From 60e98805a241f866cf89bcc6e4f498b8515406dd Mon Sep 17 00:00:00 2001 From: Itay Grudev Date: Mon, 24 Nov 2025 04:50:59 +0200 Subject: [PATCH 1/2] fix( cluster ): recovery.pgBaseBackup.secret not applied correctly This fixes the `recovery.pgBaseBackup.secret` parameter by correctly setting it as a LocalObjectReference. I also decided to rename the parameter to: `recovery.pgBaseBackup.secretName` to better reflect that this is just the secret name. The non-backwards compatible name change is acceptable here, because the parameter never worked. Signed-off-by: Itay Grudev --- charts/cluster/README.md | 2 +- charts/cluster/templates/_bootstrap.tpl | 4 ++-- .../02-pg_basebackup-cluster.yaml | 1 + .../cluster/test/postgresql-pg_basebackup/02-secret.yaml | 8 ++++++++ .../test/postgresql-pg_basebackup/chainsaw-test.yaml | 2 ++ charts/cluster/values.schema.json | 2 +- charts/cluster/values.yaml | 4 ++-- 7 files changed, 17 insertions(+), 6 deletions(-) create mode 100644 charts/cluster/test/postgresql-pg_basebackup/02-secret.yaml diff --git a/charts/cluster/README.md b/charts/cluster/README.md index d042268365..b928e99859 100644 --- a/charts/cluster/README.md +++ b/charts/cluster/README.md 
@@ -246,7 +246,7 @@ refer to the [CloudNativePG Documentation](https://cloudnative-pg.io/documentat | recovery.owner | string | `""` | Name of the owner of the database in the instance to be used by applications. Defaults to the value of the `database` key. | | recovery.pgBaseBackup.database | string | `"app"` | Name of the database used by the application. Default: `app`. | | recovery.pgBaseBackup.owner | string | `""` | Name of the owner of the database in the instance to be used by applications. Defaults to the value of the `database` key. | -| recovery.pgBaseBackup.secret | string | `""` | Name of the secret containing the initial credentials for the owner of the user database. If empty a new secret will be created from scratch | +| recovery.pgBaseBackup.secretName | string | `""` | Name of the secret containing the initial credentials for the owner of the user database. If empty a new secret will be created from scratch. The secret should include | | recovery.pgBaseBackup.source.database | string | `"app"` | | | recovery.pgBaseBackup.source.host | string | `""` | | | recovery.pgBaseBackup.source.passwordSecret.create | bool | `false` | Whether to create a secret for the password | diff --git a/charts/cluster/templates/_bootstrap.tpl b/charts/cluster/templates/_bootstrap.tpl index 95bedd214f..0693d6e4b2 100644 --- a/charts/cluster/templates/_bootstrap.tpl +++ b/charts/cluster/templates/_bootstrap.tpl @@ -37,9 +37,9 @@ bootstrap: {{ with .Values.recovery.pgBaseBackup.owner }} owner: {{ . }} {{- end }} - {{ with .Values.recovery.pgBaseBackup.secret }} + {{ with .Values.recovery.pgBaseBackup.secretName }} secret: - {{- toYaml . | nindent 6 }} + name: {{ . }} {{- end }} externalClusters: diff --git a/charts/cluster/test/postgresql-pg_basebackup/02-pg_basebackup-cluster.yaml b/charts/cluster/test/postgresql-pg_basebackup/02-pg_basebackup-cluster.yaml index 310074e1d1..3f495b5ba3 100644 --- a/charts/cluster/test/postgresql-pg_basebackup/02-pg_basebackup-cluster.yaml 
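Review bot: In the `_bootstrap.tpl` hunk the new `name: {{ . }}` writes the value into the manifest unquoted. A secret name that YAML reads as a number or boolean (an all-digit name, for instance) then renders as a non-string, and a value containing a newline or `: ` could add keys to the rendered Cluster spec. Quoting it, `name: {{ . | quote }}`, keeps the field a string whatever the value is, which matters most where chart values are assembled from inputs the cluster operator does not fully control. The `owner: {{ . }}` context line just above has the same shape. The enclosing `bootstrap` template starts and ends outside the hunk.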
+++ b/charts/cluster/test/postgresql-pg_basebackup/02-pg_basebackup-cluster.yaml @@ -14,6 +14,7 @@ recovery: sslCertSecret: name: source-cluster-replication key: tls.crt + secretName: "mysecret" cluster: instances: 2 diff --git a/charts/cluster/test/postgresql-pg_basebackup/02-secret.yaml b/charts/cluster/test/postgresql-pg_basebackup/02-secret.yaml new file mode 100644 index 0000000000..cfb71cdcc0 --- /dev/null +++ b/charts/cluster/test/postgresql-pg_basebackup/02-secret.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +metadata: + name: mysecret +type: kubernetes.io/basic-auth +data: + username: YXBw + password: cGFzc3dvcmQ= diff --git a/charts/cluster/test/postgresql-pg_basebackup/chainsaw-test.yaml b/charts/cluster/test/postgresql-pg_basebackup/chainsaw-test.yaml index 85f2d97439..2ae035f08c 100644 --- a/charts/cluster/test/postgresql-pg_basebackup/chainsaw-test.yaml +++ b/charts/cluster/test/postgresql-pg_basebackup/chainsaw-test.yaml @@ -38,6 +38,8 @@ spec: --values ./02-pg_basebackup-cluster.yaml \ --wait \ pg-basebackup ../../ + - apply: + file: ./02-secret.yaml - assert: file: ./02-pg_basebackup-cluster-assert.yaml catch: diff --git a/charts/cluster/values.schema.json b/charts/cluster/values.schema.json index 8890226868..68133adf4b 100644 --- a/charts/cluster/values.schema.json +++ b/charts/cluster/values.schema.json @@ -560,7 +560,7 @@ "owner": { "type": "string" }, - "secret": { + "secretName": { "type": "string" }, "source": { diff --git a/charts/cluster/values.yaml b/charts/cluster/values.yaml index 3d5f11dc1a..6682708caa 100644 --- a/charts/cluster/values.yaml +++ b/charts/cluster/values.yaml 
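Review bot: The new fixture `02-secret.yaml` commits a base64-encoded username and password with nothing marking them as throwaway test values, so secret scanners and later readers cannot tell it apart from a real credential. A leading comment such as `# Test fixture only: throwaway credentials for the pg_basebackup chainsaw test` would document that. Using `stringData:` with plain values instead of `data:` would also let reviewers read the fixture without decoding it.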
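Review bot: In `chainsaw-test.yaml` the added `- apply:` step for `./02-secret.yaml` comes after the install script whose `--wait` line is visible in the hunk. The release that references `mysecret` is therefore installed before the Secret exists, and the test presumably relies on the operator retrying once it appears. Moving the `apply` step ahead of the install would remove that ordering dependency. The patch also leaves `02-pg_basebackup-cluster-assert.yaml` unchanged, so nothing explicitly asserts that the rendered Cluster carries `secret.name: mysecret` under `bootstrap`; an assertion on that field would pin the fix. The step list starts and continues outside the hunk.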
@@ -103,8 +103,8 @@ recovery: pgBaseBackup: # -- Name of the database used by the application. Default: `app`. database: app - # -- Name of the secret containing the initial credentials for the owner of the user database. If empty a new secret will be created from scratch - secret: "" + # -- Name of the secret containing the initial credentials for the owner of the user database. If empty a new secret will be created from scratch. The secret should include + secretName: "" # -- Name of the owner of the database in the instance to be used by applications. Defaults to the value of the `database` key. owner: "" source: From 486e3b1baf22a56e39d942258b241f3914da112b Mon Sep 17 00:00:00 2001 From: Itay Grudev Date: Thu, 4 Dec 2025 15:52:19 +0200 Subject: [PATCH 2/2] docs: fixed documentation entry Signed-off-by: Itay Grudev --- charts/cluster/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/cluster/values.yaml b/charts/cluster/values.yaml index 6682708caa..ac523da6aa 100644 --- a/charts/cluster/values.yaml +++ b/charts/cluster/values.yaml @@ -103,7 +103,7 @@ recovery: pgBaseBackup: # -- Name of the database used by the application. Default: `app`. database: app - # -- Name of the secret containing the initial credentials for the owner of the user database. If empty a new secret will be created from scratch. The secret should include + # -- Name of the kubernetes.io/basic-auth secret containing the initial credentials for the owner of the user database. If empty a new secret will be created from scratch. secretName: "" # -- Name of the owner of the database in the instance to be used by applications. Defaults to the value of the `database` key. owner: ""
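Review bot: The reworded `secretName` comment in `values.yaml` (patch 2/2) is not mirrored in `charts/cluster/README.md`. Patch 1/2 leaves that table row ending in the unfinished sentence "The secret should include", and patch 2/2 touches only `values.yaml`. If the README is generated from these comments, it should be regenerated in the same change so both places name the `kubernetes.io/basic-auth` type. The comment could also state which keys the secret must carry; the test fixture suggests `username` and `password`, but confirm that against the operator's documentation before adding something like `(keys: username, password)`.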