feat: Add CloudNativePG with B2 backups for persistent Rancher database

- Add Local Path Provisioner for storage - Add CloudNativePG operator (v1.27.0) via Flux - Create PostgreSQL cluster with B2 (Backblaze) auto-backup/restore - Update Rancher to use external PostgreSQL via CATTLE_DB_CATTLE_* env vars - Add weekly pg_dump CronJob to B2 (Sundays 2AM) - Add pre-destroy backup hook to destroy workflow - Add B2 credentials to Doppler (B2_ACCOUNT_ID, B2_APPLICATION_KEY) - Generate RANCHER_DB_PASSWORD in Doppler Backup location: HetznerTerra/rancher-backups/ Retention: 14 backups
2026-03-25 23:06:45 +00:00
parent f36445d99a
commit 9d601dc77c
17 changed files with 402 additions and 1 deletions
--- a/infrastructure/addons/cnpg/postgres-cluster.yaml
+++ b/infrastructure/addons/cnpg/postgres-cluster.yaml
@@ -0,0 +1,70 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: rancher-db
+  namespace: cnpg-cluster
+spec:
+  description: "Rancher external database cluster"
+  imageName: ghcr.io/cloudnative-pg/postgresql:17.4
+  imagePullPolicy: IfNotPresent
+
+  instances: 1
+  primaryUpdateStrategy: unsupervised
+
+  storage:
+    storageClass: local-path
+    size: 50Gi
+    resizeStorageStorageClassName: local-path
+
+  resources:
+    requests:
+      cpu: 250m
+      memory: 512Mi
+    limits:
+      cpu: 1000m
+      memory: 2Gi
+
+  bootstrap:
+    recovery:
+      externalClusters:
+        - name: b2-backup
+          s3Compatible:
+            bucket: HetznerTerra
+            region: us-east-005
+            endpoint: s3.us-east-005.backblazeb2.com
+            prefix: rancher-backups/
+            credentials:
+              name: b2-credentials
+              accessKey: B2_ACCOUNT_ID
+              secretKey: B2_APPLICATION_KEY
+
+  backup:
+    b2:
+      bucket: HetznerTerra
+      region: us-east-005
+      endpoint: s3.us-east-005.backblazeb2.com
+      prefix: rancher-backups/
+      credentials:
+        name: b2-credentials
+        accessKey: B2_ACCOUNT_ID
+        secretKey: B2_APPLICATION_KEY
+    retentionPolicy: keep14
+
+  serviceAccountTemplate:
+    metadata:
+      labels:
+        app.kubernetes.io/name: rancher-db
+
+  superuserSecret:
+    name: rancher-db-password
+
+  monitoring:
+    enablePodMonitor: true
+
+  affinity:
+    nodeSelector:
+      kubernetes.io/hostname: k8s-cluster-cp-1
+    tolerations:
+      - key: node-role.kubernetes.io/control-plane
+        operator: Exists
+        effect: NoSchedule