feat: tidy external secrets

charts/postgres-cluster/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: postgres-cluster
-version: 7.12.0
+version: 7.12.1
 description: Cloudnative-pg Cluster
 keywords:
   - database

charts/postgres-cluster/README.md

@@ -1,6 +1,6 @@
 # postgres-cluster
 
-![Version: 7.12.0](https://img.shields.io/badge/Version-7.12.0-informational?style=flat-square) ![AppVersion: v1.29.0](https://img.shields.io/badge/AppVersion-v1.29.0-informational?style=flat-square)
+![Version: 7.12.1](https://img.shields.io/badge/Version-7.12.1-informational?style=flat-square) ![AppVersion: v1.29.0](https://img.shields.io/badge/AppVersion-v1.29.0-informational?style=flat-square)
 
 Cloudnative-pg Cluster
 

charts/postgres-cluster/templates/external-secret.yaml

@@ -20,24 +20,15 @@ spec:
   data:
     - secretKey: ACCESS_REGION
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .externalSecretCredentialPath | required "External Secret Credential local path is required" }}
-        metadataPolicy: None
         property: ACCESS_REGION
     - secretKey: ACCESS_KEY_ID
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .externalSecretCredentialPath | required "External Secret Credential local path is required" }}
-        metadataPolicy: None
         property: ACCESS_KEY_ID
     - secretKey: ACCESS_SECRET_KEY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .externalSecretCredentialPath| required "External Secret Credential local path is required" }}
-        metadataPolicy: None
         property: ACCESS_SECRET_KEY
 {{ end -}}
 {{ end }}
@@ -62,23 +53,14 @@ spec:
   data:
     - secretKey: ACCESS_REGION
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .Values.recovery.objectStore.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
-        metadataPolicy: None
         property: ACCESS_REGION
     - secretKey: ACCESS_KEY_ID
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .Values.recovery.objectStore.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
-        metadataPolicy: None
         property: ACCESS_KEY_ID
     - secretKey: ACCESS_SECRET_KEY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .Values.recovery.objectStore.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
-        metadataPolicy: None
         property: ACCESS_SECRET_KEY
 {{- end }}

charts/volsync-target/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: volsync-target
-version: 0.8.0
+version: 1.0.0
 description: Volsync Replication set to target specific PVC with preconfigured settings
 keywords:
   - volsync-target

charts/volsync-target/README.md

@@ -1,6 +1,6 @@
 # volsync-target
 
-![Version: 0.8.0](https://img.shields.io/badge/Version-0.8.0-informational?style=flat-square) ![AppVersion: 0.15.0](https://img.shields.io/badge/AppVersion-0.15.0-informational?style=flat-square)
+![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![AppVersion: 0.15.0](https://img.shields.io/badge/AppVersion-0.15.0-informational?style=flat-square)
 
 Volsync Replication set to target specific PVC with preconfigured settings
 
@@ -20,21 +20,22 @@ Volsync Replication set to target specific PVC with preconfigured settings
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | additionalLabels | object | `{}` | Add additional labels |
-| external | object | `{"enabled":true,"externalSecret":{"credentialPath":"/digital-ocean/home-infra/volsync-backups","volsyncPath":"/volsync/restic/digital-ocean"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 9 * * *"}` | External backup configuration |
+| external | object | `{"enabled":true,"externalSecret":{"bucketPath":"/digital-ocean/config","credentialPath":"/digital-ocean/home-infra/volsync-backups"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 9 * * *"}` | External backup configuration |
-| external.externalSecret | object | `{"credentialPath":"/digital-ocean/home-infra/volsync-backups","volsyncPath":"/volsync/restic/digital-ocean"}` | External Secret configuration |
+| external.externalSecret | object | `{"bucketPath":"/digital-ocean/config","credentialPath":"/digital-ocean/home-infra/volsync-backups"}` | External Secret configuration |
 | external.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
 | external.schedule | string | `"0 9 * * *"` | 5 character cron schedule |
 | externalSecrets | object | `{"enabled":true}` | Use external secrets |
-| local | object | `{"enabled":false,"externalSecret":{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-local"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 8 * * *"}` | Local backup configuration |
+| kubernetesClusterName | string | `"cl01tl"` | Kubernetes cluster name |
-| local.externalSecret | object | `{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-local"}` | External Secret configuration |
+| local | object | `{"enabled":false,"externalSecret":{"bucketPath":"/garage/config","credentialPath":"/garage/home-infra/volsync-backups"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 8 * * *"}` | Local backup configuration |
+| local.externalSecret | object | `{"bucketPath":"/garage/config","credentialPath":"/garage/home-infra/volsync-backups"}` | External Secret configuration |
 | local.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
 | local.schedule | string | `"0 8 * * *"` | 5 character cron schedule |
 | moverSecurityContext | object | `{}` | Glocal security context for restic mover |
 | nameOverride | string | `""` | Default pattern follows <pvcTarget>-backup |
 | namespaceOverride | string | `""` | Override the namespace of the chart |
 | pvcTarget | string | `"data"` | Name of the PVC target |
-| remote | object | `{"enabled":false,"externalSecret":{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-remote"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 10 * * *"}` | Remote backup configuration |
+| remote | object | `{"enabled":false,"externalSecret":{"bucketPath":"/garage/config","credentialPath":"/garage/home-infra/volsync-backups"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 10 * * *"}` | Remote backup configuration |
-| remote.externalSecret | object | `{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-remote"}` | External Secret configuration |
+| remote.externalSecret | object | `{"bucketPath":"/garage/config","credentialPath":"/garage/home-infra/volsync-backups"}` | External Secret configuration |
 | remote.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
 | remote.schedule | string | `"0 10 * * *"` | 5 character cron schedule |
 

charts/volsync-target/templates/external-secret.yaml

@@ -14,48 +14,37 @@ metadata:
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   target:
     template:
       mergePolicy: Merge
       engineVersion: v2
       data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
+        RESTIC_REPOSITORY: "s3:{{ `{{ .ENDPOINT }}` }}/{{ `{{ .BUCKET }}` }}/{{ .Values.kubernetesClusterName }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
   data:
-    - secretKey: BUCKET_ENDPOINT
+    - secretKey: ENDPOINT
       remoteRef:
-        conversionStrategy: Default
+        key: {{ .Values.local.externalSecret.bucketPath | required "External Secret Volsync local path is required" }}
-        decodingStrategy: None
+        property: ENDPOINT_LOCAL
-        key: {{ .Values.local.externalSecret.volsyncPath | required "External Secret Volsync local path is required" }}
+    - secretKey: BUCKET
-        metadataPolicy: None
+      remoteRef:
-        property: BUCKET_ENDPOINT
+        key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Volsync local path is required" }}
+        property: BUCKET
     - secretKey: RESTIC_PASSWORD
       remoteRef:
-        conversionStrategy: Default
+        key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Volsync local path is required" }}
-        decodingStrategy: None
+        property: RESTIC_PASSWORD_LOCAL
-        key: {{ .Values.local.externalSecret.volsyncPath | required "External Secret Volsync local path is required" }}
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
     - secretKey: AWS_DEFAULT_REGION
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
-        metadataPolicy: None
         property: ACCESS_REGION
     - secretKey: AWS_ACCESS_KEY_ID
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
-        metadataPolicy: None
         property: ACCESS_KEY_ID
     - secretKey: AWS_SECRET_ACCESS_KEY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
-        metadataPolicy: None
         property: ACCESS_SECRET_KEY
 {{- end }}
 
@@ -75,48 +64,37 @@ metadata:
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   target:
     template:
       mergePolicy: Merge
       engineVersion: v2
       data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
+        RESTIC_REPOSITORY: "s3:{{ `{{ .ENDPOINT }}` }}/{{ `{{ .BUCKET }}` }}/{{ .Values.kubernetesClusterName }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
   data:
-    - secretKey: BUCKET_ENDPOINT
+    - secretKey: ENDPOINT
       remoteRef:
-        conversionStrategy: Default
+        key: {{ .Values.remote.externalSecret.bucketPath | required "External Secret Volsync local path is required" }}
-        decodingStrategy: None
+        property: ENDPOINT_REMOTE
-        key: {{ .Values.remote.externalSecret.volsyncPath | required "External Secret Volsync remote path is required" }}
+    - secretKey: BUCKET
-        metadataPolicy: None
+      remoteRef:
-        property: BUCKET_ENDPOINT
+        key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Volsync local path is required" }}
+        property: BUCKET
     - secretKey: RESTIC_PASSWORD
       remoteRef:
-        conversionStrategy: Default
+        key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Volsync local path is required" }}
-        decodingStrategy: None
+        property: RESTIC_PASSWORD_REMOTE
-        key: {{ .Values.remote.externalSecret.volsyncPath | required "External Secret Volsync remote path is required" }}
-        metadataPolicy: None
-        property: RESTIC_PASSWORD
     - secretKey: AWS_DEFAULT_REGION
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Credential remote path is required" }}
-        metadataPolicy: None
         property: ACCESS_REGION
     - secretKey: AWS_ACCESS_KEY_ID
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Credential remote path is required" }}
-        metadataPolicy: None
         property: ACCESS_KEY_ID
     - secretKey: AWS_SECRET_ACCESS_KEY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Credential remote path is required" }}
-        metadataPolicy: None
         property: ACCESS_SECRET_KEY
 {{- end }}
 
@@ -136,47 +114,36 @@ metadata:
 spec:
   secretStoreRef:
     kind: ClusterSecretStore
-    name: vault
+    name: openbao
   target:
     template:
       mergePolicy: Merge
       engineVersion: v2
       data:
-        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
+        RESTIC_REPOSITORY: "s3:{{ `{{ .ENDPOINT }}` }}/{{ `{{ .BUCKET }}` }}/{{ .Values.kubernetesClusterName }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
   data:
-    - secretKey: BUCKET_ENDPOINT
+    - secretKey: ENDPOINT
       remoteRef:
-        conversionStrategy: Default
+        key: {{ .Values.external.externalSecret.bucketPath | required "External Secret Volsync external path is required" }}
-        decodingStrategy: None
+        property: ENDPOINT
-        key: {{ .Values.external.externalSecret.volsyncPath | required "External Secret Volsync external path is required" }}
+    - secretKey: BUCKET
-        metadataPolicy: None
+      remoteRef:
-        property: BUCKET_ENDPOINT
+        key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Volsync local path is required" }}
+        property: BUCKET
     - secretKey: RESTIC_PASSWORD
       remoteRef:
-        conversionStrategy: Default
+        key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Volsync external path is required" }}
-        decodingStrategy: None
-        key: {{ .Values.external.externalSecret.volsyncPath | required "External Secret Volsync external path is required" }}
-        metadataPolicy: None
         property: RESTIC_PASSWORD
     - secretKey: AWS_DEFAULT_REGION
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Credential external path is required" }}
-        metadataPolicy: None
+        property: AWS_REGION
-        property: AWS_DEFAULT_REGION
     - secretKey: AWS_ACCESS_KEY_ID
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Credential external path is required" }}
-        metadataPolicy: None
         property: AWS_ACCESS_KEY_ID
     - secretKey: AWS_SECRET_ACCESS_KEY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Credential external path is required" }}
-        metadataPolicy: None
         property: AWS_SECRET_ACCESS_KEY
 {{- end }}

charts/volsync-target/values.yaml

@@ -4,6 +4,9 @@ nameOverride: ""
 # -- Override the namespace of the chart
 namespaceOverride: ""
 
+# -- Kubernetes cluster name
+kubernetesClusterName: cl01tl
+
 # -- Add additional labels
 additionalLabels: {}
 
@@ -41,9 +44,9 @@ local:
 
   # -- External Secret configuration
   externalSecret:
-    # This path must contain the BUCKET_ENDPOINT and RESTIC_PASSWORD
+    # This path must contain the BUCKET_ENDPOINT
-    volsyncPath: /volsync/restic/garage-local
+    bucketPath: /garage/config
-    # This path must contain the AWS/S3 credentials
+    # This path must contain the AWS/S3 credentials and RESTIC_PASSWORD
     credentialPath: /garage/home-infra/volsync-backups
 
 # -- Remote backup configuration
@@ -70,9 +73,9 @@ remote:
 
   # -- External Secret configuration
   externalSecret:
-    # This path must contain the BUCKET_ENDPOINT and RESTIC_PASSWORD
+    # This path must contain the BUCKET_ENDPOINT
-    volsyncPath: /volsync/restic/garage-remote
+    bucketPath: /garage/config
-    # This path must contain the AWS/S3 credentials
+    # This path must contain the AWS/S3 credentials and RESTIC_PASSWORD
     credentialPath: /garage/home-infra/volsync-backups
 
 # -- External backup configuration
@@ -99,7 +102,7 @@ external:
 
   # -- External Secret configuration
   externalSecret:
-    # This path must contain the BUCKET_ENDPOINT and RESTIC_PASSWORD
+    # This path must contain the ENDPOINT
-    volsyncPath: /volsync/restic/digital-ocean
+    bucketPath: /digital-ocean/config
-    # This path must contain the AWS/S3 credentials
+    # This path must contain the AWS/S3 credentials and RESTIC_PASSWORD
     credentialPath: /digital-ocean/home-infra/volsync-backups