Add the secret store in the transversal challenge for Azure Container Apps

This commit is contained in:
Pierre Malarme 2023-08-07 19:15:57 +02:00
Parent 3652379747
Commit 64fadbc707
26 changed files: 859 additions and 343 deletions

View file

@ -0,0 +1,17 @@
componentType: secretstores.azure.keyvault
version: v1
metadata:
- name: vaultName
value: "[your_keyvault_name]"
- name: azureTenantId
value: "[your_tenant_id]"
- name: azureClientId
value: "[your_client_id]"
- name: azureClientSecret
secretRef: azure-client-secret
secrets:
- name: azure-client-secret
value: "[your_client_secret]"
scopes:
- traffic-control-service
- fine-collection-service
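Review bot: the `secrets:` block at the bottom of this template is where the reader will paste a live client secret once the file is copied into `dapr/components/` (the deploy steps later in this commit say to set `azure-client-secret` there), so the copied path should be covered by `.gitignore` and this template should only ever carry the `[your_client_secret]` placeholder. A one-line YAML comment would also help readers: with `--yaml` deployment to a Container Apps environment, anything under `secrets:` becomes a platform-managed Kubernetes secret, which the `.important-title` callout in this commit already describes as a DEV/TEST convenience, with managed identity as the production alternative.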

View file

@ -7,7 +7,7 @@ spec:
version: v1
metadata:
- name: vaultName
value: "kv-dapr-java-workshop"
value: "[your_keyvault_name]"
- name: azureTenantId
value: "[your_tenant_id]"
- name: azureClientId

View file

@ -0,0 +1,152 @@
<!-- Require 'stepNumber' as input: the number of the first step of this include.
Return the number of the last step in this include -->
## Step {{stepNumber}}: Create an Azure AD application
1. Open a terminal window.
1. Create an Azure AD application:
```bash
az ad app create --display-name dapr-java-workshop-fine-collection-service
```
1. Set the application ID in `APP_ID`:
- Linux/Unix shell:
```bash
APP_ID=$(az ad app list --display-name dapr-java-workshop-fine-collection-service --query [].appId -o tsv)
```
- Powershell:
```powershell
$APP_ID = az ad app list --display-name dapr-java-workshop-fine-collection-service --query [].appId -o tsv
```
1. Create the client secret using the following command:
```bash
az ad app credential reset --id $APP_ID --years 2
```
Take note of the values above, which will be used in the Dapr component's metadta to allow Dapr to authenticate with Azure:
- `appId` is the value for `azureClientId`
- `password` is the value for `azureClientSecret`
- `tenant` is the value for `azureTenantId`
{% assign stepNumber = stepNumber | plus: 1 %}
## Step {{stepNumber}}: Create a Service Principal
1. Create a Service Principal using the following command and replace `<appId>` with the application ID you noted down in the previous step:
```bash
az ad sp create --id $APP_ID
```
1. Set the Service Principal ID in `SERVICE_PRINCIPAL_ID`. You will need it to assign the role to access the Key Vault.
- Linux/Unix shell:
```bash
SERVICE_PRINCIPAL_ID=$(az ad sp list --display-name dapr-java-workshop-fine-collection-service --query [].id -o tsv)
```
- Powershell:
```powershell
$SERVICE_PRINCIPAL_ID = az ad sp list --display-name dapr-java-workshop-fine-collection-service --query [].id -o tsv
```
{% assign stepNumber = stepNumber | plus: 1 %}
## Step {{stepNumber}}: Create an Azure Key Vault
1. Open a terminal window.
1. [Azure Key Vault](https://learn.microsoft.com/en-us/azure/key-vault/general/) is a manage service to securely store and access secrets. This key vault needs to be globally unique. Use the following command to generate a unique name:
- Linux/Unix shell:
```bash
UNIQUE_IDENTIFIER=$(LC_ALL=C tr -dc a-z0-9 </dev/urandom | head -c 5)
KEY_VAULT="kv-daprworkshopjava$UNIQUE_IDENTIFIER"
echo $KEY_VAULT
```
- PowerShell:
```powershell
$ACCEPTED_CHAR = [Char[]]'abcdefghijklmnopqrstuvwxyz0123456789'
$UNIQUE_IDENTIFIER = (Get-Random -Count 5 -InputObject $ACCEPTED_CHAR) -join ''
$KEY_VAULT = "kv-daprworkshopjava$UNIQUE_IDENTIFIER"
$KEY_VAULT
```
Note the name of the Key Vault. You will need it when creating the Dapr component.
1. Create an Azure Key Vault:
```bash
az keyvault create --name $KEY_VAULT --resource-group rg-dapr-workshop-java --location eastus --enable-rbac-authorization true
```
1. Set the id of the subscription in `SUBSCRIPTION_ID`. You will need it in the next step.
- Linux/Unix shell:
```bash
SUBSCRIPTION_ID=$(az account show --query id -o tsv)
```
- Powershell:
```powershell
$SUBSCRIPTION_ID = az account show --query id -o tsv
```
1. Assign a role using RBAC to the Azure AD application to access the Key Vault. The role "Key Vault Secrets User" is sufficient for this workshop.
```bash
az role assignment create --role "Key Vault Secrets User" --assignee $SERVICE_PRINCIPAL_ID --scope "/subscriptions/$SUBSCRIPTION_ID/resourcegroups/rg-dapr-workshop-java/providers/Microsoft.KeyVault/vaults/$KEY_VAULT"
```
{% assign stepNumber = stepNumber | plus: 1 %}
## Step {{stepNumber}}: Create a secret in the Azure Key Vault
The service principal created in the previous steps has the role `Key Vault Secrets User` assigned. It means this service principal can only read secrets. When assignining a role, it is recommended to use the [least privilege principle](https://learn.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices#use-role-based-access-control) during all stages of development and deployment. This means that in this workshop, you could have assigned the `Key Vault Secret User` to a specific role instead to the key vault itself. However, for simplicity, you assigned the role to the key vault.
To create a secret in the Azure Key Vault, you can use the Azure Portal or the Azure CLI. In this workshop, you will use the Azure CLI. First you need to assign you the role of `Key Vault Secrets Officer` to be able to create secrets in the Key Vault. To know more about the different roles, see [Azure built-in roles for Key Vault data plane operations](https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli#azure-built-in-roles-for-key-vault-data-plane-operations).
To assign to you the role of `Key Vault Secrets Officer`, follow these steps:
1. Open a terminal window.
1. Set your user id in `USER_ID`. You will need it in the next step.
- Linux/Unix shell:
```bash
USER_ID=$(az ad user show --id <your-email-address> --query id -o tsv)
```
- Powershell:
```powershell
$USER_ID = az ad user show --id <your-email-address> --query id -o tsv
```
Replace `<your-email-address>` with your email address.
1. Assign you `Key Vault Secrets Officer` role:
```bash
az role assignment create --role "Key Vault Secrets Officer" --assignee $USER_ID --scope "/subscriptions/$SUBSCRIPTION_ID/resourcegroups/rg-dapr-workshop-java/providers/Microsoft.KeyVault/vaults/$KEY_VAULT"
```
1. To create a secret in the Azure Key Vault, use the following command and replace `<secret-name>` and `<secret-value>` with the name and value of the secret you want to create:
```bash
az keyvault secret set --vault-name $KEY_VAULT --name <secret-name> --value <secret-value>
```
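Review bot: the instruction in the Service Principal step ("replace `<appId>` with the application ID you noted down in the previous step") is stale: the command below it now reads `az ad sp create --id $APP_ID`, so the replace sentence should go. Two further points: (1) `--query [].appId` and `--query [].id` return every match for the display name, and a second run of `az ad app create` silently creates a duplicate app with the same name, which leaves `APP_ID` / `SERVICE_PRINCIPAL_ID` holding two lines and makes the later `az role assignment create` fail; `--query "[0].appId"` plus an `echo` so the reader can confirm a single value is safer, and quoting the query avoids shell surprises. (2) `az ad app credential reset --years 2` prints the new client secret to the terminal; a sentence next to "Take note of the values above" telling the reader to keep it out of shell history and the repository would fit, and a lifetime shorter than two years is reasonable for a workshop credential. Typos: `metadta`, "manage service" (managed), "assignining"; and "assigned the `Key Vault Secret User` to a specific role instead to the key vault itself" presumably means scoping the assignment to a specific secret rather than the whole vault (the role is also `Key Vault Secrets User`, with an s).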

View file

@ -0,0 +1,81 @@
## Step 1: Create a secret in the Azure Key Vault for the license key
1. Open a terminal window.
1. Create a secret in the Azure Key Vault for the license key:
```bash
az keyvault secret set --vault-name $KEY_VAULT --name license-key --value HX783-5PN1G-CRJ4A-K2L7V
```
## Step 2: Use the secret in the application `FineCollectionService`
1. Open the file `FineCollectionService/src/main/java/dapr/fines/fines/DaprCalulator.java` in your code editor, and inspect it.
It implements the `FineCalculator` interface, which is used by the `FineCollectionService` to calculate the fine for a car. The `FineCalculator` interface has a method `calculateFine` that takes the `excessSpeed` as input and returns the amount of the fine as output. If the excess speed is too high, it return `-1`.
The object `FineFines` that computes the fine requires a license Key. The license key is used to validate the license of the fine calculator. This `DaprFineCalculator` is getting the license key from the secret store when the `FineCalculator` bean is created in the class `FineCollectionConfiguration`. The license key is stored in the secret store with the name `license-key`.
```java
public class DaprFineCalculator implements FineCalculator {
private final String fineCalculatorLicenseKey;
private final FineFines fineFines;
public DaprFineCalculator(final DaprClient daprClient) {
if (daprClient == null) {
throw new IllegalArgumentException("daprClient");
}
final Map<String, String> licenseKeySecret = daprClient.getSecret("secretstore", "license-key").block();
if (licenseKeySecret == null || licenseKeySecret.isEmpty()) {
throw new RuntimeException("'license-key' is not part of the secret store.");
}
this.fineCalculatorLicenseKey = licenseKeySecret.get("license-key");
this.fineFines = new FineFines();
}
@Override
public int calculateFine(final int excessSpeed) {
return fineFines.calculateFine(this.fineCalculatorLicenseKey, excessSpeed);
}
}
```
1. Open the file `FineCollectionService/src/main/java/dapr/fines/FineCollectionConfiguration.java` in your code editor.
1. **Comment out** the following lines as the license key is now retrieved from the secret store instead of the environment variable:
```java
@Value("${finefines.license-key}")
private String fineCalculatorLicenseKey;
```
1. **Comment out** the following @Bean method that creates the bean `FineCalculator`:
```java
@Bean
public FineCalculator fineCalculator() {
return new DefaultFineCalculator(fineCalculatorLicenseKey);
}
```
1. **Uncomment** the following @Bean method that creates the bean `FineCalculator`:
```java
// @Bean
// public FineCalculator fineCalculator(final DaprClient daprClient) {
// return new DaprFineCalculator(daprClient);
// }
```
This method requires the `DaprClient` as input.
1. **Uncomment** the following @Bean method that creates the bean `DaprClient`:
```java
// @Bean
// public DaprClient daprClient() {
// return new DaprClientBuilder().build();
// }
```
1. Check all your code-changes are correct by building the code. Execute the following command in the terminal window:
```bash
mvn package
```
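Review bot: the path `FineCollectionService/src/main/java/dapr/fines/fines/DaprCalulator.java` in Step 2 cannot hold the class listed under it: Java requires `public class DaprFineCalculator` to live in `DaprFineCalculator.java`, so the file name in the text looks misspelled. In the listing, `licenseKeySecret.get("license-key")` can still return `null` when the map is non-empty but keyed differently (the `isEmpty()` guard does not cover that case), so a null check on the returned value before assigning `fineCalculatorLicenseKey` would make the startup failure explicit instead of surfacing later inside `FineFines`. It is also worth one sentence that the hard-coded store name `"secretstore"` must match the `--dapr-component-name secretstore` used when the component is deployed. Grammar: "it return `-1`" (returns), "license Key" (license key).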

View file

@ -0,0 +1,12 @@
## Step 1: Create a secret in the Azure Key Vault for the connetion string
Azure Service Bus' connection string will be store as a string/literal secret:
1. Open a terminal window.
1. Create a secret in the Azure Key Vault for Azure Service Bus' connection string:
```bash
az keyvault secret set --vault-name $KEY_VAULT --name azSericeBusconnectionString --value "<connection-string>"
```
Replace `<connection-string>` with the connection string of the Azure Service Bus created in assignement 3.
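Review bot: the secret name `azSericeBusconnectionString` is misspelled (Serice), and because the same spelling is reused as `secretRef` in the pubsub component later in this commit, renaming it in one place without the other breaks the component at deploy time; fix both or leave both. Since `--value "<connection-string>"` puts a string containing the SharedAccessKey on the command line, it ends up in shell history; `az keyvault secret set` also accepts `--file`, which avoids that for real connection strings. Typos: `connetion` in the heading, "will be store" (stored), `assignement`.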

View file

@ -0,0 +1,37 @@
## Step {{stepNumber}}: Deploy Azure Key Vault secret store component
1. **Copy or Move** this file `dapr/aca-azure-keyvault-secretstore.yam` to `dapr/components/` folder.
1. Open the copied file `dapr/components/aca-azure-keyvault-secretstore.yaml` in your code editor.
1. Set the following values in the metadata section of the component:
- `vaultName`: The name of the Azure Key Vault you created in step 3.
- `azureTenantId`: The value for `tenant` you noted down in step 1.
- `azureClientId`: The value for `appId` you noted down in step 1.
1. Set the following values in the secrets section of the component:
- `azure-client-secret`: The value for `password` you noted down in step 1.
1. Go to the root folder of the repository.
1. Enter the following command to deploy the `secretstore` Dapr component:
```bash
az containerapp env dapr-component set \
--name cae-dapr-workshop-java \
--resource-group rg-dapr-workshop-java \
--dapr-component-name secretstore \
--yaml ./dapr/components/aca-azure-keyvault-secretstore.yaml
```
{: .important-title }
> Managed Identity
>
> By setting a secret in a Dapr component for Azure Container Apps environmnet, the secret is stored [using platform-managed Kubernetes secrets](https://learn.microsoft.com/en-us/azure/container-apps/dapr-overview?tabs=bicep1%2Cyaml#using-platform-managed-kubernetes-secrets). This is useful when connecting non-Azure services or in DEV/TEST scenarios for quickly deployment Dapr components.
>
> In production scenarios, it is recommended to use [Azure Key Vault secret store](https://docs.dapr.io/reference/components-reference/supported-secret-stores/azure-keyvault/) with a [managed identity](https://docs.dapr.io/developing-applications/integrations/azure/azure-authentication/authenticating-azure/#about-authentication-with-azure-ad) instead and to not store secrets as Kubernetes secrets.
>
> TODO Add managed identity bonus assignment
>
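Review bot: step numbers are hard-coded in this include ("step 3", "step 1") while the heading uses `{{stepNumber}}`; if the setup include is ever started from a different `stepNumber`, these references go stale, so either derive them from `stepNumber` or refer to the steps by name (the Key Vault step, the AD application step). The file name `dapr/aca-azure-keyvault-secretstore.yam` is missing its final `l` (the next line spells it `.yaml`). The `TODO Add managed identity bonus assignment` line sits inside the `.important-title` callout and renders for readers; track it in an issue and drop it from the page. Typos in the callout: `environmnet`, "for quickly deployment" (for quick deployment).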

View file

@ -0,0 +1,28 @@
In this step, you will rebuild and redeploy the `FineCollectionService` to use the secret store (i.e. Azure Key Vault) to get the license key of the fine calculator.
1. Delete the image from local docker:
```bash
docker rmi fine-collection-service:1.0-SNAPSHOT
```
1. In the root folder of `FineCollectionService`, run the following command to build and push the image:
```bash
mvn spring-boot:build-image
docker tag fine-collection-service:1.0-SNAPSHOT "$CONTAINER_REGISTRY.azurecr.io/fine-collection-service:3.0"
docker push "$CONTAINER_REGISTRY.azurecr.io/fine-collection-service:3.0"
```
Where `$CONTAINER_REGISTRY` is the name of your Azure Container Registry.
1. Update `FineCollectionService` container app with the new image:
```bash
az containerapp update \
--name ca-fine-collection-service \
--resource-group rg-dapr-workshop-java \
--image "$CONTAINER_REGISTRY.azurecr.io/fine-collection-service:3.0"
```
Where `$CONTAINER_REGISTRY` is the name of your Azure Container Registry.
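Review bot: the sentence "Where `$CONTAINER_REGISTRY` is the name of your Azure Container Registry." appears twice, after the push block and again after the update block; keep the first. It would also help to say that `az containerapp update --image` creates a new revision, because the revision-restart steps later in this commit select a revision by name and the reader needs to know the list may now hold more than one.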

View file

@ -0,0 +1,50 @@
1. Open the file `dapr/components/aca-azure-servicebus-pubsub.yaml` (created in assignment 3) in your code editor, and inspect it.
1. Add the following line after`version: v1`:
```yaml
secretStoreComponent: "secretstore"
```
This tells Dapr to use the secret store component `secretstore` to retrieve the secret.
1. **Replace** value:
```yaml
value: "Endpoint=sb://{ServiceBusNamespace}.servicebus.windows.net/;SharedAccessKeyName={PolicyName};SharedAccessKey={Key};EntityPath={ServiceBus}"
```
with:
```yaml
secretRef: azSericeBusconnectionString
```
This tells Dapr to use the secret `azSericeBusconnectionString` from the secret store.
It should look like:
```yaml
componentType: pubsub.azure.servicebus
version: v1
secretStoreComponent: "secretstore"
metadata:
- name: connectionString
secretRef: azSericeBusconnectionString
scopes:
- traffic-control-service
- fine-collection-service
```
1. **Update** Darp component using the following command in the root of the project:
```bash
az containerapp env dapr-component set \
--name cae-dapr-workshop-java \
--resource-group rg-dapr-workshop-java \
--dapr-component-name pubsub \
--yaml ./dapr/components/aca-azure-servicebus-pubsub.yaml
```
{: .note }
> To know more about how to use a secret in a Dapr component with Azure Container Apps, please refer to [this documentation](https://learn.microsoft.com/en-us/azure/container-apps/dapr-overview?tabs=bicep1%2Cyaml#referencing-dapr-secret-store-components).
>
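Review bot: the replaced `value:` line carried a full connection string including `SharedAccessKey={Key}`; if the assignment-3 copy of `aca-azure-servicebus-pubsub.yaml` was ever committed with a real key, moving the value into Key Vault does not remove it from git history, so a sentence recommending rotation of the shared access policy key after the switch belongs here. Also state that `secretStoreComponent: "secretstore"` must match the `--dapr-component-name` used to deploy the secret store component. Typos: missing space in "after`version: v1`", `Darp` (Dapr).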

View file

@ -0,0 +1,49 @@
1. Run the following command to identify the running revision of fine collection service container apps:
- Linux/Unix shell:
```bash
FINE_COLLECTION_SERVICE_REVISION=$(az containerapp revision list -n ca-fine-collection-service -g rg-dapr-workshop-java --query "[0].name" -o tsv)
echo $FINE_COLLECTION_SERVICE_REVISION
```
- Powershell:
```powershell
$FINE_COLLECTION_SERVICE_REVISION = az containerapp revision list -n ca-fine-collection-service -g rg-dapr-workshop-java --query "[0].name" -o tsv
$FINE_COLLECTION_SERVICE_REVISION
```
1. Restart fine collection service revision:
```bash
az containerapp revision restart \
--name ca-fine-collection-service \
--resource-group rg-dapr-workshop-java \
--revision $FINE_COLLECTION_SERVICE_REVISION
```
1. Run the following command to identify the running revision of traffic control service container apps:
- Linux/Unix shell:
```bash
TRAFFIC_CONTROL_SERVICE_REVISION=$(az containerapp revision list -n ca-traffic-control-service -g rg-dapr-workshop-java --query "[0].name" -o tsv)
echo $TRAFFIC_CONTROL_SERVICE_REVISION
```
- Powershell:
```powershell
$TRAFFIC_CONTROL_SERVICE_REVISION = az containerapp revision list -n ca-traffic-control-service -g rg-dapr-workshop-java --query "[0].name" -o tsv
$TRAFFIC_CONTROL_SERVICE_REVISION
```
1. Restart traffic control service revision:
```bash
az containerapp revision restart \
--name ca-traffic-control-service \
--resource-group rg-dapr-workshop-java \
--revision $TRAFFIC_CONTROL_SERVICE_REVISION
```
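Review bot: `--query "[0].name"` takes whichever revision the list returns first, which is not guaranteed to be the active one, and after the `az containerapp update --image` earlier in this commit there are at least two revisions for the fine collection service; filtering on the active flag (for example `--query "[?properties.active].name"`) and restarting every active revision is more robust. A sentence explaining why the restart is needed at all (the Dapr sidecar loads its components at startup, so the changed `pubsub` component is not picked up until the revision restarts) would also help readers.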

View file

@ -21,7 +21,7 @@ has_toc: true
{:toc}
</details>
This bonus assignment is about using Azure Cosmos DB as a [state store](https://docs.dapr.io/operations/components/setup-state-store/) for the `TrafficControlService` instead of keeping the sate in memory. You will use the [Azure Cosmos DB state store component](https://docs.dapr.io/reference/components-reference/supported-state-stores/setup-azure-cosmosdb/) provided by Dapr.
This bonus assignment is about using [Azure Cosmos DB](https://learn.microsoft.com/en-us/azure/cosmos-db/) as a [state store](https://docs.dapr.io/operations/components/setup-state-store/) for the `TrafficControlService` instead of keeping the sate in memory. You will use the [Azure Cosmos DB state store component](https://docs.dapr.io/reference/components-reference/supported-state-stores/setup-azure-cosmosdb/) provided by Dapr.
## Step 1: Create an Azure Cosmos DB
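Review bot: the rewritten line keeps the typo "keeping the sate in memory" (state); fix it while touching the line.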

View file

@ -21,7 +21,7 @@ has_toc: true
{:toc}
</details>
In this assignment, you will deploy the Azure Cosmos DB state store to Azure Kubernetes Service (AKS). You will use the [Azure Cosmos DB state store component](https://docs.dapr.io/reference/components-reference/supported-state-stores/setup-azure-cosmosdb/) provided by Dapr.
In this bonus assignment, you will deploy the Azure Cosmos DB state store to Azure Kubernetes Service (AKS). You will use the [Azure Cosmos DB state store component](https://docs.dapr.io/reference/components-reference/supported-state-stores/setup-azure-cosmosdb/) provided by Dapr.
{: .important-title }
> Pre-requisite

View file

@ -21,7 +21,7 @@ has_toc: true
{:toc}
</details>
In this assignment, you will deploy the Azure Cosmos DB state store to Azure Container Apps (ACA). You will use the [state management building block](https://docs.dapr.io/developing-applications/building-blocks/state-management/state-management-overview/) provided by Dapr.
In this bonus assignment, you will deploy the Azure Cosmos DB state store to Azure Container Apps (ACA). You will use the [state management building block](https://docs.dapr.io/developing-applications/building-blocks/state-management/state-management-overview/) provided by Dapr.
{: .important-title }
> Pre-requisite

View file

@ -8,7 +8,7 @@ layout: default
# Using Azure Cosmos DB as a state store
This bonus assignment is about using Azure Cosmos DB as a [state store](https://docs.dapr.io/operations/components/setup-state-store/) for the `TrafficControlService`. You will use the [Azure Cosmos DB state store component](https://docs.dapr.io/reference/components-reference/supported-state-stores/setup-azure-cosmosdb/) provided by Dapr.
This bonus assignment is about using [Azure Cosmos DB](https://learn.microsoft.com/en-us/azure/cosmos-db/) as a [state store](https://docs.dapr.io/operations/components/setup-state-store/) for the `TrafficControlService`. You will use the [Azure Cosmos DB state store component](https://docs.dapr.io/reference/components-reference/supported-state-stores/setup-azure-cosmosdb/) provided by Dapr.
{: .important-title }
> Pre-requisite

View file

@ -1,153 +0,0 @@
---
title: Setup Azure Keyvault as a secret store
parent: Use Azure Keyvault as a secret store
grand_parent: Bonus Assignments
has_children: false
nav_order: 1
layout: default
has_toc: true
---
# Setup Azure Key Vault as a secret store
{: .no_toc }
<details open markdown="block">
<summary>
Table of contents
</summary>
{: .text-delta }
- TOC
{:toc}
</details>
This bonus assignment is about using Azure Key Vault as a [secret store](https://docs.dapr.io/operations/components/setup-secret-store/). You will create the [Azure Key Vault secret store component](https://docs.dapr.io/reference/components-reference/supported-secret-stores/azure-keyvault/) provided by Dapr.
## Step 1: Create an Azure AD application
1. Open a terminal window.
1. Create an Azure AD application
```bash
az ad app create --display-name dapr-java-workshop-fine-collection-service
```
1. Get the application ID and note it down. You will need it in the next step.
```bash
az ad app list --display-name dapr-java-workshop-fine-collection-service --query [].appId -o tsv
```
1. Create the client secret using the following command and replace `<appId>` with the application ID you noted down in the previous step:
```bash
az ad app credential reset --id <appId> --years 2
```
Take note of the values above, which will be used in the Dapr component's metadta to allow Dapr to authenticate with Azure:
- `appId` is the value for `azureClientId`
- `password` is the value for `azureClientSecret`
- `tenant` is the value for `azureTenantId`
## Step 2: Create a Service Principal
1. Create a Service Principal using the following command and replace `<appId>` with the application ID you noted down in the previous step:
```bash
az ad sp create --id <appId>
```
1. Get the Service Principal ID and note it down. You will need it to assign the role to access the Key Vault.
```bash
az ad sp list --display-name dapr-java-workshop-fine-collection-service --query [].id -o tsv
```
## Step 3: Create an Azure Key Vault
1. Open a terminal window.
1. [Azure Key Vault](https://learn.microsoft.com/en-us/azure/key-vault/general/) is a manage service to securely store and access secrets. This key vault needs to be globally unique. Use the following command to generate a unique name:
- Linux/Unix shell:
```bash
UNIQUE_IDENTIFIER=$(LC_ALL=C tr -dc a-z0-9 </dev/urandom | head -c 5)
KEY_VAULT="kv-daprworkshopjava$UNIQUE_IDENTIFIER"
echo $KEY_VAULT
```
- PowerShell:
```powershell
$ACCEPTED_CHAR = [Char[]]'abcdefghijklmnopqrstuvwxyz0123456789'
$UNIQUE_IDENTIFIER = (Get-Random -Count 5 -InputObject $ACCEPTED_CHAR) -join ''
$KEY_VAULT = "kv-daprworkshopjava$UNIQUE_IDENTIFIER"
$KEY_VAULT
```
1. Create an Azure Key Vault
```bash
az keyvault create --name $KEY_VAULT --resource-group rg-dapr-workshop-java --location eastus --enable-rbac-authorization true
```
1. Get the id of the subscription and note it down. You will need it in the next step.
```bash
az account show --query id -o tsv
```
1. Assign a role using RBAC to the Azure AD application to access the Key Vault. The role "Key Vault Secrets User" is sufficient for this workshop. Replace `<servicePrincipalId>` with the Service Principal ID you noted down and `<subscriptionId>` with the value you noted in the previous step:
```bash
az role assignment create --role "Key Vault Secrets User" --assignee <servicePrincipalId> --scope "/subscriptions/<subscriptionid>/resourcegroups/dapr-workshop-java/providers/Microsoft.KeyVault/vaults/$KEY_VAULT"
```
## Step 4: Create a secret in the Azure Key Vault
The service principal created in the previous steps has the role `Key Vault Secrets User` assigned. It means this service principal can only read secrets.
To create a secret in the Azure Key Vault, you can use the Azure Portal or the Azure CLI. In this workshop, you will use the Azure CLI. First you need to assign you the role of `Key Vault Secrets Officer` to be able to create secrets in the Key Vault. To know more about the different roles, see [Azure built-in roles for Key Vault data plane operations](https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli#azure-built-in-roles-for-key-vault-data-plane-operations).
To assign to you the role of `Key Vault Secrets Officer`, follow these steps:
1. Open a terminal window.
1. Get your user id and note it down. You will need it in the next step.
```bash
az ad user show --id <your-email-address> --query id -o tsv
```
Replace `<your-email-address>` with your email address.
1. Assign you `Key Vault Secrets Officer` role:
```bash
az role assignment create --role "Key Vault Secrets Officer" --assignee <userId> --scope "/subscriptions/<subscriptionid>/resourcegroups/dapr-workshop-java/providers/Microsoft.KeyVault/vaults/$KEY_VAULT"
```
Replace `<userId>` with the value you noted down in the previous step.
To create a secret in the Azure Key Vault, use the following command and replace `<secret-name>` and `<secret-value>` with the name and value of the secret you want to create:
```bash
az keyvault secret set --vault-name $KEY_VAULT --name <secret-name> --value <secret-value>
```
## Step 5: Set the Azure Key Vault secret store component
1. **Copy or Move** this file `dapr/azure-keyvault-secretstore.yam` to `dapr/components/` folder.
1. Open the copied file `dapr/components/azure-keyvault-secretstore.yaml` in your code editor.
1. Set the following values in the metadata section of the component:
- `azureTenantId`: The value for `tenant` you noted down in step 1.
- `azureClientId`: The value for `appId` you noted down in step 1.
- `azureClientSecret`: The value for `password` you noted down in step 1.
{: .important }
> Certificate can be used instead of client secret, see [Azure Key Vault secret store](https://docs.dapr.io/reference/components-reference/supported-secret-stores/azure-keyvault/).
>
> When deployed to Azure Kubernetes Service, the client secret is a kubernetes secret and not set in the component's YAML file. See the *Kubernetes* tab in *Configure the component* of [Azure Key Vault secret store](https://docs.dapr.io/reference/components-reference/supported-secret-stores/azure-keyvault/).
>
> When deployed to Azure Kubernetes Service or Azure Container Apps, managed identity can be used instead of client secret. See [Using Managed Service Identities](https://docs.dapr.io/developing-applications/integrations/azure/authenticating-azure/#using-managed-service-identities).
>
<!-- ----------------------------- NAVIGATION ------------------------------ -->
<span class="fs-3">
[Retreive a secret in the application]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/2-azure-key-vault-secret-store-code.md %}){: .btn .mt-7 }
</span>
<span class="fs-3">
[Reference a secret in a component]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/3-azure-key-vault-secret-store-component.md %}){: .btn .ml-3 }
</span>
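Review bot: this removes `1-azure-key-vault-secret-store-setup.md`, and the navigation block at the end shows the `2-azure-key-vault-secret-store-code.md` and `3-azure-key-vault-secret-store-component.md` pages are being renamed as well; Jekyll's `{% link %}` tag fails the build on a missing target, so grep the site for the three old file names (index pages, pre-requisite callouts, redirects) and update any remaining reference in the same commit.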

View file

@ -0,0 +1,59 @@
---
title: Setup Azure Key Vault as a secret store
parent: Using Azure Key Vault as a secret store
grand_parent: Bonus Assignments
has_children: false
nav_order: 1
layout: default
has_toc: true
---
# Setup Azure Key Vault as a secret store
{: .no_toc }
<details open markdown="block">
<summary>
Table of contents
</summary>
{: .text-delta }
- TOC
{:toc}
</details>
This bonus assignment is about using Azure Key Vault as a [secret store](https://docs.dapr.io/operations/components/setup-secret-store/). You will create the [Azure Key Vault secret store component](https://docs.dapr.io/reference/components-reference/supported-secret-stores/azure-keyvault/) provided by Dapr.
<!-- ------------------------ SETUP AZURE KEYVAULT ------------------------- -->
{% assign stepNumber = 1 %}
{% include 09-bonus-assignments/03-secret-store/1-setup-azure-key-vault.md %}
{% assign stepNumber = stepNumber | plus: 1 %}
## Step {{stepNumber}}: Set the Azure Key Vault secret store component
1. **Copy or Move** this file `dapr/azure-keyvault-secretstore.yam` to `dapr/components/` folder.
1. Open the copied file `dapr/components/azure-keyvault-secretstore.yaml` in your code editor.
1. Set the following values in the metadata section of the component:
- `vaultName`: The name of the Azure Key Vault you created in step 3.
- `azureTenantId`: The value for `tenant` you noted down in step 1.
- `azureClientId`: The value for `appId` you noted down in step 1.
- `azureClientSecret`: The value for `password` you noted down in step 1.
{: .important }
> Certificate can be used instead of client secret, see [Azure Key Vault secret store](https://docs.dapr.io/reference/components-reference/supported-secret-stores/azure-keyvault/).
>
> When deployed to Azure Kubernetes Service, the client secret is a kubernetes secret and not set in the component's YAML file. See the *Kubernetes* tab in *Configure the component* of [Azure Key Vault secret store](https://docs.dapr.io/reference/components-reference/supported-secret-stores/azure-keyvault/).
>
> When deployed to Azure Kubernetes Service and Azure Container Apps, managed identity can should used instead of client secret for production workloads. See [Using Managed Service Identities](https://docs.dapr.io/developing-applications/integrations/azure/azure-authentication/authenticating-azure/#about-authentication-with-azure-ad).
>
<!-- ----------------------------- NAVIGATION ------------------------------ -->
<span class="fs-3">
[Retreive a secret in the application]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/2-use-secret-store-in-code.md %}){: .btn .mt-7 }
</span>
<span class="fs-3">
[Reference a secret in a component]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/3-use-secret-in-dapr-component.md %}){: .btn .ml-3 }
</span>
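Review bot: "managed identity can should used instead of client secret" in the `.important` callout needs fixing ("should be used"), and since this page tells the reader to paste `azureClientSecret` directly into `dapr/components/azure-keyvault-secretstore.yaml` for the local run, the callout or the copy step should say that this file must not be committed. Same `.yam` extension typo as in the ACA include, and "Retreive" in the first navigation button. The metadata list here sets `azureClientSecret` inline while the ACA template in this commit references it through `secretRef` from a `secrets:` block; one sentence on why the two variants differ would stop readers from mixing them up.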

View file

@ -1,159 +0,0 @@
---
title: Retrieve a secret in the application
parent: Use Azure Keyvault as a secret store
grand_parent: Bonus Assignments
has_children: false
nav_order: 2
layout: default
has_toc: true
---
# Retrieve a secret in the application
{: .no_toc }
<details open markdown="block">
<summary>
Table of contents
</summary>
{: .text-delta }
- TOC
{:toc}
</details>
Previously, you have created an Azure Key Vault and added the Dapr component. Now, you will use the secret in the application. This bonus assignment is about using Azure Key Vault as a [secret store](https://docs.dapr.io/operations/components/setup-secret-store/) for the `FineCollectionService` to get the license key.
{: .important-title }
> Pre-requisite
>
> If the setup of the Azure Key Vault is not done yet, please follow the instructions in [Part 1 - Setup Azure Key Vault as a secret store]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/1-azure-key-vault-secret-store-setup.md %}).
>
## Step 1: Create a secret in the Azure Key Vault for the license key
1. Open a terminal window.
1. Create a secret in the Azure Key Vault for the license key:
```bash
az keyvault secret set --vault-name $KEY_VAULT --name license-key --value HX783-5PN1G-CRJ4A-K2L7V
```
## Step 2: Use the secret in the application `FineCollectionService`
1. Open the file `FineCollectionService/src/main/java/dapr/fines/fines/DaprCalulator.java` in your code editor, and inspect it.
1. It implements the `FineCalculator` interface, which is used by the `FineCollectionService` to calculate the fine for a car. The `FineCalculator` interface has a method `calculateFine` that takes the `excessSpeed` as input and returns the amount of the fine as output. If the excess speed is too high, it return `-1`.
The object `FineFines` that computes the fine requires a license Key. The license key is used to validate the license of the fine calculator. This `DaprFineCalculator` is getting the license key from the secret store when the `FineCalculator` bean is created in the class `FineCollectionConfiguration`. The license key is stored in the secret store with the name `license-key`.
```java
public class DaprFineCalculator implements FineCalculator {
private final String fineCalculatorLicenseKey;
private final FineFines fineFines;
public DaprFineCalculator(final DaprClient daprClient) {
if (daprClient == null) {
throw new IllegalArgumentException("daprClient");
}
final Map<String, String> licenseKeySecret = daprClient.getSecret("secretstore", "license-key").block();
if (licenseKeySecret == null || licenseKeySecret.isEmpty()) {
throw new RuntimeException("'license-key' is not part of the secret store.");
}
this.fineCalculatorLicenseKey = licenseKeySecret.get("license-key");
this.fineFines = new FineFines();
}
@Override
public int calculateFine(final int excessSpeed) {
return fineFines.calculateFine(this.fineCalculatorLicenseKey, excessSpeed);
}
}
```
1. Open the file `FineCollectionService/src/main/java/dapr/fines/FineCollectionConfiguration.java` in your code editor.
1. **Comment out** the following lines as the license key is now retrieved from the secret store instead of the environment variable:
```java
@Value("${finefines.license-key}")
private String fineCalculatorLicenseKey;
```
1. **Comment out** the following @Bean method that creates the bean `FineCalculator`:
```java
@Bean
public FineCalculator fineCalculator() {
return new DefaultFineCalculator(fineCalculatorLicenseKey);
}
```
1. **Uncomment** the following @Bean method that creates the bean `FineCalculator`:
```java
// @Bean
// public FineCalculator fineCalculator(final DaprClient daprClient) {
// return new DaprFineCalculator(daprClient);
// }
```
This method requires the `DaprClient` as input.
1. **Uncomment** the following @Bean method that creates the bean `DaprClient`:
```java
// @Bean
// public DaprClient daprClient() {
// return new DaprClientBuilder().build();
// }
```
## Step 3: Test the application
You're going to start all the services now.
1. Make sure no services from previous tests are running (close the command-shell windows).
1. Open the terminal window and make sure the current folder is `VehicleRegistrationService`.
1. Enter the following command to run the VehicleRegistrationService:
```bash
mvn spring-boot:run
```
1. Open a **new** terminal window and change the current folder to `FineCollectionService`.
1. Enter the following command to run the FineCollectionService with a Dapr sidecar:
* Ensure you have run `dapr init` command prior to running the below command
```bash
dapr run --app-id finecollectionservice --app-port 6001 --dapr-http-port 3601 --dapr-grpc-port 60001 --components-path ../dapr/components mvn spring-boot:run
```
1. Open a **new** terminal window and change the current folder to `TrafficControlService`.
1. Enter the following command to run the TrafficControlService:
```bash
mvn spring-boot:run
```
1. Open a **new** terminal window and change the current folder to `Simulation`.
1. Start the simulation:
```bash
mvn spring-boot:run
```
You should see the same logs as **Assignment 1**. Obviously, the behavior of the application is exactly the same as before.
{: .important-title }
> Cleanup
>
> When the workshop is done, please follow the [cleanup instructions]({{ site.baseurl }}{% link modules/10-cleanup/index.md %}) to delete the resources created in this workshop.
>
<!-- ----------------------------- NAVIGATION ------------------------------ -->
<span class="fs-3">
[< Secret Store setup]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/1-azure-key-vault-secret-store-setup.md %}){: .btn .mt-7 }
</span>
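Review bot: the file path in the Step 2 instruction, `FineCollectionService/src/main/java/dapr/fines/fines/DaprCalulator.java`, does not match the class shown directly below it, `DaprFineCalculator`, so a reader following the instruction will not find the file. If this copy of the page is the one kept after the rename, the two links to `1-azure-key-vault-secret-store-setup.md` (pre-requisite note and navigation button) also need to become `1-setup-azure-key-vault.md`, the target every other page in this commit uses. Two smaller points in the same region: "it return `-1`" should read "it returns `-1`", and `getSecret("secretstore", "license-key")` hard-codes the store name, which must match the `name` of the secret store component loaded from `../dapr/components` in Step 3; a mismatch only shows up at runtime as the `RuntimeException` thrown in the constructor.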

@ -0,0 +1,85 @@
---
title: Retrieve a secret in the application
parent: Using Azure Key Vault as a secret store
grand_parent: Bonus Assignments
has_children: false
nav_order: 2
layout: default
has_toc: true
---
# Retrieve a secret in the application
{: .no_toc }
<details open markdown="block">
<summary>
Table of contents
</summary>
{: .text-delta }
- TOC
{:toc}
</details>
Previously, you have created an Azure Key Vault and added the Dapr component. Now, you will use the [secret in the application](https://docs.dapr.io/developing-applications/building-blocks/secrets/howto-secrets/). This bonus assignment is about using Azure Key Vault as a [secret store](https://docs.dapr.io/operations/components/setup-secret-store/) for the `FineCollectionService` to get the license key of the fine calculator.
{: .important-title }
> Pre-requisite
>
> If the setup of the Azure Key Vault is not done yet, please follow the instructions in [Setup Azure Key Vault as a secret store]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/1-setup-azure-key-vault.md %}).
>
<!-- -------------------- CREATE SECRET AND UPDATE CODE -------------------- -->
{% include 09-bonus-assignments/03-secret-store/2-use-secret-store-in-code.md %}
## Step 3: Test the application
You're going to start all the services now.
1. Make sure no services from previous tests are running (close the command-shell windows).
1. Open the terminal window and make sure the current folder is `VehicleRegistrationService`.
1. Enter the following command to run the VehicleRegistrationService:
```bash
mvn spring-boot:run
```
1. Open a **new** terminal window and change the current folder to `FineCollectionService`.
1. Enter the following command to run the FineCollectionService with a Dapr sidecar:
* Ensure you have run `dapr init` command prior to running the below command
```bash
dapr run --app-id finecollectionservice --app-port 6001 --dapr-http-port 3601 --dapr-grpc-port 60001 --components-path ../dapr/components mvn spring-boot:run
```
1. Open a **new** terminal window and change the current folder to `TrafficControlService`.
1. Enter the following command to run the TrafficControlService:
```bash
mvn spring-boot:run
```
1. Open a **new** terminal window and change the current folder to `Simulation`.
1. Start the simulation:
```bash
mvn spring-boot:run
```
You should see the same logs as **Assignment 1**. Obviously, the behavior of the application is exactly the same as before.
<!-- ----------------------------- NAVIGATION ------------------------------ -->
<span class="fs-3">
[Reference a secret in a component]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/3-use-secret-in-dapr-component.md %}){: .btn .mt-7 }
</span>
<span class="fs-3">
[Deploy to ACA]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/5-deploying-to-aca.md %}){: .btn }
</span>
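Review bot: the test procedure under "## Step 3: Test the application" duplicates verbatim the one in the previous file, while this page already pulls Steps 1 and 2 from an include; moving the test steps into a shared include (the ACA pages in this commit do this with `05-assignment-5-aks-aca/02-aca/0-3-test-application.md`) keeps the copies from drifting apart, for example when the `dapr run` port numbers or the `--components-path` value change. Also, the "* Ensure you have run `dapr init` command" bullet sits between the numbered item and its code fence, which breaks the list indentation in the rendered page; place it as a note before the list or indent it under the item.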

@ -1,6 +1,6 @@
---
title: Reference a secret in components
parent: Use Azure Keyvault as a secret store
title: Reference a secret in Dapr components
parent: Using Azure Key Vault as a secret store
grand_parent: Bonus Assignments
has_children: false
nav_order: 3
@ -8,7 +8,7 @@ layout: default
has_toc: true
---
# Reference a secret in components
# Reference a secret in Dapr components
{: .no_toc }
@ -21,27 +21,20 @@ has_toc: true
{:toc}
</details>
Previously, you have created an Azure Key Vault and added the Dapr component. Now, you will use the secret in the application. This bonus assignment is about using Azure Key Vault as a [secret store](https://docs.dapr.io/operations/components/setup-secret-store/) to store the connection string of the Azure Service Bus.
Previously, you have created an Azure Key Vault and added the Dapr component. Now you will [use a secret from a secret store in another Dapr component](https://docs.dapr.io/operations/components/component-secrets/). This bonus assignment is about using Azure Key Vault as a [secret store](https://docs.dapr.io/operations/components/setup-secret-store/) to store the connection string of the Azure Service Bus and use it in the `pubsub` component.
{: .important-title }
> Pre-requisite
>
> If the setup of the Azure Key Vault is not done yet, please follow the instructions in [Part 1 - Setup Azure Key Vault as a secret store]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/1-azure-key-vault-secret-store-setup.md %}).
> If the setup of the Azure Key Vault is not done yet, please follow the instructions in [Setup Azure Key Vault as a secret store]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/1-setup-azure-key-vault.md %}).
>
> The `Assignment 3 - Setup Azure Service Bus` is also a pre-requisite for this assignment. If not done yet, please follow the instructions in [Assignment 3 - Setup Azure Service Bus]({{ site.baseurl }}{% link modules/03-assignment-3-azure-pub-sub/1-azure-service-bus.md %}).
>
## Step 1: Create a secret in the Azure Key Vault for the connetion string
<!-- ------------------------ SET CONNECTION STRING ------------------------ -->
Azure Service Bus' connection string will be store as a string/literal secret:
1. Open a terminal window.
1. Create a secret in the Azure Key Vault for Azure Service Bus' connection string:
```bash
az keyvault secret set --vault-name $KEY_VAULT --name azSericeBusconnectionString --value "<connection-string>"
```
Replace `<connection-string>` with the connection string of the Azure Service Bus created in assignement 3.
{% include 09-bonus-assignments/03-secret-store/3-1-create-sb-connection-string-secret.md %}
## Step 2: Use the secret in the application `FineCollectionService`
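Review bot: the heading left at the end of this hunk, "## Step 2: Use the secret in the application `FineCollectionService`", belongs to the application-code page; this page, per its own rewritten intro, references the Service Bus connection string from the `pubsub` component definition, so the heading should say that. With the Step 1 heading and the `az keyvault secret set` command now coming from the `3-1-create-sb-connection-string-secret.md` include, check that the include spells the secret name consistently (the removed command used `azSericeBusconnectionString`) and that the secret reference in the `pubsub` component uses the same name; a mismatch only surfaces when the sidecar fails to load the component.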
@ -67,8 +60,8 @@ Azure Service Bus' connection string will be store as a string/literal secret:
auth:
secretStore: secretstore
```
This tells Dapr to use the secret store component `secretstore` to retrieve the secret.
This tells Dapr to use the secret store component `secretstore` to retrieve the secret.
## Step 3: Test the application
@ -127,5 +120,8 @@ You should see the same logs as **Assignment 3** with Azure Service Bus. Obvious
<!-- ----------------------------- NAVIGATION ------------------------------ -->
<span class="fs-3">
[< Secret Store setup]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/1-azure-key-vault-secret-store-setup.md %}){: .btn .mt-7 }
[Retreive a secret in the application]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/2-use-secret-store-in-code.md %}){: .btn .mt-7 }
</span>
<span class="fs-3">
[Deploy to ACA]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/5-deploying-to-aca.md %}){: .btn }
</span>
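Review bot: the new button label "Retreive a secret in the application" misspells "Retrieve"; the same misspelling appears in the navigation buttons of the new ACA pages (`1-setup-azure-key-vault.md` and `3-use-secret-in-dapr-component.md`), while the title of `2-use-secret-store-in-code.md` spells it correctly, so align the labels with the title.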

@ -0,0 +1,89 @@
---
title: Deploying Azure Key Vault secret store to Azure Container Apps
parent: Using Azure Key Vault as a secret store
grand_parent: Bonus Assignments
has_children: false
nav_order: 5
layout: default
has_toc: true
---
# Deploying Azure Key Vault secret store to Azure Container Apps
{: .no_toc }
<details open markdown="block">
<summary>
Table of contents
</summary>
{: .text-delta }
- TOC
{:toc}
</details>
In this bonus assignment, you will deploy the Azure Key Vault secret store to Azure Container Apps. You will use the [secret management building block](https://docs.dapr.io/developing-applications/building-blocks/secrets/) provided by Dapr. The first step is the deployment of the `secretstore` component to Azure Container Apps.
It is followed by 2 steps that can be done in any order (at least one of them must be done):
- a. Deploy `FineCollectionService` to use the secret store for the license key of fine calculator
- b. Use the secret store for the service bus connection string of the `pubsub` component
{: .important-title }
> Pre-requisite
>
> If the setup of the Azure Key Vault is not done yet, please follow the instructions in [Setup Azure Key Vault as a secret store]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/1-setup-azure-key-vault.md %}).
>
<!-- ---------------- DEPLOY SECRET STORE COMPONENT TO ACA ----------------- -->
{% assign stepNumber = 1 %}
{% include 09-bonus-assignments/03-secret-store/5-1-deploy-secret-store-component-to-aca.md %}
## Step 2: Deploy to Azure Container Apps
### Step 2.a: Retrieve a secret in the application
{: .important-title }
> Pre-requisite
>
> The second part [Retrieve a secret in the application]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/2-use-secret-store-in-code.md %}) is a pre-requisite for this step.
>
To deploy the retrieving of the license key of the fine calculator to Azure Container Apps, you will need to update the `FineCollectionService` container app to use the secret store for the license key of fine calculator.
#### Build and redeploy fine collection service
{% include 09-bonus-assignments/03-secret-store/5-2-a-rebuild-fine-collection-service.md %}
### Step 2.b: Reference a secret in Dapr components
{: .important-title }
> Pre-requisite
>
> The third part [Reference a secret in Dapr components]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/3-use-secret-in-dapr-component.md %}) is a pre-requisite for this step.
>
#### Use a secret in `pubsub` component
{% include 09-bonus-assignments/03-secret-store/5-2-b-1-use-secret-in-pubsub.md %}
#### Restart `FineCollectionService` and `TrafficControlService`
{% include 09-bonus-assignments/03-secret-store/5-2-b-2-restart-services.md %}
<!-- -------------------------------- TEST --------------------------------- -->
{% assign stepNumber = 3 %}
{% include 05-assignment-5-aks-aca/02-aca/0-3-test-application.md %}
{: .important-title }
> Cleanup
>
> When the workshop is done, please follow the [cleanup instructions]({{ site.baseurl }}{% link modules/10-cleanup/index.md %}) to delete the resources created in this workshop.
>
<!-- ----------------------------- NAVIGATION ------------------------------ -->
<span class="fs-3">
[< Secret Store setup]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/1-setup-azure-key-vault.md %}){: .btn .mt-7 }
</span>
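Review bot: `{% assign stepNumber = 1 %}` is set before the secret store include, but the headings that follow hard-code "Step 2" and the test include is fed a fresh `{% assign stepNumber = 3 %}`; the other new page in this commit derives the next number with `{% assign stepNumber = stepNumber | plus: 1 %}`, and using that here keeps the numbering correct if the include ever gains a step. A wording point in Step 2.a: "To deploy the retrieving of the license key of the fine calculator to Azure Container Apps" reads awkwardly; "To have the deployed `FineCollectionService` read the license key from the secret store, update its container app" says the same more directly.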

@ -1,16 +1,20 @@
---
title: Use Azure Keyvault as a secret store
title: Using Azure Key Vault as a secret store
parent: Bonus Assignments
has_children: true
nav_order: 3
layout: default
---
# Use Azure Keyvault as a secret store
# Using Azure Key Vault as a secret store
This bonus assignment is about using Azure Key Vault as a [secret store](https://docs.dapr.io/operations/components/setup-secret-store/) for the `FineCollectionService`. You will use the [Azure Key Vault secret store component](https://docs.dapr.io/reference/components-reference/supported-secret-stores/azure-keyvault/) provided by Dapr.
This bonus assignment is about using [Azure Key Vault](https://learn.microsoft.com/en-us/azure/key-vault/general/) as a [secret store](https://docs.dapr.io/operations/components/setup-secret-store/) for the `FineCollectionService`. You will use the [Azure Key Vault secret store component](https://docs.dapr.io/reference/components-reference/supported-secret-stores/azure-keyvault/) provided by Dapr.
The [first part]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/1-azure-key-vault-secret-store-setup.md %}) is the setup of the Azure Key Vault. The [second part]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/2-azure-key-vault-secret-store-code.md %}) is the configuration of the `FineCollectionService` to use the Azure Key Vault as a secret store for the license key of the fine calculator. The [third part]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/3-azure-key-vault-secret-store-component.md %}) is to use the secret store in the `FineCollectionService` and the `TrafficControllerService` to get the connection string for Azure Service Bus.
There are 3 main parts in this bonus assignment:
1. [Setup of the Azure Key Vault as a secret store]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/1-setup-azure-key-vault.md %})
2. [Update of `FineCollectionService` to retrieve the license key from the Azure Key Vault using Dapr secret store component]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/2-use-secret-store-in-code.md %}). The license key is used by the fine calculator engine
3. [Use secrets of Azure Key Vault in the definition of other components]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/3-use-secret-in-dapr-component.md %}). Using Dapr, component definitions can reference secrets in a secret store. This is used to reference the Azure Service Bus connection string and the Azure Cosmos DB master key in the definition of the Azure Service Bus and Azure Cosmos DB components
{: .important-title }
> Pre-requisite
@ -21,5 +25,5 @@ The [first part]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secre
<!-- ----------------------------- NAVIGATION ------------------------------ -->
<span class="fs-3">
[Let's start!]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/1-azure-key-vault-secret-store-setup.md %}){: .btn .mt-7 }
[Let's start!]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/1-setup-azure-key-vault.md %}){: .btn .mt-7 }
</span>
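Review bot: item 3 of the new parts list states that the Azure Cosmos DB master key is referenced in the Cosmos DB component definition, but the third part page in this commit only covers the Azure Service Bus connection string in the `pubsub` component (Cosmos DB is offered as an optional Challenge on the ACA version of that page); either scope the sentence to Service Bus or mark Cosmos DB as an optional extension, otherwise readers will look for a step that does not exist.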

@ -20,7 +20,7 @@ has_toc: true
{:toc}
</details>
This assignment is about using Azure Cosmos DB as a [state store](https://docs.dapr.io/operations/components/setup-state-store/) for the `TrafficControlService` instead of keeping the sate in memory. You will use the [Azure Cosmos DB state store component](https://docs.dapr.io/reference/components-reference/supported-state-stores/setup-azure-cosmosdb/) provided by Dapr. This is the third step to reach the final state of the application for this challenge. It is represented by the diagram below.
This assignment is about using [Azure Cosmos DB](https://learn.microsoft.com/en-us/azure/cosmos-db/) as a [state store](https://docs.dapr.io/operations/components/setup-state-store/) for the `TrafficControlService` instead of keeping the sate in memory. You will use the [Azure Cosmos DB state store component](https://docs.dapr.io/reference/components-reference/supported-state-stores/setup-azure-cosmosdb/) provided by Dapr. This is the third step to reach the final state of the application for this challenge. It is represented by the diagram below.
![Azure Container Apps Challenge - Third Deployment](../../../assets/images/aca-deployment-3.png)
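Review bot: the rewritten sentence keeps the typo "keeping the sate in memory" ("state"); since this line is already being touched to add the Cosmos DB link, fix it in the same change.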
@ -66,5 +66,5 @@ This assignment is about using Azure Cosmos DB as a [state store](https://docs.d
[< Assignment 5 - Service invocation]({{ site.baseurl }}{% link modules/11-aca-challenge/05-service-invocation/index.md %}){: .btn .mt-7 }
</span>
<span class="fs-3">
[Assignment 5 - Service invocation >]({{ site.baseurl }}{% link modules/11-aca-challenge/05-service-invocation/index.md %}){: .btn .float-right .mt-7 }
</span>
[Assignment 7 - Key Vault as a secret store >]({{ site.baseurl }}{% link modules/11-aca-challenge/07-secret-store/index.md %}){: .btn .float-right .mt-7 }
</span>

@ -0,0 +1,43 @@
---
title: Setup Azure Key Vault as a secret store
parent: Assignment 7 - Using Azure Key Vault as a secret store
grand_parent: Azure Container Apps Challenge
has_children: false
nav_order: 1
layout: default
has_toc: true
---
# Setup Azure Key Vault as a secret store
{: .no_toc }
<details open markdown="block">
<summary>
Table of contents
</summary>
{: .text-delta }
- TOC
{:toc}
</details>
The first part of this assignment is about using Azure Key Vault as a [secret store](https://docs.dapr.io/operations/components/setup-secret-store/). It consists in the creation of the Azure Key Vault resource and the deployment of [Azure Key Vault secret store component](https://docs.dapr.io/reference/components-reference/supported-secret-stores/azure-keyvault/) to Azure Container Apps environment.
<!-- ------------------------ SETUP AZURE KEYVAULT ------------------------- -->
{% assign stepNumber = 1 %}
{% include 09-bonus-assignments/03-secret-store/1-setup-azure-key-vault.md %}
<!-- ---------------- DEPLOY SECRET STORE COMPONENT TO ACA ----------------- -->
{% assign stepNumber = stepNumber | plus: 1 %}
{% include 09-bonus-assignments/03-secret-store/5-1-deploy-secret-store-component-to-aca.md %}
<!-- ----------------------------- NAVIGATION ------------------------------ -->
<span class="fs-3">
[< Assignment 7 - Key Vault as a secret store]({{ site.baseurl }}{% link modules/11-aca-challenge/07-secret-store/index.md %}){: .btn .mt-7 }
</span>
<span class="fs-3">
[Retreive a secret in the application >]({{ site.baseurl }}{% link modules/11-aca-challenge/07-secret-store/2-use-secret-store-in-code.md %}){: .btn .float-right .mt-7 }
</span>
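Review bot: in the intro paragraph, "It consists in the creation" should be "It consists of the creation", and "to Azure Container Apps environment" needs the article ("to the Azure Container Apps environment").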

@ -0,0 +1,46 @@
---
title: Retrieve a secret in the application
parent: Assignment 7 - Using Azure Key Vault as a secret store
grand_parent: Azure Container Apps Challenge
has_children: false
nav_order: 2
layout: default
has_toc: true
---
# Retrieve a secret in the application
{: .no_toc }
<details open markdown="block">
<summary>
Table of contents
</summary>
{: .text-delta }
- TOC
{:toc}
</details>
Previously, you have created an Azure Key Vault and added the Dapr component to Azure Container Apps environmnet. Now, you will use the [secret in the application](https://docs.dapr.io/developing-applications/building-blocks/secrets/howto-secrets/). This second part of the assignment is about using Azure Key Vault as a [secret store](https://docs.dapr.io/operations/components/setup-secret-store/) for the `FineCollectionService` to get the license key of the fine calculator.
<!-- -------------------- CREATE SECRET AND UPDATE CODE -------------------- -->
{% include 09-bonus-assignments/03-secret-store/2-use-secret-store-in-code.md %}
## Step 3: Build and redeploy fine collection service
{% include 09-bonus-assignments/03-secret-store/5-2-a-rebuild-fine-collection-service.md %}
<!-- -------------------------------- TEST --------------------------------- -->
{% assign stepNumber = 4 %}
{% include 05-assignment-5-aks-aca/02-aca/0-3-test-application.md %}
<!-- ----------------------------- NAVIGATION ------------------------------ -->
<span class="fs-3">
[< Setup Azure Key Vault]({{ site.baseurl }}{% link modules/11-aca-challenge/07-secret-store/1-setup-azure-key-vault.md %}){: .btn .mt-7 }
</span>
<span class="fs-3">
[Reference a secret in Dapr components >]({{ site.baseurl }}{% link modules/11-aca-challenge/07-secret-store/3-use-secret-in-dapr-component.md %}){: .btn .float-right .mt-7 }
</span>
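Review bot: "Azure Container Apps environmnet" in the intro paragraph should be "environment". Also, the hard-coded "## Step 3: Build and redeploy fine collection service" is correct only because the `2-use-secret-store-in-code.md` include hard-codes Steps 1 and 2; the other new ACA pages pass `stepNumber` to their includes, so either do the same here or note the coupling in a comment next to the include, so that a later change to the include does not silently renumber this page.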

@ -0,0 +1,53 @@
---
title: Reference a secret in Dapr components
parent: Assignment 7 - Using Azure Key Vault as a secret store
grand_parent: Azure Container Apps Challenge
has_children: false
nav_order: 3
layout: default
has_toc: true
---
# Reference a secret in Dapr components
{: .no_toc }
<details open markdown="block">
<summary>
Table of contents
</summary>
{: .text-delta }
- TOC
{:toc}
</details>
Previously, you have use a secret in `FineCollectionService` code using the `secretstore` component (i.e. Azure Key Vault). Now you will [use a secret from a secret store in another Dapr component](https://docs.dapr.io/operations/components/component-secrets/). This third part of the assignment is about using Azure Key Vault as a [secret store](https://docs.dapr.io/operations/components/setup-secret-store/) to store the connection string of the Azure Service Bus and use it in the `pubsub` component.
<!-- ------------------------ SET CONNECTION STRING ------------------------ -->
{% include 09-bonus-assignments/03-secret-store/3-1-create-sb-connection-string-secret.md %}
## Step 2: Use a secret in `pubsub` component
{% include 09-bonus-assignments/03-secret-store/5-2-b-1-use-secret-in-pubsub.md %}
## Step 3: Restart `FineCollectionService` and `TrafficControlService`
{% include 09-bonus-assignments/03-secret-store/5-2-b-2-restart-services.md %}
<!-- -------------------------------- TEST --------------------------------- -->
{% assign stepNumber = 4 %}
{% include 05-assignment-5-aks-aca/02-aca/0-3-test-application.md %}
{: .new-title }
> Challenge
>
> You can use the secret store to store Cosmos DB master key as well. Try it out! More information on Cosmos DB as a state store can be found in [Bonus Assignment: State Store]({{ site.baseurl }}{% link modules/09-bonus-assignments/02-state-store/index.md %}).
>
<!-- ----------------------------- NAVIGATION ------------------------------ -->
<span class="fs-3">
[< Retreive a secret in the application]({{ site.baseurl }}{% link modules/11-aca-challenge/07-secret-store/2-use-secret-store-in-code.md %}){: .btn .mt-7 }
</span>
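Review bot: "Previously, you have use a secret" should be "you have used a secret". The Challenge box invites storing the Cosmos DB master key in the secret store as well; since this page restarts both services right after the `pubsub` component is changed, the challenge text should say that the same restart of `TrafficControlService` is needed after the state store component is updated, otherwise the service keeps running with the old inline key.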

@ -0,0 +1,27 @@
---
title: Assignment 7 - Using Azure Key Vault as a secret store
parent: Azure Container Apps Challenge
has_children: true
nav_order: 8
layout: default
has_toc: true
---
This assignment is about using [Azure Key Vault](https://learn.microsoft.com/en-us/azure/key-vault/general/) as a [secret store](https://docs.dapr.io/operations/components/setup-secret-store/) for the `FineCollectionService`. You will use the [Azure Key Vault secret store component](https://docs.dapr.io/reference/components-reference/supported-secret-stores/azure-keyvault/) provided by Dapr. This the fourth and last step to reach the final state of the application for this challenge. It is represented in the diagram below.
![Final architecture of the challenge](../../../assets/images/fine-collection-service-secret-store.png)
There are 3 main parts in this assignment:
1. [Setup of the Azure Key Vault as a secret store]({{ site.baseurl }}{% link modules/11-aca-challenge/07-secret-store/1-setup-azure-key-vault.md %})
2. [Update of `FineCollectionService` to retrieve the license key from the Azure Key Vault using Dapr secret store component]({{ site.baseurl }}{% link modules/11-aca-challenge/07-secret-store/2-use-secret-store-in-code.md %}). The license key is used by the fine calculator engine
3. [Use secrets of Azure Key Vault in the definition of other components]({{ site.baseurl }}{% link modules/11-aca-challenge/07-secret-store/3-use-secret-in-dapr-component.md %}). Using Dapr, component definitions can reference secrets in a secret store. This is used to reference the Azure Service Bus connection string and the Azure Cosmos DB master key in the definition of the Azure Service Bus and Azure Cosmos DB components
<!-- ----------------------------- NAVIGATION ------------------------------ -->
<span class="fs-3">
[< Assignment 6 - Cosmos DB as a state store]({{ site.baseurl }}{% link modules/11-aca-challenge/06-state-store/index.md %}){: .btn .mt-7 }
</span>
<span class="fs-3">
[Setup Azure Key Vault >]({{ site.baseurl }}{% link modules/11-aca-challenge/07-secret-store/1-setup-azure-key-vault.md %}){: .btn .float-right .mt-7 }
</span>
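Review bot: "This the fourth and last step" is missing "is". Item 3 of the parts list repeats the claim from the bonus index page that the Cosmos DB master key is referenced in the Cosmos DB component; on this ACA track Cosmos DB is only the optional Challenge at the end of part 3, so present it as such here rather than as something part 3 does.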

@ -17,7 +17,7 @@ In this challenge, you will cover most of the topics covered in the workshop and
The following diagram shows the architecture, that is the final state of this challenge:
![Architecture](../../assets/images/fine-collection-service-secret-store.png)
![Final architecture of the challenge](../../assets/images/fine-collection-service-secret-store.png)
<span class="fs-3">
[Let's start!]({{ site.baseurl }}{% link modules/11-aca-challenge/00-intro/1-dapr-overview.md %}){: .btn .mt-7 }