feat(charts): implement postgres backup/restore on pollux

JamesDoingStuff · JamesDoingStuff · commit 54bab3fb3f64 · 2026-04-01T15:40:01.000+01:00
diff --git a/charts/workflows-cluster/dev-values.yaml b/charts/workflows-cluster/dev-values.yaml
@@ -8,6 +8,11 @@ backup:
     snapshotDir: /backup/
     snapshotName: etcd-snapshot
     fileExtension: .db
+  postgres:
+    enabled: false
+    snapshotDir: /backup/
+    snapshotName: postgres-snapshot
+    fileExtension: .pgdump
   bucket:
     prefix: dev
 
diff --git a/charts/workflows-cluster/scripts/restore-vcluster-postgres.sh b/charts/workflows-cluster/scripts/restore-vcluster-postgres.sh
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+if [ -z "$KUBECONFIG" ]
+then
+    echo "ERROR: Kube config not found - have you loaded a cluster?"
+    exit 1
+fi
+
+CLUSTER=$(kubectl config view --minify -o jsonpath='{.clusters[0].name}')
+
+if [[ "$CLUSTER" == vcluster* ]]; then
+    CLUSTER_NAME=$(echo $CLUSTER | awk -F"@" '{print $2}')
+    cd "${0%/*}/.."
+    read -p "WARNING: You are about to attempt a full restore of the Argo Workflows database on $CLUSTER_NAME. Proceed? (y/n)" -r
+    if [[ $REPLY =~ ^[Yy]$ && ! -z "$CLUSTER_NAME" ]]; then
+        kubectl -n workflows delete job restore-postgres --ignore-not-found
+        helm template . -s templates/postgres-restore-job.yaml | kubectl -n workflows apply -f -
+        kubectl -n workflows get job restore-postgres >/dev/null
+        if ! kubectl -n workflows wait --for=condition=complete job/restore-postgres --timeout=120s; then
+            echo "Restore job failed or timed out. Fetching logs..."
+            kubectl -n workflows logs job/restore-postgres --all-containers=true
+            exit 1
+        fi
+        echo "Restore complete."
+    fi
+else 
+    echo "ERROR: This scipt must be run inside the VCluster"
+    exit 1
+fi
+
+ 
+
diff --git a/charts/workflows-cluster/staging-values.yaml b/charts/workflows-cluster/staging-values.yaml
@@ -7,6 +7,11 @@ backup:
     snapshotDir: /backup/
     snapshotName: etcd-snapshot
     fileExtension: .db
+  postgres:
+    enabled: true
+    snapshotDir: /backup/
+    snapshotName: postgres-snapshot
+    fileExtension: .pgdump
   bucket:
     prefix: staging
 
diff --git a/charts/workflows-cluster/templates/postgres-backup-cronjob.yaml b/charts/workflows-cluster/templates/postgres-backup-cronjob.yaml
@@ -0,0 +1,96 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: backup-postgres
+spec:
+  {{- if $.Values.backup.postgres.enabled }}
+  schedule: "@daily"
+  {{ else }}
+  schedule: "@yearly"
+  suspend: true
+  {{- end }}
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          restartPolicy: Never
+          initContainers:
+            - name: create-backup
+              image: docker.io/postgres
+              command: ["pg_dump"]
+              args:
+                - -h
+                - $(PGHOST)
+                - -U
+                - $(PGUSER)
+                - -d
+                - $(DB)
+                - --clean
+                - --if-exists
+                - --no-password
+                - --file={{- $.Values.backup.postgres.snapshotDir -}}{{- $.Values.backup.postgres.snapshotName -}}{{- $.Values.backup.postgres.fileExtension }}
+              env:
+                - name: PGPASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      name: postgres-argo-workflows-password
+                      key: password
+                - name: PGHOST
+                  value: workflows-postgresql-ha-pgpool-x-workflows-x-workflows-cluster
+                - name: PGUSER
+                  valueFrom:
+                    secretKeyRef:
+                      name: postgres-argo-workflows-password
+                      key: username
+                - name: DB
+                  value: argo_workflows
+                - name: PGPORT
+                  value: "5432"
+              volumeMounts:
+                - mountPath: {{ $.Values.backup.postgres.snapshotDir | quote }}
+                  name: backup
+                  readOnly: false
+              resources:
+                requests:
+                  ephemeral-storage: "1Gi"
+                limits:
+                  ephemeral-storage: "2Gi"
+          containers:
+          - name: rclone
+            image: docker.io/rclone/rclone
+            command: ["/bin/sh"]
+            args: ["/scripts/rclone-upload.sh"]
+            env:
+            - name: RCLONE_CONFIG
+              value: /etc/rclone.conf
+            - name: PREFIX
+              value: {{ $.Values.backup.bucket.prefix | quote }}
+            - name: SNAPSHOT_DIR
+              value: {{ $.Values.backup.postgres.snapshotDir | quote }}
+            - name: SNAPSHOT_NAME
+              value: {{ $.Values.backup.postgres.snapshotName | quote }}
+            - name: SNAPSHOT_EXT
+              value: {{ $.Values.backup.postgres.fileExtension | quote }}
+            volumeMounts:
+            - name: backup
+              mountPath: {{ $.Values.backup.postgres.snapshotDir | quote }}
+            - name: scripts
+              mountPath: /scripts
+            - name: rclone-conf
+              mountPath: /etc/rclone.conf
+              subPath: rclone.conf
+            resources:
+              requests:
+                ephemeral-storage: "1Gi"
+              limits:
+                ephemeral-storage: "2Gi"
+          restartPolicy: Never
+          volumes:
+            - name: backup
+              emptyDir: {}
+            - name: scripts
+              configMap:
+                name: rclone-scripts
+            - name: rclone-conf
+              secret:
+                secretName: etcd-rclone-config
diff --git a/charts/workflows-cluster/templates/postgres-restore-cronjob.yaml b/charts/workflows-cluster/templates/postgres-restore-cronjob.yaml
@@ -0,0 +1,76 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: "restore-postgres"
+spec:
+  template:
+    spec:
+      restartPolicy: Never
+      volumes:
+        - name: scripts
+          configMap:
+            name: rclone-scripts
+            defaultMode: 0755
+        - name: snapshot
+          emptyDir: {}
+        - name: rclone-conf
+          secret:
+            secretName: etcd-rclone-config
+      initContainers:
+        - name: rclone
+          image: docker.io/rclone/rclone
+          command: [/bin/sh, "-c", "/scripts/rclone-download.sh"]
+          env:
+            - name: RCLONE_CONFIG
+              value: /etc/rclone.conf
+            - name: PREFIX
+              value: {{ $.Values.backup.bucket.prefix | quote }}
+            - name: SNAPSHOT_NAME
+              value: {{ $.Values.backup.postgres.snapshotName | quote }}
+            - name: SNAPSHOT_EXT
+              value: {{ $.Values.backup.postgres.fileExtension | quote }}
+          volumeMounts:
+            - name: scripts
+              mountPath: /scripts
+            - name: snapshot
+              mountPath: /snapshot
+            - name: rclone-conf
+              mountPath: /etc/rclone.conf
+              subPath: rclone.conf
+          resources:
+            requests:
+              ephemeral-storage: "1Gi"
+            limits:
+              ephemeral-storage: "2Gi"
+      containers:
+        - name: restore-postgres
+          image: docker.io/postgres
+          command: ["/bin/sh", "-c"]
+          args:
+            - |
+              host="workflows-postgresql-ha-postgresql-0.workflows-postgresql-ha-postgresql-headless"
+              if psql -h "$host" -U postgres -tAc "SELECT pg_is_in_recovery()" | grep -q t; then
+                echo "This is not the primary host"
+                exit 1
+              fi
+              echo "Beginning restore"
+              psql -h "$PRIMARY" -d $DB -U $PGUSER -f /snapshot/snapshot$(SNAPSHOT_EXT)
+              echo "Restore complete."
+          env:
+            - name: PGPASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: postgres-passwords
+                  key: password
+            - name: PGUSER
+              value: postgres
+            - name: DB
+              value: argo_workflows
+            - name: SNAPSHOT_NAME
+              value: {{ $.Values.backup.postgres.snapshotName | quote }}
+            - name: SNAPSHOT_EXT
+              value: {{ $.Values.backup.postgres.fileExtension | quote }}
+          volumeMounts:
+            - name: snapshot
+              mountPath: /snapshot
+          
diff --git a/charts/workflows-cluster/templates/postgres-test-restore-pod.yaml b/charts/workflows-cluster/templates/postgres-test-restore-pod.yaml
@@ -0,0 +1,70 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: postgres-test
+spec:
+  dnsPolicy: ClusterFirst
+  initContainers:
+    - name: rclone
+      image: docker.io/rclone/rclone
+      command: [/bin/sh, "-c", "/scripts/rclone-download.sh"]
+      env:
+        - name: RCLONE_CONFIG
+          value: /etc/rclone.conf
+        - name: PREFIX
+          value: staging
+        - name: SNAPSHOT_NAME
+          value: postgres-snapshot
+        - name: SNAPSHOT_EXT
+          value: ".pgdump"
+      volumeMounts:
+        - name: scripts
+          mountPath: /scripts
+        - name: snapshot
+          mountPath: /snapshot
+        - name: rclone-conf
+          mountPath: /etc/rclone.conf
+          subPath: rclone.conf
+      resources:
+        requests:
+          ephemeral-storage: "1Gi"
+        limits:
+          ephemeral-storage: "2Gi"
+  containers:
+    - name: postgres-test
+      image: docker.io/postgres
+      command: ["/bin/sh", -c]
+      args:
+        - |
+          sleep infinity
+      env:
+        - name: PGPASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: postgres-passwords
+              key: password
+        - name: PGUSER
+          value: argo_workflows
+        - name: DB
+          value: argo_workflows
+        - name: PGPORT
+          value: "5432"
+      volumeMounts:
+        - mountPath: "/snapshot/"
+          name: snapshot
+          readOnly: false
+      resources:
+        requests:
+          ephemeral-storage: "1Gi"
+        limits:
+          ephemeral-storage: "2Gi"
+  volumes:
+    - name: scripts
+      configMap:
+        name: rclone-scripts
+        defaultMode: 0755
+    - name: snapshot
+      emptyDir: {}
+    - name: rclone-conf
+      secret:
+        secretName: etcd-rclone-config
diff --git a/charts/workflows-cluster/values.yaml b/charts/workflows-cluster/values.yaml
@@ -8,6 +8,11 @@ backup:
     snapshotDir: /backup/
     snapshotName: etcd-snapshot
     fileExtension: .db
+  postgres:
+    enabled: false
+    snapshotDir: /backup/
+    snapshotName: postgres-snapshot
+    fileExtension: .pgdump
   bucket:
     prefix: prod
 
