
feat(cloudnative-pg): update secrets and configurations for Ceph integration #2223

Draft
Tanguille wants to merge 5 commits into main from feat(cnpg)/backup-to-ceph-primarily

@Tanguille
Owner

  • Updated secret values in secret.sops.yaml for enhanced security.
  • Added new CephObjectStoreUser resource for backup operations.
  • Changed object store name from 'r2' to 'ceph-objectstore' in relevant configurations.
  • Updated object store endpoint and destination path in objectstore.yaml.
  • Increased retention policy from 14 days to 30 days.
  • Introduced rclone sync CronJob for automated backup synchronization.
  • Added new S3 secret for Ceph integration in rook-ceph app.
  • Updated helmrelease.yaml to include ceph-objectstore configuration.

renovate bot and others added 3 commits February 21, 2026 01:59
- Update image from 7.5.2 to 8.1.0
- Replace deprecated template includes with guide-backed profiles and custom_format_groups
- Remove deprecated replace_existing_custom_formats option
- Add back 3D profile for Radarr (manual config)
- Add back Any profile for Sonarr (manual config)
- Keep local includes for additional custom formats
…gration

- Updated secret values in secret.sops.yaml for enhanced security.
- Added new CephObjectStoreUser resource for backup operations.
- Changed object store name from 'r2' to 'ceph-objectstore' in relevant configurations.
- Updated object store endpoint and destination path in objectstore.yaml.
- Increased retention policy from 14 days to 30 days.
- Introduced rclone sync CronJob for automated backup synchronization.
- Added new S3 secret for Ceph integration in rook-ceph app.
- Updated helmrelease.yaml to include ceph-objectstore configuration.
This commit fixes the style issues introduced in 8b51658 according to the output
from Prettier.

Details: #2223
@deepsource-io
Contributor

deepsource-io bot commented Feb 21, 2026

DeepSource Code Review

DeepSource reviewed changes in the commit range 6db625e...5383390 on this pull request. Below is the summary for the review, and you can see the individual issues we found as review comments.

For detailed review results, please see the PR on DeepSource ↗

PR Report Card

Security × 0 issues Overall PR Quality   

Reliability × 0 issues
Complexity × 0 issues
Hygiene × 0 issues

Code Review Summary

Analyzer Status Summary Details
JavaScript No new issues detected. Review ↗
Shell No new issues detected. Review ↗
How are these analyzer statuses calculated?

Administrators can configure which issue categories are reported and cause analysis to be marked as failed when detected. This helps prevent bad and insecure code from being introduced in the codebase. If you're an administrator, you can modify this in the repository's settings.

@tanguille-cluster

tanguille-cluster bot commented Feb 21, 2026

--- kubernetes/apps/database/cloudnative-pg/cluster Kustomization: database/cloudnative-pg-cluster Cluster: database/postgres16

+++ kubernetes/apps/database/cloudnative-pg/cluster Kustomization: database/cloudnative-pg-cluster Cluster: database/postgres16

@@ -18,26 +18,26 @@

   - name: postgres18
     plugin:
       enabled: true
       isWALArchiver: false
       name: barman-cloud.cloudnative-pg.io
       parameters:
-        barmanObjectName: r2
+        barmanObjectName: ceph-objectstore
         serverName: postgres18
   imageName: ghcr.io/cloudnative-pg/postgresql:18.2-standard-trixie@sha256:adfbebaa19b30ea972eb98be8876dcc09deb1b4fba5d83ac2b7f814fb903d68b
   instances: 3
   monitoring:
     enablePodMonitor: true
   nodeMaintenanceWindow:
     inProgress: false
     reusePVC: true
   plugins:
   - isWALArchiver: true
     name: barman-cloud.cloudnative-pg.io
     parameters:
-      barmanObjectName: r2
+      barmanObjectName: ceph-objectstore
       serverName: postgres18
   postgresql:
     extensions:
     - image:
         reference: ghcr.io/tensorchord/vchord-scratch:pg18-v1.0.0
       name: vchord
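
Review bot: Both `barmanObjectName` references switch to `ceph-objectstore` in the same change, the `plugin` entry with `isWALArchiver: false` at the top of the hunk and the `plugins` entry with `isWALArchiver: true`, and both keep `serverName: postgres18`. If the first entry is what the cluster recovers from, it now points at a store that holds no base backup or WAL until the first backup to Ceph completes, and the history written under `r2` is no longer referenced. Consider keeping `r2` defined for the first reference until a base backup on `ceph-objectstore` has been taken and a restore from it verified.
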
--- kubernetes/apps/database/cloudnative-pg/cluster Kustomization: database/cloudnative-pg-cluster ObjectStore: database/r2

+++ kubernetes/apps/database/cloudnative-pg/cluster Kustomization: database/cloudnative-pg-cluster ObjectStore: database/r2

@@ -1,27 +0,0 @@

----
-apiVersion: barmancloud.cnpg.io/v1
-kind: ObjectStore
-metadata:
-  labels:
-    kustomize.toolkit.fluxcd.io/name: cloudnative-pg-cluster
-    kustomize.toolkit.fluxcd.io/namespace: database
-  name: r2
-  namespace: database
-spec:
-  configuration:
-    data:
-      compression: gzip
-    destinationPath: s3://cloudnative-pg/
-    endpointURL: ..PLACEHOLDER_SECRET_R2_HOST..
-    s3Credentials:
-      accessKeyId:
-        key: aws-access-key-id
-        name: cloudnative-pg-secret
-      secretAccessKey:
-        key: aws-secret-access-key
-        name: cloudnative-pg-secret
-    wal:
-      compression: zstd
-      maxParallel: 4
-  retentionPolicy: 14d
-
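
Review bot: Deleting the `r2` ObjectStore also removes `retentionPolicy: 14d` for what is already stored under `s3://cloudnative-pg/`, so nothing managed here prunes those backups and WAL files any more, and nothing in this diff writes to an off-cluster target. The description mentions an rclone sync CronJob, but it is not among the rendered changes in this comment; please confirm it is part of the PR and state how the old bucket contents will be expired or removed.
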
--- kubernetes/apps/database/cloudnative-pg/cluster Kustomization: database/cloudnative-pg-cluster ObjectStore: database/ceph-objectstore

+++ kubernetes/apps/database/cloudnative-pg/cluster Kustomization: database/cloudnative-pg-cluster ObjectStore: database/ceph-objectstore

@@ -0,0 +1,27 @@

+---
+apiVersion: barmancloud.cnpg.io/v1
+kind: ObjectStore
+metadata:
+  labels:
+    kustomize.toolkit.fluxcd.io/name: cloudnative-pg-cluster
+    kustomize.toolkit.fluxcd.io/namespace: database
+  name: ceph-objectstore
+  namespace: database
+spec:
+  configuration:
+    data:
+      compression: gzip
+    destinationPath: s3://cnpg-backups/
+    endpointURL: http://rook-ceph-rgw-ceph-objectstore.rook-ceph.svc.cluster.local:80
+    s3Credentials:
+      accessKeyId:
+        key: aws-access-key-id
+        name: cloudnative-pg-secret
+      secretAccessKey:
+        key: aws-secret-access-key
+        name: cloudnative-pg-secret
+    wal:
+      compression: zstd
+      maxParallel: 4
+  retentionPolicy: 30d
+
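
Review bot: `endpointURL` uses plain `http://` on port 80, so base backups and WAL segments cross the cluster network unencrypted, and no `encryption` is set under `data` or `wal`. Consider serving the gateway over TLS and pointing this at an `https://` endpoint. The credentials are still read from `cloudnative-pg-secret` under the same `aws-access-key-id` and `aws-secret-access-key` keys the `r2` store used; confirm the secret now holds the Ceph user's keys rather than the R2 ones.
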
--- kubernetes/apps/rook-ceph/rook-ceph/cluster Kustomization: rook-ceph/rook-ceph-cluster HelmRelease: rook-ceph/rook-ceph-cluster

+++ kubernetes/apps/rook-ceph/rook-ceph/cluster Kustomization: rook-ceph/rook-ceph-cluster HelmRelease: rook-ceph/rook-ceph-cluster

@@ -200,13 +200,45 @@

         pool: data0
         reclaimPolicy: Delete
         volumeBindingMode: Immediate
     cephImage:
       repository: quay.io/ceph/ceph
       tag: v20.2.0
-    cephObjectStores: []
+    cephObjectStores:
+    - name: ceph-objectstore
+      spec:
+        dataPool:
+          erasureCoded:
+            codingChunks: 1
+            dataChunks: 2
+          failureDomain: host
+          parameters:
+            compression_algorithm: zstd
+            compression_mode: aggressive
+        gateway:
+          instances: 1
+          port: 80
+          resources:
+            limits:
+              memory: 1Gi
+            requests:
+              cpu: 100m
+              memory: 256Mi
+        healthCheck:
+          bucket:
+            disabled: false
+            interval: 60s
+        metadataPool:
+          failureDomain: host
+          replicated:
+            size: 2
+        preservePoolsOnDelete: true
+      storageClass:
+        enabled: true
+        name: ceph-bucket
+        reclaimPolicy: Delete
     monitoring:
       createPrometheusRules: true
       enabled: true
     route:
       dashboard:
         host:
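
Review bot: The pools added under `cephObjectStores` tolerate only a single host failure: `erasureCoded` with `dataChunks: 2` and `codingChunks: 1`, and `metadataPool` with `replicated.size: 2`, which leaves the bucket index on a single copy during any host outage. Since 2+1 erasure coding with `failureDomain: host` already needs three hosts, consider `size: 3` for the metadata pool, and add a short comment in the values recording why 2+1 was chosen for a store that holds the database backups.
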

@tanguille-cluster

tanguille-cluster bot commented Feb 21, 2026

--- HelmRelease: rook-ceph/rook-ceph-cluster StorageClass: rook-ceph/ceph-bucket

+++ HelmRelease: rook-ceph/rook-ceph-cluster StorageClass: rook-ceph/ceph-bucket

@@ -0,0 +1,12 @@

+---
+kind: StorageClass
+apiVersion: storage.k8s.io/v1
+metadata:
+  name: ceph-bucket
+provisioner: rook-ceph.ceph.rook.io/bucket
+reclaimPolicy: Delete
+volumeBindingMode: Immediate
+parameters:
+  objectStoreName: ceph-objectstore
+  objectStoreNamespace: rook-ceph
+
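
Review bot: `reclaimPolicy: Delete` on `ceph-bucket` means a bucket provisioned through this class is removed together with its claim, which sits oddly next to `preservePoolsOnDelete: true` on the object store it points at. If `cnpg-backups` is, or later becomes, a bucket created through this class, an accidental claim deletion takes the backups with it; consider `Retain` for this class, or document that the backup bucket is created another way.
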
--- HelmRelease: rook-ceph/rook-ceph-cluster CephObjectStore: rook-ceph/ceph-objectstore

+++ HelmRelease: rook-ceph/rook-ceph-cluster CephObjectStore: rook-ceph/ceph-objectstore

@@ -0,0 +1,34 @@

+---
+kind: CephObjectStore
+apiVersion: ceph.rook.io/v1
+metadata:
+  name: ceph-objectstore
+  namespace: rook-ceph
+spec:
+  dataPool:
+    erasureCoded:
+      codingChunks: 1
+      dataChunks: 2
+    failureDomain: host
+    parameters:
+      compression_algorithm: zstd
+      compression_mode: aggressive
+  gateway:
+    instances: 1
+    port: 80
+    resources:
+      limits:
+        memory: 1Gi
+      requests:
+        cpu: 100m
+        memory: 256Mi
+  healthCheck:
+    bucket:
+      disabled: false
+      interval: 60s
+  metadataPool:
+    failureDomain: host
+    replicated:
+      size: 2
+  preservePoolsOnDelete: true
+
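
Review bot: `gateway.instances: 1` makes a single RGW pod a hard dependency for WAL archiving, since the cluster's `isWALArchiver: true` plugin now targets this store; while that pod is down, archiving fails and WAL accumulates on the PostgreSQL volumes. Consider two instances. The `gateway` block also sets only `port: 80` with no secure port, which is why the ObjectStore endpoint ends up on plain HTTP.
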
