change default retention

.gitea/workflows/lint-test.yaml

@@ -170,7 +170,13 @@ jobs:
             helm dependency list --max-col-width 120 charts/$dir 2> /dev/null \
               | tail +2 | head -n -1 \
               | awk '{ print "helm repo add " $1 " " $3 }' \
-              | while read cmd; do echo "$cmd" | sh; done || true
+              | while read cmd; do
+                if [[ "$cmd" == "*oci://*" ]]; then
+                  echo ">> Ignoring OCI repo"
+                else
+                  echo "$cmd" | sh;
+                fi
+              done || true
           done
 
           if helm repo list | tail +2 | read -r; then

.gitea/workflows/release-charts-redis-replication.yml

@@ -0,0 +1,128 @@
+name: release-charts-redis-replication
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "charts/redis-replication/**"
+
+  workflow_dispatch:
+
+env:
+  WORKFLOW_DIR: "charts/redis-replication"
+
+jobs:
+  release:
+    runs-on: ubuntu-js
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          token: ${{ secrets.GITEA_TOKEN }}
+          version: v3.19.2
+
+      - name: Add Repositories
+        run: |
+          cd ${WORKFLOW_DIR}
+
+          echo ">> Adding repositories for chart dependencies ..."
+          helm dependency list --max-col-width 120 2> /dev/null \
+            | tail +2 | head -n -1 \
+            | awk '{ print "helm repo add " $1 " " $3 }' \
+            | while read cmd; do echo "$cmd" | sh; done || true
+
+          if helm repo list | tail +2 | read -r; then
+            echo ">> Update repository cache ..."
+            helm repo update
+          fi
+
+          echo "----"
+
+      - name: Package Helm Chart
+        run: |
+          cd ${WORKFLOW_DIR}
+
+          echo ">> Building helm dependency ..."
+          helm dependency build --skip-refresh --debug
+
+          echo "----"
+
+          echo "PACKAGE_PATH=$(helm package . | awk '{print $NF}')" >> $GITEA_ENV
+
+      - name: Publish Helm Chart to Harbor
+        run: |
+          echo ">> Logging into Harbor ..."
+          helm registry login ${{ vars.REGISTRY_HOST }} -u ${{ vars.REGISTRY_USER }} -p ${{ secrets.REGISTRY_SECRET }} --debug
+
+          echo ""
+          echo ">> Publishing chart to Harbor ..."
+          helm push ${{ env.PACKAGE_PATH }} oci://${{ vars.REGISTRY_HOST }}/helm-charts --debug
+
+          echo "----"
+
+      - name: Publish Helm Chart to Gitea
+        run: |
+          echo ">> Installing Chart Museum plugin ..."
+          helm plugin install https://github.com/chartmuseum/helm-push --debug
+
+          echo ""
+          echo ">> Adding Gitea repository ..."
+          helm repo add --username ${{ gitea.actor }} --password ${{ secrets.REPOSITORY_TOKEN }} helm-charts https://${{ vars.REPOSITORY_HOST }}/api/packages/alexlebens/helm --debug
+
+          echo ""
+          echo ">> Pushing chart to gitea"
+          helm cm-push ${{ env.PACKAGE_PATH }} helm-charts --debug
+
+      - name: Extract Chart Metadata
+        run: |
+          cd ${WORKFLOW_DIR}
+
+          echo ">> Adding Chart metadata to workflow ENV ..."
+          echo ""
+          echo ">> Chart Version: $(yq '.version' Chart.yaml)"
+          echo ">> Chart Name: $(yq '.name' Chart.yaml)"
+
+          echo "----"
+
+          echo "CHART_VERSION=$(yq '.version' Chart.yaml)" >> $GITEA_ENV
+          echo "CHART_NAME=$(yq '.name' Chart.yaml)" >> $GITEA_ENV
+
+      - name: Release Helm Chart
+        uses: akkuman/gitea-release-action@v1
+        with:
+          name: ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}
+          tag_name: ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}
+          files: |-
+            ${{ env.PACKAGE_PATH }}
+
+      - name: ntfy Success
+        uses: niniyas/ntfy-action@master
+        if: success()
+        with:
+          url: '${{ secrets.NTFY_URL }}'
+          topic: '${{ secrets.NTFY_TOPIC }}'
+          title: 'Release Success - ${{ env.CHART_NAME }}'
+          priority: 3
+          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+          tags: action,successfully,completed
+          details: 'Helm Chart ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }} has been released!'
+          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
+
+      - name: ntfy Failed
+        uses: niniyas/ntfy-action@master
+        if: failure()
+        with:
+          url: '${{ secrets.NTFY_URL }}'
+          topic: '${{ secrets.NTFY_TOPIC }}'
+          title: 'Release Failure - ${{ env.CHART_NAME }}'
+          priority: 4
+          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+          tags: action,failed
+          details: 'Helm Chart ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }} has failed to be released.'
+          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
+          actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/helm-charts/actions?workflow=release-charts-redis-replication.yml", "clear": true}]'
+          image: true

.gitea/workflows/release-charts-volsync-target.yml

@@ -0,0 +1,128 @@
+name: release-charts-volsync-target
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "charts/volsync-target/**"
+
+  workflow_dispatch:
+
+env:
+  WORKFLOW_DIR: "charts/volsync-target"
+
+jobs:
+  release:
+    runs-on: ubuntu-js
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          token: ${{ secrets.GITEA_TOKEN }}
+          version: v3.19.2
+
+      - name: Add Repositories
+        run: |
+          cd ${WORKFLOW_DIR}
+
+          echo ">> Adding repositories for chart dependencies ..."
+          helm dependency list --max-col-width 120 2> /dev/null \
+            | tail +2 | head -n -1 \
+            | awk '{ print "helm repo add " $1 " " $3 }' \
+            | while read cmd; do echo "$cmd" | sh; done || true
+
+          if helm repo list | tail +2 | read -r; then
+            echo ">> Update repository cache ..."
+            helm repo update
+          fi
+
+          echo "----"
+
+      - name: Package Helm Chart
+        run: |
+          cd ${WORKFLOW_DIR}
+
+          echo ">> Building helm dependency ..."
+          helm dependency build --skip-refresh --debug
+
+          echo "----"
+
+          echo "PACKAGE_PATH=$(helm package . | awk '{print $NF}')" >> $GITEA_ENV
+
+      - name: Publish Helm Chart to Harbor
+        run: |
+          echo ">> Logging into Harbor ..."
+          helm registry login ${{ vars.REGISTRY_HOST }} -u ${{ vars.REGISTRY_USER }} -p ${{ secrets.REGISTRY_SECRET }} --debug
+
+          echo ""
+          echo ">> Publishing chart to Harbor ..."
+          helm push ${{ env.PACKAGE_PATH }} oci://${{ vars.REGISTRY_HOST }}/helm-charts --debug
+
+          echo "----"
+
+      - name: Publish Helm Chart to Gitea
+        run: |
+          echo ">> Installing Chart Museum plugin ..."
+          helm plugin install https://github.com/chartmuseum/helm-push --debug
+
+          echo ""
+          echo ">> Adding Gitea repository ..."
+          helm repo add --username ${{ gitea.actor }} --password ${{ secrets.REPOSITORY_TOKEN }} helm-charts https://${{ vars.REPOSITORY_HOST }}/api/packages/alexlebens/helm --debug
+
+          echo ""
+          echo ">> Pushing chart to gitea"
+          helm cm-push ${{ env.PACKAGE_PATH }} helm-charts --debug
+
+      - name: Extract Chart Metadata
+        run: |
+          cd ${WORKFLOW_DIR}
+
+          echo ">> Adding Chart metadata to workflow ENV ..."
+          echo ""
+          echo ">> Chart Version: $(yq '.version' Chart.yaml)"
+          echo ">> Chart Name: $(yq '.name' Chart.yaml)"
+
+          echo "----"
+
+          echo "CHART_VERSION=$(yq '.version' Chart.yaml)" >> $GITEA_ENV
+          echo "CHART_NAME=$(yq '.name' Chart.yaml)" >> $GITEA_ENV
+
+      - name: Release Helm Chart
+        uses: akkuman/gitea-release-action@v1
+        with:
+          name: ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}
+          tag_name: ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}
+          files: |-
+            ${{ env.PACKAGE_PATH }}
+
+      - name: ntfy Success
+        uses: niniyas/ntfy-action@master
+        if: success()
+        with:
+          url: '${{ secrets.NTFY_URL }}'
+          topic: '${{ secrets.NTFY_TOPIC }}'
+          title: 'Release Success - ${{ env.CHART_NAME }}'
+          priority: 3
+          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+          tags: action,successfully,completed
+          details: 'Helm Chart ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }} has been released!'
+          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
+
+      - name: ntfy Failed
+        uses: niniyas/ntfy-action@master
+        if: failure()
+        with:
+          url: '${{ secrets.NTFY_URL }}'
+          topic: '${{ secrets.NTFY_TOPIC }}'
+          title: 'Release Failure - ${{ env.CHART_NAME }}'
+          priority: 4
+          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+          tags: action,failed
+          details: 'Helm Chart ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }} has failed to be released.'
+          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
+          actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/helm-charts/actions?workflow=release-charts-volsync-target.yml", "clear": true}]'
+          image: true

.github/workflows/release-charts.yml

@@ -23,6 +23,16 @@ jobs:
           git config user.name "$GITHUB_ACTOR"
           git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
 
+      - name: Add Repositories
+        run: |
+          echo ">> Adding repositories for chart dependencies ..."
+          for dir in $(ls -d charts/*/); do
+            helm dependency list $dir --max-col-width 120 2> /dev/null \
+              | tail +2 | head -n -1 \
+              | awk '{ print "helm repo add " $1 " " $3 }' \
+              | while read cmd; do echo "$cmd" | sh; done || true
+          done
+
       - name: Run chart-releaser
         uses: helm/chart-releaser-action@v1.7.0
         env:

charts/cloudflared/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: cloudflared
-version: 1.23.2
+version: 2.1.4
 description: Cloudflared Tunnel
 keywords:
   - cloudflare

charts/cloudflared/README.md

@@ -1,6 +1,6 @@
 # cloudflared
 
-![Version: 1.23.2](https://img.shields.io/badge/Version-1.23.2-informational?style=flat-square) ![AppVersion: 2025.11.1](https://img.shields.io/badge/AppVersion-2025.11.1-informational?style=flat-square)
+![Version: 2.1.4](https://img.shields.io/badge/Version-2.1.4-informational?style=flat-square) ![AppVersion: 2025.11.1](https://img.shields.io/badge/AppVersion-2025.11.1-informational?style=flat-square)
 
 Cloudflared Tunnel
 
@@ -25,11 +25,14 @@ Cloudflared Tunnel
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| existingSecretKey | string | `"cf-tunnel-token"` | Name of key that contains the token in the existingSecret |
-| existingSecretName | string | `"cloudflared-secret"` | Name of existing secret that contains Cloudflare token |
 | image | object | `{"pullPolicy":"IfNotPresent","repository":"cloudflare/cloudflared","tag":"2025.11.1"}` | Default image |
-| name | string | `"cloudflared"` | Name override of release |
+| name | string | `""` | Name override of release |
 | resources | object | `{"requests":{"cpu":"10m","memory":"128Mi"}}` | Default resources |
+| secret | object | `{"existingSecret":{"key":"cf-tunnel-token","name":"cloudflared-secret"},"externalSecret":{"additionalLabels":{},"enabled":true,"nameOverride":"","store":{"name":"vault","path":"/cloudflare/tunnels","property":"token"}}}` | Secret configuration |
+| secret.existingSecret | object | `{"key":"cf-tunnel-token","name":"cloudflared-secret"}` | Name of existing secret that contains Cloudflare token |
+| secret.externalSecret | object | `{"additionalLabels":{},"enabled":true,"nameOverride":"","store":{"name":"vault","path":"/cloudflare/tunnels","property":"token"}}` | External Secret configuration |
+| secret.externalSecret.additionalLabels | object | `{}` | Add additional labels |
+| secret.externalSecret.store | object | `{"name":"vault","path":"/cloudflare/tunnels","property":"token"}` | Cluster store config |
 
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

charts/cloudflared/templates/_helpers.tpl

@@ -0,0 +1,86 @@
+{{/*
+Generate the root name
+*/}}
+{{- define "cloudflared.name" -}}
+  {{- if .Values.name }}
+    {{- printf "%s-cloudflared" .Values.name -}}
+  {{- else }}
+    {{- printf "cloudflared" -}}
+  {{- end }}
+{{- end }}
+
+{{/*
+Generate the secret name
+*/}}
+{{- define "secret.name" -}}
+  {{- if .Values.secret.externalSecret.enabled }}
+    {{- if .Values.secret.externalSecret.nameOverride }}
+      {{- .Values.secret.externalSecret.nameOverride | trunc 63 | trimSuffix "-" }}
+    {{- else }}
+      {{- printf "%s-%s-secret" .Release.Name (include "cloudflared.name" .) -}}
+    {{- end }}
+  {{- else if .Values.secret.existingSecret.name }}
+    {{- printf "%s" .Values.secret.existingSecret.name -}}
+  {{- else }}
+    {{ fail "No Secret Name Found!" }}
+  {{- end }}
+{{- end }}
+
+{{/*
+Generate the name of the secret key
+*/}}
+{{- define "secret.key" -}}
+  {{- if .Values.secret.externalSecret.enabled }}
+    {{- printf "cf-tunnel-token" -}}
+  {{- else if .Values.secret.existingSecret.key }}
+    {{- printf "%s" .Values.secret.existingSecret.key -}}
+  {{- else }}
+    {{ fail "No Secret Key Found!" }}
+  {{- end }}
+{{- end }}
+
+{{/*
+Generate path in the secret store
+*/}}
+{{- define "secret.path" -}}
+  {{- if and (.Values.secret.externalSecret.enabled) (.Values.secret.externalSecret.store.path) }}
+    {{- if .Values.name }}
+      {{- printf "%s/%s-%s" .Values.secret.externalSecret.store.path .Release.Name .Values.name -}}
+    {{- else }}
+      {{- printf "%s/%s" .Values.secret.externalSecret.store.path .Release.Name -}}
+    {{- end }}
+  {{- else }}
+    {{ fail "No Secret Store Path Found!" }}
+  {{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "secret.chart" -}}
+  {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "secret.labels" -}}
+helm.sh/chart: {{ include "secret.chart" $ }}
+{{ include "secret.selectorLabels" $ }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.Version | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/name: {{ include "secret.name" . }}
+{{- with .Values.secret.externalSecret.additionalLabels }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "secret.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

charts/cloudflared/templates/common.yaml

@@ -1,10 +1,9 @@
 {{- include "bjw-s.common.loader.init" . }}
 
 {{- define "cloudflared.hardcodedValues" -}}
-{{ if not .Values.global.nameOverride }}
 global:
-  nameOverride: {{ .Values.name }}
-{{ end }}
+  nameOverride: {{ include "cloudflared.name" . }}
+  fullNameOverride: {{ include "cloudflared.name" . }}
 controllers:
   main:
     type: deployment
@@ -27,8 +26,8 @@ controllers:
           - name: CF_MANAGED_TUNNEL_TOKEN
             valueFrom:
               secretKeyRef:
-                name: {{ .Values.existingSecretName }}
-                key: {{ .Values.existingSecretKey }}
+                name: {{ include "secret.name" . }}
+                key: {{ include "secret.key" . }}
         resources:
         {{- with .Values.resources }}
         resources:

charts/cloudflared/templates/external-secret.yaml

@@ -0,0 +1,23 @@
+{{- if .Values.secret.externalSecret.enabled }}
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: {{ include "secret.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "secret.labels" . | nindent 4 }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: {{ .Values.secret.externalSecret.store.name | required "External Secret store name is required" }}
+  data:
+    - secretKey: {{ include "secret.key" . }}
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ include "secret.path" . }}
+        metadataPolicy: None
+        property: {{ .Values.secret.externalSecret.store.property | required "External Secret store property is required" }}
+
+{{- end }}

charts/cloudflared/values.yaml

@@ -1,11 +1,27 @@
 # -- Name override of release
-name: cloudflared
+name: ""
+
+# -- Secret configuration
+secret:
+
+  # -- External Secret configuration
+  externalSecret:
+    enabled: true
+    nameOverride: ""
+
+    # -- Cluster store config
+    store:
+      name: vault
+      path: /cloudflare/tunnels
+      property: token
+
+    # -- Add additional labels
+    additionalLabels: {}
 
   # -- Name of existing secret that contains Cloudflare token
-existingSecretName: cloudflared-secret
-
-# -- Name of key that contains the token in the existingSecret
-existingSecretKey: cf-tunnel-token
+  existingSecret:
+    name: cloudflared-secret
+    key: cf-tunnel-token
 
 # -- Default image
 image:

charts/generic-device-plugin/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: generic-device-plugin
-version: 0.20.7
+version: 0.20.9
 description: Generic Device Plugin
 keywords:
   - generic-device-plugin

charts/generic-device-plugin/README.md

@@ -1,6 +1,6 @@
 # generic-device-plugin
 
-![Version: 0.20.6](https://img.shields.io/badge/Version-0.20.6-informational?style=flat-square) ![AppVersion: 0.20.4](https://img.shields.io/badge/AppVersion-0.20.4-informational?style=flat-square)
+![Version: 0.20.8](https://img.shields.io/badge/Version-0.20.8-informational?style=flat-square) ![AppVersion: 0.20.4](https://img.shields.io/badge/AppVersion-0.20.4-informational?style=flat-square)
 
 Generic Device Plugin
 
@@ -28,7 +28,7 @@ Generic Device Plugin
 | config | object | `{"data":"devices:\n  - name: serial\n    groups:\n      - paths:\n          - path: /dev/ttyUSB*\n      - paths:\n          - path: /dev/ttyACM*\n      - paths:\n          - path: /dev/tty.usb*\n      - paths:\n          - path: /dev/cu.*\n      - paths:\n          - path: /dev/cuaU*\n      - paths:\n          - path: /dev/rfcomm*\n  - name: video\n    groups:\n      - paths:\n          - path: /dev/video0\n  - name: fuse\n    groups:\n      - count: 10\n        paths:\n          - path: /dev/fuse\n  - name: audio\n    groups:\n      - count: 10\n        paths:\n          - path: /dev/snd\n  - name: capture\n    groups:\n      - paths:\n          - path: /dev/snd/controlC0\n          - path: /dev/snd/pcmC0D0c\n      - paths:\n          - path: /dev/snd/controlC1\n            mountPath: /dev/snd/controlC0\n          - path: /dev/snd/pcmC1D0c\n            mountPath: /dev/snd/pcmC0D0c\n      - paths:\n          - path: /dev/snd/controlC2\n            mountPath: /dev/snd/controlC0\n          - path: /dev/snd/pcmC2D0c\n            mountPath: /dev/snd/pcmC0D0c\n      - paths:\n          - path: /dev/snd/controlC3\n            mountPath: /dev/snd/controlC0\n          - path: /dev/snd/pcmC3D0c\n            mountPath: /dev/snd/pcmC0D0c\n","enabled":true}` | Config map |
 | config.data | string | See [values.yaml](./values.yaml) | generic-device-plugin config file [[ref]](https://github.com/squat/generic-device-plugin#usage) |
 | deviceDomain | string | `"devic.es"` | Domain used by devices for identifcation |
-| image | object | `{"pullPolicy":"Always","repository":"ghcr.io/squat/generic-device-plugin","tag":"latest@sha256:d64b1c851b534de348bcd3189555a22d3966e6592fc79d2a78abfff4f6c1a2e1"}` | Default image |
+| image | object | `{"pullPolicy":"Always","repository":"ghcr.io/squat/generic-device-plugin","tag":"latest@sha256:29a59a330b93ed4173109839329796a39c528d0d0afeee76291b33787ae19001"}` | Default image |
 | name | string | `"generic-device-plugin"` | Name override of release |
 | resources | object | `{"requests":{"cpu":"50m","memory":"10Mi"}}` | Default resources |
 | service | object | `{"listenPort":8080}` | Service port |

charts/generic-device-plugin/values.yaml

@@ -4,7 +4,7 @@ name: generic-device-plugin
 # -- Default image
 image:
   repository: ghcr.io/squat/generic-device-plugin
-  tag: latest@sha256:aa0571c7f461fb99747ada00f2de69eb856dcbbc0e87965fffe37a15f7bc006f
+  tag: latest@sha256:2b53d255017668d70d7f59ff0b874a66c3a50922d1f8cfff182e4c55b82251a1
   pullPolicy: Always
 
 # -- Domain used by devices for identifcation

charts/postgres-cluster/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: postgres-cluster
-version: 7.1.0
+version: 7.4.1
 description: Cloudnative-pg Cluster
 keywords:
   - database

charts/postgres-cluster/README.md

@@ -1,6 +1,6 @@
 # postgres-cluster
 
-![Version: 7.1.0](https://img.shields.io/badge/Version-7.1.0-informational?style=flat-square) ![AppVersion: v1.28.0](https://img.shields.io/badge/AppVersion-v1.28.0-informational?style=flat-square)
+![Version: 7.4.1](https://img.shields.io/badge/Version-7.4.1-informational?style=flat-square) ![AppVersion: v1.28.0](https://img.shields.io/badge/AppVersion-v1.28.0-informational?style=flat-square)
 
 Cloudnative-pg Cluster
 
@@ -19,11 +19,12 @@ Cloudnative-pg Cluster
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| backup | object | `{"method":"objectStore","objectStore":[],"scheduledBackups":[]}` | Backup settings |
+| backup | object | `{"externalSecret":{"enabled":true},"method":"objectStore","objectStore":[{"destinationBucket":"postres-backups","externalSecretCredentialPath":"/garage/home-infra/postgres-backups","index":1,"isWALArchiver":true,"name":"garage-local"}],"scheduledBackups":[]}` | Backup settings |
+| backup.externalSecret | object | `{"enabled":true}` | Use generated External Secrets, credentialPath points at path in cluster store that contains the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY |
 | backup.method | string | `"objectStore"` | Method to create backups, options currently are only objectStore |
-| backup.objectStore | list | `[]` | Options for object store backups |
+| backup.objectStore | list | `[{"destinationBucket":"postres-backups","externalSecretCredentialPath":"/garage/home-infra/postgres-backups","index":1,"isWALArchiver":true,"name":"garage-local"}]` | Options for object store backups |
 | backup.scheduledBackups | list | `[]` | List of scheduled backups |
-| cluster | object | `{"additionalLabels":{},"affinity":{"enablePodAntiAffinity":true,"topologyKey":"kubernetes.io/hostname"},"annotations":{},"certificates":{},"enablePDB":true,"enableSuperuserAccess":false,"image":{"repository":"ghcr.io/cloudnative-pg/postgresql","tag":"18.1-standard-trixie"},"imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"initdb":{"database":"app","owner":"app"},"instances":3,"logLevel":"info","monitoring":{"customQueries":[],"customQueriesSecret":[],"disableDefaultQueries":false,"enabled":true,"podMonitor":{"enabled":true,"metricRelabelings":[],"relabelings":[]},"prometheusRule":{"enabled":true,"excludeRules":["CNPGClusterLastFailedArchiveTimeWarning"]}},"postgresGID":-1,"postgresUID":-1,"postgresql":{"ldap":{},"parameters":{"hot_standby_feedback":"on","max_slot_wal_keep_size":"2000MB","shared_buffers":"128MB"},"pg_hba":[],"pg_ident":[],"shared_preload_libraries":[],"synchronous":{}},"primaryUpdateMethod":"switchover","primaryUpdateStrategy":"unsupervised","priorityClassName":"","resources":{"limits":{"hugepages-2Mi":"256Mi"},"requests":{"cpu":"100m","memory":"256Mi"}},"roles":[],"serviceAccountTemplate":{},"services":{},"storage":{"size":"10Gi","storageClass":""},"superuserSecret":"","walStorage":{"enabled":true,"size":"2Gi","storageClass":""}}` | Cluster settings |
+| cluster | object | `{"additionalLabels":{},"affinity":{"enablePodAntiAffinity":true,"topologyKey":"kubernetes.io/hostname"},"annotations":{},"certificates":{},"enablePDB":true,"enableSuperuserAccess":false,"image":{"repository":"ghcr.io/cloudnative-pg/postgresql","tag":"18.1-standard-trixie"},"imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"initdb":{"database":"app","owner":"app"},"instances":3,"logLevel":"info","monitoring":{"customQueries":[],"customQueriesSecret":[],"disableDefaultQueries":false,"enabled":true,"podMonitor":{"enabled":true,"metricRelabelings":[],"relabelings":[]},"prometheusRule":{"enabled":true,"excludeRules":["CNPGClusterLastFailedArchiveTimeWarning"]}},"postgresGID":-1,"postgresUID":-1,"postgresql":{"ldap":{},"parameters":{"hot_standby_feedback":"on","max_slot_wal_keep_size":"2000MB","shared_buffers":"128MB"},"pg_hba":[],"pg_ident":[],"shared_preload_libraries":[],"synchronous":{}},"primaryUpdateMethod":"switchover","primaryUpdateStrategy":"unsupervised","priorityClassName":"","resources":{"limits":{"hugepages-2Mi":"256Mi"},"requests":{"cpu":"100m","memory":"256Mi"}},"roles":[],"serviceAccountTemplate":{},"services":{},"storage":{"size":"10Gi","storageClass":"local-path"},"superuserSecret":"","walStorage":{"enabled":true,"size":"2Gi","storageClass":"local-path"}}` | Cluster settings |
 | cluster.affinity | object | `{"enablePodAntiAffinity":true,"topologyKey":"kubernetes.io/hostname"}` | Affinity/Anti-affinity rules for Pods. See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-AffinityConfiguration |
 | cluster.certificates | object | `{}` | The configuration for the CA and related certificates. See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-CertificatesConfiguration |
 | cluster.enablePDB | bool | `true` | Allow to disable PDB, mainly useful for upgrade of single-instance clusters or development purposes See: https://cloudnative-pg.io/documentation/current/kubernetes_upgrade/#pod-disruption-budgets |
@@ -57,13 +58,14 @@ Cloudnative-pg Cluster
 | cluster.roles | list | `[]` | This feature enables declarative management of existing roles, as well as the creation of new roles if they are not already present in the database. See: https://cloudnative-pg.io/documentation/current/declarative_role_management/ |
 | cluster.serviceAccountTemplate | object | `{}` | Configure the metadata of the generated service account |
 | cluster.services | object | `{}` | Customization of service definitions. Please refer to https://cloudnative-pg.io/documentation/current/service_management/ |
-| cluster.storage | object | `{"size":"10Gi","storageClass":""}` | Default storage size |
+| cluster.storage | object | `{"size":"10Gi","storageClass":"local-path"}` | Default storage size |
 | databases | list | `[]` | Database management configuration |
+| kubernetesClusterName | string | `"cl01tl"` | Kubernetes cluster name |
 | mode | string | `"standalone"` | Cluster mode of operation. Available modes: * `standalone` - Default mode. Creates new or updates an existing CNPG cluster. * `recovery` - Same as standalone but creates a cluster from a backup, object store or via pg_basebackup |
 | nameOverride | string | `""` | Override the name of the cluster |
 | namespaceOverride | string | `""` | Override the namespace of the chart |
 | poolers | list | `[]` | List of PgBouncer poolers |
-| recovery | object | `{"backup":{"backupName":"","database":"app","owner":"","pitrTarget":{"time":""}},"import":{"databases":[],"pgDumpExtraOptions":[],"pgRestoreExtraOptions":[],"postImportApplicationSQL":[],"roles":[],"schemaOnly":false,"source":{"database":"app","host":"","passwordSecret":{"create":false,"key":"password","name":"","value":""},"port":5432,"sslCertSecret":{"key":"","name":""},"sslKeySecret":{"key":"","name":""},"sslMode":"verify-full","sslRootCertSecret":{"key":"","name":""},"username":"app"},"type":"microservice"},"method":"backup","objectStore":{"clusterName":"","data":{"compression":"snappy","encryption":"","jobs":1},"database":"app","destinationPath":"","endpointCA":{"create":false,"key":"","name":""},"endpointCredentials":"","endpointURL":"https://nyc3.digitaloceanspaces.com","index":1,"name":"recovery","owner":"","pitrTarget":{"time":""},"wal":{"compression":"snappy","encryption":"","maxParallel":1}},"pgBaseBackup":{"database":"app","owner":"","secret":"","source":{"database":"app","host":"","passwordSecret":{"create":false,"key":"password","name":"","value":""},"port":5432,"sslCertSecret":{"key":"","name":""},"sslKeySecret":{"key":"","name":""},"sslMode":"disable","sslRootCertSecret":{"key":"","name":""},"username":""}}}` | Recovery settings when booting cluster from external cluster |
+| recovery | object | `{"backup":{"backupName":"","database":"app","owner":"","pitrTarget":{"time":""}},"import":{"databases":[],"pgDumpExtraOptions":[],"pgRestoreExtraOptions":[],"postImportApplicationSQL":[],"roles":[],"schemaOnly":false,"source":{"database":"app","host":"","passwordSecret":{"create":false,"key":"password","name":"","value":""},"port":5432,"sslCertSecret":{"key":"","name":""},"sslKeySecret":{"key":"","name":""},"sslMode":"verify-full","sslRootCertSecret":{"key":"","name":""},"username":"app"},"type":"microservice"},"method":"backup","objectStore":{"clusterName":"","data":{"compression":"snappy","encryption":"","jobs":1},"database":"app","destinationBucket":"postgres-backups","destinationPathOverride":"","endpointCA":{"create":false,"key":"","name":""},"endpointCredentials":"","endpointCredentialsIncludeRegion":true,"endpointURL":"http://garage-main.garage:3900","externalSecret":{"credentialPath":"/garage/home-infra/postgres-backups","enabled":true},"index":1,"owner":"","pitrTarget":{"time":""},"wal":{"compression":"snappy","encryption":"","maxParallel":1}}}` | Recovery settings when booting cluster from external cluster |
 | recovery.backup.backupName | string | `""` | Name of the backup to recover from. |
 | recovery.backup.database | string | `"app"` | Name of the database used by the application. Default: `app`. |
 | recovery.backup.owner | string | `""` | Name of the owner of the database in the instance to be used by applications. Defaults to the value of the `database` key. |
@@ -81,19 +83,21 @@ Cloudnative-pg Cluster
 | recovery.import.source.passwordSecret.name | string | `""` | Name of the secret containing the password |
 | recovery.import.source.passwordSecret.value | string | `""` | The password value to use when creating the secret |
 | recovery.import.type | string | `"microservice"` | One of `microservice` or `monolith.` See: https://cloudnative-pg.io/documentation/current/database_import/#how-it-works |
-| recovery.method | string | `"backup"` | Available recovery methods: * `backup` - Recovers a CNPG cluster from a CNPG backup (PITR supported) Needs to be on the same cluster in the same namespace. * `objectStore` - Recovers a CNPG cluster from a barman object store (PITR supported). * `pgBaseBackup` - Recovers a CNPG cluster viaa streaming replication protocol. Useful if you want to        migrate databases to CloudNativePG, even from outside Kubernetes. * `import` - Import one or more databases from an existing Postgres cluster. |
+| recovery.method | string | `"backup"` | Available recovery methods: * `backup` - Recovers a CNPG cluster from a CNPG backup (PITR supported) Needs to be on the same cluster in the same namespace. * `objectStore` - Recovers a CNPG cluster from a barman object store (PITR supported). * `import` - Import one or more databases from an existing Postgres cluster. |
 | recovery.objectStore.clusterName | string | `""` | Override the name of the backup cluster, defaults to "cluster.name" |
 | recovery.objectStore.data.compression | string | `"snappy"` | Data compression method. One of `` (for no compression), `gzip`, `bzip2` or `snappy`. |
 | recovery.objectStore.data.encryption | string | `""` | Whether to instruct the storage provider to encrypt data files. One of `` (use the storage container default), `AES256` or `aws:kms`. |
 | recovery.objectStore.data.jobs | int | `1` | Number of data files to be archived or restored in parallel. |
 | recovery.objectStore.database | string | `"app"` | Name of the database used by the application. Default: `app`. |
-| recovery.objectStore.destinationPath | string | `""` | Overrides the provider specific default path. Defaults to: S3: s3://<bucket><path> Azure: https://<storageAccount>.<serviceName>.core.windows.net/<containerName><path> Google: gs://<bucket><path> |
+| recovery.objectStore.destinationBucket | string | `"postgres-backups"` | Desitination bucket |
+| recovery.objectStore.destinationPathOverride | string | `""` | Overrides the provider specific default path. Defaults to: S3: s3://<bucket><path> Azure: https://<storageAccount>.<serviceName>.core.windows.net/<containerName><path> Google: gs://<bucket><path> |
 | recovery.objectStore.endpointCA | object | `{"create":false,"key":"","name":""}` | Specifies a CA bundle to validate a privately signed certificate. |
 | recovery.objectStore.endpointCA.create | bool | `false` | Creates a secret with the given value if true, otherwise uses an existing secret. |
-| recovery.objectStore.endpointCredentials | string | `""` | Specifies secret that contains S3 credentials, should contain the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY |
-| recovery.objectStore.endpointURL | string | `"https://nyc3.digitaloceanspaces.com"` | Overrides the provider specific default endpoint. Defaults to: S3: https://s3.<region>.amazonaws.com" Leave empty if using the default S3 endpoint |
+| recovery.objectStore.endpointCredentials | string | `""` | Defaults to <cluster name>-recovery-secret for the existing secret |
+| recovery.objectStore.endpointCredentialsIncludeRegion | bool | `true` | If the S3 endpoint require the ACCESS_REGION variable set in credentials |
+| recovery.objectStore.endpointURL | string | `"http://garage-main.garage:3900"` | Overrides the provider specific default endpoint. Defaults to: S3: https://s3.<region>.amazonaws.com" Leave empty if using the default S3 endpoint |
+| recovery.objectStore.externalSecret | object | `{"credentialPath":"/garage/home-infra/postgres-backups","enabled":true}` | Use generated External Secrets, credentialPath points at path in cluster store that contains the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY |
 | recovery.objectStore.index | int | `1` | Generate external cluster name, uses: {{ .Release.Name }}-postgresql-<major version>-backup-index-{{ index }} |
-| recovery.objectStore.name | string | `"recovery"` | Object store backup name |
 | recovery.objectStore.owner | string | `""` | Name of the owner of the database in the instance to be used by applications. Defaults to the value of the `database` key. |
 | recovery.objectStore.pitrTarget | object | `{"time":""}` | Point in time recovery target. Specify one of the following: |
 | recovery.objectStore.pitrTarget.time | string | `""` | Time in RFC3339 format |
@@ -101,14 +105,6 @@ Cloudnative-pg Cluster
 | recovery.objectStore.wal.compression | string | `"snappy"` | WAL compression method. One of `` (for no compression), `gzip`, `bzip2` or `snappy`. |
 | recovery.objectStore.wal.encryption | string | `""` | Whether to instruct the storage provider to encrypt WAL files. One of `` (use the storage container default), `AES256` or `aws:kms`. |
 | recovery.objectStore.wal.maxParallel | int | `1` | Number of WAL files to be archived or restored in parallel. |
-| recovery.pgBaseBackup.database | string | `"app"` | Name of the database used by the application. Default: `app`. |
-| recovery.pgBaseBackup.owner | string | `""` | Name of the owner of the database in the instance to be used by applications. Defaults to the value of the `database` key. |
-| recovery.pgBaseBackup.secret | string | `""` | Name of the secret containing the initial credentials for the owner of the user database. If empty a new secret will be created from scratch |
-| recovery.pgBaseBackup.source | object | `{"database":"app","host":"","passwordSecret":{"create":false,"key":"password","name":"","value":""},"port":5432,"sslCertSecret":{"key":"","name":""},"sslKeySecret":{"key":"","name":""},"sslMode":"disable","sslRootCertSecret":{"key":"","name":""},"username":""}` | Configuration for the source database |
-| recovery.pgBaseBackup.source.passwordSecret.create | bool | `false` | Whether to create a secret for the password |
-| recovery.pgBaseBackup.source.passwordSecret.key | string | `"password"` | The key in the secret containing the password |
-| recovery.pgBaseBackup.source.passwordSecret.name | string | `""` | Name of the secret containing the password |
-| recovery.pgBaseBackup.source.passwordSecret.value | string | `""` | The password value to use when creating the secret |
 | type | string | `"postgresql"` | Type of the CNPG database. Available types: * `postgresql` |
 
 ----------------------------------------------

charts/postgres-cluster/prometheus_rules/cluster-pg_replication-warning.yaml

@@ -6,7 +6,7 @@ annotations:
   description: |-
     Standby is lagging behind by over 300 seconds (5 minutes)
 expr: |
-  cnpg_pg_replication_lag > 300
+  cnpg_pg_replication_lag{namespace="{{ .namespace }}"} > 300
 for: 1m
 labels:
   severity: warning

charts/postgres-cluster/templates/_bootstrap.tpl

@@ -23,21 +23,7 @@ bootstrap:
 {{- else if eq .Values.mode "recovery" -}}
 bootstrap:
 
-  {{- if eq .Values.recovery.method "pgBaseBackup" }}
-  pg_basebackup:
-    source: pgBaseBackupSource
-    {{ with .Values.recovery.pgBaseBackup.database }}
-    database: {{ . }}
-    {{- end }}
-    {{ with .Values.recovery.pgBaseBackup.owner }}
-    owner: {{ . }}
-    {{- end }}
-    {{ with .Values.recovery.pgBaseBackup.secret }}
-    secret:
-      {{- toYaml . | nindent 6 }}
-    {{- end }}
-
-  {{- else if eq .Values.recovery.method "import" }}
+  {{- if eq .Values.recovery.method "import" }}
   initdb:
     {{- with .Values.cluster.initdb }}
       {{- with (omit . "owner" "import" "postInitApplicationSQL") }}

charts/postgres-cluster/templates/_external_clusters.tpl

@@ -2,10 +2,7 @@
 externalClusters:
 {{- if eq .Values.mode "standalone" }}
 {{- else if eq .Values.mode "recovery" }}
-  {{- if eq .Values.recovery.method "pgBaseBackup" }}
-  - name: pgBaseBackupSource
-     {{- include "cluster.externalSourceCluster" .Values.recovery.pgBaseBackup.source | nindent 4 }}
-  {{- else if eq .Values.recovery.method "import" }}
+  {{- if eq .Values.recovery.method "import" }}
   - name: importSource
      {{- include "cluster.externalSourceCluster" .Values.recovery.import.source | nindent 4 }}
   {{- else if eq .Values.recovery.method "objectStore" }}
@@ -14,8 +11,8 @@ externalClusters:
       name: barman-cloud.cloudnative-pg.io
       enabled: true
       isWALArchiver: false
-      barmanObjectStore:
-        barmanObjectName: "{{ include "cluster.name" . }}-{{ .Values.recovery.objectStore.name }}"
+      parameters:
+        barmanObjectName: "{{ include "cluster.name" . }}-recovery"
         serverName: {{ include "cluster.recoveryServerName" . }}
   {{- end }}
 {{- else }}

charts/postgres-cluster/templates/_helpers.tpl

@@ -83,3 +83,51 @@ Generate recovery server name
     {{- printf "%s-backup-%s" (include "cluster.name" .) (toString .Values.recovery.objectStore.index) | trunc 63 | trimSuffix "-" -}}
   {{- end }}
 {{- end }}
+
+{{/*
+Generate recovery destination path
+*/}}
+{{- define "cluster.recoveryDestinationPath" -}}
+  {{- if .Values.recovery.objectStore.destinationPathOverride -}}
+    {{- .Values.recovery.objectStore.destinationPathOverride -}}
+  {{- else -}}
+    {{- printf "s3://%s/%s/%s/%s-cluster" (.Values.recovery.objectStore.destinationBucket) (.Values.kubernetesClusterName) (include "cluster.namespace" .) (include "cluster.name" .) | trimSuffix "-" -}}
+  {{- end }}
+{{- end }}
+
+{{/*
+Generate recovery credentials name
+*/}}
+{{- define "cluster.recoverySecretName" -}}
+  {{- if and (.Values.recovery.objectStore.endpointCredentials) (not .Values.recovery.objectStore.externalSecret.enabled) }}
+    {{- .Values.recovery.objectStore.endpointCredentials | trunc 63 | trimSuffix "-" }}
+  {{- else -}}
+    {{- printf "%s-recovery-secret" (include "cluster.name" .) -}}
+  {{- end }}
+{{- end }}
+
+{{/*
+Generate backup destination path
+*/}}
+{{- define "cluster.backupDestinationPath" -}}
+  {{- if .instance.destinationPathOverride -}}
+    {{- .instance.destinationPathOverride -}}
+  {{- else if .instance.destinationBucket -}}
+    {{- printf "s3://%s/%s/%s/%s-cluster" .instance.destinationBucket .global.Values.kubernetesClusterName (include "cluster.namespace" .global) (include "cluster.name" .global) | trimSuffix "-" -}}
+  {{-  else -}}
+    {{ fail "Invalid destination path!" }}
+  {{- end -}}
+{{- end }}
+
+{{/*
+Generate backup destination path
+*/}}
+{{- define "cluster.backupSecretName" -}}
+  {{- if .instance.endpointCredentialsOverride -}}
+    {{- .instance.endpointCredentialsOverride -}}
+  {{- else if .instance.name -}}
+    {{- printf "%s-backup-%s-secret" (include "cluster.name" .global) .instance.name | trunc 63 | trimSuffix "-" -}}
+  {{-  else -}}
+    {{ fail "Invalid backup secret name!" }}
+  {{- end -}}
+{{- end }}

charts/postgres-cluster/templates/databases.yaml

@@ -10,7 +10,7 @@ metadata:
 spec:
   name: {{ .name }}
   cluster:
-    name: {{ include "cluster.name" $ }}
+    name: {{ include "cluster.name" $ }}-cluster
   ensure: {{ .ensure | default "present" }}
   owner: {{ .owner }}
   template: {{ .template | default "template1" }}

charts/postgres-cluster/templates/external-secret.yaml

@@ -0,0 +1,84 @@
+{{ if and (eq .Values.backup.method "objectStore") (.Values.backup.externalSecret.enabled) }}
+{{ $context := . -}}
+{{ range .Values.backup.objectStore -}}
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: {{ include "cluster.backupSecretName" (dict "instance" . "global" $context) }}
+  namespace: {{ include "cluster.namespace" $context }}
+  labels:
+    {{- include "cluster.labels" $context | nindent 4 }}
+    app.kubernetes.io/name: {{ include "cluster.backupSecretName" (dict "instance" . "global" $context) }}
+    {{- with $context.Values.cluster.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ACCESS_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .externalSecretCredentialPath | required "External Secret Credential local path is required" }}
+        metadataPolicy: None
+        property: ACCESS_REGION
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .externalSecretCredentialPath | required "External Secret Credential local path is required" }}
+        metadataPolicy: None
+        property: ACCESS_KEY_ID
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .externalSecretCredentialPath| required "External Secret Credential local path is required" }}
+        metadataPolicy: None
+        property: ACCESS_SECRET_KEY
+{{ end -}}
+{{ end }}
+
+{{- if and (eq .Values.recovery.method "objectStore") (.Values.recovery.objectStore.externalSecret.enabled) }}
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: {{ include "cluster.recoverySecretName" . }}
+  namespace: {{ include "cluster.namespace" . }}
+  labels:
+    {{- include "cluster.labels" . | nindent 4 }}
+    app.kubernetes.io/name: {{ include "cluster.recoverySecretName" . }}
+    {{- with .Values.cluster.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ACCESS_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.recovery.objectStore.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
+        metadataPolicy: None
+        property: ACCESS_REGION
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.recovery.objectStore.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
+        metadataPolicy: None
+        property: ACCESS_KEY_ID
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.recovery.objectStore.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
+        metadataPolicy: None
+        property: ACCESS_SECRET_KEY
+{{- end }}

charts/postgres-cluster/templates/object-store.yaml

@@ -5,15 +5,19 @@
 apiVersion: barmancloud.cnpg.io/v1
 kind: ObjectStore
 metadata:
-  name: "{{ include "cluster.name" $context }}-{{ .name }}-backup"
+  name: {{ include "cluster.name" $context }}-backup-{{ .name }}
   namespace: {{ include "cluster.namespace" $context }}
   labels:
     {{- include "cluster.labels" $context | nindent 4 }}
+    app.kubernetes.io/name: {{ include "cluster.name" $context }}-backup-{{ .name }}
+    {{- with $context.Values.cluster.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 spec:
-  retentionPolicy: {{ .retentionPolicy | default "30d" }}
+  retentionPolicy: {{ .retentionPolicy | default "7d" }}
   configuration:
-    destinationPath: {{ .destinationPath | required "Destination path is required" }}
-    endpointURL: {{ .endpointURL | default "https://nyc3.digitaloceanspaces.com" }}
+    destinationPath: {{ include "cluster.backupDestinationPath" (dict "instance" . "global" $context) }}
+    endpointURL: {{ .endpointURL | default "http://garage-main.garage:3900" }}
     {{- if .endpointCA }}
     endpointCA:
       name: {{ .endpointCA.name }}
@@ -37,14 +41,14 @@ spec:
     {{- end }}
     s3Credentials:
       accessKeyId:
-        name: {{ .endpointCredentials | default (printf "%s-cluster-backup-secret" (include "cluster.name" $context) | trunc 63 | trimSuffix "-") }}
+        name: {{ include "cluster.backupSecretName" (dict "instance" . "global" $context) }}
         key: ACCESS_KEY_ID
       secretAccessKey:
-        name: {{ .endpointCredentials | default (printf "%s-cluster-backup-secret" (include "cluster.name" $context) | trunc 63 | trimSuffix "-") }}
+        name: {{ include "cluster.backupSecretName" (dict "instance" . "global" $context) }}
         key: ACCESS_SECRET_KEY
     {{- if .endpointCredentialsIncludeRegion }}
       region:
-        name: {{ .endpointCredentials | default (printf "%s-cluster-backup-secret" (include "cluster.name" $context) | trunc 63 | trimSuffix "-") }}
+        name: {{ include "cluster.backupSecretName" (dict "instance" . "global" $context) }}
         key: ACCESS_REGION
     {{- end }}
 {{ end -}}
@@ -55,13 +59,17 @@ spec:
 apiVersion: barmancloud.cnpg.io/v1
 kind: ObjectStore
 metadata:
-  name: "{{ include "cluster.name" . }}-{{ .Values.recovery.objectStore.name }}"
+  name: "{{ include "cluster.name" . }}-recovery"
   namespace: {{ include "cluster.namespace" . }}
   labels:
     {{- include "cluster.labels" . | nindent 4 }}
+    app.kubernetes.io/name: "{{ include "cluster.name" . }}-recovery"
+    {{- with .Values.cluster.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 spec:
   configuration:
-    destinationPath: {{ .Values.recovery.objectStore.destinationPath }}
+    destinationPath: {{ include "cluster.recoveryDestinationPath" . }}
     endpointURL: {{ .Values.recovery.objectStore.endpointURL }}
     {{- if .Values.recovery.objectStore.endpointCA.name }}
     endpointCA:
@@ -82,9 +90,14 @@ spec:
       jobs: {{ .Values.recovery.objectStore.data.jobs }}
     s3Credentials:
       accessKeyId:
-        name: {{ .Values.recovery.objectStore.endpointCredentials | default (printf "%s-cluster-backup-secret" (include "cluster.name" .) | trunc 63 | trimSuffix "-") }}
+        name: {{ include "cluster.recoverySecretName" . }}
         key: ACCESS_KEY_ID
       secretAccessKey:
-        name: {{ .Values.recovery.objectStore.endpointCredentials | default (printf "%s-cluster-backup-secret" (include "cluster.name" .) | trunc 63 | trimSuffix "-") }}
+        name: {{ include "cluster.recoverySecretName" . }}
         key: ACCESS_SECRET_KEY
+      {{- if .Values.recovery.objectStore.endpointCredentialsIncludeRegion }}
+      region:
+        name: {{ include "cluster.recoverySecretName" . }}
+        key: ACCESS_REGION
+      {{- end }}
 {{ end }}

charts/postgres-cluster/values.yaml

@@ -4,6 +4,9 @@ nameOverride: ""
 # -- Override the namespace of the chart
 namespaceOverride: ""
 
+# -- Kubernetes cluster name
+kubernetesClusterName: cl01tl
+
 # -- Type of the CNPG database. Available types:
 # * `postgresql`
 type: postgresql
@@ -33,12 +36,12 @@ cluster:
   # -- Default storage size
   storage:
     size: 10Gi
-    storageClass: ""
+    storageClass: local-path
 
   walStorage:
     enabled: true
     size: 2Gi
-    storageClass: ""
+    storageClass: local-path
 
   # -- The UID and GID of the postgres user inside the image, defaults to 26
   postgresUID: -1
@@ -221,8 +224,6 @@ recovery:
   # -- Available recovery methods:
   # * `backup` - Recovers a CNPG cluster from a CNPG backup (PITR supported) Needs to be on the same cluster in the same namespace.
   # * `objectStore` - Recovers a CNPG cluster from a barman object store (PITR supported).
-  # * `pgBaseBackup` - Recovers a CNPG cluster viaa streaming replication protocol. Useful if you want to
-  #        migrate databases to CloudNativePG, even from outside Kubernetes.
   # * `import` - Import one or more databases from an existing Postgres cluster.
   method: backup
 
@@ -259,19 +260,19 @@ recovery:
     # -- Name of the owner of the database in the instance to be used by applications. Defaults to the value of the `database` key.
     owner: ""
 
-    # -- Object store backup name
-    name: recovery
+    # -- Desitination bucket
+    destinationBucket: postgres-backups
 
     # -- Overrides the provider specific default path. Defaults to:
     # S3: s3://<bucket><path>
     # Azure: https://<storageAccount>.<serviceName>.core.windows.net/<containerName><path>
     # Google: gs://<bucket><path>
-    destinationPath: ""
+    destinationPathOverride: ""
 
     # -- Overrides the provider specific default endpoint. Defaults to:
     # S3: https://s3.<region>.amazonaws.com"
     # Leave empty if using the default S3 endpoint
-    endpointURL: "https://nyc3.digitaloceanspaces.com"
+    endpointURL: "http://garage-main.garage:3900"
 
     # -- Specifies a CA bundle to validate a privately signed certificate.
     endpointCA:
@@ -287,9 +288,18 @@ recovery:
     # -- Override the name of the backup cluster, defaults to "cluster.name"
     clusterName: ""
 
+    # -- Use generated External Secrets, credentialPath points at path in cluster store that contains the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY
+    externalSecret:
+      enabled: true
+      credentialPath: /garage/home-infra/postgres-backups
+
     # -- Specifies secret that contains S3 credentials, should contain the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY
+    # -- Defaults to <cluster name>-recovery-secret for the existing secret
     endpointCredentials: ""
 
+    # -- If the S3 endpoint require the ACCESS_REGION variable set in credentials
+    endpointCredentialsIncludeRegion: true
+
     # -- Storage
     wal:
 
@@ -312,48 +322,6 @@ recovery:
       # -- Number of data files to be archived or restored in parallel.
       jobs: 1
 
-  # See https://cloudnative-pg.io/documentation/current/bootstrap/#bootstrap-from-a-live-cluster-pg_basebackup
-  pgBaseBackup:
-
-    # -- Name of the database used by the application. Default: `app`.
-    database: app
-
-    # -- Name of the secret containing the initial credentials for the owner of the user database. If empty a new secret will be created from scratch
-    secret: ""
-
-    # -- Name of the owner of the database in the instance to be used by applications. Defaults to the value of the `database` key.
-    owner: ""
-
-    # -- Configuration for the source database
-    source:
-      host: ""
-      port: 5432
-      username: ""
-      database: "app"
-      sslMode: "disable"
-      passwordSecret:
-
-        # -- Whether to create a secret for the password
-        create: false
-
-        # -- Name of the secret containing the password
-        name: ""
-
-        # -- The key in the secret containing the password
-        key: "password"
-
-        # -- The password value to use when creating the secret
-        value: ""
-      sslKeySecret:
-        name: ""
-        key: ""
-      sslCertSecret:
-        name: ""
-        key: ""
-      sslRootCertSecret:
-        name: ""
-        key: ""
-
   # See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-Import
   import:
 
@@ -420,23 +388,41 @@ backup:
   # -- Method to create backups, options currently are only objectStore
   method: objectStore
 
+  # -- Use generated External Secrets, credentialPath points at path in cluster store that contains the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY
+  externalSecret:
+    enabled: true
+
   # -- Options for object store backups
-  objectStore: []
+  objectStore:
+      - name: garage-local
+        index: 1
+        destinationBucket: postres-backups
+        externalSecretCredentialPath: /garage/home-infra/postgres-backups
+        isWALArchiver: true
 
     # -
     #   # -- Object store backup name
     #   name: external
 
+    #   # -- Desitination bucket
+    #   destinationBucket: postgres-backups
+
     #   # -- Overrides the provider specific default path. Defaults to:
     #   # S3: s3://<bucket><path>
     #   # Azure: https://<storageAccount>.<serviceName>.core.windows.net/<containerName><path>
     #   # Google: gs://<bucket><path>
-    #   destinationPath: ""
+    #   destinationPathOverride: ""
 
     #   # -- Overrides the provider specific default endpoint. Defaults to:
-    #   # https://nyc3.digitaloceanspaces.com
+    #   # http://garage-main.garage:3900
     #   endpointURL: ""
 
+    #   # -- Override secret name that contains S3 credentials, should contain the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY
+    #   endpointCredentialsOverride: ""
+
+    #   # -- Path points at path in cluster store that contains the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY
+    #   externalSecretCredentialPath
+
     #   # -- Specifies a CA bundle to validate a privately signed certificate.
     #   endpointCA:
     #     # -- Creates a secret with the given value if true, otherwise uses an existing secret.
@@ -448,12 +434,6 @@ backup:
     #   # -- Generate external cluster name, uses: {{ .Release.Name }}-postgresql-<major version>-backup-index-{{ index }}
     #   index: 1
 
-    #   # -- Override the name of the backup cluster, defaults to "cluster.name"
-    #   clusterName: ""
-
-    #   # -- Specifies secret that contains S3 credentials, should contain the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY
-    #   endpointCredentials: ""
-
     #   # -- Retention policy for backups
     #   retentionPolicy: "30d"
 

charts/redis-replication/Chart.yaml

@@ -0,0 +1,15 @@
+apiVersion: v2
+name: redis-replication
+version: 0.5.0
+description: Redis Replication with Sentinel
+keywords:
+  - redis-operator
+  - redis
+  - kubernetes
+sources:
+  - https://github.com/OT-CONTAINER-KIT/redis-operator
+  - https://github.com/OT-CONTAINER-KIT/redis-operator/tree/main/charts/redis-operator
+maintainers:
+  - name: alexlebens
+icon: https://github.com/OT-CONTAINER-KIT/redis-operator/raw/main/static/redis-operator-logo.svg
+appVersion: v0.21.0

charts/redis-replication/README.md

@@ -0,0 +1,40 @@
+# redis-replication
+
+![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat-square) ![AppVersion: v0.21.0](https://img.shields.io/badge/AppVersion-v0.21.0-informational?style=flat-square)
+
+Redis Replication with Sentinel
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| alexlebens |  |  |
+
+## Source Code
+
+* <https://github.com/OT-CONTAINER-KIT/redis-operator>
+* <https://github.com/OT-CONTAINER-KIT/redis-operator/tree/main/charts/redis-operator>
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| additionalLabels | object | `{}` | Add additional labels |
+| existingSecret | object | `{"enabled":false,"key":"password","name":"secret-name"}` | Password |
+| namespaceOverride | string | `""` | Override the namespace of the chart |
+| redisReplication | object | `{"clusterSize":3,"image":{"pullPolicy":"IfNotPresent","repository":"quay.io/opstree/redis","tag":"v8.4.0"},"podSecurityContext":{"fsGroup":1000,"runAsUser":1000},"redisExporter":{"enabled":true,"image":{"repository":"quay.io/opstree/redis-exporter","tag":"v1.80.1"},"serviceMonitor":{"enabled":true,"extraLabels":{},"interval":"30s","scrapeTimeout":"10s"}},"resources":{"requests":{"cpu":"10m","memory":"32Mi"}},"volumeClaimTemplate":{"spec":{"accessModes":["ReadWriteOnce"],"resources":{"requests":{"storage":"1Gi"}},"storageClassName":"ceph-block"}}}` | Redis Replication settings |
+| redisReplication.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/opstree/redis","tag":"v8.4.0"}` | Image |
+| redisReplication.podSecurityContext | object | `{"fsGroup":1000,"runAsUser":1000}` | Security |
+| redisReplication.redisExporter | object | `{"enabled":true,"image":{"repository":"quay.io/opstree/redis-exporter","tag":"v1.80.1"},"serviceMonitor":{"enabled":true,"extraLabels":{},"interval":"30s","scrapeTimeout":"10s"}}` | Metrics |
+| redisReplication.resources | object | `{"requests":{"cpu":"10m","memory":"32Mi"}}` | Resources |
+| redisReplication.volumeClaimTemplate | object | `{"spec":{"accessModes":["ReadWriteOnce"],"resources":{"requests":{"storage":"1Gi"}},"storageClassName":"ceph-block"}}` | Storage |
+| redisSentinel | object | `{"clusterSize":3,"enabled":false,"image":{"pullPolicy":"IfNotPresent","repository":"quay.io/opstree/redis-sentinel","tag":"v8.4.0"},"podSecurityContext":{"fsGroup":1000,"runAsUser":1000},"redisExporter":{"enabled":true,"image":{"repository":"quay.io/opstree/redis-exporter","tag":"v1.80.1"},"serviceMonitor":{"enabled":true,"extraLabels":{},"interval":"30s","scrapeTimeout":"10s"}},"resources":{"requests":{"cpu":"10m","memory":"32Mi"}}}` | Redis Sentinel settings |
+| redisSentinel.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/opstree/redis-sentinel","tag":"v8.4.0"}` | Image |
+| redisSentinel.podSecurityContext | object | `{"fsGroup":1000,"runAsUser":1000}` | Security |
+| redisSentinel.redisExporter | object | `{"enabled":true,"image":{"repository":"quay.io/opstree/redis-exporter","tag":"v1.80.1"},"serviceMonitor":{"enabled":true,"extraLabels":{},"interval":"30s","scrapeTimeout":"10s"}}` | Metrics |
+| redisSentinel.resources | object | `{"requests":{"cpu":"10m","memory":"32Mi"}}` | Resources |
+| replicationNameOverride | string | `""` | Override the name of the resources |
+| sentinelNameOverride | string | `""` |  |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

charts/redis-replication/templates/_helpers.tpl

@@ -0,0 +1,65 @@
+{{/*
+Expand the names
+*/}}
+{{- define "redis.replicationName" -}}
+  {{- if .Values.replicationNameOverride }}
+    {{- .Values.replicationNameOverride | trunc 63 | trimSuffix "-" }}
+  {{- else }}
+    {{- printf "redis-replication-%s" .Release.Name -}}
+  {{- end }}
+{{- end }}
+
+{{- define "redis.sentinelName" -}}
+  {{- if .Values.sentinelNameOverride }}
+    {{- .Values.sentinelNameOverride | trunc 63 | trimSuffix "-" }}
+  {{- else }}
+    {{- printf "redis-sentinel-%s" .Release.Name -}}
+  {{- end }}
+{{- end }}
+
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts
+*/}}
+{{- define "redis.namespace" -}}
+  {{- if .Values.namespaceOverride -}}
+    {{- .Values.namespaceOverride -}}
+  {{- else -}}
+    {{- .Release.Namespace -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "redis.chart" -}}
+  {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "redis.labels" -}}
+helm.sh/chart: {{ include "redis.chart" $ }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.Version | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- with .Values.additionalLabels }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "redis.replicationSelectorLabels" -}}
+app.kubernetes.io/name: {{ include "redis.replicationName" $ }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}
+
+{{- define "redis.sentinelSelectorLabels" -}}
+app.kubernetes.io/name: {{ include "redis.sentinelName" $ }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

charts/redis-replication/templates/redis-replication.yaml

@@ -0,0 +1,39 @@
+apiVersion: redis.redis.opstreelabs.in/v1beta2
+kind: RedisReplication
+metadata:
+  name: {{ include "redis.replicationName" . }}
+  namespace: {{ include "redis.namespace" . }}
+  labels:
+    {{- include "redis.labels" . | nindent 4 }}
+    {{- include "redis.replicationSelectorLabels" . | nindent 4 }}
+spec:
+  clusterSize: {{ .Values.redisReplication.clusterSize }}
+
+  podSecurityContext:
+  {{- with .Values.redisReplication.podSecurityContext }}
+    {{- toYaml . | nindent 4 }}
+  {{ end }}
+
+  kubernetesConfig:
+    image: "{{ .Values.redisReplication.image.repository }}:{{ .Values.redisReplication.image.tag }}"
+    imagePullPolicy: {{ .Values.redisReplication.image.pullPolicy }}
+    resources:
+    {{- with .Values.redisReplication.resources }}
+      {{- toYaml . | nindent 6 }}
+    {{ end }}
+
+    {{ if .Values.existingSecret.enabled }}
+    redisSecret:
+      name: {{ .Values.existingSecret.name }}
+      key: {{ .Values.existingSecret.key }}
+    {{ end }}
+
+  storage:
+    volumeClaimTemplate:
+    {{- with .Values.redisReplication.volumeClaimTemplate }}
+      {{- toYaml . | nindent 6 }}
+    {{ end }}
+
+  redisExporter:
+    enabled: {{ .Values.redisReplication.redisExporter.enabled }}
+    image: "{{ .Values.redisReplication.redisExporter.image.repository }}:{{ .Values.redisReplication.redisExporter.image.tag }}"

charts/redis-replication/templates/redis-sentinel.yaml

@@ -0,0 +1,46 @@
+{{- if .Values.redisSentinel.enabled }}
+---
+apiVersion: redis.redis.opstreelabs.in/v1beta2
+kind: RedisSentinel
+metadata:
+  name: {{ include "redis.sentinelName" . }}
+  namespace: {{ include "redis.namespace" . }}
+  labels:
+    {{- include "redis.labels" . | nindent 4 }}
+    {{- include "redis.sentinelSelectorLabels" . | nindent 4 }}
+spec:
+  clusterSize: {{ .Values.redisSentinel.clusterSize }}
+
+  podSecurityContext:
+  {{- with .Values.redisSentinel.podSecurityContext }}
+    {{- toYaml . | nindent 10 }}
+  {{ end }}
+
+  redisSentinelConfig:
+    redisReplicationName: {{ include "redis.replicationName" . }}
+    {{ if .Values.existingSecret.enabled }}
+    redisReplicationPassword:
+      secretKeyRef:
+        name: {{ .Values.existingSecret.name }}
+        key: {{ .Values.existingSecret.key }}
+    {{ end }}
+
+  kubernetesConfig:
+    image: "{{ .Values.redisSentinel.image.repository }}:{{ .Values.redisSentinel.image.tag }}"
+    imagePullPolicy: {{ .Values.redisSentinel.image.pullPolicy }}
+    resources:
+    {{- with .Values.redisSentinel.resources }}
+      {{- toYaml . | nindent 10 }}
+    {{ end }}
+
+    {{ if .Values.existingSecret.enabled }}
+    redisSecret:
+      name: {{ .Values.existingSecret.name }}
+      key: {{ .Values.existingSecret.key }}
+    {{ end }}
+
+  redisExporter:
+    enabled: {{ .Values.redisSentinel.redisExporter.enabled }}
+    image: "{{ .Values.redisSentinel.redisExporter.image.repository }}:{{ .Values.redisSentinel.redisExporter.image.tag }}"
+
+{{- end }}

charts/redis-replication/templates/service-monitor.yaml

@@ -0,0 +1,49 @@
+{{- if .Values.redisReplication.redisExporter.serviceMonitor.enabled }}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "redis.replicationName" . }}
+  namespace: {{ include "redis.namespace" . }}
+  labels:
+    {{- include "redis.labels" . | nindent 4 }}
+    {{- include "redis.replicationSelectorLabels" . | nindent 4 }}
+    {{- with .Values.redisReplication.redisExporter.serviceMonitor.extraLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  selector:
+    matchLabels:
+      app: {{ include "redis.replicationName" . }}
+      redis_setup_type: replication
+      role: replication
+  endpoints:
+    - port: redis-exporter
+      interval: {{ .Values.redisReplication.redisExporter.serviceMonitor.interval }}
+      scrapeTimeout: {{ .Values.redisReplication.redisExporter.serviceMonitor.scrapeTimeout }}
+{{- end }}
+
+{{- if and (.Values.redisSentinel.redisExporter.serviceMonitor.enabled) (.Values.redisSentinel.enabled) }}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "redis.sentinelName" . }}
+  namespace: {{ include "redis.namespace" . }}
+  labels:
+    {{- include "redis.labels" . | nindent 4 }}
+    {{- include "redis.sentinelSelectorLabels" . | nindent 4 }}
+    {{- with .Values.redisSentinel.redisExporter.serviceMonitor.extraLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  selector:
+    matchLabels:
+      app: {{ include "redis.sentinelName" . }}
+      redis_setup_type: sentinel
+      role: sentinel
+  endpoints:
+    - port: sentinel-client
+      interval: {{ .Values.redisSentinel.redisExporter.serviceMonitor.interval }}
+      scrapeTimeout: {{ .Values.redisSentinel.redisExporter.serviceMonitor.scrapeTimeout }}
+{{- end }}

charts/redis-replication/values.yaml

@@ -0,0 +1,92 @@
+# -- Override the name of the resources
+replicationNameOverride: ""
+sentinelNameOverride: ""
+
+# -- Override the namespace of the chart
+namespaceOverride: ""
+
+# -- Password
+existingSecret:
+  enabled: false
+  name: secret-name
+  key: password
+
+# -- Add additional labels
+additionalLabels: {}
+
+# -- Redis Replication settings
+redisReplication:
+  clusterSize: 3
+
+  # -- Security
+  podSecurityContext:
+    fsGroup: 1000
+    runAsUser: 1000
+
+  # -- Image
+  image:
+    repository: quay.io/opstree/redis
+    tag: v8.4.0
+    pullPolicy: IfNotPresent
+
+  # -- Resources
+  resources:
+    requests:
+      cpu: 10m
+      memory: 32Mi
+
+  # -- Storage
+  volumeClaimTemplate:
+    spec:
+      accessModes:
+        - ReadWriteOnce
+      resources:
+        requests:
+          storage: 1Gi
+      storageClassName: ceph-block
+
+  # -- Metrics
+  redisExporter:
+    enabled: true
+    image:
+      repository: quay.io/opstree/redis-exporter
+      tag: v1.80.1
+    serviceMonitor:
+      enabled: true
+      interval: 30s
+      scrapeTimeout: 10s
+      extraLabels: {}
+
+# -- Redis Sentinel settings
+redisSentinel:
+  enabled: false
+  clusterSize: 3
+
+  # -- Security
+  podSecurityContext:
+    runAsUser: 1000
+    fsGroup: 1000
+
+  # -- Image
+  image:
+    repository: quay.io/opstree/redis-sentinel
+    tag: v8.4.0
+    pullPolicy: IfNotPresent
+
+  # -- Resources
+  resources:
+    requests:
+      cpu: 10m
+      memory: 32Mi
+
+  # -- Metrics
+  redisExporter:
+    enabled: true
+    image:
+      repository: quay.io/opstree/redis-exporter
+      tag: v1.80.1
+    serviceMonitor:
+      enabled: true
+      interval: 30s
+      scrapeTimeout: 10s
+      extraLabels: {}

charts/volsync-target/Chart.yaml

@@ -0,0 +1,16 @@
+apiVersion: v2
+name: volsync-target
+version: 0.6.0
+description: Volsync Replication set to target specific PVC with preconfigured settings
+keywords:
+  - volsync-target
+  - volsync
+  - storage
+  - kubernetes
+sources:
+  - https://github.com/backube/volsync
+  - https://github.com/backube/volsync/tree/main/helm/volsync
+maintainers:
+  - name: alexlebens
+icon: https://raw.githubusercontent.com/backube/volsync/main/docs/media/volsync.svg?sanitize=true
+appVersion: 0.14.0

charts/volsync-target/README.md

@@ -0,0 +1,42 @@
+# volsync-target
+
+![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![AppVersion: 0.14.0](https://img.shields.io/badge/AppVersion-0.14.0-informational?style=flat-square)
+
+Volsync Replication set to target specific PVC with preconfigured settings
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| alexlebens |  |  |
+
+## Source Code
+
+* <https://github.com/backube/volsync>
+* <https://github.com/backube/volsync/tree/main/helm/volsync>
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| additionalLabels | object | `{}` | Add additional labels |
+| external | object | `{"enabled":true,"externalSecret":{"credentialPath":"/digital-ocean/home-infra/volsync-backups","volsyncPath":"/volsync/restic/digital-ocean"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 9 * * *"}` | External backup configuration |
+| external.externalSecret | object | `{"credentialPath":"/digital-ocean/home-infra/volsync-backups","volsyncPath":"/volsync/restic/digital-ocean"}` | External Secret configuration |
+| external.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
+| external.schedule | string | `"0 9 * * *"` | 5 character cron schedule |
+| externalSecrets | object | `{"enabled":true}` | Use external secrets |
+| local | object | `{"enabled":true,"externalSecret":{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-local"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 8 * * *"}` | Local backup configuration |
+| local.externalSecret | object | `{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-local"}` | External Secret configuration |
+| local.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
+| local.schedule | string | `"0 8 * * *"` | 5 character cron schedule |
+| moverSecurityContext | object | `{}` | Glocal security context for restic mover |
+| nameOverride | string | `""` | Default pattern follows <pvcTarget>-backup |
+| namespaceOverride | string | `""` | Override the namespace of the chart |
+| pvcTarget | string | `"data"` | Name of the PVC target |
+| remote | object | `{"enabled":true,"externalSecret":{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-remote"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 10 * * *"}` | Remote backup configuration |
+| remote.externalSecret | object | `{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-remote"}` | External Secret configuration |
+| remote.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
+| remote.schedule | string | `"0 10 * * *"` | 5 character cron schedule |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

charts/volsync-target/templates/_helpers.tpl

@@ -0,0 +1,75 @@
+{{/*
+Expand the names
+*/}}
+{{- define "volsync.name" -}}
+  {{- if .Values.nameOverride }}
+    {{- .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+  {{- else }}
+    {{- printf "%s-backup" .Values.pvcTarget -}}
+  {{- end }}
+{{- end }}
+
+{{- define "volsync.localRepoName" -}}
+  {{- if .Values.local.restic.repository }}
+    {{- .Values.local.restic.repository | trunc 63 | trimSuffix "-" }}
+  {{- else }}
+    {{- printf "%s-secret-local" (include "volsync.name" .) -}}
+  {{- end }}
+{{- end }}
+
+{{- define "volsync.remoteRepoName" -}}
+  {{- if .Values.remote.restic.repository }}
+    {{- .Values.remote.restic.repository | trunc 63 | trimSuffix "-" }}
+  {{- else }}
+    {{- printf "%s-secret-remote" (include "volsync.name" .) -}}
+  {{- end }}
+{{- end }}
+
+{{- define "volsync.externalRepoName" -}}
+  {{- if .Values.external.restic.repository }}
+    {{- .Values.external.restic.repository | trunc 63 | trimSuffix "-" }}
+  {{- else }}
+    {{- printf "%s-secret-external" (include "volsync.name" .) -}}
+  {{- end }}
+{{- end }}
+
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts
+*/}}
+{{- define "volsync.namespace" -}}
+  {{- if .Values.namespaceOverride -}}
+    {{- .Values.namespaceOverride -}}
+  {{- else -}}
+    {{- .Release.Namespace -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "volsync.chart" -}}
+  {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "volsync.labels" -}}
+helm.sh/chart: {{ include "volsync.chart" $ }}
+{{ include "volsync.selectorLabels" $ }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.Version | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- with .Values.additionalLabels }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "volsync.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

charts/volsync-target/templates/external-secret.yaml

@@ -0,0 +1,182 @@
+{{- if and (.Values.local.enabled) (.Values.externalSecrets.enabled) }}
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: {{ include "volsync.localRepoName" . }}
+  namespace: {{ include "volsync.namespace" . }}
+  labels:
+    {{- include "volsync.labels" . | nindent 4 }}
+    app.kubernetes.io/name: {{ include "volsync.localRepoName" . }}
+    {{- with .Values.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  target:
+    template:
+      mergePolicy: Merge
+      engineVersion: v2
+      data:
+        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
+  data:
+    - secretKey: BUCKET_ENDPOINT
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.local.externalSecret.volsyncPath | required "External Secret Volsync local path is required" }}
+        metadataPolicy: None
+        property: BUCKET_ENDPOINT
+    - secretKey: RESTIC_PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.local.externalSecret.volsyncPath | required "External Secret Volsync local path is required" }}
+        metadataPolicy: None
+        property: RESTIC_PASSWORD
+    - secretKey: AWS_DEFAULT_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
+        metadataPolicy: None
+        property: ACCESS_REGION
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
+        metadataPolicy: None
+        property: ACCESS_KEY_ID
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
+        metadataPolicy: None
+        property: ACCESS_SECRET_KEY
+{{- end }}
+
+{{- if and (.Values.remote.enabled) (.Values.externalSecrets.enabled) }}
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: {{ include "volsync.remoteRepoName" . }}
+  namespace: {{ include "volsync.namespace" . }}
+  labels:
+    {{- include "volsync.labels" . | nindent 4 }}
+    app.kubernetes.io/name: {{ include "volsync.remoteRepoName" . }}
+    {{- with .Values.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  target:
+    template:
+      mergePolicy: Merge
+      engineVersion: v2
+      data:
+        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
+  data:
+    - secretKey: BUCKET_ENDPOINT
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.remote.externalSecret.volsyncPath | required "External Secret Volsync remote path is required" }}
+        metadataPolicy: None
+        property: BUCKET_ENDPOINT
+    - secretKey: RESTIC_PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.remote.externalSecret.volsyncPath | required "External Secret Volsync remote path is required" }}
+        metadataPolicy: None
+        property: RESTIC_PASSWORD
+    - secretKey: AWS_DEFAULT_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Credential remote path is required" }}
+        metadataPolicy: None
+        property: ACCESS_REGION
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Credential remote path is required" }}
+        metadataPolicy: None
+        property: ACCESS_KEY_ID
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Credential remote path is required" }}
+        metadataPolicy: None
+        property: ACCESS_SECRET_KEY
+{{- end }}
+
+{{- if and (.Values.external.enabled) (.Values.externalSecrets.enabled) }}
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: {{ include "volsync.externalRepoName" . }}
+  namespace: {{ include "volsync.namespace" . }}
+  labels:
+    {{- include "volsync.labels" . | nindent 4 }}
+    app.kubernetes.io/name: {{ include "volsync.externalRepoName" . }}
+    {{- with .Values.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  target:
+    template:
+      mergePolicy: Merge
+      engineVersion: v2
+      data:
+        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
+  data:
+    - secretKey: BUCKET_ENDPOINT
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.external.externalSecret.volsyncPath | required "External Secret Volsync external path is required" }}
+        metadataPolicy: None
+        property: BUCKET_ENDPOINT
+    - secretKey: RESTIC_PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.external.externalSecret.volsyncPath | required "External Secret Volsync external path is required" }}
+        metadataPolicy: None
+        property: RESTIC_PASSWORD
+    - secretKey: AWS_DEFAULT_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Credential external path is required" }}
+        metadataPolicy: None
+        property: AWS_DEFAULT_REGION
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Credential external path is required" }}
+        metadataPolicy: None
+        property: AWS_ACCESS_KEY_ID
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Credential external path is required" }}
+        metadataPolicy: None
+        property: AWS_SECRET_ACCESS_KEY
+{{- end }}

charts/volsync-target/templates/replication-source.yaml

@@ -0,0 +1,107 @@
+{{- if .Values.local.enabled }}
+---
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: {{ include "volsync.name" . }}-source-local
+  namespace: {{ include "volsync.namespace" . }}
+  labels:
+    {{- include "volsync.labels" . | nindent 4 }}
+    app.kubernetes.io/name: {{ include "volsync.name" . }}
+    {{- with .Values.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  sourcePVC: {{ .Values.pvcTarget }}
+  trigger:
+    schedule: {{ .Values.local.schedule }}
+  restic:
+    pruneIntervalDays: {{ .Values.local.restic.pruneIntervalDays }}
+    repository: {{ include "volsync.localRepoName" . }}
+    retain:
+    {{- with .Values.local.restic.retain }}
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- if .Values.moverSecurityContext }}
+    moverSecurityContext:
+    {{- with .Values.moverSecurityContext }}
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- end }}
+    copyMethod: {{ .Values.local.restic.copyMethod }}
+    storageClassName: {{ .Values.local.restic.storageClassName }}
+    volumeSnapshotClassName: {{ .Values.local.restic.volumeSnapshotClassName }}
+    cacheCapacity: {{ .Values.local.restic.cacheCapacity }}
+{{- end }}
+
+{{- if .Values.remote.enabled }}
+---
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: {{ include "volsync.name" . }}-source-remote
+  namespace: {{ include "volsync.namespace" . }}
+  labels:
+    {{- include "volsync.labels" . | nindent 4 }}
+    app.kubernetes.io/name: {{ include "volsync.name" . }}
+    {{- with .Values.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  sourcePVC: {{ .Values.pvcTarget | required "PVC target is required" }}
+  trigger:
+    schedule: {{ .Values.remote.schedule }}
+  restic:
+    pruneIntervalDays: {{ .Values.remote.restic.pruneIntervalDays }}
+    repository: {{ include "volsync.remoteRepoName" . }}
+    retain:
+    {{- with .Values.remote.restic.retain }}
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- if .Values.moverSecurityContext }}
+    moverSecurityContext:
+    {{- with .Values.moverSecurityContext }}
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- end }}
+    copyMethod: {{ .Values.remote.restic.copyMethod }}
+    storageClassName: {{ .Values.remote.restic.storageClassName }}
+    volumeSnapshotClassName: {{ .Values.remote.restic.volumeSnapshotClassName }}
+    cacheCapacity: {{ .Values.remote.restic.cacheCapacity }}
+{{- end }}
+
+{{- if .Values.external.enabled }}
+---
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: {{ include "volsync.name" . }}-source-external
+  namespace: {{ include "volsync.namespace" . }}
+  labels:
+    {{- include "volsync.labels" . | nindent 4 }}
+    app.kubernetes.io/name: {{ include "volsync.name" . }}
+    {{- with .Values.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  sourcePVC: {{ .Values.pvcTarget }}
+  trigger:
+    schedule: {{ .Values.external.schedule }}
+  restic:
+    pruneIntervalDays: {{ .Values.external.restic.pruneIntervalDays }}
+    repository: {{ include "volsync.externalRepoName" . }}
+    retain:
+    {{- with .Values.external.restic.retain }}
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- if .Values.moverSecurityContext }}
+    moverSecurityContext:
+    {{- with .Values.moverSecurityContext }}
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- end }}
+    copyMethod: {{ .Values.external.restic.copyMethod }}
+    storageClassName: {{ .Values.external.restic.storageClassName }}
+    volumeSnapshotClassName: {{ .Values.external.restic.volumeSnapshotClassName }}
+    cacheCapacity: {{ .Values.external.restic.cacheCapacity }}
+{{- end }}

charts/volsync-target/values.yaml

@@ -0,0 +1,105 @@
+# -- Default pattern follows <pvcTarget>-backup
+nameOverride: ""
+
+# -- Override the namespace of the chart
+namespaceOverride: ""
+
+# -- Add additional labels
+additionalLabels: {}
+
+# -- Name of the PVC target
+pvcTarget: "data"
+
+# -- Glocal security context for restic mover
+moverSecurityContext: {}
+
+# -- Use external secrets
+externalSecrets:
+  enabled: true
+
+# -- Local backup configuration
+local:
+  enabled: true
+
+  # -- 5 character cron schedule
+  schedule: 0 8 * * *
+
+  # -- Backup configuration, inserted directly into the yaml
+  restic:
+    pruneIntervalDays: 7
+    repository: ""
+    retain:
+      hourly: 0
+      daily: 7
+      weekly: 4
+      monthly: 3
+      yearly: 1
+    copyMethod: Snapshot
+    storageClassName: ceph-block
+    volumeSnapshotClassName: ceph-blockpool-snapshot
+    cacheCapacity: 1Gi
+
+  # -- External Secret configuration
+  externalSecret:
+    # This path must contain the BUCKET_ENDPOINT and RESTIC_PASSWORD
+    volsyncPath: /volsync/restic/garage-local
+    # This path must contain the AWS/S3 credentials
+    credentialPath: /garage/home-infra/volsync-backups
+
+# -- Remote backup configuration
+remote:
+  enabled: true
+
+  # -- 5 character cron schedule
+  schedule: 0 10 * * *
+
+  # -- Backup configuration, inserted directly into the yaml
+  restic:
+    pruneIntervalDays: 7
+    repository: ""
+    retain:
+      hourly: 0
+      daily: 7
+      weekly: 4
+      monthly: 3
+      yearly: 1
+    copyMethod: Snapshot
+    storageClassName: ceph-block
+    volumeSnapshotClassName: ceph-blockpool-snapshot
+    cacheCapacity: 1Gi
+
+  # -- External Secret configuration
+  externalSecret:
+    # This path must contain the BUCKET_ENDPOINT and RESTIC_PASSWORD
+    volsyncPath: /volsync/restic/garage-remote
+    # This path must contain the AWS/S3 credentials
+    credentialPath: /garage/home-infra/volsync-backups
+
+# -- External backup configuration
+external:
+  enabled: true
+
+  # -- 5 character cron schedule
+  schedule: 0 9 * * *
+
+  # -- Backup configuration, inserted directly into the yaml
+  restic:
+    pruneIntervalDays: 7
+    repository: ""
+    retain:
+      hourly: 0
+      daily: 7
+      weekly: 4
+      monthly: 3
+      yearly: 1
+    copyMethod: Snapshot
+    storageClassName: ceph-block
+    volumeSnapshotClassName: ceph-blockpool-snapshot
+    cacheCapacity: 1Gi
+
+  # -- External Secret configuration
+  externalSecret:
+    # This path must contain the BUCKET_ENDPOINT and RESTIC_PASSWORD
+    volsyncPath: /volsync/restic/digital-ocean
+    # This path must contain the AWS/S3 credentials
+    credentialPath: /digital-ocean/home-infra/volsync-backups