feat(cluster): allow using existing secret for backup and restore (#239)

* Renamed barmanObjectStore secrets for consistency * feat(cluster): allow using existing secret for backup and restore Signed-off-by: Itay Grudev <[email protected]> Signed-off-by: Itay Grudev <[email protected]> Co-authored-by: Ben Scholzen (DASPRiD) <[email protected]> Co-authored-by: Cr4mble <[email protected]>
cloudnative-pg · May 25, 2024 · a123fb4 · a123fb4
1 parent 7da043f
commit a123fb4
Show file tree

Hide file tree

Showing 11 changed files with 49 additions and 35 deletions.
diff --git a/charts/cluster/templates/_backup.tpl b/charts/cluster/templates/_backup.tpl
@@ -1,6 +1,6 @@
 {{- define "cluster.backup" -}}
-backup:
 {{- if .Values.backups.enabled }}
+backup:
   target: "prefer-standby"
   retentionPolicy: {{ .Values.backups.retentionPolicy }}
   barmanObjectStore:
@@ -13,7 +13,7 @@ backup:
       encryption: {{ .Values.backups.data.encryption }}
       jobs: {{ .Values.backups.data.jobs }}
 
-    {{- $d := dict "chartFullname" (include "cluster.fullname" .) "scope" .Values.backups }}
+    {{- $d := dict "chartFullname" (include "cluster.fullname" .) "scope" .Values.backups "secretPrefix" "backup" }}
     {{- include "cluster.barmanObjectStoreConfig" $d | nindent 2 }}
 {{- end }}
 {{- end }}
diff --git a/charts/cluster/templates/_barman_object_store.tpl b/charts/cluster/templates/_barman_object_store.tpl
@@ -1,7 +1,7 @@
 {{- define "cluster.barmanObjectStoreConfig" -}}
 
 {{- if .scope.endpointURL }}
-  endpointURL: {{ .scope.endpointURL }}
+  endpointURL: {{ .scope.endpointURL | quote }}
 {{- end }}
 
 {{- if or (.scope.endpointCA.create) (.scope.endpointCA.name) }}
@@ -21,46 +21,49 @@
   {{- if empty .scope.destinationPath }}
   destinationPath: "s3://{{ required "You need to specify S3 bucket if destinationPath is not specified." .scope.s3.bucket }}{{ .scope.s3.path }}"
   {{- end }}
+  {{- $secretName := coalesce .scope.secret.name (printf "%s-%s-s3-creds" .chartFullname .secretPrefix) }}
   s3Credentials:
     accessKeyId:
-      name: {{ .chartFullname }}-backup-s3{{ .secretSuffix }}-creds
+      name: {{ $secretName }}
       key: ACCESS_KEY_ID
     secretAccessKey:
-      name: {{ .chartFullname }}-backup-s3{{ .secretSuffix }}-creds
+      name: {{ $secretName }}
       key: ACCESS_SECRET_KEY
 {{- else if eq .scope.provider "azure" }}
   {{- if empty .scope.destinationPath }}
   destinationPath: "https://{{ required "You need to specify Azure storageAccount if destinationPath is not specified." .scope.azure.storageAccount }}.{{ .scope.azure.serviceName }}.core.windows.net/{{ .scope.azure.containerName }}{{ .scope.azure.path }}"
   {{- end }}
+  {{- $secretName := coalesce .scope.secret.name (printf "%s-%s-azure-creds" .chartFullname .secretPrefix) }}
   azureCredentials:
   {{- if .scope.azure.inheritFromAzureAD }}
     inheritFromAzureAD: true
   {{- else if .scope.azure.connectionString }}
     connectionString:
-      name: {{ .chartFullname }}-backup-azure{{ .secretSuffix }}-creds
+      name: {{ $secretName }}
       key: AZURE_CONNECTION_STRING
   {{- else }}
     storageAccount:
-      name: {{ .chartFullname }}-backup-azure{{ .secretSuffix }}-creds
+      name: {{ $secretName }}
       key: AZURE_STORAGE_ACCOUNT
     {{- if .scope.azure.storageKey }}
     storageKey:
-      name: {{ .chartFullname }}-backup-azure{{ .secretSuffix }}-creds
+      name: {{ $secretName }}
       key: AZURE_STORAGE_KEY
     {{- else }}
     storageSasToken:
-      name: {{ .chartFullname }}-backup-azure{{ .secretSuffix }}-creds
+      name: {{ $secretName }}
       key: AZURE_STORAGE_SAS_TOKEN
     {{- end }}
   {{- end }}
 {{- else if eq .scope.provider "google" }}
   {{- if empty .scope.destinationPath }}
   destinationPath: "gs://{{ required "You need to specify Google storage bucket if destinationPath is not specified." .scope.google.bucket }}{{ .scope.google.path }}"
   {{- end }}
+  {{- $secretName := coalesce .scope.secret.name (printf "%s-%s-google-creds" .chartFullname .secretPrefix) }}
   googleCredentials:
     gkeEnvironment: {{ .scope.google.gkeEnvironment }}
     applicationCredentials:
-      name: {{ .chartFullname }}-backup-google{{ .secretSuffix }}-creds
+      name: {{ $secretName }}
       key: APPLICATION_CREDENTIALS
 {{- end -}}
 {{- end -}}
diff --git a/charts/cluster/templates/_bootstrap.tpl b/charts/cluster/templates/_bootstrap.tpl
@@ -1,6 +1,6 @@
 {{- define "cluster.bootstrap" -}}
-bootstrap:
 {{- if eq .Values.mode "standalone" }}
+bootstrap:
   initdb:
     {{- with .Values.cluster.initdb }}
         {{- with (omit . "postInitApplicationSQL") }}
@@ -21,7 +21,8 @@ bootstrap:
             {{- printf "- %s" . | nindent 6 }}
           {{- end -}}
       {{- end -}}
-{{- else if eq .Values.mode "recovery" }}
+{{- else if eq .Values.mode "recovery" -}}
+bootstrap:
   recovery:
     {{- with .Values.recovery.pitrTarget.time }}
     recoveryTarget:
@@ -38,7 +39,7 @@ externalClusters:
   - name: objectStoreRecoveryCluster
     barmanObjectStore:
       serverName: {{ default (include "cluster.fullname" .) .Values.recovery.clusterName }}
-      {{- $d := dict "chartFullname" (include "cluster.fullname" .) "scope" .Values.recovery "secretSuffix" "-recovery" -}}
+      {{- $d := dict "chartFullname" (include "cluster.fullname" .) "scope" .Values.recovery "secretPrefix" "recovery" -}}
       {{- include "cluster.barmanObjectStoreConfig" $d | nindent 4 }}
 {{-  else }}
   {{ fail "Invalid cluster mode!" }}

diff --git a/charts/cluster/templates/backup-azure-creds.yaml b/charts/cluster/templates/backup-azure-creds.yaml
@@ -1,11 +1,11 @@
-{{- if and .Values.backups.enabled (eq .Values.backups.provider "azure") }}
+{{- if and .Values.backups.enabled (eq .Values.backups.provider "azure") .Values.backups.secret.create }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ include "cluster.fullname" . }}-backup-azure-creds
+  name: {{ default (printf "%s-backup-azure-creds" (include "cluster.fullname" .)) .Values.backups.secret.name }}
 data:
   AZURE_CONNECTION_STRING: {{ .Values.backups.azure.connectionString | b64enc | quote }}
   AZURE_STORAGE_ACCOUNT: {{ .Values.backups.azure.storageAccount | b64enc | quote }}
   AZURE_STORAGE_KEY: {{ .Values.backups.azure.storageKey | b64enc | quote }}
   AZURE_STORAGE_SAS_TOKEN: {{ .Values.backups.azure.storageSasToken | b64enc | quote }}
-{{- end }}
+{{- end }}
diff --git a/charts/cluster/templates/backup-google-creds.yaml b/charts/cluster/templates/backup-google-creds.yaml
@@ -1,8 +1,8 @@
-{{- if and .Values.backups.enabled (eq .Values.backups.provider "google") }}
+{{- if and .Values.backups.enabled (eq .Values.backups.provider "google") .Values.backups.secret.create }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ include "cluster.fullname" . }}-backup-google-creds
+  name: {{ default (printf "%s-backup-google-creds" (include "cluster.fullname" .)) .Values.backups.secret.name }}
 data:
   APPLICATION_CREDENTIALS: {{ .Values.backups.google.applicationCredentials | b64enc | quote }}
-{{- end }}
+{{- end }}
diff --git a/charts/cluster/templates/backup-google-recovery-creds.yaml b/charts/cluster/templates/backup-google-recovery-creds.yaml
diff --git a/charts/cluster/templates/backup-s3-creds.yaml b/charts/cluster/templates/backup-s3-creds.yaml
@@ -1,8 +1,8 @@
-{{- if and .Values.backups.enabled (eq .Values.backups.provider "s3") }}
+{{- if and .Values.backups.enabled (eq .Values.backups.provider "s3") .Values.backups.secret.create }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ include "cluster.fullname" . }}-backup-s3-creds
+  name: {{ default (printf "%s-backup-s3-creds" (include "cluster.fullname" .)) .Values.backups.secret.name }}
 data:
   ACCESS_KEY_ID: {{ required ".Values.backups.s3.accessKey is required, but not specified." .Values.backups.s3.accessKey | b64enc | quote }}
   ACCESS_SECRET_KEY: {{ required ".Values.backups.s3.secretKey is required, but not specified." .Values.backups.s3.secretKey | b64enc | quote }}

diff --git a/...emplates/backup-azure-recovery-creds.yaml → ...uster/templates/recovery-azure-creds.yaml b/...emplates/backup-azure-recovery-creds.yaml → ...uster/templates/recovery-azure-creds.yaml
@@ -1,11 +1,11 @@
-{{- if and (eq .Values.mode "recovery" ) (eq .Values.recovery.method "object_store") (eq .Values.recovery.provider "azure") }}
+{{- if and (eq .Values.mode "recovery" ) (eq .Values.recovery.method "object_store") (eq .Values.recovery.provider "azure") .Values.recovery.secret.create }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ include "cluster.fullname" . }}-backup-azure-recovery-creds
+  name: {{ default (printf "%s-recovery-azure-creds" (include "cluster.fullname" .)) .Values.recovery.secret.name }}
 data:
   AZURE_CONNECTION_STRING: {{ .Values.recovery.azure.connectionString | b64enc | quote }}
   AZURE_STORAGE_ACCOUNT: {{ .Values.recovery.azure.storageAccount | b64enc | quote }}
   AZURE_STORAGE_KEY: {{ .Values.recovery.azure.storageKey | b64enc | quote }}
   AZURE_STORAGE_SAS_TOKEN: {{ .Values.recovery.azure.storageSasToken | b64enc | quote }}
-{{- end }}
+{{- end }}
diff --git a/charts/cluster/templates/recovery-google-creds.yaml b/charts/cluster/templates/recovery-google-creds.yaml
@@ -0,0 +1,8 @@
+{{- if and (eq .Values.mode "recovery" ) (eq .Values.recovery.method "object_store") (eq .Values.recovery.provider "google") .Values.recovery.secret.create }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ default (printf "%s-recovery-google-creds" (include "cluster.fullname" .)) .Values.recovery.secret.name }}
+data:
+  APPLICATION_CREDENTIALS: {{ .Values.recovery.google.applicationCredentials | b64enc | quote }}
+{{- end }}
diff --git a/...r/templates/backup-s3-recovery-creds.yaml → .../cluster/templates/recovery-s3-creds.yaml b/...r/templates/backup-s3-recovery-creds.yaml → .../cluster/templates/recovery-s3-creds.yaml
@@ -1,9 +1,9 @@
-{{- if and (eq .Values.mode "recovery" ) (eq .Values.recovery.method "object_store") (eq .Values.recovery.provider "s3") }}
+{{- if and (eq .Values.mode "recovery" ) (eq .Values.recovery.method "object_store") (eq .Values.recovery.provider "s3") .Values.recovery.secret.create }}
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ include "cluster.fullname" . }}-backup-s3-recovery-creds
+  name: {{ default (printf "%s-recovery-s3-creds" (include "cluster.fullname" .)) .Values.recovery.secret.name }}
 data:
   ACCESS_KEY_ID: {{ required ".Values.recovery.s3.accessKey is required, but not specified." .Values.recovery.s3.accessKey | b64enc | quote }}
   ACCESS_SECRET_KEY: {{ required ".Values.recovery.s3.secretKey is required, but not specified." .Values.recovery.s3.secretKey | b64enc | quote }}
-{{- end }}
+{{- end }}
diff --git a/charts/cluster/values.yaml b/charts/cluster/values.yaml
@@ -75,6 +75,11 @@ recovery:
     bucket: ""
     gkeEnvironment: false
     applicationCredentials: ""
+  secret:
+    # -- Whether to create a secret for the backup credentials
+    create: true
+    # -- Name of the backup credentials secret
+    name: ""
 
 
 cluster:
@@ -242,6 +247,11 @@ backups:
     bucket: ""
     gkeEnvironment: false
     applicationCredentials: ""
+  secret:
+    # -- Whether to create a secret for the backup credentials
+    create: true
+    # -- Name of the backup credentials secret
+    name: ""
 
   wal:
     # -- WAL compression method. One of `` (for no compression), `gzip`, `bzip2` or `snappy`.