Merge 78d02d6803 into 0153abba82

.github/workflows/barman-base-image.yml

@@ -27,7 +27,7 @@ jobs:
       - name: Install Dagger
         env:
           # renovate: datasource=github-tags depName=dagger/dagger versioning=semver
-          DAGGER_VERSION: 0.19.10
+          DAGGER_VERSION: 0.19.8
         run: |
           curl -L https://dl.dagger.io/dagger/install.sh | BIN_DIR=$HOME/.local/bin sh
       - name: Publish a barman-base

.github/workflows/ci.yml

@@ -44,7 +44,7 @@ jobs:
       - name: Install Dagger
         env:
           # renovate: datasource=github-tags depName=dagger/dagger versioning=semver
-          DAGGER_VERSION: 0.19.10
+          DAGGER_VERSION: 0.19.8
         run: |
           curl -L https://dl.dagger.io/dagger/install.sh | BIN_DIR=$HOME/.local/bin sh
       - name: Run CI task

.github/workflows/release-please.yml

@@ -31,7 +31,7 @@ jobs:
       - name: Install Dagger
         env:
           # renovate: datasource=github-tags depName=dagger/dagger versioning=semver
-          DAGGER_VERSION: 0.19.10
+          DAGGER_VERSION: 0.19.8
         run: |
           curl -L https://dl.dagger.io/dagger/install.sh | BIN_DIR=$HOME/.local/bin sh
       - name: Create image and manifest

.github/workflows/release-publish.yml

@@ -21,7 +21,7 @@ jobs:
       - name: Install Dagger
         env:
           # renovate: datasource=github-tags depName=dagger/dagger versioning=semver
-          DAGGER_VERSION: 0.19.10
+          DAGGER_VERSION: 0.19.8
         run: |
           curl -L https://dl.dagger.io/dagger/install.sh | BIN_DIR=$HOME/.local/bin sh
       - name: Create image and manifest

.wordlist.txt

@@ -1,4 +1,3 @@
-AKS
 AccessDenied
 AdditionalContainerArgs
 Akamai
@@ -6,7 +5,6 @@ Azurite
 BarmanObjectStore
 BarmanObjectStoreConfiguration
 BarmanObjectStores
-CLI
 CNCF
 CRD
 CloudNativePG
@@ -40,7 +38,6 @@ PITR
 PoR
 PostgreSQL
 Postgres
-PowerShell
 README
 RPO
 RTO
@@ -48,7 +45,6 @@ RecoveryWindow
 ResourceRequirements
 RetentionPolicy
 SAS
-SDK
 SFO
 SPDX
 SPDX

Taskfile.yml

@@ -19,9 +19,9 @@ tasks:
     desc: Run golangci-lint
     env:
       # renovate: datasource=git-refs depName=golangci-lint lookupName=https://github.com/sagikazarmark/daggerverse currentValue=main
-      DAGGER_GOLANGCI_LINT_SHA: 5dcc7e4c4cd5ed230046955f42e27f2166545155
+      DAGGER_GOLANGCI_LINT_SHA: 6133ad18e131b891d4723b8e25d69f5de077b472
       # renovate: datasource=docker depName=golangci/golangci-lint versioning=semver
-      GOLANGCI_LINT_VERSION: v2.8.0
+      GOLANGCI_LINT_VERSION: v2.7.2
     cmds:
       - >
         GITHUB_REF= dagger -sc "github.com/sagikazarmark/daggerverse/golangci-lint@${DAGGER_GOLANGCI_LINT_SHA}
@@ -85,13 +85,9 @@ tasks:
     env:
       # renovate: datasource=git-refs depName=crd-gen-refs lookupName=https://github.com/cloudnative-pg/daggerverse currentValue=main
       DAGGER_CRDGENREF_SHA: ee59e34a99940e45f87a16177b1d640975b05b74
-      # renovate: datasource=go depName=github.com/elastic/crd-ref-docs
-      CRDREFDOCS_VERSION: v0.2.0
     cmds:
       - >
-        GITHUB_REF= dagger -s call -m github.com/cloudnative-pg/daggerverse/crd-ref-docs@${DAGGER_CRDGENREF_SHA}
+        GITHUB_REF= dagger -s call -m github.com/cloudnative-pg/daggerverse/crd-ref-docs@${DAGGER_CRDGENREF_SHA} generate
-        --version ${CRDREFDOCS_VERSION}
-        generate
         --src .
         --source-path api/v1
         --config-file hack/crd-gen-refs/config.yaml
@@ -206,7 +202,7 @@ tasks:
       - start-build-network
     vars:
       # renovate: datasource=github-tags depName=dagger/dagger versioning=semver
-      DAGGER_VERSION: 0.19.10
+      DAGGER_VERSION: 0.19.8
       DAGGER_ENGINE_IMAGE: registry.dagger.io/engine:v{{ .DAGGER_VERSION }}
     cmds:
       - >
@@ -486,7 +482,7 @@ tasks:
       IMAGE_VERSION: '{{regexReplaceAll "(\\d+)/merge" .GITHUB_REF_NAME "pr-${1}"}}'
     env:
       # renovate: datasource=git-refs depName=kustomize lookupName=https://github.com/sagikazarmark/daggerverse currentValue=main
-      DAGGER_KUSTOMIZE_SHA: 5dcc7e4c4cd5ed230046955f42e27f2166545155
+      DAGGER_KUSTOMIZE_SHA: 6133ad18e131b891d4723b8e25d69f5de077b472
     cmds:
       - >
         dagger -s call -m https://github.com/sagikazarmark/daggerverse/kustomize@${DAGGER_KUSTOMIZE_SHA}
@@ -516,7 +512,7 @@ tasks:
         - GITHUB_TOKEN
     env:
       # renovate: datasource=git-refs depName=gh lookupName=https://github.com/sagikazarmark/daggerverse
-      DAGGER_GH_SHA: 5dcc7e4c4cd5ed230046955f42e27f2166545155
+      DAGGER_GH_SHA: 6133ad18e131b891d4723b8e25d69f5de077b472
     preconditions:
       - sh: "[[ {{.GITHUB_REF}} =~ 'refs/tags/v.*' ]]"
         msg: not a tag, failing

config/crd/bases/barmancloud.cnpg.io_objectstores.yaml

@@ -108,11 +108,6 @@ spec:
                         - key
                         - name
                         type: object
-                      useDefaultAzureCredentials:
-                        description: |-
-                          Use the default Azure authentication flow, which includes DefaultAzureCredential.
-                          This allows authentication using environment variables and managed identities.
-                        type: boolean
                     type: object
                   data:
                     description: |-

containers/Dockerfile.sidecar

@@ -36,7 +36,7 @@ RUN --mount=type=cache,target=/go/pkg/mod --mount=type=cache,target=/root/.cache
 # Use plugin-barman-cloud-base to get the dependencies.
 # pip will build everything inside /usr, so we copy every file into a new
 # destination that will then be copied into the distroless container
-FROM ghcr.io/cloudnative-pg/plugin-barman-cloud-base:3.17.0-202601131704 AS pythonbuilder
+FROM ghcr.io/cloudnative-pg/plugin-barman-cloud-base:3.16.2-202512221525 AS pythonbuilder
 # Prepare a new /usr/ directory with the files we'll need in the final image
 RUN mkdir /new-usr/ && \
     cp -r --parents /usr/local/lib/ /usr/lib/*-linux-gnu/ /usr/local/bin/ \

containers/sidecar-requirements.in

@@ -1,3 +1,3 @@
-barman[azure,cloud,google,snappy,zstandard,lz4]==3.17.0
+barman[azure,cloud,google,snappy,zstandard,lz4]==3.16.2
 setuptools==80.9.0
 zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability

containers/sidecar-requirements.txt

@@ -4,9 +4,9 @@
 #
 #    pip-compile --allow-unsafe --generate-hashes --output-file=sidecar-requirements.txt --strip-extras sidecar-requirements.in
 #
-azure-core==1.38.0 \
+azure-core==1.37.0 \
-    --hash=sha256:8194d2682245a3e4e3151a667c686464c3786fed7918b394d035bdcd61bb5993 \
+    --hash=sha256:7064f2c11e4b97f340e8e8c6d923b822978be3016e46b7bc4aa4b337cfb48aee \
-    --hash=sha256:ab0c9b2cd71fecb1842d52c965c95285d3cfb38902f6766e4a471f1cd8905335
+    --hash=sha256:b3abe2c59e7d6bb18b38c275a5029ff80f98990e7c90a5e646249a56630fcc19
     # via
     #   azure-identity
     #   azure-storage-blob
@@ -14,27 +14,31 @@ azure-identity==1.25.1 \
     --hash=sha256:87ca8328883de6036443e1c37b40e8dc8fb74898240f61071e09d2e369361456 \
     --hash=sha256:e9edd720af03dff020223cd269fa3a61e8f345ea75443858273bcb44844ab651
     # via barman
-azure-storage-blob==12.28.0 \
+azure-storage-blob==12.27.1 \
-    --hash=sha256:00fb1db28bf6a7b7ecaa48e3b1d5c83bfadacc5a678b77826081304bd87d6461 \
+    --hash=sha256:65d1e25a4628b7b6acd20ff7902d8da5b4fde8e46e19c8f6d213a3abc3ece272 \
-    --hash=sha256:e7d98ea108258d29aa0efbfd591b2e2075fa1722a2fae8699f0b3c9de11eff41
+    --hash=sha256:a1596cc4daf5dac9be115fcb5db67245eae894cf40e4248243754261f7b674a6
     # via barman
-barman==3.17.0 \
+barman==3.16.2 \
-    --hash=sha256:07b033da14e72f103de44261c31bd0c3169bbb2e4de3481c6bb3510e9870d38e \
+    --hash=sha256:0549f451a1b928647c75c5a2977526233ad7a976bb83e9a4379c33ce61443515 \
-    --hash=sha256:d6618990a6dbb31af3286d746a278a038534b7e3cc617c2b379ef7ebdeb7ed5a
+    --hash=sha256:ab0c6f4f5cfc0cc12b087335bdd5def2edbca32bc1bf553cc5a9e78cd83df43a
     # via -r sidecar-requirements.in
-boto3==1.42.26 \
+boto3==1.42.14 \
-    --hash=sha256:0fbcf1922e62d180f3644bc1139425821b38d93c1e6ec27409325d2ae86131aa \
+    --hash=sha256:a5d005667b480c844ed3f814a59f199ce249d0f5669532a17d06200c0a93119c \
-    --hash=sha256:f116cfbe7408e0a9153da363f134d2f1b5008f17ee86af104f0ce59a62be1833
+    --hash=sha256:bfcc665227bb4432a235cb4adb47719438d6472e5ccbf7f09512046c3f749670
     # via barman
-botocore==1.42.26 \
+botocore==1.42.14 \
-    --hash=sha256:1c8855e3e811f015d930ccfe8751d4be295aae0562133d14b6f0b247cd6fd8d3 \
+    --hash=sha256:cf5bebb580803c6cfd9886902ca24834b42ecaa808da14fb8cd35ad523c9f621 \
-    --hash=sha256:71171c2d09ac07739f4efce398b15a4a8bc8769c17fb3bc99625e43ed11ad8b7
+    --hash=sha256:efe89adfafa00101390ec2c371d453b3359d5f9690261bc3bd70131e0d453e8e
     # via
     #   boto3
     #   s3transfer
-certifi==2026.1.4 \
+cachetools==6.2.4 \
-    --hash=sha256:9943707519e4add1115f44c2bc244f782c0249876bf51b6599fee1ffbedd685c \
+    --hash=sha256:69a7a52634fed8b8bf6e24a050fb60bff1c9bd8f6d24572b99c32d4e71e62a51 \
-    --hash=sha256:ac726dd470482006e014ad384921ed6438c457018f4b3d204aea4281258b2120
+    --hash=sha256:82c5c05585e70b6ba2d3ae09ea60b79548872185d2f24ae1f2709d37299fd607
+    # via google-auth
+certifi==2025.11.12 \
+    --hash=sha256:97de8790030bbd5c2d96b7ec782fc2f7820ef8dba6db909ccf95449f2d062d4b \
+    --hash=sha256:d8ab5478f2ecd78af242878415affce761ca6bc54a22a27e026d7c25357c3316
     # via requests
 cffi==2.0.0 \
     --hash=sha256:00bdf7acc5f795150faa6957054fbbca2439db2f775ce831222b66f192f03beb \
@@ -434,15 +438,15 @@ cryptography==46.0.3 \
     #   azure-storage-blob
     #   msal
     #   pyjwt
-google-api-core==2.29.0 \
+google-api-core==2.28.1 \
-    --hash=sha256:84181be0f8e6b04006df75ddfe728f24489f0af57c96a529ff7cf45bc28797f7 \
+    --hash=sha256:2b405df02d68e68ce0fbc138559e6036559e685159d148ae5861013dc201baf8 \
-    --hash=sha256:d30bc60980daa36e314b5d5a3e5958b0200cb44ca8fa1be2b614e932b75a3ea9
+    --hash=sha256:4021b0f8ceb77a6fb4de6fde4502cecab45062e66ff4f2895169e0b35bc9466c
     # via
     #   google-cloud-core
     #   google-cloud-storage
-google-auth==2.47.0 \
+google-auth==2.45.0 \
-    --hash=sha256:833229070a9dfee1a353ae9877dcd2dec069a8281a4e72e72f77d4a70ff945da \
+    --hash=sha256:82344e86dc00410ef5382d99be677c6043d72e502b625aa4f4afa0bdacca0f36 \
-    --hash=sha256:c516d68336bfde7cf0da26aab674a36fedcf04b37ac4edd59c597178760c3498
+    --hash=sha256:90d3f41b6b72ea72dd9811e765699ee491ab24139f34ebf1ca2b9cc0c38708f3
     # via
     #   google-api-core
     #   google-cloud-core
@@ -587,17 +591,17 @@ proto-plus==1.27.0 \
     --hash=sha256:1baa7f81cf0f8acb8bc1f6d085008ba4171eaf669629d1b6d1673b21ed1c0a82 \
     --hash=sha256:873af56dd0d7e91836aee871e5799e1c6f1bda86ac9a983e0bb9f0c266a568c4
     # via google-api-core
-protobuf==6.33.4 \
+protobuf==6.33.2 \
-    --hash=sha256:0f12ddbf96912690c3582f9dffb55530ef32015ad8e678cd494312bd78314c4f \
+    --hash=sha256:1f8017c48c07ec5859106533b682260ba3d7c5567b1ca1f24297ce03384d1b4f \
-    --hash=sha256:1fe3730068fcf2e595816a6c34fe66eeedd37d51d0400b72fabc848811fdc1bc \
+    --hash=sha256:2981c58f582f44b6b13173e12bb8656711189c2a70250845f264b877f00b1913 \
-    --hash=sha256:2fe67f6c014c84f655ee06f6f66213f9254b3a8b6bda6cda0ccd4232c73c06f0 \
+    --hash=sha256:56dc370c91fbb8ac85bc13582c9e373569668a290aa2e66a590c2a0d35ddb9e4 \
-    --hash=sha256:3df850c2f8db9934de4cf8f9152f8dc2558f49f298f37f90c517e8e5c84c30e9 \
+    --hash=sha256:7109dcc38a680d033ffb8bf896727423528db9163be1b6a02d6a49606dcadbfe \
-    --hash=sha256:757c978f82e74d75cba88eddec479df9b99a42b31193313b75e492c06a51764e \
+    --hash=sha256:7636aad9bb01768870266de5dc009de2d1b936771b38a793f73cbbf279c91c5c \
-    --hash=sha256:8f11ffae31ec67fc2554c2ef891dcb561dae9a2a3ed941f9e134c2db06657dbc \
+    --hash=sha256:87eb388bd2d0f78febd8f4c8779c79247b26a5befad525008e49a6955787ff3d \
-    --hash=sha256:918966612c8232fc6c24c78e1cd89784307f5814ad7506c308ee3cf86662850d \
+    --hash=sha256:8cd7640aee0b7828b6d03ae518b5b4806fdfc1afe8de82f79c3454f8aef29872 \
-    --hash=sha256:955478a89559fa4568f5a81dce77260eabc5c686f9e8366219ebd30debf06aa6 \
+    --hash=sha256:b5d3b5625192214066d99b2b605f5783483575656784de223f00a8d00754fc0e \
-    --hash=sha256:c7c64f259c618f0bef7bee042075e390debbf9682334be2b67408ec7c1c09ee6 \
+    --hash=sha256:d9b19771ca75935b3a4422957bc518b0cecb978b31d1dd12037b088f6bcc0e43 \
-    --hash=sha256:dc2e61bca3b10470c1912d166fe0af67bfc20eb55971dcef8dfa48ce14f0ed91
+    --hash=sha256:fc2a0e8b05b180e5fc0dd1559fe8ebdae21a27e81ac77728fb6c42b12c7419b4
     # via
     #   google-api-core
     #   googleapis-common-protos
@@ -668,9 +672,9 @@ typing-extensions==4.15.0 \
     #   azure-core
     #   azure-identity
     #   azure-storage-blob
-urllib3==2.6.3 \
+urllib3==2.6.2 \
-    --hash=sha256:1b62b6884944a57dbe321509ab94fd4d3b307075e0c2eae991ac71ee15ad38ed \
+    --hash=sha256:016f9c98bb7e98085cb2b4b17b87d2c702975664e4f060c6532e64d1c1a5e797 \
-    --hash=sha256:bf272323e553dfb2e87d9bfd225ca7b0f467b919d7bbd355436d3fd37cb0acd4
+    --hash=sha256:ec21cddfe7724fc7cb4ba4bea7aa8e2ef36f607a4bab81aa6ce42a13dc3f03dd
     # via
     #   botocore
     #   requests

go.mod

@@ -7,13 +7,13 @@ toolchain go1.25.5
 require (
 	github.com/cert-manager/cert-manager v1.19.2
 	github.com/cloudnative-pg/api v1.28.0
-	github.com/cloudnative-pg/barman-cloud v0.4.1-0.20260108104508-ced266c145f5
+	github.com/cloudnative-pg/barman-cloud v0.4.1-0.20251230211524-20b7e0e10b0f
 	github.com/cloudnative-pg/cloudnative-pg v1.28.0
 	github.com/cloudnative-pg/cnpg-i v0.3.1
 	github.com/cloudnative-pg/cnpg-i-machinery v0.4.2
 	github.com/cloudnative-pg/machinery v0.3.3
-	github.com/onsi/ginkgo/v2 v2.27.5
+	github.com/onsi/ginkgo/v2 v2.27.3
-	github.com/onsi/gomega v1.39.0
+	github.com/onsi/gomega v1.38.3
 	github.com/spf13/cobra v1.10.2
 	github.com/spf13/viper v1.21.0
 	google.golang.org/grpc v1.78.0
@@ -22,7 +22,7 @@ require (
 	k8s.io/apiextensions-apiserver v0.35.0
 	k8s.io/apimachinery v0.35.0
 	k8s.io/client-go v0.35.0
-	k8s.io/utils v0.0.0-20260108192941-914a6e750570
+	k8s.io/utils v0.0.0-20251222233032-718f0e51e6d2
 	sigs.k8s.io/controller-runtime v0.22.4
 	sigs.k8s.io/kustomize/api v0.21.0
 	sigs.k8s.io/kustomize/kyaml v0.21.0

go.sum

@@ -18,8 +18,8 @@ github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UF
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cloudnative-pg/api v1.28.0 h1:xElzHliO0eKkVQafkfMhDJo0aIRCmB1ItEt+SGh6B58=
 github.com/cloudnative-pg/api v1.28.0/go.mod h1:puXJBOsEaJd8JLgvCtxgl2TO/ZANap/z7bPepKRUgrk=
-github.com/cloudnative-pg/barman-cloud v0.4.1-0.20260108104508-ced266c145f5 h1:wPB7VTNgTv6t9sl4QYOBakmVTqHnOdKUht7Q3aL+uns=
+github.com/cloudnative-pg/barman-cloud v0.4.1-0.20251230211524-20b7e0e10b0f h1:4/PwIQOwQSTIxuncGRn3pX2V9CRwl7zJNXOVWOMSCCU=
-github.com/cloudnative-pg/barman-cloud v0.4.1-0.20260108104508-ced266c145f5/go.mod h1:qD0NtJOllNQbRB0MaleuHsZjFYaXtXfdg0HbFTbuHn0=
+github.com/cloudnative-pg/barman-cloud v0.4.1-0.20251230211524-20b7e0e10b0f/go.mod h1:qD0NtJOllNQbRB0MaleuHsZjFYaXtXfdg0HbFTbuHn0=
 github.com/cloudnative-pg/cloudnative-pg v1.28.0 h1:vkv0a0ewDSfJOPJrsyUr4uczsxheReAWf/k171V0Dm0=
 github.com/cloudnative-pg/cloudnative-pg v1.28.0/go.mod h1:209fkRR6m0vXUVQ9Q498eAPQqN2UlXECbXXtpGsZz3I=
 github.com/cloudnative-pg/cnpg-i v0.3.1 h1:fKj8NoToWI11HUL2UWYJBpkVzmaTvbs3kDMo7wQF8RU=
@@ -163,10 +163,10 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
-github.com/onsi/ginkgo/v2 v2.27.5 h1:ZeVgZMx2PDMdJm/+w5fE/OyG6ILo1Y3e+QX4zSR0zTE=
+github.com/onsi/ginkgo/v2 v2.27.3 h1:ICsZJ8JoYafeXFFlFAG75a7CxMsJHwgKwtO+82SE9L8=
-github.com/onsi/ginkgo/v2 v2.27.5/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
+github.com/onsi/ginkgo/v2 v2.27.3/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
-github.com/onsi/gomega v1.39.0 h1:y2ROC3hKFmQZJNFeGAMeHZKkjBL65mIZcvrLQBF9k6Q=
+github.com/onsi/gomega v1.38.3 h1:eTX+W6dobAYfFeGC2PV6RwXRu/MyT+cQguijutvkpSM=
-github.com/onsi/gomega v1.39.0/go.mod h1:ZCU1pkQcXDO5Sl9/VVEGlDyp+zm0m1cmeG5TOzLgdh4=
+github.com/onsi/gomega v1.38.3/go.mod h1:ZCU1pkQcXDO5Sl9/VVEGlDyp+zm0m1cmeG5TOzLgdh4=
 github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
 github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
@@ -326,8 +326,8 @@ k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kube-openapi v0.0.0-20251125145642-4e65d59e963e h1:iW9ChlU0cU16w8MpVYjXk12dqQ4BPFBEgif+ap7/hqQ=
 k8s.io/kube-openapi v0.0.0-20251125145642-4e65d59e963e/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
-k8s.io/utils v0.0.0-20260108192941-914a6e750570 h1:JT4W8lsdrGENg9W+YwwdLJxklIuKWdRm+BC+xt33FOY=
+k8s.io/utils v0.0.0-20251222233032-718f0e51e6d2 h1:OfgiEo21hGiwx1oJUU5MpEaeOEg6coWndBkZF/lkFuE=
-k8s.io/utils v0.0.0-20260108192941-914a6e750570/go.mod h1:xDxuJ0whA3d0I4mf/C4ppKHxXynQ+fxnkmQH0vTHnuk=
+k8s.io/utils v0.0.0-20251222233032-718f0e51e6d2/go.mod h1:xDxuJ0whA3d0I4mf/C4ppKHxXynQ+fxnkmQH0vTHnuk=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.33.0 h1:qPrZsv1cwQiFeieFlRqT627fVZ+tyfou/+S5S0H5ua0=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.33.0/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
 sigs.k8s.io/controller-runtime v0.22.4 h1:GEjV7KV3TY8e+tJ2LCTxUTanW4z/FmNB7l327UfMq9A=

internal/cnpgi/operator/lifecycle.go

@@ -353,31 +353,30 @@ func reconcilePodSpec(
 	sidecarTemplate corev1.Container,
 	config sidecarConfiguration,
 ) error {
-	envs := make([]corev1.EnvVar, 0, 5+len(config.env))
+	envs := []corev1.EnvVar{
-	envs = append(envs,
+		{
-		corev1.EnvVar{
 			Name:  "NAMESPACE",
 			Value: cluster.Namespace,
 		},
-		corev1.EnvVar{
+		{
 			Name:  "CLUSTER_NAME",
 			Value: cluster.Name,
 		},
-		corev1.EnvVar{
+		{
 			// TODO: should we really use this one?
 			// should we mount an emptyDir volume just for that?
 			Name:  "SPOOL_DIRECTORY",
 			Value: "/controller/wal-restore-spool",
 		},
-		corev1.EnvVar{
+		{
 			Name:  "CUSTOM_CNPG_GROUP",
 			Value: cluster.GetObjectKind().GroupVersionKind().Group,
 		},
-		corev1.EnvVar{
+		{
 			Name:  "CUSTOM_CNPG_VERSION",
 			Value: cluster.GetObjectKind().GroupVersionKind().Version,
 		},
-	)
+	}
 
 	envs = append(envs, config.env...)
 

internal/cnpgi/operator/specs/secrets.go

@@ -37,17 +37,13 @@ func CollectSecretNamesFromCredentials(barmanCredentials *barmanapi.BarmanCreden
 		)
 	}
 	if barmanCredentials.Azure != nil {
-		// When using default Azure credentials or managed identity, no secrets are required
+		references = append(
-		if !barmanCredentials.Azure.UseDefaultAzureCredentials &&
+			references,
-			!barmanCredentials.Azure.InheritFromAzureAD {
+			barmanCredentials.Azure.ConnectionString,
-			references = append(
+			barmanCredentials.Azure.StorageAccount,
-				references,
+			barmanCredentials.Azure.StorageKey,
-				barmanCredentials.Azure.ConnectionString,
+			barmanCredentials.Azure.StorageSasToken,
-				barmanCredentials.Azure.StorageAccount,
+		)
-				barmanCredentials.Azure.StorageKey,
-				barmanCredentials.Azure.StorageSasToken,
-			)
-		}
 	}
 	if barmanCredentials.Google != nil {
 		references = append(

internal/cnpgi/operator/specs/secrets_test.go

@@ -1,227 +0,0 @@
-/*
-Copyright © contributors to CloudNativePG, established as
-CloudNativePG a Series of LF Projects, LLC.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-
-SPDX-License-Identifier: Apache-2.0
-*/
-
-package specs
-
-import (
-	barmanapi "github.com/cloudnative-pg/barman-cloud/pkg/api"
-	machineryapi "github.com/cloudnative-pg/machinery/pkg/api"
-
-	. "github.com/onsi/ginkgo/v2"
-	. "github.com/onsi/gomega"
-)
-
-var _ = Describe("CollectSecretNamesFromCredentials", func() {
-	Context("when collecting secrets from AWS credentials", func() {
-		It("should return secret names from S3 credentials", func() {
-			credentials := &barmanapi.BarmanCredentials{
-				AWS: &barmanapi.S3Credentials{
-					AccessKeyIDReference: &machineryapi.SecretKeySelector{
-						LocalObjectReference: machineryapi.LocalObjectReference{
-							Name: "aws-secret",
-						},
-						Key: "access-key-id",
-					},
-					SecretAccessKeyReference: &machineryapi.SecretKeySelector{
-						LocalObjectReference: machineryapi.LocalObjectReference{
-							Name: "aws-secret",
-						},
-						Key: "secret-access-key",
-					},
-				},
-			}
-
-			secrets := CollectSecretNamesFromCredentials(credentials)
-			Expect(secrets).To(ContainElement("aws-secret"))
-		})
-
-		It("should handle nil AWS credentials", func() {
-			credentials := &barmanapi.BarmanCredentials{}
-
-			secrets := CollectSecretNamesFromCredentials(credentials)
-			Expect(secrets).To(BeEmpty())
-		})
-	})
-
-	Context("when collecting secrets from Azure credentials", func() {
-		It("should return secret names when using explicit credentials", func() {
-			credentials := &barmanapi.BarmanCredentials{
-				Azure: &barmanapi.AzureCredentials{
-					ConnectionString: &machineryapi.SecretKeySelector{
-						LocalObjectReference: machineryapi.LocalObjectReference{
-							Name: "azure-secret",
-						},
-						Key: "connection-string",
-					},
-				},
-			}
-
-			secrets := CollectSecretNamesFromCredentials(credentials)
-			Expect(secrets).To(ContainElement("azure-secret"))
-		})
-
-		It("should return empty list when using UseDefaultAzureCredentials", func() {
-			credentials := &barmanapi.BarmanCredentials{
-				Azure: &barmanapi.AzureCredentials{
-					UseDefaultAzureCredentials: true,
-					ConnectionString: &machineryapi.SecretKeySelector{
-						LocalObjectReference: machineryapi.LocalObjectReference{
-							Name: "azure-secret",
-						},
-						Key: "connection-string",
-					},
-				},
-			}
-
-			secrets := CollectSecretNamesFromCredentials(credentials)
-			Expect(secrets).To(BeEmpty())
-		})
-
-		It("should return empty list when using InheritFromAzureAD", func() {
-			credentials := &barmanapi.BarmanCredentials{
-				Azure: &barmanapi.AzureCredentials{
-					InheritFromAzureAD: true,
-				},
-			}
-
-			secrets := CollectSecretNamesFromCredentials(credentials)
-			Expect(secrets).To(BeEmpty())
-		})
-
-		It("should return secret names for storage account and key", func() {
-			credentials := &barmanapi.BarmanCredentials{
-				Azure: &barmanapi.AzureCredentials{
-					StorageAccount: &machineryapi.SecretKeySelector{
-						LocalObjectReference: machineryapi.LocalObjectReference{
-							Name: "azure-storage",
-						},
-						Key: "account-name",
-					},
-					StorageKey: &machineryapi.SecretKeySelector{
-						LocalObjectReference: machineryapi.LocalObjectReference{
-							Name: "azure-storage",
-						},
-						Key: "account-key",
-					},
-				},
-			}
-
-			secrets := CollectSecretNamesFromCredentials(credentials)
-			Expect(secrets).To(ContainElement("azure-storage"))
-		})
-	})
-
-	Context("when collecting secrets from Google credentials", func() {
-		It("should return secret names from Google credentials", func() {
-			credentials := &barmanapi.BarmanCredentials{
-				Google: &barmanapi.GoogleCredentials{
-					ApplicationCredentials: &machineryapi.SecretKeySelector{
-						LocalObjectReference: machineryapi.LocalObjectReference{
-							Name: "google-secret",
-						},
-						Key: "credentials.json",
-					},
-				},
-			}
-
-			secrets := CollectSecretNamesFromCredentials(credentials)
-			Expect(secrets).To(ContainElement("google-secret"))
-		})
-	})
-
-	Context("when collecting secrets from multiple cloud providers", func() {
-		It("should return secret names from all providers", func() {
-			credentials := &barmanapi.BarmanCredentials{
-				AWS: &barmanapi.S3Credentials{
-					AccessKeyIDReference: &machineryapi.SecretKeySelector{
-						LocalObjectReference: machineryapi.LocalObjectReference{
-							Name: "aws-secret",
-						},
-						Key: "access-key-id",
-					},
-				},
-				Azure: &barmanapi.AzureCredentials{
-					ConnectionString: &machineryapi.SecretKeySelector{
-						LocalObjectReference: machineryapi.LocalObjectReference{
-							Name: "azure-secret",
-						},
-						Key: "connection-string",
-					},
-				},
-				Google: &barmanapi.GoogleCredentials{
-					ApplicationCredentials: &machineryapi.SecretKeySelector{
-						LocalObjectReference: machineryapi.LocalObjectReference{
-							Name: "google-secret",
-						},
-						Key: "credentials.json",
-					},
-				},
-			}
-
-			secrets := CollectSecretNamesFromCredentials(credentials)
-			Expect(secrets).To(ContainElements("aws-secret", "azure-secret", "google-secret"))
-		})
-
-		It("should skip Azure secrets when using UseDefaultAzureCredentials with other providers", func() {
-			credentials := &barmanapi.BarmanCredentials{
-				AWS: &barmanapi.S3Credentials{
-					AccessKeyIDReference: &machineryapi.SecretKeySelector{
-						LocalObjectReference: machineryapi.LocalObjectReference{
-							Name: "aws-secret",
-						},
-						Key: "access-key-id",
-					},
-				},
-				Azure: &barmanapi.AzureCredentials{
-					UseDefaultAzureCredentials: true,
-					ConnectionString: &machineryapi.SecretKeySelector{
-						LocalObjectReference: machineryapi.LocalObjectReference{
-							Name: "azure-secret",
-						},
-						Key: "connection-string",
-					},
-				},
-			}
-
-			secrets := CollectSecretNamesFromCredentials(credentials)
-			Expect(secrets).To(ContainElement("aws-secret"))
-			Expect(secrets).NotTo(ContainElement("azure-secret"))
-		})
-	})
-
-	Context("when handling nil references", func() {
-		It("should skip nil secret references", func() {
-			credentials := &barmanapi.BarmanCredentials{
-				AWS: &barmanapi.S3Credentials{
-					AccessKeyIDReference: &machineryapi.SecretKeySelector{
-						LocalObjectReference: machineryapi.LocalObjectReference{
-							Name: "aws-secret",
-						},
-						Key: "access-key-id",
-					},
-					SecretAccessKeyReference: nil,
-				},
-			}
-
-			secrets := CollectSecretNamesFromCredentials(credentials)
-			Expect(secrets).To(ContainElement("aws-secret"))
-			Expect(len(secrets)).To(Equal(1))
-		})
-	})
-})

internal/cnpgi/operator/specs/suite_test.go

@@ -1,32 +0,0 @@
-/*
-Copyright © contributors to CloudNativePG, established as
-CloudNativePG a Series of LF Projects, LLC.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-
-SPDX-License-Identifier: Apache-2.0
-*/
-
-package specs
-
-import (
-	"testing"
-
-	. "github.com/onsi/ginkgo/v2"
-	. "github.com/onsi/gomega"
-)
-
-func TestSpecs(t *testing.T) {
-	RegisterFailHandler(Fail)
-	RunSpecs(t, "Specs Suite")
-}

manifest.yaml

@@ -107,11 +107,6 @@ spec:
                         - key
                         - name
                         type: object
-                      useDefaultAzureCredentials:
-                        description: |-
-                          Use the default Azure authentication flow, which includes DefaultAzureCredential.
-                          This allows authentication using environment variables and managed identities.
-                        type: boolean
                     type: object
                   data:
                     description: |-

renovate.json5

@@ -11,17 +11,6 @@
   ],
   rebaseWhen: 'never',
   prConcurrentLimit: 5,
-  // Override default ignorePaths to scan test/e2e for emulator image dependencies
-  // Removed: '**/test/**'
-  ignorePaths: [
-    '**/node_modules/**',
-    '**/bower_components/**',
-    '**/vendor/**',
-    '**/examples/**',
-    '**/__tests__/**',
-    '**/tests/**',
-    '**/__fixtures__/**',
-  ],
   lockFileMaintenance: {
     enabled: true,
   },
@@ -39,7 +28,7 @@
     {
       customType: 'regex',
       managerFilePatterns: [
-        '/(^|/)Taskfile\\.yml$/',
+        '/(^Taskfile\\.yml$)/',
       ],
       matchStrings: [
         '# renovate: datasource=(?<datasource>[a-z-.]+?) depName=(?<depName>[^\\s]+?)(?: (?:lookupName|packageName)=(?<packageName>[^\\s]+?))?(?: versioning=(?<versioning>[^\\s]+?))?(?: extractVersion=(?<extractVersion>[^\\s]+?))?(?: currentValue=(?<currentValue>[^\\s]+?))?\\s+[A-Za-z0-9_]+?_SHA\\s*:\\s*["\']?(?<currentDigest>[a-f0-9]+?)["\']?\\s',
@@ -49,16 +38,7 @@
     {
       customType: 'regex',
       managerFilePatterns: [
-        '/\\.go$/',
+        '/(^docs/config\\.yaml$)/',
-      ],
-      matchStrings: [
-        '//\\s*renovate:\\s*datasource=(?<datasource>[a-z-.]+?)\\s+depName=(?<depName>[^\\s]+?)(?:\\s+versioning=(?<versioning>[^\\s]+?))?\\s*\\n\\s*//\\s*Version:\\s*(?<currentValue>[^\\s]+?)\\s*\\n\\s*Image:\\s*"[^@]+@(?<currentDigest>sha256:[a-f0-9]+)"',
-      ],
-    },
-    {
-      customType: 'regex',
-      managerFilePatterns: [
-        '/(^|/)docs/config\\.yaml$/',
       ],
       matchStrings: [
         '# renovate: datasource=(?<datasource>[a-z-.]+?) depName=(?<depName>[^\\s]+?)(?: (?:lookupName|packageName)=(?<packageName>[^\\s]+?))?(?: versioning=(?<versioning>[^\\s]+?))?(?: extractVersion=(?<extractVersion>[^\\s]+?))?\\s+kubernetesVersion:\\s*["\']?(?<currentValue>.+?)["\']?\\s',

test/e2e/internal/objectstore/azurite.go

@@ -71,15 +71,8 @@ func newAzuriteDeployment(namespace, name string) *appsv1.Deployment {
 					Containers: []corev1.Container{
 						{
 							Name: name,
-							// renovate: datasource=docker depName=mcr.microsoft.com/azure-storage/azurite versioning=docker
+							// TODO: renovate the image
-							// Version: 3.35.0
+							Image: "mcr.microsoft.com/azure-storage/azurite",
-							Image: "mcr.microsoft.com/azure-storage/azurite@sha256:647c63a91102a9d8e8000aab803436e1fc85fbb285e7ce830a82ee5d6661cf37",
-							Args: []string{
-								"azurite-blob",
-								"--blobHost",
-								"0.0.0.0",
-								"--skipApiVersionCheck",
-							},
 							Ports: []corev1.ContainerPort{
 								{
 									ContainerPort: 10000,

test/e2e/internal/objectstore/fakegcsserver.go

@@ -71,9 +71,7 @@ func newGCSDeployment(namespace, name string) *appsv1.Deployment {
 					Containers: []corev1.Container{
 						{
 							Name:  name,
-							// renovate: datasource=docker depName=fsouza/fake-gcs-server versioning=docker
+							Image: "fsouza/fake-gcs-server:latest",
-							// Version: 1.52.3
-							Image: "fsouza/fake-gcs-server@sha256:666f86b873120818b10a5e68d99401422fcf8b00c1f27fe89599c35236f48b4c",
 							Ports: []corev1.ContainerPort{
 								{
 									ContainerPort: 4443,

test/e2e/internal/objectstore/minio.go

@@ -71,9 +71,8 @@ func newMinioDeployment(namespace, name string) *appsv1.Deployment {
 					Containers: []corev1.Container{
 						{
 							Name: name,
-							// renovate: datasource=docker depName=minio/minio versioning=docker
+							// TODO: renovate the image
-							// Version: RELEASE.2025-09-07T16-13-09Z
+							Image: "minio/minio:latest",
-							Image: "minio/minio@sha256:14cea493d9a34af32f524e538b8346cf79f3321eff8e708c1e2960462bd8936e",
 							Args:  []string{"server", "/data"},
 							Ports: []corev1.ContainerPort{
 								{

web/docs/object_stores.md

@@ -29,16 +29,6 @@ the specific object storage provider you are using.
 
 The following sections detail the setup for each.
 
-:::note Authentication Methods
-The Barman Cloud Plugin does not independently test all authentication methods
-supported by `barman-cloud`. The plugin's responsibility is limited to passing
-the provided credentials to `barman-cloud`, which then handles authentication
-according to its own implementation. Users should refer to the
-[Barman Cloud documentation](https://docs.pgbarman.org/release/latest/) to
-verify that their chosen authentication method is supported and properly
-configured.
-:::
-
 ---
 
 ## AWS S3
@@ -253,18 +243,14 @@ is Microsoft’s cloud-based object storage solution.
 Barman Cloud supports the following authentication methods:
 
 - [Connection String](https://learn.microsoft.com/en-us/azure/storage/common/storage-configure-connection-string)
-- Storage Account Name + [Storage Account Access Key](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage)
+- Storage Account Name + [Access Key](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage)
-- Storage Account Name + [Storage Account SAS Token](https://learn.microsoft.com/en-us/azure/storage/blobs/sas-service-create)
+- Storage Account Name + [SAS Token](https://learn.microsoft.com/en-us/azure/storage/blobs/sas-service-create)
-- [Azure AD Managed Identity](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview)
+- [Azure AD Workload Identity](https://azure.github.io/azure-workload-identity/docs/introduction.html)
-- [Default Azure Credentials](https://learn.microsoft.com/en-us/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet)
 
-### Azure AD Managed Identity
+### Azure AD Workload Identity
 
-This method avoids storing credentials in Kubernetes by enabling the
+This method avoids storing credentials in Kubernetes via the
-usage of [Azure Managed Identities](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview) authentication mechanism.
+`.spec.configuration.inheritFromAzureAD` option:
-This can be enabled by setting the `inheritFromAzureAD` option to `true`.
-Managed Identity can be configured for the AKS Cluster by following
-the [Azure documentation](https://learn.microsoft.com/en-us/azure/aks/use-managed-identity?pivots=system-assigned).
 
 ```yaml
 apiVersion: barmancloud.cnpg.io/v1
@@ -279,36 +265,6 @@ spec:
   [...]
 ```
 
-### Default Azure Credentials
-
-The `useDefaultAzureCredentials` option enables the default Azure credentials
-flow, which uses [`DefaultAzureCredential`](https://learn.microsoft.com/en-us/python/api/azure-identity/azure.identity.defaultazurecredential)
-to automatically discover and use available credentials in the following order:
-
-1. **Environment Variables** — `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, and `AZURE_TENANT_ID` for Service Principal authentication
-2. **Managed Identity** — Uses the managed identity assigned to the pod
-3. **Azure CLI** — Uses credentials from the Azure CLI if available
-4. **Azure PowerShell** — Uses credentials from Azure PowerShell if available
-
-This approach is particularly useful for getting started with development and testing; it allows
-the SDK to attempt multiple authentication mechanisms seamlessly across different environments.
-However, this is not recommended for production. Please refer to the
-[official Azure guidance](https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication/credential-chains?tabs=dac#usage-guidance-for-defaultazurecredential)
-for a comprehensive understanding of `DefaultAzureCredential`.
-
-```yaml
-apiVersion: barmancloud.cnpg.io/v1
-kind: ObjectStore
-metadata:
-  name: azure-store
-spec:
-  configuration:
-    destinationPath: "<destination path here>"
-    azureCredentials:
-      useDefaultAzureCredentials: true
-  [...]
-```
-
 ### Access Key, SAS Token, or Connection String
 
 Store credentials in a Kubernetes secret:

web/docs/troubleshooting.md

@@ -206,7 +206,7 @@ When a backup fails, follow these steps in order:
      plugins:
        - name: barman-cloud.cloudnative-pg.io
          parameters:
-           barmanObjectName: <your-objectstore-name>
+           barmanObjectStore: <your-objectstore-name>
    ```
    
    c. **Check plugin deployment is running**:

web/versioned_docs/version-0.10.0/troubleshooting.md

@@ -206,7 +206,7 @@ When a backup fails, follow these steps in order:
      plugins:
        - name: barman-cloud.cloudnative-pg.io
          parameters:
-           barmanObjectName: <your-objectstore-name>
+           barmanObjectStore: <your-objectstore-name>
    ```
    
    c. **Check plugin deployment is running**:

web/versioned_docs/version-0.7.0/troubleshooting.md

@@ -206,7 +206,7 @@ When a backup fails, follow these steps in order:
      plugins:
        - name: barman-cloud.cloudnative-pg.io
          parameters:
-           barmanObjectName: <your-objectstore-name>
+           barmanObjectStore: <your-objectstore-name>
    ```
    
    c. **Check plugin deployment is running**:

web/versioned_docs/version-0.8.0/troubleshooting.md

@@ -206,7 +206,7 @@ When a backup fails, follow these steps in order:
      plugins:
        - name: barman-cloud.cloudnative-pg.io
          parameters:
-           barmanObjectName: <your-objectstore-name>
+           barmanObjectStore: <your-objectstore-name>
    ```
    
    c. **Check plugin deployment is running**:

web/versioned_docs/version-0.9.0/troubleshooting.md

@@ -206,7 +206,7 @@ When a backup fails, follow these steps in order:
      plugins:
        - name: barman-cloud.cloudnative-pg.io
          parameters:
-           barmanObjectName: <your-objectstore-name>
+           barmanObjectStore: <your-objectstore-name>
    ```
    
    c. **Check plugin deployment is running**: