database service cleanup

Azure · Jul 2, 2024 · 046a230 · 046a230
1 parent fa36c22
commit 046a230
Show file tree

Hide file tree

Showing 4 changed files with 94 additions and 13 deletions.
diff --git a/pkg/mimo/cmd/cli.go b/pkg/mimo/cmd/cli.go
@@ -132,7 +132,7 @@ func main() {
 					}
 					go g.Run()
 
-					dbc, err := service.NewDatabase(ctx.Context, _env, log, m, service.DB_ALWAYS_MASTERKEY, false)
+					dbc, err := service.NewDatabase(ctx.Context, _env, log, m, false)
 					if err != nil {
 						return err
 					}

diff --git a/pkg/util/service/const.go b/pkg/util/service/const.go
@@ -0,0 +1,10 @@
+package service
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+const (
+	DatabaseName        = "DATABASE_NAME"
+	DatabaseAccountName = "DATABASE_ACCOUNT_NAME"
+	KeyVaultPrefix      = "KEYVAULT_PREFIX"
+)
diff --git a/pkg/util/service/database.go b/pkg/util/service/database.go
@@ -0,0 +1,83 @@
+package service
+
+// Copyright (c) Microsoft Corporation.
+// Licensed under the Apache License 2.0.
+
+import (
+	"context"
+	"fmt"
+	"os"
+
+	"github.com/sirupsen/logrus"
+
+	"github.com/Azure/ARO-RP/pkg/database"
+	"github.com/Azure/ARO-RP/pkg/database/cosmosdb"
+	"github.com/Azure/ARO-RP/pkg/env"
+	"github.com/Azure/ARO-RP/pkg/metrics"
+	"github.com/Azure/ARO-RP/pkg/util/encryption"
+	"github.com/Azure/ARO-RP/pkg/util/keyvault"
+)
+
+// NewDatabase creates a CosmosDB database client from the environment configuration.
+func NewDatabase(ctx context.Context, _env env.Core, log *logrus.Entry, m metrics.Emitter, withAEAD bool) (cosmosdb.DatabaseClient, error) {
+	var aead encryption.AEAD
+
+	msiToken, err := _env.NewMSITokenCredential()
+	if err != nil {
+		return nil, err
+	}
+
+	if withAEAD {
+		msiKVAuthorizer, err := _env.NewMSIAuthorizer(_env.Environment().KeyVaultScope)
+		if err != nil {
+			return nil, err
+		}
+
+		keyVaultPrefix := os.Getenv(KeyVaultPrefix)
+		// TODO: should not be using the service keyvault here
+		serviceKeyvaultURI := keyvault.URI(_env, env.ServiceKeyvaultSuffix, keyVaultPrefix)
+		serviceKeyvault := keyvault.NewManager(msiKVAuthorizer, serviceKeyvaultURI)
+
+		aead, err = encryption.NewMulti(
+			ctx,
+			serviceKeyvault,
+			env.EncryptionSecretV2Name,
+			env.EncryptionSecretName,
+		)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	dbAccountName := os.Getenv(DatabaseAccountName)
+	scope := []string{
+		fmt.Sprintf("https://%s.%s", dbAccountName, _env.Environment().CosmosDBDNSSuffixScope),
+	}
+
+	logrusEntry := log.WithField("component", "database")
+
+	dbAuthorizer, err := database.NewTokenAuthorizer(
+		ctx,
+		logrusEntry,
+		msiToken,
+		dbAccountName,
+		scope,
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	dbc, err := database.NewDatabaseClient(
+		logrusEntry,
+		_env,
+		dbAuthorizer,
+		m,
+		aead,
+		dbAccountName,
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	return dbc, nil
+}
diff --git a/pkg/util/service/helpers.go b/pkg/util/service/helpers.go
@@ -21,15 +21,3 @@ func DBName(isLocalDevelopmentMode bool) (string, error) {
 
 	return os.Getenv(DatabaseName), nil
 }
-
-func GetDBTokenURL(isLocalDevelopmentMode bool) (string, error) {
-	if isLocalDevelopmentMode {
-		return "https://localhost:8445", nil
-	}
-
-	if err := env.ValidateVars(DBTokenUrl); err != nil {
-		return "", err
-	}
-
-	return os.Getenv(DBTokenUrl), nil
-}