From 6ff111381d75c29d0c55893a1197cb8e732dbce4 Mon Sep 17 00:00:00 2001 From: Armando Ruocco Date: Tue, 16 Dec 2025 17:46:28 +0100 Subject: [PATCH 1/3] feat: Add support for DefaultAzureCredential authentication mechanism This commit adds support for the DefaultAzureCredential authentication mechanism in Azure Blob Storage. Users can now use the `useDefaultAzureCredentials` option to enable Azure's default credential chain, which automatically discovers and uses available credentials in the following order Signed-off-by: Armando Ruocco --- go.mod | 2 +- go.sum | 4 +- internal/cnpgi/operator/specs/secrets.go | 17 +- internal/cnpgi/operator/specs/secrets_test.go | 227 ++++++++++++++++++ internal/cnpgi/operator/specs/suite_test.go | 32 +++ web/docs/object_stores.md | 27 +++ 6 files changed, 299 insertions(+), 10 deletions(-) create mode 100644 internal/cnpgi/operator/specs/secrets_test.go create mode 100644 internal/cnpgi/operator/specs/suite_test.go diff --git a/go.mod b/go.mod index 4149bb58..951be323 100644 --- a/go.mod +++ b/go.mod @@ -7,7 +7,7 @@ toolchain go1.25.4 require ( github.com/cert-manager/cert-manager v1.19.1 github.com/cloudnative-pg/api v1.27.0 - github.com/cloudnative-pg/barman-cloud v0.3.4-0.20251203100017-1d476f125c5b + github.com/cloudnative-pg/barman-cloud v0.3.4-0.20251216161014-c61e31075c40 github.com/cloudnative-pg/cloudnative-pg v1.27.1 github.com/cloudnative-pg/cnpg-i v0.3.0 github.com/cloudnative-pg/cnpg-i-machinery v0.4.1 diff --git a/go.sum b/go.sum index 58fa2292..25a9b542 100644 --- a/go.sum +++ b/go.sum @@ -18,8 +18,8 @@ github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UF github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/cloudnative-pg/api v1.27.0 h1:uSUkF9X/0UZu1Xn5qI33qHVmzZrDKuuyoiRlsOmSTv4= github.com/cloudnative-pg/api v1.27.0/go.mod h1:IWyAmuirffHiw6iIGD1p18BmZNb13TK9Os/wkp8ltDg= -github.com/cloudnative-pg/barman-cloud v0.3.4-0.20251203100017-1d476f125c5b h1:7qpnZpOkmjhs0Prasu8laSaiEQ7eC2qW1xA39mQ/aEc= -github.com/cloudnative-pg/barman-cloud v0.3.4-0.20251203100017-1d476f125c5b/go.mod h1:F6JqmFpa3V0/8paxu372tvxH7F6NrfUbtul3zrsoy+k= +github.com/cloudnative-pg/barman-cloud v0.3.4-0.20251216161014-c61e31075c40 h1:EtYldJY2ddaNIicYvJBP4jK8OSOBQupTkrLAAUMWhEA= +github.com/cloudnative-pg/barman-cloud v0.3.4-0.20251216161014-c61e31075c40/go.mod h1:F6JqmFpa3V0/8paxu372tvxH7F6NrfUbtul3zrsoy+k= github.com/cloudnative-pg/cloudnative-pg v1.27.1 h1:w+bbtXyEPoaa7sZGXxbb8qJ+/bUGWQ3M48kbNUEpKlk= github.com/cloudnative-pg/cloudnative-pg v1.27.1/go.mod h1:XbwCAlCm5fr+/A+v+qvMp8DHzVtJr2m0Y/TpKALw+Bk= github.com/cloudnative-pg/cnpg-i v0.3.0 h1:5ayNOG5x68lU70IVbHDZQrv5p+bErCJ0mqRmOpW2jjE= diff --git a/internal/cnpgi/operator/specs/secrets.go b/internal/cnpgi/operator/specs/secrets.go index c1fd2684..e0aca1f7 100644 --- a/internal/cnpgi/operator/specs/secrets.go +++ b/internal/cnpgi/operator/specs/secrets.go @@ -37,13 +37,16 @@ func CollectSecretNamesFromCredentials(barmanCredentials *barmanapi.BarmanCreden ) } if barmanCredentials.Azure != nil { - references = append( - references, - barmanCredentials.Azure.ConnectionString, - barmanCredentials.Azure.StorageAccount, - barmanCredentials.Azure.StorageKey, - barmanCredentials.Azure.StorageSasToken, - ) + // When using default Azure credentials, no secrets are required + if !barmanCredentials.Azure.UseDefaultAzureCredentials { + references = append( + references, + barmanCredentials.Azure.ConnectionString, + barmanCredentials.Azure.StorageAccount, + barmanCredentials.Azure.StorageKey, + barmanCredentials.Azure.StorageSasToken, + ) + } } if barmanCredentials.Google != nil { references = append( diff --git a/internal/cnpgi/operator/specs/secrets_test.go b/internal/cnpgi/operator/specs/secrets_test.go new file mode 100644 index 00000000..d6fa706b --- /dev/null +++ b/internal/cnpgi/operator/specs/secrets_test.go @@ -0,0 +1,227 @@ +/* +Copyright © contributors to CloudNativePG, established as +CloudNativePG a Series of LF Projects, LLC. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + +SPDX-License-Identifier: Apache-2.0 +*/ + +package specs + +import ( + barmanapi "github.com/cloudnative-pg/barman-cloud/pkg/api" + machineryapi "github.com/cloudnative-pg/machinery/pkg/api" + + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" +) + +var _ = Describe("CollectSecretNamesFromCredentials", func() { + Context("when collecting secrets from AWS credentials", func() { + It("should return secret names from S3 credentials", func() { + credentials := &barmanapi.BarmanCredentials{ + AWS: &barmanapi.S3Credentials{ + AccessKeyIDReference: &machineryapi.SecretKeySelector{ + LocalObjectReference: machineryapi.LocalObjectReference{ + Name: "aws-secret", + }, + Key: "access-key-id", + }, + SecretAccessKeyReference: &machineryapi.SecretKeySelector{ + LocalObjectReference: machineryapi.LocalObjectReference{ + Name: "aws-secret", + }, + Key: "secret-access-key", + }, + }, + } + + secrets := CollectSecretNamesFromCredentials(credentials) + Expect(secrets).To(ContainElement("aws-secret")) + }) + + It("should handle nil AWS credentials", func() { + credentials := &barmanapi.BarmanCredentials{} + + secrets := CollectSecretNamesFromCredentials(credentials) + Expect(secrets).To(BeEmpty()) + }) + }) + + Context("when collecting secrets from Azure credentials", func() { + It("should return secret names when using explicit credentials", func() { + credentials := &barmanapi.BarmanCredentials{ + Azure: &barmanapi.AzureCredentials{ + ConnectionString: &machineryapi.SecretKeySelector{ + LocalObjectReference: machineryapi.LocalObjectReference{ + Name: "azure-secret", + }, + Key: "connection-string", + }, + }, + } + + secrets := CollectSecretNamesFromCredentials(credentials) + Expect(secrets).To(ContainElement("azure-secret")) + }) + + It("should return empty list when using UseDefaultAzureCredentials", func() { + credentials := &barmanapi.BarmanCredentials{ + Azure: &barmanapi.AzureCredentials{ + UseDefaultAzureCredentials: true, + ConnectionString: &machineryapi.SecretKeySelector{ + LocalObjectReference: machineryapi.LocalObjectReference{ + Name: "azure-secret", + }, + Key: "connection-string", + }, + }, + } + + secrets := CollectSecretNamesFromCredentials(credentials) + Expect(secrets).To(BeEmpty()) + }) + + It("should return empty list when using InheritFromAzureAD", func() { + credentials := &barmanapi.BarmanCredentials{ + Azure: &barmanapi.AzureCredentials{ + InheritFromAzureAD: true, + }, + } + + secrets := CollectSecretNamesFromCredentials(credentials) + Expect(secrets).To(BeEmpty()) + }) + + It("should return secret names for storage account and key", func() { + credentials := &barmanapi.BarmanCredentials{ + Azure: &barmanapi.AzureCredentials{ + StorageAccount: &machineryapi.SecretKeySelector{ + LocalObjectReference: machineryapi.LocalObjectReference{ + Name: "azure-storage", + }, + Key: "account-name", + }, + StorageKey: &machineryapi.SecretKeySelector{ + LocalObjectReference: machineryapi.LocalObjectReference{ + Name: "azure-storage", + }, + Key: "account-key", + }, + }, + } + + secrets := CollectSecretNamesFromCredentials(credentials) + Expect(secrets).To(ContainElement("azure-storage")) + }) + }) + + Context("when collecting secrets from Google credentials", func() { + It("should return secret names from Google credentials", func() { + credentials := &barmanapi.BarmanCredentials{ + Google: &barmanapi.GoogleCredentials{ + ApplicationCredentials: &machineryapi.SecretKeySelector{ + LocalObjectReference: machineryapi.LocalObjectReference{ + Name: "google-secret", + }, + Key: "credentials.json", + }, + }, + } + + secrets := CollectSecretNamesFromCredentials(credentials) + Expect(secrets).To(ContainElement("google-secret")) + }) + }) + + Context("when collecting secrets from multiple cloud providers", func() { + It("should return secret names from all providers", func() { + credentials := &barmanapi.BarmanCredentials{ + AWS: &barmanapi.S3Credentials{ + AccessKeyIDReference: &machineryapi.SecretKeySelector{ + LocalObjectReference: machineryapi.LocalObjectReference{ + Name: "aws-secret", + }, + Key: "access-key-id", + }, + }, + Azure: &barmanapi.AzureCredentials{ + ConnectionString: &machineryapi.SecretKeySelector{ + LocalObjectReference: machineryapi.LocalObjectReference{ + Name: "azure-secret", + }, + Key: "connection-string", + }, + }, + Google: &barmanapi.GoogleCredentials{ + ApplicationCredentials: &machineryapi.SecretKeySelector{ + LocalObjectReference: machineryapi.LocalObjectReference{ + Name: "google-secret", + }, + Key: "credentials.json", + }, + }, + } + + secrets := CollectSecretNamesFromCredentials(credentials) + Expect(secrets).To(ContainElements("aws-secret", "azure-secret", "google-secret")) + }) + + It("should skip Azure secrets when using UseDefaultAzureCredentials with other providers", func() { + credentials := &barmanapi.BarmanCredentials{ + AWS: &barmanapi.S3Credentials{ + AccessKeyIDReference: &machineryapi.SecretKeySelector{ + LocalObjectReference: machineryapi.LocalObjectReference{ + Name: "aws-secret", + }, + Key: "access-key-id", + }, + }, + Azure: &barmanapi.AzureCredentials{ + UseDefaultAzureCredentials: true, + ConnectionString: &machineryapi.SecretKeySelector{ + LocalObjectReference: machineryapi.LocalObjectReference{ + Name: "azure-secret", + }, + Key: "connection-string", + }, + }, + } + + secrets := CollectSecretNamesFromCredentials(credentials) + Expect(secrets).To(ContainElement("aws-secret")) + Expect(secrets).NotTo(ContainElement("azure-secret")) + }) + }) + + Context("when handling nil references", func() { + It("should skip nil secret references", func() { + credentials := &barmanapi.BarmanCredentials{ + AWS: &barmanapi.S3Credentials{ + AccessKeyIDReference: &machineryapi.SecretKeySelector{ + LocalObjectReference: machineryapi.LocalObjectReference{ + Name: "aws-secret", + }, + Key: "access-key-id", + }, + SecretAccessKeyReference: nil, + }, + } + + secrets := CollectSecretNamesFromCredentials(credentials) + Expect(secrets).To(ContainElement("aws-secret")) + Expect(len(secrets)).To(Equal(1)) + }) + }) +}) diff --git a/internal/cnpgi/operator/specs/suite_test.go b/internal/cnpgi/operator/specs/suite_test.go new file mode 100644 index 00000000..1dc0ae18 --- /dev/null +++ b/internal/cnpgi/operator/specs/suite_test.go @@ -0,0 +1,32 @@ +/* +Copyright © contributors to CloudNativePG, established as +CloudNativePG a Series of LF Projects, LLC. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. + +SPDX-License-Identifier: Apache-2.0 +*/ + +package specs + +import ( + "testing" + + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" +) + +func TestSpecs(t *testing.T) { + RegisterFailHandler(Fail) + RunSpecs(t, "Specs Suite") +} diff --git a/web/docs/object_stores.md b/web/docs/object_stores.md index f1714c93..4582530a 100644 --- a/web/docs/object_stores.md +++ b/web/docs/object_stores.md @@ -252,6 +252,33 @@ spec: [...] ``` +### Default Azure Credentials + +The `useDefaultAzureCredentials` option enables the default Azure credentials +flow, which uses [`DefaultAzureCredential`](https://learn.microsoft.com/en-us/python/api/azure-identity/azure.identity.defaultazurecredential) +to automatically discover and use available credentials in the following order: + +1. **Environment Variables** — `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, and `AZURE_TENANT_ID` for Service Principal authentication +2. **Managed Identity** — Uses the managed identity assigned to the pod +3. **Azure CLI** — Uses credentials from the Azure CLI if available +4. **Azure PowerShell** — Uses credentials from Azure PowerShell if available + +This is particularly useful when running on Azure Kubernetes Service (AKS) with +[Workload Identity](https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview): + +```yaml +apiVersion: barmancloud.cnpg.io/v1 +kind: ObjectStore +metadata: + name: azure-store +spec: + configuration: + destinationPath: "" + azureCredentials: + useDefaultAzureCredentials: true + [...] +``` + ### Access Key, SAS Token, or Connection String Store credentials in a Kubernetes secret: From be5cad11724704bf6329a4ea82ecee5f1be0718f Mon Sep 17 00:00:00 2001 From: Armando Ruocco Date: Mon, 22 Dec 2025 17:45:53 +0100 Subject: [PATCH 2/3] chore: dependency Signed-off-by: Armando Ruocco --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 951be323..b3ad31d5 100644 --- a/go.mod +++ b/go.mod @@ -7,7 +7,7 @@ toolchain go1.25.4 require ( github.com/cert-manager/cert-manager v1.19.1 github.com/cloudnative-pg/api v1.27.0 - github.com/cloudnative-pg/barman-cloud v0.3.4-0.20251216161014-c61e31075c40 + github.com/cloudnative-pg/barman-cloud v0.3.4-0.20251222164401-b0362dc07186 github.com/cloudnative-pg/cloudnative-pg v1.27.1 github.com/cloudnative-pg/cnpg-i v0.3.0 github.com/cloudnative-pg/cnpg-i-machinery v0.4.1 diff --git a/go.sum b/go.sum index 25a9b542..449e4a4e 100644 --- a/go.sum +++ b/go.sum @@ -18,8 +18,8 @@ github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UF github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/cloudnative-pg/api v1.27.0 h1:uSUkF9X/0UZu1Xn5qI33qHVmzZrDKuuyoiRlsOmSTv4= github.com/cloudnative-pg/api v1.27.0/go.mod h1:IWyAmuirffHiw6iIGD1p18BmZNb13TK9Os/wkp8ltDg= -github.com/cloudnative-pg/barman-cloud v0.3.4-0.20251216161014-c61e31075c40 h1:EtYldJY2ddaNIicYvJBP4jK8OSOBQupTkrLAAUMWhEA= -github.com/cloudnative-pg/barman-cloud v0.3.4-0.20251216161014-c61e31075c40/go.mod h1:F6JqmFpa3V0/8paxu372tvxH7F6NrfUbtul3zrsoy+k= +github.com/cloudnative-pg/barman-cloud v0.3.4-0.20251222164401-b0362dc07186 h1:RAioyfO0rNpURUXU0Gn5Lb7m7JzVq1/Y9qX0sy7bhts= +github.com/cloudnative-pg/barman-cloud v0.3.4-0.20251222164401-b0362dc07186/go.mod h1:F6JqmFpa3V0/8paxu372tvxH7F6NrfUbtul3zrsoy+k= github.com/cloudnative-pg/cloudnative-pg v1.27.1 h1:w+bbtXyEPoaa7sZGXxbb8qJ+/bUGWQ3M48kbNUEpKlk= github.com/cloudnative-pg/cloudnative-pg v1.27.1/go.mod h1:XbwCAlCm5fr+/A+v+qvMp8DHzVtJr2m0Y/TpKALw+Bk= github.com/cloudnative-pg/cnpg-i v0.3.0 h1:5ayNOG5x68lU70IVbHDZQrv5p+bErCJ0mqRmOpW2jjE= From 853ec3c57519bed9934b3582e62d92a7b7f22059 Mon Sep 17 00:00:00 2001 From: Armando Ruocco Date: Mon, 22 Dec 2025 17:59:32 +0100 Subject: [PATCH 3/3] fix: manifests Signed-off-by: Armando Ruocco --- config/crd/bases/barmancloud.cnpg.io_objectstores.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/config/crd/bases/barmancloud.cnpg.io_objectstores.yaml b/config/crd/bases/barmancloud.cnpg.io_objectstores.yaml index a141948e..6abbd752 100644 --- a/config/crd/bases/barmancloud.cnpg.io_objectstores.yaml +++ b/config/crd/bases/barmancloud.cnpg.io_objectstores.yaml @@ -108,6 +108,11 @@ spec: - key - name type: object + useDefaultAzureCredentials: + description: |- + Use the default Azure authentication flow, which includes DefaultAzureCredential. + This allows authentication using environment variables and managed identities. + type: boolean type: object data: description: |-