fix(ci): restore from cnpg (#1736)

* fix: restore from CNPG

* fix: reset dbs on dev/preprod deploys

* fix

* fix

* fix

* fix

* fix

* fix

* Update values.yaml

* Update values.yaml

* Update values.yaml

.kontinuous/env/dev/templates/les1000jours-prod-backups-access-key.sealed-secret.yaml

@@ -0,0 +1,17 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  annotations:
+    sealedsecrets.bitnami.com/cluster-wide: 'true'
+  name: les1000jours-prod-backups-access-key
+spec:
+  encryptedData:
+    bucket_access_key: AgBXMBpaDwqtV9Zvv0yssxa9167/rrp9L+XM2CSCBo2V+26dNHOUdObKZCXoB7+383xsE+ip7ibE2qft0bvUpTXqpqpkCEbTTFPu/sEYyLl/ndV2YPm4HJLf5JXMcCQUAc5RyG0f9tdQjn6saIqQQkbOLT7hPF9C+phU6XOjdaIwTQb3sD94ZSXJJ8rCmeYoBfGJAkfwSxPNdprCQDe2qB63wz+1NiL15OG3pX1b/5xAhMVN19W8ExJ9khqkAE6vqGjw95mqlPxhqWcPOCZWQKd17rQavWHOGlCIR1oX5GwNqsRnoJFSxqRCI+jltpgBOaZD3+XVBw6frkFwKPZvnz6ltuLI7VtHixKH0MPBLNUC39gQ47AyFTlMuH4oEFPvDA8iy6HKovPhA/SzO14gHhRci25ICqjvrglXIBE6NXvKYLn98twWbIozH/nwFWQ1UC9ZNKmQeNdDqUA6a8GTTYiphlsAKZ67mc9IFA6bpL4xOb5kucB2MrTNgTxJAeLgVO3nVCayXejUhT91AZqjz7RYhy+1h8xUBWm57PExxCJ3hAiyMim6Mj9Dc+EZGMqsYg3SRcrDT3ncbb+oBSuTxFytTDsa4+mKUV8k+NDOgInWSER21RniN+zt6uMtsRPcItoQvj5cvMYPe9m19XqH/wGjTFbgd+Aoa3ktTwJw9q83zUx9wbZ4BlYYrOeFBLhOQpnT8toPrsug2CpzkhdRRXp4aM84mOy6WAzNOgcdDO2/eA==
+    bucket_region: AgAgvbih0BEDkbHdDTZYj6EBZzHXXt2AEBsh4QY2T5oNq7bOcsccEwNDFvpNsc/jVRB/f+8GnS8+FN2cUeV0ddsw85Ioh/h1Ftu6V+a2i/6bQ4v9fAeZARp8bkGG0umtxhY09vsmThC/JBrmamDgiyK05ArvwacYUKKyooPAMJ6kP1PeGKgpx+O0WsYuK/qPDg61f7nGkt8z0iOnaU6NYMzaJjknZ9LWcpV5XSDCLzvPI6mDMB/eke8gMwGLejqdg4iqfCbE2z3ex1tvTob4rMNqdfjqkQSA4VADi5V40Kov+15+QQDFZe/im3N0BWVZiQB5M4BotXPtwz4k3aGXMREHrk9lwenjlsU4Hpp/snXm68VfDRYh1gSUUEFVxLtcFcDdGSCqxP/RXA/TqU2M2+DvRpq18BI2TNQ0O6c9gQVYUTFAAPEv6VIsCVEL7iFjhlC9ETyXOYtrnpKTwq+bJDbvwua7+g/9uM8nnb7VvMdvOpIQcfEPrL1NJdFUWmbE2LynFfmSBF9cKz07tpu945EAP+VOF3Zn3+LfJa9aHJ6qi/7zbguNblZcx8KfoIS0MWLyutnBtJN/2IuFcobPBYWwlDpNpit9KJ7y3Be+3H6obCyimz1lhXfl7dF0WPAluDQGbvoCfsUx9LxicrDnXoGA5pRqNKwLBp0pUE2TIFY47+lS8hCvtj9xFo+4lSxCs3Loe9k=
+    bucket_secret_key: AgDQrJS7bl3CECS8V73hd+m2ZQrjLYa4tAGkW6wF97hl4RJoLB1y6G3ztFv2QOcfSy9b+r/lBaMk8qs+R2RWI0yAp+WEXGcODJyl+qeMrw0wXpeHBV7UlklFRz9h+jsZ8jW1qJPo1ArRv6wYs5ZRttB5ND5FkobgIRkHD4tOkMyXWPI5JoSycTwNPX6+UKSeiOo0CxPbTT50iq5V7ZufxznYQRMu5fo1mP051GoAnbLVIm6T8Ns+KBxZ0F8DXpWj/IV/SBjCea7MfG3xkHa4vAwsAkc4om+5FE1jL6tE47Mm0CJxdd8Unhco4iIPucrznVu0J5cJCv0nlD36mV17WY9j/3EyZTsT79MAlfRLD6okWfJ30kRBQ9Fa2onRybnDkhlY4rL1yFpKLKNozNa3qMoxk53wKidcc7kH1wAIcTLtjdtWwAJD6KHtEDjZTYS6n75Vi6s5SIU5ujb5dEPj2F7Yu6F6uuE8kylPZjky0TUOOPsG/eXS6FDO3tnl8CVP2oCz42iWxWNAOziIp8UP2U+2Z1rdIA8GU9u4mI/FtBszyzA4vZihuyxj/L8XtMjHzI+A24Pqw9kBsNtxUDEUzBDOD+tXXtgZeeO9MaSNHeaq9RldNaXXq8HFamlPBsJpkV6vNWGUCOTShF6xTEqjOblnFdjGrXkLxR2T2KOZ/FKmCCuRluVeMt1NSTRWbKh9UXGsjdB2AWqddub5j1NAn4vFjO0AqSqEL1w6M91ntQGWFg==
+  template:
+    metadata:
+      annotations:
+        sealedsecrets.bitnami.com/cluster-wide: 'true'
+      name: les1000jours-prod-backups-access-key
+    type: Opaque

.kontinuous/env/dev/values.yaml

@@ -1,5 +1,6 @@
+
 app-strapi:
-  ~needs: [pg, build-strapi, restore]
+  ~needs: [pg, build-strapi]
   ~preDeploy.cleaner:
     match:
       kind: Deployment
@@ -19,45 +20,31 @@ app-strapi:
         name: "pg-app"
     # - secretRef:
     #     name: azure-les1000jours-volume
-#
-# todo: a remplacer par une conf de restore CNPG
-#
-jobs:
-  runs:
-    restore:
-      ~needs: [pg]
-      use: pg-restore
-      checkout: false
-      with:
-        mountPath: /mnt/restore
-        restorePath: "${LATEST}"
-        pgAdminUserSecretRefName: pg-superuser
-      env: # there is a bug when setting custom job env, so we have to repeat "with" vars here
-        - name: RESTORE_PATH
-          value: "${LATEST}"
-        - name: OWNER
-          value: "{{ $.Values.global.pgUser }}"
-        - name: MOUNT_PATH
-          value: /mnt/restore
-        - name: FILTER_PATH
-          value: prod_db
-        - name: PGPASSWORD
-          value: "$(password)"
-        - name: PGUSER
-          value: "$(username)"
-        - name: PGHOST
-          value: "pg-rw"
-        - name: PGDATABASE
-          value: "{{ $.Values.global.pgDatabase }}"
-      volumeMounts:
-        - name: restore
-          mountPath: /mnt/restore
-          readOnly: true
-      volumes:
-        - name: restore
-          csi:
-            driver: file.csi.azure.com
-            readOnly: true
-            volumeAttributes:
-              secretName: les1000joursprodserver-backup-credentials
-              shareName: les1000jprodsrv2-backup-restore
+
+pg:
+  ~chart: pg
+  # this force ce PG cluster to be destroyed on redeploys
+  ~preDeploy.cleaner:
+    match:
+      kind: Cluster
+    value: true
+  cnpg-cluster:
+    recovery:
+      ~tpl~database: "{{ .Values.global.pgDatabase }}"
+      ~tpl~owner: "{{ .Values.global.pgUser }}"
+      secretName: "pg-db"
+      enabled: true
+      #targetTime: "2023-12-01T09:00:00"
+      barmanObjectStore:
+        ~tpl~destinationPath: "s3://les1000jours-prod-backups/les1000jours"
+        s3Credentials:
+          accessKeyId:
+            ~tpl~name: "les1000jours-prod-backups-access-key"
+            key: bucket_access_key
+          secretAccessKey:
+            ~tpl~name: "les1000jours-prod-backups-access-key"
+            key: bucket_secret_key
+          region:
+            ~tpl~name: "les1000jours-prod-backups-access-key"
+            key: bucket_region
+

.kontinuous/env/preprod/templates/les1000jours-prod-backups-access-key.sealed-secret.yaml

@@ -0,0 +1,17 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  annotations:
+    sealedsecrets.bitnami.com/cluster-wide: 'true'
+  name: les1000jours-prod-backups-access-key
+spec:
+  encryptedData:
+    bucket_access_key: AgBXMBpaDwqtV9Zvv0yssxa9167/rrp9L+XM2CSCBo2V+26dNHOUdObKZCXoB7+383xsE+ip7ibE2qft0bvUpTXqpqpkCEbTTFPu/sEYyLl/ndV2YPm4HJLf5JXMcCQUAc5RyG0f9tdQjn6saIqQQkbOLT7hPF9C+phU6XOjdaIwTQb3sD94ZSXJJ8rCmeYoBfGJAkfwSxPNdprCQDe2qB63wz+1NiL15OG3pX1b/5xAhMVN19W8ExJ9khqkAE6vqGjw95mqlPxhqWcPOCZWQKd17rQavWHOGlCIR1oX5GwNqsRnoJFSxqRCI+jltpgBOaZD3+XVBw6frkFwKPZvnz6ltuLI7VtHixKH0MPBLNUC39gQ47AyFTlMuH4oEFPvDA8iy6HKovPhA/SzO14gHhRci25ICqjvrglXIBE6NXvKYLn98twWbIozH/nwFWQ1UC9ZNKmQeNdDqUA6a8GTTYiphlsAKZ67mc9IFA6bpL4xOb5kucB2MrTNgTxJAeLgVO3nVCayXejUhT91AZqjz7RYhy+1h8xUBWm57PExxCJ3hAiyMim6Mj9Dc+EZGMqsYg3SRcrDT3ncbb+oBSuTxFytTDsa4+mKUV8k+NDOgInWSER21RniN+zt6uMtsRPcItoQvj5cvMYPe9m19XqH/wGjTFbgd+Aoa3ktTwJw9q83zUx9wbZ4BlYYrOeFBLhOQpnT8toPrsug2CpzkhdRRXp4aM84mOy6WAzNOgcdDO2/eA==
+    bucket_region: AgAgvbih0BEDkbHdDTZYj6EBZzHXXt2AEBsh4QY2T5oNq7bOcsccEwNDFvpNsc/jVRB/f+8GnS8+FN2cUeV0ddsw85Ioh/h1Ftu6V+a2i/6bQ4v9fAeZARp8bkGG0umtxhY09vsmThC/JBrmamDgiyK05ArvwacYUKKyooPAMJ6kP1PeGKgpx+O0WsYuK/qPDg61f7nGkt8z0iOnaU6NYMzaJjknZ9LWcpV5XSDCLzvPI6mDMB/eke8gMwGLejqdg4iqfCbE2z3ex1tvTob4rMNqdfjqkQSA4VADi5V40Kov+15+QQDFZe/im3N0BWVZiQB5M4BotXPtwz4k3aGXMREHrk9lwenjlsU4Hpp/snXm68VfDRYh1gSUUEFVxLtcFcDdGSCqxP/RXA/TqU2M2+DvRpq18BI2TNQ0O6c9gQVYUTFAAPEv6VIsCVEL7iFjhlC9ETyXOYtrnpKTwq+bJDbvwua7+g/9uM8nnb7VvMdvOpIQcfEPrL1NJdFUWmbE2LynFfmSBF9cKz07tpu945EAP+VOF3Zn3+LfJa9aHJ6qi/7zbguNblZcx8KfoIS0MWLyutnBtJN/2IuFcobPBYWwlDpNpit9KJ7y3Be+3H6obCyimz1lhXfl7dF0WPAluDQGbvoCfsUx9LxicrDnXoGA5pRqNKwLBp0pUE2TIFY47+lS8hCvtj9xFo+4lSxCs3Loe9k=
+    bucket_secret_key: AgDQrJS7bl3CECS8V73hd+m2ZQrjLYa4tAGkW6wF97hl4RJoLB1y6G3ztFv2QOcfSy9b+r/lBaMk8qs+R2RWI0yAp+WEXGcODJyl+qeMrw0wXpeHBV7UlklFRz9h+jsZ8jW1qJPo1ArRv6wYs5ZRttB5ND5FkobgIRkHD4tOkMyXWPI5JoSycTwNPX6+UKSeiOo0CxPbTT50iq5V7ZufxznYQRMu5fo1mP051GoAnbLVIm6T8Ns+KBxZ0F8DXpWj/IV/SBjCea7MfG3xkHa4vAwsAkc4om+5FE1jL6tE47Mm0CJxdd8Unhco4iIPucrznVu0J5cJCv0nlD36mV17WY9j/3EyZTsT79MAlfRLD6okWfJ30kRBQ9Fa2onRybnDkhlY4rL1yFpKLKNozNa3qMoxk53wKidcc7kH1wAIcTLtjdtWwAJD6KHtEDjZTYS6n75Vi6s5SIU5ujb5dEPj2F7Yu6F6uuE8kylPZjky0TUOOPsG/eXS6FDO3tnl8CVP2oCz42iWxWNAOziIp8UP2U+2Z1rdIA8GU9u4mI/FtBszyzA4vZihuyxj/L8XtMjHzI+A24Pqw9kBsNtxUDEUzBDOD+tXXtgZeeO9MaSNHeaq9RldNaXXq8HFamlPBsJpkV6vNWGUCOTShF6xTEqjOblnFdjGrXkLxR2T2KOZ/FKmCCuRluVeMt1NSTRWbKh9UXGsjdB2AWqddub5j1NAn4vFjO0AqSqEL1w6M91ntQGWFg==
+  template:
+    metadata:
+      annotations:
+        sealedsecrets.bitnami.com/cluster-wide: 'true'
+      name: les1000jours-prod-backups-access-key
+    type: Opaque

.kontinuous/env/preprod/values.yaml

@@ -1,50 +1,35 @@
 app-strapi:
   host: "backoffice-1000jours-preprod.dev.fabrique.social.gouv.fr"
-  ~needs: [pg, build-strapi, restore]
+  ~needs: [pg, build-strapi]
   addVolumes:
     - uploads
   volumeMounts:
     - mountPath: /app/public/uploads
       name: uploads
 
-# todo: a remplacer par une conf de restore CNPG
-#
-jobs:
-  runs:
-    restore:
-      ~needs: [pg]
-      use: pg-restore
-      checkout: false
-      with:
-        mountPath: /mnt/restore
-        restorePath: "${LATEST}"
-        pgAdminUserSecretRefName: pg-superuser
-      env: # there is a bug when setting custom job env, so we have to repeat "with" vars here
-        - name: RESTORE_PATH
-          value: "${LATEST}"
-        - name: OWNER
-          value: "{{ $.Values.global.pgUser }}"
-        - name: MOUNT_PATH
-          value: /mnt/restore
-        - name: FILTER_PATH
-          value: prod_db
-        - name: PGPASSWORD
-          value: "$(password)"
-        - name: PGUSER
-          value: "$(username)"
-        - name: PGHOST
-          value: "pg-rw"
-        - name: PGDATABASE
-          value: "{{ $.Values.global.pgDatabase }}"
-      volumeMounts:
-        - name: restore
-          mountPath: /mnt/restore
-          readOnly: true
-      volumes:
-        - name: restore
-          csi:
-            driver: file.csi.azure.com
-            readOnly: true
-            volumeAttributes:
-              secretName: les1000joursprodserver-backup-credentials
-              shareName: les1000jprodsrv2-backup-restore
+pg:
+  ~chart: pg
+  # this force ce PG cluster to be destroyed on redeploys
+  ~preDeploy.cleaner:
+    match:
+      kind: Cluster
+    value: true
+  cnpg-cluster:
+    recovery:
+      enabled: true
+      ~tpl~database: "{{ .Values.global.pgDatabase }}"
+      ~tpl~owner: "{{ .Values.global.pgUser }}"
+      secretName: "pg-db"
+      barmanObjectStore:
+        ~tpl~destinationPath: "s3://les1000jours-prod-backups/les1000jours"
+        s3Credentials:
+          accessKeyId:
+            ~tpl~name: "les1000jours-prod-backups-access-key"
+            key: bucket_access_key
+          secretAccessKey:
+            ~tpl~name: "les1000jours-prod-backups-access-key"
+            key: bucket_secret_key
+          region:
+            ~tpl~name: "les1000jours-prod-backups-access-key"
+            key: bucket_region
+