Azure · geoberle · Oct 30, 2024
@@ -4,7 +4,7 @@ $(shell ../templatize.sh $(DEPLOY_ENV) config.tmpl.mk config.mk)
 include config.mk
 
 deploy: deploy-namespace-template deploy-istio-configurations-template ${DB_SECRET_TARGET}
-	AZURE_CS_MI_CLIENT_ID=$(shell az identity show -g ${RESOURCEGROUP} -n clusters-service --query clientId -o tsv) && \
+	AZURE_CS_MI_CLIENT_ID=$(shell az identity show -g ${RESOURCEGROUP} -n ${CS_MI_NAME} --query clientId -o tsv) && \
 	CS_SERVICE_PRINCIPAL_CREDS_BASE64='$(shell az keyvault secret show --vault-name "${SERVICE_KV}" --name "aro-hcp-dev-sp-cs" | jq .value -r | base64 | tr -d '\n')' && \
 	TENANT_ID=$(shell az account show --query tenantId --output tsv) && \
 	OIDC_BLOB_SERVICE_ENDPOINT=$(shell az storage account show -n ${OIDC_STORAGE_ACCOUNT} -g ${RESOURCEGROUP} --query primaryEndpoints.blob -o tsv) && \
@@ -13,38 +13,44 @@ deploy: deploy-namespace-template deploy-istio-configurations-template ${DB_SECR
 	OCP_ACR_URL=$(shell az acr show -n ${OCP_ACR_NAME} --query loginServer -o tsv) && \
 	OCP_ACR_RESOURCE_ID=$(shell az acr show -n ${OCP_ACR_NAME} --query id -o tsv) && \
 	oc process --local -f deploy/openshift-templates/arohcp-service-template.yml \
-	  -p AZURE_CS_MI_CLIENT_ID=$${AZURE_CS_MI_CLIENT_ID} \
-	  -p TENANT_ID=$${TENANT_ID} \
-	  -p REGION=${REGION} \
-	  -p SERVICE_KEYVAULT_NAME=${SERVICE_KV} \
-	  -p CS_SERVICE_PRINCIPAL_CREDS_BASE64=$${CS_SERVICE_PRINCIPAL_CREDS_BASE64} \
-	  -p IMAGE_REGISTRY=${ACR_NAME}.azurecr.io \
-	  -p IMAGE_REPOSITORY=${IMAGE_REPO} \
-	  -p AZURE_FIRST_PARTY_APPLICATION_CLIENT_ID=${AZURE_FIRST_PARTY_APPLICATION_CLIENT_ID} \
-	  -p FPA_CERT_NAME=${FPA_CERT_NAME} \
-	  -p IMAGE_TAG=${IMAGE_TAG} \
-	  -p OCP_ACR_RESOURCE_ID=$${OCP_ACR_RESOURCE_ID} \
-	  -p OCP_ACR_URL=$${OCP_ACR_URL} \
-	  -p DATABASE_DISABLE_TLS=${DATABASE_DISABLE_TLS} \
-	  -p DATABASE_AUTH_METHOD=${DATABASE_AUTH_METHOD} | oc apply -f -
+		-p NAMESPACE="${CS_NAMESPACE_NAME}" \
+		-p AZURE_CS_MI_CLIENT_ID=$${AZURE_CS_MI_CLIENT_ID} \
+		-p TENANT_ID=$${TENANT_ID} \
+		-p REGION=${REGION} \
+		-p SERVICE_KEYVAULT_NAME=${SERVICE_KV} \
+		-p CS_SERVICE_PRINCIPAL_CREDS_BASE64=$${CS_SERVICE_PRINCIPAL_CREDS_BASE64} \
+		-p IMAGE_REGISTRY=${ACR_NAME}.azurecr.io \
+		-p IMAGE_REPOSITORY=${IMAGE_REPO} \
+		-p AZURE_FIRST_PARTY_APPLICATION_CLIENT_ID=${AZURE_FIRST_PARTY_APPLICATION_CLIENT_ID} \
+		-p FPA_CERT_NAME=${FPA_CERT_NAME} \
+		-p IMAGE_TAG=${IMAGE_TAG} \
+		-p OCP_ACR_RESOURCE_ID=$${OCP_ACR_RESOURCE_ID} \
+		-p OCP_ACR_URL=$${OCP_ACR_URL} \
+		-p SERVICE_ACCOUNT_NAME=${CS_SA_NAME} \
+		-p DATABASE_DISABLE_TLS=${DATABASE_DISABLE_TLS} \
+		-p DATABASE_AUTH_METHOD=${DATABASE_AUTH_METHOD} | oc apply -f -
 
 deploy-namespace-template:
 	ISTO_VERSION=$(shell az aks show -n ${AKS_NAME} -g ${RESOURCEGROUP} --query serviceMeshProfile.istio.revisions[-1] -o tsv) && \
 	oc process --local -f deploy/openshift-templates/arohcp-namespace-template.yml \
-		-p ISTIO_VERSION=$${ISTO_VERSION} | oc apply -f -
+		-p ISTIO_VERSION=$${ISTO_VERSION} \
+		-p NAMESPACE="${CS_NAMESPACE_NAME}" | oc apply -f -
 
 deploy-istio-configurations-template:
 	kubectl apply -f deploy/istio.yml
 
 deploy-local-db-secret: configure-tmp-provision-shard
 	oc process --local -f deploy/openshift-templates/arohcp-secrets-template.yml \
-		-p PROVISION_SHARDS_CONFIG="$$( base64 -i deploy/provisioning-shards.yml)" | oc apply -f -
-	oc process --local -f deploy/openshift-templates/arohcp-db-template.yml | oc apply -f -
+		-p PROVISION_SHARDS_CONFIG="$$( base64 -i deploy/provisioning-shards.yml)" \
+		-p NAMESPACE="${CS_NAMESPACE_NAME}" | oc apply -f -
+	oc process --local -f deploy/openshift-templates/arohcp-db-template.yml \
+		-p NAMESPACE="${CS_NAMESPACE_NAME}" | oc apply -f -
 
 deploy-azure-db-secret: configure-tmp-provision-shard
 	oc process --local -f deploy/openshift-templates/arohcp-secrets-template.yml \
-		-p DATABASE_USER=clusters-service \
-		-p DATABASE_NAME=clusters-service \
+		-p NAMESPACE="${CS_NAMESPACE_NAME}" \
+		-p DATABASE_USER=${CS_MI_NAME} \
+		-p DATABASE_NAME=${CS_DB_NAME} \
 		-p DATABASE_PASSWORD="" \
 		-p DATABASE_HOST=$(shell az postgres flexible-server show --resource-group ${RESOURCEGROUP} -n ${DATABASE_SERVER_NAME} --query fullyQualifiedDomainName -o tsv) \
 		-p PROVISION_SHARDS_CONFIG="$$( base64 -i deploy/provisioning-shards.yml)" | oc apply -f -

@@ -13,6 +13,11 @@ AZURE_FIRST_PARTY_APPLICATION_CLIENT_ID ?= {{ .firstPartyAppClientId }}
 FPA_CERT_NAME ?= firstPartyCert
 ZONE_NAME ?= {{ .regionalDNSSubdomain }}.{{ .baseDnsZoneName }}
 
+CS_MI_NAME ?= {{ .clusterServiceManagedIdentityName }}
+CS_DB_NAME ?= {{ .clusterServiceDatabaseName }}
+CS_SA_NAME ?= {{ .clusterServiceServiceAccountName }}
+CS_NAMESPACE_NAME ?= {{ .clusterServiceNamespace  }}
+
 DATABASE_DISABLE_TLS ?= {{ not .clusterServicePostgresDeploy }}
 DATABASE_AUTH_METHOD ?= {{ ternary "az-entra" "postgres" .clusterServicePostgresDeploy }}
 DATABASE_SERVER_NAME ?= {{ .clusterServicePostgresName }}

@@ -138,6 +138,11 @@ parameters:
   description: The resource ID of the Azure Container Registry where the OpenShift images are stored.
   required: true
 
+- name: SERVICE_ACCOUNT_NAME
+  description: The name of the service account used to run CS.
+  required: true
+  value: "clusters-service"
+
 
 # These limits are based on the metrics collected in the production environment
 # over the last year. In particular the following Prometheus queries were used
@@ -371,7 +376,7 @@ objects:
 - apiVersion: v1
   kind: ServiceAccount
   metadata:
-    name: clusters-service
+    name: ${SERVICE_ACCOUNT_NAME}
     namespace: ${NAMESPACE}
     labels:
       app: clusters-service
@@ -405,8 +410,8 @@ objects:
           app: clusters-service
           azure.workload.identity/use: "true"
       spec:
-        serviceAccount: clusters-service
-        serviceAccountName: clusters-service
+        serviceAccount: ${SERVICE_ACCOUNT_NAME}
+        serviceAccountName: ${SERVICE_ACCOUNT_NAME}
         volumes:
         - name: service
           secret:

@@ -37,6 +37,10 @@ defaults:
   maestroEventGridMaxClientSessionsPerAuthName: '4'
   maestroCertDomain: 'selfsigned.maestro.keyvault.azure.com'
   maestroPostgresName: {{ azurePostgresName "maestro" 5 .ctx.region .ctx.regionStamp }}
+  maestroServerNamespace: maestro
+  maestroServerManagedIdentityName: maestro-server
+  maestroServerServiceAccountName: maestro
+  maestroDatabaseName: maestro
   maestroPostgresServerVersion: '15'
   maestroPostgresServerStorageSizeGB: '32'
   maestroPostgresDeploy: true
@@ -49,6 +53,10 @@ defaults:
   clusterServicePostgresDeploy: true
   clusterServicePostgresPrivate: false
   clusterServiceAcrRG: global
+  clusterServiceNamespace: cluster-service
+  clusterServiceManagedIdentityName: clusters-service
+  clusterServiceServiceAccountName: clusters-service
+  clusterServiceDatabaseName: clusters-service
 
   # Image Sync
   imageSyncAcrRG: global

@@ -5,11 +5,15 @@
   "baseDnsZoneName": "hcp.osadev.cloud",
   "baseDnsZoneRG": "global",
   "clusterServiceAcrRG": "global",
+  "clusterServiceDatabaseName": "clusters-service",
   "clusterServiceImageRepo": "app-sre/uhc-clusters-service",
   "clusterServiceImageTag": "a23276d",
+  "clusterServiceManagedIdentityName": "clusters-service",
+  "clusterServiceNamespace": "cluster-service",
   "clusterServicePostgresDeploy": true,
   "clusterServicePostgresName": "cs-9c782",
   "clusterServicePostgresPrivate": false,
+  "clusterServiceServiceAccountName": "clusters-service",
   "cxKeyVaultName": "aro-hcp-cx-1abb8",
   "cxKeyVaultPrivate": false,
   "cxKeyVaultSoftDelete": false,
@@ -32,6 +36,7 @@
   "kubernetesVersion": "1.30.5",
   "maestroCertDomain": "selfsigned.maestro.keyvault.azure.com",
   "maestroConsumerName": "hcp-underlay-westus3-cs-pr-mgmt-1",
+  "maestroDatabaseName": "maestro",
   "maestroEventGridMaxClientSessionsPerAuthName": "4",
   "maestroEventgridName": "maestro-9c782",
   "maestroImageBase": "quay.io/redhat-user-workloads/maestro-rhtap-tenant/maestro/maestro",
@@ -43,6 +48,9 @@
   "maestroPostgresServerStorageSizeGB": "32",
   "maestroPostgresServerVersion": "15",
   "maestroRestrictIstioIngress": false,
+  "maestroServerManagedIdentityName": "maestro-server",
+  "maestroServerNamespace": "maestro",
+  "maestroServerServiceAccountName": "maestro",
   "managementClusterRG": "hcp-underlay-westus3-cs-pr-mgmt-1",
   "mgmtEtcdKVName": "aro-hcp-etcd-1abb8",
   "mgmtEtcdKVSoftDelete": false,

@@ -5,11 +5,15 @@
   "baseDnsZoneName": "hcp.osadev.cloud",
   "baseDnsZoneRG": "global",
   "clusterServiceAcrRG": "global",
+  "clusterServiceDatabaseName": "clusters-service",
   "clusterServiceImageRepo": "app-sre/uhc-clusters-service",
   "clusterServiceImageTag": "a23276d",
+  "clusterServiceManagedIdentityName": "clusters-service",
+  "clusterServiceNamespace": "cluster-service",
   "clusterServicePostgresDeploy": true,
   "clusterServicePostgresName": "cs-157ff",
   "clusterServicePostgresPrivate": false,
+  "clusterServiceServiceAccountName": "clusters-service",
   "cxKeyVaultName": "aro-hcp-cx-08101",
   "cxKeyVaultPrivate": false,
   "cxKeyVaultSoftDelete": false,
@@ -32,6 +36,7 @@
   "kubernetesVersion": "1.30.5",
   "maestroCertDomain": "selfsigned.maestro.keyvault.azure.com",
   "maestroConsumerName": "hcp-underlay-westus3-dev-mgmt-1",
+  "maestroDatabaseName": "maestro",
   "maestroEventGridMaxClientSessionsPerAuthName": "4",
   "maestroEventgridName": "maestro-157ff",
   "maestroImageBase": "quay.io/redhat-user-workloads/maestro-rhtap-tenant/maestro/maestro",
@@ -43,6 +48,9 @@
   "maestroPostgresServerStorageSizeGB": "32",
   "maestroPostgresServerVersion": "15",
   "maestroRestrictIstioIngress": true,
+  "maestroServerManagedIdentityName": "maestro-server",
+  "maestroServerNamespace": "maestro",
+  "maestroServerServiceAccountName": "maestro",
   "managementClusterRG": "hcp-underlay-westus3-dev-mgmt-1",
   "mgmtEtcdKVName": "aro-hcp-etcd-08101",
   "mgmtEtcdKVSoftDelete": false,

@@ -5,11 +5,15 @@
   "baseDnsZoneName": "hcp.osadev.cloud",
   "baseDnsZoneRG": "global",
   "clusterServiceAcrRG": "global",
+  "clusterServiceDatabaseName": "clusters-service",
   "clusterServiceImageRepo": "app-sre/uhc-clusters-service",
   "clusterServiceImageTag": "a23276d",
+  "clusterServiceManagedIdentityName": "clusters-service",
+  "clusterServiceNamespace": "cluster-service",
   "clusterServicePostgresDeploy": false,
   "clusterServicePostgresName": "cs-76fc6",
   "clusterServicePostgresPrivate": false,
+  "clusterServiceServiceAccountName": "clusters-service",
   "cxKeyVaultName": "aro-hcp-cx-85fcc",
   "cxKeyVaultPrivate": false,
   "cxKeyVaultSoftDelete": false,
@@ -32,6 +36,7 @@
   "kubernetesVersion": "1.30.5",
   "maestroCertDomain": "selfsigned.maestro.keyvault.azure.com",
   "maestroConsumerName": "hcp-underlay-westus3-tst-mgmt-1",
+  "maestroDatabaseName": "maestro",
   "maestroEventGridMaxClientSessionsPerAuthName": "4",
   "maestroEventgridName": "maestro-76fc6",
   "maestroImageBase": "quay.io/redhat-user-workloads/maestro-rhtap-tenant/maestro/maestro",
@@ -43,6 +48,9 @@
   "maestroPostgresServerStorageSizeGB": "32",
   "maestroPostgresServerVersion": "15",
   "maestroRestrictIstioIngress": true,
+  "maestroServerManagedIdentityName": "maestro-server",
+  "maestroServerNamespace": "maestro",
+  "maestroServerServiceAccountName": "maestro",
   "managementClusterRG": "hcp-underlay-westus3-tst-mgmt-1",
   "mgmtEtcdKVName": "aro-hcp-etcd-85fcc",
   "mgmtEtcdKVSoftDelete": false,

@@ -402,20 +402,14 @@ acr-ocp.what-if: global.rg
 # Postgres Authentication Helpers
 #
 
-cs-current-user-pg-connect:
-	@scripts/cs-current-user-pg-connect.sh $(SVC_RESOURCEGROUP) $(CS_PG_NAME)
-.PHONY: cs-current-user-pg-connect
-
 cs-miwi-pg-connect:
-	@scripts/cs-miwi-pg-connect.sh $(SVC_RESOURCEGROUP) $(CS_PG_NAME) "clusters-service" "cluster-service" "clusters-service"
+	@KUBECONFIG=${SVC_KUBECONFIG_FILE} && \
+	scripts/miwi-pg-connect.sh $(SVC_RESOURCEGROUP) $(CS_PG_NAME) $(CS_MI_NAME) $(CS_NAMESPACE_NAME) $(CS_SA_NAME) $(CS_DB_NAME)
 .PHONY: cs-miwi-pg-connect
 
-maestro-current-user-pg-connect:
-	@scripts/cs-current-user-pg-connect.sh $(SVC_RESOURCEGROUP) $(MAESTRO_PG_NAME)
-.PHONY: maestro-current-user-pg-connect
-
 maestro-miwi-pg-connect:
-	@scripts/cs-miwi-pg-connect.sh $(SVC_RESOURCEGROUP) $(MAESTRO_PG_NAME) "maestro-server" "maestro" "maestro"
+	@KUBECONFIG=${SVC_KUBECONFIG_FILE} && \
+	scripts/miwi-pg-connect.sh $(SVC_RESOURCEGROUP) $(MAESTRO_PG_NAME) $(MAESTRO_MI_NAME) $(MAESTRO_NAMESPACE_NAME) $(MAESTRO_SA_NAME) $(MAESTRO_DB_NAME)
 .PHONY: maestro-miwi-pg-connect
 
 #

@@ -9,5 +9,15 @@ IMAGE_SYNC_ENVIRONMENT ?= {{ .imageSyncEnvironmentName }}
 ARO_HCP_IMAGE_ACR ?= {{ .svcAcrName }}
 REPOSITORIES_TO_SYNC ?= '{{ .imageSyncRepositories }}'
 AKS_NAME ?= {{ .aksName }}
+
 CS_PG_NAME ?= {{ .clusterServicePostgresName }}
+CS_MI_NAME ?= {{ .clusterServiceManagedIdentityName  }}
+CS_NAMESPACE_NAME ?= {{ .clusterServiceNamespace  }}
+CS_SA_NAME = {{ .clusterServiceServiceAccountName }}
+CS_DB_NAME ?= {{ .clusterServiceDatabaseName }}
+
 MAESTRO_PG_NAME ?= {{ .maestroPostgresName }}
+MAESTRO_MI_NAME ?= {{ .maestroServerManagedIdentityName  }}
+MAESTRO_NAMESPACE_NAME ?= {{ .maestroServerNamespace  }}
+MAESTRO_SA_NAME = {{ .maestroServerServiceAccountName }}
+MAESTRO_DB_NAME ?= {{ .maestroDatabaseName }}
@@ -17,14 +17,22 @@ param maestroKeyVaultName = '{{ .maestroKeyVaultName }}'
 param maestroEventGridNamespacesName = '{{ .maestroEventgridName }}'
 param maestroCertDomain = '{{ .maestroCertDomain}}'
 param maestroPostgresServerName = '{{ .maestroPostgresName }}'
+param maestroDatabaseName = '{{ .maestroDatabaseName }}'
 param maestroPostgresServerVersion = '{{ .maestroPostgresServerVersion }}'
 param maestroPostgresServerStorageSizeGB = {{ .maestroPostgresServerStorageSizeGB }}
 param deployMaestroPostgres = {{ .maestroPostgresDeploy }}
 param maestroPostgresPrivate = {{ .maestroPostgresPrivate }}
+param maestroMIName = '{{ .maestroServerManagedIdentityName }}'
+param maestroNamespace = '{{ .maestroServerNamespace }}'
+param maestroServiceAccountName = '{{ .maestroServerServiceAccountName }}'
 
 param deployCsInfra = {{ .clusterServicePostgresDeploy }}
 param csPostgresServerName = '{{ .clusterServicePostgresName }}'
-param clusterServicePostgresPrivate = {{ .clusterServicePostgresPrivate }}
+param csDatabaseName = '{{ .clusterServiceDatabaseName }}'
+param csPostgresPrivate = {{ .clusterServicePostgresPrivate }}
+param csMIName = '{{ .clusterServiceManagedIdentityName }}'
+param csNamespace = '{{ .clusterServiceNamespace }}'
+param csServiceAccountName = '{{ .clusterServiceServiceAccountName }}'
 
 param serviceKeyVaultName = '{{ .serviceKeyVaultName }}'
 param serviceKeyVaultResourceGroup = '{{ .serviceKeyVaultRG }}'

@@ -558,20 +558,10 @@ To tear down your CS setup:
 
 ### Access Maestro Postgres from outside of the AKS cluster
 
-To connect to the database as current user run
+To connect to the database with the managed identity of Maestro, run the following command
 
   ```sh
-  eval $(AKSCONFIG=svc-cluster make maestro-current-user-pg-connect)
-  psql -d maestro
-  ```
-
-The output of the make target is in ENV var format for the `psql` tool, so this works to get a connection into the DB.
-
-To connect to the database with the managed identity of Maestro, make sure to have a KUBECONFIG for the cluster that runs Maestro Server and run
-
-  ```sh
-  eval $(AKSCONFIG=svc-cluster make maestro-miwi-pg-connect)
-  psql -d maestro
+  make maestro-miwi-pg-connect
   ```
 
 Once logged in, verify the connection with `\conninfo`
@@ -584,20 +574,10 @@ To create a Postgres DB on Azure enabled for Entra authentication, a svc cluster
 
 ### Access the database from outside of the AKS cluster
 
-To connect to the database as current user run
-
-  ```sh
-  eval $(make cs-current-user-pg-connect)
-  psql -d clusters-service
-  ```
-
-The output of the make target is in ENV var format for the `psql` tool, so this works to get a connection into the DB.
-
-To connect to the database with the managed identity of CS, make sure to have a KUBECONFIG for the cluster that runs CS and run
+To connect to the database with the managed identity of CS, run the following command
 
   ```sh
-  eval $(make cs-miwi-pg-connect)
-  psql -d clusters-service
+  make cs-miwi-pg-connect
   ```
 
 Once logged in, verify the connection with `\conninfo`

@@ -8,7 +8,7 @@ param clusterServiceManagedIdentityName string
 param clusterServiceManagedIdentityPrincipalId string
 
 @description('The name of the database to create for CS')
-param csDatabaseName string = 'clusters-service'
+param csDatabaseName string
 
 @description('The name of the Postgres server for CS')
 param postgresServerName string

@@ -48,7 +48,7 @@ param privateEndpointSubnetId string = ''
 param privateEndpointVnetId string = ''
 
 @description('The name of the database to create for Maestro')
-param maestroDatabaseName string = 'maestro'
+param maestroDatabaseName string
 
 @description('The name of the Managed Identity for the Maestro cluster service')
 param maestroServerManagedIdentityName string