Skip to content

chore(deps): update docker/setup-qemu-action action to v3.7.0#2

Closed
renovate[bot] wants to merge 2 commits into
mainfrom
renovate/docker-setup-qemu-action-3.x
Closed

chore(deps): update docker/setup-qemu-action action to v3.7.0#2
renovate[bot] wants to merge 2 commits into
mainfrom
renovate/docker-setup-qemu-action-3.x

Conversation

@renovate

@renovate renovate Bot commented Nov 13, 2025

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
docker/setup-qemu-action action minor v3.3.0 -> v3.7.0

Release Notes

docker/setup-qemu-action (docker/setup-qemu-action)

v3.7.0

Compare Source

Full Changelog: docker/setup-qemu-action@v3.6.0...v3.7.0

v3.6.0

Compare Source

Full Changelog: docker/setup-qemu-action@v3.5.0...v3.6.0

v3.5.0

Compare Source

Full Changelog: docker/setup-qemu-action@v3.4.0...v3.5.0

v3.4.0

Compare Source

Full Changelog: docker/setup-qemu-action@v3.3.0...v3.4.0


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot enabled auto-merge (squash) November 13, 2025 15:51
renovate-approve[bot]
renovate-approve Bot previously approved these changes Nov 13, 2025
auto-merge was automatically disabled November 13, 2025 15:51

Pull request was closed

@renovate renovate Bot dismissed renovate-approve[bot]’s stale review November 13, 2025 15:51

The merge-base changed after approval.

@renovate

renovate Bot commented Nov 13, 2025

Copy link
Copy Markdown
Contributor Author

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (v3.7.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@renovate renovate Bot deleted the renovate/docker-setup-qemu-action-3.x branch November 13, 2025 15:52
peter-svensson added a commit that referenced this pull request May 7, 2026
Five fixes surfaced by smoke testing the secretBackend.kubernetes path
against Scaleway managed PostgreSQL:

1. config/manager/manager.yaml: drop --leader-elect arg
   The flag was no longer registered (LeaderElection is hardcoded true
   for safe multi-replica operation), so the binary aborted on the
   unknown flag at startup. Removing the arg matches the new behaviour.
   BREAKING for kustomize users overriding the arg list.

2. internal/controller/database_controller.go: backend-aware default
   for secretName. Kubernetes Secret names reject '/'; the rds/<eng>/<db>
   path-shape was AWS-SM-friendly only. Use rds-<eng>-<db> for the
   kubernetes backend, keep slashes for AWS / Infisical.

3. RBAC marker: secrets verbs now include create/update/patch/delete.
   The kubernetes backend needs to write/delete Secrets, not just read.
   Regenerated config/rbac/role.yaml via 'make manifests'.

4. database_controller.go recovery: when userExists && !secretExists
   (and not a region-change), rotate the password via CreateUser
   (idempotent ALTER USER WITH PASSWORD) and recreate the secret
   instead of aborting with 'cannot recover password'. Previously left
   CRs perma-stuck because the kubernetes backend's finalizer also
   failed on the '/'-in-name issue from #2.

5. internal/database/postgres.go: resolve CURRENT_USER to a literal
   role name before issuing GRANT. Some managed PG providers (Scaleway
   managed RDB confirmed) reject 'GRANT role TO CURRENT_USER' with
   XX000 'cannot use special role specifier'. The literal-name form
   succeeds on RDS and on Scaleway (idempotent — Scaleway's
   _rdb_superadmin trigger already grants membership at CREATE USER).
peter-svensson added a commit that referenced this pull request May 7, 2026
Five fixes surfaced by smoke testing the secretBackend.kubernetes path
against Scaleway managed PostgreSQL:

1. config/manager/manager.yaml: drop --leader-elect arg
   The flag was no longer registered (LeaderElection is hardcoded true
   for safe multi-replica operation), so the binary aborted on the
   unknown flag at startup. Removing the arg matches the new behaviour.
   BREAKING for kustomize users overriding the arg list.

2. internal/controller/database_controller.go: backend-aware default
   for secretName. Kubernetes Secret names reject '/'; the rds/<eng>/<db>
   path-shape was AWS-SM-friendly only. Use rds-<eng>-<db> for the
   kubernetes backend, keep slashes for AWS / Infisical.

3. RBAC marker: secrets verbs now include create/update/patch/delete.
   The kubernetes backend needs to write/delete Secrets, not just read.
   Regenerated config/rbac/role.yaml via 'make manifests'.

4. database_controller.go recovery: when userExists && !secretExists
   (and not a region-change), rotate the password via CreateUser
   (idempotent ALTER USER WITH PASSWORD) and recreate the secret
   instead of aborting with 'cannot recover password'. Previously left
   CRs perma-stuck because the kubernetes backend's finalizer also
   failed on the '/'-in-name issue from #2.

5. internal/database/postgres.go: resolve CURRENT_USER to a literal
   role name before issuing GRANT. Some managed PG providers (Scaleway
   managed RDB confirmed) reject 'GRANT role TO CURRENT_USER' with
   XX000 'cannot use special role specifier'. The literal-name form
   succeeds on RDS and on Scaleway (idempotent — Scaleway's
   _rdb_superadmin trigger already grants membership at CREATE USER).
peter-svensson added a commit that referenced this pull request May 7, 2026
Five fixes surfaced by smoke testing the secretBackend.kubernetes path
against Scaleway managed PostgreSQL:

1. config/manager/manager.yaml: drop --leader-elect arg
   The flag was no longer registered (LeaderElection is hardcoded true
   for safe multi-replica operation), so the binary aborted on the
   unknown flag at startup. Removing the arg matches the new behaviour.
   BREAKING for kustomize users overriding the arg list.

2. internal/controller/database_controller.go: backend-aware default
   for secretName. Kubernetes Secret names reject '/'; the rds/<eng>/<db>
   path-shape was AWS-SM-friendly only. Use rds-<eng>-<db> for the
   kubernetes backend, keep slashes for AWS / Infisical.

3. RBAC marker: secrets verbs now include create/update/patch/delete.
   The kubernetes backend needs to write/delete Secrets, not just read.
   Regenerated config/rbac/role.yaml via 'make manifests'.

4. database_controller.go recovery: when userExists && !secretExists
   (and not a region-change), rotate the password via CreateUser
   (idempotent ALTER USER WITH PASSWORD) and recreate the secret
   instead of aborting with 'cannot recover password'. Previously left
   CRs perma-stuck because the kubernetes backend's finalizer also
   failed on the '/'-in-name issue from #2.

5. internal/database/postgres.go: resolve CURRENT_USER to a literal
   role name before issuing GRANT. Some managed PG providers (Scaleway
   managed RDB confirmed) reject 'GRANT role TO CURRENT_USER' with
   XX000 'cannot use special role specifier'. The literal-name form
   succeeds on RDS and on Scaleway (idempotent — Scaleway's
   _rdb_superadmin trigger already grants membership at CREATE USER).
opzkit-auto-merge Bot pushed a commit that referenced this pull request May 7, 2026
)

* refactor(secrets): introduce Backend interface + factory

Adds a backend-agnostic Backend interface (Exists, Get, Create, Update,
Delete, Locator, SyncTags) and a NewBackend factory that picks an
implementation based on the Database CR spec. Existing
AWSSecretsManagerClient gains adapter methods so it satisfies Backend
without renaming any of its current public methods — call sites that
need AWS-specific behaviour (cross-region migration, source-side
GetSecretString) continue to work unchanged.

No behaviour change. Tests still pass.

This is the first of two refactor commits towards supporting additional
secret backends (Kubernetes Secret, Infisical Cloud).

* refactor(secrets): replace SecretARN+SecretRegion with SecretLocator

The two AWS-specific Database status fields are folded into a single
generic SecretLocator string. For the AWS backend the locator is the
ARN, which already carries the region; the cross-region migration
logic now derives the previously-used region from the stored ARN via
secrets.AWSRegionFromARN. Other backends (Kubernetes Secret, Infisical
— added in subsequent phases) will populate SecretLocator with their
own identifiers.

The "Region" printcolumn becomes "Locator" with priority=1 (hidden by
default in `kubectl get`, visible with -o wide).

Behaviour preserved:
- Cross-region migration still detects, fetches password from old
  region, creates in new region, deletes old after success.
- Tag-sync, idempotent reconciliation, restore-from-deletion
  unchanged.

This is the second commit of the Phase 1 refactor (Backend interface
extraction). Phase 2 adds the Kubernetes Secret backend; Phase 3 adds
Infisical Cloud.

* chore(crds): regenerate from controller-gen v0.19.0

Output of `make manifests && make helm-crds`. No semantic change beyond
the field rename done in the previous commit; this just refreshes the
CRD to the current controller-gen formatting (description reflow,
Condition struct doc, etc.) and populates config/crd/bases/ which was
empty.

* refactor!(api): nest backends under spec.secretBackend / spec.connectionString

BREAKING CHANGE — drops the v0.1.x flat-field shape:

  spec.connectionStringSecretRef       → spec.connectionString.kubernetes
  spec.connectionStringAWSSecretRef    → spec.connectionString.aws
  spec.awsSecretsManager               → spec.secretBackend.aws

The new spec.secretBackend.{aws,kubernetes,infisical} oneOf is the
seam for upcoming backends. Phase 2 fills in spec.secretBackend.kubernetes
(KubernetesSecretBackend already declared). Phase 3 fills in the
Infisical backend (InfisicalSecretBackend already declared with
ProjectSlug/EnvironmentSlug/AuthSecretRef etc).

Validation: the controller's existing oneOf checks for connectionString
remain; secrets.NewBackend returns ErrMultipleBackendsConfigured /
ErrNoBackendConfigured if zero or multiple secretBackend.* are set.

Sample manifests, CRDs, and unit tests updated. AWSSecretsManagerConfig,
SecretKeyReference, AWSSecretReference types removed.

Refs Phase 2 / Phase 3 / Phase 4 release work.

* feat(secrets): add Kubernetes Secret backend

internal/secrets/kubernetes.go implements the Backend interface against
controller-runtime's client.Client, storing the DatabaseSecret JSON
blob under a single 'credentials' key in a Kubernetes Secret. Shape
matches the AWS Secrets Manager backend so consumers can decode the
same JSON regardless of which backend is configured.

- Locator format: <namespace>/<name>
- Description lands in the database.opzkit.io/description annotation
  (Kubernetes Secrets have no native description field)
- Tags are mapped onto Secret labels (caller is responsible for
  ensuring values pass Kubernetes label validation)
- Delete is idempotent on missing secrets (matches AWS impl)
- Create overwrites an existing Secret to mirror AWS's
  restore-from-soft-deletion behaviour
- forceDelete is ignored — Kubernetes Secrets have no soft-delete

Wired into secrets.NewBackend via the new spec.secretBackend.kubernetes
case. The factory signature gains a client.Client parameter (used by
the K8s backend; ignored by AWS and Infisical).

Tests cover create/get/update/delete/exists/syncTags via
controller-runtime's fake client.

Also adds the requested AWSRegionFromARN unit test.

The controller still calls AWSSecretsManagerClient directly for now;
the next commit refactors it to use the Backend interface so
spec.secretBackend.kubernetes works end-to-end.

* refactor(controller): route destination secret ops through Backend

Replaces direct AWSSecretsManagerClient calls in the destination
secret create/update/delete/exists/get/sync-tags paths with the
generic secrets.Backend interface (constructed via secrets.NewBackend).
spec.secretBackend.kubernetes now works end-to-end against a
Kubernetes Secret in the cluster; spec.secretBackend.aws continues
to behave exactly as before (AWS adapter satisfies the interface).

AWS-specific paths kept direct:
- Cross-region migration in reconcileDatabase + secret reconciliation
  paths (oldRegionClient — only triggered when SecretBackend.AWS is set
  and the locator is an AWS ARN whose region differs from spec)
- Source-side reading from AWS Secrets Manager via
  getConnectionStringFromAWSSecret (the connectionString.aws path)

Removed dead helpers tagsEqual / getTagsToRemove / getTagsToAdd —
each backend implements SyncTags internally. Their unit tests went
with them.

Status field rename: secretARN local var → secretLocator throughout
the create/update flow, populated from backend.Locator() / backend
return values.

Build green, full test suite passes.

* feat(secrets): add Infisical Cloud backend

internal/secrets/infisical.go implements the Backend interface against
Infisical (Cloud or self-hosted) via Universal Auth. The DatabaseSecret
JSON blob is stored as a single Infisical secret value, matching the
shape used by AWS Secrets Manager and the Kubernetes backend.

- Authentication: Universal Auth (clientId + clientSecret) read from a
  Kubernetes Secret in the same namespace as the Database, referenced
  by spec.secretBackend.infisical.authSecretRef.
- Locator format: infisical://<projectID>/<env><path>/<key>
- Secret-key sanitisation: slashes in the supplied name (default
  rds/<engine>/<db>) are replaced with underscores so the result is a
  valid Infisical secret key.
- Restore-on-create: if the secret already exists, Create overwrites
  it via Update — same semantics as AWS / Kubernetes.
- SyncTags is a no-op: Infisical tags are first-class entities with
  their own UUIDs; mapping AWS-style key/value tags onto them is out
  of scope.
- Versioning: Infisical's V3 secrets API doesn't expose per-secret
  version IDs, so Create/Update return an empty version string.

Wired into secrets.NewBackend via the spec.secretBackend.infisical
case. Factory reads the auth Secret using the K8s client.

CRD: spec.secretBackend.infisical now exposes ProjectID (UUID) and
Environment (slug) instead of the previously declared ProjectSlug /
EnvironmentSlug — the Infisical V3 API requires the UUID for
create/update/delete, slug only works on retrieve.

Tests use an in-memory fake implementing the InfisicalSecretClient
interface, covering create/get/update/delete/exists/sync-tags +
key sanitisation and login-error propagation.

Adds dependency github.com/infisical/go-sdk v0.7.1 (and its transitive
google.golang.org/api / OpenTelemetry / grpc deps — substantial; see
v0.2.0 release notes).

Sample manifest under config/samples/.

Closes Phase 3 of the multi-backend refactor.

* fix(controller): address PR #135 smoke-test blockers

Five fixes surfaced by smoke testing the secretBackend.kubernetes path
against Scaleway managed PostgreSQL:

1. config/manager/manager.yaml: drop --leader-elect arg
   The flag was no longer registered (LeaderElection is hardcoded true
   for safe multi-replica operation), so the binary aborted on the
   unknown flag at startup. Removing the arg matches the new behaviour.
   BREAKING for kustomize users overriding the arg list.

2. internal/controller/database_controller.go: backend-aware default
   for secretName. Kubernetes Secret names reject '/'; the rds/<eng>/<db>
   path-shape was AWS-SM-friendly only. Use rds-<eng>-<db> for the
   kubernetes backend, keep slashes for AWS / Infisical.

3. RBAC marker: secrets verbs now include create/update/patch/delete.
   The kubernetes backend needs to write/delete Secrets, not just read.
   Regenerated config/rbac/role.yaml via 'make manifests'.

4. database_controller.go recovery: when userExists && !secretExists
   (and not a region-change), rotate the password via CreateUser
   (idempotent ALTER USER WITH PASSWORD) and recreate the secret
   instead of aborting with 'cannot recover password'. Previously left
   CRs perma-stuck because the kubernetes backend's finalizer also
   failed on the '/'-in-name issue from #2.

5. internal/database/postgres.go: resolve CURRENT_USER to a literal
   role name before issuing GRANT. Some managed PG providers (Scaleway
   managed RDB confirmed) reject 'GRANT role TO CURRENT_USER' with
   XX000 'cannot use special role specifier'. The literal-name form
   succeeds on RDS and on Scaleway (idempotent — Scaleway's
   _rdb_superadmin trigger already grants membership at CREATE USER).

* docs: update CRD examples and prose for new spec.connectionString/secretBackend

Mass rename across README and docs:
  spec.connectionStringSecretRef    -> spec.connectionString.kubernetes
  spec.connectionStringAWSSecretRef -> spec.connectionString.aws
  spec.awsSecretsManager            -> spec.secretBackend.aws

Also refreshed TROUBLESHOOTING.md prose to reflect that AWS permissions
are now optional (depend on the chosen backend, not always required) and
removed the stale --leader-elect example since the flag is no longer
registered.

* fix(database): grant admin role WITH INHERIT, SET for PG 16+

PG 16 changed GRANT defaults to NOINHERIT, NOSET, NOADMIN.
CREATE/ALTER DATABASE ... OWNER now requires the executor to
hold SET privilege on the owner role, not just bare membership.

Aurora/RDS paper over this via an event trigger on CREATE ROLE
that grants WITH INHERIT, SET, ADMIN OPTION. Scaleway managed
RDB and self-hosted PG 16+ do not, so the operator failed with
'must be able to SET ROLE' (42501) on those providers.

Add WITH INHERIT TRUE, SET TRUE to the admin-grant statement.
PG <16 honours INHERIT and ignores the SET column cleanly.

* docs: document supported database versions

PostgreSQL 14+ (tested on 15/16/17), MySQL 8.0+, MariaDB 10.6+.
Also clarify AWS credentials are only required when the AWS
backends (secretBackend.aws or connectionString.aws) are used.

* test(integration): update CRs to new spec.connectionString/secretBackend shape

Old ConnectionStringSecretRef + bare SecretName fields removed in
158fda5. Integration tests still referenced them and failed to
build. Replace with spec.connectionString.kubernetes (admin DSN
source) and spec.secretBackend.aws (generated-credential dest)
across all 12 createDatabase call sites.

* test(integration): assert recovery (not error) when secret missing

Old test expected phase=Error with message about cannot recover password.
New behaviour (introduced with the smoke-test blocker fix in e619043):
controller rotates the password via ALTER USER and recreates the secret.

Updated test now waits for Ready phase and verifies the secret reappears
in AWS Secrets Manager with the same username and a non-empty password.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant