feat: support multiple AWS key types

dougkirkley · Agalin · commit 27540db9cd43 · 2025-10-25T16:15:14.000+02:00
Signed-off-by: Douglass Kirkley &lt;doug.kirkley@gmail.com&gt;
diff --git a/config/crd/bases/pgbackrest.cnpg.opera.com_archives.yaml b/config/crd/bases/pgbackrest.cnpg.opera.com_archives.yaml
@@ -254,6 +254,11 @@ spec:
                               - key
                               - name
                               type: object
+                            keyType:
+                              default: shared
+                              description: KeyType specifies the type of key used
+                                for S3 credentials
+                              type: string
                             region:
                               description: |-
                                 The reference to the secret containing the region name.
diff --git a/internal/pgbackrest/api/config.go b/internal/pgbackrest/api/config.go
@@ -59,13 +59,30 @@ const (
 	CompressionTypeZstd = CompressionType("zst")
 )
 
+// KeyType is the type of key used for S3 credentials
+type KeyType string
+
+const (
+	// KeyTypeShared Shared keys
+	KeyTypeShared = KeyType("shared")
+	// KeyTypeAuto Automatically retrieve temporary credentials
+	KeyTypeAuto = KeyType("auto")
+	// KeyTypeWebID Automatically retrieve web identity credentials
+	KeyTypeWebID = KeyType("web-id")
+)
+
 // S3Credentials is the type for the credentials to be used to upload
 // files to S3. It can be provided in two alternative ways:
 //
 // - explicitly passing accessKeyId and secretAccessKey
 //
 // - inheriting the role from the pod environment by setting inheritFromIAMRole to true
 type S3Credentials struct {
+	// KeyType specifies the type of key used for S3 credentials
+	// +optional
+	// +kubebuilder:default:=shared
+	KeyType KeyType `json:"keyType,omitempty"`
+
 	// The reference to the access key ID
 	// +optional
 	AccessKeyIDReference *machineryapi.SecretKeySelector `json:"accessKeyId,omitempty"`
diff --git a/internal/pgbackrest/credentials/credentials.go b/internal/pgbackrest/credentials/credentials.go
@@ -138,37 +138,42 @@ func envSetAWSCredentials(
 		return nil, fmt.Errorf("missing S3 credentials")
 	}
 
-	// Get access key ID
-	if s3credentials.AccessKeyIDReference == nil {
-		return nil, fmt.Errorf("missing access key ID")
-	}
-	accessKeyID, accessKeyErr := extractValueFromSecret(
-		ctx,
-		client,
-		s3credentials.AccessKeyIDReference,
-		namespace,
-	)
-	if accessKeyErr != nil {
-		return nil, accessKeyErr
-	}
+	// only check for AWS credential secrets if the key type is shared
+	if s3credentials.KeyType == pgbackrestApi.KeyTypeShared {
+		// Get access key ID
+		if s3credentials.AccessKeyIDReference == nil {
+			return nil, fmt.Errorf("missing access key ID")
+		}
+		accessKeyID, accessKeyErr := extractValueFromSecret(
+			ctx,
+			client,
+			s3credentials.AccessKeyIDReference,
+			namespace,
+		)
+		if accessKeyErr != nil {
+			return nil, accessKeyErr
+		}
 
-	// Get secret access key
-	if s3credentials.SecretAccessKeyReference == nil {
-		return nil, fmt.Errorf("missing secret access key")
-	}
-	secretAccessKey, secretAccessErr := extractValueFromSecret(
-		ctx,
-		client,
-		s3credentials.SecretAccessKeyReference,
-		namespace,
-	)
-	if secretAccessErr != nil {
-		return nil, secretAccessErr
+		// Get secret access key
+		if s3credentials.SecretAccessKeyReference == nil {
+			return nil, fmt.Errorf("missing secret access key")
+		}
+		secretAccessKey, secretAccessErr := extractValueFromSecret(
+			ctx,
+			client,
+			s3credentials.SecretAccessKeyReference,
+			namespace,
+		)
+		if secretAccessErr != nil {
+			return nil, secretAccessErr
+		}
+
+		env = append(env, utils.FormatRepoEnv(repoIndex, "S3_KEY", string(accessKeyID)))
+		env = append(env, utils.FormatRepoEnv(repoIndex, "S3_KEY_SECRET", string(secretAccessKey)))
 	}
 
+	env = append(env, utils.FormatRepoEnv(repoIndex, "S3_KEY_TYPE", string(s3credentials.KeyType)))
 	env = append(env, utils.FormatRepoEnv(repoIndex, "S3_REGION", s3credentials.Region))
-	env = append(env, utils.FormatRepoEnv(repoIndex, "S3_KEY", string(accessKeyID)))
-	env = append(env, utils.FormatRepoEnv(repoIndex, "S3_KEY_SECRET", string(secretAccessKey)))
 
 	return env, nil
 }
diff --git a/manifest.yaml b/manifest.yaml
@@ -253,6 +253,11 @@ spec:
                               - key
                               - name
                               type: object
+                            keyType:
+                              default: shared
+                              description: KeyType specifies the type of key used
+                                for S3 credentials
+                              type: string
                             region:
                               description: |-
                                 The reference to the secret containing the region name.
