraries":[],"synchronous":{}},"primaryUpdateMethod":"switchover","primaryUpdateStrategy":"unsupervised","priorityClassName":"","resources":{"limits":{"hugepages-2Mi":"256Mi"},"requests":{"cpu":"20m","memory":"80Mi"}},"roles":[],"serviceAccountTemplate":{},"services":{},"storage":{"size":"10Gi","storageClass":"local-path"},"superuserSecret":"","walStorage":{"enabled":true,"size":"2Gi","storageClass":"local-path"}}` | Cluster settings |
+| cluster | object | `{"additionalLabels":{},"affinity":{"enablePodAntiAffinity":true,"topologyKey":"kubernetes.io/hostname"},"annotations":{},"certificates":{},"enablePDB":true,"enableSuperuserAccess":false,"image":{"repository":"ghcr.io/cloudnative-pg/postgresql","tag":"18.3-standard-trixie"},"imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"initdb":{"database":"app","owner":"app"},"instances":3,"logLevel":"info","monitoring":{"customQueries":[],"customQueriesSecret":[],"disableDefaultQueries":false,"enabled":true,"podMonitor":{"enabled":true,"metricRelabelings":[],"relabelings":[]},"prometheusRule":{"enabled":true,"excludeRules":["CNPGClusterLastFailedArchiveTimeWarning"]}},"postgresGID":-1,"postgresUID":-1,"postgresql":{"ldap":{},"parameters":{"hot_standby_feedback":"on","max_slot_wal_keep_size":"2000MB","shared_buffers":"512MB"},"pg_hba":[],"pg_ident":[],"shared_preload_libraries":[],"synchronous":{}},"primaryUpdateMethod":"switchover","primaryUpdateStrategy":"unsupervised","priorityClassName":"","resources":{"limits":{"hugepages-2Mi":"256Mi"},"requests":{"cpu":"20m","memory":"80Mi"}},"roles":[],"serviceAccountTemplate":{},"services":{},"storage":{"size":"10Gi","storageClass":"local-path"},"superuserSecret":"","walStorage":{"enabled":true,"size":"2Gi","storageClass":"local-path"}}` | Cluster settings |
 | cluster.affinity | object | `{"enablePodAntiAffinity":true,"topologyKey":"kubernetes.io/hostname"}` | Affinity/Anti-affinity rules for Pods. See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-AffinityConfiguration |
 | cluster.certificates | object | `{}` | The configuration for the CA and related certificates. See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-CertificatesConfiguration |
 | cluster.enablePDB | bool | `true` | Allow to disable PDB, mainly useful for upgrade of single-instance clusters or development purposes See: https://cloudnative-pg.io/documentation/current/kubernetes_upgrade/#pod-disruption-budgets |
@@ -42,12 +42,13 @@ Cloudnative-pg Cluster
 | cluster.monitoring.podMonitor.enabled | bool | `true` | Whether to enable the PodMonitor |
 | cluster.monitoring.podMonitor.metricRelabelings | list | `[]` | The list of metric relabelings for the PodMonitor. Applied to samples before ingestion. |
 | cluster.monitoring.podMonitor.relabelings | list | `[]` | The list of relabelings for the PodMonitor. Applied to samples before scraping. |
+| cluster.monitoring.prometheusRule | object | `{"enabled":true,"excludeRules":["CNPGClusterLastFailedArchiveTimeWarning"]}` | Prometheus rule |
 | cluster.monitoring.prometheusRule.enabled | bool | `true` | Whether to enable the PrometheusRule automated alerts |
 | cluster.monitoring.prometheusRule.excludeRules | list | `["CNPGClusterLastFailedArchiveTimeWarning"]` | Exclude specified rules |
 | cluster.postgresUID | int | `-1` | The UID and GID of the postgres user inside the image, defaults to 26 |
-| cluster.postgresql | object | `{"ldap":{},"parameters":{"hot_standby_feedback":"on","max_slot_wal_keep_size":"2000MB","shared_buffers":"128MB"},"pg_hba":[],"pg_ident":[],"shared_preload_libraries":[],"synchronous":{}}` | Parameters to be set for the database itself See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-PostgresConfiguration |
+| cluster.postgresql | object | `{"ldap":{},"parameters":{"hot_standby_feedback":"on","max_slot_wal_keep_size":"2000MB","shared_buffers":"512MB"},"pg_hba":[],"pg_ident":[],"shared_preload_libraries":[],"synchronous":{}}` | Parameters to be set for the database itself See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-PostgresConfiguration |
 | cluster.postgresql.ldap | object | `{}` | PostgreSQL LDAP configuration (see https://cloudnative-pg.io/documentation/current/postgresql_conf/#ldap-configuration) |
-| cluster.postgresql.parameters | object | `{"hot_standby_feedback":"on","max_slot_wal_keep_size":"2000MB","shared_buffers":"128MB"}` | PostgreSQL configuration options (postgresql.conf) |
+| cluster.postgresql.parameters | object | `{"hot_standby_feedback":"on","max_slot_wal_keep_size":"2000MB","shared_buffers":"512MB"}` | PostgreSQL configuration options (postgresql.conf) |
 | cluster.postgresql.pg_hba | list | `[]` | PostgreSQL Host Based Authentication rules (lines to be appended to the pg_hba.conf file) |
 | cluster.postgresql.pg_ident | list | `[]` | PostgreSQL User Name Maps rules (lines to be appended to the pg_ident.conf file) |
 | cluster.postgresql.shared_preload_libraries | list | `[]` | Lists of shared preload libraries to add to the default ones |
@@ -0,0 +1,346 @@
+---
+# Source: postgres-cluster/templates/cluster.yaml
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: release-name-postgresql-18-cluster
+  namespace: gitea
+  labels:
+    app.kubernetes.io/name: release-name-postgresql-18-cluster
+    helm.sh/chart: postgres-cluster-7.13.1
+    app.kubernetes.io/instance: release-name
+    app.kubernetes.io/part-of: release-name
+    app.kubernetes.io/version: "7.13.1"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  instances: 3
+  imageName: "ghcr.io/cloudnative-pg/postgresql:18.3-standard-trixie"
+  imagePullPolicy: IfNotPresent
+  postgresUID: 26
+  postgresGID: 26
+  storage:
+    size: 10Gi
+    storageClass: local-path
+  walStorage:
+    size: 2Gi
+    storageClass: local-path
+  resources:
+    limits:
+      hugepages-2Mi: 256Mi
+    requests:
+      cpu: 20m
+      memory: 80Mi
+  affinity:
+    enablePodAntiAffinity: true
+    topologyKey: kubernetes.io/hostname
+  primaryUpdateMethod: switchover
+  primaryUpdateStrategy: unsupervised
+  logLevel: info
+  enableSuperuserAccess: false
+  enablePDB: true
+  postgresql:
+    parameters:
+      hot_standby_feedback: "on"
+      max_slot_wal_keep_size: 2000MB
+      shared_buffers: 128MB
+  monitoring:
+    enablePodMonitor: false
+    disableDefaultQueries: false
+
+  bootstrap:
+    initdb:
+      database: app
+      owner: app
+---
+# Source: postgres-cluster/templates/pod-monitor.yaml
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: release-name-postgresql-18
+  namespace: gitea
+  labels:
+    app.kubernetes.io/name: release-name-postgresql-18
+    helm.sh/chart: postgres-cluster-7.13.1
+    app.kubernetes.io/instance: release-name
+    app.kubernetes.io/part-of: release-name
+    app.kubernetes.io/version: "7.13.1"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  selector:
+    matchLabels:
+      cnpg.io/cluster: release-name-postgresql-18
+      cnpg.io/podRole: instance
+  podMetricsEndpoints:
+    - port: metrics
+---
+# Source: postgres-cluster/templates/prometheus-rule.yaml
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: release-name-postgresql-18-alert-rules
+  namespace: gitea
+  labels:
+    app.kubernetes.io/name: release-name-postgresql-18-alert-rules
+    helm.sh/chart: postgres-cluster-7.13.1
+    app.kubernetes.io/instance: release-name
+    app.kubernetes.io/part-of: release-name
+    app.kubernetes.io/version: "7.13.1"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  groups:
+    - name: cloudnative-pg/release-name-postgresql-18
+      rules:
+        - alert: CNPGClusterBackendsWaitingWarning
+          annotations:
+            summary: CNPG Cluster a backend is waiting for longer than 5 minutes.
+            description: |-
+              Pod {{ $labels.pod }}
+              has been waiting for longer than 5 minutes
+          expr: |
+            cnpg_backends_waiting_total{namespace="gitea"} > 300
+          for: 1m
+          labels:
+            severity: warning
+            namespace: gitea
+            cnpg_cluster: release-name-postgresql-18-cluster
+        - alert: CNPGClusterDatabaseDeadlockConflictsWarning
+          annotations:
+            summary: CNPG Cluster has over 10 deadlock conflicts.
+            description: |-
+              There are over 10 deadlock conflicts in
+              {{ $labels.pod }}
+          expr: |
+            cnpg_pg_stat_database_deadlocks{namespace="gitea"} > 10
+          for: 1m
+          labels:
+            severity: warning
+            namespace: gitea
+            cnpg_cluster: release-name-postgresql-18-cluster
+        - alert: CNPGClusterHACritical
+          annotations:
+            summary: CNPG Cluster has no standby replicas!
+            description: |-
+              CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has no ready standby replicas. Your cluster at a severe
+              risk of data loss and downtime if the primary instance fails.
+
+              The primary instance is still online and able to serve queries, although connections to the `-ro` endpoint
+              will fail. The `-r` endpoint os operating at reduced capacity and all traffic is being served by the main.
+
+              This can happen during a normal fail-over or automated minor version upgrades in a cluster with 2 or less
+              instances. The replaced instance may need some time to catch-up with the cluster primary instance.
+
+              This alarm will be always trigger if your cluster is configured to run with only 1 instance. In this
+              case you may want to silence it.
+            runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHACritical.md
+          expr: |
+            max by (job) (cnpg_pg_replication_streaming_replicas{namespace="gitea"} - cnpg_pg_replication_is_wal_receiver_up{namespace="gitea"}) < 1
+          for: 5m
+          labels:
+            severity: critical
+            namespace: gitea
+            cnpg_cluster: release-name-postgresql-18-cluster
+        - alert: CNPGClusterHAWarning
+          annotations:
+            summary: CNPG Cluster less than 2 standby replicas.
+            description: |-
+              CloudNativePG Cluster "{{`{{`}} $labels.job {{`}}`}}" has only {{`{{`}} $value {{`}}`}} standby replicas, putting
+              your cluster at risk if another instance fails. The cluster is still able to operate normally, although
+              the `-ro` and `-r` endpoints operate at reduced capacity.
+
+              This can happen during a normal fail-over or automated minor version upgrades. The replaced instance may
+              need some time to catch-up with the cluster primary instance.
+
+              This alarm will be constantly triggered if your cluster is configured to run with less than 3 instances.
+              In this case you may want to silence it.
+            runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHAWarning.md
+          expr: |
+            max by (job) (cnpg_pg_replication_streaming_replicas{namespace="gitea"} - cnpg_pg_replication_is_wal_receiver_up{namespace="gitea"}) < 2
+          for: 5m
+          labels:
+            severity: warning
+            namespace: gitea
+            cnpg_cluster: release-name-postgresql-18-cluster
+        - alert: CNPGClusterHighConnectionsCritical
+          annotations:
+            summary: CNPG Instance maximum number of connections critical!
+            description: |-
+              CloudNativePG Cluster "gitea/release-name-postgresql-18-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of
+              the maximum number of connections.
+            runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsCritical.md
+          expr: |
+            sum by (pod) (cnpg_backends_total{namespace="gitea", pod=~"release-name-postgresql-18-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="gitea", pod=~"release-name-postgresql-18-cluster-([1-9][0-9]*)$"}) * 100 > 95
+          for: 5m
+          labels:
+            severity: critical
+            namespace: gitea
+            cnpg_cluster: release-name-postgresql-18-cluster
+        - alert: CNPGClusterHighConnectionsWarning
+          annotations:
+            summary: CNPG Instance is approaching the maximum number of connections.
+            description: |-
+              CloudNativePG Cluster "gitea/release-name-postgresql-18-cluster" instance {{`{{`}} $labels.pod {{`}}`}} is using {{`{{`}} $value {{`}}`}}% of
+              the maximum number of connections.
+            runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighConnectionsWarning.md
+          expr: |
+            sum by (pod) (cnpg_backends_total{namespace="gitea", pod=~"release-name-postgresql-18-cluster-([1-9][0-9]*)$"}) / max by (pod) (cnpg_pg_settings_setting{name="max_connections", namespace="gitea", pod=~"release-name-postgresql-18-cluster-([1-9][0-9]*)$"}) * 100 > 80
+          for: 5m
+          labels:
+            severity: warning
+            namespace: gitea
+            cnpg_cluster: release-name-postgresql-18-cluster
+        - alert: CNPGClusterHighReplicationLag
+          annotations:
+            summary: CNPG Cluster high replication lag
+            description: |-
+              CloudNativePG Cluster "gitea/release-name-postgresql-18-cluster" is experiencing a high replication lag of
+              {{`{{`}} $value {{`}}`}}ms.
+
+              High replication lag indicates network issues, busy instances, slow queries or suboptimal configuration.
+            runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterHighReplicationLag.md
+          expr: |
+            max(cnpg_pg_replication_lag{namespace="gitea",pod=~"release-name-postgresql-18-cluster-([1-9][0-9]*)$"}) * 1000 > 1000
+          for: 5m
+          labels:
+            severity: warning
+            namespace: gitea
+            cnpg_cluster: release-name-postgresql-18-cluster
+        - alert: CNPGClusterInstancesOnSameNode
+          annotations:
+            summary: CNPG Cluster instances are located on the same node.
+            description: |-
+              CloudNativePG Cluster "gitea/release-name-postgresql-18-cluster" has {{`{{`}} $value {{`}}`}}
+              instances on the same node {{`{{`}} $labels.node {{`}}`}}.
+
+              A failure or scheduled downtime of a single node will lead to a potential service disruption and/or data loss.
+            runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterInstancesOnSameNode.md
+          expr: |
+            count by (node) (kube_pod_info{namespace="gitea", pod=~"release-name-postgresql-18-cluster-([1-9][0-9]*)$"}) > 1
+          for: 5m
+          labels:
+            severity: warning
+            namespace: gitea
+            cnpg_cluster: release-name-postgresql-18-cluster
+        - alert: CNPGClusterLongRunningTransactionWarning
+          annotations:
+            summary: CNPG Cluster query is taking longer than 5 minutes.
+            description: |-
+              CloudNativePG Cluster Pod {{ $labels.pod }}
+              is taking more than 5 minutes (300 seconds) for a query.
+          expr: |-
+            cnpg_backends_max_tx_duration_seconds{namespace="gitea"} > 300
+          for: 1m
+          labels:
+            severity: warning
+            namespace: gitea
+            cnpg_cluster: release-name-postgresql-18-cluster
+        - alert: CNPGClusterLowDiskSpaceCritical
+          annotations:
+            summary: CNPG Instance is running out of disk space!
+            description: |-
+              CloudNativePG Cluster "gitea/release-name-postgresql-18-cluster" is running extremely low on disk space. Check attached PVCs!
+            runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceCritical.md
+          expr: |
+            max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="gitea", persistentvolumeclaim=~"release-name-postgresql-18-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="gitea", persistentvolumeclaim=~"release-name-postgresql-18-cluster-([1-9][0-9]*)$"})) > 0.9 OR
+            max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="gitea", persistentvolumeclaim=~"release-name-postgresql-18-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="gitea", persistentvolumeclaim=~"release-name-postgresql-18-cluster-([1-9][0-9]*)$-wal"})) > 0.9 OR
+            max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="gitea", persistentvolumeclaim=~"release-name-postgresql-18-cluster-([1-9][0-9]*)$-tbs.*"})
+                /
+                sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="gitea", persistentvolumeclaim=~"release-name-postgresql-18-cluster-([1-9][0-9]*)$-tbs.*"})
+                *
+                on(namespace, persistentvolumeclaim) group_left(volume)
+                kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"release-name-postgresql-18-cluster-([1-9][0-9]*)$"}
+            ) > 0.9
+          for: 5m
+          labels:
+            severity: critical
+            namespace: gitea
+            cnpg_cluster: release-name-postgresql-18-cluster
+        - alert: CNPGClusterLowDiskSpaceWarning
+          annotations:
+            summary: CNPG Instance is running out of disk space.
+            description: |-
+              CloudNativePG Cluster "gitea/release-name-postgresql-18-cluster" is running low on disk space. Check attached PVCs.
+            runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterLowDiskSpaceWarning.md
+          expr: |
+            max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="gitea", persistentvolumeclaim=~"release-name-postgresql-18-cluster-([1-9][0-9]*)$"} / kubelet_volume_stats_capacity_bytes{namespace="gitea", persistentvolumeclaim=~"release-name-postgresql-18-cluster-([1-9][0-9]*)$"})) > 0.7 OR
+            max(max by(persistentvolumeclaim) (1 - kubelet_volume_stats_available_bytes{namespace="gitea", persistentvolumeclaim=~"release-name-postgresql-18-cluster-([1-9][0-9]*)$-wal"} / kubelet_volume_stats_capacity_bytes{namespace="gitea", persistentvolumeclaim=~"release-name-postgresql-18-cluster-([1-9][0-9]*)$-wal"})) > 0.7 OR
+            max(sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_used_bytes{namespace="gitea", persistentvolumeclaim=~"release-name-postgresql-18-cluster-([1-9][0-9]*)$-tbs.*"})
+                /
+                sum by (namespace,persistentvolumeclaim) (kubelet_volume_stats_capacity_bytes{namespace="gitea", persistentvolumeclaim=~"release-name-postgresql-18-cluster-([1-9][0-9]*)$-tbs.*"})
+                *
+                on(namespace, persistentvolumeclaim) group_left(volume)
+                kube_pod_spec_volumes_persistentvolumeclaims_info{pod=~"release-name-postgresql-18-cluster-([1-9][0-9]*)$"}
+            ) > 0.7
+          for: 5m
+          labels:
+            severity: warning
+            namespace: gitea
+            cnpg_cluster: release-name-postgresql-18-cluster
+        - alert: CNPGClusterOffline
+          annotations:
+            summary: CNPG Cluster has no running instances!
+            description: |-
+              CloudNativePG Cluster "gitea/release-name-postgresql-18-cluster" has no ready instances.
+
+              Having an offline cluster means your applications will not be able to access the database, leading to
+              potential service disruption and/or data loss.
+            runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterOffline.md
+          expr: |
+            (count(cnpg_collector_up{namespace="gitea",pod=~"release-name-postgresql-18-cluster-([1-9][0-9]*)$"}) OR on() vector(0)) == 0
+          for: 5m
+          labels:
+            severity: critical
+            namespace: gitea
+            cnpg_cluster: release-name-postgresql-18-cluster
+        - alert: CNPGClusterPGDatabaseXidAgeWarning
+          annotations:
+            summary: CNPG Cluster has a number of transactions from the frozen XID to the current one.
+            description: |-
+              Over 300,000,000 transactions from frozen xid
+              on pod {{ $labels.pod }}
+          expr: |
+            cnpg_pg_database_xid_age{namespace="gitea"} > 300000000
+          for: 1m
+          labels:
+            severity: warning
+            namespace: gitea
+            cnpg_cluster: release-name-postgresql-18-cluster
+        - alert: CNPGClusterPGReplicationWarning
+          annotations:
+            summary: CNPG Cluster standby is lagging behind the primary.
+            description: |-
+              Standby is lagging behind by over 300 seconds (5 minutes)
+          expr: |
+            cnpg_pg_replication_lag{namespace="gitea"} > 300
+          for: 1m
+          labels:
+            severity: warning
+            namespace: gitea
+            cnpg_cluster: release-name-postgresql-18-cluster
+        - alert: CNPGClusterReplicaFailingReplicationWarning
+          annotations:
+            summary: CNPG Cluster has a replica is failing to replicate.
+            description: |-
+              Replica {{ $labels.pod }}
+              is failing to replicate
+          expr: |
+            cnpg_pg_replication_in_recovery{namespace="gitea"} > cnpg_pg_replication_is_wal_receiver_up{namespace="gitea"}
+          for: 1m
+          labels:
+            severity: warning
+            namespace: gitea
+            cnpg_cluster: release-name-postgresql-18-cluster
+        - alert: CNPGClusterZoneSpreadWarning
+          annotations:
+            summary: CNPG Cluster instances in the same zone.
+            description: |-
+              CloudNativePG Cluster "gitea/release-name-postgresql-18-cluster" has instances in the same availability zone.
+
+              A disaster in one availability zone will lead to a potential service disruption and/or data loss.
+            runbook_url: https://github.com/cloudnative-pg/charts/blob/main/charts/cluster/docs/runbooks/CNPGClusterZoneSpreadWarning.md
+          expr: |
+            3 > count(count by (label_topology_kubernetes_io_zone) (kube_pod_info{namespace="gitea", pod=~"release-name-postgresql-18-cluster-([1-9][0-9]*)$"} * on(node,instance) group_left(label_topology_kubernetes_io_zone) kube_node_labels)) < 3
+          for: 5m
+          labels:
+            severity: warning
+            namespace: gitea
+            cnpg_cluster: release-name-postgresql-18-cluster
@@ -1,5 +1,4 @@
-{{- define "cluster.bootstrap" -}}
-
+{{- define "cluster.bootstrap" }}
 {{- if eq .Values.mode "standalone" }}
 bootstrap:
  initdb:
@@ -16,13 +15,11 @@ bootstrap:
      {{- with .Values.cluster.initdb }}
      {{- range .postInitApplicationSQL }}
      {{- printf "- %s" . | nindent 6 }}
-        {{- end -}}
      {{- end }}
      {{- end }}
-
-{{- else if eq .Values.mode "recovery" -}}
+    {{- end }}
+{{- else if eq .Values.mode "recovery" }}
 bootstrap:
-
  {{- if eq .Values.recovery.method "import" }}
  initdb:
    {{- with .Values.cluster.initdb }}
@@ -66,7 +63,6 @@ bootstrap:
      pgRestoreExtraOptions:
        {{- . | toYaml | nindent 8 }}
      {{- end }}
-
  {{- else if eq .Values.recovery.method "backup" }}
  recovery:
    {{- with .Values.recovery.backup.pitrTarget.time }}
@@ -81,7 +77,6 @@ bootstrap:
    {{- end }}
    backup:
      name: {{ .Values.recovery.backup.backupName }}
-
  {{- else if eq .Values.recovery.method "objectStore" }}
  recovery:
    {{- with .Values.recovery.objectStore.pitrTarget.time }}
@@ -95,13 +90,10 @@ bootstrap:
    owner: {{ . }}
    {{- end }}
    source: {{ include "cluster.recoveryServerName" . }}
-
  {{- else }}
    {{ fail "Invalid recovery mode!" }}
  {{- end }}
-
 {{- else }}
  {{ fail "Invalid cluster mode!" }}
 {{- end }}
-
 {{- end }}
@@ -1,4 +1,4 @@
-{{- define "cluster.externalClusters" -}}
+{{- define "cluster.externalClusters" }}
 {{- if eq .Values.mode "standalone" }}
 {{- else if eq .Values.mode "recovery" }}
 externalClusters:
@@ -18,4 +18,4 @@ externalClusters:
 {{- else }}
  {{ fail "Invalid cluster mode!" }}
 {{- end }}
-{{ end }}
+{{- end }}
@@ -30,4 +30,4 @@
    name: {{ $config.sslRootCertSecret.name }}
    key: {{ $config.sslRootCertSecret.key }}
  {{- end }}
-{{- end }}
+{{- end -}}
@@ -35,7 +35,7 @@ spec:
  {{- with .Values.cluster.resources }}
  resources:
    {{- toYaml . | nindent 4 }}
-  {{ end }}
+  {{- end }}
  {{- with .Values.cluster.affinity }}
  affinity:
    {{- toYaml . | nindent 4 }}
@@ -43,7 +43,6 @@ spec:
  {{- if .Values.cluster.priorityClassName }}
  priorityClassName: {{ .Values.cluster.priorityClassName }}
  {{- end }}
-
  primaryUpdateMethod: {{ .Values.cluster.primaryUpdateMethod }}
  primaryUpdateStrategy: {{ .Values.cluster.primaryUpdateStrategy }}
  logLevel: {{ .Values.cluster.logLevel }}
@@ -57,7 +56,6 @@ spec:
    name: {{ . }}
  {{ end }}
  enablePDB: {{ .Values.cluster.enablePDB }}
-
  postgresql:
    {{- if .Values.cluster.postgresql.shared_preload_libraries }}
    shared_preload_libraries:
@@ -85,7 +83,6 @@ spec:
    parameters:
      {{- toYaml . | nindent 6 }}
    {{- end }}
-
  {{- if not (and (empty .Values.cluster.roles) (empty .Values.cluster.services)) }}
  managed:
    {{- with .Values.cluster.services }}
@@ -97,14 +94,12 @@ spec:
      {{- toYaml . | nindent 6 }}
    {{ end }}
  {{- end }}
-
  {{- with .Values.cluster.serviceAccountTemplate }}
  serviceAccountTemplate:
    {{- toYaml . | nindent 4 }}
  {{- end }}
-
  monitoring:
-    enablePodMonitor: {{ and .Values.cluster.monitoring.enabled .Values.cluster.monitoring.podMonitor.enabled }}
+    enablePodMonitor: false
    disableDefaultQueries: {{ .Values.cluster.monitoring.disableDefaultQueries }}
    {{- if not (empty .Values.cluster.monitoring.customQueries) }}
    customQueriesConfigMap:
@@ -127,9 +122,9 @@ spec:
    {{- with .Values.cluster.monitoring.podMonitor.metricRelabelings }}
    podMonitorMetricRelabelings:
      {{- toYaml . | nindent 6 }}
-    {{ end }}
    {{- end }}
-
+    {{- end }}
+  {{- if not (empty .Values.backup.objectStore) -}}
  plugins:
  {{- range $objectStore := .Values.backup.objectStore }}
    - name: barman-cloud.cloudnative-pg.io
@@ -146,7 +141,7 @@ spec:
        {{- else }}
        serverName: "{{ include "cluster.name" $ }}-backup-{{ $objectStore.index }}"
        {{- end }}
-  {{- end }}
-
-  {{ include "cluster.bootstrap" . | nindent 2 }}
-  {{ include "cluster.externalClusters" . | nindent 2 }}
+  {{- end -}}
+  {{- end -}}
+  {{- include "cluster.bootstrap" . | nindent 2 -}}
+  {{- include "cluster.externalClusters" . | nindent 2 -}}
@@ -1,6 +1,6 @@
-{{ if and (eq .Values.backup.method "objectStore") (.Values.backup.externalSecret.enabled) }}
-{{ $context := . -}}
-{{ range .Values.backup.objectStore -}}
+{{- if and (eq .Values.backup.method "objectStore") (.Values.backup.externalSecret.enabled) }}
+{{- $context := . }}
+{{- range .Values.backup.objectStore }}
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
@@ -16,31 +16,22 @@ metadata:
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: vault
+    name: openbao
  data:
    - secretKey: ACCESS_REGION
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: {{ .externalSecretCredentialPath | required "External Secret Credential local path is required" }}
-        metadataPolicy: None
        property: ACCESS_REGION
    - secretKey: ACCESS_KEY_ID
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: {{ .externalSecretCredentialPath | required "External Secret Credential local path is required" }}
-        metadataPolicy: None
        property: ACCESS_KEY_ID
    - secretKey: ACCESS_SECRET_KEY
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: {{ .externalSecretCredentialPath| required "External Secret Credential local path is required" }}
-        metadataPolicy: None
        property: ACCESS_SECRET_KEY
-{{ end -}}
-{{ end }}
+{{- end }}
+{{- end }}

 {{- if and (eq .Values.recovery.method "objectStore") (.Values.recovery.objectStore.externalSecret.enabled) }}
 ---
@@ -58,27 +49,18 @@ metadata:
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: vault
+    name: openbao
  data:
    - secretKey: ACCESS_REGION
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: {{ .Values.recovery.objectStore.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
-        metadataPolicy: None
        property: ACCESS_REGION
    - secretKey: ACCESS_KEY_ID
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: {{ .Values.recovery.objectStore.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
-        metadataPolicy: None
        property: ACCESS_KEY_ID
    - secretKey: ACCESS_SECRET_KEY
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: {{ .Values.recovery.objectStore.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
-        metadataPolicy: None
        property: ACCESS_SECRET_KEY
 {{- end }}
@@ -1,6 +1,6 @@
-{{ if (eq .Values.backup.method "objectStore") }}
-{{ $context := . -}}
-{{ range .Values.backup.objectStore -}}
+{{- if (eq .Values.backup.method "objectStore") }}
+{{- $context := . }}
+{{- range .Values.backup.objectStore }}
 ---
 apiVersion: barmancloud.cnpg.io/v1
 kind: ObjectStore
@@ -57,10 +57,9 @@ spec:
      region:
        name: {{ include "cluster.backupSecretName" (dict "instance" . "global" $context) }}
        key: ACCESS_REGION
-{{ end -}}
-{{ end }}
-
-{{ if eq .Values.recovery.method "objectStore" }}
+{{- end }}
+{{- end }}
+{{- if eq .Values.recovery.method "objectStore" }}
 ---
 apiVersion: barmancloud.cnpg.io/v1
 kind: ObjectStore
@@ -104,4 +103,4 @@ spec:
      region:
        name: {{ include "cluster.recoverySecretName" . }}
        key: ACCESS_REGION
-{{ end }}
+{{- end }}
@@ -0,0 +1,18 @@
+{{- if and .Values.cluster.monitoring.enabled .Values.cluster.monitoring.podMonitor.enabled }}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: {{ include "cluster.name" $ }}
+  namespace: {{ include "cluster.namespace" $ }}
+  labels:
+    app.kubernetes.io/name: {{ include "cluster.name" $ }}
+    {{- include "cluster.labels" $ | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      cnpg.io/cluster: {{ include "cluster.name" $ }}
+      cnpg.io/podRole: instance
+  podMetricsEndpoints:
+    - port: metrics
+{{- end }}
@@ -47,6 +47,6 @@ spec:
  {{- end }}
  {{- with .template }}
  template:
-    {{- . | toYaml | nindent 4 }}
+    {{ . | toYaml | nindent 4 }}
  {{- end }}
 {{- end }}
@@ -1,4 +1,5 @@
-{{- if and .Values.cluster.monitoring.enabled .Values.cluster.monitoring.prometheusRule.enabled -}}
+{{- if and .Values.cluster.monitoring.enabled .Values.cluster.monitoring.prometheusRule.enabled }}
+---
 apiVersion: monitoring.coreos.com/v1
 kind: PrometheusRule
 metadata:
@@ -25,4 +26,4 @@ spec:
        - {{ $tpl }}
        {{- end -}}
        {{- end }}
-{{ end }}
+{{- end }}
@@ -1,5 +1,5 @@
-{{ $context := . -}}
-{{ range .Values.backup.scheduledBackups -}}
+{{- $context := . }}
+{{- range .Values.backup.scheduledBackups }}
 ---
 apiVersion: postgresql.cnpg.io/v1
 kind: ScheduledBackup
@@ -21,4 +21,4 @@ spec:
    name: {{ .plugin | default "barman-cloud.cloudnative-pg.io" }}
    parameters:
      barmanObjectName: "{{ include "cluster.name" $context }}-backup-{{ .backupName }}"
-{{ end -}}
+{{- end }}
@@ -127,6 +127,7 @@ cluster:
      # Applied to samples before ingestion.
      metricRelabelings: []

+    # -- Prometheus rule
    prometheusRule:

      # -- Whether to enable the PrometheusRule automated alerts
@@ -164,7 +165,7 @@ cluster:

    # -- PostgreSQL configuration options (postgresql.conf)
    parameters:
-      shared_buffers: 128MB
+      shared_buffers: 512MB
      max_slot_wal_keep_size: 2000MB
      hot_standby_feedback: "on"

@@ -0,0 +1,6 @@
+dependencies:
+- name: common
+  repository: https://bjw-s-labs.github.io/helm-charts/
+  version: 5.0.1
+digest: sha256:754f21ee6fca6dc4a85e91384ff0b919b715234d764ef344bd3bbe93414275d3
+generated: "2026-05-17T20:56:33.77714-05:00"
@@ -0,0 +1,20 @@
+apiVersion: v2
+name: rclone-bucket
+version: 0.11.4
+description: Rclone CronJob to replicate buckets
+keywords:
+  - rclone-bucket
+  - rclone
+  - storage
+sources:
+  - https://github.com/rclone/rclone
+  - https://hub.docker.com/r/rclone/rclone
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: common
+    repository: https://bjw-s-labs.github.io/helm-charts/
+    version: 5.0.1
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/rclone.png
+# renovate: datasource=github-releases depName=rclone/rclone
+appVersion: v1.74.1
@@ -0,0 +1,46 @@
+# rclone-bucket
+
+![Version: 0.11.4](https://img.shields.io/badge/Version-0.11.4-informational?style=flat-square) ![AppVersion: v1.74.1](https://img.shields.io/badge/AppVersion-v1.74.1-informational?style=flat-square)
+
+Rclone CronJob to replicate buckets
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| alexlebens |  |  |
+
+## Source Code
+
+* <https://github.com/rclone/rclone>
+* <https://hub.docker.com/r/rclone/rclone>
+
+## Requirements
+
+| Repository | Name | Version |
+|------------|------|---------|
+| https://bjw-s-labs.github.io/helm-charts/ | common | 5.0.1 |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| additionalLabels | object | `{}` | Add additional labels |
+| cronJob | object | `{"backoffLimit":3,"parallelism":1,"schedule":"0 0 * * *","suspend":false,"timeZone":"America/Chicago"}` | CronJob configuration |
+| image | object | `{"pullPolicy":"IfNotPresent","repository":"rclone/rclone","tag":"1.74.1@sha256:eb8788b795f0009324e9572b0e2acb9b56885327c2746b07d67a9d3b893a6602"}` | Default image |
+| metrics | object | `{"enabled":true}` | Metrics |
+| nameOverride | string | `""` | Default pattern follows <pvcTarget>-backup |
+| prometheusRule | object | `{"enabled":true}` | Prometheus Rule |
+| prune | object | `{"ageToPrune":"90d","enabled":false,"exclude":"","include":""}` | Enable prune job |
+| rclone | object | `{"destination":{"bucketName":"bucket","forcePathStyle":true,"providerType":"Other"},"providerType":"Other","source":{"bucketName":"bucket","forcePathStyle":true,"providerType":"Other"}}` | rclone configuration |
+| rclone.destination | object | `{"bucketName":"bucket","forcePathStyle":true,"providerType":"Other"}` | Destination configuration |
+| rclone.source | object | `{"bucketName":"bucket","forcePathStyle":true,"providerType":"Other"}` | Source configuration |
+| secret | object | `{"existingSecretDestination":{"name":"rclone-destination-secret"},"existingSecretSource":{"name":"rclone-source-secret"},"externalSecret":{"additionalLabels":{},"destination":{"config":{"endpointProperty":"ENDPOINT_REMOTE","path":"/config"},"credentials":{"keyIdProperty":"ACCESS_KEY_ID","path":"/credential","regionProperty":"ACCESS_REGION","secretKeyProperty":"ACCESS_SECRET_KEY"},"nameOverride":""},"enabled":true,"source":{"config":{"endpointProperty":"ENDPOINT_LOCAL","path":"/config"},"credentials":{"keyIdProperty":"ACCESS_KEY_ID","path":"/credential","regionProperty":"ACCESS_REGION","secretKeyProperty":"ACCESS_SECRET_KEY"},"nameOverride":""},"storeName":"openbao"}}` | Secret configuration |
+| secret.existingSecretSource | object | `{"name":"rclone-source-secret"}` | Name of existing secret that contains the configuration |
+| secret.externalSecret | object | `{"additionalLabels":{},"destination":{"config":{"endpointProperty":"ENDPOINT_REMOTE","path":"/config"},"credentials":{"keyIdProperty":"ACCESS_KEY_ID","path":"/credential","regionProperty":"ACCESS_REGION","secretKeyProperty":"ACCESS_SECRET_KEY"},"nameOverride":""},"enabled":true,"source":{"config":{"endpointProperty":"ENDPOINT_LOCAL","path":"/config"},"credentials":{"keyIdProperty":"ACCESS_KEY_ID","path":"/credential","regionProperty":"ACCESS_REGION","secretKeyProperty":"ACCESS_SECRET_KEY"},"nameOverride":""},"storeName":"openbao"}` | External Secret configuration |
+| secret.externalSecret.additionalLabels | object | `{}` | Add additional labels |
+| secret.externalSecret.destination | object | `{"config":{"endpointProperty":"ENDPOINT_REMOTE","path":"/config"},"credentials":{"keyIdProperty":"ACCESS_KEY_ID","path":"/credential","regionProperty":"ACCESS_REGION","secretKeyProperty":"ACCESS_SECRET_KEY"},"nameOverride":""}` | Destination configuration |
+| secret.externalSecret.source | object | `{"config":{"endpointProperty":"ENDPOINT_LOCAL","path":"/config"},"credentials":{"keyIdProperty":"ACCESS_KEY_ID","path":"/credential","regionProperty":"ACCESS_REGION","secretKeyProperty":"ACCESS_SECRET_KEY"},"nameOverride":""}` | Source configuration |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)
@@ -0,0 +1,90 @@
+{{/*
+Generate the root name
+*/}}
+{{- define "rclone.name" -}}
+  {{- if .Values.nameOverride }}
+    {{- .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+  {{- else }}
+    {{- printf "%s-rclone" .Values.rclone.source.bucketName | trunc 63 | trimSuffix "-" -}}
+  {{- end }}
+{{- end }}
+
+{{/*
+Generate the secret name
+*/}}
+{{- define "rclone.sourceSecretName" -}}
+  {{- if .Values.secret.externalSecret.enabled }}
+    {{- if .Values.secret.externalSecret.source.nameOverride }}
+      {{- .Values.secret.externalSecret.source.nameOverride | trunc 63 | trimSuffix "-" }}
+    {{- else }}
+      {{- printf "%s-rclone-source-config" .Values.rclone.source.bucketName -}}
+    {{- end }}
+  {{- else if .Values.secret.existingSecretSource.name }}
+    {{- printf "%s" .Values.secret.existingSecretSource.name -}}
+  {{- else }}
+    {{ fail "No Secret Name Found!" }}
+  {{- end }}
+{{- end }}
+
+{{- define "rclone.destinationSecretName" -}}
+  {{- if .Values.secret.externalSecret.enabled }}
+    {{- if .Values.secret.externalSecret.destination.nameOverride }}
+      {{- .Values.secret.externalSecret.destination.nameOverride | trunc 63 | trimSuffix "-" }}
+    {{- else }}
+      {{- printf "%s-rclone-destination-config" .Values.rclone.destination.bucketName -}}
+    {{- end }}
+  {{- else if .Values.secret.existingSecretDestination.name }}
+    {{- printf "%s" .Values.secret.existingSecretDestination.name -}}
+  {{- else }}
+    {{ fail "No Secret Name Found!" }}
+  {{- end }}
+{{- end }}
+
+{{/*
+Common env names
+*/}}
+{{- define "secretRclone.envAccessKey" -}}
+ACCESS_KEY_ID
+{{- end }}
+{{- define "secretRclone.envSecretKey" -}}
+ACCESS_SECRET_KEY
+{{- end }}
+{{- define "secretRclone.envRegion" -}}
+ACCESS_REGION
+{{- end }}
+{{- define "secretRclone.envSrcEndpoint" -}}
+SRC_ENDPOINT
+{{- end }}
+{{- define "secretRclone.envDestEndpoint" -}}
+DEST_ENDPOINT
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "rclone.chart" -}}
+  {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "rclone.labels" -}}
+helm.sh/chart: {{ include "rclone.chart" $ }}
+{{ include "rclone.selectorLabels" $ }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.Version | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- with .Values.secret.externalSecret.additionalLabels }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "rclone.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}
@@ -0,0 +1,186 @@
+{{- include "bjw-s.common.loader.init" . }}
+
+{{- define "rclone.hardcodedValues" -}}
+global:
+  nameOverride: {{ include "rclone.name" . }}
+  fullNameOverride: {{ include "rclone.name" . }}
+  createDefaultServiceAccount: true
+controllers:
+  main:
+    type: cronjob
+    {{- with .Values.cronJob }}
+    cronjob:
+      {{- toYaml . | nindent 6 }}
+    {{ end }}
+    serviceAccount:
+      identifier: {{ .Release.Name }}
+    containers:
+      sync:
+        image:
+          repository: {{ .Values.image.repository }}
+          tag: {{ .Values.image.tag }}
+          pullPolicy: {{ .Values.image.pullPolicy }}
+        args:
+          - sync
+          - src:{{ .Values.rclone.source.bucketName }}
+          - dest:{{ .Values.rclone.destination.bucketName }}
+          - --s3-no-check-bucket
+          {{- if .Values.prune.enabled }}
+          - --max-age
+          - {{ .Values.prune.ageToPrune | quote }}
+          {{- end }}
+          {{- if .Values.prune.include }}
+          - --include
+          - {{ .Values.prune.include | quote }}
+          {{- end }}
+          {{- if .Values.prune.exclude }}
+          - --exclude
+          - {{ .Values.prune.exclude | quote }}
+          {{- end }}
+          {{- if .Values.metrics.enabled }}
+          - --rc
+          - --rc-addr=0.0.0.0:5572
+          - --rc-enable-metrics
+          - --rc-no-auth
+          {{- end }}
+          - --verbose
+        env:
+          - name: RCLONE_S3_PROVIDER
+            value: {{ .Values.rclone.providerType }}
+          - name: RCLONE_CONFIG_SRC_TYPE
+            value: s3
+          - name: RCLONE_CONFIG_SRC_PROVIDER
+            value: {{ .Values.rclone.source.providerType }}
+          - name: RCLONE_CONFIG_SRC_ENV_AUTH
+            value: "false"
+          - name: RCLONE_CONFIG_SRC_ACCESS_KEY_ID
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "rclone.sourceSecretName" . }}
+                key: {{ include "secretRclone.envAccessKey" . }}
+          - name: RCLONE_CONFIG_SRC_SECRET_ACCESS_KEY
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "rclone.sourceSecretName" . }}
+                key: {{ include "secretRclone.envSecretKey" . }}
+          - name: RCLONE_CONFIG_SRC_REGION
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "rclone.sourceSecretName" . }}
+                key: {{ include "secretRclone.envRegion" . }}
+          - name: RCLONE_CONFIG_SRC_ENDPOINT
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "rclone.sourceSecretName" . }}
+                key: {{ include "secretRclone.envSrcEndpoint" . }}
+          - name: RCLONE_CONFIG_SRC_FORCE_PATH_STYLE
+            value: {{ .Values.rclone.source.forcePathStyle | quote }}
+          - name: RCLONE_CONFIG_DEST_TYPE
+            value: s3
+          - name: RCLONE_CONFIG_DEST_PROVIDER
+            value: {{ .Values.rclone.destination.providerType }}
+          - name: RCLONE_CONFIG_DEST_ENV_AUTH
+            value: "false"
+          - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "rclone.destinationSecretName" . }}
+                key: {{ include "secretRclone.envAccessKey" . }}
+          - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "rclone.destinationSecretName" . }}
+                key: {{ include "secretRclone.envSecretKey" . }}
+          - name: RCLONE_CONFIG_DEST_REGION
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "rclone.destinationSecretName" . }}
+                key: {{ include "secretRclone.envRegion" . }}
+          - name: RCLONE_CONFIG_DEST_ENDPOINT
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "rclone.destinationSecretName" . }}
+                key: {{ include "secretRclone.envDestEndpoint" . }}
+          - name: RCLONE_CONFIG_DEST_FORCE_PATH_STYLE
+            value: {{ .Values.rclone.destination.forcePathStyle | quote }}
+      {{- if .Values.prune.enabled }}
+      prune:
+        image:
+          repository: {{ .Values.image.repository }}
+          tag: {{ .Values.image.tag }}
+          pullPolicy: {{ .Values.image.pullPolicy }}
+        args:
+          - delete
+          - dest:{{ .Values.rclone.destination.bucketName }}
+          - --min-age
+          - {{ .Values.prune.ageToPrune | quote }}
+          - --verbose
+          {{- if .Values.metrics.enabled }}
+          - --rc
+          - --rc-addr=0.0.0.0:5573
+          - --rc-enable-metrics
+          - --rc-no-auth
+          {{- end }}
+        env:
+          - name: RCLONE_CONFIG_DEST_TYPE
+            value: s3
+          - name: RCLONE_CONFIG_DEST_PROVIDER
+            value: {{ .Values.rclone.destination.providerType }}
+          - name: RCLONE_CONFIG_DEST_ENV_AUTH
+            value: "false"
+          - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "rclone.destinationSecretName" . }}
+                key: {{ include "secretRclone.envAccessKey" . }}
+          - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "rclone.destinationSecretName" . }}
+                key: {{ include "secretRclone.envSecretKey" . }}
+          - name: RCLONE_CONFIG_DEST_REGION
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "rclone.destinationSecretName" . }}
+                key: {{ include "secretRclone.envRegion" . }}
+          - name: RCLONE_CONFIG_DEST_ENDPOINT
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "rclone.destinationSecretName" . }}
+                key: {{ include "secretRclone.envDestEndpoint" . }}
+          - name: RCLONE_CONFIG_DEST_FORCE_PATH_STYLE
+            value: {{ .Values.rclone.destination.forcePathStyle | quote }}
+      {{- end }}
+{{- if .Values.metrics.enabled }}
+service:
+  main:
+    controller: main
+    ports:
+      rc-sync:
+        port: 5572
+        targetPort: 5572
+      rc-prune:
+        port: 5573
+        targetPort: 5573
+serviceMonitor:
+  main:
+    selector:
+      matchLabels:
+        app.kubernetes.io/name: {{ include "rclone.name" . }}
+        app.kubernetes.io/instance: {{ .Release.Namespace }}
+    serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
+    endpoints:
+      - port: rc-sync
+        interval: 10s
+        scrapeTimeout: 5s
+        path: /metrics
+      - port: rc-prune
+        interval: 10s
+        scrapeTimeout: 5s
+        path: /metrics
+{{- end }}
+{{- end -}}
+{{- $_ := mergeOverwrite .Values (include "rclone.hardcodedValues" . | fromYaml) -}}
+
+{{/* Render the templates */}}
+{{ include "bjw-s.common.loader.generate" . }}
@@ -0,0 +1,69 @@
+{{- if .Values.secret.externalSecret.enabled }}
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: {{ include "rclone.sourceSecretName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "rclone.labels" . | nindent 4 }}
+    app.kubernetes.io/name: {{ include "rclone.sourceSecretName" . }}
+    {{- with .Values.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: {{ .Values.secret.externalSecret.storeName | required "External Secret store name is required" }}
+  data:
+    - secretKey: {{ include "secretRclone.envAccessKey" . }}
+      remoteRef:
+        key: {{ .Values.secret.externalSecret.source.credentials.path }}
+        property: {{ .Values.secret.externalSecret.source.credentials.keyIdProperty }}
+    - secretKey: {{ include "secretRclone.envSecretKey" . }}
+      remoteRef:
+        key: {{ .Values.secret.externalSecret.source.credentials.path }}
+        property: {{ .Values.secret.externalSecret.source.credentials.secretKeyProperty }}
+    - secretKey: {{ include "secretRclone.envRegion" . }}
+      remoteRef:
+        key: {{ .Values.secret.externalSecret.source.credentials.path }}
+        property: {{ .Values.secret.externalSecret.source.credentials.regionProperty }}
+    - secretKey: {{ include "secretRclone.envSrcEndpoint" . }}
+      remoteRef:
+        key: {{ .Values.secret.externalSecret.source.config.path }}
+        property: {{ .Values.secret.externalSecret.source.config.endpointProperty }}
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: {{ include "rclone.destinationSecretName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "rclone.labels" . | nindent 4 }}
+    app.kubernetes.io/name: {{ include "rclone.destinationSecretName" . }}
+    {{- with .Values.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: {{ .Values.secret.externalSecret.storeName | required "External Secret store name is required" }}
+  data:
+    - secretKey: {{ include "secretRclone.envAccessKey" . }}
+      remoteRef:
+        key: {{ .Values.secret.externalSecret.destination.credentials.path }}
+        property: {{ .Values.secret.externalSecret.destination.credentials.keyIdProperty }}
+    - secretKey: {{ include "secretRclone.envSecretKey" . }}
+      remoteRef:
+        key: {{ .Values.secret.externalSecret.destination.credentials.path }}
+        property: {{ .Values.secret.externalSecret.destination.credentials.secretKeyProperty }}
+    - secretKey: {{ include "secretRclone.envRegion" . }}
+      remoteRef:
+        key: {{ .Values.secret.externalSecret.destination.credentials.path }}
+        property: {{ .Values.secret.externalSecret.destination.credentials.regionProperty }}
+    - secretKey: {{ include "secretRclone.envDestEndpoint" . }}
+      remoteRef:
+        key: {{ .Values.secret.externalSecret.destination.config.path }}
+        property: {{ .Values.secret.externalSecret.destination.config.endpointProperty }}
+{{- end }}
@@ -0,0 +1,32 @@
+{{- if .Values.prometheusRule.enabled }}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: {{ include "rclone.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "rclone.labels" . | nindent 4 }}
+    app.kubernetes.io/name: {{ include "rclone.name" . }}
+    {{- with .Values.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  groups:
+    - name: rclone.alerts
+      rules:
+        - alert: RclonePodFailed
+          expr: |
+            (kube_pod_container_status_last_terminated_exitcode > 0)
+            * on(pod, namespace) group_left(owner_name)
+            kube_pod_owner{owner_kind="Job", owner_name=~"rclone-.*"}
+          for: 1m
+          labels:
+            severity: critical
+          annotations:
+            summary: "Rclone Pod failed in {{ `{{ $labels.namespace }}` }}"
+            description: |
+              A pod for the Rclone sync of s3 bucket '{{ .Values.rclone.source.bucketName }}' failed with exit code {{ `{{ $value }}` }}.
+              Job: {{ `{{ $labels.owner_name }}` }}
+              Namespace: {{ `{{ $labels.namespace }}` }}
+{{- end }}
@@ -0,0 +1,92 @@
+# -- Default pattern follows <pvcTarget>-backup
+nameOverride: ""
+
+# -- Add additional labels
+additionalLabels: {}
+
+# -- Default image
+image:
+  repository: rclone/rclone
+  tag: 1.74.1@sha256:eb8788b795f0009324e9572b0e2acb9b56885327c2746b07d67a9d3b893a6602
+  pullPolicy: IfNotPresent
+
+# -- CronJob configuration
+cronJob:
+  suspend: false
+  timeZone: America/Chicago
+  schedule: 0 0 * * *
+  backoffLimit: 3
+  parallelism: 1
+
+# -- rclone configuration
+rclone:
+  providerType: Other
+
+  # -- Source configuration
+  source:
+    providerType: Other
+    bucketName: bucket
+    forcePathStyle: true
+
+  # -- Destination configuration
+  destination:
+    providerType: Other
+    bucketName: bucket
+    forcePathStyle: true
+
+# -- Enable prune job
+prune:
+  enabled: false
+  ageToPrune: 90d
+  include: ""
+  exclude: ""
+
+# -- Secret configuration
+secret:
+
+  # -- External Secret configuration
+  externalSecret:
+    enabled: true
+    storeName: openbao
+
+    # -- Source configuration
+    source:
+      nameOverride: ""
+      credentials:
+        path: /credential
+        keyIdProperty: ACCESS_KEY_ID
+        secretKeyProperty: ACCESS_SECRET_KEY
+        regionProperty: ACCESS_REGION
+      config:
+        path: /config
+        endpointProperty: ENDPOINT_LOCAL
+
+    # -- Destination configuration
+    destination:
+      nameOverride: ""
+      credentials:
+        path: /credential
+        keyIdProperty: ACCESS_KEY_ID
+        secretKeyProperty: ACCESS_SECRET_KEY
+        regionProperty: ACCESS_REGION
+      config:
+        path: /config
+        endpointProperty: ENDPOINT_REMOTE
+
+    # -- Add additional labels
+    additionalLabels: {}
+
+  # -- Name of existing secret that contains the configuration
+  existingSecretSource:
+    name: rclone-source-secret
+
+  existingSecretDestination:
+    name: rclone-destination-secret
+
+# -- Metrics
+metrics:
+  enabled: true
+
+# -- Prometheus Rule
+prometheusRule:
+  enabled: true
@@ -1,6 +1,6 @@
 dependencies:
 - name: valkey
  repository: https://valkey.io/valkey-helm/
-  version: 0.9.3
-digest: sha256:705fdaa1d456e55dd1a8aba698e17b2309a336f614cba8fd3cdb7e072b323b36
-generated: "2026-03-03T16:02:43.407652-06:00"
+  version: 0.9.4
+digest: sha256:84e2e4a944be7f69b6819215a53c068a126fc9d62383a90e22b33751ec5d2810
+generated: "2026-04-13T00:01:51.952023667Z"
@@ -1,21 +1,22 @@
 apiVersion: v2
 name: valkey
-version: 0.5.0
+version: 0.8.0
 description: Valkey chart with preconfigured settings
 keywords:
  - valkey
-  - redis
-  - storage
-  - kubernetes
+  - redis-compatible
 sources:
  - https://github.com/valkey-io/valkey
+  - https://github.com/oliver006/redis_exporter
+  - https://hub.docker.com/r/valkey/valkey
+  - https://github.com/oliver006/redis_exporter/pkgs/container/redis_exporter
  - https://github.com/valkey-io/valkey-helm
 maintainers:
  - name: alexlebens
 dependencies:
  - name: valkey
    repository: https://valkey.io/valkey-helm/
-    version: 0.9.3
-icon: https://dyltqmyl993wv.cloudfront.net/assets/stacks/valkey/img/valkey-stack-220x234.png
+    version: 0.9.4
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/valkey.png
 # renovate: datasource=github-releases depName=valkey-io/valkey
-appVersion: 9.0.3
+appVersion: 9.0.4
@@ -1,6 +1,6 @@
 # valkey

-![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat-square) ![AppVersion: 9.0.3](https://img.shields.io/badge/AppVersion-9.0.3-informational?style=flat-square)
+![Version: 0.8.0](https://img.shields.io/badge/Version-0.8.0-informational?style=flat-square) ![AppVersion: 9.0.4](https://img.shields.io/badge/AppVersion-9.0.4-informational?style=flat-square)

 Valkey chart with preconfigured settings

@@ -13,13 +13,16 @@ Valkey chart with preconfigured settings
 ## Source Code

 * <https://github.com/valkey-io/valkey>
+* <https://github.com/oliver006/redis_exporter>
+* <https://hub.docker.com/r/valkey/valkey>
+* <https://github.com/oliver006/redis_exporter/pkgs/container/redis_exporter>
 * <https://github.com/valkey-io/valkey-helm>

 ## Requirements

 | Repository | Name | Version |
 |------------|------|---------|
-| https://valkey.io/valkey-helm/ | valkey | 0.9.3 |
+| https://valkey.io/valkey-helm/ | valkey | 0.9.4 |

 ## Values

@@ -32,11 +35,11 @@ Valkey chart with preconfigured settings
 | valkey.dataStorage.requestedSize | string | `"1Gi"` |  |
 | valkey.image.registry | string | `"docker.io"` |  |
 | valkey.image.repository | string | `"valkey/valkey"` |  |
-| valkey.image.tag | string | `"9.0.3"` |  |
+| valkey.image.tag | string | `"9.0.4@sha256:8436e10bc65c94886a91d4415b6a6dfa9cb5a306fb3b996e5bb67cd2b4854193"` |  |
 | valkey.metrics.enabled | bool | `true` |  |
 | valkey.metrics.exporter.image.registry | string | `"ghcr.io"` |  |
 | valkey.metrics.exporter.image.repository | string | `"oliver006/redis_exporter"` |  |
-| valkey.metrics.exporter.image.tag | string | `"v1.82.0"` |  |
+| valkey.metrics.exporter.image.tag | string | `"v1.83.0@sha256:e8c209894d4c0cc55b1259ddd47e0b769ad1ff864b356736ee885462a3b0e48c"` |  |
 | valkey.metrics.exporter.resources.requests.cpu | string | `"1m"` |  |
 | valkey.metrics.exporter.resources.requests.memory | string | `"10M"` |  |
 | valkey.metrics.podMonitor.enabled | bool | `true` |  |
@@ -3,7 +3,7 @@ valkey:
  image:
    registry: docker.io
    repository: valkey/valkey
-    tag: 9.0.3
+    tag: 9.0.4@sha256:8436e10bc65c94886a91d4415b6a6dfa9cb5a306fb3b996e5bb67cd2b4854193
  serviceAccount:
    create: true
  resources:
@@ -31,7 +31,7 @@ valkey:
      image:
        registry: ghcr.io
        repository: oliver006/redis_exporter
-        tag: v1.82.0
+        tag: v1.83.0@sha256:e8c209894d4c0cc55b1259ddd47e0b769ad1ff864b356736ee885462a3b0e48c
      resources:
        requests:
          cpu: 1m
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: volsync-target
-version: 0.8.0
+version: 2.0.0
 description: Volsync Replication set to target specific PVC with preconfigured settings
 keywords:
  - volsync-target
@@ -1,6 +1,6 @@
 # volsync-target

-![Version: 0.8.0](https://img.shields.io/badge/Version-0.8.0-informational?style=flat-square) ![AppVersion: 0.15.0](https://img.shields.io/badge/AppVersion-0.15.0-informational?style=flat-square)
+![Version: 2.0.0](https://img.shields.io/badge/Version-2.0.0-informational?style=flat-square) ![AppVersion: 0.15.0](https://img.shields.io/badge/AppVersion-0.15.0-informational?style=flat-square)

 Volsync Replication set to target specific PVC with preconfigured settings

@@ -20,23 +20,25 @@ Volsync Replication set to target specific PVC with preconfigured settings
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | additionalLabels | object | `{}` | Add additional labels |
-| external | object | `{"enabled":true,"externalSecret":{"credentialPath":"/digital-ocean/home-infra/volsync-backups","volsyncPath":"/volsync/restic/digital-ocean"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 9 * * *"}` | External backup configuration |
-| external.externalSecret | object | `{"credentialPath":"/digital-ocean/home-infra/volsync-backups","volsyncPath":"/volsync/restic/digital-ocean"}` | External Secret configuration |
-| external.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
-| external.schedule | string | `"0 9 * * *"` | 5 character cron schedule |
+| external | object | `{"enabled":true,"externalSecret":{"bucketPath":"/backblaze/config","credentialPath":"/backblaze/home-infra/volsync-backups"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":35,"repository":"","retain":{"daily":0,"hourly":0,"monthly":0,"weekly":12,"yearly":0},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 9 * * 0"}` | External backup configuration |
+| external.externalSecret | object | `{"bucketPath":"/backblaze/config","credentialPath":"/backblaze/home-infra/volsync-backups"}` | External Secret configuration |
+| external.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":35,"repository":"","retain":{"daily":0,"hourly":0,"monthly":0,"weekly":12,"yearly":0},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
+| external.schedule | string | `"0 9 * * 0"` | 5 character cron schedule |
 | externalSecrets | object | `{"enabled":true}` | Use external secrets |
-| local | object | `{"enabled":false,"externalSecret":{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-local"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 8 * * *"}` | Local backup configuration |
-| local.externalSecret | object | `{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-local"}` | External Secret configuration |
-| local.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
+| kubernetesClusterName | string | `"cl01tl"` | Kubernetes cluster name |
+| local | object | `{"enabled":false,"externalSecret":{"bucketPath":"/garage/config","credentialPath":"/garage/home-infra/volsync-backups"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":0,"weekly":4,"yearly":0},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 8 * * *"}` | Local backup configuration |
+| local.externalSecret | object | `{"bucketPath":"/garage/config","credentialPath":"/garage/home-infra/volsync-backups"}` | External Secret configuration |
+| local.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":0,"weekly":4,"yearly":0},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
 | local.schedule | string | `"0 8 * * *"` | 5 character cron schedule |
 | moverSecurityContext | object | `{}` | Glocal security context for restic mover |
 | nameOverride | string | `""` | Default pattern follows <pvcTarget>-backup |
 | namespaceOverride | string | `""` | Override the namespace of the chart |
+| prometheusRule | object | `{"enabled":true}` | Prometheus Rule |
 | pvcTarget | string | `"data"` | Name of the PVC target |
-| remote | object | `{"enabled":false,"externalSecret":{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-remote"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 10 * * *"}` | Remote backup configuration |
-| remote.externalSecret | object | `{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-remote"}` | External Secret configuration |
-| remote.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
-| remote.schedule | string | `"0 10 * * *"` | 5 character cron schedule |
+| remote | object | `{"enabled":false,"externalSecret":{"bucketPath":"/garage/config","credentialPath":"/garage/home-infra/volsync-backups"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":0,"hourly":0,"monthly":0,"weekly":12,"yearly":0},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 10 * * 0"}` | Remote backup configuration |
+| remote.externalSecret | object | `{"bucketPath":"/garage/config","credentialPath":"/garage/home-infra/volsync-backups"}` | External Secret configuration |
+| remote.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":0,"hourly":0,"monthly":0,"weekly":12,"yearly":0},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
+| remote.schedule | string | `"0 10 * * 0"` | 5 character cron schedule |

 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)
@@ -14,48 +14,37 @@ metadata:
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: vault
+    name: openbao
  target:
    template:
      mergePolicy: Merge
      engineVersion: v2
      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
+        RESTIC_REPOSITORY: "s3:{{ `{{ .ENDPOINT }}` }}/{{ `{{ .BUCKET }}` }}/{{ .Values.kubernetesClusterName }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
  data:
-    - secretKey: BUCKET_ENDPOINT
+    - secretKey: ENDPOINT
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: {{ .Values.local.externalSecret.volsyncPath | required "External Secret Volsync local path is required" }}
-        metadataPolicy: None
-        property: BUCKET_ENDPOINT
+        key: {{ .Values.local.externalSecret.bucketPath | required "External Secret Volsync local path is required" }}
+        property: ENDPOINT_LOCAL
+    - secretKey: BUCKET
+      remoteRef:
+        key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Volsync local path is required" }}
+        property: BUCKET
    - secretKey: RESTIC_PASSWORD
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: {{ .Values.local.externalSecret.volsyncPath | required "External Secret Volsync local path is required" }}
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
+        key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Volsync local path is required" }}
+        property: RESTIC_PASSWORD_LOCAL
    - secretKey: AWS_DEFAULT_REGION
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
-        metadataPolicy: None
        property: ACCESS_REGION
    - secretKey: AWS_ACCESS_KEY_ID
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
-        metadataPolicy: None
        property: ACCESS_KEY_ID
    - secretKey: AWS_SECRET_ACCESS_KEY
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
-        metadataPolicy: None
        property: ACCESS_SECRET_KEY
 {{- end }}

@@ -75,48 +64,37 @@ metadata:
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: vault
+    name: openbao
  target:
    template:
      mergePolicy: Merge
      engineVersion: v2
      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
+        RESTIC_REPOSITORY: "s3:{{ `{{ .ENDPOINT }}` }}/{{ `{{ .BUCKET }}` }}/{{ .Values.kubernetesClusterName }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
  data:
-    - secretKey: BUCKET_ENDPOINT
+    - secretKey: ENDPOINT
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: {{ .Values.remote.externalSecret.volsyncPath | required "External Secret Volsync remote path is required" }}
-        metadataPolicy: None
-        property: BUCKET_ENDPOINT
+        key: {{ .Values.remote.externalSecret.bucketPath | required "External Secret Volsync local path is required" }}
+        property: ENDPOINT_REMOTE
+    - secretKey: BUCKET
+      remoteRef:
+        key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Volsync local path is required" }}
+        property: BUCKET
    - secretKey: RESTIC_PASSWORD
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: {{ .Values.remote.externalSecret.volsyncPath | required "External Secret Volsync remote path is required" }}
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
+        key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Volsync local path is required" }}
+        property: RESTIC_PASSWORD_REMOTE
    - secretKey: AWS_DEFAULT_REGION
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Credential remote path is required" }}
-        metadataPolicy: None
        property: ACCESS_REGION
    - secretKey: AWS_ACCESS_KEY_ID
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Credential remote path is required" }}
-        metadataPolicy: None
        property: ACCESS_KEY_ID
    - secretKey: AWS_SECRET_ACCESS_KEY
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Credential remote path is required" }}
-        metadataPolicy: None
        property: ACCESS_SECRET_KEY
 {{- end }}

@@ -136,47 +114,36 @@ metadata:
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: vault
+    name: openbao
  target:
    template:
      mergePolicy: Merge
      engineVersion: v2
      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
+        RESTIC_REPOSITORY: "s3:{{ `{{ .ENDPOINT }}` }}/{{ `{{ .BUCKET }}` }}/{{ .Values.kubernetesClusterName }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
  data:
-    - secretKey: BUCKET_ENDPOINT
+    - secretKey: ENDPOINT
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: {{ .Values.external.externalSecret.volsyncPath | required "External Secret Volsync external path is required" }}
-        metadataPolicy: None
-        property: BUCKET_ENDPOINT
+        key: {{ .Values.external.externalSecret.bucketPath | required "External Secret Volsync external path is required" }}
+        property: ENDPOINT
+    - secretKey: BUCKET
+      remoteRef:
+        key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Volsync local path is required" }}
+        property: BUCKET
    - secretKey: RESTIC_PASSWORD
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: {{ .Values.external.externalSecret.volsyncPath | required "External Secret Volsync external path is required" }}
-        metadataPolicy: None
+        key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Volsync external path is required" }}
        property: RESTIC_PASSWORD
    - secretKey: AWS_DEFAULT_REGION
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Credential external path is required" }}
-        metadataPolicy: None
-        property: AWS_DEFAULT_REGION
+        property: AWS_REGION
    - secretKey: AWS_ACCESS_KEY_ID
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Credential external path is required" }}
-        metadataPolicy: None
        property: AWS_ACCESS_KEY_ID
    - secretKey: AWS_SECRET_ACCESS_KEY
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Credential external path is required" }}
-        metadataPolicy: None
        property: AWS_SECRET_ACCESS_KEY
 {{- end }}
@@ -0,0 +1,32 @@
+{{- if .Values.prometheusRule.enabled }}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: {{ include "volsync.name" . }}-source-local
+  namespace: {{ include "volsync.namespace" . }}
+  labels:
+    {{- include "volsync.labels" . | nindent 4 }}
+    app.kubernetes.io/name: {{ include "volsync.name" . }}-source-local
+    {{- with .Values.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  groups:
+    - name: volsync.alerts
+      rules:
+        - alert: VolSyncBackupPodFailed
+          expr: |
+            (kube_pod_container_status_last_terminated_exitcode > 0)
+            * on(pod, namespace) group_left(owner_name)
+            kube_pod_owner{owner_kind="Job", owner_name=~"volsync-.*"}
+          for: 1m
+          labels:
+            severity: critical
+          annotations:
+            summary: "VolSync Backup Pod failed in {{ `{{ $labels.namespace }}` }}"
+            description: |
+              A pod for the VolSync backup of PVC '{{ .Values.pvcTarget }}' failed with exit code {{ `{{ $value }}` }}.
+              Job: {{ `{{ $labels.owner_name }}` }}
+              Namespace: {{ `{{ $labels.namespace }}` }}
+{{- end }}
@@ -7,7 +7,7 @@ metadata:
  namespace: {{ include "volsync.namespace" . }}
  labels:
    {{- include "volsync.labels" . | nindent 4 }}
-    app.kubernetes.io/name: {{ include "volsync.name" . }}
+    app.kubernetes.io/name: {{ include "volsync.name" . }}-source-local
    {{- with .Values.additionalLabels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
@@ -4,6 +4,9 @@ nameOverride: ""
 # -- Override the namespace of the chart
 namespaceOverride: ""

+# -- Kubernetes cluster name
+kubernetesClusterName: cl01tl
+
 # -- Add additional labels
 additionalLabels: {}

@@ -13,6 +16,10 @@ pvcTarget: "data"
 # -- Glocal security context for restic mover
 moverSecurityContext: {}

+# -- Prometheus Rule
+prometheusRule:
+  enabled: true
+
 # -- Use external secrets
 externalSecrets:
  enabled: true
@@ -32,8 +39,8 @@ local:
      hourly: 0
      daily: 7
      weekly: 4
-      monthly: 3
-      yearly: 1
+      monthly: 0
+      yearly: 0
    copyMethod: Snapshot
    storageClassName: ceph-block
    volumeSnapshotClassName: ceph-blockpool-snapshot
@@ -41,9 +48,9 @@ local:

  # -- External Secret configuration
  externalSecret:
-    # This path must contain the BUCKET_ENDPOINT and RESTIC_PASSWORD
-    volsyncPath: /volsync/restic/garage-local
-    # This path must contain the AWS/S3 credentials
+    # This path must contain the BUCKET_ENDPOINT
+    bucketPath: /garage/config
+    # This path must contain the AWS/S3 credentials and RESTIC_PASSWORD
    credentialPath: /garage/home-infra/volsync-backups

 # -- Remote backup configuration
@@ -51,7 +58,7 @@ remote:
  enabled: false

  # -- 5 character cron schedule
-  schedule: 0 10 * * *
+  schedule: 0 10 * * 0

  # -- Backup configuration, inserted directly into the yaml
  restic:
@@ -59,10 +66,10 @@ remote:
    repository: ""
    retain:
      hourly: 0
-      daily: 7
-      weekly: 4
-      monthly: 3
-      yearly: 1
+      daily: 0
+      weekly: 12
+      monthly: 0
+      yearly: 0
    copyMethod: Snapshot
    storageClassName: ceph-block
    volumeSnapshotClassName: ceph-blockpool-snapshot
@@ -70,9 +77,9 @@ remote:

  # -- External Secret configuration
  externalSecret:
-    # This path must contain the BUCKET_ENDPOINT and RESTIC_PASSWORD
-    volsyncPath: /volsync/restic/garage-remote
-    # This path must contain the AWS/S3 credentials
+    # This path must contain the BUCKET_ENDPOINT
+    bucketPath: /garage/config
+    # This path must contain the AWS/S3 credentials and RESTIC_PASSWORD
    credentialPath: /garage/home-infra/volsync-backups

 # -- External backup configuration
@@ -80,18 +87,18 @@ external:
  enabled: true

  # -- 5 character cron schedule
-  schedule: 0 9 * * *
+  schedule: 0 9 * * 0

  # -- Backup configuration, inserted directly into the yaml
  restic:
-    pruneIntervalDays: 7
+    pruneIntervalDays: 35
    repository: ""
    retain:
      hourly: 0
-      daily: 7
-      weekly: 4
-      monthly: 3
-      yearly: 1
+      daily: 0
+      weekly: 12
+      monthly: 0
+      yearly: 0
    copyMethod: Snapshot
    storageClassName: ceph-block
    volumeSnapshotClassName: ceph-blockpool-snapshot
@@ -99,7 +106,7 @@ external:

  # -- External Secret configuration
  externalSecret:
-    # This path must contain the BUCKET_ENDPOINT and RESTIC_PASSWORD
-    volsyncPath: /volsync/restic/digital-ocean
-    # This path must contain the AWS/S3 credentials
-    credentialPath: /digital-ocean/home-infra/volsync-backups
+    # This path must contain the ENDPOINT
+    bucketPath: /backblaze/config
+    # This path must contain the AWS/S3 credentials and RESTIC_PASSWORD
+    credentialPath: /backblaze/home-infra/volsync-backups