AKS template for maestro

the new template `service-template-aro-hcp.yml` is a first draft for deploying the maestro server on ARO-HCP. it leverages the pre-provisoned secrets that can be found on such a cluster, like the MQTT secret and CSI secret store configuration to transparently load client certificates from key vault. part of https://issues.redhat.com/browse/ARO-7234
openshift-online · May 16, 2024 · 1af07b1 · 1af07b1
1 parent 72419fb
commit 1af07b1
Show file tree

Hide file tree

Showing 2 changed files with 370 additions and 4 deletions.
diff --git a/templates/db-template.yml b/templates/db-template.yml
@@ -46,6 +46,11 @@ parameters:
     required: true
     value: "postgres:14.2"
 
+  - name: DB_SECRET_NAME
+    displayName: Database Secret Name
+    description: Name of the secret containing database connection information
+    value: "maestro-db"
+
 objects:
 
   - apiVersion: v1
@@ -102,17 +107,17 @@ objects:
                   valueFrom:
                     secretKeyRef:
                       key: database-user
-                      name: ${DATABASE_SERVICE_NAME}
+                      name: ${DATABASE_SERVICE_NAME}-creds
                 - name: POSTGRES_PASSWORD
                   valueFrom:
                     secretKeyRef:
                       key: database-password
-                      name: ${DATABASE_SERVICE_NAME}
+                      name: ${DATABASE_SERVICE_NAME}-creds
                 - name: POSTGRES_DB
                   valueFrom:
                     secretKeyRef:
                       key: database-name
-                      name: ${DATABASE_SERVICE_NAME}
+                      name: ${DATABASE_SERVICE_NAME}-creds
                 - name: PGDATA
                   value: /var/lib/pgsql/data/pgdata
               image: ${POSTGRES_IMAGE}
@@ -155,9 +160,19 @@ objects:
         template.openshift.io/expose-database_name: "{.data['database-name']}"
         template.openshift.io/expose-password: "{.data['database-password']}"
         template.openshift.io/expose-username: "{.data['database-user']}"
-      name: ${DATABASE_SERVICE_NAME}
+      name: ${DATABASE_SERVICE_NAME}-creds
     stringData:
       database-name: ${DATABASE_NAME}
       database-password: ${DATABASE_PASSWORD}
       database-user: ${DATABASE_USER}
 
+  - apiVersion: v1
+    kind: Secret
+    metadata:
+      name: ${DB_SECRET_NAME}
+    stringData:
+      db.host: ${DATABASE_SERVICE_NAME}
+      db.port: "5432"
+      db.name: ${DATABASE_NAME}
+      db.user: ${DATABASE_USER}
+      db.password: ${DATABASE_PASSWORD}