How‑To: Nightly Postgres → MinIO Backups with Kubernetes CronJob (plus lifecycle)


Updated: 2025-08-24

Overview

Create a CronJob that runs `pg_dumpall`, compresses the dump, and uploads to MinIO. Add a lifecycle rule to age off old backups automatically.

Prerequisites

- Postgres reachable from the cluster
- MinIO endpoint and access keys
- kubectl access to create Secrets and CronJobs

Secrets (example):

kubectl -n backups create secret generic minio-env   --from-literal=MC_HOST_minio="http://ACCESSKEY:SECRETKEY@minio.minio.svc.cluster.local:9000"   --from-literal=BUCKET="pg-backups"

kubectl -n backups create secret generic pg-env   --from-literal=PGHOST=postgres.postgres.svc.cluster.local   --from-literal=PGPORT=5432   --from-literal=PGUSER=postgres

CronJob manifest:

apiVersion: batch/v1
kind: CronJob
metadata:
  name: pg-backup
  namespace: backups
spec:
  schedule: "0 3 * * *"
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 2
  failedJobsHistoryLimit: 2
  jobTemplate:
    spec:
      backoffLimit: 0
      template:
        spec:
          restartPolicy: Never
          containers:
          - name: backup
            image: alpine:3.20
            envFrom:
            - secretRef: { name: minio-env }
            - secretRef: { name: pg-env }
            command: ["/bin/sh","-lc"]
            args:
            - |
              set -euo pipefail
              apk add --no-cache postgresql-client minio-client
              ts=$(date -u +%Y%m%dT%H%M%SZ)
              pg_dumpall -h "$PGHOST" -p "$PGPORT" -U "$PGUSER" -f /tmp/cluster.sql
              gzip -9 /tmp/cluster.sql
              mc mb -p minio/"$BUCKET" || true
              mc cp /tmp/cluster.sql.gz minio/"$BUCKET"/cluster-$ts.sql.gz
            resources:
              requests: { cpu: "50m", memory: "128Mi", ephemeral-storage: "1Gi" }
              limits:   { cpu: "500m", memory: "512Mi", ephemeral-storage: "5Gi" }

Lifecycle policy (delete after 14 days):

# one-off job/pod to set ILM on the bucket
kubectl -n backups run --rm -it mc --image=alpine:3.20 -- sh -lc '
  apk add --no-cache minio-client &&
  mc alias set minio "$MC_HOST_minio" &&
  mc ilm add --expiry-days 14 minio/pg-backups &&
  mc ilm ls minio/pg-backups'

Restore (Quick):

# Download a backup and restore all DBs
mc cp minio/pg-backups/cluster-<timestamp>.sql.gz .
gunzip cluster-<timestamp>.sql.gz
psql -h $PGHOST -p $PGPORT -U postgres -f cluster-<timestamp>.sql

Verification

kubectl -n backups get cronjob pg-backup
kubectl -n backups logs job/pg-backup-<timestamp>
# List objects:
kubectl -n backups run --rm -it mc --image=alpine:3.20 -- sh -lc '
  apk add --no-cache minio-client &&
  mc alias set minio "$MC_HOST_minio" &&
  mc ls minio/pg-backups'

Troubleshooting

- `/bin/sh: MINIO_ACCESS_KEY: parameter not set` → use MC_HOST_minio, not old env var names.
- `AccessDenied` → wrong ACCESS/SECRET or bucket policy; test with `mc alias set`.
- Pod OOM/ephemeral storage errors → increase resource limits; run off-peak.
- Network/TLS issues → verify service DNS names and CA trust to MinIO.

Security

- Use a write-only MinIO key scoped to the backup bucket.
- Enable SSE (server-side encryption) or KMS.
- Keep DB creds in Secrets; avoid storing in images/logs.
- Consider PITR with WAL archiving for production RPO < 24h.

Meme idea

Backups are like umbrellas—you miss them most when the sky opens up.

Taylor Swift

“I remember it all too well.” — All Too Well

Comments

Post a Comment

Popular posts from this blog

Learning to Automate My Side Projects with SWE-agent + GitLab

Image
I wanted to share something I built. I managed to connect SWE-agent with my self-hosted GitLab so that Issues can drive automation—and I think it’s kind of cool. (Currently, it isn’t directly supported in SWE-Agent, but there is an issue ( https://github.com/SWE-agent/SWE-agent/issues/760 ) on GitHub to add support. Why wait? ^_^) I’ve been tinkering with SWE-agent in the homelab while between roles. SWE-agent doesn’t natively support GitLab, but that wasn’t going to stop me—I wired it into my self-hosted GitLab instance so Issues drive the automation end-to-end. The Flow I Built 1. Start with an Issue. When I create an Issue, I describe the task in plain language. For example: “create `/taylor-swift` route that responds with JSON key lucky=13.” 2. Label the intent. Add the label `run:swe` and tag the model (in my case: `model:qwen3-coder-30b-a3b-instruct` from LM Studio). There is also a label swe:in-progress so that the pipeline does not pick up in-progress issues. If the pipeline ne...
Read more

Ship-Ready Web Essentials: Search, Sitemap, Metadata & Icons (SvelteKit)

This guide is a pragmatic, production-minded checklist and how-to for hardening a SvelteKit landing site so it’s discoverable by search engines, understandable by AI crawlers, and delightful on modern devices. It includes file locations, example contents, and verification steps. Everything here works even if you only have a single landing page today. Branding note: this document uses a fictional brand (“Example Store”) and domain (example.com). Replace these with your own values when you implement. Quick To-Do Checklist • Serve a real XML sitemap at /sitemap.xml and reference it in robots.txt. • Add a lightweight, server-rendered /search?q=… endpoint (backs JSON-LD SearchAction). • Place ai.txt (allow/deny AI crawlers) and .well-known/security.txt (vuln-reporting). • Wire canonical Open Graph/Twitter tags and og.png for social previews. • Add platform icons (apple-touch-icon.png, safari-pinned-tab.svg) and site.webmanifest. • Harden app.html with meta theme-color (light/dark), color-sc...
Read more

Kubernetes Secrets Management — SOPS + age (GitOps‑friendly)

Image
  Owner: Platform Engineering Audience: Devs & Ops Status: Adopted This document captures the exact process we use to manage Kubernetes secrets with Mozilla SOPS and the age encryption tool. It includes why we chose this approach, how to work with secrets day‑to‑day, and trade‑offs versus other methods. Executive Summary We store Kubernetes Secret manifests in Git encrypted at rest using SOPS with an age public key.  SOPS encrypts your secret values with AES‑256‑GCM , which is industry gold standard. In SOPS you can not swap AES‑256‑GCM out. The age private key lives only in protected CI variables. CI decrypts the manifests at deploy time and applies them with kubectl. No in‑cluster controllers, CRDs, or webhooks are required. Why this approach Top benefits: • Zero in‑cluster installs (no CRDs/controllers to run or break). • GitOps‑native: encrypted YAML sits in the repo; diffs remain readable (metadata & keys stay visible). • Cloud‑agnostic: age works anywhere; no ...
Read more