The ObjectStore controller now lists Roles by a label
(barmancloud.cnpg.io/cluster) set by the Pre hook, inspects their
rules to find which ObjectStores they reference, then fetches those
ObjectStores and rebuilds the rules. This removes the clusters
get/list/watch permission. Conflict handling uses RetryOnConflict to
match the existing project pattern, and partial failures across Roles
are aggregated with errors.Join instead of failing on the first one.
Pre-existing Roles without the label won't be found by the ObjectStore
controller until the Pre hook adds it on the next Cluster
reconciliation. Same staleness window as the current main branch.
Signed-off-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com>
When an ObjectStore's credentials change (e.g., secret rename), the
RBAC Role granting the Cluster's ServiceAccount access to those secrets
was not updated because nothing triggered a Cluster reconciliation.
Implement the ObjectStore controller's Reconcile to detect referencing
Clusters and update their Roles directly. Extract ensureRole into a
shared rbac.EnsureRole function used by both the Pre hook and the
ObjectStore controller.
Handle concurrent modifications between the Pre hook and ObjectStore
controller gracefully: AlreadyExists on Create and Conflict on Patch
are retried once to avoid propagating transient errors as gRPC failures
to CNPG.
Replace the custom setOwnerReference helper (ownership.go) with
controllerutil.SetControllerReference for both Role and RoleBinding.
The old helper read the GVK from the object's metadata and replaced
all owner references unconditionally. The new function reads the GVK
from the scheme and appends to existing owner references, refusing to
overwrite if another controller already owns the object. Both produce
identical results for our use case since the Role is always freshly
built. The GVK is now resolved from the scheme configured via
CUSTOM_CNPG_GROUP/CUSTOM_CNPG_VERSION, which must match the actual
CNPG API group (same requirement as the instance sidecar).
Add dynamic CNPG scheme registration (internal/scheme) to the operator,
instance, and restore managers, replacing hardcoded cnpgv1.AddToScheme
calls. Add RBAC permission for the plugin to list/watch Clusters.
Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com>
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| commitlint | digest | `d6be835` → `9d731d1` |
| controller-gen | digest | `d6be835` → `9d731d1` |
| crd-gen-refs | digest | `d6be835` → `9d731d1` |
| spellcheck | digest | `d6be835` → `9d731d1` |
| uncommitted | digest | `d6be835` → `9d731d1` |
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about these
updates again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/cloudnative-pg/plugin-barman-cloud).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41OS4wIiwidXBkYXRlZEluVmVyIjoiNDMuNTkuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiYXV0b21hdGVkIiwibm8taXNzdWUiXX0=-->
---------
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Jonathan Gonzalez V. <jonathan.gonzalez@enterprisedb.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Jonathan Gonzalez V. <jonathan.gonzalez@enterprisedb.com>
This commit adds support for the DefaultAzureCredential authentication
mechanism in Azure Blob Storage. Users can now use the
`useDefaultAzureCredentials` option to enable Azure's default credential
chain, which automatically discovers and uses available credentials in
the following order
1. Environment Variables (Service Principal)
2. Managed Identity
3. Azure CLI
4. Azure PowerShell
This is particularly useful when running on Azure Kubernetes Service
(AKS) with Workload Identity, eliminating the need to explicitly store
credentials in Kubernetes Secrets.
Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com>
Signed-off-by: Gabriele Fedi <gabriele.fedi@enterprisedb.com>
Signed-off-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com>
Co-authored-by: Gabriele Fedi <gabriele.fedi@enterprisedb.com>
Co-authored-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com>
BREAKING CHANGE: All RBAC resource names have been renamed with
consistent prefixes to prevent naming conflicts with other cluster
components.
Users must migrate their existing installations by deleting old
resources and applying the new manifest. See the migration guide for
detailed instructions (when the 0.8.0 will be published):
https://cloudnative-pg.io/plugin-barman-cloud/resource-name-migration/Closes#395
Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com>
Signed-off-by: Jonathan Battiato <jonathan.battiato@enterprisedb.com>
Signed-off-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>
Signed-off-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com>
Co-authored-by: Jonathan Battiato <jonathan.battiato@enterprisedb.com>
Co-authored-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>
Co-authored-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com>
This commit adds a new `logLevel` field to the plugin configuration,
allowing users to select the desired log verbosity for the instances
(e.g. error, warning, info, debug, trace).
Closes#514
Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com>
Signed-off-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>
Co-authored-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>
Introduce the `additionalContainerArgs` field in the `ObjectStore` resource.
It allows specifying an optional list of command-line arguments appended to
the Barman Cloud sidecar container at startup.
Closes#501
Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com>
Signed-off-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>
Signed-off-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>
Co-authored-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>
Co-authored-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>
Add the required missing permission to operate in k8s
environments where the Admission Controller
Plugin "OwnerReferencesPermissionEnforcement"
is enabled.
Signed-off-by: Gabriele Fedi <gabriele.fedi@enterprisedb.com>
This commit makes the Barman cloud plugin support the enforcement of
retention policy as provided by the barman-cloud tool suite.
The first recoverability point and the last successful backup are
shown in the status of the ObjectStore resource for each involved
server name.
Signed-off-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>
Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com>
Signed-off-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com>
Co-authored-by: Armando Ruocco <armando.ruocco@enterprisedb.com>
Co-authored-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com>
Automatically generate a manifest.yaml file that can be applied to
evaluate the content of the latest commit of the main branch.
Signed-off-by: Francesco Canovai <francesco.canovai@enterprisedb.com>