From 102a205ff861ff7198b800fa4a7f463fbb452779 Mon Sep 17 00:00:00 2001 From: Gabriel Radureau Date: Tue, 30 Jun 2026 17:41:39 +0200 Subject: [PATCH] feat(backup): enable the daily backup CronJob on prod (Vault creds wired) tools#5 granted the erp prod Vault policy read on kvv2/data/longhorn/gcs-backup (applied + verified: 1 changed, 0 destroyed). So the CronJob's VaultStaticSecret can now resolve the GCS creds. - backup.enabled: true (prod), vaultS3Path: longhorn/gcs-backup. - sandbox overlay keeps backup.enabled: false (reproducible; its env policy wasn't granted the read). ArgoCD will deploy the CronJob + ConfigMap + VaultStaticSecret in the erp namespace. Co-Authored-By: Claude Opus 4.7 (1M context)
---
 chart/values-sandbox.yaml | 6 ++++++
 chart/values.yaml | 6 ++++--
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/chart/values-sandbox.yaml b/chart/values-sandbox.yaml
index 8e1647f..530b8c3 100644
--- a/chart/values-sandbox.yaml
+++ b/chart/values-sandbox.yaml
@@ -38,3 +38,9 @@ ingress:
 paths:
 - path: /
 pathType: Prefix
+
+# The sandbox is reproducible (iso-prod refresh), so it needs no offsite backup —
+# and its env=sandbox Vault policy wasn't granted read on the GCS creds path
+# (only prod was, tools#5). Keep the CronJob off here.
+backup:
+ enabled: false
diff --git a/chart/values.yaml b/chart/values.yaml
index e0ba995..6a57dbb 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -138,9 +138,11 @@ affinity: {}
 # `auth` Vault role must be granted read on kvv2/). The manual
 # orchestrator ops/backup/dolibarr-backup.sh works today without this.
 backup:
- enabled: false
+ enabled: true
 schedule: "0 3 * * *" # daily 03:00 UTC
 bucket: arcodange-backup
 pgHost: "192.168.1.202" # direct Postgres host (matches ops/sandbox + ops/backup)
 image: postgres:16-alpine
- vaultS3Path: erp/backup # kvv2/ → AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_ENDPOINTS
+ # Shared GCS HMAC creds; the erp prod Vault policy was granted read on this path
+ # (tools#5: kv_read_paths). VSO reads kvv2/data/longhorn/gcs-backup.
+ vaultS3Path: longhorn/gcs-backup
--
2.49.1
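Review bot: The new `vaultS3Path: longhorn/gcs-backup` gives the erp CronJob the same GCS HMAC key that Longhorn uses, so anything able to read the synced Secret in the erp namespace may also be able to read, overwrite or delete the Longhorn backups, depending on how that key is scoped (not visible here). A dedicated HMAC key for a service account limited to the erp backup bucket or prefix, stored under its own Vault path, would keep the blast radius to this application; if the sharing is deliberate, record the constraint in the comment, e.g. `# NOTE: key shared with Longhorn; must stay scoped to <bucket/prefix placeholder>, rotate both consumers together`. The removed comment also listed the keys the secret must carry (`AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` / `AWS_ENDPOINTS`), and that list is worth keeping next to the new path. Separately, `enabled: true` now sits in the chart defaults, so any future overlay that omits `backup.enabled: false` will also try to deploy the CronJob and VaultStaticSecret. The comment block above `backup:` starts outside this hunk.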