Barman Cloud CNPG-I backup plugin
Go to file
Armando Ruocco a6ddc7828e fix: rework managed RBAC reconciliation
Adds the safety and robustness improvements identified during
review of the recommended-labels feature, all on the managed
Role and RoleBinding paths.

Labels: per-key overwrite. Keys the plugin manages overwrite
existing values; unrelated keys (anything outside the desired
set) are left alone. The plugin owns these objects exclusively
— OwnerReference points to the Cluster CR, the Pre hook
reconciles them on every call, and there is no realistic path
for an external manager (Helm, Kustomize, ArgoCD, …) to ever
touch these per-Cluster runtime-generated objects, so per-key
overwrite is the correct policy and version labels follow
plugin upgrades naturally.

Subjects: additive. The plugin guarantees its own ServiceAccount
Subject is bound, but never removes Subjects added by other
actors. A Subject is a grant of access; silently revoking
access an admin granted (e.g. a debugging ServiceAccount) is
the wrong default. This is intentionally asymmetric to the
label policy.

RoleRef: immutable in Kubernetes; a Patch cannot fix it.
Divergence at the canonical name is corruption regardless of
who wrote the existing object — fail loudly so the operator
notices and deletes the RoleBinding, and the next Pre call
recreates it correctly.

AlreadyExists tolerance: EnsureRoleBinding called c.Create
directly when Get returned NotFound and propagated whatever
Create returned. That's noisy on plugin pod startup: the
controller-runtime client is cache-backed by default, and during
the warm-up window the informer cache can return NotFound for a
RoleBinding that is actually present on the API server. The
follow-up Create then hits AlreadyExists and the whole Pre hook
returned an error to the cnpg-i framework. Mirror the pattern
used by ensureRoleExists: split the exists-or-create concern
into getOrCreateRoleBinding, swallow AlreadyExists, and re-Get
to return the racing winner so the caller can fall through to
reconcile.

Optimistic locking on patches: patchRole already wrapped its
Get+Patch in retry.RetryOnConflict, but used client.MergeFrom
which doesn't include resourceVersion — so the API server never
returns 409 and the retry never fires. Switch both Patch sites
to client.MergeFromWithOptions(WithOptimisticLock{}) so the
retry actually does what its caller assumes it does.
EnsureRoleBinding gets the same retry wrapper for parity.

Single-Get steady state: the previous structure did one Get to
check existence and a second Get inside the retry loop, even
when the object was already present and matched desired.
reconcileRoleBinding now receives the existing object as input
and uses it on the first attempt, only Get-ing again on actual
conflict-driven retries.

Helpers: extract mergeLabels (per-key overwrite), mergeSubjects
(additive append), containsSubject (semantic deep-equal), and
keep labelsNeedUpdate / roleBindingNeedsUpdate as no-Patch
short-circuits whose result mirrors the merge helpers exactly.

Tests: cover fresh creation, steady-state no-op (via Patch
interceptor counter, more reliable than the previous
ResourceVersion comparison which depended on fake-client RV
semantics that aren't part of the controller-runtime contract),
unrelated-label preservation, stale-label refresh, additive
subjects with user-added entries, AlreadyExists race during
pod startup (deterministic via interceptor), divergent
RoleRef error path, and the upgrade scenario for objects that
predate the recommended-labels feature.

Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com>
2026-04-29 10:54:54 +02:00
.github/workflows chore(deps): update actions/upload-pages-artifact action to v5 (#851) 2026-04-17 17:20:40 +02:00
api/v1 feat(ip): assign copyright to the Linux Foundation (#571) 2025-10-07 18:06:06 +02:00
cmd/manager feat(ip): assign copyright to the Linux Foundation (#571) 2025-10-07 18:06:06 +02:00
config fix: add lz4 compression support for base backups (#868) 2026-04-21 19:23:45 +02:00
containers chore(deps): refresh pip-compile outputs (#873) 2026-04-27 10:49:58 +02:00
dagger chore: update dagger dependencies (#859) 2026-04-17 14:53:22 +02:00
hack docs(apidoc): filter Optional markers from validation column (#723) 2026-02-04 13:46:51 +01:00
internal fix: rework managed RBAC reconciliation 2026-04-29 10:54:54 +02:00
kubernetes test(e2e): use correct image name in kustomize overlay (#841) 2026-04-11 13:31:31 +02:00
logo Initial commit 2024-09-24 14:52:25 +02:00
scripts feat(ip): assign copyright to the Linux Foundation (#571) 2025-10-07 18:06:06 +02:00
test/e2e fix(rbac): reconcile Role when ObjectStore spec changes (#823) 2026-04-13 15:48:35 +02:00
web chore(deps): lock file maintenance (#872) 2026-04-27 09:59:58 +02:00
.dockerignore chore: scaffold (#2) 2024-09-26 11:52:56 +02:00
.gitignore ci: add e2e kustomization.yaml to .gitignore (#112) 2024-12-16 11:04:39 +01:00
.golangci.yml chore(deps): update golangci/golangci-lint docker tag to v2.2.1 (#430) 2025-07-01 17:34:08 +02:00
.release-please-manifest.json chore(main): release 0.12.0 (#756) 2026-04-14 09:31:41 +02:00
.spellcheck.yaml chore: limit the spellchecking to a fixed list of directories (#294) 2025-05-05 10:21:18 +02:00
.wordlist.txt fix: add lz4 compression support for base backups (#868) 2026-04-21 19:23:45 +02:00
CHANGELOG.md chore(main): release 0.12.0 (#756) 2026-04-14 09:31:41 +02:00
CODE_OF_CONDUCT.md Initial commit 2024-09-24 14:52:25 +02:00
CODEOWNERS Initial commit 2024-09-24 14:52:25 +02:00
commitlint.config.js ci: warn on long commit body line (#12) 2024-09-27 10:07:47 +02:00
CONTRIBUTING.md docs: add CONTRIBUTING.md file 2026-03-02 17:03:09 +11:00
go.mod fix(deps): update all non-major go dependencies (#877) 2026-04-29 10:53:19 +02:00
go.sum fix(deps): update all non-major go dependencies (#877) 2026-04-29 10:53:19 +02:00
GOVERNANCE.md Initial commit 2024-09-24 14:52:25 +02:00
LICENSE Initial commit 2024-09-24 14:52:25 +02:00
Makefile fix: add cluster/finalizers update permission (#465) 2025-08-14 22:55:25 +02:00
manifest.yaml fix: add lz4 compression support for base backups (#868) 2026-04-21 19:23:45 +02:00
PROJECT chore: scaffold (#2) 2024-09-26 11:52:56 +02:00
README.md docs: release procedure (#373) 2025-05-29 17:52:44 +02:00
release-please-config.json ci: update version in metadata (#229) 2025-03-25 17:21:56 +01:00
RELEASE-PROCEDURE.md docs: release procedure (#373) 2025-05-29 17:52:44 +02:00
renovate.json5 fix: resolve WAL archiving performance and memory issues (#746) 2026-01-29 16:43:55 +01:00
Taskfile.yml chore(deps): update all cloudnative-pg daggerverse dependencies to f84ac0c (#875) 2026-04-27 12:05:00 +02:00

CloudNativePG

Barman Cloud CNPG-I plugin for CloudNativePG

The documentation for the Barman Cloud Plugin for CloudNativePG is available at https://cloudnative-pg.io/plugin-barman-cloud.


The Barman Cloud CNPG-I plugin is a component of the CloudNativePG project and adheres to the same community-driven governance model under the CNCF.

CNCF logo


CloudNativePG was originally built and sponsored by EDB.

EDB logo


Postgres, PostgreSQL, and the Slonik Logo are trademarks or registered trademarks of the PostgreSQL Community Association of Canada, and used with their permission.