feat: tidy external secrets

feat: switch to openbao
2026-04-24 15:39:30 -05:00 · 2026-04-24 15:38:27 -05:00 · 2026-04-24 15:14:43 -05:00 · 2026-04-24 15:06:34 -05:00 · 2026-04-15 00:02:40 +00:00 · 2026-04-15 00:02:09 +00:00
18 changed files with 97 additions and 142 deletions
--- a/charts/cloudflared/Chart.yaml
+++ b/charts/cloudflared/Chart.yaml
@@ -1,12 +1,13 @@
 apiVersion: v2
 name: cloudflared
-version: 2.4.0
+version: 2.6.0
 description: Cloudflared Tunnel
 keywords:
  - cloudflare
  - tunnel
 sources:
  - https://github.com/cloudflare/cloudflared
+  - https://hub.docker.com/r/cloudflare/cloudflared
  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/library/common
 maintainers:
  - name: alexlebens
@@ -14,6 +15,6 @@ dependencies:
  - name: common
    repository: https://bjw-s-labs.github.io/helm-charts/
    version: 4.6.2
-icon: https://avatars.githubusercontent.com/u/314135?s=48&v=4
-# renovate: datasource=github-releases depName=cloudflare/cloudflared
-appVersion: "2026.3.0"
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/cloudflare.png
+# renovate: datasource=docker depName=cloudflare/cloudflared
+appVersion: 2026.3.0
--- a/charts/cloudflared/README.md
+++ b/charts/cloudflared/README.md
@@ -1,6 +1,6 @@
 # cloudflared

-![Version: 2.4.0](https://img.shields.io/badge/Version-2.4.0-informational?style=flat-square) ![AppVersion: 2026.3.0](https://img.shields.io/badge/AppVersion-2026.3.0-informational?style=flat-square)
+![Version: 2.6.0](https://img.shields.io/badge/Version-2.6.0-informational?style=flat-square) ![AppVersion: 2026.3.0](https://img.shields.io/badge/AppVersion-2026.3.0-informational?style=flat-square)

 Cloudflared Tunnel

@@ -13,6 +13,7 @@ Cloudflared Tunnel
 ## Source Code

 * <https://github.com/cloudflare/cloudflared>
+* <https://hub.docker.com/r/cloudflare/cloudflared>
 * <https://github.com/bjw-s-labs/helm-charts/tree/main/charts/library/common>

 ## Requirements
@@ -25,14 +26,14 @@ Cloudflared Tunnel

 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| image | object | `{"pullPolicy":"IfNotPresent","repository":"cloudflare/cloudflared","tag":"2026.3.0"}` | Default image |
+| image | object | `{"pullPolicy":"IfNotPresent","repository":"cloudflare/cloudflared","tag":"2026.3.0@sha256:6b599ca3e974349ead3286d178da61d291961182ec3fe9c505e1dd02c8ac31b0"}` | Default image |
 | name | string | `""` | Name override of release |
-| resources | object | `{"requests":{"cpu":"10m","memory":"128Mi"}}` | Default resources |
-| secret | object | `{"existingSecret":{"key":"cf-tunnel-token","name":"cloudflared-secret"},"externalSecret":{"additionalLabels":{},"enabled":true,"nameOverride":"","store":{"name":"vault","path":"/cloudflare/tunnels","property":"token"}}}` | Secret configuration |
+| resources | object | `{"requests":{"cpu":"1m","memory":"20Mi"}}` | Default resources |
+| secret | object | `{"existingSecret":{"key":"cf-tunnel-token","name":"cloudflared-secret"},"externalSecret":{"additionalLabels":{},"enabled":true,"nameOverride":"","store":{"name":"openbao","path":"/cloudflare/tunnels","property":"token"}}}` | Secret configuration |
 | secret.existingSecret | object | `{"key":"cf-tunnel-token","name":"cloudflared-secret"}` | Name of existing secret that contains Cloudflare token |
-| secret.externalSecret | object | `{"additionalLabels":{},"enabled":true,"nameOverride":"","store":{"name":"vault","path":"/cloudflare/tunnels","property":"token"}}` | External Secret configuration |
+| secret.externalSecret | object | `{"additionalLabels":{},"enabled":true,"nameOverride":"","store":{"name":"openbao","path":"/cloudflare/tunnels","property":"token"}}` | External Secret configuration |
 | secret.externalSecret.additionalLabels | object | `{}` | Add additional labels |
-| secret.externalSecret.store | object | `{"name":"vault","path":"/cloudflare/tunnels","property":"token"}` | Cluster store config |
+| secret.externalSecret.store | object | `{"name":"openbao","path":"/cloudflare/tunnels","property":"token"}` | Cluster store config |

 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)
--- a/charts/cloudflared/templates/external-secret.yaml
+++ b/charts/cloudflared/templates/external-secret.yaml
@@ -14,10 +14,6 @@ spec:
  data:
    - secretKey: {{ include "secret.key" . }}
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: {{ include "secret.path" . }}
-        metadataPolicy: None
        property: {{ .Values.secret.externalSecret.store.property | required "External Secret store property is required" }}
-
 {{- end }}
--- a/charts/cloudflared/values.yaml
+++ b/charts/cloudflared/values.yaml
@@ -11,7 +11,7 @@ secret:

    # -- Cluster store config
    store:
-      name: vault
+      name: openbao
      path: /cloudflare/tunnels
      property: token

@@ -26,11 +26,11 @@ secret:
 # -- Default image
 image:
  repository: cloudflare/cloudflared
-  tag: "2026.3.0"
+  tag: 2026.3.0@sha256:6b599ca3e974349ead3286d178da61d291961182ec3fe9c505e1dd02c8ac31b0
  pullPolicy: IfNotPresent

 # -- Default resources
 resources:
  requests:
-    cpu: 10m
-    memory: 128Mi
+    cpu: 1m
+    memory: 20Mi
--- a/charts/generic-device-plugin/Chart.yaml
+++ b/charts/generic-device-plugin/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: generic-device-plugin
-version: 0.20.29
+version: 0.20.31
 description: Generic Device Plugin
 keywords:
  - generic-device-plugin
--- a/charts/generic-device-plugin/README.md
+++ b/charts/generic-device-plugin/README.md
@@ -1,6 +1,6 @@
 # generic-device-plugin

-![Version: 0.20.27](https://img.shields.io/badge/Version-0.20.27-informational?style=flat-square) ![AppVersion: 0.20.17](https://img.shields.io/badge/AppVersion-0.20.17-informational?style=flat-square)
+![Version: 0.20.31](https://img.shields.io/badge/Version-0.20.31-informational?style=flat-square) ![AppVersion: 0.20.17](https://img.shields.io/badge/AppVersion-0.20.17-informational?style=flat-square)

 Generic Device Plugin

@@ -28,7 +28,7 @@ Generic Device Plugin
 | config | object | `{"data":"devices:\n  - name: serial\n    groups:\n      - paths:\n          - path: /dev/ttyUSB*\n      - paths:\n          - path: /dev/ttyACM*\n      - paths:\n          - path: /dev/tty.usb*\n      - paths:\n          - path: /dev/cu.*\n      - paths:\n          - path: /dev/cuaU*\n      - paths:\n          - path: /dev/rfcomm*\n  - name: video\n    groups:\n      - paths:\n          - path: /dev/video0\n  - name: fuse\n    groups:\n      - count: 10\n        paths:\n          - path: /dev/fuse\n  - name: audio\n    groups:\n      - count: 10\n        paths:\n          - path: /dev/snd\n  - name: capture\n    groups:\n      - paths:\n          - path: /dev/snd/controlC0\n          - path: /dev/snd/pcmC0D0c\n      - paths:\n          - path: /dev/snd/controlC1\n            mountPath: /dev/snd/controlC0\n          - path: /dev/snd/pcmC1D0c\n            mountPath: /dev/snd/pcmC0D0c\n      - paths:\n          - path: /dev/snd/controlC2\n            mountPath: /dev/snd/controlC0\n          - path: /dev/snd/pcmC2D0c\n            mountPath: /dev/snd/pcmC0D0c\n      - paths:\n          - path: /dev/snd/controlC3\n            mountPath: /dev/snd/controlC0\n          - path: /dev/snd/pcmC3D0c\n            mountPath: /dev/snd/pcmC0D0c\n","enabled":true}` | Config map |
 | config.data | string | See [values.yaml](./values.yaml) | generic-device-plugin config file [[ref]](https://github.com/squat/generic-device-plugin#usage) |
 | deviceDomain | string | `"devic.es"` | Domain used by devices for identifcation |
-| image | object | `{"pullPolicy":"Always","repository":"ghcr.io/squat/generic-device-plugin","tag":"latest@sha256:e85f9637ea93f0e9a8d477b0e136783cd6fb8f1a5426cf84ef05ab4c88661c8c"}` | Default image |
+| image | object | `{"pullPolicy":"Always","repository":"ghcr.io/squat/generic-device-plugin","tag":"latest@sha256:d9e098e33a20c32a561adb1ef8cace7d5912cd5ffb38f07dd9f83af4bdf38505"}` | Default image |
 | name | string | `"generic-device-plugin"` | Name override of release |
 | resources | object | `{"requests":{"cpu":"50m","memory":"10Mi"}}` | Default resources |
 | service | object | `{"listenPort":8080}` | Service port |
--- a/charts/generic-device-plugin/values.yaml
+++ b/charts/generic-device-plugin/values.yaml
@@ -4,7 +4,7 @@ name: generic-device-plugin
 # -- Default image
 image:
  repository: ghcr.io/squat/generic-device-plugin
-  tag: latest@sha256:c4e3a24a5f20449e027b9de2c3cee790169ab42220818315f5f8ee9830788981
+  tag: latest@sha256:d9e098e33a20c32a561adb1ef8cace7d5912cd5ffb38f07dd9f83af4bdf38505
  pullPolicy: Always

 # -- Domain used by devices for identifcation
--- a/charts/postgres-cluster/Chart.yaml
+++ b/charts/postgres-cluster/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: postgres-cluster
-version: 7.11.2
+version: 7.12.1
 description: Cloudnative-pg Cluster
 keywords:
  - database
--- a/charts/postgres-cluster/README.md
+++ b/charts/postgres-cluster/README.md
@@ -1,6 +1,6 @@
 # postgres-cluster

-![Version: 7.11.2](https://img.shields.io/badge/Version-7.11.2-informational?style=flat-square) ![AppVersion: v1.29.0](https://img.shields.io/badge/AppVersion-v1.29.0-informational?style=flat-square)
+![Version: 7.12.1](https://img.shields.io/badge/Version-7.12.1-informational?style=flat-square) ![AppVersion: v1.29.0](https://img.shields.io/badge/AppVersion-v1.29.0-informational?style=flat-square)

 Cloudnative-pg Cluster

--- a/charts/postgres-cluster/templates/external-secret.yaml
+++ b/charts/postgres-cluster/templates/external-secret.yaml
@@ -16,28 +16,19 @@ metadata:
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: vault
+    name: openbao
  data:
    - secretKey: ACCESS_REGION
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: {{ .externalSecretCredentialPath | required "External Secret Credential local path is required" }}
-        metadataPolicy: None
        property: ACCESS_REGION
    - secretKey: ACCESS_KEY_ID
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: {{ .externalSecretCredentialPath | required "External Secret Credential local path is required" }}
-        metadataPolicy: None
        property: ACCESS_KEY_ID
    - secretKey: ACCESS_SECRET_KEY
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: {{ .externalSecretCredentialPath| required "External Secret Credential local path is required" }}
-        metadataPolicy: None
        property: ACCESS_SECRET_KEY
 {{ end -}}
 {{ end }}
@@ -58,27 +49,18 @@ metadata:
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: vault
+    name: openbao
  data:
    - secretKey: ACCESS_REGION
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: {{ .Values.recovery.objectStore.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
-        metadataPolicy: None
        property: ACCESS_REGION
    - secretKey: ACCESS_KEY_ID
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: {{ .Values.recovery.objectStore.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
-        metadataPolicy: None
        property: ACCESS_KEY_ID
    - secretKey: ACCESS_SECRET_KEY
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: {{ .Values.recovery.objectStore.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
-        metadataPolicy: None
        property: ACCESS_SECRET_KEY
 {{- end }}
--- a/charts/valkey/Chart.lock
+++ b/charts/valkey/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: valkey
  repository: https://valkey.io/valkey-helm/
-  version: 0.9.3
-digest: sha256:705fdaa1d456e55dd1a8aba698e17b2309a336f614cba8fd3cdb7e072b323b36
-generated: "2026-03-03T16:02:43.407652-06:00"
+  version: 0.9.4
+digest: sha256:84e2e4a944be7f69b6819215a53c068a126fc9d62383a90e22b33751ec5d2810
+generated: "2026-04-13T00:01:51.952023667Z"
--- a/charts/valkey/Chart.yaml
+++ b/charts/valkey/Chart.yaml
@@ -1,21 +1,22 @@
 apiVersion: v2
 name: valkey
-version: 0.5.0
+version: 0.6.1
 description: Valkey chart with preconfigured settings
 keywords:
  - valkey
-  - redis
-  - storage
-  - kubernetes
+  - redis-compatible
 sources:
  - https://github.com/valkey-io/valkey
+  - https://github.com/oliver006/redis_exporter
+  - https://hub.docker.com/r/valkey/valkey
+  - https://github.com/oliver006/redis_exporter/pkgs/container/redis_exporter
  - https://github.com/valkey-io/valkey-helm
 maintainers:
  - name: alexlebens
 dependencies:
  - name: valkey
    repository: https://valkey.io/valkey-helm/
-    version: 0.9.3
-icon: https://dyltqmyl993wv.cloudfront.net/assets/stacks/valkey/img/valkey-stack-220x234.png
+    version: 0.9.4
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/valkey.png
 # renovate: datasource=github-releases depName=valkey-io/valkey
 appVersion: 9.0.3
--- a/charts/valkey/README.md
+++ b/charts/valkey/README.md
@@ -1,6 +1,6 @@
 # valkey

-![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat-square) ![AppVersion: 9.0.3](https://img.shields.io/badge/AppVersion-9.0.3-informational?style=flat-square)
+![Version: 0.6.1](https://img.shields.io/badge/Version-0.6.1-informational?style=flat-square) ![AppVersion: 9.0.3](https://img.shields.io/badge/AppVersion-9.0.3-informational?style=flat-square)

 Valkey chart with preconfigured settings

@@ -13,13 +13,16 @@ Valkey chart with preconfigured settings
 ## Source Code

 * <https://github.com/valkey-io/valkey>
+* <https://github.com/oliver006/redis_exporter>
+* <https://hub.docker.com/r/valkey/valkey>
+* <https://github.com/oliver006/redis_exporter/pkgs/container/redis_exporter>
 * <https://github.com/valkey-io/valkey-helm>

 ## Requirements

 | Repository | Name | Version |
 |------------|------|---------|
-| https://valkey.io/valkey-helm/ | valkey | 0.9.3 |
+| https://valkey.io/valkey-helm/ | valkey | 0.9.4 |

 ## Values

@@ -32,11 +35,11 @@ Valkey chart with preconfigured settings
 | valkey.dataStorage.requestedSize | string | `"1Gi"` |  |
 | valkey.image.registry | string | `"docker.io"` |  |
 | valkey.image.repository | string | `"valkey/valkey"` |  |
-| valkey.image.tag | string | `"9.0.3"` |  |
+| valkey.image.tag | string | `"9.0.3@sha256:3b55fbaa0cd93cf0d9d961f405e4dfcc70efe325e2d84da207a0a8e6d8fde4f9"` |  |
 | valkey.metrics.enabled | bool | `true` |  |
 | valkey.metrics.exporter.image.registry | string | `"ghcr.io"` |  |
 | valkey.metrics.exporter.image.repository | string | `"oliver006/redis_exporter"` |  |
-| valkey.metrics.exporter.image.tag | string | `"v1.82.0"` |  |
+| valkey.metrics.exporter.image.tag | string | `"v1.82.0@sha256:6a97d4dd743b533e1f950c677b87d880e44df363c61af3f406fc9e53ed65ee03"` |  |
 | valkey.metrics.exporter.resources.requests.cpu | string | `"1m"` |  |
 | valkey.metrics.exporter.resources.requests.memory | string | `"10M"` |  |
 | valkey.metrics.podMonitor.enabled | bool | `true` |  |
--- a/charts/valkey/values.yaml
+++ b/charts/valkey/values.yaml
@@ -3,7 +3,7 @@ valkey:
  image:
    registry: docker.io
    repository: valkey/valkey
-    tag: 9.0.3
+    tag: 9.0.3@sha256:3b55fbaa0cd93cf0d9d961f405e4dfcc70efe325e2d84da207a0a8e6d8fde4f9
  serviceAccount:
    create: true
  resources:
@@ -31,7 +31,7 @@ valkey:
      image:
        registry: ghcr.io
        repository: oliver006/redis_exporter
-        tag: v1.82.0
+        tag: v1.82.0@sha256:6a97d4dd743b533e1f950c677b87d880e44df363c61af3f406fc9e53ed65ee03
      resources:
        requests:
          cpu: 1m
--- a/charts/volsync-target/Chart.yaml
+++ b/charts/volsync-target/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: volsync-target
-version: 0.8.0
+version: 1.0.0
 description: Volsync Replication set to target specific PVC with preconfigured settings
 keywords:
  - volsync-target
--- a/charts/volsync-target/README.md
+++ b/charts/volsync-target/README.md
@@ -1,6 +1,6 @@
 # volsync-target

-![Version: 0.8.0](https://img.shields.io/badge/Version-0.8.0-informational?style=flat-square) ![AppVersion: 0.15.0](https://img.shields.io/badge/AppVersion-0.15.0-informational?style=flat-square)
+![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![AppVersion: 0.15.0](https://img.shields.io/badge/AppVersion-0.15.0-informational?style=flat-square)

 Volsync Replication set to target specific PVC with preconfigured settings

@@ -20,21 +20,22 @@ Volsync Replication set to target specific PVC with preconfigured settings
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | additionalLabels | object | `{}` | Add additional labels |
-| external | object | `{"enabled":true,"externalSecret":{"credentialPath":"/digital-ocean/home-infra/volsync-backups","volsyncPath":"/volsync/restic/digital-ocean"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 9 * * *"}` | External backup configuration |
-| external.externalSecret | object | `{"credentialPath":"/digital-ocean/home-infra/volsync-backups","volsyncPath":"/volsync/restic/digital-ocean"}` | External Secret configuration |
+| external | object | `{"enabled":true,"externalSecret":{"bucketPath":"/digital-ocean/config","credentialPath":"/digital-ocean/home-infra/volsync-backups"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 9 * * *"}` | External backup configuration |
+| external.externalSecret | object | `{"bucketPath":"/digital-ocean/config","credentialPath":"/digital-ocean/home-infra/volsync-backups"}` | External Secret configuration |
 | external.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
 | external.schedule | string | `"0 9 * * *"` | 5 character cron schedule |
 | externalSecrets | object | `{"enabled":true}` | Use external secrets |
-| local | object | `{"enabled":false,"externalSecret":{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-local"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 8 * * *"}` | Local backup configuration |
-| local.externalSecret | object | `{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-local"}` | External Secret configuration |
+| kubernetesClusterName | string | `"cl01tl"` | Kubernetes cluster name |
+| local | object | `{"enabled":false,"externalSecret":{"bucketPath":"/garage/config","credentialPath":"/garage/home-infra/volsync-backups"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 8 * * *"}` | Local backup configuration |
+| local.externalSecret | object | `{"bucketPath":"/garage/config","credentialPath":"/garage/home-infra/volsync-backups"}` | External Secret configuration |
 | local.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
 | local.schedule | string | `"0 8 * * *"` | 5 character cron schedule |
 | moverSecurityContext | object | `{}` | Glocal security context for restic mover |
 | nameOverride | string | `""` | Default pattern follows <pvcTarget>-backup |
 | namespaceOverride | string | `""` | Override the namespace of the chart |
 | pvcTarget | string | `"data"` | Name of the PVC target |
-| remote | object | `{"enabled":false,"externalSecret":{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-remote"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 10 * * *"}` | Remote backup configuration |
-| remote.externalSecret | object | `{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-remote"}` | External Secret configuration |
+| remote | object | `{"enabled":false,"externalSecret":{"bucketPath":"/garage/config","credentialPath":"/garage/home-infra/volsync-backups"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 10 * * *"}` | Remote backup configuration |
+| remote.externalSecret | object | `{"bucketPath":"/garage/config","credentialPath":"/garage/home-infra/volsync-backups"}` | External Secret configuration |
 | remote.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
 | remote.schedule | string | `"0 10 * * *"` | 5 character cron schedule |

--- a/charts/volsync-target/templates/external-secret.yaml
+++ b/charts/volsync-target/templates/external-secret.yaml
@@ -14,48 +14,37 @@ metadata:
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: vault
+    name: openbao
  target:
    template:
      mergePolicy: Merge
      engineVersion: v2
      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
+        RESTIC_REPOSITORY: "s3:{{ `{{ .ENDPOINT }}` }}/{{ `{{ .BUCKET }}` }}/{{ .Values.kubernetesClusterName }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
  data:
-    - secretKey: BUCKET_ENDPOINT
+    - secretKey: ENDPOINT
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: {{ .Values.local.externalSecret.volsyncPath | required "External Secret Volsync local path is required" }}
-        metadataPolicy: None
-        property: BUCKET_ENDPOINT
+        key: {{ .Values.local.externalSecret.bucketPath | required "External Secret Volsync local path is required" }}
+        property: ENDPOINT_LOCAL
+    - secretKey: BUCKET
+      remoteRef:
+        key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Volsync local path is required" }}
+        property: BUCKET
    - secretKey: RESTIC_PASSWORD
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: {{ .Values.local.externalSecret.volsyncPath | required "External Secret Volsync local path is required" }}
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
+        key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Volsync local path is required" }}
+        property: RESTIC_PASSWORD_LOCAL
    - secretKey: AWS_DEFAULT_REGION
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
-        metadataPolicy: None
        property: ACCESS_REGION
    - secretKey: AWS_ACCESS_KEY_ID
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
-        metadataPolicy: None
        property: ACCESS_KEY_ID
    - secretKey: AWS_SECRET_ACCESS_KEY
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
-        metadataPolicy: None
        property: ACCESS_SECRET_KEY
 {{- end }}

@@ -75,48 +64,37 @@ metadata:
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: vault
+    name: openbao
  target:
    template:
      mergePolicy: Merge
      engineVersion: v2
      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
+        RESTIC_REPOSITORY: "s3:{{ `{{ .ENDPOINT }}` }}/{{ `{{ .BUCKET }}` }}/{{ .Values.kubernetesClusterName }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
  data:
-    - secretKey: BUCKET_ENDPOINT
+    - secretKey: ENDPOINT
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: {{ .Values.remote.externalSecret.volsyncPath | required "External Secret Volsync remote path is required" }}
-        metadataPolicy: None
-        property: BUCKET_ENDPOINT
+        key: {{ .Values.remote.externalSecret.bucketPath | required "External Secret Volsync local path is required" }}
+        property: ENDPOINT_REMOTE
+    - secretKey: BUCKET
+      remoteRef:
+        key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Volsync local path is required" }}
+        property: BUCKET
    - secretKey: RESTIC_PASSWORD
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: {{ .Values.remote.externalSecret.volsyncPath | required "External Secret Volsync remote path is required" }}
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
+        key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Volsync local path is required" }}
+        property: RESTIC_PASSWORD_REMOTE
    - secretKey: AWS_DEFAULT_REGION
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Credential remote path is required" }}
-        metadataPolicy: None
        property: ACCESS_REGION
    - secretKey: AWS_ACCESS_KEY_ID
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Credential remote path is required" }}
-        metadataPolicy: None
        property: ACCESS_KEY_ID
    - secretKey: AWS_SECRET_ACCESS_KEY
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Credential remote path is required" }}
-        metadataPolicy: None
        property: ACCESS_SECRET_KEY
 {{- end }}

@@ -136,47 +114,36 @@ metadata:
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: vault
+    name: openbao
  target:
    template:
      mergePolicy: Merge
      engineVersion: v2
      data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
+        RESTIC_REPOSITORY: "s3:{{ `{{ .ENDPOINT }}` }}/{{ `{{ .BUCKET }}` }}/{{ .Values.kubernetesClusterName }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
  data:
-    - secretKey: BUCKET_ENDPOINT
+    - secretKey: ENDPOINT
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: {{ .Values.external.externalSecret.volsyncPath | required "External Secret Volsync external path is required" }}
-        metadataPolicy: None
-        property: BUCKET_ENDPOINT
+        key: {{ .Values.external.externalSecret.bucketPath | required "External Secret Volsync external path is required" }}
+        property: ENDPOINT
+    - secretKey: BUCKET
+      remoteRef:
+        key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Volsync local path is required" }}
+        property: BUCKET
    - secretKey: RESTIC_PASSWORD
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
-        key: {{ .Values.external.externalSecret.volsyncPath | required "External Secret Volsync external path is required" }}
-        metadataPolicy: None
+        key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Volsync external path is required" }}
        property: RESTIC_PASSWORD
    - secretKey: AWS_DEFAULT_REGION
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Credential external path is required" }}
-        metadataPolicy: None
-        property: AWS_DEFAULT_REGION
+        property: AWS_REGION
    - secretKey: AWS_ACCESS_KEY_ID
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Credential external path is required" }}
-        metadataPolicy: None
        property: AWS_ACCESS_KEY_ID
    - secretKey: AWS_SECRET_ACCESS_KEY
      remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
        key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Credential external path is required" }}
-        metadataPolicy: None
        property: AWS_SECRET_ACCESS_KEY
 {{- end }}
--- a/charts/volsync-target/values.yaml
+++ b/charts/volsync-target/values.yaml
@@ -4,6 +4,9 @@ nameOverride: ""
 # -- Override the namespace of the chart
 namespaceOverride: ""

+# -- Kubernetes cluster name
+kubernetesClusterName: cl01tl
+
 # -- Add additional labels
 additionalLabels: {}

@@ -41,9 +44,9 @@ local:

  # -- External Secret configuration
  externalSecret:
-    # This path must contain the BUCKET_ENDPOINT and RESTIC_PASSWORD
-    volsyncPath: /volsync/restic/garage-local
-    # This path must contain the AWS/S3 credentials
+    # This path must contain the BUCKET_ENDPOINT
+    bucketPath: /garage/config
+    # This path must contain the AWS/S3 credentials and RESTIC_PASSWORD
    credentialPath: /garage/home-infra/volsync-backups

 # -- Remote backup configuration
@@ -70,9 +73,9 @@ remote:

  # -- External Secret configuration
  externalSecret:
-    # This path must contain the BUCKET_ENDPOINT and RESTIC_PASSWORD
-    volsyncPath: /volsync/restic/garage-remote
-    # This path must contain the AWS/S3 credentials
+    # This path must contain the BUCKET_ENDPOINT
+    bucketPath: /garage/config
+    # This path must contain the AWS/S3 credentials and RESTIC_PASSWORD
    credentialPath: /garage/home-infra/volsync-backups

 # -- External backup configuration
@@ -99,7 +102,7 @@ external:

  # -- External Secret configuration
  externalSecret:
-    # This path must contain the BUCKET_ENDPOINT and RESTIC_PASSWORD
-    volsyncPath: /volsync/restic/digital-ocean
-    # This path must contain the AWS/S3 credentials
+    # This path must contain the ENDPOINT
+    bucketPath: /digital-ocean/config
+    # This path must contain the AWS/S3 credentials and RESTIC_PASSWORD
    credentialPath: /digital-ocean/home-infra/volsync-backups
Author	SHA1	Message	Date
Alex Lebens	9b50e6b890	feat: tidy external secrets All checks were successful lint-and-test / lint-helm (push) Successful in 20s Details release-charts-postgres-cluster / release (push) Successful in 16s Details lint-and-test / chart-testing (push) Successful in 3m51s Details renovate / renovate (push) Successful in 3m6s Details	2026-04-24 15:39:30 -05:00
Alex Lebens	617b14b7aa	feat: switch to openbao All checks were successful lint-and-test / lint-helm (push) Successful in 25s Details release-charts-volsync-target / release (push) Successful in 37s Details renovate / renovate (push) Successful in 59s Details lint-and-test / chart-testing (push) Successful in 2m1s Details	2026-04-24 15:38:27 -05:00
Alex Lebens	47a93ddf40	feat: switch to openbao All checks were successful lint-and-test / lint-helm (push) Successful in 42s Details release-charts-postgres-cluster / release (push) Successful in 47s Details release-charts-valkey / release (push) Successful in 33s Details renovate / renovate (push) Successful in 47s Details release-charts-generic-device-plugin / release (push) Successful in 1m22s Details lint-and-test / chart-testing (push) Successful in 4m59s Details	2026-04-24 15:14:43 -05:00
Alex Lebens	9f3b66af07	feat: switch to openbao All checks were successful lint-and-test / lint-helm (push) Successful in 36s Details renovate / renovate (push) Successful in 53s Details release-charts-cloudflared / release (push) Successful in 1m30s Details lint-and-test / chart-testing (push) Successful in 6m33s Details	2026-04-24 15:06:34 -05:00
Renovate Bot	b69b96e97b	Merge pull request 'chore(deps): update ghcr.io/squat/generic-device-plugin:latest docker digest to d9e098e' (#193 ) from renovate/unified-squatgeneric-device-plugin into main All checks were successful lint-and-test / lint-helm (push) Successful in 50s Details lint-and-test / chart-testing (push) Successful in 1m1s Details release-charts-generic-device-plugin / release (push) Successful in 1m0s Details renovate / renovate (push) Successful in 1m39s Details	2026-04-15 00:02:40 +00:00
Renovate Bot	178176fd4b	chore(deps): update ghcr.io/squat/generic-device-plugin:latest docker digest to d9e098e Some checks failed renovate/stability-days Updates have not met minimum release age requirement Details lint-and-test / lint-helm (pull_request) Failing after 58s Details lint-and-test / chart-testing (pull_request) Successful in 2m52s Details	2026-04-15 00:02:09 +00:00
Renovate Bot	dbdf4b25a6	Merge pull request 'chore(deps): update ghcr.io/squat/generic-device-plugin:latest docker digest to e11621c' (#192 ) from renovate/unified-squatgeneric-device-plugin into main All checks were successful lint-and-test / lint-helm (push) Successful in 19s Details release-charts-generic-device-plugin / release (push) Successful in 37s Details lint-and-test / chart-testing (push) Successful in 1m39s Details renovate / renovate (push) Successful in 2m2s Details	2026-04-14 00:02:02 +00:00
Renovate Bot	4fd08657a5	chore(deps): update ghcr.io/squat/generic-device-plugin:latest docker digest to e11621c Some checks failed renovate/stability-days Updates have not met minimum release age requirement Details lint-and-test / lint-helm (pull_request) Failing after 28s Details lint-and-test / chart-testing (pull_request) Successful in 43s Details	2026-04-14 00:01:55 +00:00
Alex Lebens	1f1a9b14d9	Merge pull request 'chore(deps): update helm release valkey to v0.9.4' (#191 ) from renovate/valkey-0.x into main All checks were successful lint-and-test / lint-helm (push) Successful in 12s Details lint-and-test / chart-testing (push) Successful in 26s Details release-charts-valkey / release (push) Successful in 32s Details renovate / renovate (push) Successful in 1m53s Details Reviewed-on: #191	2026-04-13 00:06:27 +00:00
Renovate Bot	96bcd95382	chore(deps): update helm release valkey to v0.9.4 All checks were successful lint-and-test / chart-testing (pull_request) Successful in 38s Details lint-and-test / lint-helm (pull_request) Successful in 45s Details	2026-04-13 00:01:59 +00:00
Alex Lebens	50ac119e1a	feat: add image sha All checks were successful lint-and-test / lint-helm (push) Successful in 14s Details release-charts-valkey / release (push) Successful in 27s Details lint-and-test / chart-testing (push) Successful in 1m16s Details renovate / renovate (push) Successful in 2m34s Details	2026-04-09 20:05:58 -05:00
Alex Lebens	792a392d70	feat: update README All checks were successful lint-and-test / lint-helm (push) Successful in 34s Details renovate / renovate (push) Successful in 45s Details release-charts-generic-device-plugin / release (push) Successful in 58s Details lint-and-test / chart-testing (push) Successful in 1m9s Details	2026-04-09 20:02:06 -05:00
Alex Lebens	d65e044655	feat: add sha to image tag All checks were successful lint-and-test / lint-helm (push) Successful in 17s Details release-charts-cloudflared / release (push) Successful in 28s Details lint-and-test / chart-testing (push) Successful in 48s Details renovate / renovate (push) Successful in 54s Details	2026-04-09 19:59:29 -05:00