search

Azure / Azure-Spring-Apps

Azure Spring Cloud
MIT License
8 stars 6 forks source link

Azure Spring Cloud Config Server integration with Azure Key Vault should be supported & documented. #9

Open ezYakaEagle442 opened 2 years ago

ezYakaEagle442 commented 2 years ago

A basic strong requirement is to configure a DB connection string including password injected from Azure Key Vault.

Assuming we have the here yunder secrets stored in KV: 

    az keyvault secret set --vault-name ${KEY_VAULT} --name "MYSQL_SERVER_NAME" --value ${MYSQL_SERVER_NAME}
    az keyvault secret set --vault-name ${KEY_VAULT} --name "MYSQL-SERVER-FULL-NAME" --value ${MYSQL_SERVER_FULL_NAME}
    az keyvault secret set --vault-name ${KEY_VAULT} --name "MYSQL-SERVER-ADMIN-NAME" --value ${MYSQL_SERVER_ADMIN_NAME}
    az keyvault secret set --vault-name ${KEY_VAULT} --name "MYSQL-SERVER-ADMIN-LOGIN-NAME" --value ${MYSQL_SERVER_ADMIN_LOGIN_NAME}
    az keyvault secret set --vault-name ${KEY_VAULT} --name "MYSQL-SERVER-ADMIN-PASSWORD" --value ${MYSQL_SERVER_ADMIN_PASSWORD}
    az keyvault secret set --vault-name ${KEY_VAULT} --name "MYSQL-DATABASE-NAME" --value ${MYSQL_DATABASE_NAME}

application.yml should look like: 

spring:
  cloud:
    azure:
      keyvault:
        secret:
          property-sources:
            - credential:
                client-id: ${AZURE_CLIENT_ID}
                client-secret: ${AZURE_CLIENT_SECRET}
              endpoint: ${ENDPOINT}
              profile:
                tenant-id: ${AZURE_TENANT_ID}
---
spring:
  config:
    activate:
      on-profile: mysql
  datasource:
    schema: classpath*:db/mysql/schema.sql
    data: classpath*:db/mysql/data.sql
    url: jdbc:mysql://${MYSQL-SERVER-FULL-NAME}:3306/${MYSQL-DATABASE-NAME}?useSSL=true&requireSSL=true&enabledTLSProtocols=TLSv1.2&verifyServerCertificate=true

    username: ${MYSQL-SERVER-ADMIN-LOGIN-NAME} # ${MYSQL_SERVER_ADMIN_LOGIN_NAME}
    password: ${MYSQL-SERVER-ADMIN-PASSWORD} # ${MYSQL_SERVER_ADMIN_PASSWORD}
    initialization-mode: NEVER # ALWAYS
    platform: mysql

See Azure KV SDK integration doc.

See issue https://github.com/MicrosoftDocs/azure-docs/issues/91311

See issue https://github.com/Azure/azure-sdk-for-java/issues/28128

ezYakaEagle442 commented 2 years ago

@xscript @msftgits Could you please update this issue and consider this request as a P1 ?

I have seen the API has been updated, see https://github.com/Azure/azure-sdk-for-java/issues/28310)

There is also now a Learn module with CLI but not a single sample with Azure Bicep + GitHub Action workflow, which anyone would look for.

Spring Reference doc : https://docs.spring.io/spring-boot/docs/2.7.3/reference/html/application-properties.html#appendix.application-properties.data

Here is my config (to be tested) :

https://github.com/ezYakaEagle442/spring-petclinic-microservices-config/blob/main/application.yml#L64

spring:
  cloud:
    azure:
      profile: # spring.cloud.azure.profile
        # subscription-id:
        tenant-id: ${AZURE_TENANT_ID}
      credential:
        managed-identity-enabled: true        
      keyvault:
        secret:
          enabled: true
          property-sources:
            - name: kv-property-source-endpoint
              endpoint: ${AZURE_KEY_VAULT_ENDPOINT}
              credential.managed-identity-enabled: true # https://microsoft.github.io/spring-cloud-azure/current/reference/html/index.html#configuration-17
              # credential:
              #  client-id: ${AZURE_CLIENT_ID}
              #  client-secret: ${AZURE_CLIENT_SECRET}
              # profile:
              #  tenant-id: ${AZURE_TENANT_ID}

spring:
  config:
    activate:
      on-profile: mysql
  datasource:
    schema: classpath*:db/mysql/schema.sql
    data: classpath*:db/mysql/data.sql
    # spring.datasource.url, spring.datasource.username and spring.datasource.password will be automatically injected from KV secrets SPRING-DATASOURCE-URL, SPRING-DATASOURCE-USERNAME and SPRING-DATASOURCE-PASSWORD
    # url: jdbc:mysql://${MYSQL-SERVER-FULL-NAME}:3306/${MYSQL-DATABASE-NAME}?useSSL=true&requireSSL=true&enabledTLSProtocols=TLSv1.2&verifyServerCertificate=true    
    # username: ${MYSQL-SERVER-ADMIN-LOGIN-NAME} # ${MYSQL_SERVER_ADMIN_LOGIN_NAME}
    # password: ${MYSQL-SERVER-ADMIN-PASSWORD} # ${MYSQL_SERVER_ADMIN_PASSWORD}
    initialization-mode: ALWAYS # NEVER
    platform: mysql
allxiao commented 1 year ago

The KeyVault integration in Spring Boot applications are provided by the Spring Cloud Azure project. You can also find the KeyVault integration documentation.

This is more like a general way to load properties from KeyVaults for all kinds of Spring Boot applications, not necessarily Spring Cloud applications, or applications run in Azure Spring Apps service.

Apart from KeyVault, Spring Cloud Azure also provides integrations with other Azure services. We do not want to create a page in Azure Spring Apps documentation for each of them, because that will be duplicate with the Spring Cloud Azure documentation and requires large amount of effort.

It may be better to add some links in our documentation to the Spring Cloud Azure capabilities. @hangwan97 for follow-up.