{"id":20376677,"url":"https://github.com/andrebriggs/fence-csi","last_synced_at":"2025-07-29T01:37:15.535Z","repository":{"id":150973677,"uuid":"328622464","full_name":"andrebriggs/fence-csi","owner":"andrebriggs","description":null,"archived":false,"fork":false,"pushed_at":"2021-03-12T06:20:04.000Z","size":24,"stargazers_count":0,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-04T21:42:17.648Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/andrebriggs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-01-11T10:09:37.000Z","updated_at":"2021-03-12T06:20:06.000Z","dependencies_parsed_at":null,"dependency_job_id":"11f64ca8-c96b-4e46-8b9d-b58578b73483","html_url":"https://github.com/andrebriggs/fence-csi","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/andrebriggs/fence-csi","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andrebriggs%2Ffence-csi","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andrebriggs%2Ffence-csi/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andrebriggs%2Ffence-csi/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andrebriggs%2Ffence-csi/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/andrebriggs","download_url":"https://codeload.github.com/andrebriggs/fen
ce-csi/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/andrebriggs%2Ffence-csi/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":267616825,"owners_count":24116167,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-28T02:00:09.689Z","response_time":68,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-15T01:39:08.324Z","updated_at":"2025-07-29T01:37:15.515Z","avatar_url":"https://github.com/andrebriggs.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Fence on Azure Cloud POC\n\n## Goals\n- [x] Create an AKS cluster that supports managed identities\n- [x] Have all secrets mounted from Azure Key Vault using the CSI Driver and AAD Pod Identity\n- [x] Successful run of a k8s job to initialize the Fence DB (uses Azure Key Vault derived secrets)\n- [ ] Successfully set up the [Fence](https://github.com/andrebriggs/fence/tree/azure_support) deployment and service k8s objects (uses Azure Key Vault derived secrets)\n\n## What's going on\n* Create an Azure Identity that has a reader role on Azure KeyVault\n* Associate the Azure Identity with AAD Pod Identity (in k8s)\n* Correctly labeled k8s deployments use the Azure Identity via AAD Pod Identity and are able to access Azure KeyVault as a mounted volume using the 
[secrets-store-csi-driver](https://github.com/kubernetes-sigs/secrets-store-csi-driver) and [secrets-store-csi-driver-provider-azure](https://github.com/Azure/secrets-store-csi-driver-provider-azure)\n* A K8S job resource creates a pod that [initializes](https://github.com/uc-cdis/userdatamodel) the Fence database (creates tables, etc.) after loading credentials from a file that is set up in Azure KeyVault\n\n## Manual Steps for Postgres\n* Create an Azure PostgreSQL server\n* Log in to the `postgres` db and create a new database (I used `metadata_db`)\n* Run the `fencedb-create-job.yaml` and wait for completion\n* Check the logs of the pod that the job created (`k logs fencedb-create-xxxxx`)\n* Log into the DB and verify the tables were created\n\nThe job creates a pod that looks for a creds JSON file in the following format:\n```json\n{\n    \"db_host\": \"\u003cYOUR ACCOUNT\u003e.postgres.database.azure.com\",\n    \"db_username\": \"\u003cAzure Postgres Username\u003e\",\n    \"db_password\": \"\u003cPassword\u003e\",\n    \"db_database\": \"\u003cWhatever you named the DB\u003e\"\n}\n```\nIf running scripts in `./deploy`, load the following environment variables into your environment:\n```bash\nexport SUBID=\"Azure subscription guid\"\nexport REGION=\"Azure region, for instance \u003cwestus\u003e\"\nexport RESOURCE_GROUP=\"Azure resource group name\"\nexport CLUSTER=\"AKS Cluster name\"\nexport STORAGE_ACCOUNT=\"Azure Storage account name\"\nexport NODE_RESOURCE_GROUP=\"Managed cluster resource group \u003cMC_xxxxx\u003e\"\nexport VAULT_NAME=\"Azure Keyvault name\"\n```\n\n## Long Term\nUsing Terraform would most likely be a better production choice when setting up all of this. We could utilize [Bedrock](https://github.com/Microsoft/bedrock) TF templates.
\n\n\u003c!-- \n\n-----\n\nAdding `creds.json` to AzKV:\n`az keyvault secret set --vault-name $VAULT_NAME --name \"fence-creds\" --file ./secrets/creds.json`\n\n[Install the Azure Key Vault Provider](https://github.com/Azure/secrets-store-csi-driver-provider-azure/blob/master/docs/install-yamls.md#install-the-azure-key-vault-provider)\n\n`kubectl apply -f https://raw.githubusercontent.com/Azure/secrets-store-csi-driver-provider-azure/master/deployment/provider-azure-installer.yaml`\n\nThings that helped:\nhttps://github.com/Azure/secrets-store-csi-driver-provider-azure/issues/88\n\nFinally verify with kubectl exec -it nginx-secrets-store-inline cat /mnt/secrets-store/fence-creds --\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fandrebriggs%2Ffence-csi","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fandrebriggs%2Ffence-csi","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fandrebriggs%2Ffence-csi/lists"}