From 5af1f3a04222dd6dec49b9b86992263a59cbb84c Mon Sep 17 00:00:00 2001
From: git_admin
Date: Sun, 26 Apr 2026 21:29:37 +0300
Subject: [PATCH] Backups: switch to postgres:alpine + apk add aws-cli (Bitnami images gated)
---
 templates/backup-cronjob.yaml | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/templates/backup-cronjob.yaml b/templates/backup-cronjob.yaml
index e3ed504..13ecfdc 100644
--- a/templates/backup-cronjob.yaml
+++ b/templates/backup-cronjob.yaml
@@ -39,10 +39,15 @@ spec:
 restartPolicy: Never
 containers:
 - name: pgdump-s3
- # Image carries both pg_dump (postgresql-client) and
- # aws-cli. We build it from alpine + apk install on
- # first run; for now bitnami's prebuilt covers both.
- image: bitnami/postgresql:16
+ # postgres:16-alpine + `apk add aws-cli` — alpine's
+ # aws-cli package is ~30 MB and adds ~5 s to the first
+ # job run on each node. Subsequent runs reuse the
+ # already-installed binary because we keep the same
+ # image (containerd's layer cache covers the apk index
+ # download). This matches the postgres version of the
+ # cluster's actual database container, so pg_dump's
+ # client/server protocol always lines up.
+ image: "{{ .Values.postgres.image }}:{{ .Values.postgres.tag }}"
 imagePullPolicy: IfNotPresent
 env:
 - name: PGHOST
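Review bot: The added comment above `image:` says later runs reuse the already-installed aws binary, but each CronJob run starts a fresh container from the image, so whatever `apk add` wrote into the writable layer is discarded and the install repeats on every run; containerd caches image layers, not packages installed at runtime. Every backup therefore depends on reaching the Alpine mirror and picks up whichever aws-cli version is current, and apk will presumably need the container to run as root. I would reword the comment to something like `# aws-cli is installed with apk at the start of every run (nothing persists between pods); bake it into a derived image to drop the mirror dependency.` Because the image now comes from `.Values.postgres.image` and `.Values.postgres.tag` with `imagePullPolicy: IfNotPresent`, a mutable tag can resolve to different content on different nodes, so pinning the value by digest is worth considering. The literal "postgres:16-alpine" in the comment can also drift from what the values actually select.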
@@ -83,24 +88,21 @@ spec:
 - name: RETAIN
 value: {{ .Values.backups.retain | quote }}
 command:
- - /bin/bash
+ - /bin/sh
 - -c
 - |
- set -euo pipefail
+ set -eu
 TS=$(date -u +%Y%m%dT%H%M%SZ)
 KEY="${S3_PREFIX}/${TS}.sql.gz"
 echo ">>> dumping to s3://${S3_BUCKET}/${KEY}"
- # Install aws-cli on first run. bitnami/postgresql is
- # debian-based so apt is available and fast.
 if ! command -v aws >/dev/null 2>&1; then
- apt-get update -qq && apt-get install -y -qq awscli >/dev/null
+ apk add --no-cache aws-cli >/dev/null
 fi
 pg_dump --format=plain --clean --if-exists --no-owner --no-acl \
 | gzip -9 \
 | aws --endpoint-url "$S3_ENDPOINT" s3 cp - "s3://${S3_BUCKET}/${KEY}"
 echo ">>> uploaded"
 echo ">>> rotating: keep last $RETAIN under ${S3_PREFIX}/"
- # List, sort newest-first, drop the top N, delete the rest.
 aws --endpoint-url "$S3_ENDPOINT" s3api list-objects-v2 \
 --bucket "$S3_BUCKET" --prefix "${S3_PREFIX}/" \
 --query 'Contents[].Key' --output text 2>/dev/null \
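Review bot: Dropping `pipefail` on the `set -eu` line means a failing `pg_dump` no longer fails the `pg_dump | gzip -9 | aws … s3 cp -` pipeline: its exit status is that of `aws`, which can succeed in uploading a truncated or empty dump, after which the script prints "uploaded" and moves on to rotation. Since rotation removes older objects, repeated silent failures could leave only unusable backups in the bucket. BusyBox ash, which is `/bin/sh` on Alpine, accepts the option, so the line can stay `set -euo pipefail`; if other shells must be supported, dump to a temporary file and check pg_dump's exit status before uploading. The rotation pipeline continues past the end of this hunk, so how it handles errors (note the `2>/dev/null` on the list call) is not visible here.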