feat(auth): add support for DefaultAzureCredential

GabriFedi97 · GabriFedi97 · commit 02915f417ec5 · 2025-11-14T16:16:54.000+01:00
Signed-off-by: Gabriele Fedi &lt;gabriele.fedi@enterprisedb.com&gt;
diff --git a/internal/cnpgi/common/common.go b/internal/cnpgi/common/common.go
@@ -20,13 +20,17 @@ SPDX-License-Identifier: Apache-2.0
 package common
 
 import (
+	"context"
 	"fmt"
 	"path"
 	"strings"
 
 	barmanapi "github.com/cloudnative-pg/barman-cloud/pkg/api"
+	"github.com/cloudnative-pg/barman-cloud/pkg/command"
 
+	barmancloudv1 "github.com/cloudnative-pg/plugin-barman-cloud/api/v1"
 	"github.com/cloudnative-pg/plugin-barman-cloud/internal/cnpgi/metadata"
+	pluginmetadata "github.com/cloudnative-pg/plugin-barman-cloud/pkg/metadata"
 )
 
 // TODO: refactor.
@@ -97,3 +101,14 @@ func MergeEnv(env []string, incomingEnv []string) []string {
 func BuildCertificateFilePath(objectStoreName string) string {
 	return path.Join(metadata.BarmanCertificatesPath, objectStoreName, metadata.BarmanCertificatesFileName)
 }
+
+// ContextWithProviderOptions enriches the context with cloud service provider specific options
+// based on the ObjectStore resource
+func ContextWithProviderOptions(ctx context.Context, objectStore barmancloudv1.ObjectStore) context.Context {
+	if objectStore.GetAnnotations()[pluginmetadata.UseDefaultAzureCredentialsAnnotationName] ==
+		pluginmetadata.UseDefaultAzureCredentialsTrueValue {
+		return command.ContextWithDefaultAzureCredentials(ctx, true)
+	}
+
+	return ctx
+}
diff --git a/internal/cnpgi/common/wal.go b/internal/cnpgi/common/wal.go
@@ -127,6 +127,8 @@ func (w WALServiceImplementation) Archive(
 		return nil, err
 	}
 
+	ctx = ContextWithProviderOptions(ctx, objectStore)
+
 	envArchive, err := barmanCredentials.EnvSetCloudCredentialsAndCertificates(
 		ctx,
 		w.Client,
diff --git a/internal/cnpgi/instance/backup.go b/internal/cnpgi/instance/backup.go
@@ -87,6 +87,8 @@ func (b BackupServiceImplementation) Backup(
 		return nil, err
 	}
 
+	ctx = common.ContextWithProviderOptions(ctx, objectStore)
+
 	if err := fileutils.EnsureDirectoryExists(postgres.BackupTemporaryDirectory); err != nil {
 		contextLogger.Error(err, "Cannot create backup temporary directory", "err", err)
 		return nil, err
diff --git a/internal/cnpgi/instance/retention.go b/internal/cnpgi/instance/retention.go
@@ -93,6 +93,8 @@ func (c *CatalogMaintenanceRunnable) cycle(ctx context.Context) (time.Duration,
 		return 0, err
 	}
 
+	ctx = common.ContextWithProviderOptions(ctx, barmanObjectStore)
+
 	if err := c.maintenance(ctx, &cluster, &barmanObjectStore); err != nil {
 		return 0, err
 	}
diff --git a/internal/cnpgi/restore/restore.go b/internal/cnpgi/restore/restore.go
@@ -98,7 +98,9 @@ func (impl JobHookImpl) Restore(
 	}
 
 	var recoveryObjectStore barmancloudv1.ObjectStore
-	if err := impl.Client.Get(ctx, configuration.GetRecoveryBarmanObjectKey(), &recoveryObjectStore); err != nil {
+	if err := impl.Client.Get(ctx,
+		configuration.GetRecoveryBarmanObjectKey(),
+		&recoveryObjectStore); err != nil {
 		return nil, err
 	}
 
@@ -109,7 +111,7 @@ func (impl JobHookImpl) Restore(
 		}
 
 		if err := impl.checkBackupDestination(
-			ctx,
+			common.ContextWithProviderOptions(ctx, targetObjectStore),
 			configuration.Cluster,
 			&targetObjectStore.Spec.Configuration,
 			targetObjectStore.Name,
@@ -118,6 +120,8 @@ func (impl JobHookImpl) Restore(
 		}
 	}
 
+	ctx = common.ContextWithProviderOptions(ctx, recoveryObjectStore)
+
 	// Detect the backup to recover
 	backup, env, err := loadBackupObjectFromExternalCluster(
 		ctx,
diff --git a/pkg/metadata/doc.go b/pkg/metadata/doc.go
@@ -0,0 +1,2 @@
+// Package metadata provides metadata utilities for the Barman Cloud plugin
+package metadata
diff --git a/pkg/metadata/labels_annotations.go b/pkg/metadata/labels_annotations.go
@@ -0,0 +1,15 @@
+package metadata
+
+// MetadataNamespace is the namespace used for the Barman Cloud plugin metadata
+const MetadataNamespace = "barmancloud.cnpg.io"
+
+const (
+	// UseDefaultAzureCredentialsAnnotationName is an annotation that can be set
+	// on an ObjectStore resource to enable the use DefaultAzureCredentials
+	// to authenticate to Azure. This is meant to be used with inheritFromAzureAD enabled.
+	UseDefaultAzureCredentialsAnnotationName = MetadataNamespace + "/useDefaultAzureCredentials"
+
+	// UseDefaultAzureCredentialsTrueValue is the value for the annotation
+	// barmancloud.cnpg.io/useDefaultAzureCredentials to enable the use of DefaultAzureCredentials
+	UseDefaultAzureCredentialsTrueValue = "true"
+)

Original file line number	Diff line number	Diff line change
`@@ -127,6 +127,8 @@ func (w WALServiceImplementation) Archive(`
`127`	`127`	`return nil, err`
`128`	`128`	`}`
`129`	`129`
	`130`	`+ ctx = ContextWithProviderOptions(ctx, objectStore)`
	`131`	`+`
`130`	`132`	`envArchive, err := barmanCredentials.EnvSetCloudCredentialsAndCertificates(`
`131`	`133`	`ctx,`
`132`	`134`	`w.Client,`
Original file line number	Diff line number	Diff line change
`@@ -87,6 +87,8 @@ func (b BackupServiceImplementation) Backup(`
`87`	`87`	`return nil, err`
`88`	`88`	`}`
`89`	`89`
	`90`	`+ ctx = common.ContextWithProviderOptions(ctx, objectStore)`
	`91`	`+`
`90`	`92`	`if err := fileutils.EnsureDirectoryExists(postgres.BackupTemporaryDirectory); err != nil {`
`91`	`93`	`contextLogger.Error(err, "Cannot create backup temporary directory", "err", err)`
`92`	`94`	`return nil, err`
Original file line number	Diff line number	Diff line change
`@@ -93,6 +93,8 @@ func (c *CatalogMaintenanceRunnable) cycle(ctx context.Context) (time.Duration,`
`93`	`93`	`return 0, err`
`94`	`94`	`}`
`95`	`95`
	`96`	`+ ctx = common.ContextWithProviderOptions(ctx, barmanObjectStore)`
	`97`	`+`
`96`	`98`	`if err := c.maintenance(ctx, &cluster, &barmanObjectStore); err != nil {`
`97`	`99`	`return 0, err`
`98`	`100`	`}`
Original file line number	Diff line number	Diff line change
`@@ -98,7 +98,9 @@ func (impl JobHookImpl) Restore(`
`98`	`98`	`}`
`99`	`99`
`100`	`100`	`var recoveryObjectStore barmancloudv1.ObjectStore`
`101`		`- if err := impl.Client.Get(ctx, configuration.GetRecoveryBarmanObjectKey(), &recoveryObjectStore); err != nil {`
	`101`	`+ if err := impl.Client.Get(ctx,`
	`102`	`+ configuration.GetRecoveryBarmanObjectKey(),`
	`103`	`+ &recoveryObjectStore); err != nil {`
`102`	`104`	`return nil, err`
`103`	`105`	`}`
`104`	`106`
`@@ -109,7 +111,7 @@ func (impl JobHookImpl) Restore(`
`109`	`111`	`}`
`110`	`112`
`111`	`113`	`if err := impl.checkBackupDestination(`
`112`		`- ctx,`
	`114`	`+ common.ContextWithProviderOptions(ctx, targetObjectStore),`
`113`	`115`	`configuration.Cluster,`
`114`	`116`	`&targetObjectStore.Spec.Configuration,`
`115`	`117`	`targetObjectStore.Name,`
`@@ -118,6 +120,8 @@ func (impl JobHookImpl) Restore(`
`118`	`120`	`}`
`119`	`121`	`}`
`120`	`122`
	`123`	`+ ctx = common.ContextWithProviderOptions(ctx, recoveryObjectStore)`
	`124`	`+`
`121`	`125`	`// Detect the backup to recover`
`122`	`126`	`backup, env, err := loadBackupObjectFromExternalCluster(`
`123`	`127`	`ctx,`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+// Package metadata provides metadata utilities for the Barman Cloud plugin`
	`2`	`+package metadata`