62 changes: 62 additions & 0 deletions charts/cluster/README.md
@@ -97,6 +97,16 @@ Each backup adapter takes it's own set of parameters, listed in the [Configurati
section. Refer to the table for the full list of parameters and place the configuration under the appropriate key: `backups.s3`,
`backups.azure`, or `backups.google`.

### Barman Cloud Plugin integration

The chart can configure a cluster to use the CNPG-I Barman Cloud plugin as the WAL archiver by enabling
`barmanCloudPlugin.enabled`. This renders a plugin `ObjectStore`, configures `spec.plugins` on the `Cluster`, and can
optionally create plugin-based scheduled backups. The Barman Cloud plugin and its CRDs must already be installed, for
example with the `plugin-barman-cloud` chart.

`barmanCloudPlugin.enabled` is mutually exclusive with `backups.enabled`, because the CloudNativePG API does not allow a
WAL archiver plugin and `spec.backup.barmanObjectStore` to be configured at the same time.

Recovery
--------

@@ -153,6 +163,58 @@ Kubernetes: `>=1.29.0-0`
| backups.wal.compression | string | `"gzip"` | WAL compression method. One of `` (for no compression), `gzip`, `bzip2` or `snappy`. |
| backups.wal.encryption | string | `"AES256"` | Whether to instruct the storage provider to encrypt WAL files. One of `` (use the storage container default), `AES256` or `aws:kms`. |
| backups.wal.maxParallel | int | `1` | Number of WAL files to be archived or restored in parallel. |
| barmanCloudPlugin.additionalConfiguration | object | `{}` | Additional fields rendered under ObjectStore spec.configuration. |
| barmanCloudPlugin.additionalPluginParameters | object | `{}` | Additional plugin parameters rendered under spec.plugins[].parameters. |
| barmanCloudPlugin.data.compression | string | `""` | Data compression method. One of `` (for no compression), `gzip`, `bzip2`, `lz4` or `snappy`. |
| barmanCloudPlugin.data.encryption | string | `""` | Whether to instruct the storage provider to encrypt data files. One of `` (use the storage container default), `AES256` or `aws:kms`. |
| barmanCloudPlugin.data.jobs | int | `0` | Number of data files to be archived in parallel. Set to 0 to omit the field. |
| barmanCloudPlugin.destinationPath | string | `""` | Full object store destination path. If empty, s3.bucket and s3.path are used. |
| barmanCloudPlugin.enabled | bool | `false` | Enable the Barman Cloud CNPG-I plugin integration. |
| barmanCloudPlugin.endpointCA | object | `{}` | Optional endpoint CA reference. |
| barmanCloudPlugin.endpointURL | string | `""` | Object store endpoint URL. If empty and s3.region is set, AWS S3 endpoint is derived. |
| barmanCloudPlugin.instanceSidecarConfiguration | object | `{}` | Optional ObjectStore spec.instanceSidecarConfiguration. |
| barmanCloudPlugin.objectStore.annotations | object | `{}` | |
| barmanCloudPlugin.objectStore.name | string | `""` | Name of the ObjectStore resource. Defaults to <release>-barman-store. |
| barmanCloudPlugin.pluginName | string | `"barman-cloud.cloudnative-pg.io"` | Name of the installed CNPG-I plugin. |
| barmanCloudPlugin.retentionPolicy | string | `"30d"` | ObjectStore retention policy. |
| barmanCloudPlugin.s3.accessKey | string | `""` | Access key value, only used when s3.secret.create is true. |
| barmanCloudPlugin.s3.bucket | string | `""` | S3 bucket used when destinationPath is empty. |
| barmanCloudPlugin.s3.externalSecret.annotations | object | `{}` | |
| barmanCloudPlugin.s3.externalSecret.enabled | bool | `false` | Whether the chart should create an ExternalSecret for S3 credentials. |
| barmanCloudPlugin.s3.externalSecret.labels | object | `{}` | |
| barmanCloudPlugin.s3.externalSecret.name | string | `""` | Name of the ExternalSecret resource. Defaults to <secret name>-external-secret. |
| barmanCloudPlugin.s3.externalSecret.refreshInterval | string | `"168h"` | |
| barmanCloudPlugin.s3.externalSecret.remoteRefs.accessKeyId.conversionStrategy | string | `"Default"` | |
| barmanCloudPlugin.s3.externalSecret.remoteRefs.accessKeyId.decodingStrategy | string | `"None"` | |
| barmanCloudPlugin.s3.externalSecret.remoteRefs.accessKeyId.key | string | `""` | |
| barmanCloudPlugin.s3.externalSecret.remoteRefs.accessKeyId.metadataPolicy | string | `"None"` | |
| barmanCloudPlugin.s3.externalSecret.remoteRefs.accessKeyId.property | string | `""` | |
| barmanCloudPlugin.s3.externalSecret.remoteRefs.secretAccessKey.conversionStrategy | string | `"Default"` | |
| barmanCloudPlugin.s3.externalSecret.remoteRefs.secretAccessKey.decodingStrategy | string | `"None"` | |
| barmanCloudPlugin.s3.externalSecret.remoteRefs.secretAccessKey.key | string | `""` | |
| barmanCloudPlugin.s3.externalSecret.remoteRefs.secretAccessKey.metadataPolicy | string | `"None"` | |
| barmanCloudPlugin.s3.externalSecret.remoteRefs.secretAccessKey.property | string | `""` | |
| barmanCloudPlugin.s3.externalSecret.secretStoreRef.kind | string | `"ClusterSecretStore"` | |
| barmanCloudPlugin.s3.externalSecret.secretStoreRef.name | string | `""` | |
| barmanCloudPlugin.s3.externalSecret.target.creationPolicy | string | `"Owner"` | |
| barmanCloudPlugin.s3.externalSecret.target.deletionPolicy | string | `"Retain"` | |
| barmanCloudPlugin.s3.externalSecret.target.name | string | `""` | Target Secret name. Defaults to barmanCloudPlugin.s3.secret.name or <release>-barman-s3-creds. |
| barmanCloudPlugin.s3.inheritFromIAMRole | bool | `false` | Use role-based authentication instead of explicit credentials. |
| barmanCloudPlugin.s3.path | string | `"/"` | S3 path used when destinationPath is empty. |
| barmanCloudPlugin.s3.region | string | `""` | AWS region used to derive the default S3 endpoint when endpointURL is empty. |
| barmanCloudPlugin.s3.secret.accessKeyIdKey | string | `"ACCESS_KEY_ID"` | |
| barmanCloudPlugin.s3.secret.create | bool | `false` | Whether the chart should create a Kubernetes Secret for S3 credentials. |
| barmanCloudPlugin.s3.secret.name | string | `""` | Name of the Secret containing S3 credentials. Defaults to <release>-barman-s3-creds. |
| barmanCloudPlugin.s3.secret.secretAccessKeyKey | string | `"ACCESS_SECRET_KEY"` | |
| barmanCloudPlugin.s3.secretKey | string | `""` | Secret key value, only used when s3.secret.create is true. |
| barmanCloudPlugin.scheduledBackups[0].backupOwnerReference | string | `"self"` | Backup owner reference |
| barmanCloudPlugin.scheduledBackups[0].name | string | `"daily-backup"` | Scheduled backup name |
| barmanCloudPlugin.scheduledBackups[0].pluginName | string | `""` | Plugin name override. Defaults to barmanCloudPlugin.pluginName. |
| barmanCloudPlugin.scheduledBackups[0].schedule | string | `"0 0 0 * * *"` | Schedule in cron format |
| barmanCloudPlugin.serverName | string | `""` | Optional server name plugin parameter. Leave empty for the cluster name default. |
| barmanCloudPlugin.wal.compression | string | `""` | WAL compression method. One of `` (for no compression), `gzip`, `bzip2`, `lz4`, `snappy`, `xz` or `zstd`. |
| barmanCloudPlugin.wal.encryption | string | `""` | Whether to instruct the storage provider to encrypt WAL files. One of `` (use the storage container default), `AES256` or `aws:kms`. |
| barmanCloudPlugin.wal.maxParallel | int | `0` | Number of WAL files to be archived or restored in parallel. Set to 0 to omit the field. |
| cluster.additionalLabels | object | `{}` | |
| cluster.affinity | object | `{"topologyKey":"topology.kubernetes.io/zone"}` | Affinity/Anti-affinity rules for Pods. See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-AffinityConfiguration |
| cluster.annotations | object | `{}` | |
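Review bot: a number of the new rows have an empty description column (`barmanCloudPlugin.objectStore.annotations`, every `barmanCloudPlugin.s3.externalSecret.*` row except `enabled`, `name` and `target.name`, and `s3.secret.accessKeyIdKey` / `s3.secret.secretAccessKeyKey`); if this table is generated by helm-docs, a `# --` comment on each value in values.yaml fills them, and users need at least `remoteRefs.*.key` / `.property` and the two Secret key names explained, since the ObjectStore reads those exact keys. Second point: `barmanCloudPlugin.wal.encryption` and `barmanCloudPlugin.data.encryption` default to `""` whereas the existing `backups.wal.encryption` defaults to `"AES256"`, so a cluster moved from `backups` to the plugin silently stops asking the bucket for server-side encryption; either keep `AES256` as the default here or state the difference in the description.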
10 changes: 10 additions & 0 deletions charts/cluster/README.md.gotmpl
@@ -105,6 +105,16 @@ Each backup adapter takes it's own set of parameters, listed in the [Configurati
section. Refer to the table for the full list of parameters and place the configuration under the appropriate key: `backups.s3`,
`backups.azure`, or `backups.google`.

### Barman Cloud Plugin integration

The chart can configure a cluster to use the CNPG-I Barman Cloud plugin as the WAL archiver by enabling
`barmanCloudPlugin.enabled`. This renders a plugin `ObjectStore`, configures `spec.plugins` on the `Cluster`, and can
optionally create plugin-based scheduled backups. The Barman Cloud plugin and its CRDs must already be installed, for
example with the `plugin-barman-cloud` chart.

`barmanCloudPlugin.enabled` is mutually exclusive with `backups.enabled`, because the CloudNativePG API does not allow a
WAL archiver plugin and `spec.backup.barmanObjectStore` to be configured at the same time.


Recovery
--------
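Review bot: the new section says the plugin and its CRDs must already be installed but not what happens otherwise: with `barmanCloudPlugin.enabled: true` the chart renders an `ObjectStore` (`barmancloud.cnpg.io/v1`), so `helm install` fails with an unknown-kind error when the CRD is absent; one sentence saying so, plus a pointer to the three credential modes this PR adds (`s3.inheritFromIAMRole`, `s3.secret.create`, `s3.externalSecret.enabled`), would save a support round-trip. Style: the hunk leaves two blank lines before `Recovery`, drop one. The unchanged context line `takes it's own` should read `takes its own` if you touch that paragraph anyway.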
25 changes: 25 additions & 0 deletions charts/cluster/examples/barman-cloud-plugin.yaml
@@ -0,0 +1,25 @@
type: postgresql
mode: standalone

cluster:
instances: 3
storage:
size: 8Gi

barmanCloudPlugin:
enabled: true
s3:
region: eu-west-1
bucket: mybucket
path: /cluster
inheritFromIAMRole: true
wal:
compression: gzip
maxParallel: 2
data:
compression: gzip
jobs: 2
scheduledBackups:
- name: daily-backup
schedule: "0 0 0 * * *"
backupOwnerReference: self
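Review bot: the example relies on the chart's empty defaults for `wal.encryption` and `data.encryption`, so unlike the existing `backups` path (default `AES256`) nothing requests server-side encryption from the bucket; since this file is what users copy, add `encryption: AES256` under `wal:` and `data:`, or a comment explaining why it is left out. `region: eu-west-1` also makes the template derive `https://s3.eu-west-1.amazonaws.com`; a comment that `endpointURL` overrides this for non-AWS stores would help, as the example otherwise looks AWS-only.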
13 changes: 13 additions & 0 deletions charts/cluster/templates/_barman_cloud_plugin.tpl
@@ -0,0 +1,13 @@
{{/*
Name of the Barman Cloud Plugin ObjectStore resource.
*/}}
{{- define "cluster.barmanCloudPlugin.objectStoreName" -}}
{{- default (printf "%s-barman-store" (include "cluster.fullname" .)) .Values.barmanCloudPlugin.objectStore.name -}}
{{- end -}}

{{/*
Name of the Secret containing Barman Cloud Plugin object store credentials.
*/}}
{{- define "cluster.barmanCloudPlugin.secretName" -}}
{{- default (printf "%s-barman-s3-creds" (include "cluster.fullname" .)) .Values.barmanCloudPlugin.s3.secret.name -}}
{{- end -}}
41 changes: 41 additions & 0 deletions charts/cluster/templates/barman-cloud-external-secret.yaml
@@ -0,0 +1,41 @@
{{- if and .Values.barmanCloudPlugin.enabled (not .Values.barmanCloudPlugin.s3.inheritFromIAMRole) .Values.barmanCloudPlugin.s3.externalSecret.enabled }}
{{- $secretName := include "cluster.barmanCloudPlugin.secretName" . -}}
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: {{ default (printf "%s-external-secret" $secretName) .Values.barmanCloudPlugin.s3.externalSecret.name }}
namespace: {{ include "cluster.namespace" . }}
labels:
{{- include "cluster.labels" . | nindent 4 }}
{{- with .Values.barmanCloudPlugin.s3.externalSecret.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.barmanCloudPlugin.s3.externalSecret.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
data:
- remoteRef:
conversionStrategy: {{ .Values.barmanCloudPlugin.s3.externalSecret.remoteRefs.accessKeyId.conversionStrategy }}
decodingStrategy: {{ .Values.barmanCloudPlugin.s3.externalSecret.remoteRefs.accessKeyId.decodingStrategy }}
key: {{ required ".Values.barmanCloudPlugin.s3.externalSecret.remoteRefs.accessKeyId.key is required when barmanCloudPlugin.s3.externalSecret.enabled is true." .Values.barmanCloudPlugin.s3.externalSecret.remoteRefs.accessKeyId.key }}
metadataPolicy: {{ .Values.barmanCloudPlugin.s3.externalSecret.remoteRefs.accessKeyId.metadataPolicy }}
property: {{ required ".Values.barmanCloudPlugin.s3.externalSecret.remoteRefs.accessKeyId.property is required when barmanCloudPlugin.s3.externalSecret.enabled is true." .Values.barmanCloudPlugin.s3.externalSecret.remoteRefs.accessKeyId.property }}
secretKey: {{ .Values.barmanCloudPlugin.s3.secret.accessKeyIdKey }}
- remoteRef:
conversionStrategy: {{ .Values.barmanCloudPlugin.s3.externalSecret.remoteRefs.secretAccessKey.conversionStrategy }}
decodingStrategy: {{ .Values.barmanCloudPlugin.s3.externalSecret.remoteRefs.secretAccessKey.decodingStrategy }}
key: {{ required ".Values.barmanCloudPlugin.s3.externalSecret.remoteRefs.secretAccessKey.key is required when barmanCloudPlugin.s3.externalSecret.enabled is true." .Values.barmanCloudPlugin.s3.externalSecret.remoteRefs.secretAccessKey.key }}
metadataPolicy: {{ .Values.barmanCloudPlugin.s3.externalSecret.remoteRefs.secretAccessKey.metadataPolicy }}
property: {{ required ".Values.barmanCloudPlugin.s3.externalSecret.remoteRefs.secretAccessKey.property is required when barmanCloudPlugin.s3.externalSecret.enabled is true." .Values.barmanCloudPlugin.s3.externalSecret.remoteRefs.secretAccessKey.property }}
secretKey: {{ .Values.barmanCloudPlugin.s3.secret.secretAccessKeyKey }}
refreshInterval: {{ .Values.barmanCloudPlugin.s3.externalSecret.refreshInterval }}
secretStoreRef:
kind: {{ required ".Values.barmanCloudPlugin.s3.externalSecret.secretStoreRef.kind is required when barmanCloudPlugin.s3.externalSecret.enabled is true." .Values.barmanCloudPlugin.s3.externalSecret.secretStoreRef.kind }}
name: {{ required ".Values.barmanCloudPlugin.s3.externalSecret.secretStoreRef.name is required when barmanCloudPlugin.s3.externalSecret.enabled is true." .Values.barmanCloudPlugin.s3.externalSecret.secretStoreRef.name }}
target:
creationPolicy: {{ .Values.barmanCloudPlugin.s3.externalSecret.target.creationPolicy }}
deletionPolicy: {{ .Values.barmanCloudPlugin.s3.externalSecret.target.deletionPolicy }}
name: {{ default $secretName .Values.barmanCloudPlugin.s3.externalSecret.target.name }}
{{- end }}
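Review bot: `remoteRef.property` is wrapped in `required` for both entries, but in External Secrets Operator `property` is optional (when omitted the whole remote secret value is used), so the template rejects the common layout where the access key id and the secret access key are two separate provider secrets with no sub-property; render `property` under a `with` guard instead. Also, newer External Secrets Operator releases serve `external-secrets.io/v1` and mark `v1beta1` deprecated; keep `v1beta1` only if the chart's other templates already use it. `deletionPolicy: Retain` as the default is the right call for a database credential.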
76 changes: 76 additions & 0 deletions charts/cluster/templates/barman-cloud-objectstore.yaml
@@ -0,0 +1,76 @@
{{- if .Values.barmanCloudPlugin.enabled }}
apiVersion: barmancloud.cnpg.io/v1
kind: ObjectStore
metadata:
name: {{ include "cluster.barmanCloudPlugin.objectStoreName" . }}
namespace: {{ include "cluster.namespace" . }}
labels:
{{- include "cluster.labels" . | nindent 4 }}
{{- with .Values.barmanCloudPlugin.objectStore.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- with .Values.barmanCloudPlugin.retentionPolicy }}
retentionPolicy: {{ . | quote }}
{{- end }}
configuration:
{{- if .Values.barmanCloudPlugin.destinationPath }}
destinationPath: {{ .Values.barmanCloudPlugin.destinationPath | quote }}
{{- else }}
destinationPath: {{ printf "s3://%s%s" (required ".Values.barmanCloudPlugin.s3.bucket is required when barmanCloudPlugin is enabled and destinationPath is empty." .Values.barmanCloudPlugin.s3.bucket) .Values.barmanCloudPlugin.s3.path | quote }}
{{- end }}
{{- if .Values.barmanCloudPlugin.endpointURL }}
endpointURL: {{ .Values.barmanCloudPlugin.endpointURL | quote }}
{{- else if .Values.barmanCloudPlugin.s3.region }}
endpointURL: {{ printf "https://s3.%s.amazonaws.com" .Values.barmanCloudPlugin.s3.region | quote }}
{{- end }}
{{- with .Values.barmanCloudPlugin.endpointCA }}
endpointCA:
{{- toYaml . | nindent 6 }}
{{- end }}
s3Credentials:
{{- if .Values.barmanCloudPlugin.s3.inheritFromIAMRole }}
inheritFromIAMRole: true
{{- else }}
accessKeyId:
name: {{ include "cluster.barmanCloudPlugin.secretName" . }}
key: {{ .Values.barmanCloudPlugin.s3.secret.accessKeyIdKey }}
secretAccessKey:
name: {{ include "cluster.barmanCloudPlugin.secretName" . }}
key: {{ .Values.barmanCloudPlugin.s3.secret.secretAccessKeyKey }}
{{- end }}
{{- $wal := .Values.barmanCloudPlugin.wal }}
{{- if or $wal.compression $wal.encryption $wal.maxParallel }}
wal:
{{- with $wal.compression }}
compression: {{ . }}
{{- end }}
{{- with $wal.encryption }}
encryption: {{ . }}
{{- end }}
{{- with $wal.maxParallel }}
maxParallel: {{ . }}
{{- end }}
{{- end }}
{{- $data := .Values.barmanCloudPlugin.data }}
{{- if or $data.compression $data.encryption $data.jobs }}
data:
{{- with $data.compression }}
compression: {{ . }}
{{- end }}
{{- with $data.encryption }}
encryption: {{ . }}
{{- end }}
{{- with $data.jobs }}
jobs: {{ . }}
{{- end }}
{{- end }}
{{- with .Values.barmanCloudPlugin.additionalConfiguration }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.barmanCloudPlugin.instanceSidecarConfiguration }}
instanceSidecarConfiguration:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
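Review bot: `destinationPath` is built as `printf "s3://%s%s" bucket path`, so the separator comes only from `s3.path`; the default `/` works, but a user who sets `path: cluster` (no leading slash) gets `s3://mybucketcluster`, i.e. a different bucket name, with no error at render time. Normalise it, for example `printf "s3://%s/%s" .bucket (trimPrefix "/" .path)`, or `fail` when the path does not start with `/`. Second point: `s3Credentials` is emitted unconditionally, so an `ObjectStore` for Azure or Google storage cannot be expressed even though `destinationPath` accepts any URL; if S3-only is intended, say so in the README, otherwise guard the `s3Credentials` block on the `s3://` scheme.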
13 changes: 13 additions & 0 deletions charts/cluster/templates/barman-cloud-s3-creds.yaml
@@ -0,0 +1,13 @@
{{- if and .Values.barmanCloudPlugin.enabled (not .Values.barmanCloudPlugin.s3.inheritFromIAMRole) .Values.barmanCloudPlugin.s3.secret.create }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "cluster.barmanCloudPlugin.secretName" . }}
namespace: {{ include "cluster.namespace" . }}
labels:
{{- include "cluster.labels" . | nindent 4 }}
type: Opaque
data:
{{ .Values.barmanCloudPlugin.s3.secret.accessKeyIdKey }}: {{ required ".Values.barmanCloudPlugin.s3.accessKey is required when barmanCloudPlugin.s3.secret.create is true." .Values.barmanCloudPlugin.s3.accessKey | b64enc | quote }}
{{ .Values.barmanCloudPlugin.s3.secret.secretAccessKeyKey }}: {{ required ".Values.barmanCloudPlugin.s3.secretKey is required when barmanCloudPlugin.s3.secret.create is true." .Values.barmanCloudPlugin.s3.secretKey | b64enc | quote }}
{{- end }}
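Review bot: nothing prevents `s3.secret.create` and `s3.externalSecret.enabled` from both being true: this template and `barman-cloud-external-secret.yaml` then both manage the same Secret name (`cluster.barmanCloudPlugin.secretName`, which is also the ExternalSecret's default `target.name`), and with `creationPolicy: Owner` the operator will try to take ownership of a Secret Helm also manages. Add a `fail` for that combination in one of the two templates. Also note that `accessKey` / `secretKey` supplied through values land in the Helm release Secret (`helm.sh/release.v1`) and in `helm get values` as well as in this Secret; a line in the README steering users to `inheritFromIAMRole` or the ExternalSecret path is worth adding.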
22 changes: 22 additions & 0 deletions charts/cluster/templates/barman-cloud-scheduled-backups.yaml
@@ -0,0 +1,22 @@
{{- if .Values.barmanCloudPlugin.enabled }}
{{ $context := . -}}
{{ range .Values.barmanCloudPlugin.scheduledBackups -}}
---
apiVersion: postgresql.cnpg.io/v1
kind: ScheduledBackup
metadata:
name: {{ include "cluster.fullname" $context }}-{{ .name }}
namespace: {{ include "cluster.namespace" $ }}
labels:
{{- include "cluster.labels" $context | nindent 4 }}
spec:
immediate: true
schedule: {{ .schedule | quote }}
method: plugin
pluginConfiguration:
name: {{ default $context.Values.barmanCloudPlugin.pluginName .pluginName }}
backupOwnerReference: {{ .backupOwnerReference }}
cluster:
name: {{ include "cluster.fullname" $context }}
{{ end -}}
{{ end }}
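Review bot: the `namespace:` line uses `$` while every other reference in the file uses `$context`; both resolve to the root context inside `range`, but pick one (the existing `scheduled-backups.yaml` uses `$context`). This template is now almost a copy of `scheduled-backups.yaml`, which learns `method: plugin` in the same PR; consider rendering plugin backups through that template with a fixed method rather than maintaining two. Minor: `{{ $context := . -}}` and `{{ range ... -}}` do not left-trim, so an extra blank line precedes the first `---`; harmless, but inconsistent with the `{{- if` on the first line.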
16 changes: 16 additions & 0 deletions charts/cluster/templates/cluster.yaml
@@ -53,6 +53,22 @@ spec:
{{- if .Values.cluster.priorityClassName }}
priorityClassName: {{ .Values.cluster.priorityClassName }}
{{- end }}
{{- if and .Values.barmanCloudPlugin.enabled .Values.backups.enabled }}
{{- fail "barmanCloudPlugin.enabled and backups.enabled cannot both be true because a WAL archiver plugin cannot be used with spec.backup.barmanObjectStore." }}
{{- end }}
{{- if .Values.barmanCloudPlugin.enabled }}
plugins:
- name: {{ .Values.barmanCloudPlugin.pluginName }}
isWALArchiver: true
parameters:
barmanObjectName: {{ include "cluster.barmanCloudPlugin.objectStoreName" . }}
{{- with .Values.barmanCloudPlugin.serverName }}
serverName: {{ . }}
{{- end }}
{{- with .Values.barmanCloudPlugin.additionalPluginParameters }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}

primaryUpdateMethod: {{ .Values.cluster.primaryUpdateMethod }}
primaryUpdateStrategy: {{ .Values.cluster.primaryUpdateStrategy }}
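Review bot: the `fail` for `barmanCloudPlugin.enabled` together with `backups.enabled` sits between `priorityClassName` and `plugins` in the middle of `spec`; it works because `fail` aborts the whole render, but as a precondition it belongs at the top of the template or in a helper in `_helpers.tpl`, and the README should say the chart enforces this rather than leaving users to discover it as an API error. `isWALArchiver: true` is hard-coded, which is correct for this plugin's role; a short template comment saying so would stop someone adding a values knob for it later.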
4 changes: 4 additions & 0 deletions charts/cluster/templates/scheduled-backups.yaml
@@ -12,6 +12,10 @@ spec:
immediate: true
schedule: {{ .schedule | quote }}
method: {{ .method }}
{{- if eq .method "plugin" }}
pluginConfiguration:
name: {{ default $.Values.barmanCloudPlugin.pluginName .pluginName }}
{{- end }}
backupOwnerReference: {{ .backupOwnerReference }}
cluster:
name: {{ include "cluster.fullname" $context }}
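Review bot: this adds a `pluginName` field to `backups.scheduledBackups[]` entries, but the values table in this PR documents `pluginName` only under `barmanCloudPlugin.scheduledBackups[0]`; add a `backups.scheduledBackups[0].pluginName` row and list `plugin` among the allowed `method` values. Also `$.Values` here versus `$context` on the `cluster.name` line below, the same mix as in the new template; one spelling per file.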