feat: add ScheduledBackup CR for Woodpecker CNPG cluster #88

Merged

forgejo_admin merged 1 commit from 87-feat-add-scheduledbackup-cr-for-woodpeck into main 2026-03-16 01:40:32 +00:00

Conversation 2 Commits 1 Files changed 1 +28

forgejo_admin commented 2026-03-16 01:30:12 +00:00

Owner

Copy link

Summary

Adds a CNPG ScheduledBackup custom resource for the Woodpecker database cluster. Daily base backups at 03:00 UTC to MinIO via barmanObjectStore. This ensures jwt-secret and pipeline history survive DB rebuilds -- restore-from-backup instead of fresh DB creation.

Changes

• terraform/main.tf: Added kubernetes_manifest.woodpecker_postgres_scheduled_backup resource -- a ScheduledBackup CR targeting the woodpecker-db CNPG cluster in the woodpecker namespace. Schedule 0 0 3 * * * (03:00 UTC daily), method barmanObjectStore, backupOwnerReference cluster. Depends on the existing woodpecker_postgres cluster resource.

tofu plan Output

Plan: 1 to add, 1 to change, 0 to destroy.

The 1 add is the new kubernetes_manifest.woodpecker_postgres_scheduled_backup. The 1 change is a cosmetic write-only attribute drift on kubernetes_secret_v1.woodpecker_db_credentials (no actual change).

Test Plan

• tofu fmt -recursive -- passed, no formatting changes to main.tf
• tofu validate -- passed ("The configuration is valid")
• tofu plan -lock=false -target=kubernetes_manifest.woodpecker_postgres_scheduled_backup -- shows 1 to add
• After apply: kubectl get scheduledbackups -n woodpecker should show woodpecker-db-daily
• After first 03:00 UTC: kubectl get backups -n woodpecker should show a completed backup object

Review Checklist

• Passed automated review-fix loop
• No secrets committed
• No unnecessary file changes
• Commit messages are descriptive

Related

• Closes #87
• plan-pal-e-platform -- Platform Hardening

## Summary Adds a CNPG `ScheduledBackup` custom resource for the Woodpecker database cluster. Daily base backups at 03:00 UTC to MinIO via barmanObjectStore. This ensures jwt-secret and pipeline history survive DB rebuilds -- restore-from-backup instead of fresh DB creation. ## Changes - `terraform/main.tf`: Added `kubernetes_manifest.woodpecker_postgres_scheduled_backup` resource -- a `ScheduledBackup` CR targeting the `woodpecker-db` CNPG cluster in the `woodpecker` namespace. Schedule `0 0 3 * * *` (03:00 UTC daily), method `barmanObjectStore`, backupOwnerReference `cluster`. Depends on the existing `woodpecker_postgres` cluster resource. ## tofu plan Output ``` Plan: 1 to add, 1 to change, 0 to destroy. ``` The 1 add is the new `kubernetes_manifest.woodpecker_postgres_scheduled_backup`. The 1 change is a cosmetic write-only attribute drift on `kubernetes_secret_v1.woodpecker_db_credentials` (no actual change). ## Test Plan - [x] `tofu fmt -recursive` -- passed, no formatting changes to main.tf - [x] `tofu validate` -- passed ("The configuration is valid") - [x] `tofu plan -lock=false -target=kubernetes_manifest.woodpecker_postgres_scheduled_backup` -- shows 1 to add - [ ] After apply: `kubectl get scheduledbackups -n woodpecker` should show `woodpecker-db-daily` - [ ] After first 03:00 UTC: `kubectl get backups -n woodpecker` should show a completed backup object ## Review Checklist - [x] Passed automated review-fix loop - [x] No secrets committed - [x] No unnecessary file changes - [x] Commit messages are descriptive ## Related - Closes #87 - `plan-pal-e-platform` -- Platform Hardening

forgejo_admin added 1 commit 2026-03-16 01:30:12 +00:00

feat: add ScheduledBackup CR for Woodpecker CNPG cluster ... 531cceee77

Daily backup to MinIO at 03:00 UTC, same pattern as pal-e-docs.
Preserves jwt-secret and pipeline history across DB rebuilds.
Enterprise fix: restore-from-backup instead of fresh DB creation.

Closes #87

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

forgejo_admin commented 2026-03-16 01:30:34 +00:00

Author

Owner

Copy link

Self-Review: PASS

Files reviewed: terraform/main.tf (+28, -0)

Findings: None.

• CNPG ScheduledBackup CR spec is correct: apiVersion, kind, schedule (6-field cron with seconds), backupOwnerReference, method, cluster.name all valid
• Namespace uses dynamic reference kubernetes_namespace_v1.woodpecker.metadata[0].name, consistent with the existing Cluster CR
• depends_on correctly gates on the CNPG Cluster resource
• Logical placement immediately after the woodpecker_postgres resource
• tofu fmt, tofu validate, and tofu plan all pass
• No secrets, no unnecessary file changes, single clean commit

## Self-Review: PASS **Files reviewed:** `terraform/main.tf` (+28, -0) **Findings:** None. - CNPG `ScheduledBackup` CR spec is correct: `apiVersion`, `kind`, `schedule` (6-field cron with seconds), `backupOwnerReference`, `method`, `cluster.name` all valid - Namespace uses dynamic reference `kubernetes_namespace_v1.woodpecker.metadata[0].name`, consistent with the existing Cluster CR - `depends_on` correctly gates on the CNPG Cluster resource - Logical placement immediately after the `woodpecker_postgres` resource - `tofu fmt`, `tofu validate`, and `tofu plan` all pass - No secrets, no unnecessary file changes, single clean commit

forgejo_admin commented 2026-03-16 01:30:50 +00:00

Author

Owner

Copy link

Tofu Plan Output

tailscale_acl.this: Refreshing state... [id=acl]
helm_release.nvidia_device_plugin: Refreshing state... [id=nvidia-device-plugin]
data.kubernetes_namespace_v1.pal_e_docs: Reading...
kubernetes_namespace_v1.woodpecker: Refreshing state... [id=woodpecker]
kubernetes_namespace_v1.tailscale: Refreshing state... [id=tailscale]
kubernetes_namespace_v1.ollama: Refreshing state... [id=ollama]
kubernetes_namespace_v1.monitoring: Refreshing state... [id=monitoring]
kubernetes_namespace_v1.postgres: Refreshing state... [id=postgres]
data.kubernetes_namespace_v1.tofu_state: Reading...
kubernetes_namespace_v1.harbor: Refreshing state... [id=harbor]
data.kubernetes_namespace_v1.tofu_state: Read complete after 0s [id=tofu-state]
kubernetes_namespace_v1.keycloak: Refreshing state... [id=keycloak]
data.kubernetes_namespace_v1.pal_e_docs: Read complete after 0s [id=pal-e-docs]
kubernetes_namespace_v1.forgejo: Refreshing state... [id=forgejo]
kubernetes_namespace_v1.cnpg_system: Refreshing state... [id=cnpg-system]
kubernetes_namespace_v1.minio: Refreshing state... [id=minio]
kubernetes_service_account_v1.tf_backup: Refreshing state... [id=tofu-state/tf-state-backup]
kubernetes_role_v1.tf_backup: Refreshing state... [id=tofu-state/tf-state-backup]
kubernetes_secret_v1.paledocs_db_url: Refreshing state... [id=pal-e-docs/paledocs-db-url]
kubernetes_secret_v1.woodpecker_db_credentials: Refreshing state... [id=woodpecker/woodpecker-db-credentials]
helm_release.loki_stack: Refreshing state... [id=loki-stack]
helm_release.tailscale_operator: Refreshing state... [id=tailscale-operator]
helm_release.kube_prometheus_stack: Refreshing state... [id=kube-prometheus-stack]
kubernetes_secret_v1.dora_exporter: Refreshing state... [id=monitoring/dora-exporter]
kubernetes_service_v1.dora_exporter: Refreshing state... [id=monitoring/dora-exporter]
kubernetes_config_map_v1.uptime_dashboard: Refreshing state... [id=monitoring/uptime-dashboard]
kubernetes_service_v1.keycloak: Refreshing state... [id=keycloak/keycloak]
kubernetes_secret_v1.keycloak_admin: Refreshing state... [id=keycloak/keycloak-admin]
kubernetes_persistent_volume_claim_v1.keycloak_data: Refreshing state... [id=keycloak/keycloak-data]
kubernetes_manifest.netpol_ollama: Refreshing state...
kubernetes_manifest.netpol_postgres: Refreshing state...
kubernetes_manifest.netpol_woodpecker: Refreshing state...
kubernetes_manifest.netpol_harbor: Refreshing state...
kubernetes_manifest.netpol_monitoring: Refreshing state...
kubernetes_manifest.netpol_keycloak: Refreshing state...
kubernetes_manifest.netpol_forgejo: Refreshing state...
helm_release.forgejo: Refreshing state... [id=forgejo]
helm_release.cnpg: Refreshing state... [id=cnpg]
kubernetes_role_binding_v1.tf_backup: Refreshing state... [id=tofu-state/tf-state-backup]
helm_release.ollama: Refreshing state... [id=ollama]
kubernetes_manifest.netpol_cnpg_system: Refreshing state...
kubernetes_manifest.netpol_minio: Refreshing state...
kubernetes_deployment_v1.keycloak: Refreshing state... [id=keycloak/keycloak]
kubernetes_ingress_v1.keycloak_funnel: Refreshing state... [id=keycloak/keycloak-funnel]
kubernetes_config_map_v1.grafana_loki_datasource: Refreshing state... [id=monitoring/grafana-loki-datasource]
kubernetes_ingress_v1.alertmanager_funnel: Refreshing state... [id=monitoring/alertmanager-funnel]
kubernetes_ingress_v1.grafana_funnel: Refreshing state... [id=monitoring/grafana-funnel]
kubernetes_config_map_v1.dora_dashboard: Refreshing state... [id=monitoring/dora-dashboard]
helm_release.harbor: Refreshing state... [id=harbor]
helm_release.minio: Refreshing state... [id=minio]
kubernetes_deployment_v1.dora_exporter: Refreshing state... [id=monitoring/dora-exporter]
helm_release.blackbox_exporter: Refreshing state... [id=blackbox-exporter]
kubernetes_config_map_v1.pal_e_docs_dashboard: Refreshing state... [id=monitoring/pal-e-docs-dashboard]
kubernetes_manifest.blackbox_alerts: Refreshing state...
kubernetes_manifest.dora_exporter_service_monitor: Refreshing state...
kubernetes_ingress_v1.forgejo_funnel: Refreshing state... [id=forgejo/forgejo-funnel]
kubernetes_ingress_v1.harbor_funnel: Refreshing state... [id=harbor/harbor-funnel]
minio_iam_policy.cnpg_wal: Refreshing state... [id=cnpg-wal]
minio_iam_user.tf_backup: Refreshing state... [id=tf-backup]
minio_s3_bucket.assets: Refreshing state... [id=assets]
minio_iam_user.cnpg: Refreshing state... [id=cnpg]
minio_s3_bucket.tf_state_backups: Refreshing state... [id=tf-state-backups]
kubernetes_ingress_v1.minio_api_funnel: Refreshing state... [id=minio/minio-api-funnel]
kubernetes_ingress_v1.minio_funnel: Refreshing state... [id=minio/minio-funnel]
minio_iam_policy.tf_backup: Refreshing state... [id=tf-backup]
minio_s3_bucket.postgres_wal: Refreshing state... [id=postgres-wal]
minio_iam_user_policy_attachment.cnpg: Refreshing state... [id=cnpg-20260302210642491000000001]
minio_iam_user_policy_attachment.tf_backup: Refreshing state... [id=tf-backup-20260314163610110100000001]
kubernetes_secret_v1.tf_backup_s3_creds: Refreshing state... [id=tofu-state/tf-backup-s3-creds]
kubernetes_secret_v1.cnpg_s3_creds: Refreshing state... [id=postgres/cnpg-s3-creds]
kubernetes_secret_v1.woodpecker_cnpg_s3_creds: Refreshing state... [id=woodpecker/cnpg-s3-creds]
kubernetes_cron_job_v1.tf_state_backup: Refreshing state... [id=tofu-state/tf-state-backup]
kubernetes_cron_job_v1.cnpg_backup_verify: Refreshing state... [id=postgres/cnpg-backup-verify]
kubernetes_manifest.woodpecker_postgres: Refreshing state...
helm_release.woodpecker: Refreshing state... [id=woodpecker]
kubernetes_ingress_v1.woodpecker_funnel: Refreshing state... [id=woodpecker/woodpecker-funnel]

OpenTofu used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

OpenTofu will perform the following actions:

  # helm_release.woodpecker will be updated in-place
  ~ resource "helm_release" "woodpecker" {
        id                         = "woodpecker"
      ~ metadata                   = [
          - {
              - app_version    = "3.13.0"
              - chart          = "woodpecker"
              - first_deployed = 1771568949
              - last_deployed  = 1773624199
              - name           = "woodpecker"
              - namespace      = "woodpecker"
              - notes          = <<-EOT
                    1. Get the application URL by running these commands:
                      export POD_NAME=$(kubectl get pods --namespace woodpecker -l "app.kubernetes.io/name=server,app.kubernetes.io/instance=woodpecker" -o jsonpath="{.items[0].metadata.name}")
                      export CONTAINER_PORT=$(kubectl get pod --namespace woodpecker $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
                      echo "Visit http://127.0.0.1:8080 to use your application"
                      kubectl --namespace woodpecker port-forward $POD_NAME 8080:$CONTAINER_PORT
                EOT
              - revision       = 13
              - values         = jsonencode(
                    {
                      - agent  = {
                          - enabled      = true
                          - env          = {
                              - WOODPECKER_AGENT_SECRET              = "(sensitive value)"
                              - WOODPECKER_BACKEND                   = "kubernetes"
                              - WOODPECKER_BACKEND_K8S_NAMESPACE     = "woodpecker"
                              - WOODPECKER_BACKEND_K8S_STORAGE_CLASS = "local-path"
                              - WOODPECKER_BACKEND_K8S_VOLUME_SIZE   = "1Gi"
                            }
                          - replicaCount = 1
                          - resources    = {
                              - limits   = {
                                  - memory = "256Mi"
                                }
                              - requests = {
                                  - cpu    = "50m"
                                  - memory = "64Mi"
                                }
                            }
                        }
                      - server = {
                          - env              = {
                              - WOODPECKER_ADMIN               = "forgejo_admin"
                              - WOODPECKER_AGENT_SECRET        = "(sensitive value)"
                              - WOODPECKER_DATABASE_DATASOURCE = "postgres://woodpecker:kM3L4AhLNiuMhIY7tMQ@woodpecker-db-rw.woodpecker.svc.cluster.local:5432/woodpecker?sslmode=disable"
                              - WOODPECKER_DATABASE_DRIVER     = "postgres"
                              - WOODPECKER_FORGEJO             = "true"
                              - WOODPECKER_FORGEJO_CLIENT      = "(sensitive value)"
                              - WOODPECKER_FORGEJO_CLONE_URL   = "http://forgejo-http.forgejo.svc.cluster.local:80"
                              - WOODPECKER_FORGEJO_SECRET      = "(sensitive value)"
                              - WOODPECKER_FORGEJO_URL         = "https://forgejo.tail5b443a.ts.net"
                              - WOODPECKER_HOST                = "https://woodpecker.tail5b443a.ts.net"
                            }
                          - persistentVolume = {
                              - enabled      = true
                              - size         = "5Gi"
                              - storageClass = "local-path"
                            }
                          - resources        = {
                              - limits   = {
                                  - memory = "512Mi"
                                }
                              - requests = {
                                  - cpu    = "50m"
                                  - memory = "128Mi"
                                }
                            }
                          - statefulSet      = {
                              - replicaCount = 1
                            }
                        }
                    }
                )
              - version        = "3.5.1"
            },
        ] -> (known after apply)
        name                       = "woodpecker"
      ~ status                     = "pending-upgrade" -> "deployed"
        # (26 unchanged attributes hidden)

      - set_sensitive {
          # At least one attribute in this block is (or was) sensitive,
          # so its contents will not be displayed.
        }
      - set_sensitive {
          # At least one attribute in this block is (or was) sensitive,
          # so its contents will not be displayed.
        }
      + set_sensitive {
          # At least one attribute in this block is (or was) sensitive,
          # so its contents will not be displayed.
        }
      + set_sensitive {
          # At least one attribute in this block is (or was) sensitive,
          # so its contents will not be displayed.
        }

        # (2 unchanged blocks hidden)
    }

  # kubernetes_manifest.woodpecker_postgres_scheduled_backup will be created
  + resource "kubernetes_manifest" "woodpecker_postgres_scheduled_backup" {
      + manifest = {
          + apiVersion = "postgresql.cnpg.io/v1"
          + kind       = "ScheduledBackup"
          + metadata   = {
              + name      = "woodpecker-db-daily"
              + namespace = "woodpecker"
            }
          + spec       = {
              + backupOwnerReference = "cluster"
              + cluster              = {
                  + name = "woodpecker-db"
                }
              + method               = "barmanObjectStore"
              + schedule             = "0 0 3 * * *"
            }
        }
      + object   = {
          + apiVersion = "postgresql.cnpg.io/v1"
          + kind       = "ScheduledBackup"
          + metadata   = {
              + annotations                = (known after apply)
              + creationTimestamp          = (known after apply)
              + deletionGracePeriodSeconds = (known after apply)
              + deletionTimestamp          = (known after apply)
              + finalizers                 = (known after apply)
              + generateName               = (known after apply)
              + generation                 = (known after apply)
              + labels                     = (known after apply)
              + managedFields              = (known after apply)
              + name                       = "woodpecker-db-daily"
              + namespace                  = "woodpecker"
              + ownerReferences            = (known after apply)
              + resourceVersion            = (known after apply)
              + selfLink                   = (known after apply)
              + uid                        = (known after apply)
            }
          + spec       = {
              + backupOwnerReference = "cluster"
              + cluster              = {
                  + name = "woodpecker-db"
                }
              + immediate            = (known after apply)
              + method               = "barmanObjectStore"
              + online               = (known after apply)
              + onlineConfiguration  = {
                  + immediateCheckpoint = (known after apply)
                  + waitForArchive      = (known after apply)
                }
              + pluginConfiguration  = {
                  + name       = (known after apply)
                  + parameters = (known after apply)
                }
              + schedule             = "0 0 3 * * *"
              + suspend              = (known after apply)
              + target               = (known after apply)
            }
        }
    }

Plan: 1 to add, 1 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so OpenTofu can't
guarantee to take exactly these actions if you run "tofu apply" now.

## Tofu Plan Output ``` tailscale_acl.this: Refreshing state... [id=acl] helm_release.nvidia_device_plugin: Refreshing state... [id=nvidia-device-plugin] data.kubernetes_namespace_v1.pal_e_docs: Reading... kubernetes_namespace_v1.woodpecker: Refreshing state... [id=woodpecker] kubernetes_namespace_v1.tailscale: Refreshing state... [id=tailscale] kubernetes_namespace_v1.ollama: Refreshing state... [id=ollama] kubernetes_namespace_v1.monitoring: Refreshing state... [id=monitoring] kubernetes_namespace_v1.postgres: Refreshing state... [id=postgres] data.kubernetes_namespace_v1.tofu_state: Reading... kubernetes_namespace_v1.harbor: Refreshing state... [id=harbor] data.kubernetes_namespace_v1.tofu_state: Read complete after 0s [id=tofu-state] kubernetes_namespace_v1.keycloak: Refreshing state... [id=keycloak] data.kubernetes_namespace_v1.pal_e_docs: Read complete after 0s [id=pal-e-docs] kubernetes_namespace_v1.forgejo: Refreshing state... [id=forgejo] kubernetes_namespace_v1.cnpg_system: Refreshing state... [id=cnpg-system] kubernetes_namespace_v1.minio: Refreshing state... [id=minio] kubernetes_service_account_v1.tf_backup: Refreshing state... [id=tofu-state/tf-state-backup] kubernetes_role_v1.tf_backup: Refreshing state... [id=tofu-state/tf-state-backup] kubernetes_secret_v1.paledocs_db_url: Refreshing state... [id=pal-e-docs/paledocs-db-url] kubernetes_secret_v1.woodpecker_db_credentials: Refreshing state... [id=woodpecker/woodpecker-db-credentials] helm_release.loki_stack: Refreshing state... [id=loki-stack] helm_release.tailscale_operator: Refreshing state... [id=tailscale-operator] helm_release.kube_prometheus_stack: Refreshing state... [id=kube-prometheus-stack] kubernetes_secret_v1.dora_exporter: Refreshing state... [id=monitoring/dora-exporter] kubernetes_service_v1.dora_exporter: Refreshing state... [id=monitoring/dora-exporter] kubernetes_config_map_v1.uptime_dashboard: Refreshing state... [id=monitoring/uptime-dashboard] kubernetes_service_v1.keycloak: Refreshing state... [id=keycloak/keycloak] kubernetes_secret_v1.keycloak_admin: Refreshing state... [id=keycloak/keycloak-admin] kubernetes_persistent_volume_claim_v1.keycloak_data: Refreshing state... [id=keycloak/keycloak-data] kubernetes_manifest.netpol_ollama: Refreshing state... kubernetes_manifest.netpol_postgres: Refreshing state... kubernetes_manifest.netpol_woodpecker: Refreshing state... kubernetes_manifest.netpol_harbor: Refreshing state... kubernetes_manifest.netpol_monitoring: Refreshing state... kubernetes_manifest.netpol_keycloak: Refreshing state... kubernetes_manifest.netpol_forgejo: Refreshing state... helm_release.forgejo: Refreshing state... [id=forgejo] helm_release.cnpg: Refreshing state... [id=cnpg] kubernetes_role_binding_v1.tf_backup: Refreshing state... [id=tofu-state/tf-state-backup] helm_release.ollama: Refreshing state... [id=ollama] kubernetes_manifest.netpol_cnpg_system: Refreshing state... kubernetes_manifest.netpol_minio: Refreshing state... kubernetes_deployment_v1.keycloak: Refreshing state... [id=keycloak/keycloak] kubernetes_ingress_v1.keycloak_funnel: Refreshing state... [id=keycloak/keycloak-funnel] kubernetes_config_map_v1.grafana_loki_datasource: Refreshing state... [id=monitoring/grafana-loki-datasource] kubernetes_ingress_v1.alertmanager_funnel: Refreshing state... [id=monitoring/alertmanager-funnel] kubernetes_ingress_v1.grafana_funnel: Refreshing state... [id=monitoring/grafana-funnel] kubernetes_config_map_v1.dora_dashboard: Refreshing state... [id=monitoring/dora-dashboard] helm_release.harbor: Refreshing state... [id=harbor] helm_release.minio: Refreshing state... [id=minio] kubernetes_deployment_v1.dora_exporter: Refreshing state... [id=monitoring/dora-exporter] helm_release.blackbox_exporter: Refreshing state... [id=blackbox-exporter] kubernetes_config_map_v1.pal_e_docs_dashboard: Refreshing state... [id=monitoring/pal-e-docs-dashboard] kubernetes_manifest.blackbox_alerts: Refreshing state... kubernetes_manifest.dora_exporter_service_monitor: Refreshing state... kubernetes_ingress_v1.forgejo_funnel: Refreshing state... [id=forgejo/forgejo-funnel] kubernetes_ingress_v1.harbor_funnel: Refreshing state... [id=harbor/harbor-funnel] minio_iam_policy.cnpg_wal: Refreshing state... [id=cnpg-wal] minio_iam_user.tf_backup: Refreshing state... [id=tf-backup] minio_s3_bucket.assets: Refreshing state... [id=assets] minio_iam_user.cnpg: Refreshing state... [id=cnpg] minio_s3_bucket.tf_state_backups: Refreshing state... [id=tf-state-backups] kubernetes_ingress_v1.minio_api_funnel: Refreshing state... [id=minio/minio-api-funnel] kubernetes_ingress_v1.minio_funnel: Refreshing state... [id=minio/minio-funnel] minio_iam_policy.tf_backup: Refreshing state... [id=tf-backup] minio_s3_bucket.postgres_wal: Refreshing state... [id=postgres-wal] minio_iam_user_policy_attachment.cnpg: Refreshing state... [id=cnpg-20260302210642491000000001] minio_iam_user_policy_attachment.tf_backup: Refreshing state... [id=tf-backup-20260314163610110100000001] kubernetes_secret_v1.tf_backup_s3_creds: Refreshing state... [id=tofu-state/tf-backup-s3-creds] kubernetes_secret_v1.cnpg_s3_creds: Refreshing state... [id=postgres/cnpg-s3-creds] kubernetes_secret_v1.woodpecker_cnpg_s3_creds: Refreshing state... [id=woodpecker/cnpg-s3-creds] kubernetes_cron_job_v1.tf_state_backup: Refreshing state... [id=tofu-state/tf-state-backup] kubernetes_cron_job_v1.cnpg_backup_verify: Refreshing state... [id=postgres/cnpg-backup-verify] kubernetes_manifest.woodpecker_postgres: Refreshing state... helm_release.woodpecker: Refreshing state... [id=woodpecker] kubernetes_ingress_v1.woodpecker_funnel: Refreshing state... [id=woodpecker/woodpecker-funnel] OpenTofu used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: + create ~ update in-place OpenTofu will perform the following actions: # helm_release.woodpecker will be updated in-place ~ resource "helm_release" "woodpecker" { id = "woodpecker" ~ metadata = [ - { - app_version = "3.13.0" - chart = "woodpecker" - first_deployed = 1771568949 - last_deployed = 1773624199 - name = "woodpecker" - namespace = "woodpecker" - notes = <<-EOT 1. Get the application URL by running these commands: export POD_NAME=$(kubectl get pods --namespace woodpecker -l "app.kubernetes.io/name=server,app.kubernetes.io/instance=woodpecker" -o jsonpath="{.items[0].metadata.name}") export CONTAINER_PORT=$(kubectl get pod --namespace woodpecker $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") echo "Visit http://127.0.0.1:8080 to use your application" kubectl --namespace woodpecker port-forward $POD_NAME 8080:$CONTAINER_PORT EOT - revision = 13 - values = jsonencode( { - agent = { - enabled = true - env = { - WOODPECKER_AGENT_SECRET = "(sensitive value)" - WOODPECKER_BACKEND = "kubernetes" - WOODPECKER_BACKEND_K8S_NAMESPACE = "woodpecker" - WOODPECKER_BACKEND_K8S_STORAGE_CLASS = "local-path" - WOODPECKER_BACKEND_K8S_VOLUME_SIZE = "1Gi" } - replicaCount = 1 - resources = { - limits = { - memory = "256Mi" } - requests = { - cpu = "50m" - memory = "64Mi" } } } - server = { - env = { - WOODPECKER_ADMIN = "forgejo_admin" - WOODPECKER_AGENT_SECRET = "(sensitive value)" - WOODPECKER_DATABASE_DATASOURCE = "postgres://woodpecker:kM3L4AhLNiuMhIY7tMQ@woodpecker-db-rw.woodpecker.svc.cluster.local:5432/woodpecker?sslmode=disable" - WOODPECKER_DATABASE_DRIVER = "postgres" - WOODPECKER_FORGEJO = "true" - WOODPECKER_FORGEJO_CLIENT = "(sensitive value)" - WOODPECKER_FORGEJO_CLONE_URL = "http://forgejo-http.forgejo.svc.cluster.local:80" - WOODPECKER_FORGEJO_SECRET = "(sensitive value)" - WOODPECKER_FORGEJO_URL = "https://forgejo.tail5b443a.ts.net" - WOODPECKER_HOST = "https://woodpecker.tail5b443a.ts.net" } - persistentVolume = { - enabled = true - size = "5Gi" - storageClass = "local-path" } - resources = { - limits = { - memory = "512Mi" } - requests = { - cpu = "50m" - memory = "128Mi" } } - statefulSet = { - replicaCount = 1 } } } ) - version = "3.5.1" }, ] -> (known after apply) name = "woodpecker" ~ status = "pending-upgrade" -> "deployed" # (26 unchanged attributes hidden) - set_sensitive { # At least one attribute in this block is (or was) sensitive, # so its contents will not be displayed. } - set_sensitive { # At least one attribute in this block is (or was) sensitive, # so its contents will not be displayed. } + set_sensitive { # At least one attribute in this block is (or was) sensitive, # so its contents will not be displayed. } + set_sensitive { # At least one attribute in this block is (or was) sensitive, # so its contents will not be displayed. } # (2 unchanged blocks hidden) } # kubernetes_manifest.woodpecker_postgres_scheduled_backup will be created + resource "kubernetes_manifest" "woodpecker_postgres_scheduled_backup" { + manifest = { + apiVersion = "postgresql.cnpg.io/v1" + kind = "ScheduledBackup" + metadata = { + name = "woodpecker-db-daily" + namespace = "woodpecker" } + spec = { + backupOwnerReference = "cluster" + cluster = { + name = "woodpecker-db" } + method = "barmanObjectStore" + schedule = "0 0 3 * * *" } } + object = { + apiVersion = "postgresql.cnpg.io/v1" + kind = "ScheduledBackup" + metadata = { + annotations = (known after apply) + creationTimestamp = (known after apply) + deletionGracePeriodSeconds = (known after apply) + deletionTimestamp = (known after apply) + finalizers = (known after apply) + generateName = (known after apply) + generation = (known after apply) + labels = (known after apply) + managedFields = (known after apply) + name = "woodpecker-db-daily" + namespace = "woodpecker" + ownerReferences = (known after apply) + resourceVersion = (known after apply) + selfLink = (known after apply) + uid = (known after apply) } + spec = { + backupOwnerReference = "cluster" + cluster = { + name = "woodpecker-db" } + immediate = (known after apply) + method = "barmanObjectStore" + online = (known after apply) + onlineConfiguration = { + immediateCheckpoint = (known after apply) + waitForArchive = (known after apply) } + pluginConfiguration = { + name = (known after apply) + parameters = (known after apply) } + schedule = "0 0 3 * * *" + suspend = (known after apply) + target = (known after apply) } } } Plan: 1 to add, 1 to change, 0 to destroy. ───────────────────────────────────────────────────────────────────────────── Note: You didn't use the -out option to save this plan, so OpenTofu can't guarantee to take exactly these actions if you run "tofu apply" now. ```

forgejo_admin referenced this pull request 2026-03-16 01:32:59 +00:00

feat: add ScheduledBackup CR for Woodpecker CNPG cluster #87

forgejo_admin merged commit 7d45a535d7 into main 2026-03-16 01:40:32 +00:00

forgejo_admin deleted branch 87-feat-add-scheduledbackup-cr-for-woodpeck 2026-03-16 01:40:32 +00:00

forgejo_admin referenced this pull request from a commit 2026-03-16 01:40:33 +00:00

feat: add ScheduledBackup CR for Woodpecker CNPG cluster (#88)

forgejo_admin referenced this pull request 2026-03-28 16:21:59 +00:00

ArgoCD CMP sidecar fails to render kustomize+SOPS overlays (blocks services apply) #225

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

domain:backend

  

domain:devops

  

domain:frontend

  

status:approved

QA passed, awaiting merge approval

  

status:in-progress

Dev agent is actively working

  

status:needs-fix

QA found issues, back to dev

  

status:qa

PR submitted, awaiting QA review

  

type:bug

Bug fix

  

type:devops

Infrastructure/CI/config work

  

type:feature

New functionality

No labels

domain:backend

domain:devops

domain:frontend

status:approved

status:in-progress

status:needs-fix

status:qa

type:bug

type:devops

type:feature

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

forgejo_admin/pal-e-platform!88

No description provided.