

makefile and helm chart updates for maestro db auth method
Signed-off-by: Gerd Oberlechner <[email protected]>
geoberle committed Nov 27, 2024
1 parent 7194741 commit e454cd7
Showing 5 changed files with 20 additions and 5 deletions.
10 changes: 8 additions & 2 deletions dev-infrastructure/modules/postgres/postgres-access.bicep
Expand Up @@ -34,10 +34,16 @@ var sqlScriptLines = [
';'
'SECURITY LABEL for "pgaadauth" on role "${newUserName}" is \'aadauth,oid=${newUserPrincipalId},type=service\';'
'GRANT ALL PRIVILEGES ON DATABASE ${databaseName} TO "${newUserName}";'
'GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO "${newUserName}";'
'GRANT ALL ON SCHEMA public TO "${newUserName}";'
'GRANT USAGE ON SCHEMA public TO "${newUserName}";'
'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "${newUserName}";'
'\\c ${databaseName};'
'GRANT ALL ON SCHEMA public TO "${newUserName}";'
'GRANT USAGE ON SCHEMA public TO "${newUserName}";'
'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "${newUserName}";'
]

module csManagedIdentityDatabaseAccess 'postgres-sql.bicep' = {
module managedIdentityDatabaseAccess 'postgres-sql.bicep' = {
name: '${deployment().name}-db-access'
params: {
postgresServerName: postgres.properties.fullyQualifiedDomainName
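Review bot: The new `GRANT ALL ON SCHEMA public` and `GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public` lines hand the service identity CREATE on the schema and DROP, TRUNCATE, TRIGGER and REFERENCES on every table, where the `GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public` line this commit appears to drop granted only row access; if the maestro server only reads and writes rows, that narrower grant plus `GRANT USAGE ON SCHEMA public` is enough and the broad grants belong to whatever role runs migrations. `ALL TABLES` is also a snapshot of the tables that exist when this script runs and does not cover sequences, so a schema with serial or identity columns would hit `permission denied for sequence` on INSERT unless `GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO "${newUserName}";` (and `ALTER DEFAULT PRIVILEGES` for tables a different owner creates later) is added. The three grants placed before `\c ${databaseName};` run against whichever database psql is connected to at that point rather than the target database, so they are either redundant with the copies after the `\c` or grant on the wrong database; keeping only the copies after the `\c` avoids that. The `sqlScriptLines` array opens above this hunk.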
5 changes: 4 additions & 1 deletion maestro/server/Makefile
Expand Up @@ -10,6 +10,7 @@ deploy:
EVENTGRID_HOSTNAME=$(shell az resource show -n ${EVENTGRID_NAME} -g ${REGION_RG} --resource-type "Microsoft.EventGrid/namespaces" --query properties.topicSpacesConfiguration.hostname -o tsv) && \
TENANT_ID=$(shell az account show --query tenantId --output tsv) && \
MAESTRO_MI_CLIENT_ID=$(shell az identity show -g "${SVC_RG}" -n maestro-server --query clientId -o tsv) && \
DATABASE_HOST=$(shell az postgres flexible-server show -g ${SVC_RG} -n ${DATABASE_NAME} --query fullyQualifiedDomainName -o tsv) && \
helm upgrade --install maestro-server ./helm \
--namespace maestro \
--set broker.host=$${EVENTGRID_HOSTNAME} \
Expand All @@ -21,5 +22,7 @@ deploy:
--set image.base=${IMAGE_BASE} \
--set image.tag=${IMAGE_TAG} \
--set database.containerizedDb=${USE_CONTAINERIZED_DB} \
--set database.ssl='${USE_DATABASE_SSL}'
--set database.ssl='${USE_DATABASE_SSL}' \
$(if $(filter false,$(USE_CONTAINERIZED_DB)),--set database.host=$${DATABASE_HOST}) \
--set database.authMethod='${DATABASE_AUTH_METHOD}'
.PHONY: deploy
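Review bot: The `DATABASE_HOST=$(shell az postgres flexible-server show ...)` lookup on the new line runs on every `make deploy`, including the `USE_CONTAINERIZED_DB=true` case where the later `$(if $(filter false,...))` drops the `--set`, and because `$(shell)` discards the exit status a failed lookup silently yields an empty value that is then passed as `--set database.host=`. Guarding the lookup with the same condition and asserting the value keeps a broken `az` query from producing a deployment that points at an empty host, e.g. `$(if $(filter false,$(USE_CONTAINERIZED_DB)),DATABASE_HOST=$(shell az postgres flexible-server show -g "${SVC_RG}" -n "${DATABASE_NAME}" --query fullyQualifiedDomainName -o tsv) && test -n "$${DATABASE_HOST}" &&) \`. Quoting `-g "${SVC_RG}" -n "${DATABASE_NAME}"` would also match the `az identity show` line directly above it. The `deploy` recipe starts above the first hunk and its other lookups follow the same `$(shell …)` pattern, so the make-time evaluation itself is pre-existing style rather than something this commit introduces.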
4 changes: 3 additions & 1 deletion maestro/server/config.tmpl.mk
Expand Up @@ -5,7 +5,9 @@ SVC_RG ?= {{ .svc.rg }}
IMAGE_BASE ?= {{ .maestro.imageBase }}
IMAGE_TAG ?= {{ .maestro.imageTag }}
USE_CONTAINERIZED_DB ?= {{ not .maestro.postgres.deploy }}
USE_DATABASE_SSL ?= {{ ternary "enable" "disable" .maestro.postgres.deploy }}
USE_DATABASE_SSL ?= {{ ternary "require" "disable" .maestro.postgres.deploy }}
DATABASE_NAME ?= {{ .maestro.postgres.name }}
DATABASE_AUTH_METHOD ?= {{ ternary "az-entra" "password" .maestro.postgres.deploy }}
ISTIO_RESTRICT_INGRESS ?= {{ .maestro.restrictIstioIngress }}
KEYVAULT_NAME ?= {{ .serviceKeyVault.name }}
MQTT_CLIENT_NAME ?= {{ .maestro.serverMqttClientName }}
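Review bot: `require` on the `USE_DATABASE_SSL` line encrypts the connection but does not verify the server certificate, and with `DATABASE_AUTH_METHOD` resolving to `az-entra` the credential presented to Postgres is presumably a short-lived Entra access token, so a man-in-the-middle offering any certificate could capture a usable token rather than a static password. `verify-full` is the libpq mode that also checks the CA chain and hostname; whether it is usable here depends on maestro's `--db-sslmode` flag accepting a CA bundle (the Azure Flexible Server root CA), which this diff does not show. If that is not yet possible, a comment on the line recording the gap would help, e.g. `# require encrypts but skips server-cert verification; move to verify-full once maestro can load the Azure root CA`. `DATABASE_NAME` is also read from `.maestro.postgres.name` unconditionally, so with `postgres.deploy` false it may render empty; that is harmless only as long as nothing consumes it in that mode.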
3 changes: 3 additions & 0 deletions maestro/server/helm/templates/maestro.deployment.yaml
Expand Up @@ -19,6 +19,7 @@ spec:
metadata:
labels:
app: maestro
azure.workload.identity/use: "true"
annotations:
checksum/credsstore: {{ include (print $.Template.BasePath "/maestro.secretproviderclass.yaml") . | sha256sum }}
checksum/config: {{ include (print $.Template.BasePath "/maestro.secret.yaml") . | sha256sum }}
Expand Down Expand Up @@ -56,6 +57,7 @@ spec:
- --db-sslmode={{ .Values.database.ssl }}
- --alsologtostderr
- -v={{ .Values.maestro.glog_v }}
- --db-auth-method={{ .Values.database.authMethod }}
containers:
- name: service
image: "{{ .Values.image.base }}:{{ .Values.image.tag }}"
Expand Down Expand Up @@ -110,6 +112,7 @@ spec:
- --label-metrics-inclusion-duration={{ .Values.maestro.labelMetricsInclusionDuration }}
- --alsologtostderr
- -v={{ .Values.maestro.glog_v }}
- --db-auth-method={{ .Values.database.authMethod }}
resources:
requests:
cpu: {{ .Values.deployment.requests.cpu }}
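Review bot: The `azure.workload.identity/use: "true"` pod label is added unconditionally while `database.authMethod` defaults to `password`, so every deployment gets the workload-identity webhook's projected token volume and `AZURE_*` environment injected even when nothing consumes them; gating it on the auth method keeps the password path unchanged: `{{- if eq .Values.database.authMethod "az-entra" }}` / `azure.workload.identity/use: "true"` / `{{- end }}`. The label only does anything if the `maestro` ServiceAccount carries the `azure.workload.identity/client-id` annotation for the `maestro-server` identity whose client id the Makefile looks up; that annotation is not in this diff, so it is worth confirming it exists in the serviceaccount template. `--db-auth-method` is now passed both to the container defined ahead of the `containers:` list (presumably an init container) and to `service`, with no comment on accepted values; a one-line `# password | az-entra` next to `authMethod` in values.yaml would document the contract. The pod `spec` block these hunks sit in begins above the first hunk.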
3 changes: 2 additions & 1 deletion maestro/server/helm/values.yaml
Expand Up @@ -16,11 +16,12 @@ database:
host: "maestro-db"
port: 5432
name: "maestro"
user: "maestro"
user: "maestro-server"
password: "TheBlurstOfTimes"
ssl: "require"
maxOpenConnections: 50
debug: false
authMethod: "password"
maestro:
serviceAccount: maestro
httpReadTimeout: 60s
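Review bot: `authMethod: "password"` is introduced with no comment on the accepted values or on what each one implies for the neighbouring `user` and `password` keys, and the default pairs with the checked-in `password: "TheBlurstOfTimes"`, so a deployment that omits `--set database.authMethod` silently falls back to a known default password. A comment above the new key would make the contract explicit, e.g. `# "password": authenticate with database.user/database.password; "az-entra": obtain an Entra token via workload identity (database.password unused)`, though the accepted values can only be inferred here from the two strings `config.tmpl.mk` emits, so confirm them against the `--db-auth-method` flag. `user` changing to `maestro-server` presumably has to match the role name the Bicep access module creates for the managed identity; a note saying so would stop the two from drifting.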
