first commit

.gitea/workflows/build.yaml

@@ -0,0 +1,27 @@
+name: Build Docker image
+on:
+  push:
+    tags:
+      - "*"
+
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Login to Docker Registry
+        uses: docker/login-action@v3
+        with:
+          registry: git.mak-sim.ru
+          username: maksim
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: Build and Push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./Dockerfile
+          push: true
+          tags: git.mak-sim.ru/maksim/pg_backup:${{ gitea.ref_name }}

Dockerfile

@@ -0,0 +1,11 @@
+FROM postgres:17
+
+WORKDIR /root
+
+RUN apt update && \
+    apt -y install restic ca-certificates
+
+COPY docker-entrypoint.sh /usr/local/bin/
+RUN chmod +x /usr/local/bin/docker-entrypoint.sh
+
+ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]

docker-entrypoint.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -eo pipefail
+
+: "${POSTGRES_HOST:?Please set the environment variable.}"
+: "${POSTGRES_USER:?Please set the environment variable.}"
+: "${POSTGRES_PASSWORD:?Please set the environment variable.}"
+: "${AWS_ACCESS_KEY_ID:?Please set the environment variable.}"
+: "${AWS_SECRET_ACCESS_KEY:?Please set the environment variable.}"
+: "${RESTIC_PASSWORD:?Please set the environment variable.}"
+: "${RESTIC_REPOSITORY:?Please set the environment variable.}"
+: "${RESTIC_HOST:?Please set the environment variable.}"
+
+POSTGRES_PORT="${POSTGRES_PORT:-5432}"
+POSTGRES_SSL_MODE=${POSTGRES_SSL_MODE:-"require"}
+RESTIC_TAG=${RESTIC_TAG:-"pg_basebackup"}
+
+PGPASSWORD=${POSTGRES_PASSWORD} pg_basebackup -h "${POSTGRES_HOST}" -d "sslmode=${POSTGRES_SSL_MODE}" -D /tmp/backup -U ${POSTGRES_USER} -F t -z -P
+restic --verbose backup -H ${RESTIC_HOST} --tag ${RESTIC_TAG} /tmp/backup
+restic forget --prune --keep-last 14 --host ${RESTIC_HOST}

pg_backup/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

pg_backup/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: pg_backup
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.0.1"

pg_backup/templates/cron.yaml

@@ -0,0 +1,68 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: pg-backup
+spec:
+  schedule: "@daily"
+  concurrencyPolicy: Forbid
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          {{- with .Values.imagePullSecrets }}
+          imagePullSecrets:
+          {{- toYaml . | nindent 12 }}
+          {{- end }}
+          containers:
+          - name: pg-backup
+            image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+            imagePullPolicy: "{{ .Values.image.pullPolicy }}"
+            env:
+              - name: POSTGRES_HOST
+                valueFrom:
+                  configMapKeyRef:
+                    name: pg-config
+                    key: postgres_host
+              - name: POSTGRES_USER
+                valueFrom:
+                  configMapKeyRef:
+                    name: pg-config
+                    key: postgres_user
+              - name: POSTGRES_PASSWORD
+                valueFrom:
+                  secretKeyRef:
+                    name: pg-secret
+                    key: postgres_password
+              - name: POSTGRES_PORT
+                valueFrom:
+                  configMapKeyRef:
+                    name: pg-config
+                    key: postgres_port
+              - name: AWS_ACCESS_KEY_ID
+                valueFrom:
+                  configMapKeyRef:
+                    name: restic-config
+                    key: aws_access_key_id
+              - name: AWS_SECRET_ACCESS_KEY
+                valueFrom:
+                  secretKeyRef:
+                    name: restic-secret
+                    key: aws_secret_access_key
+              - name: RESTIC_PASSWORD
+                valueFrom:
+                  secretKeyRef:
+                    name: restic-secret
+                    key: restic_password
+              - name: RESTIC_REPOSITORY
+                valueFrom:
+                  configMapKeyRef:
+                    name: restic-config
+                    key: restic_repository
+              - name: RESTIC_HOST
+                valueFrom:
+                  configMapKeyRef:
+                    name: restic-config
+                    key: restic_host
+            resources:
+              {{- .Values.resources | toYaml | nindent 14 }}
+          restartPolicy: OnFailure

pg_backup/templates/pg-conf.yaml

@@ -0,0 +1,18 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: pg-config
+data:
+  postgres_host: {{ .Values.postgres_host | toString | quote  }}
+  postgres_port: {{ .Values.postgres_port | toString | quote }}
+  postgres_user: {{ .Values.postgres_user | toString | quote }}
+  postgres_ssl_mode: {{ .Values.postgres_ssl_mode | toString | quote }}
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: pg-secret
+type: Opaque
+data:
+  postgres_password: {{ .Values.postgres_password | b64enc }}

pg_backup/templates/restic-conf.yaml

@@ -0,0 +1,19 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: restic-config
+data:
+  aws_access_key_id: {{ .Values.aws_access_key_id }}
+  restic_repository: {{ .Values.restic_repository }}
+  restic_host: {{ .Values.restic_host }}
+  restic_tag: {{ .Values.restic_tag }}
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: restic-secret
+type: Opaque
+data:
+  aws_secret_access_key: {{ .Values.aws_secret_access_key | b64enc }}
+  restic_password: {{ .Values.restic_password | b64enc }}

pg_backup/values.yaml

@@ -0,0 +1,29 @@
+image:
+  repository: cr.yandex/crp6ch9mi9nt1cu5mnif/pg_backup
+  pullPolicy: IfNotPresent
+  tag: "0.0.7"
+
+imagePullSecrets:
+  - name: regcred
+
+resources:
+  requests:
+    cpu: "200m"
+    memory: 256Mi
+  limits:
+    cpu: "750m"
+    memory: "600Mi"
+
+postgres_host: ""
+postgres_port: "5432"
+postgres_user: postgres
+postgres_password: ""
+postgres_ssl_mode: require
+
+aws_access_key_id: ""
+aws_secret_access_key: ""
+
+restic_password: ""
+restic_repository: ""
+restic_host: weasel
+restic_tag: pg_basebackup