chore(deps): update helm/chart-testing-action action to v2.8.0

2026-03-11 19:36:59 +00:00
52 changed files with 279 additions and 995 deletions
@@ -26,7 +26,7 @@ jobs:
          fetch-depth: 0

      - name: Set up Helm
-        uses: azure/setup-helm@v5
+        uses: azure/setup-helm@v4
        with:
          token: ${{ secrets.GITEA_TOKEN }}
          version: v3.19.2
@@ -42,7 +42,7 @@ jobs:
          python-version: '3.14'

      - name: Set up Chart Testing
-        uses: helm/chart-testing-action@v2.7.0
+        uses: helm/chart-testing-action@v2.8.0
        with:
          yamale_version: "6.0.0"

@@ -118,7 +118,7 @@ jobs:
      - name: Check Branch Exists
        id: check-branch-exists
        if: github.event_name == 'pull_request'
-        uses: GuillaumeFalourd/branch-exists@v1.2
+        uses: GuillaumeFalourd/branch-exists@v1.1
        with:
          branch: ${{ gitea.base_ref }}

@@ -139,7 +139,7 @@ jobs:
          echo "exists=true" >> $GITEA_OUTPUT

      - name: Set up Helm
-        uses: azure/setup-helm@v5
+        uses: azure/setup-helm@v4
        if: steps.branch-exists.outputs.exists == 'true'
        with:
          token: ${{ secrets.GITEA_TOKEN }}
@@ -20,7 +20,7 @@ jobs:
        uses: actions/checkout@v6

      - name: Set up Helm
-        uses: azure/setup-helm@v5
+        uses: azure/setup-helm@v4
        with:
          token: ${{ secrets.GITEA_TOKEN }}
          version: v3.19.2
@@ -20,7 +20,7 @@ jobs:
        uses: actions/checkout@v6

      - name: Set up Helm
-        uses: azure/setup-helm@v5
+        uses: azure/setup-helm@v4
        with:
          token: ${{ secrets.GITEA_TOKEN }}
          version: v3.19.2
@@ -20,7 +20,7 @@ jobs:
        uses: actions/checkout@v6

      - name: Set up Helm
-        uses: azure/setup-helm@v5
+        uses: azure/setup-helm@v4
        with:
          token: ${{ secrets.GITEA_TOKEN }}
          version: v3.19.2
@@ -1,128 +0,0 @@
-name: release-charts-rclone-bucket
-
-on:
-  push:
-    branches:
-      - main
-    paths:
-      - "charts/rclone-bucket/**"
-
-  workflow_dispatch:
-
-env:
-  WORKFLOW_DIR: "charts/rclone-bucket"
-
-jobs:
-  release:
-    runs-on: ubuntu-js
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-
-      - name: Set up Helm
-        uses: azure/setup-helm@v5
-        with:
-          token: ${{ secrets.GITEA_TOKEN }}
-          version: v3.19.2
-
-      - name: Add Repositories
-        run: |
-          cd ${WORKFLOW_DIR}
-
-          echo ">> Adding repositories for chart dependencies ..."
-          helm dependency list --max-col-width 120 2> /dev/null \
-            | tail +2 | head -n -1 \
-            | awk '{ print "helm repo add " $1 " " $3 }' \
-            | while read cmd; do echo "$cmd" | sh; done || true
-
-          if helm repo list | tail +2 | read -r; then
-            echo ">> Update repository cache ..."
-            helm repo update
-          fi
-
-          echo "----"
-
-      - name: Package Helm Chart
-        run: |
-          cd ${WORKFLOW_DIR}
-
-          echo ">> Building helm dependency ..."
-          helm dependency build --skip-refresh --debug
-
-          echo "----"
-
-          echo "PACKAGE_PATH=$(helm package . | awk '{print $NF}')" >> $GITEA_ENV
-
-      - name: Publish Helm Chart to Harbor
-        run: |
-          echo ">> Logging into Harbor ..."
-          helm registry login ${{ vars.REGISTRY_HOST }} -u ${{ vars.REGISTRY_USER }} -p ${{ secrets.REGISTRY_SECRET }} --debug
-
-          echo ""
-          echo ">> Publishing chart to Harbor ..."
-          helm push ${{ env.PACKAGE_PATH }} oci://${{ vars.REGISTRY_HOST }}/helm-charts --debug
-
-          echo "----"
-
-      - name: Publish Helm Chart to Gitea
-        run: |
-          echo ">> Installing Chart Museum plugin ..."
-          helm plugin install https://github.com/chartmuseum/helm-push --debug
-
-          echo ""
-          echo ">> Adding Gitea repository ..."
-          helm repo add --username ${{ gitea.actor }} --password ${{ secrets.REPOSITORY_TOKEN }} helm-charts https://${{ vars.REPOSITORY_HOST }}/api/packages/alexlebens/helm --debug
-
-          echo ""
-          echo ">> Pushing chart to gitea"
-          helm cm-push ${{ env.PACKAGE_PATH }} helm-charts --debug
-
-      - name: Extract Chart Metadata
-        run: |
-          cd ${WORKFLOW_DIR}
-
-          echo ">> Adding Chart metadata to workflow ENV ..."
-          echo ""
-          echo ">> Chart Version: $(yq '.version' Chart.yaml)"
-          echo ">> Chart Name: $(yq '.name' Chart.yaml)"
-
-          echo "----"
-
-          echo "CHART_VERSION=$(yq '.version' Chart.yaml)" >> $GITEA_ENV
-          echo "CHART_NAME=$(yq '.name' Chart.yaml)" >> $GITEA_ENV
-
-      - name: Release Helm Chart
-        uses: akkuman/gitea-release-action@v1
-        with:
-          name: ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}
-          tag_name: ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}
-          files: |-
-            ${{ env.PACKAGE_PATH }}
-
-      - name: ntfy Success
-        uses: niniyas/ntfy-action@master
-        if: success()
-        with:
-          url: '${{ secrets.NTFY_URL }}'
-          topic: '${{ secrets.NTFY_TOPIC }}'
-          title: 'Release Success - ${{ env.CHART_NAME }}'
-          priority: 3
-          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
-          tags: action,successfully,completed
-          details: 'Helm Chart ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }} has been released!'
-          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
-
-      - name: ntfy Failed
-        uses: niniyas/ntfy-action@master
-        if: failure()
-        with:
-          url: '${{ secrets.NTFY_URL }}'
-          topic: '${{ secrets.NTFY_TOPIC }}'
-          title: 'Release Failure - ${{ env.CHART_NAME }}'
-          priority: 4
-          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
-          tags: action,failed
-          details: 'Helm Chart ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }} has failed to be released.'
-          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
-          actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/helm-charts/actions?workflow=release-charts-rclone-bucket.yml", "clear": true}]'
-          image: true
@@ -20,7 +20,7 @@ jobs:
        uses: actions/checkout@v6

      - name: Set up Helm
-        uses: azure/setup-helm@v5
+        uses: azure/setup-helm@v4
        with:
          token: ${{ secrets.GITEA_TOKEN }}
          version: v3.19.2
@@ -20,7 +20,7 @@ jobs:
        uses: actions/checkout@v6

      - name: Set up Helm
-        uses: azure/setup-helm@v5
+        uses: azure/setup-helm@v4
        with:
          token: ${{ secrets.GITEA_TOKEN }}
          version: v3.19.2
@@ -1,16 +1,14 @@
 repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v6.0.0
+    rev: v2.3.0
    hooks:
      - id: end-of-file-fixer
      - id: trailing-whitespace
      - id: check-added-large-files
      - id: check-yaml
-        exclude: '^charts/.*/templates/.*$'
+        exclude: 'charts/'
        args:
          - --multi
-      - id: check-added-large-files
-      - id: check-merge-conflict
  - repo: https://github.com/norwoodj/helm-docs
    rev: v1.14.2
    hooks:
@@ -19,7 +17,3 @@ repos:
          - --chart-search-root=charts
          - --template-files=./_templates.gotmpl
          - --template-files=README.md.gotmpl
-  - repo: https://github.com/gruntwork-io/pre-commit
-    rev: v0.1.30
-    hooks:
-      - id: helmlint
@@ -1,6 +1,6 @@
 dependencies:
 - name: common
  repository: https://bjw-s-labs.github.io/helm-charts/
-  version: 5.0.1
-digest: sha256:754f21ee6fca6dc4a85e91384ff0b919b715234d764ef344bd3bbe93414275d3
-generated: "2026-05-17T20:56:16.253838-05:00"
+  version: 4.6.2
+digest: sha256:35e8f4e5d15d878c246a04eb51de580291f31203fa10e9e4d2318f16026b2061
+generated: "2026-01-16T13:29:29.385123-06:00"
@@ -1,20 +1,19 @@
 apiVersion: v2
 name: cloudflared
-version: 3.3.1
+version: 2.4.0
 description: Cloudflared Tunnel
 keywords:
  - cloudflare
  - tunnel
 sources:
  - https://github.com/cloudflare/cloudflared
-  - https://hub.docker.com/r/cloudflare/cloudflared
  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/library/common
 maintainers:
  - name: alexlebens
 dependencies:
  - name: common
    repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 5.0.1
-icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/cloudflare.png
-# renovate: datasource=docker depName=cloudflare/cloudflared
-appVersion: 2026.5.0
+    version: 4.6.2
+icon: https://avatars.githubusercontent.com/u/314135?s=48&v=4
+# renovate: datasource=github-releases depName=cloudflare/cloudflared
+appVersion: "2026.3.0"
@@ -1,6 +1,6 @@
 # cloudflared

-![Version: 3.3.1](https://img.shields.io/badge/Version-3.3.1-informational?style=flat-square) ![AppVersion: 2026.5.0](https://img.shields.io/badge/AppVersion-2026.5.0-informational?style=flat-square)
+![Version: 2.3.0](https://img.shields.io/badge/Version-2.3.0-informational?style=flat-square) ![AppVersion: 2026.2.0](https://img.shields.io/badge/AppVersion-2026.2.0-informational?style=flat-square)

 Cloudflared Tunnel

@@ -13,29 +13,26 @@ Cloudflared Tunnel
 ## Source Code

 * <https://github.com/cloudflare/cloudflared>
-* <https://hub.docker.com/r/cloudflare/cloudflared>
 * <https://github.com/bjw-s-labs/helm-charts/tree/main/charts/library/common>

 ## Requirements

 | Repository | Name | Version |
 |------------|------|---------|
-| https://bjw-s-labs.github.io/helm-charts/ | common | 5.0.1 |
+| https://bjw-s-labs.github.io/helm-charts/ | common | 4.6.2 |

 ## Values

 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| image | object | `{"pullPolicy":"IfNotPresent","repository":"cloudflare/cloudflared","tag":"2026.5.0@sha256:59bab8d3aceec09bf6bdb07d6beca0225ca5cd7ab79436a87ea97978fe1dc4f9"}` | Default image |
-| metrics | object | `{"enabled":true}` | Metrics |
+| image | object | `{"pullPolicy":"IfNotPresent","repository":"cloudflare/cloudflared","tag":"2026.2.0"}` | Default image |
 | name | string | `""` | Name override of release |
-| protocol | string | `"auto"` | Protocol - Available values are auto, http2, and quic. |
-| resources | object | `{"requests":{"cpu":"1m","memory":"20Mi"}}` | Default resources |
-| secret | object | `{"existingSecret":{"key":"cf-tunnel-token","name":"cloudflared-secret"},"externalSecret":{"additionalLabels":{},"enabled":true,"nameOverride":"","store":{"name":"openbao","path":"/cloudflare/tunnels","property":"token"}}}` | Secret configuration |
+| resources | object | `{"requests":{"cpu":"10m","memory":"128Mi"}}` | Default resources |
+| secret | object | `{"existingSecret":{"key":"cf-tunnel-token","name":"cloudflared-secret"},"externalSecret":{"additionalLabels":{},"enabled":true,"nameOverride":"","store":{"name":"vault","path":"/cloudflare/tunnels","property":"token"}}}` | Secret configuration |
 | secret.existingSecret | object | `{"key":"cf-tunnel-token","name":"cloudflared-secret"}` | Name of existing secret that contains Cloudflare token |
-| secret.externalSecret | object | `{"additionalLabels":{},"enabled":true,"nameOverride":"","store":{"name":"openbao","path":"/cloudflare/tunnels","property":"token"}}` | External Secret configuration |
+| secret.externalSecret | object | `{"additionalLabels":{},"enabled":true,"nameOverride":"","store":{"name":"vault","path":"/cloudflare/tunnels","property":"token"}}` | External Secret configuration |
 | secret.externalSecret.additionalLabels | object | `{}` | Add additional labels |
-| secret.externalSecret.store | object | `{"name":"openbao","path":"/cloudflare/tunnels","property":"token"}` | Cluster store config |
+| secret.externalSecret.store | object | `{"name":"vault","path":"/cloudflare/tunnels","property":"token"}` | Cluster store config |

 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)
@@ -4,14 +4,10 @@
 global:
  nameOverride: {{ include "cloudflared.name" . }}
  fullNameOverride: {{ include "cloudflared.name" . }}
-  createDefaultServiceAccount: true
 controllers:
  main:
    type: deployment
-    replicas: 1
    strategy: Recreate
-    serviceAccount:
-      identifier: {{ .Release.Name }}
    containers:
      main:
        image:
@@ -21,12 +17,8 @@ controllers:
        args:
          - tunnel
          - --protocol
-          - {{ .Values.protocol }}
+          - http2
          - --no-autoupdate
-          {{- if .Values.metrics.enabled }}
-          - --metrics
-          - 0.0.0.0:20241
-          {{- end }}
          - run
          - --token
          - $(CF_MANAGED_TUNNEL_TOKEN)
@@ -37,30 +29,10 @@ controllers:
                name: {{ include "secret.name" . }}
                key: {{ include "secret.key" . }}
        resources:
-          {{- with .Values.resources }}
+        {{- with .Values.resources }}
+        resources:
          {{- toYaml . | nindent 10 }}
-          {{ end }}
-{{- if .Values.metrics.enabled }}
-service:
-  main:
-    controller: main
-    ports:
-      metrics:
-        port: 20241
-        targetPort: 20241
-serviceMonitor:
-  main:
-    selector:
-      matchLabels:
-        app.kubernetes.io/name: {{ include "cloudflared.name" . }}
-        app.kubernetes.io/instance: {{ .Release.Namespace }}
-    serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
-    endpoints:
-      - port: metrics
-        interval: 30s
-        scrapeTimeout: 10s
-        path: /metrics
-{{- end }}
+        {{ end }}
 {{- end -}}
 {{- $_ := mergeOverwrite .Values (include "cloudflared.hardcodedValues" . | fromYaml) -}}

@@ -14,6 +14,10 @@ spec:
  data:
    - secretKey: {{ include "secret.key" . }}
      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
        key: {{ include "secret.path" . }}
+        metadataPolicy: None
        property: {{ .Values.secret.externalSecret.store.property | required "External Secret store property is required" }}
+
 {{- end }}
@@ -1,13 +1,6 @@
 # -- Name override of release
 name: ""

-# -- Protocol - Available values are auto, http2, and quic.
-protocol: auto
-
-# -- Metrics
-metrics:
-  enabled: true
-
 # -- Secret configuration
 secret:

@@ -18,7 +11,7 @@ secret:

    # -- Cluster store config
    store:
-      name: openbao
+      name: vault
      path: /cloudflare/tunnels
      property: token

@@ -33,11 +26,11 @@ secret:
 # -- Default image
 image:
  repository: cloudflare/cloudflared
-  tag: 2026.5.0@sha256:59bab8d3aceec09bf6bdb07d6beca0225ca5cd7ab79436a87ea97978fe1dc4f9
+  tag: "2026.3.0"
  pullPolicy: IfNotPresent

 # -- Default resources
 resources:
  requests:
-    cpu: 1m
-    memory: 20Mi
+    cpu: 10m
+    memory: 128Mi
@@ -1,6 +1,6 @@
 dependencies:
 - name: common
  repository: https://bjw-s-labs.github.io/helm-charts/
-  version: 5.0.1
-digest: sha256:754f21ee6fca6dc4a85e91384ff0b919b715234d764ef344bd3bbe93414275d3
-generated: "2026-05-17T20:56:28.479119-05:00"
+  version: 4.6.2
+digest: sha256:35e8f4e5d15d878c246a04eb51de580291f31203fa10e9e4d2318f16026b2061
+generated: "2026-01-16T13:29:01.760344-06:00"
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: generic-device-plugin
-version: 0.21.6
+version: 0.20.21
 description: Generic Device Plugin
 keywords:
  - generic-device-plugin
@@ -14,5 +14,5 @@ maintainers:
 dependencies:
  - name: common
    repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 5.0.1
-appVersion: 0.21.1
+    version: 4.6.2
+appVersion: 0.20.17
@@ -1,6 +1,6 @@
 # generic-device-plugin

-![Version: 0.21.6](https://img.shields.io/badge/Version-0.21.6-informational?style=flat-square) ![AppVersion: 0.21.1](https://img.shields.io/badge/AppVersion-0.21.1-informational?style=flat-square)
+![Version: 0.20.20](https://img.shields.io/badge/Version-0.20.20-informational?style=flat-square) ![AppVersion: 0.20.17](https://img.shields.io/badge/AppVersion-0.20.17-informational?style=flat-square)

 Generic Device Plugin

@@ -19,7 +19,7 @@ Generic Device Plugin

 | Repository | Name | Version |
 |------------|------|---------|
-| https://bjw-s-labs.github.io/helm-charts/ | common | 5.0.1 |
+| https://bjw-s-labs.github.io/helm-charts/ | common | 4.6.2 |

 ## Values

@@ -28,7 +28,7 @@ Generic Device Plugin
 | config | object | `{"data":"devices:\n  - name: serial\n    groups:\n      - paths:\n          - path: /dev/ttyUSB*\n      - paths:\n          - path: /dev/ttyACM*\n      - paths:\n          - path: /dev/tty.usb*\n      - paths:\n          - path: /dev/cu.*\n      - paths:\n          - path: /dev/cuaU*\n      - paths:\n          - path: /dev/rfcomm*\n  - name: video\n    groups:\n      - paths:\n          - path: /dev/video0\n  - name: fuse\n    groups:\n      - count: 10\n        paths:\n          - path: /dev/fuse\n  - name: audio\n    groups:\n      - count: 10\n        paths:\n          - path: /dev/snd\n  - name: capture\n    groups:\n      - paths:\n          - path: /dev/snd/controlC0\n          - path: /dev/snd/pcmC0D0c\n      - paths:\n          - path: /dev/snd/controlC1\n            mountPath: /dev/snd/controlC0\n          - path: /dev/snd/pcmC1D0c\n            mountPath: /dev/snd/pcmC0D0c\n      - paths:\n          - path: /dev/snd/controlC2\n            mountPath: /dev/snd/controlC0\n          - path: /dev/snd/pcmC2D0c\n            mountPath: /dev/snd/pcmC0D0c\n      - paths:\n          - path: /dev/snd/controlC3\n            mountPath: /dev/snd/controlC0\n          - path: /dev/snd/pcmC3D0c\n            mountPath: /dev/snd/pcmC0D0c\n","enabled":true}` | Config map |
 | config.data | string | See [values.yaml](./values.yaml) | generic-device-plugin config file [[ref]](https://github.com/squat/generic-device-plugin#usage) |
 | deviceDomain | string | `"devic.es"` | Domain used by devices for identifcation |
-| image | object | `{"pullPolicy":"Always","repository":"ghcr.io/squat/generic-device-plugin","tag":"latest@sha256:dc192e164c69b03f156765793a1be62ca437709ae477b27ca7d8f3dcf5021576"}` | Default image |
+| image | object | `{"pullPolicy":"Always","repository":"ghcr.io/squat/generic-device-plugin","tag":"latest@sha256:78127620563730680371e2915d48d69dc3ab513f12c742ca6bcacd156051fd4b"}` | Default image |
 | name | string | `"generic-device-plugin"` | Name override of release |
 | resources | object | `{"requests":{"cpu":"50m","memory":"10Mi"}}` | Default resources |
 | service | object | `{"listenPort":8080}` | Service port |
@@ -4,7 +4,7 @@ name: generic-device-plugin
 # -- Default image
 image:
  repository: ghcr.io/squat/generic-device-plugin
-  tag: latest@sha256:dc192e164c69b03f156765793a1be62ca437709ae477b27ca7d8f3dcf5021576
+  tag: latest@sha256:5acdaa40af84adf8b6f7bb1b8930d4e7be1ebe7f0109f00211ce3df43217b3b7
  pullPolicy: Always

 # -- Domain used by devices for identifcation
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: postgres-cluster
-version: 7.15.0
+version: 7.9.0
 description: Cloudnative-pg Cluster
 keywords:
  - database
@@ -12,4 +12,4 @@ maintainers:
  - name: alexlebens
 icon: https://avatars.githubusercontent.com/u/100373852?s=48&v=4
 # renovate: datasource=github-releases depName=cloudnative-pg/cloudnative-pg
-appVersion: v1.29.1
+appVersion: v1.28.1
@@ -1,6 +1,6 @@
 # postgres-cluster

-![Version: 7.15.0](https://img.shields.io/badge/Version-7.15.0-informational?style=flat-square) ![AppVersion: v1.29.1](https://img.shields.io/badge/AppVersion-v1.29.1-informational?style=flat-square)
+![Version: 7.9.0](https://img.shields.io/badge/Version-7.9.0-informational?style=flat-square) ![AppVersion: v1.28.1](https://img.shields.io/badge/AppVersion-v1.28.1-informational?style=flat-square)

 Cloudnative-pg Cluster

@@ -19,17 +19,17 @@ Cloudnative-pg Cluster

 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| backup | object | `{"externalSecret":{"enabled":true},"method":"objectStore","objectStore":[],"scheduledBackups":[]}` | Backup settings |
+| backup | object | `{"externalSecret":{"enabled":true},"method":"objectStore","objectStore":null,"scheduledBackups":[]}` | Backup settings |
 | backup.externalSecret | object | `{"enabled":true}` | Use generated External Secrets, credentialPath points at path in cluster store that contains the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY |
 | backup.method | string | `"objectStore"` | Method to create backups, options currently are only objectStore |
-| backup.objectStore | list | `[]` | Options for object store backups |
+| backup.objectStore | string | `nil` | Options for object store backups |
 | backup.scheduledBackups | list | `[]` | List of scheduled backups |
-| cluster | object | `{"additionalLabels":{},"affinity":{"enablePodAntiAffinity":true,"topologyKey":"kubernetes.io/hostname"},"annotations":{},"certificates":{},"enablePDB":true,"enableSuperuserAccess":false,"image":{"repository":"ghcr.io/cloudnative-pg/postgresql","tag":"18.4-standard-trixie"},"imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"initdb":{"database":"app","owner":"app"},"instances":3,"logLevel":"info","monitoring":{"customQueries":[],"customQueriesSecret":[],"disableDefaultQueries":false,"enabled":true,"podMonitor":{"enabled":true,"metricRelabelings":[],"relabelings":[]},"prometheusRule":{"enabled":true,"excludeRules":["CNPGClusterLastFailedArchiveTimeWarning"]}},"postgresGID":-1,"postgresUID":-1,"postgresql":{"ldap":{},"parameters":{"hot_standby_feedback":"on","max_slot_wal_keep_size":"2000MB","shared_buffers":"512MB"},"pg_hba":[],"pg_ident":[],"shared_preload_libraries":[],"synchronous":{}},"primaryUpdateMethod":"switchover","primaryUpdateStrategy":"unsupervised","priorityClassName":"","resources":{"limits":{"hugepages-2Mi":"256Mi"},"requests":{"cpu":"50m","memory":"512Mi"}},"roles":[],"serviceAccountTemplate":{},"services":{},"storage":{"size":"10Gi","storageClass":"local-path"},"superuserSecret":"","walStorage":{"enabled":true,"size":"2Gi","storageClass":"local-path"}}` | Cluster settings |
+| cluster | object | `{"additionalLabels":{},"affinity":{"enablePodAntiAffinity":true,"topologyKey":"kubernetes.io/hostname"},"annotations":{},"certificates":{},"enablePDB":true,"enableSuperuserAccess":false,"image":{"repository":"ghcr.io/cloudnative-pg/postgresql","tag":"18.3-standard-trixie"},"imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"initdb":{"database":"app","owner":"app"},"instances":3,"logLevel":"info","monitoring":{"customQueries":[],"customQueriesSecret":[],"disableDefaultQueries":false,"enabled":true,"podMonitor":{"enabled":true,"metricRelabelings":[],"relabelings":[]},"prometheusRule":{"enabled":true,"excludeRules":["CNPGClusterLastFailedArchiveTimeWarning"]}},"postgresGID":-1,"postgresUID":-1,"postgresql":{"ldap":{},"parameters":{"hot_standby_feedback":"on","max_slot_wal_keep_size":"2000MB","shared_buffers":"128MB"},"pg_hba":[],"pg_ident":[],"shared_preload_libraries":[],"synchronous":{}},"primaryUpdateMethod":"switchover","primaryUpdateStrategy":"unsupervised","priorityClassName":"","resources":{"limits":{"hugepages-2Mi":"256Mi"},"requests":{"cpu":"100m","memory":"256Mi"}},"roles":[],"serviceAccountTemplate":{},"services":{},"storage":{"size":"10Gi","storageClass":"local-path"},"superuserSecret":"","walStorage":{"enabled":true,"size":"2Gi","storageClass":"local-path"}}` | Cluster settings |
 | cluster.affinity | object | `{"enablePodAntiAffinity":true,"topologyKey":"kubernetes.io/hostname"}` | Affinity/Anti-affinity rules for Pods. See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-AffinityConfiguration |
 | cluster.certificates | object | `{}` | The configuration for the CA and related certificates. See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-CertificatesConfiguration |
 | cluster.enablePDB | bool | `true` | Allow to disable PDB, mainly useful for upgrade of single-instance clusters or development purposes See: https://cloudnative-pg.io/documentation/current/kubernetes_upgrade/#pod-disruption-budgets |
 | cluster.enableSuperuserAccess | bool | `false` | When this option is enabled, the operator will use the SuperuserSecret to update the postgres user password. If the secret is not present, the operator will automatically create one. When this option is disabled, the operator will ignore the SuperuserSecret content, delete it when automatically created, and then blank the password of the postgres user by setting it to NULL. |
-| cluster.image | object | `{"repository":"ghcr.io/cloudnative-pg/postgresql","tag":"18.4-standard-trixie"}` | Default image |
+| cluster.image | object | `{"repository":"ghcr.io/cloudnative-pg/postgresql","tag":"18.3-standard-trixie"}` | Default image |
 | cluster.imagePullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never or IfNotPresent. If not defined, it defaults to IfNotPresent. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images |
 | cluster.imagePullSecrets | list | `[]` | The list of pull secrets to be used to pull the images. See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-LocalObjectReference |
 | cluster.initdb | object | `{"database":"app","owner":"app"}` | Bootstrap is the configuration of the bootstrap process when initdb is used. See: https://cloudnative-pg.io/documentation/current/bootstrap/ See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-bootstrapinitdb |
@@ -42,20 +42,19 @@ Cloudnative-pg Cluster
 | cluster.monitoring.podMonitor.enabled | bool | `true` | Whether to enable the PodMonitor |
 | cluster.monitoring.podMonitor.metricRelabelings | list | `[]` | The list of metric relabelings for the PodMonitor. Applied to samples before ingestion. |
 | cluster.monitoring.podMonitor.relabelings | list | `[]` | The list of relabelings for the PodMonitor. Applied to samples before scraping. |
-| cluster.monitoring.prometheusRule | object | `{"enabled":true,"excludeRules":["CNPGClusterLastFailedArchiveTimeWarning"]}` | Prometheus rule |
 | cluster.monitoring.prometheusRule.enabled | bool | `true` | Whether to enable the PrometheusRule automated alerts |
 | cluster.monitoring.prometheusRule.excludeRules | list | `["CNPGClusterLastFailedArchiveTimeWarning"]` | Exclude specified rules |
 | cluster.postgresUID | int | `-1` | The UID and GID of the postgres user inside the image, defaults to 26 |
-| cluster.postgresql | object | `{"ldap":{},"parameters":{"hot_standby_feedback":"on","max_slot_wal_keep_size":"2000MB","shared_buffers":"512MB"},"pg_hba":[],"pg_ident":[],"shared_preload_libraries":[],"synchronous":{}}` | Parameters to be set for the database itself See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-PostgresConfiguration |
+| cluster.postgresql | object | `{"ldap":{},"parameters":{"hot_standby_feedback":"on","max_slot_wal_keep_size":"2000MB","shared_buffers":"128MB"},"pg_hba":[],"pg_ident":[],"shared_preload_libraries":[],"synchronous":{}}` | Parameters to be set for the database itself See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-PostgresConfiguration |
 | cluster.postgresql.ldap | object | `{}` | PostgreSQL LDAP configuration (see https://cloudnative-pg.io/documentation/current/postgresql_conf/#ldap-configuration) |
-| cluster.postgresql.parameters | object | `{"hot_standby_feedback":"on","max_slot_wal_keep_size":"2000MB","shared_buffers":"512MB"}` | PostgreSQL configuration options (postgresql.conf) |
+| cluster.postgresql.parameters | object | `{"hot_standby_feedback":"on","max_slot_wal_keep_size":"2000MB","shared_buffers":"128MB"}` | PostgreSQL configuration options (postgresql.conf) |
 | cluster.postgresql.pg_hba | list | `[]` | PostgreSQL Host Based Authentication rules (lines to be appended to the pg_hba.conf file) |
 | cluster.postgresql.pg_ident | list | `[]` | PostgreSQL User Name Maps rules (lines to be appended to the pg_ident.conf file) |
 | cluster.postgresql.shared_preload_libraries | list | `[]` | Lists of shared preload libraries to add to the default ones |
 | cluster.postgresql.synchronous | object | `{}` | Quorum-based Synchronous Replication |
 | cluster.primaryUpdateMethod | string | `"switchover"` | Method to follow to upgrade the primary server during a rolling update procedure, after all replicas have been successfully updated. It can be switchover (default) or restart. |
 | cluster.primaryUpdateStrategy | string | `"unsupervised"` | Strategy to follow to upgrade the primary server during a rolling update procedure, after all replicas have been successfully updated: it can be automated (unsupervised - default) or manual (supervised) |
-| cluster.resources | object | `{"limits":{"hugepages-2Mi":"256Mi"},"requests":{"cpu":"50m","memory":"512Mi"}}` | Resources requirements of every generated Pod. Please refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ for more information. We strongly advise you use the same setting for limits and requests so that your cluster pods are given a Guaranteed QoS. See: https://kubernetes.io/docs/concepts/workloads/pods/pod-qos/ |
+| cluster.resources | object | `{"limits":{"hugepages-2Mi":"256Mi"},"requests":{"cpu":"100m","memory":"256Mi"}}` | Resources requirements of every generated Pod. Please refer to https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ for more information. We strongly advise you use the same setting for limits and requests so that your cluster pods are given a Guaranteed QoS. See: https://kubernetes.io/docs/concepts/workloads/pods/pod-qos/ |
 | cluster.roles | list | `[]` | This feature enables declarative management of existing roles, as well as the creation of new roles if they are not already present in the database. See: https://cloudnative-pg.io/documentation/current/declarative_role_management/ |
 | cluster.serviceAccountTemplate | object | `{}` | Configure the metadata of the generated service account |
 | cluster.services | object | `{}` | Customization of service definitions. Please refer to https://cloudnative-pg.io/documentation/current/service_management/ |
@@ -1,11 +1,12 @@
 {{- define "cluster.bootstrap" -}}
-{{- if eq .Values.mode "standalone" -}}
+
+{{- if eq .Values.mode "standalone" }}
 bootstrap:
  initdb:
    {{- with .Values.cluster.initdb }}
-      {{- with (omit . "postInitApplicationSQL" "owner" "import") }}
-      {{- . | toYaml | nindent 4 }}
-      {{- end }}
+        {{- with (omit . "postInitApplicationSQL" "owner" "import") }}
+            {{- . | toYaml | nindent 4 }}
+        {{- end }}
    {{- end }}
    {{- if .Values.cluster.initdb.owner }}
    owner: {{ tpl .Values.cluster.initdb.owner . }}
@@ -13,18 +14,20 @@ bootstrap:
    {{- if (.Values.cluster.initdb.postInitApplicationSQL) }}
    postInitApplicationSQL:
      {{- with .Values.cluster.initdb }}
-      {{- range .postInitApplicationSQL }}
-      {{- printf "- %s" . | nindent 6 }}
-      {{- end }}
+        {{- range .postInitApplicationSQL }}
+          {{- printf "- %s" . | nindent 6 }}
+        {{- end -}}
      {{- end }}
    {{- end }}
+
 {{- else if eq .Values.mode "recovery" -}}
 bootstrap:
+
  {{- if eq .Values.recovery.method "import" }}
  initdb:
    {{- with .Values.cluster.initdb }}
      {{- with (omit . "owner" "import" "postInitApplicationSQL") }}
-      {{- . | toYaml | nindent 4 }}
+        {{- . | toYaml | nindent 4 }}
      {{- end }}
    {{- end }}
    {{- if .Values.cluster.initdb.owner }}
@@ -55,45 +58,50 @@ bootstrap:
        {{- end }}
      {{- end }}
      schemaOnly: {{ .Values.recovery.import.schemaOnly }}
-      {{- with .Values.recovery.import.pgDumpExtraOptions }}
+      {{ with .Values.recovery.import.pgDumpExtraOptions }}
      pgDumpExtraOptions:
        {{- . | toYaml | nindent 8 }}
      {{- end }}
-      {{- with .Values.recovery.import.pgRestoreExtraOptions }}
+      {{ with .Values.recovery.import.pgRestoreExtraOptions }}
      pgRestoreExtraOptions:
        {{- . | toYaml | nindent 8 }}
      {{- end }}
+
  {{- else if eq .Values.recovery.method "backup" }}
  recovery:
    {{- with .Values.recovery.backup.pitrTarget.time }}
    recoveryTarget:
      targetTime: {{ . }}
    {{- end }}
-    {{- with .Values.recovery.backup.database }}
+    {{ with .Values.recovery.backup.database }}
    database: {{ . }}
    {{- end }}
-    {{- with .Values.recovery.backup.owner }}
+    {{ with .Values.recovery.backup.owner }}
    owner: {{ . }}
    {{- end }}
    backup:
      name: {{ .Values.recovery.backup.backupName }}
+
  {{- else if eq .Values.recovery.method "objectStore" }}
  recovery:
    {{- with .Values.recovery.objectStore.pitrTarget.time }}
    recoveryTarget:
      targetTime: {{ . }}
    {{- end }}
-    {{- with .Values.recovery.objectStore.database }}
+    {{ with .Values.recovery.objectStore.database }}
    database: {{ . }}
    {{- end }}
-    {{- with .Values.recovery.objectStore.owner }}
+    {{ with .Values.recovery.objectStore.owner }}
    owner: {{ . }}
    {{- end }}
    source: {{ include "cluster.recoveryServerName" . }}
-  {{- else -}}
+
+  {{-  else }}
    {{ fail "Invalid recovery mode!" }}
-  {{- end -}}
-{{- else -}}
+  {{- end }}
+
+{{-  else }}
  {{ fail "Invalid cluster mode!" }}
-{{- end -}}
-{{- end -}}
+{{- end }}
+
+{{- end }}
@@ -1,6 +1,6 @@
 {{- define "cluster.externalClusters" -}}
-{{- if eq .Values.mode "standalone" -}}
-{{- else if eq .Values.mode "recovery" -}}
+{{- if eq .Values.mode "standalone" }}
+{{- else if eq .Values.mode "recovery" }}
 externalClusters:
  {{- if eq .Values.recovery.method "import" }}
  - name: importSource
@@ -15,7 +15,7 @@ externalClusters:
        barmanObjectName: "{{ include "cluster.name" . }}-recovery"
        serverName: {{ include "cluster.recoveryServerName" . }}
  {{- end }}
-{{- else -}}
+{{- else }}
  {{ fail "Invalid cluster mode!" }}
-{{- end -}}
-{{- end -}}
+{{- end }}
+{{ end }}
@@ -30,4 +30,4 @@
    name: {{ $config.sslRootCertSecret.name }}
    key: {{ $config.sslRootCertSecret.key }}
  {{- end }}
-{{- end -}}
+{{- end }}
@@ -35,6 +35,7 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 Selector labels
 */}}
 {{- define "cluster.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "cluster.name" $ }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
@@ -90,7 +91,7 @@ Generate recovery destination path
  {{- if .Values.recovery.objectStore.destinationPathOverride -}}
    {{- .Values.recovery.objectStore.destinationPathOverride -}}
  {{- else -}}
-    {{- printf "s3://%s/%s/%s/%s-cluster" (.Values.recovery.objectStore.destinationBucket) (.Values.kubernetesClusterName) (include "cluster.namespace" .) (include "cluster.name" .) | trimSuffix "-" -}}
+    {{- printf "s3://%s/%s/%s/%s-cluster/" (.Values.recovery.objectStore.destinationBucket) (.Values.kubernetesClusterName) (include "cluster.namespace" .) (include "cluster.name" .) | trimSuffix "-" -}}
  {{- end }}
 {{- end }}

@@ -112,7 +113,7 @@ Generate backup destination path
  {{- if .instance.destinationPathOverride -}}
    {{- .instance.destinationPathOverride -}}
  {{- else if .instance.destinationBucket -}}
-    {{- printf "s3://%s/%s/%s/%s-cluster" .instance.destinationBucket .global.Values.kubernetesClusterName (include "cluster.namespace" .global) (include "cluster.name" .global) | trimSuffix "-" -}}
+    {{- printf "s3://%s/%s/%s/%s-cluster/" .instance.destinationBucket .global.Values.kubernetesClusterName (include "cluster.namespace" .global) (include "cluster.name" .global) | trimSuffix "-" -}}
  {{-  else -}}
    {{ fail "Invalid destination path!" }}
  {{- end -}}
@@ -8,7 +8,6 @@ metadata:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  labels:
-    app.kubernetes.io/name: {{ include "cluster.name" . }}-cluster
    {{- include "cluster.labels" . | nindent 4 }}
 spec:
  instances: {{ .Values.cluster.instances }}
@@ -35,7 +34,7 @@ spec:
  {{- with .Values.cluster.resources }}
  resources:
    {{- toYaml . | nindent 4 }}
-  {{- end }}
+  {{ end }}
  {{- with .Values.cluster.affinity }}
  affinity:
    {{- toYaml . | nindent 4 }}
@@ -43,6 +42,7 @@ spec:
  {{- if .Values.cluster.priorityClassName }}
  priorityClassName: {{ .Values.cluster.priorityClassName }}
  {{- end }}
+
  primaryUpdateMethod: {{ .Values.cluster.primaryUpdateMethod }}
  primaryUpdateStrategy: {{ .Values.cluster.primaryUpdateStrategy }}
  logLevel: {{ .Values.cluster.logLevel }}
@@ -56,6 +56,7 @@ spec:
    name: {{ . }}
  {{ end }}
  enablePDB: {{ .Values.cluster.enablePDB }}
+
  postgresql:
    {{- if .Values.cluster.postgresql.shared_preload_libraries }}
    shared_preload_libraries:
@@ -83,6 +84,7 @@ spec:
    parameters:
      {{- toYaml . | nindent 6 }}
    {{- end }}
+
  {{- if not (and (empty .Values.cluster.roles) (empty .Values.cluster.services)) }}
  managed:
    {{- with .Values.cluster.services }}
@@ -94,12 +96,14 @@ spec:
      {{- toYaml . | nindent 6 }}
    {{ end }}
  {{- end }}
+
  {{- with .Values.cluster.serviceAccountTemplate }}
  serviceAccountTemplate:
    {{- toYaml . | nindent 4 }}
  {{- end }}
+
  monitoring:
-    enablePodMonitor: false
+    enablePodMonitor: {{ and .Values.cluster.monitoring.enabled .Values.cluster.monitoring.podMonitor.enabled }}
    disableDefaultQueries: {{ .Values.cluster.monitoring.disableDefaultQueries }}
    {{- if not (empty .Values.cluster.monitoring.customQueries) }}
    customQueriesConfigMap:
@@ -122,9 +126,9 @@ spec:
    {{- with .Values.cluster.monitoring.podMonitor.metricRelabelings }}
    podMonitorMetricRelabelings:
      {{- toYaml . | nindent 6 }}
+    {{ end }}
    {{- end }}
-    {{- end }}
-  {{- if not (empty .Values.backup.objectStore) }}
+
  plugins:
  {{- range $objectStore := .Values.backup.objectStore }}
    - name: barman-cloud.cloudnative-pg.io
@@ -141,7 +145,7 @@ spec:
        {{- else }}
        serverName: "{{ include "cluster.name" $ }}-backup-{{ $objectStore.index }}"
        {{- end }}
-  {{- end -}}
-  {{- end -}}
-  {{- include "cluster.bootstrap" . | nindent 2 -}}
-  {{- include "cluster.externalClusters" . | nindent 2 -}}
+  {{- end }}
+
+  {{ include "cluster.bootstrap" . | nindent 2 }}
+  {{ include "cluster.externalClusters" . | nindent 2 }}
@@ -5,7 +5,6 @@ metadata:
  name: {{ include "cluster.name" $ }}-monitoring
  namespace: {{ include "cluster.namespace" $ }}
  labels:
-    app.kubernetes.io/name: {{ include "cluster.name" $ }}-monitoring
    cnpg.io/reload: ""
    {{- include "cluster.labels" $ | nindent 4 }}
 data:
@@ -6,7 +6,6 @@ metadata:
  name: {{ include "cluster.name" $ }}-database-{{ .name | replace "_" "-" }}
  namespace: {{ include "cluster.namespace" $ }}
  labels:
-    app.kubernetes.io/name: {{ include "cluster.name" $ }}-database-{{ .name | replace "_" "-" }}
    {{- include "cluster.labels" $ | nindent 4 }}
 spec:
  name: {{ .name }}
@@ -1,6 +1,6 @@
-{{- if and (eq .Values.backup.method "objectStore") (.Values.backup.externalSecret.enabled) }}
-{{- $context := . }}
-{{- range .Values.backup.objectStore }}
+{{ if and (eq .Values.backup.method "objectStore") (.Values.backup.externalSecret.enabled) }}
+{{ $context := . -}}
+{{ range .Values.backup.objectStore -}}
 ---
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
@@ -8,30 +8,39 @@ metadata:
  name: {{ include "cluster.backupSecretName" (dict "instance" . "global" $context) }}
  namespace: {{ include "cluster.namespace" $context }}
  labels:
-    app.kubernetes.io/name: {{ include "cluster.backupSecretName" (dict "instance" . "global" $context) }}
    {{- include "cluster.labels" $context | nindent 4 }}
+    app.kubernetes.io/name: {{ include "cluster.backupSecretName" (dict "instance" . "global" $context) }}
    {{- with $context.Values.cluster.additionalLabels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
    - secretKey: ACCESS_REGION
      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
        key: {{ .externalSecretCredentialPath | required "External Secret Credential local path is required" }}
+        metadataPolicy: None
        property: ACCESS_REGION
    - secretKey: ACCESS_KEY_ID
      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
        key: {{ .externalSecretCredentialPath | required "External Secret Credential local path is required" }}
+        metadataPolicy: None
        property: ACCESS_KEY_ID
    - secretKey: ACCESS_SECRET_KEY
      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
        key: {{ .externalSecretCredentialPath| required "External Secret Credential local path is required" }}
+        metadataPolicy: None
        property: ACCESS_SECRET_KEY
-{{- end }}
-{{- end }}
+{{ end -}}
+{{ end }}

 {{- if and (eq .Values.recovery.method "objectStore") (.Values.recovery.objectStore.externalSecret.enabled) }}
 ---
@@ -49,18 +58,27 @@ metadata:
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  data:
    - secretKey: ACCESS_REGION
      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
        key: {{ .Values.recovery.objectStore.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
+        metadataPolicy: None
        property: ACCESS_REGION
    - secretKey: ACCESS_KEY_ID
      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
        key: {{ .Values.recovery.objectStore.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
+        metadataPolicy: None
        property: ACCESS_KEY_ID
    - secretKey: ACCESS_SECRET_KEY
      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
        key: {{ .Values.recovery.objectStore.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
+        metadataPolicy: None
        property: ACCESS_SECRET_KEY
 {{- end }}
@@ -1,6 +1,6 @@
-{{- if (eq .Values.backup.method "objectStore") }}
-{{- $context := . }}
-{{- range .Values.backup.objectStore }}
+{{ if (eq .Values.backup.method "objectStore") }}
+{{ $context := . -}}
+{{ range .Values.backup.objectStore -}}
 ---
 apiVersion: barmancloud.cnpg.io/v1
 kind: ObjectStore
@@ -8,8 +8,8 @@ metadata:
  name: {{ include "cluster.name" $context }}-backup-{{ .name }}
  namespace: {{ include "cluster.namespace" $context }}
  labels:
-    app.kubernetes.io/name: {{ include "cluster.name" $context }}-backup-{{ .name }}
    {{- include "cluster.labels" $context | nindent 4 }}
+    app.kubernetes.io/name: {{ include "cluster.name" $context }}-backup-{{ .name }}
    {{- with $context.Values.cluster.additionalLabels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
@@ -57,9 +57,10 @@ spec:
      region:
        name: {{ include "cluster.backupSecretName" (dict "instance" . "global" $context) }}
        key: ACCESS_REGION
-{{- end }}
-{{- end }}
-{{- if eq .Values.recovery.method "objectStore" }}
+{{ end -}}
+{{ end }}
+
+{{ if eq .Values.recovery.method "objectStore" }}
 ---
 apiVersion: barmancloud.cnpg.io/v1
 kind: ObjectStore
@@ -103,4 +104,4 @@ spec:
      region:
        name: {{ include "cluster.recoverySecretName" . }}
        key: ACCESS_REGION
-{{- end }}
+{{ end }}
@@ -1,18 +0,0 @@
-{{- if and .Values.cluster.monitoring.enabled .Values.cluster.monitoring.podMonitor.enabled }}
---
-apiVersion: monitoring.coreos.com/v1
-kind: PodMonitor
-metadata:
-  name: {{ include "cluster.name" $ }}-cluster
-  namespace: {{ include "cluster.namespace" $ }}
-  labels:
-    app.kubernetes.io/name: {{ include "cluster.name" $ }}-cluster
-    {{- include "cluster.labels" $ | nindent 4 }}
-spec:
-  selector:
-    matchLabels:
-      cnpg.io/cluster: {{ include "cluster.name" $ }}-cluster
-      cnpg.io/podRole: instance
-  podMetricsEndpoints:
-    - port: metrics
-{{- end }}
@@ -6,7 +6,6 @@ metadata:
  name: {{ include "cluster.name" $ }}-pooler-{{ .name }}
  namespace: {{ include "cluster.namespace" $ }}
  labels:
-    app.kubernetes.io/name: {{ include "cluster.name" $ }}-pooler-{{ .name }}
    {{- include "cluster.labels" $ | nindent 4 }}
 spec:
  cluster:
@@ -47,6 +46,6 @@ spec:
  {{- end }}
  {{- with .template }}
  template:
-    {{ . | toYaml | nindent 4 }}
+    {{- . | toYaml | nindent 4 }}
  {{- end }}
 {{- end }}
@@ -1,12 +1,10 @@
-{{- if and .Values.cluster.monitoring.enabled .Values.cluster.monitoring.prometheusRule.enabled }}
---
+{{- if and .Values.cluster.monitoring.enabled .Values.cluster.monitoring.prometheusRule.enabled -}}
 apiVersion: monitoring.coreos.com/v1
 kind: PrometheusRule
 metadata:
  name: {{ include "cluster.name" $ }}-alert-rules
  namespace: {{ include "cluster.namespace" $ }}
  labels:
-    app.kubernetes.io/name: {{ include "cluster.name" $ }}-alert-rules
    {{- include "cluster.labels" $ | nindent 4 }}
 spec:
  groups:
@@ -26,4 +24,4 @@ spec:
        - {{ $tpl }}
        {{- end -}}
        {{- end }}
-{{- end }}
+{{ end }}
@@ -1,5 +1,5 @@
-{{- $context := . }}
-{{- range .Values.backup.scheduledBackups }}
+{{ $context := . -}}
+{{ range .Values.backup.scheduledBackups -}}
 ---
 apiVersion: postgresql.cnpg.io/v1
 kind: ScheduledBackup
@@ -7,8 +7,8 @@ metadata:
  name: "{{ include "cluster.name" $context }}-scheduled-backup-{{ .name }}"
  namespace: {{ include "cluster.namespace" $context }}
  labels:
-    app.kubernetes.io/name: "{{ include "cluster.name" $context }}-scheduled-backup-{{ .name }}"
    {{- include "cluster.labels" $context | nindent 4 }}
+    app.kubernetes.io/name: "{{ include "cluster.name" $context }}-scheduled-backup-{{ .name }}"
 spec:
  immediate: {{ .immediate | default false }}
  suspend: {{ .suspend | default false }}
@@ -21,4 +21,4 @@ spec:
    name: {{ .plugin | default "barman-cloud.cloudnative-pg.io" }}
    parameters:
      barmanObjectName: "{{ include "cluster.name" $context }}-backup-{{ .backupName }}"
-{{- end }}
+{{ end -}}
@@ -23,7 +23,7 @@ cluster:
  # -- Default image
  image:
    repository: ghcr.io/cloudnative-pg/postgresql
-    tag: 18.4-standard-trixie
+    tag: 18.3-standard-trixie

  # -- Image pull policy. One of Always, Never or IfNotPresent. If not defined, it defaults to IfNotPresent. Cannot be updated.
  # More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
@@ -56,8 +56,8 @@ cluster:
  # See: https://kubernetes.io/docs/concepts/workloads/pods/pod-qos/
  resources:
    requests:
-      memory: 512Mi
-      cpu: 50m
+      memory: 256Mi
+      cpu: 100m
    limits:
      hugepages-2Mi: 256Mi

@@ -127,7 +127,6 @@ cluster:
      # Applied to samples before ingestion.
      metricRelabelings: []

-    # -- Prometheus rule
    prometheusRule:

      # -- Whether to enable the PrometheusRule automated alerts
@@ -165,7 +164,7 @@ cluster:

    # -- PostgreSQL configuration options (postgresql.conf)
    parameters:
-      shared_buffers: 512MB
+      shared_buffers: 128MB
      max_slot_wal_keep_size: 2000MB
      hot_standby_feedback: "on"

@@ -394,8 +393,7 @@ backup:
    enabled: true

  # -- Options for object store backups
-  objectStore: []
-
+  objectStore:
    # -
    #   # -- Object store backup name
    #   name: external
@@ -1,6 +0,0 @@
-dependencies:
- name: common
-  repository: https://bjw-s-labs.github.io/helm-charts/
-  version: 5.0.1
-digest: sha256:754f21ee6fca6dc4a85e91384ff0b919b715234d764ef344bd3bbe93414275d3
-generated: "2026-05-17T20:56:33.77714-05:00"
@@ -1,20 +0,0 @@
-apiVersion: v2
-name: rclone-bucket
-version: 0.11.4
-description: Rclone CronJob to replicate buckets
-keywords:
-  - rclone-bucket
-  - rclone
-  - storage
-sources:
-  - https://github.com/rclone/rclone
-  - https://hub.docker.com/r/rclone/rclone
-maintainers:
-  - name: alexlebens
-dependencies:
-  - name: common
-    repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 5.0.1
-icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/rclone.png
-# renovate: datasource=github-releases depName=rclone/rclone
-appVersion: v1.74.1
@@ -1,46 +0,0 @@
-# rclone-bucket
-
-![Version: 0.11.4](https://img.shields.io/badge/Version-0.11.4-informational?style=flat-square) ![AppVersion: v1.74.1](https://img.shields.io/badge/AppVersion-v1.74.1-informational?style=flat-square)
-
-Rclone CronJob to replicate buckets
-
-## Maintainers
-
-| Name | Email | Url |
-| ---- | ------ | --- |
-| alexlebens |  |  |
-
-## Source Code
-
-* <https://github.com/rclone/rclone>
-* <https://hub.docker.com/r/rclone/rclone>
-
-## Requirements
-
-| Repository | Name | Version |
-|------------|------|---------|
-| https://bjw-s-labs.github.io/helm-charts/ | common | 5.0.1 |
-
-## Values
-
-| Key | Type | Default | Description |
-|-----|------|---------|-------------|
-| additionalLabels | object | `{}` | Add additional labels |
-| cronJob | object | `{"backoffLimit":3,"parallelism":1,"schedule":"0 0 * * *","suspend":false,"timeZone":"America/Chicago"}` | CronJob configuration |
-| image | object | `{"pullPolicy":"IfNotPresent","repository":"rclone/rclone","tag":"1.74.1@sha256:eb8788b795f0009324e9572b0e2acb9b56885327c2746b07d67a9d3b893a6602"}` | Default image |
-| metrics | object | `{"enabled":true}` | Metrics |
-| nameOverride | string | `""` | Default pattern follows <pvcTarget>-backup |
-| prometheusRule | object | `{"enabled":true}` | Prometheus Rule |
-| prune | object | `{"ageToPrune":"90d","enabled":false,"exclude":"","include":""}` | Enable prune job |
-| rclone | object | `{"destination":{"bucketName":"bucket","forcePathStyle":true,"providerType":"Other"},"providerType":"Other","source":{"bucketName":"bucket","forcePathStyle":true,"providerType":"Other"}}` | rclone configuration |
-| rclone.destination | object | `{"bucketName":"bucket","forcePathStyle":true,"providerType":"Other"}` | Destination configuration |
-| rclone.source | object | `{"bucketName":"bucket","forcePathStyle":true,"providerType":"Other"}` | Source configuration |
-| secret | object | `{"existingSecretDestination":{"name":"rclone-destination-secret"},"existingSecretSource":{"name":"rclone-source-secret"},"externalSecret":{"additionalLabels":{},"destination":{"config":{"endpointProperty":"ENDPOINT_REMOTE","path":"/config"},"credentials":{"keyIdProperty":"ACCESS_KEY_ID","path":"/credential","regionProperty":"ACCESS_REGION","secretKeyProperty":"ACCESS_SECRET_KEY"},"nameOverride":""},"enabled":true,"source":{"config":{"endpointProperty":"ENDPOINT_LOCAL","path":"/config"},"credentials":{"keyIdProperty":"ACCESS_KEY_ID","path":"/credential","regionProperty":"ACCESS_REGION","secretKeyProperty":"ACCESS_SECRET_KEY"},"nameOverride":""},"storeName":"openbao"}}` | Secret configuration |
-| secret.existingSecretSource | object | `{"name":"rclone-source-secret"}` | Name of existing secret that contains the configuration |
-| secret.externalSecret | object | `{"additionalLabels":{},"destination":{"config":{"endpointProperty":"ENDPOINT_REMOTE","path":"/config"},"credentials":{"keyIdProperty":"ACCESS_KEY_ID","path":"/credential","regionProperty":"ACCESS_REGION","secretKeyProperty":"ACCESS_SECRET_KEY"},"nameOverride":""},"enabled":true,"source":{"config":{"endpointProperty":"ENDPOINT_LOCAL","path":"/config"},"credentials":{"keyIdProperty":"ACCESS_KEY_ID","path":"/credential","regionProperty":"ACCESS_REGION","secretKeyProperty":"ACCESS_SECRET_KEY"},"nameOverride":""},"storeName":"openbao"}` | External Secret configuration |
-| secret.externalSecret.additionalLabels | object | `{}` | Add additional labels |
-| secret.externalSecret.destination | object | `{"config":{"endpointProperty":"ENDPOINT_REMOTE","path":"/config"},"credentials":{"keyIdProperty":"ACCESS_KEY_ID","path":"/credential","regionProperty":"ACCESS_REGION","secretKeyProperty":"ACCESS_SECRET_KEY"},"nameOverride":""}` | Destination configuration |
-| secret.externalSecret.source | object | `{"config":{"endpointProperty":"ENDPOINT_LOCAL","path":"/config"},"credentials":{"keyIdProperty":"ACCESS_KEY_ID","path":"/credential","regionProperty":"ACCESS_REGION","secretKeyProperty":"ACCESS_SECRET_KEY"},"nameOverride":""}` | Source configuration |
-
----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)
@@ -1,90 +0,0 @@
-{{/*
-Generate the root name
-*/}}
-{{- define "rclone.name" -}}
-  {{- if .Values.nameOverride }}
-    {{- .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-  {{- else }}
-    {{- printf "%s-rclone" .Values.rclone.source.bucketName | trunc 63 | trimSuffix "-" -}}
-  {{- end }}
-{{- end }}
-
-{{/*
-Generate the secret name
-*/}}
-{{- define "rclone.sourceSecretName" -}}
-  {{- if .Values.secret.externalSecret.enabled }}
-    {{- if .Values.secret.externalSecret.source.nameOverride }}
-      {{- .Values.secret.externalSecret.source.nameOverride | trunc 63 | trimSuffix "-" }}
-    {{- else }}
-      {{- printf "%s-rclone-source-config" .Values.rclone.source.bucketName -}}
-    {{- end }}
-  {{- else if .Values.secret.existingSecretSource.name }}
-    {{- printf "%s" .Values.secret.existingSecretSource.name -}}
-  {{- else }}
-    {{ fail "No Secret Name Found!" }}
-  {{- end }}
-{{- end }}
-
-{{- define "rclone.destinationSecretName" -}}
-  {{- if .Values.secret.externalSecret.enabled }}
-    {{- if .Values.secret.externalSecret.destination.nameOverride }}
-      {{- .Values.secret.externalSecret.destination.nameOverride | trunc 63 | trimSuffix "-" }}
-    {{- else }}
-      {{- printf "%s-rclone-destination-config" .Values.rclone.destination.bucketName -}}
-    {{- end }}
-  {{- else if .Values.secret.existingSecretDestination.name }}
-    {{- printf "%s" .Values.secret.existingSecretDestination.name -}}
-  {{- else }}
-    {{ fail "No Secret Name Found!" }}
-  {{- end }}
-{{- end }}
-
-{{/*
-Common env names
-*/}}
-{{- define "secretRclone.envAccessKey" -}}
-ACCESS_KEY_ID
-{{- end }}
-{{- define "secretRclone.envSecretKey" -}}
-ACCESS_SECRET_KEY
-{{- end }}
-{{- define "secretRclone.envRegion" -}}
-ACCESS_REGION
-{{- end }}
-{{- define "secretRclone.envSrcEndpoint" -}}
-SRC_ENDPOINT
-{{- end }}
-{{- define "secretRclone.envDestEndpoint" -}}
-DEST_ENDPOINT
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "rclone.chart" -}}
-  {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "rclone.labels" -}}
-helm.sh/chart: {{ include "rclone.chart" $ }}
-{{ include "rclone.selectorLabels" $ }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.Version | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- with .Values.secret.externalSecret.additionalLabels }}
-{{ toYaml . }}
-{{- end }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "rclone.selectorLabels" -}}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}
@@ -1,186 +0,0 @@
-{{- include "bjw-s.common.loader.init" . }}
-
-{{- define "rclone.hardcodedValues" -}}
-global:
-  nameOverride: {{ include "rclone.name" . }}
-  fullNameOverride: {{ include "rclone.name" . }}
-  createDefaultServiceAccount: true
-controllers:
-  main:
-    type: cronjob
-    {{- with .Values.cronJob }}
-    cronjob:
-      {{- toYaml . | nindent 6 }}
-    {{ end }}
-    serviceAccount:
-      identifier: {{ .Release.Name }}
-    containers:
-      sync:
-        image:
-          repository: {{ .Values.image.repository }}
-          tag: {{ .Values.image.tag }}
-          pullPolicy: {{ .Values.image.pullPolicy }}
-        args:
-          - sync
-          - src:{{ .Values.rclone.source.bucketName }}
-          - dest:{{ .Values.rclone.destination.bucketName }}
-          - --s3-no-check-bucket
-          {{- if .Values.prune.enabled }}
-          - --max-age
-          - {{ .Values.prune.ageToPrune | quote }}
-          {{- end }}
-          {{- if .Values.prune.include }}
-          - --include
-          - {{ .Values.prune.include | quote }}
-          {{- end }}
-          {{- if .Values.prune.exclude }}
-          - --exclude
-          - {{ .Values.prune.exclude | quote }}
-          {{- end }}
-          {{- if .Values.metrics.enabled }}
-          - --rc
-          - --rc-addr=0.0.0.0:5572
-          - --rc-enable-metrics
-          - --rc-no-auth
-          {{- end }}
-          - --verbose
-        env:
-          - name: RCLONE_S3_PROVIDER
-            value: {{ .Values.rclone.providerType }}
-          - name: RCLONE_CONFIG_SRC_TYPE
-            value: s3
-          - name: RCLONE_CONFIG_SRC_PROVIDER
-            value: {{ .Values.rclone.source.providerType }}
-          - name: RCLONE_CONFIG_SRC_ENV_AUTH
-            value: "false"
-          - name: RCLONE_CONFIG_SRC_ACCESS_KEY_ID
-            valueFrom:
-              secretKeyRef:
-                name: {{ include "rclone.sourceSecretName" . }}
-                key: {{ include "secretRclone.envAccessKey" . }}
-          - name: RCLONE_CONFIG_SRC_SECRET_ACCESS_KEY
-            valueFrom:
-              secretKeyRef:
-                name: {{ include "rclone.sourceSecretName" . }}
-                key: {{ include "secretRclone.envSecretKey" . }}
-          - name: RCLONE_CONFIG_SRC_REGION
-            valueFrom:
-              secretKeyRef:
-                name: {{ include "rclone.sourceSecretName" . }}
-                key: {{ include "secretRclone.envRegion" . }}
-          - name: RCLONE_CONFIG_SRC_ENDPOINT
-            valueFrom:
-              secretKeyRef:
-                name: {{ include "rclone.sourceSecretName" . }}
-                key: {{ include "secretRclone.envSrcEndpoint" . }}
-          - name: RCLONE_CONFIG_SRC_FORCE_PATH_STYLE
-            value: {{ .Values.rclone.source.forcePathStyle | quote }}
-          - name: RCLONE_CONFIG_DEST_TYPE
-            value: s3
-          - name: RCLONE_CONFIG_DEST_PROVIDER
-            value: {{ .Values.rclone.destination.providerType }}
-          - name: RCLONE_CONFIG_DEST_ENV_AUTH
-            value: "false"
-          - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
-            valueFrom:
-              secretKeyRef:
-                name: {{ include "rclone.destinationSecretName" . }}
-                key: {{ include "secretRclone.envAccessKey" . }}
-          - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
-            valueFrom:
-              secretKeyRef:
-                name: {{ include "rclone.destinationSecretName" . }}
-                key: {{ include "secretRclone.envSecretKey" . }}
-          - name: RCLONE_CONFIG_DEST_REGION
-            valueFrom:
-              secretKeyRef:
-                name: {{ include "rclone.destinationSecretName" . }}
-                key: {{ include "secretRclone.envRegion" . }}
-          - name: RCLONE_CONFIG_DEST_ENDPOINT
-            valueFrom:
-              secretKeyRef:
-                name: {{ include "rclone.destinationSecretName" . }}
-                key: {{ include "secretRclone.envDestEndpoint" . }}
-          - name: RCLONE_CONFIG_DEST_FORCE_PATH_STYLE
-            value: {{ .Values.rclone.destination.forcePathStyle | quote }}
-      {{- if .Values.prune.enabled }}
-      prune:
-        image:
-          repository: {{ .Values.image.repository }}
-          tag: {{ .Values.image.tag }}
-          pullPolicy: {{ .Values.image.pullPolicy }}
-        args:
-          - delete
-          - dest:{{ .Values.rclone.destination.bucketName }}
-          - --min-age
-          - {{ .Values.prune.ageToPrune | quote }}
-          - --verbose
-          {{- if .Values.metrics.enabled }}
-          - --rc
-          - --rc-addr=0.0.0.0:5573
-          - --rc-enable-metrics
-          - --rc-no-auth
-          {{- end }}
-        env:
-          - name: RCLONE_CONFIG_DEST_TYPE
-            value: s3
-          - name: RCLONE_CONFIG_DEST_PROVIDER
-            value: {{ .Values.rclone.destination.providerType }}
-          - name: RCLONE_CONFIG_DEST_ENV_AUTH
-            value: "false"
-          - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
-            valueFrom:
-              secretKeyRef:
-                name: {{ include "rclone.destinationSecretName" . }}
-                key: {{ include "secretRclone.envAccessKey" . }}
-          - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
-            valueFrom:
-              secretKeyRef:
-                name: {{ include "rclone.destinationSecretName" . }}
-                key: {{ include "secretRclone.envSecretKey" . }}
-          - name: RCLONE_CONFIG_DEST_REGION
-            valueFrom:
-              secretKeyRef:
-                name: {{ include "rclone.destinationSecretName" . }}
-                key: {{ include "secretRclone.envRegion" . }}
-          - name: RCLONE_CONFIG_DEST_ENDPOINT
-            valueFrom:
-              secretKeyRef:
-                name: {{ include "rclone.destinationSecretName" . }}
-                key: {{ include "secretRclone.envDestEndpoint" . }}
-          - name: RCLONE_CONFIG_DEST_FORCE_PATH_STYLE
-            value: {{ .Values.rclone.destination.forcePathStyle | quote }}
-      {{- end }}
-{{- if .Values.metrics.enabled }}
-service:
-  main:
-    controller: main
-    ports:
-      rc-sync:
-        port: 5572
-        targetPort: 5572
-      rc-prune:
-        port: 5573
-        targetPort: 5573
-serviceMonitor:
-  main:
-    selector:
-      matchLabels:
-        app.kubernetes.io/name: {{ include "rclone.name" . }}
-        app.kubernetes.io/instance: {{ .Release.Namespace }}
-    serviceName: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}'
-    endpoints:
-      - port: rc-sync
-        interval: 10s
-        scrapeTimeout: 5s
-        path: /metrics
-      - port: rc-prune
-        interval: 10s
-        scrapeTimeout: 5s
-        path: /metrics
-{{- end }}
-{{- end -}}
-{{- $_ := mergeOverwrite .Values (include "rclone.hardcodedValues" . | fromYaml) -}}
-
-{{/* Render the templates */}}
-{{ include "bjw-s.common.loader.generate" . }}
@@ -1,69 +0,0 @@
-{{- if .Values.secret.externalSecret.enabled }}
---
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: {{ include "rclone.sourceSecretName" . }}
-  namespace: {{ .Release.Namespace }}
-  labels:
-    {{- include "rclone.labels" . | nindent 4 }}
-    app.kubernetes.io/name: {{ include "rclone.sourceSecretName" . }}
-    {{- with .Values.additionalLabels }}
-    {{- toYaml . | nindent 4 }}
-    {{- end }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: {{ .Values.secret.externalSecret.storeName | required "External Secret store name is required" }}
-  data:
-    - secretKey: {{ include "secretRclone.envAccessKey" . }}
-      remoteRef:
-        key: {{ .Values.secret.externalSecret.source.credentials.path }}
-        property: {{ .Values.secret.externalSecret.source.credentials.keyIdProperty }}
-    - secretKey: {{ include "secretRclone.envSecretKey" . }}
-      remoteRef:
-        key: {{ .Values.secret.externalSecret.source.credentials.path }}
-        property: {{ .Values.secret.externalSecret.source.credentials.secretKeyProperty }}
-    - secretKey: {{ include "secretRclone.envRegion" . }}
-      remoteRef:
-        key: {{ .Values.secret.externalSecret.source.credentials.path }}
-        property: {{ .Values.secret.externalSecret.source.credentials.regionProperty }}
-    - secretKey: {{ include "secretRclone.envSrcEndpoint" . }}
-      remoteRef:
-        key: {{ .Values.secret.externalSecret.source.config.path }}
-        property: {{ .Values.secret.externalSecret.source.config.endpointProperty }}
-
---
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: {{ include "rclone.destinationSecretName" . }}
-  namespace: {{ .Release.Namespace }}
-  labels:
-    {{- include "rclone.labels" . | nindent 4 }}
-    app.kubernetes.io/name: {{ include "rclone.destinationSecretName" . }}
-    {{- with .Values.additionalLabels }}
-    {{- toYaml . | nindent 4 }}
-    {{- end }}
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: {{ .Values.secret.externalSecret.storeName | required "External Secret store name is required" }}
-  data:
-    - secretKey: {{ include "secretRclone.envAccessKey" . }}
-      remoteRef:
-        key: {{ .Values.secret.externalSecret.destination.credentials.path }}
-        property: {{ .Values.secret.externalSecret.destination.credentials.keyIdProperty }}
-    - secretKey: {{ include "secretRclone.envSecretKey" . }}
-      remoteRef:
-        key: {{ .Values.secret.externalSecret.destination.credentials.path }}
-        property: {{ .Values.secret.externalSecret.destination.credentials.secretKeyProperty }}
-    - secretKey: {{ include "secretRclone.envRegion" . }}
-      remoteRef:
-        key: {{ .Values.secret.externalSecret.destination.credentials.path }}
-        property: {{ .Values.secret.externalSecret.destination.credentials.regionProperty }}
-    - secretKey: {{ include "secretRclone.envDestEndpoint" . }}
-      remoteRef:
-        key: {{ .Values.secret.externalSecret.destination.config.path }}
-        property: {{ .Values.secret.externalSecret.destination.config.endpointProperty }}
-{{- end }}
@@ -1,32 +0,0 @@
-{{- if .Values.prometheusRule.enabled }}
---
-apiVersion: monitoring.coreos.com/v1
-kind: PrometheusRule
-metadata:
-  name: {{ include "rclone.name" . }}
-  namespace: {{ .Release.Namespace }}
-  labels:
-    {{- include "rclone.labels" . | nindent 4 }}
-    app.kubernetes.io/name: {{ include "rclone.name" . }}
-    {{- with .Values.additionalLabels }}
-    {{- toYaml . | nindent 4 }}
-    {{- end }}
-spec:
-  groups:
-    - name: rclone.alerts
-      rules:
-        - alert: RclonePodFailed
-          expr: |
-            (kube_pod_container_status_last_terminated_exitcode > 0)
-            * on(pod, namespace) group_left(owner_name)
-            kube_pod_owner{owner_kind="Job", owner_name=~"rclone-.*"}
-          for: 1m
-          labels:
-            severity: critical
-          annotations:
-            summary: "Rclone Pod failed in {{ `{{ $labels.namespace }}` }}"
-            description: |
-              A pod for the Rclone sync of s3 bucket '{{ .Values.rclone.source.bucketName }}' failed with exit code {{ `{{ $value }}` }}.
-              Job: {{ `{{ $labels.owner_name }}` }}
-              Namespace: {{ `{{ $labels.namespace }}` }}
-{{- end }}
@@ -1,92 +0,0 @@
-# -- Default pattern follows <pvcTarget>-backup
-nameOverride: ""
-
-# -- Add additional labels
-additionalLabels: {}
-
-# -- Default image
-image:
-  repository: rclone/rclone
-  tag: 1.74.1@sha256:eb8788b795f0009324e9572b0e2acb9b56885327c2746b07d67a9d3b893a6602
-  pullPolicy: IfNotPresent
-
-# -- CronJob configuration
-cronJob:
-  suspend: false
-  timeZone: America/Chicago
-  schedule: 0 0 * * *
-  backoffLimit: 3
-  parallelism: 1
-
-# -- rclone configuration
-rclone:
-  providerType: Other
-
-  # -- Source configuration
-  source:
-    providerType: Other
-    bucketName: bucket
-    forcePathStyle: true
-
-  # -- Destination configuration
-  destination:
-    providerType: Other
-    bucketName: bucket
-    forcePathStyle: true
-
-# -- Enable prune job
-prune:
-  enabled: false
-  ageToPrune: 90d
-  include: ""
-  exclude: ""
-
-# -- Secret configuration
-secret:
-
-  # -- External Secret configuration
-  externalSecret:
-    enabled: true
-    storeName: openbao
-
-    # -- Source configuration
-    source:
-      nameOverride: ""
-      credentials:
-        path: /credential
-        keyIdProperty: ACCESS_KEY_ID
-        secretKeyProperty: ACCESS_SECRET_KEY
-        regionProperty: ACCESS_REGION
-      config:
-        path: /config
-        endpointProperty: ENDPOINT_LOCAL
-
-    # -- Destination configuration
-    destination:
-      nameOverride: ""
-      credentials:
-        path: /credential
-        keyIdProperty: ACCESS_KEY_ID
-        secretKeyProperty: ACCESS_SECRET_KEY
-        regionProperty: ACCESS_REGION
-      config:
-        path: /config
-        endpointProperty: ENDPOINT_REMOTE
-
-    # -- Add additional labels
-    additionalLabels: {}
-
-  # -- Name of existing secret that contains the configuration
-  existingSecretSource:
-    name: rclone-source-secret
-
-  existingSecretDestination:
-    name: rclone-destination-secret
-
-# -- Metrics
-metrics:
-  enabled: true
-
-# -- Prometheus Rule
-prometheusRule:
-  enabled: true
@@ -1,6 +1,6 @@
 dependencies:
 - name: valkey
  repository: https://valkey.io/valkey-helm/
-  version: 0.9.4
-digest: sha256:84e2e4a944be7f69b6819215a53c068a126fc9d62383a90e22b33751ec5d2810
-generated: "2026-04-13T00:01:51.952023667Z"
+  version: 0.9.3
+digest: sha256:705fdaa1d456e55dd1a8aba698e17b2309a336f614cba8fd3cdb7e072b323b36
+generated: "2026-03-03T16:02:43.407652-06:00"
@@ -1,22 +1,21 @@
 apiVersion: v2
 name: valkey
-version: 0.9.0
+version: 0.4.0
 description: Valkey chart with preconfigured settings
 keywords:
  - valkey
-  - redis-compatible
+  - redis
+  - storage
+  - kubernetes
 sources:
  - https://github.com/valkey-io/valkey
-  - https://github.com/oliver006/redis_exporter
-  - https://hub.docker.com/r/valkey/valkey
-  - https://github.com/oliver006/redis_exporter/pkgs/container/redis_exporter
  - https://github.com/valkey-io/valkey-helm
 maintainers:
  - name: alexlebens
 dependencies:
  - name: valkey
    repository: https://valkey.io/valkey-helm/
-    version: 0.9.4
-icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/png/valkey.png
+    version: 0.9.3
+icon: https://dyltqmyl993wv.cloudfront.net/assets/stacks/valkey/img/valkey-stack-220x234.png
 # renovate: datasource=github-releases depName=valkey-io/valkey
-appVersion: 9.1.0
+appVersion: 9.0.3
@@ -1,6 +1,6 @@
 # valkey

-![Version: 0.9.0](https://img.shields.io/badge/Version-0.9.0-informational?style=flat-square) ![AppVersion: 9.1.0](https://img.shields.io/badge/AppVersion-9.1.0-informational?style=flat-square)
+![Version: 0.3.0](https://img.shields.io/badge/Version-0.3.0-informational?style=flat-square) ![AppVersion: 9.0.3](https://img.shields.io/badge/AppVersion-9.0.3-informational?style=flat-square)

 Valkey chart with preconfigured settings

@@ -13,16 +13,13 @@ Valkey chart with preconfigured settings
 ## Source Code

 * <https://github.com/valkey-io/valkey>
-* <https://github.com/oliver006/redis_exporter>
-* <https://hub.docker.com/r/valkey/valkey>
-* <https://github.com/oliver006/redis_exporter/pkgs/container/redis_exporter>
 * <https://github.com/valkey-io/valkey-helm>

 ## Requirements

 | Repository | Name | Version |
 |------------|------|---------|
-| https://valkey.io/valkey-helm/ | valkey | 0.9.4 |
+| https://valkey.io/valkey-helm/ | valkey | 0.9.3 |

 ## Values

@@ -35,13 +32,13 @@ Valkey chart with preconfigured settings
 | valkey.dataStorage.requestedSize | string | `"1Gi"` |  |
 | valkey.image.registry | string | `"docker.io"` |  |
 | valkey.image.repository | string | `"valkey/valkey"` |  |
-| valkey.image.tag | string | `"9.1.0@sha256:4963247afc4cd33c7d3b2d2816b9f7f8eeebab148d29056c2ca4d7cbc966f2d9"` |  |
+| valkey.image.tag | string | `"9.0.3"` |  |
 | valkey.metrics.enabled | bool | `true` |  |
 | valkey.metrics.exporter.image.registry | string | `"ghcr.io"` |  |
 | valkey.metrics.exporter.image.repository | string | `"oliver006/redis_exporter"` |  |
-| valkey.metrics.exporter.image.tag | string | `"v1.84.0@sha256:7ef8e9c26638158fa4e7ad60df8c7e53d1919986753d6c1d2d1876b6ec38d87b"` |  |
-| valkey.metrics.exporter.resources.requests.cpu | string | `"1m"` |  |
-| valkey.metrics.exporter.resources.requests.memory | string | `"10M"` |  |
+| valkey.metrics.exporter.image.tag | string | `"v1.81.0"` |  |
+| valkey.metrics.exporter.resources.requests.cpu | string | `"10m"` |  |
+| valkey.metrics.exporter.resources.requests.memory | string | `"64M"` |  |
 | valkey.metrics.podMonitor.enabled | bool | `true` |  |
 | valkey.metrics.prometheusRule.enabled | bool | `true` |  |
 | valkey.metrics.prometheusRule.rules[0].alert | string | `"ValkeyDown"` |  |
@@ -70,7 +67,7 @@ Valkey chart with preconfigured settings
 | valkey.replica.persistence.storageClass | string | `"ceph-block"` |  |
 | valkey.replica.replicas | int | `2` |  |
 | valkey.resources.requests.cpu | string | `"10m"` |  |
-| valkey.resources.requests.memory | string | `"20Mi"` |  |
+| valkey.resources.requests.memory | string | `"128Mi"` |  |
 | valkey.serviceAccount.create | bool | `true` |  |

 ----------------------------------------------
@@ -3,13 +3,13 @@ valkey:
  image:
    registry: docker.io
    repository: valkey/valkey
-    tag: 9.1.0@sha256:4963247afc4cd33c7d3b2d2816b9f7f8eeebab148d29056c2ca4d7cbc966f2d9
+    tag: 9.0.3
  serviceAccount:
    create: true
  resources:
    requests:
      cpu: 10m
-      memory: 20Mi
+      memory: 128Mi
  dataStorage:
    enabled: true
    requestedSize: 1Gi
@@ -31,11 +31,11 @@ valkey:
      image:
        registry: ghcr.io
        repository: oliver006/redis_exporter
-        tag: v1.84.0@sha256:7ef8e9c26638158fa4e7ad60df8c7e53d1919986753d6c1d2d1876b6ec38d87b
+        tag: v1.82.0
      resources:
        requests:
-          cpu: 1m
-          memory: 10M
+          cpu: 10m
+          memory: 64M
    serviceMonitor:
      enabled: true
    podMonitor:
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: volsync-target
-version: 2.0.0
+version: 0.8.0
 description: Volsync Replication set to target specific PVC with preconfigured settings
 keywords:
  - volsync-target
@@ -1,6 +1,6 @@
 # volsync-target

-![Version: 2.0.0](https://img.shields.io/badge/Version-2.0.0-informational?style=flat-square) ![AppVersion: 0.15.0](https://img.shields.io/badge/AppVersion-0.15.0-informational?style=flat-square)
+![Version: 0.8.0](https://img.shields.io/badge/Version-0.8.0-informational?style=flat-square) ![AppVersion: 0.15.0](https://img.shields.io/badge/AppVersion-0.15.0-informational?style=flat-square)

 Volsync Replication set to target specific PVC with preconfigured settings

@@ -20,25 +20,23 @@ Volsync Replication set to target specific PVC with preconfigured settings
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | additionalLabels | object | `{}` | Add additional labels |
-| external | object | `{"enabled":true,"externalSecret":{"bucketPath":"/backblaze/config","credentialPath":"/backblaze/home-infra/volsync-backups"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":35,"repository":"","retain":{"daily":0,"hourly":0,"monthly":0,"weekly":12,"yearly":0},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 9 * * 0"}` | External backup configuration |
-| external.externalSecret | object | `{"bucketPath":"/backblaze/config","credentialPath":"/backblaze/home-infra/volsync-backups"}` | External Secret configuration |
-| external.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":35,"repository":"","retain":{"daily":0,"hourly":0,"monthly":0,"weekly":12,"yearly":0},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
-| external.schedule | string | `"0 9 * * 0"` | 5 character cron schedule |
+| external | object | `{"enabled":true,"externalSecret":{"credentialPath":"/digital-ocean/home-infra/volsync-backups","volsyncPath":"/volsync/restic/digital-ocean"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 9 * * *"}` | External backup configuration |
+| external.externalSecret | object | `{"credentialPath":"/digital-ocean/home-infra/volsync-backups","volsyncPath":"/volsync/restic/digital-ocean"}` | External Secret configuration |
+| external.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
+| external.schedule | string | `"0 9 * * *"` | 5 character cron schedule |
 | externalSecrets | object | `{"enabled":true}` | Use external secrets |
-| kubernetesClusterName | string | `"cl01tl"` | Kubernetes cluster name |
-| local | object | `{"enabled":false,"externalSecret":{"bucketPath":"/garage/config","credentialPath":"/garage/home-infra/volsync-backups"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":0,"weekly":4,"yearly":0},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 8 * * *"}` | Local backup configuration |
-| local.externalSecret | object | `{"bucketPath":"/garage/config","credentialPath":"/garage/home-infra/volsync-backups"}` | External Secret configuration |
-| local.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":0,"weekly":4,"yearly":0},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
+| local | object | `{"enabled":false,"externalSecret":{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-local"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 8 * * *"}` | Local backup configuration |
+| local.externalSecret | object | `{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-local"}` | External Secret configuration |
+| local.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
 | local.schedule | string | `"0 8 * * *"` | 5 character cron schedule |
 | moverSecurityContext | object | `{}` | Glocal security context for restic mover |
 | nameOverride | string | `""` | Default pattern follows <pvcTarget>-backup |
 | namespaceOverride | string | `""` | Override the namespace of the chart |
-| prometheusRule | object | `{"enabled":true}` | Prometheus Rule |
 | pvcTarget | string | `"data"` | Name of the PVC target |
-| remote | object | `{"enabled":false,"externalSecret":{"bucketPath":"/garage/config","credentialPath":"/garage/home-infra/volsync-backups"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":0,"hourly":0,"monthly":0,"weekly":12,"yearly":0},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 10 * * 0"}` | Remote backup configuration |
-| remote.externalSecret | object | `{"bucketPath":"/garage/config","credentialPath":"/garage/home-infra/volsync-backups"}` | External Secret configuration |
-| remote.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":0,"hourly":0,"monthly":0,"weekly":12,"yearly":0},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
-| remote.schedule | string | `"0 10 * * 0"` | 5 character cron schedule |
+| remote | object | `{"enabled":false,"externalSecret":{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-remote"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 10 * * *"}` | Remote backup configuration |
+| remote.externalSecret | object | `{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-remote"}` | External Secret configuration |
+| remote.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
+| remote.schedule | string | `"0 10 * * *"` | 5 character cron schedule |

 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)
@@ -14,37 +14,48 @@ metadata:
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  target:
    template:
      mergePolicy: Merge
      engineVersion: v2
      data:
-        RESTIC_REPOSITORY: "s3:{{ `{{ .ENDPOINT }}` }}/{{ `{{ .BUCKET }}` }}/{{ .Values.kubernetesClusterName }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
+        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
  data:
-    - secretKey: ENDPOINT
+    - secretKey: BUCKET_ENDPOINT
      remoteRef:
-        key: {{ .Values.local.externalSecret.bucketPath | required "External Secret Volsync local path is required" }}
-        property: ENDPOINT_LOCAL
-    - secretKey: BUCKET
-      remoteRef:
-        key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Volsync local path is required" }}
-        property: BUCKET
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.local.externalSecret.volsyncPath | required "External Secret Volsync local path is required" }}
+        metadataPolicy: None
+        property: BUCKET_ENDPOINT
    - secretKey: RESTIC_PASSWORD
      remoteRef:
-        key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Volsync local path is required" }}
-        property: RESTIC_PASSWORD_LOCAL
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.local.externalSecret.volsyncPath | required "External Secret Volsync local path is required" }}
+        metadataPolicy: None
+        property: RESTIC_PASSWORD
    - secretKey: AWS_DEFAULT_REGION
      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
        key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
+        metadataPolicy: None
        property: ACCESS_REGION
    - secretKey: AWS_ACCESS_KEY_ID
      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
        key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
+        metadataPolicy: None
        property: ACCESS_KEY_ID
    - secretKey: AWS_SECRET_ACCESS_KEY
      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
        key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
+        metadataPolicy: None
        property: ACCESS_SECRET_KEY
 {{- end }}

@@ -64,37 +75,48 @@ metadata:
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  target:
    template:
      mergePolicy: Merge
      engineVersion: v2
      data:
-        RESTIC_REPOSITORY: "s3:{{ `{{ .ENDPOINT }}` }}/{{ `{{ .BUCKET }}` }}/{{ .Values.kubernetesClusterName }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
+        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
  data:
-    - secretKey: ENDPOINT
+    - secretKey: BUCKET_ENDPOINT
      remoteRef:
-        key: {{ .Values.remote.externalSecret.bucketPath | required "External Secret Volsync local path is required" }}
-        property: ENDPOINT_REMOTE
-    - secretKey: BUCKET
-      remoteRef:
-        key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Volsync local path is required" }}
-        property: BUCKET
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.remote.externalSecret.volsyncPath | required "External Secret Volsync remote path is required" }}
+        metadataPolicy: None
+        property: BUCKET_ENDPOINT
    - secretKey: RESTIC_PASSWORD
      remoteRef:
-        key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Volsync local path is required" }}
-        property: RESTIC_PASSWORD_REMOTE
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.remote.externalSecret.volsyncPath | required "External Secret Volsync remote path is required" }}
+        metadataPolicy: None
+        property: RESTIC_PASSWORD
    - secretKey: AWS_DEFAULT_REGION
      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
        key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Credential remote path is required" }}
+        metadataPolicy: None
        property: ACCESS_REGION
    - secretKey: AWS_ACCESS_KEY_ID
      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
        key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Credential remote path is required" }}
+        metadataPolicy: None
        property: ACCESS_KEY_ID
    - secretKey: AWS_SECRET_ACCESS_KEY
      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
        key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Credential remote path is required" }}
+        metadataPolicy: None
        property: ACCESS_SECRET_KEY
 {{- end }}

@@ -114,36 +136,47 @@ metadata:
 spec:
  secretStoreRef:
    kind: ClusterSecretStore
-    name: openbao
+    name: vault
  target:
    template:
      mergePolicy: Merge
      engineVersion: v2
      data:
-        RESTIC_REPOSITORY: "s3:{{ `{{ .ENDPOINT }}` }}/{{ `{{ .BUCKET }}` }}/{{ .Values.kubernetesClusterName }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
+        RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/{{ .Release.Namespace }}/{{ .Values.pvcTarget | required "PVC target is required" }}"
  data:
-    - secretKey: ENDPOINT
+    - secretKey: BUCKET_ENDPOINT
      remoteRef:
-        key: {{ .Values.external.externalSecret.bucketPath | required "External Secret Volsync external path is required" }}
-        property: ENDPOINT
-    - secretKey: BUCKET
-      remoteRef:
-        key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Volsync local path is required" }}
-        property: BUCKET
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.external.externalSecret.volsyncPath | required "External Secret Volsync external path is required" }}
+        metadataPolicy: None
+        property: BUCKET_ENDPOINT
    - secretKey: RESTIC_PASSWORD
      remoteRef:
-        key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Volsync external path is required" }}
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.external.externalSecret.volsyncPath | required "External Secret Volsync external path is required" }}
+        metadataPolicy: None
        property: RESTIC_PASSWORD
    - secretKey: AWS_DEFAULT_REGION
      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
        key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Credential external path is required" }}
-        property: AWS_REGION
+        metadataPolicy: None
+        property: AWS_DEFAULT_REGION
    - secretKey: AWS_ACCESS_KEY_ID
      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
        key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Credential external path is required" }}
+        metadataPolicy: None
        property: AWS_ACCESS_KEY_ID
    - secretKey: AWS_SECRET_ACCESS_KEY
      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
        key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Credential external path is required" }}
+        metadataPolicy: None
        property: AWS_SECRET_ACCESS_KEY
 {{- end }}
@@ -1,32 +0,0 @@
-{{- if .Values.prometheusRule.enabled }}
---
-apiVersion: monitoring.coreos.com/v1
-kind: PrometheusRule
-metadata:
-  name: {{ include "volsync.name" . }}-source-local
-  namespace: {{ include "volsync.namespace" . }}
-  labels:
-    {{- include "volsync.labels" . | nindent 4 }}
-    app.kubernetes.io/name: {{ include "volsync.name" . }}-source-local
-    {{- with .Values.additionalLabels }}
-    {{- toYaml . | nindent 4 }}
-    {{- end }}
-spec:
-  groups:
-    - name: volsync.alerts
-      rules:
-        - alert: VolSyncBackupPodFailed
-          expr: |
-            (kube_pod_container_status_last_terminated_exitcode > 0)
-            * on(pod, namespace) group_left(owner_name)
-            kube_pod_owner{owner_kind="Job", owner_name=~"volsync-.*"}
-          for: 1m
-          labels:
-            severity: critical
-          annotations:
-            summary: "VolSync Backup Pod failed in {{ `{{ $labels.namespace }}` }}"
-            description: |
-              A pod for the VolSync backup of PVC '{{ .Values.pvcTarget }}' failed with exit code {{ `{{ $value }}` }}.
-              Job: {{ `{{ $labels.owner_name }}` }}
-              Namespace: {{ `{{ $labels.namespace }}` }}
-{{- end }}
@@ -7,7 +7,7 @@ metadata:
  namespace: {{ include "volsync.namespace" . }}
  labels:
    {{- include "volsync.labels" . | nindent 4 }}
-    app.kubernetes.io/name: {{ include "volsync.name" . }}-source-local
+    app.kubernetes.io/name: {{ include "volsync.name" . }}
    {{- with .Values.additionalLabels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
@@ -4,9 +4,6 @@ nameOverride: ""
 # -- Override the namespace of the chart
 namespaceOverride: ""

-# -- Kubernetes cluster name
-kubernetesClusterName: cl01tl
-
 # -- Add additional labels
 additionalLabels: {}

@@ -16,10 +13,6 @@ pvcTarget: "data"
 # -- Glocal security context for restic mover
 moverSecurityContext: {}

-# -- Prometheus Rule
-prometheusRule:
-  enabled: true
-
 # -- Use external secrets
 externalSecrets:
  enabled: true
@@ -39,8 +32,8 @@ local:
      hourly: 0
      daily: 7
      weekly: 4
-      monthly: 0
-      yearly: 0
+      monthly: 3
+      yearly: 1
    copyMethod: Snapshot
    storageClassName: ceph-block
    volumeSnapshotClassName: ceph-blockpool-snapshot
@@ -48,9 +41,9 @@ local:

  # -- External Secret configuration
  externalSecret:
-    # This path must contain the BUCKET_ENDPOINT
-    bucketPath: /garage/config
-    # This path must contain the AWS/S3 credentials and RESTIC_PASSWORD
+    # This path must contain the BUCKET_ENDPOINT and RESTIC_PASSWORD
+    volsyncPath: /volsync/restic/garage-local
+    # This path must contain the AWS/S3 credentials
    credentialPath: /garage/home-infra/volsync-backups

 # -- Remote backup configuration
@@ -58,7 +51,7 @@ remote:
  enabled: false

  # -- 5 character cron schedule
-  schedule: 0 10 * * 0
+  schedule: 0 10 * * *

  # -- Backup configuration, inserted directly into the yaml
  restic:
@@ -66,10 +59,10 @@ remote:
    repository: ""
    retain:
      hourly: 0
-      daily: 0
-      weekly: 12
-      monthly: 0
-      yearly: 0
+      daily: 7
+      weekly: 4
+      monthly: 3
+      yearly: 1
    copyMethod: Snapshot
    storageClassName: ceph-block
    volumeSnapshotClassName: ceph-blockpool-snapshot
@@ -77,9 +70,9 @@ remote:

  # -- External Secret configuration
  externalSecret:
-    # This path must contain the BUCKET_ENDPOINT
-    bucketPath: /garage/config
-    # This path must contain the AWS/S3 credentials and RESTIC_PASSWORD
+    # This path must contain the BUCKET_ENDPOINT and RESTIC_PASSWORD
+    volsyncPath: /volsync/restic/garage-remote
+    # This path must contain the AWS/S3 credentials
    credentialPath: /garage/home-infra/volsync-backups

 # -- External backup configuration
@@ -87,18 +80,18 @@ external:
  enabled: true

  # -- 5 character cron schedule
-  schedule: 0 9 * * 0
+  schedule: 0 9 * * *

  # -- Backup configuration, inserted directly into the yaml
  restic:
-    pruneIntervalDays: 35
+    pruneIntervalDays: 7
    repository: ""
    retain:
      hourly: 0
-      daily: 0
-      weekly: 12
-      monthly: 0
-      yearly: 0
+      daily: 7
+      weekly: 4
+      monthly: 3
+      yearly: 1
    copyMethod: Snapshot
    storageClassName: ceph-block
    volumeSnapshotClassName: ceph-blockpool-snapshot
@@ -106,7 +99,7 @@ external:

  # -- External Secret configuration
  externalSecret:
-    # This path must contain the ENDPOINT
-    bucketPath: /backblaze/config
-    # This path must contain the AWS/S3 credentials and RESTIC_PASSWORD
-    credentialPath: /backblaze/home-infra/volsync-backups
+    # This path must contain the BUCKET_ENDPOINT and RESTIC_PASSWORD
+    volsyncPath: /volsync/restic/digital-ocean
+    # This path must contain the AWS/S3 credentials
+    credentialPath: /digital-ocean/home-infra/volsync-backups