Compare commits

...

8 Commits

Author SHA1 Message Date
Rasmus Kock Thygesen
4b396d4a93
Merge c1d963973d into 0bb78879ce 2026-05-29 11:00:41 +02:00
renovate[bot]
0bb78879ce
chore(deps): update dependency barman to v3.19.1 (#921)
Some checks failed
release-please / release-please (push) Failing after 4s
This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [barman](https://www.pgbarman.org/) | `==3.18.0` → `==3.19.1` |
![age](https://developer.mend.io/api/mc/badges/age/pypi/barman/3.19.1?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/barman/3.18.0/3.19.1?slim=true)
|

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xODUuMSIsInVwZGF0ZWRJblZlciI6IjQzLjE5NC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJhdXRvbWF0ZWQiLCJuby1pc3N1ZSJdfQ==-->

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-05-28 12:15:32 +02:00
renovate[bot]
ef4b711137
fix(deps): update module github.com/cloudnative-pg/machinery to v0.5.0 (#925)
Some checks failed
release-please / release-please (push) Failing after 4s
This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
|
[github.com/cloudnative-pg/machinery](https://redirect.github.com/cloudnative-pg/machinery)
| `v0.4.0` → `v0.5.0` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fcloudnative-pg%2fmachinery/v0.5.0?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fcloudnative-pg%2fmachinery/v0.4.0/v0.5.0?slim=true)
|

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xOTQuMCIsInVwZGF0ZWRJblZlciI6IjQzLjE5NC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJhdXRvbWF0ZWQiLCJuby1pc3N1ZSJdfQ==-->

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-05-27 21:57:18 +02:00
renovate[bot]
baf7985d66
chore(deps): update all cloudnative-pg daggerverse dependencies to 21755df (#928)
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| commitlint | digest | `537e0dd` → `21755df` |
| controller-gen | digest | `537e0dd` → `21755df` |
| crd-gen-refs | digest | `537e0dd` → `21755df` |
| spellcheck | digest | `537e0dd` → `21755df` |
| uncommitted | digest | `537e0dd` → `21755df` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/7) for more information.

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these
updates again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/cloudnative-pg/plugin-barman-cloud).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xOTQuMCIsInVwZGF0ZWRJblZlciI6IjQzLjE5NC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJhdXRvbWF0ZWQiLCJuby1pc3N1ZSJdfQ==-->

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-05-27 17:31:15 +02:00
renovate[bot]
d244faa5b2
chore(deps): update dependency dagger/dagger to v0.21.0 (#926)
Some checks failed
release-please / release-please (push) Failing after 6s
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [dagger/dagger](https://redirect.github.com/dagger/dagger) | minor |
`0.20.8` → `0.21.0` |

---

### Release Notes

<details>
<summary>dagger/dagger (dagger/dagger)</summary>

###
[`v0.21.0`](https://redirect.github.com/dagger/dagger/blob/HEAD/CHANGELOG.md#v0210---2026-05-22)

[Compare
Source](https://redirect.github.com/dagger/dagger/compare/v0.20.8...v0.21.0)

##### Added

- Automatically expose a `check` for each `generate` function by
[@&#8203;eunomie](https://redirect.github.com/eunomie) in
[#&#8203;12923](https://redirect.github.com/dagger/dagger/pull/12923) \
Each generated `check` has the same name as its `generate` function, so
`dagger check` can report whether generated files are out of date.
Use `dagger check --no-generate` to list or run only functions
explicitly marked as checks, without the generated ones.
Toolchains can set `ignoreChecks` to skip creating checks for specific
`generate` functions.
- Add workspace lockfiles for selected lookups such as `container.from`
and Git refs by [@&#8203;shykes](https://redirect.github.com/shykes) +
[@&#8203;alexcb](https://redirect.github.com/alexcb) +
[@&#8203;grouville](https://redirect.github.com/grouville) +
[@&#8203;tiborvass](https://redirect.github.com/tiborvass) +
[@&#8203;eunomie](https://redirect.github.com/eunomie) in
[#&#8203;12046](https://redirect.github.com/dagger/dagger/pull/12046)
[#&#8203;13094](https://redirect.github.com/dagger/dagger/pull/13094) \
Locking is opt-in with `--lock live`, `--lock pinned`, or `--lock
frozen`: live mode resolves and records live values, pinned mode prefers
recorded pins while resolving the rest live, and frozen mode only
resolves from `.dagger/lock`.
Use `dagger lock update` to refresh entries already recorded in
`.dagger/lock`; it now creates the file when missing.
This also fixes remote Git tree cache keys so cache reuse follows the
actual checkout inputs.
- Add an interactive tests view to the TUI, plus compact test summaries
for pretty, plain, logs, dots, and report progress modes by
[@&#8203;vito](https://redirect.github.com/vito) in
[#&#8203;13073](https://redirect.github.com/dagger/dagger/pull/13073)
- Add experimental `--x-release=<ref>` and `DAGGER_X_RELEASE=<ref>`
support for running a command against an unreleased Dagger build from a
GitHub ref, fixing
[#&#8203;12996](https://redirect.github.com/dagger/dagger/issues/12996)
by [@&#8203;tiborvass](https://redirect.github.com/tiborvass) in
[#&#8203;13156](https://redirect.github.com/dagger/dagger/pull/13156)
- Add a configurable Kubernetes `Service` to the Helm chart by
[@&#8203;pierreyves-lebrun](https://redirect.github.com/pierreyves-lebrun)
+ [@&#8203;grouville](https://redirect.github.com/grouville) in
[#&#8203;11993](https://redirect.github.com/dagger/dagger/pull/11993)
- Add `EngineCacheEntry.dagqlCall` and `EngineCacheEntry.recordTypes` so
cache entries expose the producing DagQL call and all represented
storage record types for inspection and GC filtering by
[@&#8203;sipsma](https://redirect.github.com/sipsma) in
[#&#8203;13207](https://redirect.github.com/dagger/dagger/pull/13207)
- Show the Dagger Cloud trace URL when using the logs frontend by
[@&#8203;marcosnils](https://redirect.github.com/marcosnils) in
[#&#8203;13105](https://redirect.github.com/dagger/dagger/pull/13105)
- Dang SDK: add support for local types that shadow Dagger core types,
early `return`, self-calls, order-independent declarations, and stricter
nullability/type checking by
[@&#8203;vito](https://redirect.github.com/vito) in
[#&#8203;13184](https://redirect.github.com/dagger/dagger/pull/13184)

##### Changed

- Migrate caching to DagQL and remove the BuildKit solver backend,
making DagQL responsible for cache lookups, persistence, and pruning by
[@&#8203;sipsma](https://redirect.github.com/sipsma) in
[#&#8203;11856](https://redirect.github.com/dagger/dagger/pull/11856)
- Improve engine performance and memory use by reducing bbolt/containerd
metadata overhead, lazily creating containerd operation leases, reusing
pooled CNI namespaces for default execs, and batching long
`withDirectory` chains instead of materializing them quadratically by
[@&#8203;sipsma](https://redirect.github.com/sipsma) in
[#&#8203;13117](https://redirect.github.com/dagger/dagger/pull/13117)
[#&#8203;13123](https://redirect.github.com/dagger/dagger/pull/13123)
[#&#8203;13144](https://redirect.github.com/dagger/dagger/pull/13144)
[#&#8203;13124](https://redirect.github.com/dagger/dagger/pull/13124)
- Deduplicate equivalent in-flight DagQL calls across clients in the
same session and fall back to same-session secret/socket attachables
when the original client binding is gone by
[@&#8203;sipsma](https://redirect.github.com/sipsma) in
[#&#8203;13118](https://redirect.github.com/dagger/dagger/pull/13118)

##### Fixed

- Fix enum argument defaults so they appear correctly in schema output
and CLI help by
[@&#8203;kpenfound](https://redirect.github.com/kpenfound) in
[#&#8203;13068](https://redirect.github.com/dagger/dagger/pull/13068)
- Fix module loading and type generation failures caused by stale
handle-form module IDs and nested client session races, replacing
`session ... not found` failures with the intended behavior or original
error by [@&#8203;sipsma](https://redirect.github.com/sipsma) in
[#&#8203;13108](https://redirect.github.com/dagger/dagger/pull/13108)
[#&#8203;13119](https://redirect.github.com/dagger/dagger/pull/13119)
- Fix bound service failures so dependent execs and container-backed
services see the service exit as the cause while interactive terminals
stay open by [@&#8203;vito](https://redirect.github.com/vito) in
[#&#8203;13099](https://redirect.github.com/dagger/dagger/pull/13099)
- Fix remote Git checkout behavior so cached trees can be reused after
cache pruning by [@&#8203;sipsma](https://redirect.github.com/sipsma) in
[#&#8203;13141](https://redirect.github.com/dagger/dagger/pull/13141)
- Fix Changeset merge cleanup flakiness by disabling Git
auto-maintenance in Dagger's temporary merge repositories by
[@&#8203;sipsma](https://redirect.github.com/sipsma) in
[#&#8203;13121](https://redirect.github.com/dagger/dagger/pull/13121)
- Fix `WithSecretVariable` so later calls override earlier values,
fixing
[#&#8203;13147](https://redirect.github.com/dagger/dagger/issues/13147)
by [@&#8203;matipan](https://redirect.github.com/matipan) in
[#&#8203;13159](https://redirect.github.com/dagger/dagger/pull/13159)
- Fix user-default secret and env handling so empty plaintext secrets
resolve correctly, `.env` values are not double-expanded through
namespaces, and plaintext `Secret` defaults are scrubbed in console
output; fixes
[#&#8203;12855](https://redirect.github.com/dagger/dagger/issues/12855)
and closes
[#&#8203;12014](https://redirect.github.com/dagger/dagger/pull/12014) by
[@&#8203;sipsma](https://redirect.github.com/sipsma) +
[@&#8203;marcosnils](https://redirect.github.com/marcosnils) +
[@&#8203;tiborvass](https://redirect.github.com/tiborvass) in
[#&#8203;13163](https://redirect.github.com/dagger/dagger/pull/13163)
[#&#8203;13160](https://redirect.github.com/dagger/dagger/pull/13160)
[#&#8203;13177](https://redirect.github.com/dagger/dagger/pull/13177)
- Fix telemetry and replay output so `dagger check` log telemetry is not
dropped, Python module logs are not duplicated, and `dagger trace`
honors frontend flags by
[@&#8203;vito](https://redirect.github.com/vito) +
[@&#8203;sipsma](https://redirect.github.com/sipsma) in
[#&#8203;13114](https://redirect.github.com/dagger/dagger/pull/13114)
[#&#8203;13153](https://redirect.github.com/dagger/dagger/pull/13153)
- Fix `dagger generate --scale-out` returning unusable remote
`Changeset` objects by always running generation locally; `dagger check
--scale-out` remains supported by
[@&#8203;eunomie](https://redirect.github.com/eunomie) in
[#&#8203;13190](https://redirect.github.com/dagger/dagger/pull/13190)
- Fix toolchain customizations so they propagate when toolchain
functions are called through another module function by
[@&#8203;suprjinx](https://redirect.github.com/suprjinx) in
[#&#8203;13176](https://redirect.github.com/dagger/dagger/pull/13176)
- Dang SDK: fix panics, initialization-race typechecking failures, and
ID argument handling by
[@&#8203;tiborvass](https://redirect.github.com/tiborvass) +
[@&#8203;vito](https://redirect.github.com/vito) in
[#&#8203;13098](https://redirect.github.com/dagger/dagger/pull/13098)
[#&#8203;13103](https://redirect.github.com/dagger/dagger/pull/13103)
[#&#8203;13150](https://redirect.github.com/dagger/dagger/pull/13150)
- Java SDK: fix version updates so `mvn versions:set` no longer performs
unnecessary dependency/plugin resolution, preventing Maven Central 429
failures; fixes
[#&#8203;13174](https://redirect.github.com/dagger/dagger/issues/13174)
by
[@&#8203;dagger-codex](https://redirect.github.com/dagger-codex)\[bot] +
[@&#8203;tiborvass](https://redirect.github.com/tiborvass) in
[#&#8203;13198](https://redirect.github.com/dagger/dagger/pull/13198)
- Python SDK: fix static module analysis regressions from the AST
analyzer cutover, including inherited functions, aliased decorators and
fields, `@staticmethod`, type aliases, constants/defaults, `Annotated`,
`Optional`, `Union`, and relative imports; fixes
[#&#8203;13097](https://redirect.github.com/dagger/dagger/issues/13097)
and
[#&#8203;13089](https://redirect.github.com/dagger/dagger/issues/13089)
by [@&#8203;eunomie](https://redirect.github.com/eunomie) in
[#&#8203;13095](https://redirect.github.com/dagger/dagger/pull/13095)
- Python SDK: fix more AST analyzer cases for `TypeAlias` inside `X |
None`, quoted and aliased annotations, and absolute self-package imports
by [@&#8203;marcosnils](https://redirect.github.com/marcosnils) +
[@&#8203;grouville](https://redirect.github.com/grouville) +
[@&#8203;eunomie](https://redirect.github.com/eunomie) in
[#&#8203;13149](https://redirect.github.com/dagger/dagger/pull/13149)
[#&#8203;13162](https://redirect.github.com/dagger/dagger/pull/13162)
[#&#8203;13171](https://redirect.github.com/dagger/dagger/pull/13171)
- Python SDK: exclude the broken `yarl` 1.24.1 release from the
dependency range by
[@&#8203;tiborvass](https://redirect.github.com/tiborvass) in
[#&#8203;13189](https://redirect.github.com/dagger/dagger/pull/13189)
- Rust SDK: fix list-of-object fields so generated clients load each
object by ID instead of returning an incorrect single wrapped selection
by [@&#8203;wingyplus](https://redirect.github.com/wingyplus) in
[#&#8203;13000](https://redirect.github.com/dagger/dagger/pull/13000)

##### What to do next?

- Read the [documentation](https://docs.dagger.io)
- Join our [Discord server](https://discord.gg/dagger-io)
- Follow us on [Twitter](https://twitter.com/dagger_io)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/cloudnative-pg/plugin-barman-cloud).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xOTQuMCIsInVwZGF0ZWRJblZlciI6IjQzLjE5NC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJhdXRvbWF0ZWQiLCJuby1pc3N1ZSJdfQ==-->

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-05-27 09:02:39 +02:00
Rasmus Kock Thygesen
c1d963973d
Merge branch 'main' into rkth/azure-workload-identity 2026-04-30 14:30:35 +02:00
Rasmus Kock Thygesen
2a12a52211
Merge branch 'main' into rkth/azure-workload-identity 2026-04-14 15:29:07 +02:00
rkthtrifork
2a70f54ef8
Add Azure workload identity support
Signed-off-by: rkthtrifork <rkth@trifork.com>
2026-03-17 09:29:04 +01:00
11 changed files with 264 additions and 36 deletions

View File

@ -44,7 +44,7 @@ jobs:
- name: Install Dagger - name: Install Dagger
env: env:
# renovate: datasource=github-tags depName=dagger/dagger versioning=semver # renovate: datasource=github-tags depName=dagger/dagger versioning=semver
DAGGER_VERSION: 0.20.8 DAGGER_VERSION: 0.21.0
run: | run: |
curl -L https://dl.dagger.io/dagger/install.sh | BIN_DIR=$HOME/.local/bin sh curl -L https://dl.dagger.io/dagger/install.sh | BIN_DIR=$HOME/.local/bin sh
- name: Run CI task - name: Run CI task

View File

@ -31,7 +31,7 @@ jobs:
- name: Install Dagger - name: Install Dagger
env: env:
# renovate: datasource=github-tags depName=dagger/dagger versioning=semver # renovate: datasource=github-tags depName=dagger/dagger versioning=semver
DAGGER_VERSION: 0.20.8 DAGGER_VERSION: 0.21.0
run: | run: |
curl -L https://dl.dagger.io/dagger/install.sh | BIN_DIR=$HOME/.local/bin sh curl -L https://dl.dagger.io/dagger/install.sh | BIN_DIR=$HOME/.local/bin sh
- name: Create image and manifest - name: Create image and manifest

View File

@ -21,7 +21,7 @@ jobs:
- name: Install Dagger - name: Install Dagger
env: env:
# renovate: datasource=github-tags depName=dagger/dagger versioning=semver # renovate: datasource=github-tags depName=dagger/dagger versioning=semver
DAGGER_VERSION: 0.20.8 DAGGER_VERSION: 0.21.0
run: | run: |
curl -L https://dl.dagger.io/dagger/install.sh | BIN_DIR=$HOME/.local/bin sh curl -L https://dl.dagger.io/dagger/install.sh | BIN_DIR=$HOME/.local/bin sh
- name: Create image and manifest - name: Create image and manifest

View File

@ -46,7 +46,7 @@ tasks:
- wordlist-ordered - wordlist-ordered
env: env:
# renovate: datasource=git-refs depName=spellcheck lookupName=https://github.com/cloudnative-pg/daggerverse currentValue=main # renovate: datasource=git-refs depName=spellcheck lookupName=https://github.com/cloudnative-pg/daggerverse currentValue=main
DAGGER_SPELLCHECK_SHA: 537e0ddae55ad0344af8f4454de7f27baeee48fa DAGGER_SPELLCHECK_SHA: 21755df1a27febff19b28dbe6ae57116f6088bb0
cmds: cmds:
- > - >
GITHUB_REF= dagger -s call -m github.com/cloudnative-pg/daggerverse/spellcheck@${DAGGER_SPELLCHECK_SHA} GITHUB_REF= dagger -s call -m github.com/cloudnative-pg/daggerverse/spellcheck@${DAGGER_SPELLCHECK_SHA}
@ -60,7 +60,7 @@ tasks:
desc: Check for conventional commits desc: Check for conventional commits
env: env:
# renovate: datasource=git-refs depName=commitlint lookupName=https://github.com/cloudnative-pg/daggerverse currentValue=main # renovate: datasource=git-refs depName=commitlint lookupName=https://github.com/cloudnative-pg/daggerverse currentValue=main
DAGGER_COMMITLINT_SHA: 537e0ddae55ad0344af8f4454de7f27baeee48fa DAGGER_COMMITLINT_SHA: 21755df1a27febff19b28dbe6ae57116f6088bb0
cmds: cmds:
- > - >
GITHUB_REF= dagger -s call -m github.com/cloudnative-pg/daggerverse/commitlint@${DAGGER_COMMITLINT_SHA} GITHUB_REF= dagger -s call -m github.com/cloudnative-pg/daggerverse/commitlint@${DAGGER_COMMITLINT_SHA}
@ -74,7 +74,7 @@ tasks:
- wordlist-ordered - wordlist-ordered
env: env:
# renovate: datasource=git-refs depName=uncommitted lookupName=https://github.com/cloudnative-pg/daggerverse currentValue=main # renovate: datasource=git-refs depName=uncommitted lookupName=https://github.com/cloudnative-pg/daggerverse currentValue=main
DAGGER_UNCOMMITTED_SHA: 537e0ddae55ad0344af8f4454de7f27baeee48fa DAGGER_UNCOMMITTED_SHA: 21755df1a27febff19b28dbe6ae57116f6088bb0
cmds: cmds:
- GITHUB_REF= dagger -s call -m github.com/cloudnative-pg/daggerverse/uncommitted@${DAGGER_UNCOMMITTED_SHA} check-uncommitted --source . stdout - GITHUB_REF= dagger -s call -m github.com/cloudnative-pg/daggerverse/uncommitted@${DAGGER_UNCOMMITTED_SHA} check-uncommitted --source . stdout
sources: sources:
@ -86,7 +86,7 @@ tasks:
- controller-gen - controller-gen
env: env:
# renovate: datasource=git-refs depName=crd-gen-refs lookupName=https://github.com/cloudnative-pg/daggerverse currentValue=main # renovate: datasource=git-refs depName=crd-gen-refs lookupName=https://github.com/cloudnative-pg/daggerverse currentValue=main
DAGGER_CRDGENREF_SHA: 537e0ddae55ad0344af8f4454de7f27baeee48fa DAGGER_CRDGENREF_SHA: 21755df1a27febff19b28dbe6ae57116f6088bb0
# renovate: datasource=go depName=github.com/elastic/crd-ref-docs # renovate: datasource=go depName=github.com/elastic/crd-ref-docs
CRDREFDOCS_VERSION: v0.3.0 CRDREFDOCS_VERSION: v0.3.0
cmds: cmds:
@ -206,7 +206,7 @@ tasks:
- start-build-network - start-build-network
vars: vars:
# renovate: datasource=github-tags depName=dagger/dagger versioning=semver # renovate: datasource=github-tags depName=dagger/dagger versioning=semver
DAGGER_VERSION: 0.20.8 DAGGER_VERSION: 0.21.0
DAGGER_ENGINE_IMAGE: registry.dagger.io/engine:v{{ .DAGGER_VERSION }} DAGGER_ENGINE_IMAGE: registry.dagger.io/engine:v{{ .DAGGER_VERSION }}
cmds: cmds:
- > - >
@ -381,7 +381,7 @@ tasks:
run: once run: once
env: env:
# renovate: datasource=git-refs depName=controller-gen lookupName=https://github.com/cloudnative-pg/daggerverse currentValue=main # renovate: datasource=git-refs depName=controller-gen lookupName=https://github.com/cloudnative-pg/daggerverse currentValue=main
DAGGER_CONTROLLER_GEN_SHA: 537e0ddae55ad0344af8f4454de7f27baeee48fa DAGGER_CONTROLLER_GEN_SHA: 21755df1a27febff19b28dbe6ae57116f6088bb0
cmds: cmds:
- > - >
GITHUB_REF= dagger -s call -m github.com/cloudnative-pg/daggerverse/controller-gen@${DAGGER_CONTROLLER_GEN_SHA} GITHUB_REF= dagger -s call -m github.com/cloudnative-pg/daggerverse/controller-gen@${DAGGER_CONTROLLER_GEN_SHA}

View File

@ -1,3 +1,3 @@
barman[azure,cloud,google,snappy,zstandard,lz4]==3.18.0 barman[azure,cloud,google,snappy,zstandard,lz4]==3.19.1
setuptools==82.0.1 setuptools==82.0.1
zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability

View File

@ -18,9 +18,9 @@ azure-storage-blob==12.29.0 \
--hash=sha256:2824ddd7ebc9056034ebc76b17971a38e9aa5835abb0d565b9700493f2a6c657 \ --hash=sha256:2824ddd7ebc9056034ebc76b17971a38e9aa5835abb0d565b9700493f2a6c657 \
--hash=sha256:ccf8a1bcd5e49df83ab85aab793b579e5ba2eeea2ad8900b2f62ca3a37dc391f --hash=sha256:ccf8a1bcd5e49df83ab85aab793b579e5ba2eeea2ad8900b2f62ca3a37dc391f
# via barman # via barman
barman==3.18.0 \ barman==3.19.1 \
--hash=sha256:8e752ac93d2f3a61e86b8374185209cae477a638ece7e6f540070f36d28d6997 \ --hash=sha256:0a6a9e1babf97687732d8b2a3eb79ea95d55246a5257b9433865cb6e755221c0 \
--hash=sha256:ff90c44dafa4107b7574142771cdc2611c4cf1af818d93d3e67440a0c81164b9 --hash=sha256:2f71c4a1f1ba53f694cbdf838bb9906d8ba02b97d1fd3041196e8999bec7a1ee
# via -r sidecar-requirements.in # via -r sidecar-requirements.in
boto3==1.43.14 \ boto3==1.43.14 \
--hash=sha256:574335744656cfed0b362a0a0467aaf2eb2bf15526edcd02d31d3c661f4b09e4 \ --hash=sha256:574335744656cfed0b362a0a0467aaf2eb2bf15526edcd02d31d3c661f4b09e4 \
@ -788,6 +788,4 @@ zstandard==0.25.0 \
setuptools==82.0.1 \ setuptools==82.0.1 \
--hash=sha256:7d872682c5d01cfde07da7bccc7b65469d3dca203318515ada1de5eda35efbf9 \ --hash=sha256:7d872682c5d01cfde07da7bccc7b65469d3dca203318515ada1de5eda35efbf9 \
--hash=sha256:a59e362652f08dcd477c78bb6e7bd9d80a7995bc73ce773050228a348ce2e5bb --hash=sha256:a59e362652f08dcd477c78bb6e7bd9d80a7995bc73ce773050228a348ce2e5bb
# via # via -r sidecar-requirements.in
# -r sidecar-requirements.in
# barman

4
go.mod
View File

@ -9,7 +9,7 @@ require (
github.com/cloudnative-pg/cloudnative-pg v1.29.1 github.com/cloudnative-pg/cloudnative-pg v1.29.1
github.com/cloudnative-pg/cnpg-i v0.5.0 github.com/cloudnative-pg/cnpg-i v0.5.0
github.com/cloudnative-pg/cnpg-i-machinery v0.4.2 github.com/cloudnative-pg/cnpg-i-machinery v0.4.2
github.com/cloudnative-pg/machinery v0.4.0 github.com/cloudnative-pg/machinery v0.5.0
github.com/onsi/ginkgo/v2 v2.29.0 github.com/onsi/ginkgo/v2 v2.29.0
github.com/onsi/gomega v1.41.0 github.com/onsi/gomega v1.41.0
github.com/spf13/cobra v1.10.2 github.com/spf13/cobra v1.10.2
@ -114,7 +114,7 @@ require (
golang.org/x/net v0.53.0 // indirect golang.org/x/net v0.53.0 // indirect
golang.org/x/oauth2 v0.36.0 // indirect golang.org/x/oauth2 v0.36.0 // indirect
golang.org/x/sync v0.20.0 // indirect golang.org/x/sync v0.20.0 // indirect
golang.org/x/sys v0.43.0 // indirect golang.org/x/sys v0.45.0 // indirect
golang.org/x/term v0.42.0 // indirect golang.org/x/term v0.42.0 // indirect
golang.org/x/text v0.36.0 // indirect golang.org/x/text v0.36.0 // indirect
golang.org/x/time v0.15.0 // indirect golang.org/x/time v0.15.0 // indirect

8
go.sum
View File

@ -28,8 +28,8 @@ github.com/cloudnative-pg/cnpg-i v0.5.0 h1:/TOzpNT6cwNgrpftTtrnLKdoHgMwd+88vZgXj
github.com/cloudnative-pg/cnpg-i v0.5.0/go.mod h1:7Gh4+UzhBpGhr4DreB1GN9wGYfvxwXCXZUyVt3zE/3I= github.com/cloudnative-pg/cnpg-i v0.5.0/go.mod h1:7Gh4+UzhBpGhr4DreB1GN9wGYfvxwXCXZUyVt3zE/3I=
github.com/cloudnative-pg/cnpg-i-machinery v0.4.2 h1:0reS9MtyLYINHXQ/MfxJ9jp39hhBf8e3Qdj+T5Nsq6I= github.com/cloudnative-pg/cnpg-i-machinery v0.4.2 h1:0reS9MtyLYINHXQ/MfxJ9jp39hhBf8e3Qdj+T5Nsq6I=
github.com/cloudnative-pg/cnpg-i-machinery v0.4.2/go.mod h1:gvrKabgxXq0zGthXGucemDdsxakLEQDMxn43M4HLW30= github.com/cloudnative-pg/cnpg-i-machinery v0.4.2/go.mod h1:gvrKabgxXq0zGthXGucemDdsxakLEQDMxn43M4HLW30=
github.com/cloudnative-pg/machinery v0.4.0 h1:3sfqrBptH4QQSVB4g10Z+7aiQRnh4g+6AsqsK0ibKaQ= github.com/cloudnative-pg/machinery v0.5.0 h1:hhTnkzn+AiN3NmbjCQ6RXj5rfqV3K6arzq6kdXAzcnQ=
github.com/cloudnative-pg/machinery v0.4.0/go.mod h1:OIwaTYAnLv8PmBmBvEf0BvMK2JBX6J+naTMg9UgV1FQ= github.com/cloudnative-pg/machinery v0.5.0/go.mod h1:uuFjqBUjWn0a9uvAk1ixTSzPM0PrjaS+QiKLOIBqLm4=
github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g= github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@ -275,8 +275,8 @@ golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q= golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4= golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0= golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI= golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY=
golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw= golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY= golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY=
golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY= golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY=
golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg= golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=

View File

@ -150,10 +150,16 @@ func (impl LifecycleImplementation) reconcileJob(
return nil, err return nil, err
} }
useAzureWorkloadIdentity, err := impl.collectAzureWorkloadIdentityUsage(ctx, pluginConfiguration)
if err != nil {
return nil, err
}
return reconcileJob(ctx, cluster, request, sidecarConfiguration{ return reconcileJob(ctx, cluster, request, sidecarConfiguration{
env: env, env: env,
certificates: certificates, certificates: certificates,
resources: resources, resources: resources,
useAzureWorkloadIdentity: useAzureWorkloadIdentity,
}) })
} }
@ -162,6 +168,7 @@ type sidecarConfiguration struct {
certificates []corev1.VolumeProjection certificates []corev1.VolumeProjection
resources corev1.ResourceRequirements resources corev1.ResourceRequirements
additionalArgs []string additionalArgs []string
useAzureWorkloadIdentity bool
} }
func reconcileJob( func reconcileJob(
@ -248,11 +255,17 @@ func (impl LifecycleImplementation) reconcilePod(
return nil, err return nil, err
} }
useAzureWorkloadIdentity, err := impl.collectAzureWorkloadIdentityUsage(ctx, pluginConfiguration)
if err != nil {
return nil, err
}
return reconcileInstancePod(ctx, cluster, request, pluginConfiguration, sidecarConfiguration{ return reconcileInstancePod(ctx, cluster, request, pluginConfiguration, sidecarConfiguration{
env: env, env: env,
certificates: certificates, certificates: certificates,
resources: resources, resources: resources,
additionalArgs: additionalArgs, additionalArgs: additionalArgs,
useAzureWorkloadIdentity: useAzureWorkloadIdentity,
}) })
} }
@ -306,6 +319,25 @@ func (impl LifecycleImplementation) collectAdditionalInstanceArgs(
return nil, nil return nil, nil
} }
func (impl LifecycleImplementation) collectAzureWorkloadIdentityUsage(
ctx context.Context,
pluginConfiguration *config.PluginConfiguration,
) (bool, error) {
for _, objectKey := range pluginConfiguration.GetReferredBarmanObjectsKey() {
var objectStore barmancloudv1.ObjectStore
if err := impl.Client.Get(ctx, objectKey, &objectStore); err != nil {
return false, fmt.Errorf("while getting object store %s: %w", objectKey.String(), err)
}
if objectStore.Spec.Configuration.Azure != nil &&
objectStore.Spec.Configuration.Azure.UseDefaultAzureCredentials {
return true, nil
}
}
return false, nil
}
func reconcileInstancePod( func reconcileInstancePod(
ctx context.Context, ctx context.Context,
cluster *cnpgv1.Cluster, cluster *cnpgv1.Cluster,
@ -384,6 +416,13 @@ func reconcilePodSpec(
}, },
) )
if config.useAzureWorkloadIdentity {
envs = append(envs, corev1.EnvVar{
Name: "AZURE_FEDERATED_TOKEN_FILE",
Value: azureFederatedTokenFilePath,
})
}
envs = append(envs, config.env...) envs = append(envs, config.env...)
baseProbe := &corev1.Probe{ baseProbe := &corev1.Probe{
@ -471,6 +510,34 @@ func reconcilePodSpec(
spec.Volumes = removeVolume(spec.Volumes, barmanCertificatesVolumeName) spec.Volumes = removeVolume(spec.Volumes, barmanCertificatesVolumeName)
} }
if config.useAzureWorkloadIdentity {
sidecarTemplate.VolumeMounts = ensureVolumeMount(
sidecarTemplate.VolumeMounts,
corev1.VolumeMount{
Name: azureFederatedTokenVolumeName,
MountPath: azureFederatedTokenMountPath,
ReadOnly: true,
},
)
spec.Volumes = ensureVolume(spec.Volumes, corev1.Volume{
Name: azureFederatedTokenVolumeName,
VolumeSource: corev1.VolumeSource{
Projected: &corev1.ProjectedVolumeSource{
Sources: []corev1.VolumeProjection{
{
ServiceAccountToken: &corev1.ServiceAccountTokenProjection{
Path: azureFederatedTokenFileName,
Audience: azureFederatedTokenAudience,
ExpirationSeconds: ptr.To[int64](azureFederatedTokenExpirationSeconds),
},
},
},
},
},
})
}
if err := injectPluginSidecarPodSpec(spec, &sidecarTemplate, mainContainerName); err != nil { if err := injectPluginSidecarPodSpec(spec, &sidecarTemplate, mainContainerName); err != nil {
return err return err
} }
@ -478,6 +545,15 @@ func reconcilePodSpec(
return nil return nil
} }
const (
azureFederatedTokenVolumeName = "azure-identity-token"
azureFederatedTokenMountPath = "/var/run/secrets/azure/tokens"
azureFederatedTokenFileName = "azure-identity-token"
azureFederatedTokenFilePath = azureFederatedTokenMountPath + "/" + azureFederatedTokenFileName
azureFederatedTokenAudience = "api://AzureADTokenExchange"
azureFederatedTokenExpirationSeconds = 3600
)
// TODO: move to machinery once the logic is finalized // TODO: move to machinery once the logic is finalized
// InjectPluginVolumePodSpec injects the plugin volume into a CNPG Pod spec. // InjectPluginVolumePodSpec injects the plugin volume into a CNPG Pod spec.

View File

@ -22,6 +22,7 @@ package operator
import ( import (
"encoding/json" "encoding/json"
barmanapi "github.com/cloudnative-pg/barman-cloud/pkg/api"
cnpgv1 "github.com/cloudnative-pg/cloudnative-pg/api/v1" cnpgv1 "github.com/cloudnative-pg/cloudnative-pg/api/v1"
"github.com/cloudnative-pg/cloudnative-pg/pkg/utils" "github.com/cloudnative-pg/cloudnative-pg/pkg/utils"
"github.com/cloudnative-pg/cnpg-i/pkg/lifecycle" "github.com/cloudnative-pg/cnpg-i/pkg/lifecycle"
@ -387,6 +388,134 @@ var _ = Describe("LifecycleImplementation", func() {
Expect(args).To(Equal([]string{"--log-level=info"})) Expect(args).To(Equal([]string{"--log-level=info"}))
}) })
}) })
Describe("collectAzureWorkloadIdentityUsage", func() {
It("returns true when any referred object store uses default Azure credentials", func(ctx SpecContext) {
ns := "test-ns"
cluster := &cnpgv1.Cluster{ObjectMeta: metav1.ObjectMeta{Name: "c", Namespace: ns}}
pc := &config.PluginConfiguration{
Cluster: cluster,
BarmanObjectName: "primary-store",
RecoveryBarmanObjectName: "recovery-store",
}
primaryStore := &barmancloudv1.ObjectStore{
ObjectMeta: metav1.ObjectMeta{Name: pc.BarmanObjectName, Namespace: ns},
Spec: barmancloudv1.ObjectStoreSpec{
Configuration: barmanapi.BarmanObjectStoreConfiguration{
BarmanCredentials: barmanapi.BarmanCredentials{
Azure: &barmanapi.AzureCredentials{UseDefaultAzureCredentials: true},
},
},
},
}
recoveryStore := &barmancloudv1.ObjectStore{
ObjectMeta: metav1.ObjectMeta{Name: pc.RecoveryBarmanObjectName, Namespace: ns},
}
cli := buildClientFunc(primaryStore, recoveryStore).Build()
impl := LifecycleImplementation{Client: cli}
useWorkloadIdentity, err := impl.collectAzureWorkloadIdentityUsage(ctx, pc)
Expect(err).NotTo(HaveOccurred())
Expect(useWorkloadIdentity).To(BeTrue())
})
It("returns false when none of the referred object stores use default Azure credentials", func(ctx SpecContext) {
ns := "test-ns"
cluster := &cnpgv1.Cluster{ObjectMeta: metav1.ObjectMeta{Name: "c", Namespace: ns}}
pc := &config.PluginConfiguration{
Cluster: cluster,
BarmanObjectName: "primary-store",
}
primaryStore := &barmancloudv1.ObjectStore{
ObjectMeta: metav1.ObjectMeta{Name: pc.BarmanObjectName, Namespace: ns},
Spec: barmancloudv1.ObjectStoreSpec{
Configuration: barmanapi.BarmanObjectStoreConfiguration{
BarmanCredentials: barmanapi.BarmanCredentials{
Azure: &barmanapi.AzureCredentials{InheritFromAzureAD: true},
},
},
},
}
cli := buildClientFunc(primaryStore).Build()
impl := LifecycleImplementation{Client: cli}
useWorkloadIdentity, err := impl.collectAzureWorkloadIdentityUsage(ctx, pc)
Expect(err).NotTo(HaveOccurred())
Expect(useWorkloadIdentity).To(BeFalse())
})
})
})
var _ = Describe("reconcilePodSpec", func() {
It("injects the Azure federated token volume and env when workload identity is enabled", func() {
cluster := &cnpgv1.Cluster{ObjectMeta: metav1.ObjectMeta{Name: "cluster-1", Namespace: "ns-1"}}
spec := &corev1.PodSpec{
Containers: []corev1.Container{
{
Name: "postgres",
Env: []corev1.EnvVar{
{Name: "AZURE_CLIENT_ID", Value: "client-id"},
},
},
},
}
err := reconcilePodSpec(
cluster,
spec,
"postgres",
corev1.Container{Args: []string{"instance"}},
sidecarConfiguration{useAzureWorkloadIdentity: true},
)
Expect(err).NotTo(HaveOccurred())
Expect(spec.Volumes).To(ContainElement(HaveField("Name", azureFederatedTokenVolumeName)))
Expect(spec.InitContainers).To(HaveLen(1))
Expect(spec.InitContainers[0].Env).To(ContainElement(corev1.EnvVar{
Name: "AZURE_FEDERATED_TOKEN_FILE",
Value: azureFederatedTokenFilePath,
}))
Expect(spec.InitContainers[0].Env).To(ContainElement(corev1.EnvVar{
Name: "AZURE_CLIENT_ID",
Value: "client-id",
}))
Expect(spec.InitContainers[0].VolumeMounts).To(ContainElement(corev1.VolumeMount{
Name: azureFederatedTokenVolumeName,
MountPath: azureFederatedTokenMountPath,
ReadOnly: true,
}))
})
It("does not override an existing federated token file env", func() {
cluster := &cnpgv1.Cluster{ObjectMeta: metav1.ObjectMeta{Name: "cluster-1", Namespace: "ns-1"}}
spec := &corev1.PodSpec{
Containers: []corev1.Container{
{
Name: "postgres",
Env: []corev1.EnvVar{
{Name: "AZURE_FEDERATED_TOKEN_FILE", Value: "/custom/token"},
},
},
},
}
err := reconcilePodSpec(
cluster,
spec,
"postgres",
corev1.Container{Args: []string{"instance"}},
sidecarConfiguration{useAzureWorkloadIdentity: true},
)
Expect(err).NotTo(HaveOccurred())
Expect(spec.InitContainers).To(HaveLen(1))
Expect(spec.InitContainers[0].Env).To(ContainElement(corev1.EnvVar{
Name: "AZURE_FEDERATED_TOKEN_FILE",
Value: "/custom/token",
}))
Expect(spec.InitContainers[0].Env).NotTo(ContainElement(corev1.EnvVar{
Name: "AZURE_FEDERATED_TOKEN_FILE",
Value: azureFederatedTokenFilePath,
}))
})
}) })
var _ = Describe("Volume utilities", func() { var _ = Describe("Volume utilities", func() {

View File

@ -272,9 +272,10 @@ flow, which uses [`DefaultAzureCredential`](https://learn.microsoft.com/en-us/py
to automatically discover and use available credentials in the following order: to automatically discover and use available credentials in the following order:
1. **Environment Variables**`AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, and `AZURE_TENANT_ID` for Service Principal authentication 1. **Environment Variables**`AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, and `AZURE_TENANT_ID` for Service Principal authentication
2. **Managed Identity** — Uses the managed identity assigned to the pod 2. **Workload Identity** — Uses `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, and a federated service account token
3. **Azure CLI** — Uses credentials from the Azure CLI if available 3. **Managed Identity** — Uses the managed identity assigned to the pod
4. **Azure PowerShell** — Uses credentials from Azure PowerShell if available 4. **Azure CLI** — Uses credentials from the Azure CLI if available
5. **Azure PowerShell** — Uses credentials from Azure PowerShell if available
This approach is particularly useful for getting started with development and testing; it allows This approach is particularly useful for getting started with development and testing; it allows
the SDK to attempt multiple authentication mechanisms seamlessly across different environments. the SDK to attempt multiple authentication mechanisms seamlessly across different environments.
@ -295,6 +296,30 @@ spec:
[...] [...]
``` ```
When `useDefaultAzureCredentials: true` is set, the plugin sidecar projects a
service account token with the Azure workload identity audience and exposes it
as `AZURE_FEDERATED_TOKEN_FILE`. If your platform does not already inject
`AZURE_CLIENT_ID` and `AZURE_TENANT_ID`, you can provide them through
`.spec.instanceSidecarConfiguration.env`:
```yaml
apiVersion: barmancloud.cnpg.io/v1
kind: ObjectStore
metadata:
name: azure-store
spec:
configuration:
destinationPath: "<destination path here>"
azureCredentials:
useDefaultAzureCredentials: true
instanceSidecarConfiguration:
env:
- name: AZURE_CLIENT_ID
value: "<managed-identity-client-id>"
- name: AZURE_TENANT_ID
value: "<tenant-id>"
```
### Access Key, SAS Token, or Connection String ### Access Key, SAS Token, or Connection String
Store credentials in a Kubernetes secret: Store credentials in a Kubernetes secret: