Update helm/chart-testing-action action to v2.8.0

.gitea/workflows/lint-test.yaml

@@ -42,7 +42,7 @@ jobs:
           python-version: '3.14'
 
       - name: Set up Chart Testing
-        uses: helm/chart-testing-action@v2.7.0
+        uses: helm/chart-testing-action@v2.8.0
         with:
           yamale_version: "6.0.0"
 

charts/cloudflared/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: cloudflared
-version: 1.23.2
+version: 2.1.4
 description: Cloudflared Tunnel
 keywords:
   - cloudflare

charts/cloudflared/README.md

@@ -1,6 +1,6 @@
 # cloudflared
 
-![Version: 1.23.2](https://img.shields.io/badge/Version-1.23.2-informational?style=flat-square) ![AppVersion: 2025.11.1](https://img.shields.io/badge/AppVersion-2025.11.1-informational?style=flat-square)
+![Version: 2.1.4](https://img.shields.io/badge/Version-2.1.4-informational?style=flat-square) ![AppVersion: 2025.11.1](https://img.shields.io/badge/AppVersion-2025.11.1-informational?style=flat-square)
 
 Cloudflared Tunnel
 
@@ -25,11 +25,14 @@ Cloudflared Tunnel
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| existingSecretKey | string | `"cf-tunnel-token"` | Name of key that contains the token in the existingSecret |
-| existingSecretName | string | `"cloudflared-secret"` | Name of existing secret that contains Cloudflare token |
 | image | object | `{"pullPolicy":"IfNotPresent","repository":"cloudflare/cloudflared","tag":"2025.11.1"}` | Default image |
-| name | string | `"cloudflared"` | Name override of release |
+| name | string | `""` | Name override of release |
 | resources | object | `{"requests":{"cpu":"10m","memory":"128Mi"}}` | Default resources |
+| secret | object | `{"existingSecret":{"key":"cf-tunnel-token","name":"cloudflared-secret"},"externalSecret":{"additionalLabels":{},"enabled":true,"nameOverride":"","store":{"name":"vault","path":"/cloudflare/tunnels","property":"token"}}}` | Secret configuration |
+| secret.existingSecret | object | `{"key":"cf-tunnel-token","name":"cloudflared-secret"}` | Name of existing secret that contains Cloudflare token |
+| secret.externalSecret | object | `{"additionalLabels":{},"enabled":true,"nameOverride":"","store":{"name":"vault","path":"/cloudflare/tunnels","property":"token"}}` | External Secret configuration |
+| secret.externalSecret.additionalLabels | object | `{}` | Add additional labels |
+| secret.externalSecret.store | object | `{"name":"vault","path":"/cloudflare/tunnels","property":"token"}` | Cluster store config |
 
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

charts/cloudflared/templates/_helpers.tpl

@@ -0,0 +1,86 @@
+{{/*
+Generate the root name
+*/}}
+{{- define "cloudflared.name" -}}
+  {{- if .Values.name }}
+    {{- printf "%s-cloudflared" .Values.name -}}
+  {{- else }}
+    {{- printf "cloudflared" -}}
+  {{- end }}
+{{- end }}
+
+{{/*
+Generate the secret name
+*/}}
+{{- define "secret.name" -}}
+  {{- if .Values.secret.externalSecret.enabled }}
+    {{- if .Values.secret.externalSecret.nameOverride }}
+      {{- .Values.secret.externalSecret.nameOverride | trunc 63 | trimSuffix "-" }}
+    {{- else }}
+      {{- printf "%s-%s-secret" .Release.Name (include "cloudflared.name" .) -}}
+    {{- end }}
+  {{- else if .Values.secret.existingSecret.name }}
+    {{- printf "%s" .Values.secret.existingSecret.name -}}
+  {{- else }}
+    {{ fail "No Secret Name Found!" }}
+  {{- end }}
+{{- end }}
+
+{{/*
+Generate the name of the secret key
+*/}}
+{{- define "secret.key" -}}
+  {{- if .Values.secret.externalSecret.enabled }}
+    {{- printf "cf-tunnel-token" -}}
+  {{- else if .Values.secret.existingSecret.key }}
+    {{- printf "%s" .Values.secret.existingSecret.key -}}
+  {{- else }}
+    {{ fail "No Secret Key Found!" }}
+  {{- end }}
+{{- end }}
+
+{{/*
+Generate path in the secret store
+*/}}
+{{- define "secret.path" -}}
+  {{- if and (.Values.secret.externalSecret.enabled) (.Values.secret.externalSecret.store.path) }}
+    {{- if .Values.name }}
+      {{- printf "%s/%s-%s" .Values.secret.externalSecret.store.path .Release.Name .Values.name -}}
+    {{- else }}
+      {{- printf "%s/%s" .Values.secret.externalSecret.store.path .Release.Name -}}
+    {{- end }}
+  {{- else }}
+    {{ fail "No Secret Store Path Found!" }}
+  {{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "secret.chart" -}}
+  {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "secret.labels" -}}
+helm.sh/chart: {{ include "secret.chart" $ }}
+{{ include "secret.selectorLabels" $ }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.Version | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/name: {{ include "secret.name" . }}
+{{- with .Values.secret.externalSecret.additionalLabels }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "secret.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

charts/cloudflared/templates/common.yaml

@@ -1,10 +1,9 @@
 {{- include "bjw-s.common.loader.init" . }}
 
 {{- define "cloudflared.hardcodedValues" -}}
-{{ if not .Values.global.nameOverride }}
 global:
-  nameOverride: {{ .Values.name }}
+  nameOverride: {{ include "cloudflared.name" . }}
-{{ end }}
+  fullNameOverride: {{ include "cloudflared.name" . }}
 controllers:
   main:
     type: deployment
@@ -27,8 +26,8 @@ controllers:
           - name: CF_MANAGED_TUNNEL_TOKEN
             valueFrom:
               secretKeyRef:
-                name: {{ .Values.existingSecretName }}
+                name: {{ include "secret.name" . }}
-                key: {{ .Values.existingSecretKey }}
+                key: {{ include "secret.key" . }}
         resources:
         {{- with .Values.resources }}
         resources:

charts/cloudflared/templates/external-secret.yaml

@@ -0,0 +1,23 @@
+{{- if .Values.secret.externalSecret.enabled }}
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: {{ include "secret.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "secret.labels" . | nindent 4 }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: {{ .Values.secret.externalSecret.store.name | required "External Secret store name is required" }}
+  data:
+    - secretKey: {{ include "secret.key" . }}
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ include "secret.path" . }}
+        metadataPolicy: None
+        property: {{ .Values.secret.externalSecret.store.property | required "External Secret store property is required" }}
+
+{{- end }}

charts/cloudflared/values.yaml

@@ -1,11 +1,27 @@
 # -- Name override of release
-name: cloudflared
+name: ""
 
-# -- Name of existing secret that contains Cloudflare token
+# -- Secret configuration
-existingSecretName: cloudflared-secret
+secret:
 
-# -- Name of key that contains the token in the existingSecret
+  # -- External Secret configuration
-existingSecretKey: cf-tunnel-token
+  externalSecret:
+    enabled: true
+    nameOverride: ""
+
+    # -- Cluster store config
+    store:
+      name: vault
+      path: /cloudflare/tunnels
+      property: token
+
+    # -- Add additional labels
+    additionalLabels: {}
+
+  # -- Name of existing secret that contains Cloudflare token
+  existingSecret:
+    name: cloudflared-secret
+    key: cf-tunnel-token
 
 # -- Default image
 image:

charts/volsync-target/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: volsync-target
-version: 0.1.0
+version: 0.6.0
 description: Volsync Replication set to target specific PVC with preconfigured settings
 keywords:
   - volsync-target

charts/volsync-target/README.md

@@ -1,6 +1,6 @@
 # volsync-target
 
-![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![AppVersion: 0.14.0](https://img.shields.io/badge/AppVersion-0.14.0-informational?style=flat-square)
+![Version: 0.6.0](https://img.shields.io/badge/Version-0.6.0-informational?style=flat-square) ![AppVersion: 0.14.0](https://img.shields.io/badge/AppVersion-0.14.0-informational?style=flat-square)
 
 Volsync Replication set to target specific PVC with preconfigured settings
 
@@ -20,22 +20,23 @@ Volsync Replication set to target specific PVC with preconfigured settings
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | additionalLabels | object | `{}` | Add additional labels |
-| external | object | `{"enabled":true,"externalSecret":{"credentialPath":"/digital-ocean/home-infra/volsync-backups","volsyncPath":"/volsync/restic/digital-ocean"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":3,"hourly":1,"monthly":2,"weekly":2,"yearly":4},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 4 * * *"}` | External backup configuration |
+| external | object | `{"enabled":true,"externalSecret":{"credentialPath":"/digital-ocean/home-infra/volsync-backups","volsyncPath":"/volsync/restic/digital-ocean"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 9 * * *"}` | External backup configuration |
 | external.externalSecret | object | `{"credentialPath":"/digital-ocean/home-infra/volsync-backups","volsyncPath":"/volsync/restic/digital-ocean"}` | External Secret configuration |
-| external.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":3,"hourly":1,"monthly":2,"weekly":2,"yearly":4},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
+| external.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
-| external.schedule | string | `"0 4 * * *"` | 5 character cron schedule |
+| external.schedule | string | `"0 9 * * *"` | 5 character cron schedule |
 | externalSecrets | object | `{"enabled":true}` | Use external secrets |
-| local | object | `{"enabled":true,"externalSecret":{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-local"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":3,"hourly":1,"monthly":2,"weekly":2,"yearly":4},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 2 * * *"}` | Local backup configuration |
+| local | object | `{"enabled":true,"externalSecret":{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-local"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 8 * * *"}` | Local backup configuration |
 | local.externalSecret | object | `{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-local"}` | External Secret configuration |
-| local.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":3,"hourly":1,"monthly":2,"weekly":2,"yearly":4},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
+| local.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
-| local.schedule | string | `"0 2 * * *"` | 5 character cron schedule |
+| local.schedule | string | `"0 8 * * *"` | 5 character cron schedule |
+| moverSecurityContext | object | `{}` | Glocal security context for restic mover |
 | nameOverride | string | `""` | Default pattern follows <pvcTarget>-backup |
 | namespaceOverride | string | `""` | Override the namespace of the chart |
 | pvcTarget | string | `"data"` | Name of the PVC target |
-| remote | object | `{"enabled":true,"externalSecret":{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-remote"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":3,"hourly":1,"monthly":2,"weekly":2,"yearly":4},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 3 * * *"}` | Remote backup configuration |
+| remote | object | `{"enabled":true,"externalSecret":{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-remote"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 10 * * *"}` | Remote backup configuration |
 | remote.externalSecret | object | `{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-remote"}` | External Secret configuration |
-| remote.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":3,"hourly":1,"monthly":2,"weekly":2,"yearly":4},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
+| remote.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
-| remote.schedule | string | `"0 3 * * *"` | 5 character cron schedule |
+| remote.schedule | string | `"0 10 * * *"` | 5 character cron schedule |
 
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

charts/volsync-target/templates/external-secret.yaml

@@ -87,35 +87,35 @@ spec:
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
-        key: {{ .Values.local.externalSecret.volsyncPath | required "External Secret Volsync remote path is required" }}
+        key: {{ .Values.remote.externalSecret.volsyncPath | required "External Secret Volsync remote path is required" }}
         metadataPolicy: None
         property: BUCKET_ENDPOINT
     - secretKey: RESTIC_PASSWORD
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
-        key: {{ .Values.local.externalSecret.volsyncPath | required "External Secret Volsync remote path is required" }}
+        key: {{ .Values.remote.externalSecret.volsyncPath | required "External Secret Volsync remote path is required" }}
         metadataPolicy: None
         property: RESTIC_PASSWORD
     - secretKey: AWS_DEFAULT_REGION
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
-        key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Credential remote path is required" }}
+        key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Credential remote path is required" }}
         metadataPolicy: None
         property: ACCESS_REGION
     - secretKey: AWS_ACCESS_KEY_ID
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
-        key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Credential remote path is required" }}
+        key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Credential remote path is required" }}
         metadataPolicy: None
         property: ACCESS_KEY_ID
     - secretKey: AWS_SECRET_ACCESS_KEY
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
-        key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Credential remote path is required" }}
+        key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Credential remote path is required" }}
         metadataPolicy: None
         property: ACCESS_SECRET_KEY
 {{- end }}
@@ -148,35 +148,35 @@ spec:
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
-        key: {{ .Values.local.externalSecret.volsyncPath | required "External Secret Volsync external path is required" }}
+        key: {{ .Values.external.externalSecret.volsyncPath | required "External Secret Volsync external path is required" }}
         metadataPolicy: None
         property: BUCKET_ENDPOINT
     - secretKey: RESTIC_PASSWORD
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
-        key: {{ .Values.local.externalSecret.volsyncPath | required "External Secret Volsync external path is required" }}
+        key: {{ .Values.external.externalSecret.volsyncPath | required "External Secret Volsync external path is required" }}
         metadataPolicy: None
         property: RESTIC_PASSWORD
     - secretKey: AWS_DEFAULT_REGION
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
-        key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Credential external path is required" }}
+        key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Credential external path is required" }}
         metadataPolicy: None
         property: AWS_DEFAULT_REGION
     - secretKey: AWS_ACCESS_KEY_ID
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
-        key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Credential external path is required" }}
+        key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Credential external path is required" }}
         metadataPolicy: None
         property: AWS_ACCESS_KEY_ID
     - secretKey: AWS_SECRET_ACCESS_KEY
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
-        key: {{ .Values.local.externalSecret.credentialPath | required "External Secret Credential external path is required" }}
+        key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Credential external path is required" }}
         metadataPolicy: None
         property: AWS_SECRET_ACCESS_KEY
 {{- end }}

charts/volsync-target/templates/replication-source.yaml

@@ -21,7 +21,13 @@ spec:
     retain:
     {{- with .Values.local.restic.retain }}
       {{- toYaml . | nindent 6 }}
-    {{ end }}
+    {{- end }}
+    {{- if .Values.moverSecurityContext }}
+    moverSecurityContext:
+    {{- with .Values.moverSecurityContext }}
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- end }}
     copyMethod: {{ .Values.local.restic.copyMethod }}
     storageClassName: {{ .Values.local.restic.storageClassName }}
     volumeSnapshotClassName: {{ .Values.local.restic.volumeSnapshotClassName }}
@@ -51,7 +57,13 @@ spec:
     retain:
     {{- with .Values.remote.restic.retain }}
       {{- toYaml . | nindent 6 }}
-    {{ end }}
+    {{- end }}
+    {{- if .Values.moverSecurityContext }}
+    moverSecurityContext:
+    {{- with .Values.moverSecurityContext }}
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- end }}
     copyMethod: {{ .Values.remote.restic.copyMethod }}
     storageClassName: {{ .Values.remote.restic.storageClassName }}
     volumeSnapshotClassName: {{ .Values.remote.restic.volumeSnapshotClassName }}
@@ -81,7 +93,13 @@ spec:
     retain:
     {{- with .Values.external.restic.retain }}
       {{- toYaml . | nindent 6 }}
-    {{ end }}
+    {{- end }}
+    {{- if .Values.moverSecurityContext }}
+    moverSecurityContext:
+    {{- with .Values.moverSecurityContext }}
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- end }}
     copyMethod: {{ .Values.external.restic.copyMethod }}
     storageClassName: {{ .Values.external.restic.storageClassName }}
     volumeSnapshotClassName: {{ .Values.external.restic.volumeSnapshotClassName }}

charts/volsync-target/values.yaml

@@ -10,6 +10,9 @@ additionalLabels: {}
 # -- Name of the PVC target
 pvcTarget: "data"
 
+# -- Glocal security context for restic mover
+moverSecurityContext: {}
+
 # -- Use external secrets
 externalSecrets:
   enabled: true
@@ -19,18 +22,18 @@ local:
   enabled: true
 
   # -- 5 character cron schedule
-  schedule: 0 2 * * *
+  schedule: 0 8 * * *
 
   # -- Backup configuration, inserted directly into the yaml
   restic:
     pruneIntervalDays: 7
     repository: ""
     retain:
-      hourly: 1
+      hourly: 0
-      daily: 3
+      daily: 7
-      weekly: 2
+      weekly: 4
-      monthly: 2
+      monthly: 3
-      yearly: 4
+      yearly: 1
     copyMethod: Snapshot
     storageClassName: ceph-block
     volumeSnapshotClassName: ceph-blockpool-snapshot
@@ -48,18 +51,18 @@ remote:
   enabled: true
 
   # -- 5 character cron schedule
-  schedule: 0 3 * * *
+  schedule: 0 10 * * *
 
   # -- Backup configuration, inserted directly into the yaml
   restic:
     pruneIntervalDays: 7
     repository: ""
     retain:
-      hourly: 1
+      hourly: 0
-      daily: 3
+      daily: 7
-      weekly: 2
+      weekly: 4
-      monthly: 2
+      monthly: 3
-      yearly: 4
+      yearly: 1
     copyMethod: Snapshot
     storageClassName: ceph-block
     volumeSnapshotClassName: ceph-blockpool-snapshot
@@ -77,18 +80,18 @@ external:
   enabled: true
 
   # -- 5 character cron schedule
-  schedule: 0 4 * * *
+  schedule: 0 9 * * *
 
   # -- Backup configuration, inserted directly into the yaml
   restic:
     pruneIntervalDays: 7
     repository: ""
     retain:
-      hourly: 1
+      hourly: 0
-      daily: 3
+      daily: 7
-      weekly: 2
+      weekly: 4
-      monthly: 2
+      monthly: 3
-      yearly: 4
+      yearly: 1
     copyMethod: Snapshot
     storageClassName: ceph-block
     volumeSnapshotClassName: ceph-blockpool-snapshot