The Azure SQL operator suite consists of the following operators.
- Azure SQL server - Deploys an Azure SQL server given the location and Resource group
- Azure SQL database - Deploys an SQL database given the SQL server
- Azure SQL firewall rule - Deploys a firewall rule to allow access to the SQL server from specific IPs
- Azure SQL VirtualNetwork rule - Deploys a VirtualNetwork rule to allow access to the SQL server from specific VNets
- Azure SQL Action - Allows you to roll the password for the specified SQL server
- Azure SQL failover group - Deploys a failover group on a specified Azure SQL server given the secondary server and the databases to failover
- Azure SQL User - Creates an user on the specified Azure SQL database and stores the username/password as secrets
- Azure SQL Managed User - Binds a specified Managed Identity as a user on the SQL database
Here is a sample YAML for the Azure SQL server.
The value for kind, AzureSqlServer
is the Custom Resource Definition (CRD) name and sqlserver-sample
in this case is the name of the SQL server resource that will be created.
The values under spec
provide the values for the location where you want to create the Azure SQL server at and the Resource group in which you want to create it under.
Deploying a SQL Server instance requires that you deploy a ResourceGroup, an AzureSqlDatabase, and AzureSqlServer CRDs.
The project maintains a set of samples of how to utilize the Azure Service Operator.
As part of this, there is a sample voting app that utilizes a SQL server. Clone this repo, adjust the names in the resource group and SQL Server CRDs such that they are unique and then deploy them with:
$ kubectl apply -f azure-votes-sql/manifests/azure_v1_resourcegroup.yaml
$ kubectl apply -f azure-votes-sql/manifests/azure_v1_sqldatabase.yaml
$ kubectl apply -f azure-votes-sql/manifests/azure_v1_sqlserver.yaml
Along with creating the SQL server, this operator also generates the admin username and password for the SQL server and stores it in a kube secret with the same name as the SQL server.
This secret contains the following fields.
fullyqualifiedservername
: Fully qualified name of the SQL server such as sqlservername.database.windows.netsqlservername
: SQL server nameusername
: Server adminpassword
: Password for the server adminfullyqualifiedusername
: Fully qualified user name that is required by some apps such as @
You can retrieve this secret using the following command for the sample YAML
kubectl get secret sqlserver-sample -o yaml
This would show you the details of the secret. username
and password
in the data
section are the base64 encoded admin credentials to the SQL server.
apiVersion: v1alpha1
data:
fullyqualifiedservername: c3Fsc2VydmVyLXNhbXBsZS04ODguZGF0YWJhc2Uud2luZG93cy5uZXQ=
fullyqualifiedusername: aGFzMTUzMnVAc3Fsc2VydmVyLXNhbXBsZS04ODg=
password: XTdpMmQqNsd7YlpFdEApMw==
sqlservername: c3Fsc2VyfmVyLXNhbXBsZS04ODg=
username: aGFzMTFzMnU=
kind: Secret
metadata:
creationTimestamp: "2019-10-09T21:02:02Z"
name: sqlserver-sample-888
namespace: default
ownerReferences:
- apiVersion: azure.microsoft.com/v1
blockOwnerDeletion: true
controller: true
kind: AzureSqlServer
name: sqlserver-sample-888
uid: 08fdbf42-ead8-11e9-91e0-025000000001
resourceVersion: "131163"
selfLink: /api/v1/namespaces/default/secrets/sqlserver-sample-888
uid: 0aeb2429-ead8-11e9-91e0-025000000001
type: Opaque
Here is a sample YAML for SQL database
Update the location
and the resourcegroup
to where you want to provisiong the SQL database. server
is the name of the Azure SQL server where you want to create the database in.
The edition
represents the SQL database edition you want to use when creating the resource and should be one of the values above.
In order to configure longt-term retention policies for the SQL database, the following fields can be configured (but are optional):
weeklyRetention
- the weekly retention policy for an LTR backup in an ISO 8601 duration formatmonthlyRetention
- the monthly retention policy for an LTR backup in an ISO 8601 duration formatyearlyRetention
- the yearly retention policy for an LTR backup in an ISO 8601 duration formatweekOfYear
- this must be configured if yearlyRetention is used, this is the week of year to take the yearly backup - valid values range from [1, 52]
It is important to note that the retention time is configured according to ISO 8601 time durations, which are explained here.
The SQL firewall operator allows you to add a SQL firewall rule to the SQL server.
Here is a sample YAML for SQL firewall rule
The server
indicates the SQL server on which you want to configure the new SQL firewall rule on and resourcegroup
is the resource group of the SQL server. The startipaddress
and endipaddress
indicate the IP range of sources to allow access to the SQL server.
When the startipadress
and endipaddress
are 0.0.0.0, it is a special case that adds a firewall rule to allow all Azure services to access the SQL server.
The SQL VNet rule operator allows you to add a SQL VNet (VirtualNetwork()) rule to the SQL server.
Here is a sample YAML for SQL VNet rule
The server
indicates the SQL server on which you want to configure the new SQL VNet rule on and resourceGroup
is the resource group of the SQL server.
vNetResourceGroup
, vNetName
and subnetName
identify the Subnet on the particular VirtualNetwork that should be added to the rule.
ignoreMissingServiceEndpoint
tells the operator to go ahead and add the rule with the specified VirtualNetwork/Subnet even if that VirtualNetwork does not have the Microsoft.Sql Service Endpoint enabled
The SQL Action operator is used to trigger an action on the SQL server. Right now, the supported actions are rolladmincreds
, which rolls the password for the SQL server to a new one, and rollusercreds
, which rolls the password for the SQL Database User.
The name
is a name for the action that we want to trigger. The type of action is determined by the value of actionname
in the spec which is rolladmincreds
or rollusercreds
if you want to roll the password (Note: This action name should be exact for the password to be rolled). The resourcegroup
and servername
identify the SQL server on which the action should be triggered on.
Here is a sample YAML for rolling the admin or user password of the SQL server
Once you apply this, the kube or Key Vault secret with the same name as the SQL server is updated with the rolled password.
This action will roll the password for the SQL Server.
Optional parameters:
serverSecretKeyVault
- specify a Key Vault to store the admin secret credentials in. If there is no Key Vault specified, it will default to the global secret client.serverAdminSecretName
- specify a secret name for the admin secret. If there is no secret name specified, it will fallback to the default name.
This action will roll the password for the SQL Database User.
Required parameters:
dbName
- name of the databasedbUser
- name of the user
Optional parameters:
userSecretKeyVault
- specify a Key Vault to store the user secret credentials in. If there is no Key Vault specified, it will default to the global secret client.serverSecretKeyVault
- specify a Key Vault to store the admin secret credentials in. If there is no Key Vault specified, it will default to the global secret client.serverAdminSecretName
- specify a secret name for the admin secret. If there is no secret name specified, it will fallback to the default name.
The SQL failover group operator is used to create a failover group across two Azure SQL servers (one primary, one secondary). The servers should already be provisioned and deployed different regions. The specified databases will be replicated from the primary server and created on the secondary.
Here is a sample YAML for creating a failover group
The name
is a name for the failover group that we want to create. server
is the primary SQL server on which the failover group is created, location
and resourcegroup
are the location and the resource group of the primary SQL server. failoverpolicy
can be "automatic" or "manual". failovergraceperiod
is the time in minutes. secondaryserver
is the secondary SQL server to failover to and secondaryserverresourcegroup
is the resource group that the server is in. databaselist
is the list of databased on the primary SQL server that should replicate to the secondary SQL server, when there is a failover action.
Once you apply this, a secret with the same name as the SQL failovergroup is also stored. This secret contains the fields for primary/secondary failovergroup listener endpoints (readWriteListenerEndpoint
and readOnlyListenerEndpoint
) and the primary/secondary SQL server names (azureSqlPrimaryServerName
and azureSqlSecondaryServerName
)
The SQL user operator is used to create a user on the specified Azure SQL database. This user is more restrictive than the admin user created on the SQL server and is so recommended to use. The operator creates the user on the database by auto generating a strong password, and also stores the username and password as a secret (name can be specified in the YAML), so applications can use them.
User credentials are persisted in the secret store that has been configured for the operator runtime. The default secret contains the following fields:
azureSqlDatabaseName
azureSqlServerName
azureSqlServerNamespace
fullyQualifiedServerName
username
password
When Key Vault is configured, each value is Base64 encoded and the set of secrets is persisted as a single JSON document in the Key Vault.
The default secret name prefix in Key Vault is azuresqluser-<serverName>-<azureSqlDatabaseName>
. Users can set the keyVaultSecretPrefix
parameter to override this value.
Additionally, some client libraries support connecting directly to Key Vault to retrieve secrets. Users can set the keyVaultSecretFormats
parameter so that explicit connection strings for their desired formats are added to the Key Vault. Each secret will be named after the secret prefix followed by the format name, for example: azuresqluser-<serverName>-<azureSqlDatabaseName>-adonet
.
Here is a sample YAML for creating a database user
The name
is used to generate the username on the database. The exact name is not used but rather a UUID is appended to this to make it unique. server
and dbname
qualify the database on which you want to create the user on. adminsecret
is the name of the secret where the username and password will be stored. roles
specify the security roles that this user should have on the specified database.
The SQL Managed user operator is used to enable the specified managed identity as a database user on the specified database. It also grants the specified database roles to the user.
Pre-requisite: This operator requires that the operator is running as a Managed Identity user and that this Managed Identity user is configured as the AAD admin on the SQL server
The operator also stores the following secrets (if using Keyvault) in addition to enabling Database access for the managed identity.
- Secret named
<KeyVaultSecretPrefix>-clientid
with value<ManagedIdentityClientId>
- Secret named
<KeyVaultSecretPrefix>-server
with valueSpec.Server
- Secret named
<KeyVaultSecretPrefix>-dbName
with valueSpec.DbName
Note If KeyVaultSecretPrefix
is not specified instance.Namespace
is used appended with instance.Name
If you are using Kube for storing secrets, there will be one secret with name <instance.Name>
created with the above name-value in the secret map
You can follow the steps here to deploy, view and delete resources.
Watch this demo https://bit.ly/2lUIX6Y to observe how you would you use the Azure SQL Operator from a real application.
In this demo, we use YAML to deploy the application and the SQL server. Once the SQL server is provisioned, the connection details are stored as secrets which the application can use to access the SQL server.