feat(helm): stable DB passwords, Barman backup, OAuth fixes, TLS auto-enable

- Change default postgres.database from vibe_kanban to remote (matches app migrations)
- Generate stable app password in postgres-credentials.yaml (lookup + randAlphaNum)
- Add vk-app secret for CNPG bootstrap.initdb.secret
- Use chart-generated URL for SERVER_DATABASE_URL instead of CNPG -app.uri
- Remove managed.roles from CNPG cluster (app migrations own electric_sync)
- Add postInitApplicationSQL to grant SUPERUSER on initdb
- Make GitHub/Google/Zoho OAuth injection conditional on non-empty key
- Auto-enable TLS when global.tls.clusterIssuer is set (ingress + relay-ingress)
- Add remote.<domain> alias when frontend.enabled=false
- Add helm.sh/resource-policy: keep on CNPG Cluster CR
- Add postgres.backup.* values for Barman Cloud Plugin (ObjectStore + ScheduledBackup)

Co-authored-by: Riajul Islam <riajul@kahf.co>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: 3 people

helm/vibe-kanban-team/templates/_helpers.tpl

@@ -93,17 +93,16 @@ Trimmed to 59 chars so CNPG-generated suffixes (-app, -rw, -superuser) stay with
 {{- printf "%s-vk-generated" (include "vibe-kanban-team.fullname" .) | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
+{{/* Secret with app DB credentials (username + password) for CNPG bootstrap.initdb.secret. */}}
+{{- define "vibe-kanban-team.appCredentialsSecretName" -}}
+{{- printf "%s-vk-app" .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
 {{/* Secret with key "password" consumed by CNPG managed.roles for the electric_sync role. */}}
 {{- define "vibe-kanban-team.electricSyncSecretName" -}}
 {{- printf "%s-vk-electric-sync" (include "vibe-kanban-team.fullname" .) | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
-{{/* Secret with username+password for the CNPG app user; passed as bootstrap.initdb.secret.
-     Kept across helm uninstall so the password survives cluster recreation. */}}
-{{- define "vibe-kanban-team.appCredentialsSecretName" -}}
-{{- printf "%s-vk-app" .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
 {{- define "vibe-kanban-team.ingress.className" -}}
 {{- $className := .className | default "" -}}
 {{- if $className -}}
@@ -224,7 +223,7 @@ Trimmed to 59 chars so CNPG-generated suffixes (-app, -rw, -superuser) stay with
 
 {{- define "vibe-kanban-team.remote.structuredEnv" -}}
 {{- if .Values.postgres.enabled }}
-{{/* postgres.enabled: chart-generated secret for DB URL (stable across reinstalls), JWT, electric password */}}
+{{/* postgres.enabled: chart-generated secret for DB URL, JWT, and electric password */}}
 - name: SERVER_DATABASE_URL
   valueFrom:
     secretKeyRef:
@@ -289,24 +288,12 @@ Trimmed to 59 chars so CNPG-generated suffixes (-app, -rw, -superuser) stay with
       name: {{ $oauth.name }}
       key: {{ $oauth.googleClientSecretKey }}
 {{- end }}
-{{- if $oauth.zohoClientIdKey }}
-- name: ZOHO_OAUTH_CLIENT_ID
-  valueFrom:
-    secretKeyRef:
-      name: {{ $oauth.name }}
-      key: {{ $oauth.zohoClientIdKey }}
-- name: ZOHO_OAUTH_CLIENT_SECRET
-  valueFrom:
-    secretKeyRef:
-      name: {{ $oauth.name }}
-      key: {{ $oauth.zohoClientSecretKey }}
-{{- end }}
 {{- end }}
 {{- end }}
 
 {{- define "vibe-kanban-team.relay.structuredEnv" -}}
 {{- if .Values.postgres.enabled }}
-{{/* postgres.enabled: chart-generated secret for DB URL (stable across reinstalls) + JWT */}}
+{{/* postgres.enabled: chart-generated secret for DB URL and JWT */}}
 - name: SERVER_DATABASE_URL
   valueFrom:
     secretKeyRef:

helm/vibe-kanban-team/templates/ingress.yaml

@@ -7,6 +7,12 @@
 {{- $annotations := include "vibe-kanban-team.ingress.annotations" (dict "root" . "annotations" .Values.ingress.annotations) -}}
 {{- $className := include "vibe-kanban-team.ingress.className" (dict "root" . "className" .Values.ingress.className) -}}
 {{- $derivedHost := include "vibe-kanban-team.remote.host" . -}}
+{{- $domain := .Values.global.domain | default "" -}}
+{{- $tlsEnabled := or .Values.ingress.tls (and (or .Values.global.tls.enabled (ne (.Values.global.tls.clusterIssuer | default "") "")) $derivedHost) -}}
+{{- $remoteAlias := "" -}}
+{{- if and $domain (not .Values.frontend.enabled) -}}
+{{- $remoteAlias = printf "remote.%s" $domain -}}
+{{- end -}}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -21,7 +27,7 @@ spec:
   {{- if $className }}
   ingressClassName: {{ $className }}
   {{- end }}
-  {{- if or .Values.ingress.tls (and .Values.global.tls.enabled $derivedHost) }}
+  {{- if $tlsEnabled }}
   tls:
     {{- if .Values.ingress.tls }}
     {{- range .Values.ingress.tls }}
@@ -34,6 +40,9 @@ spec:
     {{- else }}
     - hosts:
         - {{ $derivedHost | quote }}
+        {{- if $remoteAlias }}
+        - {{ $remoteAlias | quote }}
+        {{- end }}
       secretName: {{ printf "%sremote-tls" (.Values.global.tls.secretNamePrefix | default "") }}
     {{- end }}
   {{- end }}
@@ -86,5 +95,28 @@ spec:
                 name: {{ $fullName }}
                 port:
                   number: {{ $svcPort }}
+    {{- if $remoteAlias }}
+    - host: {{ $remoteAlias | quote }}
+      http:
+        paths:
+          {{- if $proxyRelayViaRemote }}
+          {{- range $.Values.relay.proxyUnderRemoteIngress.paths }}
+          - path: {{ .path }}
+            pathType: {{ .pathType }}
+            backend:
+              service:
+                name: {{ $relayName }}
+                port:
+                  number: {{ $relaySvcPort }}
+          {{- end }}
+          {{- end }}
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ $fullName }}
+                port:
+                  number: {{ $svcPort }}
+    {{- end }}
     {{- end }}
 {{- end }}

helm/vibe-kanban-team/templates/postgres-backup.yaml

@@ -0,0 +1,50 @@
+{{- if and .Values.postgres.enabled .Values.postgres.backup.enabled }}
+{{- $clusterName := include "vibe-kanban-team.postgres.clusterName" . }}
+{{- $backup := .Values.postgres.backup }}
+---
+# Barman Cloud ObjectStore: configures where backups and WAL archives are stored.
+# Requires the CNPG Barman Cloud Plugin to be installed in the cluster.
+apiVersion: barmancloud.cnpg.io/v1
+kind: ObjectStore
+metadata:
+  name: {{ $clusterName }}-backup
+  labels:
+    {{- include "vibe-kanban-team.labels" . | nindent 4 }}
+spec:
+  configuration:
+    destinationPath: {{ $backup.destinationPath | quote }}
+    {{- if $backup.endpointURL }}
+    endpointURL: {{ $backup.endpointURL | quote }}
+    {{- end }}
+    s3Credentials:
+      accessKeyId:
+        name: {{ $backup.secretName }}
+        key: {{ $backup.accessKeyIdKey }}
+      secretAccessKey:
+        name: {{ $backup.secretName }}
+        key: {{ $backup.secretAccessKeyKey }}
+    {{- if $backup.walCompression }}
+    wal:
+      compression: {{ $backup.walCompression }}
+    {{- end }}
+  {{- if $backup.retentionPolicy }}
+  retentionPolicy: {{ $backup.retentionPolicy | quote }}
+  {{- end }}
+---
+# ScheduledBackup: triggers periodic base backups via the Barman Cloud Plugin.
+apiVersion: postgresql.cnpg.io/v1
+kind: ScheduledBackup
+metadata:
+  name: {{ $clusterName }}-backup
+  labels:
+    {{- include "vibe-kanban-team.labels" . | nindent 4 }}
+spec:
+  cluster:
+    name: {{ $clusterName }}
+  schedule: {{ $backup.schedule | quote }}
+  backupOwnerReference: {{ $backup.backupOwnerReference | default "self" }}
+  immediate: {{ $backup.immediate | default true }}
+  method: plugin
+  pluginConfiguration:
+    name: barman-cloud.cloudnative-pg.io
+{{- end }}

helm/vibe-kanban-team/templates/postgres-credentials.yaml

@@ -3,7 +3,7 @@
 {{- $genSecret := include "vibe-kanban-team.generatedSecretName" . }}
 {{- $syncSecret := include "vibe-kanban-team.electricSyncSecretName" . }}
 {{- $appSecret := include "vibe-kanban-team.appCredentialsSecretName" . }}
-{{- $database := .Values.postgres.database | default "vibe_kanban" }}
+{{- $database := .Values.postgres.database | default "remote" }}
 
 {{- /* Stable random values: reuse from existing secrets on upgrade, generate once on install.
        lookup returns nil during `helm template`; new values are generated each dry-run but
@@ -30,19 +30,17 @@
 {{- $electricSyncPassword = randAlphaNum 24 }}
 {{- end }}
 
-{{- /* App user (vibe_kanban) password: stable across reinstalls so PVC data stays accessible.
-       Stored in the vk-app secret which CNPG uses as bootstrap.initdb.secret. */ -}}
 {{- $appPassword := "" }}
 {{- if and $existingApp (index $existingApp.data "password") }}
 {{- $appPassword = index $existingApp.data "password" | b64dec }}
 {{- else }}
 {{- $appPassword = randAlphaNum 24 }}
 {{- end }}
 
-{{- $appUrl := printf "postgresql://%s:%s@%s-rw:5432/%s" $database $appPassword $pgCluster $database }}
 {{- $electricUrl := printf "postgresql://electric_sync:%s@%s-rw:5432/%s?sslmode=disable" $electricSyncPassword $pgCluster $database }}
+{{- $appUrl := printf "postgresql://%s:%s@%s-rw:5432/%s" $database $appPassword $pgCluster $database }}
 ---
-# Generated secret: JWT key, Electric sync password, app DB URL, and pre-assembled Electric DATABASE_URL.
+# Generated secret: JWT key, Electric sync password, app DB URL, and Electric DATABASE_URL.
 # helm.sh/resource-policy: keep prevents accidental deletion on helm uninstall.
 apiVersion: v1
 kind: Secret
@@ -59,31 +57,30 @@ stringData:
   electric-url: {{ $electricUrl | quote }}
   url: {{ $appUrl | quote }}
 ---
-# App credentials secret: passed to CNPG as bootstrap.initdb.secret so the app user password
-# is pinned and survives cluster recreation (helm uninstall keeps this via resource-policy).
+# Electric sync role secret: consumed by CNPG managed.roles to set the electric_sync password.
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ $appSecret }}
+  name: {{ $syncSecret }}
   labels:
     {{- include "vibe-kanban-team.labels" . | nindent 4 }}
   annotations:
     helm.sh/resource-policy: keep
-type: kubernetes.io/basic-auth
+type: Opaque
 stringData:
-  username: {{ $database | quote }}
-  password: {{ $appPassword | quote }}
+  password: {{ $electricSyncPassword | quote }}
 ---
-# Electric sync role secret: consumed by CNPG managed.roles to set the electric_sync password.
+# App DB credentials: consumed by CNPG bootstrap.initdb.secret to set the app user password.
 apiVersion: v1
 kind: Secret
 metadata:
-  name: {{ $syncSecret }}
+  name: {{ $appSecret }}
   labels:
     {{- include "vibe-kanban-team.labels" . | nindent 4 }}
   annotations:
     helm.sh/resource-policy: keep
 type: Opaque
 stringData:
-  password: {{ $electricSyncPassword | quote }}
+  username: {{ $database | quote }}
+  password: {{ $appPassword | quote }}
 {{- end }}

helm/vibe-kanban-team/templates/postgresql-cluster.yaml

@@ -1,11 +1,13 @@
 {{- if .Values.postgres.enabled }}
-{{- $dbName := .Values.postgres.database | default "vibe_kanban" }}
+{{- $dbName := .Values.postgres.database | default "remote" }}
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
   name: {{ include "vibe-kanban-team.postgres.clusterName" . }}
   labels:
     {{- include "vibe-kanban-team.labels" . | nindent 4 }}
+  annotations:
+    helm.sh/resource-policy: keep
 spec:
   instances: {{ .Values.postgres.instances | default 1 }}
   storage:
@@ -24,12 +26,9 @@ spec:
       secret:
         name: {{ include "vibe-kanban-team.appCredentialsSecretName" . }}
       postInitApplicationSQL:
-        - {{ printf "ALTER ROLE %s WITH SUPERUSER CREATEROLE CREATEDB REPLICATION;" $dbName | quote }}
-  managed:
-    roles:
-      - name: electric_sync
-        login: true
-        replication: true
-        passwordSecret:
-          name: {{ include "vibe-kanban-team.electricSyncSecretName" . }}
+        - "ALTER ROLE {{ $dbName }} WITH SUPERUSER CREATEROLE CREATEDB REPLICATION;"
+  {{- if .Values.postgres.backup.enabled }}
+  plugins:
+    - name: barman-cloud.cloudnative-pg.io
+  {{- end }}
 {{- end }}

helm/vibe-kanban-team/templates/relay-ingress.yaml

@@ -19,7 +19,7 @@ spec:
   {{- if $className }}
   ingressClassName: {{ $className }}
   {{- end }}
-  {{- if or .Values.relay.ingress.tls (and .Values.global.tls.enabled $derivedHost) }}
+  {{- if or .Values.relay.ingress.tls (and (or .Values.global.tls.enabled (ne (.Values.global.tls.clusterIssuer | default "") "")) $derivedHost) }}
   tls:
     {{- if .Values.relay.ingress.tls }}
     {{- range .Values.relay.ingress.tls }}

helm/vibe-kanban-team/values.yaml

@@ -111,11 +111,64 @@ affinity: {}
 postgres:
   enabled: true
   instances: 1
-  database: vibe_kanban
+  database: remote
   storage:
     size: 8Gi
     storageClass: ""
 
+  # ---------------------------------------------------------------------------
+  # Backup via Barman Cloud Plugin (optional)
+  # ---------------------------------------------------------------------------
+  # Requires the CNPG Barman Cloud Plugin installed in the cluster:
+  #   kubectl apply -f \
+  #     https://raw.githubusercontent.com/cloudnative-pg/plugin-barman-cloud/main/config/release.yaml
+  #
+  # Create a secret with your object-store credentials:
+  #   kubectl create secret generic backup-creds -n <namespace> \
+  #     --from-literal=ACCESS_KEY_ID='...' \
+  #     --from-literal=ACCESS_SECRET_KEY='...'
+  #
+  # Then enable backup:
+  #   postgres.backup.enabled: true
+  #   postgres.backup.destinationPath: "s3://my-bucket/backups/"
+  #   postgres.backup.secretName: "backup-creds"
+  # ---------------------------------------------------------------------------
+  backup:
+    enabled: false
+
+    # S3/GCS/Azure destination (required when enabled)
+    #   S3:    s3://bucket/path/
+    #   GCS:   gs://bucket/path/
+    #   Azure: https://account.blob.core.windows.net/container/path/
+    destinationPath: ""
+
+    # Custom S3 endpoint for MinIO or S3-compatible stores (optional)
+    endpointURL: ""
+
+    # Kubernetes secret with object-store credentials
+    # For S3: keys ACCESS_KEY_ID and ACCESS_SECRET_KEY
+    # For GCS: key APPLICATION_CREDENTIALS (JSON service account)
+    # For Azure: keys AZURE_STORAGE_ACCOUNT and AZURE_STORAGE_KEY (or SAS token)
+    secretName: ""
+    accessKeyIdKey: ACCESS_KEY_ID
+    secretAccessKeyKey: ACCESS_SECRET_KEY
+
+    # WAL archiving compression (gzip, bzip2, snappy, lz4, zstd, or "")
+    walCompression: gzip
+
+    # Retention policy — how long to keep backups (e.g. "30d", "90d")
+    retentionPolicy: "30d"
+
+    # Scheduled backup cron (6 fields: sec min hour dom month dow)
+    # Default: daily at midnight
+    schedule: "0 0 0 * * *"
+
+    # Take an immediate backup when the schedule is first created
+    immediate: true
+
+    # Owner reference for backup objects: "self", "cluster", or "none"
+    backupOwnerReference: self
+
 config:
   existingSecrets:
     database:
@@ -130,14 +183,8 @@ config:
       name: ""
       githubClientIdKey: github-client-id
       githubClientSecretKey: github-client-secret
-      # Google OAuth — set googleClientIdKey to activate (leave empty to disable)
-      googleClientIdKey: ""
+      googleClientIdKey: google-client-id
       googleClientSecretKey: google-client-secret
-      # Zoho OAuth — set zohoClientIdKey to activate (leave empty to disable)
-      zohoClientIdKey: ""
-      zohoClientSecretKey: zoho-client-secret
-      # Optional: override Zoho accounts URL (e.g. https://accounts.zoho.eu)
-      # Set via extraEnv: [{name: ZOHO_ACCOUNTS_URL, value: "..."}]
 
 # =============================================================================
 # Environment Variables