Model secrets as a property of PostgreSql Databases #95
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Reshma Abdul Rahim <[email protected]>
Signed-off-by: Reshma Abdul Rahim <[email protected]>
Signed-off-by: Reshma Abdul Rahim <[email protected]>
zachcasper
requested changes
Jan 22, 2026
Contributor
zachcasper
left a comment
zachcasper
left a comment
There was a problem hiding this comment.
I only reviewed secrets.yaml, postgreSqlDatabases.yaml, and postgresql.bicep.
| resource myApplication 'Applications.Core/Applications@2023-10-01-preview' = { ... } | ||
|
|
||
| resource frontend 'Applications.Core/containers@2023-10-01-preview' = { | ||
| resource frontend 'Radius.Compute/containers@2025-08-01-preview' = { |
Contributor
There was a problem hiding this comment.
Needs to be
connections: {
postgresql: {
source: postgresql.id
Comment on lines
83
to
85
| secretName: | ||
| type: string | ||
| description: "(Required) The name of the secret containing the database crdentials" |
Contributor
There was a problem hiding this comment.
Suggested change
| secretName: | |
| type: string | |
| description: "(Required) The name of the secret containing the database crdentials" | |
| secretName: | |
| type: string | |
| description: "(Required) The name of the secret containing the database crdentials" |
I'm wondering if this should be credentials.secretName rather than just secretName. If that clearer?
| var dbSecretName = context.resource.properties.secretName | ||
| var database string = 'postgres_db' | ||
| var tag string = '16-alpine' | ||
| var port = 5432 |
Contributor
There was a problem hiding this comment.
Suggested change
| var port = 5432 | |
| var port = 5432 | |
| var applicationName = context.application != null ? context.application.name : '' | |
| // Extract last segment from environment path for labels | |
| var environmentId = resourceProperties.?environment ?? '' | |
| var environmentParts = environmentId != '' ? split(environmentId, '/') : [] | |
| var environmentName = length(environmentParts) > 0 | |
| ? environmentParts[length(environmentParts) - 1] | |
| : '' | |
| // Extract resource group name | |
| // Index 4 is the resource group name | |
| var resourceGroupName = split(context.resource.id, '/')[4] | |
| // Common labels | |
| var labels = { | |
| 'radapp.io/resource': resourceName | |
| 'radapp.io/application': applicationName | |
| 'radapp.io/environment': environmentName | |
| 'radapp.io/resource-type': replace(context.resource.type, '/', '-') | |
| 'radapp.io/resource-group': resourceGroupName | |
| } |
Contributor
Author
There was a problem hiding this comment.
Should all of these be populated when deploying Recipes? I think we should prioritize this issue -#60 and not have users write so much code to get Radius metadata.
| metadata: { | ||
| name: uniqueName | ||
| name: resourceName | ||
| namespace: namespace |
Contributor
There was a problem hiding this comment.
Suggested change
| namespace: namespace | |
| namespace: namespace | |
| labels: labels |
| name: uniqueName | ||
| } | ||
| name: resourceName | ||
| namespace: namespace |
Contributor
There was a problem hiding this comment.
Suggested change
| namespace: namespace | |
| namespace: namespace | |
| labels: labels |
17 tasks
Co-authored-by: Will Smith <[email protected]> Co-authored-by: Zach Casper <[email protected]> Signed-off-by: Reshma Abdul Rahim <[email protected]>
Contributor
Author
|
@sk593 and @lakshmimsft - Can you help review updates to the container Recipe? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This pull request introduces changes to how PostgreSQL database credentials are managed and injected into Kubernetes containers using secrets. The changes refactor the
postgreSqlDatabasesresource to require asecretNameproperty, ensuring that sensitive information like usernames and passwords is stored in Kubernetes secrets rather than as resource properties. The Bicep recipes, documentation, and schema definitions have been updated to reflect and support this new pattern.Short gist - https://gist.github.com/Reshrahim/5ea332db690c623de64c1c85a01071aa
postgreSqlDatabasesresource schema to require thesecretNameproperty and removedusernameandpasswordfrom the resource outputs and required properties.secretNameproperty, removingusernameandpasswordfrom output properties and instead sourcing them from a referenced Kubernetes secret. The deployment now pulls credentials usingvalueFrom.secretKeyRefreferencing the provided secret.username,password) as uppercase environment variables when asecretNameis provided, ensuring injection of credentials into containers. Also fixed this bug Environment variables from Connected resource doesn't get injected properly on the container #92app.bicepfiles to use the new secret-based pattern for PostgreSQL databases and secrets