Consuming Azure Flexible Server for PostgreSQL on Tanzu Application Platform with Azure Service Operator (ASO)

This topic describes using Services Toolkit to allow Tanzu Application Platform workloads to consume Azure Flexible Server PostgreSQL. This particular topic makes use of Azure Service Operator v2 to manage PostgreSQL instances in Azure.

Important: This use case is not currently compatible with air-gapped Tanzu Application Platform installations.

Prerequisites

Meet these prerequisites

Create service instances that are compatible with Tanzu Application Platform

To create an Azure PostgreSQL service instance for Tanzu Application Platform to consume, you can use a ready-made, reference Carvel package. The Service Operator typically performs this step. Follow the steps in Creating an Azure PostgreSQL service instance using a Carvel package.

$ kubectl api-resources --api-group=dbforpostgresql.azure.com
NAME                            SHORTNAMES   APIVERSION                                 NAMESPACED   KIND
flexibleservers                              dbforpostgresql.azure.com/v1beta20210601   true         FlexibleServer
flexibleserversconfigurations                dbforpostgresql.azure.com/v1beta20210601   true         FlexibleServersConfiguration
flexibleserversdatabases                     dbforpostgresql.azure.com/v1beta20210601   true         FlexibleServersDatabase
flexibleserversfirewallrules                 dbforpostgresql.azure.com/v1beta20210601   true         FlexibleServersFirewallRule

There is also the Resource Group, which is in another API group.

$ kubectl api-resources --api-group=resources.azure.com
NAME             SHORTNAMES   APIVERSION                           NAMESPACED   KIND
resourcegroups                resources.azure.com/v1beta20200601   true         ResourceGroup

To create an Azure PostgreSQL service instance for Tanzu Application Platform to consume, you can use a ready-made, reference Carvel package. The Service Operator typically performs this step. Follow the steps in Creating an Azure PostgreSQL service instance using a Carvel package.

Alternatively, if you are interested in authoring your own reference package and want to learn about the underlying APIs and how they come together to produce a useable service instance for Tanzu Application Platform, you can achieve the same outcome by using the more advanced Creating an Azure PostgreSQL service instance manually topic.

After creating a running Azure PostgreSQL service instance, return here to continue the use case.

Create a service instance class for PSQL

After creating Flexible Server service instances, you must make it possible for application operators to discover them. The service operator role typically performs this step.

You can use Services Toolkit’s ClusterInstanceClass API to create a service instance class that represents psql service instances within the cluster. The existence of such classes enables application operators to discover logical service instances. This, in turn, enables application operators to create Resource Claims for such instances and to then bind them to application workloads.

Create the following Kubernetes resource on your AKS cluster by running:

cat <<EOF | kubectl apply -f -
---
apiVersion: services.apps.tanzu.vmware.com/v1alpha1
kind: ClusterInstanceClass
metadata:
  name: azure-postgres
spec:
  description:
    short: Azure Flexible Server instances with a postgresql engine
  pool:
    kind: Secret
    labelSelector:
      matchLabels:
        services.apps.tanzu.vmware.com/class: azure-postgres
EOF

In this particular example, the class represents claimable instances of PostgreSQL by a Secret object with the label services.apps.tanzu.vmware.com/class set to azure-postgres.

In addition, you must grant RBAC permissions to Services Toolkit for reading the secrets that the class specifies. Create the following RBAC on your AKS cluster by running:

cat <<EOF | kubectl apply -f -
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: stk-secret-reader
  labels:
    servicebinding.io/controller: "true"
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
EOF

To claim resources across namespace boundaries, create a corresponding ResourceClaimPolicy.

For example, if the provisioned Azure Flexible Server instance exists in the namespace service-instances, and you want to allow application operators to claim them for workloads residing in the default namespace, you must create the following ResourceClaimPolicy by running:

cat <<EOF | kubectl apply -f -
---
apiVersion: services.apps.tanzu.vmware.com/v1alpha1
kind: ResourceClaimPolicy
metadata:
  name: default-can-claim-azure-postgres
  namespace: service-instances
spec:
  subject:
    kind: Secret
    group: ""
    selector:
      matchLabels:
        services.apps.tanzu.vmware.com/class: azure-postgres
  consumingNamespaces: [ "default" ]
EOF

Discover, Claim, and Bind to a PostgreSQL

Creating the ClusterInstanceClass and the corresponding RBAC informs application operators that Azure PostgreSQL is available to use with their application workloads on Tanzu Application Platform.

This section describes how to discover, claim, and bind to the PostgreSQL service instance previously created.

Discovering and claiming service instances is typically the responsibility of the application operator role. Binding is typically an action for application developers.

To discover which service instances are available to them, application operators can run:

tanzu services classes list

NAME                  DESCRIPTION
azure-postgres        Azure Flexible Server instances with a postgresql engine

You can see information about the ClusterInstanceClass created in the earlier step. Each ClusterInstanceClass created is added to the list of classes.

Next, the application operator claims an instance of the class they want. But to do that the application operator must first discover the list of currently claimable instances for the class.

Many variables affect the capacity to claim instances, including namespace boundaries, claim policies, and the exclusivity of claims. Therefore, Services Toolkit provides the CLI command tanzu service claimable list to help inform application operators of the instances that can cause successful claims.

Example:

tanzu services claimable list --class azure-postgres

  NAME               NAMESPACE  API KIND  API GROUP/VERSION
  aso-psql-bindable  default    Secret    v1

Create a claim for the newly created secret by running:

tanzu services claim create aso-psql-claim \
  --resource-name aso-psql-bindable \
  --resource-kind Secret \
  --resource-api-version v1

Obtain the claim reference of the claim by running:

tanzu services claim list -o wide

Verify the output is similar to the following:

NAME                    READY  REASON  CLAIM REF
aso-psql-claim          True           services.apps.tanzu.vmware.com/v1alpha1:ResourceClaim:aso-psql-claim

Test claim With Tanzu Application Platform workload

Create an application workload that consumes the claimed Azure PostgreSQL database by running:

tanzu apps workload create my-workload

Example:

tanzu apps workload create my-workload \
  --git-repo https://github.com/sample-accelerators/spring-petclinic \
  --git-tag tap-1.2 \
  --type web \
  --label app.kubernetes.io/part-of=spring-petclinic \
  --annotation autoscaling.knative.dev/minScale=1 \
  --env SPRING_PROFILES_ACTIVE=postgres \
  --service-ref db=services.apps.tanzu.vmware.com/v1alpha1:ResourceClaim:aso-psql-claim

--service-ref is set to the claim reference obtained previously.

Your application workload starts and connects automatically to the Azure PostgreSQL service instance. You can verify this by visiting the app in the browser and, for example, creating a new owner through the UI.

Delete a PostgreSQL service instance

To delete the Azure PostgreSQL service instance, run the appropriate cleanup commands for how you created the service.

Delete a PostgreSQL service instance by using a Carvel package

tanzu package installed delete demo-psql-instance

Delete a PostgreSQL service instance by using kubectl

Delete the Azure PostgreSQL service instance by running:

kubectl delete flexibleservers.dbforpostgresql.azure.com aso-psql
kubectl delete flexibleserversfirewallrules.dbforpostgresql.azure.com aso-psql
kubectl delete flexibleserversdatabases.dbforpostgresql.azure.com aso-psql
kubectl delete SecretTemplate aso-psql-bindable
kubectl delete Password aso-psql
kubectl delete ServiceAccount aso-psql-reader
kubectl delete RoleBinding aso-psql-reader-to-read
kubectl delete Role aso-psql-reading

Troubleshooting Azure Service Operator

Azure Service Operator is still in beta and doesn’t always behave as expected. For help with most common scenarios, see Troubleshooting.

check-circle-line exclamation-circle-line close-line
Scroll to top icon