Skip to main content
logoTetrate Service BridgeVersion: 1.8.x

Configuring Azure AD with PostgreSQL in TSB

This guide explains how to integrate Azure Active Directory (now Microsoft Entra ID) with Tetrate Service Bridge (TSB) to enable authentication for TSB components (e.g., the TSB API server) running in Azure Kubernetes Service (AKS) when interacting with Azure PostgreSQL without storing sensitive credentials in Kubernetes Secrets.

Before you begin:

✓ Make sure kubectl or helm is set up to communicate with your management cluster.
✓ Make sure Azure CLI is set up to your Azure subscription.

Environment Variables

Replace the placeholder values enclosed in angle brackets with the corresponding real values. You can modify all other values to suit your specific needs.

Skipping steps

If you have already completed some of the steps in this guide, you can skip them and go to the next step.

Enabling OIDC and Azure Workload Identity on your AKS cluster

You need to enable OIDC and Azure Workload Identity on your AKS cluster. You can use following command to enable OIDC and Azure Workload Identity on your existing AKS cluster:

export RESOURCE_GROUP="<your-azure-resource-group>"
export LOCATION="<your-azure-region>"
export CLUSTER_NAME="<your-aks-name>"
az aks update \
  -g $RESOURCE_GROUP \
  -n $CLUSTER_NAME \
  --enable-oidc-issuer \
  --enable-workload-identity

Setting up a managed identity

Create a managed identity for TSB to use when authenticating with Azure PostgreSQL.

export USER_ASSIGNED_IDENTITY_NAME="passswordless-tsb-identity"  
az identity create \
  --name $USER_ASSIGNED_IDENTITY_NAME \
  --resource-group $RESOURCE_GROUP \
  --location $LOCATION

Then gather its ID for next steps

export IDENTITY_CLIENT_ID=$(az identity show --resource-group $RESOURCE_GROUP --name $USER_ASSIGNED_IDENTITY_NAME --query 'clientId' -otsv)

Create a PostgreSQL server

Using existing PostgreSQL server

Make sure that the PostgreSQL server is configured to allow access from the AKS cluster. You can do this by enabling public access, adding the AKS cluster's IP address to the server's firewall rules or using Private Endpoints.

Azure Database for PostgreSQL has two modes: Single Server and Flexible Server. You can use either mode with TSB.

export DATABASE_SERVER_NAME="tsb-postgres"
export DATABASE_LOCAL_USER="tsbpguser"
export DATABASE_PASSWORD="<very-secure-password>"
export DATABASE_NAME="tsb"

Create a PostgreSQL server

az postgres flexible-server create \
  --name $DATABASE_SERVER_NAME \
  --resource-group $RESOURCE_GROUP \
  --sku-name Standard_D2s_v3 \
  --admin-user $DATABASE_LOCAL_USER \
  --admin-password $DATABASE_PASSWORD \
  --active-directory-auth enabled

Create a firewall rule to allow access from the AKS cluster

az postgres flexible-server firewall-rule create \
    --resource-group $RESOURCE_GROUP \
    --name $DATABASE_SERVER_NAME \
    --rule-name $DATABASE_SERVER_NAME-database-allow-local-ip \
    --start-ip-address 0.0.0.0 \
    --end-ip-address 255.255.255.255 \
   -o tsv

Create a database that will be used by TSB

az postgres flexible-server db create \
    --resource-group $RESOURCE_GROUP \
    --database-name $DATABASE_NAME \
    --server-name $DATABASE_SERVER_NAME \
   -o tsv

Configure Azure AD authentication for PostgreSQL

You need Azure AD admin credentials to configure Azure AD authentication for PostgreSQL. You can use following command to put yourself as an Azure AD Admin so you can complete this step.

export DATABASE_AAD_ADMIN_OBJECT_ID=$(az ad signed-in-user show --query "[id]" -o tsv)
export DATABASE_AAD_ADMIN_NAME=$(az ad signed-in-user show --query "[userPrincipalName]" -o tsv)

az postgres flexible-server ad-admin create \
    --server-name $DATABASE_SERVER_NAME \
    -g $RESOURCE_GROUP \
    --display-name $DATABASE_AAD_ADMIN_NAME \
    --object-id $DATABASE_AAD_ADMIN_OBJECT_ID

Then create user in PostgreSQL server that connected to previously created managed Identity. Before you continue, get managed identity client id and database name from previous steps:

echo $IDENTITY_CLIENT_ID
echo $DATABASE_NAME

Login to the PostgreSQL server using the Azure AD admin credentials you created earlier.

export PGPASSWORD=$(az account get-access-token --resource-type oss-rdbms --query "[accessToken]" -o tsv)

psql "host=$DATABASE_SERVER_NAME.postgres.database.azure.com port=5432 dbname=postgres user=$DATABASE_AAD_ADMIN_NAME sslmode=require"

In the psql shell, run the following commands to create a user that linked to managed identity and grant it access to the database. Replace <IDENTITY_CLIENT_ID> and <DATABASE_NAME> with the corresponding real values that you got above.

Database User

In the following example, you use tsbaduser as the database user name that TSB will use. You will use this name later when configuring TSB PostgreSQL data store.

select * from pgaadauth_create_principal_with_oid('tsbaduser', '<IDENTITY_CLIENT_ID>', 'service', false, false);
select * from pgaadauth_list_principals(false);

Then exit the psql shell.

At this point, you have a PostgreSQL server configured to allow access from the AKS cluster and a database user that can access the TSB database using Azure AD authentication.

Create the federated credential

Create a federated credential for the managed identity you created earlier. This credential will be used by TSB to authenticate with Azure PostgreSQL. You need create two federated credentials, one for the TSB API server and one for the TSB IAM server service account since both of them need to access Azure PostgreSQL.

Get the OIDC issuer URL for your AKS cluster:

export AKS_OIDC_ISSUER=$(az aks show -n ${CLUSTER_NAME} -g ${RESOURCE_GROUP} --query 'oidcIssuerProfile.issuerUrl' -otsv)
Service Account name

The service account name for TSB API server is tsb-tsb and the service account name for TSB IAM server is tsb-iam. Do not change these names.

Create the federated credential for the TSB API server:

export FEDERATED_IDENTITY_CREDENTIAL_NAME="tsb-federated-identity"
export NAMESPACE_NAME="tsb"
export SERVICE_ACCOUNT_NAME="tsb-tsb"

az identity federated-credential create \
    --name ${FEDERATED_IDENTITY_CREDENTIAL_NAME} \
    --identity-name ${USER_ASSIGNED_IDENTITY_NAME} \
    --resource-group ${RESOURCE_GROUP} \
    --issuer ${AKS_OIDC_ISSUER} \
    --subject system:serviceaccount:${NAMESPACE_NAME}:${SERVICE_ACCOUNT_NAME}

Then create another federated credential for the TSB IAM server service account:

export FEDERATED_IDENTITY_CREDENTIAL_NAME="tsb-iam-federated-identity"
export SERVICE_ACCOUNT_NAME="tsb-iam"

az identity federated-credential create \
    --name ${FEDERATED_IDENTITY_CREDENTIAL_NAME} \
    --identity-name ${USER_ASSIGNED_IDENTITY_NAME} \
    --resource-group ${RESOURCE_GROUP} \
    --issuer ${AKS_OIDC_ISSUER} \
    --subject system:serviceaccount:${NAMESPACE_NAME}:${SERVICE_ACCOUNT_NAME}

Configure TSB

Now you can configure TSB to use the federated credential you created earlier to authenticate with Azure PostgreSQL. Configure your Management Plane Helm values or CR with following entry under spec.dataStore.postgres. Replace placeholder values with the corresponding real values.

postgres:
  address: <DATABASE_SERVER_NAME>.postgres.database.azure.com:5432
  sslMode: require
  azureIdentity:
    clientId: <IDENTITY_CLIENT_ID>
    userName: tsbaduser@<DATABASE_SERVER_NAME>
    tokenTtl: 3600s
  name: <DATABASE_NAME> 
  ...
Token TTL

The minimum token TTL is 3600s (1 hour). You can increase this value to reduce the number of token refreshes. See here for more information.

Then apply your changes. This new configuration enable TSB pods in AKS to access Azure PostgreSQL via federated credentials.

Troubleshooting

If you encounter any issues

  1. Check the tsb or iam logs for more information.
  2. Make sure that you use correct database name and address.
  3. Make sure that you use correct database user name that linked to managed identity.