.github/workflows/barman-base-image.yml

@@ -27,7 +27,7 @@ jobs:
       - name: Install Dagger
         env:
           # renovate: datasource=github-tags depName=dagger/dagger versioning=semver
-          DAGGER_VERSION: 0.19.9
+          DAGGER_VERSION: 0.19.8
         run: |
           curl -L https://dl.dagger.io/dagger/install.sh | BIN_DIR=$HOME/.local/bin sh
       - name: Publish a barman-base

.github/workflows/ci.yml

@@ -44,7 +44,7 @@ jobs:
       - name: Install Dagger
         env:
           # renovate: datasource=github-tags depName=dagger/dagger versioning=semver
-          DAGGER_VERSION: 0.19.9
+          DAGGER_VERSION: 0.19.8
         run: |
           curl -L https://dl.dagger.io/dagger/install.sh | BIN_DIR=$HOME/.local/bin sh
       - name: Run CI task

.github/workflows/release-please.yml

@@ -31,7 +31,7 @@ jobs:
       - name: Install Dagger
         env:
           # renovate: datasource=github-tags depName=dagger/dagger versioning=semver
-          DAGGER_VERSION: 0.19.9
+          DAGGER_VERSION: 0.19.8
         run: |
           curl -L https://dl.dagger.io/dagger/install.sh | BIN_DIR=$HOME/.local/bin sh
       - name: Create image and manifest

.github/workflows/release-publish.yml

@@ -21,7 +21,7 @@ jobs:
       - name: Install Dagger
         env:
           # renovate: datasource=github-tags depName=dagger/dagger versioning=semver
-          DAGGER_VERSION: 0.19.9
+          DAGGER_VERSION: 0.19.8
         run: |
           curl -L https://dl.dagger.io/dagger/install.sh | BIN_DIR=$HOME/.local/bin sh
       - name: Create image and manifest

.wordlist.txt

@@ -1,4 +1,3 @@
-AKS
 AccessDenied
 AdditionalContainerArgs
 Akamai
@@ -6,7 +5,6 @@ Azurite
 BarmanObjectStore
 BarmanObjectStoreConfiguration
 BarmanObjectStores
-CLI
 CNCF
 CRD
 CloudNativePG
@@ -40,7 +38,6 @@ PITR
 PoR
 PostgreSQL
 Postgres
-PowerShell
 README
 RPO
 RTO
@@ -48,7 +45,6 @@ RecoveryWindow
 ResourceRequirements
 RetentionPolicy
 SAS
-SDK
 SFO
 SPDX
 SPDX

Taskfile.yml

@@ -202,7 +202,7 @@ tasks:
       - start-build-network
     vars:
       # renovate: datasource=github-tags depName=dagger/dagger versioning=semver
-      DAGGER_VERSION: 0.19.9
+      DAGGER_VERSION: 0.19.8
       DAGGER_ENGINE_IMAGE: registry.dagger.io/engine:v{{ .DAGGER_VERSION }}
     cmds:
       - >

config/crd/bases/barmancloud.cnpg.io_objectstores.yaml

@@ -108,11 +108,6 @@ spec:
                         - key
                         - name
                         type: object
-                      useDefaultAzureCredentials:
-                        description: |-
-                          Use the default Azure authentication flow, which includes DefaultAzureCredential.
-                          This allows authentication using environment variables and managed identities.
-                        type: boolean
                     type: object
                   data:
                     description: |-

containers/sidecar-requirements.in

@@ -1,3 +1,3 @@
-barman[azure,cloud,google,snappy,zstandard,lz4]==3.17.0
+barman[azure,cloud,google,snappy,zstandard,lz4]==3.16.2
 setuptools==80.9.0
 zipp>=3.19.1 # not directly required, pinned by Snyk to avoid a vulnerability

containers/sidecar-requirements.txt

@@ -18,9 +18,9 @@ azure-storage-blob==12.27.1 \
     --hash=sha256:65d1e25a4628b7b6acd20ff7902d8da5b4fde8e46e19c8f6d213a3abc3ece272 \
     --hash=sha256:a1596cc4daf5dac9be115fcb5db67245eae894cf40e4248243754261f7b674a6
     # via barman
-barman==3.17.0 \
+barman==3.16.2 \
-    --hash=sha256:07b033da14e72f103de44261c31bd0c3169bbb2e4de3481c6bb3510e9870d38e \
+    --hash=sha256:0549f451a1b928647c75c5a2977526233ad7a976bb83e9a4379c33ce61443515 \
-    --hash=sha256:d6618990a6dbb31af3286d746a278a038534b7e3cc617c2b379ef7ebdeb7ed5a
+    --hash=sha256:ab0c6f4f5cfc0cc12b087335bdd5def2edbca32bc1bf553cc5a9e78cd83df43a
     # via -r sidecar-requirements.in
 boto3==1.42.14 \
     --hash=sha256:a5d005667b480c844ed3f814a59f199ce249d0f5669532a17d06200c0a93119c \

go.mod

@@ -7,7 +7,7 @@ toolchain go1.25.5
 require (
 	github.com/cert-manager/cert-manager v1.19.2
 	github.com/cloudnative-pg/api v1.28.0
-	github.com/cloudnative-pg/barman-cloud v0.4.1-0.20260108104508-ced266c145f5
+	github.com/cloudnative-pg/barman-cloud v0.4.0
 	github.com/cloudnative-pg/cloudnative-pg v1.28.0
 	github.com/cloudnative-pg/cnpg-i v0.3.1
 	github.com/cloudnative-pg/cnpg-i-machinery v0.4.2
@@ -22,7 +22,7 @@ require (
 	k8s.io/apiextensions-apiserver v0.35.0
 	k8s.io/apimachinery v0.35.0
 	k8s.io/client-go v0.35.0
-	k8s.io/utils v0.0.0-20260108192941-914a6e750570
+	k8s.io/utils v0.0.0-20251222233032-718f0e51e6d2
 	sigs.k8s.io/controller-runtime v0.22.4
 	sigs.k8s.io/kustomize/api v0.21.0
 	sigs.k8s.io/kustomize/kyaml v0.21.0

go.sum

@@ -18,8 +18,8 @@ github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UF
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cloudnative-pg/api v1.28.0 h1:xElzHliO0eKkVQafkfMhDJo0aIRCmB1ItEt+SGh6B58=
 github.com/cloudnative-pg/api v1.28.0/go.mod h1:puXJBOsEaJd8JLgvCtxgl2TO/ZANap/z7bPepKRUgrk=
-github.com/cloudnative-pg/barman-cloud v0.4.1-0.20260108104508-ced266c145f5 h1:wPB7VTNgTv6t9sl4QYOBakmVTqHnOdKUht7Q3aL+uns=
+github.com/cloudnative-pg/barman-cloud v0.4.0 h1:V4ajM5yDWq2m+TxmnDtCBGmfMXAxbXr9k7lfR4jM+eE=
-github.com/cloudnative-pg/barman-cloud v0.4.1-0.20260108104508-ced266c145f5/go.mod h1:qD0NtJOllNQbRB0MaleuHsZjFYaXtXfdg0HbFTbuHn0=
+github.com/cloudnative-pg/barman-cloud v0.4.0/go.mod h1:AWdyNP2jvMO1c7eOOwT8kT+QGyK5O7lEBZX12LEZ1Ic=
 github.com/cloudnative-pg/cloudnative-pg v1.28.0 h1:vkv0a0ewDSfJOPJrsyUr4uczsxheReAWf/k171V0Dm0=
 github.com/cloudnative-pg/cloudnative-pg v1.28.0/go.mod h1:209fkRR6m0vXUVQ9Q498eAPQqN2UlXECbXXtpGsZz3I=
 github.com/cloudnative-pg/cnpg-i v0.3.1 h1:fKj8NoToWI11HUL2UWYJBpkVzmaTvbs3kDMo7wQF8RU=
@@ -326,8 +326,8 @@ k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kube-openapi v0.0.0-20251125145642-4e65d59e963e h1:iW9ChlU0cU16w8MpVYjXk12dqQ4BPFBEgif+ap7/hqQ=
 k8s.io/kube-openapi v0.0.0-20251125145642-4e65d59e963e/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
-k8s.io/utils v0.0.0-20260108192941-914a6e750570 h1:JT4W8lsdrGENg9W+YwwdLJxklIuKWdRm+BC+xt33FOY=
+k8s.io/utils v0.0.0-20251222233032-718f0e51e6d2 h1:OfgiEo21hGiwx1oJUU5MpEaeOEg6coWndBkZF/lkFuE=
-k8s.io/utils v0.0.0-20260108192941-914a6e750570/go.mod h1:xDxuJ0whA3d0I4mf/C4ppKHxXynQ+fxnkmQH0vTHnuk=
+k8s.io/utils v0.0.0-20251222233032-718f0e51e6d2/go.mod h1:xDxuJ0whA3d0I4mf/C4ppKHxXynQ+fxnkmQH0vTHnuk=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.33.0 h1:qPrZsv1cwQiFeieFlRqT627fVZ+tyfou/+S5S0H5ua0=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.33.0/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
 sigs.k8s.io/controller-runtime v0.22.4 h1:GEjV7KV3TY8e+tJ2LCTxUTanW4z/FmNB7l327UfMq9A=

internal/cnpgi/operator/specs/secrets.go

@@ -37,9 +37,6 @@ func CollectSecretNamesFromCredentials(barmanCredentials *barmanapi.BarmanCreden
 		)
 	}
 	if barmanCredentials.Azure != nil {
-		// When using default Azure credentials or managed identity, no secrets are required
-		if !barmanCredentials.Azure.UseDefaultAzureCredentials &&
-			!barmanCredentials.Azure.InheritFromAzureAD {
 		references = append(
 			references,
 			barmanCredentials.Azure.ConnectionString,
@@ -48,7 +45,6 @@ func CollectSecretNamesFromCredentials(barmanCredentials *barmanapi.BarmanCreden
 			barmanCredentials.Azure.StorageSasToken,
 		)
 	}
-	}
 	if barmanCredentials.Google != nil {
 		references = append(
 			references,

internal/cnpgi/operator/specs/secrets_test.go

@@ -1,227 +0,0 @@
-/*
-Copyright © contributors to CloudNativePG, established as
-CloudNativePG a Series of LF Projects, LLC.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-
-SPDX-License-Identifier: Apache-2.0
-*/
-
-package specs
-
-import (
-	barmanapi "github.com/cloudnative-pg/barman-cloud/pkg/api"
-	machineryapi "github.com/cloudnative-pg/machinery/pkg/api"
-
-	. "github.com/onsi/ginkgo/v2"
-	. "github.com/onsi/gomega"
-)
-
-var _ = Describe("CollectSecretNamesFromCredentials", func() {
-	Context("when collecting secrets from AWS credentials", func() {
-		It("should return secret names from S3 credentials", func() {
-			credentials := &barmanapi.BarmanCredentials{
-				AWS: &barmanapi.S3Credentials{
-					AccessKeyIDReference: &machineryapi.SecretKeySelector{
-						LocalObjectReference: machineryapi.LocalObjectReference{
-							Name: "aws-secret",
-						},
-						Key: "access-key-id",
-					},
-					SecretAccessKeyReference: &machineryapi.SecretKeySelector{
-						LocalObjectReference: machineryapi.LocalObjectReference{
-							Name: "aws-secret",
-						},
-						Key: "secret-access-key",
-					},
-				},
-			}
-
-			secrets := CollectSecretNamesFromCredentials(credentials)
-			Expect(secrets).To(ContainElement("aws-secret"))
-		})
-
-		It("should handle nil AWS credentials", func() {
-			credentials := &barmanapi.BarmanCredentials{}
-
-			secrets := CollectSecretNamesFromCredentials(credentials)
-			Expect(secrets).To(BeEmpty())
-		})
-	})
-
-	Context("when collecting secrets from Azure credentials", func() {
-		It("should return secret names when using explicit credentials", func() {
-			credentials := &barmanapi.BarmanCredentials{
-				Azure: &barmanapi.AzureCredentials{
-					ConnectionString: &machineryapi.SecretKeySelector{
-						LocalObjectReference: machineryapi.LocalObjectReference{
-							Name: "azure-secret",
-						},
-						Key: "connection-string",
-					},
-				},
-			}
-
-			secrets := CollectSecretNamesFromCredentials(credentials)
-			Expect(secrets).To(ContainElement("azure-secret"))
-		})
-
-		It("should return empty list when using UseDefaultAzureCredentials", func() {
-			credentials := &barmanapi.BarmanCredentials{
-				Azure: &barmanapi.AzureCredentials{
-					UseDefaultAzureCredentials: true,
-					ConnectionString: &machineryapi.SecretKeySelector{
-						LocalObjectReference: machineryapi.LocalObjectReference{
-							Name: "azure-secret",
-						},
-						Key: "connection-string",
-					},
-				},
-			}
-
-			secrets := CollectSecretNamesFromCredentials(credentials)
-			Expect(secrets).To(BeEmpty())
-		})
-
-		It("should return empty list when using InheritFromAzureAD", func() {
-			credentials := &barmanapi.BarmanCredentials{
-				Azure: &barmanapi.AzureCredentials{
-					InheritFromAzureAD: true,
-				},
-			}
-
-			secrets := CollectSecretNamesFromCredentials(credentials)
-			Expect(secrets).To(BeEmpty())
-		})
-
-		It("should return secret names for storage account and key", func() {
-			credentials := &barmanapi.BarmanCredentials{
-				Azure: &barmanapi.AzureCredentials{
-					StorageAccount: &machineryapi.SecretKeySelector{
-						LocalObjectReference: machineryapi.LocalObjectReference{
-							Name: "azure-storage",
-						},
-						Key: "account-name",
-					},
-					StorageKey: &machineryapi.SecretKeySelector{
-						LocalObjectReference: machineryapi.LocalObjectReference{
-							Name: "azure-storage",
-						},
-						Key: "account-key",
-					},
-				},
-			}
-
-			secrets := CollectSecretNamesFromCredentials(credentials)
-			Expect(secrets).To(ContainElement("azure-storage"))
-		})
-	})
-
-	Context("when collecting secrets from Google credentials", func() {
-		It("should return secret names from Google credentials", func() {
-			credentials := &barmanapi.BarmanCredentials{
-				Google: &barmanapi.GoogleCredentials{
-					ApplicationCredentials: &machineryapi.SecretKeySelector{
-						LocalObjectReference: machineryapi.LocalObjectReference{
-							Name: "google-secret",
-						},
-						Key: "credentials.json",
-					},
-				},
-			}
-
-			secrets := CollectSecretNamesFromCredentials(credentials)
-			Expect(secrets).To(ContainElement("google-secret"))
-		})
-	})
-
-	Context("when collecting secrets from multiple cloud providers", func() {
-		It("should return secret names from all providers", func() {
-			credentials := &barmanapi.BarmanCredentials{
-				AWS: &barmanapi.S3Credentials{
-					AccessKeyIDReference: &machineryapi.SecretKeySelector{
-						LocalObjectReference: machineryapi.LocalObjectReference{
-							Name: "aws-secret",
-						},
-						Key: "access-key-id",
-					},
-				},
-				Azure: &barmanapi.AzureCredentials{
-					ConnectionString: &machineryapi.SecretKeySelector{
-						LocalObjectReference: machineryapi.LocalObjectReference{
-							Name: "azure-secret",
-						},
-						Key: "connection-string",
-					},
-				},
-				Google: &barmanapi.GoogleCredentials{
-					ApplicationCredentials: &machineryapi.SecretKeySelector{
-						LocalObjectReference: machineryapi.LocalObjectReference{
-							Name: "google-secret",
-						},
-						Key: "credentials.json",
-					},
-				},
-			}
-
-			secrets := CollectSecretNamesFromCredentials(credentials)
-			Expect(secrets).To(ContainElements("aws-secret", "azure-secret", "google-secret"))
-		})
-
-		It("should skip Azure secrets when using UseDefaultAzureCredentials with other providers", func() {
-			credentials := &barmanapi.BarmanCredentials{
-				AWS: &barmanapi.S3Credentials{
-					AccessKeyIDReference: &machineryapi.SecretKeySelector{
-						LocalObjectReference: machineryapi.LocalObjectReference{
-							Name: "aws-secret",
-						},
-						Key: "access-key-id",
-					},
-				},
-				Azure: &barmanapi.AzureCredentials{
-					UseDefaultAzureCredentials: true,
-					ConnectionString: &machineryapi.SecretKeySelector{
-						LocalObjectReference: machineryapi.LocalObjectReference{
-							Name: "azure-secret",
-						},
-						Key: "connection-string",
-					},
-				},
-			}
-
-			secrets := CollectSecretNamesFromCredentials(credentials)
-			Expect(secrets).To(ContainElement("aws-secret"))
-			Expect(secrets).NotTo(ContainElement("azure-secret"))
-		})
-	})
-
-	Context("when handling nil references", func() {
-		It("should skip nil secret references", func() {
-			credentials := &barmanapi.BarmanCredentials{
-				AWS: &barmanapi.S3Credentials{
-					AccessKeyIDReference: &machineryapi.SecretKeySelector{
-						LocalObjectReference: machineryapi.LocalObjectReference{
-							Name: "aws-secret",
-						},
-						Key: "access-key-id",
-					},
-					SecretAccessKeyReference: nil,
-				},
-			}
-
-			secrets := CollectSecretNamesFromCredentials(credentials)
-			Expect(secrets).To(ContainElement("aws-secret"))
-			Expect(len(secrets)).To(Equal(1))
-		})
-	})
-})

internal/cnpgi/operator/specs/suite_test.go

@@ -1,32 +0,0 @@
-/*
-Copyright © contributors to CloudNativePG, established as
-CloudNativePG a Series of LF Projects, LLC.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-
-SPDX-License-Identifier: Apache-2.0
-*/
-
-package specs
-
-import (
-	"testing"
-
-	. "github.com/onsi/ginkgo/v2"
-	. "github.com/onsi/gomega"
-)
-
-func TestSpecs(t *testing.T) {
-	RegisterFailHandler(Fail)
-	RunSpecs(t, "Specs Suite")
-}

manifest.yaml

@@ -107,11 +107,6 @@ spec:
                         - key
                         - name
                         type: object
-                      useDefaultAzureCredentials:
-                        description: |-
-                          Use the default Azure authentication flow, which includes DefaultAzureCredential.
-                          This allows authentication using environment variables and managed identities.
-                        type: boolean
                     type: object
                   data:
                     description: |-

web/docs/object_stores.md

@@ -29,16 +29,6 @@ the specific object storage provider you are using.
 
 The following sections detail the setup for each.
 
-:::note Authentication Methods
-The Barman Cloud Plugin does not independently test all authentication methods
-supported by `barman-cloud`. The plugin's responsibility is limited to passing
-the provided credentials to `barman-cloud`, which then handles authentication
-according to its own implementation. Users should refer to the
-[Barman Cloud documentation](https://docs.pgbarman.org/release/latest/) to
-verify that their chosen authentication method is supported and properly
-configured.
-:::
-
 ---
 
 ## AWS S3
@@ -240,18 +230,14 @@ is Microsoft’s cloud-based object storage solution.
 Barman Cloud supports the following authentication methods:
 
 - [Connection String](https://learn.microsoft.com/en-us/azure/storage/common/storage-configure-connection-string)
-- Storage Account Name + [Storage Account Access Key](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage)
+- Storage Account Name + [Access Key](https://learn.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage)
-- Storage Account Name + [Storage Account SAS Token](https://learn.microsoft.com/en-us/azure/storage/blobs/sas-service-create)
+- Storage Account Name + [SAS Token](https://learn.microsoft.com/en-us/azure/storage/blobs/sas-service-create)
-- [Azure AD Managed Identity](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview)
+- [Azure AD Workload Identity](https://azure.github.io/azure-workload-identity/docs/introduction.html)
-- [Default Azure Credentials](https://learn.microsoft.com/en-us/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet)
 
-### Azure AD Managed Identity
+### Azure AD Workload Identity
 
-This method avoids storing credentials in Kubernetes by enabling the
+This method avoids storing credentials in Kubernetes via the
-usage of [Azure Managed Identities](https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview) authentication mechanism.
+`.spec.configuration.inheritFromAzureAD` option:
-This can be enabled by setting the `inheritFromAzureAD` option to `true`.
-Managed Identity can be configured for the AKS Cluster by following
-the [Azure documentation](https://learn.microsoft.com/en-us/azure/aks/use-managed-identity?pivots=system-assigned).
 
 ```yaml
 apiVersion: barmancloud.cnpg.io/v1
@@ -266,36 +252,6 @@ spec:
   [...]
 ```
 
-### Default Azure Credentials
-
-The `useDefaultAzureCredentials` option enables the default Azure credentials
-flow, which uses [`DefaultAzureCredential`](https://learn.microsoft.com/en-us/python/api/azure-identity/azure.identity.defaultazurecredential)
-to automatically discover and use available credentials in the following order:
-
-1. **Environment Variables** — `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, and `AZURE_TENANT_ID` for Service Principal authentication
-2. **Managed Identity** — Uses the managed identity assigned to the pod
-3. **Azure CLI** — Uses credentials from the Azure CLI if available
-4. **Azure PowerShell** — Uses credentials from Azure PowerShell if available
-
-This approach is particularly useful for getting started with development and testing; it allows
-the SDK to attempt multiple authentication mechanisms seamlessly across different environments.
-However, this is not recommended for production. Please refer to the
-[official Azure guidance](https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication/credential-chains?tabs=dac#usage-guidance-for-defaultazurecredential)
-for a comprehensive understanding of `DefaultAzureCredential`.
-
-```yaml
-apiVersion: barmancloud.cnpg.io/v1
-kind: ObjectStore
-metadata:
-  name: azure-store
-spec:
-  configuration:
-    destinationPath: "<destination path here>"
-    azureCredentials:
-      useDefaultAzureCredentials: true
-  [...]
-```
-
 ### Access Key, SAS Token, or Connection String
 
 Store credentials in a Kubernetes secret: