Compare commits

...

6 Commits

Author SHA1 Message Date
Martin Hansen
370a866b4d
Merge ea0a7b5698 into 0bb78879ce 2026-06-01 13:47:21 +02:00
renovate[bot]
0bb78879ce
chore(deps): update dependency barman to v3.19.1 (#921)
Some checks failed
release-please / release-please (push) Failing after 4s
This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [barman](https://www.pgbarman.org/) | `==3.18.0` → `==3.19.1` |
![age](https://developer.mend.io/api/mc/badges/age/pypi/barman/3.19.1?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/pypi/barman/3.18.0/3.19.1?slim=true)
|

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xODUuMSIsInVwZGF0ZWRJblZlciI6IjQzLjE5NC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJhdXRvbWF0ZWQiLCJuby1pc3N1ZSJdfQ==-->

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-05-28 12:15:32 +02:00
renovate[bot]
ef4b711137
fix(deps): update module github.com/cloudnative-pg/machinery to v0.5.0 (#925)
Some checks failed
release-please / release-please (push) Failing after 4s
This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
|
[github.com/cloudnative-pg/machinery](https://redirect.github.com/cloudnative-pg/machinery)
| `v0.4.0` → `v0.5.0` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fcloudnative-pg%2fmachinery/v0.5.0?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fcloudnative-pg%2fmachinery/v0.4.0/v0.5.0?slim=true)
|

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xOTQuMCIsInVwZGF0ZWRJblZlciI6IjQzLjE5NC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJhdXRvbWF0ZWQiLCJuby1pc3N1ZSJdfQ==-->

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-05-27 21:57:18 +02:00
renovate[bot]
baf7985d66
chore(deps): update all cloudnative-pg daggerverse dependencies to 21755df (#928)
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| commitlint | digest | `537e0dd` → `21755df` |
| controller-gen | digest | `537e0dd` → `21755df` |
| crd-gen-refs | digest | `537e0dd` → `21755df` |
| spellcheck | digest | `537e0dd` → `21755df` |
| uncommitted | digest | `537e0dd` → `21755df` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/7) for more information.

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these
updates again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/cloudnative-pg/plugin-barman-cloud).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xOTQuMCIsInVwZGF0ZWRJblZlciI6IjQzLjE5NC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJhdXRvbWF0ZWQiLCJuby1pc3N1ZSJdfQ==-->

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-05-27 17:31:15 +02:00
renovate[bot]
d244faa5b2
chore(deps): update dependency dagger/dagger to v0.21.0 (#926)
Some checks failed
release-please / release-please (push) Failing after 6s
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [dagger/dagger](https://redirect.github.com/dagger/dagger) | minor |
`0.20.8` → `0.21.0` |

---

### Release Notes

<details>
<summary>dagger/dagger (dagger/dagger)</summary>

###
[`v0.21.0`](https://redirect.github.com/dagger/dagger/blob/HEAD/CHANGELOG.md#v0210---2026-05-22)

[Compare
Source](https://redirect.github.com/dagger/dagger/compare/v0.20.8...v0.21.0)

##### Added

- Automatically expose a `check` for each `generate` function by
[@&#8203;eunomie](https://redirect.github.com/eunomie) in
[#&#8203;12923](https://redirect.github.com/dagger/dagger/pull/12923) \
Each generated `check` has the same name as its `generate` function, so
`dagger check` can report whether generated files are out of date.
Use `dagger check --no-generate` to list or run only functions
explicitly marked as checks, without the generated ones.
Toolchains can set `ignoreChecks` to skip creating checks for specific
`generate` functions.
- Add workspace lockfiles for selected lookups such as `container.from`
and Git refs by [@&#8203;shykes](https://redirect.github.com/shykes) +
[@&#8203;alexcb](https://redirect.github.com/alexcb) +
[@&#8203;grouville](https://redirect.github.com/grouville) +
[@&#8203;tiborvass](https://redirect.github.com/tiborvass) +
[@&#8203;eunomie](https://redirect.github.com/eunomie) in
[#&#8203;12046](https://redirect.github.com/dagger/dagger/pull/12046)
[#&#8203;13094](https://redirect.github.com/dagger/dagger/pull/13094) \
Locking is opt-in with `--lock live`, `--lock pinned`, or `--lock
frozen`: live mode resolves and records live values, pinned mode prefers
recorded pins while resolving the rest live, and frozen mode only
resolves from `.dagger/lock`.
Use `dagger lock update` to refresh entries already recorded in
`.dagger/lock`; it now creates the file when missing.
This also fixes remote Git tree cache keys so cache reuse follows the
actual checkout inputs.
- Add an interactive tests view to the TUI, plus compact test summaries
for pretty, plain, logs, dots, and report progress modes by
[@&#8203;vito](https://redirect.github.com/vito) in
[#&#8203;13073](https://redirect.github.com/dagger/dagger/pull/13073)
- Add experimental `--x-release=<ref>` and `DAGGER_X_RELEASE=<ref>`
support for running a command against an unreleased Dagger build from a
GitHub ref, fixing
[#&#8203;12996](https://redirect.github.com/dagger/dagger/issues/12996)
by [@&#8203;tiborvass](https://redirect.github.com/tiborvass) in
[#&#8203;13156](https://redirect.github.com/dagger/dagger/pull/13156)
- Add a configurable Kubernetes `Service` to the Helm chart by
[@&#8203;pierreyves-lebrun](https://redirect.github.com/pierreyves-lebrun)
+ [@&#8203;grouville](https://redirect.github.com/grouville) in
[#&#8203;11993](https://redirect.github.com/dagger/dagger/pull/11993)
- Add `EngineCacheEntry.dagqlCall` and `EngineCacheEntry.recordTypes` so
cache entries expose the producing DagQL call and all represented
storage record types for inspection and GC filtering by
[@&#8203;sipsma](https://redirect.github.com/sipsma) in
[#&#8203;13207](https://redirect.github.com/dagger/dagger/pull/13207)
- Show the Dagger Cloud trace URL when using the logs frontend by
[@&#8203;marcosnils](https://redirect.github.com/marcosnils) in
[#&#8203;13105](https://redirect.github.com/dagger/dagger/pull/13105)
- Dang SDK: add support for local types that shadow Dagger core types,
early `return`, self-calls, order-independent declarations, and stricter
nullability/type checking by
[@&#8203;vito](https://redirect.github.com/vito) in
[#&#8203;13184](https://redirect.github.com/dagger/dagger/pull/13184)

##### Changed

- Migrate caching to DagQL and remove the BuildKit solver backend,
making DagQL responsible for cache lookups, persistence, and pruning by
[@&#8203;sipsma](https://redirect.github.com/sipsma) in
[#&#8203;11856](https://redirect.github.com/dagger/dagger/pull/11856)
- Improve engine performance and memory use by reducing bbolt/containerd
metadata overhead, lazily creating containerd operation leases, reusing
pooled CNI namespaces for default execs, and batching long
`withDirectory` chains instead of materializing them quadratically by
[@&#8203;sipsma](https://redirect.github.com/sipsma) in
[#&#8203;13117](https://redirect.github.com/dagger/dagger/pull/13117)
[#&#8203;13123](https://redirect.github.com/dagger/dagger/pull/13123)
[#&#8203;13144](https://redirect.github.com/dagger/dagger/pull/13144)
[#&#8203;13124](https://redirect.github.com/dagger/dagger/pull/13124)
- Deduplicate equivalent in-flight DagQL calls across clients in the
same session and fall back to same-session secret/socket attachables
when the original client binding is gone by
[@&#8203;sipsma](https://redirect.github.com/sipsma) in
[#&#8203;13118](https://redirect.github.com/dagger/dagger/pull/13118)

##### Fixed

- Fix enum argument defaults so they appear correctly in schema output
and CLI help by
[@&#8203;kpenfound](https://redirect.github.com/kpenfound) in
[#&#8203;13068](https://redirect.github.com/dagger/dagger/pull/13068)
- Fix module loading and type generation failures caused by stale
handle-form module IDs and nested client session races, replacing
`session ... not found` failures with the intended behavior or original
error by [@&#8203;sipsma](https://redirect.github.com/sipsma) in
[#&#8203;13108](https://redirect.github.com/dagger/dagger/pull/13108)
[#&#8203;13119](https://redirect.github.com/dagger/dagger/pull/13119)
- Fix bound service failures so dependent execs and container-backed
services see the service exit as the cause while interactive terminals
stay open by [@&#8203;vito](https://redirect.github.com/vito) in
[#&#8203;13099](https://redirect.github.com/dagger/dagger/pull/13099)
- Fix remote Git checkout behavior so cached trees can be reused after
cache pruning by [@&#8203;sipsma](https://redirect.github.com/sipsma) in
[#&#8203;13141](https://redirect.github.com/dagger/dagger/pull/13141)
- Fix Changeset merge cleanup flakiness by disabling Git
auto-maintenance in Dagger's temporary merge repositories by
[@&#8203;sipsma](https://redirect.github.com/sipsma) in
[#&#8203;13121](https://redirect.github.com/dagger/dagger/pull/13121)
- Fix `WithSecretVariable` so later calls override earlier values,
fixing
[#&#8203;13147](https://redirect.github.com/dagger/dagger/issues/13147)
by [@&#8203;matipan](https://redirect.github.com/matipan) in
[#&#8203;13159](https://redirect.github.com/dagger/dagger/pull/13159)
- Fix user-default secret and env handling so empty plaintext secrets
resolve correctly, `.env` values are not double-expanded through
namespaces, and plaintext `Secret` defaults are scrubbed in console
output; fixes
[#&#8203;12855](https://redirect.github.com/dagger/dagger/issues/12855)
and closes
[#&#8203;12014](https://redirect.github.com/dagger/dagger/pull/12014) by
[@&#8203;sipsma](https://redirect.github.com/sipsma) +
[@&#8203;marcosnils](https://redirect.github.com/marcosnils) +
[@&#8203;tiborvass](https://redirect.github.com/tiborvass) in
[#&#8203;13163](https://redirect.github.com/dagger/dagger/pull/13163)
[#&#8203;13160](https://redirect.github.com/dagger/dagger/pull/13160)
[#&#8203;13177](https://redirect.github.com/dagger/dagger/pull/13177)
- Fix telemetry and replay output so `dagger check` log telemetry is not
dropped, Python module logs are not duplicated, and `dagger trace`
honors frontend flags by
[@&#8203;vito](https://redirect.github.com/vito) +
[@&#8203;sipsma](https://redirect.github.com/sipsma) in
[#&#8203;13114](https://redirect.github.com/dagger/dagger/pull/13114)
[#&#8203;13153](https://redirect.github.com/dagger/dagger/pull/13153)
- Fix `dagger generate --scale-out` returning unusable remote
`Changeset` objects by always running generation locally; `dagger check
--scale-out` remains supported by
[@&#8203;eunomie](https://redirect.github.com/eunomie) in
[#&#8203;13190](https://redirect.github.com/dagger/dagger/pull/13190)
- Fix toolchain customizations so they propagate when toolchain
functions are called through another module function by
[@&#8203;suprjinx](https://redirect.github.com/suprjinx) in
[#&#8203;13176](https://redirect.github.com/dagger/dagger/pull/13176)
- Dang SDK: fix panics, initialization-race typechecking failures, and
ID argument handling by
[@&#8203;tiborvass](https://redirect.github.com/tiborvass) +
[@&#8203;vito](https://redirect.github.com/vito) in
[#&#8203;13098](https://redirect.github.com/dagger/dagger/pull/13098)
[#&#8203;13103](https://redirect.github.com/dagger/dagger/pull/13103)
[#&#8203;13150](https://redirect.github.com/dagger/dagger/pull/13150)
- Java SDK: fix version updates so `mvn versions:set` no longer performs
unnecessary dependency/plugin resolution, preventing Maven Central 429
failures; fixes
[#&#8203;13174](https://redirect.github.com/dagger/dagger/issues/13174)
by
[@&#8203;dagger-codex](https://redirect.github.com/dagger-codex)\[bot] +
[@&#8203;tiborvass](https://redirect.github.com/tiborvass) in
[#&#8203;13198](https://redirect.github.com/dagger/dagger/pull/13198)
- Python SDK: fix static module analysis regressions from the AST
analyzer cutover, including inherited functions, aliased decorators and
fields, `@staticmethod`, type aliases, constants/defaults, `Annotated`,
`Optional`, `Union`, and relative imports; fixes
[#&#8203;13097](https://redirect.github.com/dagger/dagger/issues/13097)
and
[#&#8203;13089](https://redirect.github.com/dagger/dagger/issues/13089)
by [@&#8203;eunomie](https://redirect.github.com/eunomie) in
[#&#8203;13095](https://redirect.github.com/dagger/dagger/pull/13095)
- Python SDK: fix more AST analyzer cases for `TypeAlias` inside `X |
None`, quoted and aliased annotations, and absolute self-package imports
by [@&#8203;marcosnils](https://redirect.github.com/marcosnils) +
[@&#8203;grouville](https://redirect.github.com/grouville) +
[@&#8203;eunomie](https://redirect.github.com/eunomie) in
[#&#8203;13149](https://redirect.github.com/dagger/dagger/pull/13149)
[#&#8203;13162](https://redirect.github.com/dagger/dagger/pull/13162)
[#&#8203;13171](https://redirect.github.com/dagger/dagger/pull/13171)
- Python SDK: exclude the broken `yarl` 1.24.1 release from the
dependency range by
[@&#8203;tiborvass](https://redirect.github.com/tiborvass) in
[#&#8203;13189](https://redirect.github.com/dagger/dagger/pull/13189)
- Rust SDK: fix list-of-object fields so generated clients load each
object by ID instead of returning an incorrect single wrapped selection
by [@&#8203;wingyplus](https://redirect.github.com/wingyplus) in
[#&#8203;13000](https://redirect.github.com/dagger/dagger/pull/13000)

##### What to do next?

- Read the [documentation](https://docs.dagger.io)
- Join our [Discord server](https://discord.gg/dagger-io)
- Follow us on [Twitter](https://twitter.com/dagger_io)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/cloudnative-pg/plugin-barman-cloud).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xOTQuMCIsInVwZGF0ZWRJblZlciI6IjQzLjE5NC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJhdXRvbWF0ZWQiLCJuby1pc3N1ZSJdfQ==-->

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-05-27 09:02:39 +02:00
Martin Hansen
ea0a7b5698
Scope barman Secret RBAC
Avoid granting namespace-wide Secret access when ObjectStores do not need credential Secrets.

Ref: #892
Signed-off-by: Martin Hansen <dontbeevilpls@gmail.com>
2026-05-07 15:49:04 +02:00
13 changed files with 96 additions and 40 deletions

View File

@ -44,7 +44,7 @@ jobs:
- name: Install Dagger
env:
# renovate: datasource=github-tags depName=dagger/dagger versioning=semver
DAGGER_VERSION: 0.20.8
DAGGER_VERSION: 0.21.0
run: |
curl -L https://dl.dagger.io/dagger/install.sh | BIN_DIR=$HOME/.local/bin sh
- name: Run CI task

View File

@ -31,7 +31,7 @@ jobs:
- name: Install Dagger
env:
# renovate: datasource=github-tags depName=dagger/dagger versioning=semver
DAGGER_VERSION: 0.20.8
DAGGER_VERSION: 0.21.0
run: |
curl -L https://dl.dagger.io/dagger/install.sh | BIN_DIR=$HOME/.local/bin sh
- name: Create image and manifest

View File

@ -21,7 +21,7 @@ jobs:
- name: Install Dagger
env:
# renovate: datasource=github-tags depName=dagger/dagger versioning=semver
DAGGER_VERSION: 0.20.8
DAGGER_VERSION: 0.21.0
run: |
curl -L https://dl.dagger.io/dagger/install.sh | BIN_DIR=$HOME/.local/bin sh
- name: Create image and manifest

View File

@ -46,7 +46,7 @@ tasks:
- wordlist-ordered
env:
# renovate: datasource=git-refs depName=spellcheck lookupName=https://github.com/cloudnative-pg/daggerverse currentValue=main
DAGGER_SPELLCHECK_SHA: 537e0ddae55ad0344af8f4454de7f27baeee48fa
DAGGER_SPELLCHECK_SHA: 21755df1a27febff19b28dbe6ae57116f6088bb0
cmds:
- >
GITHUB_REF= dagger -s call -m github.com/cloudnative-pg/daggerverse/spellcheck@${DAGGER_SPELLCHECK_SHA}
@ -60,7 +60,7 @@ tasks:
desc: Check for conventional commits
env:
# renovate: datasource=git-refs depName=commitlint lookupName=https://github.com/cloudnative-pg/daggerverse currentValue=main
DAGGER_COMMITLINT_SHA: 537e0ddae55ad0344af8f4454de7f27baeee48fa
DAGGER_COMMITLINT_SHA: 21755df1a27febff19b28dbe6ae57116f6088bb0
cmds:
- >
GITHUB_REF= dagger -s call -m github.com/cloudnative-pg/daggerverse/commitlint@${DAGGER_COMMITLINT_SHA}
@ -74,7 +74,7 @@ tasks:
- wordlist-ordered
env:
# renovate: datasource=git-refs depName=uncommitted lookupName=https://github.com/cloudnative-pg/daggerverse currentValue=main
DAGGER_UNCOMMITTED_SHA: 537e0ddae55ad0344af8f4454de7f27baeee48fa
DAGGER_UNCOMMITTED_SHA: 21755df1a27febff19b28dbe6ae57116f6088bb0
cmds:
- GITHUB_REF= dagger -s call -m github.com/cloudnative-pg/daggerverse/uncommitted@${DAGGER_UNCOMMITTED_SHA} check-uncommitted --source . stdout
sources:
@ -86,7 +86,7 @@ tasks:
- controller-gen
env:
# renovate: datasource=git-refs depName=crd-gen-refs lookupName=https://github.com/cloudnative-pg/daggerverse currentValue=main
DAGGER_CRDGENREF_SHA: 537e0ddae55ad0344af8f4454de7f27baeee48fa
DAGGER_CRDGENREF_SHA: 21755df1a27febff19b28dbe6ae57116f6088bb0
# renovate: datasource=go depName=github.com/elastic/crd-ref-docs
CRDREFDOCS_VERSION: v0.3.0
cmds:
@ -206,7 +206,7 @@ tasks:
- start-build-network
vars:
# renovate: datasource=github-tags depName=dagger/dagger versioning=semver
DAGGER_VERSION: 0.20.8
DAGGER_VERSION: 0.21.0
DAGGER_ENGINE_IMAGE: registry.dagger.io/engine:v{{ .DAGGER_VERSION }}
cmds:
- >
@ -381,7 +381,7 @@ tasks:
run: once
env:
# renovate: datasource=git-refs depName=controller-gen lookupName=https://github.com/cloudnative-pg/daggerverse currentValue=main
DAGGER_CONTROLLER_GEN_SHA: 537e0ddae55ad0344af8f4454de7f27baeee48fa
DAGGER_CONTROLLER_GEN_SHA: 21755df1a27febff19b28dbe6ae57116f6088bb0
cmds:
- >
GITHUB_REF= dagger -s call -m github.com/cloudnative-pg/daggerverse/controller-gen@${DAGGER_CONTROLLER_GEN_SHA}

View File

@ -1,3 +1,3 @@
barman[azure,cloud,google,snappy,zstandard,lz4]==3.18.0
barman[azure,cloud,google,snappy,zstandard,lz4]==3.19.1
setuptools==82.0.1
zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability

View File

@ -18,9 +18,9 @@ azure-storage-blob==12.29.0 \
--hash=sha256:2824ddd7ebc9056034ebc76b17971a38e9aa5835abb0d565b9700493f2a6c657 \
--hash=sha256:ccf8a1bcd5e49df83ab85aab793b579e5ba2eeea2ad8900b2f62ca3a37dc391f
# via barman
barman==3.18.0 \
--hash=sha256:8e752ac93d2f3a61e86b8374185209cae477a638ece7e6f540070f36d28d6997 \
--hash=sha256:ff90c44dafa4107b7574142771cdc2611c4cf1af818d93d3e67440a0c81164b9
barman==3.19.1 \
--hash=sha256:0a6a9e1babf97687732d8b2a3eb79ea95d55246a5257b9433865cb6e755221c0 \
--hash=sha256:2f71c4a1f1ba53f694cbdf838bb9906d8ba02b97d1fd3041196e8999bec7a1ee
# via -r sidecar-requirements.in
boto3==1.43.14 \
--hash=sha256:574335744656cfed0b362a0a0467aaf2eb2bf15526edcd02d31d3c661f4b09e4 \
@ -788,6 +788,4 @@ zstandard==0.25.0 \
setuptools==82.0.1 \
--hash=sha256:7d872682c5d01cfde07da7bccc7b65469d3dca203318515ada1de5eda35efbf9 \
--hash=sha256:a59e362652f08dcd477c78bb6e7bd9d80a7995bc73ce773050228a348ce2e5bb
# via
# -r sidecar-requirements.in
# barman
# via -r sidecar-requirements.in

4
go.mod
View File

@ -9,7 +9,7 @@ require (
github.com/cloudnative-pg/cloudnative-pg v1.29.1
github.com/cloudnative-pg/cnpg-i v0.5.0
github.com/cloudnative-pg/cnpg-i-machinery v0.4.2
github.com/cloudnative-pg/machinery v0.4.0
github.com/cloudnative-pg/machinery v0.5.0
github.com/onsi/ginkgo/v2 v2.29.0
github.com/onsi/gomega v1.41.0
github.com/spf13/cobra v1.10.2
@ -114,7 +114,7 @@ require (
golang.org/x/net v0.53.0 // indirect
golang.org/x/oauth2 v0.36.0 // indirect
golang.org/x/sync v0.20.0 // indirect
golang.org/x/sys v0.43.0 // indirect
golang.org/x/sys v0.45.0 // indirect
golang.org/x/term v0.42.0 // indirect
golang.org/x/text v0.36.0 // indirect
golang.org/x/time v0.15.0 // indirect

8
go.sum
View File

@ -28,8 +28,8 @@ github.com/cloudnative-pg/cnpg-i v0.5.0 h1:/TOzpNT6cwNgrpftTtrnLKdoHgMwd+88vZgXj
github.com/cloudnative-pg/cnpg-i v0.5.0/go.mod h1:7Gh4+UzhBpGhr4DreB1GN9wGYfvxwXCXZUyVt3zE/3I=
github.com/cloudnative-pg/cnpg-i-machinery v0.4.2 h1:0reS9MtyLYINHXQ/MfxJ9jp39hhBf8e3Qdj+T5Nsq6I=
github.com/cloudnative-pg/cnpg-i-machinery v0.4.2/go.mod h1:gvrKabgxXq0zGthXGucemDdsxakLEQDMxn43M4HLW30=
github.com/cloudnative-pg/machinery v0.4.0 h1:3sfqrBptH4QQSVB4g10Z+7aiQRnh4g+6AsqsK0ibKaQ=
github.com/cloudnative-pg/machinery v0.4.0/go.mod h1:OIwaTYAnLv8PmBmBvEf0BvMK2JBX6J+naTMg9UgV1FQ=
github.com/cloudnative-pg/machinery v0.5.0 h1:hhTnkzn+AiN3NmbjCQ6RXj5rfqV3K6arzq6kdXAzcnQ=
github.com/cloudnative-pg/machinery v0.5.0/go.mod h1:uuFjqBUjWn0a9uvAk1ixTSzPM0PrjaS+QiKLOIBqLm4=
github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@ -275,8 +275,8 @@ golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY=
golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY=
golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY=
golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=

View File

@ -60,7 +60,7 @@ func BuildRoleRules(barmanObjects []barmancloudv1.ObjectStore) []rbacv1.PolicyRu
}
}
return []rbacv1.PolicyRule{
rules := []rbacv1.PolicyRule{
{
APIGroups: []string{
barmancloudv1.GroupVersion.Group,
@ -87,7 +87,11 @@ func BuildRoleRules(barmanObjects []barmancloudv1.ObjectStore) []rbacv1.PolicyRu
},
ResourceNames: barmanObjectsSet.ToSortedList(),
},
{
}
secrets := secretsSet.ToSortedList()
if len(secrets) > 0 {
rules = append(rules, rbacv1.PolicyRule{
APIGroups: []string{
"",
},
@ -99,9 +103,11 @@ func BuildRoleRules(barmanObjects []barmancloudv1.ObjectStore) []rbacv1.PolicyRu
"watch",
"list",
},
ResourceNames: secretsSet.ToSortedList(),
},
ResourceNames: secrets,
})
}
return rules
}
// ObjectStoreNamesFromRole extracts the ObjectStore names referenced

View File

@ -78,13 +78,12 @@ var _ = Describe("BuildRoleRules", func() {
Expect(rules[2].ResourceNames).To(ConsistOf("secret-a", "secret-b"))
})
It("should produce rules with empty ResourceNames for empty input", func() {
It("should not produce a secrets rule for empty input", func() {
rules := BuildRoleRules(nil)
Expect(rules).To(HaveLen(3))
Expect(rules).To(HaveLen(2))
Expect(rules[0].ResourceNames).To(BeEmpty())
Expect(rules[0].ResourceNames).NotTo(BeNil())
Expect(rules[1].ResourceNames).To(BeEmpty())
Expect(rules[2].ResourceNames).To(BeEmpty())
})
It("should deduplicate secret names across ObjectStores", func() {
@ -95,6 +94,31 @@ var _ = Describe("BuildRoleRules", func() {
rules := BuildRoleRules(objects)
Expect(rules[2].ResourceNames).To(Equal([]string{"shared-secret"}))
})
It("should not produce a secrets rule when ObjectStores use IAM role inheritance", func() {
objects := []barmancloudv1.ObjectStore{
{
ObjectMeta: metav1.ObjectMeta{
Name: "store-a",
Namespace: "default",
},
Spec: barmancloudv1.ObjectStoreSpec{
Configuration: barmanapi.BarmanObjectStoreConfiguration{
DestinationPath: "s3://bucket/path",
BarmanCredentials: barmanapi.BarmanCredentials{
AWS: &barmanapi.S3Credentials{
InheritFromIAMRole: true,
},
},
},
},
},
}
rules := BuildRoleRules(objects)
Expect(rules).To(HaveLen(2))
Expect(rules[0].ResourceNames).To(Equal([]string{"store-a"}))
Expect(rules[1].ResourceNames).To(Equal([]string{"store-a"}))
})
})
var _ = Describe("BuildRole", func() {

View File

@ -28,6 +28,9 @@ import (
func CollectSecretNamesFromCredentials(barmanCredentials *barmanapi.BarmanCredentials) []string {
var references []*machineryapi.SecretKeySelector
if barmanCredentials.AWS != nil {
// When using IAM role inheritance, barman-cloud uses the pod
// environment credential chain and does not read credential Secrets.
if !barmanCredentials.AWS.InheritFromIAMRole {
references = append(
references,
barmanCredentials.AWS.AccessKeyIDReference,
@ -36,6 +39,7 @@ func CollectSecretNamesFromCredentials(barmanCredentials *barmanapi.BarmanCreden
barmanCredentials.AWS.SessionToken,
)
}
}
if barmanCredentials.Azure != nil {
// When using default Azure credentials or managed identity, no secrets are required
if !barmanCredentials.Azure.UseDefaultAzureCredentials &&

View File

@ -57,6 +57,29 @@ var _ = Describe("CollectSecretNamesFromCredentials", func() {
secrets := CollectSecretNamesFromCredentials(credentials)
Expect(secrets).To(BeEmpty())
})
It("should return empty list when using InheritFromIAMRole", func() {
credentials := &barmanapi.BarmanCredentials{
AWS: &barmanapi.S3Credentials{
InheritFromIAMRole: true,
AccessKeyIDReference: &machineryapi.SecretKeySelector{
LocalObjectReference: machineryapi.LocalObjectReference{
Name: "aws-secret",
},
Key: "access-key-id",
},
RegionReference: &machineryapi.SecretKeySelector{
LocalObjectReference: machineryapi.LocalObjectReference{
Name: "aws-region",
},
Key: "region",
},
},
}
secrets := CollectSecretNamesFromCredentials(credentials)
Expect(secrets).To(BeEmpty())
})
})
Context("when collecting secrets from Azure credentials", func() {

View File

@ -31,8 +31,8 @@ import (
apierrs "k8s.io/apimachinery/pkg/api/errors"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
"k8s.io/apimachinery/pkg/types"
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
"sigs.k8s.io/controller-runtime/pkg/client"
"sigs.k8s.io/controller-runtime/pkg/client/fake"
"sigs.k8s.io/controller-runtime/pkg/client/interceptor"
@ -261,7 +261,7 @@ var _ = Describe("ObjectStoreReconciler", func() {
Expect(result).To(Equal(reconcile.Result{}))
})
It("should produce empty ResourceNames when all ObjectStores are deleted", func() {
It("should omit the secrets rule when all ObjectStores are deleted", func() {
store := newTestObjectStore("my-store", "default", "aws-creds")
role := newLabeledRole("my-cluster", "default", []barmancloudv1.ObjectStore{*store})
@ -291,10 +291,11 @@ var _ = Describe("ObjectStoreReconciler", func() {
Name: "my-cluster-barman-cloud",
}, &updatedRole)).To(Succeed())
// All rules should have empty ResourceNames
Expect(updatedRole.Rules[0].ResourceNames).To(BeEmpty())
Expect(updatedRole.Rules[1].ResourceNames).To(BeEmpty())
Expect(updatedRole.Rules[2].ResourceNames).To(BeEmpty())
for _, rule := range updatedRole.Rules {
Expect(rule.Resources).NotTo(Equal([]string{"secrets"}))
}
})
It("should return an error when listing Roles fails", func() {