https://github.com/andrebriggs/fence-csi
- Host: GitHub
- URL: https://github.com/andrebriggs/fence-csi
- Owner: andrebriggs
- Created: 2021-01-11T10:09:37.000Z (over 5 years ago)
- Default Branch: main
- Last Pushed: 2021-03-12T06:20:04.000Z (over 5 years ago)
- Last Synced: 2025-03-04T21:42:17.648Z (over 1 year ago)
- Language: Shell
- Size: 23.4 KB
- Stars: 0
- Watchers: 2
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# Fence on Azure Cloud POC
## Goals
- [x] Create an AKS cluster that supports managed identities
- [x] Have all secrets mounted from Azure Key Vault using the CSI driver and AAD Pod Identity
- [x] Successful run of a k8s Job that initializes the Fence DB (uses secrets derived from Azure Key Vault)
- [ ] Successfully set up the [Fence](https://github.com/andrebriggs/fence/tree/azure_support) Deployment and Service k8s objects (uses secrets derived from Azure Key Vault)
## What's going on
* Create an Azure Identity (a user-assigned managed identity) with read access to secrets in Azure Key Vault
* Associate the Azure Identity with AAD Pod Identity (in k8s) via an `AzureIdentity` and `AzureIdentityBinding`
* Correctly labeled k8s deployments (label `aadpodidbinding`) assume the Azure Identity via AAD Pod Identity and get the Key Vault secrets as files in a mounted volume, using the [secrets-store-csi-driver](https://github.com/kubernetes-sigs/secrets-store-csi-driver) and [secrets-store-csi-driver-provider-azure](https://github.com/Azure/secrets-store-csi-driver-provider-azure)
* A k8s Job resource creates a pod that [initializes](https://github.com/uc-cdis/userdatamodel) the Fence database (creates tables, etc.) after loading credentials from a file whose contents are stored in Azure Key Vault
## Manual Steps for Postgres
* Create an Azure PostgreSQL server
* Log in to the `postgres` db and create a new database (I used `metadata_db`)
* Apply `fencedb-create-job.yaml` and wait for the job to complete
* Check the logs of the pod that the job created (`k logs fencedb-create-xxxxx`)
* Log in to the DB and verify that the tables were created
The job creates a pod that looks for a creds json file in the format of
```json
{
"db_host": ".postgres.database.azure.com",
"db_username": "",
"db_password": "",
"db_database": ""
}
```
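The manifests below are an added example, not files from the fence-csi repo: they wire together the pieces described under "What's going on" (AzureIdentity, AzureIdentityBinding, a SecretProviderClass using pod identity, and the DB-init Job mounting the creds file). All names (`fence-identity`, `fence`, `fence-kv-creds`, `fence-db-creds`, `fencedb-create`), the placeholder IDs, the image and the init command are assumptions; the Key Vault secret `fence-db-creds` is assumed to hold the JSON shown above as its value.

```yaml
# Added example (not from the fence-csi repo). Placeholders in <...> must be filled in.
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentity
metadata:
  name: fence-identity
spec:
  type: 0                                   # 0 = user-assigned managed identity
  resourceID: /subscriptions/<SUBID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/fence-identity
  clientID: 00000000-0000-0000-0000-000000000000   # placeholder client ID of the identity
---
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentityBinding
metadata:
  name: fence-identity-binding
spec:
  azureIdentity: fence-identity
  selector: fence                           # pods labelled aadpodidbinding: fence get this identity
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: fence-kv-creds
spec:
  provider: azure
  parameters:
    usePodIdentity: "true"                  # authenticate to Key Vault with the AAD Pod Identity above
    keyvaultName: "<VAULT_NAME>"
    tenantId: "<tenant guid>"
    objects: |
      array:
        - |
          objectName: fence-db-creds        # Key Vault secret whose value is the creds JSON (assumed name)
          objectType: secret
---
apiVersion: batch/v1
kind: Job
metadata:
  name: fencedb-create
spec:
  backoffLimit: 0
  template:
    metadata:
      labels:
        aadpodidbinding: fence              # must match the AzureIdentityBinding selector
    spec:
      restartPolicy: Never
      containers:
        - name: init
          image: fence-initdb:local         # assumed image; the README does not name the job image
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -e
              # Fail fast if the CSI mount did not deliver the secret (empty or missing file)
              test -s /mnt/secrets-store/fence-db-creds
              cp /mnt/secrets-store/fence-db-creds /var/www/fence/creds.json
              exec fence-create migrate     # assumed init command
          volumeMounts:
            - name: kv
              mountPath: /mnt/secrets-store
              readOnly: true
      volumes:
        - name: kv
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: fence-kv-creds
```

Two things to check before expecting the job to succeed: the managed identity needs the Key Vault data-plane permission to get secrets (an access policy granting secret `get`, or the Key Vault Secrets User RBAC role); the control-plane Reader role on the vault alone does not let the provider read secret values. And the secret only exists as a file in the pod's CSI mount; it is not written to a Kubernetes `Secret` object unless `secretObjects` syncing is explicitly configured in the SecretProviderClass, which keeps it out of etcd and out of `kubectl get secret` output.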
If running the scripts in `./deploy`, load the following ENV VARS into your environment:
```bash
export SUBID="Azure subscription guid"
export REGION="Azure region, for instance "
export RESOURCE_GROUP="Azure resource group name"
export CLUSTER="AKS Cluster name"
export STORAGE_ACCOUNT="Azure Storage account name"
export NODE_RESOURCE_GROUP="Managed cluster resource group "
export VAULT_NAME="Azure Keyvault name"
```
## Long Term
Using Terraform would most likely be a better choice for production when setting all of this up; we could use the [Bedrock](https://github.com/Microsoft/bedrock) TF templates.