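{{- if .Values.backup.enabled }}
# Dedicated Dolibarr backup (ops/backup/README.md): DB + documents -> offsite GCS,
# tiered retention, skip-if-unchanged. Disabled by default — enable once the S3
# creds VaultStaticSecret below resolves (the `auth` Vault role must be allowed to
# read kvv2/{{ .Values.backup.vaultS3Path }}).
#
# Renders three objects, all gated on backup.enabled:
#   1. ConfigMap        - carries files/backup-job.sh
#   2. VaultStaticSecret - syncs the S3/GCS HMAC credentials into a Secret
#   3. CronJob          - runs the script against the documents PVC and the DB
#
# The script travels in a ConfigMap, which is not a confidential object: keep
# credentials out of files/backup-job.sh and pass them through the Secrets
# referenced by the CronJob only.
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "erp.fullname" . }}-backup-job
  labels:
    {{- include "erp.labels" . | nindent 4 }}
data:
  backup-job.sh: |
    {{- .Files.Get "files/backup-job.sh" | nindent 4 }}
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
  name: {{ include "erp.fullname" . }}-backup-s3
  namespace: {{ .Release.Namespace }}
spec:
  type: kv-v2
  mount: kvv2
  # The kvv2 entry at backup.vaultS3Path must hold AWS_ACCESS_KEY_ID /
  # AWS_SECRET_ACCESS_KEY / AWS_ENDPOINTS (the GCS HMAC creds — same shape as
  # longhorn-gcs-backup-credentials).
  # Quoted so an empty or number-looking value cannot be re-typed by the YAML
  # parser after templating.
  path: {{ .Values.backup.vaultS3Path | quote }}
  destination:
    # NOTE(review): this Secret name is a fixed literal, unlike the
    # release-prefixed object names in this file. Two releases of the chart in
    # one namespace would sync into the same Secret — confirm that is intended.
    name: dolibarr-backup-s3
    create: true
  refreshAfter: 24h
  vaultAuthRef: auth
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: {{ include "erp.fullname" . }}-backup
  labels:
    {{- include "erp.labels" . | nindent 4 }}
spec:
  schedule: {{ .Values.backup.schedule | quote }}
  # Forbid: a run that is still in progress blocks the next scheduled one.
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      backoffLimit: 1
      template:
        spec:
          # NOTE(review): no serviceAccountName, automountServiceAccountToken,
          # securityContext or resources are set here, so namespace defaults
          # apply to a pod that holds both the DB and the offsite-storage
          # credentials. Consider automountServiceAccountToken: false and a
          # restrictive securityContext once it is confirmed that the image and
          # backup-job.sh work without the API token and without root.
          restartPolicy: Never
          volumes:
            # Application documents volume; read-only here and again at the
            # container mount, so the job cannot modify live data.
            - name: docs
              persistentVolumeClaim:
                claimName: {{ include "erp.fullname" . }}
                readOnly: true
            # The backup script from the ConfigMap rendered above.
            - name: job
              configMap:
                name: {{ include "erp.fullname" . }}-backup-job
          containers:
            - name: backup
              image: {{ .Values.backup.image | quote }}
              # Every key of the synced Secret becomes an environment variable
              # of this container.
              envFrom:
                - secretRef:
                    name: dolibarr-backup-s3
              env:
                - name: BUCKET
                  value: {{ .Values.backup.bucket | quote }}
                - name: PREFIX
                  value: {{ printf "erp/%s" .Values.env | quote }}
                - name: DB
                  value: {{ .Values.db.name | quote }}
                - name: PGHOST
                  value: {{ .Values.backup.pgHost | quote }}
                # vso-db-credentials is not defined in this template;
                # presumably it is synced elsewhere in the chart — verify it
                # exists in the release namespace before enabling the backup.
                - name: PGUSER
                  valueFrom:
                    secretKeyRef:
                      name: vso-db-credentials
                      key: username
                - name: PGPASSWORD
                  valueFrom:
                    secretKeyRef:
                      name: vso-db-credentials
                      key: password
              volumeMounts:
                - name: docs
                  mountPath: /docs
                  readOnly: true
                - name: job
                  mountPath: /job
              # Run through /bin/sh so the ConfigMap file needs no execute bit.
              command: ["/bin/sh", "/job/backup-job.sh"]
{{- end }}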