From 4d62961c8905cfcacf806b9f2ec6739b5c3ff136 Mon Sep 17 00:00:00 2001
From: Andrei Kvapil <kvapss@gmail.com>
Date: Wed, 16 Jul 2025 14:06:34 +0200
Subject: [PATCH 1/2] Update FerretDB v2.4.0

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
---
 packages/apps/ferretdb/Chart.yaml             |   4 +-
 packages/apps/ferretdb/Makefile               |   7 +
 .../apps/ferretdb/templates/ferretdb.yaml     |  10 +-
 .../apps/ferretdb/templates/init-job.yaml     |  66 ---------
 .../apps/ferretdb/templates/init-script.yaml  | 131 ------------------
 .../apps/ferretdb/templates/postgres.yaml     |  21 ++-
 packages/apps/ferretdb/values.yaml            |   4 +-
 packages/apps/versions_map                    |   2 +-
 8 files changed, 37 insertions(+), 208 deletions(-)
 delete mode 100644 packages/apps/ferretdb/templates/init-job.yaml
 delete mode 100644 packages/apps/ferretdb/templates/init-script.yaml

diff --git a/packages/apps/ferretdb/Chart.yaml b/packages/apps/ferretdb/Chart.yaml
index 5c0e9a49..7117cc35 100644
--- a/packages/apps/ferretdb/Chart.yaml
+++ b/packages/apps/ferretdb/Chart.yaml
@@ -16,10 +16,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.8.1
+version: 1.0.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.24.0"
+appVersion: 2.4.0
diff --git a/packages/apps/ferretdb/Makefile b/packages/apps/ferretdb/Makefile
index 9e32d0b0..4ee52529 100644
--- a/packages/apps/ferretdb/Makefile
+++ b/packages/apps/ferretdb/Makefile
@@ -4,3 +4,10 @@ PRESET_ENUM := ["nano","micro","small","medium","large","xlarge","2xlarge"]
 generate:
 	readme-generator -v values.yaml -s values.schema.json -r README.md
 	yq -i -o json --indent 4 '.properties.resourcesPreset.enum = $(PRESET_ENUM)' values.schema.json
+
+update:
+	tag=$$(git ls-remote --tags --sort="v:refname" https://github.com/FerretDB/FerretDB | awk -F'[/^]' '{sub("^v", "", $$3)} END{print $$3}') && \
+	pgtag=$$(skopeo list-tags docker://ghcr.io/ferretdb/postgres-documentdb | jq -r --arg tag "$$tag" '.Tags[] | select(endswith("ferretdb-" + $$tag))' | sort -V | tail -n1) && \
+	sed -i "s|\(imageName: ghcr.io/ferretdb/postgres-documentdb:\).*|\1$$pgtag|" templates/postgres.yaml && \
+	sed -i "s|\(image: ghcr.io/ferretdb/ferretdb:\).*|\1$$tag|" templates/ferretdb.yaml && \
+	sed -i "s|\(appVersion: \).*|\1$$tag|" Chart.yaml
diff --git a/packages/apps/ferretdb/templates/ferretdb.yaml b/packages/apps/ferretdb/templates/ferretdb.yaml
index 7fbba009..e73d42a3 100644
--- a/packages/apps/ferretdb/templates/ferretdb.yaml
+++ b/packages/apps/ferretdb/templates/ferretdb.yaml
@@ -16,12 +16,14 @@ spec:
     spec:
       containers:
       - name: ferretdb
-        image: ghcr.io/ferretdb/ferretdb:1.24.0
+        image: ghcr.io/ferretdb/ferretdb:2.4.0
         ports:
         - containerPort: 27017
         env:
-          - name: FERRETDB_POSTGRESQL_URL
+          - name: POSTGRESQL_PASSWORD
             valueFrom:
               secretKeyRef:
-                name: {{ .Release.Name }}-postgres-app
-                key: uri
+                name: {{ .Release.Name }}-postgres-superuser
+                key: password
+          - name: FERRETDB_POSTGRESQL_URL
+            value: "postgresql://postgres:$(POSTGRESQL_PASSWORD)@{{ .Release.Name }}-postgres-rw:5432/postgres"
diff --git a/packages/apps/ferretdb/templates/init-job.yaml b/packages/apps/ferretdb/templates/init-job.yaml
deleted file mode 100644
index b7b03133..00000000
--- a/packages/apps/ferretdb/templates/init-job.yaml
+++ /dev/null
@@ -1,66 +0,0 @@
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: {{ .Release.Name }}-init-job
-  annotations:
-    "helm.sh/hook": post-install,post-upgrade
-    "helm.sh/hook-weight": "-5"
-    "helm.sh/hook-delete-policy": before-hook-creation
-spec:
-  template:
-    metadata:
-      name: {{ .Release.Name }}-init-job
-      annotations:
-        checksum/config: {{ include (print $.Template.BasePath "/init-script.yaml") . | sha256sum }}
-    spec:
-      restartPolicy: Never
-      containers:
-      - name: postgres
-        image: ghcr.io/cloudnative-pg/postgresql:15.3
-        command:
-        - bash
-        - /scripts/init.sh
-        env:
-        - name: PGUSER
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Release.Name }}-postgres-superuser
-              key: username
-        - name: PGPASSWORD
-          valueFrom:
-            secretKeyRef:
-              name: {{ .Release.Name }}-postgres-superuser
-              key: password
-        - name: PGHOST
-          value: {{ .Release.Name }}-postgres-rw
-        - name: PGPORT
-          value: "5432"
-        - name: PGDATABASE
-          value: postgres
-        securityContext:
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-          privileged: false
-          readOnlyRootFilesystem: true
-          runAsNonRoot: true
-        volumeMounts:
-        - mountPath: /etc/secret
-          name: secret
-        - mountPath: /scripts
-          name: scripts
-      securityContext:
-        fsGroup: 26
-        runAsGroup: 26
-        runAsNonRoot: true
-        runAsUser: 26
-        seccompProfile:
-          type: RuntimeDefault
-      volumes:
-      - name: secret
-        secret:
-          secretName: {{ .Release.Name }}-postgres-superuser
-      - name: scripts
-        secret:
-          secretName: {{ .Release.Name }}-init-script
diff --git a/packages/apps/ferretdb/templates/init-script.yaml b/packages/apps/ferretdb/templates/init-script.yaml
deleted file mode 100644
index 35723ede..00000000
--- a/packages/apps/ferretdb/templates/init-script.yaml
+++ /dev/null
@@ -1,131 +0,0 @@
-{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-credentials" .Release.Name) }}
-{{- $passwords := dict }}
-
-{{- with (index $existingSecret "data") }}
-  {{- range $k, $v := . }}
-    {{- $_ := set $passwords $k (b64dec $v) }}
-  {{- end }}
-{{- end }}
-
-{{- range $user, $u := .Values.users }}
-  {{- if $u.password }}
-    {{- $_ := set $passwords $user $u.password }}
-  {{- else if not (index $passwords $user) }}
-    {{- $_ := set $passwords $user (randAlphaNum 16) }}
-  {{- end }}
-{{- end }}
-
-{{- if .Values.users }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Release.Name }}-credentials
-stringData:
-  {{- range $user, $u := .Values.users }}
-  {{ quote $user }}: {{ quote (index $passwords $user) }}
-  {{- end }}
-{{- end }}
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Release.Name }}-init-script
-stringData:
-  init.sh: |
-    #!/bin/bash
-    set -e
-
-    until pg_isready ; do sleep 5; done
-
-    echo "== create users"
-    {{- if .Values.users }}
-    psql -v ON_ERROR_STOP=1 <<\EOT
-    {{- range $user, $u := .Values.users }}
-    SELECT 'CREATE ROLE {{ $user }} LOGIN INHERIT;'
-    WHERE NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = '{{ $user }}')\gexec
-    ALTER ROLE {{ $user }} WITH PASSWORD '{{ index $passwords $user }}' LOGIN INHERIT {{ ternary "REPLICATION" "NOREPLICATION" (default false $u.replication) }};
-    COMMENT ON ROLE {{ $user }} IS 'user managed by helm';
-    {{- end }}
-    EOT
-    {{- end }}
-
-    echo "== delete users"
-    MANAGED_USERS=$(echo '\du+' | psql | awk -F'|' '$4 == " user managed by helm" {print $1}' | awk NF=NF RS= OFS=' ')
-    DEFINED_USERS="{{ join " " (keys .Values.users) }}"
-    DELETE_USERS=$(for user in $MANAGED_USERS; do case " $DEFINED_USERS " in *" $user "*) :;; *) echo $user;; esac; done)
-
-    echo "users to delete: $DELETE_USERS"
-    for user in $DELETE_USERS; do
-    # https://stackoverflow.com/a/51257346/2931267
-    psql -v ON_ERROR_STOP=1 --echo-all <<EOT
-    REASSIGN OWNED BY $user TO postgres;
-    DROP OWNED BY $user;
-    DROP USER $user;
-    EOT
-    done
-
-    echo "== create roles"
-    psql -v ON_ERROR_STOP=1 --echo-all <<\EOT
-    SELECT 'CREATE ROLE app_admin NOINHERIT;'
-    WHERE NOT EXISTS (SELECT FROM pg_catalog.pg_roles WHERE rolname = 'app_admin')\gexec
-    COMMENT ON ROLE app_admin IS 'role managed by helm';
-    EOT
-
-    echo "== grant privileges on databases to roles"
-    psql -v ON_ERROR_STOP=1 --echo-all -d "app" <<\EOT
-    ALTER DATABASE app OWNER TO app_admin;
-
-    DO $$
-    DECLARE
-        schema_record record;
-    BEGIN
-        -- Loop over all schemas
-        FOR schema_record IN SELECT schema_name FROM information_schema.schemata WHERE schema_name NOT IN ('pg_catalog', 'information_schema') LOOP
-            -- Changing Schema Ownership
-            EXECUTE format('ALTER SCHEMA %I OWNER TO %I', schema_record.schema_name, 'app_admin');
-
-            -- Add rights for the admin role
-            EXECUTE format('GRANT ALL ON SCHEMA %I TO %I', schema_record.schema_name, 'app_admin');
-            EXECUTE format('GRANT ALL ON ALL TABLES IN SCHEMA %I TO %I', schema_record.schema_name, 'app_admin');
-            EXECUTE format('GRANT ALL ON ALL SEQUENCES IN SCHEMA %I TO %I', schema_record.schema_name, 'app_admin');
-            EXECUTE format('GRANT ALL ON ALL FUNCTIONS IN SCHEMA %I TO %I', schema_record.schema_name, 'app_admin');
-            EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON TABLES TO %I', schema_record.schema_name, 'app_admin');
-            EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON SEQUENCES TO %I', schema_record.schema_name, 'app_admin');
-            EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON FUNCTIONS TO %I', schema_record.schema_name, 'app_admin');
-        END LOOP;
-    END$$;
-    EOT
-
-    echo "== setup event trigger for schema creation"
-    psql -v ON_ERROR_STOP=1 --echo-all -d "app" <<\EOT
-    CREATE OR REPLACE FUNCTION auto_grant_schema_privileges()
-    RETURNS event_trigger LANGUAGE plpgsql AS $$
-    DECLARE
-      obj record;
-    BEGIN
-      FOR obj IN SELECT * FROM pg_event_trigger_ddl_commands() WHERE command_tag = 'CREATE SCHEMA' LOOP
-        -- Set owner for schema
-        EXECUTE format('ALTER SCHEMA %I OWNER TO %I', obj.object_identity, 'app_admin');
-
-        -- Set privileges for admin role
-        EXECUTE format('GRANT ALL ON SCHEMA %I TO %I', obj.object_identity, 'app_admin');
-        EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON TABLES TO %I', obj.object_identity, 'app_admin');
-        EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON SEQUENCES TO %I', obj.object_identity, 'app_admin');
-        EXECUTE format('ALTER DEFAULT PRIVILEGES IN SCHEMA %I GRANT ALL ON FUNCTIONS TO %I', obj.object_identity, 'app_admin');
-      END LOOP;
-    END;
-    $$;
-
-    DROP EVENT TRIGGER IF EXISTS trigger_auto_grant;
-    CREATE EVENT TRIGGER trigger_auto_grant ON ddl_command_end
-    WHEN TAG IN ('CREATE SCHEMA')
-    EXECUTE PROCEDURE auto_grant_schema_privileges();
-    EOT
-
-    echo "== assign roles to users"
-    psql -v ON_ERROR_STOP=1 --echo-all <<\EOT
-    GRANT app_admin TO app;
-    {{- range $user, $u := $.Values.users }}
-    GRANT app_admin TO {{ $user }};
-    {{- end }}
-    EOT
diff --git a/packages/apps/ferretdb/templates/postgres.yaml b/packages/apps/ferretdb/templates/postgres.yaml
index 82900b8c..a54681ef 100644
--- a/packages/apps/ferretdb/templates/postgres.yaml
+++ b/packages/apps/ferretdb/templates/postgres.yaml
@@ -5,6 +5,9 @@ metadata:
   name: {{ .Release.Name }}-postgres
 spec:
   instances: {{ .Values.replicas }}
+  imageName: ghcr.io/ferretdb/postgres-documentdb:17-0.105.0-ferretdb-2.4.0
+  postgresUID: 999
+  postgresGID: 999
   enableSuperuserAccess: true
   {{- $configMap := lookup "v1" "ConfigMap" "cozy-system" "cozystack-scheduling" }}
   {{- if $configMap }}
@@ -22,6 +25,22 @@ spec:
   monitoring:
     enablePodMonitor: true
 
+  postgresql:
+    shared_preload_libraries:
+      - pg_cron
+      - pg_documentdb_core
+      - pg_documentdb
+    parameters:
+      cron.database_name: 'postgres'
+    pg_hba:
+      - host postgres postgres 127.0.0.1/32 trust
+      - host postgres postgres ::1/128 trust
+
+  bootstrap:
+    initdb:
+      postInitSQL:
+        - 'CREATE EXTENSION IF NOT EXISTS documentdb CASCADE;'
+
   storage:
     size: {{ required ".Values.size is required" .Values.size }}
     {{- with .Values.storageClass }}
@@ -42,8 +61,6 @@ spec:
       passwordSecret:
         name: {{ printf "%s-user-%s" $.Release.Name $user }}
       login: true
-      inRoles:
-      - app
     {{- end }}
   {{- end }}
 
diff --git a/packages/apps/ferretdb/values.yaml b/packages/apps/ferretdb/values.yaml
index e596d898..c10cccfb 100644
--- a/packages/apps/ferretdb/values.yaml
+++ b/packages/apps/ferretdb/values.yaml
@@ -55,5 +55,5 @@ resources: {}
  #   cpu: 4000m
  #   memory: 4Gi
 
-## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.
-resourcesPreset: "nano"
+## @param resourcesPreset Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.
+resourcesPreset: "micro"
diff --git a/packages/apps/versions_map b/packages/apps/versions_map
index 5c8fa5dc..ac999363 100644
--- a/packages/apps/versions_map
+++ b/packages/apps/versions_map
@@ -29,7 +29,7 @@ ferretdb 0.6.1 632224a3
 ferretdb 0.7.0 62cb694d
 ferretdb 0.7.1 4369b031
 ferretdb 0.8.0 08cb7c0f
-ferretdb 0.8.1 HEAD
+ferretdb 1.0.0 HEAD
 http-cache 0.1.0 263e47be
 http-cache 0.2.0 53f2365e
 http-cache 0.3.0 6c5cf5bf

From e5cde60311a3ba20070e879fb61638a316dd1917 Mon Sep 17 00:00:00 2001
From: Andrei Kvapil <kvapss@gmail.com>
Date: Wed, 16 Jul 2025 15:29:41 +0200
Subject: [PATCH 2/2] [ferretdb] Reuse backup logic from postgres

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
---
 packages/apps/ferretdb/README.md              | 31 +++---
 .../apps/ferretdb/images/postgres-backup.tag  |  1 -
 .../ferretdb/templates/backup-cronjob.yaml    | 99 -------------------
 .../ferretdb/templates/backup-script.yaml     | 50 ----------
 .../ferretdb/templates/backup-secret.yaml     | 11 ---
 packages/apps/ferretdb/templates/backup.yaml  | 12 +++
 .../apps/ferretdb/templates/postgres.yaml     | 46 ++++++++-
 packages/apps/ferretdb/values.schema.json     | 59 ++++++-----
 packages/apps/ferretdb/values.yaml            | 35 ++++---
 9 files changed, 132 insertions(+), 212 deletions(-)
 delete mode 100644 packages/apps/ferretdb/images/postgres-backup.tag
 delete mode 100644 packages/apps/ferretdb/templates/backup-cronjob.yaml
 delete mode 100644 packages/apps/ferretdb/templates/backup-script.yaml
 delete mode 100644 packages/apps/ferretdb/templates/backup-secret.yaml
 create mode 100644 packages/apps/ferretdb/templates/backup.yaml

diff --git a/packages/apps/ferretdb/README.md b/packages/apps/ferretdb/README.md
index 386d44ae..9c3c41cc 100644
--- a/packages/apps/ferretdb/README.md
+++ b/packages/apps/ferretdb/README.md
@@ -25,18 +25,25 @@ Internally, FerretDB service is backed by Postgres.
 
 ### Backup parameters
 
-| Name                     | Description                                                                                                                           | Value                                                  |
-| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------ |
-| `backup.enabled`         | Enable periodic backups                                                                                                               | `false`                                                |
-| `backup.s3Region`        | The AWS S3 region where backups are stored                                                                                            | `us-east-1`                                            |
-| `backup.s3Bucket`        | The S3 bucket used for storing backups                                                                                                | `s3.example.org/postgres-backups`                      |
-| `backup.schedule`        | Cron schedule for automated backups                                                                                                   | `0 2 * * *`                                            |
-| `backup.cleanupStrategy` | The strategy for cleaning up old backups                                                                                              | `--keep-last=3 --keep-daily=3 --keep-within-weekly=1m` |
-| `backup.s3AccessKey`     | The access key for S3, used for authentication                                                                                        | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`                     |
-| `backup.s3SecretKey`     | The secret key for S3, used for authentication                                                                                        | `ju3eum4dekeich9ahM1te8waeGai0oog`                     |
-| `backup.resticPassword`  | The password for Restic backup encryption                                                                                             | `ChaXoveekoh6eigh4siesheeda2quai0`                     |
-| `resources`              | Explicit CPU and memory configuration for each FerretDB replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`                                                   |
-| `resourcesPreset`        | Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.           | `nano`                                                 |
+| Name                     | Description                                                | Value                               |
+| ------------------------ | ---------------------------------------------------------- | ----------------------------------- |
+| `backup.enabled`         | Enable regular backups                                     | `false`                             |
+| `backup.schedule`        | Cron schedule for automated backups                        | `0 2 * * * *`                       |
+| `backup.retentionPolicy` | Retention policy                                           | `30d`                               |
+| `backup.destinationPath` | Path to store the backup (i.e. s3://bucket/path/to/folder) | `s3://bucket/path/to/folder/`       |
+| `backup.endpointURL`     | S3 Endpoint used to upload data to the cloud               | `http://minio-gateway-service:9000` |
+| `backup.s3AccessKey`     | Access key for S3, used for authentication                 | `oobaiRus9pah8PhohL1ThaeTa4UVa7gu`  |
+| `backup.s3SecretKey`     | Secret key for S3, used for authentication                 | `ju3eum4dekeich9ahM1te8waeGai0oog`  |
+
+### Bootstrap parameters
+
+| Name                     | Description                                                                                                                           | Value   |
+| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------- | ------- |
+| `bootstrap.enabled`      | Restore database cluster from a backup                                                                                                | `false` |
+| `bootstrap.recoveryTime` | Timestamp (PITR) up to which recovery will proceed, expressed in RFC 3339 format. If left empty, will restore latest                  | `""`    |
+| `bootstrap.oldName`      | Name of database cluster before deleting                                                                                              | `""`    |
+| `resources`              | Explicit CPU and memory configuration for each FerretDB replica. When left empty, the preset defined in `resourcesPreset` is applied. | `{}`    |
+| `resourcesPreset`        | Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.     | `micro` |
 
 
 
diff --git a/packages/apps/ferretdb/images/postgres-backup.tag b/packages/apps/ferretdb/images/postgres-backup.tag
deleted file mode 100644
index c06767fd..00000000
--- a/packages/apps/ferretdb/images/postgres-backup.tag
+++ /dev/null
@@ -1 +0,0 @@
-ghcr.io/cozystack/cozystack/postgres-backup:0.14.0@sha256:10179ed56457460d95cd5708db2a00130901255fa30c4dd76c65d2ef5622b61f
diff --git a/packages/apps/ferretdb/templates/backup-cronjob.yaml b/packages/apps/ferretdb/templates/backup-cronjob.yaml
deleted file mode 100644
index ae3b148a..00000000
--- a/packages/apps/ferretdb/templates/backup-cronjob.yaml
+++ /dev/null
@@ -1,99 +0,0 @@
-{{- if .Values.backup.enabled }}
-{{ $image := .Files.Get "images/backup.json" | fromJson }}
-
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: {{ .Release.Name }}-backup
-spec:
-  schedule: "{{ .Values.backup.schedule }}"
-  concurrencyPolicy: Forbid
-  successfulJobsHistoryLimit: 3
-  failedJobsHistoryLimit: 3
-  jobTemplate:
-    spec:
-      backoffLimit: 2
-      template:
-        spec:
-          restartPolicy: OnFailure
-      template:
-        metadata:
-          annotations:
-            checksum/config: {{ include (print $.Template.BasePath "/backup-script.yaml") . | sha256sum }}
-            checksum/secret: {{ include (print $.Template.BasePath "/backup-secret.yaml") . | sha256sum }}
-        spec:
-          restartPolicy: Never
-          containers:
-          - name: pgdump
-            image: "{{ $.Files.Get "images/postgres-backup.tag" | trim }}"
-            command:
-            - /bin/sh
-            - /scripts/backup.sh
-            env:
-            - name: REPO_PREFIX
-              value: {{ required "s3Bucket is not specified!" .Values.backup.s3Bucket | quote }}
-            - name: CLEANUP_STRATEGY
-              value: {{ required "cleanupStrategy is not specified!" .Values.backup.cleanupStrategy | quote }}
-            - name: PGUSER
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Release.Name }}-postgres-superuser
-                  key: username
-            - name: PGPASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Release.Name }}-postgres-superuser
-                  key: password
-            - name: PGHOST
-              value: {{ .Release.Name }}-postgres-rw
-            - name: PGPORT
-              value: "5432"
-            - name: PGDATABASE
-              value: postgres
-            - name: AWS_ACCESS_KEY_ID
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Release.Name }}-backup
-                  key: s3AccessKey
-            - name: AWS_SECRET_ACCESS_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Release.Name }}-backup
-                  key: s3SecretKey
-            - name: AWS_DEFAULT_REGION
-              value: {{ .Values.backup.s3Region }}
-            - name: RESTIC_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Release.Name }}-backup
-                  key: resticPassword
-            volumeMounts:
-            - mountPath: /scripts
-              name: scripts
-            - mountPath: /tmp
-              name: tmp
-            - mountPath: /.cache
-              name: cache
-            securityContext:
-              allowPrivilegeEscalation: false
-              capabilities:
-                drop:
-                - ALL
-              privileged: false
-              readOnlyRootFilesystem: true
-              runAsNonRoot: true
-          volumes:
-          - name: scripts
-            secret:
-              secretName: {{ .Release.Name }}-backup-script
-          - name: tmp
-            emptyDir: {}
-          - name: cache
-            emptyDir: {}
-          securityContext:
-            runAsNonRoot: true
-            runAsUser: 9000
-            runAsGroup: 9000
-            seccompProfile:
-              type: RuntimeDefault
-{{- end }}
diff --git a/packages/apps/ferretdb/templates/backup-script.yaml b/packages/apps/ferretdb/templates/backup-script.yaml
deleted file mode 100644
index 362bdc01..00000000
--- a/packages/apps/ferretdb/templates/backup-script.yaml
+++ /dev/null
@@ -1,50 +0,0 @@
-{{- if .Values.backup.enabled }}
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Release.Name }}-backup-script
-stringData:
-  backup.sh: |
-    #!/bin/sh
-    set -e
-    set -o pipefail
-
-    JOB_ID="job-$(uuidgen|cut -f1 -d-)"
-    DB_LIST=$(psql -Atq -c 'SELECT datname FROM pg_catalog.pg_database;' | grep -v '^\(postgres\|app\|template.*\)$')
-    echo DB_LIST=$(echo "$DB_LIST" | shuf) # shuffle list
-    echo "Job ID: $JOB_ID"
-    echo "Target repo: $REPO_PREFIX"
-    echo "Cleanup strategy: $CLEANUP_STRATEGY"
-    echo "Start backup for:"
-    echo "$DB_LIST"
-    echo
-    echo "Backup started at `date +%Y-%m-%d\ %H:%M:%S`"
-    for db in $DB_LIST; do
-      (
-        set -x
-        restic -r "s3:${REPO_PREFIX}/$db" cat config >/dev/null 2>&1 || \
-          restic -r "s3:${REPO_PREFIX}/$db" init --repository-version 2
-        restic -r "s3:${REPO_PREFIX}/$db" unlock --remove-all >/dev/null 2>&1 || true # no locks, k8s takes care of it
-        pg_dump -Z0 -Ft -d "$db" | \
-          restic -r "s3:${REPO_PREFIX}/$db" backup --tag "$JOB_ID" --stdin --stdin-filename dump.tar
-        restic -r "s3:${REPO_PREFIX}/$db" tag --tag "$JOB_ID" --set "completed"
-      )
-    done
-    echo "Backup finished at `date +%Y-%m-%d\ %H:%M:%S`"
-
-    echo
-    echo "Run cleanup:"
-    echo
-
-    echo "Cleanup started at `date +%Y-%m-%d\ %H:%M:%S`"
-    for db in $DB_LIST; do
-      (
-        set -x
-        restic forget -r "s3:${REPO_PREFIX}/$db" --group-by=tags --keep-tag "completed" # keep completed snapshots only
-        restic forget -r "s3:${REPO_PREFIX}/$db" --group-by=tags $CLEANUP_STRATEGY
-        restic prune -r "s3:${REPO_PREFIX}/$db"
-      )
-    done
-    echo "Cleanup finished at `date +%Y-%m-%d\ %H:%M:%S`"
-{{- end }}
diff --git a/packages/apps/ferretdb/templates/backup-secret.yaml b/packages/apps/ferretdb/templates/backup-secret.yaml
deleted file mode 100644
index be221e2f..00000000
--- a/packages/apps/ferretdb/templates/backup-secret.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-{{- if .Values.backup.enabled }}
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Release.Name }}-backup
-stringData:
-  s3AccessKey: {{ required "s3AccessKey is not specified!" .Values.backup.s3AccessKey }}
-  s3SecretKey: {{ required "s3SecretKey is not specified!" .Values.backup.s3SecretKey }}
-  resticPassword: {{ required "resticPassword is not specified!" .Values.backup.resticPassword }}
-{{- end }}
diff --git a/packages/apps/ferretdb/templates/backup.yaml b/packages/apps/ferretdb/templates/backup.yaml
new file mode 100644
index 00000000..96dea599
--- /dev/null
+++ b/packages/apps/ferretdb/templates/backup.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.backup.enabled }}
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: ScheduledBackup
+metadata:
+  name: {{ .Release.Name }}-postgres
+spec:
+  schedule: {{ .Values.backup.schedule | quote }}
+  backupOwnerReference: self
+  cluster:
+    name: {{ .Release.Name }}-postgres
+{{- end }}
diff --git a/packages/apps/ferretdb/templates/postgres.yaml b/packages/apps/ferretdb/templates/postgres.yaml
index a54681ef..4d1d8e29 100644
--- a/packages/apps/ferretdb/templates/postgres.yaml
+++ b/packages/apps/ferretdb/templates/postgres.yaml
@@ -5,6 +5,47 @@ metadata:
   name: {{ .Release.Name }}-postgres
 spec:
   instances: {{ .Values.replicas }}
+  {{- if .Values.backup.enabled }}
+  backup:
+    barmanObjectStore:
+      destinationPath: {{ .Values.backup.destinationPath }}
+      endpointURL: {{ .Values.backup.endpointURL }}
+      s3Credentials:
+        accessKeyId:
+          name: {{ .Release.Name }}-s3-creds
+          key: AWS_ACCESS_KEY_ID
+        secretAccessKey:
+          name: {{ .Release.Name }}-s3-creds
+          key: AWS_SECRET_ACCESS_KEY
+    retentionPolicy: {{ .Values.backup.retentionPolicy }}
+  {{- end }}
+
+  bootstrap:
+    initdb:
+      postInitSQL:
+        - 'CREATE EXTENSION IF NOT EXISTS documentdb CASCADE;'
+    {{- if .Values.bootstrap.enabled }}
+    recovery:
+      source: {{ .Values.bootstrap.oldName }}
+      {{- if .Values.bootstrap.recoveryTime }}
+      recoveryTarget:
+        targetTime: {{ .Values.bootstrap.recoveryTime }}
+      {{- end }}
+    {{- end }}
+  {{- if .Values.bootstrap.enabled }}
+  externalClusters:
+    - name: {{ .Values.bootstrap.oldName }}
+      barmanObjectStore:
+        destinationPath: {{ .Values.backup.destinationPath }}
+        endpointURL: {{ .Values.backup.endpointURL }}
+        s3Credentials:
+          accessKeyId:
+            name: {{ .Release.Name }}-s3-creds
+            key: AWS_ACCESS_KEY_ID
+          secretAccessKey:
+            name: {{ .Release.Name }}-s3-creds
+            key: AWS_SECRET_ACCESS_KEY
+  {{- end }}
   imageName: ghcr.io/ferretdb/postgres-documentdb:17-0.105.0-ferretdb-2.4.0
   postgresUID: 999
   postgresGID: 999
@@ -36,11 +77,6 @@ spec:
       - host postgres postgres 127.0.0.1/32 trust
       - host postgres postgres ::1/128 trust
 
-  bootstrap:
-    initdb:
-      postInitSQL:
-        - 'CREATE EXTENSION IF NOT EXISTS documentdb CASCADE;'
-
   storage:
     size: {{ required ".Values.size is required" .Values.size }}
     {{- with .Values.storageClass }}
diff --git a/packages/apps/ferretdb/values.schema.json b/packages/apps/ferretdb/values.schema.json
index fd7235f8..92bb8626 100644
--- a/packages/apps/ferretdb/values.schema.json
+++ b/packages/apps/ferretdb/values.schema.json
@@ -42,43 +42,58 @@
             "properties": {
                 "enabled": {
                     "type": "boolean",
-                    "description": "Enable periodic backups",
+                    "description": "Enable regular backups",
                     "default": false
                 },
-                "s3Region": {
-                    "type": "string",
-                    "description": "The AWS S3 region where backups are stored",
-                    "default": "us-east-1"
-                },
-                "s3Bucket": {
-                    "type": "string",
-                    "description": "The S3 bucket used for storing backups",
-                    "default": "s3.example.org/postgres-backups"
-                },
                 "schedule": {
                     "type": "string",
                     "description": "Cron schedule for automated backups",
-                    "default": "0 2 * * *"
+                    "default": "0 2 * * * *"
                 },
-                "cleanupStrategy": {
+                "retentionPolicy": {
                     "type": "string",
-                    "description": "The strategy for cleaning up old backups",
-                    "default": "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
+                    "description": "Retention policy",
+                    "default": "30d"
+                },
+                "destinationPath": {
+                    "type": "string",
+                    "description": "Path to store the backup (i.e. s3://bucket/path/to/folder)",
+                    "default": "s3://bucket/path/to/folder/"
+                },
+                "endpointURL": {
+                    "type": "string",
+                    "description": "S3 Endpoint used to upload data to the cloud",
+                    "default": "http://minio-gateway-service:9000"
                 },
                 "s3AccessKey": {
                     "type": "string",
-                    "description": "The access key for S3, used for authentication",
+                    "description": "Access key for S3, used for authentication",
                     "default": "oobaiRus9pah8PhohL1ThaeTa4UVa7gu"
                 },
                 "s3SecretKey": {
                     "type": "string",
-                    "description": "The secret key for S3, used for authentication",
+                    "description": "Secret key for S3, used for authentication",
                     "default": "ju3eum4dekeich9ahM1te8waeGai0oog"
+                }
+            }
+        },
+        "bootstrap": {
+            "type": "object",
+            "properties": {
+                "enabled": {
+                    "type": "boolean",
+                    "description": "Restore database cluster from a backup",
+                    "default": false
                 },
-                "resticPassword": {
+                "recoveryTime": {
                     "type": "string",
-                    "description": "The password for Restic backup encryption",
-                    "default": "ChaXoveekoh6eigh4siesheeda2quai0"
+                    "description": "Timestamp (PITR) up to which recovery will proceed, expressed in RFC 3339 format. If left empty, will restore latest",
+                    "default": ""
+                },
+                "oldName": {
+                    "type": "string",
+                    "description": "Name of database cluster before deleting",
+                    "default": ""
                 }
             }
         },
@@ -89,8 +104,8 @@
         },
         "resourcesPreset": {
             "type": "string",
-            "description": "Default sizing preset used when `resources` is omitted. Allowed values: nano, micro, small, medium, large, xlarge, 2xlarge.",
-            "default": "nano",
+            "description": "Default sizing preset used when `resources` is omitted. Allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge.",
+            "default": "micro",
             "enum": [
                 "nano",
                 "micro",
diff --git a/packages/apps/ferretdb/values.yaml b/packages/apps/ferretdb/values.yaml
index c10cccfb..5d6e12f0 100644
--- a/packages/apps/ferretdb/values.yaml
+++ b/packages/apps/ferretdb/values.yaml
@@ -31,23 +31,34 @@ users: {}
 
 ## @section Backup parameters
 
-## @param backup.enabled Enable periodic backups
-## @param backup.s3Region The AWS S3 region where backups are stored
-## @param backup.s3Bucket The S3 bucket used for storing backups
+## @param backup.enabled Enable regular backups
 ## @param backup.schedule Cron schedule for automated backups
-## @param backup.cleanupStrategy The strategy for cleaning up old backups
-## @param backup.s3AccessKey The access key for S3, used for authentication
-## @param backup.s3SecretKey The secret key for S3, used for authentication
-## @param backup.resticPassword The password for Restic backup encryption
+## @param backup.retentionPolicy Retention policy
+## @param backup.destinationPath Path to store the backup (i.e. s3://bucket/path/to/folder)
+## @param backup.endpointURL S3 Endpoint used to upload data to the cloud
+## @param backup.s3AccessKey Access key for S3, used for authentication
+## @param backup.s3SecretKey Secret key for S3, used for authentication
 backup:
   enabled: false
-  s3Region: us-east-1
-  s3Bucket: s3.example.org/postgres-backups
-  schedule: "0 2 * * *"
-  cleanupStrategy: "--keep-last=3 --keep-daily=3 --keep-within-weekly=1m"
+  retentionPolicy: 30d
+  destinationPath: s3://bucket/path/to/folder/
+  endpointURL: http://minio-gateway-service:9000
+  schedule: "0 2 * * * *"
   s3AccessKey: oobaiRus9pah8PhohL1ThaeTa4UVa7gu
   s3SecretKey: ju3eum4dekeich9ahM1te8waeGai0oog
-  resticPassword: ChaXoveekoh6eigh4siesheeda2quai0
+
+## @section Bootstrap parameters
+
+## @param bootstrap.enabled Restore database cluster from a backup
+## @param bootstrap.recoveryTime Timestamp (PITR) up to which recovery will proceed, expressed in RFC 3339 format. If left empty, will restore latest
+## @param bootstrap.oldName Name of database cluster before deleting
+##
+bootstrap:
+  enabled: false
+  # example: 2020-11-26 15:22:00.00000+00
+  recoveryTime: ""
+  oldName: ""
+
 
 ## @param resources Explicit CPU and memory configuration for each FerretDB replica. When left empty, the preset defined in `resourcesPreset` is applied.
 resources: {}