feat: update image

Reviewed-on: #210

.gitea/workflows/lint-test.yaml

@@ -26,7 +26,7 @@ jobs:
           fetch-depth: 0
 
       - name: Set up Helm
-        uses: azure/setup-helm@v4
+        uses: azure/setup-helm@v5
         with:
           token: ${{ secrets.GITEA_TOKEN }}
           version: v3.19.2
@@ -118,7 +118,7 @@ jobs:
       - name: Check Branch Exists
         id: check-branch-exists
         if: github.event_name == 'pull_request'
-        uses: GuillaumeFalourd/branch-exists@v1.1
+        uses: GuillaumeFalourd/branch-exists@v1.2
         with:
           branch: ${{ gitea.base_ref }}
 
@@ -139,7 +139,7 @@ jobs:
           echo "exists=true" >> $GITEA_OUTPUT
 
       - name: Set up Helm
-        uses: azure/setup-helm@v4
+        uses: azure/setup-helm@v5
         if: steps.branch-exists.outputs.exists == 'true'
         with:
           token: ${{ secrets.GITEA_TOKEN }}

.gitea/workflows/release-charts-cloudflared.yml

@@ -20,7 +20,7 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Set up Helm
-        uses: azure/setup-helm@v4
+        uses: azure/setup-helm@v5
         with:
           token: ${{ secrets.GITEA_TOKEN }}
           version: v3.19.2

.gitea/workflows/release-charts-generic-device-plugin.yml

@@ -20,7 +20,7 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Set up Helm
-        uses: azure/setup-helm@v4
+        uses: azure/setup-helm@v5
         with:
           token: ${{ secrets.GITEA_TOKEN }}
           version: v3.19.2

.gitea/workflows/release-charts-postgres-cluster.yml

@@ -20,7 +20,7 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Set up Helm
-        uses: azure/setup-helm@v4
+        uses: azure/setup-helm@v5
         with:
           token: ${{ secrets.GITEA_TOKEN }}
           version: v3.19.2

.gitea/workflows/release-charts-rclone-bucket.yml

@@ -0,0 +1,128 @@
+name: release-charts-rclone-bucket
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "charts/rclone-bucket/**"
+
+  workflow_dispatch:
+
+env:
+  WORKFLOW_DIR: "charts/rclone-bucket"
+
+jobs:
+  release:
+    runs-on: ubuntu-js
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v5
+        with:
+          token: ${{ secrets.GITEA_TOKEN }}
+          version: v3.19.2
+
+      - name: Add Repositories
+        run: |
+          cd ${WORKFLOW_DIR}
+
+          echo ">> Adding repositories for chart dependencies ..."
+          helm dependency list --max-col-width 120 2> /dev/null \
+            | tail +2 | head -n -1 \
+            | awk '{ print "helm repo add " $1 " " $3 }' \
+            | while read cmd; do echo "$cmd" | sh; done || true
+
+          if helm repo list | tail +2 | read -r; then
+            echo ">> Update repository cache ..."
+            helm repo update
+          fi
+
+          echo "----"
+
+      - name: Package Helm Chart
+        run: |
+          cd ${WORKFLOW_DIR}
+
+          echo ">> Building helm dependency ..."
+          helm dependency build --skip-refresh --debug
+
+          echo "----"
+
+          echo "PACKAGE_PATH=$(helm package . | awk '{print $NF}')" >> $GITEA_ENV
+
+      - name: Publish Helm Chart to Harbor
+        run: |
+          echo ">> Logging into Harbor ..."
+          helm registry login ${{ vars.REGISTRY_HOST }} -u ${{ vars.REGISTRY_USER }} -p ${{ secrets.REGISTRY_SECRET }} --debug
+
+          echo ""
+          echo ">> Publishing chart to Harbor ..."
+          helm push ${{ env.PACKAGE_PATH }} oci://${{ vars.REGISTRY_HOST }}/helm-charts --debug
+
+          echo "----"
+
+      - name: Publish Helm Chart to Gitea
+        run: |
+          echo ">> Installing Chart Museum plugin ..."
+          helm plugin install https://github.com/chartmuseum/helm-push --debug
+
+          echo ""
+          echo ">> Adding Gitea repository ..."
+          helm repo add --username ${{ gitea.actor }} --password ${{ secrets.REPOSITORY_TOKEN }} helm-charts https://${{ vars.REPOSITORY_HOST }}/api/packages/alexlebens/helm --debug
+
+          echo ""
+          echo ">> Pushing chart to gitea"
+          helm cm-push ${{ env.PACKAGE_PATH }} helm-charts --debug
+
+      - name: Extract Chart Metadata
+        run: |
+          cd ${WORKFLOW_DIR}
+
+          echo ">> Adding Chart metadata to workflow ENV ..."
+          echo ""
+          echo ">> Chart Version: $(yq '.version' Chart.yaml)"
+          echo ">> Chart Name: $(yq '.name' Chart.yaml)"
+
+          echo "----"
+
+          echo "CHART_VERSION=$(yq '.version' Chart.yaml)" >> $GITEA_ENV
+          echo "CHART_NAME=$(yq '.name' Chart.yaml)" >> $GITEA_ENV
+
+      - name: Release Helm Chart
+        uses: akkuman/gitea-release-action@v1
+        with:
+          name: ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}
+          tag_name: ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}
+          files: |-
+            ${{ env.PACKAGE_PATH }}
+
+      - name: ntfy Success
+        uses: niniyas/ntfy-action@master
+        if: success()
+        with:
+          url: '${{ secrets.NTFY_URL }}'
+          topic: '${{ secrets.NTFY_TOPIC }}'
+          title: 'Release Success - ${{ env.CHART_NAME }}'
+          priority: 3
+          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+          tags: action,successfully,completed
+          details: 'Helm Chart ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }} has been released!'
+          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
+
+      - name: ntfy Failed
+        uses: niniyas/ntfy-action@master
+        if: failure()
+        with:
+          url: '${{ secrets.NTFY_URL }}'
+          topic: '${{ secrets.NTFY_TOPIC }}'
+          title: 'Release Failure - ${{ env.CHART_NAME }}'
+          priority: 4
+          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+          tags: action,failed
+          details: 'Helm Chart ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }} has failed to be released.'
+          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
+          actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/helm-charts/actions?workflow=release-charts-rclone-bucket.yml", "clear": true}]'
+          image: true

.gitea/workflows/release-charts-valkey.yml

@@ -20,7 +20,7 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Set up Helm
-        uses: azure/setup-helm@v4
+        uses: azure/setup-helm@v5
         with:
           token: ${{ secrets.GITEA_TOKEN }}
           version: v3.19.2

.gitea/workflows/release-charts-volsync-target.yml

@@ -20,7 +20,7 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Set up Helm
-        uses: azure/setup-helm@v4
+        uses: azure/setup-helm@v5
         with:
           token: ${{ secrets.GITEA_TOKEN }}
           version: v3.19.2

charts/cloudflared/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: common
   repository: https://bjw-s-labs.github.io/helm-charts/
-  version: 4.6.2
+  version: 5.0.1
-digest: sha256:35e8f4e5d15d878c246a04eb51de580291f31203fa10e9e4d2318f16026b2061
+digest: sha256:754f21ee6fca6dc4a85e91384ff0b919b715234d764ef344bd3bbe93414275d3
-generated: "2026-01-16T13:29:29.385123-06:00"
+generated: "2026-05-17T20:56:16.253838-05:00"

charts/cloudflared/Chart.yaml

@@ -1,19 +1,20 @@
 apiVersion: v2
 name: cloudflared
-version: 2.4.0
+version: 3.3.1
 description: Cloudflared Tunnel
 keywords:
   - cloudflare
   - tunnel
 sources:
   - https://github.com/cloudflare/cloudflared
+  - https://hub.docker.com/r/cloudflare/cloudflared
   - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/library/common
 maintainers:
   - name: alexlebens
 dependencies:
   - name: common
     repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 4.6.2
+    version: 5.0.1
-icon: https://avatars.githubusercontent.com/u/314135?s=48&v=4
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/cloudflare.png
-# renovate: datasource=github-releases depName=cloudflare/cloudflared
+# renovate: datasource=docker depName=cloudflare/cloudflared
-appVersion: "2026.3.0"
+appVersion: 2026.5.0

charts/cloudflared/README.md

@@ -1,6 +1,6 @@
 # cloudflared
 
-![Version: 2.4.0](https://img.shields.io/badge/Version-2.4.0-informational?style=flat-square) ![AppVersion: 2026.3.0](https://img.shields.io/badge/AppVersion-2026.3.0-informational?style=flat-square)
+![Version: 3.3.1](https://img.shields.io/badge/Version-3.3.1-informational?style=flat-square) ![AppVersion: 2026.5.0](https://img.shields.io/badge/AppVersion-2026.5.0-informational?style=flat-square)
 
 Cloudflared Tunnel
 
@@ -13,26 +13,29 @@ Cloudflared Tunnel
 ## Source Code
 
 * <https://github.com/cloudflare/cloudflared>
+* <https://hub.docker.com/r/cloudflare/cloudflared>
 * <https://github.com/bjw-s-labs/helm-charts/tree/main/charts/library/common>
 
 ## Requirements
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://bjw-s-labs.github.io/helm-charts/ | common | 4.6.2 |
+| https://bjw-s-labs.github.io/helm-charts/ | common | 5.0.1 |
 
 ## Values
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| image | object | `{"pullPolicy":"IfNotPresent","repository":"cloudflare/cloudflared","tag":"2026.3.0"}` | Default image |
+| image | object | `{"pullPolicy":"IfNotPresent","repository":"cloudflare/cloudflared","tag":"2026.5.0@sha256:59bab8d3aceec09bf6bdb07d6beca0225ca5cd7ab79436a87ea97978fe1dc4f9"}` | Default image |
+| metrics | object | `{"enabled":true}` | Metrics |
 | name | string | `""` | Name override of release |
-| resources | object | `{"requests":{"cpu":"10m","memory":"128Mi"}}` | Default resources |
+| protocol | string | `"auto"` | Protocol - Available values are auto, http2, and quic. |
-| secret | object | `{"existingSecret":{"key":"cf-tunnel-token","name":"cloudflared-secret"},"externalSecret":{"additionalLabels":{},"enabled":true,"nameOverride":"","store":{"name":"vault","path":"/cloudflare/tunnels","property":"token"}}}` | Secret configuration |
+| resources | object | `{"requests":{"cpu":"1m","memory":"20Mi"}}` | Default resources |
+| secret | object | `{"existingSecret":{"key":"cf-tunnel-token","name":"cloudflared-secret"},"externalSecret":{"additionalLabels":{},"enabled":true,"nameOverride":"","store":{"name":"openbao","path":"/cloudflare/tunnels","property":"token"}}}` | Secret configuration |
 | secret.existingSecret | object | `{"key":"cf-tunnel-token","name":"cloudflared-secret"}` | Name of existing secret that contains Cloudflare token |
-| secret.externalSecret | object | `{"additionalLabels":{},"enabled":true,"nameOverride":"","store":{"name":"vault","path":"/cloudflare/tunnels","property":"token"}}` | External Secret configuration |
+| secret.externalSecret | object | `{"additionalLabels":{},"enabled":true,"nameOverride":"","store":{"name":"openbao","path":"/cloudflare/tunnels","property":"token"}}` | External Secret configuration |
 | secret.externalSecret.additionalLabels | object | `{}` | Add additional labels |
-| secret.externalSecret.store | object | `{"name":"vault","path":"/cloudflare/tunnels","property":"token"}` | Cluster store config |
+| secret.externalSecret.store | object | `{"name":"openbao","path":"/cloudflare/tunnels","property":"token"}` | Cluster store config |
 
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

charts/cloudflared/templates/common.yaml

@@ -4,10 +4,14 @@
 global:
   nameOverride: {{ include "cloudflared.name" . }}
   fullNameOverride: {{ include "cloudflared.name" . }}
+  createDefaultServiceAccount: true
 controllers:
   main:
     type: deployment
+    replicas: 1
     strategy: Recreate
+    serviceAccount:
+      identifier: {{ .Release.Name }}
     containers:
       main:
         image:
@@ -17,8 +21,12 @@ controllers:
         args:
           - tunnel
           - --protocol
-          - http2
+          - {{ .Values.protocol }}
           - --no-autoupdate
+          {{- if .Values.metrics.enabled }}
+          - --metrics
+          - 0.0.0.0:20241
+          {{- end }}
           - run
           - --token
           - $(CF_MANAGED_TUNNEL_TOKEN)
@@ -29,10 +37,30 @@ controllers:
                 name: {{ include "secret.name" . }}
                 key: {{ include "secret.key" . }}
         resources:
-        {{- with .Values.resources }}
+          {{- with .Values.resources }}
-        resources:
           {{- toYaml . | nindent 10 }}
-        {{ end }}
+          {{ end }}
+{{- if .Values.metrics.enabled }}
+service:
+  main:
+    controller: main
+    ports:
+      metrics:
+        port: 20241
+        targetPort: 20241
+serviceMonitor:
+  main:
+    selector:
+      matchLabels:
+        app.kubernetes.io/name: {{ include "cloudflared.name" . }}
+        app.kubernetes.io/instance: {{ .Release.Namespace }}
+    serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
+    endpoints:
+      - port: metrics
+        interval: 30s
+        scrapeTimeout: 10s
+        path: /metrics
+{{- end }}
 {{- end -}}
 {{- $_ := mergeOverwrite .Values (include "cloudflared.hardcodedValues" . | fromYaml) -}}
 

charts/cloudflared/templates/external-secret.yaml

@@ -14,10 +14,6 @@ spec:
   data:
     - secretKey: {{ include "secret.key" . }}
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ include "secret.path" . }}
-        metadataPolicy: None
         property: {{ .Values.secret.externalSecret.store.property | required "External Secret store property is required" }}
-
 {{- end }}

charts/cloudflared/values.yaml

@@ -1,6 +1,13 @@
 # -- Name override of release
 name: ""
 
+# -- Protocol - Available values are auto, http2, and quic.
+protocol: auto
+
+# -- Metrics
+metrics:
+  enabled: true
+
 # -- Secret configuration
 secret:
 
@@ -11,7 +18,7 @@ secret:
 
     # -- Cluster store config
     store:
-      name: vault
+      name: openbao
       path: /cloudflare/tunnels
       property: token
 
@@ -26,11 +33,11 @@ secret:
 # -- Default image
 image:
   repository: cloudflare/cloudflared
-  tag: "2026.3.0"
+  tag: 2026.5.0@sha256:59bab8d3aceec09bf6bdb07d6beca0225ca5cd7ab79436a87ea97978fe1dc4f9
   pullPolicy: IfNotPresent
 
 # -- Default resources
 resources:
   requests:
-    cpu: 10m
+    cpu: 1m
-    memory: 128Mi
+    memory: 20Mi

charts/generic-device-plugin/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: common
   repository: https://bjw-s-labs.github.io/helm-charts/
-  version: 4.6.2
+  version: 5.0.1
-digest: sha256:35e8f4e5d15d878c246a04eb51de580291f31203fa10e9e4d2318f16026b2061
+digest: sha256:754f21ee6fca6dc4a85e91384ff0b919b715234d764ef344bd3bbe93414275d3
-generated: "2026-01-16T13:29:01.760344-06:00"
+generated: "2026-05-17T20:56:28.479119-05:00"

charts/generic-device-plugin/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: generic-device-plugin
-version: 0.20.25
+version: 0.21.6
 description: Generic Device Plugin
 keywords:
   - generic-device-plugin
@@ -14,5 +14,5 @@ maintainers:
 dependencies:
   - name: common
     repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 4.6.2
+    version: 5.0.1
-appVersion: 0.20.17
+appVersion: 0.21.1

charts/generic-device-plugin/README.md

@@ -1,6 +1,6 @@
 # generic-device-plugin
 
-![Version: 0.20.21](https://img.shields.io/badge/Version-0.20.21-informational?style=flat-square) ![AppVersion: 0.20.17](https://img.shields.io/badge/AppVersion-0.20.17-informational?style=flat-square)
+![Version: 0.21.6](https://img.shields.io/badge/Version-0.21.6-informational?style=flat-square) ![AppVersion: 0.21.1](https://img.shields.io/badge/AppVersion-0.21.1-informational?style=flat-square)
 
 Generic Device Plugin
 
@@ -19,7 +19,7 @@ Generic Device Plugin
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://bjw-s-labs.github.io/helm-charts/ | common | 4.6.2 |
+| https://bjw-s-labs.github.io/helm-charts/ | common | 5.0.1 |
 
 ## Values
 
@@ -28,7 +28,7 @@ Generic Device Plugin
 | config | object | `{"data":"devices:\n  - name: serial\n    groups:\n      - paths:\n          - path: /dev/ttyUSB*\n      - paths:\n          - path: /dev/ttyACM*\n      - paths:\n          - path: /dev/tty.usb*\n      - paths:\n          - path: /dev/cu.*\n      - paths:\n          - path: /dev/cuaU*\n      - paths:\n          - path: /dev/rfcomm*\n  - name: video\n    groups:\n      - paths:\n          - path: /dev/video0\n  - name: fuse\n    groups:\n      - count: 10\n        paths:\n          - path: /dev/fuse\n  - name: audio\n    groups:\n      - count: 10\n        paths:\n          - path: /dev/snd\n  - name: capture\n    groups:\n      - paths:\n          - path: /dev/snd/controlC0\n          - path: /dev/snd/pcmC0D0c\n      - paths:\n          - path: /dev/snd/controlC1\n            mountPath: /dev/snd/controlC0\n          - path: /dev/snd/pcmC1D0c\n            mountPath: /dev/snd/pcmC0D0c\n      - paths:\n          - path: /dev/snd/controlC2\n            mountPath: /dev/snd/controlC0\n          - path: /dev/snd/pcmC2D0c\n            mountPath: /dev/snd/pcmC0D0c\n      - paths:\n          - path: /dev/snd/controlC3\n            mountPath: /dev/snd/controlC0\n          - path: /dev/snd/pcmC3D0c\n            mountPath: /dev/snd/pcmC0D0c\n","enabled":true}` | Config map |
 | config.data | string | See [values.yaml](./values.yaml) | generic-device-plugin config file [[ref]](https://github.com/squat/generic-device-plugin#usage) |
 | deviceDomain | string | `"devic.es"` | Domain used by devices for identifcation |
-| image | object | `{"pullPolicy":"Always","repository":"ghcr.io/squat/generic-device-plugin","tag":"latest@sha256:5acdaa40af84adf8b6f7bb1b8930d4e7be1ebe7f0109f00211ce3df43217b3b7"}` | Default image |
+| image | object | `{"pullPolicy":"Always","repository":"ghcr.io/squat/generic-device-plugin","tag":"latest@sha256:dc192e164c69b03f156765793a1be62ca437709ae477b27ca7d8f3dcf5021576"}` | Default image |
 | name | string | `"generic-device-plugin"` | Name override of release |
 | resources | object | `{"requests":{"cpu":"50m","memory":"10Mi"}}` | Default resources |
 | service | object | `{"listenPort":8080}` | Service port |

charts/generic-device-plugin/values.yaml

@@ -4,7 +4,7 @@ name: generic-device-plugin
 # -- Default image
 image:
   repository: ghcr.io/squat/generic-device-plugin
-  tag: latest@sha256:5ff359bfbac2983afe9ccf4ecee1d11243745755a02981b8bd913ee3b76fde57
+  tag: latest@sha256:dc192e164c69b03f156765793a1be62ca437709ae477b27ca7d8f3dcf5021576
   pullPolicy: Always
 
 # -- Domain used by devices for identifcation

charts/postgres-cluster/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: postgres-cluster
-version: 7.10.0
+version: 7.15.0
 description: Cloudnative-pg Cluster
 keywords:
   - database
@@ -12,4 +12,4 @@ maintainers:
   - name: alexlebens
 icon: https://avatars.githubusercontent.com/u/100373852?s=48&v=4
 # renovate: datasource=github-releases depName=cloudnative-pg/cloudnative-pg
-appVersion: v1.28.1
+appVersion: v1.29.1

charts/postgres-cluster/README.md

@@ -1,6 +1,6 @@
 # postgres-cluster
 
-![Version: 7.10.0](https://img.shields.io/badge/Version-7.10.0-informational?style=flat-square) ![AppVersion: v1.28.1](https://img.shields.io/badge/AppVersion-v1.28.1-informational?style=flat-square)
+![Version: 7.15.0](https://img.shields.io/badge/Version-7.15.0-informational?style=flat-square) ![AppVersion: v1.29.1](https://img.shields.io/badge/AppVersion-v1.29.1-informational?style=flat-square)
 
 Cloudnative-pg Cluster
 
@@ -19,17 +19,17 @@ Cloudnative-pg Cluster
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| backup | object | `{"externalSecret":{"enabled":true},"method":"objectStore","objectStore":null,"scheduledBackups":[]}` | Backup settings |
+| backup | object | `{"externalSecret":{"enabled":true},"method":"objectStore","objectStore":[],"scheduledBackups":[]}` | Backup settings |
 | backup.externalSecret | object | `{"enabled":true}` | Use generated External Secrets, credentialPath points at path in cluster store that contains the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY |
 | backup.method | string | `"objectStore"` | Method to create backups, options currently are only objectStore |
-| backup.objectStore | string | `nil` | Options for object store backups |
+| backup.objectStore | list | `[]` | Options for object store backups |
 | backup.scheduledBackups | list | `[]` | List of scheduled backups |
-| cluster | object | `{"additionalLabels":{},"affinity":{"enablePodAntiAffinity":true,"topologyKey":"kubernetes.io/hostname"},"annotations":{},"certificates":{},"enablePDB":true,"enableSuperuserAccess":false,"image":{"repository":"ghcr.io/cloudnative-pg/postgresql","tag":"18.3-standard-trixie"},"imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"initdb":{"database":"app","owner":"app"},"instances":3,"logLevel":"info","monitoring":{"customQueries":[],"customQueriesSecret":[],"disableDefaultQueries":false,"enabled":true,"podMonitor":{"enabled":true,"metricRelabelings":[],"relabelings":[]},"prometheusRule":{"enabled":true,"excludeRules":["CNPGClusterLastFailedArchiveTimeWarning"]}},"postgresGID":-1,"postgresUID":-1,"postgresql":{"ldap":{},"parameters":{"hot_standby_feedback":"on","max_slot_wal_keep_size":"2000MB","shared_buffers":"128MB"},"pg_hba":[],"pg_ident":[],"shared_preload_libraries":[],"synchronous":{}},"primaryUpdateMethod":"switchover","primaryUpdateStrategy":"unsupervised","priorityClassName":"","resources":{"limits":{"hugepages-2Mi":"256Mi"},"requests":{"cpu":"100m","memory":"256Mi"}},"roles":[],"serviceAccountTemplate":{},"services":{},"storage":{"size":"10Gi","storageClass":"local-path"},"superuserSecret":"","walStorage":{"enabled":true,"size":"2Gi","storageClass":"local-path"}}` | Cluster settings |
+| cluster | object | `{"additionalLabels":{},"affinity":{"enablePodAntiAffinity":true,"topologyKey":"kubernetes.io/hostname"},"annotations":{},"certificates":{},"enablePDB":true,"enableSuperuserAccess":false,"image":{"repository":"ghcr.io/cloudnative-pg/postgresql","tag":"18.4-standard-trixie"},"imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"initdb":{"database":"app","owner":"app"},"instances":3,"logLevel":"info","monitoring":{"customQueries":[],"customQueriesSecret":[],"disableDefaultQueries":false,"enabled":true,"podMonitor":{"enabled":true,"metricRelabelings":[],"relabelings":[]},"prometheusRule":{"enabled":true,"excludeRules":["CNPGClusterLastFailedArchiveTimeWarning"]}},"postgresGID":-1,"postgresUID":-1,"postgresql":{"ldap":{},"parameters":{"hot_standby_feedback":"on","max_slot_wal_keep_size":"2000MB","shared_buffers":"512MB"},"pg_hba":[],"pg_ident":[],"shared_preload_libraries":[],"synchronous":{}},"primaryUpdateMethod":"switchover","primaryUpdateStrategy":"unsupervised","priorityClassName":"","resources":{"limits":{"hugepages-2Mi":"256Mi"},"requests":{"cpu":"50m","memory":"512Mi"}},"roles":[],"serviceAccountTemplate":{},"services":{},"storage":{"size":"10Gi","storageClass":"local-path"},"superuserSecret":"","walStorage":{"enabled":true,"size":"2Gi","storageClass":"local-path"}}` | Cluster settings |
 | cluster.affinity | object | `{"enablePodAntiAffinity":true,"topologyKey":"kubernetes.io/hostname"}` | Affinity/Anti-affinity rules for Pods. See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-AffinityConfiguration |
 | cluster.certificates | object | `{}` | The configuration for the CA and related certificates. See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-CertificatesConfiguration |
 | cluster.enablePDB | bool | `true` | Allow to disable PDB, mainly useful for upgrade of single-instance clusters or development purposes See: https://cloudnative-pg.io/documentation/current/kubernetes_upgrade/#pod-disruption-budgets |
 | cluster.enableSuperuserAccess | bool | `false` | When this option is enabled, the operator will use the SuperuserSecret to update the postgres user password. If the secret is not present, the operator will automatically create one. When this option is disabled, the operator will ignore the SuperuserSecret content, delete it when automatically created, and then blank the password of the postgres user by setting it to NULL. |
-| cluster.image | object | `{"repository":"ghcr.io/cloudnative-pg/postgresql","tag":"18.3-standard-trixie"}` | Default image |
+| cluster.image | object | `{"repository":"ghcr.io/cloudnative-pg/postgresql","tag":"18.4-standard-trixie"}` | Default image |
 | cluster.imagePullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never or IfNotPresent. If not defined, it defaults to IfNotPresent. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images |
 | cluster.imagePullSecrets | list | `[]` | The list of pull secrets to be used to pull the images. See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-LocalObjectReference |
 | cluster.initdb | object | `{"database":"app","owner":"app"}` | Bootstrap is the configuration of the bootstrap process when initdb is used. See: https://cloudnative-pg.io/documentation/current/bootstrap/ See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-bootstrapinitdb |
@@ -42,19 +42,20 @@ Cloudnative-pg Cluster
 | cluster.monitoring.podMonitor.enabled | bool | `true` | Whether to enable the PodMonitor |
 | cluster.monitoring.podMonitor.metricRelabelings | list | `[]` | The list of metric relabelings for the PodMonitor. Applied to samples before ingestion. |
 | cluster.monitoring.podMonitor.relabelings | list | `[]` | The list of relabelings for the PodMonitor. Applied to samples before scraping. |
+| cluster.monitoring.prometheusRule | object | `{"enabled":true,"excludeRules":["CNPGClusterLastFailedArchiveTimeWarning"]}` | Prometheus rule |
 | cluster.monitoring.prometheusRule.enabled | bool | `true` | Whether to enable the PrometheusRule automated alerts |
 | cluster.monitoring.prometheusRule.excludeRules | list | `["CNPGClusterLastFailedArchiveTimeWarning"]` | Exclude specified rules |
 | cluster.postgresUID | int | `-1` | The UID and GID of the postgres user inside the image, defaults to 26 |
-| cluster.postgresql | object | `{"ldap":{},"parameters":{"hot_standby_feedback":"on","max_slot_wal_keep_size":"2000MB","shared_buffers":"128MB"},"pg_hba":[],"pg_ident":[],"shared_preload_libraries":[],"synchronous":{}}` | Parameters to be set for the database itself See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-PostgresConfiguration |
+| cluster.postgresql | object | `{"ldap":{},"parameters":{"hot_standby_feedback":"on","max_slot_wal_keep_size":"2000MB","shared_buffers":"512MB"},"pg_hba":[],"pg_ident":[],"shared_preload_libraries":[],"synchronous":{}}` | Parameters to be set for the database itself See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-PostgresConfiguration |
 | cluster.postgresql.ldap | object | `{}` | PostgreSQL LDAP configuration (see https://cloudnative-pg.io/documentation/current/postgresql_conf/#ldap-configuration) |
-| cluster.postgresql.parameters | object | `{"hot_standby_feedback":"on","max_slot_wal_keep_size":"2000MB","shared_buffers":"128MB"}` | PostgreSQL configuration options (postgresql.conf) |
+| cluster.postgresql.parameters | object | `{"hot_standby_feedback":"on","max_slot_wal_keep_size":"2000MB","shared_buffers":"512MB"}` | PostgreSQL configuration options (postgresql.conf) |
 | cluster.postgresql.pg_hba | list | `[]` | PostgreSQL Host Based Authentication rules (lines to be appended to the pg_hba.conf file) |
 | cluster.postgresql.pg_ident | list | `[]` | PostgreSQL User Name Maps rules (lines to be appended to the pg_ident.conf file) |
 | cluster.postgresql.shared_preload_libraries | list | `[]` | Lists of shared preload libraries to add to the default ones |
 | cluster.postgresql.synchronous | object | `{}` | Quorum-based Synchronous Replication |
 | cluster.primaryUpdateMethod | string | `"switchover"` | Method to follow to upgrade the primary server during a rolling update procedure, after all replicas have been successfully updated. It can be switchover (default) or restart. |
 | cluster.primaryUpdateStrategy | string | `"unsupervised"` | Strategy to follow to upgrade the primary server during a rolling update procedure, after all replicas have been successfully updated: it can be automated (unsupervised - default) or manual (supervised) |
-| cluster.resources | object | `{"limits":{"hugepages-2Mi":"256Mi"},"requests":{"cpu":"100m","memory":"256Mi"}}` | Resources requirements of every generated Pod. Please refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ for more information. We strongly advise you use the same setting for limits and requests so that your cluster pods are given a Guaranteed QoS. See: https://kubernetes.io/docs/concepts/workloads/pods/pod-qos/ |
+| cluster.resources | object | `{"limits":{"hugepages-2Mi":"256Mi"},"requests":{"cpu":"50m","memory":"512Mi"}}` | Resources requirements of every generated Pod. Please refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ for more information. We strongly advise you use the same setting for limits and requests so that your cluster pods are given a Guaranteed QoS. See: https://kubernetes.io/docs/concepts/workloads/pods/pod-qos/ |
 | cluster.roles | list | `[]` | This feature enables declarative management of existing roles, as well as the creation of new roles if they are not already present in the database. See: https://cloudnative-pg.io/documentation/current/declarative_role_management/ |
 | cluster.serviceAccountTemplate | object | `{}` | Configure the metadata of the generated service account |
 | cluster.services | object | `{}` | Customization of service definitions. Please refer to https://cloudnative-pg.io/documentation/current/service_management/ |

charts/postgres-cluster/templates/_bootstrap.tpl

@@ -1,12 +1,11 @@
 {{- define "cluster.bootstrap" -}}
-
+{{- if eq .Values.mode "standalone" -}}
-{{- if eq .Values.mode "standalone" }}
 bootstrap:
   initdb:
     {{- with .Values.cluster.initdb }}
-        {{- with (omit . "postInitApplicationSQL" "owner" "import") }}
+      {{- with (omit . "postInitApplicationSQL" "owner" "import") }}
-            {{- . | toYaml | nindent 4 }}
+      {{- . | toYaml | nindent 4 }}
-        {{- end }}
+      {{- end }}
     {{- end }}
     {{- if .Values.cluster.initdb.owner }}
     owner: {{ tpl .Values.cluster.initdb.owner . }}
@@ -14,20 +13,18 @@ bootstrap:
     {{- if (.Values.cluster.initdb.postInitApplicationSQL) }}
     postInitApplicationSQL:
       {{- with .Values.cluster.initdb }}
-        {{- range .postInitApplicationSQL }}
+      {{- range .postInitApplicationSQL }}
-          {{- printf "- %s" . | nindent 6 }}
+      {{- printf "- %s" . | nindent 6 }}
-        {{- end -}}
+      {{- end }}
       {{- end }}
     {{- end }}
-
 {{- else if eq .Values.mode "recovery" -}}
 bootstrap:
-
   {{- if eq .Values.recovery.method "import" }}
   initdb:
     {{- with .Values.cluster.initdb }}
       {{- with (omit . "owner" "import" "postInitApplicationSQL") }}
-        {{- . | toYaml | nindent 4 }}
+      {{- . | toYaml | nindent 4 }}
       {{- end }}
     {{- end }}
     {{- if .Values.cluster.initdb.owner }}
@@ -58,50 +55,45 @@ bootstrap:
         {{- end }}
       {{- end }}
       schemaOnly: {{ .Values.recovery.import.schemaOnly }}
-      {{ with .Values.recovery.import.pgDumpExtraOptions }}
+      {{- with .Values.recovery.import.pgDumpExtraOptions }}
       pgDumpExtraOptions:
         {{- . | toYaml | nindent 8 }}
       {{- end }}
-      {{ with .Values.recovery.import.pgRestoreExtraOptions }}
+      {{- with .Values.recovery.import.pgRestoreExtraOptions }}
       pgRestoreExtraOptions:
         {{- . | toYaml | nindent 8 }}
       {{- end }}
-
   {{- else if eq .Values.recovery.method "backup" }}
   recovery:
     {{- with .Values.recovery.backup.pitrTarget.time }}
     recoveryTarget:
       targetTime: {{ . }}
     {{- end }}
-    {{ with .Values.recovery.backup.database }}
+    {{- with .Values.recovery.backup.database }}
     database: {{ . }}
     {{- end }}
-    {{ with .Values.recovery.backup.owner }}
+    {{- with .Values.recovery.backup.owner }}
     owner: {{ . }}
     {{- end }}
     backup:
       name: {{ .Values.recovery.backup.backupName }}
-
   {{- else if eq .Values.recovery.method "objectStore" }}
   recovery:
     {{- with .Values.recovery.objectStore.pitrTarget.time }}
     recoveryTarget:
       targetTime: {{ . }}
     {{- end }}
-    {{ with .Values.recovery.objectStore.database }}
+    {{- with .Values.recovery.objectStore.database }}
     database: {{ . }}
     {{- end }}
-    {{ with .Values.recovery.objectStore.owner }}
+    {{- with .Values.recovery.objectStore.owner }}
     owner: {{ . }}
     {{- end }}
     source: {{ include "cluster.recoveryServerName" . }}
-
+  {{- else -}}
-  {{-  else }}
     {{ fail "Invalid recovery mode!" }}
-  {{- end }}
+  {{- end -}}
-
+{{- else -}}
-{{-  else }}
   {{ fail "Invalid cluster mode!" }}
-{{- end }}
+{{- end -}}
-
+{{- end -}}
-{{- end }}

charts/postgres-cluster/templates/_external_clusters.tpl

@@ -1,6 +1,6 @@
 {{- define "cluster.externalClusters" -}}
-{{- if eq .Values.mode "standalone" }}
+{{- if eq .Values.mode "standalone" -}}
-{{- else if eq .Values.mode "recovery" }}
+{{- else if eq .Values.mode "recovery" -}}
 externalClusters:
   {{- if eq .Values.recovery.method "import" }}
   - name: importSource
@@ -15,7 +15,7 @@ externalClusters:
         barmanObjectName: "{{ include "cluster.name" . }}-recovery"
         serverName: {{ include "cluster.recoveryServerName" . }}
   {{- end }}
-{{- else }}
+{{- else -}}
   {{ fail "Invalid cluster mode!" }}
-{{- end }}
+{{- end -}}
-{{ end }}
+{{- end -}}

charts/postgres-cluster/templates/_external_source_cluster.tpl

@@ -30,4 +30,4 @@
     name: {{ $config.sslRootCertSecret.name }}
     key: {{ $config.sslRootCertSecret.key }}
   {{- end }}
-{{- end }}
+{{- end -}}

charts/postgres-cluster/templates/cluster.yaml

@@ -35,7 +35,7 @@ spec:
   {{- with .Values.cluster.resources }}
   resources:
     {{- toYaml . | nindent 4 }}
-  {{ end }}
+  {{- end }}
   {{- with .Values.cluster.affinity }}
   affinity:
     {{- toYaml . | nindent 4 }}
@@ -43,7 +43,6 @@ spec:
   {{- if .Values.cluster.priorityClassName }}
   priorityClassName: {{ .Values.cluster.priorityClassName }}
   {{- end }}
-
   primaryUpdateMethod: {{ .Values.cluster.primaryUpdateMethod }}
   primaryUpdateStrategy: {{ .Values.cluster.primaryUpdateStrategy }}
   logLevel: {{ .Values.cluster.logLevel }}
@@ -57,7 +56,6 @@ spec:
     name: {{ . }}
   {{ end }}
   enablePDB: {{ .Values.cluster.enablePDB }}
-
   postgresql:
     {{- if .Values.cluster.postgresql.shared_preload_libraries }}
     shared_preload_libraries:
@@ -85,7 +83,6 @@ spec:
     parameters:
       {{- toYaml . | nindent 6 }}
     {{- end }}
-
   {{- if not (and (empty .Values.cluster.roles) (empty .Values.cluster.services)) }}
   managed:
     {{- with .Values.cluster.services }}
@@ -97,14 +94,12 @@ spec:
       {{- toYaml . | nindent 6 }}
     {{ end }}
   {{- end }}
-
   {{- with .Values.cluster.serviceAccountTemplate }}
   serviceAccountTemplate:
     {{- toYaml . | nindent 4 }}
   {{- end }}
-
   monitoring:
-    enablePodMonitor: {{ and .Values.cluster.monitoring.enabled .Values.cluster.monitoring.podMonitor.enabled }}
+    enablePodMonitor: false
     disableDefaultQueries: {{ .Values.cluster.monitoring.disableDefaultQueries }}
     {{- if not (empty .Values.cluster.monitoring.customQueries) }}
     customQueriesConfigMap:
@@ -127,9 +122,9 @@ spec:
     {{- with .Values.cluster.monitoring.podMonitor.metricRelabelings }}
     podMonitorMetricRelabelings:
       {{- toYaml . | nindent 6 }}
-    {{ end }}
     {{- end }}
-
+    {{- end }}
+  {{- if not (empty .Values.backup.objectStore) }}
   plugins:
   {{- range $objectStore := .Values.backup.objectStore }}
     - name: barman-cloud.cloudnative-pg.io
@@ -146,7 +141,7 @@ spec:
         {{- else }}
         serverName: "{{ include "cluster.name" $ }}-backup-{{ $objectStore.index }}"
         {{- end }}
-  {{- end }}
+  {{- end -}}
-
+  {{- end -}}
-  {{ include "cluster.bootstrap" . | nindent 2 }}
+  {{- include "cluster.bootstrap" . | nindent 2 -}}
-  {{ include "cluster.externalClusters" . | nindent 2 }}
+  {{- include "cluster.externalClusters" . | nindent 2 -}}

charts/postgres-cluster/templates/external-secret.yaml

@@ -1,6 +1,6 @@
-{{ if and (eq .Values.backup.method "objectStore") (.Values.backup.externalSecret.enabled) }}
+{{- if and (eq .Values.backup.method "objectStore") (.Values.backup.externalSecret.enabled) }}
-{{ $context := . -}}
+{{- $context := . }}
-{{ range .Values.backup.objectStore -}}
+{{- range .Values.backup.objectStore }}
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
@@ -16,31 +16,22 @@ metadata:
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: ACCESS_REGION
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .externalSecretCredentialPath | required "External Secret Credential local path is required" }}
-        metadataPolicy: None
         property: ACCESS_REGION
     - secretKey: ACCESS_KEY_ID
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .externalSecretCredentialPath | required "External Secret Credential local path is required" }}
-        metadataPolicy: None
         property: ACCESS_KEY_ID
     - secretKey: ACCESS_SECRET_KEY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .externalSecretCredentialPath| required "External Secret Credential local path is required" }}
-        metadataPolicy: None
         property: ACCESS_SECRET_KEY
-{{ end -}}
+{{- end }}
-{{ end }}
+{{- end }}
 
 {{- if and (eq .Values.recovery.method "objectStore") (.Values.recovery.objectStore.externalSecret.enabled) }}
 ---
@@ -58,27 +49,18 @@ metadata:
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   data:
     - secretKey: ACCESS_REGION
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .Values.recovery.objectStore.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
-        metadataPolicy: None
         property: ACCESS_REGION
     - secretKey: ACCESS_KEY_ID
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .Values.recovery.objectStore.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
-        metadataPolicy: None
         property: ACCESS_KEY_ID
     - secretKey: ACCESS_SECRET_KEY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .Values.recovery.objectStore.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
-        metadataPolicy: None
         property: ACCESS_SECRET_KEY
 {{- end }}

charts/postgres-cluster/templates/object-store.yaml

@@ -1,6 +1,6 @@
-{{ if (eq .Values.backup.method "objectStore") }}
+{{- if (eq .Values.backup.method "objectStore") }}
-{{ $context := . -}}
+{{- $context := . }}
-{{ range .Values.backup.objectStore -}}
+{{- range .Values.backup.objectStore }}
 ---
 apiVersion: barmancloud.cnpg.io/v1
 kind: ObjectStore
@@ -57,10 +57,9 @@ spec:
       region:
         name: {{ include "cluster.backupSecretName" (dict "instance" . "global" $context) }}
         key: ACCESS_REGION
-{{ end -}}
+{{- end }}
-{{ end }}
+{{- end }}
-
+{{- if eq .Values.recovery.method "objectStore" }}
-{{ if eq .Values.recovery.method "objectStore" }}
 ---
 apiVersion: barmancloud.cnpg.io/v1
 kind: ObjectStore
@@ -104,4 +103,4 @@ spec:
       region:
         name: {{ include "cluster.recoverySecretName" . }}
         key: ACCESS_REGION
-{{ end }}
+{{- end }}

charts/postgres-cluster/templates/pod-monitor.yaml

@@ -0,0 +1,18 @@
+{{- if and .Values.cluster.monitoring.enabled .Values.cluster.monitoring.podMonitor.enabled }}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: {{ include "cluster.name" $ }}-cluster
+  namespace: {{ include "cluster.namespace" $ }}
+  labels:
+    app.kubernetes.io/name: {{ include "cluster.name" $ }}-cluster
+    {{- include "cluster.labels" $ | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      cnpg.io/cluster: {{ include "cluster.name" $ }}-cluster
+      cnpg.io/podRole: instance
+  podMetricsEndpoints:
+    - port: metrics
+{{- end }}

charts/postgres-cluster/templates/poolers.yaml

@@ -47,6 +47,6 @@ spec:
   {{- end }}
   {{- with .template }}
   template:
-    {{- . | toYaml | nindent 4 }}
+    {{ . | toYaml | nindent 4 }}
   {{- end }}
 {{- end }}

charts/postgres-cluster/templates/prometheus-rule.yaml

@@ -1,4 +1,5 @@
-{{- if and .Values.cluster.monitoring.enabled .Values.cluster.monitoring.prometheusRule.enabled -}}
+{{- if and .Values.cluster.monitoring.enabled .Values.cluster.monitoring.prometheusRule.enabled }}
+---
 apiVersion: monitoring.coreos.com/v1
 kind: PrometheusRule
 metadata:
@@ -25,4 +26,4 @@ spec:
         - {{ $tpl }}
         {{- end -}}
         {{- end }}
-{{ end }}
+{{- end }}

charts/postgres-cluster/templates/scheduled-backup.yaml

@@ -1,5 +1,5 @@
-{{ $context := . -}}
+{{- $context := . }}
-{{ range .Values.backup.scheduledBackups -}}
+{{- range .Values.backup.scheduledBackups }}
 ---
 apiVersion: postgresql.cnpg.io/v1
 kind: ScheduledBackup
@@ -21,4 +21,4 @@ spec:
     name: {{ .plugin | default "barman-cloud.cloudnative-pg.io" }}
     parameters:
       barmanObjectName: "{{ include "cluster.name" $context }}-backup-{{ .backupName }}"
-{{ end -}}
+{{- end }}

charts/postgres-cluster/values.yaml

@@ -23,7 +23,7 @@ cluster:
   # -- Default image
   image:
     repository: ghcr.io/cloudnative-pg/postgresql
-    tag: 18.3-standard-trixie
+    tag: 18.4-standard-trixie
 
   # -- Image pull policy. One of Always, Never or IfNotPresent. If not defined, it defaults to IfNotPresent. Cannot be updated.
   # More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
@@ -56,8 +56,8 @@ cluster:
   # See: https://kubernetes.io/docs/concepts/workloads/pods/pod-qos/
   resources:
     requests:
-      memory: 256Mi
+      memory: 512Mi
-      cpu: 100m
+      cpu: 50m
     limits:
       hugepages-2Mi: 256Mi
 
@@ -127,6 +127,7 @@ cluster:
       # Applied to samples before ingestion.
       metricRelabelings: []
 
+    # -- Prometheus rule
     prometheusRule:
 
       # -- Whether to enable the PrometheusRule automated alerts
@@ -164,7 +165,7 @@ cluster:
 
     # -- PostgreSQL configuration options (postgresql.conf)
     parameters:
-      shared_buffers: 128MB
+      shared_buffers: 512MB
       max_slot_wal_keep_size: 2000MB
       hot_standby_feedback: "on"
 
@@ -393,7 +394,8 @@ backup:
     enabled: true
 
   # -- Options for object store backups
-  objectStore:
+  objectStore: []
+
     # -
     #   # -- Object store backup name
     #   name: external

charts/rclone-bucket/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: common
+  repository: https://bjw-s-labs.github.io/helm-charts/
+  version: 5.0.1
+digest: sha256:754f21ee6fca6dc4a85e91384ff0b919b715234d764ef344bd3bbe93414275d3
+generated: "2026-05-17T20:56:33.77714-05:00"

charts/rclone-bucket/Chart.yaml

@@ -0,0 +1,20 @@
+apiVersion: v2
+name: rclone-bucket
+version: 0.11.4
+description: Rclone CronJob to replicate buckets
+keywords:
+  - rclone-bucket
+  - rclone
+  - storage
+sources:
+  - https://github.com/rclone/rclone
+  - https://hub.docker.com/r/rclone/rclone
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: common
+    repository: https://bjw-s-labs.github.io/helm-charts/
+    version: 5.0.1
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/rclone.png
+# renovate: datasource=github-releases depName=rclone/rclone
+appVersion: v1.74.1

charts/rclone-bucket/README.md

@@ -0,0 +1,46 @@
+# rclone-bucket
+
+![Version: 0.11.4](https://img.shields.io/badge/Version-0.11.4-informational?style=flat-square) ![AppVersion: v1.74.1](https://img.shields.io/badge/AppVersion-v1.74.1-informational?style=flat-square)
+
+Rclone CronJob to replicate buckets
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| alexlebens |  |  |
+
+## Source Code
+
+* <https://github.com/rclone/rclone>
+* <https://hub.docker.com/r/rclone/rclone>
+
+## Requirements
+
+| Repository | Name | Version |
+|------------|------|---------|
+| https://bjw-s-labs.github.io/helm-charts/ | common | 5.0.1 |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| additionalLabels | object | `{}` | Add additional labels |
+| cronJob | object | `{"backoffLimit":3,"parallelism":1,"schedule":"0 0 * * *","suspend":false,"timeZone":"America/Chicago"}` | CronJob configuration |
+| image | object | `{"pullPolicy":"IfNotPresent","repository":"rclone/rclone","tag":"1.74.1@sha256:eb8788b795f0009324e9572b0e2acb9b56885327c2746b07d67a9d3b893a6602"}` | Default image |
+| metrics | object | `{"enabled":true}` | Metrics |
+| nameOverride | string | `""` | Default pattern follows <pvcTarget>-backup |
+| prometheusRule | object | `{"enabled":true}` | Prometheus Rule |
+| prune | object | `{"ageToPrune":"90d","enabled":false,"exclude":"","include":""}` | Enable prune job |
+| rclone | object | `{"destination":{"bucketName":"bucket","forcePathStyle":true,"providerType":"Other"},"providerType":"Other","source":{"bucketName":"bucket","forcePathStyle":true,"providerType":"Other"}}` | rclone configuration |
+| rclone.destination | object | `{"bucketName":"bucket","forcePathStyle":true,"providerType":"Other"}` | Destination configuration |
+| rclone.source | object | `{"bucketName":"bucket","forcePathStyle":true,"providerType":"Other"}` | Source configuration |
+| secret | object | `{"existingSecretDestination":{"name":"rclone-destination-secret"},"existingSecretSource":{"name":"rclone-source-secret"},"externalSecret":{"additionalLabels":{},"destination":{"config":{"endpointProperty":"ENDPOINT_REMOTE","path":"/config"},"credentials":{"keyIdProperty":"ACCESS_KEY_ID","path":"/credential","regionProperty":"ACCESS_REGION","secretKeyProperty":"ACCESS_SECRET_KEY"},"nameOverride":""},"enabled":true,"source":{"config":{"endpointProperty":"ENDPOINT_LOCAL","path":"/config"},"credentials":{"keyIdProperty":"ACCESS_KEY_ID","path":"/credential","regionProperty":"ACCESS_REGION","secretKeyProperty":"ACCESS_SECRET_KEY"},"nameOverride":""},"storeName":"openbao"}}` | Secret configuration |
+| secret.existingSecretSource | object | `{"name":"rclone-source-secret"}` | Name of existing secret that contains the configuration |
+| secret.externalSecret | object | `{"additionalLabels":{},"destination":{"config":{"endpointProperty":"ENDPOINT_REMOTE","path":"/config"},"credentials":{"keyIdProperty":"ACCESS_KEY_ID","path":"/credential","regionProperty":"ACCESS_REGION","secretKeyProperty":"ACCESS_SECRET_KEY"},"nameOverride":""},"enabled":true,"source":{"config":{"endpointProperty":"ENDPOINT_LOCAL","path":"/config"},"credentials":{"keyIdProperty":"ACCESS_KEY_ID","path":"/credential","regionProperty":"ACCESS_REGION","secretKeyProperty":"ACCESS_SECRET_KEY"},"nameOverride":""},"storeName":"openbao"}` | External Secret configuration |
+| secret.externalSecret.additionalLabels | object | `{}` | Add additional labels |
+| secret.externalSecret.destination | object | `{"config":{"endpointProperty":"ENDPOINT_REMOTE","path":"/config"},"credentials":{"keyIdProperty":"ACCESS_KEY_ID","path":"/credential","regionProperty":"ACCESS_REGION","secretKeyProperty":"ACCESS_SECRET_KEY"},"nameOverride":""}` | Destination configuration |
+| secret.externalSecret.source | object | `{"config":{"endpointProperty":"ENDPOINT_LOCAL","path":"/config"},"credentials":{"keyIdProperty":"ACCESS_KEY_ID","path":"/credential","regionProperty":"ACCESS_REGION","secretKeyProperty":"ACCESS_SECRET_KEY"},"nameOverride":""}` | Source configuration |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

charts/rclone-bucket/templates/_helpers.tpl

@@ -0,0 +1,90 @@
+{{/*
+Generate the root name
+*/}}
+{{- define "rclone.name" -}}
+  {{- if .Values.nameOverride }}
+    {{- .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+  {{- else }}
+    {{- printf "%s-rclone" .Values.rclone.source.bucketName | trunc 63 | trimSuffix "-" -}}
+  {{- end }}
+{{- end }}
+
+{{/*
+Generate the secret name
+*/}}
+{{- define "rclone.sourceSecretName" -}}
+  {{- if .Values.secret.externalSecret.enabled }}
+    {{- if .Values.secret.externalSecret.source.nameOverride }}
+      {{- .Values.secret.externalSecret.source.nameOverride | trunc 63 | trimSuffix "-" }}
+    {{- else }}
+      {{- printf "%s-rclone-source-config" .Values.rclone.source.bucketName -}}
+    {{- end }}
+  {{- else if .Values.secret.existingSecretSource.name }}
+    {{- printf "%s" .Values.secret.existingSecretSource.name -}}
+  {{- else }}
+    {{ fail "No Secret Name Found!" }}
+  {{- end }}
+{{- end }}
+
+{{- define "rclone.destinationSecretName" -}}
+  {{- if .Values.secret.externalSecret.enabled }}
+    {{- if .Values.secret.externalSecret.destination.nameOverride }}
+      {{- .Values.secret.externalSecret.destination.nameOverride | trunc 63 | trimSuffix "-" }}
+    {{- else }}
+      {{- printf "%s-rclone-destination-config" .Values.rclone.destination.bucketName -}}
+    {{- end }}
+  {{- else if .Values.secret.existingSecretDestination.name }}
+    {{- printf "%s" .Values.secret.existingSecretDestination.name -}}
+  {{- else }}
+    {{ fail "No Secret Name Found!" }}
+  {{- end }}
+{{- end }}
+
+{{/*
+Common env names
+*/}}
+{{- define "secretRclone.envAccessKey" -}}
+ACCESS_KEY_ID
+{{- end }}
+{{- define "secretRclone.envSecretKey" -}}
+ACCESS_SECRET_KEY
+{{- end }}
+{{- define "secretRclone.envRegion" -}}
+ACCESS_REGION
+{{- end }}
+{{- define "secretRclone.envSrcEndpoint" -}}
+SRC_ENDPOINT
+{{- end }}
+{{- define "secretRclone.envDestEndpoint" -}}
+DEST_ENDPOINT
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "rclone.chart" -}}
+  {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "rclone.labels" -}}
+helm.sh/chart: {{ include "rclone.chart" $ }}
+{{ include "rclone.selectorLabels" $ }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.Version | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- with .Values.secret.externalSecret.additionalLabels }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "rclone.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

charts/rclone-bucket/templates/common.yaml

@@ -0,0 +1,186 @@
+{{- include "bjw-s.common.loader.init" . }}
+
+{{- define "rclone.hardcodedValues" -}}
+global:
+  nameOverride: {{ include "rclone.name" . }}
+  fullNameOverride: {{ include "rclone.name" . }}
+  createDefaultServiceAccount: true
+controllers:
+  main:
+    type: cronjob
+    {{- with .Values.cronJob }}
+    cronjob:
+      {{- toYaml . | nindent 6 }}
+    {{ end }}
+    serviceAccount:
+      identifier: {{ .Release.Name }}
+    containers:
+      sync:
+        image:
+          repository: {{ .Values.image.repository }}
+          tag: {{ .Values.image.tag }}
+          pullPolicy: {{ .Values.image.pullPolicy }}
+        args:
+          - sync
+          - src:{{ .Values.rclone.source.bucketName }}
+          - dest:{{ .Values.rclone.destination.bucketName }}
+          - --s3-no-check-bucket
+          {{- if .Values.prune.enabled }}
+          - --max-age
+          - {{ .Values.prune.ageToPrune | quote }}
+          {{- end }}
+          {{- if .Values.prune.include }}
+          - --include
+          - {{ .Values.prune.include | quote }}
+          {{- end }}
+          {{- if .Values.prune.exclude }}
+          - --exclude
+          - {{ .Values.prune.exclude | quote }}
+          {{- end }}
+          {{- if .Values.metrics.enabled }}
+          - --rc
+          - --rc-addr=0.0.0.0:5572
+          - --rc-enable-metrics
+          - --rc-no-auth
+          {{- end }}
+          - --verbose
+        env:
+          - name: RCLONE_S3_PROVIDER
+            value: {{ .Values.rclone.providerType }}
+          - name: RCLONE_CONFIG_SRC_TYPE
+            value: s3
+          - name: RCLONE_CONFIG_SRC_PROVIDER
+            value: {{ .Values.rclone.source.providerType }}
+          - name: RCLONE_CONFIG_SRC_ENV_AUTH
+            value: "false"
+          - name: RCLONE_CONFIG_SRC_ACCESS_KEY_ID
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "rclone.sourceSecretName" . }}
+                key: {{ include "secretRclone.envAccessKey" . }}
+          - name: RCLONE_CONFIG_SRC_SECRET_ACCESS_KEY
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "rclone.sourceSecretName" . }}
+                key: {{ include "secretRclone.envSecretKey" . }}
+          - name: RCLONE_CONFIG_SRC_REGION
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "rclone.sourceSecretName" . }}
+                key: {{ include "secretRclone.envRegion" . }}
+          - name: RCLONE_CONFIG_SRC_ENDPOINT
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "rclone.sourceSecretName" . }}
+                key: {{ include "secretRclone.envSrcEndpoint" . }}
+          - name: RCLONE_CONFIG_SRC_FORCE_PATH_STYLE
+            value: {{ .Values.rclone.source.forcePathStyle | quote }}
+          - name: RCLONE_CONFIG_DEST_TYPE
+            value: s3
+          - name: RCLONE_CONFIG_DEST_PROVIDER
+            value: {{ .Values.rclone.destination.providerType }}
+          - name: RCLONE_CONFIG_DEST_ENV_AUTH
+            value: "false"
+          - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "rclone.destinationSecretName" . }}
+                key: {{ include "secretRclone.envAccessKey" . }}
+          - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "rclone.destinationSecretName" . }}
+                key: {{ include "secretRclone.envSecretKey" . }}
+          - name: RCLONE_CONFIG_DEST_REGION
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "rclone.destinationSecretName" . }}
+                key: {{ include "secretRclone.envRegion" . }}
+          - name: RCLONE_CONFIG_DEST_ENDPOINT
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "rclone.destinationSecretName" . }}
+                key: {{ include "secretRclone.envDestEndpoint" . }}
+          - name: RCLONE_CONFIG_DEST_FORCE_PATH_STYLE
+            value: {{ .Values.rclone.destination.forcePathStyle | quote }}
+      {{- if .Values.prune.enabled }}
+      prune:
+        image:
+          repository: {{ .Values.image.repository }}
+          tag: {{ .Values.image.tag }}
+          pullPolicy: {{ .Values.image.pullPolicy }}
+        args:
+          - delete
+          - dest:{{ .Values.rclone.destination.bucketName }}
+          - --min-age
+          - {{ .Values.prune.ageToPrune | quote }}
+          - --verbose
+          {{- if .Values.metrics.enabled }}
+          - --rc
+          - --rc-addr=0.0.0.0:5573
+          - --rc-enable-metrics
+          - --rc-no-auth
+          {{- end }}
+        env:
+          - name: RCLONE_CONFIG_DEST_TYPE
+            value: s3
+          - name: RCLONE_CONFIG_DEST_PROVIDER
+            value: {{ .Values.rclone.destination.providerType }}
+          - name: RCLONE_CONFIG_DEST_ENV_AUTH
+            value: "false"
+          - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "rclone.destinationSecretName" . }}
+                key: {{ include "secretRclone.envAccessKey" . }}
+          - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "rclone.destinationSecretName" . }}
+                key: {{ include "secretRclone.envSecretKey" . }}
+          - name: RCLONE_CONFIG_DEST_REGION
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "rclone.destinationSecretName" . }}
+                key: {{ include "secretRclone.envRegion" . }}
+          - name: RCLONE_CONFIG_DEST_ENDPOINT
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "rclone.destinationSecretName" . }}
+                key: {{ include "secretRclone.envDestEndpoint" . }}
+          - name: RCLONE_CONFIG_DEST_FORCE_PATH_STYLE
+            value: {{ .Values.rclone.destination.forcePathStyle | quote }}
+      {{- end }}
+{{- if .Values.metrics.enabled }}
+service:
+  main:
+    controller: main
+    ports:
+      rc-sync:
+        port: 5572
+        targetPort: 5572
+      rc-prune:
+        port: 5573
+        targetPort: 5573
+serviceMonitor:
+  main:
+    selector:
+      matchLabels:
+        app.kubernetes.io/name: {{ include "rclone.name" . }}
+        app.kubernetes.io/instance: {{ .Release.Namespace }}
+    serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
+    endpoints:
+      - port: rc-sync
+        interval: 10s
+        scrapeTimeout: 5s
+        path: /metrics
+      - port: rc-prune
+        interval: 10s
+        scrapeTimeout: 5s
+        path: /metrics
+{{- end }}
+{{- end -}}
+{{- $_ := mergeOverwrite .Values (include "rclone.hardcodedValues" . | fromYaml) -}}
+
+{{/* Render the templates */}}
+{{ include "bjw-s.common.loader.generate" . }}

charts/rclone-bucket/templates/external-secret.yaml

@@ -0,0 +1,69 @@
+{{- if .Values.secret.externalSecret.enabled }}
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: {{ include "rclone.sourceSecretName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "rclone.labels" . | nindent 4 }}
+    app.kubernetes.io/name: {{ include "rclone.sourceSecretName" . }}
+    {{- with .Values.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: {{ .Values.secret.externalSecret.storeName | required "External Secret store name is required" }}
+  data:
+    - secretKey: {{ include "secretRclone.envAccessKey" . }}
+      remoteRef:
+        key: {{ .Values.secret.externalSecret.source.credentials.path }}
+        property: {{ .Values.secret.externalSecret.source.credentials.keyIdProperty }}
+    - secretKey: {{ include "secretRclone.envSecretKey" . }}
+      remoteRef:
+        key: {{ .Values.secret.externalSecret.source.credentials.path }}
+        property: {{ .Values.secret.externalSecret.source.credentials.secretKeyProperty }}
+    - secretKey: {{ include "secretRclone.envRegion" . }}
+      remoteRef:
+        key: {{ .Values.secret.externalSecret.source.credentials.path }}
+        property: {{ .Values.secret.externalSecret.source.credentials.regionProperty }}
+    - secretKey: {{ include "secretRclone.envSrcEndpoint" . }}
+      remoteRef:
+        key: {{ .Values.secret.externalSecret.source.config.path }}
+        property: {{ .Values.secret.externalSecret.source.config.endpointProperty }}
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: {{ include "rclone.destinationSecretName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "rclone.labels" . | nindent 4 }}
+    app.kubernetes.io/name: {{ include "rclone.destinationSecretName" . }}
+    {{- with .Values.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: {{ .Values.secret.externalSecret.storeName | required "External Secret store name is required" }}
+  data:
+    - secretKey: {{ include "secretRclone.envAccessKey" . }}
+      remoteRef:
+        key: {{ .Values.secret.externalSecret.destination.credentials.path }}
+        property: {{ .Values.secret.externalSecret.destination.credentials.keyIdProperty }}
+    - secretKey: {{ include "secretRclone.envSecretKey" . }}
+      remoteRef:
+        key: {{ .Values.secret.externalSecret.destination.credentials.path }}
+        property: {{ .Values.secret.externalSecret.destination.credentials.secretKeyProperty }}
+    - secretKey: {{ include "secretRclone.envRegion" . }}
+      remoteRef:
+        key: {{ .Values.secret.externalSecret.destination.credentials.path }}
+        property: {{ .Values.secret.externalSecret.destination.credentials.regionProperty }}
+    - secretKey: {{ include "secretRclone.envDestEndpoint" . }}
+      remoteRef:
+        key: {{ .Values.secret.externalSecret.destination.config.path }}
+        property: {{ .Values.secret.externalSecret.destination.config.endpointProperty }}
+{{- end }}

charts/rclone-bucket/templates/prometheus-rule.yaml

@@ -0,0 +1,32 @@
+{{- if .Values.prometheusRule.enabled }}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: {{ include "rclone.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "rclone.labels" . | nindent 4 }}
+    app.kubernetes.io/name: {{ include "rclone.name" . }}
+    {{- with .Values.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  groups:
+    - name: rclone.alerts
+      rules:
+        - alert: RclonePodFailed
+          expr: |
+            (kube_pod_container_status_last_terminated_exitcode > 0)
+            * on(pod, namespace) group_left(owner_name)
+            kube_pod_owner{owner_kind="Job", owner_name=~"rclone-.*"}
+          for: 1m
+          labels:
+            severity: critical
+          annotations:
+            summary: "Rclone Pod failed in {{ `{{ $labels.namespace }}` }}"
+            description: |
+              A pod for the Rclone sync of s3 bucket '{{ .Values.rclone.source.bucketName }}' failed with exit code {{ `{{ $value }}` }}.
+              Job: {{ `{{ $labels.owner_name }}` }}
+              Namespace: {{ `{{ $labels.namespace }}` }}
+{{- end }}

charts/rclone-bucket/values.yaml

@@ -0,0 +1,92 @@
+# -- Default pattern follows <pvcTarget>-backup
+nameOverride: ""
+
+# -- Add additional labels
+additionalLabels: {}
+
+# -- Default image
+image:
+  repository: rclone/rclone
+  tag: 1.74.1@sha256:eb8788b795f0009324e9572b0e2acb9b56885327c2746b07d67a9d3b893a6602
+  pullPolicy: IfNotPresent
+
+# -- CronJob configuration
+cronJob:
+  suspend: false
+  timeZone: America/Chicago
+  schedule: 0 0 * * *
+  backoffLimit: 3
+  parallelism: 1
+
+# -- rclone configuration
+rclone:
+  providerType: Other
+
+  # -- Source configuration
+  source:
+    providerType: Other
+    bucketName: bucket
+    forcePathStyle: true
+
+  # -- Destination configuration
+  destination:
+    providerType: Other
+    bucketName: bucket
+    forcePathStyle: true
+
+# -- Enable prune job
+prune:
+  enabled: false
+  ageToPrune: 90d
+  include: ""
+  exclude: ""
+
+# -- Secret configuration
+secret:
+
+  # -- External Secret configuration
+  externalSecret:
+    enabled: true
+    storeName: openbao
+
+    # -- Source configuration
+    source:
+      nameOverride: ""
+      credentials:
+        path: /credential
+        keyIdProperty: ACCESS_KEY_ID
+        secretKeyProperty: ACCESS_SECRET_KEY
+        regionProperty: ACCESS_REGION
+      config:
+        path: /config
+        endpointProperty: ENDPOINT_LOCAL
+
+    # -- Destination configuration
+    destination:
+      nameOverride: ""
+      credentials:
+        path: /credential
+        keyIdProperty: ACCESS_KEY_ID
+        secretKeyProperty: ACCESS_SECRET_KEY
+        regionProperty: ACCESS_REGION
+      config:
+        path: /config
+        endpointProperty: ENDPOINT_REMOTE
+
+    # -- Add additional labels
+    additionalLabels: {}
+
+  # -- Name of existing secret that contains the configuration
+  existingSecretSource:
+    name: rclone-source-secret
+
+  existingSecretDestination:
+    name: rclone-destination-secret
+
+# -- Metrics
+metrics:
+  enabled: true
+
+# -- Prometheus Rule
+prometheusRule:
+  enabled: true

charts/valkey/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: valkey
   repository: https://valkey.io/valkey-helm/
-  version: 0.9.3
+  version: 0.9.4
-digest: sha256:705fdaa1d456e55dd1a8aba698e17b2309a336f614cba8fd3cdb7e072b323b36
+digest: sha256:84e2e4a944be7f69b6819215a53c068a126fc9d62383a90e22b33751ec5d2810
-generated: "2026-03-03T16:02:43.407652-06:00"
+generated: "2026-04-13T00:01:51.952023667Z"

charts/valkey/Chart.yaml

@@ -1,21 +1,22 @@
 apiVersion: v2
 name: valkey
-version: 0.4.0
+version: 0.9.0
 description: Valkey chart with preconfigured settings
 keywords:
   - valkey
-  - redis
+  - redis-compatible
-  - storage
-  - kubernetes
 sources:
   - https://github.com/valkey-io/valkey
+  - https://github.com/oliver006/redis_exporter
+  - https://hub.docker.com/r/valkey/valkey
+  - https://github.com/oliver006/redis_exporter/pkgs/container/redis_exporter
   - https://github.com/valkey-io/valkey-helm
 maintainers:
   - name: alexlebens
 dependencies:
   - name: valkey
     repository: https://valkey.io/valkey-helm/
-    version: 0.9.3
+    version: 0.9.4
-icon: https://dyltqmyl993wv.cloudfront.net/assets/stacks/valkey/img/valkey-stack-220x234.png
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/valkey.png
 # renovate: datasource=github-releases depName=valkey-io/valkey
-appVersion: 9.0.3
+appVersion: 9.1.0

charts/valkey/README.md

@@ -1,6 +1,6 @@
 # valkey
 
-![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![AppVersion: 9.0.3](https://img.shields.io/badge/AppVersion-9.0.3-informational?style=flat-square)
+![Version: 0.9.0](https://img.shields.io/badge/Version-0.9.0-informational?style=flat-square) ![AppVersion: 9.1.0](https://img.shields.io/badge/AppVersion-9.1.0-informational?style=flat-square)
 
 Valkey chart with preconfigured settings
 
@@ -13,13 +13,16 @@ Valkey chart with preconfigured settings
 ## Source Code
 
 * <https://github.com/valkey-io/valkey>
+* <https://github.com/oliver006/redis_exporter>
+* <https://hub.docker.com/r/valkey/valkey>
+* <https://github.com/oliver006/redis_exporter/pkgs/container/redis_exporter>
 * <https://github.com/valkey-io/valkey-helm>
 
 ## Requirements
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://valkey.io/valkey-helm/ | valkey | 0.9.3 |
+| https://valkey.io/valkey-helm/ | valkey | 0.9.4 |
 
 ## Values
 
@@ -32,13 +35,13 @@ Valkey chart with preconfigured settings
 | valkey.dataStorage.requestedSize | string | `"1Gi"` |  |
 | valkey.image.registry | string | `"docker.io"` |  |
 | valkey.image.repository | string | `"valkey/valkey"` |  |
-| valkey.image.tag | string | `"9.0.3"` |  |
+| valkey.image.tag | string | `"9.1.0@sha256:4963247afc4cd33c7d3b2d2816b9f7f8eeebab148d29056c2ca4d7cbc966f2d9"` |  |
 | valkey.metrics.enabled | bool | `true` |  |
 | valkey.metrics.exporter.image.registry | string | `"ghcr.io"` |  |
 | valkey.metrics.exporter.image.repository | string | `"oliver006/redis_exporter"` |  |
-| valkey.metrics.exporter.image.tag | string | `"v1.82.0"` |  |
+| valkey.metrics.exporter.image.tag | string | `"v1.84.0@sha256:7ef8e9c26638158fa4e7ad60df8c7e53d1919986753d6c1d2d1876b6ec38d87b"` |  |
-| valkey.metrics.exporter.resources.requests.cpu | string | `"10m"` |  |
+| valkey.metrics.exporter.resources.requests.cpu | string | `"1m"` |  |
-| valkey.metrics.exporter.resources.requests.memory | string | `"64M"` |  |
+| valkey.metrics.exporter.resources.requests.memory | string | `"10M"` |  |
 | valkey.metrics.podMonitor.enabled | bool | `true` |  |
 | valkey.metrics.prometheusRule.enabled | bool | `true` |  |
 | valkey.metrics.prometheusRule.rules[0].alert | string | `"ValkeyDown"` |  |
@@ -67,7 +70,7 @@ Valkey chart with preconfigured settings
 | valkey.replica.persistence.storageClass | string | `"ceph-block"` |  |
 | valkey.replica.replicas | int | `2` |  |
 | valkey.resources.requests.cpu | string | `"10m"` |  |
-| valkey.resources.requests.memory | string | `"128Mi"` |  |
+| valkey.resources.requests.memory | string | `"20Mi"` |  |
 | valkey.serviceAccount.create | bool | `true` |  |
 
 ----------------------------------------------

charts/valkey/values.yaml

@@ -3,13 +3,13 @@ valkey:
   image:
     registry: docker.io
     repository: valkey/valkey
-    tag: 9.0.3
+    tag: 9.1.0@sha256:4963247afc4cd33c7d3b2d2816b9f7f8eeebab148d29056c2ca4d7cbc966f2d9
   serviceAccount:
     create: true
   resources:
     requests:
       cpu: 10m
-      memory: 128Mi
+      memory: 20Mi
   dataStorage:
     enabled: true
     requestedSize: 1Gi
@@ -31,11 +31,11 @@ valkey:
       image:
         registry: ghcr.io
         repository: oliver006/redis_exporter
-        tag: v1.82.0
+        tag: v1.84.0@sha256:7ef8e9c26638158fa4e7ad60df8c7e53d1919986753d6c1d2d1876b6ec38d87b
       resources:
         requests:
-          cpu: 10m
+          cpu: 1m
-          memory: 64M
+          memory: 10M
     serviceMonitor:
       enabled: true
     podMonitor:

charts/volsync-target/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: volsync-target
-version: 0.8.0
+version: 2.0.0
 description: Volsync Replication set to target specific PVC with preconfigured settings
 keywords:
   - volsync-target

charts/volsync-target/README.md

@@ -1,6 +1,6 @@
 # volsync-target
 
-![Version: 0.8.0](https://img.shields.io/badge/Version-0.8.0-informational?style=flat-square) ![AppVersion: 0.15.0](https://img.shields.io/badge/AppVersion-0.15.0-informational?style=flat-square)
+![Version: 2.0.0](https://img.shields.io/badge/Version-2.0.0-informational?style=flat-square) ![AppVersion: 0.15.0](https://img.shields.io/badge/AppVersion-0.15.0-informational?style=flat-square)
 
 Volsync Replication set to target specific PVC with preconfigured settings
 
@@ -20,23 +20,25 @@ Volsync Replication set to target specific PVC with preconfigured settings
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | additionalLabels | object | `{}` | Add additional labels |
-| external | object | `{"enabled":true,"externalSecret":{"credentialPath":"/digital-ocean/home-infra/volsync-backups","volsyncPath":"/volsync/restic/digital-ocean"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 9 * * *"}` | External backup configuration |
+| external | object | `{"enabled":true,"externalSecret":{"bucketPath":"/backblaze/config","credentialPath":"/backblaze/home-infra/volsync-backups"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":35,"repository":"","retain":{"daily":0,"hourly":0,"monthly":0,"weekly":12,"yearly":0},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 9 * * 0"}` | External backup configuration |
-| external.externalSecret | object | `{"credentialPath":"/digital-ocean/home-infra/volsync-backups","volsyncPath":"/volsync/restic/digital-ocean"}` | External Secret configuration |
+| external.externalSecret | object | `{"bucketPath":"/backblaze/config","credentialPath":"/backblaze/home-infra/volsync-backups"}` | External Secret configuration |
-| external.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
+| external.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":35,"repository":"","retain":{"daily":0,"hourly":0,"monthly":0,"weekly":12,"yearly":0},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
-| external.schedule | string | `"0 9 * * *"` | 5 character cron schedule |
+| external.schedule | string | `"0 9 * * 0"` | 5 character cron schedule |
 | externalSecrets | object | `{"enabled":true}` | Use external secrets |
-| local | object | `{"enabled":false,"externalSecret":{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-local"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 8 * * *"}` | Local backup configuration |
+| kubernetesClusterName | string | `"cl01tl"` | Kubernetes cluster name |
-| local.externalSecret | object | `{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-local"}` | External Secret configuration |
+| local | object | `{"enabled":false,"externalSecret":{"bucketPath":"/garage/config","credentialPath":"/garage/home-infra/volsync-backups"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":0,"weekly":4,"yearly":0},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 8 * * *"}` | Local backup configuration |
-| local.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
+| local.externalSecret | object | `{"bucketPath":"/garage/config","credentialPath":"/garage/home-infra/volsync-backups"}` | External Secret configuration |
+| local.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":0,"weekly":4,"yearly":0},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
 | local.schedule | string | `"0 8 * * *"` | 5 character cron schedule |
 | moverSecurityContext | object | `{}` | Glocal security context for restic mover |
 | nameOverride | string | `""` | Default pattern follows <pvcTarget>-backup |
 | namespaceOverride | string | `""` | Override the namespace of the chart |
+| prometheusRule | object | `{"enabled":true}` | Prometheus Rule |
 | pvcTarget | string | `"data"` | Name of the PVC target |
-| remote | object | `{"enabled":false,"externalSecret":{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-remote"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 10 * * *"}` | Remote backup configuration |
+| remote | object | `{"enabled":false,"externalSecret":{"bucketPath":"/garage/config","credentialPath":"/garage/home-infra/volsync-backups"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":0,"hourly":0,"monthly":0,"weekly":12,"yearly":0},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 10 * * 0"}` | Remote backup configuration |
-| remote.externalSecret | object | `{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-remote"}` | External Secret configuration |
+| remote.externalSecret | object | `{"bucketPath":"/garage/config","credentialPath":"/garage/home-infra/volsync-backups"}` | External Secret configuration |
-| remote.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
+| remote.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":0,"hourly":0,"monthly":0,"weekly":12,"yearly":0},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
-| remote.schedule | string | `"0 10 * * *"` | 5 character cron schedule |
+| remote.schedule | string | `"0 10 * * 0"` | 5 character cron schedule |
 
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

charts/volsync-target/templates/external-secret.yaml

@@ -14,48 +14,37 @@ metadata:
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   target:
     template:
       mergePolicy: Merge
       engineVersion: v2
       data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
+        RESTIC_REPOSITORY: "s3:{{ `{{ .ENDPOINT }}` }}/{{ `{{ .BUCKET }}` }}/{{ .Values.kubernetesClusterName }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
   data:
-    - secretKey: BUCKET_ENDPOINT
+    - secretKey: ENDPOINT
       remoteRef:
-        conversionStrategy: Default
+        key: {{ .Values.local.externalSecret.bucketPath | required "External Secret Volsync local path is required" }}
-        decodingStrategy: None
+        property: ENDPOINT_LOCAL
-        key: {{ .Values.local.externalSecret.volsyncPath | required "External Secret Volsync local path is required" }}
+    - secretKey: BUCKET
-        metadataPolicy: None
+      remoteRef:
-        property: BUCKET_ENDPOINT
+        key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Volsync local path is required" }}
+        property: BUCKET
     - secretKey: RESTIC_PASSWORD
       remoteRef:
-        conversionStrategy: Default
+        key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Volsync local path is required" }}
-        decodingStrategy: None
+        property: RESTIC_PASSWORD_LOCAL
-        key: {{ .Values.local.externalSecret.volsyncPath | required "External Secret Volsync local path is required" }}
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
     - secretKey: AWS_DEFAULT_REGION
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
-        metadataPolicy: None
         property: ACCESS_REGION
     - secretKey: AWS_ACCESS_KEY_ID
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
-        metadataPolicy: None
         property: ACCESS_KEY_ID
     - secretKey: AWS_SECRET_ACCESS_KEY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
-        metadataPolicy: None
         property: ACCESS_SECRET_KEY
 {{- end }}
 
@@ -75,48 +64,37 @@ metadata:
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   target:
     template:
       mergePolicy: Merge
       engineVersion: v2
       data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
+        RESTIC_REPOSITORY: "s3:{{ `{{ .ENDPOINT }}` }}/{{ `{{ .BUCKET }}` }}/{{ .Values.kubernetesClusterName }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
   data:
-    - secretKey: BUCKET_ENDPOINT
+    - secretKey: ENDPOINT
       remoteRef:
-        conversionStrategy: Default
+        key: {{ .Values.remote.externalSecret.bucketPath | required "External Secret Volsync local path is required" }}
-        decodingStrategy: None
+        property: ENDPOINT_REMOTE
-        key: {{ .Values.remote.externalSecret.volsyncPath | required "External Secret Volsync remote path is required" }}
+    - secretKey: BUCKET
-        metadataPolicy: None
+      remoteRef:
-        property: BUCKET_ENDPOINT
+        key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Volsync local path is required" }}
+        property: BUCKET
     - secretKey: RESTIC_PASSWORD
       remoteRef:
-        conversionStrategy: Default
+        key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Volsync local path is required" }}
-        decodingStrategy: None
+        property: RESTIC_PASSWORD_REMOTE
-        key: {{ .Values.remote.externalSecret.volsyncPath | required "External Secret Volsync remote path is required" }}
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
     - secretKey: AWS_DEFAULT_REGION
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Credential remote path is required" }}
-        metadataPolicy: None
         property: ACCESS_REGION
     - secretKey: AWS_ACCESS_KEY_ID
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Credential remote path is required" }}
-        metadataPolicy: None
         property: ACCESS_KEY_ID
     - secretKey: AWS_SECRET_ACCESS_KEY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Credential remote path is required" }}
-        metadataPolicy: None
         property: ACCESS_SECRET_KEY
 {{- end }}
 
@@ -136,47 +114,36 @@ metadata:
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   target:
     template:
       mergePolicy: Merge
       engineVersion: v2
       data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
+        RESTIC_REPOSITORY: "s3:{{ `{{ .ENDPOINT }}` }}/{{ `{{ .BUCKET }}` }}/{{ .Values.kubernetesClusterName }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
   data:
-    - secretKey: BUCKET_ENDPOINT
+    - secretKey: ENDPOINT
       remoteRef:
-        conversionStrategy: Default
+        key: {{ .Values.external.externalSecret.bucketPath | required "External Secret Volsync external path is required" }}
-        decodingStrategy: None
+        property: ENDPOINT
-        key: {{ .Values.external.externalSecret.volsyncPath | required "External Secret Volsync external path is required" }}
+    - secretKey: BUCKET
-        metadataPolicy: None
+      remoteRef:
-        property: BUCKET_ENDPOINT
+        key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Volsync local path is required" }}
+        property: BUCKET
     - secretKey: RESTIC_PASSWORD
       remoteRef:
-        conversionStrategy: Default
+        key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Volsync external path is required" }}
-        decodingStrategy: None
-        key: {{ .Values.external.externalSecret.volsyncPath | required "External Secret Volsync external path is required" }}
-        metadataPolicy: None
         property: RESTIC_PASSWORD
     - secretKey: AWS_DEFAULT_REGION
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Credential external path is required" }}
-        metadataPolicy: None
+        property: AWS_REGION
-        property: AWS_DEFAULT_REGION
     - secretKey: AWS_ACCESS_KEY_ID
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Credential external path is required" }}
-        metadataPolicy: None
         property: AWS_ACCESS_KEY_ID
     - secretKey: AWS_SECRET_ACCESS_KEY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Credential external path is required" }}
-        metadataPolicy: None
         property: AWS_SECRET_ACCESS_KEY
 {{- end }}

charts/volsync-target/templates/prometheus-rule.yaml

@@ -0,0 +1,32 @@
+{{- if .Values.prometheusRule.enabled }}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: {{ include "volsync.name" . }}-source-local
+  namespace: {{ include "volsync.namespace" . }}
+  labels:
+    {{- include "volsync.labels" . | nindent 4 }}
+    app.kubernetes.io/name: {{ include "volsync.name" . }}-source-local
+    {{- with .Values.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  groups:
+    - name: volsync.alerts
+      rules:
+        - alert: VolSyncBackupPodFailed
+          expr: |
+            (kube_pod_container_status_last_terminated_exitcode > 0)
+            * on(pod, namespace) group_left(owner_name)
+            kube_pod_owner{owner_kind="Job", owner_name=~"volsync-.*"}
+          for: 1m
+          labels:
+            severity: critical
+          annotations:
+            summary: "VolSync Backup Pod failed in {{ `{{ $labels.namespace }}` }}"
+            description: |
+              A pod for the VolSync backup of PVC '{{ .Values.pvcTarget }}' failed with exit code {{ `{{ $value }}` }}.
+              Job: {{ `{{ $labels.owner_name }}` }}
+              Namespace: {{ `{{ $labels.namespace }}` }}
+{{- end }}

charts/volsync-target/templates/replication-source.yaml

@@ -7,7 +7,7 @@ metadata:
   namespace: {{ include "volsync.namespace" . }}
   labels:
     {{- include "volsync.labels" . | nindent 4 }}
-    app.kubernetes.io/name: {{ include "volsync.name" . }}
+    app.kubernetes.io/name: {{ include "volsync.name" . }}-source-local
     {{- with .Values.additionalLabels }}
     {{- toYaml . | nindent 4 }}
     {{- end }}

charts/volsync-target/values.yaml

@@ -4,6 +4,9 @@ nameOverride: ""
 # -- Override the namespace of the chart
 namespaceOverride: ""
 
+# -- Kubernetes cluster name
+kubernetesClusterName: cl01tl
+
 # -- Add additional labels
 additionalLabels: {}
 
@@ -13,6 +16,10 @@ pvcTarget: "data"
 # -- Glocal security context for restic mover
 moverSecurityContext: {}
 
+# -- Prometheus Rule
+prometheusRule:
+  enabled: true
+
 # -- Use external secrets
 externalSecrets:
   enabled: true
@@ -32,8 +39,8 @@ local:
       hourly: 0
       daily: 7
       weekly: 4
-      monthly: 3
+      monthly: 0
-      yearly: 1
+      yearly: 0
     copyMethod: Snapshot
     storageClassName: ceph-block
     volumeSnapshotClassName: ceph-blockpool-snapshot
@@ -41,9 +48,9 @@ local:
 
   # -- External Secret configuration
   externalSecret:
-    # This path must contain the BUCKET_ENDPOINT and RESTIC_PASSWORD
+    # This path must contain the BUCKET_ENDPOINT
-    volsyncPath: /volsync/restic/garage-local
+    bucketPath: /garage/config
-    # This path must contain the AWS/S3 credentials
+    # This path must contain the AWS/S3 credentials and RESTIC_PASSWORD
     credentialPath: /garage/home-infra/volsync-backups
 
 # -- Remote backup configuration
@@ -51,7 +58,7 @@ remote:
   enabled: false
 
   # -- 5 character cron schedule
-  schedule: 0 10 * * *
+  schedule: 0 10 * * 0
 
   # -- Backup configuration, inserted directly into the yaml
   restic:
@@ -59,10 +66,10 @@ remote:
     repository: ""
     retain:
       hourly: 0
-      daily: 7
+      daily: 0
-      weekly: 4
+      weekly: 12
-      monthly: 3
+      monthly: 0
-      yearly: 1
+      yearly: 0
     copyMethod: Snapshot
     storageClassName: ceph-block
     volumeSnapshotClassName: ceph-blockpool-snapshot
@@ -70,9 +77,9 @@ remote:
 
   # -- External Secret configuration
   externalSecret:
-    # This path must contain the BUCKET_ENDPOINT and RESTIC_PASSWORD
+    # This path must contain the BUCKET_ENDPOINT
-    volsyncPath: /volsync/restic/garage-remote
+    bucketPath: /garage/config
-    # This path must contain the AWS/S3 credentials
+    # This path must contain the AWS/S3 credentials and RESTIC_PASSWORD
     credentialPath: /garage/home-infra/volsync-backups
 
 # -- External backup configuration
@@ -80,18 +87,18 @@ external:
   enabled: true
 
   # -- 5 character cron schedule
-  schedule: 0 9 * * *
+  schedule: 0 9 * * 0
 
   # -- Backup configuration, inserted directly into the yaml
   restic:
-    pruneIntervalDays: 7
+    pruneIntervalDays: 35
     repository: ""
     retain:
       hourly: 0
-      daily: 7
+      daily: 0
-      weekly: 4
+      weekly: 12
-      monthly: 3
+      monthly: 0
-      yearly: 1
+      yearly: 0
     copyMethod: Snapshot
     storageClassName: ceph-block
     volumeSnapshotClassName: ceph-blockpool-snapshot
@@ -99,7 +106,7 @@ external:
 
   # -- External Secret configuration
   externalSecret:
-    # This path must contain the BUCKET_ENDPOINT and RESTIC_PASSWORD
+    # This path must contain the ENDPOINT
-    volsyncPath: /volsync/restic/digital-ocean
+    bucketPath: /backblaze/config
-    # This path must contain the AWS/S3 credentials
+    # This path must contain the AWS/S3 credentials and RESTIC_PASSWORD
-    credentialPath: /digital-ocean/home-infra/volsync-backups
+    credentialPath: /backblaze/home-infra/volsync-backups