Improve CNPG templating (#428)

* Improve CNPG templating

* Refactor object store credentials handling

Author: QuentinBisson

CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Changed
+
+- Improve CNPG templates.
+
 ## [2.33.0] - 2026-03-02
 
 ### Changed

helm/grafana/templates/cnpg/_helpers.tpl

@@ -0,0 +1,61 @@
+{{/*
+Object store credentials for CNPG barman-cloud ObjectStore resources.
+
+Outputs the appropriate credentials block based on the configured storage type.
+Intended to be called with `{{- include "grafana.cnpg.objectStoreCredentials" . | nindent 4 }}`.
+
+Credential paths:
+
+  S3 with explicit keys:
+    Condition: objectStorage.type == "s3" AND s3.accessKeyId AND s3.secretAccessKey are set
+    Use case: customers providing their own S3 bucket with static credentials
+    Source: the <cluster-name>-access-keys Secret (rendered by access-keys-secret.yaml)
+
+  S3 with IRSA:
+    Condition: objectStorage.type == "s3", no explicit keys
+    Use case: AWS/CAPA clusters with an IAM role configured for the CNPG service account
+    Source: pod's IAM role via IRSA (no secret needed)
+
+  Azure with Crossplane:
+    Condition: objectStorage.type == "azure" AND crossplane.azure.enabled == true
+    Use case: CAPZ clusters where Crossplane provisions the storage account
+    Source: connection string from the Crossplane-generated secret
+             (key: attribute.primary_blob_connection_string)
+
+  Azure manual:
+    Condition: objectStorage.type == "azure", Crossplane not enabled
+    Use case: non-Crossplane Azure installs with an existing storage account
+    Source: azureCredentials passthrough from objectStorage.azure.credentials
+*/}}
+{{- define "grafana.cnpg.objectStoreCredentials" -}}
+{{- if eq .Values.postgresqlCluster.objectStorage.type "s3" }}
+{{- if and .Values.postgresqlCluster.objectStorage.s3.accessKeyId .Values.postgresqlCluster.objectStorage.s3.secretAccessKey }}
+endpointURL: {{ .Values.postgresqlCluster.objectStorage.s3.endpointURL }}
+s3Credentials:
+  region: {{ .Values.postgresqlCluster.objectStorage.s3.region }}
+  accessKeyId:
+    name: {{ .Values.postgresqlCluster.name }}-access-keys
+    key: ACCESS_KEY_ID
+  secretAccessKey:
+    name: {{ .Values.postgresqlCluster.name }}-access-keys
+    key: SECRET_ACCESS_KEY
+{{- else }}
+s3Credentials:
+  inheritFromIAMRole: true
+{{- end }}
+{{- else if eq .Values.postgresqlCluster.objectStorage.type "azure" }}
+{{- if .Values.postgresqlCluster.crossplane.azure.enabled }}
+azureCredentials:
+  connectionString:
+    name: {{ .Values.postgresqlCluster.crossplane.azure.container.name }}
+    key: attribute.primary_blob_connection_string
+{{- else }}
+{{- with .Values.postgresqlCluster.objectStorage.azure.credentials }}
+azureCredentials:
+  {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+{{- else }}
+{{- fail "Unsupported object storage type. Supported types are 's3' and 'azure'." }}
+{{- end }}
+{{- end -}}

helm/grafana/templates/cnpg/bucket.yaml

@@ -1,3 +1,5 @@
+# TODO remove once we have migrated onprem clusters to use crossplane for bucket management
+
 {{- if and (.Values.postgresqlCluster.enabled) (and (.Values.postgresqlCluster.backup.enabled) (.Values.postgresqlCluster.objectStorage.bucket.create)) }}
 apiVersion: objectstorage.giantswarm.io/v1alpha1
 kind: Bucket

helm/grafana/templates/cnpg/objectstore-backup.yaml

@@ -0,0 +1,18 @@
+{{- if and .Values.postgresqlCluster.enabled .Values.postgresqlCluster.backup.enabled }}
+---
+apiVersion: barmancloud.cnpg.io/v1
+kind: ObjectStore
+metadata:
+  labels:
+    {{- include "grafana.labels" . | nindent 4 }}
+    observability.giantswarm.io/tenant: giantswarm
+  name: {{ .Values.postgresqlCluster.name }}-objectstore-backup
+  namespace: {{ .Release.Namespace }}
+spec:
+  configuration:
+    destinationPath: {{ .Values.postgresqlCluster.backup.destinationPath | quote }}
+    {{- include "grafana.cnpg.objectStoreCredentials" . | nindent 4 }}
+    wal:
+      compression: gzip
+  retentionPolicy: {{ .Values.postgresqlCluster.backup.retentionPolicy | quote }}
+{{- end }}

helm/grafana/templates/cnpg/objectstore-recovery.yaml

@@ -0,0 +1,17 @@
+{{- if and .Values.postgresqlCluster.enabled .Values.postgresqlCluster.recovery.enabled }}
+---
+apiVersion: barmancloud.cnpg.io/v1
+kind: ObjectStore
+metadata:
+  labels:
+    {{- include "grafana.labels" . | nindent 4 }}
+    observability.giantswarm.io/tenant: giantswarm
+  name: {{ .Values.postgresqlCluster.name }}-objectstore-recovery
+  namespace: {{ .Release.Namespace }}
+spec:
+  configuration:
+    destinationPath: {{ .Values.postgresqlCluster.recovery.destinationPath | quote }}
+    {{- include "grafana.cnpg.objectStoreCredentials" . | nindent 4 }}
+    wal:
+      compression: gzip
+{{- end }}

helm/grafana/templates/cnpg/objectstores.yaml

@@ -59,15 +59,23 @@ postgresqlCluster:
       accessKeyId: ""
       secretAccessKey: ""
     azure:
-      #-- For Azure object storage access
-      #   storageAccount:
-      #     name: storageAccountName
-      #     key: accountName
-      #   storageKey:
-      #     name: storageKeyName
-      #     key: accountKey
+      #-- Azure object storage credentials. Two paths are supported:
+      #
+      #   Crossplane (CAPZ): set crossplane.azure.enabled: true. Credentials are
+      #   auto-configured from the Crossplane-generated connection secret
+      #   (key: attribute.primary_blob_connection_string). No manual input needed.
+      #
+      #   Manual (non-Crossplane): provide explicit secret references, e.g.:
+      #   credentials:
+      #     storageAccount:
+      #       name: <secret-name>
+      #       key: <key-holding-account-name>
+      #     storageKey:
+      #       name: <secret-name>
+      #       key: <key-holding-account-key>
       credentials: {}
     #-- Bucket CR config
+    # TODO remove once we have migrated onprem clusters to use crossplane for bucket management
     bucket:
       create: false
       name: "giantswarm-installationName-grafana-postgresql"