Update ghcr.io/cloudnative-pg/postgresql Docker tag to v17.5-standard-bullseye

Reviewed-on: #109

.gitea/workflows/lint-test.yaml

@@ -1,6 +1,7 @@
-name: lint-and-test-charts
+name: lint-and-test
 
-on: pull_request
+on:
+  pull_request:
 
 jobs:
   lint-test:
@@ -35,4 +36,4 @@ jobs:
 
       - name: Run Chart Testing (lint)
         if: steps.list-changed.outputs.changed == 'true'
-        run: ct lint --target-branch ${{ gitea.event.repository.default_branch }}
+        run: ct lint --validate-maintainers=false --target-branch ${{ gitea.event.repository.default_branch }}

.gitea/workflows/process-repository.yaml

@@ -0,0 +1,40 @@
+name: process-repository
+
+on:
+  schedule:
+    - cron: '@daily'
+
+  workflow_dispatch:
+
+jobs:
+  process-repository:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Python Script
+        uses: actions/checkout@v4
+        with:
+          repository: alexlebens/workflow-scripts
+          ref: main
+          token: ${{ secrets.BOT_TOKEN }}
+          path: workflow-scripts
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.13'
+
+      - name: Install dependencies
+        run: pip install requests immutabledict
+
+      - name: Run Script
+        env:
+          INSTANCE_URL: ${{ vars.INSTANCE_URL }}
+          REPOSITORY: ${{ gitea.repository }}
+          TOKEN: ${{ secrets.BOT_TOKEN }}
+          LOG_LEVEL: DEBUG
+          ISSUE_STALE_DAYS: 3
+          ISSUE_STALE_TAG: stale
+          ISSUE_EXCLUDE_TAG: Renovate
+          PULL_REQUEST_STALE_DAYS: 3
+          PULL_REQUEST_STALE_TAG: stale
+        run: python ./workflow-scripts/process-repository.py

.gitea/workflows/release-charts-cloudflared.yml

@@ -56,11 +56,30 @@ jobs:
           files: |-
             ${{ env.PACKAGE_PATH }}
 
-      - name: Actions Ntfy
-        run: |
-          curl \
-            -H "Authorization: Bearer ${{ secrets.NTFY_CRED }}" \
-            -H "Title: Chart Released: ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}" \
-            -H "Content-Type: text/plain" \
-            -d $'Repo: ${{ gitea.repository }}\nCommit: ${{ gitea.sha }}\nRef: ${{ gitea.ref }}\nStatus: ${{ job.status}}' \
-            ${{ secrets.NTFY_URL }}
+      - name: ntfy Success
+        uses: niniyas/ntfy-action@master
+        if: success()
+        with:
+          url: '${{ secrets.NTFY_URL }}'
+          topic: '${{ secrets.NTFY_TOPIC }}'
+          title: 'Gitea Action'
+          priority: 3
+          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+          tags: action,successfully,completed
+          details: 'Helm Chart for cloudflared release workflow has successfully completed!'
+          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
+
+      - name: ntfy Failed
+        uses: niniyas/ntfy-action@master
+        if: failure()
+        with:
+          url: '${{ secrets.NTFY_URL }}'
+          topic: '${{ secrets.NTFY_TOPIC }}'
+          title: 'Gitea Action'
+          priority: 4
+          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+          tags: action,failed
+          details: 'Helm Chart for cloudflared release workflow has failed!'
+          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
+          actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/site-profile/actions?workflow=release-image.yml", "clear": true}]'
+          image: true

.gitea/workflows/release-charts-generic-device-plugin.yml

@@ -56,11 +56,30 @@ jobs:
           files: |-
             ${{ env.PACKAGE_PATH }}
 
-      - name: Actions Ntfy
-        run: |
-          curl \
-            -H "Authorization: Bearer ${{ secrets.NTFY_CRED }}" \
-            -H "Title: Chart Released: ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}" \
-            -H "Content-Type: text/plain" \
-            -d $'Repo: ${{ gitea.repository }}\nCommit: ${{ gitea.sha }}\nRef: ${{ gitea.ref }}\nStatus: ${{ job.status}}' \
-            ${{ secrets.NTFY_URL }}
+      - name: ntfy Success
+        uses: niniyas/ntfy-action@master
+        if: success()
+        with:
+          url: '${{ secrets.NTFY_URL }}'
+          topic: '${{ secrets.NTFY_TOPIC }}'
+          title: 'Gitea Action'
+          priority: 3
+          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+          tags: action,successfully,completed
+          details: 'Helm Chart for generic-device-plugin release workflow has successfully completed!'
+          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
+
+      - name: ntfy Failed
+        uses: niniyas/ntfy-action@master
+        if: failure()
+        with:
+          url: '${{ secrets.NTFY_URL }}'
+          topic: '${{ secrets.NTFY_TOPIC }}'
+          title: 'Gitea Action'
+          priority: 4
+          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+          tags: action,failed
+          details: 'Helm Chart for generic-device-plugin release workflow has failed!'
+          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
+          actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/site-profile/actions?workflow=release-image.yml", "clear": true}]'
+          image: true

.gitea/workflows/release-charts-gitea-actions.yml

@@ -0,0 +1,85 @@
+name: release-charts-gitea-actions
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "charts/gitea-actions/**"
+
+  workflow_dispatch:
+
+env:
+  WORKFLOW_DIR: "charts/gitea-actions"
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          token: ${{ secrets.GITEA_TOKEN }}
+          version: latest
+
+      - name: Package Helm Chart
+        run: |
+          cd $WORKFLOW_DIR
+          helm dependency build
+          echo "PACKAGE_PATH=$(helm package . | awk '{print $NF}')" >> $GITEA_ENV
+
+      - name: Publish Helm Chart to Harbor
+        run: |
+          helm registry login ${{ vars.REGISTRY_HOST }} -u ${{ vars.REGISTRY_USER }} -p ${{ secrets.REGISTRY_SECRET }}
+          helm push ${{ env.PACKAGE_PATH }} oci://${{ vars.REGISTRY_HOST }}/helm-charts
+
+      - name: Publish Helm Chart to Gitea
+        run: |
+          helm plugin install https://github.com/chartmuseum/helm-push
+          helm repo add --username ${{ gitea.actor }} --password ${{ secrets.REPOSITORY_TOKEN }} helm-charts https://${{ vars.REPOSITORY_HOST }}/api/packages/alexlebens/helm
+          helm cm-push ${{ env.PACKAGE_PATH }} helm-charts
+
+      - name: Extract Chart Metadata
+        run: |
+          cd $WORKFLOW_DIR
+          echo "CHART_VERSION=$(yq '.version' Chart.yaml)" >> $GITEA_ENV
+          echo "CHART_NAME=$(yq '.name' Chart.yaml)" >> $GITEA_ENV
+
+      - name: Release Helm Chart
+        uses: akkuman/gitea-release-action@v1
+        with:
+          name: ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}
+          tag_name: ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}
+          files: |-
+            ${{ env.PACKAGE_PATH }}
+
+      - name: ntfy Success
+        uses: niniyas/ntfy-action@master
+        if: success()
+        with:
+          url: '${{ secrets.NTFY_URL }}'
+          topic: '${{ secrets.NTFY_TOPIC }}'
+          title: 'Gitea Action'
+          priority: 3
+          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+          tags: action,successfully,completed
+          details: 'Helm Chart for gitea-actions release workflow has successfully completed!'
+          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
+
+      - name: ntfy Failed
+        uses: niniyas/ntfy-action@master
+        if: failure()
+        with:
+          url: '${{ secrets.NTFY_URL }}'
+          topic: '${{ secrets.NTFY_TOPIC }}'
+          title: 'Gitea Action'
+          priority: 4
+          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+          tags: action,failed
+          details: 'Helm Chart for gitea-actions release workflow has failed!'
+          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
+          actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/site-profile/actions?workflow=release-image.yml", "clear": true}]'
+          image: true

.gitea/workflows/release-charts-postgres-cluster.yml

@@ -56,11 +56,30 @@ jobs:
           files: |-
             ${{ env.PACKAGE_PATH }}
 
-      - name: Actions Ntfy
-        run: |
-          curl \
-            -H "Authorization: Bearer ${{ secrets.NTFY_CRED }}" \
-            -H "Title: Chart Released: ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}" \
-            -H "Content-Type: text/plain" \
-            -d $'Repo: ${{ gitea.repository }}\nCommit: ${{ gitea.sha }}\nRef: ${{ gitea.ref }}\nStatus: ${{ job.status}}' \
-            ${{ secrets.NTFY_URL }}
+      - name: ntfy Success
+        uses: niniyas/ntfy-action@master
+        if: success()
+        with:
+          url: '${{ secrets.NTFY_URL }}'
+          topic: '${{ secrets.NTFY_TOPIC }}'
+          title: 'Gitea Action'
+          priority: 3
+          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+          tags: action,successfully,completed
+          details: 'Helm Chart for postgres-cluster release workflow has successfully completed!'
+          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
+
+      - name: ntfy Failed
+        uses: niniyas/ntfy-action@master
+        if: failure()
+        with:
+          url: '${{ secrets.NTFY_URL }}'
+          topic: '${{ secrets.NTFY_TOPIC }}'
+          title: 'Gitea Action'
+          priority: 4
+          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+          tags: action,failed
+          details: 'Helm Chart for postgres-cluster release workflow has failed!'
+          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
+          actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/site-profile/actions?workflow=release-image.yml", "clear": true}]'
+          image: true

.gitea/workflows/renovate.yaml

@@ -0,0 +1,32 @@
+name: renovate
+
+on:
+  schedule:
+    - cron: "@daily"
+
+  push:
+    branches:
+      - main
+
+  workflow_dispatch:
+
+jobs:
+  renovate:
+    runs-on: ubuntu-latest
+    container: ghcr.io/renovatebot/renovate:41
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Renovate
+        run: renovate
+        env:
+          RENOVATE_PLATFORM: gitea
+          RENOVATE_ENDPOINT: ${{ vars.INSTANCE_URL }}
+          RENOVATE_REPOSITORIES: alexlebens/helm-charts
+          RENOVATE_GIT_AUTHOR: Renovate Bot <renovate-bot@alexlebens.net>
+          LOG_LEVEL: info
+          RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
+          RENOVATE_GIT_PRIVATE_KEY: ${{ secrets.RENOVATE_GIT_PRIVATE_KEY }}
+          RENOVATE_GITHUB_COM_TOKEN: ${{ secrets.RENOVATE_GITHUB_COM_TOKEN }}
+          RENOVATE_REDIS_URL: ${{ vars.RENOVATE_REDIS_URL }}

charts/cloudflared/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: cloudflared
-version: 1.15.0
+version: 1.18.0
 description: Cloudflared Tunnel
 keywords:
   - cloudflare
@@ -13,6 +13,6 @@ maintainers:
 dependencies:
   - name: common
     repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 4.0.1
+    version: 4.1.2
 icon: https://avatars.githubusercontent.com/u/314135?s=48&v=4
-appVersion: "2025.5.0"
+appVersion: "2025.6.0"

charts/cloudflared/README.md

@@ -1,6 +1,6 @@
 # cloudflared
 
-![Version: 1.15.0](https://img.shields.io/badge/Version-1.15.0-informational?style=flat-square) ![AppVersion: 2025.5.0](https://img.shields.io/badge/AppVersion-2025.5.0-informational?style=flat-square)
+![Version: 1.17.3](https://img.shields.io/badge/Version-1.17.3-informational?style=flat-square) ![AppVersion: 2025.6.0](https://img.shields.io/badge/AppVersion-2025.6.0-informational?style=flat-square)
 
 Cloudflared Tunnel
 
@@ -19,7 +19,7 @@ Cloudflared Tunnel
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://bjw-s-labs.github.io/helm-charts/ | common | 4.0.1 |
+| https://bjw-s-labs.github.io/helm-charts/ | common | 4.1.2 |
 
 ## Values
 
@@ -27,7 +27,7 @@ Cloudflared Tunnel
 |-----|------|---------|-------------|
 | existingSecretKey | string | `"cf-tunnel-token"` | Name of key that contains the token in the existingSecret |
 | existingSecretName | string | `"cloudflared-secret"` | Name of existing secret that contains Cloudflare token |
-| image | object | `{"pullPolicy":"IfNotPresent","repository":"cloudflare/cloudflared","tag":"2025.5.0"}` | Default image |
+| image | object | `{"pullPolicy":"IfNotPresent","repository":"cloudflare/cloudflared","tag":"2025.6.1"}` | Default image |
 | name | string | `"cloudflared"` | Name override of release |
 | resources | object | `{"requests":{"cpu":"10m","memory":"128Mi"}}` | Default resources |
 

charts/cloudflared/values.yaml

@@ -10,7 +10,7 @@ existingSecretKey: cf-tunnel-token
 # -- Default image
 image:
   repository: cloudflare/cloudflared
-  tag: "2025.5.0"
+  tag: "2025.7.0"
   pullPolicy: IfNotPresent
 
 # -- Default resources

charts/generic-device-plugin/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: generic-device-plugin
-version: 0.1.10
+version: 0.4.0
 description: Generic Device Plugin
 keywords:
   - generic-device-plugin
@@ -13,6 +13,6 @@ maintainers:
   - name: alexlebens
 dependencies:
   - name: common
-    repository: https://bjw-s.github.io/helm-charts/
-    version: 3.7.3
-appVersion: 0.1.10
+    repository: https://bjw-s-labs.github.io/helm-charts/
+    version: 4.1.2
+appVersion: 0.2.0

charts/generic-device-plugin/README.md

@@ -1,6 +1,6 @@
 # generic-device-plugin
 
-![Version: 0.1.10](https://img.shields.io/badge/Version-0.1.10-informational?style=flat-square) ![AppVersion: 0.1.10](https://img.shields.io/badge/AppVersion-0.1.10-informational?style=flat-square)
+![Version: 0.3.2](https://img.shields.io/badge/Version-0.3.2-informational?style=flat-square) ![AppVersion: 0.2.0](https://img.shields.io/badge/AppVersion-0.2.0-informational?style=flat-square)
 
 Generic Device Plugin
 
@@ -19,7 +19,7 @@ Generic Device Plugin
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://bjw-s.github.io/helm-charts/ | common | 3.7.3 |
+| https://bjw-s-labs.github.io/helm-charts/ | common | 4.1.2 |
 
 ## Values
 

charts/generic-device-plugin/values.yaml

@@ -4,7 +4,7 @@ name: generic-device-plugin
 # -- Default image
 image:
   repository: ghcr.io/squat/generic-device-plugin
-  tag: latest@sha256:d7d0951df7f11479185fd9fba1c1cb4d9c8f3232d38a5468d6fe80074f2b45d5
+  tag: latest@sha256:1f779444c72c7bf06b082c44698d6268a8e642ebd9488a35c84a603087940e64
   pullPolicy: Always
 
 # -- Domain used by devices for identifcation

charts/gitea-actions/Chart.yaml

@@ -0,0 +1,15 @@
+apiVersion: v2
+name: gitea-actions
+version: 0.2.1
+description: Gitea Actions
+keywords:
+  - cicd
+  - runner
+  - actions
+sources:
+  - https://gitea.com/gitea/helm-actions
+  - https://gitea.com/gitea/act
+maintainers:
+  - name: alexlebens
+icon: https://avatars.githubusercontent.com/u/100373852?s=48&v=4
+appVersion: 0.2.11

charts/gitea-actions/LICENSE

@@ -0,0 +1,18 @@
+MIT License
+
+Copyright (c) 2025 gitea
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and
+associated documentation files (the "Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the
+following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial
+portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO
+EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
+USE OR OTHER DEALINGS IN THE SOFTWARE.

charts/gitea-actions/README.md

@@ -0,0 +1,54 @@
+# gitea-actions
+
+![Version: 0.2.1](https://img.shields.io/badge/Version-0.2.1-informational?style=flat-square) ![AppVersion: 0.2.11](https://img.shields.io/badge/AppVersion-0.2.11-informational?style=flat-square)
+
+Gitea Actions
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| alexlebens |  |  |
+
+## Source Code
+
+* <https://gitea.com/gitea/helm-actions>
+* <https://gitea.com/gitea/act>
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| enabled | bool | `true` |  |
+| existingSecret | string | `""` |  |
+| existingSecretKey | string | `""` |  |
+| giteaRootURL | string | `""` |  |
+| global.fullnameOverride | string | `""` |  |
+| global.imageRegistry | string | `""` |  |
+| global.nameOverride | string | `""` |  |
+| global.storageClass | string | `""` |  |
+| init.image.repository | string | `"busybox"` |  |
+| init.image.tag | string | `"1.37.0"` |  |
+| statefulset.actRunner.config | string | `"log:\n  level: debug\ncache:\n  enabled: false\n"` |  |
+| statefulset.actRunner.extraVolumeMounts | list | `[]` |  |
+| statefulset.actRunner.pullPolicy | string | `"IfNotPresent"` |  |
+| statefulset.actRunner.repository | string | `"gitea/act_runner"` |  |
+| statefulset.actRunner.tag | string | `"0.2.11"` |  |
+| statefulset.affinity | object | `{}` |  |
+| statefulset.annotations | object | `{}` |  |
+| statefulset.dind.extraEnvs | list | `[]` |  |
+| statefulset.dind.extraVolumeMounts | list | `[]` |  |
+| statefulset.dind.pullPolicy | string | `"IfNotPresent"` |  |
+| statefulset.dind.repository | string | `"docker"` |  |
+| statefulset.dind.tag | string | `"25.0.2-dind"` |  |
+| statefulset.extraVolumes | list | `[]` |  |
+| statefulset.labels | object | `{}` |  |
+| statefulset.nodeSelector | object | `{}` |  |
+| statefulset.persistence.size | string | `"1Gi"` |  |
+| statefulset.persistence.storageClass | string | `""` |  |
+| statefulset.replicas | int | `1` |  |
+| statefulset.resources | object | `{}` |  |
+| statefulset.tolerations | list | `[]` |  |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

charts/gitea-actions/templates/_helpers.tpl

@@ -0,0 +1,102 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+
+{{- define "gitea.actions.name" -}}
+{{- default .Chart.Name .Values.global.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "gitea.actions.fullname" -}}
+{{- if .Values.global.fullnameOverride -}}
+{{- .Values.global.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.global.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "gitea.actions.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Storage Class
+*/}}
+{{- define "gitea.actions.persistence.storageClass" -}}
+{{- $storageClass :=  (tpl ( default "" .Values.statefulset.persistence.storageClass) .) | default (tpl ( default "" .Values.global.storageClass) .) }}
+{{- if $storageClass }}
+storageClassName: {{ $storageClass | quote }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "gitea.actions.labels" -}}
+helm.sh/chart: {{ include "gitea.actions.chart" . }}
+app: {{ include "gitea.actions.name" . }}
+{{ include "gitea.actions.selectorLabels" . }}
+app.kubernetes.io/version: {{ .Values.statefulset.actRunner.tag | default .Chart.AppVersion | quote }}
+version: {{ .Values.statefulset.actRunner.tag | default .Chart.AppVersion | quote }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{- define "gitea.actions.labels.actRunner" -}}
+helm.sh/chart: {{ include "gitea.actions.chart" . }}
+app: {{ include "gitea.actions.name" . }}-act-runner
+{{ include "gitea.actions.selectorLabels.actRunner" . }}
+app.kubernetes.io/version: {{ .Values.statefulset.actRunner.tag | default .Chart.AppVersion | quote }}
+version: {{ .Values.statefulset.actRunner.tag | default .Chart.AppVersion | quote }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Selector labels
+*/}}
+{{- define "gitea.actions.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "gitea.actions.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{- define "gitea.actions.selectorLabels.actRunner" -}}
+app.kubernetes.io/name: {{ include "gitea.actions.name" . }}-act-runner
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{- define "gitea.actions.local_root_url" -}}
+  {{- .Values.giteaRootURL -}}
+{{- end -}}
+
+{{/*
+Parse the http url to hostname + port separated by space for the nc command
+*/}}
+{{- define "gitea.actions.nc" -}}
+{{- $url := include "gitea.actions.local_root_url" . | urlParse -}}
+{{- $host := get $url "host" -}}
+{{- $scheme := get $url "scheme" -}}
+{{- $port := "80" -}}
+{{- if contains ":" $host -}}
+    {{- $hostAndPort := regexSplit ":" $host 2 -}}
+    {{- $host = index $hostAndPort 0 -}}
+    {{- $port = index $hostAndPort 1 -}}
+{{- else if eq $scheme "https" -}}
+    {{- $port = "443" -}}
+{{- else if eq $scheme "http" -}}
+    {{- $port = "80" -}}
+{{- end -}}
+{{- printf "%s %s" $host $port -}}
+{{- end -}}

charts/gitea-actions/templates/config-map.yaml

@@ -0,0 +1,15 @@
+{{- if .Values.enabled }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "gitea.actions.fullname" . }}-act-runner-config
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+  labels:
+    {{- include "gitea.actions.labels" . | nindent 4 }}
+data:
+  config.yaml: |
+    {{- with .Values.statefulset.actRunner.config -}}
+    {{ . | nindent 4}}
+    {{- end -}}
+{{- end }}

charts/gitea-actions/templates/stateful-set.yaml

@@ -0,0 +1,127 @@
+{{- if .Values.enabled }}
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  labels:
+    {{- include "gitea.actions.labels.actRunner" . | nindent 4 }}
+    {{- with .Values.statefulset.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- with .Values.statefulset.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  name: {{ include "gitea.actions.fullname" . }}-act-runner
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+spec:
+  replicas: {{ .Values.statefulset.replicas }}
+  selector:
+    matchLabels:
+      {{- include "gitea.actions.selectorLabels.actRunner" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "gitea.actions.labels.actRunner" . | nindent 8 }}
+        {{- with .Values.statefulset.labels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      initContainers:
+        - name: init-gitea
+          image: "{{ .Values.init.image.repository }}:{{ .Values.init.image.tag }}"
+          command:
+            - sh
+            - -c
+            - |
+              while ! nc -z {{ include "gitea.actions.nc" . }}; do
+                sleep 5
+              done
+      containers:
+        - name: act-runner
+          image: "{{ .Values.statefulset.actRunner.repository }}:{{ .Values.statefulset.actRunner.tag }}"
+          imagePullPolicy: {{ .Values.statefulset.actRunner.pullPolicy }}
+          workingDir: /data
+          env:
+            - name: DOCKER_HOST
+              value: tcp://127.0.0.1:2376
+            - name: DOCKER_TLS_VERIFY
+              value: "1"
+            - name: DOCKER_CERT_PATH
+              value: /certs/server
+            - name: GITEA_RUNNER_REGISTRATION_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.existingSecret | default "gitea-actions-token" }}"
+                  key: "{{ .Values.existingSecretKey | default "token" }}"
+            - name: GITEA_INSTANCE_URL
+              value: {{ include "gitea.actions.local_root_url" . }}
+            - name: CONFIG_FILE
+              value: /actrunner/config.yaml
+          resources:
+            {{- toYaml .Values.statefulset.resources | nindent 12 }}
+          volumeMounts:
+            - mountPath: /actrunner/config.yaml
+              name: act-runner-config
+              subPath: config.yaml
+            - mountPath: /certs/server
+              name: docker-certs
+            - mountPath: /data
+              name: data-act-runner
+            {{- with .Values.statefulset.actRunner.extraVolumeMounts }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+        - name: dind
+          image: "{{ .Values.statefulset.dind.repository }}:{{ .Values.statefulset.dind.tag }}"
+          imagePullPolicy: {{ .Values.statefulset.dind.pullPolicy }}
+          env:
+            - name: DOCKER_HOST
+              value: tcp://127.0.0.1:2376
+            - name: DOCKER_TLS_VERIFY
+              value: "1"
+            - name: DOCKER_CERT_PATH
+              value: /certs/server
+            {{- if .Values.statefulset.dind.extraEnvs }}
+            {{- toYaml .Values.statefulset.dind.extraEnvs | nindent 12 }}
+            {{- end }}
+          securityContext:
+            privileged: true
+          resources:
+            {{- toYaml .Values.statefulset.resources | nindent 12 }}
+          volumeMounts:
+            - mountPath: /certs/server
+              name: docker-certs
+            {{- with .Values.statefulset.dind.extraVolumeMounts }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+      {{- range $key, $value := .Values.statefulset.nodeSelector }}
+      nodeSelector:
+        {{ $key }}: {{ $value | quote }}
+      {{- end }}
+      {{- with .Values.statefulset.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.statefulset.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      volumes:
+        - name: act-runner-config
+          configMap:
+            name: {{ include "gitea.actions.fullname" . }}-act-runner-config
+        - name: docker-certs
+          emptyDir: {}
+        {{- with .Values.statefulset.extraVolumes }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+  volumeClaimTemplates:
+    - metadata:
+        name: data-act-runner
+      spec:
+        accessModes: [ "ReadWriteOnce" ]
+        {{- include "gitea.actions.persistence.storageClass" . | nindent 8 }}
+        resources:
+          requests:
+            storage: {{ .Values.statefulset.persistence.size }}
+{{- end }}

charts/gitea-actions/values.yaml

@@ -0,0 +1,102 @@
+# Configure Gitea Actions
+# - must enable persistence if the job is enabled
+## @section Gitea Actions
+#
+## @param enabled Create an act runner StatefulSet.
+## @param init.image.repository The image used for the init containers
+## @param init.image.tag The image tag used for the init containers
+## @param statefulset.annotations Act runner annotations
+## @param statefulset.labels Act runner labels
+## @param statefulset.resources Act runner resources
+## @param statefulset.nodeSelector NodeSelector for the statefulset
+## @param statefulset.tolerations Tolerations for the statefulset
+## @param statefulset.affinity Affinity for the statefulset
+## @param statefulset.extraVolumes Extra volumes for the statefulset
+## @param statefulset.actRunner.repository The Gitea act runner image
+## @param statefulset.actRunner.tag The Gitea act runner tag
+## @param statefulset.actRunner.pullPolicy The Gitea act runner pullPolicy
+## @param statefulset.actRunner.extraVolumeMounts Allows mounting extra volumes in the act runner container
+## @param statefulset.actRunner.config [default: Too complex. See values.yaml] Act runner custom configuration. See [Act Runner documentation](https://docs.gitea.com/usage/actions/act-runner#configuration) for details.
+## @param statefulset.dind.repository The Docker-in-Docker image
+## @param statefulset.dind.tag The Docker-in-Docker image tag
+## @param statefulset.dind.pullPolicy The Docker-in-Docker pullPolicy
+## @param statefulset.dind.extraVolumeMounts Allows mounting extra volumes in the Docker-in-Docker container
+## @param statefulset.dind.extraEnvs Allows adding custom environment variables, such as `DOCKER_IPTABLES_LEGACY`
+## @param statefulset.persistence.size Size for persistence to store act runner data
+## @param provisioning.enabled Create a job that will create and save the token in a Kubernetes Secret
+## @param provisioning.annotations Job's annotations
+## @param provisioning.labels Job's labels
+## @param provisioning.resources Job's resources
+## @param provisioning.nodeSelector NodeSelector for the job
+## @param provisioning.tolerations Tolerations for the job
+## @param provisioning.affinity Affinity for the job
+## @param provisioning.ttlSecondsAfterFinished ttl for the job after finished in order to allow helm to properly recognize that the job completed
+## @param provisioning.publish.repository The image that can create the secret via kubectl
+## @param provisioning.publish.tag The publish image tag that can create the secret
+## @param provisioning.publish.pullPolicy The publish image pullPolicy that can create the secret
+## @param existingSecret Secret that contains the token
+## @param existingSecretKey Secret key
+## @param giteaRootURL URL the act_runner registers and connect with
+enabled: true
+statefulset:
+  replicas: 1
+  annotations: {}
+  labels: {}
+  resources: {}
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
+  extraVolumes: []
+
+  actRunner:
+    repository: gitea/act_runner
+    tag: 0.2.11
+    pullPolicy: IfNotPresent
+    extraVolumeMounts: []
+
+    # See full example here: https://gitea.com/gitea/act_runner/src/branch/main/internal/pkg/config/config.example.yaml
+    config: |
+      log:
+        level: debug
+      cache:
+        enabled: false
+
+  dind:
+    repository: docker
+    tag: 25.0.2-dind
+    pullPolicy: IfNotPresent
+    extraVolumeMounts: []
+
+    # If the container keeps crashing in your environment, you might have to add the `DOCKER_IPTABLES_LEGACY` environment variable.
+    # See https://github.com/docker-library/docker/issues/463#issuecomment-1881909456
+    extraEnvs:
+      []
+      #  - name: "DOCKER_IPTABLES_LEGACY"
+      #    value: "1"
+
+  persistence:
+    storageClass: ""
+    size: 1Gi
+
+init:
+  image:
+    repository: busybox
+    tag: "1.37.0"
+
+## Specify an existing token secret
+##
+existingSecret: ""
+existingSecretKey: ""
+
+## Specify the root URL of the Gitea instance
+giteaRootURL: ""
+
+## @section Global
+#
+## @param global.imageRegistry global image registry override
+## @param global.storageClass global storage class override
+global:
+  imageRegistry: ""
+  storageClass: ""
+  nameOverride: ""
+  fullnameOverride: ""

charts/postgres-cluster/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: postgres-cluster
-version: 6.1.0
+version: 6.4.5
 description: Cloudnative-pg Cluster
 keywords:
   - database

charts/postgres-cluster/README.md

@@ -1,6 +1,6 @@
 # postgres-cluster
 
-![Version: 6.1.0](https://img.shields.io/badge/Version-6.1.0-informational?style=flat-square) ![AppVersion: v1.26.0](https://img.shields.io/badge/AppVersion-v1.26.0-informational?style=flat-square)
+![Version: 6.4.4](https://img.shields.io/badge/Version-6.4.4-informational?style=flat-square) ![AppVersion: v1.26.0](https://img.shields.io/badge/AppVersion-v1.26.0-informational?style=flat-square)
 
 Cloudnative-pg Cluster
 
@@ -19,33 +19,11 @@ Cloudnative-pg Cluster
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| backup | object | `{"enabled":true,"method":"objectStore","objectStore":[{"clusterName":"","data":{"compression":"snappy","encryption":"","jobs":1},"destinationPath":"s3://postgres-backups","endpointCA":{"create":false,"enabled":false,"key":"","name":""},"endpointCredentials":"","endpointURL":"https://nyc3.digitaloceanspaces.com","index":1,"isWALArchiver":true,"name":"external","retentionPolicy":"30d","wal":{"compression":"snappy","encryption":"","maxParallel":1}}],"scheduledBackups":[{"backupName":"external","backupOwnerReference":"self","name":"daily-backup","plugin":"barman-cloud.cloudnative-pg.io","schedule":"0 0 */3 * *","suspend":false}]}` | Backup settings |
-| backup.enabled | bool | `true` | You need to configure backups manually, so backups are disabled by default. |
+| backup | object | `{"enabled":false,"method":"objectStore","objectStore":[],"scheduledBackups":[]}` | Backup settings |
+| backup.enabled | bool | `false` | You need to configure backups manually, so backups are disabled by default. |
 | backup.method | string | `"objectStore"` | Method to create backups, options currently are only objectStore |
-| backup.objectStore | list | `[{"clusterName":"","data":{"compression":"snappy","encryption":"","jobs":1},"destinationPath":"s3://postgres-backups","endpointCA":{"create":false,"enabled":false,"key":"","name":""},"endpointCredentials":"","endpointURL":"https://nyc3.digitaloceanspaces.com","index":1,"isWALArchiver":true,"name":"external","retentionPolicy":"30d","wal":{"compression":"snappy","encryption":"","maxParallel":1}}]` | Options for object store backups |
-| backup.objectStore[0].clusterName | string | `""` | Override the name of the backup cluster, defaults to "cluster.name" |
-| backup.objectStore[0].data.compression | string | `"snappy"` | Data compression method. One of `` (for no compression), `gzip`, `bzip2` or `snappy`. |
-| backup.objectStore[0].data.encryption | string | `""` | Whether to instruct the storage provider to encrypt data files. One of `` (use the storage container default), `AES256` or `aws:kms`. |
-| backup.objectStore[0].data.jobs | int | `1` | Number of data files to be archived or restored in parallel. |
-| backup.objectStore[0].destinationPath | string | `"s3://postgres-backups"` | Overrides the provider specific default path. Defaults to: S3: s3://<bucket><path> Azure: https://<storageAccount>.<serviceName>.core.windows.net/<containerName><path> Google: gs://<bucket><path> |
-| backup.objectStore[0].endpointCA | object | `{"create":false,"enabled":false,"key":"","name":""}` | Specifies a CA bundle to validate a privately signed certificate. |
-| backup.objectStore[0].endpointCA.create | bool | `false` | Creates a secret with the given value if true, otherwise uses an existing secret. |
-| backup.objectStore[0].endpointCredentials | string | `""` | Specifies secret that contains S3 credentials, should contain the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY |
-| backup.objectStore[0].endpointURL | string | `"https://nyc3.digitaloceanspaces.com"` | Overrides the provider specific default endpoint. Defaults to: S3: https://s3.<region>.amazonaws.com" |
-| backup.objectStore[0].index | int | `1` | Generate external cluster name, uses: {{ .Release.Name }}-postgresql-<major version>-backup-index-{{ index }} |
-| backup.objectStore[0].isWALArchiver | bool | `true` | Specificies if this backup will do WALs |
-| backup.objectStore[0].name | string | `"external"` | Object store backup name |
-| backup.objectStore[0].retentionPolicy | string | `"30d"` | Retention policy for backups |
-| backup.objectStore[0].wal | object | `{"compression":"snappy","encryption":"","maxParallel":1}` | Storage |
-| backup.objectStore[0].wal.compression | string | `"snappy"` | WAL compression method. One of `` (for no compression), `gzip`, `bzip2` or `snappy`. |
-| backup.objectStore[0].wal.encryption | string | `""` | Whether to instruct the storage provider to encrypt WAL files. One of `` (use the storage container default), `AES256` or `aws:kms`. |
-| backup.objectStore[0].wal.maxParallel | int | `1` | Number of WAL files to be archived or restored in parallel. |
-| backup.scheduledBackups[0].backupName | string | `"external"` | Name of backup target |
-| backup.scheduledBackups[0].backupOwnerReference | string | `"self"` | Backup owner reference |
-| backup.scheduledBackups[0].name | string | `"daily-backup"` | Scheduled backup name |
-| backup.scheduledBackups[0].plugin | string | `"barman-cloud.cloudnative-pg.io"` | Backup method, can be `barman-cloud.cloudnative-pg.io` (default) |
-| backup.scheduledBackups[0].schedule | string | `"0 0 */3 * *"` | Schedule in cron format |
-| backup.scheduledBackups[0].suspend | bool | `false` | Temporarily stop scheduled backups from running |
+| backup.objectStore | list | `[]` | Options for object store backups |
+| backup.scheduledBackups | list | `[]` | List of scheduled backups |
 | cluster | object | `{"additionalLabels":{},"affinity":{"enablePodAntiAffinity":true,"topologyKey":"kubernetes.io/hostname"},"annotations":{},"certificates":{},"enablePDB":true,"enableSuperuserAccess":false,"image":{"repository":"ghcr.io/cloudnative-pg/postgresql","tag":"17.5-1-bullseye"},"imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"initdb":{},"instances":3,"logLevel":"info","monitoring":{"customQueries":[],"customQueriesSecret":[],"disableDefaultQueries":false,"enabled":false,"podMonitor":{"enabled":true,"metricRelabelings":[],"relabelings":[]},"prometheusRule":{"enabled":false,"excludeRules":[]}},"postgresGID":-1,"postgresUID":-1,"postgresql":{"ldap":{},"parameters":{"hot_standby_feedback":"on","max_slot_wal_keep_size":"2000MB","shared_buffers":"128MB"},"pg_hba":[],"pg_ident":[],"shared_preload_libraries":[],"synchronous":{}},"primaryUpdateMethod":"switchover","primaryUpdateStrategy":"unsupervised","priorityClassName":"","resources":{"limits":{"hugepages-2Mi":"256Mi"},"requests":{"cpu":"100m","memory":"256Mi"}},"roles":[],"serviceAccountTemplate":{},"services":{},"storage":{"size":"10Gi","storageClass":""},"superuserSecret":"","walStorage":{"enabled":true,"size":"2Gi","storageClass":""}}` | Cluster settings |
 | cluster.affinity | object | `{"enablePodAntiAffinity":true,"topologyKey":"kubernetes.io/hostname"}` | Affinity/Anti-affinity rules for Pods. See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-AffinityConfiguration |
 | cluster.certificates | object | `{}` | The configuration for the CA and related certificates. See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-CertificatesConfiguration |
@@ -85,7 +63,7 @@ Cloudnative-pg Cluster
 | nameOverride | string | `""` | Override the name of the cluster |
 | namespaceOverride | string | `""` | Override the namespace of the chart |
 | poolers | list | `[]` | List of PgBouncer poolers |
-| recovery | object | `{"backup":{"backupName":"","database":"app","owner":"","pitrTarget":{"time":""}},"import":{"databases":[],"pgDumpExtraOptions":[],"pgRestoreExtraOptions":[],"postImportApplicationSQL":[],"roles":[],"schemaOnly":false,"source":{"database":"app","host":"","passwordSecret":{"create":false,"key":"password","name":"","value":""},"port":5432,"sslCertSecret":{"key":"","name":""},"sslKeySecret":{"key":"","name":""},"sslMode":"verify-full","sslRootCertSecret":{"key":"","name":""},"username":"app"},"type":"microservice"},"method":"backup","objectStore":{"clusterName":"","data":{"compression":"snappy","encryption":"","jobs":1},"database":"app","destinationPath":"","endpointCA":{"create":false,"enabled":false,"key":"","name":""},"endpointCredentials":"","endpointURL":"","index":1,"name":"recovery","owner":"","pitrTarget":{"time":""},"wal":{"compression":"snappy","encryption":"","maxParallel":1}},"pgBaseBackup":{"database":"app","owner":"","secret":"","source":{"database":"app","host":"","passwordSecret":{"create":false,"key":"password","name":"","value":""},"port":5432,"sslCertSecret":{"key":"","name":""},"sslKeySecret":{"key":"","name":""},"sslMode":"verify-full","sslRootCertSecret":{"key":"","name":""},"username":""}}}` | Recovery settings when booting cluster from external cluster |
+| recovery | object | `{"backup":{"backupName":"","database":"app","owner":"","pitrTarget":{"time":""}},"import":{"databases":[],"pgDumpExtraOptions":[],"pgRestoreExtraOptions":[],"postImportApplicationSQL":[],"roles":[],"schemaOnly":false,"source":{"database":"app","host":"","passwordSecret":{"create":false,"key":"password","name":"","value":""},"port":5432,"sslCertSecret":{"key":"","name":""},"sslKeySecret":{"key":"","name":""},"sslMode":"verify-full","sslRootCertSecret":{"key":"","name":""},"username":"app"},"type":"microservice"},"method":"backup","objectStore":{"clusterName":"","data":{"compression":"snappy","encryption":"","jobs":1},"database":"app","destinationPath":"","endpointCA":{"create":false,"key":"","name":""},"endpointCredentials":"","endpointURL":"https://nyc3.digitaloceanspaces.com","index":1,"name":"recovery","owner":"","pitrTarget":{"time":""},"wal":{"compression":"snappy","encryption":"","maxParallel":1}},"pgBaseBackup":{"database":"app","owner":"","secret":"","source":{"database":"app","host":"","passwordSecret":{"create":false,"key":"password","name":"","value":""},"port":5432,"sslCertSecret":{"key":"","name":""},"sslKeySecret":{"key":"","name":""},"sslMode":"verify-full","sslRootCertSecret":{"key":"","name":""},"username":""}}}` | Recovery settings when booting cluster from external cluster |
 | recovery.backup.backupName | string | `""` | Name of the backup to recover from. |
 | recovery.backup.database | string | `"app"` | Name of the database used by the application. Default: `app`. |
 | recovery.backup.owner | string | `""` | Name of the owner of the database in the instance to be used by applications. Defaults to the value of the `database` key. |
@@ -110,10 +88,10 @@ Cloudnative-pg Cluster
 | recovery.objectStore.data.jobs | int | `1` | Number of data files to be archived or restored in parallel. |
 | recovery.objectStore.database | string | `"app"` | Name of the database used by the application. Default: `app`. |
 | recovery.objectStore.destinationPath | string | `""` | Overrides the provider specific default path. Defaults to: S3: s3://<bucket><path> Azure: https://<storageAccount>.<serviceName>.core.windows.net/<containerName><path> Google: gs://<bucket><path> |
-| recovery.objectStore.endpointCA | object | `{"create":false,"enabled":false,"key":"","name":""}` | Specifies a CA bundle to validate a privately signed certificate. |
+| recovery.objectStore.endpointCA | object | `{"create":false,"key":"","name":""}` | Specifies a CA bundle to validate a privately signed certificate. |
 | recovery.objectStore.endpointCA.create | bool | `false` | Creates a secret with the given value if true, otherwise uses an existing secret. |
 | recovery.objectStore.endpointCredentials | string | `""` | Specifies secret that contains S3 credentials, should contain the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY |
-| recovery.objectStore.endpointURL | string | `""` | Overrides the provider specific default endpoint. Defaults to: S3: https://s3.<region>.amazonaws.com" Leave empty if using the default S3 endpoint |
+| recovery.objectStore.endpointURL | string | `"https://nyc3.digitaloceanspaces.com"` | Overrides the provider specific default endpoint. Defaults to: S3: https://s3.<region>.amazonaws.com" Leave empty if using the default S3 endpoint |
 | recovery.objectStore.index | int | `1` | Generate external cluster name, uses: {{ .Release.Name }}-postgresql-<major version>-backup-index-{{ index }} |
 | recovery.objectStore.name | string | `"recovery"` | Object store backup name |
 | recovery.objectStore.owner | string | `""` | Name of the owner of the database in the instance to be used by applications. Defaults to the value of the `database` key. |

charts/postgres-cluster/templates/_bootstrap.tpl

@@ -131,6 +131,8 @@ externalClusters:
   - name: {{ include "cluster.recoveryServerName" . }}
     plugin:
       name: barman-cloud.cloudnative-pg.io
+      enabled: true
+      isWALArchiver: false
       parameters:
         barmanObjectName: "{{ include "cluster.name" . }}-{{ .Values.recovery.objectStore.name }}"
         serverName: {{ include "cluster.recoveryServerName" . }}

charts/postgres-cluster/templates/_helpers.tpl

@@ -80,7 +80,7 @@ Generate recovery server name
   {{- if .Values.recovery.recoveryServerName -}}
     {{- .Values.recovery.recoveryServerName -}}
   {{- else -}}
-    {{- printf "%s-backup-%s" (include "cluster.name" .) (toString .Values.recovery.recoveryIndex) | trunc 63 | trimSuffix "-" -}}
+    {{- printf "%s-backup-%s" (include "cluster.name" .) (toString .Values.recovery.objectStore.index) | trunc 63 | trimSuffix "-" -}}
   {{- end }}
 {{- end }}
 
@@ -94,3 +94,10 @@ Generate name for recovery object store credentials
     {{- printf "%s-backup-secret" (include "cluster.name" .) | trunc 63 | trimSuffix "-" -}}
   {{- end }}
 {{- end }}
+
+{{/*
+Generate name for backup object store credentials
+*/}}
+{{- define "cluster.backupCredentials" -}}
+    {{- printf "%s-backup-secret" (include "cluster.name" .) | trunc 63 | trimSuffix "-" -}}
+{{- end }}

charts/postgres-cluster/templates/cluster.yaml

@@ -19,22 +19,28 @@ spec:
   {{- end }}
   postgresUID: {{ include "cluster.postgresUID" . }}
   postgresGID: {{ include "cluster.postgresGID" . }}
-  {{ if or (and (.Values.backup.enabled) (eq .Values.backup.method "objectStore")) (eq .Values.recovery.method "objectStore") }}
+  {{ if or (eq .Values.backup.method "objectStore") (eq .Values.recovery.method "objectStore") }}
   plugins:
   {{ end }}
-  {{ if and (.Values.backup.enabled) (eq .Values.backup.method "objectStore") }}
-  {{ $context := . -}}
-  {{ range .Values.backup.objectStore -}}
+  {{- range $objectStore := .Values.backup.objectStore }}
     - name: barman-cloud.cloudnative-pg.io
-      isWALArchiver: {{ .isWALArchiver }}
+      enabled: true
+      isWALArchiver: {{ $objectStore.isWALArchiver | default true }}
       parameters:
-        barmanObjectName: "{{ include "cluster.name" $context }}-{{ .name }}-backup"
-  {{ end -}}
-  {{ end }}
+        barmanObjectName: "{{ include "cluster.name" $ }}-{{ $objectStore.name }}-backup"
+        {{- if $objectStore.clusterName }}
+        serverName: "{{ $objectStore.clusterName }}-backup-{{ $objectStore.index }}"
+        {{- else }}
+        serverName: "{{ include "cluster.name" $ }}-backup-{{ $objectStore.index }}"
+        {{- end }}
+  {{- end }}
   {{ if eq .Values.recovery.method "objectStore" }}
     - name: barman-cloud.cloudnative-pg.io
+      enabled: true
+      isWALArchiver: false
       parameters:
         barmanObjectName: "{{ include "cluster.name" . }}-{{ .Values.recovery.objectStore.name }}"
+        serverName: {{ include "cluster.recoveryServerName" . }}
   {{ end }}
   storage:
     size: {{ .Values.cluster.storage.size }}

charts/postgres-cluster/templates/object-store.yaml

@@ -10,45 +10,44 @@ metadata:
   labels:
     {{- include "cluster.labels" $context | nindent 4 }}
 spec:
-  retentionPolicy: {{ .retentionPolicy }}
+  retentionPolicy: {{ .retentionPolicy | default "30d" }}
   configuration:
-    destinationPath: {{ .destinationPath }}
-    endpointURL: {{ .endpointURL }}
-    {{ if .endpointCA.enabled }}
+    destinationPath: {{ .destinationPath | required "Destination path is required" }}
+    endpointURL: {{ .endpointURL | default "https://nyc3.digitaloceanspaces.com" }}
+    {{- if .endpointCA }}
     endpointCA:
       name: {{ .endpointCA.name }}
       key: {{ .endpointCA.key }}
-    {{ end }}
-    {{- if .clusterName }}
-    serverName: "{{ .clusterName }}-backup-{{ .index }}"
-    {{- else }}
-    serverName: "{{ include "cluster.name" $context }}-backup-{{ .index }}"
     {{- end }}
+    {{- if .wal }}
     wal:
-      compression: {{ .wal.compression }}
-      {{- with .wal.encryption}}
+      compression: {{ .wal.compression | default "snappy" }}
+      {{ with .wal.encryption }}
       encryption: {{ . }}
-      {{- end }}
-      maxParallel: {{ .wal.maxParallel }}
+      {{ end }}
+      maxParallel: {{ .wal.maxParallel | default "1" }}
+    {{- end }}
+    {{- if .wal }}
     data:
-      compression: {{ .data.compression }}
+      compression: {{ .data.compression | default "snappy"  }}
       {{- with .data.encryption }}
       encryption: {{ . }}
       {{- end }}
-      jobs: {{ .data.jobs }}
+      jobs: {{ .data.jobs | default 1 }}
+    {{- end }}
     s3Credentials:
       accessKeyId:
-        {{- if not (empty .endpointCredentials) }}
+        {{- if .endpointCredentials }}
         name: {{ .endpointCredentials }}
         {{- else }}
-        name: {{- printf "%s-backup-secret" (include "cluster.name" $context) | trunc 63 | trimSuffix "-" -}}
+        name: {{ include "cluster.backupCredentials" $context }}
         {{- end }}
         key: ACCESS_KEY_ID
       secretAccessKey:
         {{- if .endpointCredentials }}
         name: {{ .endpointCredentials }}
         {{- else }}
-        name: {{- printf "%s-backup-secret" (include "cluster.name" $context) | trunc 63 | trimSuffix "-" -}}
+        name: {{ include "cluster.backupCredentials" $context }}
         {{- end }}
         key: ACCESS_SECRET_KEY
 {{ end -}}
@@ -67,12 +66,11 @@ spec:
   configuration:
     destinationPath: {{ .Values.recovery.objectStore.destinationPath }}
     endpointURL: {{ .Values.recovery.objectStore.endpointURL }}
-    {{- if .Values.recovery.objectStore.endpointCA.enabled }}
+    {{- if .Values.recovery.objectStore.endpointCA.name }}
     endpointCA:
       name: {{ .Values.recovery.objectStore.endpointCA.name }}
       key: {{ .Values.recovery.objectStore.endpointCA.key }}
     {{- end }}
-    serverName: {{ include "cluster.recoveryServerName" . }}
     wal:
       compression: {{ .Values.recovery.objectStore.wal.compression }}
       {{- with .Values.recovery.objectStore.wal.encryption}}

charts/postgres-cluster/templates/scheduled-backup.yaml

@@ -10,15 +10,15 @@ metadata:
   labels:
     {{- include "cluster.labels" $context | nindent 4 }}
 spec:
-  immediate: true
-  suspend: {{ .suspend }}
-  schedule: {{ .schedule | quote }}
-  backupOwnerReference: {{ .backupOwnerReference }}
+  immediate: {{ .immediate | default true }}
+  suspend: {{ .suspend | default false }}
+  schedule: {{ .schedule | quote | required "Schedule is required" }}
+  backupOwnerReference: {{ .backupOwnerReference | default "self" }}
   cluster:
     name: {{ include "cluster.name" $context }}-cluster
   method: plugin
   pluginConfiguration:
-    name: {{ .plugin }}
+    name: {{ .plugin | default "barman-cloud.cloudnative-pg.io" }}
     parameters:
       barmanObjectName: "{{ include "cluster.name" $context }}-{{ .backupName }}-backup"
 {{ end -}}

charts/postgres-cluster/values.yaml

@@ -21,7 +21,7 @@ cluster:
   # -- Default image
   image:
     repository: ghcr.io/cloudnative-pg/postgresql
-    tag: "17.5-1-bullseye"
+    tag: "17.5-standard-bullseye"
 
   # -- Image pull policy. One of Always, Never or IfNotPresent. If not defined, it defaults to IfNotPresent. Cannot be updated.
   # More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
@@ -271,12 +271,10 @@ recovery:
     # -- Overrides the provider specific default endpoint. Defaults to:
     # S3: https://s3.<region>.amazonaws.com"
     # Leave empty if using the default S3 endpoint
-    endpointURL: ""
+    endpointURL: "https://nyc3.digitaloceanspaces.com"
 
     # -- Specifies a CA bundle to validate a privately signed certificate.
     endpointCA:
-      enabled: false
-
       # -- Creates a secret with the given value if true, otherwise uses an existing secret.
       create: false
 
@@ -420,93 +418,97 @@ recovery:
 backup:
 
   # -- You need to configure backups manually, so backups are disabled by default.
-  enabled: true
+  enabled: false
 
   # -- Method to create backups, options currently are only objectStore
   method: objectStore
 
   # -- Options for object store backups
-  objectStore:
-    -
-      # -- Object store backup name
-      name: external
+  objectStore: []
 
-      # -- Overrides the provider specific default path. Defaults to:
-      # S3: s3://<bucket><path>
-      # Azure: https://<storageAccount>.<serviceName>.core.windows.net/<containerName><path>
-      # Google: gs://<bucket><path>
-      destinationPath: s3://postgres-backups
+    # -
+    #   # -- Object store backup name
+    #   name: external
 
-      # -- Overrides the provider specific default endpoint. Defaults to:
-      # S3: https://s3.<region>.amazonaws.com"
-      endpointURL: https://nyc3.digitaloceanspaces.com
+    #   # -- Overrides the provider specific default path. Defaults to:
+    #   # S3: s3://<bucket><path>
+    #   # Azure: https://<storageAccount>.<serviceName>.core.windows.net/<containerName><path>
+    #   # Google: gs://<bucket><path>
+    #   destinationPath: ""
 
-      # -- Specifies a CA bundle to validate a privately signed certificate.
-      endpointCA:
-        enabled: false
+    #   # -- Overrides the provider specific default endpoint. Defaults to:
+    #   # https://nyc3.digitaloceanspaces.com
+    #   endpointURL: ""
 
-        # -- Creates a secret with the given value if true, otherwise uses an existing secret.
-        create: false
+    #   # -- Specifies a CA bundle to validate a privately signed certificate.
+    #   endpointCA:
+    #     # -- Creates a secret with the given value if true, otherwise uses an existing secret.
+    #     create: false
 
-        name: ""
-        key: ""
+    #     name: ""
+    #     key: ""
 
-      # -- Generate external cluster name, uses: {{ .Release.Name }}-postgresql-<major version>-backup-index-{{ index }}
-      index: 1
+    #   # -- Generate external cluster name, uses: {{ .Release.Name }}-postgresql-<major version>-backup-index-{{ index }}
+    #   index: 1
 
-      # -- Override the name of the backup cluster, defaults to "cluster.name"
-      clusterName: ""
+    #   # -- Override the name of the backup cluster, defaults to "cluster.name"
+    #   clusterName: ""
 
-      # -- Specifies secret that contains S3 credentials, should contain the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY
-      endpointCredentials: ""
+    #   # -- Specifies secret that contains S3 credentials, should contain the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY
+    #   endpointCredentials: ""
 
-      # -- Retention policy for backups
-      retentionPolicy: "30d"
+    #   # -- Retention policy for backups
+    #   retentionPolicy: "30d"
 
-      # -- Specificies if this backup will do WALs
-      isWALArchiver: true
+    #   # -- Specificies if this backup will do WALs
+    #   isWALArchiver: true
 
-      # -- Storage
-      wal:
+    #   # -- Storage
+    #   wal:
 
-        # -- WAL compression method. One of `` (for no compression), `gzip`, `bzip2` or `snappy`.
-        compression: snappy
+    #     # -- WAL compression method. One of `` (for no compression), `gzip`, `bzip2` or `snappy`.
+    #     compression: snappy
 
-        # -- Whether to instruct the storage provider to encrypt WAL files. One of `` (use the storage container default), `AES256` or `aws:kms`.
-        encryption: ""
+    #     # -- Whether to instruct the storage provider to encrypt WAL files. One of `` (use the storage container default), `AES256` or `aws:kms`.
+    #     encryption: ""
 
-        # -- Number of WAL files to be archived or restored in parallel.
-        maxParallel: 1
+    #     # -- Number of WAL files to be archived or restored in parallel.
+    #     maxParallel: 1
 
-      data:
-        # -- Data compression method. One of `` (for no compression), `gzip`, `bzip2` or `snappy`.
-        compression: snappy
+    #   data:
+    #     # -- Data compression method. One of `` (for no compression), `gzip`, `bzip2` or `snappy`.
+    #     compression: snappy
 
-        # -- Whether to instruct the storage provider to encrypt data files. One of `` (use the storage container default), `AES256` or `aws:kms`.
-        encryption: ""
+    #     # -- Whether to instruct the storage provider to encrypt data files. One of `` (use the storage container default), `AES256` or `aws:kms`.
+    #     encryption: ""
 
-        # -- Number of data files to be archived or restored in parallel.
-        jobs: 1
+    #     # -- Number of data files to be archived or restored in parallel.
+    #     jobs: 1
 
-  scheduledBackups:
-    -
-      # -- Scheduled backup name
-      name: daily-backup
+  # -- List of scheduled backups
+  scheduledBackups: []
 
-      # -- Schedule in cron format
-      schedule: "0 0 */3 * *"
+    # -
+    #   # -- Scheduled backup name
+    #   name: daily-backup
 
-      # -- Temporarily stop scheduled backups from running
-      suspend: false
+    #   # -- Schedule in cron format
+    #   schedule: "0 0 0 * * *"
 
-      # -- Backup owner reference
-      backupOwnerReference: self
+    #   # -- Start backup on deployment
+    #   immediate: false
 
-      # -- Backup method, can be `barman-cloud.cloudnative-pg.io` (default)
-      plugin: barman-cloud.cloudnative-pg.io
+    #   # -- Temporarily stop scheduled backups from running
+    #   suspend: false
 
-      # -- Name of backup target
-      backupName: external
+    #   # -- Backup owner reference
+    #   backupOwnerReference: self
+
+    #   # -- Backup method, can be `barman-cloud.cloudnative-pg.io` (default)
+    #   plugin: barman-cloud.cloudnative-pg.io
+
+    #   # -- Name of backup target
+    #   backupName: external
 
 # -- List of PgBouncer poolers
 poolers: []

renovate.json

@@ -19,7 +19,14 @@
             "addLabels": [
                 "chart"
             ],
-            "automerge": false
+            "automerge": false,
+            "bumpVersions": [
+                {
+                "filePatterns": ["{{packageFileDir}}/Chart.{yaml,yml}"],
+                "matchStrings": ["version:\\s(?<version>[^\\s]+)"],
+                "bumpType": "{{#if isPatch}}patch{{else}}minor{{/if}}"
+                }
+            ]
         },
         {
             "description": "Label images",
@@ -29,7 +36,14 @@
             "addLabels": [
                 "image"
             ],
-            "automerge": false
+            "automerge": false,
+            "bumpVersions": [
+                {
+                "filePatterns": ["{{packageFileDir}}/Chart.{yaml,yml}"],
+                "matchStrings": ["version:\\s(?<version>[^\\s]+)"],
+                "bumpType": "{{#if isPatch}}patch{{else}}minor{{/if}}"
+                }
+            ]
         },
         {
             "description": "CNPG image",
@@ -43,7 +57,14 @@
                 "image"
             ],
             "automerge": false,
-            "versioning": "deb"
+            "versioning": "deb",
+            "bumpVersions": [
+                {
+                "filePatterns": ["{{packageFileDir}}/Chart.{yaml,yml}"],
+                "matchStrings": ["version:\\s(?<version>[^\\s]+)"],
+                "bumpType": "{{#if isPatch}}patch{{else}}minor{{/if}}"
+                }
+            ]
         }
     ]
 }