Add daily backups (CronJob + dedicated PVC, 7-day retention)

templates/backup-cronjob.yaml

@@ -0,0 +1,90 @@
+{{- if .Values.backups.enabled -}}
+# Daily dump job. Same image as the Postgres pod, so pg_dump is
+# version-matched. Output goes to the dedicated backup PVC; the same
+# job script prunes older dumps to honor `backups.retain`.
+#
+# Tower's "Backup Now" feature creates a one-off Job from this same
+# template at request time — see backend/cmd/api/backups.go.
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: {{ include "instance.fullname" . }}-backup
+  labels:
+    {{- include "instance.labels" . | nindent 4 }}
+    odoosky.io/role: backup
+spec:
+  schedule: {{ .Values.backups.schedule | quote }}
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 5
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    metadata:
+      labels:
+        {{- include "instance.labels" . | nindent 8 }}
+        odoosky.io/role: backup
+    spec:
+      backoffLimit: 1
+      template:
+        metadata:
+          labels:
+            {{- include "instance.labels" . | nindent 12 }}
+            odoosky.io/role: backup
+        spec:
+          restartPolicy: Never
+          containers:
+            - name: pgdump
+              image: "{{ .Values.postgres.image }}:{{ .Values.postgres.tag }}"
+              imagePullPolicy: IfNotPresent
+              env:
+                - name: PGHOST
+                  value: {{ include "instance.fullname" . }}-pg
+                - name: PGUSER
+                  valueFrom:
+                    secretKeyRef:
+                      name: {{ include "instance.fullname" . }}-pg
+                      key: POSTGRES_USER
+                - name: PGPASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      name: {{ include "instance.fullname" . }}-pg
+                      key: POSTGRES_PASSWORD
+                - name: PGDATABASE
+                  valueFrom:
+                    secretKeyRef:
+                      name: {{ include "instance.fullname" . }}-pg
+                      key: POSTGRES_DB
+                - name: RETAIN
+                  value: {{ .Values.backups.retain | quote }}
+              command:
+                - /bin/sh
+                - -c
+                - |
+                  set -e
+                  TS=$(date -u +%Y%m%dT%H%M%SZ)
+                  OUT=/backups/${TS}.sql.gz
+                  mkdir -p /backups
+                  echo ">>> pg_dump → $OUT"
+                  pg_dump --format=plain --clean --if-exists --no-owner --no-acl \
+                    | gzip -9 > "$OUT"
+                  echo ">>> wrote $(du -h "$OUT" | cut -f1)"
+                  # Rotate: keep only the newest $RETAIN dumps.
+                  cd /backups
+                  ls -1t *.sql.gz 2>/dev/null \
+                    | awk -v n=$RETAIN 'NR > n' \
+                    | xargs -r rm -v
+                  ls -lh /backups
+              volumeMounts:
+                - name: backups
+                  mountPath: /backups
+              resources:
+                requests:
+                  cpu: 100m
+                  memory: 256Mi
+                limits:
+                  cpu: "1"
+                  memory: 1Gi
+          volumes:
+            - name: backups
+              persistentVolumeClaim:
+                claimName: {{ include "instance.fullname" . }}-backups
+{{- end }}

templates/backup-pvc.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.backups.enabled -}}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ include "instance.fullname" . }}-backups
+  labels:
+    {{- include "instance.labels" . | nindent 4 }}
+    odoosky.io/role: backups
+spec:
+  accessModes: [ReadWriteOnce]
+  resources:
+    requests:
+      storage: {{ .Values.backups.storage | quote }}
+{{- end }}