Skip to content

[On hold] Refactored postgreSqlDatabases to handle secrets properly#78

Closed
zachcasper wants to merge 28 commits intoradius-project:mainfrom
zachcasper:postgreSqlDatabases
Closed

[On hold] Refactored postgreSqlDatabases to handle secrets properly#78
zachcasper wants to merge 28 commits intoradius-project:mainfrom
zachcasper:postgreSqlDatabases

Conversation

@zachcasper
Copy link
Contributor

@zachcasper zachcasper commented Nov 25, 2025
edited
Loading

Update: This PR is blocked on radius-project/radius#10890

Description

This pull request refactors and improves the configuration and deployment of PostgreSQL databases and Kubernetes secrets in the Radius platform. The goal is to establish a best practices pattern for other database resources. The main focus is on enforcing the use of external secrets for database credentials, updating documentation and schema to reflect this requirement, and enhancing the Kubernetes and Terraform recipes for better resource naming, labeling, and secret handling. Specifically:

  1. Removes generating credentials in the Recipe
  2. Adds the requirement to add a connection to a secret
  3. Adds consistent labeling for Kubernetes resources
  4. Synchronizes Bicep and Terraform recipes
  5. Adds missing output resources on secrets recipe
  6. Fixes double encoding issue Secrets Terraform Recipe double encodes key value when encoding is string #53
  7. Updates developer documentation
  8. Included test app.bicep with testing instructions embedded

Contributor Checklist

  • File names follow naming conventions and folder structure
  • Platform engineer documentation is in README.md
  • Developer documentation is the top-level description property
  • Example of defining the Resource Type is in the developer documentation
  • Example of using the Resource Type with a Container is in the developer documentation
  • Verified the output of rad resource-type show is correct
  • All properties in the Resource Type definition have clear descriptions
  • Enum properties have values defined in enum: []
  • Required properties are listed in required: [] for every object property (not just the top-level properties)
  • Properties about the deployed resource, such as connection strings, are defined as read-only properties and are marked as readOnly: true
  • Recipes include a results output variable with all read-only properties set
  • Environment-specific parameters, such as a vnet ID, are exposed for platform engineers to set in the Environment
  • Recipes use the Recipe context object when possible
  • Recipes are provided for at least one platform
  • Recipes handle secrets securely
  • Recipes are idempotent
  • Resource types and recipes were tested

@zachcasper
Refactored how secrets are handled for PostgreSQL
03332d5 
Signed-off-by: Zach Casper <zachcasper@microsoft.com>
@zachcasper
Updated recipes
ae59b86 
Signed-off-by: Zach Casper <zachcasper@microsoft.com>
@zachcasper
Updated recipes
b2b59c0 
Signed-off-by: Zach Casper <zachcasper@microsoft.com>
@zachcasper
Updated recipes
c2abc53 
Signed-off-by: Zach Casper <zachcasper@microsoft.com>
@zachcasper
Updated recipes
5afd18f 
Signed-off-by: Zach Casper <zachcasper@microsoft.com>
@zachcasper
Updated recipes
745211a 
Signed-off-by: Zach Casper <zachcasper@microsoft.com>
@zachcasper
Updated recipes
13a3ab0 
Signed-off-by: Zach Casper <zachcasper@microsoft.com>
@zachcasper
Updated recipes
2344302 
Signed-off-by: Zach Casper <zachcasper@microsoft.com>
@zachcasper
Updated recipes
ab4d35a 
Signed-off-by: Zach Casper <zachcasper@microsoft.com>
@zachcasper
Updated recipes
383447f 
Signed-off-by: Zach Casper <zachcasper@microsoft.com>
@zachcasper
Updated recipes
b80c3e7 
Signed-off-by: Zach Casper <zachcasper@microsoft.com>
@zachcasper
Updated recipes
2c61ba4 
Signed-off-by: Zach Casper <zachcasper@microsoft.com>
@zachcasper
Updated recipes
a454b81 
Signed-off-by: Zach Casper <zachcasper@microsoft.com>
@zachcasper
Updated recipes
70145b0 
Signed-off-by: Zach Casper <zachcasper@microsoft.com>
@zachcasper
Updated recipes
d6311ce 
Signed-off-by: Zach Casper <zachcasper@microsoft.com>
@zachcasper
Updated recipes
ce88b7a 
Signed-off-by: Zach Casper <zachcasper@microsoft.com>
@zachcasper
Updated recipes
5a4cdcb 
Signed-off-by: Zach Casper <zachcasper@microsoft.com>
@zachcasper
Updated recipes
fed1664 
Signed-off-by: Zach Casper <zachcasper@microsoft.com>
@zachcasper
Updated recipes
9ea10f2 
Signed-off-by: Zach Casper <zachcasper@microsoft.com>
@zachcasper
Updated recipes
7b974f3 
Signed-off-by: Zach Casper <zachcasper@microsoft.com>
@zachcasper
Updated recipes
dd546ef 
Signed-off-by: Zach Casper <zachcasper@microsoft.com>
@zachcasper
Updated recipes
46749af 
Signed-off-by: Zach Casper <zachcasper@microsoft.com>
@zachcasper
Updated recipes
6933cbf 
Signed-off-by: Zach Casper <zachcasper@microsoft.com>
@zachcasper
Updated recipes
ac56adc 
Signed-off-by: Zach Casper <zachcasper@microsoft.com>
@zachcasper
Working PostgreSQL with secrets in Bicep and Terraform
daa624a 
Signed-off-by: Zach Casper <zachcasper@microsoft.com>
@zachcasper zachcasper requested review from a team as code owners November 25, 2025 16:10
@zachcasper zachcasper changed the title Postgre sql databases Refactored postgreSqlDatabases to handle secrets properly Nov 25, 2025
@zachcasper
Reverted resource naming to as specified by dev
037abb8 
Signed-off-by: Zach Casper <zachcasper@microsoft.com>
@zachcasper
Fixed tests
8f0bb70 
Signed-off-by: Zach Casper <zachcasper@microsoft.com>
@zachcasper zachcasper mentioned this pull request Nov 25, 2025
Open
Reshrahim
Reshrahim reviewed Nov 25, 2025
View reviewed changes
Copy link
Contributor

@Reshrahim Reshrahim left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested some changes on removing secretName property as we decided to use resource name

willtsai
willtsai reviewed Dec 1, 2025
View reviewed changes
Data/postgreSqlDatabases/postgreSqlDatabases.yaml
environment: environment
}
}

Copy link
Contributor

@willtsai willtsai Dec 1, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add an example for the credentials secrets resource declaration here?

@zachcasper
Removed secretName and used the resource name instead.
0e5e202 
Signed-off-by: Zach Casper <zachcasper@microsoft.com>
@zachcasper zachcasper changed the title Refactored postgreSqlDatabases to handle secrets properly [WIP] Refactored postgreSqlDatabases to handle secrets properly Dec 1, 2025
brooke-hamilton
brooke-hamilton reviewed Dec 2, 2025
View reviewed changes
Copy link
Member

@brooke-hamilton brooke-hamilton left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this ready for review? The title says [WIP] so maybe I'm doing this too soon. There is one comment below, and I'll do more review if this is ready.

Data/postgreSqlDatabases/recipes/kubernetes/bicep/kubernetes-postgresql.bicep
// Get the secret reference. Should be only a single connected resource.
var radiusConnectionsMap = context.resource.?connections ?? {}
var radiusConnectionList = items(radiusConnectionsMap)
var radiusFirstConnection = length(radiusConnectionList) > 0 ? radiusConnectionList[0].value : null
Copy link
Member

@brooke-hamilton brooke-hamilton Dec 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why would the secret be the only connection? Or if there are multiple, why would it be the first connection? Maybe a comment here would help explain.

Copy link
Contributor Author

@zachcasper zachcasper Dec 2, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the challenge with modeling the secret as a connection. @Reshrahim highlighted an inconsistency in how we are handling secrets.

@lakshmimsft's approach was to use connections from a database resource to a secret. We got some things for free, but I'll have to let her comment on what exactly the benefits of using connections was.

However, in the Containers Resource Type, @sk593 used the secretName and key which is more Kubernetes-like. This appears more straightforward since there can only be one secretName and key. Unlike connections which could be anything.

We should be consistent.

@zachcasper zachcasper changed the title [WIP] Refactored postgreSqlDatabases to handle secrets properly [On hold] Refactored postgreSqlDatabases to handle secrets properly Dec 2, 2025
@zachcasper
Copy link
Contributor Author

zachcasper commented Dec 2, 2025

Is this ready for review? The title says [WIP] so maybe I'm doing this too soon. There is one comment below, and I'll do more review if this is ready.

It's on hold. Blocked by radius-project/radius#10890

@zachcasper
Copy link
Contributor Author

zachcasper commented Feb 2, 2026

Closing in lieu of #95

@zachcasper zachcasper closed this Feb 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@willtsai willtsai willtsai left review comments

@brooke-hamilton brooke-hamilton brooke-hamilton left review comments

@Reshrahim Reshrahim Reshrahim left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@zachcasper @willtsai @brooke-hamilton @Reshrahim