From 29552f377f33ecefe8111c9542cd5b9e70576c68 Mon Sep 17 00:00:00 2001
From: Alex Lebens
Date: Wed, 11 Mar 2026 18:50:42 -0500
Subject: [PATCH] feat: add postgres backups
---
 .../rclone/templates/external-secret.yaml | 51 +++++++
 clusters/cl01tl/helm/rclone/values.yaml | 129 ++++++++++++++++++
 2 files changed, 180 insertions(+)
diff --git a/clusters/cl01tl/helm/rclone/templates/external-secret.yaml b/clusters/cl01tl/helm/rclone/templates/external-secret.yaml
index 3e47df8d5..d35c7a5cb 100644
--- a/clusters/cl01tl/helm/rclone/templates/external-secret.yaml
+++ b/clusters/cl01tl/helm/rclone/templates/external-secret.yaml
@@ -200,3 +200,54 @@ spec:
 key: /garage/config/remote
 metadataPolicy: None
 property: ENDPOINT
+
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: garage-postgres-backups-secret
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: garage-postgres-backups-secret
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: ACCESS_KEY_ID
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /garage/home-infra/postgres-backups
+ metadataPolicy: None
+ property: ACCESS_KEY_ID
+ - secretKey: ACCESS_REGION
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /garage/home-infra/postgres-backups
+ metadataPolicy: None
+ property: ACCESS_REGION
+ - secretKey: ACCESS_SECRET_KEY
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /garage/home-infra/postgres-backups
+ metadataPolicy: None
+ property: ACCESS_SECRET_KEY
+ - secretKey: SRC_ENDPOINT
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /garage/config/local
+ metadataPolicy: None
+ property: ENDPOINT
+ - secretKey: DEST_ENDPOINT
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /garage/config/remote
+ metadataPolicy: None
+ property: ENDPOINT
diff --git a/clusters/cl01tl/helm/rclone/values.yaml b/clusters/cl01tl/helm/rclone/values.yaml
index c86dd9c52..685b0297f 100644
--- a/clusters/cl01tl/helm/rclone/values.yaml
+++ b/clusters/cl01tl/helm/rclone/values.yaml
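Review bot: The new `garage-postgres-backups-secret` in external-secret.yaml carries a single key pair (`ACCESS_KEY_ID` / `ACCESS_SECRET_KEY` from `/garage/home-infra/postgres-backups`) next to both `SRC_ENDPOINT` and `DEST_ENDPOINT`, and the values.yaml hunk of this commit presents that same pair to both remotes. If the key is accepted by both Garage clusters, one leaked job credential can modify or delete the primary backup bucket as well as the off-site copy. Exposing two pairs instead, for example `SRC_ACCESS_KEY_ID` bound to a read-only source key and `DEST_ACCESS_KEY_ID` bound to a separate destination key, would keep the sync job from being able to alter the backups it copies. The key's actual grants are not visible in this diff, so this needs confirming against the Garage key permissions.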
@@ -374,3 +374,132 @@ rclone:
 key: DEST_ENDPOINT
 - name: RCLONE_CONFIG_DEST_S3_FORCE_PATH_STYLE
 value: true
+ postgres-backups:
+ type: cronjob
+ cronjob:
+ suspend: false
+ concurrencyPolicy: Forbid
+ timeZone: US/Central
+ schedule: "40 0 * * *"
+ startingDeadlineSeconds: 90
+ successfulJobsHistory: 1
+ failedJobsHistory: 1
+ backoffLimit: 3
+ parallelism: 1
+ containers:
+ sync:
+ image:
+ repository: rclone/rclone
+ tag: 1.73.2
+ pullPolicy: IfNotPresent
+ args:
+ - sync
+ - src:postgres-backups
+ - dest:postgres-backups
+ - --s3-no-check-bucket
+ - --max-age
+ - 30d
+ - --include
+ - "/cl01tl/*/*/*/base/**"
+ - --exclude
+ - "**/walls/**"
+ - --verbose
+ env:
+ - name: RCLONE_S3_PROVIDER
+ value: Other
+ - name: RCLONE_CONFIG_SRC_TYPE
+ value: s3
+ - name: RCLONE_CONFIG_SRC_PROVIDER
+ value: Other
+ - name: RCLONE_CONFIG_SRC_ENV_AUTH
+ value: false
+ - name: RCLONE_CONFIG_SRC_ACCESS_KEY_ID
+ valueFrom:
+ secretKeyRef:
+ name: garage-postgres-backups-secret
+ key: ACCESS_KEY_ID
+ - name: RCLONE_CONFIG_SRC_SECRET_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: garage-postgres-backups-secret
+ key: ACCESS_SECRET_KEY
+ - name: RCLONE_CONFIG_SRC_REGION
+ valueFrom:
+ secretKeyRef:
+ name: garage-postgres-backups-secret
+ key: ACCESS_REGION
+ - name: RCLONE_CONFIG_SRC_ENDPOINT
+ valueFrom:
+ secretKeyRef:
+ name: garage-postgres-backups-secret
+ key: SRC_ENDPOINT
+ - name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE
+ value: true
+ - name: RCLONE_CONFIG_DEST_TYPE
+ value: s3
+ - name: RCLONE_CONFIG_DEST_PROVIDER
+ value: Other
+ - name: RCLONE_CONFIG_DEST_ENV_AUTH
+ value: false
+ - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
+ valueFrom:
+ secretKeyRef:
+ name: garage-postgres-backups-secret
+ key: ACCESS_KEY_ID
+ - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: garage-postgres-backups-secret
+ key: ACCESS_SECRET_KEY
+ - name: RCLONE_CONFIG_DEST_REGION
+ valueFrom:
+ secretKeyRef:
+ name: garage-postgres-backups-secret
+ key: ACCESS_REGION
+ - name: RCLONE_CONFIG_DEST_ENDPOINT
+ valueFrom:
+ secretKeyRef:
+ name: garage-postgres-backups-secret
+ key: DEST_ENDPOINT
+ - name: RCLONE_CONFIG_SRC_DEST_FORCE_PATH_STYLE
+ value: true
+ prune:
+ image:
+ repository: rclone/rclone
+ tag: 1.73.2
+ pullPolicy: IfNotPresent
+ args:
+ - delete
+ - dest:postgres-backups
+ - --min-age
+ - 30d
+ - --verbose
+ env:
+ - name: RCLONE_CONFIG_DEST_TYPE
+ value: s3
+ - name: RCLONE_CONFIG_DEST_PROVIDER
+ value: Other
+ - name: RCLONE_CONFIG_DEST_ENV_AUTH
+ value: false
+ - name: RCLONE_CONFIG_DEST_ACCESS_KEY_ID
+ valueFrom:
+ secretKeyRef:
+ name: garage-postgres-backups-secret
+ key: ACCESS_KEY_ID
+ - name: RCLONE_CONFIG_DEST_SECRET_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: garage-postgres-backups-secret
+ key: ACCESS_SECRET_KEY
+ - name: RCLONE_CONFIG_DEST_REGION
+ valueFrom:
+ secretKeyRef:
+ name: garage-postgres-backups-secret
+ key: ACCESS_REGION
+ - name: RCLONE_CONFIG_DEST_ENDPOINT
+ valueFrom:
+ secretKeyRef:
+ name: garage-postgres-backups-secret
+ key: DEST_ENDPOINT
+ - name: RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE
+ value: true
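Review bot: Two of the added environment variable names do not match the remote they are meant to configure: in the `sync` container `RCLONE_CONFIG_SRC_DEST_FORCE_PATH_STYLE` has `SRC_DEST` where the context line at the top of this hunk uses `RCLONE_CONFIG_DEST_S3_FORCE_PATH_STYLE`, and in the `prune` container `RCLONE_CONFIG_SRC_S3_FORCE_PATH_STYLE` names a `src` remote that the container never defines or uses. Both were presumably meant to be `- name: RCLONE_CONFIG_DEST_S3_FORCE_PATH_STYLE`. As written, neither container sets path-style addressing on `dest` explicitly, so requests to the destination endpoint rely on rclone's default. rclone reads per-remote options as `RCLONE_CONFIG_<REMOTE>_<OPTION>`, so it is also worth confirming that the `S3_` infix is honoured at all. Separately, `--exclude "**/walls/**"` may be a misspelling of `wals`; a filter pattern that matches nothing is silently ignored.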