Add borgmatic user to k8s-pg via CloudNativePG

- Create secret-borgmatic.yaml.tpl for 1Password integration - Add borgmatic managed role with pg_read_all_data privilege - Update README with borgmatic user documentation Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-19 17:39:27 -08:00 · 2026-01-19 17:39:27 -08:00 · 420aaf5696
commit 420aaf5696
parent 3f6af244f6
3 changed files with 31 additions and 6 deletions
--- a/argocd/manifests/databases/README.md
+++ b/argocd/manifests/databases/README.md
@ -14,15 +14,16 @@ Single-instance PostgreSQL cluster for blumeops services.

 ### Users/Roles

-| User     | Role        | Purpose                          | Password Source                    |
-|----------|-------------|----------------------------------|------------------------------------|
-| postgres | superuser   | CNPG internal (avoid using)      | `blumeops-pg-superuser` secret     |
-| miniflux | app owner   | Owns miniflux database           | `blumeops-pg-app` secret           |
-| eblume   | superuser   | Admin access (matches brew pg)   | `blumeops-pg-eblume` secret (manual) |
+| User      | Role           | Purpose                          | Password Source                       |
+|-----------|----------------|----------------------------------|---------------------------------------|
+| postgres  | superuser      | CNPG internal (avoid using)      | `blumeops-pg-superuser` secret        |
+| miniflux  | app owner      | Owns miniflux database           | `blumeops-pg-app` secret              |
+| eblume    | superuser      | Admin access (matches brew pg)   | `blumeops-pg-eblume` secret (manual)  |
+| borgmatic | pg_read_all_data | Backup access for borgmatic    | `blumeops-pg-borgmatic` secret (manual) |

 ### Manual Secret Setup

-Before deploying, create the eblume password secret:
+Before deploying, create the password secrets:

 ```bash
 # Create namespace first
@ -30,6 +31,9 @@ kubectl create namespace databases

 # Apply eblume password from 1Password
 op inject -i argocd/manifests/databases/secret-eblume.yaml.tpl | kubectl apply -f -
+
+# Apply borgmatic password from 1Password
+op inject -i argocd/manifests/databases/secret-borgmatic.yaml.tpl | kubectl apply -f -
 ```

 The `miniflux` user password is auto-generated by CloudNativePG and stored in `blumeops-pg-app`.
--- a/argocd/manifests/databases/blumeops-pg.yaml
+++ b/argocd/manifests/databases/blumeops-pg.yaml
@ -29,6 +29,14 @@ spec:
        createrole: true
        passwordSecret:
          name: blumeops-pg-eblume
+      # borgmatic read-only user for backups
+      - name: borgmatic
+        login: true
+        superuser: false
+        inRoles:
+          - pg_read_all_data
+        passwordSecret:
+          name: blumeops-pg-borgmatic

  # Resource limits for minikube environment
  resources:
--- a/argocd/manifests/databases/secret-borgmatic.yaml.tpl
+++ b/argocd/manifests/databases/secret-borgmatic.yaml.tpl
@ -0,0 +1,13 @@
+# Template for borgmatic backup user password
+# Apply with: op inject -i secret-borgmatic.yaml.tpl | kubectl apply -f -
+#
+# Uses the same borgmatic password from 1Password as the brew PostgreSQL setup
+apiVersion: v1
+kind: Secret
+metadata:
+  name: blumeops-pg-borgmatic
+  namespace: databases
+type: kubernetes.io/basic-auth
+stringData:
+  username: borgmatic
+  password: {{ op://vg6xf6vvfmoh5hqjjhlhbeoaie/mw2bv5we7woicjza7hc6s44yvy/password }}