building homelab cluster part 11

I want to revisit the Postgres Operator by Zalando that I installed in part 9 and practice backup and restore using WAL-E/WAL-G (Spilo, the image the operator runs, supports both; this post uses WAL-G).

Here is the plan.

  • create a MinIO S3 bucket
  • prepare an access key and secret access key for it
  • create a SOPS-encrypted Secret in the SOPS repository
  • update the Postgres Operator to inject the Secret into every Postgres pod

MinIO Tenant

  • create a bucket named "postgres" with the "private" access policy
  • create a policy "postgres-rw" scoped to that bucket only (document below)
  • create a user named "postgresadmin" and attach the "postgres-rw" policy
  • generate an access key and secret key for the "postgresadmin" user

The "postgres-rw" policy document:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": ["arn:aws:s3:::postgres", "arn:aws:s3:::postgres/*"]
    }
  ]
}

"s3:*" on the bucket is deliberate: backup retention (BACKUP_NUM_TO_RETAIN below) deletes old base backups and their WAL, so the key needs delete rights. The two Resource ARNs are what keep the key from reaching any other bucket on the tenant.


Create a generic Secret in the postgres namespace that carries the Spilo/WAL-G environment variables, then encrypt it with SOPS before committing. The key values below are placeholders; AWS_ENDPOINT must point at the MinIO S3 API (scheme included), and AWS_S3_FORCE_PATH_STYLE stays "true" because MinIO addresses buckets by path rather than by virtual host.

# on SOPS repo
kubectl create secret generic postgres-backup -n postgres \
    --from-literal=WAL_S3_BUCKET=postgres \
    --from-literal=USE_WALG_BACKUP="true" \
    --from-literal=USE_WALG_RESTORE="true" \
    --from-literal=BACKUP_SCHEDULE='00 10 * * *' \
    --from-literal=AWS_ACCESS_KEY_ID=access_key_here \
    --from-literal=AWS_SECRET_ACCESS_KEY=secret_key_here \
    --from-literal=AWS_S3_FORCE_PATH_STYLE="true" \
    --from-literal=AWS_ENDPOINT= \
    --from-literal=AWS_REGION=homelab \
    --from-literal=WALG_DISABLE_S3_SSE="true" \
    --from-literal=BACKUP_NUM_TO_RETAIN="5" \
    --from-literal=CLONE_USE_WALG_RESTORE="true" \
    --dry-run=client -o yaml > postgres-backup.yaml

# encrypt
sops -i --encrypt postgres-backup.yaml

# git commit and push for flux to process
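Before the Secret is encrypted and pushed, it is worth checking it once in plaintext: a variable that is empty or misspelled does not fail loudly, the Spilo pod simply starts without backups. The script below is an added example written for this post, not Zalando's or Spilo's code. It reads the `--dry-run=client -o yaml` dump produced by the kubectl command above, checks the Spilo variable names used in this post (required values present, booleans spelled "true"/"false", a five-field BACKUP_SCHEDULE, an AWS_ENDPOINT with a scheme) and also checks that the "postgres-rw" MinIO policy from the previous section stays inside the backup bucket. The helper names, the sample values and the rendered manifest are constructed for the example; the sample mirrors the post's command, including the empty AWS_ENDPOINT, so the check reports it.

```python
"""Pre-commit checks for the WAL-G backup Secret and the MinIO bucket policy.

Added example for this post, not Zalando's or Spilo's code. Variable names are
the Spilo ones used in the post; helper names, sample values and the rendered
manifest are constructed here so the script runs offline.
"""
import base64
import json
import re

# Spilo variables that must carry a value for WAL-G backups to an S3 endpoint.
REQUIRED_KEYS = ("WAL_S3_BUCKET", "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY",
                 "AWS_ENDPOINT", "AWS_REGION", "BACKUP_SCHEDULE")
# Spilo reads these as the strings "true"/"false"; anything else is treated as off.
BOOL_KEYS = ("USE_WALG_BACKUP", "USE_WALG_RESTORE", "CLONE_USE_WALG_RESTORE",
             "AWS_S3_FORCE_PATH_STYLE", "WALG_DISABLE_S3_SSE")
_FIELD = r"(\*|\d+(-\d+)?)(/\d+)?(,(\*|\d+(-\d+)?)(/\d+)?)*"
CRON_RE = re.compile(rf"^{_FIELD}( {_FIELD}){{4}}$")   # five space-separated fields

SAMPLE_VALUES = {  # constructed: mirrors the literals in the post's kubectl command
    "WAL_S3_BUCKET": "postgres", "USE_WALG_BACKUP": "true", "USE_WALG_RESTORE": "true",
    "BACKUP_SCHEDULE": "00 10 * * *", "AWS_ACCESS_KEY_ID": "access_key_here",
    "AWS_SECRET_ACCESS_KEY": "secret_key_here", "AWS_S3_FORCE_PATH_STYLE": "true",
    "AWS_ENDPOINT": "",  # left empty exactly as in the post's command
    "AWS_REGION": "homelab", "WALG_DISABLE_S3_SSE": "true", "BACKUP_NUM_TO_RETAIN": "5",
    "CLONE_USE_WALG_RESTORE": "true",
}
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["s3:*"], "Resource": ["arn:aws:s3:::postgres", "arn:aws:s3:::postgres/*"]}]}""")


def render_secret_yaml(values, name="postgres-backup", namespace="postgres"):
    """Mimic the `--dry-run=client -o yaml` dump: one base64 line per literal."""
    lines = ["apiVersion: v1", "data:"]
    for key in sorted(values):
        enc = base64.b64encode(values[key].encode()).decode() or '""'
        lines.append(f"  {key}: {enc}")
    lines += ["kind: Secret", "metadata:", "  creationTimestamp: null",
              f"  name: {name}", f"  namespace: {namespace}"]
    return "\n".join(lines) + "\n"


def parse_secret_yaml(text):
    """Read the flat `data:` block back into plaintext; no YAML library needed."""
    env, in_data = {}, False
    for line in text.splitlines():
        if re.match(r"^\S", line):          # a new top-level key ends the data block
            in_data = line.startswith("data:")
            continue
        m = re.match(r"^  (\w+): ?(.*)$", line)
        if in_data and m:
            env[m.group(1)] = base64.b64decode(m.group(2).strip().strip('"')).decode()
    return env


def check_backup_env(env):
    """Return a list of problems; an empty list means the Secret is usable."""
    problems = [f"{k} is missing or empty" for k in REQUIRED_KEYS if not env.get(k)]
    problems += [f"{k} must be 'true' or 'false', got {env[k]!r}"
                 for k in BOOL_KEYS if k in env and env[k] not in ("true", "false")]
    sched = env.get("BACKUP_SCHEDULE", "")
    if sched and not CRON_RE.match(sched):
        problems.append(f"BACKUP_SCHEDULE {sched!r} is not a 5-field cron expression")
    endpoint = env.get("AWS_ENDPOINT", "")
    if endpoint and not endpoint.startswith(("http://", "https://")):
        problems.append("AWS_ENDPOINT needs a scheme, e.g. https://minio.minio.svc:443")
    if endpoint.startswith("http://"):
        problems.append("AWS_ENDPOINT is plain http: base backups and WAL cross the network unencrypted")
    retain = env.get("BACKUP_NUM_TO_RETAIN", "1")
    if not (retain.isdigit() and int(retain) > 0):
        problems.append("BACKUP_NUM_TO_RETAIN must be a positive integer")
    return problems


def check_bucket_policy(policy, bucket):
    """Flag Allow statements whose Resource reaches beyond the backup bucket."""
    allowed = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    problems = []
    for st in policy.get("Statement", []):
        res = st.get("Resource", [])
        for arn in ([res] if isinstance(res, str) else res):
            if st.get("Effect") == "Allow" and arn not in allowed:
                problems.append(f"Allow statement reaches outside {bucket}: {arn}")
    return problems


if __name__ == "__main__":
    env = parse_secret_yaml(render_secret_yaml(SAMPLE_VALUES))
    for p in check_backup_env(env) + check_bucket_policy(SAMPLE_POLICY, "postgres"):
        print("PROBLEM:", p)
```

Run it against the real dump with `parse_secret_yaml(open("postgres-backup.yaml").read())` before the `sops -i --encrypt` step; once the file is encrypted the data values are no longer base64 and the parser will not decode them. The plain-http warning is there because WAL-G signs requests but does not encrypt the payload, so an http:// endpoint puts every base backup on the wire in the clear.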

Postgres Operator Helm values file

Update the values file so that the operator injects the "postgres-backup" Secret into every Postgres pod it creates.

diff --git a/infrastructure/homelab/controllers/postgres-operator-values.yaml b/infrastructure/homelab/controllers/postgres-operator-values.yaml
index 7993d0d..8020267 100644
--- a/infrastructure/homelab/controllers/postgres-operator-values.yaml
+++ b/infrastructure/homelab/controllers/postgres-operator-values.yaml
@@ -182,7 +182,7 @@ configKubernetes:
   # namespaced name of the ConfigMap with environment variables to populate on every pod
   # pod_environment_configmap: "default/my-custom-config"
   # name of the Secret (in cluster namespace) with environment variables to populate on every pod
-  # pod_environment_secret: "my-custom-secret"
+  pod_environment_secret: "postgres-backup"

   # specify the pod management policy of stateful sets of Postgres clusters
   pod_management_policy: "ordered_ready"
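Review bot: the `+  pod_environment_secret: "postgres-backup"` line is resolved per Postgres cluster, in that cluster's own namespace (the comment two lines above says "in cluster namespace"), so a cluster created in any namespace other than the one holding postgres-backup starts without the WAL-G variables and therefore without backups. Either document that the Secret has to be replicated into every namespace that hosts a cluster, or use the `pod_environment_configmap` option on the line above, which takes a namespaced name ("default/my-custom-config") and can live in one place.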

Update the shell script that generates the Flux HelmRelease manifest so that it passes the values file.

diff --git a/infrastructure/homelab/controllers/ b/infrastructure/homelab/controllers/
index 162dec5..ee28a95 100755
--- a/infrastructure/homelab/controllers/
+++ b/infrastructure/homelab/controllers/
@@ -13,4 +13,5 @@ flux create helmrelease postgres-operator \
        --source=HelmRepository/postgres-operator \
        --chart=postgres-operator \
        --chart-version=1.11.0 \
+       --values=./postgres-operator-values.yaml \
        --export >>postgres-operator.yaml
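Review bot: `--values=./postgres-operator-values.yaml` is resolved against the caller's working directory, not the script's, so the export only works when the script is run from infrastructure/homelab/controllers; `--values="$(dirname "$0")/postgres-operator-values.yaml"` makes it location independent. Note also that `--values` inlines the file into the HelmRelease's spec.values and the result is appended with `>>postgres-operator.yaml`, so any later edit to the values file needs this script re-run, and the append only yields a single copy if an earlier part of the script truncates postgres-operator.yaml first.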


This did work out well, but since I create a database in each namespace, I also need to create the Secret in each namespace. Doing the same with a ConfigMap (also encrypted using SOPS) was a better solution.

and ... wip 2024-04-23