maestro azure postgres entra auth (#900)

* leverage entra auth for postgres access * bump maestro to support entra auth * includes various maestro fixes mentioned in Bump maestro's image tag to bc2f131579c6ffc664c15f48c50a9936f1b4a7ce #970
Azure · Dec 12, 2024 · a885d85 · a885d85
1 parent 688107d
commit a885d85
Show file tree

Hide file tree

Showing 14 changed files with 56 additions and 38 deletions.
diff --git a/config/config.msft.yaml b/config/config.msft.yaml
@@ -130,7 +130,7 @@ clouds:
     # the following vars need approprivate overrides:
     defaults:
       maestro:
-        imageTag: ea066c250a002f0cc458711945165591bc9f6d3f
+        imageTag: bc2f131579c6ffc664c15f48c50a9936f1b4a7ce
       clusterService:
         imageTag: ecd15ad
         imageRepo: app-sre/uhc-clusters-service

diff --git a/config/config.yaml b/config/config.yaml
@@ -137,7 +137,7 @@ clouds:
       maestro:
         postgres:
           deploy: false
-        imageTag: ea066c250a002f0cc458711945165591bc9f6d3f
+        imageTag: bc2f131579c6ffc664c15f48c50a9936f1b4a7ce
       # Cluster Service
       clusterService:
         imageTag: 6157c57

diff --git a/config/public-cloud-cs-pr.json b/config/public-cloud-cs-pr.json
@@ -83,7 +83,7 @@
       "private": false
     },
     "imageBase": "quay.io/redhat-user-workloads/maestro-rhtap-tenant/maestro/maestro",
-    "imageTag": "ea066c250a002f0cc458711945165591bc9f6d3f",
+    "imageTag": "bc2f131579c6ffc664c15f48c50a9936f1b4a7ce",
     "postgres": {
       "deploy": false,
       "minTLSVersion": "TLSV1.2",

diff --git a/config/public-cloud-dev.json b/config/public-cloud-dev.json
@@ -83,7 +83,7 @@
       "private": false
     },
     "imageBase": "quay.io/redhat-user-workloads/maestro-rhtap-tenant/maestro/maestro",
-    "imageTag": "ea066c250a002f0cc458711945165591bc9f6d3f",
+    "imageTag": "bc2f131579c6ffc664c15f48c50a9936f1b4a7ce",
     "postgres": {
       "deploy": false,
       "minTLSVersion": "TLSV1.2",

diff --git a/config/public-cloud-msft-int.json b/config/public-cloud-msft-int.json
@@ -83,7 +83,7 @@
       "private": false
     },
     "imageBase": "quay.io/redhat-user-workloads/maestro-rhtap-tenant/maestro/maestro",
-    "imageTag": "ea066c250a002f0cc458711945165591bc9f6d3f",
+    "imageTag": "bc2f131579c6ffc664c15f48c50a9936f1b4a7ce",
     "postgres": {
       "deploy": false,
       "minTLSVersion": "TLSV1.2",

diff --git a/config/public-cloud-personal-dev.json b/config/public-cloud-personal-dev.json
@@ -83,7 +83,7 @@
       "private": false
     },
     "imageBase": "quay.io/redhat-user-workloads/maestro-rhtap-tenant/maestro/maestro",
-    "imageTag": "ea066c250a002f0cc458711945165591bc9f6d3f",
+    "imageTag": "bc2f131579c6ffc664c15f48c50a9936f1b4a7ce",
     "postgres": {
       "deploy": false,
       "minTLSVersion": "TLSV1.2",

diff --git a/dev-infrastructure/modules/postgres/postgres-access.bicep b/dev-infrastructure/modules/postgres/postgres-access.bicep
@@ -34,10 +34,16 @@ var sqlScriptLines = [
   ';'
   'SECURITY LABEL for "pgaadauth" on role "${newUserName}" is \'aadauth,oid=${newUserPrincipalId},type=service\';'
   'GRANT ALL PRIVILEGES ON DATABASE ${databaseName} TO "${newUserName}";'
-  'GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO "${newUserName}";'
+  'GRANT ALL ON SCHEMA public TO "${newUserName}";'
+  'GRANT USAGE ON SCHEMA public TO "${newUserName}";'
+  'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "${newUserName}";'
+  '\\c ${databaseName};'
+  'GRANT ALL ON SCHEMA public TO "${newUserName}";'
+  'GRANT USAGE ON SCHEMA public TO "${newUserName}";'
+  'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "${newUserName}";'
 ]
 
-module csManagedIdentityDatabaseAccess 'postgres-sql.bicep' = {
+module managedIdentityDatabaseAccess 'postgres-sql.bicep' = {
   name: '${deployment().name}-db-access'
   params: {
     postgresServerName: postgres.properties.fullyQualifiedDomainName

diff --git a/maestro/server/Makefile b/maestro/server/Makefile
@@ -1,17 +1,17 @@
-SHELL = /bin/bash
-DEPLOY_ENV ?= personal-dev
-$(shell ../../templatize.sh $(DEPLOY_ENV) config.tmpl.mk config.mk)
-include config.mk
+-include ../../setup-env.mk
 
 deploy:
-	kubectl create namespace maestro --dry-run=client -o json | kubectl apply -f -
-	ISTO_VERSION=$(shell az aks show -n ${AKS_NAME} -g ${SVC_RG} --query serviceMeshProfile.istio.revisions[-1] -o tsv) && \
-	kubectl label namespace maestro "istio.io/rev=$${ISTO_VERSION}" --overwrite=true
-	EVENTGRID_HOSTNAME=$(shell az resource show -n ${EVENTGRID_NAME} -g ${REGION_RG} --resource-type "Microsoft.EventGrid/namespaces" --query properties.topicSpacesConfiguration.hostname -o tsv) && \
+	@kubectl create namespace maestro --dry-run=client -o json | kubectl apply -f -
+	@ISTO_VERSION=$(shell az aks show -n ${AKS_NAME} -g ${SVC_RG} --query serviceMeshProfile.istio.revisions[-1] -o tsv) && \
+	kubectl label ${KUBECTL_DRY_RUN} namespace maestro "istio.io/rev=$${ISTO_VERSION}" --overwrite=true
+	@EVENTGRID_HOSTNAME=$(shell az resource show -n ${EVENTGRID_NAME} -g ${REGION_RG} --resource-type "Microsoft.EventGrid/namespaces" --query properties.topicSpacesConfiguration.hostname -o tsv) && \
 	TENANT_ID=$(shell az account show --query tenantId --output tsv) && \
 	MAESTRO_MI_CLIENT_ID=$(shell az identity show -g "${SVC_RG}" -n maestro-server --query clientId -o tsv) && \
-	helm upgrade --install maestro-server ./helm \
+	DATABASE_HOST=$$(if [ "${USE_AZURE_DB}" = "true" ]; then az postgres flexible-server show -g ${SVC_RG} -n ${DATABASE_NAME} --query fullyQualifiedDomainName -o tsv; else echo "maestro-db"; fi) && \
+	OVERRIDES=$$(if [ "${USE_AZURE_DB}" = "true" ]; then echo "azuredb.values.yaml"; else echo "containerdb.values.yaml"; fi) && \
+	helm upgrade --install --wait ${HELM_DRY_RUN} maestro-server ./helm \
 		--namespace maestro \
+		-f helm/$${OVERRIDES} \
 		--set broker.host=$${EVENTGRID_HOSTNAME} \
 		--set credsKeyVault.name=${KEYVAULT_NAME} \
 		--set credsKeyVault.secret=${MQTT_CLIENT_NAME} \
@@ -20,6 +20,5 @@ deploy:
 		--set istio.restrictIngress=${ISTIO_RESTRICT_INGRESS} \
 		--set image.base=${IMAGE_BASE} \
 		--set image.tag=${IMAGE_TAG} \
-		--set database.containerizedDb=${USE_CONTAINERIZED_DB} \
-		--set database.ssl='${USE_DATABASE_SSL}'
+		--set database.host=$${DATABASE_HOST}
 .PHONY: deploy
diff --git a/maestro/server/config.tmpl.mk b/maestro/server/config.tmpl.mk
diff --git a/maestro/server/helm/azuredb.values.yaml b/maestro/server/helm/azuredb.values.yaml
@@ -0,0 +1,4 @@
+database:
+  containerizedDb: false
+  ssl: require
+  authMethod: az-entra
diff --git a/maestro/server/helm/containerdb.values.yaml b/maestro/server/helm/containerdb.values.yaml
@@ -0,0 +1,7 @@
+database:
+  containerizedDb: true
+  ssl: disable
+  authMethod: password
+  password: "TheBlurstOfTimes"
+  containerizedDbImage: docker.io/library/postgres:14.2
+  containerizedDbPvcCapacity: 512Mi
diff --git a/maestro/server/helm/templates/maestro.deployment.yaml b/maestro/server/helm/templates/maestro.deployment.yaml
@@ -19,6 +19,7 @@ spec:
     metadata:
       labels:
         app: maestro
+        azure.workload.identity/use: "true"
       annotations:
         checksum/credsstore: {{ include (print $.Template.BasePath "/maestro.secretproviderclass.yaml") . | sha256sum }}
         checksum/config: {{ include (print $.Template.BasePath "/maestro.secret.yaml") . | sha256sum }}
@@ -56,6 +57,7 @@ spec:
         - --db-sslmode={{ .Values.database.ssl }}
         - --alsologtostderr
         - -v={{ .Values.maestro.glog_v }}
+        - --db-auth-method={{ .Values.database.authMethod }}
       containers:
       - name: service
         image: "{{ .Values.image.base }}:{{ .Values.image.tag }}"
@@ -110,6 +112,7 @@ spec:
         - --label-metrics-inclusion-duration={{ .Values.maestro.labelMetricsInclusionDuration }}
         - --alsologtostderr
         - -v={{ .Values.maestro.glog_v }}
+        - --db-auth-method={{ .Values.database.authMethod }}
         resources:
           requests:
             cpu: {{ .Values.deployment.requests.cpu }}

diff --git a/maestro/server/helm/values.yaml b/maestro/server/helm/values.yaml
@@ -11,16 +11,17 @@ broker:
   port: 8883
 database:
   containerizedDb: false
-  containerizedDbImage: docker.io/library/postgres:14.2
-  containerizedDbPvcCapacity: 512Mi
-  host: "maestro-db"
+  containerizedDbImage: ""
+  containerizedDbPvcCapacity: ""
+  host: ""
   port: 5432
   name: "maestro"
-  user: "maestro"
-  password: "TheBlurstOfTimes"
-  ssl: "require"
+  user: "maestro-server"
+  password: ""
+  ssl: ""
   maxOpenConnections: 50
   debug: false
+  authMethod: ""
 maestro:
   serviceAccount: maestro
   httpReadTimeout: 60s

diff --git a/maestro/server/pipeline.yaml b/maestro/server/pipeline.yaml
@@ -1,4 +1,5 @@
-serviceGroup: Microsoft.Azure.ARO.Test
+$schema: "pipeline.schema.v1"
+serviceGroup: Microsoft.Azure.ARO.HCP.Maestro.Server
 rolloutName: Maestro Server Rollout
 resourceGroups:
 - name: {{ .svc.rg }}
@@ -8,6 +9,12 @@ resourceGroups:
   - name: deploy
     action: Shell
     command: make deploy
+    dryRun:
+      variables:
+      - name: HELM_DRY_RUN
+        value: "--dry-run=server --debug"
+      - name: KUBECTL_DRY_RUN
+        value: "--dry-run=server"
     variables:
     - name: EVENTGRID_NAME
       configRef: maestro.eventGrid.name
@@ -22,7 +29,9 @@ resourceGroups:
     - name: IMAGE_TAG
       configRef: maestro.imageTag
     - name: USE_AZURE_DB
-      configRef: maestroPostgresDeploy
+      configRef: maestro.postgres.deploy
+    - name: DATABASE_NAME
+      configRef: maestro.postgres.name
     - name: ISTIO_RESTRICT_INGRESS
       configRef: maestro.restrictIstioIngress
     - name: KEYVAULT_NAME