Add the secret store in the transversal challenge for Azure Container Apps
This commit is contained in:
Parent
3652379747
Commit
64fadbc707
|
@ -0,0 +1,17 @@
|
|||
componentType: secretstores.azure.keyvault
|
||||
version: v1
|
||||
metadata:
|
||||
- name: vaultName
|
||||
value: "[your_keyvault_name]"
|
||||
- name: azureTenantId
|
||||
value: "[your_tenant_id]"
|
||||
- name: azureClientId
|
||||
value: "[your_client_id]"
|
||||
- name: azureClientSecret
|
||||
secretRef: azure-client-secret
|
||||
secrets:
|
||||
- name: azure-client-secret
|
||||
value: "[your_client_secret]"
|
||||
scopes:
|
||||
- traffic-control-service
|
||||
- fine-collection-service
|
|
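Review bot: the `secrets:` block at the bottom of this new component file carries the Azure AD client secret in clear text (`value: "[your_client_secret]"`), and the deploy instructions elsewhere in this change copy the file into `dapr/components/` before filling it in, so a completed copy is one `git add` away from being committed. Suggest a short warning in the file header or the docs that the filled-in copy must not be committed (a `.gitignore` entry for the copied `dapr/components/aca-*.yaml` files would make that mechanical), plus a pointer to the managed-identity recommendation this change already makes for production. The rest of the file is consistent with how the other ACA component in this change (`aca-azure-servicebus-pubsub.yaml`) is written: `azureClientSecret` is wired through `secretRef: azure-client-secret` to the `secrets:` entry, and `scopes:` limits the component to the two services that need it.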
@ -7,7 +7,7 @@ spec:
|
|||
version: v1
|
||||
metadata:
|
||||
- name: vaultName
|
||||
value: "kv-dapr-java-workshop"
|
||||
value: "[your_keyvault_name]"
|
||||
- name: azureTenantId
|
||||
value: "[your_tenant_id]"
|
||||
- name: azureClientId
|
||||
|
|
|
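Review bot: replacing the hard-coded `kv-dapr-java-workshop` with `[your_keyvault_name]` is the right fix, since the vault name is generated per reader (`kv-daprworkshopjava$UNIQUE_IDENTIFIER`) and the old value would have silently pointed at someone else's vault. Two follow-ups: the placeholder style here is square brackets, while the markdown in this change uses angle brackets (`<your-email-address>`, `<secret-name>`), so picking one convention avoids readers wondering whether the brackets are part of the value. And the hunk is cut off right after `azureClientId`; please check that the `azureClientSecret` entry further down the file received the same placeholder treatment.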
@ -0,0 +1,152 @@
|
|||
<!-- Require 'stepNumber' as input: the number of the first step of this include.
|
||||
Return the number of the last step in this include -->
|
||||
## Step {{stepNumber}}: Create an Azure AD application
|
||||
|
||||
1. Open a terminal window.
|
||||
|
||||
1. Create an Azure AD application:
|
||||
|
||||
```bash
|
||||
az ad app create --display-name dapr-java-workshop-fine-collection-service
|
||||
```
|
||||
|
||||
1. Set the application ID in `APP_ID`:
|
||||
|
||||
- Linux/Unix shell:
|
||||
|
||||
```bash
|
||||
APP_ID=$(az ad app list --display-name dapr-java-workshop-fine-collection-service --query [].appId -o tsv)
|
||||
```
|
||||
|
||||
- Powershell:
|
||||
|
||||
```powershell
|
||||
$APP_ID = az ad app list --display-name dapr-java-workshop-fine-collection-service --query [].appId -o tsv
|
||||
```
|
||||
|
||||
1. Create the client secret using the following command:
|
||||
|
||||
```bash
|
||||
az ad app credential reset --id $APP_ID --years 2
|
||||
```
|
||||
|
||||
Take note of the values above, which will be used in the Dapr component's metadta to allow Dapr to authenticate with Azure:
|
||||
|
||||
- `appId` is the value for `azureClientId`
|
||||
- `password` is the value for `azureClientSecret`
|
||||
- `tenant` is the value for `azureTenantId`
|
||||
|
||||
{% assign stepNumber = stepNumber | plus: 1 %}
|
||||
## Step {{stepNumber}}: Create a Service Principal
|
||||
|
||||
1. Create a Service Principal using the following command and replace `<appId>` with the application ID you noted down in the previous step:
|
||||
|
||||
```bash
|
||||
az ad sp create --id $APP_ID
|
||||
```
|
||||
|
||||
1. Set the Service Principal ID in `SERVICE_PRINCIPAL_ID`. You will need it to assign the role to access the Key Vault.
|
||||
|
||||
- Linux/Unix shell:
|
||||
|
||||
```bash
|
||||
SERVICE_PRINCIPAL_ID=$(az ad sp list --display-name dapr-java-workshop-fine-collection-service --query [].id -o tsv)
|
||||
```
|
||||
|
||||
- Powershell:
|
||||
|
||||
```powershell
|
||||
$SERVICE_PRINCIPAL_ID = az ad sp list --display-name dapr-java-workshop-fine-collection-service --query [].id -o tsv
|
||||
```
|
||||
|
||||
{% assign stepNumber = stepNumber | plus: 1 %}
|
||||
## Step {{stepNumber}}: Create an Azure Key Vault
|
||||
|
||||
1. Open a terminal window.
|
||||
|
||||
1. [Azure Key Vault](https://learn.microsoft.com/en-us/azure/key-vault/general/) is a manage service to securely store and access secrets. This key vault needs to be globally unique. Use the following command to generate a unique name:
|
||||
|
||||
- Linux/Unix shell:
|
||||
|
||||
```bash
|
||||
UNIQUE_IDENTIFIER=$(LC_ALL=C tr -dc a-z0-9 </dev/urandom | head -c 5)
|
||||
KEY_VAULT="kv-daprworkshopjava$UNIQUE_IDENTIFIER"
|
||||
echo $KEY_VAULT
|
||||
```
|
||||
|
||||
- PowerShell:
|
||||
|
||||
```powershell
|
||||
$ACCEPTED_CHAR = [Char[]]'abcdefghijklmnopqrstuvwxyz0123456789'
|
||||
$UNIQUE_IDENTIFIER = (Get-Random -Count 5 -InputObject $ACCEPTED_CHAR) -join ''
|
||||
$KEY_VAULT = "kv-daprworkshopjava$UNIQUE_IDENTIFIER"
|
||||
$KEY_VAULT
|
||||
```
|
||||
|
||||
Note the name of the Key Vault. You will need it when creating the Dapr component.
|
||||
|
||||
1. Create an Azure Key Vault:
|
||||
|
||||
```bash
|
||||
az keyvault create --name $KEY_VAULT --resource-group rg-dapr-workshop-java --location eastus --enable-rbac-authorization true
|
||||
```
|
||||
|
||||
1. Set the id of the subscription in `SUBSCRIPTION_ID`. You will need it in the next step.
|
||||
|
||||
- Linux/Unix shell:
|
||||
|
||||
```bash
|
||||
SUBSCRIPTION_ID=$(az account show --query id -o tsv)
|
||||
```
|
||||
|
||||
- Powershell:
|
||||
|
||||
```powershell
|
||||
$SUBSCRIPTION_ID = az account show --query id -o tsv
|
||||
```
|
||||
|
||||
1. Assign a role using RBAC to the Azure AD application to access the Key Vault. The role "Key Vault Secrets User" is sufficient for this workshop.
|
||||
|
||||
```bash
|
||||
az role assignment create --role "Key Vault Secrets User" --assignee $SERVICE_PRINCIPAL_ID --scope "/subscriptions/$SUBSCRIPTION_ID/resourcegroups/rg-dapr-workshop-java/providers/Microsoft.KeyVault/vaults/$KEY_VAULT"
|
||||
```
|
||||
|
||||
{% assign stepNumber = stepNumber | plus: 1 %}
|
||||
## Step {{stepNumber}}: Create a secret in the Azure Key Vault
|
||||
|
||||
The service principal created in the previous steps has the role `Key Vault Secrets User` assigned. It means this service principal can only read secrets. When assignining a role, it is recommended to use the [least privilege principle](https://learn.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices#use-role-based-access-control) during all stages of development and deployment. This means that in this workshop, you could have assigned the `Key Vault Secret User` to a specific role instead to the key vault itself. However, for simplicity, you assigned the role to the key vault.
|
||||
|
||||
To create a secret in the Azure Key Vault, you can use the Azure Portal or the Azure CLI. In this workshop, you will use the Azure CLI. First you need to assign you the role of `Key Vault Secrets Officer` to be able to create secrets in the Key Vault. To know more about the different roles, see [Azure built-in roles for Key Vault data plane operations](https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli#azure-built-in-roles-for-key-vault-data-plane-operations).
|
||||
|
||||
To assign to you the role of `Key Vault Secrets Officer`, follow these steps:
|
||||
|
||||
1. Open a terminal window.
|
||||
|
||||
1. Set your user id in `USER_ID`. You will need it in the next step.
|
||||
|
||||
- Linux/Unix shell:
|
||||
|
||||
```bash
|
||||
USER_ID=$(az ad user show --id <your-email-address> --query id -o tsv)
|
||||
```
|
||||
|
||||
- Powershell:
|
||||
|
||||
```powershell
|
||||
$USER_ID = az ad user show --id <your-email-address> --query id -o tsv
|
||||
```
|
||||
|
||||
Replace `<your-email-address>` with your email address.
|
||||
|
||||
1. Assign you `Key Vault Secrets Officer` role:
|
||||
|
||||
```bash
|
||||
az role assignment create --role "Key Vault Secrets Officer" --assignee $USER_ID --scope "/subscriptions/$SUBSCRIPTION_ID/resourcegroups/rg-dapr-workshop-java/providers/Microsoft.KeyVault/vaults/$KEY_VAULT"
|
||||
```
|
||||
|
||||
|
||||
1. To create a secret in the Azure Key Vault, use the following command and replace `<secret-name>` and `<secret-value>` with the name and value of the secret you want to create:
|
||||
|
||||
```bash
|
||||
az keyvault secret set --vault-name $KEY_VAULT --name <secret-name> --value <secret-value>
|
||||
```
|
|
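Review bot: in the "Create a Service Principal" step, the instruction still says to replace `<appId>` with the application ID you noted down, but the command now uses `$APP_ID`, which the previous step already set; drop the replace clause so readers do not hunt for a placeholder that is no longer there. The `az ad app list ... --query [].appId` and `az ad sp list ... --query [].id` lookups return every object whose display name matches, so a reader who ran `az ad app create` twice ends up with two lines in `APP_ID` and a failing `az ad app credential reset`; `[0].appId` / `[0].id`, or a note to check for duplicates, would be safer. `az ad app credential reset ... --years 2` prints the new `password` to the terminal; the text should say to treat that output as the secret it is (it stays in scrollback and in any terminal logging) and that two years is a workshop convenience, not a recommendation. In the step 4 prose, "assignining" is a typo, `Key Vault Secret User` should read `Key Vault Secrets User` to match the role name used in the command, and "assigned the `Key Vault Secret User` to a specific role instead to the key vault itself" presumably means "to a specific secret instead of the whole key vault", which is what makes the least-privilege point. Smaller typos: "metadta" (Azure AD app step), "manage service" should be "managed service" (Key Vault step).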
@ -0,0 +1,81 @@
|
|||
## Step 1: Create a secret in the Azure Key Vault for the license key
|
||||
|
||||
1. Open a terminal window.
|
||||
|
||||
1. Create a secret in the Azure Key Vault for the license key:
|
||||
|
||||
```bash
|
||||
az keyvault secret set --vault-name $KEY_VAULT --name license-key --value HX783-5PN1G-CRJ4A-K2L7V
|
||||
```
|
||||
|
||||
## Step 2: Use the secret in the application `FineCollectionService`
|
||||
|
||||
1. Open the file `FineCollectionService/src/main/java/dapr/fines/fines/DaprCalulator.java` in your code editor, and inspect it.
|
||||
|
||||
It implements the `FineCalculator` interface, which is used by the `FineCollectionService` to calculate the fine for a car. The `FineCalculator` interface has a method `calculateFine` that takes the `excessSpeed` as input and returns the amount of the fine as output. If the excess speed is too high, it return `-1`.
|
||||
|
||||
The object `FineFines` that computes the fine requires a license Key. The license key is used to validate the license of the fine calculator. This `DaprFineCalculator` is getting the license key from the secret store when the `FineCalculator` bean is created in the class `FineCollectionConfiguration`. The license key is stored in the secret store with the name `license-key`.
|
||||
|
||||
```java
|
||||
public class DaprFineCalculator implements FineCalculator {
|
||||
private final String fineCalculatorLicenseKey;
|
||||
private final FineFines fineFines;
|
||||
|
||||
public DaprFineCalculator(final DaprClient daprClient) {
|
||||
if (daprClient == null) {
|
||||
throw new IllegalArgumentException("daprClient");
|
||||
}
|
||||
final Map<String, String> licenseKeySecret = daprClient.getSecret("secretstore", "license-key").block();
|
||||
if (licenseKeySecret == null || licenseKeySecret.isEmpty()) {
|
||||
throw new RuntimeException("'license-key' is not part of the secret store.");
|
||||
}
|
||||
this.fineCalculatorLicenseKey = licenseKeySecret.get("license-key");
|
||||
this.fineFines = new FineFines();
|
||||
}
|
||||
|
||||
@Override
|
||||
public int calculateFine(final int excessSpeed) {
|
||||
return fineFines.calculateFine(this.fineCalculatorLicenseKey, excessSpeed);
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
1. Open the file `FineCollectionService/src/main/java/dapr/fines/FineCollectionConfiguration.java` in your code editor.
|
||||
|
||||
1. **Comment out** the following lines as the license key is now retrieved from the secret store instead of the environment variable:
|
||||
```java
|
||||
@Value("${finefines.license-key}")
|
||||
private String fineCalculatorLicenseKey;
|
||||
```
|
||||
|
||||
1. **Comment out** the following @Bean method that creates the bean `FineCalculator`:
|
||||
```java
|
||||
@Bean
|
||||
public FineCalculator fineCalculator() {
|
||||
return new DefaultFineCalculator(fineCalculatorLicenseKey);
|
||||
}
|
||||
```
|
||||
|
||||
1. **Uncomment** the following @Bean method that creates the bean `FineCalculator`:
|
||||
```java
|
||||
// @Bean
|
||||
// public FineCalculator fineCalculator(final DaprClient daprClient) {
|
||||
// return new DaprFineCalculator(daprClient);
|
||||
// }
|
||||
```
|
||||
|
||||
This method requires the `DaprClient` as input.
|
||||
|
||||
1. **Uncomment** the following @Bean method that creates the bean `DaprClient`:
|
||||
```java
|
||||
// @Bean
|
||||
// public DaprClient daprClient() {
|
||||
// return new DaprClientBuilder().build();
|
||||
// }
|
||||
```
|
||||
|
||||
1. Check all your code-changes are correct by building the code. Execute the following command in the terminal window:
|
||||
|
||||
```bash
|
||||
mvn package
|
||||
```
|
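Review bot: the file path in step 2, `dapr/fines/fines/DaprCalulator.java`, does not match the class shown right below it (`DaprFineCalculator`), so readers following the instruction will not find the file; presumably it should be `DaprFineCalculator.java`. The secret value in step 1, `HX783-5PN1G-CRJ4A-K2L7V`, is a dummy license key for the workshop; saying so in a short remark keeps secret scanners and readers from treating it as a real credential. In the listing, `getSecret("secretstore", "license-key")` hard-codes the secret store component name; that is fine for the workshop but deserves a comment, because `secretstore` is also the `--dapr-component-name` used in the deployment step and the two must stay in sync. Grammar: "it return `-1`" should be "it returns `-1`", "requires a license Key" should be "license key", and "code-changes" should be "code changes".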
|
@ -0,0 +1,12 @@
|
|||
## Step 1: Create a secret in the Azure Key Vault for the connetion string
|
||||
|
||||
Azure Service Bus' connection string will be store as a string/literal secret:
|
||||
|
||||
1. Open a terminal window.
|
||||
|
||||
1. Create a secret in the Azure Key Vault for Azure Service Bus' connection string:
|
||||
|
||||
```bash
|
||||
az keyvault secret set --vault-name $KEY_VAULT --name azSericeBusconnectionString --value "<connection-string>"
|
||||
```
|
||||
Replace `<connection-string>` with the connection string of the Azure Service Bus created in assignement 3.
|
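Review bot: the secret name `azSericeBusconnectionString` is misspelled (Serice for Service); it is referenced with the same spelling in the pubsub component update elsewhere in this change, so if it is renamed, both the `az keyvault secret set --name` here and the `secretRef` in `aca-azure-servicebus-pubsub.yaml` must change together. Passing the Service Bus connection string inline as `--value "<connection-string>"` puts the shared access key into shell history; a note suggesting `--file` or a variable that is not echoed would fit the secret-handling theme of this assignment. Typos: "connetion" (heading), "will be store" should be "will be stored", and "assignement 3".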
|
@ -0,0 +1,37 @@
|
|||
## Step {{stepNumber}}: Deploy Azure Key Vault secret store component
|
||||
|
||||
1. **Copy or Move** this file `dapr/aca-azure-keyvault-secretstore.yam` to `dapr/components/` folder.
|
||||
|
||||
1. Open the copied file `dapr/components/aca-azure-keyvault-secretstore.yaml` in your code editor.
|
||||
|
||||
1. Set the following values in the metadata section of the component:
|
||||
|
||||
- `vaultName`: The name of the Azure Key Vault you created in step 3.
|
||||
- `azureTenantId`: The value for `tenant` you noted down in step 1.
|
||||
- `azureClientId`: The value for `appId` you noted down in step 1.
|
||||
|
||||
1. Set the following values in the secrets section of the component:
|
||||
|
||||
- `azure-client-secret`: The value for `password` you noted down in step 1.
|
||||
|
||||
1. Go to the root folder of the repository.
|
||||
|
||||
1. Enter the following command to deploy the `secretstore` Dapr component:
|
||||
|
||||
```bash
|
||||
az containerapp env dapr-component set \
|
||||
--name cae-dapr-workshop-java \
|
||||
--resource-group rg-dapr-workshop-java \
|
||||
--dapr-component-name secretstore \
|
||||
--yaml ./dapr/components/aca-azure-keyvault-secretstore.yaml
|
||||
```
|
||||
|
||||
{: .important-title }
|
||||
> Managed Identity
|
||||
>
|
||||
> By setting a secret in a Dapr component for Azure Container Apps environmnet, the secret is stored [using platform-managed Kubernetes secrets](https://learn.microsoft.com/en-us/azure/container-apps/dapr-overview?tabs=bicep1%2Cyaml#using-platform-managed-kubernetes-secrets). This is useful when connecting non-Azure services or in DEV/TEST scenarios for quickly deployment Dapr components.
|
||||
>
|
||||
> In production scenarios, it is recommended to use [Azure Key Vault secret store](https://docs.dapr.io/reference/components-reference/supported-secret-stores/azure-keyvault/) with a [managed identity](https://docs.dapr.io/developing-applications/integrations/azure/azure-authentication/authenticating-azure/#about-authentication-with-azure-ad) instead and to not store secrets as Kubernetes secrets.
|
||||
>
|
||||
> TODO Add managed identity bonus assignment
|
||||
>
|
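Review bot: step 1 tells the reader to copy `dapr/aca-azure-keyvault-secretstore.yam` (missing the `l`), while step 2 opens `dapr/components/aca-azure-keyvault-secretstore.yaml`; the copy will fail with the first spelling. The steps also refer to "step 3" and "step 1" by fixed numbers, but the heading is numbered via `{{stepNumber}}`, so the cross-references silently go wrong if this include is used at a different position; "the Key Vault you created earlier" or a second Liquid variable would be robust. The `TODO Add managed identity bonus assignment` line sits inside the rendered important note and will be visible to readers; move it to an HTML comment or drop it before merging. Typos in the note: "environmnet", and "for quickly deployment Dapr components" should be "for quick deployment of Dapr components".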
|
@ -0,0 +1,28 @@
|
|||
In this step, you will rebuild and redeploy the `FineCollectionService` to use the secret store (i.e. Azure Key Vault) to get the license key of the fine calculator.
|
||||
|
||||
1. Delete the image from local docker:
|
||||
|
||||
```bash
|
||||
docker rmi fine-collection-service:1.0-SNAPSHOT
|
||||
```
|
||||
|
||||
1. In the root folder of `FineCollectionService`, run the following command to build and push the image:
|
||||
|
||||
```bash
|
||||
mvn spring-boot:build-image
|
||||
docker tag fine-collection-service:1.0-SNAPSHOT "$CONTAINER_REGISTRY.azurecr.io/fine-collection-service:3.0"
|
||||
docker push "$CONTAINER_REGISTRY.azurecr.io/fine-collection-service:3.0"
|
||||
```
|
||||
|
||||
Where `$CONTAINER_REGISTRY` is the name of your Azure Container Registry.
|
||||
|
||||
1. Update `FineCollectionService` container app with the new image:
|
||||
|
||||
```bash
|
||||
az containerapp update \
|
||||
--name ca-fine-collection-service \
|
||||
--resource-group rg-dapr-workshop-java \
|
||||
--image "$CONTAINER_REGISTRY.azurecr.io/fine-collection-service:3.0"
|
||||
```
|
||||
|
||||
Where `$CONTAINER_REGISTRY` is the name of your Azure Container Registry.
|
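Review bot: `docker rmi fine-collection-service:1.0-SNAPSHOT` in step 1 exits non-zero when the image is not present locally (a reader starting this bonus assignment in a fresh environment), which is confusing for a step whose only purpose is to force a rebuild; mark it optional or say the error can be ignored. The image is pushed as tag `3.0` and the container app is updated to the same tag, which is consistent; a one-line reminder that the registry login from the earlier assignment must still be valid would save a failed `docker push`. The sentence "Where `$CONTAINER_REGISTRY` is the name of your Azure Container Registry." appears twice; once, after the first command, is enough.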
|
@ -0,0 +1,50 @@
|
|||
1. Open the file `dapr/components/aca-azure-servicebus-pubsub.yaml` (created in assignment 3) in your code editor, and inspect it.
|
||||
|
||||
1. Add the following line after`version: v1`:
|
||||
|
||||
```yaml
|
||||
secretStoreComponent: "secretstore"
|
||||
```
|
||||
|
||||
This tells Dapr to use the secret store component `secretstore` to retrieve the secret.
|
||||
|
||||
1. **Replace** value:
|
||||
|
||||
```yaml
|
||||
value: "Endpoint=sb://{ServiceBusNamespace}.servicebus.windows.net/;SharedAccessKeyName={PolicyName};SharedAccessKey={Key};EntityPath={ServiceBus}"
|
||||
```
|
||||
with:
|
||||
|
||||
```yaml
|
||||
secretRef: azSericeBusconnectionString
|
||||
```
|
||||
|
||||
This tells Dapr to use the secret `azSericeBusconnectionString` from the secret store.
|
||||
|
||||
It should look like:
|
||||
|
||||
```yaml
|
||||
componentType: pubsub.azure.servicebus
|
||||
version: v1
|
||||
secretStoreComponent: "secretstore"
|
||||
metadata:
|
||||
- name: connectionString
|
||||
secretRef: azSericeBusconnectionString
|
||||
scopes:
|
||||
- traffic-control-service
|
||||
- fine-collection-service
|
||||
```
|
||||
|
||||
1. **Update** Darp component using the following command in the root of the project:
|
||||
|
||||
```bash
|
||||
az containerapp env dapr-component set \
|
||||
--name cae-dapr-workshop-java \
|
||||
--resource-group rg-dapr-workshop-java \
|
||||
--dapr-component-name pubsub \
|
||||
--yaml ./dapr/components/aca-azure-servicebus-pubsub.yaml
|
||||
```
|
||||
|
||||
{: .note }
|
||||
> To know more about how to use a secret in a Dapr component with Azure Container Apps, please refer to [this documentation](https://learn.microsoft.com/en-us/azure/container-apps/dapr-overview?tabs=bicep1%2Cyaml#referencing-dapr-secret-store-components).
|
||||
>
|
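Review bot: the resulting component removes the connection string from the YAML and replaces it with `secretRef: azSericeBusconnectionString` resolved through `secretStoreComponent: "secretstore"`, which is the right direction; it is worth spelling out in the text that trust now rests on the `secretstore` component, whose own Azure AD client secret is still stored as a platform-managed secret (as the important note in the deploy step says), so the gain is in where the Service Bus key lives, not in eliminating stored secrets. The secret name also carries the "Serice" misspelling from the step that created it. Formatting: "after`version: v1`" is missing a space before the backtick, and "Darp component" should be "Dapr component".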
|
@ -0,0 +1,49 @@
|
|||
1. Run the following command to identify the running revision of fine collection service container apps:
|
||||
|
||||
- Linux/Unix shell:
|
||||
|
||||
```bash
|
||||
FINE_COLLECTION_SERVICE_REVISION=$(az containerapp revision list -n ca-fine-collection-service -g rg-dapr-workshop-java --query "[0].name" -o tsv)
|
||||
echo $FINE_COLLECTION_SERVICE_REVISION
|
||||
```
|
||||
|
||||
- Powershell:
|
||||
|
||||
```powershell
|
||||
$FINE_COLLECTION_SERVICE_REVISION = az containerapp revision list -n ca-fine-collection-service -g rg-dapr-workshop-java --query "[0].name" -o tsv
|
||||
$FINE_COLLECTION_SERVICE_REVISION
|
||||
```
|
||||
|
||||
1. Restart fine collection service revision:
|
||||
|
||||
```bash
|
||||
az containerapp revision restart \
|
||||
--name ca-fine-collection-service \
|
||||
--resource-group rg-dapr-workshop-java \
|
||||
--revision $FINE_COLLECTION_SERVICE_REVISION
|
||||
```
|
||||
|
||||
1. Run the following command to identify the running revision of traffic control service container apps:
|
||||
|
||||
- Linux/Unix shell:
|
||||
|
||||
```bash
|
||||
TRAFFIC_CONTROL_SERVICE_REVISION=$(az containerapp revision list -n ca-traffic-control-service -g rg-dapr-workshop-java --query "[0].name" -o tsv)
|
||||
echo $TRAFFIC_CONTROL_SERVICE_REVISION
|
||||
```
|
||||
|
||||
- Powershell:
|
||||
|
||||
```powershell
|
||||
$TRAFFIC_CONTROL_SERVICE_REVISION = az containerapp revision list -n ca-traffic-control-service -g rg-dapr-workshop-java --query "[0].name" -o tsv
|
||||
$TRAFFIC_CONTROL_SERVICE_REVISION
|
||||
```
|
||||
|
||||
1. Restart traffic control service revision:
|
||||
|
||||
```bash
|
||||
az containerapp revision restart \
|
||||
--name ca-traffic-control-service \
|
||||
--resource-group rg-dapr-workshop-java \
|
||||
--revision $TRAFFIC_CONTROL_SERVICE_REVISION
|
||||
```
|
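Review bot: `az containerapp revision list ... --query "[0].name"` takes the first revision returned, which is only safely the running one while the app is in single-revision mode; in multiple-revisions mode the restart can target the wrong revision. Filtering on the active flag (for example `"[?properties.active].name"`, assuming the revision objects expose `active` under `properties` as the CLI JSON does) is more robust, and the two near-identical blocks for the fine collection and traffic control services could share it. It would also help readers to say why the restart is needed, presumably so the Dapr sidecars load the updated component with its `secretStoreComponent` reference; the fine collection service already received a new revision from the image update in the previous step, so restarting it is belt-and-braces, while the traffic control service has not been redeployed and does need it.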
|
@ -21,7 +21,7 @@ has_toc: true
|
|||
{:toc}
|
||||
</details>
|
||||
|
||||
This bonus assignment is about using Azure Cosmos DB as a [state store](https://docs.dapr.io/operations/components/setup-state-store/) for the `TrafficControlService` instead of keeping the sate in memory. You will use the [Azure Cosmos DB state store component](https://docs.dapr.io/reference/components-reference/supported-state-stores/setup-azure-cosmosdb/) provided by Dapr.
|
||||
This bonus assignment is about using [Azure Cosmos DB](https://learn.microsoft.com/en-us/azure/cosmos-db/) as a [state store](https://docs.dapr.io/operations/components/setup-state-store/) for the `TrafficControlService` instead of keeping the sate in memory. You will use the [Azure Cosmos DB state store component](https://docs.dapr.io/reference/components-reference/supported-state-stores/setup-azure-cosmosdb/) provided by Dapr.
|
||||
|
||||
## Step 1: Create an Azure Cosmos DB
|
||||
|
||||
|
|
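Review bot: "keeping the sate in memory" is a typo for "state" that the old line had and the new line keeps; since this hunk already touches that sentence to add the Cosmos DB link, fix it in the same change.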
|
@ -21,7 +21,7 @@ has_toc: true
|
|||
{:toc}
|
||||
</details>
|
||||
|
||||
In this assignment, you will deploy the Azure Cosmos DB state store to Azure Kubernetes Service (AKS). You will use the [Azure Cosmos DB state store component](https://docs.dapr.io/reference/components-reference/supported-state-stores/setup-azure-cosmosdb/) provided by Dapr.
|
||||
In this bonus assignment, you will deploy the Azure Cosmos DB state store to Azure Kubernetes Service (AKS). You will use the [Azure Cosmos DB state store component](https://docs.dapr.io/reference/components-reference/supported-state-stores/setup-azure-cosmosdb/) provided by Dapr.
|
||||
|
||||
{: .important-title }
|
||||
> Pre-requisite
|
||||
|
|
|
@ -21,7 +21,7 @@ has_toc: true
|
|||
{:toc}
|
||||
</details>
|
||||
|
||||
In this assignment, you will deploy the Azure Cosmos DB state store to Azure Container Apps (ACA). You will use the [state management building block](https://docs.dapr.io/developing-applications/building-blocks/state-management/state-management-overview/) provided by Dapr.
|
||||
In this bonus assignment, you will deploy the Azure Cosmos DB state store to Azure Container Apps (ACA). You will use the [state management building block](https://docs.dapr.io/developing-applications/building-blocks/state-management/state-management-overview/) provided by Dapr.
|
||||
|
||||
{: .important-title }
|
||||
> Pre-requisite
|
||||
|
|
|
@ -8,7 +8,7 @@ layout: default
|
|||
|
||||
# Using Azure Cosmos DB as a state store
|
||||
|
||||
This bonus assignment is about using Azure Cosmos DB as a [state store](https://docs.dapr.io/operations/components/setup-state-store/) for the `TrafficControlService`. You will use the [Azure Cosmos DB state store component](https://docs.dapr.io/reference/components-reference/supported-state-stores/setup-azure-cosmosdb/) provided by Dapr.
|
||||
This bonus assignment is about using [Azure Cosmos DB](https://learn.microsoft.com/en-us/azure/cosmos-db/) as a [state store](https://docs.dapr.io/operations/components/setup-state-store/) for the `TrafficControlService`. You will use the [Azure Cosmos DB state store component](https://docs.dapr.io/reference/components-reference/supported-state-stores/setup-azure-cosmosdb/) provided by Dapr.
|
||||
|
||||
{: .important-title }
|
||||
> Pre-requisite
|
||||
|
|
|
@ -1,153 +0,0 @@
|
|||
---
|
||||
title: Setup Azure Keyvault as a secret store
|
||||
parent: Use Azure Keyvault as a secret store
|
||||
grand_parent: Bonus Assignments
|
||||
has_children: false
|
||||
nav_order: 1
|
||||
layout: default
|
||||
has_toc: true
|
||||
---
|
||||
|
||||
# Setup Azure Key Vault as a secret store
|
||||
|
||||
{: .no_toc }
|
||||
|
||||
<details open markdown="block">
|
||||
<summary>
|
||||
Table of contents
|
||||
</summary>
|
||||
{: .text-delta }
|
||||
- TOC
|
||||
{:toc}
|
||||
</details>
|
||||
|
||||
This bonus assignment is about using Azure Key Vault as a [secret store](https://docs.dapr.io/operations/components/setup-secret-store/). You will create the [Azure Key Vault secret store component](https://docs.dapr.io/reference/components-reference/supported-secret-stores/azure-keyvault/) provided by Dapr.
|
||||
|
||||
## Step 1: Create an Azure AD application
|
||||
|
||||
1. Open a terminal window.
|
||||
|
||||
1. Create an Azure AD application
|
||||
```bash
|
||||
az ad app create --display-name dapr-java-workshop-fine-collection-service
|
||||
```
|
||||
|
||||
1. Get the application ID and note it down. You will need it in the next step.
|
||||
```bash
|
||||
az ad app list --display-name dapr-java-workshop-fine-collection-service --query [].appId -o tsv
|
||||
```
|
||||
|
||||
1. Create the client secret using the following command and replace `<appId>` with the application ID you noted down in the previous step:
|
||||
```bash
|
||||
az ad app credential reset --id <appId> --years 2
|
||||
```
|
||||
Take note of the values above, which will be used in the Dapr component's metadta to allow Dapr to authenticate with Azure:
|
||||
- `appId` is the value for `azureClientId`
|
||||
- `password` is the value for `azureClientSecret`
|
||||
- `tenant` is the value for `azureTenantId`
|
||||
|
||||
## Step 2: Create a Service Principal
|
||||
|
||||
1. Create a Service Principal using the following command and replace `<appId>` with the application ID you noted down in the previous step:
|
||||
```bash
|
||||
az ad sp create --id <appId>
|
||||
```
|
||||
|
||||
1. Get the Service Principal ID and note it down. You will need it to assign the role to access the Key Vault.
|
||||
```bash
|
||||
az ad sp list --display-name dapr-java-workshop-fine-collection-service --query [].id -o tsv
|
||||
```
|
||||
|
||||
## Step 3: Create an Azure Key Vault
|
||||
|
||||
1. Open a terminal window.
|
||||
|
||||
1. [Azure Key Vault](https://learn.microsoft.com/en-us/azure/key-vault/general/) is a manage service to securely store and access secrets. This key vault needs to be globally unique. Use the following command to generate a unique name:
|
||||
|
||||
- Linux/Unix shell:
|
||||
|
||||
```bash
|
||||
UNIQUE_IDENTIFIER=$(LC_ALL=C tr -dc a-z0-9 </dev/urandom | head -c 5)
|
||||
KEY_VAULT="kv-daprworkshopjava$UNIQUE_IDENTIFIER"
|
||||
echo $KEY_VAULT
|
||||
```
|
||||
|
||||
- PowerShell:
|
||||
|
||||
```powershell
|
||||
$ACCEPTED_CHAR = [Char[]]'abcdefghijklmnopqrstuvwxyz0123456789'
|
||||
$UNIQUE_IDENTIFIER = (Get-Random -Count 5 -InputObject $ACCEPTED_CHAR) -join ''
|
||||
$KEY_VAULT = "kv-daprworkshopjava$UNIQUE_IDENTIFIER"
|
||||
$KEY_VAULT
|
||||
```
|
||||
|
||||
1. Create an Azure Key Vault
|
||||
```bash
|
||||
az keyvault create --name $KEY_VAULT --resource-group rg-dapr-workshop-java --location eastus --enable-rbac-authorization true
|
||||
```
|
||||
|
||||
1. Get the id of the subscription and note it down. You will need it in the next step.
|
||||
```bash
|
||||
az account show --query id -o tsv
|
||||
```
|
||||
|
||||
1. Assign a role using RBAC to the Azure AD application to access the Key Vault. The role "Key Vault Secrets User" is sufficient for this workshop. Replace `<servicePrincipalId>` with the Service Principal ID you noted down and `<subscriptionId>` with the value you noted in the previous step:
|
||||
```bash
|
||||
az role assignment create --role "Key Vault Secrets User" --assignee <servicePrincipalId> --scope "/subscriptions/<subscriptionid>/resourcegroups/dapr-workshop-java/providers/Microsoft.KeyVault/vaults/$KEY_VAULT"
|
||||
```
|
||||
|
||||
## Step 4: Create a secret in the Azure Key Vault
|
||||
|
||||
The service principal created in the previous steps has the role `Key Vault Secrets User` assigned. It means this service principal can only read secrets.
|
||||
|
||||
To create a secret in the Azure Key Vault, you can use the Azure Portal or the Azure CLI. In this workshop, you will use the Azure CLI. First you need to assign you the role of `Key Vault Secrets Officer` to be able to create secrets in the Key Vault. To know more about the different roles, see [Azure built-in roles for Key Vault data plane operations](https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide?tabs=azure-cli#azure-built-in-roles-for-key-vault-data-plane-operations).
|
||||
|
||||
To assign to you the role of `Key Vault Secrets Officer`, follow these steps:
|
||||
|
||||
1. Open a terminal window.
|
||||
|
||||
1. Get your user id and note it down. You will need it in the next step.
|
||||
```bash
|
||||
az ad user show --id <your-email-address> --query id -o tsv
|
||||
```
|
||||
Replace `<your-email-address>` with your email address.
|
||||
|
||||
1. Assign you `Key Vault Secrets Officer` role:
|
||||
```bash
|
||||
az role assignment create --role "Key Vault Secrets Officer" --assignee <userId> --scope "/subscriptions/<subscriptionid>/resourcegroups/dapr-workshop-java/providers/Microsoft.KeyVault/vaults/$KEY_VAULT"
|
||||
```
|
||||
Replace `<userId>` with the value you noted down in the previous step.
|
||||
|
||||
|
||||
To create a secret in the Azure Key Vault, use the following command and replace `<secret-name>` and `<secret-value>` with the name and value of the secret you want to create:
|
||||
```bash
|
||||
az keyvault secret set --vault-name $KEY_VAULT --name <secret-name> --value <secret-value>
|
||||
```
|
||||
|
||||
## Step 5: Set the Azure Key Vault secret store component
|
||||
|
||||
1. **Copy or Move** this file `dapr/azure-keyvault-secretstore.yam` to `dapr/components/` folder.
|
||||
|
||||
1. Open the copied file `dapr/components/azure-keyvault-secretstore.yaml` in your code editor.
|
||||
|
||||
1. Set the following values in the metadata section of the component:
|
||||
- `azureTenantId`: The value for `tenant` you noted down in step 1.
|
||||
- `azureClientId`: The value for `appId` you noted down in step 1.
|
||||
- `azureClientSecret`: The value for `password` you noted down in step 1.
|
||||
|
||||
{: .important }
|
||||
> Certificate can be used instead of client secret, see [Azure Key Vault secret store](https://docs.dapr.io/reference/components-reference/supported-secret-stores/azure-keyvault/).
|
||||
>
|
||||
> When deployed to Azure Kubernetes Service, the client secret is a kubernetes secret and not set in the component's YAML file. See the *Kubernetes* tab in *Configure the component* of [Azure Key Vault secret store](https://docs.dapr.io/reference/components-reference/supported-secret-stores/azure-keyvault/).
|
||||
>
|
||||
> When deployed to Azure Kubernetes Service or Azure Container Apps, managed identity can be used instead of client secret. See [Using Managed Service Identities](https://docs.dapr.io/developing-applications/integrations/azure/authenticating-azure/#using-managed-service-identities).
|
||||
>
|
||||
|
||||
<!-- ----------------------------- NAVIGATION ------------------------------ -->
|
||||
|
||||
<span class="fs-3">
|
||||
[Retreive a secret in the application]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/2-azure-key-vault-secret-store-code.md %}){: .btn .mt-7 }
|
||||
</span>
|
||||
<span class="fs-3">
|
||||
[Reference a secret in a component]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/3-azure-key-vault-secret-store-component.md %}){: .btn .ml-3 }
|
||||
</span>
|
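Review bot: this deletes the old setup page, whose front matter used `parent: Use Azure Keyvault as a secret store` and whose navigation buttons pointed at `2-azure-key-vault-secret-store-code.md` and `3-azure-key-vault-secret-store-component.md`; the replacement page in this change uses `parent: Using Azure Key Vault as a secret store` and links to `2-use-secret-store-in-code.md` and `3-use-secret-in-dapr-component.md`. Just the Docs resolves `parent:` by title, so please confirm the section index page was retitled to match, otherwise the pages drop out of the navigation tree; also check that nothing else on the site still uses `{% link %}` with the old file names, since Jekyll fails the build on a dangling `link` tag. On the content side, the old page's role-assignment scope used `resourcegroups/dapr-workshop-java`, which the new include corrects to `rg-dapr-workshop-java`, matching the `--resource-group` passed to `az keyvault create`.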
|
@ -0,0 +1,59 @@
|
|||
---
|
||||
title: Setup Azure Key Vault as a secret store
|
||||
parent: Using Azure Key Vault as a secret store
|
||||
grand_parent: Bonus Assignments
|
||||
has_children: false
|
||||
nav_order: 1
|
||||
layout: default
|
||||
has_toc: true
|
||||
---
|
||||
|
||||
# Setup Azure Key Vault as a secret store
|
||||
|
||||
{: .no_toc }
|
||||
|
||||
<details open markdown="block">
|
||||
<summary>
|
||||
Table of contents
|
||||
</summary>
|
||||
{: .text-delta }
|
||||
- TOC
|
||||
{:toc}
|
||||
</details>
|
||||
|
||||
This bonus assignment is about using Azure Key Vault as a [secret store](https://docs.dapr.io/operations/components/setup-secret-store/). You will create the [Azure Key Vault secret store component](https://docs.dapr.io/reference/components-reference/supported-secret-stores/azure-keyvault/) provided by Dapr.
|
||||
|
||||
<!-- ------------------------ SETUP AZURE KEYVAULT ------------------------- -->
|
||||
|
||||
{% assign stepNumber = 1 %}
|
||||
{% include 09-bonus-assignments/03-secret-store/1-setup-azure-key-vault.md %}
|
||||
|
||||
{% assign stepNumber = stepNumber | plus: 1 %}
|
||||
## Step {{stepNumber}}: Set the Azure Key Vault secret store component
|
||||
|
||||
1. **Copy or Move** this file `dapr/azure-keyvault-secretstore.yam` to `dapr/components/` folder.
|
||||
|
||||
1. Open the copied file `dapr/components/azure-keyvault-secretstore.yaml` in your code editor.
|
||||
|
||||
1. Set the following values in the metadata section of the component:
|
||||
- `vaultName`: The name of the Azure Key Vault you created in step 3.
|
||||
- `azureTenantId`: The value for `tenant` you noted down in step 1.
|
||||
- `azureClientId`: The value for `appId` you noted down in step 1.
|
||||
- `azureClientSecret`: The value for `password` you noted down in step 1.
|
||||
|
||||
{: .important }
|
||||
> Certificate can be used instead of client secret, see [Azure Key Vault secret store](https://docs.dapr.io/reference/components-reference/supported-secret-stores/azure-keyvault/).
|
||||
>
|
||||
> When deployed to Azure Kubernetes Service, the client secret is a kubernetes secret and not set in the component's YAML file. See the *Kubernetes* tab in *Configure the component* of [Azure Key Vault secret store](https://docs.dapr.io/reference/components-reference/supported-secret-stores/azure-keyvault/).
|
||||
>
|
||||
> When deployed to Azure Kubernetes Service and Azure Container Apps, managed identity can should used instead of client secret for production workloads. See [Using Managed Service Identities](https://docs.dapr.io/developing-applications/integrations/azure/azure-authentication/authenticating-azure/#about-authentication-with-azure-ad).
|
||||
>
|
||||
|
||||
<!-- ----------------------------- NAVIGATION ------------------------------ -->
|
||||
|
||||
<span class="fs-3">
|
||||
[Retreive a secret in the application]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/2-use-secret-store-in-code.md %}){: .btn .mt-7 }
|
||||
</span>
|
||||
<span class="fs-3">
|
||||
[Reference a secret in a component]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/3-use-secret-in-dapr-component.md %}){: .btn .ml-3 }
|
||||
</span>
|
|
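Review bot: The file name in "**Copy or Move** this file `dapr/azure-keyvault-secretstore.yam` to `dapr/components/` folder" is missing the `l` and disagrees with the next step's `dapr/components/azure-keyvault-secretstore.yaml`; readers copying the first path will get a "file not found". Two further points in the same hunk: the bullets under "Set the following values" refer to "step 3" and "step 1" literally while the page's own headings are generated from `{{stepNumber}}` and the shared include, so the numbers can drift if the include order changes (refer to the steps by name, e.g. "the Key Vault you created in the *Create an Azure Key Vault* step"); and the last admonition line should read "When deployed to Azure Kubernetes Service or Azure Container Apps, managed identity should be used instead of a client secret for production workloads" (currently "can should used"). Since the step tells readers to paste the app registration's `password` into `azureClientSecret`, the copied `dapr/components/azure-keyvault-secretstore.yaml` ends up holding a plaintext credential; a one-line reminder to keep that file out of version control (e.g. a `.gitignore` entry for `dapr/components/azure-keyvault-secretstore.yaml`) would fit right after the admonition. Finally, the button text "Retreive a secret in the application" is misspelled ("Retrieve"); the same typo recurs in the other navigation blocks added by this commit.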
@ -1,159 +0,0 @@
|
|||
---
|
||||
title: Retrieve a secret in the application
|
||||
parent: Use Azure Keyvault as a secret store
|
||||
grand_parent: Bonus Assignments
|
||||
has_children: false
|
||||
nav_order: 2
|
||||
layout: default
|
||||
has_toc: true
|
||||
---
|
||||
|
||||
# Retrieve a secret in the application
|
||||
|
||||
{: .no_toc }
|
||||
|
||||
<details open markdown="block">
|
||||
<summary>
|
||||
Table of contents
|
||||
</summary>
|
||||
{: .text-delta }
|
||||
- TOC
|
||||
{:toc}
|
||||
</details>
|
||||
|
||||
Previously, you have created an Azure Key Vault and added the Dapr component. Now, you will use the secret in the application. This bonus assignment is about using Azure Key Vault as a [secret store](https://docs.dapr.io/operations/components/setup-secret-store/) for the `FineCollectionService` to get the license key.
|
||||
|
||||
{: .important-title }
|
||||
> Pre-requisite
|
||||
>
|
||||
> If the setup of the Azure Key Vault is not done yet, please follow the instructions in [Part 1 - Setup Azure Key Vault as a secret store]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/1-azure-key-vault-secret-store-setup.md %}).
|
||||
>
|
||||
|
||||
## Step 1: Create a secret in the Azure Key Vault for the license key
|
||||
|
||||
1. Open a terminal window.
|
||||
|
||||
1. Create a secret in the Azure Key Vault for the license key:
|
||||
```bash
|
||||
az keyvault secret set --vault-name $KEY_VAULT --name license-key --value HX783-5PN1G-CRJ4A-K2L7V
|
||||
```
|
||||
|
||||
## Step 2: Use the secret in the application `FineCollectionService`
|
||||
|
||||
1. Open the file `FineCollectionService/src/main/java/dapr/fines/fines/DaprCalulator.java` in your code editor, and inspect it.
|
||||
|
||||
1. It implements the `FineCalculator` interface, which is used by the `FineCollectionService` to calculate the fine for a car. The `FineCalculator` interface has a method `calculateFine` that takes the `excessSpeed` as input and returns the amount of the fine as output. If the excess speed is too high, it return `-1`.
|
||||
|
||||
The object `FineFines` that computes the fine requires a license Key. The license key is used to validate the license of the fine calculator. This `DaprFineCalculator` is getting the license key from the secret store when the `FineCalculator` bean is created in the class `FineCollectionConfiguration`. The license key is stored in the secret store with the name `license-key`.
|
||||
|
||||
```java
|
||||
public class DaprFineCalculator implements FineCalculator {
|
||||
private final String fineCalculatorLicenseKey;
|
||||
private final FineFines fineFines;
|
||||
|
||||
public DaprFineCalculator(final DaprClient daprClient) {
|
||||
if (daprClient == null) {
|
||||
throw new IllegalArgumentException("daprClient");
|
||||
}
|
||||
final Map<String, String> licenseKeySecret = daprClient.getSecret("secretstore", "license-key").block();
|
||||
if (licenseKeySecret == null || licenseKeySecret.isEmpty()) {
|
||||
throw new RuntimeException("'license-key' is not part of the secret store.");
|
||||
}
|
||||
this.fineCalculatorLicenseKey = licenseKeySecret.get("license-key");
|
||||
this.fineFines = new FineFines();
|
||||
}
|
||||
|
||||
@Override
|
||||
public int calculateFine(final int excessSpeed) {
|
||||
return fineFines.calculateFine(this.fineCalculatorLicenseKey, excessSpeed);
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
1. Open the file `FineCollectionService/src/main/java/dapr/fines/FineCollectionConfiguration.java` in your code editor.
|
||||
|
||||
1. **Comment out** the following lines as the license key is now retrieved from the secret store instead of the environment variable:
|
||||
```java
|
||||
@Value("${finefines.license-key}")
|
||||
private String fineCalculatorLicenseKey;
|
||||
```
|
||||
|
||||
1. **Comment out** the following @Bean method that creates the bean `FineCalculator`:
|
||||
```java
|
||||
@Bean
|
||||
public FineCalculator fineCalculator() {
|
||||
return new DefaultFineCalculator(fineCalculatorLicenseKey);
|
||||
}
|
||||
```
|
||||
|
||||
1. **Uncomment** the following @Bean method that creates the bean `FineCalculator`:
|
||||
```java
|
||||
// @Bean
|
||||
// public FineCalculator fineCalculator(final DaprClient daprClient) {
|
||||
// return new DaprFineCalculator(daprClient);
|
||||
// }
|
||||
```
|
||||
|
||||
This method requires the `DaprClient` as input.
|
||||
|
||||
1. **Uncomment** the following @Bean method that creates the bean `DaprClient`:
|
||||
```java
|
||||
// @Bean
|
||||
// public DaprClient daprClient() {
|
||||
// return new DaprClientBuilder().build();
|
||||
// }
|
||||
```
|
||||
|
||||
## Step 3: Test the application
|
||||
|
||||
You're going to start all the services now.
|
||||
|
||||
1. Make sure no services from previous tests are running (close the command-shell windows).
|
||||
|
||||
1. Open the terminal window and make sure the current folder is `VehicleRegistrationService`.
|
||||
|
||||
1. Enter the following command to run the VehicleRegistrationService:
|
||||
|
||||
```bash
|
||||
mvn spring-boot:run
|
||||
```
|
||||
|
||||
1. Open a **new** terminal window and change the current folder to `FineCollectionService`.
|
||||
|
||||
1. Enter the following command to run the FineCollectionService with a Dapr sidecar:
|
||||
|
||||
* Ensure you have run `dapr init` command prior to running the below command
|
||||
|
||||
```bash
|
||||
dapr run --app-id finecollectionservice --app-port 6001 --dapr-http-port 3601 --dapr-grpc-port 60001 --components-path ../dapr/components mvn spring-boot:run
|
||||
```
|
||||
|
||||
1. Open a **new** terminal window and change the current folder to `TrafficControlService`.
|
||||
|
||||
1. Enter the following command to run the TrafficControlService:
|
||||
|
||||
```bash
|
||||
mvn spring-boot:run
|
||||
```
|
||||
|
||||
1. Open a **new** terminal window and change the current folder to `Simulation`.
|
||||
|
||||
1. Start the simulation:
|
||||
|
||||
```bash
|
||||
mvn spring-boot:run
|
||||
```
|
||||
|
||||
You should see the same logs as **Assignment 1**. Obviously, the behavior of the application is exactly the same as before.
|
||||
|
||||
{: .important-title }
|
||||
> Cleanup
|
||||
>
|
||||
> When the workshop is done, please follow the [cleanup instructions]({{ site.baseurl }}{% link modules/10-cleanup/index.md %}) to delete the resources created in this workshop.
|
||||
>
|
||||
|
||||
<!-- ----------------------------- NAVIGATION ------------------------------ -->
|
||||
|
||||
<span class="fs-3">
|
||||
[< Secret Store setup]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/1-azure-key-vault-secret-store-setup.md %}){: .btn .mt-7 }
|
||||
</span>
|
|
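Review bot: The removed page is reinstated through the new `2-use-secret-store-in-code.md` include, which is not part of this diff, so please confirm the include did not inherit the defects visible in the deleted text: the path `FineCollectionService/src/main/java/dapr/fines/fines/DaprCalulator.java` (doubled `fines/` segment and "Calulator", while the code block names the class `DaprFineCalculator`), the explanatory paragraph "1. It implements the `FineCalculator` interface ..." rendered as a numbered step although it is commentary, and "it return `-1`" ("returns"). Also note that the deleted page ended with a `Cleanup` admonition; the replacement page in this commit drops it, which is fine for a bonus sub-page only if the section index still carries the cleanup pointer.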
@ -0,0 +1,85 @@
|
|||
---
|
||||
title: Retrieve a secret in the application
|
||||
parent: Using Azure Key Vault as a secret store
|
||||
grand_parent: Bonus Assignments
|
||||
has_children: false
|
||||
nav_order: 2
|
||||
layout: default
|
||||
has_toc: true
|
||||
---
|
||||
|
||||
# Retrieve a secret in the application
|
||||
|
||||
{: .no_toc }
|
||||
|
||||
<details open markdown="block">
|
||||
<summary>
|
||||
Table of contents
|
||||
</summary>
|
||||
{: .text-delta }
|
||||
- TOC
|
||||
{:toc}
|
||||
</details>
|
||||
|
||||
Previously, you have created an Azure Key Vault and added the Dapr component. Now, you will use the [secret in the application](https://docs.dapr.io/developing-applications/building-blocks/secrets/howto-secrets/). This bonus assignment is about using Azure Key Vault as a [secret store](https://docs.dapr.io/operations/components/setup-secret-store/) for the `FineCollectionService` to get the license key of the fine calculator.
|
||||
|
||||
{: .important-title }
|
||||
> Pre-requisite
|
||||
>
|
||||
> If the setup of the Azure Key Vault is not done yet, please follow the instructions in [Setup Azure Key Vault as a secret store]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/1-setup-azure-key-vault.md %}).
|
||||
>
|
||||
|
||||
<!-- -------------------- CREATE SECRET AND UPDATE CODE -------------------- -->
|
||||
|
||||
{% include 09-bonus-assignments/03-secret-store/2-use-secret-store-in-code.md %}
|
||||
|
||||
## Step 3: Test the application
|
||||
|
||||
You're going to start all the services now.
|
||||
|
||||
1. Make sure no services from previous tests are running (close the command-shell windows).
|
||||
|
||||
1. Open the terminal window and make sure the current folder is `VehicleRegistrationService`.
|
||||
|
||||
1. Enter the following command to run the VehicleRegistrationService:
|
||||
|
||||
```bash
|
||||
mvn spring-boot:run
|
||||
```
|
||||
|
||||
1. Open a **new** terminal window and change the current folder to `FineCollectionService`.
|
||||
|
||||
1. Enter the following command to run the FineCollectionService with a Dapr sidecar:
|
||||
|
||||
* Ensure you have run `dapr init` command prior to running the below command
|
||||
|
||||
```bash
|
||||
dapr run --app-id finecollectionservice --app-port 6001 --dapr-http-port 3601 --dapr-grpc-port 60001 --components-path ../dapr/components mvn spring-boot:run
|
||||
```
|
||||
|
||||
1. Open a **new** terminal window and change the current folder to `TrafficControlService`.
|
||||
|
||||
1. Enter the following command to run the TrafficControlService:
|
||||
|
||||
```bash
|
||||
mvn spring-boot:run
|
||||
```
|
||||
|
||||
1. Open a **new** terminal window and change the current folder to `Simulation`.
|
||||
|
||||
1. Start the simulation:
|
||||
|
||||
```bash
|
||||
mvn spring-boot:run
|
||||
```
|
||||
|
||||
You should see the same logs as **Assignment 1**. Obviously, the behavior of the application is exactly the same as before.
|
||||
|
||||
<!-- ----------------------------- NAVIGATION ------------------------------ -->
|
||||
|
||||
<span class="fs-3">
|
||||
[Reference a secret in a component]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/3-use-secret-in-dapr-component.md %}){: .btn .mt-7 }
|
||||
</span>
|
||||
<span class="fs-3">
|
||||
[Deploy to ACA]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/5-deploying-to-aca.md %}){: .btn }
|
||||
</span>
|
|
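Review bot: `## Step 3: Test the application` hard-codes the number while the two preceding steps come from the `2-use-secret-store-in-code.md` include, and the ACA variant of this page (same commit) relies on the same include emitting exactly Steps 1 and 2; if the include ever uses `{{stepNumber}}` the numbering here will break silently, so either pass `{% assign stepNumber = 1 %}` before the include and compute the heading from it, as `1-setup-azure-key-vault.md` does, or leave a comment documenting the assumption. Two smaller points: the bottom navigation offers both "Reference a secret in a component" and "Deploy to ACA", but the latter's target has `nav_order: 5` while the section has no page with `nav_order: 4`, which makes the sidebar numbering look like a gap; and the `dapr run ... --components-path ../dapr/components` flag has been deprecated in favour of `--resources-path` in newer Dapr CLI releases, so a note on which CLI version the workshop targets would save readers a warning or an error.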
@ -1,6 +1,6 @@
|
|||
---
|
||||
title: Reference a secret in components
|
||||
parent: Use Azure Keyvault as a secret store
|
||||
title: Reference a secret in Dapr components
|
||||
parent: Using Azure Key Vault as a secret store
|
||||
grand_parent: Bonus Assignments
|
||||
has_children: false
|
||||
nav_order: 3
|
||||
|
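Review bot: The page title becomes "Reference a secret in Dapr components", but the navigation buttons added elsewhere in this commit (`1-setup-azure-key-vault.md` and `2-use-secret-store-in-code.md`) still label the link "Reference a secret in a component"; align the button text with the new title so the sidebar and the buttons match.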
@ -8,7 +8,7 @@ layout: default
|
|||
has_toc: true
|
||||
---
|
||||
|
||||
# Reference a secret in components
|
||||
# Reference a secret in Dapr components
|
||||
|
||||
{: .no_toc }
|
||||
|
||||
|
@ -21,27 +21,20 @@ has_toc: true
|
|||
{:toc}
|
||||
</details>
|
||||
|
||||
Previously, you have created an Azure Key Vault and added the Dapr component. Now, you will use the secret in the application. This bonus assignment is about using Azure Key Vault as a [secret store](https://docs.dapr.io/operations/components/setup-secret-store/) to store the connection string of the Azure Service Bus.
|
||||
Previously, you have created an Azure Key Vault and added the Dapr component. Now you will [use a secret from a secret store in another Dapr component](https://docs.dapr.io/operations/components/component-secrets/). This bonus assignment is about using Azure Key Vault as a [secret store](https://docs.dapr.io/operations/components/setup-secret-store/) to store the connection string of the Azure Service Bus and use it in the `pubsub` component.
|
||||
|
||||
{: .important-title }
|
||||
> Pre-requisite
|
||||
>
|
||||
> If the setup of the Azure Key Vault is not done yet, please follow the instructions in [Part 1 - Setup Azure Key Vault as a secret store]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/1-azure-key-vault-secret-store-setup.md %}).
|
||||
> If the setup of the Azure Key Vault is not done yet, please follow the instructions in [Setup Azure Key Vault as a secret store]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/1-setup-azure-key-vault.md %}).
|
||||
>
|
||||
> The `Assignment 3 - Setup Azure Service Bus` is also a pre-requisite for this assignment. If not done yet, please follow the instructions in [Assignment 3 - Setup Azure Service Bus]({{ site.baseurl }}{% link modules/03-assignment-3-azure-pub-sub/1-azure-service-bus.md %}).
|
||||
>
|
||||
|
||||
|
||||
## Step 1: Create a secret in the Azure Key Vault for the connetion string
|
||||
<!-- ------------------------ SET CONNECTION STRING ------------------------ -->
|
||||
|
||||
Azure Service Bus' connection string will be store as a string/literal secret:
|
||||
|
||||
1. Open a terminal window.
|
||||
|
||||
1. Create a secret in the Azure Key Vault for Azure Service Bus' connection string:
|
||||
```bash
|
||||
az keyvault secret set --vault-name $KEY_VAULT --name azSericeBusconnectionString --value "<connection-string>"
|
||||
```
|
||||
Replace `<connection-string>` with the connection string of the Azure Service Bus created in assignement 3.
|
||||
{% include 09-bonus-assignments/03-secret-store/3-1-create-sb-connection-string-secret.md %}
|
||||
|
||||
## Step 2: Use the secret in the application `FineCollectionService`
|
||||
|
||||
|
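Review bot: The unchanged heading `## Step 2: Use the secret in the application \`FineCollectionService\`` no longer matches this page, whose new intro says the secret is used "in the `pubsub` component"; rename it along the lines of the ACA page in this commit ("Use a secret in `pubsub` component"). Because the `## Step 1` heading is removed here and replaced by `{% include ... 3-1-create-sb-connection-string-secret.md %}`, confirm that the include emits its own "Step 1" heading, otherwise the page jumps straight to Step 2. The removed command also fixed the secret name `azSericeBusconnectionString`; make sure the name used inside the include is identical to the `secretKeyRef` name in the `pubsub` component YAML, since a mismatch only shows up at sidecar start-up as a missing-secret error.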
@ -67,8 +60,8 @@ Azure Service Bus' connection string will be store as a string/literal secret:
|
|||
auth:
|
||||
secretStore: secretstore
|
||||
```
|
||||
This tells Dapr to use the secret store component `secretstore` to retrieve the secret.
|
||||
|
||||
This tells Dapr to use the secret store component `secretstore` to retrieve the secret.
|
||||
|
||||
## Step 3: Test the application
|
||||
|
||||
|
@ -127,5 +120,8 @@ You should see the same logs as **Assignment 3** with Azure Service Bus. Obvious
|
|||
<!-- ----------------------------- NAVIGATION ------------------------------ -->
|
||||
|
||||
<span class="fs-3">
|
||||
[< Secret Store setup]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/1-azure-key-vault-secret-store-setup.md %}){: .btn .mt-7 }
|
||||
[Retreive a secret in the application]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/2-use-secret-store-in-code.md %}){: .btn .mt-7 }
|
||||
</span>
|
||||
<span class="fs-3">
|
||||
[Deploy to ACA]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/5-deploying-to-aca.md %}){: .btn }
|
||||
</span>
|
|
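Review bot: The new back button drops the `< ` prefix that every other back link in this commit uses (`[< Secret Store setup]`, `[< Setup Azure Key Vault]`) and misspells "Retrieve"; suggest `[< Retrieve a secret in the application](...)` so the link reads as "previous page" like its siblings.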
@ -0,0 +1,89 @@
|
|||
---
|
||||
title: Deploying Azure Key Vault secret store to Azure Container Apps
|
||||
parent: Using Azure Key Vault as a secret store
|
||||
grand_parent: Bonus Assignments
|
||||
has_children: false
|
||||
nav_order: 5
|
||||
layout: default
|
||||
has_toc: true
|
||||
---
|
||||
|
||||
# Deploying Azure Key Vault secret store to Azure Container Apps
|
||||
|
||||
{: .no_toc }
|
||||
|
||||
<details open markdown="block">
|
||||
<summary>
|
||||
Table of contents
|
||||
</summary>
|
||||
{: .text-delta }
|
||||
- TOC
|
||||
{:toc}
|
||||
</details>
|
||||
|
||||
In this bonus assignment, you will deploy the Azure Key Vault secret store to Azure Container Apps. You will use the [secret management building block](https://docs.dapr.io/developing-applications/building-blocks/secrets/) provided by Dapr. The first step is the deployment of the `secretstore` component to Azure Container Apps.
|
||||
|
||||
It is followed by 2 steps that can be done in any order (at least one of them must be done):
|
||||
|
||||
- a. Deploy `FineCollectionService` to use the secret store for the license key of fine calculator
|
||||
- b. Use the secret store for the service bus connection string of the `pubsub` component
|
||||
|
||||
{: .important-title }
|
||||
> Pre-requisite
|
||||
>
|
||||
> If the setup of the Azure Key Vault is not done yet, please follow the instructions in [Setup Azure Key Vault as a secret store]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/1-setup-azure-key-vault.md %}).
|
||||
>
|
||||
|
||||
<!-- ---------------- DEPLOY SECRET STORE COMPONENT TO ACA ----------------- -->
|
||||
|
||||
{% assign stepNumber = 1 %}
|
||||
{% include 09-bonus-assignments/03-secret-store/5-1-deploy-secret-store-component-to-aca.md %}
|
||||
|
||||
## Step 2: Deploy to Azure Container Apps
|
||||
|
||||
### Step 2.a: Retrieve a secret in the application
|
||||
|
||||
{: .important-title }
|
||||
> Pre-requisite
|
||||
>
|
||||
> The second part [Retrieve a secret in the application]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/2-use-secret-store-in-code.md %}) is a pre-requisite for this step.
|
||||
>
|
||||
|
||||
To deploy the retrieving of the license key of the fine calculator to Azure Container Apps, you will need to update the `FineCollectionService` container app to use the secret store for the license key of fine calculator.
|
||||
|
||||
#### Build and redeploy fine collection service
|
||||
|
||||
{% include 09-bonus-assignments/03-secret-store/5-2-a-rebuild-fine-collection-service.md %}
|
||||
|
||||
### Step 2.b: Reference a secret in Dapr components
|
||||
|
||||
{: .important-title }
|
||||
> Pre-requisite
|
||||
>
|
||||
> The third part [Reference a secret in Dapr components]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/3-use-secret-in-dapr-component.md %}) is a pre-requisite for this step.
|
||||
>
|
||||
|
||||
#### Use a secret in `pubsub` component
|
||||
|
||||
{% include 09-bonus-assignments/03-secret-store/5-2-b-1-use-secret-in-pubsub.md %}
|
||||
|
||||
#### Restart `FineCollectionService` and `TrafficControlService`
|
||||
|
||||
{% include 09-bonus-assignments/03-secret-store/5-2-b-2-restart-services.md %}
|
||||
|
||||
<!-- -------------------------------- TEST --------------------------------- -->
|
||||
|
||||
{% assign stepNumber = 3 %}
|
||||
{% include 05-assignment-5-aks-aca/02-aca/0-3-test-application.md %}
|
||||
|
||||
{: .important-title }
|
||||
> Cleanup
|
||||
>
|
||||
> When the workshop is done, please follow the [cleanup instructions]({{ site.baseurl }}{% link modules/10-cleanup/index.md %}) to delete the resources created in this workshop.
|
||||
>
|
||||
|
||||
<!-- ----------------------------- NAVIGATION ------------------------------ -->
|
||||
|
||||
<span class="fs-3">
|
||||
[< Secret Store setup]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/1-setup-azure-key-vault.md %}){: .btn .mt-7 }
|
||||
</span>
|
|
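Review bot: This page deploys the `secretstore` component to Azure Container Apps through the `5-1-deploy-secret-store-component-to-aca.md` include, yet it does not repeat the guidance that the setup page in this same commit gives ("managed identity ... should be used instead of client secret for production workloads"); since the deployed component still carries the app registration's client secret, add the same admonition or a link to it right after the intro paragraph. Wording: "To deploy the retrieving of the license key of the fine calculator to Azure Container Apps, you will need to update ..." reads better as "To have `FineCollectionService` read the license key from the secret store on Azure Container Apps, update the container app ...". Structure: the intro announces "2 steps that can be done in any order (at least one of them must be done)" but they are rendered as `### Step 2.a` and `### Step 2.b` under a single `## Step 2`, and the test include is wired with a hard-coded `{% assign stepNumber = 3 %}`; that is consistent today but worth a comment so future edits keep the numbers in step. Also `nav_order: 5` leaves no page at 4 in this section.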
@ -1,16 +1,20 @@
|
|||
---
|
||||
title: Use Azure Keyvault as a secret store
|
||||
title: Using Azure Key Vault as a secret store
|
||||
parent: Bonus Assignments
|
||||
has_children: true
|
||||
nav_order: 3
|
||||
layout: default
|
||||
---
|
||||
|
||||
# Use Azure Keyvault as a secret store
|
||||
# Using Azure Key Vault as a secret store
|
||||
|
||||
This bonus assignment is about using Azure Key Vault as a [secret store](https://docs.dapr.io/operations/components/setup-secret-store/) for the `FineCollectionService`. You will use the [Azure Key Vault secret store component](https://docs.dapr.io/reference/components-reference/supported-secret-stores/azure-keyvault/) provided by Dapr.
|
||||
This bonus assignment is about using [Azure Key Vault](https://learn.microsoft.com/en-us/azure/key-vault/general/) as a [secret store](https://docs.dapr.io/operations/components/setup-secret-store/) for the `FineCollectionService`. You will use the [Azure Key Vault secret store component](https://docs.dapr.io/reference/components-reference/supported-secret-stores/azure-keyvault/) provided by Dapr.
|
||||
|
||||
The [first part]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/1-azure-key-vault-secret-store-setup.md %}) is the setup of the Azure Key Vault. The [second part]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/2-azure-key-vault-secret-store-code.md %}) is the configuration of the `FineCollectionService` to use the Azure Key Vault as a secret store for the license key of the fine calculator. The [third part]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/3-azure-key-vault-secret-store-component.md %}) is to use the secret store in the `FineCollectionService` and the `TrafficControllerService` to get the connection string for Azure Service Bus.
|
||||
There are 3 main parts in this bonus assignment:
|
||||
|
||||
1. [Setup of the Azure Key Vault as a secret store]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/1-setup-azure-key-vault.md %})
|
||||
2. [Update of `FineCollectionService` to retrieve the license key from the Azure Key Vault using Dapr secret store component]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/2-use-secret-store-in-code.md %}). The license key is used by the fine calculator engine
|
||||
3. [Use secrets of Azure Key Vault in the definition of other components]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/3-use-secret-in-dapr-component.md %}). Using Dapr, component definitions can reference secrets in a secret store. This is used to reference the Azure Service Bus connection string and the Azure Cosmos DB master key in the definition of the Azure Service Bus and Azure Cosmos DB components
|
||||
|
||||
{: .important-title }
|
||||
> Pre-requisite
|
||||
|
@ -21,5 +25,5 @@ The [first part]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secre
|
|||
<!-- ----------------------------- NAVIGATION ------------------------------ -->
|
||||
|
||||
<span class="fs-3">
|
||||
[Let's start!]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/1-azure-key-vault-secret-store-setup.md %}){: .btn .mt-7 }
|
||||
[Let's start!]({{ site.baseurl }}{% link modules/09-bonus-assignments/03-secret-store/1-setup-azure-key-vault.md %}){: .btn .mt-7 }
|
||||
</span>
|
||||
|
|
|
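Review bot: Item 3 of the new list claims the third part references "the Azure Service Bus connection string and the Azure Cosmos DB master key in the definition of the Azure Service Bus and Azure Cosmos DB components", but the updated `3-use-secret-in-dapr-component.md` in this commit covers only the Service Bus connection string in the `pubsub` component, and the ACA variant explicitly leaves Cosmos DB as an optional "Challenge"; either trim the sentence to Service Bus or add the Cosmos DB step to part 3. Minor: "Setup of the Azure Key Vault" (noun) vs. the page title "Setup Azure Key Vault" (verb) should be "Set up" in the imperative title.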
@ -20,7 +20,7 @@ has_toc: true
|
|||
{:toc}
|
||||
</details>
|
||||
|
||||
This assignment is about using Azure Cosmos DB as a [state store](https://docs.dapr.io/operations/components/setup-state-store/) for the `TrafficControlService` instead of keeping the sate in memory. You will use the [Azure Cosmos DB state store component](https://docs.dapr.io/reference/components-reference/supported-state-stores/setup-azure-cosmosdb/) provided by Dapr. This is the third step to reach the final state of the application for this challenge. It is represented by the diagram below.
|
||||
This assignment is about using [Azure Cosmos DB](https://learn.microsoft.com/en-us/azure/cosmos-db/) as a [state store](https://docs.dapr.io/operations/components/setup-state-store/) for the `TrafficControlService` instead of keeping the sate in memory. You will use the [Azure Cosmos DB state store component](https://docs.dapr.io/reference/components-reference/supported-state-stores/setup-azure-cosmosdb/) provided by Dapr. This is the third step to reach the final state of the application for this challenge. It is represented by the diagram below.
|
||||
|
||||
![Azure Container Apps Challenge - Third Deployment](../../../assets/images/aca-deployment-3.png)
|
||||
|
||||
|
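Review bot: The replacement line keeps the typo "keeping the sate in memory" from the original ("state"); since the line is being rewritten anyway, fix it in the same change.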
@ -66,5 +66,5 @@ This assignment is about using Azure Cosmos DB as a [state store](https://docs.d
|
|||
[< Assignment 5 - Service invocation]({{ site.baseurl }}{% link modules/11-aca-challenge/05-service-invocation/index.md %}){: .btn .mt-7 }
|
||||
</span>
|
||||
<span class="fs-3">
|
||||
[Assignment 5 - Service invocation >]({{ site.baseurl }}{% link modules/11-aca-challenge/05-service-invocation/index.md %}){: .btn .float-right .mt-7 }
|
||||
[Assignment 7 - Key Vault as a secret store >]({{ site.baseurl }}{% link modules/11-aca-challenge/07-secret-store/index.md %}){: .btn .float-right .mt-7 }
|
||||
</span>
|
|
@ -0,0 +1,43 @@
|
|||
---
|
||||
title: Setup Azure Key Vault as a secret store
|
||||
parent: Assignment 7 - Using Azure Key Vault as a secret store
|
||||
grand_parent: Azure Container Apps Challenge
|
||||
has_children: false
|
||||
nav_order: 1
|
||||
layout: default
|
||||
has_toc: true
|
||||
---
|
||||
|
||||
# Setup Azure Key Vault as a secret store
|
||||
|
||||
{: .no_toc }
|
||||
|
||||
<details open markdown="block">
|
||||
<summary>
|
||||
Table of contents
|
||||
</summary>
|
||||
{: .text-delta }
|
||||
- TOC
|
||||
{:toc}
|
||||
</details>
|
||||
|
||||
The first part of this assignment is about using Azure Key Vault as a [secret store](https://docs.dapr.io/operations/components/setup-secret-store/). It consists in the creation of the Azure Key Vault resource and the deployment of [Azure Key Vault secret store component](https://docs.dapr.io/reference/components-reference/supported-secret-stores/azure-keyvault/) to Azure Container Apps environment.
|
||||
|
||||
<!-- ------------------------ SETUP AZURE KEYVAULT ------------------------- -->
|
||||
|
||||
{% assign stepNumber = 1 %}
|
||||
{% include 09-bonus-assignments/03-secret-store/1-setup-azure-key-vault.md %}
|
||||
|
||||
<!-- ---------------- DEPLOY SECRET STORE COMPONENT TO ACA ----------------- -->
|
||||
|
||||
{% assign stepNumber = stepNumber | plus: 1 %}
|
||||
{% include 09-bonus-assignments/03-secret-store/5-1-deploy-secret-store-component-to-aca.md %}
|
||||
|
||||
<!-- ----------------------------- NAVIGATION ------------------------------ -->
|
||||
|
||||
<span class="fs-3">
|
||||
[< Assignment 7 - Key Vault as a secret store]({{ site.baseurl }}{% link modules/11-aca-challenge/07-secret-store/index.md %}){: .btn .mt-7 }
|
||||
</span>
|
||||
<span class="fs-3">
|
||||
[Retreive a secret in the application >]({{ site.baseurl }}{% link modules/11-aca-challenge/07-secret-store/2-use-secret-store-in-code.md %}){: .btn .float-right .mt-7 }
|
||||
</span>
|
|
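Review bot: "It consists in the creation of the Azure Key Vault resource and the deployment of [Azure Key Vault secret store component] ..." should be "It consists of the creation of the Azure Key Vault resource and the deployment of the [Azure Key Vault secret store component] ... to the Azure Container Apps environment". The page reuses the `09-bonus-assignments/03-secret-store/` includes from inside `11-aca-challenge/`, which is fine, but any future edit to those includes now affects two tracks; a short HTML comment noting the shared ownership would help the next editor. The forward button again reads "Retreive".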
@ -0,0 +1,46 @@
|
|||
---
|
||||
title: Retrieve a secret in the application
|
||||
parent: Assignment 7 - Using Azure Key Vault as a secret store
|
||||
grand_parent: Azure Container Apps Challenge
|
||||
has_children: false
|
||||
nav_order: 2
|
||||
layout: default
|
||||
has_toc: true
|
||||
---
|
||||
|
||||
# Retrieve a secret in the application
|
||||
|
||||
{: .no_toc }
|
||||
|
||||
<details open markdown="block">
|
||||
<summary>
|
||||
Table of contents
|
||||
</summary>
|
||||
{: .text-delta }
|
||||
- TOC
|
||||
{:toc}
|
||||
</details>
|
||||
|
||||
Previously, you have created an Azure Key Vault and added the Dapr component to Azure Container Apps environmnet. Now, you will use the [secret in the application](https://docs.dapr.io/developing-applications/building-blocks/secrets/howto-secrets/). This second part of the assignment is about using Azure Key Vault as a [secret store](https://docs.dapr.io/operations/components/setup-secret-store/) for the `FineCollectionService` to get the license key of the fine calculator.
|
||||
|
||||
<!-- -------------------- CREATE SECRET AND UPDATE CODE -------------------- -->
|
||||
|
||||
{% include 09-bonus-assignments/03-secret-store/2-use-secret-store-in-code.md %}
|
||||
|
||||
## Step 3: Build and redeploy fine collection service
|
||||
|
||||
{% include 09-bonus-assignments/03-secret-store/5-2-a-rebuild-fine-collection-service.md %}
|
||||
|
||||
<!-- -------------------------------- TEST --------------------------------- -->
|
||||
|
||||
{% assign stepNumber = 4 %}
|
||||
{% include 05-assignment-5-aks-aca/02-aca/0-3-test-application.md %}
|
||||
|
||||
<!-- ----------------------------- NAVIGATION ------------------------------ -->
|
||||
|
||||
<span class="fs-3">
|
||||
[< Setup Azure Key Vault]({{ site.baseurl }}{% link modules/11-aca-challenge/07-secret-store/1-setup-azure-key-vault.md %}){: .btn .mt-7 }
|
||||
</span>
|
||||
<span class="fs-3">
|
||||
[Reference a secret in Dapr components >]({{ site.baseurl }}{% link modules/11-aca-challenge/07-secret-store/3-use-secret-in-dapr-component.md %}){: .btn .float-right .mt-7 }
|
||||
</span>
|
|
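Review bot: Typo in the intro: "added the Dapr component to Azure Container Apps environmnet" ("environment", and "the Azure Container Apps environment"). As on the bonus page, `## Step 3: Build and redeploy fine collection service` and `{% assign stepNumber = 4 %}` hard-code numbers that assume the `2-use-secret-store-in-code.md` include emits exactly Steps 1 and 2; document that assumption in a comment next to the include.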
@ -0,0 +1,53 @@
|
|||
---
|
||||
title: Reference a secret in Dapr components
|
||||
parent: Assignment 7 - Using Azure Key Vault as a secret store
|
||||
grand_parent: Azure Container Apps Challenge
|
||||
has_children: false
|
||||
nav_order: 3
|
||||
layout: default
|
||||
has_toc: true
|
||||
---
|
||||
|
||||
# Reference a secret in Dapr components
|
||||
|
||||
{: .no_toc }
|
||||
|
||||
<details open markdown="block">
|
||||
<summary>
|
||||
Table of contents
|
||||
</summary>
|
||||
{: .text-delta }
|
||||
- TOC
|
||||
{:toc}
|
||||
</details>
|
||||
|
||||
Previously, you have use a secret in `FineCollectionService` code using the `secretstore` component (i.e. Azure Key Vault). Now you will [use a secret from a secret store in another Dapr component](https://docs.dapr.io/operations/components/component-secrets/). This third part of the assignment is about using Azure Key Vault as a [secret store](https://docs.dapr.io/operations/components/setup-secret-store/) to store the connection string of the Azure Service Bus and use it in the `pubsub` component.
|
||||
|
||||
<!-- ------------------------ SET CONNECTION STRING ------------------------ -->
|
||||
|
||||
{% include 09-bonus-assignments/03-secret-store/3-1-create-sb-connection-string-secret.md %}
|
||||
|
||||
## Step 2: Use a secret in `pubsub` component
|
||||
|
||||
{% include 09-bonus-assignments/03-secret-store/5-2-b-1-use-secret-in-pubsub.md %}
|
||||
|
||||
## Step 3: Restart `FineCollectionService` and `TrafficControlService`
|
||||
|
||||
{% include 09-bonus-assignments/03-secret-store/5-2-b-2-restart-services.md %}
|
||||
|
||||
<!-- -------------------------------- TEST --------------------------------- -->
|
||||
|
||||
{% assign stepNumber = 4 %}
|
||||
{% include 05-assignment-5-aks-aca/02-aca/0-3-test-application.md %}
|
||||
|
||||
{: .new-title }
|
||||
> Challenge
|
||||
>
|
||||
> You can use the secret store to store Cosmos DB master key as well. Try it out! More information on Cosmos DB as a state store can be found in [Bonus Assignment: State Store]({{ site.baseurl }}{% link modules/09-bonus-assignments/02-state-store/index.md %}).
|
||||
>
|
||||
|
||||
<!-- ----------------------------- NAVIGATION ------------------------------ -->
|
||||
|
||||
<span class="fs-3">
|
||||
[< Retreive a secret in the application]({{ site.baseurl }}{% link modules/11-aca-challenge/07-secret-store/2-use-secret-store-in-code.md %}){: .btn .mt-7 }
|
||||
</span>
|
|
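Review bot: Grammar in the intro: "Previously, you have use a secret in `FineCollectionService` code using the `secretstore` component" should read "Previously, you used a secret in the `FineCollectionService` code through the `secretstore` component". The closing "Challenge" box invites readers to put the Cosmos DB master key in the secret store as an optional exercise, which contradicts the section index in this same commit, where item 3 states that part 3 already references the Cosmos DB master key in the component definition; pick one and make the index match. `## Step 2` and `## Step 3` are hard-coded after an include that is expected to provide Step 1, same caveat as the other pages.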
@ -0,0 +1,27 @@
---
title: Assignment 7 - Using Azure Key Vault as a secret store
parent: Azure Container Apps Challenge
has_children: true
nav_order: 8
layout: default
has_toc: true
---
This assignment is about using [Azure Key Vault](https://learn.microsoft.com/en-us/azure/key-vault/general/) as a [secret store](https://docs.dapr.io/operations/components/setup-secret-store/) for the `FineCollectionService`. You will use the [Azure Key Vault secret store component](https://docs.dapr.io/reference/components-reference/supported-secret-stores/azure-keyvault/) provided by Dapr. This the fourth and last step to reach the final state of the application for this challenge. It is represented in the diagram below.
![Final architecture of the challenge](../../../assets/images/fine-collection-service-secret-store.png)
There are 3 main parts in this assignment:
1. [Setup of the Azure Key Vault as a secret store]({{ site.baseurl }}{% link modules/11-aca-challenge/07-secret-store/1-setup-azure-key-vault.md %})
2. [Update of `FineCollectionService` to retrieve the license key from the Azure Key Vault using Dapr secret store component]({{ site.baseurl }}{% link modules/11-aca-challenge/07-secret-store/2-use-secret-store-in-code.md %}). The license key is used by the fine calculator engine
3. [Use secrets of Azure Key Vault in the definition of other components]({{ site.baseurl }}{% link modules/11-aca-challenge/07-secret-store/3-use-secret-in-dapr-component.md %}). Using Dapr, component definitions can reference secrets in a secret store. This is used to reference the Azure Service Bus connection string and the Azure Cosmos DB master key in the definition of the Azure Service Bus and Azure Cosmos DB components
<!-- ----------------------------- NAVIGATION ------------------------------ -->
<span class="fs-3">
[< Assignment 6 - Cosmos DB as a state store]({{ site.baseurl }}{% link modules/11-aca-challenge/06-state-store/index.md %}){: .btn .mt-7 }
</span>
<span class="fs-3">
[Setup Azure Key Vault >]({{ site.baseurl }}{% link modules/11-aca-challenge/07-secret-store/1-setup-azure-key-vault.md %}){: .btn .float-right .mt-7 }
</span>
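Review bot: the third numbered part promises that Key Vault secrets are referenced for both the Azure Service Bus connection string and the Azure Cosmos DB master key in the component definitions, but the page this commit adds for that part only wires the Service Bus connection string into the `pubsub` component and leaves the Cosmos DB key as an optional "Challenge" call-out; either soften the bullet to "the Azure Service Bus connection string and, as a challenge, the Azure Cosmos DB master key" or promote the Cosmos DB part to a real step so the index and the page agree. Minor wording: "This the fourth and last step" is missing "is", and since the same paragraph is immediately followed by "There are 3 main parts in this assignment", say "fourth and last assignment of the challenge" so readers do not read "step" as one of those parts.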
@ -17,7 +17,7 @@ In this challenge, you will cover most of the topics covered in the workshop and
The following diagram shows the architecture, that is the final state of this challenge:
![Architecture](../../assets/images/fine-collection-service-secret-store.png)
![Final architecture of the challenge](../../assets/images/fine-collection-service-secret-store.png)
<span class="fs-3">
[Let's start!]({{ site.baseurl }}{% link modules/11-aca-challenge/00-intro/1-dapr-overview.md %}){: .btn .mt-7 }