# v0.10.0-beta.6
Pre-release
## Added
- Secret-store credential provider (`auth_method: secret_store`, #93, #97). Fetch a static database password from a cloud secret store using the collector's ambient cloud identity and apply it as the connection password - keeping the credential out of Signals' config and off disk while leaving rotation to the vault. The backend is inferred from the shape of `secret_ref`: an AWS Secrets Manager ARN, an Azure Key Vault secret URI, or a GCP Secret Manager resource name; a reference matching none is a hard startup error naming the three accepted forms. The AWS Secrets Manager path is production-grade (region taken authoritatively from the ARN, never `AWS_REGION` / the SDK default chain / IMDS). Azure Key Vault and GCP Secret Manager are now production-wired as well (#108): each `secret_ref` is routed to exactly its inferred backend's SDK - Azure via the `DefaultAzureCredential` chain + `azsecrets.GetSecret`, GCP via Application Default Credentials + `AccessSecretVersion` - and no other backend's SDK is ever invoked (INV005). A backend the collector's ambient identity cannot reach is a connect-time, target-scoped failure that does not stop collection for other targets.

  An optional `secret_json_key` extracts a named key from a JSON secret (raw value otherwise); extraction failures never echo the raw secret. The fetched secret is cached per target with a reuse bound of `min(vault TTL, max_cache_ttl)` - with neither set it is re-fetched on every reconnect so a rotated secret is picked up without a restart. Validation enforces the passwordless and `verify-full` TLS floors at startup; the secret is never stored, exported, or logged (metadata only). Reuses the shared credential-provider scaffolding from #94. Live behaviour covered by an env-gated smoke (`ARQ_SIGNALS_INTEGRATION_LIVE=1`).
- GCP Cloud SQL IAM credential provider (`auth_method: gcp_cloudsql_iam`, #93, #96). Connect passwordlessly to Cloud SQL for PostgreSQL using Cloud SQL IAM database authentication: a short-lived Google OAuth2 access token acquired from the collector's ambient Google identity (Application Default Credentials - environment / GKE workload identity / service-account key / `gcloud auth application-default login`). The token (scope fixed at `https://www.googleapis.com/auth/sqlservice.login`) is the connection password over a direct libpq `verify-full` channel - the token-as-password seam, not the Cloud SQL Go Connector; no secret is stored in Signals' config. Tokens are cached per target and re-acquired ~5 minutes before their ~60 minute expiry, never shared across targets, and never logged or exported (metadata only). Validation enforces the passwordless and `verify-full` TLS floors at startup; an optional `gcp_impersonate_service_account` lets the ambient identity impersonate a per-target service account, and an undiscoverable identity or denied impersonation is a connect-time, target-scoped failure that does not stop collection for other targets. The Google SDK is linked only on the `gcp_cloudsql_iam` path - password targets require no Google credentials. Reuses the shared credential-provider scaffolding from #94. Live behaviour covered by an env-gated smoke (`ARQ_SIGNALS_INTEGRATION_LIVE=1`).
- Azure Entra ID credential provider (`auth_method: azure_entra`, #93, #95). Connect passwordlessly to Azure Database for PostgreSQL - Flexible Server using a short-lived Microsoft Entra ID access token acquired from the collector's ambient Azure identity (the `DefaultAzureCredential` chain: environment / AKS workload identity / managed identity / Azure CLI). The token (scope fixed at `https://ossrdbms-aad.database.windows.net/.default`) is the connection password; no secret is stored in Signals' config. Tokens are cached per target and re-acquired ~5 minutes before their ~60-90 minute expiry, never shared across targets, and never logged or exported (metadata only). Validation enforces the passwordless and `verify-full` TLS floors at startup; a user-assigned managed identity is disambiguated by the optional `azure_client_id` (then `AZURE_CLIENT_ID`), and an undiscoverable or ambiguous identity is a connect-time, target-scoped failure that does not stop collection for other targets. The Azure SDK is linked only on the `azure_entra` path - password targets require no Azure credentials. Reuses the shared credential-provider scaffolding from #94. Live behaviour covered by an env-gated smoke (`ARQ_SIGNALS_INTEGRATION_LIVE=1`).
- AWS RDS/Aurora IAM credential provider (`auth_method: aws_rds_iam`, #93, #94). Connect passwordlessly to Amazon RDS / Aurora PostgreSQL using a short-lived RDS IAM auth token minted from the collector's ambient AWS identity (SDK default credential chain: env / shared config / EC2 instance profile / ECS task role / EKS IRSA / Pod Identity). The token is the connection password; no secret is stored in Signals' config. Tokens are cached per target and re-minted ~3 minutes before their 15-minute expiry, never shared across targets, and never logged or exported (metadata only). Validation enforces the passwordless and `verify-full` TLS floors at startup; a missing region is a startup warning resolved from `AWS_REGION` / `AWS_DEFAULT_REGION` / instance metadata (IMDS) at connect time. The AWS SDK is linked only on the `aws_rds_iam` path - password targets require no AWS credentials. Introduces the shared credential-provider scaffolding (`auth_method` dispatch, per-target token cache, `BeforeConnect` wiring) that sibling providers reuse. Live behaviour covered by an env-gated smoke (`ARQ_SIGNALS_INTEGRATION_LIVE=1`).
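
How the secret-store provider's routing and extraction rules can be implemented, as an added Go example that is not the project's own code: `InferBackend` picks exactly one backend from the shape of `secret_ref` (the three reference patterns are simplified assumptions of mine) and takes the AWS region from the ARN itself, and `ExtractPassword` applies `secret_json_key` with error messages that never echo the secret.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Assumed reference shapes (illustrative patterns, not the project's own):
// AWS   arn:aws:secretsmanager:<region>:<account-id>:secret:<name>
// Azure https://<vault>.vault.<cloud-suffix>/secrets/<name>[/<version>]
// GCP   projects/<project>/secrets/<secret>/versions/<version>
var (
	awsARN   = regexp.MustCompile(`^arn:aws[a-z-]*:secretsmanager:([a-z0-9-]+):\d{12}:secret:.+$`)
	azureURI = regexp.MustCompile(`^https://[a-z0-9-]+\.vault\.[a-z.]+/secrets/[^/]+(/[^/]+)?$`)
	gcpName  = regexp.MustCompile(`^projects/[^/]+/secrets/[^/]+/versions/[^/]+$`)
)

// Route is the one backend a secret_ref resolves to. Region is set only for
// AWS and is taken from the ARN itself, never from AWS_REGION or IMDS.
type Route struct{ Backend, Region string }

// InferBackend routes a secret_ref to exactly one backend; a reference
// matching none of the three forms is a hard error that names all three.
func InferBackend(ref string) (Route, error) {
	if m := awsARN.FindStringSubmatch(ref); m != nil {
		return Route{Backend: "aws_secrets_manager", Region: m[1]}, nil
	}
	if azureURI.MatchString(ref) {
		return Route{Backend: "azure_key_vault"}, nil
	}
	if gcpName.MatchString(ref) {
		return Route{Backend: "gcp_secret_manager"}, nil
	}
	return Route{}, fmt.Errorf("secret_ref %q is not an AWS Secrets Manager ARN, an Azure Key Vault secret URI, or a GCP Secret Manager resource name", ref)
}

// ExtractPassword applies secret_json_key: an empty key means the raw value is
// the password; otherwise the named key is read from a JSON object. Errors
// describe the failure but never include the raw secret material.
func ExtractPassword(raw []byte, jsonKey string) (string, error) {
	if jsonKey == "" {
		return string(raw), nil
	}
	var obj map[string]any
	if err := json.Unmarshal(raw, &obj); err != nil {
		return "", fmt.Errorf("secret is not a JSON object; cannot apply secret_json_key")
	}
	pw, ok := obj[jsonKey].(string) // an absent key (nil) and a non-string both fail here
	if !ok {
		return "", fmt.Errorf("secret_json_key %q absent or not a string (%d keys present)", jsonKey, len(obj))
	}
	return pw, nil
}
```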
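
The per-target token cache and refresh-before-expiry behaviour that the three IAM providers share, as an added Go sketch rather than the project's scaffolding from #94: `Mint` stands in for the SDK call that acquires a token, and the clock is injectable so the refresh window can be exercised offline. It has no locking, so it is a single-goroutine illustration only.

```go
package main

import (
	"fmt"
	"time"
)

// Mint acquires a fresh short-lived token for one target from the collector's
// ambient cloud identity (assumed hook: the real providers call the AWS, Azure
// or Google SDK here) and reports when that token expires.
type Mint func(target string) (token string, expiry time.Time, err error)

type entry struct {
	token  string
	expiry time.Time
}

// TokenCache holds one entry per target and re-acquires a token refreshBefore
// ahead of its expiry (3 min of a 15-min RDS token, ~5 min of a ~60-min Entra
// or Google token) so a reconnect never starts on a token about to lapse.
type TokenCache struct {
	mint          Mint
	refreshBefore time.Duration
	now           func() time.Time // injectable clock; time.Now in production
	entries       map[string]entry
}

func NewTokenCache(mint Mint, refreshBefore time.Duration, now func() time.Time) *TokenCache {
	return &TokenCache{mint: mint, refreshBefore: refreshBefore, now: now, entries: map[string]entry{}}
}

// Password returns the connection password for target: the cached token while
// it is still outside the refresh window, otherwise a newly minted one. A mint
// failure is target-scoped: it returns an error and leaves other entries alone.
func (c *TokenCache) Password(target string) (string, error) {
	if e, ok := c.entries[target]; ok && c.now().Before(e.expiry.Add(-c.refreshBefore)) {
		return e.token, nil
	}
	tok, exp, err := c.mint(target)
	if err != nil {
		return "", fmt.Errorf("target %s: acquire token: %w", target, err)
	}
	c.entries[target] = entry{token: tok, expiry: exp}
	return tok, nil
}

// Metadata is all that is safe to log or export: expiry and cache state, never the token.
func (c *TokenCache) Metadata(target string) (expiry time.Time, cached bool) {
	e, ok := c.entries[target]
	return e.expiry, ok
}
```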
## Changed
- Public binaries renamed to `signals` (daemon) and `signalsctl` (CLI) (#125). The open-source collector now ships under its own unbranded names so it can stand on its own, independent of the commercial Elevarq products. The container image moves to `ghcr.io/elevarq/signals` (Docker Hub mirror `elevarq/signals`), the Helm chart is renamed to `signals`, and the demo/quickstart surface (Dockerfiles, compose files, Helm install commands, Prometheus/Grafana examples, cloud deploy templates, and user-facing help text) now uses the new names throughout. The old names `arq-signals` and `arqctl` are retained as deprecation aliases: invoking either prints a one-line stderr warning and otherwise behaves identically. The aliases are removed one release after launch (tracked in #62). The Go module path (`github.com/elevarq/arq-signals`), the GitHub repository URL, the `ARQ_SIGNALS_*` environment variables, and the PostgreSQL `application_name = 'arq-signals'` collector identity are intentionally unchanged in this phase (config and integration interfaces, not binary branding).
- Release signature verification is forward-compatible with the repo rename (#131). The `cosign verify` `--certificate-identity-regexp` in the README, `SECURITY.md`, the release notes, and the release workflow now matches both the current `Elevarq/Arq-Signals` and the future `Elevarq/signals` workflow identity, so signature verification keeps working across the planned GitHub repository rename (#62) without a flag-day change.
## Supply chain
- Images (same manifest digest in both registries):
  - GHCR: `ghcr.io/elevarq/signals:0.10.0-beta.6`
  - Docker Hub: `elevarq/signals:0.10.0-beta.6` (when configured)
- Digest: `sha256:ced51c346669960f90a4cc0d5b0564cd2e8aafa00f51629cad9883f9d228aa4b`
- Architectures: `linux/amd64`, `linux/arm64`
- Cosign-signed in both registries (keyless, GitHub OIDC)
- SBOM attached as OCI attestation and as `sbom.spdx.json` release asset
- SLSA build provenance attestation (`mode=max`)

Quick signature verification (GHCR):

```sh
cosign verify ghcr.io/elevarq/signals:0.10.0-beta.6 \
  --certificate-identity-regexp='github.com/Elevarq/(Arq-Signals|signals)/.github/workflows/release.yml@' \
  --certificate-oidc-issuer='https://token.actions.githubusercontent.com'
```

The same command works against `elevarq/signals:0.10.0-beta.6` — the certificate identity is bound to the workflow, not the registry.

Full verification checklist (manifest, SBOM, provenance, Trivy): `docs/release-verification.md`