mirror of
https://github.com/cloudnative-pg/plugin-barman-cloud.git
synced 2026-07-08 10:42:21 +02:00
Compare commits
6 Commits
8c26d9fae8
...
370a866b4d
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
370a866b4d | ||
|
|
0bb78879ce | ||
|
|
ef4b711137 | ||
|
|
baf7985d66 | ||
|
|
d244faa5b2 | ||
|
|
ea0a7b5698 |
2
.github/workflows/ci.yml
vendored
2
.github/workflows/ci.yml
vendored
@ -44,7 +44,7 @@ jobs:
|
|||||||
- name: Install Dagger
|
- name: Install Dagger
|
||||||
env:
|
env:
|
||||||
# renovate: datasource=github-tags depName=dagger/dagger versioning=semver
|
# renovate: datasource=github-tags depName=dagger/dagger versioning=semver
|
||||||
DAGGER_VERSION: 0.20.8
|
DAGGER_VERSION: 0.21.0
|
||||||
run: |
|
run: |
|
||||||
curl -L https://dl.dagger.io/dagger/install.sh | BIN_DIR=$HOME/.local/bin sh
|
curl -L https://dl.dagger.io/dagger/install.sh | BIN_DIR=$HOME/.local/bin sh
|
||||||
- name: Run CI task
|
- name: Run CI task
|
||||||
|
|||||||
2
.github/workflows/release-please.yml
vendored
2
.github/workflows/release-please.yml
vendored
@ -31,7 +31,7 @@ jobs:
|
|||||||
- name: Install Dagger
|
- name: Install Dagger
|
||||||
env:
|
env:
|
||||||
# renovate: datasource=github-tags depName=dagger/dagger versioning=semver
|
# renovate: datasource=github-tags depName=dagger/dagger versioning=semver
|
||||||
DAGGER_VERSION: 0.20.8
|
DAGGER_VERSION: 0.21.0
|
||||||
run: |
|
run: |
|
||||||
curl -L https://dl.dagger.io/dagger/install.sh | BIN_DIR=$HOME/.local/bin sh
|
curl -L https://dl.dagger.io/dagger/install.sh | BIN_DIR=$HOME/.local/bin sh
|
||||||
- name: Create image and manifest
|
- name: Create image and manifest
|
||||||
|
|||||||
2
.github/workflows/release-publish.yml
vendored
2
.github/workflows/release-publish.yml
vendored
@ -21,7 +21,7 @@ jobs:
|
|||||||
- name: Install Dagger
|
- name: Install Dagger
|
||||||
env:
|
env:
|
||||||
# renovate: datasource=github-tags depName=dagger/dagger versioning=semver
|
# renovate: datasource=github-tags depName=dagger/dagger versioning=semver
|
||||||
DAGGER_VERSION: 0.20.8
|
DAGGER_VERSION: 0.21.0
|
||||||
run: |
|
run: |
|
||||||
curl -L https://dl.dagger.io/dagger/install.sh | BIN_DIR=$HOME/.local/bin sh
|
curl -L https://dl.dagger.io/dagger/install.sh | BIN_DIR=$HOME/.local/bin sh
|
||||||
- name: Create image and manifest
|
- name: Create image and manifest
|
||||||
|
|||||||
12
Taskfile.yml
12
Taskfile.yml
@ -46,7 +46,7 @@ tasks:
|
|||||||
- wordlist-ordered
|
- wordlist-ordered
|
||||||
env:
|
env:
|
||||||
# renovate: datasource=git-refs depName=spellcheck lookupName=https://github.com/cloudnative-pg/daggerverse currentValue=main
|
# renovate: datasource=git-refs depName=spellcheck lookupName=https://github.com/cloudnative-pg/daggerverse currentValue=main
|
||||||
DAGGER_SPELLCHECK_SHA: 537e0ddae55ad0344af8f4454de7f27baeee48fa
|
DAGGER_SPELLCHECK_SHA: 21755df1a27febff19b28dbe6ae57116f6088bb0
|
||||||
cmds:
|
cmds:
|
||||||
- >
|
- >
|
||||||
GITHUB_REF= dagger -s call -m github.com/cloudnative-pg/daggerverse/spellcheck@${DAGGER_SPELLCHECK_SHA}
|
GITHUB_REF= dagger -s call -m github.com/cloudnative-pg/daggerverse/spellcheck@${DAGGER_SPELLCHECK_SHA}
|
||||||
@ -60,7 +60,7 @@ tasks:
|
|||||||
desc: Check for conventional commits
|
desc: Check for conventional commits
|
||||||
env:
|
env:
|
||||||
# renovate: datasource=git-refs depName=commitlint lookupName=https://github.com/cloudnative-pg/daggerverse currentValue=main
|
# renovate: datasource=git-refs depName=commitlint lookupName=https://github.com/cloudnative-pg/daggerverse currentValue=main
|
||||||
DAGGER_COMMITLINT_SHA: 537e0ddae55ad0344af8f4454de7f27baeee48fa
|
DAGGER_COMMITLINT_SHA: 21755df1a27febff19b28dbe6ae57116f6088bb0
|
||||||
cmds:
|
cmds:
|
||||||
- >
|
- >
|
||||||
GITHUB_REF= dagger -s call -m github.com/cloudnative-pg/daggerverse/commitlint@${DAGGER_COMMITLINT_SHA}
|
GITHUB_REF= dagger -s call -m github.com/cloudnative-pg/daggerverse/commitlint@${DAGGER_COMMITLINT_SHA}
|
||||||
@ -74,7 +74,7 @@ tasks:
|
|||||||
- wordlist-ordered
|
- wordlist-ordered
|
||||||
env:
|
env:
|
||||||
# renovate: datasource=git-refs depName=uncommitted lookupName=https://github.com/cloudnative-pg/daggerverse currentValue=main
|
# renovate: datasource=git-refs depName=uncommitted lookupName=https://github.com/cloudnative-pg/daggerverse currentValue=main
|
||||||
DAGGER_UNCOMMITTED_SHA: 537e0ddae55ad0344af8f4454de7f27baeee48fa
|
DAGGER_UNCOMMITTED_SHA: 21755df1a27febff19b28dbe6ae57116f6088bb0
|
||||||
cmds:
|
cmds:
|
||||||
- GITHUB_REF= dagger -s call -m github.com/cloudnative-pg/daggerverse/uncommitted@${DAGGER_UNCOMMITTED_SHA} check-uncommitted --source . stdout
|
- GITHUB_REF= dagger -s call -m github.com/cloudnative-pg/daggerverse/uncommitted@${DAGGER_UNCOMMITTED_SHA} check-uncommitted --source . stdout
|
||||||
sources:
|
sources:
|
||||||
@ -86,7 +86,7 @@ tasks:
|
|||||||
- controller-gen
|
- controller-gen
|
||||||
env:
|
env:
|
||||||
# renovate: datasource=git-refs depName=crd-gen-refs lookupName=https://github.com/cloudnative-pg/daggerverse currentValue=main
|
# renovate: datasource=git-refs depName=crd-gen-refs lookupName=https://github.com/cloudnative-pg/daggerverse currentValue=main
|
||||||
DAGGER_CRDGENREF_SHA: 537e0ddae55ad0344af8f4454de7f27baeee48fa
|
DAGGER_CRDGENREF_SHA: 21755df1a27febff19b28dbe6ae57116f6088bb0
|
||||||
# renovate: datasource=go depName=github.com/elastic/crd-ref-docs
|
# renovate: datasource=go depName=github.com/elastic/crd-ref-docs
|
||||||
CRDREFDOCS_VERSION: v0.3.0
|
CRDREFDOCS_VERSION: v0.3.0
|
||||||
cmds:
|
cmds:
|
||||||
@ -206,7 +206,7 @@ tasks:
|
|||||||
- start-build-network
|
- start-build-network
|
||||||
vars:
|
vars:
|
||||||
# renovate: datasource=github-tags depName=dagger/dagger versioning=semver
|
# renovate: datasource=github-tags depName=dagger/dagger versioning=semver
|
||||||
DAGGER_VERSION: 0.20.8
|
DAGGER_VERSION: 0.21.0
|
||||||
DAGGER_ENGINE_IMAGE: registry.dagger.io/engine:v{{ .DAGGER_VERSION }}
|
DAGGER_ENGINE_IMAGE: registry.dagger.io/engine:v{{ .DAGGER_VERSION }}
|
||||||
cmds:
|
cmds:
|
||||||
- >
|
- >
|
||||||
@ -381,7 +381,7 @@ tasks:
|
|||||||
run: once
|
run: once
|
||||||
env:
|
env:
|
||||||
# renovate: datasource=git-refs depName=controller-gen lookupName=https://github.com/cloudnative-pg/daggerverse currentValue=main
|
# renovate: datasource=git-refs depName=controller-gen lookupName=https://github.com/cloudnative-pg/daggerverse currentValue=main
|
||||||
DAGGER_CONTROLLER_GEN_SHA: 537e0ddae55ad0344af8f4454de7f27baeee48fa
|
DAGGER_CONTROLLER_GEN_SHA: 21755df1a27febff19b28dbe6ae57116f6088bb0
|
||||||
cmds:
|
cmds:
|
||||||
- >
|
- >
|
||||||
GITHUB_REF= dagger -s call -m github.com/cloudnative-pg/daggerverse/controller-gen@${DAGGER_CONTROLLER_GEN_SHA}
|
GITHUB_REF= dagger -s call -m github.com/cloudnative-pg/daggerverse/controller-gen@${DAGGER_CONTROLLER_GEN_SHA}
|
||||||
|
|||||||
@ -1,3 +1,3 @@
|
|||||||
barman[azure,cloud,google,snappy,zstandard,lz4]==3.18.0
|
barman[azure,cloud,google,snappy,zstandard,lz4]==3.19.1
|
||||||
setuptools==82.0.1
|
setuptools==82.0.1
|
||||||
zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability
|
zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability
|
||||||
|
|||||||
@ -18,9 +18,9 @@ azure-storage-blob==12.29.0 \
|
|||||||
--hash=sha256:2824ddd7ebc9056034ebc76b17971a38e9aa5835abb0d565b9700493f2a6c657 \
|
--hash=sha256:2824ddd7ebc9056034ebc76b17971a38e9aa5835abb0d565b9700493f2a6c657 \
|
||||||
--hash=sha256:ccf8a1bcd5e49df83ab85aab793b579e5ba2eeea2ad8900b2f62ca3a37dc391f
|
--hash=sha256:ccf8a1bcd5e49df83ab85aab793b579e5ba2eeea2ad8900b2f62ca3a37dc391f
|
||||||
# via barman
|
# via barman
|
||||||
barman==3.18.0 \
|
barman==3.19.1 \
|
||||||
--hash=sha256:8e752ac93d2f3a61e86b8374185209cae477a638ece7e6f540070f36d28d6997 \
|
--hash=sha256:0a6a9e1babf97687732d8b2a3eb79ea95d55246a5257b9433865cb6e755221c0 \
|
||||||
--hash=sha256:ff90c44dafa4107b7574142771cdc2611c4cf1af818d93d3e67440a0c81164b9
|
--hash=sha256:2f71c4a1f1ba53f694cbdf838bb9906d8ba02b97d1fd3041196e8999bec7a1ee
|
||||||
# via -r sidecar-requirements.in
|
# via -r sidecar-requirements.in
|
||||||
boto3==1.43.14 \
|
boto3==1.43.14 \
|
||||||
--hash=sha256:574335744656cfed0b362a0a0467aaf2eb2bf15526edcd02d31d3c661f4b09e4 \
|
--hash=sha256:574335744656cfed0b362a0a0467aaf2eb2bf15526edcd02d31d3c661f4b09e4 \
|
||||||
@ -788,6 +788,4 @@ zstandard==0.25.0 \
|
|||||||
setuptools==82.0.1 \
|
setuptools==82.0.1 \
|
||||||
--hash=sha256:7d872682c5d01cfde07da7bccc7b65469d3dca203318515ada1de5eda35efbf9 \
|
--hash=sha256:7d872682c5d01cfde07da7bccc7b65469d3dca203318515ada1de5eda35efbf9 \
|
||||||
--hash=sha256:a59e362652f08dcd477c78bb6e7bd9d80a7995bc73ce773050228a348ce2e5bb
|
--hash=sha256:a59e362652f08dcd477c78bb6e7bd9d80a7995bc73ce773050228a348ce2e5bb
|
||||||
# via
|
# via -r sidecar-requirements.in
|
||||||
# -r sidecar-requirements.in
|
|
||||||
# barman
|
|
||||||
|
|||||||
4
go.mod
4
go.mod
@ -9,7 +9,7 @@ require (
|
|||||||
github.com/cloudnative-pg/cloudnative-pg v1.29.1
|
github.com/cloudnative-pg/cloudnative-pg v1.29.1
|
||||||
github.com/cloudnative-pg/cnpg-i v0.5.0
|
github.com/cloudnative-pg/cnpg-i v0.5.0
|
||||||
github.com/cloudnative-pg/cnpg-i-machinery v0.4.2
|
github.com/cloudnative-pg/cnpg-i-machinery v0.4.2
|
||||||
github.com/cloudnative-pg/machinery v0.4.0
|
github.com/cloudnative-pg/machinery v0.5.0
|
||||||
github.com/onsi/ginkgo/v2 v2.29.0
|
github.com/onsi/ginkgo/v2 v2.29.0
|
||||||
github.com/onsi/gomega v1.41.0
|
github.com/onsi/gomega v1.41.0
|
||||||
github.com/spf13/cobra v1.10.2
|
github.com/spf13/cobra v1.10.2
|
||||||
@ -114,7 +114,7 @@ require (
|
|||||||
golang.org/x/net v0.53.0 // indirect
|
golang.org/x/net v0.53.0 // indirect
|
||||||
golang.org/x/oauth2 v0.36.0 // indirect
|
golang.org/x/oauth2 v0.36.0 // indirect
|
||||||
golang.org/x/sync v0.20.0 // indirect
|
golang.org/x/sync v0.20.0 // indirect
|
||||||
golang.org/x/sys v0.43.0 // indirect
|
golang.org/x/sys v0.45.0 // indirect
|
||||||
golang.org/x/term v0.42.0 // indirect
|
golang.org/x/term v0.42.0 // indirect
|
||||||
golang.org/x/text v0.36.0 // indirect
|
golang.org/x/text v0.36.0 // indirect
|
||||||
golang.org/x/time v0.15.0 // indirect
|
golang.org/x/time v0.15.0 // indirect
|
||||||
|
|||||||
8
go.sum
8
go.sum
@ -28,8 +28,8 @@ github.com/cloudnative-pg/cnpg-i v0.5.0 h1:/TOzpNT6cwNgrpftTtrnLKdoHgMwd+88vZgXj
|
|||||||
github.com/cloudnative-pg/cnpg-i v0.5.0/go.mod h1:7Gh4+UzhBpGhr4DreB1GN9wGYfvxwXCXZUyVt3zE/3I=
|
github.com/cloudnative-pg/cnpg-i v0.5.0/go.mod h1:7Gh4+UzhBpGhr4DreB1GN9wGYfvxwXCXZUyVt3zE/3I=
|
||||||
github.com/cloudnative-pg/cnpg-i-machinery v0.4.2 h1:0reS9MtyLYINHXQ/MfxJ9jp39hhBf8e3Qdj+T5Nsq6I=
|
github.com/cloudnative-pg/cnpg-i-machinery v0.4.2 h1:0reS9MtyLYINHXQ/MfxJ9jp39hhBf8e3Qdj+T5Nsq6I=
|
||||||
github.com/cloudnative-pg/cnpg-i-machinery v0.4.2/go.mod h1:gvrKabgxXq0zGthXGucemDdsxakLEQDMxn43M4HLW30=
|
github.com/cloudnative-pg/cnpg-i-machinery v0.4.2/go.mod h1:gvrKabgxXq0zGthXGucemDdsxakLEQDMxn43M4HLW30=
|
||||||
github.com/cloudnative-pg/machinery v0.4.0 h1:3sfqrBptH4QQSVB4g10Z+7aiQRnh4g+6AsqsK0ibKaQ=
|
github.com/cloudnative-pg/machinery v0.5.0 h1:hhTnkzn+AiN3NmbjCQ6RXj5rfqV3K6arzq6kdXAzcnQ=
|
||||||
github.com/cloudnative-pg/machinery v0.4.0/go.mod h1:OIwaTYAnLv8PmBmBvEf0BvMK2JBX6J+naTMg9UgV1FQ=
|
github.com/cloudnative-pg/machinery v0.5.0/go.mod h1:uuFjqBUjWn0a9uvAk1ixTSzPM0PrjaS+QiKLOIBqLm4=
|
||||||
github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
|
github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
|
||||||
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||||
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
|
||||||
@ -275,8 +275,8 @@ golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
|
|||||||
golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
|
golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
|
||||||
golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
|
golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
|
||||||
golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
|
golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
|
||||||
golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
|
golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY=
|
||||||
golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
|
golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
|
||||||
golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY=
|
golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY=
|
||||||
golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY=
|
golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY=
|
||||||
golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
|
golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
|
||||||
|
|||||||
@ -60,7 +60,7 @@ func BuildRoleRules(barmanObjects []barmancloudv1.ObjectStore) []rbacv1.PolicyRu
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return []rbacv1.PolicyRule{
|
rules := []rbacv1.PolicyRule{
|
||||||
{
|
{
|
||||||
APIGroups: []string{
|
APIGroups: []string{
|
||||||
barmancloudv1.GroupVersion.Group,
|
barmancloudv1.GroupVersion.Group,
|
||||||
@ -87,7 +87,11 @@ func BuildRoleRules(barmanObjects []barmancloudv1.ObjectStore) []rbacv1.PolicyRu
|
|||||||
},
|
},
|
||||||
ResourceNames: barmanObjectsSet.ToSortedList(),
|
ResourceNames: barmanObjectsSet.ToSortedList(),
|
||||||
},
|
},
|
||||||
{
|
}
|
||||||
|
|
||||||
|
secrets := secretsSet.ToSortedList()
|
||||||
|
if len(secrets) > 0 {
|
||||||
|
rules = append(rules, rbacv1.PolicyRule{
|
||||||
APIGroups: []string{
|
APIGroups: []string{
|
||||||
"",
|
"",
|
||||||
},
|
},
|
||||||
@ -99,9 +103,11 @@ func BuildRoleRules(barmanObjects []barmancloudv1.ObjectStore) []rbacv1.PolicyRu
|
|||||||
"watch",
|
"watch",
|
||||||
"list",
|
"list",
|
||||||
},
|
},
|
||||||
ResourceNames: secretsSet.ToSortedList(),
|
ResourceNames: secrets,
|
||||||
},
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
|
return rules
|
||||||
}
|
}
|
||||||
|
|
||||||
// ObjectStoreNamesFromRole extracts the ObjectStore names referenced
|
// ObjectStoreNamesFromRole extracts the ObjectStore names referenced
|
||||||
|
|||||||
@ -78,13 +78,12 @@ var _ = Describe("BuildRoleRules", func() {
|
|||||||
Expect(rules[2].ResourceNames).To(ConsistOf("secret-a", "secret-b"))
|
Expect(rules[2].ResourceNames).To(ConsistOf("secret-a", "secret-b"))
|
||||||
})
|
})
|
||||||
|
|
||||||
It("should produce rules with empty ResourceNames for empty input", func() {
|
It("should not produce a secrets rule for empty input", func() {
|
||||||
rules := BuildRoleRules(nil)
|
rules := BuildRoleRules(nil)
|
||||||
Expect(rules).To(HaveLen(3))
|
Expect(rules).To(HaveLen(2))
|
||||||
Expect(rules[0].ResourceNames).To(BeEmpty())
|
Expect(rules[0].ResourceNames).To(BeEmpty())
|
||||||
Expect(rules[0].ResourceNames).NotTo(BeNil())
|
Expect(rules[0].ResourceNames).NotTo(BeNil())
|
||||||
Expect(rules[1].ResourceNames).To(BeEmpty())
|
Expect(rules[1].ResourceNames).To(BeEmpty())
|
||||||
Expect(rules[2].ResourceNames).To(BeEmpty())
|
|
||||||
})
|
})
|
||||||
|
|
||||||
It("should deduplicate secret names across ObjectStores", func() {
|
It("should deduplicate secret names across ObjectStores", func() {
|
||||||
@ -95,6 +94,31 @@ var _ = Describe("BuildRoleRules", func() {
|
|||||||
rules := BuildRoleRules(objects)
|
rules := BuildRoleRules(objects)
|
||||||
Expect(rules[2].ResourceNames).To(Equal([]string{"shared-secret"}))
|
Expect(rules[2].ResourceNames).To(Equal([]string{"shared-secret"}))
|
||||||
})
|
})
|
||||||
|
|
||||||
|
It("should not produce a secrets rule when ObjectStores use IAM role inheritance", func() {
|
||||||
|
objects := []barmancloudv1.ObjectStore{
|
||||||
|
{
|
||||||
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
|
Name: "store-a",
|
||||||
|
Namespace: "default",
|
||||||
|
},
|
||||||
|
Spec: barmancloudv1.ObjectStoreSpec{
|
||||||
|
Configuration: barmanapi.BarmanObjectStoreConfiguration{
|
||||||
|
DestinationPath: "s3://bucket/path",
|
||||||
|
BarmanCredentials: barmanapi.BarmanCredentials{
|
||||||
|
AWS: &barmanapi.S3Credentials{
|
||||||
|
InheritFromIAMRole: true,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
rules := BuildRoleRules(objects)
|
||||||
|
Expect(rules).To(HaveLen(2))
|
||||||
|
Expect(rules[0].ResourceNames).To(Equal([]string{"store-a"}))
|
||||||
|
Expect(rules[1].ResourceNames).To(Equal([]string{"store-a"}))
|
||||||
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
var _ = Describe("BuildRole", func() {
|
var _ = Describe("BuildRole", func() {
|
||||||
|
|||||||
@ -28,6 +28,9 @@ import (
|
|||||||
func CollectSecretNamesFromCredentials(barmanCredentials *barmanapi.BarmanCredentials) []string {
|
func CollectSecretNamesFromCredentials(barmanCredentials *barmanapi.BarmanCredentials) []string {
|
||||||
var references []*machineryapi.SecretKeySelector
|
var references []*machineryapi.SecretKeySelector
|
||||||
if barmanCredentials.AWS != nil {
|
if barmanCredentials.AWS != nil {
|
||||||
|
// When using IAM role inheritance, barman-cloud uses the pod
|
||||||
|
// environment credential chain and does not read credential Secrets.
|
||||||
|
if !barmanCredentials.AWS.InheritFromIAMRole {
|
||||||
references = append(
|
references = append(
|
||||||
references,
|
references,
|
||||||
barmanCredentials.AWS.AccessKeyIDReference,
|
barmanCredentials.AWS.AccessKeyIDReference,
|
||||||
@ -36,6 +39,7 @@ func CollectSecretNamesFromCredentials(barmanCredentials *barmanapi.BarmanCreden
|
|||||||
barmanCredentials.AWS.SessionToken,
|
barmanCredentials.AWS.SessionToken,
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
}
|
||||||
if barmanCredentials.Azure != nil {
|
if barmanCredentials.Azure != nil {
|
||||||
// When using default Azure credentials or managed identity, no secrets are required
|
// When using default Azure credentials or managed identity, no secrets are required
|
||||||
if !barmanCredentials.Azure.UseDefaultAzureCredentials &&
|
if !barmanCredentials.Azure.UseDefaultAzureCredentials &&
|
||||||
|
|||||||
@ -57,6 +57,29 @@ var _ = Describe("CollectSecretNamesFromCredentials", func() {
|
|||||||
secrets := CollectSecretNamesFromCredentials(credentials)
|
secrets := CollectSecretNamesFromCredentials(credentials)
|
||||||
Expect(secrets).To(BeEmpty())
|
Expect(secrets).To(BeEmpty())
|
||||||
})
|
})
|
||||||
|
|
||||||
|
It("should return empty list when using InheritFromIAMRole", func() {
|
||||||
|
credentials := &barmanapi.BarmanCredentials{
|
||||||
|
AWS: &barmanapi.S3Credentials{
|
||||||
|
InheritFromIAMRole: true,
|
||||||
|
AccessKeyIDReference: &machineryapi.SecretKeySelector{
|
||||||
|
LocalObjectReference: machineryapi.LocalObjectReference{
|
||||||
|
Name: "aws-secret",
|
||||||
|
},
|
||||||
|
Key: "access-key-id",
|
||||||
|
},
|
||||||
|
RegionReference: &machineryapi.SecretKeySelector{
|
||||||
|
LocalObjectReference: machineryapi.LocalObjectReference{
|
||||||
|
Name: "aws-region",
|
||||||
|
},
|
||||||
|
Key: "region",
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
secrets := CollectSecretNamesFromCredentials(credentials)
|
||||||
|
Expect(secrets).To(BeEmpty())
|
||||||
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
Context("when collecting secrets from Azure credentials", func() {
|
Context("when collecting secrets from Azure credentials", func() {
|
||||||
|
|||||||
@ -31,8 +31,8 @@ import (
|
|||||||
apierrs "k8s.io/apimachinery/pkg/api/errors"
|
apierrs "k8s.io/apimachinery/pkg/api/errors"
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
"k8s.io/apimachinery/pkg/runtime"
|
"k8s.io/apimachinery/pkg/runtime"
|
||||||
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
|
|
||||||
"k8s.io/apimachinery/pkg/types"
|
"k8s.io/apimachinery/pkg/types"
|
||||||
|
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
|
||||||
"sigs.k8s.io/controller-runtime/pkg/client"
|
"sigs.k8s.io/controller-runtime/pkg/client"
|
||||||
"sigs.k8s.io/controller-runtime/pkg/client/fake"
|
"sigs.k8s.io/controller-runtime/pkg/client/fake"
|
||||||
"sigs.k8s.io/controller-runtime/pkg/client/interceptor"
|
"sigs.k8s.io/controller-runtime/pkg/client/interceptor"
|
||||||
@ -261,7 +261,7 @@ var _ = Describe("ObjectStoreReconciler", func() {
|
|||||||
Expect(result).To(Equal(reconcile.Result{}))
|
Expect(result).To(Equal(reconcile.Result{}))
|
||||||
})
|
})
|
||||||
|
|
||||||
It("should produce empty ResourceNames when all ObjectStores are deleted", func() {
|
It("should omit the secrets rule when all ObjectStores are deleted", func() {
|
||||||
store := newTestObjectStore("my-store", "default", "aws-creds")
|
store := newTestObjectStore("my-store", "default", "aws-creds")
|
||||||
role := newLabeledRole("my-cluster", "default", []barmancloudv1.ObjectStore{*store})
|
role := newLabeledRole("my-cluster", "default", []barmancloudv1.ObjectStore{*store})
|
||||||
|
|
||||||
@ -291,10 +291,11 @@ var _ = Describe("ObjectStoreReconciler", func() {
|
|||||||
Name: "my-cluster-barman-cloud",
|
Name: "my-cluster-barman-cloud",
|
||||||
}, &updatedRole)).To(Succeed())
|
}, &updatedRole)).To(Succeed())
|
||||||
|
|
||||||
// All rules should have empty ResourceNames
|
|
||||||
Expect(updatedRole.Rules[0].ResourceNames).To(BeEmpty())
|
Expect(updatedRole.Rules[0].ResourceNames).To(BeEmpty())
|
||||||
Expect(updatedRole.Rules[1].ResourceNames).To(BeEmpty())
|
Expect(updatedRole.Rules[1].ResourceNames).To(BeEmpty())
|
||||||
Expect(updatedRole.Rules[2].ResourceNames).To(BeEmpty())
|
for _, rule := range updatedRole.Rules {
|
||||||
|
Expect(rule.Resources).NotTo(Equal([]string{"secrets"}))
|
||||||
|
}
|
||||||
})
|
})
|
||||||
|
|
||||||
It("should return an error when listing Roles fails", func() {
|
It("should return an error when listing Roles fails", func() {
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user