Skip to content

Model secrets as a property of PostgreSql Databases #95

Open
Reshrahim wants to merge 5 commits intoradius-project:mainfrom
Reshrahim:main
Open

Model secrets as a property of PostgreSql Databases #95
Reshrahim wants to merge 5 commits intoradius-project:mainfrom
Reshrahim:main

Conversation

@Reshrahim
Copy link
Contributor

@Reshrahim Reshrahim commented Jan 22, 2026
edited
Loading

This pull request introduces changes to how PostgreSQL database credentials are managed and injected into Kubernetes containers using secrets. The changes refactor the postgreSqlDatabases resource to require a secretName property, ensuring that sensitive information like usernames and passwords is stored in Kubernetes secrets rather than as resource properties. The Bicep recipes, documentation, and schema definitions have been updated to reflect and support this new pattern.

Short gist - https://gist.github.com/Reshrahim/5ea332db690c623de64c1c85a01071aa

  • Modified the postgreSqlDatabases resource schema to require the secretName property and removed username and password from the resource outputs and required properties.
  • Refactored the PostgreSQL Bicep recipe to require a secretName property, removing username and password from output properties and instead sourcing them from a referenced Kubernetes secret. The deployment now pulls credentials using valueFrom.secretKeyRef referencing the provided secret.
  • Updated the container connection logic to map secret keys (username, password) as uppercase environment variables when a secretName is provided, ensuring injection of credentials into containers. Also fixed this bug Environment variables from Connected resource doesn't get injected properly on the container #92
  • Updated developer documentation in both the PostgreSQL and secrets resource types to demonstrate the new pattern of creating and referencing secrets, including deployment instructions and sample Bicep.
  • Updated test app.bicep files to use the new secret-based pattern for PostgreSQL databases and secrets

@Reshrahim
Secrets as property of db
9290024 
Signed-off-by: Reshma Abdul Rahim <reshmarahim.abdul@microsoft.com>
@Reshrahim
Modelin secrets as a property of db
3a5a62e 
Signed-off-by: Reshma Abdul Rahim <reshmarahim.abdul@microsoft.com>
@Reshrahim Reshrahim requested review from a team as code owners January 22, 2026 21:15
@Reshrahim
Merge branch 'main' into main
3da10b6 
Signed-off-by: Reshma Abdul Rahim <61033581+Reshrahim@users.noreply.github.com>
zachcasper
zachcasper requested changes Jan 22, 2026
View reviewed changes
Copy link
Contributor

@zachcasper zachcasper left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I only reviewed secrets.yaml, postgreSqlDatabases.yaml, and postgresql.bicep.

Data/postgreSqlDatabases/postgreSqlDatabases.yaml
resource myApplication 'Applications.Core/Applications@2023-10-01-preview' = { ... }

resource frontend 'Applications.Core/containers@2023-10-01-preview' = {
resource frontend 'Radius.Compute/containers@2025-08-01-preview' = {
Copy link
Contributor

@zachcasper zachcasper Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Needs to be

          connections: {
            postgresql: {
              source: postgresql.id

Data/postgreSqlDatabases/postgreSqlDatabases.yaml Outdated
Comment on lines 83 to 85
secretName:
type: string
description: "(Required) The name of the secret containing the database crdentials"
Copy link
Contributor

@zachcasper zachcasper Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
secretName:
type: string
description: "(Required) The name of the secret containing the database crdentials"
secretName:
type: string
description: "(Required) The name of the secret containing the database crdentials"

I'm wondering if this should be credentials.secretName rather than just secretName. If that clearer?

Data/postgreSqlDatabases/recipes/kubernetes/bicep/kubernetes-postgresql.bicep
var dbSecretName = context.resource.properties.secretName
var database string = 'postgres_db'
var tag string = '16-alpine'
var port = 5432
Copy link
Contributor

@zachcasper zachcasper Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
var port = 5432
var port = 5432
var applicationName = context.application != null ? context.application.name : ''
// Extract last segment from environment path for labels
var environmentId = resourceProperties.?environment ?? ''
var environmentParts = environmentId != '' ? split(environmentId, '/') : []
var environmentName = length(environmentParts) > 0
? environmentParts[length(environmentParts) - 1]
: ''
// Extract resource group name
// Index 4 is the resource group name
var resourceGroupName = split(context.resource.id, '/')[4]
// Common labels
var labels = {
'radapp.io/resource': resourceName
'radapp.io/application': applicationName
'radapp.io/environment': environmentName
'radapp.io/resource-type': replace(context.resource.type, '/', '-')
'radapp.io/resource-group': resourceGroupName
}

Copy link
Contributor Author

@Reshrahim Reshrahim Feb 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should all of these be populated when deploying Recipes? I think we should prioritize this issue -#60 and not have users write so much code to get Radius metadata.

Data/postgreSqlDatabases/recipes/kubernetes/bicep/kubernetes-postgresql.bicep
metadata: {
name: uniqueName
name: resourceName
namespace: namespace
Copy link
Contributor

@zachcasper zachcasper Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
namespace: namespace
namespace: namespace
labels: labels

Data/postgreSqlDatabases/recipes/kubernetes/bicep/kubernetes-postgresql.bicep
name: uniqueName
}
name: resourceName
namespace: namespace
Copy link
Contributor

@zachcasper zachcasper Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
namespace: namespace
namespace: namespace
labels: labels

willdavsmith
willdavsmith reviewed Jan 23, 2026
View reviewed changes
willdavsmith
willdavsmith reviewed Jan 23, 2026
View reviewed changes
willdavsmith
willdavsmith reviewed Jan 23, 2026
View reviewed changes
willdavsmith
willdavsmith reviewed Jan 23, 2026
View reviewed changes
@zachcasper zachcasper mentioned this pull request Feb 2, 2026
Closed
17 tasks
Reshrahim and others added 2 commits February 6, 2026 14:08
@Reshrahim @willdavsmith @zachcasper
Apply suggestions from code review
09530c9 
Co-authored-by: Will Smith <willdavsmith@gmail.com>
Co-authored-by: Zach Casper <zachcasper@microsoft.com>
Signed-off-by: Reshma Abdul Rahim <61033581+Reshrahim@users.noreply.github.com>
@Reshrahim
Merge branch 'main' into main
680e24c
@Reshrahim
Copy link
Contributor Author

Reshrahim commented Feb 6, 2026

@sk593 and @lakshmimsft - Can you help review updates to the container Recipe?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@willdavsmith willdavsmith willdavsmith left review comments

@zachcasper zachcasper zachcasper requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Reshrahim @zachcasper @willdavsmith