From 932a2c2466e03301220f201fded3101e56a5201d Mon Sep 17 00:00:00 2001 From: Gerd Oberlechner Date: Thu, 12 Dec 2024 11:57:48 +0100 Subject: [PATCH] maestro azure postgres entra auth (#900) * leverage entra auth for postgres access * bump maestro to support entra auth * includes various maestro fixes mentioned in Bump maestro's image tag to bc2f131579c6ffc664c15f48c50a9936f1b4a7ce #970 --- config/config.msft.yaml | 2 +- config/config.yaml | 2 +- config/public-cloud-cs-pr.json | 2 +- config/public-cloud-dev.json | 2 +- config/public-cloud-msft-int.json | 2 +- config/public-cloud-personal-dev.json | 2 +- .../modules/postgres/postgres-access.bicep | 10 +++++++-- maestro/server/Makefile | 21 +++++++++---------- maestro/server/config.tmpl.mk | 11 ---------- maestro/server/helm/azuredb.values.yaml | 4 ++++ maestro/server/helm/containerdb.values.yaml | 7 +++++++ .../helm/templates/maestro.deployment.yaml | 3 +++ maestro/server/helm/values.yaml | 13 ++++++------ maestro/server/pipeline.yaml | 13 ++++++++++-- 14 files changed, 56 insertions(+), 38 deletions(-) delete mode 100644 maestro/server/config.tmpl.mk create mode 100644 maestro/server/helm/azuredb.values.yaml create mode 100644 maestro/server/helm/containerdb.values.yaml diff --git a/config/config.msft.yaml b/config/config.msft.yaml index 8cf79ad8a..a3c23838c 100644 --- a/config/config.msft.yaml +++ b/config/config.msft.yaml @@ -130,7 +130,7 @@ clouds: # the following vars need approprivate overrides: defaults: maestro: - imageTag: ea066c250a002f0cc458711945165591bc9f6d3f + imageTag: bc2f131579c6ffc664c15f48c50a9936f1b4a7ce clusterService: imageTag: ecd15ad imageRepo: app-sre/uhc-clusters-service diff --git a/config/config.yaml b/config/config.yaml index b863b5298..e14823b10 100644 --- a/config/config.yaml +++ b/config/config.yaml 
@@ -137,7 +137,7 @@ clouds:
 maestro:
 postgres:
 deploy: false
- imageTag: ea066c250a002f0cc458711945165591bc9f6d3f
+ imageTag: bc2f131579c6ffc664c15f48c50a9936f1b4a7ce
 # Cluster Service
 clusterService:
 imageTag: 6157c57
diff --git a/config/public-cloud-cs-pr.json b/config/public-cloud-cs-pr.json
index 7d14330d3..d039086ff 100644
--- a/config/public-cloud-cs-pr.json
+++ b/config/public-cloud-cs-pr.json
@@ -83,7 +83,7 @@
 "private": false
 },
 "imageBase": "quay.io/redhat-user-workloads/maestro-rhtap-tenant/maestro/maestro",
- "imageTag": "ea066c250a002f0cc458711945165591bc9f6d3f",
+ "imageTag": "bc2f131579c6ffc664c15f48c50a9936f1b4a7ce",
 "postgres": {
 "deploy": false,
 "minTLSVersion": "TLSV1.2",
diff --git a/config/public-cloud-dev.json b/config/public-cloud-dev.json
index bb2b88a04..b4db4b6cf 100644
--- a/config/public-cloud-dev.json
+++ b/config/public-cloud-dev.json
@@ -83,7 +83,7 @@
 "private": false
 },
 "imageBase": "quay.io/redhat-user-workloads/maestro-rhtap-tenant/maestro/maestro",
- "imageTag": "ea066c250a002f0cc458711945165591bc9f6d3f",
+ "imageTag": "bc2f131579c6ffc664c15f48c50a9936f1b4a7ce",
 "postgres": {
 "deploy": false,
 "minTLSVersion": "TLSV1.2",
diff --git a/config/public-cloud-msft-int.json b/config/public-cloud-msft-int.json
index 3f88ec0c5..08bfb9c7a 100644
--- a/config/public-cloud-msft-int.json
+++ b/config/public-cloud-msft-int.json
@@ -83,7 +83,7 @@
 "private": false
 },
 "imageBase": "quay.io/redhat-user-workloads/maestro-rhtap-tenant/maestro/maestro",
- "imageTag": "ea066c250a002f0cc458711945165591bc9f6d3f",
+ "imageTag": "bc2f131579c6ffc664c15f48c50a9936f1b4a7ce",
 "postgres": {
 "deploy": false,
 "minTLSVersion": "TLSV1.2",
diff --git a/config/public-cloud-personal-dev.json b/config/public-cloud-personal-dev.json
index 16690e8a8..1dd70d8e6 100644
--- a/config/public-cloud-personal-dev.json
+++ b/config/public-cloud-personal-dev.json
@@ -83,7 +83,7 @@ "private": false }, "imageBase": "quay.io/redhat-user-workloads/maestro-rhtap-tenant/maestro/maestro", - "imageTag": "ea066c250a002f0cc458711945165591bc9f6d3f", + "imageTag": "bc2f131579c6ffc664c15f48c50a9936f1b4a7ce", "postgres": { "deploy": false, "minTLSVersion": "TLSV1.2", diff --git a/dev-infrastructure/modules/postgres/postgres-access.bicep b/dev-infrastructure/modules/postgres/postgres-access.bicep index a9520d314..1f06c93b4 100644 --- a/dev-infrastructure/modules/postgres/postgres-access.bicep +++ b/dev-infrastructure/modules/postgres/postgres-access.bicep @@ -34,10 +34,16 @@ var sqlScriptLines = [ ';' 'SECURITY LABEL for "pgaadauth" on role "${newUserName}" is \'aadauth,oid=${newUserPrincipalId},type=service\';' 'GRANT ALL PRIVILEGES ON DATABASE ${databaseName} TO "${newUserName}";' - 'GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO "${newUserName}";' + 'GRANT ALL ON SCHEMA public TO "${newUserName}";' + 'GRANT USAGE ON SCHEMA public TO "${newUserName}";' + 'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "${newUserName}";' + '\\c ${databaseName};' + 'GRANT ALL ON SCHEMA public TO "${newUserName}";' + 'GRANT USAGE ON SCHEMA public TO "${newUserName}";' + 'GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO "${newUserName}";' ] -module csManagedIdentityDatabaseAccess 'postgres-sql.bicep' = { +module managedIdentityDatabaseAccess 'postgres-sql.bicep' = { name: '${deployment().name}-db-access' params: { postgresServerName: postgres.properties.fullyQualifiedDomainName diff --git a/maestro/server/Makefile b/maestro/server/Makefile index 13ea98c2f..09f7af5b7 100644 --- a/maestro/server/Makefile +++ b/maestro/server/Makefile 
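Review bot: The new grant block in `sqlScriptLines` is issued twice, once before and once after the `'\\c ${databaseName};'` line, so the first three statements apply to whatever database the session starts in rather than the target; unless the session already starts in `${databaseName}`, the identity also receives privileges on that other database's `public` schema, and the pre-`\c` copy looks unneeded. `GRANT USAGE ON SCHEMA public` is already contained in `GRANT ALL ON SCHEMA public` (schema privileges are USAGE and CREATE), so one of the two can go. Widening from `SELECT, INSERT, UPDATE, DELETE` to `ALL PRIVILEGES ON ALL TABLES` also hands out TRUNCATE, REFERENCES and TRIGGER; if that is needed so the service can run its own schema migrations, a comment above the list such as `// service role owns schema changes, hence ALL rather than DML-only` would make the scope deliberate, and note that `ON ALL TABLES` only covers tables that exist at grant time. `\c` is a psql meta-command, so this presumes the lines are executed through psql; `sqlScriptLines` begins above the hunk.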
@@ -1,17 +1,17 @@ -SHELL = /bin/bash -DEPLOY_ENV ?= personal-dev -$(shell ../../templatize.sh $(DEPLOY_ENV) config.tmpl.mk config.mk) -include config.mk +-include ../../setup-env.mk deploy: - kubectl create namespace maestro --dry-run=client -o json | kubectl apply -f - - ISTO_VERSION=$(shell az aks show -n ${AKS_NAME} -g ${SVC_RG} --query serviceMeshProfile.istio.revisions[-1] -o tsv) && \ - kubectl label namespace maestro "istio.io/rev=$${ISTO_VERSION}" --overwrite=true - EVENTGRID_HOSTNAME=$(shell az resource show -n ${EVENTGRID_NAME} -g ${REGION_RG} --resource-type "Microsoft.EventGrid/namespaces" --query properties.topicSpacesConfiguration.hostname -o tsv) && \ + @kubectl create namespace maestro --dry-run=client -o json | kubectl apply -f - + @ISTO_VERSION=$(shell az aks show -n ${AKS_NAME} -g ${SVC_RG} --query serviceMeshProfile.istio.revisions[-1] -o tsv) && \ + kubectl label ${KUBECTL_DRY_RUN} namespace maestro "istio.io/rev=$${ISTO_VERSION}" --overwrite=true + @EVENTGRID_HOSTNAME=$(shell az resource show -n ${EVENTGRID_NAME} -g ${REGION_RG} --resource-type "Microsoft.EventGrid/namespaces" --query properties.topicSpacesConfiguration.hostname -o tsv) && \ TENANT_ID=$(shell az account show --query tenantId --output tsv) && \ MAESTRO_MI_CLIENT_ID=$(shell az identity show -g "${SVC_RG}" -n maestro-server --query clientId -o tsv) && \ - helm upgrade --install maestro-server ./helm \ + DATABASE_HOST=$$(if [ "${USE_AZURE_DB}" = "true" ]; then az postgres flexible-server show -g ${SVC_RG} -n ${DATABASE_NAME} --query fullyQualifiedDomainName -o tsv; else echo "maestro-db"; fi) && \ + OVERRIDES=$$(if [ "${USE_AZURE_DB}" = "true" ]; then echo "azuredb.values.yaml"; else echo "containerdb.values.yaml"; fi) && \ + helm upgrade --install --wait ${HELM_DRY_RUN} maestro-server ./helm \ --namespace maestro \ + -f helm/$${OVERRIDES} \ --set broker.host=$${EVENTGRID_HOSTNAME} \ --set credsKeyVault.name=${KEYVAULT_NAME} \ --set credsKeyVault.secret=${MQTT_CLIENT_NAME} \ 
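Review bot: `DATABASE_HOST=$$(if [ "${USE_AZURE_DB}" = "true" ]; ...)` and the `OVERRIDES` line under it fall through to the containerized database, with `containerdb.values.yaml` and its static password, for every value of `USE_AZURE_DB` other than the exact string `true`; since that variable is now bound to the boolean config key `maestro.postgres.deploy` (pipeline.yaml hunk at line 29), a boolean rendered as anything else, say `True`, would silently deploy the password path instead of stopping. Replacing both `if` expressions with a `case "${USE_AZURE_DB}" in true) ...;; false) ...;; *) echo "unexpected USE_AZURE_DB=${USE_AZURE_DB}" >&2; exit 1;; esac` makes the selection fail closed. The new `@` prefixes also hide the `az ... show` lookups from the deploy log, which makes a wrong resource group or a missing login harder to diagnose, so consider leaving them off those lines. The `deploy` recipe continues in the next hunk.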
@@ -20,6 +20,5 @@ deploy:
 --set istio.restrictIngress=${ISTIO_RESTRICT_INGRESS} \
 --set image.base=${IMAGE_BASE} \
 --set image.tag=${IMAGE_TAG} \
- --set database.containerizedDb=${USE_CONTAINERIZED_DB} \
- --set database.ssl='${USE_DATABASE_SSL}'
+ --set database.host=$${DATABASE_HOST}
 .PHONY: deploy
diff --git a/maestro/server/config.tmpl.mk b/maestro/server/config.tmpl.mk
deleted file mode 100644
index fb67afeac..000000000
--- a/maestro/server/config.tmpl.mk
+++ /dev/null
@@ -1,11 +0,0 @@
-EVENTGRID_NAME ?= {{ .maestro.eventGrid.name }}
-REGION_RG ?= {{ .regionRG }}
-AKS_NAME ?= {{ .aksName }}
-SVC_RG ?= {{ .svc.rg }}
-IMAGE_BASE ?= {{ .maestro.imageBase }}
-IMAGE_TAG ?= {{ .maestro.imageTag }}
-USE_CONTAINERIZED_DB ?= {{ not .maestro.postgres.deploy }}
-USE_DATABASE_SSL ?= {{ ternary "enable" "disable" .maestro.postgres.deploy }}
-ISTIO_RESTRICT_INGRESS ?= {{ .maestro.restrictIstioIngress }}
-KEYVAULT_NAME ?= {{ .serviceKeyVault.name }}
-MQTT_CLIENT_NAME ?= {{ .maestro.serverMqttClientName }}
diff --git a/maestro/server/helm/azuredb.values.yaml b/maestro/server/helm/azuredb.values.yaml
new file mode 100644
index 000000000..b972f8750
--- /dev/null
+++ b/maestro/server/helm/azuredb.values.yaml
@@ -0,0 +1,4 @@
+database:
+ containerizedDb: false
+ ssl: require
+ authMethod: az-entra
diff --git a/maestro/server/helm/containerdb.values.yaml b/maestro/server/helm/containerdb.values.yaml
new file mode 100644
index 000000000..7079babc2
--- /dev/null
+++ b/maestro/server/helm/containerdb.values.yaml
@@ -0,0 +1,7 @@
+database:
+ containerizedDb: true
+ ssl: disable
+ authMethod: password
+ password: "TheBlurstOfTimes"
+ containerizedDbImage: docker.io/library/postgres:14.2
+ containerizedDbPvcCapacity: 512Mi
diff --git a/maestro/server/helm/templates/maestro.deployment.yaml b/maestro/server/helm/templates/maestro.deployment.yaml
index 3ee367a24..730548c4f 100644
--- a/maestro/server/helm/templates/maestro.deployment.yaml
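Review bot: `ssl: require` in azuredb.values.yaml encrypts the connection but does not verify the server certificate, so the `--db-sslmode` flag the chart builds from it (maestro.deployment.yaml) would still accept a server presenting any certificate. If the maestro binary takes libpq-style sslmode values, `verify-full` together with a mounted CA bundle is the stronger setting for the Entra-authenticated path; if that is not yet possible, a comment such as `# require only encrypts; move to verify-full once a CA bundle is mounted` next to the key would record the gap.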
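Review bot: containerdb.values.yaml keeps the literal `password: "TheBlurstOfTimes"` (moved here from values.yaml) next to `ssl: disable`, and the Makefile selects this file whenever `USE_AZURE_DB` is not `true`, so a committed static credential remains the fallback for every environment rather than only a developer one. A header comment like `# Dev-only overrides: containerized postgres, throwaway password, no TLS; never select for shared environments` would mark the intent, and passing a value generated at deploy time via `--set database.password=...` would take the literal out of the repository entirely.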
+++ b/maestro/server/helm/templates/maestro.deployment.yaml
@@ -19,6 +19,7 @@ spec:
 metadata:
 labels:
 app: maestro
+ azure.workload.identity/use: "true"
 annotations:
 checksum/credsstore: {{ include (print $.Template.BasePath "/maestro.secretproviderclass.yaml") . | sha256sum }}
 checksum/config: {{ include (print $.Template.BasePath "/maestro.secret.yaml") . | sha256sum }}
@@ -56,6 +57,7 @@ spec:
 - --db-sslmode={{ .Values.database.ssl }}
 - --alsologtostderr
 - -v={{ .Values.maestro.glog_v }}
+ - --db-auth-method={{ .Values.database.authMethod }}
 containers:
 - name: service
 image: "{{ .Values.image.base }}:{{ .Values.image.tag }}"
@@ -110,6 +112,7 @@ spec:
 - --label-metrics-inclusion-duration={{ .Values.maestro.labelMetricsInclusionDuration }}
 - --alsologtostderr
 - -v={{ .Values.maestro.glog_v }}
+ - --db-auth-method={{ .Values.database.authMethod }}
 resources:
 requests:
 cpu: {{ .Values.deployment.requests.cpu }}
diff --git a/maestro/server/helm/values.yaml b/maestro/server/helm/values.yaml
index c23d15478..e8d1ec861 100644
--- a/maestro/server/helm/values.yaml
+++ b/maestro/server/helm/values.yaml
@@ -11,16 +11,17 @@ broker:
 port: 8883
 database:
 containerizedDb: false
- containerizedDbImage: docker.io/library/postgres:14.2
- containerizedDbPvcCapacity: 512Mi
- host: "maestro-db"
+ containerizedDbImage: ""
+ containerizedDbPvcCapacity: ""
+ host: ""
 port: 5432
 name: "maestro"
- user: "maestro"
- password: "TheBlurstOfTimes"
- ssl: "require"
+ user: "maestro-server"
+ password: ""
+ ssl: ""
 maxOpenConnections: 50
 debug: false
+ authMethod: ""
 maestro:
 serviceAccount: maestro
 httpReadTimeout: 60s
diff --git a/maestro/server/pipeline.yaml b/maestro/server/pipeline.yaml
index 982799129..23bb724ac 100644
--- a/maestro/server/pipeline.yaml
+++ b/maestro/server/pipeline.yaml
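Review bot: The `azure.workload.identity/use: "true"` label is added to the pod template unconditionally, so pods deployed with `containerdb.values.yaml` (`authMethod: password`) presumably also get the workload-identity token projected into them although nothing in that path uses it. Gating the label on the auth method, `{{- if eq .Values.database.authMethod "az-entra" }}` around that line, keeps the token and its environment out of the password-auth pods. The pod template this label belongs to starts above the hunk.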
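Review bot: `--db-auth-method={{ .Values.database.authMethod }}` renders as a bare `--db-auth-method=` when neither override file is passed, because values.yaml in this same change defaults `authMethod`, `ssl` and `host` to `""`; the identical line in the hunk at line 112 has the same issue. Writing it as `--db-auth-method={{ required "database.authMethod must be set (az-entra or password)" .Values.database.authMethod }}` turns a missing override into a template-time error instead of a failing pod, and `database.ssl` and `database.host` deserve the same guard. A comment in values.yaml above the blanked keys, noting that they are supplied by azuredb.values.yaml or containerdb.values.yaml, would explain why the defaults are empty.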
@@ -1,4 +1,5 @@
-serviceGroup: Microsoft.Azure.ARO.Test
+$schema: "pipeline.schema.v1"
+serviceGroup: Microsoft.Azure.ARO.HCP.Maestro.Server
 rolloutName: Maestro Server Rollout
 resourceGroups:
 - name: {{ .svc.rg }}
@@ -8,6 +9,12 @@ resourceGroups:
 - name: deploy
 action: Shell
 command: make deploy
+ dryRun:
+ variables:
+ - name: HELM_DRY_RUN
+ value: "--dry-run=server --debug"
+ - name: KUBECTL_DRY_RUN
+ value: "--dry-run=server"
 variables:
 - name: EVENTGRID_NAME
 configRef: maestro.eventGrid.name
@@ -22,7 +29,9 @@ resourceGroups:
 - name: IMAGE_TAG
 configRef: maestro.imageTag
 - name: USE_AZURE_DB
- configRef: maestroPostgresDeploy
+ configRef: maestro.postgres.deploy
+ - name: DATABASE_NAME
+ configRef: maestro.postgres.name
 - name: ISTIO_RESTRICT_INGRESS
 configRef: maestro.restrictIstioIngress
 - name: KEYVAULT_NAME
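Review bot: `USE_AZURE_DB` now reads the boolean key `maestro.postgres.deploy`, yet the Makefile compares it against the literal string `true`, and `DATABASE_NAME` from `maestro.postgres.name` is only consumed on that Azure path (`az postgres flexible-server show -n ${DATABASE_NAME}`). Two comments on these entries, `# boolean in config; make deploy expects it rendered as the string "true"` and `# only read when maestro.postgres.deploy is true`, would record both assumptions where a future config edit will see them.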