
Azure Spring Boot Key Vault Certificates

Key concepts

This sample illustrates how to use the Azure Spring Boot Starter Key Vault Certificates.

This sample is meant to be run together with azure-spring-boot-sample-keyvault-certificates-server-side.

Getting started

  • Start azure-spring-boot-sample-keyvault-certificates-server-side's SampleApplication.

Run sample with service principal

  1. Option 1 - If you created the resources via the script, you need to set the environment variables created by the azure-spring-boot-sample-keyvault-certificates-server-side application by running the command:
    source script/setup.sh
    
  2. Option 2 - If you created the resources via the Azure Portal, you need to configure application.yml manually: replace the placeholders with the resources you created.

    Attention: the service principal must be granted the following Key Vault permissions:
    Certificate Permissions: get and list.
    Key Permissions: get.
    Secret Permissions: get.

Using TLS with service principal

  1. Start azure-spring-boot-sample-keyvault-certificates-client-side's SampleApplication by running the command:

    mvn spring-boot:run
    
  2. To use RestTemplate, access http://localhost:8080/resttemplate/tls

    Then you will get

    Response from restTemplate tls "https://localhost:8443/": Hello World
    
  3. To use WebClient, access http://localhost:8080/webclient/tls

    Then you will get

    Response from webClient tls "https://localhost:8443/": Hello World
    

Using mTLS with service principal

  1. In the sample's AzureKeyVaultKeyStoreUtil.java, change the value "self-signed" to the alias of your certificate.

    private static final String CLIENT_ALIAS = "self-signed";
  2. Add the following properties to the server side's application.yml, keeping its existing configuration:

    server:
      ssl:
        client-auth: need        # Used for mTLS
        trust-store-type: AzureKeyVault   # Used for mTLS   
  3. Start azure-spring-boot-sample-keyvault-certificates-client-side's SampleApplication by running the command:

    mvn spring-boot:run
    
  4. Once the server runs with mTLS, the restTemplate TLS endpoint (http://localhost:8080/resttemplate/tls) and the webClient TLS endpoint (http://localhost:8080/webclient/tls) will no longer be able to access the resource, because the server now requires a client certificate (client-auth: need).

  5. To use RestTemplate, access http://localhost:8080/resttemplate/mtls

    Then you will get

    Response from restTemplate mtls "https://localhost:8443/": Hello World
    
  6. To use WebClient, access http://localhost:8080/webclient/mtls

    Then you will get

    Response from webClient mtls "https://localhost:8443/": Hello World
    
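The client-side AzureKeyVaultKeyStoreUtil.java is not reproduced on this page, so the following is an added example (not the sample's own code) of what the mTLS steps above rely on: loading the AzureKeyVault keystore and building an SSLContext that presents exactly CLIENT_ALIAS to a server configured with client-auth: need. It assumes the azure-security-keyvault-jca classes KeyVaultJcaProvider and KeyVaultLoadStoreParameter; KEY_VAULT_URI comes from this README, while AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET are placeholder names for the service principal credentials.

```java
import com.azure.security.keyvault.jca.KeyVaultJcaProvider;
import com.azure.security.keyvault.jca.KeyVaultLoadStoreParameter;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public final class KeyVaultMtlsClient {
    // Alias of the client certificate held in Key Vault; the sample's default is "self-signed".
    static final String CLIENT_ALIAS = "self-signed";

    // Loads the AzureKeyVault keystore. KEY_VAULT_URI is the README's variable; the AZURE_*
    // names are assumed placeholders for the service principal's tenant id, client id and secret.
    static KeyStore loadKeyVaultKeyStore(boolean useManagedIdentity) throws Exception {
        Security.insertProviderAt(new KeyVaultJcaProvider(), 1);
        KeyStore keyStore = KeyStore.getInstance("AzureKeyVault");
        String uri = System.getenv("KEY_VAULT_URI");
        KeyVaultLoadStoreParameter parameter = useManagedIdentity
            // client id of a user-assigned identity, or null for the system-assigned identity
            ? new KeyVaultLoadStoreParameter(uri, System.getenv("AZURE_CLIENT_ID"))
            : new KeyVaultLoadStoreParameter(uri, System.getenv("AZURE_TENANT_ID"),
                  System.getenv("AZURE_CLIENT_ID"), System.getenv("AZURE_CLIENT_SECRET"));
        keyStore.load(parameter);
        return keyStore;
    }

    // Wraps the JDK key manager so the handshake always presents CLIENT_ALIAS rather than
    // whichever matching certificate the JDK would otherwise pick first.
    static X509KeyManager pinClientAlias(X509KeyManager d) {
        return new X509ExtendedKeyManager() {
            public String chooseClientAlias(String[] t, Principal[] i, Socket s) { return CLIENT_ALIAS; }
            public String chooseEngineClientAlias(String[] t, Principal[] i, SSLEngine e) { return CLIENT_ALIAS; }
            public String chooseServerAlias(String t, Principal[] i, Socket s) { return d.chooseServerAlias(t, i, s); }
            public String[] getClientAliases(String t, Principal[] i) { return d.getClientAliases(t, i); }
            public String[] getServerAliases(String t, Principal[] i) { return d.getServerAliases(t, i); }
            public X509Certificate[] getCertificateChain(String a) { return d.getCertificateChain(a); }
            public PrivateKey getPrivateKey(String a) { return d.getPrivateKey(a); }
        };
    }

    // Key material (client cert + private key) and trust anchors both come from the Key Vault
    // keystore, so the server's client-auth: need is satisfied by CLIENT_ALIAS.
    static SSLContext buildMtlsContext(KeyStore keyStore) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, "".toCharArray()); // the Key Vault keystore has no password
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(keyStore); // trust anchors: Key Vault certificates plus the local cert folders
        KeyManager[] kms = { pinClientAlias((X509KeyManager) kmf.getKeyManagers()[0]) };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

Hand the resulting SSLContext to the HTTP client behind RestTemplate or WebClient; a server with client-auth: need will then accept the mtls endpoints while the plain tls ones fail the handshake.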

Run sample with managed identity

  1. If you are using a managed identity instead of a service principal, use the properties below in your application.yml:

    azure:
      keyvault:
        uri: ${KEY_VAULT_URI}
        managed-identity: # client-id of the user-assigned managed identity to use. If empty, then system-assigned managed identity will be used.

    Make sure the managed identity can access the target Key Vault.

  2. Set the environment variables created by the azure-spring-boot-sample-keyvault-certificates-server-side application by running the command:

    source script/setup.sh
    

Using TLS/mTLS with managed identity

  1. Replace the CREDENTIAL_TYPE value in AzureKeyVaultKeyStoreUtil.java with:
    private static final CredentialType CREDENTIALTYPE = CredentialType.ManagedIdentity;
  2. Follow the above step of Using TLS with service principal to use TLS.
  3. Follow the above step of Using mTLS with service principal to use mTLS.

(Optional) Use the KeyVaultKeyStore with local certificates as trust resources.

  • For example, you may have some well-known CAs. Put them into a folder and configure azure:cert-path:well-known=<yourFolderPath> in application.yml; the certificates in this folder will be loaded by KeyVaultKeystore. If you do not configure this property, the default well-known path is /etc/certs/well-known/.
  • Besides the well-known path, you can also put your customized certificates into another folder, specified by azure:cert-path:custom=<yourCustomPath>; by default, the custom path is /etc/certs/custom/.
  • You can also put certificates on the class path: create a folder named keyvault on the class path, and all certificates in this folder will be loaded by the Key Vault keystore.

To configure the local certificates, uncomment and set the optional local certificate paths:

azure:
  #cert-path: 
    #well-known:  # Optional local certificates path. Your local path that holds the well-known certificates.
    #custom: # Optional local certificates path. Your local path that holds your customized certificates.

Deploy to Azure Spring Apps

Now that you have the Spring Boot application running locally, it's time to move it to production. Azure Spring Apps makes it easy to deploy Spring Boot applications to Azure without any code changes. The service manages the infrastructure of Spring applications so developers can focus on their code. Azure Spring Apps provides lifecycle management using comprehensive monitoring and diagnostics, configuration management, service discovery, CI/CD integration, blue-green deployments, and more. To deploy your application to Azure Spring Apps, see Deploy your first application to Azure Spring Apps.