Feature: support backup.barmanObjectStore.s3Credentials.inheritFromIAMRole

charts/cluster/Chart.yaml

@@ -18,7 +18,7 @@ name: cluster
 description: Deploys and manages a CloudNativePG cluster and its associated resources.
 icon: https://raw.githubusercontent.com/cloudnative-pg/artwork/main/cloudnativepg-logo.svg
 type: application
-version: 0.1.3
+version: 0.2.0
 sources:
   - https://github.com/cloudnative-pg/charts
 keywords:

charts/cluster/README.md

@@ -1,6 +1,6 @@
 # cluster
 
-![Version: 0.1.3](https://img.shields.io/badge/Version-0.1.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 > **Warning**
 > ### This chart is under active development.
@@ -136,6 +136,7 @@ refer to  the [CloudNativePG Documentation](https://cloudnative-pg.io/documentat
 | backups.retentionPolicy | string | `"30d"` | Retention policy for backups |
 | backups.s3.accessKey | string | `""` |  |
 | backups.s3.bucket | string | `""` |  |
+| backups.s3.inheritFromIAMRole | bool | `false` | Use the role based authentication without providing explicitly the keys |
 | backups.s3.path | string | `"/"` |  |
 | backups.s3.region | string | `""` |  |
 | backups.s3.secretKey | string | `""` |  |
@@ -237,6 +238,7 @@ refer to  the [CloudNativePG Documentation](https://cloudnative-pg.io/documentat
 | recovery.provider | string | `"s3"` | One of `s3`, `azure` or `google` |
 | recovery.s3.accessKey | string | `""` |  |
 | recovery.s3.bucket | string | `""` |  |
+| recovery.s3.inheritFromIAMRole | bool | `false` | Use the role based authentication without providing explicitly the keys |
 | recovery.s3.path | string | `"/"` |  |
 | recovery.s3.region | string | `""` |  |
 | recovery.s3.secretKey | string | `""` |  |
@@ -279,3 +281,5 @@ TODO
 * IAM Role for S3 Service Account
 * Automatic provisioning of a Alert Manager configuration
 
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

charts/cluster/templates/_barman_object_store.tpl

@@ -23,12 +23,16 @@
   {{- end }}
   {{- $secretName := coalesce .scope.secret.name (printf "%s-%s-s3-creds" .chartFullname .secretPrefix) }}
   s3Credentials:
+  {{- if .scope.s3.inheritFromIAMRole }}
+    inheritFromIAMRole: true
+  {{- else }}
     accessKeyId:
       name: {{ $secretName }}
       key: ACCESS_KEY_ID
     secretAccessKey:
       name: {{ $secretName }}
       key: ACCESS_SECRET_KEY
+  {{- end }}
 {{- else if eq .scope.provider "azure" }}
   {{- if empty .scope.destinationPath }}
   destinationPath: "https://{{ required "You need to specify Azure storageAccount if destinationPath is not specified." .scope.azure.storageAccount }}.{{ .scope.azure.serviceName }}.core.windows.net/{{ .scope.azure.containerName }}{{ .scope.azure.path }}"

charts/cluster/templates/backup-s3-creds.yaml

@@ -1,4 +1,4 @@
-{{- if and .Values.backups.enabled (eq .Values.backups.provider "s3") .Values.backups.secret.create }}
+{{- if and .Values.backups.enabled (eq .Values.backups.provider "s3") (not .Values.backups.s3.inheritFromIAMRole) .Values.backups.secret.create }}
 apiVersion: v1
 kind: Secret
 metadata:

charts/cluster/values.yaml

@@ -72,6 +72,8 @@ recovery:
     path: "/"
     accessKey: ""
     secretKey: ""
+    # -- Use the role based authentication without providing explicitly the keys
+    inheritFromIAMRole: false
   azure:
     path: "/"
     connectionString: ""
@@ -326,6 +328,8 @@ backups:
     path: "/"
     accessKey: ""
     secretKey: ""
+    # -- Use the role based authentication without providing explicitly the keys
+    inheritFromIAMRole: false
   azure:
     path: "/"
     connectionString: ""