[metabase] introduce a pre-upgrade hook to backup metabase application database (postgres only)

charts/metabase/Chart.yaml

@@ -3,7 +3,7 @@ description:
   The easy, open source way for everyone in your company to ask questions
   and learn from data.
 name: metabase
-version: 2.23.0
+version: 2.24.0
 appVersion: v0.56.2.x
 maintainers:
   - name: pmint93

charts/metabase/README.md

@@ -83,16 +83,27 @@ The following table lists the configurable parameters of the Metabase chart and
 | database.dbname                                 | Database name                                                              | null              |
 | database.username                               | Database username                                                          | null              |
 | database.password                               | Database password                                                          | null              |
-| database.existingSecret                         | Exising secret for database credentials                                    | null              |
-| database.existingSecretUsernameKey              | Username key for exising secret                                            | null              |
-| database.existingSecretPasswordKey              | Password key for exising secret                                            | null              |
-| database.existingSecretConnectionURIKey         | ConnectionURI key for exising secret                                       | null              |
-| database.existingSecretEncryptionKeyKey         | EncryptionKey key for exising secret                                       | null              |
+| database.existingSecret                         | existing secret for database credentials                                   | null              |
+| database.existingSecretUsernameKey              | Username key for existing secret                                           | null              |
+| database.existingSecretPasswordKey              | Password key for existing secret                                           | null              |
+| database.existingSecretConnectionURIKey         | ConnectionURI key for existing secret                                      | null              |
+| database.existingSecretEncryptionKeyKey         | EncryptionKey key for existing secret                                      | null              |
 | database.googleCloudSQL.instanceConnectionNames | Google Cloud SQL instance connection names. See `values.yaml` for details. | []                |
 | database.googleCloudSQL.sidecarImage            | Specific image for the Google Cloud SQL Auth proxy sidecar                 | gcr.io/cloudsql-docker/gce-proxy            |
 | database.googleCloudSQL.sidecarImageTag         | Specific tag for the Google Cloud SQL Auth proxy sidecar image             | latest            |
 | database.googleCloudSQL.resources               | Google Cloud SQL Auth proxy resource requests and limits                   | {}                |
 | database.googleCloudSQL.securityContext         | Google Cloud SQL Security Context                                          | runAsNonRoot: true|
+| database.postgresBackupHook.enabled             | Enables pg_dump backup pre-upgrade hook of Metabase application database   | false             |
+| database.postgresBackupHook.image               | image that contains 'pg_dump'                                              | postgres:latest   |
+| database.postgresBackupHook.existingSecret      | existing secret for database credentials                                   | null              |
+| database.postgresBackupHook.existingSecretUsernameKey      | Username key for existing secret                                | null              |
+| database.postgresBackupHook.existingSecretPasswordKey      | Password key for existing secret                                | null              |
+| database.postgresBackupHook.existingSecretHostKey          | Username key for existing secret                                | null              |
+| database.postgresBackupHook.existingSecretPortKey          | Password key for existing secret                                | null              |
+| database.postgresBackupHook.existingSecretDatabaseNameKey  | Password key for existing secret                                | null              |
+| database.postgresBackupHook.existingSecretConnectionURIKey | ConnectionURI key for existing secret                           | null              |
+| database.postgresBackupHook.pvcName             | name of the PersistenceVolumeClaim to store the backup                     | null              |
+| database.postgresBackupHook.schema              | pg_dump '--schema' option                                                  | null              |
 | password.complexity                             | Complexity requirement for Metabase account's password                     | normal            |
 | password.length                                 | Minimum length required for Metabase account's password                    | 6                 |
 | timeZone                                        | Service time zone                                                          | UTC               |

charts/metabase/templates/pg-dump-hook.yaml

@@ -0,0 +1,67 @@
+{{- if and (eq .Values.database.type "postgres") .Values.database.postgresBackupHook.enabled }}
+{{- $fullName := include "metabase.fullname" . }}
+{{- $datestring := (now | date "20060102-150405") }}
+{{- $jobname := ( printf "%s-rev-%d-%s" $fullName .Release.Revision $datestring ) }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ $jobname }}
+  annotations:
+    "helm.sh/hook": pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  backoffLimit: 0
+  template:
+    metadata:
+      name: pg-dump
+    spec:
+      containers:
+        - name: pg-dump
+          image: {{ .Values.database.postgresBackupHook.image | required "database.postgresBackupHook.image must be set" }}
+          env:
+            {{- if .Values.database.postgresBackupHook.existingSecretConnectionURIKey }}
+            - name: BACKUP_CONNECTION_URI
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.database.postgresBackupHook.existingSecret | required "database.postgresBackupHook.existingSecret must be set" }}
+                  key: {{ .Values.database.postgresBackupHook.existingSecretConnectionURIKey }}
+            {{- else }}
+            - name: PGPASSWORD 
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.database.postgresBackupHook.existingSecret }}
+                  key: {{ .Values.database.postgresBackupHook.existingSecretPasswordKey }}
+            - name: PGHOST
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.database.postgresBackupHook.existingSecret }}
+                  key: {{ .Values.database.postgresBackupHook.existingSecretHostKey }}
+            - name: PGUSER
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.database.postgresBackupHook.existingSecret }}
+                  key: {{ .Values.database.postgresBackupHook.existingSecretUsernameKey }}
+            - name: PGDATABASE 
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.database.postgresBackupHook.existingSecret }}
+                  key: {{ .Values.database.postgresBackupHook.existingSecretDatabaseNameKey }}
+            - name: PGPORT
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.database.postgresBackupHook.existingSecret }}
+                  key: {{ .Values.database.postgresBackupHook.existingSecretPortKey }}
+            {{- end }}
+          command:
+            - sh
+            - "-c" 
+            - pg_dump --file {{ ( printf "/backup/metabase_db_rev_%d_%s.dump" .Release.Revision $datestring ) | squote }} --format=c --verbose --verbose {{ if .Values.database.postgresBackupHook.schema }}--schema={{ .Values.database.postgresBackupHook.schema | squote }}{{- end }} {{ if .Values.database.postgresBackupHook.existingSecretConnectionURIKey }}$BACKUP_CONNECTION_URI{{- else }}$PGDATABASE{{- end }}
+          volumeMounts:
+            - name: backup-storage
+              mountPath: /backup
+      restartPolicy: Never
+      volumes:
+        - name: backup-storage
+          persistentVolumeClaim:
+            claimName: {{ .Values.database.postgresBackupHook.pvcName | required ".Values.database.postgresBackupHook.pvcName is required" }}
+{{- end }}

charts/metabase/values.yaml

@@ -128,6 +128,27 @@ database:
     resources: {}
     securityContext:
       runAsNonRoot: true
+  postgresBackupHook:
+    ## Only when you use postgres
+    ## enables a pre-upgrade hook that backups the metabase database with pg_dump prior to upgrading the Helm release
+    enabled: false
+    ## image that contains 'pg_dump'
+    ## version/tag should align with your actual version of postgres (e.g. 'postgres:17.7') for best compability of the dump
+    image: "postgres:latest"
+    ## secret with the database credentials must exist
+    # existingSecret:
+    ## either use connection string
+    # existingSecretConnectionURIKey:
+    ## or specify user,password,host,port and database seperately
+    # existingSecretUsernameKey:
+    # existingSecretPasswordKey:
+    # existingSecretPortKey:
+    # existingSecretHostKey:
+    # existingSecretDatabaseNameKey:
+    ## name of the PersistenceVolumeClaim to store the backup
+    # pvcName:
+    ## optional: specify pg_dump '--schema' option (e.g. if you have multiple schemas and only want to backup specific ones)
+    # schema:
 
 password:
   # Changing Metabase password complexity: