Update helm/chart-testing-action action to v2.8.0

.gitea/workflows/lint-test.yaml

@@ -42,7 +42,7 @@ jobs:
           python-version: '3.14'
 
       - name: Set up Chart Testing
-        uses: helm/chart-testing-action@v2.7.0
+        uses: helm/chart-testing-action@v2.8.0
         with:
           yamale_version: "6.0.0"
 
@@ -170,7 +170,13 @@ jobs:
             helm dependency list --max-col-width 120 charts/$dir 2> /dev/null \
               | tail +2 | head -n -1 \
               | awk '{ print "helm repo add " $1 " " $3 }' \
-              | while read cmd; do echo "$cmd" | sh; done || true
+              | while read cmd; do
+                if [[ "$cmd" == "*oci://*" ]]; then
+                  echo ">> Ignoring OCI repo"
+                else
+                  echo "$cmd" | sh;
+                fi
+              done || true
           done
 
           if helm repo list | tail +2 | read -r; then

.gitea/workflows/release-charts-volsync-target.yml

@@ -0,0 +1,128 @@
+name: release-charts-volsync-target
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "charts/volsync-target/**"
+
+  workflow_dispatch:
+
+env:
+  WORKFLOW_DIR: "charts/volsync-target"
+
+jobs:
+  release:
+    runs-on: ubuntu-js
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          token: ${{ secrets.GITEA_TOKEN }}
+          version: v3.19.2
+
+      - name: Add Repositories
+        run: |
+          cd ${WORKFLOW_DIR}
+
+          echo ">> Adding repositories for chart dependencies ..."
+          helm dependency list --max-col-width 120 2> /dev/null \
+            | tail +2 | head -n -1 \
+            | awk '{ print "helm repo add " $1 " " $3 }' \
+            | while read cmd; do echo "$cmd" | sh; done || true
+
+          if helm repo list | tail +2 | read -r; then
+            echo ">> Update repository cache ..."
+            helm repo update
+          fi
+
+          echo "----"
+
+      - name: Package Helm Chart
+        run: |
+          cd ${WORKFLOW_DIR}
+
+          echo ">> Building helm dependency ..."
+          helm dependency build --skip-refresh --debug
+
+          echo "----"
+
+          echo "PACKAGE_PATH=$(helm package . | awk '{print $NF}')" >> $GITEA_ENV
+
+      - name: Publish Helm Chart to Harbor
+        run: |
+          echo ">> Logging into Harbor ..."
+          helm registry login ${{ vars.REGISTRY_HOST }} -u ${{ vars.REGISTRY_USER }} -p ${{ secrets.REGISTRY_SECRET }} --debug
+
+          echo ""
+          echo ">> Publishing chart to Harbor ..."
+          helm push ${{ env.PACKAGE_PATH }} oci://${{ vars.REGISTRY_HOST }}/helm-charts --debug
+
+          echo "----"
+
+      - name: Publish Helm Chart to Gitea
+        run: |
+          echo ">> Installing Chart Museum plugin ..."
+          helm plugin install https://github.com/chartmuseum/helm-push --debug
+
+          echo ""
+          echo ">> Adding Gitea repository ..."
+          helm repo add --username ${{ gitea.actor }} --password ${{ secrets.REPOSITORY_TOKEN }} helm-charts https://${{ vars.REPOSITORY_HOST }}/api/packages/alexlebens/helm --debug
+
+          echo ""
+          echo ">> Pushing chart to gitea"
+          helm cm-push ${{ env.PACKAGE_PATH }} helm-charts --debug
+
+      - name: Extract Chart Metadata
+        run: |
+          cd ${WORKFLOW_DIR}
+
+          echo ">> Adding Chart metadata to workflow ENV ..."
+          echo ""
+          echo ">> Chart Version: $(yq '.version' Chart.yaml)"
+          echo ">> Chart Name: $(yq '.name' Chart.yaml)"
+
+          echo "----"
+
+          echo "CHART_VERSION=$(yq '.version' Chart.yaml)" >> $GITEA_ENV
+          echo "CHART_NAME=$(yq '.name' Chart.yaml)" >> $GITEA_ENV
+
+      - name: Release Helm Chart
+        uses: akkuman/gitea-release-action@v1
+        with:
+          name: ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}
+          tag_name: ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}
+          files: |-
+            ${{ env.PACKAGE_PATH }}
+
+      - name: ntfy Success
+        uses: niniyas/ntfy-action@master
+        if: success()
+        with:
+          url: '${{ secrets.NTFY_URL }}'
+          topic: '${{ secrets.NTFY_TOPIC }}'
+          title: 'Release Success - ${{ env.CHART_NAME }}'
+          priority: 3
+          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+          tags: action,successfully,completed
+          details: 'Helm Chart ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }} has been released!'
+          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
+
+      - name: ntfy Failed
+        uses: niniyas/ntfy-action@master
+        if: failure()
+        with:
+          url: '${{ secrets.NTFY_URL }}'
+          topic: '${{ secrets.NTFY_TOPIC }}'
+          title: 'Release Failure - ${{ env.CHART_NAME }}'
+          priority: 4
+          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+          tags: action,failed
+          details: 'Helm Chart ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }} has failed to be released.'
+          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
+          actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/helm-charts/actions?workflow=release-charts-volsync-target.yml", "clear": true}]'
+          image: true

charts/generic-device-plugin/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: generic-device-plugin
-version: 0.20.7
+version: 0.20.8
 description: Generic Device Plugin
 keywords:
   - generic-device-plugin

charts/generic-device-plugin/README.md

@@ -1,6 +1,6 @@
 # generic-device-plugin
 
-![Version: 0.20.7](https://img.shields.io/badge/Version-0.20.7-informational?style=flat-square) ![AppVersion: 0.20.4](https://img.shields.io/badge/AppVersion-0.20.4-informational?style=flat-square)
+![Version: 0.20.8](https://img.shields.io/badge/Version-0.20.8-informational?style=flat-square) ![AppVersion: 0.20.4](https://img.shields.io/badge/AppVersion-0.20.4-informational?style=flat-square)
 
 Generic Device Plugin
 
@@ -28,7 +28,7 @@ Generic Device Plugin
 | config | object | `{"data":"devices:\n  - name: serial\n    groups:\n      - paths:\n          - path: /dev/ttyUSB*\n      - paths:\n          - path: /dev/ttyACM*\n      - paths:\n          - path: /dev/tty.usb*\n      - paths:\n          - path: /dev/cu.*\n      - paths:\n          - path: /dev/cuaU*\n      - paths:\n          - path: /dev/rfcomm*\n  - name: video\n    groups:\n      - paths:\n          - path: /dev/video0\n  - name: fuse\n    groups:\n      - count: 10\n        paths:\n          - path: /dev/fuse\n  - name: audio\n    groups:\n      - count: 10\n        paths:\n          - path: /dev/snd\n  - name: capture\n    groups:\n      - paths:\n          - path: /dev/snd/controlC0\n          - path: /dev/snd/pcmC0D0c\n      - paths:\n          - path: /dev/snd/controlC1\n            mountPath: /dev/snd/controlC0\n          - path: /dev/snd/pcmC1D0c\n            mountPath: /dev/snd/pcmC0D0c\n      - paths:\n          - path: /dev/snd/controlC2\n            mountPath: /dev/snd/controlC0\n          - path: /dev/snd/pcmC2D0c\n            mountPath: /dev/snd/pcmC0D0c\n      - paths:\n          - path: /dev/snd/controlC3\n            mountPath: /dev/snd/controlC0\n          - path: /dev/snd/pcmC3D0c\n            mountPath: /dev/snd/pcmC0D0c\n","enabled":true}` | Config map |
 | config.data | string | See [values.yaml](./values.yaml) | generic-device-plugin config file [[ref]](https://github.com/squat/generic-device-plugin#usage) |
 | deviceDomain | string | `"devic.es"` | Domain used by devices for identifcation |
-| image | object | `{"pullPolicy":"Always","repository":"ghcr.io/squat/generic-device-plugin","tag":"latest@sha256:aa0571c7f461fb99747ada00f2de69eb856dcbbc0e87965fffe37a15f7bc006f"}` | Default image |
+| image | object | `{"pullPolicy":"Always","repository":"ghcr.io/squat/generic-device-plugin","tag":"latest@sha256:29a59a330b93ed4173109839329796a39c528d0d0afeee76291b33787ae19001"}` | Default image |
 | name | string | `"generic-device-plugin"` | Name override of release |
 | resources | object | `{"requests":{"cpu":"50m","memory":"10Mi"}}` | Default resources |
 | service | object | `{"listenPort":8080}` | Service port |

charts/generic-device-plugin/values.yaml

@@ -4,7 +4,7 @@ name: generic-device-plugin
 # -- Default image
 image:
   repository: ghcr.io/squat/generic-device-plugin
-  tag: latest@sha256:aa0571c7f461fb99747ada00f2de69eb856dcbbc0e87965fffe37a15f7bc006f
+  tag: latest@sha256:29a59a330b93ed4173109839329796a39c528d0d0afeee76291b33787ae19001
   pullPolicy: Always
 
 # -- Domain used by devices for identifcation

charts/postgres-cluster/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: postgres-cluster
-version: 7.1.0
+version: 7.1.3
 description: Cloudnative-pg Cluster
 keywords:
   - database

charts/postgres-cluster/README.md

@@ -1,6 +1,6 @@
 # postgres-cluster
 
-![Version: 7.1.0](https://img.shields.io/badge/Version-7.1.0-informational?style=flat-square) ![AppVersion: v1.28.0](https://img.shields.io/badge/AppVersion-v1.28.0-informational?style=flat-square)
+![Version: 7.1.3](https://img.shields.io/badge/Version-7.1.3-informational?style=flat-square) ![AppVersion: v1.28.0](https://img.shields.io/badge/AppVersion-v1.28.0-informational?style=flat-square)
 
 Cloudnative-pg Cluster
 

charts/postgres-cluster/templates/_external_clusters.tpl

@@ -14,7 +14,7 @@ externalClusters:
       name: barman-cloud.cloudnative-pg.io
       enabled: true
       isWALArchiver: false
-      barmanObjectStore:
+      parameters:
         barmanObjectName: "{{ include "cluster.name" . }}-{{ .Values.recovery.objectStore.name }}"
         serverName: {{ include "cluster.recoveryServerName" . }}
   {{- end }}

charts/postgres-cluster/templates/databases.yaml

@@ -10,7 +10,7 @@ metadata:
 spec:
   name: {{ .name }}
   cluster:
-    name: {{ include "cluster.name" $ }}
+    name: {{ include "cluster.name" $ }}-cluster
   ensure: {{ .ensure | default "present" }}
   owner: {{ .owner }}
   template: {{ .template | default "template1" }}

charts/redis-replication/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: redis-replication
-version: 0.2.0
+version: 0.5.0
 description: Redis Replication with Sentinel
 keywords:
   - redis-operator

charts/redis-replication/README.md

@@ -1,6 +1,6 @@
 # redis-replication
 
-![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![AppVersion: v0.21.0](https://img.shields.io/badge/AppVersion-v0.21.0-informational?style=flat-square)
+![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat-square) ![AppVersion: v0.21.0](https://img.shields.io/badge/AppVersion-v0.21.0-informational?style=flat-square)
 
 Redis Replication with Sentinel
 
@@ -22,17 +22,17 @@ Redis Replication with Sentinel
 | additionalLabels | object | `{}` | Add additional labels |
 | existingSecret | object | `{"enabled":false,"key":"password","name":"secret-name"}` | Password |
 | namespaceOverride | string | `""` | Override the namespace of the chart |
-| redisReplication | object | `{"clusterSize":3,"image":{"pullPolicy":"IfNotPresent","repository":"quay.io/opstree/redis","tag":"v8.4.0"},"podSecurityContext":{"fsGroup":1000,"runAsUser":1000},"redisExporter":{"enabled":true,"image":{"repository":"quay.io/opstree/redis-exporter","tag":"v1.80.1"},"serviceMonitor":{"enabled":true,"extraLabels":{},"interval":"30s","scrapeTimeout":"10s"}},"resources":{"requests":{"cpu":"10m","memory":"128Mi"}},"volumeClaimTemplate":{"spec":{"accessModes":["ReadWriteOnce"],"resources":{"requests":{"storage":"1Gi"}},"storageClassName":"ceph-block"}}}` | Redis Replication settings |
+| redisReplication | object | `{"clusterSize":3,"image":{"pullPolicy":"IfNotPresent","repository":"quay.io/opstree/redis","tag":"v8.4.0"},"podSecurityContext":{"fsGroup":1000,"runAsUser":1000},"redisExporter":{"enabled":true,"image":{"repository":"quay.io/opstree/redis-exporter","tag":"v1.80.1"},"serviceMonitor":{"enabled":true,"extraLabels":{},"interval":"30s","scrapeTimeout":"10s"}},"resources":{"requests":{"cpu":"10m","memory":"32Mi"}},"volumeClaimTemplate":{"spec":{"accessModes":["ReadWriteOnce"],"resources":{"requests":{"storage":"1Gi"}},"storageClassName":"ceph-block"}}}` | Redis Replication settings |
 | redisReplication.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/opstree/redis","tag":"v8.4.0"}` | Image |
 | redisReplication.podSecurityContext | object | `{"fsGroup":1000,"runAsUser":1000}` | Security |
 | redisReplication.redisExporter | object | `{"enabled":true,"image":{"repository":"quay.io/opstree/redis-exporter","tag":"v1.80.1"},"serviceMonitor":{"enabled":true,"extraLabels":{},"interval":"30s","scrapeTimeout":"10s"}}` | Metrics |
-| redisReplication.resources | object | `{"requests":{"cpu":"10m","memory":"128Mi"}}` | Resources |
+| redisReplication.resources | object | `{"requests":{"cpu":"10m","memory":"32Mi"}}` | Resources |
 | redisReplication.volumeClaimTemplate | object | `{"spec":{"accessModes":["ReadWriteOnce"],"resources":{"requests":{"storage":"1Gi"}},"storageClassName":"ceph-block"}}` | Storage |
-| redisSentinel | object | `{"clusterSize":3,"enabled":false,"image":{"pullPolicy":"IfNotPresent","repository":"quay.io/opstree/redis-sentinel","tag":"v8.4.0"},"podSecurityContext":{"fsGroup":1000,"runAsUser":1000},"redisExporter":{"enabled":true,"image":{"repository":"quay.io/opstree/redis-exporter","tag":"v1.80.1"},"serviceMonitor":{"enabled":true,"extraLabels":{},"interval":"30s","scrapeTimeout":"10s"}},"resources":{"requests":{"cpu":"10m","memory":"128Mi"}}}` | Redis Sentinel settings |
+| redisSentinel | object | `{"clusterSize":3,"enabled":false,"image":{"pullPolicy":"IfNotPresent","repository":"quay.io/opstree/redis-sentinel","tag":"v8.4.0"},"podSecurityContext":{"fsGroup":1000,"runAsUser":1000},"redisExporter":{"enabled":true,"image":{"repository":"quay.io/opstree/redis-exporter","tag":"v1.80.1"},"serviceMonitor":{"enabled":true,"extraLabels":{},"interval":"30s","scrapeTimeout":"10s"}},"resources":{"requests":{"cpu":"10m","memory":"32Mi"}}}` | Redis Sentinel settings |
 | redisSentinel.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/opstree/redis-sentinel","tag":"v8.4.0"}` | Image |
 | redisSentinel.podSecurityContext | object | `{"fsGroup":1000,"runAsUser":1000}` | Security |
 | redisSentinel.redisExporter | object | `{"enabled":true,"image":{"repository":"quay.io/opstree/redis-exporter","tag":"v1.80.1"},"serviceMonitor":{"enabled":true,"extraLabels":{},"interval":"30s","scrapeTimeout":"10s"}}` | Metrics |
-| redisSentinel.resources | object | `{"requests":{"cpu":"10m","memory":"128Mi"}}` | Resources |
+| redisSentinel.resources | object | `{"requests":{"cpu":"10m","memory":"32Mi"}}` | Resources |
 | replicationNameOverride | string | `""` | Override the name of the resources |
 | sentinelNameOverride | string | `""` |  |
 

charts/redis-replication/templates/redis-replication.yaml

@@ -11,7 +11,7 @@ spec:
 
   podSecurityContext:
   {{- with .Values.redisReplication.podSecurityContext }}
-    {{- toYaml . | nindent 10 }}
+    {{- toYaml . | nindent 4 }}
   {{ end }}
 
   kubernetesConfig:
@@ -19,7 +19,7 @@ spec:
     imagePullPolicy: {{ .Values.redisReplication.image.pullPolicy }}
     resources:
     {{- with .Values.redisReplication.resources }}
-      {{- toYaml . | nindent 10 }}
+      {{- toYaml . | nindent 6 }}
     {{ end }}
 
     {{ if .Values.existingSecret.enabled }}
@@ -31,7 +31,7 @@ spec:
   storage:
     volumeClaimTemplate:
     {{- with .Values.redisReplication.volumeClaimTemplate }}
-      {{- toYaml . | nindent 10 }}
+      {{- toYaml . | nindent 6 }}
     {{ end }}
 
   redisExporter:

charts/redis-replication/templates/service-monitor.yaml

@@ -23,7 +23,7 @@ spec:
       scrapeTimeout: {{ .Values.redisReplication.redisExporter.serviceMonitor.scrapeTimeout }}
 {{- end }}
 
-{{- if .Values.redisSentinel.redisExporter.serviceMonitor.enabled }}
+{{- if and (.Values.redisSentinel.redisExporter.serviceMonitor.enabled) (.Values.redisSentinel.enabled) }}
 ---
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor

charts/redis-replication/values.yaml

@@ -20,8 +20,8 @@ redisReplication:
 
   # -- Security
   podSecurityContext:
-    runAsUser: 1000
     fsGroup: 1000
+    runAsUser: 1000
 
   # -- Image
   image:
@@ -33,16 +33,17 @@ redisReplication:
   resources:
     requests:
       cpu: 10m
-      memory: 128Mi
+      memory: 32Mi
 
   # -- Storage
   volumeClaimTemplate:
     spec:
-      storageClassName: ceph-block
+      accessModes:
-      accessModes: ["ReadWriteOnce"]
+        - ReadWriteOnce
       resources:
         requests:
           storage: 1Gi
+      storageClassName: ceph-block
 
   # -- Metrics
   redisExporter:
@@ -76,7 +77,7 @@ redisSentinel:
   resources:
     requests:
       cpu: 10m
-      memory: 128Mi
+      memory: 32Mi
 
   # -- Metrics
   redisExporter:

charts/volsync-target/Chart.yaml

@@ -0,0 +1,16 @@
+apiVersion: v2
+name: volsync-target
+version: 0.5.0
+description: Volsync Replication set to target specific PVC with preconfigured settings
+keywords:
+  - volsync-target
+  - volsync
+  - storage
+  - kubernetes
+sources:
+  - https://github.com/backube/volsync
+  - https://github.com/backube/volsync/tree/main/helm/volsync
+maintainers:
+  - name: alexlebens
+icon: https://raw.githubusercontent.com/backube/volsync/main/docs/media/volsync.svg?sanitize=true
+appVersion: 0.14.0

charts/volsync-target/README.md

@@ -0,0 +1,42 @@
+# volsync-target
+
+![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat-square) ![AppVersion: 0.14.0](https://img.shields.io/badge/AppVersion-0.14.0-informational?style=flat-square)
+
+Volsync Replication set to target specific PVC with preconfigured settings
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| alexlebens |  |  |
+
+## Source Code
+
+* <https://github.com/backube/volsync>
+* <https://github.com/backube/volsync/tree/main/helm/volsync>
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| additionalLabels | object | `{}` | Add additional labels |
+| external | object | `{"enabled":true,"externalSecret":{"credentialPath":"/digital-ocean/home-infra/volsync-backups","volsyncPath":"/volsync/restic/digital-ocean"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":3,"hourly":1,"monthly":2,"weekly":2,"yearly":4},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 4 * * *"}` | External backup configuration |
+| external.externalSecret | object | `{"credentialPath":"/digital-ocean/home-infra/volsync-backups","volsyncPath":"/volsync/restic/digital-ocean"}` | External Secret configuration |
+| external.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":3,"hourly":1,"monthly":2,"weekly":2,"yearly":4},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
+| external.schedule | string | `"0 4 * * *"` | 5 character cron schedule |
+| externalSecrets | object | `{"enabled":true}` | Use external secrets |
+| local | object | `{"enabled":true,"externalSecret":{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-local"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":3,"hourly":1,"monthly":2,"weekly":2,"yearly":4},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 2 * * *"}` | Local backup configuration |
+| local.externalSecret | object | `{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-local"}` | External Secret configuration |
+| local.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":3,"hourly":1,"monthly":2,"weekly":2,"yearly":4},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
+| local.schedule | string | `"0 2 * * *"` | 5 character cron schedule |
+| moverSecurityContext | object | `{}` | Glocal security context for restic mover |
+| nameOverride | string | `""` | Default pattern follows <pvcTarget>-backup |
+| namespaceOverride | string | `""` | Override the namespace of the chart |
+| pvcTarget | string | `"data"` | Name of the PVC target |
+| remote | object | `{"enabled":true,"externalSecret":{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-remote"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":3,"hourly":1,"monthly":2,"weekly":2,"yearly":4},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 3 * * *"}` | Remote backup configuration |
+| remote.externalSecret | object | `{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-remote"}` | External Secret configuration |
+| remote.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":3,"hourly":1,"monthly":2,"weekly":2,"yearly":4},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
+| remote.schedule | string | `"0 3 * * *"` | 5 character cron schedule |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

charts/volsync-target/templates/_helpers.tpl

@@ -0,0 +1,75 @@
+{{/*
+Expand the names
+*/}}
+{{- define "volsync.name" -}}
+  {{- if .Values.nameOverride }}
+    {{- .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+  {{- else }}
+    {{- printf "%s-backup" .Values.pvcTarget -}}
+  {{- end }}
+{{- end }}
+
+{{- define "volsync.localRepoName" -}}
+  {{- if .Values.local.restic.repository }}
+    {{- .Values.local.restic.repository | trunc 63 | trimSuffix "-" }}
+  {{- else }}
+    {{- printf "%s-secret-local" (include "volsync.name" .) -}}
+  {{- end }}
+{{- end }}
+
+{{- define "volsync.remoteRepoName" -}}
+  {{- if .Values.remote.restic.repository }}
+    {{- .Values.remote.restic.repository | trunc 63 | trimSuffix "-" }}
+  {{- else }}
+    {{- printf "%s-secret-remote" (include "volsync.name" .) -}}
+  {{- end }}
+{{- end }}
+
+{{- define "volsync.externalRepoName" -}}
+  {{- if .Values.external.restic.repository }}
+    {{- .Values.external.restic.repository | trunc 63 | trimSuffix "-" }}
+  {{- else }}
+    {{- printf "%s-secret-external" (include "volsync.name" .) -}}
+  {{- end }}
+{{- end }}
+
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts
+*/}}
+{{- define "volsync.namespace" -}}
+  {{- if .Values.namespaceOverride -}}
+    {{- .Values.namespaceOverride -}}
+  {{- else -}}
+    {{- .Release.Namespace -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "volsync.chart" -}}
+  {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "volsync.labels" -}}
+helm.sh/chart: {{ include "volsync.chart" $ }}
+{{ include "volsync.selectorLabels" $ }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.Version | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- with .Values.additionalLabels }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "volsync.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

charts/volsync-target/templates/external-secret.yaml

@@ -0,0 +1,182 @@
+{{- if and (.Values.local.enabled) (.Values.externalSecrets.enabled) }}
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: {{ include "volsync.localRepoName" . }}
+  namespace: {{ include "volsync.namespace" . }}
+  labels:
+    {{- include "volsync.labels" . | nindent 4 }}
+    app.kubernetes.io/name: {{ include "volsync.localRepoName" . }}
+    {{- with .Values.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  target:
+    template:
+      mergePolicy: Merge
+      engineVersion: v2
+      data:
+        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
+  data:
+    - secretKey: BUCKET_ENDPOINT
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.local.externalSecret.volsyncPath | required "External Secret Volsync local path is required" }}
+        metadataPolicy: None
+        property: BUCKET_ENDPOINT
+    - secretKey: RESTIC_PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.local.externalSecret.volsyncPath | required "External Secret Volsync local path is required" }}
+        metadataPolicy: None
+        property: RESTIC_PASSWORD
+    - secretKey: AWS_DEFAULT_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
+        metadataPolicy: None
+        property: ACCESS_REGION
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
+        metadataPolicy: None
+        property: ACCESS_KEY_ID
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
+        metadataPolicy: None
+        property: ACCESS_SECRET_KEY
+{{- end }}
+
+{{- if and (.Values.remote.enabled) (.Values.externalSecrets.enabled) }}
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: {{ include "volsync.remoteRepoName" . }}
+  namespace: {{ include "volsync.namespace" . }}
+  labels:
+    {{- include "volsync.labels" . | nindent 4 }}
+    app.kubernetes.io/name: {{ include "volsync.remoteRepoName" . }}
+    {{- with .Values.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  target:
+    template:
+      mergePolicy: Merge
+      engineVersion: v2
+      data:
+        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
+  data:
+    - secretKey: BUCKET_ENDPOINT
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.remote.externalSecret.volsyncPath | required "External Secret Volsync remote path is required" }}
+        metadataPolicy: None
+        property: BUCKET_ENDPOINT
+    - secretKey: RESTIC_PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.remote.externalSecret.volsyncPath | required "External Secret Volsync remote path is required" }}
+        metadataPolicy: None
+        property: RESTIC_PASSWORD
+    - secretKey: AWS_DEFAULT_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Credential remote path is required" }}
+        metadataPolicy: None
+        property: ACCESS_REGION
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Credential remote path is required" }}
+        metadataPolicy: None
+        property: ACCESS_KEY_ID
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Credential remote path is required" }}
+        metadataPolicy: None
+        property: ACCESS_SECRET_KEY
+{{- end }}
+
+{{- if and (.Values.external.enabled) (.Values.externalSecrets.enabled) }}
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: {{ include "volsync.externalRepoName" . }}
+  namespace: {{ include "volsync.namespace" . }}
+  labels:
+    {{- include "volsync.labels" . | nindent 4 }}
+    app.kubernetes.io/name: {{ include "volsync.externalRepoName" . }}
+    {{- with .Values.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  target:
+    template:
+      mergePolicy: Merge
+      engineVersion: v2
+      data:
+        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
+  data:
+    - secretKey: BUCKET_ENDPOINT
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.external.externalSecret.volsyncPath | required "External Secret Volsync external path is required" }}
+        metadataPolicy: None
+        property: BUCKET_ENDPOINT
+    - secretKey: RESTIC_PASSWORD
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.external.externalSecret.volsyncPath | required "External Secret Volsync external path is required" }}
+        metadataPolicy: None
+        property: RESTIC_PASSWORD
+    - secretKey: AWS_DEFAULT_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Credential external path is required" }}
+        metadataPolicy: None
+        property: AWS_DEFAULT_REGION
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Credential external path is required" }}
+        metadataPolicy: None
+        property: AWS_ACCESS_KEY_ID
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Credential external path is required" }}
+        metadataPolicy: None
+        property: AWS_SECRET_ACCESS_KEY
+{{- end }}

charts/volsync-target/templates/replication-source.yaml

@@ -0,0 +1,107 @@
+{{- if .Values.local.enabled }}
+---
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: {{ include "volsync.name" . }}-source-local
+  namespace: {{ include "volsync.namespace" . }}
+  labels:
+    {{- include "volsync.labels" . | nindent 4 }}
+    app.kubernetes.io/name: {{ include "volsync.name" . }}
+    {{- with .Values.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  sourcePVC: {{ .Values.pvcTarget }}
+  trigger:
+    schedule: {{ .Values.local.schedule }}
+  restic:
+    pruneIntervalDays: {{ .Values.local.restic.pruneIntervalDays }}
+    repository: {{ include "volsync.localRepoName" . }}
+    retain:
+    {{- with .Values.local.restic.retain }}
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- if .Values.moverSecurityContext }}
+    moverSecurityContext:
+    {{- with .Values.moverSecurityContext }}
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- end }}
+    copyMethod: {{ .Values.local.restic.copyMethod }}
+    storageClassName: {{ .Values.local.restic.storageClassName }}
+    volumeSnapshotClassName: {{ .Values.local.restic.volumeSnapshotClassName }}
+    cacheCapacity: {{ .Values.local.restic.cacheCapacity }}
+{{- end }}
+
+{{- if .Values.remote.enabled }}
+---
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: {{ include "volsync.name" . }}-source-remote
+  namespace: {{ include "volsync.namespace" . }}
+  labels:
+    {{- include "volsync.labels" . | nindent 4 }}
+    app.kubernetes.io/name: {{ include "volsync.name" . }}
+    {{- with .Values.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  sourcePVC: {{ .Values.pvcTarget | required "PVC target is required" }}
+  trigger:
+    schedule: {{ .Values.remote.schedule }}
+  restic:
+    pruneIntervalDays: {{ .Values.remote.restic.pruneIntervalDays }}
+    repository: {{ include "volsync.remoteRepoName" . }}
+    retain:
+    {{- with .Values.remote.restic.retain }}
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- if .Values.moverSecurityContext }}
+    moverSecurityContext:
+    {{- with .Values.moverSecurityContext }}
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- end }}
+    copyMethod: {{ .Values.remote.restic.copyMethod }}
+    storageClassName: {{ .Values.remote.restic.storageClassName }}
+    volumeSnapshotClassName: {{ .Values.remote.restic.volumeSnapshotClassName }}
+    cacheCapacity: {{ .Values.remote.restic.cacheCapacity }}
+{{- end }}
+
+{{- if .Values.external.enabled }}
+---
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: {{ include "volsync.name" . }}-source-external
+  namespace: {{ include "volsync.namespace" . }}
+  labels:
+    {{- include "volsync.labels" . | nindent 4 }}
+    app.kubernetes.io/name: {{ include "volsync.name" . }}
+    {{- with .Values.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  sourcePVC: {{ .Values.pvcTarget }}
+  trigger:
+    schedule: {{ .Values.external.schedule }}
+  restic:
+    pruneIntervalDays: {{ .Values.external.restic.pruneIntervalDays }}
+    repository: {{ include "volsync.externalRepoName" . }}
+    retain:
+    {{- with .Values.external.restic.retain }}
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- if .Values.moverSecurityContext }}
+    moverSecurityContext:
+    {{- with .Values.moverSecurityContext }}
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- end }}
+    copyMethod: {{ .Values.external.restic.copyMethod }}
+    storageClassName: {{ .Values.external.restic.storageClassName }}
+    volumeSnapshotClassName: {{ .Values.external.restic.volumeSnapshotClassName }}
+    cacheCapacity: {{ .Values.external.restic.cacheCapacity }}
+{{- end }}

charts/volsync-target/values.yaml

@@ -0,0 +1,105 @@
+# -- Default pattern follows <pvcTarget>-backup
+nameOverride: ""
+
+# -- Override the namespace of the chart
+namespaceOverride: ""
+
+# -- Add additional labels
+additionalLabels: {}
+
+# -- Name of the PVC target
+pvcTarget: "data"
+
+# -- Glocal security context for restic mover
+moverSecurityContext: {}
+
+# -- Use external secrets
+externalSecrets:
+  enabled: true
+
+# -- Local backup configuration
+local:
+  enabled: true
+
+  # -- 5 character cron schedule
+  schedule: 0 2 * * *
+
+  # -- Backup configuration, inserted directly into the yaml
+  restic:
+    pruneIntervalDays: 7
+    repository: ""
+    retain:
+      hourly: 1
+      daily: 3
+      weekly: 2
+      monthly: 2
+      yearly: 4
+    copyMethod: Snapshot
+    storageClassName: ceph-block
+    volumeSnapshotClassName: ceph-blockpool-snapshot
+    cacheCapacity: 1Gi
+
+  # -- External Secret configuration
+  externalSecret:
+    # This path must contain the BUCKET_ENDPOINT and RESTIC_PASSWORD
+    volsyncPath: /volsync/restic/garage-local
+    # This path must contain the AWS/S3 credentials
+    credentialPath: /garage/home-infra/volsync-backups
+
+# -- Remote backup configuration
+remote:
+  enabled: true
+
+  # -- 5 character cron schedule
+  schedule: 0 3 * * *
+
+  # -- Backup configuration, inserted directly into the yaml
+  restic:
+    pruneIntervalDays: 7
+    repository: ""
+    retain:
+      hourly: 1
+      daily: 3
+      weekly: 2
+      monthly: 2
+      yearly: 4
+    copyMethod: Snapshot
+    storageClassName: ceph-block
+    volumeSnapshotClassName: ceph-blockpool-snapshot
+    cacheCapacity: 1Gi
+
+  # -- External Secret configuration
+  externalSecret:
+    # This path must contain the BUCKET_ENDPOINT and RESTIC_PASSWORD
+    volsyncPath: /volsync/restic/garage-remote
+    # This path must contain the AWS/S3 credentials
+    credentialPath: /garage/home-infra/volsync-backups
+
+# -- External backup configuration
+external:
+  enabled: true
+
+  # -- 5 character cron schedule
+  schedule: 0 4 * * *
+
+  # -- Backup configuration, inserted directly into the yaml
+  restic:
+    pruneIntervalDays: 7
+    repository: ""
+    retain:
+      hourly: 1
+      daily: 3
+      weekly: 2
+      monthly: 2
+      yearly: 4
+    copyMethod: Snapshot
+    storageClassName: ceph-block
+    volumeSnapshotClassName: ceph-blockpool-snapshot
+    cacheCapacity: 1Gi
+
+  # -- External Secret configuration
+  externalSecret:
+    # This path must contain the BUCKET_ENDPOINT and RESTIC_PASSWORD
+    volsyncPath: /volsync/restic/digital-ocean
+    # This path must contain the AWS/S3 credentials
+    credentialPath: /digital-ocean/home-infra/volsync-backups