feat(backup): skip-if-unchanged + scheduled CronJob in the chart

Builds on the dedicated backup (erp#31). Skip-if-unchanged: each half (DB / documents) carries a content fingerprint at erp/<env>/.fp-{db,docs} and is dumped+uploaded only if it differs from the last run — a quiet ERP day re-uploads nothing. Fingerprint = durable BUSINESS content only: DB = count+max(tms) over tms tables EXCEPT volatile churn (llx_const, llx_user, session/cron); docs EXCLUDE */temp/* (Dolibarr stats cache) — from both the fingerprint and the tar. Proven live: 1st run uploads both, immediate 2nd run skips both (uploaded=0). Automation: the in-container logic moves to chart/files/backup-job.sh (single source of truth, read by the orchestrator AND the chart). New chart/templates/backup-cronjob.yaml renders a daily CronJob + ConfigMap + VaultStaticSecret, gated by backup.enabled (default false). Helm-verified: off by default (0 CronJobs), on renders correctly, env-aware (PREFIX erp/prod vs erp/sandbox), script embedded. Activation (documented): store GCS HMAC creds at kvv2/<backup.vaultS3Path> (default erp/backup), grant the erp `auth` Vault role read on it (tools change), set backup.enabled=true. Until then the orchestrator runs on demand. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-30 15:53:13 +02:00
parent e69717c2d9
commit a3f0586c77
6 changed files with 202 additions and 67 deletions
--- a/ops/backup/dolibarr-backup.sh
+++ b/ops/backup/dolibarr-backup.sh
@@ -86,7 +86,7 @@ run_backup() {
  log "Copying GCS creds into a transient secret in $NS (values stay base64)"
  copy_s3_secret
  log "Backup ${ENV}: DB=$DB  PVC=$PVC  ->  s3://$BUCKET/$PREFIX/{db,docs}/"
-  local B64; B64="$(b64 "$(cat "${SCRIPT_DIR}/backup-job.sh")")"
+  local B64; B64="$(b64 "$(cat "${SCRIPT_DIR}/../../chart/files/backup-job.sh")")"
  kubectl delete job dolibarr-backup -n "$NS" --ignore-not-found >/dev/null 2>&1 || true
  kubectl apply -f - >/dev/null <<EOF
 apiVersion: batch/v1