v0.1.29 — Passwordless duroxide orchestration store

@ChrisKrawczyk ChrisKrawczyk released this 13 May 22:39

Passwordless duroxide orchestration store. When useManagedIdentity: true, the worker now routes the duroxide Postgres store through PostgresProvider.connectWithSchemaAndEntra (duroxide-node 0.1.25+) instead of connectWithSchema. CMS, facts, and the orchestration store all authenticate via Microsoft Entra ID — closing the last password-URL gap blocking pure-Entra cutover on AKS.

Highlights

  • SDK: Passwordless duroxide orchestration store via connectWithSchemaAndEntra (MI mode).
  • Dependency: Bumped duroxide to ^0.1.26, which picks up duroxide-pg 0.1.33 / duroxide-pg-opt 0.1.29. Those crates switch reqwest to default-features = false + native-tls, fixing TLS handshake failures during AAD token acquisition in container images. Without this fix, the MI path above would not be usable end-to-end.
  • Docs: Updated README, deploy scripts, env templates, postgres.bicep, and the worker/portal overlays to reflect that the duroxide store now honours the MI switch.
  • Tests: Added unit coverage for the new duroxide-provider-factory (legacy vs MI routing, URL parsing, error path). Refactored pg-pool-factory to share parsing helpers.

Validation

  • npm run build clean.
  • pg-pool-factory (16 tests) + duroxide-provider-factory (6 tests) all passing locally.
  • Production validation: Patched worker (with duroxide-pg 0.1.33 binary) ran in chkrawps7 AKS for the duration of this release work — 3 worker replicas, fully MI-authenticated against Azure Database for PostgreSQL Flexible Server, 0 errors. This exercises the AAD token acquisition + TLS path more thoroughly than the local integration suite (which uses password auth).
  • Local integration suite gate (./scripts/run-tests.sh) was skipped for this release. The local suite doesn't exercise the AAD/TLS code path that changed; production soak on chkrawps7 was used as the equivalent gate.

Upstream chain published in support of this release

  • duroxide-pg 0.1.33 → crates.io
  • duroxide-node 0.1.26 → npm (latest)

Downstream unblocked

Consumers can now bump pilotswarm-sdk to 0.1.29, drop the password store: argument, flip passwordAuth: 'Disabled' on the Bicep postgres module, and remove postgres-admin-password from Key Vault / SecretProviderClass manifests.
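A pre-flight guard a consumer could run while making this cutover, as an added example that is not code from pilotswarm-sdk or duroxide: it picks the connection path named in these notes and refuses managed identity mode if the store URL still carries a password. The function name planStoreConnection, the storeUrl option, the returned object and the reject-on-password policy are assumptions; the real provider is never called.

```javascript
// Added illustration, not pilotswarm-sdk or duroxide code.
// planStoreConnection, storeUrl and the returned shape are hypothetical; only
// useManagedIdentity, connectWithSchema and connectWithSchemaAndEntra are
// names taken from the release notes.

function planStoreConnection({ useManagedIdentity, storeUrl, schema }) {
  let url;
  try {
    url = new URL(storeUrl);
  } catch {
    // Do not echo storeUrl: a rejected URL may still contain a password.
    throw new Error('store URL is not parseable');
  }
  if (url.protocol !== 'postgres:' && url.protocol !== 'postgresql:') {
    throw new Error(`unsupported scheme ${url.protocol}`);
  }

  const target = {
    host: url.hostname,
    port: Number(url.port || 5432),
    database: decodeURIComponent(url.pathname.replace(/^\//, '')),
    user: decodeURIComponent(url.username),
    schema,
  };
  // A password can hide in the userinfo part or in a ?password= parameter.
  const hasPassword = url.password !== '' || url.searchParams.has('password');

  if (!useManagedIdentity) {
    // Legacy path: password auth, the secret stays in the URL.
    return { method: 'connectWithSchema', hasPassword, ...target };
  }
  // Assumed policy: in MI mode a leftover password is a configuration error.
  if (hasPassword) {
    throw new Error(
      `managed identity is on but the store URL for ${target.host} still carries a password`
    );
  }
  return { method: 'connectWithSchemaAndEntra', hasPassword: false, ...target };
}

// Constructed sample input (not a real deployment).
const samplePlan = planStoreConnection({
  useManagedIdentity: true,
  storeUrl: 'postgresql://worker-mi@db.example.internal/pilotswarm?sslmode=require',
  schema: 'duroxide',
});
console.log(samplePlan.method, samplePlan.host, samplePlan.port);
```

The error messages name only the host, so a failed check can be logged without leaking the secret it found.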

See CHANGELOG.md for the full entry.