parameterize azure PG config and use psql-client container to connect #790
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
geoberle
requested review from
bennerv,
janboll,
jmelis,
jonathan34c,
niontive,
nwnt,
SudoBrendan,
UlrichSchlueter,
weinong and
whober0521
as code owners
| --env PGUSER \ | ||
| --env PGPASSWORD \ | ||
| postgres psql \ | ||
| -d clusters-service -p 5432 |
There was a problem hiding this comment.
Depending on how the CS DB is deployed in theory the DB name might be a different one so we might want this configurable with a default. Not a blocker of course, just raising this.
There was a problem hiding this comment.
i'll wait until #763 is merged, then we can draw the actual DB name value from the config
There was a problem hiding this comment.
all CS and maestro settings around DB, namespace, service account and MI have now been parameterized
|
It looks good to me |
bennerv
reviewed
Oct 30, 2024
| @@ -7,7 +7,7 @@ NAMESPACE=$4 | |||
| SA_NAME=$5 | |||
|
|
|||
| # prep creds and configs | |||
| PGHOST=$(az postgres flexible-server list --resource-group ${RESOURCEGROUP} --query "[?starts_with(name, '${DB_SERVER_NAME_PREFIX}')].fullyQualifiedDomainName" -o tsv) | |||
| export PGHOST=$(az postgres flexible-server list --resource-group ${RESOURCEGROUP} --query "[?starts_with(name, '${DB_SERVER_NAME_PREFIX}')].fullyQualifiedDomainName" -o tsv) | |||
| AZURE_TENANT_ID=$(az account show -o json | jq .homeTenantId -r) | |||
| AZURE_CLIENT_ID=$(az identity show -g ${RESOURCEGROUP} -n ${MANAGED_IDENTITY_NAME} --query clientId -o tsv) | |||
| SA_TOKEN=$(kubectl create token ${SA_NAME} --namespace=${NAMESPACE} --audience api://AzureADTokenExchange) | |||
There was a problem hiding this comment.
Should we make the expiration of this token short-lived? I.e. 24 hrs?
There was a problem hiding this comment.
- the default SA token on AKS expires in 1h, i made it explicit though
- for
az account get-access-tokenthere is no way to set the expiration - it defaults to 24h
|
Please rebase pull request. |
geoberle
changed the title
|
Please rebase pull request. |
* installing the psql client tool locally brings a log of dependencies on most systems. by using a container we avoid having to install too many things on developer machines * parameterize all fields required for CS and Maestro DB setup so we can have consistency between infra RBAC deployment, service deployment and DB deployment Signed-off-by: Gerd Oberlechner <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What this PR does
Jira:
Link to demo recording:
Special notes for your reviewer