feat: add valkey chart

Reviewed-on: #169

.gitea/workflows/lint-test.yaml

@@ -51,9 +51,43 @@ jobs:
         run: |
           changed=$(ct list-changed --target-branch ${{ gitea.event.repository.default_branch }})
           if [[ -n "$changed" ]]; then
+            echo ""
+            echo ">> Changed Charts:"
+            echo "$(echo "${changed}" | sort -u)"
+
+            echo "----"
+
             echo "changed=true" >> $GITHUB_OUTPUT
+            echo "changed-charts=$changed" >> $GITHUB_OUTPUT
           fi
 
+      - name: Add Repositories
+        if: steps.list-changed.outputs.changed == 'true'
+        env:
+          CHANGED_CHARTS: ${{ steps.list-changed.outputs.changed-charts }}
+        run: |
+          echo ">> Adding repositories for chart dependencies ..."
+          for dir in ${CHANGED_CHARTS}; do
+            helm dependency list --max-col-width 120 $dir 2> /dev/null \
+              | tail +2 | head -n -1 \
+              | awk '{ print "helm repo add " $1 " " $3 }' \
+              | while read cmd; do
+                if [[ "$cmd" == "*oci://*" ]]; then
+                  echo ">> Ignoring OCI repo"
+                else
+                  echo "$cmd" | sh;
+                fi
+              done || true
+          done
+
+          if helm repo list | tail +2 | read -r; then
+            echo ""
+            echo ">> Update repository cache ..."
+            helm repo update
+          fi
+
+          echo "----"
+
       - name: Run Chart Testing (lint)
         if: steps.list-changed.outputs.changed == 'true'
         run: ct lint --validate-maintainers=false --target-branch ${{ gitea.event.repository.default_branch }}

.gitea/workflows/release-charts-valkey.yml

@@ -0,0 +1,128 @@
+name: release-charts-valkey
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "charts/valkey/**"
+
+  workflow_dispatch:
+
+env:
+  WORKFLOW_DIR: "charts/valkey"
+
+jobs:
+  release:
+    runs-on: ubuntu-js
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          token: ${{ secrets.GITEA_TOKEN }}
+          version: v3.19.2
+
+      - name: Add Repositories
+        run: |
+          cd ${WORKFLOW_DIR}
+
+          echo ">> Adding repositories for chart dependencies ..."
+          helm dependency list --max-col-width 120 2> /dev/null \
+            | tail +2 | head -n -1 \
+            | awk '{ print "helm repo add " $1 " " $3 }' \
+            | while read cmd; do echo "$cmd" | sh; done || true
+
+          if helm repo list | tail +2 | read -r; then
+            echo ">> Update repository cache ..."
+            helm repo update
+          fi
+
+          echo "----"
+
+      - name: Package Helm Chart
+        run: |
+          cd ${WORKFLOW_DIR}
+
+          echo ">> Building helm dependency ..."
+          helm dependency build --skip-refresh --debug
+
+          echo "----"
+
+          echo "PACKAGE_PATH=$(helm package . | awk '{print $NF}')" >> $GITEA_ENV
+
+      - name: Publish Helm Chart to Harbor
+        run: |
+          echo ">> Logging into Harbor ..."
+          helm registry login ${{ vars.REGISTRY_HOST }} -u ${{ vars.REGISTRY_USER }} -p ${{ secrets.REGISTRY_SECRET }} --debug
+
+          echo ""
+          echo ">> Publishing chart to Harbor ..."
+          helm push ${{ env.PACKAGE_PATH }} oci://${{ vars.REGISTRY_HOST }}/helm-charts --debug
+
+          echo "----"
+
+      - name: Publish Helm Chart to Gitea
+        run: |
+          echo ">> Installing Chart Museum plugin ..."
+          helm plugin install https://github.com/chartmuseum/helm-push --debug
+
+          echo ""
+          echo ">> Adding Gitea repository ..."
+          helm repo add --username ${{ gitea.actor }} --password ${{ secrets.REPOSITORY_TOKEN }} helm-charts https://${{ vars.REPOSITORY_HOST }}/api/packages/alexlebens/helm --debug
+
+          echo ""
+          echo ">> Pushing chart to gitea"
+          helm cm-push ${{ env.PACKAGE_PATH }} helm-charts --debug
+
+      - name: Extract Chart Metadata
+        run: |
+          cd ${WORKFLOW_DIR}
+
+          echo ">> Adding Chart metadata to workflow ENV ..."
+          echo ""
+          echo ">> Chart Version: $(yq '.version' Chart.yaml)"
+          echo ">> Chart Name: $(yq '.name' Chart.yaml)"
+
+          echo "----"
+
+          echo "CHART_VERSION=$(yq '.version' Chart.yaml)" >> $GITEA_ENV
+          echo "CHART_NAME=$(yq '.name' Chart.yaml)" >> $GITEA_ENV
+
+      - name: Release Helm Chart
+        uses: akkuman/gitea-release-action@v1
+        with:
+          name: ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}
+          tag_name: ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }}
+          files: |-
+            ${{ env.PACKAGE_PATH }}
+
+      - name: ntfy Success
+        uses: niniyas/ntfy-action@master
+        if: success()
+        with:
+          url: '${{ secrets.NTFY_URL }}'
+          topic: '${{ secrets.NTFY_TOPIC }}'
+          title: 'Release Success - ${{ env.CHART_NAME }}'
+          priority: 3
+          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+          tags: action,successfully,completed
+          details: 'Helm Chart ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }} has been released!'
+          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
+
+      - name: ntfy Failed
+        uses: niniyas/ntfy-action@master
+        if: failure()
+        with:
+          url: '${{ secrets.NTFY_URL }}'
+          topic: '${{ secrets.NTFY_TOPIC }}'
+          title: 'Release Failure - ${{ env.CHART_NAME }}'
+          priority: 4
+          headers: '{"Authorization": "Bearer ${{ secrets.NTFY_CRED }}"}'
+          tags: action,failed
+          details: 'Helm Chart ${{ env.CHART_NAME }}-${{ env.CHART_VERSION }} has failed to be released.'
+          icon: 'https://cdn.jsdelivr.net/gh/selfhst/icons/png/gitea.png'
+          actions: '[{"action": "view", "label": "Open Gitea", "url": "https://gitea.alexlebens.dev/alexlebens/helm-charts/actions?workflow=release-charts-volsync-target.yml", "clear": true}]'
+          image: true

.gitea/workflows/renovate.yaml

@@ -13,7 +13,7 @@ on:
 jobs:
   renovate:
     runs-on: ubuntu-latest
-    container: ghcr.io/renovatebot/renovate:42
+    container: ghcr.io/renovatebot/renovate:43
     steps:
       - name: Checkout
         uses: actions/checkout@v6

charts/cloudflared/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: common
   repository: https://bjw-s-labs.github.io/helm-charts/
-  version: 4.5.0
+  version: 4.6.2
-digest: sha256:cd050e107fbec6769024a6d316c3f43701295a55cddf53a9fc304b52ea879560
+digest: sha256:35e8f4e5d15d878c246a04eb51de580291f31203fa10e9e4d2318f16026b2061
-generated: "2025-12-04T18:06:50.235715-06:00"
+generated: "2026-01-16T13:29:29.385123-06:00"

charts/cloudflared/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: cloudflared
-version: 1.23.2
+version: 2.3.0
 description: Cloudflared Tunnel
 keywords:
   - cloudflare
@@ -13,6 +13,7 @@ maintainers:
 dependencies:
   - name: common
     repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 4.5.0
+    version: 4.6.2
 icon: https://avatars.githubusercontent.com/u/314135?s=48&v=4
-appVersion: "2025.11.1"
+# renovate: datasource=github-releases depName=cloudflare/cloudflared
+appVersion: "2026.2.0"

charts/cloudflared/README.md

@@ -1,6 +1,6 @@
 # cloudflared
 
-![Version: 1.23.2](https://img.shields.io/badge/Version-1.23.2-informational?style=flat-square) ![AppVersion: 2025.11.1](https://img.shields.io/badge/AppVersion-2025.11.1-informational?style=flat-square)
+![Version: 2.3.0](https://img.shields.io/badge/Version-2.3.0-informational?style=flat-square) ![AppVersion: 2026.2.0](https://img.shields.io/badge/AppVersion-2026.2.0-informational?style=flat-square)
 
 Cloudflared Tunnel
 
@@ -19,17 +19,20 @@ Cloudflared Tunnel
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://bjw-s-labs.github.io/helm-charts/ | common | 4.5.0 |
+| https://bjw-s-labs.github.io/helm-charts/ | common | 4.6.2 |
 
 ## Values
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| existingSecretKey | string | `"cf-tunnel-token"` | Name of key that contains the token in the existingSecret |
+| image | object | `{"pullPolicy":"IfNotPresent","repository":"cloudflare/cloudflared","tag":"2026.2.0"}` | Default image |
-| existingSecretName | string | `"cloudflared-secret"` | Name of existing secret that contains Cloudflare token |
+| name | string | `""` | Name override of release |
-| image | object | `{"pullPolicy":"IfNotPresent","repository":"cloudflare/cloudflared","tag":"2025.11.1"}` | Default image |
-| name | string | `"cloudflared"` | Name override of release |
 | resources | object | `{"requests":{"cpu":"10m","memory":"128Mi"}}` | Default resources |
+| secret | object | `{"existingSecret":{"key":"cf-tunnel-token","name":"cloudflared-secret"},"externalSecret":{"additionalLabels":{},"enabled":true,"nameOverride":"","store":{"name":"vault","path":"/cloudflare/tunnels","property":"token"}}}` | Secret configuration |
+| secret.existingSecret | object | `{"key":"cf-tunnel-token","name":"cloudflared-secret"}` | Name of existing secret that contains Cloudflare token |
+| secret.externalSecret | object | `{"additionalLabels":{},"enabled":true,"nameOverride":"","store":{"name":"vault","path":"/cloudflare/tunnels","property":"token"}}` | External Secret configuration |
+| secret.externalSecret.additionalLabels | object | `{}` | Add additional labels |
+| secret.externalSecret.store | object | `{"name":"vault","path":"/cloudflare/tunnels","property":"token"}` | Cluster store config |
 
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

charts/cloudflared/templates/_helpers.tpl

@@ -0,0 +1,86 @@
+{{/*
+Generate the root name
+*/}}
+{{- define "cloudflared.name" -}}
+  {{- if .Values.name }}
+    {{- printf "%s-cloudflared" .Values.name -}}
+  {{- else }}
+    {{- printf "cloudflared" -}}
+  {{- end }}
+{{- end }}
+
+{{/*
+Generate the secret name
+*/}}
+{{- define "secret.name" -}}
+  {{- if .Values.secret.externalSecret.enabled }}
+    {{- if .Values.secret.externalSecret.nameOverride }}
+      {{- .Values.secret.externalSecret.nameOverride | trunc 63 | trimSuffix "-" }}
+    {{- else }}
+      {{- printf "%s-%s-secret" .Release.Name (include "cloudflared.name" .) -}}
+    {{- end }}
+  {{- else if .Values.secret.existingSecret.name }}
+    {{- printf "%s" .Values.secret.existingSecret.name -}}
+  {{- else }}
+    {{ fail "No Secret Name Found!" }}
+  {{- end }}
+{{- end }}
+
+{{/*
+Generate the name of the secret key
+*/}}
+{{- define "secret.key" -}}
+  {{- if .Values.secret.externalSecret.enabled }}
+    {{- printf "cf-tunnel-token" -}}
+  {{- else if .Values.secret.existingSecret.key }}
+    {{- printf "%s" .Values.secret.existingSecret.key -}}
+  {{- else }}
+    {{ fail "No Secret Key Found!" }}
+  {{- end }}
+{{- end }}
+
+{{/*
+Generate path in the secret store
+*/}}
+{{- define "secret.path" -}}
+  {{- if and (.Values.secret.externalSecret.enabled) (.Values.secret.externalSecret.store.path) }}
+    {{- if .Values.name }}
+      {{- printf "%s/%s-%s" .Values.secret.externalSecret.store.path .Release.Name .Values.name -}}
+    {{- else }}
+      {{- printf "%s/%s" .Values.secret.externalSecret.store.path .Release.Name -}}
+    {{- end }}
+  {{- else }}
+    {{ fail "No Secret Store Path Found!" }}
+  {{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "secret.chart" -}}
+  {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "secret.labels" -}}
+helm.sh/chart: {{ include "secret.chart" $ }}
+{{ include "secret.selectorLabels" $ }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.Version | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/name: {{ include "secret.name" . }}
+{{- with .Values.secret.externalSecret.additionalLabels }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "secret.selectorLabels" -}}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: {{ .Release.Name }}
+{{- end }}

charts/cloudflared/templates/common.yaml

@@ -1,10 +1,9 @@
 {{- include "bjw-s.common.loader.init" . }}
 
 {{- define "cloudflared.hardcodedValues" -}}
-{{ if not .Values.global.nameOverride }}
 global:
-  nameOverride: {{ .Values.name }}
+  nameOverride: {{ include "cloudflared.name" . }}
-{{ end }}
+  fullNameOverride: {{ include "cloudflared.name" . }}
 controllers:
   main:
     type: deployment
@@ -27,8 +26,8 @@ controllers:
           - name: CF_MANAGED_TUNNEL_TOKEN
             valueFrom:
               secretKeyRef:
-                name: {{ .Values.existingSecretName }}
+                name: {{ include "secret.name" . }}
-                key: {{ .Values.existingSecretKey }}
+                key: {{ include "secret.key" . }}
         resources:
         {{- with .Values.resources }}
         resources:

charts/cloudflared/templates/external-secret.yaml

@@ -0,0 +1,23 @@
+{{- if .Values.secret.externalSecret.enabled }}
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: {{ include "secret.name" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "secret.labels" . | nindent 4 }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: {{ .Values.secret.externalSecret.store.name | required "External Secret store name is required" }}
+  data:
+    - secretKey: {{ include "secret.key" . }}
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ include "secret.path" . }}
+        metadataPolicy: None
+        property: {{ .Values.secret.externalSecret.store.property | required "External Secret store property is required" }}
+
+{{- end }}

charts/cloudflared/values.yaml

@@ -1,16 +1,32 @@
 # -- Name override of release
-name: cloudflared
+name: ""
+
+# -- Secret configuration
+secret:
+
+  # -- External Secret configuration
+  externalSecret:
+    enabled: true
+    nameOverride: ""
+
+    # -- Cluster store config
+    store:
+      name: vault
+      path: /cloudflare/tunnels
+      property: token
+
+    # -- Add additional labels
+    additionalLabels: {}
 
   # -- Name of existing secret that contains Cloudflare token
-existingSecretName: cloudflared-secret
+  existingSecret:
-
+    name: cloudflared-secret
-# -- Name of key that contains the token in the existingSecret
+    key: cf-tunnel-token
-existingSecretKey: cf-tunnel-token
 
 # -- Default image
 image:
   repository: cloudflare/cloudflared
-  tag: "2025.11.1"
+  tag: "2026.2.0"
   pullPolicy: IfNotPresent
 
 # -- Default resources

charts/generic-device-plugin/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: common
   repository: https://bjw-s-labs.github.io/helm-charts/
-  version: 4.5.0
+  version: 4.6.2
-digest: sha256:cd050e107fbec6769024a6d316c3f43701295a55cddf53a9fc304b52ea879560
+digest: sha256:35e8f4e5d15d878c246a04eb51de580291f31203fa10e9e4d2318f16026b2061
-generated: "2025-12-04T18:08:17.823318-06:00"
+generated: "2026-01-16T13:29:01.760344-06:00"

charts/generic-device-plugin/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: generic-device-plugin
-version: 0.20.8
+version: 0.20.20
 description: Generic Device Plugin
 keywords:
   - generic-device-plugin
@@ -14,5 +14,5 @@ maintainers:
 dependencies:
   - name: common
     repository: https://bjw-s-labs.github.io/helm-charts/
-    version: 4.5.0
+    version: 4.6.2
-appVersion: 0.20.4
+appVersion: 0.20.17

charts/generic-device-plugin/README.md

@@ -1,6 +1,6 @@
 # generic-device-plugin
 
-![Version: 0.20.8](https://img.shields.io/badge/Version-0.20.8-informational?style=flat-square) ![AppVersion: 0.20.4](https://img.shields.io/badge/AppVersion-0.20.4-informational?style=flat-square)
+![Version: 0.20.20](https://img.shields.io/badge/Version-0.20.20-informational?style=flat-square) ![AppVersion: 0.20.17](https://img.shields.io/badge/AppVersion-0.20.17-informational?style=flat-square)
 
 Generic Device Plugin
 
@@ -19,7 +19,7 @@ Generic Device Plugin
 
 | Repository | Name | Version |
 |------------|------|---------|
-| https://bjw-s-labs.github.io/helm-charts/ | common | 4.5.0 |
+| https://bjw-s-labs.github.io/helm-charts/ | common | 4.6.2 |
 
 ## Values
 
@@ -28,7 +28,7 @@ Generic Device Plugin
 | config | object | `{"data":"devices:\n  - name: serial\n    groups:\n      - paths:\n          - path: /dev/ttyUSB*\n      - paths:\n          - path: /dev/ttyACM*\n      - paths:\n          - path: /dev/tty.usb*\n      - paths:\n          - path: /dev/cu.*\n      - paths:\n          - path: /dev/cuaU*\n      - paths:\n          - path: /dev/rfcomm*\n  - name: video\n    groups:\n      - paths:\n          - path: /dev/video0\n  - name: fuse\n    groups:\n      - count: 10\n        paths:\n          - path: /dev/fuse\n  - name: audio\n    groups:\n      - count: 10\n        paths:\n          - path: /dev/snd\n  - name: capture\n    groups:\n      - paths:\n          - path: /dev/snd/controlC0\n          - path: /dev/snd/pcmC0D0c\n      - paths:\n          - path: /dev/snd/controlC1\n            mountPath: /dev/snd/controlC0\n          - path: /dev/snd/pcmC1D0c\n            mountPath: /dev/snd/pcmC0D0c\n      - paths:\n          - path: /dev/snd/controlC2\n            mountPath: /dev/snd/controlC0\n          - path: /dev/snd/pcmC2D0c\n            mountPath: /dev/snd/pcmC0D0c\n      - paths:\n          - path: /dev/snd/controlC3\n            mountPath: /dev/snd/controlC0\n          - path: /dev/snd/pcmC3D0c\n            mountPath: /dev/snd/pcmC0D0c\n","enabled":true}` | Config map |
 | config.data | string | See [values.yaml](./values.yaml) | generic-device-plugin config file [[ref]](https://github.com/squat/generic-device-plugin#usage) |
 | deviceDomain | string | `"devic.es"` | Domain used by devices for identifcation |
-| image | object | `{"pullPolicy":"Always","repository":"ghcr.io/squat/generic-device-plugin","tag":"latest@sha256:29a59a330b93ed4173109839329796a39c528d0d0afeee76291b33787ae19001"}` | Default image |
+| image | object | `{"pullPolicy":"Always","repository":"ghcr.io/squat/generic-device-plugin","tag":"latest@sha256:78127620563730680371e2915d48d69dc3ab513f12c742ca6bcacd156051fd4b"}` | Default image |
 | name | string | `"generic-device-plugin"` | Name override of release |
 | resources | object | `{"requests":{"cpu":"50m","memory":"10Mi"}}` | Default resources |
 | service | object | `{"listenPort":8080}` | Service port |

charts/generic-device-plugin/values.yaml

@@ -4,7 +4,7 @@ name: generic-device-plugin
 # -- Default image
 image:
   repository: ghcr.io/squat/generic-device-plugin
-  tag: latest@sha256:29a59a330b93ed4173109839329796a39c528d0d0afeee76291b33787ae19001
+  tag: latest@sha256:78127620563730680371e2915d48d69dc3ab513f12c742ca6bcacd156051fd4b
   pullPolicy: Always
 
 # -- Domain used by devices for identifcation

charts/postgres-cluster/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: postgres-cluster
-version: 7.1.3
+version: 7.8.0
 description: Cloudnative-pg Cluster
 keywords:
   - database
@@ -11,4 +11,5 @@ sources:
 maintainers:
   - name: alexlebens
 icon: https://avatars.githubusercontent.com/u/100373852?s=48&v=4
-appVersion: v1.28.0
+# renovate: datasource=github-releases depName=cloudnative-pg/cloudnative-pg
+appVersion: v1.28.1

charts/postgres-cluster/README.md

@@ -1,6 +1,6 @@
 # postgres-cluster
 
-![Version: 7.1.3](https://img.shields.io/badge/Version-7.1.3-informational?style=flat-square) ![AppVersion: v1.28.0](https://img.shields.io/badge/AppVersion-v1.28.0-informational?style=flat-square)
+![Version: 7.8.0](https://img.shields.io/badge/Version-7.8.0-informational?style=flat-square) ![AppVersion: v1.28.1](https://img.shields.io/badge/AppVersion-v1.28.1-informational?style=flat-square)
 
 Cloudnative-pg Cluster
 
@@ -19,16 +19,17 @@ Cloudnative-pg Cluster
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| backup | object | `{"method":"objectStore","objectStore":[],"scheduledBackups":[]}` | Backup settings |
+| backup | object | `{"externalSecret":{"enabled":true},"method":"objectStore","objectStore":null,"scheduledBackups":[]}` | Backup settings |
+| backup.externalSecret | object | `{"enabled":true}` | Use generated External Secrets, credentialPath points at path in cluster store that contains the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY |
 | backup.method | string | `"objectStore"` | Method to create backups, options currently are only objectStore |
-| backup.objectStore | list | `[]` | Options for object store backups |
+| backup.objectStore | string | `nil` | Options for object store backups |
 | backup.scheduledBackups | list | `[]` | List of scheduled backups |
-| cluster | object | `{"additionalLabels":{},"affinity":{"enablePodAntiAffinity":true,"topologyKey":"kubernetes.io/hostname"},"annotations":{},"certificates":{},"enablePDB":true,"enableSuperuserAccess":false,"image":{"repository":"ghcr.io/cloudnative-pg/postgresql","tag":"18.1-standard-trixie"},"imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"initdb":{"database":"app","owner":"app"},"instances":3,"logLevel":"info","monitoring":{"customQueries":[],"customQueriesSecret":[],"disableDefaultQueries":false,"enabled":true,"podMonitor":{"enabled":true,"metricRelabelings":[],"relabelings":[]},"prometheusRule":{"enabled":true,"excludeRules":["CNPGClusterLastFailedArchiveTimeWarning"]}},"postgresGID":-1,"postgresUID":-1,"postgresql":{"ldap":{},"parameters":{"hot_standby_feedback":"on","max_slot_wal_keep_size":"2000MB","shared_buffers":"128MB"},"pg_hba":[],"pg_ident":[],"shared_preload_libraries":[],"synchronous":{}},"primaryUpdateMethod":"switchover","primaryUpdateStrategy":"unsupervised","priorityClassName":"","resources":{"limits":{"hugepages-2Mi":"256Mi"},"requests":{"cpu":"100m","memory":"256Mi"}},"roles":[],"serviceAccountTemplate":{},"services":{},"storage":{"size":"10Gi","storageClass":""},"superuserSecret":"","walStorage":{"enabled":true,"size":"2Gi","storageClass":""}}` | Cluster settings |
+| cluster | object | `{"additionalLabels":{},"affinity":{"enablePodAntiAffinity":true,"topologyKey":"kubernetes.io/hostname"},"annotations":{},"certificates":{},"enablePDB":true,"enableSuperuserAccess":false,"image":{"repository":"ghcr.io/cloudnative-pg/postgresql","tag":"18.3-standard-trixie"},"imagePullPolicy":"IfNotPresent","imagePullSecrets":[],"initdb":{"database":"app","owner":"app"},"instances":3,"logLevel":"info","monitoring":{"customQueries":[],"customQueriesSecret":[],"disableDefaultQueries":false,"enabled":true,"podMonitor":{"enabled":true,"metricRelabelings":[],"relabelings":[]},"prometheusRule":{"enabled":true,"excludeRules":["CNPGClusterLastFailedArchiveTimeWarning"]}},"postgresGID":-1,"postgresUID":-1,"postgresql":{"ldap":{},"parameters":{"hot_standby_feedback":"on","max_slot_wal_keep_size":"2000MB","shared_buffers":"128MB"},"pg_hba":[],"pg_ident":[],"shared_preload_libraries":[],"synchronous":{}},"primaryUpdateMethod":"switchover","primaryUpdateStrategy":"unsupervised","priorityClassName":"","resources":{"limits":{"hugepages-2Mi":"256Mi"},"requests":{"cpu":"100m","memory":"256Mi"}},"roles":[],"serviceAccountTemplate":{},"services":{},"storage":{"size":"10Gi","storageClass":"local-path"},"superuserSecret":"","walStorage":{"enabled":true,"size":"2Gi","storageClass":"local-path"}}` | Cluster settings |
 | cluster.affinity | object | `{"enablePodAntiAffinity":true,"topologyKey":"kubernetes.io/hostname"}` | Affinity/Anti-affinity rules for Pods. See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-AffinityConfiguration |
 | cluster.certificates | object | `{}` | The configuration for the CA and related certificates. See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-CertificatesConfiguration |
 | cluster.enablePDB | bool | `true` | Allow to disable PDB, mainly useful for upgrade of single-instance clusters or development purposes See: https://cloudnative-pg.io/documentation/current/kubernetes_upgrade/#pod-disruption-budgets |
 | cluster.enableSuperuserAccess | bool | `false` | When this option is enabled, the operator will use the SuperuserSecret to update the postgres user password. If the secret is not present, the operator will automatically create one. When this option is disabled, the operator will ignore the SuperuserSecret content, delete it when automatically created, and then blank the password of the postgres user by setting it to NULL. |
-| cluster.image | object | `{"repository":"ghcr.io/cloudnative-pg/postgresql","tag":"18.1-standard-trixie"}` | Default image |
+| cluster.image | object | `{"repository":"ghcr.io/cloudnative-pg/postgresql","tag":"18.3-standard-trixie"}` | Default image |
 | cluster.imagePullPolicy | string | `"IfNotPresent"` | Image pull policy. One of Always, Never or IfNotPresent. If not defined, it defaults to IfNotPresent. Cannot be updated. More info: https://kubernetes.io/docs/concepts/containers/images#updating-images |
 | cluster.imagePullSecrets | list | `[]` | The list of pull secrets to be used to pull the images. See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-LocalObjectReference |
 | cluster.initdb | object | `{"database":"app","owner":"app"}` | Bootstrap is the configuration of the bootstrap process when initdb is used. See: https://cloudnative-pg.io/documentation/current/bootstrap/ See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-bootstrapinitdb |
@@ -57,13 +58,14 @@ Cloudnative-pg Cluster
 | cluster.roles | list | `[]` | This feature enables declarative management of existing roles, as well as the creation of new roles if they are not already present in the database. See: https://cloudnative-pg.io/documentation/current/declarative_role_management/ |
 | cluster.serviceAccountTemplate | object | `{}` | Configure the metadata of the generated service account |
 | cluster.services | object | `{}` | Customization of service definitions. Please refer to https://cloudnative-pg.io/documentation/current/service_management/ |
-| cluster.storage | object | `{"size":"10Gi","storageClass":""}` | Default storage size |
+| cluster.storage | object | `{"size":"10Gi","storageClass":"local-path"}` | Default storage size |
 | databases | list | `[]` | Database management configuration |
+| kubernetesClusterName | string | `"cl01tl"` | Kubernetes cluster name |
 | mode | string | `"standalone"` | Cluster mode of operation. Available modes: * `standalone` - Default mode. Creates new or updates an existing CNPG cluster. * `recovery` - Same as standalone but creates a cluster from a backup, object store or via pg_basebackup |
 | nameOverride | string | `""` | Override the name of the cluster |
 | namespaceOverride | string | `""` | Override the namespace of the chart |
 | poolers | list | `[]` | List of PgBouncer poolers |
-| recovery | object | `{"backup":{"backupName":"","database":"app","owner":"","pitrTarget":{"time":""}},"import":{"databases":[],"pgDumpExtraOptions":[],"pgRestoreExtraOptions":[],"postImportApplicationSQL":[],"roles":[],"schemaOnly":false,"source":{"database":"app","host":"","passwordSecret":{"create":false,"key":"password","name":"","value":""},"port":5432,"sslCertSecret":{"key":"","name":""},"sslKeySecret":{"key":"","name":""},"sslMode":"verify-full","sslRootCertSecret":{"key":"","name":""},"username":"app"},"type":"microservice"},"method":"backup","objectStore":{"clusterName":"","data":{"compression":"snappy","encryption":"","jobs":1},"database":"app","destinationPath":"","endpointCA":{"create":false,"key":"","name":""},"endpointCredentials":"","endpointURL":"https://nyc3.digitaloceanspaces.com","index":1,"name":"recovery","owner":"","pitrTarget":{"time":""},"wal":{"compression":"snappy","encryption":"","maxParallel":1}},"pgBaseBackup":{"database":"app","owner":"","secret":"","source":{"database":"app","host":"","passwordSecret":{"create":false,"key":"password","name":"","value":""},"port":5432,"sslCertSecret":{"key":"","name":""},"sslKeySecret":{"key":"","name":""},"sslMode":"disable","sslRootCertSecret":{"key":"","name":""},"username":""}}}` | Recovery settings when booting cluster from external cluster |
+| recovery | object | `{"backup":{"backupName":"","database":"app","owner":"","pitrTarget":{"time":""}},"import":{"databases":[],"pgDumpExtraOptions":[],"pgRestoreExtraOptions":[],"postImportApplicationSQL":[],"roles":[],"schemaOnly":false,"source":{"database":"app","host":"","passwordSecret":{"create":false,"key":"password","name":"","value":""},"port":5432,"sslCertSecret":{"key":"","name":""},"sslKeySecret":{"key":"","name":""},"sslMode":"verify-full","sslRootCertSecret":{"key":"","name":""},"username":"app"},"type":"microservice"},"method":"backup","objectStore":{"clusterName":"","data":{"compression":"snappy","encryption":"","jobs":1},"database":"app","destinationBucket":"postgres-backups","destinationPathOverride":"","endpointCA":{"create":false,"key":"","name":""},"endpointCredentials":"","endpointCredentialsIncludeRegion":true,"endpointURL":"http://garage-main.garage:3900","externalSecret":{"credentialPath":"/garage/home-infra/postgres-backups","enabled":true},"index":1,"owner":"","pitrTarget":{"time":""},"wal":{"compression":"snappy","encryption":"","maxParallel":1}}}` | Recovery settings when booting cluster from external cluster |
 | recovery.backup.backupName | string | `""` | Name of the backup to recover from. |
 | recovery.backup.database | string | `"app"` | Name of the database used by the application. Default: `app`. |
 | recovery.backup.owner | string | `""` | Name of the owner of the database in the instance to be used by applications. Defaults to the value of the `database` key. |
@@ -81,19 +83,21 @@ Cloudnative-pg Cluster
 | recovery.import.source.passwordSecret.name | string | `""` | Name of the secret containing the password |
 | recovery.import.source.passwordSecret.value | string | `""` | The password value to use when creating the secret |
 | recovery.import.type | string | `"microservice"` | One of `microservice` or `monolith.` See: https://cloudnative-pg.io/documentation/current/database_import/#how-it-works |
-| recovery.method | string | `"backup"` | Available recovery methods: * `backup` - Recovers a CNPG cluster from a CNPG backup (PITR supported) Needs to be on the same cluster in the same namespace. * `objectStore` - Recovers a CNPG cluster from a barman object store (PITR supported). * `pgBaseBackup` - Recovers a CNPG cluster viaa streaming replication protocol. Useful if you want to        migrate databases to CloudNativePG, even from outside Kubernetes. * `import` - Import one or more databases from an existing Postgres cluster. |
+| recovery.method | string | `"backup"` | Available recovery methods: * `backup` - Recovers a CNPG cluster from a CNPG backup (PITR supported) Needs to be on the same cluster in the same namespace. * `objectStore` - Recovers a CNPG cluster from a barman object store (PITR supported). * `import` - Import one or more databases from an existing Postgres cluster. |
 | recovery.objectStore.clusterName | string | `""` | Override the name of the backup cluster, defaults to "cluster.name" |
 | recovery.objectStore.data.compression | string | `"snappy"` | Data compression method. One of `` (for no compression), `gzip`, `bzip2` or `snappy`. |
 | recovery.objectStore.data.encryption | string | `""` | Whether to instruct the storage provider to encrypt data files. One of `` (use the storage container default), `AES256` or `aws:kms`. |
 | recovery.objectStore.data.jobs | int | `1` | Number of data files to be archived or restored in parallel. |
 | recovery.objectStore.database | string | `"app"` | Name of the database used by the application. Default: `app`. |
-| recovery.objectStore.destinationPath | string | `""` | Overrides the provider specific default path. Defaults to: S3: s3://<bucket><path> Azure: https://<storageAccount>.<serviceName>.core.windows.net/<containerName><path> Google: gs://<bucket><path> |
+| recovery.objectStore.destinationBucket | string | `"postgres-backups"` | Desitination bucket |
+| recovery.objectStore.destinationPathOverride | string | `""` | Overrides the provider specific default path. Defaults to: S3: s3://<bucket><path> Azure: https://<storageAccount>.<serviceName>.core.windows.net/<containerName><path> Google: gs://<bucket><path> |
 | recovery.objectStore.endpointCA | object | `{"create":false,"key":"","name":""}` | Specifies a CA bundle to validate a privately signed certificate. |
 | recovery.objectStore.endpointCA.create | bool | `false` | Creates a secret with the given value if true, otherwise uses an existing secret. |
-| recovery.objectStore.endpointCredentials | string | `""` | Specifies secret that contains S3 credentials, should contain the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY |
+| recovery.objectStore.endpointCredentials | string | `""` | Defaults to <cluster name>-recovery-secret for the existing secret |
-| recovery.objectStore.endpointURL | string | `"https://nyc3.digitaloceanspaces.com"` | Overrides the provider specific default endpoint. Defaults to: S3: https://s3.<region>.amazonaws.com" Leave empty if using the default S3 endpoint |
+| recovery.objectStore.endpointCredentialsIncludeRegion | bool | `true` | If the S3 endpoint require the ACCESS_REGION variable set in credentials |
+| recovery.objectStore.endpointURL | string | `"http://garage-main.garage:3900"` | Overrides the provider specific default endpoint. Defaults to: S3: https://s3.<region>.amazonaws.com" Leave empty if using the default S3 endpoint |
+| recovery.objectStore.externalSecret | object | `{"credentialPath":"/garage/home-infra/postgres-backups","enabled":true}` | Use generated External Secrets, credentialPath points at path in cluster store that contains the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY |
 | recovery.objectStore.index | int | `1` | Generate external cluster name, uses: {{ .Release.Name }}-postgresql-<major version>-backup-index-{{ index }} |
-| recovery.objectStore.name | string | `"recovery"` | Object store backup name |
 | recovery.objectStore.owner | string | `""` | Name of the owner of the database in the instance to be used by applications. Defaults to the value of the `database` key. |
 | recovery.objectStore.pitrTarget | object | `{"time":""}` | Point in time recovery target. Specify one of the following: |
 | recovery.objectStore.pitrTarget.time | string | `""` | Time in RFC3339 format |
@@ -101,14 +105,6 @@ Cloudnative-pg Cluster
 | recovery.objectStore.wal.compression | string | `"snappy"` | WAL compression method. One of `` (for no compression), `gzip`, `bzip2` or `snappy`. |
 | recovery.objectStore.wal.encryption | string | `""` | Whether to instruct the storage provider to encrypt WAL files. One of `` (use the storage container default), `AES256` or `aws:kms`. |
 | recovery.objectStore.wal.maxParallel | int | `1` | Number of WAL files to be archived or restored in parallel. |
-| recovery.pgBaseBackup.database | string | `"app"` | Name of the database used by the application. Default: `app`. |
-| recovery.pgBaseBackup.owner | string | `""` | Name of the owner of the database in the instance to be used by applications. Defaults to the value of the `database` key. |
-| recovery.pgBaseBackup.secret | string | `""` | Name of the secret containing the initial credentials for the owner of the user database. If empty a new secret will be created from scratch |
-| recovery.pgBaseBackup.source | object | `{"database":"app","host":"","passwordSecret":{"create":false,"key":"password","name":"","value":""},"port":5432,"sslCertSecret":{"key":"","name":""},"sslKeySecret":{"key":"","name":""},"sslMode":"disable","sslRootCertSecret":{"key":"","name":""},"username":""}` | Configuration for the source database |
-| recovery.pgBaseBackup.source.passwordSecret.create | bool | `false` | Whether to create a secret for the password |
-| recovery.pgBaseBackup.source.passwordSecret.key | string | `"password"` | The key in the secret containing the password |
-| recovery.pgBaseBackup.source.passwordSecret.name | string | `""` | Name of the secret containing the password |
-| recovery.pgBaseBackup.source.passwordSecret.value | string | `""` | The password value to use when creating the secret |
 | type | string | `"postgresql"` | Type of the CNPG database. Available types: * `postgresql` |
 
 ----------------------------------------------

charts/postgres-cluster/prometheus_rules/cluster-backends_waiting-warning.yaml

@@ -7,7 +7,7 @@ annotations:
     Pod {{`{{`}} $labels.pod {{`}}`}}
     has been waiting for longer than 5 minutes
 expr: |
-  cnpg_backends_waiting_total > 300
+  cnpg_backends_waiting_total{namespace="{{ .namespace }}"} > 300
 for: 1m
 labels:
   severity: warning

charts/postgres-cluster/prometheus_rules/cluster-database_deadlock_conflicts-warning.yaml

@@ -7,7 +7,7 @@ annotations:
     There are over 10 deadlock conflicts in
     {{`{{`}} $labels.pod {{`}}`}}
 expr: |
-  cnpg_pg_stat_database_deadlocks > 10
+  cnpg_pg_stat_database_deadlocks{namespace="{{ .namespace }}"} > 10
 for: 1m
 labels:
   severity: warning

charts/postgres-cluster/prometheus_rules/cluster-last_failed_archive_time-warning.yaml

@@ -6,7 +6,7 @@ annotations:
   description: |-
     Archiving failed for {{`{{`}} $labels.pod {{`}}`}}
 expr: |
-  (cnpg_pg_stat_archiver_last_failed_time - cnpg_pg_stat_archiver_last_archived_time) > 2
+  (cnpg_pg_stat_archiver_last_failed_time{namespace="{{ .namespace }}"} - cnpg_pg_stat_archiver_last_archived_time{namespace="{{ .namespace }}"}) > 2
 for: 1m
 labels:
   severity: warning

charts/postgres-cluster/prometheus_rules/cluster-long_running_transaction-warning.yaml

@@ -7,7 +7,7 @@ annotations:
     CloudNativePG Cluster Pod {{`{{`}} $labels.pod {{`}}`}}
     is taking more than 5 minutes (300 seconds) for a query.
 expr: |-
-  cnpg_backends_max_tx_duration_seconds > 300
+  cnpg_backends_max_tx_duration_seconds{namespace="{{ .namespace }}"} > 300
 for: 1m
 labels:
   severity: warning

charts/postgres-cluster/prometheus_rules/cluster-pg_database_xid_age-warning.yaml

@@ -7,7 +7,7 @@ annotations:
     Over 300,000,000 transactions from frozen xid
     on pod {{`{{`}} $labels.pod {{`}}`}}
 expr: |
-  cnpg_pg_database_xid_age > 300000000
+  cnpg_pg_database_xid_age{namespace="{{ .namespace }}"} > 300000000
 for: 1m
 labels:
   severity: warning

charts/postgres-cluster/prometheus_rules/cluster-pg_replication-warning.yaml

@@ -6,7 +6,7 @@ annotations:
   description: |-
     Standby is lagging behind by over 300 seconds (5 minutes)
 expr: |
-  cnpg_pg_replication_lag > 300
+  cnpg_pg_replication_lag{namespace="{{ .namespace }}"} > 300
 for: 1m
 labels:
   severity: warning

charts/postgres-cluster/prometheus_rules/cluster-replica_failing_replication-warning.yaml

@@ -7,7 +7,7 @@ annotations:
     Replica {{`{{`}} $labels.pod {{`}}`}}
     is failing to replicate
 expr: |
-  cnpg_pg_replication_in_recovery > cnpg_pg_replication_is_wal_receiver_up
+  cnpg_pg_replication_in_recovery{namespace="{{ .namespace }}"} > cnpg_pg_replication_is_wal_receiver_up{namespace="{{ .namespace }}"}
 for: 1m
 labels:
   severity: warning

charts/postgres-cluster/templates/_bootstrap.tpl

@@ -23,21 +23,7 @@ bootstrap:
 {{- else if eq .Values.mode "recovery" -}}
 bootstrap:
 
-  {{- if eq .Values.recovery.method "pgBaseBackup" }}
+  {{- if eq .Values.recovery.method "import" }}
-  pg_basebackup:
-    source: pgBaseBackupSource
-    {{ with .Values.recovery.pgBaseBackup.database }}
-    database: {{ . }}
-    {{- end }}
-    {{ with .Values.recovery.pgBaseBackup.owner }}
-    owner: {{ . }}
-    {{- end }}
-    {{ with .Values.recovery.pgBaseBackup.secret }}
-    secret:
-      {{- toYaml . | nindent 6 }}
-    {{- end }}
-
-  {{- else if eq .Values.recovery.method "import" }}
   initdb:
     {{- with .Values.cluster.initdb }}
       {{- with (omit . "owner" "import" "postInitApplicationSQL") }}

charts/postgres-cluster/templates/_external_clusters.tpl

@@ -1,11 +1,8 @@
 {{- define "cluster.externalClusters" -}}
-externalClusters:
 {{- if eq .Values.mode "standalone" }}
 {{- else if eq .Values.mode "recovery" }}
-  {{- if eq .Values.recovery.method "pgBaseBackup" }}
+externalClusters:
-  - name: pgBaseBackupSource
+  {{- if eq .Values.recovery.method "import" }}
-     {{- include "cluster.externalSourceCluster" .Values.recovery.pgBaseBackup.source | nindent 4 }}
-  {{- else if eq .Values.recovery.method "import" }}
   - name: importSource
      {{- include "cluster.externalSourceCluster" .Values.recovery.import.source | nindent 4 }}
   {{- else if eq .Values.recovery.method "objectStore" }}
@@ -15,7 +12,7 @@ externalClusters:
       enabled: true
       isWALArchiver: false
       parameters:
-        barmanObjectName: "{{ include "cluster.name" . }}-{{ .Values.recovery.objectStore.name }}"
+        barmanObjectName: "{{ include "cluster.name" . }}-recovery"
         serverName: {{ include "cluster.recoveryServerName" . }}
   {{- end }}
 {{- else }}

charts/postgres-cluster/templates/_helpers.tpl

@@ -83,3 +83,51 @@ Generate recovery server name
     {{- printf "%s-backup-%s" (include "cluster.name" .) (toString .Values.recovery.objectStore.index) | trunc 63 | trimSuffix "-" -}}
   {{- end }}
 {{- end }}
+
+{{/*
+Generate recovery destination path
+*/}}
+{{- define "cluster.recoveryDestinationPath" -}}
+  {{- if .Values.recovery.objectStore.destinationPathOverride -}}
+    {{- .Values.recovery.objectStore.destinationPathOverride -}}
+  {{- else -}}
+    {{- printf "s3://%s/%s/%s/%s-cluster" (.Values.recovery.objectStore.destinationBucket) (.Values.kubernetesClusterName) (include "cluster.namespace" .) (include "cluster.name" .) | trimSuffix "-" -}}
+  {{- end }}
+{{- end }}
+
+{{/*
+Generate recovery credentials name
+*/}}
+{{- define "cluster.recoverySecretName" -}}
+  {{- if and (.Values.recovery.objectStore.endpointCredentials) (not .Values.recovery.objectStore.externalSecret.enabled) }}
+    {{- .Values.recovery.objectStore.endpointCredentials | trunc 63 | trimSuffix "-" }}
+  {{- else -}}
+    {{- printf "%s-recovery-secret" (include "cluster.name" .) -}}
+  {{- end }}
+{{- end }}
+
+{{/*
+Generate backup destination path
+*/}}
+{{- define "cluster.backupDestinationPath" -}}
+  {{- if .instance.destinationPathOverride -}}
+    {{- .instance.destinationPathOverride -}}
+  {{- else if .instance.destinationBucket -}}
+    {{- printf "s3://%s/%s/%s/%s-cluster" .instance.destinationBucket .global.Values.kubernetesClusterName (include "cluster.namespace" .global) (include "cluster.name" .global) | trimSuffix "-" -}}
+  {{-  else -}}
+    {{ fail "Invalid destination path!" }}
+  {{- end -}}
+{{- end }}
+
+{{/*
+Generate backup destination path
+*/}}
+{{- define "cluster.backupSecretName" -}}
+  {{- if .instance.endpointCredentialsOverride -}}
+    {{- .instance.endpointCredentialsOverride -}}
+  {{- else if .instance.name -}}
+    {{- printf "%s-backup-%s-secret" (include "cluster.name" .global) .instance.name | trunc 63 | trimSuffix "-" -}}
+  {{-  else -}}
+    {{ fail "Invalid backup secret name!" }}
+  {{- end -}}
+{{- end }}

charts/postgres-cluster/templates/cluster.yaml

@@ -139,7 +139,7 @@ spec:
       isWALArchiver: false
       {{- end }}
       parameters:
-        barmanObjectName: "{{ include "cluster.name" $ }}-{{ $objectStore.name }}-backup"
+        barmanObjectName: "{{ include "cluster.name" $ }}-backup-{{ $objectStore.name }}"
         {{- if $objectStore.clusterName }}
         serverName: "{{ $objectStore.clusterName }}-backup-{{ $objectStore.index }}"
         {{- else }}

charts/postgres-cluster/templates/external-secret.yaml

@@ -0,0 +1,84 @@
+{{ if and (eq .Values.backup.method "objectStore") (.Values.backup.externalSecret.enabled) }}
+{{ $context := . -}}
+{{ range .Values.backup.objectStore -}}
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: {{ include "cluster.backupSecretName" (dict "instance" . "global" $context) }}
+  namespace: {{ include "cluster.namespace" $context }}
+  labels:
+    {{- include "cluster.labels" $context | nindent 4 }}
+    app.kubernetes.io/name: {{ include "cluster.backupSecretName" (dict "instance" . "global" $context) }}
+    {{- with $context.Values.cluster.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ACCESS_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .externalSecretCredentialPath | required "External Secret Credential local path is required" }}
+        metadataPolicy: None
+        property: ACCESS_REGION
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .externalSecretCredentialPath | required "External Secret Credential local path is required" }}
+        metadataPolicy: None
+        property: ACCESS_KEY_ID
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .externalSecretCredentialPath| required "External Secret Credential local path is required" }}
+        metadataPolicy: None
+        property: ACCESS_SECRET_KEY
+{{ end -}}
+{{ end }}
+
+{{- if and (eq .Values.recovery.method "objectStore") (.Values.recovery.objectStore.externalSecret.enabled) }}
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: {{ include "cluster.recoverySecretName" . }}
+  namespace: {{ include "cluster.namespace" . }}
+  labels:
+    {{- include "cluster.labels" . | nindent 4 }}
+    app.kubernetes.io/name: {{ include "cluster.recoverySecretName" . }}
+    {{- with .Values.cluster.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: ACCESS_REGION
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.recovery.objectStore.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
+        metadataPolicy: None
+        property: ACCESS_REGION
+    - secretKey: ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.recovery.objectStore.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
+        metadataPolicy: None
+        property: ACCESS_KEY_ID
+    - secretKey: ACCESS_SECRET_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: {{ .Values.recovery.objectStore.externalSecret.credentialPath | required "External Secret Credential local path is required" }}
+        metadataPolicy: None
+        property: ACCESS_SECRET_KEY
+{{- end }}

charts/postgres-cluster/templates/object-store.yaml

@@ -5,15 +5,27 @@
 apiVersion: barmancloud.cnpg.io/v1
 kind: ObjectStore
 metadata:
-  name: "{{ include "cluster.name" $context }}-{{ .name }}-backup"
+  name: {{ include "cluster.name" $context }}-backup-{{ .name }}
   namespace: {{ include "cluster.namespace" $context }}
   labels:
     {{- include "cluster.labels" $context | nindent 4 }}
+    app.kubernetes.io/name: {{ include "cluster.name" $context }}-backup-{{ .name }}
+    {{- with $context.Values.cluster.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 spec:
-  retentionPolicy: {{ .retentionPolicy | default "30d" }}
+  retentionPolicy: {{ .retentionPolicy | default "7d" }}
+  # Required when not using AWS S3
+  # https://github.com/cloudnative-pg/cloudnative-pg/issues/8599
+  instanceSidecarConfiguration:
+    env:
+      - name: AWS_REQUEST_CHECKSUM_CALCULATION
+        value: when_required
+      - name: AWS_RESPONSE_CHECKSUM_VALIDATION
+        value: when_required
   configuration:
-    destinationPath: {{ .destinationPath | required "Destination path is required" }}
+    destinationPath: {{ include "cluster.backupDestinationPath" (dict "instance" . "global" $context) }}
-    endpointURL: {{ .endpointURL | default "https://nyc3.digitaloceanspaces.com" }}
+    endpointURL: {{ .endpointURL | default "http://garage-main.garage:3900" }}
     {{- if .endpointCA }}
     endpointCA:
       name: {{ .endpointCA.name }}
@@ -37,16 +49,14 @@ spec:
     {{- end }}
     s3Credentials:
       accessKeyId:
-        name: {{ .endpointCredentials | default (printf "%s-cluster-backup-secret" (include "cluster.name" $context) | trunc 63 | trimSuffix "-") }}
+        name: {{ include "cluster.backupSecretName" (dict "instance" . "global" $context) }}
         key: ACCESS_KEY_ID
       secretAccessKey:
-        name: {{ .endpointCredentials | default (printf "%s-cluster-backup-secret" (include "cluster.name" $context) | trunc 63 | trimSuffix "-") }}
+        name: {{ include "cluster.backupSecretName" (dict "instance" . "global" $context) }}
         key: ACCESS_SECRET_KEY
-    {{- if .endpointCredentialsIncludeRegion }}
       region:
-        name: {{ .endpointCredentials | default (printf "%s-cluster-backup-secret" (include "cluster.name" $context) | trunc 63 | trimSuffix "-") }}
+        name: {{ include "cluster.backupSecretName" (dict "instance" . "global" $context) }}
         key: ACCESS_REGION
-    {{- end }}
 {{ end -}}
 {{ end }}
 
@@ -55,13 +65,17 @@ spec:
 apiVersion: barmancloud.cnpg.io/v1
 kind: ObjectStore
 metadata:
-  name: "{{ include "cluster.name" . }}-{{ .Values.recovery.objectStore.name }}"
+  name: "{{ include "cluster.name" . }}-recovery"
   namespace: {{ include "cluster.namespace" . }}
   labels:
     {{- include "cluster.labels" . | nindent 4 }}
+    app.kubernetes.io/name: "{{ include "cluster.name" . }}-recovery"
+    {{- with .Values.cluster.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 spec:
   configuration:
-    destinationPath: {{ .Values.recovery.objectStore.destinationPath }}
+    destinationPath: {{ include "cluster.recoveryDestinationPath" . }}
     endpointURL: {{ .Values.recovery.objectStore.endpointURL }}
     {{- if .Values.recovery.objectStore.endpointCA.name }}
     endpointCA:
@@ -82,9 +96,12 @@ spec:
       jobs: {{ .Values.recovery.objectStore.data.jobs }}
     s3Credentials:
       accessKeyId:
-        name: {{ .Values.recovery.objectStore.endpointCredentials | default (printf "%s-cluster-backup-secret" (include "cluster.name" .) | trunc 63 | trimSuffix "-") }}
+        name: {{ include "cluster.recoverySecretName" . }}
         key: ACCESS_KEY_ID
       secretAccessKey:
-        name: {{ .Values.recovery.objectStore.endpointCredentials | default (printf "%s-cluster-backup-secret" (include "cluster.name" .) | trunc 63 | trimSuffix "-") }}
+        name: {{ include "cluster.recoverySecretName" . }}
         key: ACCESS_SECRET_KEY
+      region:
+        name: {{ include "cluster.recoverySecretName" . }}
+        key: ACCESS_REGION
 {{ end }}

charts/postgres-cluster/templates/scheduled-backup.yaml

@@ -4,10 +4,11 @@
 apiVersion: postgresql.cnpg.io/v1
 kind: ScheduledBackup
 metadata:
-  name: "{{ include "cluster.name" $context }}-{{ .name }}-scheduled-backup"
+  name: "{{ include "cluster.name" $context }}-scheduled-backup-{{ .name }}"
   namespace: {{ include "cluster.namespace" $context }}
   labels:
     {{- include "cluster.labels" $context | nindent 4 }}
+    app.kubernetes.io/name: "{{ include "cluster.name" $context }}-scheduled-backup-{{ .name }}"
 spec:
   immediate: {{ .immediate | default false }}
   suspend: {{ .suspend | default false }}
@@ -19,5 +20,5 @@ spec:
   pluginConfiguration:
     name: {{ .plugin | default "barman-cloud.cloudnative-pg.io" }}
     parameters:
-      barmanObjectName: "{{ include "cluster.name" $context }}-{{ .backupName }}-backup"
+      barmanObjectName: "{{ include "cluster.name" $context }}-backup-{{ .backupName }}"
 {{ end -}}

charts/postgres-cluster/values.yaml

@@ -4,6 +4,9 @@ nameOverride: ""
 # -- Override the namespace of the chart
 namespaceOverride: ""
 
+# -- Kubernetes cluster name
+kubernetesClusterName: cl01tl
+
 # -- Type of the CNPG database. Available types:
 # * `postgresql`
 type: postgresql
@@ -20,7 +23,7 @@ cluster:
   # -- Default image
   image:
     repository: ghcr.io/cloudnative-pg/postgresql
-    tag: 18.1-standard-trixie
+    tag: 18.3-standard-trixie
 
   # -- Image pull policy. One of Always, Never or IfNotPresent. If not defined, it defaults to IfNotPresent. Cannot be updated.
   # More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
@@ -33,12 +36,12 @@ cluster:
   # -- Default storage size
   storage:
     size: 10Gi
-    storageClass: ""
+    storageClass: local-path
 
   walStorage:
     enabled: true
     size: 2Gi
-    storageClass: ""
+    storageClass: local-path
 
   # -- The UID and GID of the postgres user inside the image, defaults to 26
   postgresUID: -1
@@ -221,8 +224,6 @@ recovery:
   # -- Available recovery methods:
   # * `backup` - Recovers a CNPG cluster from a CNPG backup (PITR supported) Needs to be on the same cluster in the same namespace.
   # * `objectStore` - Recovers a CNPG cluster from a barman object store (PITR supported).
-  # * `pgBaseBackup` - Recovers a CNPG cluster viaa streaming replication protocol. Useful if you want to
-  #        migrate databases to CloudNativePG, even from outside Kubernetes.
   # * `import` - Import one or more databases from an existing Postgres cluster.
   method: backup
 
@@ -259,19 +260,19 @@ recovery:
     # -- Name of the owner of the database in the instance to be used by applications. Defaults to the value of the `database` key.
     owner: ""
 
-    # -- Object store backup name
+    # -- Desitination bucket
-    name: recovery
+    destinationBucket: postgres-backups
 
     # -- Overrides the provider specific default path. Defaults to:
     # S3: s3://<bucket><path>
     # Azure: https://<storageAccount>.<serviceName>.core.windows.net/<containerName><path>
     # Google: gs://<bucket><path>
-    destinationPath: ""
+    destinationPathOverride: ""
 
     # -- Overrides the provider specific default endpoint. Defaults to:
     # S3: https://s3.<region>.amazonaws.com"
     # Leave empty if using the default S3 endpoint
-    endpointURL: "https://nyc3.digitaloceanspaces.com"
+    endpointURL: "http://garage-main.garage:3900"
 
     # -- Specifies a CA bundle to validate a privately signed certificate.
     endpointCA:
@@ -287,9 +288,18 @@ recovery:
     # -- Override the name of the backup cluster, defaults to "cluster.name"
     clusterName: ""
 
+    # -- Use generated External Secrets, credentialPath points at path in cluster store that contains the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY
+    externalSecret:
+      enabled: true
+      credentialPath: /garage/home-infra/postgres-backups
+
     # -- Specifies secret that contains S3 credentials, should contain the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY
+    # -- Defaults to <cluster name>-recovery-secret for the existing secret
     endpointCredentials: ""
 
+    # -- If the S3 endpoint require the ACCESS_REGION variable set in credentials
+    endpointCredentialsIncludeRegion: true
+
     # -- Storage
     wal:
 
@@ -312,48 +322,6 @@ recovery:
       # -- Number of data files to be archived or restored in parallel.
       jobs: 1
 
-  # See https://cloudnative-pg.io/documentation/current/bootstrap/#bootstrap-from-a-live-cluster-pg_basebackup
-  pgBaseBackup:
-
-    # -- Name of the database used by the application. Default: `app`.
-    database: app
-
-    # -- Name of the secret containing the initial credentials for the owner of the user database. If empty a new secret will be created from scratch
-    secret: ""
-
-    # -- Name of the owner of the database in the instance to be used by applications. Defaults to the value of the `database` key.
-    owner: ""
-
-    # -- Configuration for the source database
-    source:
-      host: ""
-      port: 5432
-      username: ""
-      database: "app"
-      sslMode: "disable"
-      passwordSecret:
-
-        # -- Whether to create a secret for the password
-        create: false
-
-        # -- Name of the secret containing the password
-        name: ""
-
-        # -- The key in the secret containing the password
-        key: "password"
-
-        # -- The password value to use when creating the secret
-        value: ""
-      sslKeySecret:
-        name: ""
-        key: ""
-      sslCertSecret:
-        name: ""
-        key: ""
-      sslRootCertSecret:
-        name: ""
-        key: ""
-
   # See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-Import
   import:
 
@@ -420,23 +388,35 @@ backup:
   # -- Method to create backups, options currently are only objectStore
   method: objectStore
 
-  # -- Options for object store backups
+  # -- Use generated External Secrets, credentialPath points at path in cluster store that contains the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY
-  objectStore: []
+  externalSecret:
+    enabled: true
 
+  # -- Options for object store backups
+  objectStore:
     # -
     #   # -- Object store backup name
     #   name: external
 
+    #   # -- Desitination bucket
+    #   destinationBucket: postgres-backups
+
     #   # -- Overrides the provider specific default path. Defaults to:
     #   # S3: s3://<bucket><path>
     #   # Azure: https://<storageAccount>.<serviceName>.core.windows.net/<containerName><path>
     #   # Google: gs://<bucket><path>
-    #   destinationPath: ""
+    #   destinationPathOverride: ""
 
     #   # -- Overrides the provider specific default endpoint. Defaults to:
-    #   # https://nyc3.digitaloceanspaces.com
+    #   # http://garage-main.garage:3900
     #   endpointURL: ""
 
+    #   # -- Override secret name that contains S3 credentials, should contain the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY
+    #   endpointCredentialsOverride: ""
+
+    #   # -- Path points at path in cluster store that contains the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY
+    #   externalSecretCredentialPath
+
     #   # -- Specifies a CA bundle to validate a privately signed certificate.
     #   endpointCA:
     #     # -- Creates a secret with the given value if true, otherwise uses an existing secret.
@@ -448,12 +428,6 @@ backup:
     #   # -- Generate external cluster name, uses: {{ .Release.Name }}-postgresql-<major version>-backup-index-{{ index }}
     #   index: 1
 
-    #   # -- Override the name of the backup cluster, defaults to "cluster.name"
-    #   clusterName: ""
-
-    #   # -- Specifies secret that contains S3 credentials, should contain the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY
-    #   endpointCredentials: ""
-
     #   # -- Retention policy for backups
     #   retentionPolicy: "30d"
 

charts/redis-replication/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: redis-replication
-version: 0.5.0
+version: 1.1.0
 description: Redis Replication with Sentinel
 keywords:
   - redis-operator
@@ -12,4 +12,5 @@ sources:
 maintainers:
   - name: alexlebens
 icon: https://github.com/OT-CONTAINER-KIT/redis-operator/raw/main/static/redis-operator-logo.svg
-appVersion: v0.21.0
+# renovate: datasource=github-releases depName=OT-CONTAINER-KIT/redis-operator
+appVersion: v0.23.0

charts/redis-replication/README.md

@@ -1,6 +1,6 @@
 # redis-replication
 
-![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat-square) ![AppVersion: v0.21.0](https://img.shields.io/badge/AppVersion-v0.21.0-informational?style=flat-square)
+![Version: 1.1.0](https://img.shields.io/badge/Version-1.1.0-informational?style=flat-square) ![AppVersion: v0.23.0](https://img.shields.io/badge/AppVersion-v0.23.0-informational?style=flat-square)
 
 Redis Replication with Sentinel
 
@@ -22,19 +22,16 @@ Redis Replication with Sentinel
 | additionalLabels | object | `{}` | Add additional labels |
 | existingSecret | object | `{"enabled":false,"key":"password","name":"secret-name"}` | Password |
 | namespaceOverride | string | `""` | Override the namespace of the chart |
-| redisReplication | object | `{"clusterSize":3,"image":{"pullPolicy":"IfNotPresent","repository":"quay.io/opstree/redis","tag":"v8.4.0"},"podSecurityContext":{"fsGroup":1000,"runAsUser":1000},"redisExporter":{"enabled":true,"image":{"repository":"quay.io/opstree/redis-exporter","tag":"v1.80.1"},"serviceMonitor":{"enabled":true,"extraLabels":{},"interval":"30s","scrapeTimeout":"10s"}},"resources":{"requests":{"cpu":"10m","memory":"32Mi"}},"volumeClaimTemplate":{"spec":{"accessModes":["ReadWriteOnce"],"resources":{"requests":{"storage":"1Gi"}},"storageClassName":"ceph-block"}}}` | Redis Replication settings |
+| redisReplication | object | `{"clusterSize":3,"image":{"pullPolicy":"IfNotPresent","repository":"quay.io/opstree/redis","tag":"v8.4.2"},"podSecurityContext":{"fsGroup":1000,"runAsUser":1000},"redisExporter":{"enabled":true,"image":{"repository":"quay.io/opstree/redis-exporter","tag":"v1.81.0"},"serviceMonitor":{"enabled":true,"extraLabels":{},"interval":"30s","scrapeTimeout":"10s"}},"resources":{"requests":{"cpu":"10m","memory":"32Mi"}},"sentinel":{"enabled":false,"image":{"pullPolicy":"IfNotPresent","repository":"quay.io/opstree/redis-sentinel","tag":"v8.4.2"},"resources":{"requests":{"cpu":"10m","memory":"32Mi"}},"size":3},"volumeClaimTemplate":{"spec":{"accessModes":["ReadWriteOnce"],"resources":{"requests":{"storage":"1Gi"}},"storageClassName":"ceph-block"}}}` | Redis Replication settings |
-| redisReplication.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/opstree/redis","tag":"v8.4.0"}` | Image |
+| redisReplication.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/opstree/redis","tag":"v8.4.2"}` | Image |
 | redisReplication.podSecurityContext | object | `{"fsGroup":1000,"runAsUser":1000}` | Security |
-| redisReplication.redisExporter | object | `{"enabled":true,"image":{"repository":"quay.io/opstree/redis-exporter","tag":"v1.80.1"},"serviceMonitor":{"enabled":true,"extraLabels":{},"interval":"30s","scrapeTimeout":"10s"}}` | Metrics |
+| redisReplication.redisExporter | object | `{"enabled":true,"image":{"repository":"quay.io/opstree/redis-exporter","tag":"v1.81.0"},"serviceMonitor":{"enabled":true,"extraLabels":{},"interval":"30s","scrapeTimeout":"10s"}}` | Metrics |
 | redisReplication.resources | object | `{"requests":{"cpu":"10m","memory":"32Mi"}}` | Resources |
+| redisReplication.sentinel | object | `{"enabled":false,"image":{"pullPolicy":"IfNotPresent","repository":"quay.io/opstree/redis-sentinel","tag":"v8.4.2"},"resources":{"requests":{"cpu":"10m","memory":"32Mi"}},"size":3}` | Redis Sentinel settings |
+| redisReplication.sentinel.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/opstree/redis-sentinel","tag":"v8.4.2"}` | Image |
+| redisReplication.sentinel.resources | object | `{"requests":{"cpu":"10m","memory":"32Mi"}}` | Resources |
 | redisReplication.volumeClaimTemplate | object | `{"spec":{"accessModes":["ReadWriteOnce"],"resources":{"requests":{"storage":"1Gi"}},"storageClassName":"ceph-block"}}` | Storage |
-| redisSentinel | object | `{"clusterSize":3,"enabled":false,"image":{"pullPolicy":"IfNotPresent","repository":"quay.io/opstree/redis-sentinel","tag":"v8.4.0"},"podSecurityContext":{"fsGroup":1000,"runAsUser":1000},"redisExporter":{"enabled":true,"image":{"repository":"quay.io/opstree/redis-exporter","tag":"v1.80.1"},"serviceMonitor":{"enabled":true,"extraLabels":{},"interval":"30s","scrapeTimeout":"10s"}},"resources":{"requests":{"cpu":"10m","memory":"32Mi"}}}` | Redis Sentinel settings |
-| redisSentinel.image | object | `{"pullPolicy":"IfNotPresent","repository":"quay.io/opstree/redis-sentinel","tag":"v8.4.0"}` | Image |
-| redisSentinel.podSecurityContext | object | `{"fsGroup":1000,"runAsUser":1000}` | Security |
-| redisSentinel.redisExporter | object | `{"enabled":true,"image":{"repository":"quay.io/opstree/redis-exporter","tag":"v1.80.1"},"serviceMonitor":{"enabled":true,"extraLabels":{},"interval":"30s","scrapeTimeout":"10s"}}` | Metrics |
-| redisSentinel.resources | object | `{"requests":{"cpu":"10m","memory":"32Mi"}}` | Resources |
 | replicationNameOverride | string | `""` | Override the name of the resources |
-| sentinelNameOverride | string | `""` |  |
 
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

charts/redis-replication/templates/_helpers.tpl

@@ -9,14 +9,6 @@ Expand the names
   {{- end }}
 {{- end }}
 
-{{- define "redis.sentinelName" -}}
-  {{- if .Values.sentinelNameOverride }}
-    {{- .Values.sentinelNameOverride | trunc 63 | trimSuffix "-" }}
-  {{- else }}
-    {{- printf "redis-sentinel-%s" .Release.Name -}}
-  {{- end }}
-{{- end }}
-
 {{/*
 Allow the release namespace to be overridden for multi-namespace deployments in combined charts
 */}}
@@ -57,9 +49,3 @@ app.kubernetes.io/name: {{ include "redis.replicationName" $ }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/part-of: {{ .Release.Name }}
 {{- end }}
-
-{{- define "redis.sentinelSelectorLabels" -}}
-app.kubernetes.io/name: {{ include "redis.sentinelName" $ }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-app.kubernetes.io/part-of: {{ .Release.Name }}
-{{- end }}

charts/redis-replication/templates/redis-replication.yaml

@@ -12,7 +12,7 @@ spec:
   podSecurityContext:
   {{- with .Values.redisReplication.podSecurityContext }}
     {{- toYaml . | nindent 4 }}
-  {{ end }}
+  {{- end }}
 
   kubernetesConfig:
     image: "{{ .Values.redisReplication.image.repository }}:{{ .Values.redisReplication.image.tag }}"
@@ -20,20 +20,38 @@ spec:
     resources:
     {{- with .Values.redisReplication.resources }}
       {{- toYaml . | nindent 6 }}
-    {{ end }}
+    {{- end }}
-
+    {{- if .Values.existingSecret.enabled }}
-    {{ if .Values.existingSecret.enabled }}
     redisSecret:
       name: {{ .Values.existingSecret.name }}
       key: {{ .Values.existingSecret.key }}
-    {{ end }}
+    {{- end }}
 
   storage:
     volumeClaimTemplate:
     {{- with .Values.redisReplication.volumeClaimTemplate }}
       {{- toYaml . | nindent 6 }}
-    {{ end }}
+    {{- end }}
 
   redisExporter:
     enabled: {{ .Values.redisReplication.redisExporter.enabled }}
     image: "{{ .Values.redisReplication.redisExporter.image.repository }}:{{ .Values.redisReplication.redisExporter.image.tag }}"
+
+  {{ if .Values.redisReplication.sentinel.enabled -}}
+  sentinel:
+    image: "{{ .Values.redisReplication.sentinel.image.repository }}:{{ .Values.redisReplication.sentinel.image.tag }}"
+    imagePullPolicy: {{ .Values.redisReplication.sentinel.image.pullPolicy }}
+
+    {{- if .Values.existingSecret.enabled }}
+    redisSecret:
+      name: {{ .Values.existingSecret.name }}
+      key: {{ .Values.existingSecret.key }}
+    {{- end }}
+
+    resources:
+    {{- with .Values.redisReplication.sentinel.resources }}
+      {{- toYaml . | nindent 10 }}
+    {{- end }}
+
+    size: {{ .Values.redisReplication.sentinel.size }}
+  {{- end }}

charts/redis-replication/templates/redis-sentinel.yaml

@@ -1,46 +0,0 @@
-{{- if .Values.redisSentinel.enabled }}
----
-apiVersion: redis.redis.opstreelabs.in/v1beta2
-kind: RedisSentinel
-metadata:
-  name: {{ include "redis.sentinelName" . }}
-  namespace: {{ include "redis.namespace" . }}
-  labels:
-    {{- include "redis.labels" . | nindent 4 }}
-    {{- include "redis.sentinelSelectorLabels" . | nindent 4 }}
-spec:
-  clusterSize: {{ .Values.redisSentinel.clusterSize }}
-
-  podSecurityContext:
-  {{- with .Values.redisSentinel.podSecurityContext }}
-    {{- toYaml . | nindent 10 }}
-  {{ end }}
-
-  redisSentinelConfig:
-    redisReplicationName: {{ include "redis.replicationName" . }}
-    {{ if .Values.existingSecret.enabled }}
-    redisReplicationPassword:
-      secretKeyRef:
-        name: {{ .Values.existingSecret.name }}
-        key: {{ .Values.existingSecret.key }}
-    {{ end }}
-
-  kubernetesConfig:
-    image: "{{ .Values.redisSentinel.image.repository }}:{{ .Values.redisSentinel.image.tag }}"
-    imagePullPolicy: {{ .Values.redisSentinel.image.pullPolicy }}
-    resources:
-    {{- with .Values.redisSentinel.resources }}
-      {{- toYaml . | nindent 10 }}
-    {{ end }}
-
-    {{ if .Values.existingSecret.enabled }}
-    redisSecret:
-      name: {{ .Values.existingSecret.name }}
-      key: {{ .Values.existingSecret.key }}
-    {{ end }}
-
-  redisExporter:
-    enabled: {{ .Values.redisSentinel.redisExporter.enabled }}
-    image: "{{ .Values.redisSentinel.redisExporter.image.repository }}:{{ .Values.redisSentinel.redisExporter.image.tag }}"
-
-{{- end }}

charts/redis-replication/templates/service-monitor.yaml

@@ -22,28 +22,3 @@ spec:
       interval: {{ .Values.redisReplication.redisExporter.serviceMonitor.interval }}
       scrapeTimeout: {{ .Values.redisReplication.redisExporter.serviceMonitor.scrapeTimeout }}
 {{- end }}
-
-{{- if and (.Values.redisSentinel.redisExporter.serviceMonitor.enabled) (.Values.redisSentinel.enabled) }}
----
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: {{ include "redis.sentinelName" . }}
-  namespace: {{ include "redis.namespace" . }}
-  labels:
-    {{- include "redis.labels" . | nindent 4 }}
-    {{- include "redis.sentinelSelectorLabels" . | nindent 4 }}
-    {{- with .Values.redisSentinel.redisExporter.serviceMonitor.extraLabels }}
-    {{- toYaml . | nindent 4 }}
-    {{- end }}
-spec:
-  selector:
-    matchLabels:
-      app: {{ include "redis.sentinelName" . }}
-      redis_setup_type: sentinel
-      role: sentinel
-  endpoints:
-    - port: sentinel-client
-      interval: {{ .Values.redisSentinel.redisExporter.serviceMonitor.interval }}
-      scrapeTimeout: {{ .Values.redisSentinel.redisExporter.serviceMonitor.scrapeTimeout }}
-{{- end }}

charts/redis-replication/values.yaml

@@ -1,6 +1,5 @@
 # -- Override the name of the resources
 replicationNameOverride: ""
-sentinelNameOverride: ""
 
 # -- Override the namespace of the chart
 namespaceOverride: ""
@@ -26,7 +25,7 @@ redisReplication:
   # -- Image
   image:
     repository: quay.io/opstree/redis
-    tag: v8.4.0
+    tag: v8.4.2
     pullPolicy: IfNotPresent
 
   # -- Resources
@@ -50,7 +49,7 @@ redisReplication:
     enabled: true
     image:
       repository: quay.io/opstree/redis-exporter
-      tag: v1.80.1
+      tag: v1.81.0
     serviceMonitor:
       enabled: true
       interval: 30s
@@ -58,19 +57,14 @@ redisReplication:
       extraLabels: {}
 
   # -- Redis Sentinel settings
-redisSentinel:
+  sentinel:
     enabled: false
-  clusterSize: 3
+    size: 3
-
-  # -- Security
-  podSecurityContext:
-    runAsUser: 1000
-    fsGroup: 1000
 
     # -- Image
     image:
       repository: quay.io/opstree/redis-sentinel
-    tag: v8.4.0
+      tag: v8.4.2
       pullPolicy: IfNotPresent
 
     # -- Resources
@@ -78,15 +72,3 @@ redisSentinel:
       requests:
         cpu: 10m
         memory: 32Mi
-
-  # -- Metrics
-  redisExporter:
-    enabled: true
-    image:
-      repository: quay.io/opstree/redis-exporter
-      tag: v1.80.1
-    serviceMonitor:
-      enabled: true
-      interval: 30s
-      scrapeTimeout: 10s
-      extraLabels: {}

charts/valkey/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: valkey
+  repository: https://valkey.io/valkey-helm/
+  version: 0.9.3
+digest: sha256:705fdaa1d456e55dd1a8aba698e17b2309a336f614cba8fd3cdb7e072b323b36
+generated: "2026-03-03T16:02:43.407652-06:00"

charts/valkey/Chart.yaml

@@ -0,0 +1,21 @@
+apiVersion: v2
+name: valkey
+version: 0.1.0
+description: Valkey chart with preconfigured settings
+keywords:
+  - valkey
+  - redis
+  - storage
+  - kubernetes
+sources:
+  - https://github.com/valkey-io/valkey
+  - https://github.com/valkey-io/valkey-helm
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: valkey
+    repository: https://valkey.io/valkey-helm/
+    version: 0.9.3
+icon: https://dyltqmyl993wv.cloudfront.net/assets/stacks/valkey/img/valkey-stack-220x234.png
+# renovate: datasource=github-releases depName=valkey-io/valkey
+appVersion: 9.0.3

charts/valkey/README.md

@@ -0,0 +1,73 @@
+# valkey
+
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![AppVersion: 9.0.3](https://img.shields.io/badge/AppVersion-9.0.3-informational?style=flat-square)
+
+Valkey chart with preconfigured settings
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| alexlebens |  |  |
+
+## Source Code
+
+* <https://github.com/valkey-io/valkey>
+* <https://github.com/valkey-io/valkey-helm>
+
+## Requirements
+
+| Repository | Name | Version |
+|------------|------|---------|
+| https://valkey.io/valkey-helm/ | valkey | 0.9.3 |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| valkey.dataStorage.accessModes[0] | string | `"ReadWriteOnce"` |  |
+| valkey.dataStorage.className | string | `"ceph-block"` |  |
+| valkey.dataStorage.enabled | bool | `true` |  |
+| valkey.dataStorage.keepPvc | bool | `false` |  |
+| valkey.dataStorage.requestedSize | string | `"1Gi"` |  |
+| valkey.image.registry | string | `"docker.io"` |  |
+| valkey.image.repository | string | `"valkey/valkey"` |  |
+| valkey.image.tag | string | `"9.0.3"` |  |
+| valkey.metrics.enabled | bool | `true` |  |
+| valkey.metrics.exporter.image.registry | string | `"ghcr.io"` |  |
+| valkey.metrics.exporter.image.repository | string | `"oliver006/redis_exporter"` |  |
+| valkey.metrics.exporter.image.tag | string | `"v1.79.0"` |  |
+| valkey.metrics.exporter.resources.requests.cpu | string | `"10m"` |  |
+| valkey.metrics.exporter.resources.requests.memory | string | `"64M"` |  |
+| valkey.metrics.podMonitor.enabled | bool | `true` |  |
+| valkey.metrics.prometheusRule.enabled | bool | `true` |  |
+| valkey.metrics.prometheusRule.rules[0].alert | string | `"ValkeyDown"` |  |
+| valkey.metrics.prometheusRule.rules[0].annotations.description | string | `"Valkey instance {{ \"{{ $labels.instance }}\" }} is down."` |  |
+| valkey.metrics.prometheusRule.rules[0].annotations.summary | string | `"Valkey instance {{ \"{{ $labels.instance }}\" }} down"` |  |
+| valkey.metrics.prometheusRule.rules[0].expr | string | `"redis_up{service=\"{{ include \"valkey.fullname\" . }}-metrics\"} == 0\n"` |  |
+| valkey.metrics.prometheusRule.rules[0].for | string | `"2m"` |  |
+| valkey.metrics.prometheusRule.rules[0].labels.severity | string | `"error"` |  |
+| valkey.metrics.prometheusRule.rules[1].alert | string | `"ValkeyMemoryHigh"` |  |
+| valkey.metrics.prometheusRule.rules[1].annotations.description | string | `"Valkey instance {{ \"{{ $labels.instance }}\" }} is using {{ \"{{ $value }}\" }}% of its available memory.\n"` |  |
+| valkey.metrics.prometheusRule.rules[1].annotations.summary | string | `"Valkey instance {{ \"{{ $labels.instance }}\" }} is using too much memory"` |  |
+| valkey.metrics.prometheusRule.rules[1].expr | string | `"redis_memory_used_bytes{service=\"{{ include \"valkey.fullname\" . }}-metrics\"} * 100\n/\nredis_memory_max_bytes{service=\"{{ include \"valkey.fullname\" . }}-metrics\"}\n> 90 <= 100\n"` |  |
+| valkey.metrics.prometheusRule.rules[1].for | string | `"2m"` |  |
+| valkey.metrics.prometheusRule.rules[1].labels.severity | string | `"error"` |  |
+| valkey.metrics.prometheusRule.rules[2].alert | string | `"ValkeyKeyEviction"` |  |
+| valkey.metrics.prometheusRule.rules[2].annotations.description | string | `"Valkey instance {{ \"{{ $labels.instance }}\" }} has evicted {{ \"{{ $value }}\" }} keys in the last 5 minutes.\n"` |  |
+| valkey.metrics.prometheusRule.rules[2].annotations.summary | string | `"Valkey instance {{ \"{{ $labels.instance }}\" }} has evicted keys"` |  |
+| valkey.metrics.prometheusRule.rules[2].expr | string | `"increase(redis_evicted_keys_total{service=\"{{ include \"valkey.fullname\" . }}-metrics\"}[5m]) > 0\n"` |  |
+| valkey.metrics.prometheusRule.rules[2].for | string | `"1s"` |  |
+| valkey.metrics.prometheusRule.rules[2].labels.severity | string | `"error"` |  |
+| valkey.metrics.serviceMonitor.enabled | bool | `true` |  |
+| valkey.replica.enabled | bool | `true` |  |
+| valkey.replica.persistence.accessModes[0] | string | `"ReadWriteOnce"` |  |
+| valkey.replica.persistence.size | string | `"1Gi"` |  |
+| valkey.replica.persistence.storageClass | string | `"ceph-block"` |  |
+| valkey.replica.replicas | int | `2` |  |
+| valkey.resources.requests.cpu | string | `"10m"` |  |
+| valkey.resources.requests.memory | string | `"128Mi"` |  |
+| valkey.serviceAccount.create | bool | `true` |  |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

charts/valkey/values.yaml

@@ -0,0 +1,76 @@
+valkey:
+  image:
+    registry: docker.io
+    repository: valkey/valkey
+    tag: 9.0.3
+  serviceAccount:
+    create: true
+  resources:
+    requests:
+      cpu: 10m
+      memory: 128Mi
+  dataStorage:
+    enabled: true
+    requestedSize: 1Gi
+    className: ceph-block
+    accessModes:
+      - ReadWriteOnce
+    keepPvc: false
+  replica:
+    enabled: true
+    replicas: 2
+    persistence:
+      size: 1Gi
+      storageClass: ceph-block
+      accessModes:
+        - ReadWriteOnce
+  metrics:
+    enabled: true
+    exporter:
+      image:
+        registry: ghcr.io
+        repository: oliver006/redis_exporter
+        tag: v1.79.0
+      resources:
+        requests:
+          cpu: 10m
+          memory: 64M
+    serviceMonitor:
+      enabled: true
+    podMonitor:
+      enabled: true
+    prometheusRule:
+      enabled: true
+      rules:
+        - alert: ValkeyDown
+          annotations:
+            summary: Valkey instance {{ "{{ $labels.instance }}" }} down
+            description: Valkey instance {{ "{{ $labels.instance }}" }} is down.
+          expr: |
+            redis_up{service="{{ include "valkey.fullname" . }}-metrics"} == 0
+          for: 2m
+          labels:
+            severity: error
+        - alert: ValkeyMemoryHigh
+          annotations:
+            summary: Valkey instance {{ "{{ $labels.instance }}" }} is using too much memory
+            description: |
+              Valkey instance {{ "{{ $labels.instance }}" }} is using {{ "{{ $value }}" }}% of its available memory.
+          expr: |
+            redis_memory_used_bytes{service="{{ include "valkey.fullname" . }}-metrics"} * 100
+            /
+            redis_memory_max_bytes{service="{{ include "valkey.fullname" . }}-metrics"}
+            > 90 <= 100
+          for: 2m
+          labels:
+            severity: error
+        - alert: ValkeyKeyEviction
+          annotations:
+            summary: Valkey instance {{ "{{ $labels.instance }}" }} has evicted keys
+            description: |
+              Valkey instance {{ "{{ $labels.instance }}" }} has evicted {{ "{{ $value }}" }} keys in the last 5 minutes.
+          expr: |
+            increase(redis_evicted_keys_total{service="{{ include "valkey.fullname" . }}-metrics"}[5m]) > 0
+          for: 1s
+          labels:
+            severity: error

charts/volsync-target/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: volsync-target
-version: 0.2.0
+version: 0.7.0
 description: Volsync Replication set to target specific PVC with preconfigured settings
 keywords:
   - volsync-target
@@ -13,4 +13,5 @@ sources:
 maintainers:
   - name: alexlebens
 icon: https://raw.githubusercontent.com/backube/volsync/main/docs/media/volsync.svg?sanitize=true
+# renovate: datasource=github-releases depName=backube/volsync
 appVersion: 0.14.0

charts/volsync-target/README.md

@@ -1,6 +1,6 @@
 # volsync-target
 
-![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![AppVersion: 0.14.0](https://img.shields.io/badge/AppVersion-0.14.0-informational?style=flat-square)
+![Version: 0.7.0](https://img.shields.io/badge/Version-0.7.0-informational?style=flat-square) ![AppVersion: 0.14.0](https://img.shields.io/badge/AppVersion-0.14.0-informational?style=flat-square)
 
 Volsync Replication set to target specific PVC with preconfigured settings
 
@@ -20,22 +20,23 @@ Volsync Replication set to target specific PVC with preconfigured settings
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | additionalLabels | object | `{}` | Add additional labels |
-| external | object | `{"enabled":true,"externalSecret":{"credentialPath":"/digital-ocean/home-infra/volsync-backups","volsyncPath":"/volsync/restic/digital-ocean"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":3,"hourly":1,"monthly":2,"weekly":2,"yearly":4},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 4 * * *"}` | External backup configuration |
+| external | object | `{"enabled":true,"externalSecret":{"credentialPath":"/digital-ocean/home-infra/volsync-backups","volsyncPath":"/volsync/restic/digital-ocean"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 9 * * *"}` | External backup configuration |
 | external.externalSecret | object | `{"credentialPath":"/digital-ocean/home-infra/volsync-backups","volsyncPath":"/volsync/restic/digital-ocean"}` | External Secret configuration |
-| external.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":3,"hourly":1,"monthly":2,"weekly":2,"yearly":4},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
+| external.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
-| external.schedule | string | `"0 4 * * *"` | 5 character cron schedule |
+| external.schedule | string | `"0 9 * * *"` | 5 character cron schedule |
 | externalSecrets | object | `{"enabled":true}` | Use external secrets |
-| local | object | `{"enabled":true,"externalSecret":{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-local"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":3,"hourly":1,"monthly":2,"weekly":2,"yearly":4},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 2 * * *"}` | Local backup configuration |
+| local | object | `{"enabled":false,"externalSecret":{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-local"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 8 * * *"}` | Local backup configuration |
 | local.externalSecret | object | `{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-local"}` | External Secret configuration |
-| local.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":3,"hourly":1,"monthly":2,"weekly":2,"yearly":4},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
+| local.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
-| local.schedule | string | `"0 2 * * *"` | 5 character cron schedule |
+| local.schedule | string | `"0 8 * * *"` | 5 character cron schedule |
+| moverSecurityContext | object | `{}` | Glocal security context for restic mover |
 | nameOverride | string | `""` | Default pattern follows <pvcTarget>-backup |
 | namespaceOverride | string | `""` | Override the namespace of the chart |
 | pvcTarget | string | `"data"` | Name of the PVC target |
-| remote | object | `{"enabled":true,"externalSecret":{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-remote"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":3,"hourly":1,"monthly":2,"weekly":2,"yearly":4},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 3 * * *"}` | Remote backup configuration |
+| remote | object | `{"enabled":false,"externalSecret":{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-remote"},"restic":{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"},"schedule":"0 10 * * *"}` | Remote backup configuration |
 | remote.externalSecret | object | `{"credentialPath":"/garage/home-infra/volsync-backups","volsyncPath":"/volsync/restic/garage-remote"}` | External Secret configuration |
-| remote.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":3,"hourly":1,"monthly":2,"weekly":2,"yearly":4},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
+| remote.restic | object | `{"cacheCapacity":"1Gi","copyMethod":"Snapshot","pruneIntervalDays":7,"repository":"","retain":{"daily":7,"hourly":0,"monthly":3,"weekly":4,"yearly":1},"storageClassName":"ceph-block","volumeSnapshotClassName":"ceph-blockpool-snapshot"}` | Backup configuration, inserted directly into the yaml |
-| remote.schedule | string | `"0 3 * * *"` | 5 character cron schedule |
+| remote.schedule | string | `"0 10 * * *"` | 5 character cron schedule |
 
 ----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

charts/volsync-target/templates/external-secret.yaml

@@ -148,35 +148,35 @@ spec:
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
-        key: {{ .Values.remote.externalSecret.volsyncPath | required "External Secret Volsync external path is required" }}
+        key: {{ .Values.external.externalSecret.volsyncPath | required "External Secret Volsync external path is required" }}
         metadataPolicy: None
         property: BUCKET_ENDPOINT
     - secretKey: RESTIC_PASSWORD
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
-        key: {{ .Values.remote.externalSecret.volsyncPath | required "External Secret Volsync external path is required" }}
+        key: {{ .Values.external.externalSecret.volsyncPath | required "External Secret Volsync external path is required" }}
         metadataPolicy: None
         property: RESTIC_PASSWORD
     - secretKey: AWS_DEFAULT_REGION
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
-        key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Credential external path is required" }}
+        key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Credential external path is required" }}
         metadataPolicy: None
         property: AWS_DEFAULT_REGION
     - secretKey: AWS_ACCESS_KEY_ID
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
-        key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Credential external path is required" }}
+        key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Credential external path is required" }}
         metadataPolicy: None
         property: AWS_ACCESS_KEY_ID
     - secretKey: AWS_SECRET_ACCESS_KEY
       remoteRef:
         conversionStrategy: Default
         decodingStrategy: None
-        key: {{ .Values.remote.externalSecret.credentialPath | required "External Secret Credential external path is required" }}
+        key: {{ .Values.external.externalSecret.credentialPath | required "External Secret Credential external path is required" }}
         metadataPolicy: None
         property: AWS_SECRET_ACCESS_KEY
 {{- end }}

charts/volsync-target/templates/replication-source.yaml

@@ -21,7 +21,13 @@ spec:
     retain:
     {{- with .Values.local.restic.retain }}
       {{- toYaml . | nindent 6 }}
-    {{ end }}
+    {{- end }}
+    {{- if .Values.moverSecurityContext }}
+    moverSecurityContext:
+    {{- with .Values.moverSecurityContext }}
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- end }}
     copyMethod: {{ .Values.local.restic.copyMethod }}
     storageClassName: {{ .Values.local.restic.storageClassName }}
     volumeSnapshotClassName: {{ .Values.local.restic.volumeSnapshotClassName }}
@@ -51,7 +57,13 @@ spec:
     retain:
     {{- with .Values.remote.restic.retain }}
       {{- toYaml . | nindent 6 }}
-    {{ end }}
+    {{- end }}
+    {{- if .Values.moverSecurityContext }}
+    moverSecurityContext:
+    {{- with .Values.moverSecurityContext }}
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- end }}
     copyMethod: {{ .Values.remote.restic.copyMethod }}
     storageClassName: {{ .Values.remote.restic.storageClassName }}
     volumeSnapshotClassName: {{ .Values.remote.restic.volumeSnapshotClassName }}
@@ -81,7 +93,13 @@ spec:
     retain:
     {{- with .Values.external.restic.retain }}
       {{- toYaml . | nindent 6 }}
-    {{ end }}
+    {{- end }}
+    {{- if .Values.moverSecurityContext }}
+    moverSecurityContext:
+    {{- with .Values.moverSecurityContext }}
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- end }}
     copyMethod: {{ .Values.external.restic.copyMethod }}
     storageClassName: {{ .Values.external.restic.storageClassName }}
     volumeSnapshotClassName: {{ .Values.external.restic.volumeSnapshotClassName }}

charts/volsync-target/values.yaml

@@ -10,27 +10,30 @@ additionalLabels: {}
 # -- Name of the PVC target
 pvcTarget: "data"
 
+# -- Glocal security context for restic mover
+moverSecurityContext: {}
+
 # -- Use external secrets
 externalSecrets:
   enabled: true
 
 # -- Local backup configuration
 local:
-  enabled: true
+  enabled: false
 
   # -- 5 character cron schedule
-  schedule: 0 2 * * *
+  schedule: 0 8 * * *
 
   # -- Backup configuration, inserted directly into the yaml
   restic:
     pruneIntervalDays: 7
     repository: ""
     retain:
-      hourly: 1
+      hourly: 0
-      daily: 3
+      daily: 7
-      weekly: 2
+      weekly: 4
-      monthly: 2
+      monthly: 3
-      yearly: 4
+      yearly: 1
     copyMethod: Snapshot
     storageClassName: ceph-block
     volumeSnapshotClassName: ceph-blockpool-snapshot
@@ -45,21 +48,21 @@ local:
 
 # -- Remote backup configuration
 remote:
-  enabled: true
+  enabled: false
 
   # -- 5 character cron schedule
-  schedule: 0 3 * * *
+  schedule: 0 10 * * *
 
   # -- Backup configuration, inserted directly into the yaml
   restic:
     pruneIntervalDays: 7
     repository: ""
     retain:
-      hourly: 1
+      hourly: 0
-      daily: 3
+      daily: 7
-      weekly: 2
+      weekly: 4
-      monthly: 2
+      monthly: 3
-      yearly: 4
+      yearly: 1
     copyMethod: Snapshot
     storageClassName: ceph-block
     volumeSnapshotClassName: ceph-blockpool-snapshot
@@ -77,18 +80,18 @@ external:
   enabled: true
 
   # -- 5 character cron schedule
-  schedule: 0 4 * * *
+  schedule: 0 9 * * *
 
   # -- Backup configuration, inserted directly into the yaml
   restic:
     pruneIntervalDays: 7
     repository: ""
     retain:
-      hourly: 1
+      hourly: 0
-      daily: 3
+      daily: 7
-      weekly: 2
+      weekly: 4
-      monthly: 2
+      monthly: 3
-      yearly: 4
+      yearly: 1
     copyMethod: Snapshot
     storageClassName: ceph-block
     volumeSnapshotClassName: ceph-blockpool-snapshot

renovate.json

@@ -5,6 +5,16 @@
     "mergeConfidence:all-badges",
     ":rebaseStalePrs"
   ],
+  "customManagers": [
+    {
+      "customType": "regex",
+      "managerFilePatterns": ["/(^|/)Chart\\.yaml$/"],
+      "matchStrings": [
+        "#\\s*renovate:\\s*datasource=(?<datasource>.*?) depName=(?<depName>.*?)\\s+appVersion:\\s*[\"']?(?<currentValue>[^\"'\\s]+)[\"']?"
+      ],
+      "datasourceTemplate": "github-releases"
+    }
+  ],
   "timezone": "US/Central",
   "labels": [],
   "prHourlyLimit": 0,
@@ -36,6 +46,20 @@
         }
       ]
     },
+    {
+      "description": "Label images, helm",
+      "matchManagers": ["custom.regex", "helm-values"],
+      "groupName": "{{#if packageName}}{{{replace 'ghcr.io/' '' (replace 'docker.io/' '' packageName)}}}{{else}}{{{replace 'ghcr.io/' '' (replace 'docker.io/' '' depName)}}}{{/if}}",
+      "groupSlug": "unified-{{{groupName}}}",
+      "addLabels": ["image"],
+      "bumpVersions": [
+        {
+          "filePatterns": ["{{packageFileDir}}/Chart.{yaml,yml}"],
+          "matchStrings": ["version:\\s(?<version>[^\\s]+)"],
+          "bumpType": "{{#if isPatch}}patch{{else}}minor{{/if}}"
+        }
+      ]
+    },
     {
       "description": "Automerge generic-device-plugin image on digest",
       "matchDatasources": ["docker"],