From e365d629aa307432a024ae3ac8d8064dd68cebb0 Mon Sep 17 00:00:00 2001 From: Wenhao Zhang Date: Tue, 29 Mar 2022 16:14:29 +0800 Subject: [PATCH 1/6] Update readme to explain the tls feature support for enterprise tier --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index 9edc376..3f3148c 100644 --- a/README.md +++ b/README.md @@ -368,6 +368,12 @@ az spring-cloud app append-loaded-public-certificate \ --certificate-name ${CLIENT_SSL_CERTIFICATE_NAME} --load-trust-store true ``` +> [!Reminder] +> Currently the auto-wiring of “--load-trust-store” is not compatible with java apps which requires build service, that includes java apps deployed from source code and all java apps in enterprise tier. We are now working on supporting these apps and it would be coming soon. +> +> For these apps which could not use the auto-wiring of “--load-trust-store”, we could still take the convenience of this feature to put the certificate into app's local environment by using append-loaded-public-certificate command with "--load-trust-store" set to false. Under that condition, the certificate could be found under folder /etc/azure-spring-cloud/certs/public/ in app's environment with the name you give it, you could load that manually by any way you want. +> + Build and deploy `greeting-external-service-v2` ```bash From dff17a2021cbb2a5a1c8610437e9a6290b842ad9 Mon Sep 17 00:00:00 2001 From: Wenhao Zhang Date: Tue, 29 Mar 2022 20:42:53 +0800 Subject: [PATCH 2/6] Update according to comment --- README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 3f3148c..d9d4d07 100644 --- a/README.md +++ b/README.md 
@@ -369,9 +369,10 @@ az spring-cloud app append-loaded-public-certificate \ ``` > [!Reminder] -> Currently the auto-wiring of “--load-trust-store” is not compatible with java apps which requires build service, that includes java apps deployed from source code and all java apps in enterprise tier. We are now working on supporting these apps and it would be coming soon. > -> For these apps which could not use the auto-wiring of “--load-trust-store”, we could still take the convenience of this feature to put the certificate into app's local environment by using append-loaded-public-certificate command with "--load-trust-store" set to false. Under that condition, the certificate could be found under folder /etc/azure-spring-cloud/certs/public/ in app's environment with the name you give it, you could load that manually by any way you want. +> Currently “--load-trust-store” is not supported in enterprise tier and we are now working on supporting it. +> +> When not specifying "--load-trust-store" or when specifying "--load-trust-store false", the certificate could be found under folder /etc/azure-spring-cloud/certs/public/ in app's environment with the name you give it, you could load that manually by any way you want. > Build and deploy `greeting-external-service-v2` From b5121175b37884ef043578296283a5365fb975f0 Mon Sep 17 00:00:00 2001 From: Wenhao Zhang Date: Thu, 11 Aug 2022 17:44:11 +0800 Subject: [PATCH 3/6] Add docs about enterprise tier solution --- .../setup-env-variables-azure-template.sh | 10 ++- README.md | 76 +++++++++++++++++-- enterprise/byos.json | 13 ++++ enterprise/type | 1 + 4 files changed, 92 insertions(+), 8 deletions(-) create mode 100755 enterprise/byos.json create mode 100644 enterprise/type diff --git a/.scripts/setup-env-variables-azure-template.sh b/.scripts/setup-env-variables-azure-template.sh index 99b39ce..142d83d 100755 --- a/.scripts/setup-env-variables-azure-template.sh +++ b/.scripts/setup-env-variables-azure-template.sh 
@@ -65,4 +65,12 @@ export EXTERNAL_SERVICE_MANAGED_IDENTITY_NAME=external-service # EXTERNAL_SERVICE_MANAGED_IDENTITY_SERVICE_PRINCIPAL will be auto-set by the script export EXTERNAL_SERVICE_MANAGED_IDENTITY_SERVICE_PRINCIPAL= # EXTERNAL_SERVICE_MANAGED_IDENTITY_RESOURCE_ID will be auto-set by the script -export EXTERNAL_SERVICE_MANAGED_IDENTITY_RESOURCE_ID= \ No newline at end of file +export EXTERNAL_SERVICE_MANAGED_IDENTITY_RESOURCE_ID= + +# Enterprise Tier +export CLIENT_SSL_CERTIFICATE_NAME_LOCAL=self-signed.pem +export STORAGE_ACCOUNT_NAME=enterprise-byos-demo +export STORAGE_RESOURCE_NAME=enterprise-byos-demo +export SHARE_NAME=cacerts +export BINDING_TYPE_FILE=enterprise/type +export STORAGE_JSON_FILE=enterprise/byos.json \ No newline at end of file diff --git a/README.md b/README.md index d9d4d07..85d12e3 100644 --- a/README.md +++ b/README.md @@ -327,6 +327,8 @@ In this app, we only use [Azure Key Vault Certificates Spring Boot Starter](http For the secure communication with external service, azure spring cloud would take care of it. +### Basic/Standard Tier + Grant Azure Spring Cloud access to your key vault ```bash export TLS_FPA_OBJECT_ID=$(az ad sp show --id e8de9221-a19c-4c81-b814-fd37c6caf9d2 | jq -r '.objectId') @@ -368,13 +370,6 @@ az spring-cloud app append-loaded-public-certificate \ --certificate-name ${CLIENT_SSL_CERTIFICATE_NAME} --load-trust-store true ``` -> [!Reminder] -> -> Currently “--load-trust-store” is not supported in enterprise tier and we are now working on supporting it. -> -> When not specifying "--load-trust-store" or when specifying "--load-trust-store false", the certificate could be found under folder /etc/azure-spring-cloud/certs/public/ in app's environment with the name you give it, you could load that manually by any way you want. -> - Build and deploy `greeting-external-service-v2` ```bash 
@@ -385,6 +380,73 @@ az spring-cloud app deploy --name greeting-external-service-v2 \ ``` +### Enterprise Tier + +In Enterprise Tier, we recommand to use azure spring apps provided [bring your own persistent storage](https://docs.microsoft.com/en-us/azure/spring-apps/how-to-custom-persistent-storage?tabs=Azure-portal) feature and enterprise tier internal build pack [Paketo CA Certificates Buildpack](https://github.com/paketo-buildpacks/ca-certificates) to enable `greeting-external-service-v2` call external service. + +The bring your own persistent storage enables you to upload anything you want into a storage account that you control and mount that to your applications and the Paketo CA Certificates Buildpack cloud adds CA Certificates to the system truststore at runtime. Certificates must be provided with a binding of type ca-certificates and each certificate in the binding should contain exactly one PEM encoded CA certificate. + +Create an azure storage account. + +```bash +az storage account create --name ${STORAGE_ACCOUNT_NAME} --region ${REGION} --kind StorageV2 \ + --sku Standard_ZRS --enable-large-file-share --output none +``` + +Create an azure file share in the storage account + +```bash +az storage share-rm create --storage-account ${STORAGE_ACCOUNT_NAME} --name ${SHARE_NAME} \ + --access-tier "TransactionOptimized" --quota 1024 --output none +``` + +Download the **public portion** of the client certificate from Key Vault. 
+ +```bash +az keyvault certificate download --file ${CLIENT_SSL_CERTIFICATE_NAME_LOCAL} \ + --encoding PEM --name ${CLIENT_SSL_CERTIFICATE_NAME} --vault-name ${KEY_VAULT} +``` + +Upload the downloaded public certificate into the created azure file share + +```bash +az storage file upload --account-name ${STORAGE_ACCOUNT_NAME} \ + --share-name ${SHARE_NAME} --source ${CLIENT_SSL_CERTIFICATE_NAME_LOCAL} +``` + +Upload the binding type file which indicates the files in this file share are all in type ca-certificates + +```bash +az storage file upload --account-name ${STORAGE_ACCOUNT_NAME} \ + --share-name ${SHARE_NAME} --source ${BINDING_TYPE_FILE} +``` +Bind your Azure Storage account as a storage resource in your Azure Spring Apps instance: + +```bash +az spring storage add --resource-group ${RESOURCE_GROUP} --service ${SPRING_CLOUD_SERVICE} \ + --name ${STORAGE_RESOURCE_NAME} --storage-type StorageAccount \ + --account-name ${STORAGE_ACCOUNT_NAME} --account-key +``` + +Create an app with your own persistent storage, please pay attention that the storage mount path **must** under `/bindings` and the environment variable `SERVICE_BINDING_ROOT` **must** be `/bindings` + +```bash +az spring app create --name greeting-external-service-v2 \ + --instance-count 1 --memory 2 --jvm-options='-Xms2048m -Xmx2048m -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap -XX:+UseG1GC -Djava.awt.headless=true -Dreactor.netty.http.server.accessLogEnabled=true' \ + --persistent-storage ${STORAGE_JSON_FILE} + --env EXTERNAL_SERVICE_ENDPOINT=${EXTERNAL_SERVICE_ENDPOINT} \ + EXTERNAL_SERVICE_PORT=${EXTERNAL_SERVICE_PORT} \ + SERVICE_BINDING_ROOT=/bindings +``` + +Deploy apps using build service + +```bash +az spring app deploy --name greeting-external-service-v2 \ + --builder default --source-path ${GREETING_EXTERNAL_SERVICE_V2_SOURCE} +``` + +### Standard/Basic Tier and Enterprise Tier Open the app and test it. ```bash 
diff --git a/enterprise/byos.json b/enterprise/byos.json new file mode 100755 index 0000000..894c43c --- /dev/null +++ b/enterprise/byos.json @@ -0,0 +1,13 @@ +{ + "customPersistentDisks": [ + { + "storageName": "enterprise-byos-demo", + "customPersistentDiskProperties": { + "type": "AzureFileVolume", + "shareName": "cacerts", + "mountPath": "/bindings/cacerts", + "readOnly": true + } + } + ] + } \ No newline at end of file diff --git a/enterprise/type b/enterprise/type new file mode 100644 index 0000000..a779e5d --- /dev/null +++ b/enterprise/type @@ -0,0 +1 @@ +ca-certificates From 67c9615d1e111a8bc9b641a0427b6f2d18f48901 Mon Sep 17 00:00:00 2001 From: Wenhao Zhang Date: Thu, 11 Aug 2022 19:21:23 +0800 Subject: [PATCH 4/6] change append storage command to append-persistent-storage --- .scripts/setup-env-variables-azure-template.sh | 2 +- README.md | 6 ++++-- enterprise/byos.json | 13 ------------- 3 files changed, 5 insertions(+), 16 deletions(-) delete mode 100755 enterprise/byos.json diff --git a/.scripts/setup-env-variables-azure-template.sh b/.scripts/setup-env-variables-azure-template.sh index 142d83d..3666def 100755 --- a/.scripts/setup-env-variables-azure-template.sh +++ b/.scripts/setup-env-variables-azure-template.sh @@ -73,4 +73,4 @@ export STORAGE_ACCOUNT_NAME=enterprise-byos-demo export STORAGE_RESOURCE_NAME=enterprise-byos-demo export SHARE_NAME=cacerts export BINDING_TYPE_FILE=enterprise/type -export STORAGE_JSON_FILE=enterprise/byos.json \ No newline at end of file +export GREETING_EXTERNAL_SERVICE_V2_SOURCE=greeting-external-service-v2 \ No newline at end of file diff --git a/README.md b/README.md index 85d12e3..29196d2 100644 --- a/README.md +++ b/README.md 
@@ -428,15 +428,17 @@ az spring storage add --resource-group ${RESOURCE_GROUP} --service ${SPRING_CLOU --account-name ${STORAGE_ACCOUNT_NAME} --account-key ``` -Create an app with your own persistent storage, please pay attention that the storage mount path **must** under `/bindings` and the environment variable `SERVICE_BINDING_ROOT` **must** be `/bindings` +Create an app with `SERVICE_BINDING_ROOT` environment variables and append the Azure File to the app, please pay attention that the storage mount path **must** under `/bindings` and the environment variable `SERVICE_BINDING_ROOT` **must** be `/bindings` ```bash az spring app create --name greeting-external-service-v2 \ --instance-count 1 --memory 2 --jvm-options='-Xms2048m -Xmx2048m -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap -XX:+UseG1GC -Djava.awt.headless=true -Dreactor.netty.http.server.accessLogEnabled=true' \ - --persistent-storage ${STORAGE_JSON_FILE} --env EXTERNAL_SERVICE_ENDPOINT=${EXTERNAL_SERVICE_ENDPOINT} \ EXTERNAL_SERVICE_PORT=${EXTERNAL_SERVICE_PORT} \ SERVICE_BINDING_ROOT=/bindings + +az spring-cloud app append-persistent-storage --mount-path /bindings/cacerts --name greeting-external-service-v2 \ + --persistent-storage-type AzureFileVolume --share-name ${SHARE_NAME} --storage-name ${STORAGE_RESOURCE_NAME} ``` Deploy apps using build service diff --git a/enterprise/byos.json b/enterprise/byos.json deleted file mode 100755 index 894c43c..0000000 --- a/enterprise/byos.json +++ /dev/null @@ -1,13 +0,0 @@ -{ - "customPersistentDisks": [ - { - "storageName": "enterprise-byos-demo", - "customPersistentDiskProperties": { - "type": "AzureFileVolume", - "shareName": "cacerts", - "mountPath": "/bindings/cacerts", - "readOnly": true - } - } - ] - } \ No newline at end of file From f2977bee57ed618c1a5cec2672d5b72fa51629dc Mon Sep 17 00:00:00 2001 
From: Wenhao Zhang Date: Thu, 11 Aug 2022 19:23:39 +0800 Subject: [PATCH 5/6] minor --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 29196d2..000324c 100644 --- a/README.md +++ b/README.md @@ -428,7 +428,7 @@ az spring storage add --resource-group ${RESOURCE_GROUP} --service ${SPRING_CLOU --account-name ${STORAGE_ACCOUNT_NAME} --account-key ``` -Create an app with `SERVICE_BINDING_ROOT` environment variables and append the Azure File to the app, please pay attention that the storage mount path **must** under `/bindings` and the environment variable `SERVICE_BINDING_ROOT` **must** be `/bindings` +Create an app with `SERVICE_BINDING_ROOT` environment variable and append the Azure File to the app, please pay attention that the storage mount path **must** under `/bindings` and the environment variable `SERVICE_BINDING_ROOT` **must** be `/bindings` ```bash az spring app create --name greeting-external-service-v2 \ From 86edd1cfc629c21f8a2686fd49ed5fb63f787964 Mon Sep 17 00:00:00 2001 From: Wenhao Zhang Date: Thu, 11 Aug 2022 23:49:34 +0800 Subject: [PATCH 6/6] fix a typo --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 000324c..08d6bc2 100644 --- a/README.md +++ b/README.md 
@@ -428,7 +428,7 @@ az spring storage add --resource-group ${RESOURCE_GROUP} --service ${SPRING_CLOU --account-name ${STORAGE_ACCOUNT_NAME} --account-key ``` -Create an app with `SERVICE_BINDING_ROOT` environment variable and append the Azure File to the app, please pay attention that the storage mount path **must** under `/bindings` and the environment variable `SERVICE_BINDING_ROOT` **must** be `/bindings` +Create an app with `SERVICE_BINDING_ROOT` environment variable and append the Azure File to the app, please pay attention that the storage mount path **must** be under `/bindings` and the environment variable `SERVICE_BINDING_ROOT` **must** be `/bindings` ```bash az spring app create --name greeting-external-service-v2 \
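Review bot: `[!Reminder]` in the new blockquote (PATCH 1/6, README.md hunk @@ -368,6 +368,12 @@) is not an alert keyword that GitHub renders (only NOTE, TIP, IMPORTANT, WARNING and CAUTION are), so readers will see the literal text `[!Reminder]` at the top of an ordinary quote; use `> [!NOTE]` or a plain `**Note:**` line. The same paragraph needs grammar fixes: `java apps which requires build service` should read `Java apps that require the build service`, and `it would be coming soon` should read `support is coming soon`.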
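Review bot: the second rewritten sentence in PATCH 2/6 (README.md hunk @@ -369,9 +369,10 @@) is a run-on that ends in `you could load that manually by any way you want`; suggest splitting it and naming the exact artifact, e.g. `the certificate is written to /etc/azure-spring-cloud/certs/public/<certificate-name> inside the app container, and the application must load it from there itself`, and stating the file format so readers know which loader to use.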
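Review bot: `STORAGE_ACCOUNT_NAME=enterprise-byos-demo` (PATCH 3/6, .scripts/setup-env-variables-azure-template.sh hunk @@ -65,4 +65,12 @@) is not a valid Azure storage account name: those must be 3 to 24 characters of lowercase letters and digits only, with no hyphens, and globally unique, so the README's `az storage account create` will reject it. Use something like `enterprisebyosdemo` plus a unique suffix; `STORAGE_RESOURCE_NAME` (the Azure Spring Apps storage resource) can keep the hyphenated name. The hunk also leaves the file without a trailing newline.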
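Review bot: `--account-key` at the end of the `az spring storage add` command (PATCH 3/6, README.md hunk @@ -385,6 +380,73 @@) is given no value, so the command fails with an argument error; pass the key explicitly, e.g. `--account-key "$(az storage account keys list --account-name ${STORAGE_ACCOUNT_NAME} --query '[0].value' -o tsv)"`, which also keeps the key itself out of the README. Three more problems in the same hunk: `az storage account create` takes `--location`, not `--region`; the `--persistent-storage ${STORAGE_JSON_FILE}` line has no trailing `\`, so the following `--env ...` lines run as a separate, failing command; and the intro text has typos (`recommand` should be `recommend`, `Buildpack cloud adds` should be `Buildpack adds`).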
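Review bot: `enterprise/byos.json` (PATCH 3/6, hunk @@ -0,0 +1,13 @@) is added with mode 100755, but a JSON file should not be executable; use 100644 as for `enterprise/type`. The hard-coded `"storageName": "enterprise-byos-demo"` must match `STORAGE_RESOURCE_NAME` from the env script, which the README should say since the variable can be changed independently. Keeping `"readOnly": true` is the right choice for a mount that only supplies trust anchors. The file also lacks a trailing newline.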
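Review bot: `GREETING_EXTERNAL_SERVICE_V2_SOURCE` (PATCH 4/6, .scripts/setup-env-variables-azure-template.sh hunk @@ -73,4 +73,4 @@) is first defined here, but the README `az spring app deploy --source-path ${GREETING_EXTERNAL_SERVICE_V2_SOURCE}` step was added in 3/6, so at that point in the series the path expands to empty; move the variable into 3/6. The value is a path relative to the repository root, which the README should state, and the line is still missing a trailing newline.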
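Review bot: the new `az spring-cloud app append-persistent-storage` command (PATCH 4/6, README.md hunk @@ -428,15 +428,17 @@) uses the older `spring-cloud` extension while the surrounding `az spring app create` and `az spring app deploy` commands use the `spring` extension, so readers need both installed; use `az spring app append-persistent-storage` for consistency. The deleted `byos.json` mounted the share with `"readOnly": true` and the replacement command drops that, so the CA-certificate share is now writable from the app; mount it read-only again if the append command in the installed extension version offers a read-only option. Removing the `--persistent-storage ${STORAGE_JSON_FILE}` line also fixes the missing line continuation from 3/6, which is worth mentioning in the commit message.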
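Review bot: the sentence changed in PATCH 6/6 (README.md hunk @@ -428,7 +428,7 @@) is still a run-on after the fix; suggest `Create the app with the SERVICE_BINDING_ROOT environment variable and append the Azure Files share to it. Note that the mount path must be under /bindings and SERVICE_BINDING_ROOT must be /bindings.` PATCH 5/6 and 6/6 are both one-word corrections to this line and could be squashed into 4/6.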