allow creation of pg-stac secrets from azure secret vault, refs #186 (#187)

* allow creation of pg-stac secrets from azure secret vault, refs #186

* bump version in chart

* add serviceAccount to create azure service account from values

* change version in chart yaml

* fix secret order since we need multiple secrets derived from a single key in the vault

* bump chart version to 0.5.3-azure-test-3 and add support for Azure AKS secrets provider

* refactor deployment templates to properly handle Azure AKS secrets provider configuration

* bump chart version to 0.5.3-azure-test-4

* fix: update template to use correct context for Azure AKS secrets provider

* fix: adjust secret reference formatting and add service account configuration for Azure AKS

* fix: add volume mounts for Azure AKS secrets provider in deployment template

* bump chart version to 0.5.3-azure-test-7

* bump chart version to 0.5.3-azure-test-8 and add Azure AKS secrets provider configuration

* bump chart version to 0.5.3-azure-test-9 and add Azure workload identity annotation in deployment template

* bump chart version to 0.5.3-azure-test-10 and add service account configuration in deployment template

* use the service account name from values

* name in the deploy for service account should match values

* key names in vault still not working, try replacing _ with -

* bump version in Chart.yaml

* oops, replace _ with - everywhere

* bump chart version to azure-test-14

* bump chart version to 0.5.3-azure-test-15 and update job.yaml for Azure workload identity and secrets management

* bump chart version to 0.5.3-azure-test-16 and update job.yaml for conditional secret inclusion

* bump chart version to 0.5.3-azure-test-17 and update job.yaml for environment variable configuration

* bump chart version to 0.5.3-azure-test-18 and update job.yaml for PostgreSQL connection string format

* bump chart version to 0.5.3-azure-test-19 and update job.yaml and configmap.yaml for PGADMIN_URI initialization and PostgreSQL environment variables

* bump chart version to 0.5.3-azure-test-20 and update configmap.yaml to ensure PGADMIN_URI is initialized correctly

* bump chart version to 0.5.3-azure-test-21 and update PGADMIN_URI initialization in configmap.yaml

* bump chart version to 0.5.3-azure-test-21 and update job.yaml and configmap.yaml for PGADMIN_URI initialization and PostgreSQL environment variables

* Refactor Azure integration: deprecate specific service account configuration, update pgstacBootstrap settings, and enhance documentation for Azure setup

* Add support for additional labels, environment variables, and volume mounts in raster, multidim, stac, and vector configurations

* Remove redundant value assignment for KEEP_ALIVE in pgstacbootstrap job configuration

* Enable backups in PostgreSQL operator installation

* Enable backups for PostgreSQL cluster in test configuration

* Enhance cleanup step to extract and display pod logs for debugging on failure

* Enhance cleanup step to extract and display logs from PGSTACBootstrap and raster pod containers for improved debugging

* Refactor ServiceAccount name in RBAC configuration to use template function for consistency

* Refactor endpoint exports in helm-tests workflow for consistency and clarity

* Fix endpoint URLs in helm-tests workflow to include release name for proper routing

* Enhance error handling in test execution by extracting and displaying pod logs for improved debugging

* remove azure specifics

* Update PGO_VERSION to 5.7.0 and remove backupsEnabled comment from test values

* Revert chart version to 0.5.3-azure-test-21 for consistency with application versioning

* Update chart version to 0.5.3-azure-test-21 for consistency with application versioning

* Add service account configuration and update values.yaml with ingress and environment settings

* Update database connection wait command to use POSTGRES_HOST variable

* Add environment variables to wait-for-db init container

* Enable pgstacBootstrap and update environment variables for database connection

* Fix wait-for-db command to correctly reference POSTGRES_PORT environment variable

* Enhance pgstacbootstrap job configuration by adding extra volume mounts and environment variables for LOAD_FIXTURES and KEEP_ALIVE

* Refactor pgstacBootstrap to support additional environment variables and update values.yaml to use a map for extraEnvVars

* Refactor deployment.yaml to correctly reference extraEnvVars in pgstacBootstrap settings and clean up values.yaml by removing unused envVars for raster and vector

* Refactor pgstacBootstrap job configuration to use extraEnvFrom and extraEnvVars for environment variable management in job.yaml and values.yaml

* Fix reference to extraEnvFrom in pgstacBootstrap job configuration

* Refactor pgstacBootstrap configuration to add extraEnvFrom, extraVolumeMounts, and extraVolumes for improved secret management and volume handling

* Fix DUMMY_ENV_VAR value type in deployment.yaml to use string format

* Refactor PostgreSQL configuration and remove deprecated database setup

- Introduced a unified PostgreSQL configuration structure in values.yaml, replacing the old db configuration.
- Added new helper functions for managing PostgreSQL environment variables and secrets based on the selected configuration type (postgrescluster, external-plaintext, external-secret).
- Removed old database-related templates (ConfigMap, Deployment, PVC, Secrets, Service) that are no longer needed.
- Updated the pgstacbootstrap job and configmap templates to align with the new PostgreSQL configuration.
- Implemented validation for PostgreSQL settings to ensure required fields are set based on the selected type.

* Add PostgreSQL host reader and writer environment variables, and include DATABASE_URL for connection string

* Added a clarifying comment in values.yaml to explain that values in the external secret (host, port, database) will override the corresponding values defined in external.host, external.port, and external.database.

Confirmed that the conditional blocks in deployment.yaml were already consolidated to eliminate redundancy. The file was already using a single include statement for PostgreSQL environment variables:

env:
  {{- include "eoapi.postgresqlEnv" $ | nindent 12 }}
Removed the unused eoapi.mapLegacyPostgresql helper function from _helpers.tpl as it wasn't being referenced anywhere in the codebase.

* Enhance Azure PostgreSQL setup documentation with detailed setup instructions and examples for server creation, database setup, firewall configuration, and Key Vault integration.

* Remove unused ingress and values.yaml configurations

* Bump chart version to 0.6.0 for release

---------

Co-authored-by: Emmanuel Mathot <[email protected]>
Co-authored-by: geohacker <[email protected]>

Author: 3 people

docs/azure.md

@@ -0,0 +1,318 @@
+# Microsoft Azure Setup
+
+## Using Azure Managed PostgreSQL
+
+With the unified PostgreSQL configuration, connecting to an Azure managed PostgreSQL instance has become more straightforward. Here's how to set it up:
+
+1. **Create an Azure PostgreSQL server**: Create a PostgreSQL server using the Azure portal or the Azure CLI.
+
+   ```bash
+   # Example of creating an Azure PostgreSQL flexible server
+   az postgres flexible-server create \
+     --resource-group myResourceGroup \
+     --name mypostgresserver \
+     --location westus \
+     --admin-user myusername \
+     --admin-password mypassword \
+     --sku-name Standard_B1ms
+   ```
+
+2. **Create a PostgreSQL database**: After creating the server, create a database for your EOAPI deployment.
+
+   ```bash
+   # Create a database on the Azure PostgreSQL server
+   az postgres flexible-server db create \
+     --resource-group myResourceGroup \
+     --server-name mypostgresserver \
+     --database-name eoapi
+   ```
+
+3. **Configure firewall rules**: Ensure that the PostgreSQL server allows connections from your Kubernetes cluster's IP address.
+
+   ```bash
+   # Allow connections from your AKS cluster's outbound IP
+   az postgres flexible-server firewall-rule create \
+     --resource-group myResourceGroup \
+     --server-name mypostgresserver \
+     --name AllowAKS \
+     --start-ip-address <AKS-outbound-IP> \
+     --end-ip-address <AKS-outbound-IP>
+   ```
+
+4. **Store PostgreSQL credentials in Azure Key Vault**: Create secrets in your Azure Key Vault to store the database connection information.
+
+   ```bash
+   # Create Key Vault secrets for PostgreSQL connection
+   az keyvault secret set --vault-name your-keyvault-name --name db-host --value "mypostgresserver.postgres.database.azure.com"
+   az keyvault secret set --vault-name your-keyvault-name --name db-port --value "5432"
+   az keyvault secret set --vault-name your-keyvault-name --name db-name --value "eoapi"
+   az keyvault secret set --vault-name your-keyvault-name --name db-username --value "myusername@mypostgresserver"
+   az keyvault secret set --vault-name your-keyvault-name --name db-password --value "mypassword"
+   ```
+
+## Azure Configuration for eoapi-k8s
+
+When deploying on Azure, you'll need to configure several settings in your values.yaml file. Below are the configurations needed for proper integration with Azure services.
+
+### Common Azure Configuration
+
+First, configure the service account with Azure Workload Identity:
+
+```yaml
+# Service Account Configuration
+serviceAccount:
+  create: true
+  annotations:
+    azure.workload.identity/client-id: "your-client-id"
+    azure.workload.identity/tenant-id: "your-tenant-id"
+```
+
+### Unified PostgreSQL Configuration
+
+Use the unified PostgreSQL configuration with the `external-secret` type to connect to your Azure managed PostgreSQL:
+
+```yaml
+# Configure PostgreSQL connection to use Azure managed PostgreSQL with secrets from Key Vault
+postgresql:
+  # Use external-secret type to get credentials from a pre-existing secret
+  type: "external-secret"
+  
+  # Basic connection information
+  external:
+    host: "mypostgresserver.postgres.database.azure.com"  # Can be overridden by secret values
+    port: "5432"                                          # Can be overridden by secret values
+    database: "eoapi"                                     # Can be overridden by secret values
+    
+    # Reference to a secret that will be created by Azure Key Vault integration
+    existingSecret:
+      name: "azure-pg-credentials"
+      keys:
+        username: "username"     # Secret key for the username
+        password: "password"     # Secret key for the password
+        host: "host"             # Secret key for the host (optional)
+        port: "port"             # Secret key for the port (optional)
+        database: "database"     # Secret key for the database name (optional)
+```
+
+With this configuration, you're telling the PostgreSQL components to use an external PostgreSQL database and to get its connection details from a Kubernetes secret named `azure-pg-credentials`. This secret will be created using Azure Key Vault integration as described below.
+
+### Disable internal PostgreSQL cluster
+
+When using Azure managed PostgreSQL, you should disable the internal PostgreSQL cluster:
+
+```yaml
+postgrescluster:
+  enabled: false
+```
+
+### Azure Key Vault Integration
+
+To allow your Kubernetes pods to access PostgreSQL credentials stored in Azure Key Vault, create a SecretProviderClass:
+
+```yaml
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: azure-pg-secret-provider
+spec:
+  provider: azure
+  parameters:
+    usePodIdentity: "false"
+    clientID: "your-client-id"
+    keyvaultName: "your-keyvault-name"
+    tenantId: "your-tenant-id"
+    objects: |
+      array:
+        - |
+          objectName: db-host
+          objectType: secret
+          objectAlias: host
+        - |
+          objectName: db-port
+          objectType: secret
+          objectAlias: port
+        - |
+          objectName: db-name
+          objectType: secret
+          objectAlias: database
+        - |
+          objectName: db-username
+          objectType: secret
+          objectAlias: username
+        - |
+          objectName: db-password
+          objectType: secret
+          objectAlias: password
+  secretObjects:
+    - secretName: azure-pg-credentials
+      type: Opaque
+      data:
+        - objectName: host
+          key: host
+        - objectName: port
+          key: port
+        - objectName: database
+          key: database
+        - objectName: username
+          key: username
+        - objectName: password
+          key: password
+```
+
+### Service Configuration
+
+For services that need to mount the Key Vault secrets, add the following configuration to each service (pgstacBootstrap, raster, stac, vector, multidim):
+
+```yaml
+# Define a common volume configuration for all services
+commonVolumeConfig: &commonVolumeConfig
+  labels:
+    azure.workload.identity/use: "true"
+  extraVolumeMounts:
+    - name: azure-keyvault-secrets
+      mountPath: /mnt/secrets-store
+      readOnly: true
+  extraVolumes:
+    - name: azure-keyvault-secrets
+      csi:
+        driver: secrets-store.csi.k8s.io
+        readOnly: true
+        volumeAttributes:
+          secretProviderClass: azure-pg-secret-provider
+
+# Apply the common volume configuration to each service
+pgstacBootstrap:
+  enabled: true
+  settings:
+    <<: *commonVolumeConfig
+
+raster:
+  enabled: true
+  settings:
+    <<: *commonVolumeConfig
+
+stac:
+  enabled: true
+  settings:
+    <<: *commonVolumeConfig
+
+vector:
+  enabled: true
+  settings:
+    <<: *commonVolumeConfig
+
+multidim:
+  enabled: false  # set to true if needed
+  settings:
+    <<: *commonVolumeConfig
+```
+
+## Azure Managed Identity Setup
+
+To use Azure Managed Identity with your Kubernetes cluster:
+
+1. **Enable Workload Identity on your AKS cluster**:
+   ```bash
+   az aks update -g <resource-group> -n <cluster-name> --enable-workload-identity
+   ```
+
+2. **Create a Managed Identity**:
+   ```bash
+   az identity create -g <resource-group> -n eoapi-identity
+   ```
+
+3. **Configure Key Vault access**:
+   ```bash
+   # Get the client ID of the managed identity
+   CLIENT_ID=$(az identity show -g <resource-group> -n eoapi-identity --query clientId -o tsv)
+   
+   # Grant access to Key Vault
+   az keyvault set-policy -n <keyvault-name> --secret-permissions get list --spn $CLIENT_ID
+   ```
+
+4. **Create a federated identity credential** to connect the Kubernetes service account to the Azure managed identity:
+   ```bash
+   az identity federated-credential create \
+     --name eoapi-federated-credential \
+     --identity-name eoapi-identity \
+     --resource-group <resource-group> \
+     --issuer <aks-oidc-issuer> \
+     --subject system:serviceaccount:<namespace>:eoapi-sa
+   ```
+
+## Complete Example
+
+Here's a complete example configuration for connecting EOAPI to an Azure managed PostgreSQL database:
+
+```yaml
+# Service Account Configuration with Azure Workload Identity
+serviceAccount:
+  create: true
+  annotations:
+    azure.workload.identity/client-id: "12345678-1234-1234-1234-123456789012"
+    azure.workload.identity/tenant-id: "87654321-4321-4321-4321-210987654321"
+
+# Unified PostgreSQL Configuration - using external-secret type
+postgresql:
+  type: "external-secret"
+  external:
+    host: "mypostgresserver.postgres.database.azure.com"
+    port: "5432"
+    database: "eoapi"
+    existingSecret:
+      name: "azure-pg-credentials"
+      keys:
+        username: "username"
+        password: "password"
+        host: "host"
+        port: "port"
+        database: "database"
+
+# Disable internal PostgreSQL cluster
+postgrescluster:
+  enabled: false
+
+# Define common volume configuration with Azure Key Vault integration
+commonVolumeConfig: &commonVolumeConfig
+  labels:
+    azure.workload.identity/use: "true"
+  extraVolumeMounts:
+    - name: azure-keyvault-secrets
+      mountPath: /mnt/secrets-store
+      readOnly: true
+  extraVolumes:
+    - name: azure-keyvault-secrets
+      csi:
+        driver: secrets-store.csi.k8s.io
+        readOnly: true
+        volumeAttributes:
+          secretProviderClass: azure-pg-secret-provider
+
+# Apply the common volume configuration to each service
+pgstacBootstrap:
+  enabled: true
+  settings:
+    <<: *commonVolumeConfig
+
+stac:
+  enabled: true
+  settings:
+    <<: *commonVolumeConfig
+
+raster:
+  enabled: true
+  settings:
+    <<: *commonVolumeConfig
+
+vector:
+  enabled: true
+  settings:
+    <<: *commonVolumeConfig
+
+multidim:
+  enabled: false
+  settings:
+    <<: *commonVolumeConfig
+```
+
+Make sure to create the SecretProviderClass as shown in the "Azure Key Vault Integration" section above before deploying EOAPI with this configuration.

helm-chart/eoapi/templates/service-account.yaml

@@ -0,0 +1,18 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "eoapi.serviceAccountName" . }}
+  labels:
+    app: eoapi-{{ .Release.Name }}
+    {{- range $key, $value := .Values.serviceAccount.labels }}
+    {{ $key }}: {{ $value | quote }}
+    {{- end }}
+  {{- if .Values.serviceAccount.annotations }}
+  annotations:
+    {{- range $key, $value := .Values.serviceAccount.annotations }}
+    {{ $key }}: {{ $value | quote }}
+    {{- end }}
+  {{- end }}
+automountServiceAccountToken: {{ default true .Values.serviceAccount.automount }}
+{{- end }}

helm-chart/eoapi/templates/services/deployment.yaml

@@ -30,8 +30,10 @@ spec:
     metadata:
       labels:
         app: {{ $serviceName }}-{{ $.Release.Name }}
+        {{- with index $v "settings" "labels" }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
     spec:
-      serviceAccountName: eoapi-sa-{{ $.Release.Name }}
       containers:
       - image: {{ index $v "image" "name" }}:{{ index $v "image" "tag" }}
         name: {{ $serviceName }}
@@ -88,6 +90,15 @@ spec:
             name: {{ $secret }}
         {{- end }}
         {{- end }}
+        {{- with index $v "settings" "extraVolumeMounts" }}
+        volumeMounts:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+      volumes:
+        {{- with index $v "settings" "extraVolumes" }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+      serviceAccountName: {{ include "eoapi.serviceAccountName" $ }}
       {{- with index $v "settings" "affinity" }}
       affinity:
         {{- toYaml . | nindent 8 }}

helm-chart/eoapi/templates/services/rbac.yaml

@@ -1,12 +1,4 @@
 {{- if .Values.apiServices }}
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: eoapi-sa-{{ $.Release.Name }}
-  labels:
-    app: eoapi-{{ $.Release.Name }}
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -26,7 +18,7 @@ metadata:
     app: eoapi-{{ $.Release.Name }}
 subjects:
 - kind: ServiceAccount
-  name: eoapi-sa-{{ $.Release.Name }}
+  name: {{ include "eoapi.serviceAccountName" . }}
   namespace: {{ $.Release.Namespace }}
 roleRef:
   kind: Role

helm-chart/eoapi/test-k3s-unittest-values.yaml

@@ -3,6 +3,8 @@ testing: true
 ingress:
   enabled: true
   className: "traefik"
+postgrescluster:
+  enabled: true
 pgstacBootstrap:
   enabled: true
   settings: