Adding cloudnative-pg backups for authentik

creedasaurus · Jun 18, 2024 · dc0d423 · dc0d423
1 parent e50e1e3
commit dc0d423
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 0 deletions.
diff --git a/apps/infra/authentik/database.yml b/apps/infra/authentik/database.yml
@@ -18,3 +18,31 @@ spec:
   superuserSecret:
     name: authentik-pg-superuser-creds
   enableSuperuserAccess: true
+
+  nodeMaintenanceWindow:
+    inProgress: false
+    reusePVC: true
+
+  monitoring:
+    enablePodMonitor: false
+
+  backup:
+    retentionPolicy: 30d
+    barmanObjectStore:
+      data:
+        compression: bzip2
+      wal:
+        compression: bzip2
+        maxParallel: 8
+      destinationPath: s3://cloudnative-pg/
+      endpointURL: https://s3.vulf.haus
+      # Note: serverName version needs to be inclemented
+      # when recovering from an existing cnpg cluster
+      serverName: &currentCluster authentik-pg-v1
+      s3Credentials:
+        accessKeyId:
+          name: authentik-pg-backup-creds
+          key: aws-access-key-id
+        secretAccessKey:
+          name: authentik-pg-backup-creds
+          key: aws-secret-access-key
diff --git a/apps/infra/authentik/secrets.yml b/apps/infra/authentik/secrets.yml
@@ -53,3 +53,29 @@ spec:
       remoteRef:
         key: authentik-creds
         property: authentik-secret-key
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: authentik-pg-backup-creds
+spec:
+  secretStoreRef:
+    name: 1password-connect
+    kind: ClusterSecretStore
+  target:
+    name: authentik-pg-backup-creds
+    template:
+      engineVersion: v2
+      metadata:
+        labels:
+          cnpg.io/reload: "true"
+  data:
+    - secretKey: aws-access-key-id
+      remoteRef:
+        key: authentik-creds
+        property: authentik-pg-backup-s3-accesskey
+
+    - secretKey: aws-secret-access-key
+      remoteRef:
+        key: authentik-creds
+        property: authentik-pg-backup-s3-secretkey