backups for cnpg cluster

2026-05-03 10:47:03 +12:00 · 2026-05-03 10:47:03 +12:00 · d21e4411e6
parent 61a9a4f5b5
commit d21e4411e6
3 changed files with 49 additions and 0 deletions
--- a/infrastructure/databases/cnpg-clusters/backup-secret.yaml
+++ b/infrastructure/databases/cnpg-clusters/backup-secret.yaml
@ -0,0 +1,27 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: backup-creds
+  namespace: pg-databases
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: bitwarden
+    kind: ClusterSecretStore
+  target:
+    name: backup-creds
+    creationPolicy: Owner
+    template:
+      engineVersion: v2
+      mergePolicy: Merge
+      data:
+        ACCESS_KEY_ID: '{{ .accessKeyId }}'
+        ACCESS_SECRET_KEY: '{{ .accessSecretKey }}'
+  data:
+    - secretKey: accessKeyId
+      remoteRef:
+        key: contabo-client-id
+
+    - secretKey: accessSecretKey
+      remoteRef:
+        key: contabo-client-secret
--- a/infrastructure/databases/cnpg-clusters/kustomization.yaml
+++ b/infrastructure/databases/cnpg-clusters/kustomization.yaml
@ -4,3 +4,4 @@ resources:
 - pg-cluster.yaml
 - namespace.yaml
 - secret.yaml
+- backup-secret.yaml
--- a/infrastructure/databases/cnpg-clusters/pg-cluster.yaml
+++ b/infrastructure/databases/cnpg-clusters/pg-cluster.yaml
@ -13,3 +13,24 @@ spec:

  superuserSecret:
    name: pg-cluster-root-password
+
+  backup:
+    barmanObjectStore:
+      destinationPath: s3://databases/pg-cluster/
+      endpointURL: https://eu2.contabostorage.com
+      s3Credentials:
+        accessKeyId:
+          name: backup-creds
+          key: ACCESS_KEY_ID
+        secretAccessKey:
+          name: backup-creds
+          key: ACCESS_SECRET_KEY
+      wal:
+        compression: gzip
+        encryption: AES256
+      data:
+        compression: gzip
+        encryption: AES256
+        immediateCheckpoint: false
+        jobs: 2
+    retentionPolicy: "30d"