Deploying Azure Key Vault secret store to Azure Container Apps
In this bonus assignment, you will deploy the Azure Key Vault secret store to Azure Container Apps. You will use the secret management building block provided by Dapr. The first step is the deployment of the `secretstore` component to Azure Container Apps.
It is followed by two steps that can be done in any order (at least one of them must be done):
- a. Deploy `FineCollectionService` to use the secret store for the license key of the fine calculator.
- b. Use the secret store for the Service Bus connection string of the `pubsub` component.
Pre-requisites
- If the setup of the Azure Key Vault is not done yet, please follow the instructions in Setup Azure Key Vault as a secret store.
- Assignment 5 - Deploying to Azure Container Apps is also a pre-requisite for this assignment.
Step 1: Deploy Azure Key Vault secret store component
- Copy or move the file `dapr/aca-azure-keyvault-secretstore.yaml` to the `dapr/components/` folder.
- Open the copied file `dapr/components/aca-azure-keyvault-secretstore.yaml` in your code editor.
- Set the following values in the `metadata` section of the component:
  - `vaultName`: the name of the Azure Key Vault you created in step 3.
  - `azureTenantId`: the value for `tenant` you noted down in step 1.
  - `azureClientId`: the value for `appId` you noted down in step 1.
- Set the following value in the `secrets` section of the component:
  - `azure-client-secret`: the value for `password` you noted down in step 1.
- Go to the root folder of the repository.
- Enter the following command to deploy the `secretstore` Dapr component:

  ```shell
  az containerapp env dapr-component set \
    --name cae-dapr-workshop-java \
    --resource-group rg-dapr-workshop-java \
    --dapr-component-name secretstore \
    --yaml ./dapr/components/aca-azure-keyvault-secretstore.yaml
  ```
Managed Identity
By setting a secret in a Dapr component for an Azure Container Apps environment, the secret is stored using platform-managed Kubernetes secrets. This is useful when connecting non-Azure services, or in DEV/TEST scenarios for quickly deploying Dapr components.
In production scenarios, it is recommended to use the Azure Key Vault secret store with a managed identity instead, and not to store secrets as Kubernetes secrets.
Step 2: Deploy to Azure Container Apps
Step 2.a: Retrieve a secret in the application
Pre-requisite
The second part Retrieve a secret in the application is a pre-requisite for this step.
To deploy the retrieval of the license key of the fine calculator to Azure Container Apps, you need to update the `FineCollectionService` container app to use the secret store for the license key of the fine calculator.
Build and redeploy fine collection service
In this step, you will rebuild and redeploy the `FineCollectionService` to use the secret store (i.e. Azure Key Vault) to get the license key of the fine calculator.
- Delete the image from local Docker:

  ```shell
  docker rmi fine-collection-service:1.0-SNAPSHOT
  ```
- In the root folder of `FineCollectionService`, run the following commands to build and push the image:

  ```shell
  mvn spring-boot:build-image
  docker tag fine-collection-service:1.0-SNAPSHOT "$CONTAINER_REGISTRY.azurecr.io/fine-collection-service:3.0"
  docker push "$CONTAINER_REGISTRY.azurecr.io/fine-collection-service:3.0"
  ```

  where `$CONTAINER_REGISTRY` is the name of your Azure Container Registry.
- Update the `FineCollectionService` container app with the new image:

  ```shell
  az containerapp update \
    --name ca-fine-collection-service \
    --resource-group rg-dapr-workshop-java \
    --image "$CONTAINER_REGISTRY.azurecr.io/fine-collection-service:3.0"
  ```

  where `$CONTAINER_REGISTRY` is the name of your Azure Container Registry.
Step 2.b: Reference a secret in Dapr components
Pre-requisite
The third part Reference a secret in Dapr components is a pre-requisite for this step.
Use a secret in `pubsub` component
- Open the file `dapr/components/aca-azure-servicebus-pubsub.yaml` (created in assignment 3) in your code editor, and inspect it.
- Add the following line after `version: v1`:

  ```yaml
  secretStoreComponent: "secretstore"
  ```

  This tells Dapr to use the secret store component `secretstore` to retrieve the secret.
- Replace the line:

  ```yaml
  value: "Endpoint=sb://{ServiceBusNamespace}.servicebus.windows.net/;SharedAccessKeyName={PolicyName};SharedAccessKey={Key};EntityPath={ServiceBus}"
  ```

  with:

  ```yaml
  secretRef: azSericeBusconnectionString
  ```

  This tells Dapr to use the secret `azSericeBusconnectionString` from the secret store. The component should now look like:

  ```yaml
  componentType: pubsub.azure.servicebus
  version: v1
  secretStoreComponent: "secretstore"
  metadata:
  - name: connectionString
    secretRef: azSericeBusconnectionString
  scopes:
  - traffic-control-service
  - fine-collection-service
  ```
- Update the Dapr component using the following command in the root of the project:

  ```shell
  az containerapp env dapr-component set \
    --name cae-dapr-workshop-java \
    --resource-group rg-dapr-workshop-java \
    --dapr-component-name pubsub \
    --yaml ./dapr/components/aca-azure-servicebus-pubsub.yaml
  ```
To know more about how to use a secret in a Dapr component with Azure Container Apps, please refer to this documentation.
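As an added example that is not part of the workshop, the following POSIX shell and awk script is a pre-deployment lint for the component YAML files handled in Step 1 and Step 2.b, to run before `az containerapp env dapr-component set`. It reports an error when a secret-like metadata entry (such as `connectionString`) still carries an inline `value:` instead of a `secretRef:`, a warning when the `secrets:` section stores a value inline (the platform-managed Kubernetes secret pattern that the Managed Identity note recommends against in production), and an error when a `secretRef:` has neither a `secretStoreComponent` nor a local `secrets:` section to resolve against. The three YAML files are constructed samples written to a temporary directory; the Key Vault component's metadata field names (in particular `azureClientSecret`) are assumptions, because the workshop's own file is not shown on this page.

```shell
#!/bin/sh
# Added example, not workshop code: lint Dapr component YAML for Azure Container Apps
# before deploying it with "az containerapp env dapr-component set".

# lint_dapr_component FILE
# exit 0 = clean, 1 = plaintext secret in metadata or dangling secretRef, 2 = warnings only
lint_dapr_component() {
    awk '
    BEGIN { errors = 0; warns = 0; has_store = 0; has_ref = 0; has_secrets = 0; in_secrets = 0; name = "" }
    /^[[:space:]]*secretStoreComponent:/ { has_store = 1 }
    /^[[:space:]]*secretRef:/            { has_ref = 1 }
    /^secrets:/                          { has_secrets = 1; in_secrets = 1; next }
    /^[A-Za-z]/                          { in_secrets = 0 }   # any other top-level key ends the secrets section
    /^[[:space:]]*-[[:space:]]*name:/ {                     # remember the current metadata/secret entry name
        name = $0; sub(/.*name:[[:space:]]*/, "", name); gsub(/"/, "", name)
    }
    /^[[:space:]]*value:/ {
        if (in_secrets) {
            printf "warn: %s: secret \"%s\" is stored inline (platform-managed Kubernetes secret)\n", FILENAME, name
            warns++
        } else if (name ~ /(connectionString|[Ss]ecret|[Pp]assword|[Kk]ey$)/) {
            printf "error: %s: plaintext value for metadata \"%s\"; use secretRef instead\n", FILENAME, name
            errors++
        }
    }
    END {
        if (has_ref && !has_store && !has_secrets) {
            printf "error: %s: secretRef used but no secretStoreComponent or secrets section\n", FILENAME
            errors++
        }
        exit (errors > 0 ? 1 : (warns > 0 ? 2 : 0))
    }' "$1"
}

SAMPLE_DIR=$(mktemp -d)

# Constructed sample: the pubsub component before Step 2.b (inline connection string).
cat > "$SAMPLE_DIR/pubsub-inline.yaml" <<'EOF'
componentType: pubsub.azure.servicebus
version: v1
metadata:
- name: connectionString
  value: "Endpoint=sb://{ServiceBusNamespace}.servicebus.windows.net/;SharedAccessKeyName={PolicyName};SharedAccessKey={Key};EntityPath={ServiceBus}"
scopes:
- traffic-control-service
- fine-collection-service
EOF

# Constructed sample: the same component after Step 2.b (secret referenced from the store).
cat > "$SAMPLE_DIR/pubsub-secretref.yaml" <<'EOF'
componentType: pubsub.azure.servicebus
version: v1
secretStoreComponent: "secretstore"
metadata:
- name: connectionString
  secretRef: azSericeBusconnectionString
scopes:
- traffic-control-service
- fine-collection-service
EOF

# Constructed sample: a Key Vault secret store whose client secret is stored inline,
# the DEV/TEST pattern of Step 1 (metadata field names are assumptions).
cat > "$SAMPLE_DIR/secretstore-clientsecret.yaml" <<'EOF'
componentType: secretstores.azure.keyvault
version: v1
metadata:
- name: vaultName
  value: "<your-key-vault-name>"
- name: azureTenantId
  value: "<tenant-id>"
- name: azureClientId
  value: "<app-id>"
- name: azureClientSecret
  secretRef: azure-client-secret
secrets:
- name: azure-client-secret
  value: "<password>"
EOF

for f in "$SAMPLE_DIR"/*.yaml; do
    echo "== $f"
    lint_dapr_component "$f" && echo "   clean" || echo "   exit status $?"
done
```

Point the function at your own `dapr/components/*.yaml` files instead of the samples; a non-zero exit status in a CI step blocks the deployment until the value is moved to Key Vault and referenced with `secretRef`.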
Restart `FineCollectionService` and `TrafficControlService`
- Run the following command to identify the running revision of the fine collection service container app:
  - Linux/Unix shell:

    ```shell
    FINE_COLLECTION_SERVICE_REVISION=$(az containerapp revision list -n ca-fine-collection-service -g rg-dapr-workshop-java --query "[0].name" -o tsv)
    echo $FINE_COLLECTION_SERVICE_REVISION
    ```
  - PowerShell:

    ```powershell
    $FINE_COLLECTION_SERVICE_REVISION = az containerapp revision list -n ca-fine-collection-service -g rg-dapr-workshop-java --query "[0].name" -o tsv
    $FINE_COLLECTION_SERVICE_REVISION
    ```
- Restart the fine collection service revision:

  ```shell
  az containerapp revision restart \
    --name ca-fine-collection-service \
    --resource-group rg-dapr-workshop-java \
    --revision $FINE_COLLECTION_SERVICE_REVISION
  ```
- Run the following command to identify the running revision of the traffic control service container app:
  - Linux/Unix shell:

    ```shell
    TRAFFIC_CONTROL_SERVICE_REVISION=$(az containerapp revision list -n ca-traffic-control-service -g rg-dapr-workshop-java --query "[0].name" -o tsv)
    echo $TRAFFIC_CONTROL_SERVICE_REVISION
    ```
  - PowerShell:

    ```powershell
    $TRAFFIC_CONTROL_SERVICE_REVISION = az containerapp revision list -n ca-traffic-control-service -g rg-dapr-workshop-java --query "[0].name" -o tsv
    $TRAFFIC_CONTROL_SERVICE_REVISION
    ```
- Restart the traffic control service revision:

  ```shell
  az containerapp revision restart \
    --name ca-traffic-control-service \
    --resource-group rg-dapr-workshop-java \
    --revision $TRAFFIC_CONTROL_SERVICE_REVISION
  ```
Step 3 - Run the simulation
- Set the following environment variable:
  - Linux/Unix shell:

    ```shell
    export TRAFFIC_CONTROL_SERVICE_BASE_URL=https://$TRAFFIC_CONTROL_SERVICE_FQDN
    ```
  - PowerShell:

    ```powershell
    $env:TRAFFIC_CONTROL_SERVICE_BASE_URL = "https://$TRAFFIC_CONTROL_SERVICE_FQDN"
    ```
- In the root folder of the simulation (`Simulation`), start the simulation:

  ```shell
  mvn spring-boot:run
  ```
Step 4 - Test the microservices running in ACA
You can access the logs of the container apps from the Azure Portal or directly in a terminal window. To access the logs in the portal, go to your resource group `rg-dapr-workshop-java` and select the container app for which you need the logs. Then select Log stream in the Monitoring section.
To access the logs from the terminal, follow the instructions below for each microservice.
The logs can take a few minutes to appear in the Log Analytics Workspace. If the logs are not updated, open the log stream in the Azure Portal.
Traffic Control Service
- Run the following command to identify the running revision of the traffic control service container app:
  - Linux/Unix shell:

    ```shell
    TRAFFIC_CONTROL_SERVICE_REVISION=$(az containerapp revision list -n ca-traffic-control-service -g rg-dapr-workshop-java --query "[0].name" -o tsv)
    echo $TRAFFIC_CONTROL_SERVICE_REVISION
    ```
  - PowerShell:

    ```powershell
    $TRAFFIC_CONTROL_SERVICE_REVISION = az containerapp revision list -n ca-traffic-control-service -g rg-dapr-workshop-java --query "[0].name" -o tsv
    $TRAFFIC_CONTROL_SERVICE_REVISION
    ```
- Run the following command to get the last 10 lines of the traffic control service logs from the Log Analytics Workspace:

  ```shell
  az monitor log-analytics query \
    --workspace $LOG_ANALYTICS_WORKSPACE_CUSTOMER_ID \
    --analytics-query "ContainerAppConsoleLogs_CL | where RevisionName_s == '$TRAFFIC_CONTROL_SERVICE_REVISION' | project TimeGenerated, Log_s | sort by TimeGenerated desc | take 10" \
    --out table
  ```
Fine Collection Service
- Run the following command to identify the running revision of the fine collection service container app:
  - Linux/Unix shell:

    ```shell
    FINE_COLLECTION_SERVICE_REVISION=$(az containerapp revision list -n ca-fine-collection-service -g rg-dapr-workshop-java --query "[0].name" -o tsv)
    echo $FINE_COLLECTION_SERVICE_REVISION
    ```
  - PowerShell:

    ```powershell
    $FINE_COLLECTION_SERVICE_REVISION = az containerapp revision list -n ca-fine-collection-service -g rg-dapr-workshop-java --query "[0].name" -o tsv
    $FINE_COLLECTION_SERVICE_REVISION
    ```
- Run the following command to get the last 10 lines of the fine collection service logs from the Log Analytics Workspace:

  ```shell
  az monitor log-analytics query \
    --workspace $LOG_ANALYTICS_WORKSPACE_CUSTOMER_ID \
    --analytics-query "ContainerAppConsoleLogs_CL | where RevisionName_s == '$FINE_COLLECTION_SERVICE_REVISION' | project TimeGenerated, Log_s | sort by TimeGenerated desc | take 10" \
    --out table
  ```
Vehicle Registration Service
- Run the following command to identify the running revision of the vehicle registration service container app:
  - Linux/Unix shell:

    ```shell
    VEHICLE_REGISTRATION_SERVICE_REVISION=$(az containerapp revision list -n ca-vehicle-registration-service -g rg-dapr-workshop-java --query "[0].name" -o tsv)
    echo $VEHICLE_REGISTRATION_SERVICE_REVISION
    ```
  - PowerShell:

    ```powershell
    $VEHICLE_REGISTRATION_SERVICE_REVISION = az containerapp revision list -n ca-vehicle-registration-service -g rg-dapr-workshop-java --query "[0].name" -o tsv
    $VEHICLE_REGISTRATION_SERVICE_REVISION
    ```
- Run the following command to get the last 10 lines of the vehicle registration service logs from the Log Analytics Workspace:

  ```shell
  az monitor log-analytics query \
    --workspace $LOG_ANALYTICS_WORKSPACE_CUSTOMER_ID \
    --analytics-query "ContainerAppConsoleLogs_CL | where RevisionName_s == '$VEHICLE_REGISTRATION_SERVICE_REVISION' | project TimeGenerated, Log_s | sort by TimeGenerated desc | take 10" \
    --out table
  ```
Cleanup
When the workshop is done, please follow the cleanup instructions to delete the resources created in this workshop. Do not forget to delete the application in Azure AD, its service principal, and the role assigned to the service principal.