feat(helm): add backup CronJobs and configurable image registry

Add nightly S3 backup automation (CockroachDB pg_dump, MongoDB mongodump,
S3-to-S3 file sync) with retention cleanup and credential rotation support.
Add hulyRegistry value to allow overriding the Docker image registry prefix
for all Huly service deployments (e.g. for GAR/private registry).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: dnplkndll

kube/helm/huly/templates/_helpers.tpl

@@ -112,6 +112,25 @@ Init container that waits for Redpanda to accept connections.
 {{- end }}
 {{- end }}
 
+{{/*
+Backup secret resource name.
+*/}}
+{{- define "huly.backupSecretName" -}}
+{{- printf "%s-backup-secret" (include "huly.fullname" .) }}
+{{- end }}
+
+{{/*
+Env var from backup Secret helper.
+Usage: {{- include "huly.envBackupSecret" (dict "name" "BACKUP_S3_ENDPOINT" "key" "BACKUP_S3_ENDPOINT" "root" .) }}
+*/}}
+{{- define "huly.envBackupSecret" -}}
+- name: {{ .name }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "huly.backupSecretName" .root }}
+      key: {{ .key }}
+{{- end }}
+
 {{/*
 Env var from Secret helper — reduces boilerplate.
 Usage: {{- include "huly.envSecret" (dict "name" "SERVER_SECRET" "key" "SERVER_SECRET" "root" .) }}

kube/helm/huly/templates/account/deployment.yaml

@@ -24,7 +24,7 @@ spec:
         {{- include "huly.waitForRedpanda" . | nindent 8 }}
       containers:
         - name: account
-          image: hardcoreeng/account:{{ .Values.hulyVersion }}
+          image: {{ .Values.hulyRegistry }}/account:{{ .Values.hulyVersion }}
           ports:
             - name: http
               containerPort: 3000

kube/helm/huly/templates/backup/cronjob-cockroachdb.yaml

@@ -0,0 +1,85 @@
+{{- if and .Values.backup.enabled .Values.backup.cockroachdb.enabled .Values.cockroach.enabled }}
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: {{ include "huly.fullname" . }}-backup-cockroachdb
+  labels:
+    {{- include "huly.labels" . | nindent 4 }}
+    app: backup-cockroachdb
+spec:
+  schedule: {{ .Values.backup.cockroachdb.schedule | default .Values.backup.schedule | quote }}
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 3
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    spec:
+      backoffLimit: 2
+      template:
+        metadata:
+          labels:
+            {{- include "huly.labels" . | nindent 12 }}
+            app: backup-cockroachdb
+        spec:
+          {{- include "huly.scheduling" . | nindent 10 }}
+          restartPolicy: OnFailure
+          volumes:
+            - name: backup
+              emptyDir: {}
+          initContainers:
+            - name: pg-dump
+              image: postgres:16-alpine
+              volumeMounts:
+                - name: backup
+                  mountPath: /backup
+              env:
+                {{- include "huly.envSecret" (dict "name" "CR_DB_URL" "key" "CR_DB_URL" "root" .) | nindent 16 }}
+              command:
+                - sh
+                - -c
+                - |
+                  set -e
+                  STAMP=$(date +%Y%m%d-%H%M%S)
+                  DEST="/backup/cockroachdb_${STAMP}.sql.gz"
+                  echo "Dumping CockroachDB to ${DEST}..."
+                  pg_dump "$CR_DB_URL" | gzip > "$DEST"
+                  ls -lh "$DEST"
+                  echo "pg_dump complete."
+          containers:
+            - name: rclone-upload
+              image: {{ .Values.backup.rcloneImage }}
+              volumeMounts:
+                - name: backup
+                  mountPath: /backup
+              env:
+                {{- include "huly.envBackupSecret" (dict "name" "BACKUP_S3_ENDPOINT" "key" "BACKUP_S3_ENDPOINT" "root" .) | nindent 16 }}
+                {{- include "huly.envBackupSecret" (dict "name" "BACKUP_S3_REGION" "key" "BACKUP_S3_REGION" "root" .) | nindent 16 }}
+                {{- include "huly.envBackupSecret" (dict "name" "BACKUP_S3_BUCKET" "key" "BACKUP_S3_BUCKET" "root" .) | nindent 16 }}
+                {{- include "huly.envBackupSecret" (dict "name" "BACKUP_S3_PATH_PREFIX" "key" "BACKUP_S3_PATH_PREFIX" "root" .) | nindent 16 }}
+                {{- include "huly.envBackupSecret" (dict "name" "BACKUP_S3_ACCESS_KEY" "key" "BACKUP_S3_ACCESS_KEY" "root" .) | nindent 16 }}
+                {{- include "huly.envBackupSecret" (dict "name" "BACKUP_S3_SECRET_KEY" "key" "BACKUP_S3_SECRET_KEY" "root" .) | nindent 16 }}
+              command:
+                - sh
+                - -c
+                - |
+                  set -e
+                  # Configure rclone remote
+                  rclone config create backup s3 \
+                    provider=Other \
+                    env_auth=false \
+                    access_key_id="$BACKUP_S3_ACCESS_KEY" \
+                    secret_access_key="$BACKUP_S3_SECRET_KEY" \
+                    endpoint="$BACKUP_S3_ENDPOINT" \
+                    region="$BACKUP_S3_REGION" \
+                    --non-interactive
+
+                  REMOTE_PATH="backup:${BACKUP_S3_BUCKET}/${BACKUP_S3_PATH_PREFIX}/cockroachdb/"
+
+                  echo "Uploading to ${REMOTE_PATH}..."
+                  rclone copy /backup/ "$REMOTE_PATH" --include "*.sql.gz" -v
+
+                  echo "Cleaning up backups older than {{ .Values.backup.retentionDays }} days..."
+                  rclone delete "$REMOTE_PATH" --min-age {{ .Values.backup.retentionDays }}d -v
+
+                  echo "Backup complete."
+                  rclone ls "$REMOTE_PATH" | tail -5
+{{- end }}

kube/helm/huly/templates/backup/cronjob-files.yaml

@@ -0,0 +1,107 @@
+{{- if and .Values.backup.enabled .Values.backup.files.enabled }}
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: {{ include "huly.fullname" . }}-backup-files
+  labels:
+    {{- include "huly.labels" . | nindent 4 }}
+    app: backup-files
+spec:
+  schedule: {{ .Values.backup.files.schedule | default .Values.backup.schedule | quote }}
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 3
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    spec:
+      backoffLimit: 2
+      template:
+        metadata:
+          labels:
+            {{- include "huly.labels" . | nindent 12 }}
+            app: backup-files
+        spec:
+          {{- include "huly.scheduling" . | nindent 10 }}
+          restartPolicy: OnFailure
+          containers:
+            - name: rclone-sync
+              image: {{ .Values.backup.rcloneImage }}
+              env:
+                {{- include "huly.envSecret" (dict "name" "STORAGE_CONFIG" "key" "STORAGE_CONFIG" "root" .) | nindent 16 }}
+                {{- include "huly.envBackupSecret" (dict "name" "BACKUP_S3_ENDPOINT" "key" "BACKUP_S3_ENDPOINT" "root" .) | nindent 16 }}
+                {{- include "huly.envBackupSecret" (dict "name" "BACKUP_S3_REGION" "key" "BACKUP_S3_REGION" "root" .) | nindent 16 }}
+                {{- include "huly.envBackupSecret" (dict "name" "BACKUP_S3_BUCKET" "key" "BACKUP_S3_BUCKET" "root" .) | nindent 16 }}
+                {{- include "huly.envBackupSecret" (dict "name" "BACKUP_S3_PATH_PREFIX" "key" "BACKUP_S3_PATH_PREFIX" "root" .) | nindent 16 }}
+                {{- include "huly.envBackupSecret" (dict "name" "BACKUP_S3_ACCESS_KEY" "key" "BACKUP_S3_ACCESS_KEY" "root" .) | nindent 16 }}
+                {{- include "huly.envBackupSecret" (dict "name" "BACKUP_S3_SECRET_KEY" "key" "BACKUP_S3_SECRET_KEY" "root" .) | nindent 16 }}
+              command:
+                - sh
+                - -c
+                - |
+                  set -e
+
+                  # Parse STORAGE_CONFIG to extract source S3 details.
+                  # Format: s3|https://endpoint?accessKey=X&secretKey=Y&region=Z&rootBucket=B
+                  #     or: minio|minio?accessKey=X&secretKey=Y
+
+                  PROTO=$(echo "$STORAGE_CONFIG" | cut -d'|' -f1)
+                  REST=$(echo "$STORAGE_CONFIG" | cut -d'|' -f2)
+
+                  if [ "$PROTO" = "minio" ]; then
+                    # MinIO: host is "minio", creds in query string
+                    SRC_ENDPOINT="http://minio:9000"
+                    SRC_PROVIDER="Minio"
+                  else
+                    # External S3: endpoint is the URL before '?'
+                    SRC_ENDPOINT=$(echo "$REST" | cut -d'?' -f1)
+                    SRC_PROVIDER="Other"
+                  fi
+
+                  PARAMS=$(echo "$REST" | cut -d'?' -f2)
+                  SRC_ACCESS_KEY=$(echo "$PARAMS" | tr '&' '\n' | grep '^accessKey=' | cut -d= -f2)
+                  SRC_SECRET_KEY=$(echo "$PARAMS" | tr '&' '\n' | grep '^secretKey=' | cut -d= -f2)
+                  SRC_REGION=$(echo "$PARAMS" | tr '&' '\n' | grep '^region=' | cut -d= -f2)
+                  SRC_ROOT_BUCKET=$(echo "$PARAMS" | tr '&' '\n' | grep '^rootBucket=' | cut -d= -f2)
+                  SRC_BUCKET_PREFIX=$(echo "$PARAMS" | tr '&' '\n' | grep '^bucketPrefix=' | cut -d= -f2)
+
+                  # Configure source remote
+                  rclone config create source s3 \
+                    provider="$SRC_PROVIDER" \
+                    env_auth=false \
+                    access_key_id="$SRC_ACCESS_KEY" \
+                    secret_access_key="$SRC_SECRET_KEY" \
+                    endpoint="$SRC_ENDPOINT" \
+                    region="${SRC_REGION:-us-east-1}" \
+                    --non-interactive
+
+                  # Configure backup remote
+                  rclone config create backup s3 \
+                    provider=Other \
+                    env_auth=false \
+                    access_key_id="$BACKUP_S3_ACCESS_KEY" \
+                    secret_access_key="$BACKUP_S3_SECRET_KEY" \
+                    endpoint="$BACKUP_S3_ENDPOINT" \
+                    region="$BACKUP_S3_REGION" \
+                    --non-interactive
+
+                  # Determine source path
+                  if [ -n "$SRC_ROOT_BUCKET" ]; then
+                    SRC_PATH="source:${SRC_ROOT_BUCKET}"
+                  elif [ -n "$SRC_BUCKET_PREFIX" ]; then
+                    echo "Warning: bucketPrefix mode — syncing all buckets with prefix '${SRC_BUCKET_PREFIX}'"
+                    SRC_PATH="source:${SRC_BUCKET_PREFIX}"
+                  else
+                    echo "Error: cannot determine source bucket from STORAGE_CONFIG"
+                    exit 1
+                  fi
+
+                  DEST_PATH="backup:${BACKUP_S3_BUCKET}/${BACKUP_S3_PATH_PREFIX}/files/"
+
+                  echo "Syncing files from ${SRC_PATH} to ${DEST_PATH}..."
+                  rclone sync "$SRC_PATH" "$DEST_PATH" \
+                    --transfers 8 \
+                    --checkers 16 \
+                    --fast-list \
+                    -v
+
+                  echo "File sync complete."
+{{- end }}

kube/helm/huly/templates/backup/cronjob-mongodb.yaml

@@ -0,0 +1,84 @@
+{{- if and .Values.backup.enabled .Values.backup.mongodb.enabled .Values.aibot.enabled }}
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: {{ include "huly.fullname" . }}-backup-mongodb
+  labels:
+    {{- include "huly.labels" . | nindent 4 }}
+    app: backup-mongodb
+spec:
+  schedule: {{ .Values.backup.mongodb.schedule | default .Values.backup.schedule | quote }}
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 3
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    spec:
+      backoffLimit: 2
+      template:
+        metadata:
+          labels:
+            {{- include "huly.labels" . | nindent 12 }}
+            app: backup-mongodb
+        spec:
+          {{- include "huly.scheduling" . | nindent 10 }}
+          restartPolicy: OnFailure
+          volumes:
+            - name: backup
+              emptyDir: {}
+          initContainers:
+            - name: mongodump
+              image: {{ .Values.mongodb.image }}
+              volumeMounts:
+                - name: backup
+                  mountPath: /backup
+              env:
+                {{- include "huly.envConfig" (dict "name" "MONGO_URL" "key" "MONGO_URL" "root" .) | nindent 16 }}
+              command:
+                - sh
+                - -c
+                - |
+                  set -e
+                  STAMP=$(date +%Y%m%d-%H%M%S)
+                  DEST="/backup/mongodb_${STAMP}.gz"
+                  echo "Dumping MongoDB to ${DEST}..."
+                  mongodump --uri="$MONGO_URL" --archive="$DEST" --gzip
+                  ls -lh "$DEST"
+                  echo "mongodump complete."
+          containers:
+            - name: rclone-upload
+              image: {{ .Values.backup.rcloneImage }}
+              volumeMounts:
+                - name: backup
+                  mountPath: /backup
+              env:
+                {{- include "huly.envBackupSecret" (dict "name" "BACKUP_S3_ENDPOINT" "key" "BACKUP_S3_ENDPOINT" "root" .) | nindent 16 }}
+                {{- include "huly.envBackupSecret" (dict "name" "BACKUP_S3_REGION" "key" "BACKUP_S3_REGION" "root" .) | nindent 16 }}
+                {{- include "huly.envBackupSecret" (dict "name" "BACKUP_S3_BUCKET" "key" "BACKUP_S3_BUCKET" "root" .) | nindent 16 }}
+                {{- include "huly.envBackupSecret" (dict "name" "BACKUP_S3_PATH_PREFIX" "key" "BACKUP_S3_PATH_PREFIX" "root" .) | nindent 16 }}
+                {{- include "huly.envBackupSecret" (dict "name" "BACKUP_S3_ACCESS_KEY" "key" "BACKUP_S3_ACCESS_KEY" "root" .) | nindent 16 }}
+                {{- include "huly.envBackupSecret" (dict "name" "BACKUP_S3_SECRET_KEY" "key" "BACKUP_S3_SECRET_KEY" "root" .) | nindent 16 }}
+              command:
+                - sh
+                - -c
+                - |
+                  set -e
+                  rclone config create backup s3 \
+                    provider=Other \
+                    env_auth=false \
+                    access_key_id="$BACKUP_S3_ACCESS_KEY" \
+                    secret_access_key="$BACKUP_S3_SECRET_KEY" \
+                    endpoint="$BACKUP_S3_ENDPOINT" \
+                    region="$BACKUP_S3_REGION" \
+                    --non-interactive
+
+                  REMOTE_PATH="backup:${BACKUP_S3_BUCKET}/${BACKUP_S3_PATH_PREFIX}/mongodb/"
+
+                  echo "Uploading to ${REMOTE_PATH}..."
+                  rclone copy /backup/ "$REMOTE_PATH" --include "*.gz" -v
+
+                  echo "Cleaning up backups older than {{ .Values.backup.retentionDays }} days..."
+                  rclone delete "$REMOTE_PATH" --min-age {{ .Values.backup.retentionDays }}d -v
+
+                  echo "Backup complete."
+                  rclone ls "$REMOTE_PATH" | tail -5
+{{- end }}

kube/helm/huly/templates/backup/secret.yaml

@@ -0,0 +1,43 @@
+{{- if .Values.backup.enabled }}
+{{- $secretName := include "huly.backupSecretName" . -}}
+{{- $existing := lookup "v1" "Secret" .Release.Namespace $secretName -}}
+{{- $hasExisting := not (empty $existing) -}}
+
+{{- /* Resolve active credential set */ -}}
+{{- $accessKey := "" -}}
+{{- $secretKey := "" -}}
+{{- if eq .Values.backup.s3.activeCredential "secondary" -}}
+  {{- $accessKey = .Values.backup.s3.secondaryAccessKey -}}
+  {{- $secretKey = .Values.backup.s3.secondarySecretKey -}}
+{{- else -}}
+  {{- $accessKey = .Values.backup.s3.accessKey -}}
+  {{- $secretKey = .Values.backup.s3.secretKey -}}
+{{- end -}}
+
+{{- /* Fall back to existing secret if keys are empty */ -}}
+{{- if and (not $accessKey) $hasExisting (hasKey $existing.data "BACKUP_S3_ACCESS_KEY") -}}
+  {{- $accessKey = index $existing.data "BACKUP_S3_ACCESS_KEY" | b64dec -}}
+{{- end -}}
+{{- if and (not $secretKey) $hasExisting (hasKey $existing.data "BACKUP_S3_SECRET_KEY") -}}
+  {{- $secretKey = index $existing.data "BACKUP_S3_SECRET_KEY" | b64dec -}}
+{{- end -}}
+
+{{- if or (not $accessKey) (not $secretKey) -}}
+  {{- fail "backup.s3.accessKey and backup.s3.secretKey are required when backup.enabled=true" }}
+{{- end -}}
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $secretName }}
+  labels:
+    {{- include "huly.labels" . | nindent 4 }}
+type: Opaque
+data:
+  BACKUP_S3_ENDPOINT: {{ .Values.backup.s3.endpoint | b64enc | quote }}
+  BACKUP_S3_REGION: {{ .Values.backup.s3.region | b64enc | quote }}
+  BACKUP_S3_BUCKET: {{ .Values.backup.s3.bucket | b64enc | quote }}
+  BACKUP_S3_PATH_PREFIX: {{ .Values.backup.s3.pathPrefix | b64enc | quote }}
+  BACKUP_S3_ACCESS_KEY: {{ $accessKey | b64enc | quote }}
+  BACKUP_S3_SECRET_KEY: {{ $secretKey | b64enc | quote }}
+{{- end }}

kube/helm/huly/templates/collaborator/deployment.yaml

@@ -21,7 +21,7 @@ spec:
       {{- include "huly.scheduling" . | nindent 6 }}
       containers:
         - name: collaborator
-          image: hardcoreeng/collaborator:{{ .Values.hulyVersion }}
+          image: {{ .Values.hulyRegistry }}/collaborator:{{ .Values.hulyVersion }}
           ports:
             - name: http
               containerPort: 3078

kube/helm/huly/templates/front/deployment.yaml

@@ -21,7 +21,7 @@ spec:
       {{- include "huly.scheduling" . | nindent 6 }}
       containers:
         - name: front
-          image: hardcoreeng/front:{{ .Values.hulyVersion }}
+          image: {{ .Values.hulyRegistry }}/front:{{ .Values.hulyVersion }}
           ports:
             - name: http
               containerPort: 8080

kube/helm/huly/templates/fulltext/deployment.yaml

@@ -24,7 +24,7 @@ spec:
         {{- include "huly.waitForRedpanda" . | nindent 8 }}
       containers:
         - name: fulltext
-          image: hardcoreeng/fulltext:{{ .Values.hulyVersion }}
+          image: {{ .Values.hulyRegistry }}/fulltext:{{ .Values.hulyVersion }}
           ports:
             - name: http
               containerPort: 4700

kube/helm/huly/templates/kvs/deployment.yaml

@@ -24,7 +24,7 @@ spec:
         {{- include "huly.waitForCockroach" . | nindent 8 }}
       containers:
         - name: kvs
-          image: hardcoreeng/hulykvs:{{ .Values.hulyVersion }}
+          image: {{ .Values.hulyRegistry }}/hulykvs:{{ .Values.hulyVersion }}
           ports:
             - name: http
               containerPort: 8094