diff --git a/dev-infrastructure/modules/postgres/postgres-access.bicep b/dev-infrastructure/modules/postgres/postgres-access.bicep
index 617bff66d..90fa5d0ac 100644
--- a/dev-infrastructure/modules/postgres/postgres-access.bicep
+++ b/dev-infrastructure/modules/postgres/postgres-access.bicep
@@ -34,10 +34,16 @@ var sqlScriptLines = [
 ';'
 'SECURITY LABEL for "pgaadauth" on role "${newUserName}" is \'aadauth,oid=${newUserPrincipalId},type=service\';'
 'GRANT ALL PRIVILEGES ON DATABASE ${databaseName} TO "${newUserName}";'
- 'GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO "${newUserName}";'
+ 'GRANT ALL ON SCHEMA public TO "${newUserName}";'
+ 'GRANT USAGE ON SCHEMA public TO "${newUserName}";'
+ 'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "${newUserName}";'
+ '\\c ${databaseName};'
+ 'GRANT ALL ON SCHEMA public TO "${newUserName}";'
+ 'GRANT USAGE ON SCHEMA public TO "${newUserName}";'
+ 'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "${newUserName}";'
 ]
 
-module csManagedIdentityDatabaseAccess 'postgres-sql.bicep' = {
+module managedIdentityDatabaseAccess 'postgres-sql.bicep' = {
 name: '${deployment().name}-db-access'
 params: {
 postgresServerName: postgres.properties.fullyQualifiedDomainName
diff --git a/maestro/server/Makefile b/maestro/server/Makefile
index 13ea98c2f..4e0263ebf 100644
--- a/maestro/server/Makefile
+++ b/maestro/server/Makefile
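Review bot: The three GRANT statements added before `'\\c ${databaseName};'` run against whatever database the session opened in rather than `${databaseName}`, so they are either redundant with the three repeated after the `\c` or widen privileges in a database the script was not meant to touch; keeping only the post-`\c` copies avoids that. `GRANT ALL ON SCHEMA public` already includes USAGE, so the following `GRANT USAGE` line is a no-op, and replacing the previous `SELECT, INSERT, UPDATE, DELETE` grant with `ALL PRIVILEGES` plus CREATE on the schema gives the service identity more than DML — if the service only needs DML, the narrower list should be restored. `ON ALL TABLES IN SCHEMA public` also covers only tables that exist at grant time, so tables created later by another role need `ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO "${newUserName}";` (or the wider set, if that is the intent). Whether `\c` works at all depends on postgres-sql.bicep feeding these lines to psql, and on psql accepting the trailing `;` on a meta-command — neither is visible here; the sqlScriptLines array opens before the hunk and the module declaration continues past it.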
@@ -10,6 +10,7 @@ deploy:
 EVENTGRID_HOSTNAME=$(shell az resource show -n ${EVENTGRID_NAME} -g ${REGION_RG} --resource-type "Microsoft.EventGrid/namespaces" --query properties.topicSpacesConfiguration.hostname -o tsv) && \
 TENANT_ID=$(shell az account show --query tenantId --output tsv) && \
 MAESTRO_MI_CLIENT_ID=$(shell az identity show -g "${SVC_RG}" -n maestro-server --query clientId -o tsv) && \
+ DATABASE_HOST=$(shell az postgres flexible-server show -g ${SVC_RG} -n ${DATABASE_NAME} --query fullyQualifiedDomainName -o tsv) && \
 helm upgrade --install maestro-server ./helm \
 --namespace maestro \
 --set broker.host=$${EVENTGRID_HOSTNAME} \
@@ -21,5 +22,7 @@ deploy:
 --set image.base=${IMAGE_BASE} \
 --set image.tag=${IMAGE_TAG} \
 --set database.containerizedDb=${USE_CONTAINERIZED_DB} \
- --set database.ssl='${USE_DATABASE_SSL}'
+ --set database.ssl='${USE_DATABASE_SSL}' \
+ $(if $(filter false,$(USE_CONTAINERIZED_DB)),--set database.host=$${DATABASE_HOST}) \
+ --set database.authMethod='${DATABASE_AUTH_METHOD}'
 .PHONY: deploy
diff --git a/maestro/server/config.tmpl.mk b/maestro/server/config.tmpl.mk
index fb67afeac..eb316373f 100644
--- a/maestro/server/config.tmpl.mk
+++ b/maestro/server/config.tmpl.mk
@@ -5,7 +5,9 @@ SVC_RG ?= {{ .svc.rg }}
 IMAGE_BASE ?= {{ .maestro.imageBase }}
 IMAGE_TAG ?= {{ .maestro.imageTag }}
 USE_CONTAINERIZED_DB ?= {{ not .maestro.postgres.deploy }}
-USE_DATABASE_SSL ?= {{ ternary "enable" "disable" .maestro.postgres.deploy }}
+USE_DATABASE_SSL ?= {{ ternary "require" "disable" .maestro.postgres.deploy }}
+DATABASE_NAME ?= {{ .maestro.postgres.name }}
+DATABASE_AUTH_METHOD ?= {{ ternary "az-entra" "password" .maestro.postgres.deploy }}
 ISTIO_RESTRICT_INGRESS ?= {{ .maestro.restrictIstioIngress }}
 KEYVAULT_NAME ?= {{ .serviceKeyVault.name }}
 MQTT_CLIENT_NAME ?= {{ .maestro.serverMqttClientName }}
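Review bot: The new `DATABASE_HOST=$(shell az postgres flexible-server show ...)` line is expanded by Make before the recipe runs, so the `az` lookup executes even when `USE_CONTAINERIZED_DB` is true, and a failed lookup is not caught by the `&&` chain — `$(shell)` simply yields an empty string, and in the second hunk `--set database.host=$${DATABASE_HOST}` would then hand helm an empty host whenever `USE_CONTAINERIZED_DB` is `false`. Running the lookup in the recipe's shell instead, `DATABASE_HOST=$$(az postgres flexible-server show -g "${SVC_RG}" -n "${DATABASE_NAME}" --query fullyQualifiedDomainName -o tsv) && \`, makes a failed lookup abort the deploy, and quoting `${SVC_RG}` matches the `MAESTRO_MI_CLIENT_ID` line above it. The `$(filter false,$(USE_CONTAINERIZED_DB))` guard in the second hunk matches only the literal `false`; that holds for the Go-template boolean rendered by config.tmpl.mk, but a manual `USE_CONTAINERIZED_DB=0` or `False` on the command line would silently skip setting the host. The deploy recipe starts before this hunk.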
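Review bot: `USE_DATABASE_SSL ?= {{ ternary "require" "disable" .maestro.postgres.deploy }}` turns encryption on for the deployed server, but libpq's `require` does not verify the server certificate or hostname, so the session is still exposed to an on-path impersonator; `verify-full` is the mode that checks both. Whether `verify-full` is usable here depends on the Azure root CA being reachable by the maestro binary (the Helm template passes the value straight through as `--db-sslmode`), which this diff does not show, so it may need the CA path supplied alongside. The accepted values of `DATABASE_AUTH_METHOD` are otherwise undocumented in this file; a comment on the new assignment, e.g. `# value for maestro --db-auth-method: az-entra when the Azure server is deployed, password for the containerized dev DB`, would record the pairing that the ternary encodes.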
diff --git a/maestro/server/helm/templates/maestro.deployment.yaml b/maestro/server/helm/templates/maestro.deployment.yaml
index 3ee367a24..730548c4f 100644
--- a/maestro/server/helm/templates/maestro.deployment.yaml
+++ b/maestro/server/helm/templates/maestro.deployment.yaml
@@ -19,6 +19,7 @@ spec:
 metadata:
 labels:
 app: maestro
+ azure.workload.identity/use: "true"
 annotations:
 checksum/credsstore: {{ include (print $.Template.BasePath "/maestro.secretproviderclass.yaml") . | sha256sum }}
 checksum/config: {{ include (print $.Template.BasePath "/maestro.secret.yaml") . | sha256sum }}
@@ -56,6 +57,7 @@ spec:
 - --db-sslmode={{ .Values.database.ssl }}
 - --alsologtostderr
 - -v={{ .Values.maestro.glog_v }}
+ - --db-auth-method={{ .Values.database.authMethod }}
 containers:
 - name: service
 image: "{{ .Values.image.base }}:{{ .Values.image.tag }}"
@@ -110,6 +112,7 @@ spec:
 - --label-metrics-inclusion-duration={{ .Values.maestro.labelMetricsInclusionDuration }}
 - --alsologtostderr
 - -v={{ .Values.maestro.glog_v }}
+ - --db-auth-method={{ .Values.database.authMethod }}
 resources:
 requests:
 cpu: {{ .Values.deployment.requests.cpu }}
diff --git a/maestro/server/helm/values.yaml b/maestro/server/helm/values.yaml
index c23d15478..95cd06fda 100644
--- a/maestro/server/helm/values.yaml
+++ b/maestro/server/helm/values.yaml
@@ -16,11 +16,12 @@ database:
 host: "maestro-db"
 port: 5432
 name: "maestro"
-user: "maestro"
+ user: "maestro-server"
 password: "TheBlurstOfTimes"
 ssl: "require"
 maxOpenConnections: 50
 debug: false
+ authMethod: "password"
 maestro:
 serviceAccount: maestro
 httpReadTimeout: 60s
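Review bot: The added pod-template label `azure.workload.identity/use: "true"` only produces a usable token if the cluster runs the workload-identity webhook and the pod's service account carries the `azure.workload.identity/client-id` annotation; neither is in this diff, so confirm the service account for `.Values.maestro.serviceAccount` is annotated, otherwise the `az-entra` auth method selected in config.tmpl.mk has nothing to authenticate with. The label is unconditional, so the password/containerized configuration also opts into token projection it never uses; gating it with `{{- if eq .Values.database.authMethod "az-entra" }}` keeps that path minimal. The `--db-auth-method` argument added in the `@@ -56` and `@@ -110` hunks passes `.Values.database.authMethod` through unvalidated, so a typo falls through to whatever the binary does with an unknown value; a template guard such as `{{- if not (has .Values.database.authMethod (list "password" "az-entra")) }}{{ fail "database.authMethod must be password or az-entra" }}{{- end }}` would fail the release early instead.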
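Review bot: The new `authMethod: "password"` default sits next to the committed plaintext `password: "TheBlurstOfTimes"` and the renamed `user: "maestro-server"` with nothing in the file saying which environment each applies to; a comment above the block, e.g. `# password auth and the static credential are for the containerized dev DB only; config.tmpl.mk selects az-entra for the Azure server`, would stop a reader from treating the static credential as a production setting. The rename to `maestro-server` presumably has to match the role created by postgres-access.bicep (`newUserName`, set outside this diff) and the `az identity show -n maestro-server` lookup in the Makefile, since Entra authentication keys on that name; a one-line comment noting the coupling would make the dependency explicit.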