portswigger-cloud · pselliotc · Jul 22, 2024 · Jul 22, 2024
diff --git a/charts/cloudnative-pg/Chart.yaml b/charts/cloudnative-pg/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: cloudnative-pg
 description: Create a Postgresql database cluster on AWS EKS using cloudnative-pg.io and any required AWS resources via crossplane.io.
 type: application
-version: 0.1.1-backup-dev-2
+version: 0.1.1
 kubeVersion: ">=1.24.0-0"
 keywords:
   - postgresql

diff --git a/charts/cloudnative-pg/templates/crossplane-aws-iam/policy.yaml b/charts/cloudnative-pg/templates/crossplane-aws-iam/policy.yaml
@@ -22,8 +22,8 @@ spec:
             ],
             "Effect": "Allow",
             "Resource": [
-              "arn:aws:s3:::{{ .Values.aws.s3Backups.bucketName }}",
-              "arn:aws:s3:::{{ .Values.aws.s3Backups.bucketName }}/{{.Values.aws.resourcePrefix}}{{.Values.stackId}}"
+              "arn:aws:s3:::{{ .Values.aws.resourcePrefix }}{{ .Values.stackId }}",
+              "arn:aws:s3:::{{ .Values.aws.resourcePrefix }}{{ .Values.stackId }}/*"
             ]
           },
           {
@@ -37,10 +37,7 @@ spec:
             ],
             "Condition": {
               "ForAnyValue:StringLike": {
-                "kms:ResourceAliases": [
-                  "alias/{{ .Values.aws.resourcePrefix }}{{ .Values.stackId }}",
-                  "alias/{{ .Values.aws.s3Backups.bucketKmsKeyAlias }}"
-                ]
+                "kms:ResourceAliases": "alias/{{ .Values.aws.resourcePrefix }}{{ .Values.stackId }}"
               }
             }
           }

diff --git a/charts/cloudnative-pg/templates/stegostore/logical-backup.yaml b/charts/cloudnative-pg/templates/stegostore/logical-backup.yaml
@@ -53,9 +53,7 @@ spec:
                   name: postgres-app
                   key: port
             - name: S3PATH
-              value: "s3://{{.Values.aws.s3Backups.bucketName}}/{{ .Values.aws.resourcePrefix }}{{ .Values.stackId }}/stegostore/"
-            - name: KMS_KEY_ID
-              value: {{ .Values.aws.resourcePrefix }}{{ .Values.stackId }}
+              value: "s3://{{ .Values.aws.resourcePrefix }}{{ .Values.stackId }}/stegostore/"
             - name: PGHOST
               value: "postgres-rw"
           restartPolicy: Never

diff --git a/charts/cloudnative-pg/templates/stegosweep/lifecycle-mgmt.yaml b/charts/cloudnative-pg/templates/stegosweep/lifecycle-mgmt.yaml
@@ -34,9 +34,9 @@ spec:
             command: ["bash", "/stegosweep.sh"]
             env:
             - name: S3_BUCKET_NAME
-              value: {{ .Values.aws.s3Backups.bucketName }}
+              value: "{{ .Values.aws.resourcePrefix }}{{ .Values.stackId }}"
             - name: S3_PREFIX
-              value: "{{ .Values.aws.resourcePrefix }}{{ .Values.stackId }}/stegostore"
+              value: "stegostore"
             - name: DAYS_RETENTION_DAILY
               value: {{ .Values.stegosweep.daysRetentionDaily | quote }}
             - name: DAYS_RETENTION_HOURLY

diff --git a/charts/cloudnative-pg/values.yaml b/charts/cloudnative-pg/values.yaml
@@ -8,9 +8,6 @@ aws:
     rolePath: /my-role-path/
     policyPath: /my-policy-path/
     permissionsBoundary: arn:aws:iam::123456789012:policy/my-policy-path/my-policy-name
-  s3Backups:
-    bucketName: backup-bucket-name
-    bucketKmsKeyAlias: database-backup-bucket-key
 cluster:
   imageName: ghcr.io/cloudnative-pg/postgresql:15.3@sha256:10fa87e8fbf7f1d7d6be3124ef364068e5844e825b17649bc0b2efbab4b54f69
   instances: 2
@@ -47,7 +44,7 @@ stegostore:
   schedule: "0 * * * *"
   concurrencyPolicy: Forbid
   imageName: portswigger-cloud/stegostore
-  imageDigest: sha256:3e4771a813ed530a27b5ac6b009e6961a8bc67f9b9e1b386c09bbb60dd05211d
+  imageDigest: sha256:c3ee6874873ad41081e95eae17322c6b9424503098262ca0641cf1aa21bf7c08
 stegosweep:
   enabled: true
   schedule: "30 1 * * *"