feat: add rclone for bucket mirror

.gitea/workflows/release-charts-rclone-bucket.yml

@@ -0,0 +1,128 @@
+name: release-charts-rclone-bucket
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "charts/rclone-bucket/**"
+
+  workflow_dispatch:
+
+env:
+  WORKFLOW_DIR: "charts/rclone-bucket"
+
+jobs:
+  release:
+    runs-on: ubuntu-js
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v5
+        with:
+          token: ${{ secrets.GITEA_TOKEN }}
+          version: v3.19.2
+
+      - name: Add Repositories
+        run: |
+          cd ${WORKFLOW_DIR}
+
+          echo ">> Adding repositories for chart dependencies ..."
+          helm dependency list --max-col-width 120 2> /dev/null \
+            | tail +2 | head -n -1 \
+            | awk '{ print "helm repo add " $1 " " $3 }' \
+            | while read cmd; do echo "$cmd" | sh; done || true
+
+          if helm repo list | tail +2 | read -r; then
+            echo ">> Update repository cache ..."
+            helm repo update
+          fi
+
+          echo "----"
+
+      - name: Package Helm Chart
+        run: |
+          cd ${WORKFLOW_DIR}
+
+          echo ">> Building helm dependency ..."
+          helm dependency build --skip-refresh --debug
+
+          echo "----"
+
+          echo "PACKAGE_PATH=$(helm package . | awk '{print $NF}')" >> $GITEA_ENV
+
+      - name: Publish Helm Chart to Harbor
+        run: |
+          echo ">> Logging into Harbor ..."
+          helm registry login ${{ vars.REGISTRY_HOST }} -u ${{ vars.REGISTRY_USER }} -p ${{ secrets.REGISTRY_SECRET }} --debug
+
+          echo ""
+          echo ">> Publishing chart to Harbor ..."
+          helm push ${{ env.PACKAGE_PATH }} oci://${{ vars.REGISTRY_HOST }}/helm-charts --debug
+
+          echo "----"
+
+      - name: Publish Helm Chart to Gitea
+        run: |
+          echo ">> Installing Chart Museum plugin ..."
+          helm plugin install https://github.com/chartmuseum/helm-push --debug
+
+          echo ""
+          echo ">> Adding Gitea repository ..."
+          helm repo add --username ${{ gitea.actor }} --password ${{ secrets.REPOSITORY_TOKEN }} helm-charts https://${{ vars.REPOSITORY_HOST }}/api/packages/alexlebens/helm --debug
+
+          echo ""
+          echo ">> Pushing chart to gitea"
+          helm cm-push ${{ env.PACKAGE_PATH }} helm-charts --debug
+
+      - name: Extract Chart Metadata
+        run: |
+          cd ${WORKFLOW_DIR}
+
+          echo ">> Adding Chart metadata to workflow ENV ..."
+          echo ""
+          echo ">> Chart Version: $(yq '.version' Chart.yaml)"
+          echo ">> Chart Name: $(yq '.name' Chart.yaml)"
+
+          echo "----"
+
+          echo "CHART_VERSION=$(yq '.version' Chart.yaml)" >> $GITEA_ENV
+          echo "CHART_NAME=$(yq '.name' Chart.yaml)" >> $GITEA_ENV
+
+      - name: Release Helm Chart
+        uses: akkuman/gitea-release-action@v1
+        with:
+          name: ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}
+          tag_name: ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}
+          files: |-
+            ${{ env.PACKAGE_PATH }}
+
+      - name: ntfy Success
+        uses: niniyas/ntfy-action@master
+        if: success()
+        with:
+          url: '${{ secrets.NTFY_URL }}'
+          topic: '${{ secrets.NTFY_TOPIC }}'
+          title: 'Release Success - ${{ env.CHART_NAME }}'
+          priority: 3
+          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+          tags: action,successfully,completed
+          details: 'Helm Chart ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }} has been released!'
+          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
+
+      - name: ntfy Failed
+        uses: niniyas/ntfy-action@master
+        if: failure()
+        with:
+          url: '${{ secrets.NTFY_URL }}'
+          topic: '${{ secrets.NTFY_TOPIC }}'
+          title: 'Release Failure - ${{ env.CHART_NAME }}'
+          priority: 4
+          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+          tags: action,failed
+          details: 'Helm Chart ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }} has failed to be released.'
+          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
+          actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/helm-charts/actions?workflow=release-charts-rclone-bucket.yml", "clear": true}]'
+          image: true

charts/generic-device-plugin/README.md

@@ -1,6 +1,6 @@
 # generic-device-plugin
 
-![Version: 0.20.29](https://img.shields.io/badge/Version-0.20.29-informational?style=flat-square) ![AppVersion: 0.20.17](https://img.shields.io/badge/AppVersion-0.20.17-informational?style=flat-square)
+![Version: 0.20.31](https://img.shields.io/badge/Version-0.20.31-informational?style=flat-square) ![AppVersion: 0.20.17](https://img.shields.io/badge/AppVersion-0.20.17-informational?style=flat-square)
 
 Generic Device Plugin
 
@@ -28,7 +28,7 @@ Generic Device Plugin
 | config | object | `{"data":"devices:\n  - name: serial\n    groups:\n      - paths:\n          - path: /dev/ttyUSB*\n      - paths:\n          - path: /dev/ttyACM*\n      - paths:\n          - path: /dev/tty.usb*\n      - paths:\n          - path: /dev/cu.*\n      - paths:\n          - path: /dev/cuaU*\n      - paths:\n          - path: /dev/rfcomm*\n  - name: video\n    groups:\n      - paths:\n          - path: /dev/video0\n  - name: fuse\n    groups:\n      - count: 10\n        paths:\n          - path: /dev/fuse\n  - name: audio\n    groups:\n      - count: 10\n        paths:\n          - path: /dev/snd\n  - name: capture\n    groups:\n      - paths:\n          - path: /dev/snd/controlC0\n          - path: /dev/snd/pcmC0D0c\n      - paths:\n          - path: /dev/snd/controlC1\n            mountPath: /dev/snd/controlC0\n          - path: /dev/snd/pcmC1D0c\n            mountPath: /dev/snd/pcmC0D0c\n      - paths:\n          - path: /dev/snd/controlC2\n            mountPath: /dev/snd/controlC0\n          - path: /dev/snd/pcmC2D0c\n            mountPath: /dev/snd/pcmC0D0c\n      - paths:\n          - path: /dev/snd/controlC3\n            mountPath: /dev/snd/controlC0\n          - path: /dev/snd/pcmC3D0c\n            mountPath: /dev/snd/pcmC0D0c\n","enabled":true}` | Config map |
 | config.data | string | See [values.yaml](./values.yaml) | generic-device-plugin config file [[ref]](https://github.com/squat/generic-device-plugin#usage) |
 | deviceDomain | string | `"devic.es"` | Domain used by devices for identifcation |
-| image | object | `{"pullPolicy":"Always","repository":"ghcr.io/squat/generic-device-plugin","tag":"latest@sha256:c4e3a24a5f20449e027b9de2c3cee790169ab42220818315f5f8ee9830788981"}` | Default image |
+| image | object | `{"pullPolicy":"Always","repository":"ghcr.io/squat/generic-device-plugin","tag":"latest@sha256:d9e098e33a20c32a561adb1ef8cace7d5912cd5ffb38f07dd9f83af4bdf38505"}` | Default image |
 | name | string | `"generic-device-plugin"` | Name override of release |
 | resources | object | `{"requests":{"cpu":"50m","memory":"10Mi"}}` | Default resources |
 | service | object | `{"listenPort":8080}` | Service port |

charts/postgres-cluster/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: postgres-cluster
-version: 7.11.2
+version: 7.12.1
 description: Cloudnative-pg Cluster
 keywords:
   - database

charts/postgres-cluster/README.md

@@ -1,6 +1,6 @@
 # postgres-cluster
 
-![Version: 7.11.2](https://img.shields.io/badge/Version-7.11.2-informational?style=flat-square) ![AppVersion: v1.29.0](https://img.shields.io/badge/AppVersion-v1.29.0-informational?style=flat-square)
+![Version: 7.12.1](https://img.shields.io/badge/Version-7.12.1-informational?style=flat-square) ![AppVersion: v1.29.0](https://img.shields.io/badge/AppVersion-v1.29.0-informational?style=flat-square)
 
 Cloudnative-pg Cluster
 

charts/postgres-cluster/templates/external-secret.yaml

@@ -16,28 +16,19 @@ metadata:
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: ACCESS_REGION
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .externalSecretCredentialPath | required "External Secret Credential local path is required" }}
-        metadataPolicy: None
         property: ACCESS_REGION
     - secretKey: ACCESS_KEY_ID
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .externalSecretCredentialPath | required "External Secret Credential local path is required" }}
-        metadataPolicy: None
         property: ACCESS_KEY_ID
     - secretKey: ACCESS_SECRET_KEY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .externalSecretCredentialPath| required "External Secret Credential local path is required" }}
-        metadataPolicy: None
         property: ACCESS_SECRET_KEY
 {{ end -}}
 {{ end }}
@@ -58,27 +49,18 @@ metadata:
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: ACCESS_REGION
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .Values.recovery.objectStore.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
-        metadataPolicy: None
         property: ACCESS_REGION
     - secretKey: ACCESS_KEY_ID
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .Values.recovery.objectStore.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
-        metadataPolicy: None
         property: ACCESS_KEY_ID
     - secretKey: ACCESS_SECRET_KEY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .Values.recovery.objectStore.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
-        metadataPolicy: None
         property: ACCESS_SECRET_KEY
 {{- end }}

charts/rclone-bucket/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: common
+  repository: https://bjw-s-labs.github.io/helm-charts/
+  version: 4.6.2
+digest: sha256:35e8f4e5d15d878c246a04eb51de580291f31203fa10e9e4d2318f16026b2061
+generated: "2026-04-25T20:40:50.27544-05:00"

charts/rclone-bucket/Chart.yaml

@@ -0,0 +1,20 @@
+apiVersion: v2
+name: rclone-bucket
+version: 0.1.0
+description: Rclone CronJob to replicate buckets
+keywords:
+  - rclone-bucket
+  - rclone
+  - storage
+sources:
+  - https://github.com/rclone/rclone
+  - https://hub.docker.com/r/rclone/rclone
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: common
+    repository: https://bjw-s-labs.github.io/helm-charts/
+    version: 4.6.2
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/rclone.png
+# renovate: datasource=github-releases depName=rclone/rclone
+appVersion: v1.73.5

charts/rclone-bucket/README.md

@@ -0,0 +1,44 @@
+# rclone-bucket
+
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![AppVersion: v1.73.5](https://img.shields.io/badge/AppVersion-v1.73.5-informational?style=flat-square)
+
+Rclone CronJob to replicate buckets
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| alexlebens |  |  |
+
+## Source Code
+
+* <https://github.com/rclone/rclone>
+* <https://hub.docker.com/r/rclone/rclone>
+
+## Requirements
+
+| Repository | Name | Version |
+|------------|------|---------|
+| https://bjw-s-labs.github.io/helm-charts/ | common | 4.6.2 |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| additionalLabels | object | `{}` | Add additional labels |
+| cronJob | object | `{"backoffLimit":3,"parallelism":1,"schedule":"0 0 * * *","suspend":false,"timeZone":"America/Chicago"}` | CronJob configuration |
+| image | object | `{"pullPolicy":"IfNotPresent","repository":"rclone/rclone","tag":"1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96"}` | Default image |
+| nameOverride | string | `""` | Default pattern follows <pvcTarget>-backup |
+| prune | object | `{"ageToPrune":"90d","enabled":false}` | Enable prune job |
+| rclone | object | `{"destination":{"bucketName":"bucket","forcePathStyle":true,"providerType":"Other"},"providerType":"Other","source":{"bucketName":"bucket","forcePathStyle":true,"providerType":"Other"}}` | rclone configuration |
+| rclone.destination | object | `{"bucketName":"bucket","forcePathStyle":true,"providerType":"Other"}` | Destination configuration |
+| rclone.source | object | `{"bucketName":"bucket","forcePathStyle":true,"providerType":"Other"}` | Source configuration |
+| secret | object | `{"existingSecretDestination":{"name":"rclone-destination-secret"},"existingSecretSource":{"name":"rclone-source-secret"},"externalSecret":{"additionalLabels":{},"destination":{"config":{"endpointProperty":"ENDPOINT_REMOTE","path":"/config"},"credentials":{"keyIdProperty":"ACCESS_KEY_ID","path":"/credential","regionProperty":"ACCESS_REGION","secretKeyProperty":"ACCESS_SECRET_KEY"},"nameOverride":""},"enabled":true,"source":{"config":{"endpointProperty":"ENDPOINT_LOCAL","path":"/config"},"credentials":{"keyIdProperty":"ACCESS_KEY_ID","path":"/credential","regionProperty":"ACCESS_REGION","secretKeyProperty":"ACCESS_SECRET_KEY"},"nameOverride":""},"storeName":"openbao"}}` | Secret configuration |
+| secret.existingSecretSource | object | `{"name":"rclone-source-secret"}` | Name of existing secret that contains the configuration |
+| secret.externalSecret | object | `{"additionalLabels":{},"destination":{"config":{"endpointProperty":"ENDPOINT_REMOTE","path":"/config"},"credentials":{"keyIdProperty":"ACCESS_KEY_ID","path":"/credential","regionProperty":"ACCESS_REGION","secretKeyProperty":"ACCESS_SECRET_KEY"},"nameOverride":""},"enabled":true,"source":{"config":{"endpointProperty":"ENDPOINT_LOCAL","path":"/config"},"credentials":{"keyIdProperty":"ACCESS_KEY_ID","path":"/credential","regionProperty":"ACCESS_REGION","secretKeyProperty":"ACCESS_SECRET_KEY"},"nameOverride":""},"storeName":"openbao"}` | External Secret configuration |
+| secret.externalSecret.additionalLabels | object | `{}` | Add additional labels |
+| secret.externalSecret.destination | object | `{"config":{"endpointProperty":"ENDPOINT_REMOTE","path":"/config"},"credentials":{"keyIdProperty":"ACCESS_KEY_ID","path":"/credential","regionProperty":"ACCESS_REGION","secretKeyProperty":"ACCESS_SECRET_KEY"},"nameOverride":""}` | Destination configuration |
+| secret.externalSecret.source | object | `{"config":{"endpointProperty":"ENDPOINT_LOCAL","path":"/config"},"credentials":{"keyIdProperty":"ACCESS_KEY_ID","path":"/credential","regionProperty":"ACCESS_REGION","secretKeyProperty":"ACCESS_SECRET_KEY"},"nameOverride":""}` | Source configuration |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

charts/rclone-bucket/templates/_helpers.tpl

@@ -0,0 +1,90 @@
+{{/*
+Generate the root name
+*/}}
+{{- define "rclone.name" -}}
+  {{- if .Values.nameOverride }}
+    {{- .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+  {{- else }}
+    {{- printf "%s-rclone" .Values.rclone.source.bucketName | trunc 63 | trimSuffix "-" -}}
+  {{- end }}
+{{- end }}
+
+{{/*
+Generate the secret name
+*/}}
+{{- define "rclone.sourceSecretName" -}}
+  {{- if .Values.secret.externalSecret.enabled }}
+    {{- if .Values.secret.externalSecret.source.nameOverride }}
+      {{- .Values.secret.externalSecret.source.nameOverride | trunc 63 | trimSuffix "-" }}
+    {{- else }}
+      {{- printf "%s-rclone-config" .Values.rclone.source.bucketName -}}
+    {{- end }}
+  {{- else if .Values.secret.existingSecretSource.name }}
+    {{- printf "%s" .Values.secret.existingSecretSource.name -}}
+  {{- else }}
+    {{ fail "No Secret Name Found!" }}
+  {{- end }}
+{{- end }}
+
+{{- define "rclone.destinationSecretName" -}}
+  {{- if .Values.secret.externalSecret.enabled }}
+    {{- if .Values.secret.externalSecret.destination.nameOverride }}
+      {{- .Values.secret.externalSecret.destination.nameOverride | trunc 63 | trimSuffix "-" }}
+    {{- else }}
+      {{- printf "%s-rclone-config" .Values.rclone.destination.bucketName -}}
+    {{- end }}
+  {{- else if .Values.secret.existingSecretDestination.name }}
+    {{- printf "%s" .Values.secret.existingSecretDestination.name -}}
+  {{- else }}
+    {{ fail "No Secret Name Found!" }}
+  {{- end }}
+{{- end }}
+
+{{/*
+Common env names
+*/}}
+{{- define "secret.envAccessKey" -}}
+ACCESS_KEY_ID
+{{- end }}
+{{- define "secret.envSecretKey" -}}
+ACCESS_SECRET_KEY
+{{- end }}
+{{- define "secret.envRegion" -}}
+ACCESS_REGION
+{{- end }}
+{{- define "secret.envSrcEndpoint" -}}
+SRC_ENDPOINT
+{{- end }}
+{{- define "secret.envDestEndpoint" -}}
+DEST_ENDPOINT
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "secret.chart" -}}
+  {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "secret.labels" -}}
+helm.sh/chart: {{ include "secret.chart" $ }}
+{{ include "secret.selectorLabels" $ }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.Version | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- with .Values.secret.externalSecret.additionalLabels }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "secret.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

charts/rclone-bucket/templates/common.yaml

@@ -0,0 +1,131 @@
+{{- include "bjw-s.common.loader.init" . }}
+
+{{- define "rclone.hardcodedValues" -}}
+global:
+  nameOverride: {{ include "rclone.name" . }}
+  fullNameOverride: {{ include "rclone.name" . }}
+controllers:
+  main:
+    type: cronjob
+    {{- with .Values.cronJob }}
+    cronjob:
+      {{- toYaml . | nindent 6 }}
+    {{ end }}
+    containers:
+      sync:
+        image:
+          repository: {{ .Values.image.repository }}
+          tag: {{ .Values.image.tag }}
+          pullPolicy: {{ .Values.image.pullPolicy }}
+        args:
+          - sync
+          - src:{{ .Values.rclone.source.bucketName }}
+          - dest:{{ .Values.rclone.destination.bucketName }}
+          - --s3-no-check-bucket
+          - --verbose
+        env:
+          - name: RCLONE_S3_PROVIDER
+            value: {{ .Values.rclone.providerType }}
+          - name: RCLONE_CONFIG_SRC_TYPE
+            value: s3
+          - name: RCLONE_CONFIG_SRC_PROVIDER
+            value: {{ .Values.rclone.source.providerType }}
+          - name: RCLONE_CONFIG_SRC_ENV_AUTH
+            value: false
+          - name: RCLONE_CONFIG_SRC_ACCESS_KEY_ID
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "rclone.sourceSecretName" . }}
+                key: {{ include "secret.envAccessKey" . }}
+          - name: RCLONE_CONFIG_SRC_SECRET_ACCESS_KEY
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "rclone.sourceSecretName" . }}
+                key: {{ include "secret.envSecretKey" . }}
+          - name: RCLONE_CONFIG_SRC_REGION
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "rclone.sourceSecretName" . }}
+                key: {{ include "secret.envRegion" . }}
+          - name: RCLONE_CONFIG_SRC_ENDPOINT
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "rclone.sourceSecretName" . }}
+                key: {{ include "secret.envSrcEndpoint" . }}
+          - name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE
+            value: {{ .Values.rclone.source.forcePathStyle }}
+          - name: RCLONE_CONFIG_DEST_TYPE
+            value: s3
+          - name: RCLONE_CONFIG_DEST_PROVIDER
+            value: {{ .Values.rclone.destination.providerType }}
+          - name: RCLONE_CONFIG_DEST_ENV_AUTH
+            value: false
+          - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "rclone.destinationSecretName" . }}
+                key: {{ include "secret.envAccessKey" . }}
+          - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "rclone.destinationSecretName" . }}
+                key: {{ include "secret.envSecretKey" . }}
+          - name: RCLONE_CONFIG_DEST_REGION
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "rclone.destinationSecretName" . }}
+                key: {{ include "secret.envRegion" . }}
+          - name: RCLONE_CONFIG_DEST_ENDPOINT
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "rclone.destinationSecretName" . }}
+                key: {{ include "secret.envDestEndpoint" . }}
+          - name: RCLONE_CONFIG_SRC_DEST_FORCE_PATH_STYLE
+            value: {{ .Values.rclone.destination.forcePathStyle }}
+      {{- if .Values.prune.enabled }}
+      prune:
+        image:
+          repository: {{ .Values.image.repository }}
+          tag: {{ .Values.image.tag }}
+          pullPolicy: {{ .Values.image.pullPolicy }}
+        args:
+          - delete
+          - dest:{{ .Values.rclone.destination.bucketName }}
+          - --min-age
+          - {{ .Values.prune.ageToPrune }}
+          - --verbose
+        env:
+          - name: RCLONE_CONFIG_DEST_TYPE
+            value: s3
+          - name: RCLONE_CONFIG_DEST_PROVIDER
+            value: {{ .Values.rclone.destination.providerType }}
+          - name: RCLONE_CONFIG_DEST_ENV_AUTH
+            value: false
+          - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "rclone.destinationSecretName" . }}
+                key: {{ include "secret.envAccessKey" . }}
+          - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "rclone.destinationSecretName" . }}
+                key: {{ include "secret.envSecretKey" . }}
+          - name: RCLONE_CONFIG_DEST_REGION
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "rclone.destinationSecretName" . }}
+                key: {{ include "secret.envRegion" . }}
+          - name: RCLONE_CONFIG_DEST_ENDPOINT
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "rclone.destinationSecretName" . }}
+                key: {{ include "secret.envDestEndpoint" . }}
+          - name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE
+            value: {{ .Values.rclone.destination.forcePathStyle }}
+      {{- end }}
+{{- end -}}
+{{- $_ := mergeOverwrite .Values (include "rclone.hardcodedValues" . | fromYaml) -}}
+
+{{/* Render the templates */}}
+{{ include "bjw-s.common.loader.generate" . }}

charts/rclone-bucket/templates/external-secret.yaml

@@ -0,0 +1,69 @@
+{{- if .Values.secret.externalSecret.enabled }}
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: {{ include "rclone.sourceSecretName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "secret.labels" . | nindent 4 }}
+    app.kubernetes.io/name: {{ include "rclone.sourceSecretName" . }}
+    {{- with .Values.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: {{ .Values.secret.externalSecret.storeName | required "External Secret store name is required" }}
+  data:
+    - secretKey: {{ include "secret.envAccessKey" . }}
+      remoteRef:
+        key: {{ .Values.secret.externalSecret.source.credentials.path }}
+        property: {{ .Values.secret.externalSecret.source.credentials.keyIdProperty }}
+    - secretKey: {{ include "secret.envSecretKey" . }}
+      remoteRef:
+        key: {{ .Values.secret.externalSecret.source.credentials.path }}
+        property: {{ .Values.secret.externalSecret.source.credentials.secretKeyProperty }}
+    - secretKey: {{ include "secret.envRegion" . }}
+      remoteRef:
+        key: {{ .Values.secret.externalSecret.source.credentials.path }}
+        property: {{ .Values.secret.externalSecret.source.credentials.regionProperty }}
+    - secretKey: {{ include "secret.envSrcEndpoint" . }}
+      remoteRef:
+        key: {{ .Values.secret.externalSecret.source.config.path }}
+        property: {{ .Values.secret.externalSecret.source.config.endpointProperty }}
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: {{ include "rclone.destinationSecretName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "secret.labels" . | nindent 4 }}
+    app.kubernetes.io/name: {{ include "rclone.destinationSecretName" . }}
+    {{- with .Values.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: {{ .Values.secret.externalSecret.storeName | required "External Secret store name is required" }}
+  data:
+    - secretKey: {{ include "secret.envAccessKey" . }}
+      remoteRef:
+        key: {{ .Values.secret.externalSecret.destination.credentials.path }}
+        property: {{ .Values.secret.externalSecret.destination.credentials.keyIdProperty }}
+    - secretKey: {{ include "secret.envSecretKey" . }}
+      remoteRef:
+        key: {{ .Values.secret.externalSecret.destination.credentials.path }}
+        property: {{ .Values.secret.externalSecret.destination.credentials.keyIdProperty }}
+    - secretKey: {{ include "secret.envRegion" . }}
+      remoteRef:
+        key: {{ .Values.secret.externalSecret.destination.credentials.path }}
+        property: {{ .Values.secret.externalSecret.destination.credentials.keyIdProperty }}
+    - secretKey: {{ include "secret.envDestEndpoint" . }}
+      remoteRef:
+        key: {{ .Values.secret.externalSecret.destination.config.path }}
+        property: {{ .Values.secret.externalSecret.destination.config.endpointProperty }}
+{{- end }}

charts/rclone-bucket/values.yaml

@@ -0,0 +1,82 @@
+# -- Default pattern follows <pvcTarget>-backup
+nameOverride: ""
+
+# -- Add additional labels
+additionalLabels: {}
+
+# -- Default image
+image:
+  repository: rclone/rclone
+  tag: 1.73.5@sha256:1619a625f845e169c34b952cf40c483c0392965b821c5155cde8cbfd35254a96
+  pullPolicy: IfNotPresent
+
+# -- CronJob configuration
+cronJob:
+  suspend: false
+  timeZone: America/Chicago
+  schedule: 0 0 * * *
+  backoffLimit: 3
+  parallelism: 1
+
+# -- rclone configuration
+rclone:
+  providerType: Other
+
+  # -- Source configuration
+  source:
+    providerType: Other
+    bucketName: bucket
+    forcePathStyle: true
+
+  # -- Destination configuration
+  destination:
+    providerType: Other
+    bucketName: bucket
+    forcePathStyle: true
+
+# -- Enable prune job
+prune:
+  enabled: false
+  ageToPrune: 90d
+
+# -- Secret configuration
+secret:
+
+  # -- External Secret configuration
+  externalSecret:
+    enabled: true
+    storeName: openbao
+
+    # -- Source configuration
+    source:
+      nameOverride: ""
+      credentials:
+        path: /credential
+        keyIdProperty: ACCESS_KEY_ID
+        secretKeyProperty: ACCESS_SECRET_KEY
+        regionProperty: ACCESS_REGION
+      config:
+        path: /config
+        endpointProperty: ENDPOINT_LOCAL
+
+    # -- Destination configuration
+    destination:
+      nameOverride: ""
+      credentials:
+        path: /credential
+        keyIdProperty: ACCESS_KEY_ID
+        secretKeyProperty: ACCESS_SECRET_KEY
+        regionProperty: ACCESS_REGION
+      config:
+        path: /config
+        endpointProperty: ENDPOINT_REMOTE
+
+    # -- Add additional labels
+    additionalLabels: {}
+
+  # -- Name of existing secret that contains the configuration
+  existingSecretSource:
+    name: rclone-source-secret
+
+  existingSecretDestination:
+    name: rclone-destination-secret

charts/valkey/README.md

@@ -1,6 +1,6 @@
 # valkey
 
-![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![AppVersion: 9.0.3](https://img.shields.io/badge/AppVersion-9.0.3-informational?style=flat-square)
+![Version: 0.6.1](https://img.shields.io/badge/Version-0.6.1-informational?style=flat-square) ![AppVersion: 9.0.3](https://img.shields.io/badge/AppVersion-9.0.3-informational?style=flat-square)
 
 Valkey chart with preconfigured settings
 
@@ -22,7 +22,7 @@ Valkey chart with preconfigured settings
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://valkey.io/valkey-helm/ | valkey | 0.9.3 |
+| https://valkey.io/valkey-helm/ | valkey | 0.9.4 |
 
 ## Values
 

charts/volsync-target/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: volsync-target
-version: 0.8.0
+version: 1.0.0
 description: Volsync Replication set to target specific PVC with preconfigured settings
 keywords:
   - volsync-target

charts/volsync-target/README.md

@@ -1,6 +1,6 @@
 # volsync-target
 
-![Version: 0.8.0](https://img.shields.io/badge/Version-0.8.0-informational?style=flat-square) ![AppVersion: 0.15.0](https://img.shields.io/badge/AppVersion-0.15.0-informational?style=flat-square)
+![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![AppVersion: 0.15.0](https://img.shields.io/badge/AppVersion-0.15.0-informational?style=flat-square)
 
 Volsync Replication set to target specific PVC with preconfigured settings
 
@@ -20,21 +20,22 @@ Volsync Replication set to target specific PVC with preconfigured settings
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | additionalLabels | object | `{}` | Add additional labels |
-| external | object | `{"enabled":true,"externalSecret":{"credentialPath":"/digital-ocean/home-infra/volsync-backups","volsyncPath":"/volsync/restic/digital-ocean"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 9 * * *"}` | External backup configuration |
+| external | object | `{"enabled":true,"externalSecret":{"bucketPath":"/digital-ocean/config","credentialPath":"/digital-ocean/home-infra/volsync-backups"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 9 * * *"}` | External backup configuration |
-| external.externalSecret | object | `{"credentialPath":"/digital-ocean/home-infra/volsync-backups","volsyncPath":"/volsync/restic/digital-ocean"}` | External Secret configuration |
+| external.externalSecret | object | `{"bucketPath":"/digital-ocean/config","credentialPath":"/digital-ocean/home-infra/volsync-backups"}` | External Secret configuration |
 | external.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
 | external.schedule | string | `"0 9 * * *"` | 5 character cron schedule |
 | externalSecrets | object | `{"enabled":true}` | Use external secrets |
-| local | object | `{"enabled":false,"externalSecret":{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-local"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 8 * * *"}` | Local backup configuration |
+| kubernetesClusterName | string | `"cl01tl"` | Kubernetes cluster name |
-| local.externalSecret | object | `{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-local"}` | External Secret configuration |
+| local | object | `{"enabled":false,"externalSecret":{"bucketPath":"/garage/config","credentialPath":"/garage/home-infra/volsync-backups"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 8 * * *"}` | Local backup configuration |
+| local.externalSecret | object | `{"bucketPath":"/garage/config","credentialPath":"/garage/home-infra/volsync-backups"}` | External Secret configuration |
 | local.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
 | local.schedule | string | `"0 8 * * *"` | 5 character cron schedule |
 | moverSecurityContext | object | `{}` | Glocal security context for restic mover |
 | nameOverride | string | `""` | Default pattern follows <pvcTarget>-backup |
 | namespaceOverride | string | `""` | Override the namespace of the chart |
 | pvcTarget | string | `"data"` | Name of the PVC target |
-| remote | object | `{"enabled":false,"externalSecret":{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-remote"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 10 * * *"}` | Remote backup configuration |
+| remote | object | `{"enabled":false,"externalSecret":{"bucketPath":"/garage/config","credentialPath":"/garage/home-infra/volsync-backups"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 10 * * *"}` | Remote backup configuration |
-| remote.externalSecret | object | `{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-remote"}` | External Secret configuration |
+| remote.externalSecret | object | `{"bucketPath":"/garage/config","credentialPath":"/garage/home-infra/volsync-backups"}` | External Secret configuration |
 | remote.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
 | remote.schedule | string | `"0 10 * * *"` | 5 character cron schedule |
 

charts/volsync-target/templates/external-secret.yaml

@@ -14,48 +14,37 @@ metadata:
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   target:
     template:
       mergePolicy: Merge
       engineVersion: v2
       data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
+        RESTIC_REPOSITORY: "s3:{{ `{{ .ENDPOINT }}` }}/{{ `{{ .BUCKET }}` }}/{{ .Values.kubernetesClusterName }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
   data:
-    - secretKey: BUCKET_ENDPOINT
+    - secretKey: ENDPOINT
       remoteRef:
-        conversionStrategy: Default
+        key: {{ .Values.local.externalSecret.bucketPath | required "External Secret Volsync local path is required" }}
-        decodingStrategy: None
+        property: ENDPOINT_LOCAL
-        key: {{ .Values.local.externalSecret.volsyncPath | required "External Secret Volsync local path is required" }}
+    - secretKey: BUCKET
-        metadataPolicy: None
+      remoteRef:
-        property: BUCKET_ENDPOINT
+        key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Volsync local path is required" }}
+        property: BUCKET
     - secretKey: RESTIC_PASSWORD
       remoteRef:
-        conversionStrategy: Default
+        key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Volsync local path is required" }}
-        decodingStrategy: None
+        property: RESTIC_PASSWORD_LOCAL
-        key: {{ .Values.local.externalSecret.volsyncPath | required "External Secret Volsync local path is required" }}
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
     - secretKey: AWS_DEFAULT_REGION
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
-        metadataPolicy: None
         property: ACCESS_REGION
     - secretKey: AWS_ACCESS_KEY_ID
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
-        metadataPolicy: None
         property: ACCESS_KEY_ID
     - secretKey: AWS_SECRET_ACCESS_KEY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
-        metadataPolicy: None
         property: ACCESS_SECRET_KEY
 {{- end }}
 
@@ -75,48 +64,37 @@ metadata:
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   target:
     template:
       mergePolicy: Merge
       engineVersion: v2
       data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
+        RESTIC_REPOSITORY: "s3:{{ `{{ .ENDPOINT }}` }}/{{ `{{ .BUCKET }}` }}/{{ .Values.kubernetesClusterName }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
   data:
-    - secretKey: BUCKET_ENDPOINT
+    - secretKey: ENDPOINT
       remoteRef:
-        conversionStrategy: Default
+        key: {{ .Values.remote.externalSecret.bucketPath | required "External Secret Volsync local path is required" }}
-        decodingStrategy: None
+        property: ENDPOINT_REMOTE
-        key: {{ .Values.remote.externalSecret.volsyncPath | required "External Secret Volsync remote path is required" }}
+    - secretKey: BUCKET
-        metadataPolicy: None
+      remoteRef:
-        property: BUCKET_ENDPOINT
+        key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Volsync local path is required" }}
+        property: BUCKET
     - secretKey: RESTIC_PASSWORD
       remoteRef:
-        conversionStrategy: Default
+        key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Volsync local path is required" }}
-        decodingStrategy: None
+        property: RESTIC_PASSWORD_REMOTE
-        key: {{ .Values.remote.externalSecret.volsyncPath | required "External Secret Volsync remote path is required" }}
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
     - secretKey: AWS_DEFAULT_REGION
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Credential remote path is required" }}
-        metadataPolicy: None
         property: ACCESS_REGION
     - secretKey: AWS_ACCESS_KEY_ID
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Credential remote path is required" }}
-        metadataPolicy: None
         property: ACCESS_KEY_ID
     - secretKey: AWS_SECRET_ACCESS_KEY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Credential remote path is required" }}
-        metadataPolicy: None
         property: ACCESS_SECRET_KEY
 {{- end }}
 
@@ -136,47 +114,36 @@ metadata:
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   target:
     template:
       mergePolicy: Merge
       engineVersion: v2
       data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
+        RESTIC_REPOSITORY: "s3:{{ `{{ .ENDPOINT }}` }}/{{ `{{ .BUCKET }}` }}/{{ .Values.kubernetesClusterName }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
   data:
-    - secretKey: BUCKET_ENDPOINT
+    - secretKey: ENDPOINT
       remoteRef:
-        conversionStrategy: Default
+        key: {{ .Values.external.externalSecret.bucketPath | required "External Secret Volsync external path is required" }}
-        decodingStrategy: None
+        property: ENDPOINT
-        key: {{ .Values.external.externalSecret.volsyncPath | required "External Secret Volsync external path is required" }}
+    - secretKey: BUCKET
-        metadataPolicy: None
+      remoteRef:
-        property: BUCKET_ENDPOINT
+        key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Volsync local path is required" }}
+        property: BUCKET
     - secretKey: RESTIC_PASSWORD
       remoteRef:
-        conversionStrategy: Default
+        key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Volsync external path is required" }}
-        decodingStrategy: None
-        key: {{ .Values.external.externalSecret.volsyncPath | required "External Secret Volsync external path is required" }}
-        metadataPolicy: None
         property: RESTIC_PASSWORD
     - secretKey: AWS_DEFAULT_REGION
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Credential external path is required" }}
-        metadataPolicy: None
+        property: AWS_REGION
-        property: AWS_DEFAULT_REGION
     - secretKey: AWS_ACCESS_KEY_ID
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Credential external path is required" }}
-        metadataPolicy: None
         property: AWS_ACCESS_KEY_ID
     - secretKey: AWS_SECRET_ACCESS_KEY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Credential external path is required" }}
-        metadataPolicy: None
         property: AWS_SECRET_ACCESS_KEY
 {{- end }}

charts/volsync-target/values.yaml

@@ -4,6 +4,9 @@ nameOverride: ""
 # -- Override the namespace of the chart
 namespaceOverride: ""
 
+# -- Kubernetes cluster name
+kubernetesClusterName: cl01tl
+
 # -- Add additional labels
 additionalLabels: {}
 
@@ -41,9 +44,9 @@ local:
 
   # -- External Secret configuration
   externalSecret:
-    # This path must contain the BUCKET_ENDPOINT and RESTIC_PASSWORD
+    # This path must contain the BUCKET_ENDPOINT
-    volsyncPath: /volsync/restic/garage-local
+    bucketPath: /garage/config
-    # This path must contain the AWS/S3 credentials
+    # This path must contain the AWS/S3 credentials and RESTIC_PASSWORD
     credentialPath: /garage/home-infra/volsync-backups
 
 # -- Remote backup configuration
@@ -70,9 +73,9 @@ remote:
 
   # -- External Secret configuration
   externalSecret:
-    # This path must contain the BUCKET_ENDPOINT and RESTIC_PASSWORD
+    # This path must contain the BUCKET_ENDPOINT
-    volsyncPath: /volsync/restic/garage-remote
+    bucketPath: /garage/config
-    # This path must contain the AWS/S3 credentials
+    # This path must contain the AWS/S3 credentials and RESTIC_PASSWORD
     credentialPath: /garage/home-infra/volsync-backups
 
 # -- External backup configuration
@@ -99,7 +102,7 @@ external:
 
   # -- External Secret configuration
   externalSecret:
-    # This path must contain the BUCKET_ENDPOINT and RESTIC_PASSWORD
+    # This path must contain the ENDPOINT
-    volsyncPath: /volsync/restic/digital-ocean
+    bucketPath: /digital-ocean/config
-    # This path must contain the AWS/S3 credentials
+    # This path must contain the AWS/S3 credentials and RESTIC_PASSWORD
     credentialPath: /digital-ocean/home-infra/volsync-backups