PLAT-453: Stegostore using a single backup bucket (#6)

* PLAT-453: Update cloudnative-pg helm chart to save backups to shared bucket * fix: linting error * PLAT-453: Fix formatting on go templating * fix: bump chart version * PLAT-453: Bump stegostore container version and template formatting * fix: add missing comma to policy.yaml
portswigger-cloud · Jul 24, 2024 · 85e4d9e · 85e4d9e
1 parent 9573170
commit 85e4d9e
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 6 deletions.
diff --git a/charts/cloudnative-pg/Chart.yaml b/charts/cloudnative-pg/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: cloudnative-pg
 description: Create a Postgresql database cluster on AWS EKS using cloudnative-pg.io and any required AWS resources via crossplane.io.
 type: application
-version: 0.1.1
+version: 0.1.2
 kubeVersion: ">=1.24.0-0"
 keywords:
   - postgresql

diff --git a/charts/cloudnative-pg/templates/crossplane-aws-iam/policy.yaml b/charts/cloudnative-pg/templates/crossplane-aws-iam/policy.yaml
@@ -23,7 +23,9 @@ spec:
             "Effect": "Allow",
             "Resource": [
               "arn:aws:s3:::{{ .Values.aws.resourcePrefix }}{{ .Values.stackId }}",
-              "arn:aws:s3:::{{ .Values.aws.resourcePrefix }}{{ .Values.stackId }}/*"
+              "arn:aws:s3:::{{ .Values.aws.resourcePrefix }}{{ .Values.stackId }}/*",
+              "arn:aws:s3:::{{.Values.aws.s3Backups.bucketName}}",
+              "arn:aws:s3:::{{.Values.aws.s3Backups.bucketName}}/{{.Values.aws.resourcePrefix}}{{.Values.stackId}}/*"
             ]
           },
           {

diff --git a/charts/cloudnative-pg/templates/stegostore/logical-backup.yaml b/charts/cloudnative-pg/templates/stegostore/logical-backup.yaml
@@ -53,7 +53,9 @@ spec:
                   name: postgres-app
                   key: port
             - name: S3PATH
-              value: "s3://{{ .Values.aws.resourcePrefix }}{{ .Values.stackId }}/stegostore/"
+              value: "s3://{{ .Values.aws.s3Backups.bucketName }}/{{ .Values.aws.resourcePrefix }}{{ .Values.stackId }}/stegostore/"
+            - name: KMS_KEY_ALIAS_NAME
+              value: {{ .Values.aws.resourcePrefix }}{{ .Values.stackId }}
             - name: PGHOST
               value: "postgres-rw"
           restartPolicy: Never

diff --git a/charts/cloudnative-pg/templates/stegosweep/lifecycle-mgmt.yaml b/charts/cloudnative-pg/templates/stegosweep/lifecycle-mgmt.yaml
@@ -34,9 +34,9 @@ spec:
             command: ["bash", "/stegosweep.sh"]
             env:
             - name: S3_BUCKET_NAME
-              value: "{{ .Values.aws.resourcePrefix }}{{ .Values.stackId }}"
+              value: "{{ .Values.aws.s3Backups.bucketName }}"
             - name: S3_PREFIX
-              value: "stegostore"
+              value: "{{ .Values.aws.resourcePrefix }}{{ .Values.stackId }}/stegostore"
             - name: DAYS_RETENTION_DAILY
               value: {{ .Values.stegosweep.daysRetentionDaily | quote }}
             - name: DAYS_RETENTION_HOURLY

diff --git a/charts/cloudnative-pg/values.yaml b/charts/cloudnative-pg/values.yaml
@@ -8,6 +8,9 @@ aws:
     rolePath: /my-role-path/
     policyPath: /my-policy-path/
     permissionsBoundary: arn:aws:iam::123456789012:policy/my-policy-path/my-policy-name
+  s3Backups:
+    bucketName: backup-bucket-name
+    bucketKmsKeyAlias: database-backup-bucket-key
 cluster:
   imageName: ghcr.io/cloudnative-pg/postgresql:15.3@sha256:10fa87e8fbf7f1d7d6be3124ef364068e5844e825b17649bc0b2efbab4b54f69
   instances: 2
@@ -44,7 +47,7 @@ stegostore:
   schedule: "0 * * * *"
   concurrencyPolicy: Forbid
   imageName: portswigger-cloud/stegostore
-  imageDigest: sha256:c3ee6874873ad41081e95eae17322c6b9424503098262ca0641cf1aa21bf7c08
+  imageDigest: sha256:ab831be05edb2753e6106735ea23afa717ecb1f9c1e61ac847e1c95933309de2
 stegosweep:
   enabled: true
   schedule: "30 1 * * *"