change default retention

charts/generic-device-plugin/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: generic-device-plugin
-version: 0.20.8
+version: 0.20.9
 description: Generic Device Plugin
 keywords:
   - generic-device-plugin

charts/generic-device-plugin/values.yaml

@@ -4,7 +4,7 @@ name: generic-device-plugin
 # -- Default image
 image:
   repository: ghcr.io/squat/generic-device-plugin
-  tag: latest@sha256:29a59a330b93ed4173109839329796a39c528d0d0afeee76291b33787ae19001
+  tag: latest@sha256:2b53d255017668d70d7f59ff0b874a66c3a50922d1f8cfff182e4c55b82251a1
   pullPolicy: Always
 
 # -- Domain used by devices for identifcation

charts/postgres-cluster/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: postgres-cluster
-version: 7.1.4
+version: 7.4.1
 description: Cloudnative-pg Cluster
 keywords:
   - database

charts/postgres-cluster/README.md

@@ -1,6 +1,6 @@
 # postgres-cluster
 
-![Version: 7.1.4](https://img.shields.io/badge/Version-7.1.4-informational?style=flat-square) ![AppVersion: v1.28.0](https://img.shields.io/badge/AppVersion-v1.28.0-informational?style=flat-square)
+![Version: 7.4.1](https://img.shields.io/badge/Version-7.4.1-informational?style=flat-square) ![AppVersion: v1.28.0](https://img.shields.io/badge/AppVersion-v1.28.0-informational?style=flat-square)
 
 Cloudnative-pg Cluster
 
@@ -19,11 +19,12 @@ Cloudnative-pg Cluster
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| backup | object | `{"method":"objectStore","objectStore":[],"scheduledBackups":[]}` | Backup settings |
+| backup | object | `{"externalSecret":{"enabled":true},"method":"objectStore","objectStore":[{"destinationBucket":"postres-backups","externalSecretCredentialPath":"/garage/home-infra/postgres-backups","index":1,"isWALArchiver":true,"name":"garage-local"}],"scheduledBackups":[]}` | Backup settings |
+| backup.externalSecret | object | `{"enabled":true}` | Use generated External Secrets, credentialPath points at path in cluster store that contains the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY |
 | backup.method | string | `"objectStore"` | Method to create backups, options currently are only objectStore |
-| backup.objectStore | list | `[]` | Options for object store backups |
+| backup.objectStore | list | `[{"destinationBucket":"postres-backups","externalSecretCredentialPath":"/garage/home-infra/postgres-backups","index":1,"isWALArchiver":true,"name":"garage-local"}]` | Options for object store backups |
 | backup.scheduledBackups | list | `[]` | List of scheduled backups |
-| cluster | object | `{"additionalLabels":{},"affinity":{"enablePodAntiAffinity":true,"topologyKey":"kubernetes.io/hostname"},"annotations":{},"certificates":{},"enablePDB":true,"enableSuperuserAccess":false,"image":{"repository":"ghcr.io/cloudnative-pg/postgresql","tag":"18.1-standard-trixie"},"imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"initdb":{"database":"app","owner":"app"},"instances":3,"logLevel":"info","monitoring":{"customQueries":[],"customQueriesSecret":[],"disableDefaultQueries":false,"enabled":true,"podMonitor":{"enabled":true,"metricRelabelings":[],"relabelings":[]},"prometheusRule":{"enabled":true,"excludeRules":["CNPGClusterLastFailedArchiveTimeWarning"]}},"postgresGID":-1,"postgresUID":-1,"postgresql":{"ldap":{},"parameters":{"hot_standby_feedback":"on","max_slot_wal_keep_size":"2000MB","shared_buffers":"128MB"},"pg_hba":[],"pg_ident":[],"shared_preload_libraries":[],"synchronous":{}},"primaryUpdateMethod":"switchover","primaryUpdateStrategy":"unsupervised","priorityClassName":"","resources":{"limits":{"hugepages-2Mi":"256Mi"},"requests":{"cpu":"100m","memory":"256Mi"}},"roles":[],"serviceAccountTemplate":{},"services":{},"storage":{"size":"10Gi","storageClass":""},"superuserSecret":"","walStorage":{"enabled":true,"size":"2Gi","storageClass":""}}` | Cluster settings |
+| cluster | object | `{"additionalLabels":{},"affinity":{"enablePodAntiAffinity":true,"topologyKey":"kubernetes.io/hostname"},"annotations":{},"certificates":{},"enablePDB":true,"enableSuperuserAccess":false,"image":{"repository":"ghcr.io/cloudnative-pg/postgresql","tag":"18.1-standard-trixie"},"imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"initdb":{"database":"app","owner":"app"},"instances":3,"logLevel":"info","monitoring":{"customQueries":[],"customQueriesSecret":[],"disableDefaultQueries":false,"enabled":true,"podMonitor":{"enabled":true,"metricRelabelings":[],"relabelings":[]},"prometheusRule":{"enabled":true,"excludeRules":["CNPGClusterLastFailedArchiveTimeWarning"]}},"postgresGID":-1,"postgresUID":-1,"postgresql":{"ldap":{},"parameters":{"hot_standby_feedback":"on","max_slot_wal_keep_size":"2000MB","shared_buffers":"128MB"},"pg_hba":[],"pg_ident":[],"shared_preload_libraries":[],"synchronous":{}},"primaryUpdateMethod":"switchover","primaryUpdateStrategy":"unsupervised","priorityClassName":"","resources":{"limits":{"hugepages-2Mi":"256Mi"},"requests":{"cpu":"100m","memory":"256Mi"}},"roles":[],"serviceAccountTemplate":{},"services":{},"storage":{"size":"10Gi","storageClass":"local-path"},"superuserSecret":"","walStorage":{"enabled":true,"size":"2Gi","storageClass":"local-path"}}` | Cluster settings |
 | cluster.affinity | object | `{"enablePodAntiAffinity":true,"topologyKey":"kubernetes.io/hostname"}` | Affinity/Anti-affinity rules for Pods. See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-AffinityConfiguration |
 | cluster.certificates | object | `{}` | The configuration for the CA and related certificates. See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-CertificatesConfiguration |
 | cluster.enablePDB | bool | `true` | Allow to disable PDB, mainly useful for upgrade of single-instance clusters or development purposes See: https://cloudnative-pg.io/documentation/current/kubernetes_upgrade/#pod-disruption-budgets |
@@ -57,13 +58,14 @@ Cloudnative-pg Cluster
 | cluster.roles | list | `[]` | This feature enables declarative management of existing roles, as well as the creation of new roles if they are not already present in the database. See: https://cloudnative-pg.io/documentation/current/declarative_role_management/ |
 | cluster.serviceAccountTemplate | object | `{}` | Configure the metadata of the generated service account |
 | cluster.services | object | `{}` | Customization of service definitions. Please refer to https://cloudnative-pg.io/documentation/current/service_management/ |
-| cluster.storage | object | `{"size":"10Gi","storageClass":""}` | Default storage size |
+| cluster.storage | object | `{"size":"10Gi","storageClass":"local-path"}` | Default storage size |
 | databases | list | `[]` | Database management configuration |
+| kubernetesClusterName | string | `"cl01tl"` | Kubernetes cluster name |
 | mode | string | `"standalone"` | Cluster mode of operation. Available modes: * `standalone` - Default mode. Creates new or updates an existing CNPG cluster. * `recovery` - Same as standalone but creates a cluster from a backup, object store or via pg_basebackup |
 | nameOverride | string | `""` | Override the name of the cluster |
 | namespaceOverride | string | `""` | Override the namespace of the chart |
 | poolers | list | `[]` | List of PgBouncer poolers |
-| recovery | object | `{"backup":{"backupName":"","database":"app","owner":"","pitrTarget":{"time":""}},"import":{"databases":[],"pgDumpExtraOptions":[],"pgRestoreExtraOptions":[],"postImportApplicationSQL":[],"roles":[],"schemaOnly":false,"source":{"database":"app","host":"","passwordSecret":{"create":false,"key":"password","name":"","value":""},"port":5432,"sslCertSecret":{"key":"","name":""},"sslKeySecret":{"key":"","name":""},"sslMode":"verify-full","sslRootCertSecret":{"key":"","name":""},"username":"app"},"type":"microservice"},"method":"backup","objectStore":{"clusterName":"","data":{"compression":"snappy","encryption":"","jobs":1},"database":"app","destinationPath":"","endpointCA":{"create":false,"key":"","name":""},"endpointCredentials":"","endpointURL":"https://nyc3.digitaloceanspaces.com","index":1,"name":"recovery","owner":"","pitrTarget":{"time":""},"wal":{"compression":"snappy","encryption":"","maxParallel":1}},"pgBaseBackup":{"database":"app","owner":"","secret":"","source":{"database":"app","host":"","passwordSecret":{"create":false,"key":"password","name":"","value":""},"port":5432,"sslCertSecret":{"key":"","name":""},"sslKeySecret":{"key":"","name":""},"sslMode":"disable","sslRootCertSecret":{"key":"","name":""},"username":""}}}` | Recovery settings when booting cluster from external cluster |
+| recovery | object | `{"backup":{"backupName":"","database":"app","owner":"","pitrTarget":{"time":""}},"import":{"databases":[],"pgDumpExtraOptions":[],"pgRestoreExtraOptions":[],"postImportApplicationSQL":[],"roles":[],"schemaOnly":false,"source":{"database":"app","host":"","passwordSecret":{"create":false,"key":"password","name":"","value":""},"port":5432,"sslCertSecret":{"key":"","name":""},"sslKeySecret":{"key":"","name":""},"sslMode":"verify-full","sslRootCertSecret":{"key":"","name":""},"username":"app"},"type":"microservice"},"method":"backup","objectStore":{"clusterName":"","data":{"compression":"snappy","encryption":"","jobs":1},"database":"app","destinationBucket":"postgres-backups","destinationPathOverride":"","endpointCA":{"create":false,"key":"","name":""},"endpointCredentials":"","endpointCredentialsIncludeRegion":true,"endpointURL":"http://garage-main.garage:3900","externalSecret":{"credentialPath":"/garage/home-infra/postgres-backups","enabled":true},"index":1,"owner":"","pitrTarget":{"time":""},"wal":{"compression":"snappy","encryption":"","maxParallel":1}}}` | Recovery settings when booting cluster from external cluster |
 | recovery.backup.backupName | string | `""` | Name of the backup to recover from. |
 | recovery.backup.database | string | `"app"` | Name of the database used by the application. Default: `app`. |
 | recovery.backup.owner | string | `""` | Name of the owner of the database in the instance to be used by applications. Defaults to the value of the `database` key. |
@@ -81,19 +83,21 @@ Cloudnative-pg Cluster
 | recovery.import.source.passwordSecret.name | string | `""` | Name of the secret containing the password |
 | recovery.import.source.passwordSecret.value | string | `""` | The password value to use when creating the secret |
 | recovery.import.type | string | `"microservice"` | One of `microservice` or `monolith.` See: https://cloudnative-pg.io/documentation/current/database_import/#how-it-works |
-| recovery.method | string | `"backup"` | Available recovery methods: * `backup` - Recovers a CNPG cluster from a CNPG backup (PITR supported) Needs to be on the same cluster in the same namespace. * `objectStore` - Recovers a CNPG cluster from a barman object store (PITR supported). * `pgBaseBackup` - Recovers a CNPG cluster viaa streaming replication protocol. Useful if you want to        migrate databases to CloudNativePG, even from outside Kubernetes. * `import` - Import one or more databases from an existing Postgres cluster. |
+| recovery.method | string | `"backup"` | Available recovery methods: * `backup` - Recovers a CNPG cluster from a CNPG backup (PITR supported) Needs to be on the same cluster in the same namespace. * `objectStore` - Recovers a CNPG cluster from a barman object store (PITR supported). * `import` - Import one or more databases from an existing Postgres cluster. |
 | recovery.objectStore.clusterName | string | `""` | Override the name of the backup cluster, defaults to "cluster.name" |
 | recovery.objectStore.data.compression | string | `"snappy"` | Data compression method. One of `` (for no compression), `gzip`, `bzip2` or `snappy`. |
 | recovery.objectStore.data.encryption | string | `""` | Whether to instruct the storage provider to encrypt data files. One of `` (use the storage container default), `AES256` or `aws:kms`. |
 | recovery.objectStore.data.jobs | int | `1` | Number of data files to be archived or restored in parallel. |
 | recovery.objectStore.database | string | `"app"` | Name of the database used by the application. Default: `app`. |
-| recovery.objectStore.destinationPath | string | `""` | Overrides the provider specific default path. Defaults to: S3: s3://<bucket><path> Azure: https://<storageAccount>.<serviceName>.core.windows.net/<containerName><path> Google: gs://<bucket><path> |
+| recovery.objectStore.destinationBucket | string | `"postgres-backups"` | Desitination bucket |
+| recovery.objectStore.destinationPathOverride | string | `""` | Overrides the provider specific default path. Defaults to: S3: s3://<bucket><path> Azure: https://<storageAccount>.<serviceName>.core.windows.net/<containerName><path> Google: gs://<bucket><path> |
 | recovery.objectStore.endpointCA | object | `{"create":false,"key":"","name":""}` | Specifies a CA bundle to validate a privately signed certificate. |
 | recovery.objectStore.endpointCA.create | bool | `false` | Creates a secret with the given value if true, otherwise uses an existing secret. |
-| recovery.objectStore.endpointCredentials | string | `""` | Specifies secret that contains S3 credentials, should contain the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY |
+| recovery.objectStore.endpointCredentials | string | `""` | Defaults to <cluster name>-recovery-secret for the existing secret |
-| recovery.objectStore.endpointURL | string | `"https://nyc3.digitaloceanspaces.com"` | Overrides the provider specific default endpoint. Defaults to: S3: https://s3.<region>.amazonaws.com" Leave empty if using the default S3 endpoint |
+| recovery.objectStore.endpointCredentialsIncludeRegion | bool | `true` | If the S3 endpoint require the ACCESS_REGION variable set in credentials |
+| recovery.objectStore.endpointURL | string | `"http://garage-main.garage:3900"` | Overrides the provider specific default endpoint. Defaults to: S3: https://s3.<region>.amazonaws.com" Leave empty if using the default S3 endpoint |
+| recovery.objectStore.externalSecret | object | `{"credentialPath":"/garage/home-infra/postgres-backups","enabled":true}` | Use generated External Secrets, credentialPath points at path in cluster store that contains the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY |
 | recovery.objectStore.index | int | `1` | Generate external cluster name, uses: {{ .Release.Name }}-postgresql-<major version>-backup-index-{{ index }} |
-| recovery.objectStore.name | string | `"recovery"` | Object store backup name |
 | recovery.objectStore.owner | string | `""` | Name of the owner of the database in the instance to be used by applications. Defaults to the value of the `database` key. |
 | recovery.objectStore.pitrTarget | object | `{"time":""}` | Point in time recovery target. Specify one of the following: |
 | recovery.objectStore.pitrTarget.time | string | `""` | Time in RFC3339 format |
@@ -101,14 +105,6 @@ Cloudnative-pg Cluster
 | recovery.objectStore.wal.compression | string | `"snappy"` | WAL compression method. One of `` (for no compression), `gzip`, `bzip2` or `snappy`. |
 | recovery.objectStore.wal.encryption | string | `""` | Whether to instruct the storage provider to encrypt WAL files. One of `` (use the storage container default), `AES256` or `aws:kms`. |
 | recovery.objectStore.wal.maxParallel | int | `1` | Number of WAL files to be archived or restored in parallel. |
-| recovery.pgBaseBackup.database | string | `"app"` | Name of the database used by the application. Default: `app`. |
-| recovery.pgBaseBackup.owner | string | `""` | Name of the owner of the database in the instance to be used by applications. Defaults to the value of the `database` key. |
-| recovery.pgBaseBackup.secret | string | `""` | Name of the secret containing the initial credentials for the owner of the user database. If empty a new secret will be created from scratch |
-| recovery.pgBaseBackup.source | object | `{"database":"app","host":"","passwordSecret":{"create":false,"key":"password","name":"","value":""},"port":5432,"sslCertSecret":{"key":"","name":""},"sslKeySecret":{"key":"","name":""},"sslMode":"disable","sslRootCertSecret":{"key":"","name":""},"username":""}` | Configuration for the source database |
-| recovery.pgBaseBackup.source.passwordSecret.create | bool | `false` | Whether to create a secret for the password |
-| recovery.pgBaseBackup.source.passwordSecret.key | string | `"password"` | The key in the secret containing the password |
-| recovery.pgBaseBackup.source.passwordSecret.name | string | `""` | Name of the secret containing the password |
-| recovery.pgBaseBackup.source.passwordSecret.value | string | `""` | The password value to use when creating the secret |
 | type | string | `"postgresql"` | Type of the CNPG database. Available types: * `postgresql` |
 
 ----------------------------------------------

charts/postgres-cluster/templates/_bootstrap.tpl

@@ -23,21 +23,7 @@ bootstrap:
 {{- else if eq .Values.mode "recovery" -}}
 bootstrap:
 
-  {{- if eq .Values.recovery.method "pgBaseBackup" }}
+  {{- if eq .Values.recovery.method "import" }}
-  pg_basebackup:
-    source: pgBaseBackupSource
-    {{ with .Values.recovery.pgBaseBackup.database }}
-    database: {{ . }}
-    {{- end }}
-    {{ with .Values.recovery.pgBaseBackup.owner }}
-    owner: {{ . }}
-    {{- end }}
-    {{ with .Values.recovery.pgBaseBackup.secret }}
-    secret:
-      {{- toYaml . | nindent 6 }}
-    {{- end }}
-
-  {{- else if eq .Values.recovery.method "import" }}
   initdb:
     {{- with .Values.cluster.initdb }}
       {{- with (omit . "owner" "import" "postInitApplicationSQL") }}

charts/postgres-cluster/templates/_external_clusters.tpl

@@ -2,10 +2,7 @@
 externalClusters:
 {{- if eq .Values.mode "standalone" }}
 {{- else if eq .Values.mode "recovery" }}
-  {{- if eq .Values.recovery.method "pgBaseBackup" }}
+  {{- if eq .Values.recovery.method "import" }}
-  - name: pgBaseBackupSource
-     {{- include "cluster.externalSourceCluster" .Values.recovery.pgBaseBackup.source | nindent 4 }}
-  {{- else if eq .Values.recovery.method "import" }}
   - name: importSource
      {{- include "cluster.externalSourceCluster" .Values.recovery.import.source | nindent 4 }}
   {{- else if eq .Values.recovery.method "objectStore" }}
@@ -15,7 +12,7 @@ externalClusters:
       enabled: true
       isWALArchiver: false
       parameters:
-        barmanObjectName: "{{ include "cluster.name" . }}-{{ .Values.recovery.objectStore.name }}"
+        barmanObjectName: "{{ include "cluster.name" . }}-recovery"
         serverName: {{ include "cluster.recoveryServerName" . }}
   {{- end }}
 {{- else }}

charts/postgres-cluster/templates/_helpers.tpl

@@ -83,3 +83,51 @@ Generate recovery server name
     {{- printf "%s-backup-%s" (include "cluster.name" .) (toString .Values.recovery.objectStore.index) | trunc 63 | trimSuffix "-" -}}
   {{- end }}
 {{- end }}
+
+{{/*
+Generate recovery destination path
+*/}}
+{{- define "cluster.recoveryDestinationPath" -}}
+  {{- if .Values.recovery.objectStore.destinationPathOverride -}}
+    {{- .Values.recovery.objectStore.destinationPathOverride -}}
+  {{- else -}}
+    {{- printf "s3://%s/%s/%s/%s-cluster" (.Values.recovery.objectStore.destinationBucket) (.Values.kubernetesClusterName) (include "cluster.namespace" .) (include "cluster.name" .) | trimSuffix "-" -}}
+  {{- end }}
+{{- end }}
+
+{{/*
+Generate recovery credentials name
+*/}}
+{{- define "cluster.recoverySecretName" -}}
+  {{- if and (.Values.recovery.objectStore.endpointCredentials) (not .Values.recovery.objectStore.externalSecret.enabled) }}
+    {{- .Values.recovery.objectStore.endpointCredentials | trunc 63 | trimSuffix "-" }}
+  {{- else -}}
+    {{- printf "%s-recovery-secret" (include "cluster.name" .) -}}
+  {{- end }}
+{{- end }}
+
+{{/*
+Generate backup destination path
+*/}}
+{{- define "cluster.backupDestinationPath" -}}
+  {{- if .instance.destinationPathOverride -}}
+    {{- .instance.destinationPathOverride -}}
+  {{- else if .instance.destinationBucket -}}
+    {{- printf "s3://%s/%s/%s/%s-cluster" .instance.destinationBucket .global.Values.kubernetesClusterName (include "cluster.namespace" .global) (include "cluster.name" .global) | trimSuffix "-" -}}
+  {{-  else -}}
+    {{ fail "Invalid destination path!" }}
+  {{- end -}}
+{{- end }}
+
+{{/*
+Generate backup destination path
+*/}}
+{{- define "cluster.backupSecretName" -}}
+  {{- if .instance.endpointCredentialsOverride -}}
+    {{- .instance.endpointCredentialsOverride -}}
+  {{- else if .instance.name -}}
+    {{- printf "%s-backup-%s-secret" (include "cluster.name" .global) .instance.name | trunc 63 | trimSuffix "-" -}}
+  {{-  else -}}
+    {{ fail "Invalid backup secret name!" }}
+  {{- end -}}
+{{- end }}

charts/postgres-cluster/templates/external-secret.yaml

@@ -0,0 +1,84 @@
+{{ if and (eq .Values.backup.method "objectStore") (.Values.backup.externalSecret.enabled) }}
+{{ $context := . -}}
+{{ range .Values.backup.objectStore -}}
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: {{ include "cluster.backupSecretName" (dict "instance" . "global" $context) }}
+  namespace: {{ include "cluster.namespace" $context }}
+  labels:
+    {{- include "cluster.labels" $context | nindent 4 }}
+    app.kubernetes.io/name: {{ include "cluster.backupSecretName" (dict "instance" . "global" $context) }}
+    {{- with $context.Values.cluster.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ACCESS_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .externalSecretCredentialPath | required "External Secret Credential local path is required" }}
+        metadataPolicy: None
+        property: ACCESS_REGION
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .externalSecretCredentialPath | required "External Secret Credential local path is required" }}
+        metadataPolicy: None
+        property: ACCESS_KEY_ID
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .externalSecretCredentialPath| required "External Secret Credential local path is required" }}
+        metadataPolicy: None
+        property: ACCESS_SECRET_KEY
+{{ end -}}
+{{ end }}
+
+{{- if and (eq .Values.recovery.method "objectStore") (.Values.recovery.objectStore.externalSecret.enabled) }}
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: {{ include "cluster.recoverySecretName" . }}
+  namespace: {{ include "cluster.namespace" . }}
+  labels:
+    {{- include "cluster.labels" . | nindent 4 }}
+    app.kubernetes.io/name: {{ include "cluster.recoverySecretName" . }}
+    {{- with .Values.cluster.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ACCESS_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.recovery.objectStore.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
+        metadataPolicy: None
+        property: ACCESS_REGION
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.recovery.objectStore.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
+        metadataPolicy: None
+        property: ACCESS_KEY_ID
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.recovery.objectStore.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
+        metadataPolicy: None
+        property: ACCESS_SECRET_KEY
+{{- end }}

charts/postgres-cluster/templates/object-store.yaml

@@ -5,15 +5,19 @@
 apiVersion: barmancloud.cnpg.io/v1
 kind: ObjectStore
 metadata:
-  name: "{{ include "cluster.name" $context }}-{{ .name }}-backup"
+  name: {{ include "cluster.name" $context }}-backup-{{ .name }}
   namespace: {{ include "cluster.namespace" $context }}
   labels:
     {{- include "cluster.labels" $context | nindent 4 }}
+    app.kubernetes.io/name: {{ include "cluster.name" $context }}-backup-{{ .name }}
+    {{- with $context.Values.cluster.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 spec:
-  retentionPolicy: {{ .retentionPolicy | default "30d" }}
+  retentionPolicy: {{ .retentionPolicy | default "7d" }}
   configuration:
-    destinationPath: {{ .destinationPath | required "Destination path is required" }}
+    destinationPath: {{ include "cluster.backupDestinationPath" (dict "instance" . "global" $context) }}
-    endpointURL: {{ .endpointURL | default "https://nyc3.digitaloceanspaces.com" }}
+    endpointURL: {{ .endpointURL | default "http://garage-main.garage:3900" }}
     {{- if .endpointCA }}
     endpointCA:
       name: {{ .endpointCA.name }}
@@ -37,14 +41,14 @@ spec:
     {{- end }}
     s3Credentials:
       accessKeyId:
-        name: {{ .endpointCredentials | default (printf "%s-cluster-backup-secret" (include "cluster.name" $context) | trunc 63 | trimSuffix "-") }}
+        name: {{ include "cluster.backupSecretName" (dict "instance" . "global" $context) }}
         key: ACCESS_KEY_ID
       secretAccessKey:
-        name: {{ .endpointCredentials | default (printf "%s-cluster-backup-secret" (include "cluster.name" $context) | trunc 63 | trimSuffix "-") }}
+        name: {{ include "cluster.backupSecretName" (dict "instance" . "global" $context) }}
         key: ACCESS_SECRET_KEY
     {{- if .endpointCredentialsIncludeRegion }}
       region:
-        name: {{ .endpointCredentials | default (printf "%s-cluster-backup-secret" (include "cluster.name" $context) | trunc 63 | trimSuffix "-") }}
+        name: {{ include "cluster.backupSecretName" (dict "instance" . "global" $context) }}
         key: ACCESS_REGION
     {{- end }}
 {{ end -}}
@@ -55,13 +59,17 @@ spec:
 apiVersion: barmancloud.cnpg.io/v1
 kind: ObjectStore
 metadata:
-  name: "{{ include "cluster.name" . }}-{{ .Values.recovery.objectStore.name }}"
+  name: "{{ include "cluster.name" . }}-recovery"
   namespace: {{ include "cluster.namespace" . }}
   labels:
     {{- include "cluster.labels" . | nindent 4 }}
+    app.kubernetes.io/name: "{{ include "cluster.name" . }}-recovery"
+    {{- with .Values.cluster.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 spec:
   configuration:
-    destinationPath: {{ .Values.recovery.objectStore.destinationPath }}
+    destinationPath: {{ include "cluster.recoveryDestinationPath" . }}
     endpointURL: {{ .Values.recovery.objectStore.endpointURL }}
     {{- if .Values.recovery.objectStore.endpointCA.name }}
     endpointCA:
@@ -82,9 +90,14 @@ spec:
       jobs: {{ .Values.recovery.objectStore.data.jobs }}
     s3Credentials:
       accessKeyId:
-        name: {{ .Values.recovery.objectStore.endpointCredentials | default (printf "%s-cluster-backup-secret" (include "cluster.name" .) | trunc 63 | trimSuffix "-") }}
+        name: {{ include "cluster.recoverySecretName" . }}
         key: ACCESS_KEY_ID
       secretAccessKey:
-        name: {{ .Values.recovery.objectStore.endpointCredentials | default (printf "%s-cluster-backup-secret" (include "cluster.name" .) | trunc 63 | trimSuffix "-") }}
+        name: {{ include "cluster.recoverySecretName" . }}
         key: ACCESS_SECRET_KEY
+      {{- if .Values.recovery.objectStore.endpointCredentialsIncludeRegion }}
+      region:
+        name: {{ include "cluster.recoverySecretName" . }}
+        key: ACCESS_REGION
+      {{- end }}
 {{ end }}

charts/postgres-cluster/values.yaml

@@ -4,6 +4,9 @@ nameOverride: ""
 # -- Override the namespace of the chart
 namespaceOverride: ""
 
+# -- Kubernetes cluster name
+kubernetesClusterName: cl01tl
+
 # -- Type of the CNPG database. Available types:
 # * `postgresql`
 type: postgresql
@@ -33,12 +36,12 @@ cluster:
   # -- Default storage size
   storage:
     size: 10Gi
-    storageClass: ""
+    storageClass: local-path
 
   walStorage:
     enabled: true
     size: 2Gi
-    storageClass: ""
+    storageClass: local-path
 
   # -- The UID and GID of the postgres user inside the image, defaults to 26
   postgresUID: -1
@@ -221,8 +224,6 @@ recovery:
   # -- Available recovery methods:
   # * `backup` - Recovers a CNPG cluster from a CNPG backup (PITR supported) Needs to be on the same cluster in the same namespace.
   # * `objectStore` - Recovers a CNPG cluster from a barman object store (PITR supported).
-  # * `pgBaseBackup` - Recovers a CNPG cluster viaa streaming replication protocol. Useful if you want to
-  #        migrate databases to CloudNativePG, even from outside Kubernetes.
   # * `import` - Import one or more databases from an existing Postgres cluster.
   method: backup
 
@@ -259,19 +260,19 @@ recovery:
     # -- Name of the owner of the database in the instance to be used by applications. Defaults to the value of the `database` key.
     owner: ""
 
-    # -- Object store backup name
+    # -- Desitination bucket
-    name: recovery
+    destinationBucket: postgres-backups
 
     # -- Overrides the provider specific default path. Defaults to:
     # S3: s3://<bucket><path>
     # Azure: https://<storageAccount>.<serviceName>.core.windows.net/<containerName><path>
     # Google: gs://<bucket><path>
-    destinationPath: ""
+    destinationPathOverride: ""
 
     # -- Overrides the provider specific default endpoint. Defaults to:
     # S3: https://s3.<region>.amazonaws.com"
     # Leave empty if using the default S3 endpoint
-    endpointURL: "https://nyc3.digitaloceanspaces.com"
+    endpointURL: "http://garage-main.garage:3900"
 
     # -- Specifies a CA bundle to validate a privately signed certificate.
     endpointCA:
@@ -287,9 +288,18 @@ recovery:
     # -- Override the name of the backup cluster, defaults to "cluster.name"
     clusterName: ""
 
+    # -- Use generated External Secrets, credentialPath points at path in cluster store that contains the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY
+    externalSecret:
+      enabled: true
+      credentialPath: /garage/home-infra/postgres-backups
+
     # -- Specifies secret that contains S3 credentials, should contain the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY
+    # -- Defaults to <cluster name>-recovery-secret for the existing secret
     endpointCredentials: ""
 
+    # -- If the S3 endpoint require the ACCESS_REGION variable set in credentials
+    endpointCredentialsIncludeRegion: true
+
     # -- Storage
     wal:
 
@@ -312,48 +322,6 @@ recovery:
       # -- Number of data files to be archived or restored in parallel.
       jobs: 1
 
-  # See https://cloudnative-pg.io/documentation/current/bootstrap/#bootstrap-from-a-live-cluster-pg_basebackup
-  pgBaseBackup:
-
-    # -- Name of the database used by the application. Default: `app`.
-    database: app
-
-    # -- Name of the secret containing the initial credentials for the owner of the user database. If empty a new secret will be created from scratch
-    secret: ""
-
-    # -- Name of the owner of the database in the instance to be used by applications. Defaults to the value of the `database` key.
-    owner: ""
-
-    # -- Configuration for the source database
-    source:
-      host: ""
-      port: 5432
-      username: ""
-      database: "app"
-      sslMode: "disable"
-      passwordSecret:
-
-        # -- Whether to create a secret for the password
-        create: false
-
-        # -- Name of the secret containing the password
-        name: ""
-
-        # -- The key in the secret containing the password
-        key: "password"
-
-        # -- The password value to use when creating the secret
-        value: ""
-      sslKeySecret:
-        name: ""
-        key: ""
-      sslCertSecret:
-        name: ""
-        key: ""
-      sslRootCertSecret:
-        name: ""
-        key: ""
-
   # See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-Import
   import:
 
@@ -420,23 +388,41 @@ backup:
   # -- Method to create backups, options currently are only objectStore
   method: objectStore
 
+  # -- Use generated External Secrets, credentialPath points at path in cluster store that contains the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY
+  externalSecret:
+    enabled: true
+
   # -- Options for object store backups
-  objectStore: []
+  objectStore:
+      - name: garage-local
+        index: 1
+        destinationBucket: postres-backups
+        externalSecretCredentialPath: /garage/home-infra/postgres-backups
+        isWALArchiver: true
 
     # -
     #   # -- Object store backup name
     #   name: external
 
+    #   # -- Desitination bucket
+    #   destinationBucket: postgres-backups
+
     #   # -- Overrides the provider specific default path. Defaults to:
     #   # S3: s3://<bucket><path>
     #   # Azure: https://<storageAccount>.<serviceName>.core.windows.net/<containerName><path>
     #   # Google: gs://<bucket><path>
-    #   destinationPath: ""
+    #   destinationPathOverride: ""
 
     #   # -- Overrides the provider specific default endpoint. Defaults to:
-    #   # https://nyc3.digitaloceanspaces.com
+    #   # http://garage-main.garage:3900
     #   endpointURL: ""
 
+    #   # -- Override secret name that contains S3 credentials, should contain the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY
+    #   endpointCredentialsOverride: ""
+
+    #   # -- Path points at path in cluster store that contains the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY
+    #   externalSecretCredentialPath
+
     #   # -- Specifies a CA bundle to validate a privately signed certificate.
     #   endpointCA:
     #     # -- Creates a secret with the given value if true, otherwise uses an existing secret.
@@ -448,12 +434,6 @@ backup:
     #   # -- Generate external cluster name, uses: {{ .Release.Name }}-postgresql-<major version>-backup-index-{{ index }}
     #   index: 1
 
-    #   # -- Override the name of the backup cluster, defaults to "cluster.name"
-    #   clusterName: ""
-
-    #   # -- Specifies secret that contains S3 credentials, should contain the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY
-    #   endpointCredentials: ""
-
     #   # -- Retention policy for backups
     #   retentionPolicy: "30d"