Feature
Resolution: Unresolved
Feature Overview (aka. Goal Summary)
The current method for connecting Red Hat Developer Hub (RHDH) to an Azure Database for PostgreSQL server relies on a static, shared database password. That password has to be stored in the application configuration or an external secret store, distributed to every replica, and rotated by hand, which is a significant security and governance risk.
This feature implements a secretless connection using Azure Managed Identity (MI). With MI, the RHDH host environment (an Azure VM via the Instance Metadata Service, or an AKS pod via Azure Workload Identity) obtains an Azure Active Directory (AAD, now Microsoft Entra ID) access token for the Azure Database for PostgreSQL resource, and that token is presented to PostgreSQL in place of the password. No long-lived database secret needs to be stored, managed, or rotated in the application configuration or in an external secret store.
The key technical challenge is token lifecycle management. AAD access tokens are short-lived (by default roughly 60 to 90 minutes; the exact lifetime varies per token and is reported with the token), so the RHDH backend needs an automated, non-disruptive renewal mechanism keyed off each token's own expiry time to keep opening new database connections without interruption.
Goals (aka. expected user outcomes)
- Security & Compliance: Successfully connect RHDH to Azure PostgreSQL using an Azure Managed Identity, eliminating the need for hardcoded, long-lived database passwords.
- Operational Stability: Ensure continuous, non-interruptible database connectivity by implementing an automated token refresh mechanism that renews the AAD token before it expires.
- Configuration Simplicity: Provide a clear, minimal set of configuration parameters for enabling and configuring Managed Identity use.
Requirements (aka. Acceptance Criteria):
- Configuration: The RHDH application must be configurable to use Azure Managed Identity for the database connection. This includes a boolean flag to enable MI and an optional field for the User-Assigned Managed Identity Client ID (managedIdentityClientId). When the client ID is omitted, the System-Assigned identity of the host is used.
- Token Acquisition: The application must retrieve a valid AAD access token scoped to the Azure Database for PostgreSQL resource (scope `https://ossrdbms-aad.database.windows.net/.default`) using the assigned Managed Identity.
- Connection Success: RHDH must establish a successful initial connection to the Azure PostgreSQL database over TLS, using the retrieved AAD token as the password and the database role created for the identity as the user name.
- Token Refresh: A robust mechanism must automatically and securely refresh the AAD token before it expires. Because token lifetimes vary, the refresh point must be derived from the expiry timestamp returned with each token (for example, refresh once fewer than five minutes remain), not from a fixed timer.
- Connection Pooling Integrity: The token refresh mechanism must integrate cleanly with the application's database connection pool. PostgreSQL authenticates only when a connection is opened, so an expired token does not invalidate connections that are already established; the requirement is that every new pooled connection is opened with a current, valid token and that existing active connections are not dropped during refresh.
- Error Handling: Appropriate logging must be present to track successful token refresh cycles and to flag failures in token acquisition or renewal. Token values themselves must never be written to logs.
- System-Assigned MI Support: The solution must support connections using the System-Assigned Managed Identity of the host environment by default.
- User-Assigned MI Support: The solution must support connections using a specified User-Assigned Managed Identity.
Out of Scope
- Support for Managed Identity integration with other cloud providers (e.g., AWS IAM authentication, GCP Workload Identity).
- Integration with external third-party secret management tools (e.g., HashiCorp Vault, Azure Key Vault).
- Automatic provisioning or configuration of the necessary database user/role within the Azure PostgreSQL database. This is a manual prerequisite.
Customer Considerations
- Prerequisites: Clear documentation is needed instructing the customer/platform team on two external steps: 1) how to assign the Managed Identity to the RHDH hosting infrastructure (VM or AKS pod via Workload Identity), and 2) how to create the database role for the Managed Identity principal within Azure PostgreSQL (the role name must match the identity's Entra principal name) and grant it the privileges RHDH needs. RHDH plugins create their own databases and run schema migrations on startup, so LOGIN plus SELECT is not sufficient; the role needs the ability to create the plugin databases (or ownership of pre-created ones) and full read/write access to their tables.
- Deployment: Changes to deployment configuration (e.g., Helm charts, Operator, environment variables) must be clearly communicated.
Documentation Considerations
- A dedicated section in the RHDH Installation detailing "Azure Managed Identity Configuration" must be created.
- The guide must include examples for both System-Assigned and User-Assigned Managed Identity setup.
Technical Requirements:
- Development Requirements:
  - Integration with the appropriate Azure SDK (for the Node.js RHDH backend, the `@azure/identity` library) to acquire tokens from the Azure Instance Metadata Service (IMDS) on VMs, or from the federated Workload Identity token on AKS. `DefaultAzureCredential` covers both paths; `ManagedIdentityCredential` with a client ID targets a specific User-Assigned identity.
  - Modification of the PostgreSQL connection setup so that the dynamically retrieved AAD token is supplied in the password field of each new connection rather than a static string from configuration.
- Dependencies:
  - Azure SDK library for Identity/Token Management (`@azure/identity`).
  - Clarification Required: confirm the database connection library used by RHDH that needs modification. RHDH is built on Backstage, whose backend uses Knex over node-postgres (`pg`); `pg` accepts `password` as a function returning a promise, which is the natural hook for injecting the token on every new connection.
- Technical Notes:
  - The token caching mechanism must be implemented carefully to minimize repeated calls to the token endpoint (IMDS throttles aggressive callers) while ensuring tokens are always refreshed well before expiration. Concurrent connection attempts should share a single in-flight token request rather than each calling the endpoint.
  - The implementation should retrieve the token only when establishing a new connection or when the cached token is within the refresh margin of its expiry; existing connections do not need to be touched when the token expires.
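The following is an added example, not RHDH or Backstage project code, of the token provider the requirements and technical notes above describe: it caches the AAD token, refreshes it based on the expiry timestamp returned with the token rather than a fixed timer, de-duplicates concurrent refreshes, falls back to a still-valid cached token if one renewal fails, and plugs into the node-postgres `password` function hook. The `ManagedIdentityTokenProvider` and `buildPgConnectionConfig` names, the five-minute margin, and the host/database/user values are this example's own choices; the credential interface (`getToken(scope)` returning `{ token, expiresOnTimestamp }`) is the `@azure/identity` TokenCredential shape, and a constructed fake credential stands in for it so the block runs offline.

```javascript
'use strict';

// Scope for Azure Database for PostgreSQL Entra (AAD) authentication.
const POSTGRES_SCOPE = 'https://ossrdbms-aad.database.windows.net/.default';

// Caches one token and refreshes it before expiry. `credential` is any object
// with getToken(scope) -> Promise<{ token, expiresOnTimestamp }> (the
// @azure/identity TokenCredential shape, e.g. new DefaultAzureCredential()
// or new ManagedIdentityCredential(managedIdentityClientId)).
class ManagedIdentityTokenProvider {
  constructor(credential, opts = {}) {
    this.credential = credential;
    // Token lifetimes vary (roughly 60-90 min), so refresh relative to the
    // token's own expiresOnTimestamp instead of a fixed clock.
    this.refreshMarginMs = opts.refreshMarginMs ?? 5 * 60 * 1000;
    this.now = opts.now ?? Date.now;          // injectable clock for tests
    this.log = opts.log ?? (() => {});        // never log the token itself
    this.cached = null;                       // { token, expiresOnTimestamp }
    this.inflight = null;                     // shared pending refresh
    this.fetchCount = 0;                      // for observability/tests
  }

  // True while the cached token is more than refreshMarginMs from expiry.
  isFresh(entry) {
    return entry !== null && entry.expiresOnTimestamp - this.refreshMarginMs > this.now();
  }

  async getToken() {
    if (this.isFresh(this.cached)) return this.cached.token;
    if (!this.inflight) {
      // One refresh serves every connection attempt that arrives meanwhile.
      this.inflight = this.credential.getToken(POSTGRES_SCOPE)
        .then((res) => {
          if (!res || !res.token) throw new Error('empty token response from credential');
          this.cached = res;
          this.fetchCount += 1;
          this.log(`token refreshed; expires ${new Date(res.expiresOnTimestamp).toISOString()}`);
          return res.token;
        })
        .catch((err) => {
          this.log(`token acquisition failed: ${err.message}`);
          // A token inside the margin but not yet expired is still usable.
          if (this.cached && this.cached.expiresOnTimestamp > this.now()) return this.cached.token;
          throw err;
        })
        .finally(() => { this.inflight = null; });
    }
    return this.inflight;
  }
}

// node-postgres accepts `password` as a function returning a Promise, so each
// new pooled connection asks the provider for a current token. Knex passes
// this object through to pg unchanged (assumption for the Knex case).
// Already-open connections are not re-authenticated, so expiry never drops them.
function buildPgConnectionConfig(provider, { host, database, user }) {
  return {
    host,
    port: 5432,
    database,
    user,                                    // DB role created for the identity
    password: () => provider.getToken(),
    ssl: { rejectUnauthorized: true },       // Azure PostgreSQL requires TLS
  };
}

// Constructed fake credential for offline use: mints numbered tokens with a
// fixed lifetime measured on the injected clock.
function fakeCredential(now, lifetimeMs) {
  let n = 0;
  return {
    getToken: async () => {
      n += 1;
      return { token: `token-${n}`, expiresOnTimestamp: now() + lifetimeMs };
    },
  };
}

// Walks a 60-minute token through the refresh margin on a simulated clock.
async function demo() {
  let clock = Date.UTC(2024, 0, 1);
  const now = () => clock;
  const provider = new ManagedIdentityTokenProvider(fakeCredential(now, 60 * 60 * 1000), { now });
  const cfg = buildPgConnectionConfig(provider, { host: 'example.postgres.database.azure.com', database: 'backstage_plugin_catalog', user: 'rhdh-identity' });
  const first = await cfg.password();        // t+0: fetch token-1
  clock += 30 * 60 * 1000;
  const second = await cfg.password();       // t+30m: 30m left, cached token-1
  clock += 27 * 60 * 1000;
  const third = await cfg.password();        // t+57m: inside 5m margin, token-2
  return { first, second, third, fetches: provider.fetchCount };
}

module.exports = { POSTGRES_SCOPE, ManagedIdentityTokenProvider, buildPgConnectionConfig, fakeCredential, demo };
```

In a real deployment the fake credential is replaced by `new DefaultAzureCredential()` (System-Assigned MI or Workload Identity) or `new ManagedIdentityCredential(managedIdentityClientId)` (User-Assigned MI), and the config object is handed to the pg Pool or the Knex `connection` setting.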
- is related to: RHDHPLAN-2 Connecting to Azure Postgres database with managed identity
- Accepted