mirror of
https://github.com/cloudnative-pg/plugin-barman-cloud.git
synced 2026-01-13 14:13:10 +01:00
Compare commits
2 Commits
aae7e2314f
...
cfbeb89079
| Author | SHA1 | Date | |
|---|---|---|---|
|
cfbeb89079 | ||
|
|
37575b78f0 |
@ -1,4 +1,3 @@
|
||||
AKS
|
||||
AccessDenied
|
||||
AdditionalContainerArgs
|
||||
Akamai
|
||||
@ -6,7 +5,6 @@ Azurite
|
||||
BarmanObjectStore
|
||||
BarmanObjectStoreConfiguration
|
||||
BarmanObjectStores
|
||||
CLI
|
||||
CNCF
|
||||
CRD
|
||||
CloudNativePG
|
||||
@ -40,7 +38,6 @@ PITR
|
||||
PoR
|
||||
PostgreSQL
|
||||
Postgres
|
||||
PowerShell
|
||||
README
|
||||
RPO
|
||||
RTO
|
||||
@ -48,7 +45,6 @@ RecoveryWindow
|
||||
ResourceRequirements
|
||||
RetentionPolicy
|
||||
SAS
|
||||
SDK
|
||||
SFO
|
||||
SPDX
|
||||
SPDX
|
||||
|
||||
@ -108,11 +108,6 @@ spec:
|
||||
- key
|
||||
- name
|
||||
type: object
|
||||
useDefaultAzureCredentials:
|
||||
description: |-
|
||||
Use the default Azure authentication flow, which includes DefaultAzureCredential.
|
||||
This allows authentication using environment variables and managed identities.
|
||||
type: boolean
|
||||
type: object
|
||||
data:
|
||||
description: |-
|
||||
|
||||
@ -14,27 +14,31 @@ azure-identity==1.25.1 \
|
||||
--hash=sha256:87ca8328883de6036443e1c37b40e8dc8fb74898240f61071e09d2e369361456 \
|
||||
--hash=sha256:e9edd720af03dff020223cd269fa3a61e8f345ea75443858273bcb44844ab651
|
||||
# via barman
|
||||
azure-storage-blob==12.28.0 \
|
||||
--hash=sha256:00fb1db28bf6a7b7ecaa48e3b1d5c83bfadacc5a678b77826081304bd87d6461 \
|
||||
--hash=sha256:e7d98ea108258d29aa0efbfd591b2e2075fa1722a2fae8699f0b3c9de11eff41
|
||||
azure-storage-blob==12.27.1 \
|
||||
--hash=sha256:65d1e25a4628b7b6acd20ff7902d8da5b4fde8e46e19c8f6d213a3abc3ece272 \
|
||||
--hash=sha256:a1596cc4daf5dac9be115fcb5db67245eae894cf40e4248243754261f7b674a6
|
||||
# via barman
|
||||
barman==3.16.2 \
|
||||
--hash=sha256:0549f451a1b928647c75c5a2977526233ad7a976bb83e9a4379c33ce61443515 \
|
||||
--hash=sha256:ab0c6f4f5cfc0cc12b087335bdd5def2edbca32bc1bf553cc5a9e78cd83df43a
|
||||
# via -r sidecar-requirements.in
|
||||
boto3==1.42.24 \
|
||||
--hash=sha256:8ed6ad670a5a2d7f66c1b0d3362791b48392c7a08f78479f5d8ab319a4d9118f \
|
||||
--hash=sha256:c47a2f40df933e3861fc66fd8d6b87ee36d4361663a7e7ba39a87f5a78b2eae1
|
||||
boto3==1.42.17 \
|
||||
--hash=sha256:8a2e345e96d5ceba755c55539c93f99705f403fbfdeef2e838eabdc56750828b \
|
||||
--hash=sha256:e0ee40f7102712452f6776af891c8f49b5ae9133bdaf22711d6f4a78963c2614
|
||||
# via barman
|
||||
botocore==1.42.24 \
|
||||
--hash=sha256:8fca9781d7c84f7ad070fceffaff7179c4aa7a5ffb27b43df9d1d957801e0a8d \
|
||||
--hash=sha256:be8d1bea64fb91eea08254a1e5fea057e4428d08e61f4e11083a02cafc1f8cc6
|
||||
botocore==1.42.17 \
|
||||
--hash=sha256:a832e4c04e63141221480967e9e511363aa54d24c405935fccb913a18583c96b \
|
||||
--hash=sha256:d73fe22c8e1497e4d59ff7dc68eb05afac68a4a6457656811562285d6132bc04
|
||||
# via
|
||||
# boto3
|
||||
# s3transfer
|
||||
certifi==2026.1.4 \
|
||||
--hash=sha256:9943707519e4add1115f44c2bc244f782c0249876bf51b6599fee1ffbedd685c \
|
||||
--hash=sha256:ac726dd470482006e014ad384921ed6438c457018f4b3d204aea4281258b2120
|
||||
cachetools==6.2.4 \
|
||||
--hash=sha256:69a7a52634fed8b8bf6e24a050fb60bff1c9bd8f6d24572b99c32d4e71e62a51 \
|
||||
--hash=sha256:82c5c05585e70b6ba2d3ae09ea60b79548872185d2f24ae1f2709d37299fd607
|
||||
# via google-auth
|
||||
certifi==2025.11.12 \
|
||||
--hash=sha256:97de8790030bbd5c2d96b7ec782fc2f7820ef8dba6db909ccf95449f2d062d4b \
|
||||
--hash=sha256:d8ab5478f2ecd78af242878415affce761ca6bc54a22a27e026d7c25357c3316
|
||||
# via requests
|
||||
cffi==2.0.0 \
|
||||
--hash=sha256:00bdf7acc5f795150faa6957054fbbca2439db2f775ce831222b66f192f03beb \
|
||||
@ -434,15 +438,15 @@ cryptography==46.0.3 \
|
||||
# azure-storage-blob
|
||||
# msal
|
||||
# pyjwt
|
||||
google-api-core==2.29.0 \
|
||||
--hash=sha256:84181be0f8e6b04006df75ddfe728f24489f0af57c96a529ff7cf45bc28797f7 \
|
||||
--hash=sha256:d30bc60980daa36e314b5d5a3e5958b0200cb44ca8fa1be2b614e932b75a3ea9
|
||||
google-api-core==2.28.1 \
|
||||
--hash=sha256:2b405df02d68e68ce0fbc138559e6036559e685159d148ae5861013dc201baf8 \
|
||||
--hash=sha256:4021b0f8ceb77a6fb4de6fde4502cecab45062e66ff4f2895169e0b35bc9466c
|
||||
# via
|
||||
# google-cloud-core
|
||||
# google-cloud-storage
|
||||
google-auth==2.47.0 \
|
||||
--hash=sha256:833229070a9dfee1a353ae9877dcd2dec069a8281a4e72e72f77d4a70ff945da \
|
||||
--hash=sha256:c516d68336bfde7cf0da26aab674a36fedcf04b37ac4edd59c597178760c3498
|
||||
google-auth==2.45.0 \
|
||||
--hash=sha256:82344e86dc00410ef5382d99be677c6043d72e502b625aa4f4afa0bdacca0f36 \
|
||||
--hash=sha256:90d3f41b6b72ea72dd9811e765699ee491ab24139f34ebf1ca2b9cc0c38708f3
|
||||
# via
|
||||
# google-api-core
|
||||
# google-cloud-core
|
||||
@ -668,9 +672,9 @@ typing-extensions==4.15.0 \
|
||||
# azure-core
|
||||
# azure-identity
|
||||
# azure-storage-blob
|
||||
urllib3==2.6.3 \
|
||||
--hash=sha256:1b62b6884944a57dbe321509ab94fd4d3b307075e0c2eae991ac71ee15ad38ed \
|
||||
--hash=sha256:bf272323e553dfb2e87d9bfd225ca7b0f467b919d7bbd355436d3fd37cb0acd4
|
||||
urllib3==2.6.2 \
|
||||
--hash=sha256:016f9c98bb7e98085cb2b4b17b87d2c702975664e4f060c6532e64d1c1a5e797 \
|
||||
--hash=sha256:ec21cddfe7724fc7cb4ba4bea7aa8e2ef36f607a4bab81aa6ce42a13dc3f03dd
|
||||
# via
|
||||
# botocore
|
||||
# requests
|
||||
|
||||
2
go.mod
2
go.mod
@ -7,7 +7,7 @@ toolchain go1.25.5
|
||||
require (
|
||||
github.com/cert-manager/cert-manager v1.19.2
|
||||
github.com/cloudnative-pg/api v1.28.0
|
||||
github.com/cloudnative-pg/barman-cloud v0.4.1-0.20260108104508-ced266c145f5
|
||||
github.com/cloudnative-pg/barman-cloud v0.4.1-0.20251230211524-20b7e0e10b0f
|
||||
github.com/cloudnative-pg/cloudnative-pg v1.28.0
|
||||
github.com/cloudnative-pg/cnpg-i v0.3.1
|
||||
github.com/cloudnative-pg/cnpg-i-machinery v0.4.2
|
||||
|
||||
4
go.sum
4
go.sum
@ -18,8 +18,8 @@ github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UF
|
||||
github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
|
||||
github.com/cloudnative-pg/api v1.28.0 h1:xElzHliO0eKkVQafkfMhDJo0aIRCmB1ItEt+SGh6B58=
|
||||
github.com/cloudnative-pg/api v1.28.0/go.mod h1:puXJBOsEaJd8JLgvCtxgl2TO/ZANap/z7bPepKRUgrk=
|
||||
github.com/cloudnative-pg/barman-cloud v0.4.1-0.20260108104508-ced266c145f5 h1:wPB7VTNgTv6t9sl4QYOBakmVTqHnOdKUht7Q3aL+uns=
|
||||
github.com/cloudnative-pg/barman-cloud v0.4.1-0.20260108104508-ced266c145f5/go.mod h1:qD0NtJOllNQbRB0MaleuHsZjFYaXtXfdg0HbFTbuHn0=
|
||||
github.com/cloudnative-pg/barman-cloud v0.4.1-0.20251230211524-20b7e0e10b0f h1:4/PwIQOwQSTIxuncGRn3pX2V9CRwl7zJNXOVWOMSCCU=
|
||||
github.com/cloudnative-pg/barman-cloud v0.4.1-0.20251230211524-20b7e0e10b0f/go.mod h1:qD0NtJOllNQbRB0MaleuHsZjFYaXtXfdg0HbFTbuHn0=
|
||||
github.com/cloudnative-pg/cloudnative-pg v1.28.0 h1:vkv0a0ewDSfJOPJrsyUr4uczsxheReAWf/k171V0Dm0=
|
||||
github.com/cloudnative-pg/cloudnative-pg v1.28.0/go.mod h1:209fkRR6m0vXUVQ9Q498eAPQqN2UlXECbXXtpGsZz3I=
|
||||
github.com/cloudnative-pg/cnpg-i v0.3.1 h1:fKj8NoToWI11HUL2UWYJBpkVzmaTvbs3kDMo7wQF8RU=
|
||||
|
||||
@ -37,17 +37,13 @@ func CollectSecretNamesFromCredentials(barmanCredentials *barmanapi.BarmanCreden
|
||||
)
|
||||
}
|
||||
if barmanCredentials.Azure != nil {
|
||||
// When using default Azure credentials or managed identity, no secrets are required
|
||||
if !barmanCredentials.Azure.UseDefaultAzureCredentials &&
|
||||
!barmanCredentials.Azure.InheritFromAzureAD {
|
||||
references = append(
|
||||
references,
|
||||
barmanCredentials.Azure.ConnectionString,
|
||||
barmanCredentials.Azure.StorageAccount,
|
||||
barmanCredentials.Azure.StorageKey,
|
||||
barmanCredentials.Azure.StorageSasToken,
|
||||
)
|
||||
}
|
||||
references = append(
|
||||
references,
|
||||
barmanCredentials.Azure.ConnectionString,
|
||||
barmanCredentials.Azure.StorageAccount,
|
||||
barmanCredentials.Azure.StorageKey,
|
||||
barmanCredentials.Azure.StorageSasToken,
|
||||
)
|
||||
}
|
||||
if barmanCredentials.Google != nil {
|
||||
references = append(
|
||||
|
||||
@ -1,227 +0,0 @@
|
||||
/*
|
||||
Copyright © contributors to CloudNativePG, established as
|
||||
CloudNativePG a Series of LF Projects, LLC.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
*/
|
||||
|
||||
package specs
|
||||
|
||||
import (
|
||||
barmanapi "github.com/cloudnative-pg/barman-cloud/pkg/api"
|
||||
machineryapi "github.com/cloudnative-pg/machinery/pkg/api"
|
||||
|
||||
. "github.com/onsi/ginkgo/v2"
|
||||
. "github.com/onsi/gomega"
|
||||
)
|
||||
|
||||
var _ = Describe("CollectSecretNamesFromCredentials", func() {
|
||||
Context("when collecting secrets from AWS credentials", func() {
|
||||
It("should return secret names from S3 credentials", func() {
|
||||
credentials := &barmanapi.BarmanCredentials{
|
||||
AWS: &barmanapi.S3Credentials{
|
||||
AccessKeyIDReference: &machineryapi.SecretKeySelector{
|
||||
LocalObjectReference: machineryapi.LocalObjectReference{
|
||||
Name: "aws-secret",
|
||||
},
|
||||
Key: "access-key-id",
|
||||
},
|
||||
SecretAccessKeyReference: &machineryapi.SecretKeySelector{
|
||||
LocalObjectReference: machineryapi.LocalObjectReference{
|
||||
Name: "aws-secret",
|
||||
},
|
||||
Key: "secret-access-key",
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
secrets := CollectSecretNamesFromCredentials(credentials)
|
||||
Expect(secrets).To(ContainElement("aws-secret"))
|
||||
})
|
||||
|
||||
It("should handle nil AWS credentials", func() {
|
||||
credentials := &barmanapi.BarmanCredentials{}
|
||||
|
||||
secrets := CollectSecretNamesFromCredentials(credentials)
|
||||
Expect(secrets).To(BeEmpty())
|
||||
})
|
||||
})
|
||||
|
||||
Context("when collecting secrets from Azure credentials", func() {
|
||||
It("should return secret names when using explicit credentials", func() {
|
||||
credentials := &barmanapi.BarmanCredentials{
|
||||
Azure: &barmanapi.AzureCredentials{
|
||||
ConnectionString: &machineryapi.SecretKeySelector{
|
||||
LocalObjectReference: machineryapi.LocalObjectReference{
|
||||
Name: "azure-secret",
|
||||
},
|
||||
Key: "connection-string",
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
secrets := CollectSecretNamesFromCredentials(credentials)
|
||||
Expect(secrets).To(ContainElement("azure-secret"))
|
||||
})
|
||||
|
||||
It("should return empty list when using UseDefaultAzureCredentials", func() {
|
||||
credentials := &barmanapi.BarmanCredentials{
|
||||
Azure: &barmanapi.AzureCredentials{
|
||||
UseDefaultAzureCredentials: true,
|
||||
ConnectionString: &machineryapi.SecretKeySelector{
|
||||
LocalObjectReference: machineryapi.LocalObjectReference{
|
||||
Name: "azure-secret",
|
||||
},
|
||||
Key: "connection-string",
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
secrets := CollectSecretNamesFromCredentials(credentials)
|
||||
Expect(secrets).To(BeEmpty())
|
||||
})
|
||||
|
||||
It("should return empty list when using InheritFromAzureAD", func() {
|
||||
credentials := &barmanapi.BarmanCredentials{
|
||||
Azure: &barmanapi.AzureCredentials{
|
||||
InheritFromAzureAD: true,
|
||||
},
|
||||
}
|
||||
|
||||
secrets := CollectSecretNamesFromCredentials(credentials)
|
||||
Expect(secrets).To(BeEmpty())
|
||||
})
|
||||
|
||||
It("should return secret names for storage account and key", func() {
|
||||
credentials := &barmanapi.BarmanCredentials{
|
||||
Azure: &barmanapi.AzureCredentials{
|
||||
StorageAccount: &machineryapi.SecretKeySelector{
|
||||
LocalObjectReference: machineryapi.LocalObjectReference{
|
||||
Name: "azure-storage",
|
||||
},
|
||||
Key: "account-name",
|
||||
},
|
||||
StorageKey: &machineryapi.SecretKeySelector{
|
||||
LocalObjectReference: machineryapi.LocalObjectReference{
|
||||
Name: "azure-storage",
|
||||
},
|
||||
Key: "account-key",
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
secrets := CollectSecretNamesFromCredentials(credentials)
|
||||
Expect(secrets).To(ContainElement("azure-storage"))
|
||||
})
|
||||
})
|
||||
|
||||
Context("when collecting secrets from Google credentials", func() {
|
||||
It("should return secret names from Google credentials", func() {
|
||||
credentials := &barmanapi.BarmanCredentials{
|
||||
Google: &barmanapi.GoogleCredentials{
|
||||
ApplicationCredentials: &machineryapi.SecretKeySelector{
|
||||
LocalObjectReference: machineryapi.LocalObjectReference{
|
||||
Name: "google-secret",
|
||||
},
|
||||
Key: "credentials.json",
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
secrets := CollectSecretNamesFromCredentials(credentials)
|
||||
Expect(secrets).To(ContainElement("google-secret"))
|
||||
})
|
||||
})
|
||||
|
||||
Context("when collecting secrets from multiple cloud providers", func() {
|
||||
It("should return secret names from all providers", func() {
|
||||
credentials := &barmanapi.BarmanCredentials{
|
||||
AWS: &barmanapi.S3Credentials{
|
||||
AccessKeyIDReference: &machineryapi.SecretKeySelector{
|
||||
LocalObjectReference: machineryapi.LocalObjectReference{
|
||||
Name: "aws-secret",
|
||||
},
|
||||
Key: "access-key-id",
|
||||
},
|
||||
},
|
||||
Azure: &barmanapi.AzureCredentials{
|
||||
ConnectionString: &machineryapi.SecretKeySelector{
|
||||
LocalObjectReference: machineryapi.LocalObjectReference{
|
||||
Name: "azure-secret",
|
||||
},
|
||||
Key: "connection-string",
|
||||
},
|
||||
},
|
||||
Google: &barmanapi.GoogleCredentials{
|
||||
ApplicationCredentials: &machineryapi.SecretKeySelector{
|
||||
LocalObjectReference: machineryapi.LocalObjectReference{
|
||||
Name: "google-secret",
|
||||
},
|
||||
Key: "credentials.json",
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
secrets := CollectSecretNamesFromCredentials(credentials)
|
||||
Expect(secrets).To(ContainElements("aws-secret", "azure-secret", "google-secret"))
|
||||
})
|
||||
|
||||
It("should skip Azure secrets when using UseDefaultAzureCredentials with other providers", func() {
|
||||
credentials := &barmanapi.BarmanCredentials{
|
||||
AWS: &barmanapi.S3Credentials{
|
||||
AccessKeyIDReference: &machineryapi.SecretKeySelector{
|
||||
LocalObjectReference: machineryapi.LocalObjectReference{
|
||||
Name: "aws-secret",
|
||||
},
|
||||
Key: "access-key-id",
|
||||
},
|
||||
},
|
||||
Azure: &barmanapi.AzureCredentials{
|
||||
UseDefaultAzureCredentials: true,
|
||||
ConnectionString: &machineryapi.SecretKeySelector{
|
||||
LocalObjectReference: machineryapi.LocalObjectReference{
|
||||
Name: "azure-secret",
|
||||
},
|
||||
Key: "connection-string",
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
secrets := CollectSecretNamesFromCredentials(credentials)
|
||||
Expect(secrets).To(ContainElement("aws-secret"))
|
||||
Expect(secrets).NotTo(ContainElement("azure-secret"))
|
||||
})
|
||||
})
|
||||
|
||||
Context("when handling nil references", func() {
|
||||
It("should skip nil secret references", func() {
|
||||
credentials := &barmanapi.BarmanCredentials{
|
||||
AWS: &barmanapi.S3Credentials{
|
||||
AccessKeyIDReference: &machineryapi.SecretKeySelector{
|
||||
LocalObjectReference: machineryapi.LocalObjectReference{
|
||||
Name: "aws-secret",
|
||||
},
|
||||
Key: "access-key-id",
|
||||
},
|
||||
SecretAccessKeyReference: nil,
|
||||
},
|
||||
}
|
||||
|
||||
secrets := CollectSecretNamesFromCredentials(credentials)
|
||||
Expect(secrets).To(ContainElement("aws-secret"))
|
||||
Expect(len(secrets)).To(Equal(1))
|
||||
})
|
||||
})
|
||||
})
|
||||
@ -1,32 +0,0 @@
|
||||
/*
|
||||
Copyright © contributors to CloudNativePG, established as
|
||||
CloudNativePG a Series of LF Projects, LLC.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
|
||||
SPDX-License-Identifier: Apache-2.0
|
||||
*/
|
||||
|
||||
package specs
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
. "github.com/onsi/ginkgo/v2"
|
||||
. "github.com/onsi/gomega"
|
||||
)
|
||||
|
||||
func TestSpecs(t *testing.T) {
|
||||
RegisterFailHandler(Fail)
|
||||
RunSpecs(t, "Specs Suite")
|
||||
}
|
||||
@ -107,11 +107,6 @@ spec:
|
||||
- key
|
||||
- name
|
||||
type: object
|
||||
useDefaultAzureCredentials:
|
||||
description: |-
|
||||
Use the default Azure authentication flow, which includes DefaultAzureCredential.
|
||||
This allows authentication using environment variables and managed identities.
|
||||
type: boolean
|
||||
type: object
|
||||
data:
|
||||
description: |-
|
||||
|
||||
@ -29,16 +29,6 @@ the specific object storage provider you are using.
|
||||
|
||||
The following sections detail the setup for each.
|
||||
|
||||
:::note Authentication Methods
|
||||
The Barman Cloud Plugin does not independently test all authentication methods
|
||||
supported by `barman-cloud`. The plugin's responsibility is limited to passing
|
||||
the provided credentials to `barman-cloud`, which then handles authentication
|
||||
according to its own implementation. Users should refer to the
|
||||
[Barman Cloud documentation](https://docs.pgbarman.org/release/latest/) to
|
||||
verify that their chosen authentication method is supported and properly
|
||||
configured.
|
||||
:::
|
||||
|
||||
---
|
||||
|
||||
## AWS S3
|
||||
@ -240,18 +230,14 @@ is Microsoft’s cloud-based object storage solution.
|
||||
Barman Cloud supports the following authentication methods:
|
||||
|
||||
- [Connection String](https://learn.microsoft.com/en-us/azure/storage/common/storage-configure-connection-string)
|
||||
- Storage Account Name + [Storage Account Access Key](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage)
|
||||
- Storage Account Name + [Storage Account SAS Token](https://learn.microsoft.com/en-us/azure/storage/blobs/sas-service-create)
|
||||
- [Azure AD Managed Identity](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview)
|
||||
- [Default Azure Credentials](https://learn.microsoft.com/en-us/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet)
|
||||
- Storage Account Name + [Access Key](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage)
|
||||
- Storage Account Name + [SAS Token](https://learn.microsoft.com/en-us/azure/storage/blobs/sas-service-create)
|
||||
- [Azure AD Workload Identity](https://azure.github.io/azure-workload-identity/docs/introduction.html)
|
||||
|
||||
### Azure AD Managed Identity
|
||||
### Azure AD Workload Identity
|
||||
|
||||
This method avoids storing credentials in Kubernetes by enabling the
|
||||
usage of [Azure Managed Identities](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview) authentication mechanism.
|
||||
This can be enabled by setting the `inheritFromAzureAD` option to `true`.
|
||||
Managed Identity can be configured for the AKS Cluster by following
|
||||
the [Azure documentation](https://learn.microsoft.com/en-us/azure/aks/use-managed-identity?pivots=system-assigned).
|
||||
This method avoids storing credentials in Kubernetes via the
|
||||
`.spec.configuration.inheritFromAzureAD` option:
|
||||
|
||||
```yaml
|
||||
apiVersion: barmancloud.cnpg.io/v1
|
||||
@ -266,36 +252,6 @@ spec:
|
||||
[...]
|
||||
```
|
||||
|
||||
### Default Azure Credentials
|
||||
|
||||
The `useDefaultAzureCredentials` option enables the default Azure credentials
|
||||
flow, which uses [`DefaultAzureCredential`](https://learn.microsoft.com/en-us/python/api/azure-identity/azure.identity.defaultazurecredential)
|
||||
to automatically discover and use available credentials in the following order:
|
||||
|
||||
1. **Environment Variables** — `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, and `AZURE_TENANT_ID` for Service Principal authentication
|
||||
2. **Managed Identity** — Uses the managed identity assigned to the pod
|
||||
3. **Azure CLI** — Uses credentials from the Azure CLI if available
|
||||
4. **Azure PowerShell** — Uses credentials from Azure PowerShell if available
|
||||
|
||||
This approach is particularly useful for getting started with development and testing; it allows
|
||||
the SDK to attempt multiple authentication mechanisms seamlessly across different environments.
|
||||
However, this is not recommended for production. Please refer to the
|
||||
[official Azure guidance](https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication/credential-chains?tabs=dac#usage-guidance-for-defaultazurecredential)
|
||||
for a comprehensive understanding of `DefaultAzureCredential`.
|
||||
|
||||
```yaml
|
||||
apiVersion: barmancloud.cnpg.io/v1
|
||||
kind: ObjectStore
|
||||
metadata:
|
||||
name: azure-store
|
||||
spec:
|
||||
configuration:
|
||||
destinationPath: "<destination path here>"
|
||||
azureCredentials:
|
||||
useDefaultAzureCredentials: true
|
||||
[...]
|
||||
```
|
||||
|
||||
### Access Key, SAS Token, or Connection String
|
||||
|
||||
Store credentials in a Kubernetes secret:
|
||||
|
||||
Loading…
Reference in New Issue
Block a user