Java Spring Boot on Azure

Captions
Hello, I'm Christian Geuer-Pollmann. It is May the 23rd, 2019, and I wanted to record a quick session on how to host a Spring Boot application on top of Azure, set up a pretty simple form of continuous integration, have people sign in via Azure Active Directory, and also use SQL Azure in the back end in a secure way. The code for this prototype you can find on my GitHub repository, under my username chgeuer, in a repository called spring boot azure ad keyvault. When I navigate to that page: the code base that I am currently playing with is commit number 7f-something, so this is basically the code base that we are playing around with.

First of all, let's have a quick look around at how this repository behaves and what we are going to demonstrate. This is the overall architecture of the system. Simply speaking, we want to have this green thing in the middle, the Spring Boot application, and I want to host this on an Azure Container Instance, which means I need to have a Docker container to run this instance. The flow from the deployment perspective is like this: we have a source code base down here on my laptop which I've pushed to GitHub in step number one. Each time I push to GitHub, I want a notification to be sent into Azure in step number two, where somebody, in our case an Azure Container Registry, is going to build it in step number three. A container registry is, in the simplest form, basically a repository where I can store Docker images, but in addition to this it also has a capability where we can define so-called tasks, and such a task can be: hey, when there is a new version of the software in GitHub, take the software and build a new version; this is step number three. Once we have a compiled Docker image with our Spring Boot application in our container registry, we want Azure to bring up an Azure Container Instance up here, which basically, in step number four, pulls this image and brings the whole thing up. So that's kind of the deployment part of the story.

When we look into the actual interaction with the system, we have a user who, in step number five, hits our Spring Boot endpoint. The Spring Boot application is currently not defined with, you know, a funky UI or something like that, but it's configured to immediately redirect into Azure Active Directory, step number six, so that the user can authenticate in Azure AD for that particular relying party. In step number seven the user gets redirected into the Spring Boot application, and the Spring Boot application uses a token which was provided by the user, in step eight, to pull in additional information such as group membership and so on. So now, after step eight finishes, the application knows who the user is. It then needs to talk to the Azure SQL database, or SQL Azure, or whatever we call it these days: that is a managed SQL Server instance, and therefore it needs a connection string. In order to avoid storing the connection string alongside the web application, the connection string is in an Azure Key Vault, so we need to fetch it from there. The Azure Container Instance needs to itself fetch a token from Azure Active Directory in step nine to be authorized to talk to Key Vault, in step ten fetch the connection string, and then finally hit the SQL database and return the result to the user. So that is the actual flow of information.

The next thing we are going to do: inside this repository there is a script, and currently the script is create-infra. This is basically a shell script, and by the way there are also no secrets, nothing, checked into this repository. In the next step we will interactively be running the contents of this create-infra thing step by step to actually create our infrastructure. Let's close these pointers. I opened the git repository in Visual Studio Code; down here I have a terminal window and I'm in the Windows Subsystem for Linux, so I basically have an interactive Linux shell where I can say "show me what's up here" and so on.

Here we have our create-infra and I will simply run this script line by line. The Active Directory tenant that we are playing with is my custom Azure AD tenant, chgeuer on onmicrosoft.com; that's basically my tenant ID. The data center in which we are going to run will be West Europe. Before we start, let's quickly navigate to the Azure portal, into the resource groups collection, and there we have five resource groups, but not the one which we want to create, in which all these things will live. So we want to create a resource group. Let's also quickly have a look in Azure Active Directory: this is my Azure AD tenant, and inside that AD tenant, in the app registrations pane, there is just a leftover from a previous session, sorry for that. Let's just kill this one, remove this service principal, and actually we can also delete this one, because I forgot the password anyway. Actually, why not just delete everything, and then we're good to go. So we have no application registrations here, no service principals, nothing, so all the things we create belong to us.

The first thing is we need a resource group, and the resource group we want to call spring demo. Let's set this variable, and let's also use a prefix; you will see later that the prefix is basically used for naming resources. So we are going to go in this directory and run spring demo in West Europe. Just one thing which I forgot: in Active Directory I've created a users group which I call Christian, and the reasoning behind this group is that all the different identities which I have, my business identities and my foreign identities and so on, are all in the same group. Essentially that group contains seven members, but in essence it's just one human being which has access to this particular group, and this is a group which we will be using later.

Let me just zoom out a little bit here. Now we are naming a bunch of things; basically I'm using the prefix, so when I say here echo $sqlServerName, springdemosql will essentially be the name of our server instance. The first thing we do is create the resource group: as you see, using the az command line, the Azure CLI, we basically say create a resource group with a certain name in a certain location. This will now spin up a resource group here in West Europe; it's actually not yet created. Once the resource group exists, the next thing we do is generate two passwords: we need one password for the SQL Server database, and we need one password, one secret credential, for the service principal. Now here you can see that the resource group creation was finished. I just create a simple folder here locally in my instance, I use OpenSSL to create some password, and I also write that password down here, so this will be the SQL instance password, and subsequently we also create a service principal password.

Now, as I mentioned previously, you might remember from step number eight (let's go back to the readme, to the picture) that the Spring Boot application needs to be able to talk to Azure Active Directory and validate the group memberships of this particular user, and this is why it needs access to the Azure AD Graph API, and the capability to sign in and read user profiles. These are some magic IDs from our documentation, and I'm basically just creating a simple JSON file here, this manifest JSON, which contains these descriptions. The first thing is we are going to say az ad app create: I register a new application called demo principal with a symmetric key, and here we will be setting the secret key, or not-so-secret key; well, actually this is a secret key which we generated previously. Given the fact that we will be hosting that thing on an Azure Container Instance, let me quickly echo the hostname where we are going to host this later; that must be recorded in the reply URLs, and it will be springdemo as a container instance in West Europe. When this command returns it creates a bunch of JSON, and with this query on appId I basically fetch the application ID programmatically out of the response; you also see here the manifest.json, or the ad-manifest.json, which basically points to our description. So this is a single command, and when we run it, it now talks to Azure AD and registers an application. We can navigate back; by the way, let's refresh, here is now our spring demo resource group, that's great. When we go to Azure AD we should also be seeing the application showing up under the app registrations, so let's have a quick look here at the app registrations. Here we have the spring demo service principal, and this 8841-something should now be the application ID which we got back. Let's also just write the application ID down here, and we don't need the manifest JSON anymore.

The next thing: inside the manifest for this Azure AD application, when I look into the manifest configuration, you can see that currently it is defined with a sign-in audience of "Azure AD my org", so only users from that particular organization can sign in, users who live in the chgeuer Azure AD. But I want to change this so that users from other Azure Active Directory tenants can also sign in, and I'm doing so by updating my application, by its ID, and saying that this application is also available to other Azure AD tenants, by saying available to other tenants equals true. This will basically change the sign-in audience down here. Let's give it a second until this call goes through. This means that at that point in time our web application, assuming it lives somewhere, would be able to allow users to sign in, so it can basically consume tokens after the fact. Let's quickly go here: I haven't figured out how I can simply reload the manifest. Now I go back into the manifest, scroll down to the bottom, and actually that didn't work; let's go to the app registrations, let's go into this app again. There is some browser refresh problem which I'm having here. Now we can see the sign-in audience is already multiple orgs, so for example I can also use my Microsoft work account to sign in to this particular application. That's cool.

The next thing is we create a service principal out of this application; we convert it, or promote it, to be a service principal, so that, for example, we can write a policy in Key Vault on it. We also need to grant this service principal permissions to use the Azure AD Graph API; this is az ad app permission grant. Up till this point we have only created basically a single object in Azure AD, and that's pretty much it. This means our resource group down here, if we navigate to the resource group in the resource explorer, in the resource groups section: our spring boot demo resource group is yet completely empty because we haven't created any resources. That will change now, because in the next step we will create the Azure SQL server. We say az sql server create in the given resource group, in the given location, with the username and the password, the ones which we defined a couple of seconds ago up above. While this provisions, let's quickly have a look at some other things down here, because you can also host that application on your laptop. I basically make it possible that you can run that docker build command locally on your laptop and also host it locally. The things which we then need to get into the system are our Azure AD tenant ID, the client ID and the secret, the Azure Active Directory group which we allow the users to be in, and the address of the Key Vault so it can talk to the back end; currently it exposes port 8080.

In the meantime our SQL server exists: when we refresh the view down here in the resource group, you can see nothing, that can't be; now there it is, here we have our SQL server. On top of that SQL server we are now going to create a database. In case you want to run that stuff from your laptop: by default the firewall rules for the SQL instance are locked down so that you can only talk to the SQL instance from Azure-hosted services. In case you also want to do this from your laptop, you can basically set a firewall rule where you include your IP range or a specific IP address, and selectively open the firewall for this one. In this case I have a pretty unselective rule which basically says that every imaginable IP address is authorized to talk to this machine. You can also see these things here when I go into the SQL instance; basically everything you do in the console you can also do here in the portal. When we look down here in firewalls, there is indeed a firewall rule with the marvelous name "don't do that in production", which contains our broad IP range. We could also selectively just add the current IP address; this is my local IP address down here in Germany, so now we would simply allow one very specific IP address to hit this instance. The next thing, now that the server exists, is we create a small toy database. Inside that server we create a database with the database name and a specific service objective, Basic, which is kind of the SQL Azure equivalent of a Raspberry Pi, so to say.

The next thing, while this is running: we will be having two helper functions here. This helper function creates a connection string, a JDBC connection string where we record the server, the database, the username, the password and all these things in one big connection string; this is the spring connection string function which gets server, database, user and password. The other thing is that in Spring Boot, properties have the form spring.datasource.url, which would be our connection string to the database. Unfortunately Azure Key Vault doesn't allow us to use dots in the key of a key-value pair; it must be dashes, and that's why I have here a small bash function which basically converts all dots in a pattern into dashes. So these are the spring property name to key vault name function and the spring connection string function; let's quickly bring these into the shell scope as well.

Now it's time to create the Key Vault. If you remember, back in the picture, we have now created an object down here in Azure AD and we have now created a SQL database; in the next step we create our Azure Key Vault. In az keyvault create, the enabled-for-deployment, enabled-for-disk-encryption and enabled-for-template-deployment flags I actually could delete, they are not really relevant for our scenario here. I just create a Standard SKU Key Vault, and once it exists we need to authorize our application ID, our service principal: we say az keyvault set-policy and we authorize that service principal to list available secrets and to fetch an individual secret. This is exactly the permission needed in step number ten: after our application authenticates to Azure AD and fetches a token for Key Vault in step number nine, when it presents the token in step number ten, Key Vault needs to know that this particular service principal, the Spring application, is authorized to list keys and to fetch keys in Key Vault. So we now set the permission on the Key Vault by saying az keyvault set-policy, and once that's done we actually inject the concrete connection string, which is a secret, into Key Vault. The name is basically spring-datasource-url, that's what I use my little converter function for, and the value is the full connection string. If we would for example now echo the connection string, you can see here it contains the username, the password and also the demo thing. So now we store the connection string in Azure Key Vault, and while this is happening we can quickly reload the resources in the resource view. Now you can see we have our SQL server, on top of that we have a SQL database, and we have a spring demo Key Vault, and inside that Key Vault, when we go into the access policies, we can see that the spring demo principal has a couple of permissions on the Key Vault, specifically the get and the list permissions.

The next thing is we need an Azure Container Registry, so let's quickly trigger this thing. The Azure Container Registry, if you remember, was the thing down here which can not only store Docker images which we push to it, but can also build Docker images with a build task, and we will use the build task subsequently. When we refresh, we now also have our spring demo Azure Container Registry sitting in the same data center. Now let's do one thing: we fetch one of the two Azure Container Registry passwords, because we need this further down for the task to be able to store Docker images. The image name which I came up with is called spring ad; let's rename this to something and let me just quickly hit the post. The next step is that in this Azure Container Registry we create a task called build spring ad, and this task is defined to fetch the source code from my repository in the master branch and use a Dockerfile to create an image. Let's shoot this off; so from now on each time I push to my GitHub repository, this task inside the Azure Container Registry will kick off and build the latest Docker image, and tag it not only with the sequence number of the concrete run ID but also with the latest tag. Please note I provided an access token for GitHub here to the Azure Container Registry, so it can register itself for a webhook. When we now navigate back into our resource group, inside the spring demo Azure Container Registry we can go to the tasks pane, and there are currently no tasks running. What we do now is trigger an initial image build: I say az acr task run for the specific task at hand. When I refresh here, actually we don't need to refresh, because we should see the output from that task in our local console. The output from that task: it's queued now with a certain build ID, container build number one, it's waiting for an agent to do what we want it to do, and it now fetched the source code from GitHub and it's using our Dockerfile.

While this is running it's a good time to look into what the Dockerfile actually does. The Dockerfile is a multi-stage build for Spring Boot. Essentially we are starting with the first image, which I called gradle, which is essentially an updated JDK image with the Gradle tool in it. From that I inherit and create a build image where I copy my source code in, and in line number thirteen, which happens now actually on our instance, run the actual compile process; this is where my main jar is being created. Then we have a plain vanilla JDK Alpine image where I copy the Azure AD jar, the Spring Boot self-contained jar, from the build image up here: it copies the ad 0.1 snapshot jar into our application directory together with a small prepare shell script. Actually I'm not sure, I got this from a sample, I'm not even sure if this is relevant or not, and this in the end will be our executable, our application. That compile process still takes... oh no, actually compilation is finished, so we should simply wait for a second until the image is completely created, because then we can continue with our infrastructure preparation and create our running container instance.

This is actually the last step we need to take from a deployment perspective. To quickly walk you through this: we say we want to create a container instance; the DNS label means it will not only have some public IP address but will have our concrete hostname which we defined previously, in West Europe, using an image from the container registry. You might remember I fetched the Azure Container Registry password, so when I echo this password and compare, this is actually one of the two passwords which we have here in our container registry. By the way, let's quickly have a look here: in our tasks list we should be seeing that build spring ad finished and that it was manually triggered from the command line. So now let's kick off the infrastructure and bring up the container. Boom. Just to understand: my web application is currently hosted on port 8080 on a public IP address, and the information which we want to pass in is: we need to tell the application which Azure AD tenant the credentials belong to; the credentials, our client ID, our application ID, and the password (please note that I have public environment variables and secure environment variables, which means these are not displayed in the UI); the Active Directory group which the application is allowed to pull membership from; and the actual Key Vault URL where the SQL connection string is living. Once this is done we will be having a public endpoint running and we will be able to hit the application. Let's quickly navigate back to our resource group, refresh, and see what we have. Here we can already see a container instance running our ACR image. In the container instance, in the containers section, it seems to be already running, that's great. Let's have a look at the properties: the properties which we brought in tell it where you can find the Key Vault, this is the directory in which you live, this is kind of your username, your client ID, and because it was a secure property we cannot see the password value in here. When we look in the logs, and I hope we don't see any strange things in here, it now needs to connect to some back-end service and pull the container logs, but actually it's certainly more interesting to look at the running instance.

In the overview, springdemoaci in West Europe is our machine, so let's hit this endpoint. What you notice is, without further ado, it redirected me to Azure Active Directory. Inside Azure Active Directory you can now see I am currently signed in with my work account, and it asks me whether I want to authorize the spring demo principal to sign me into that application and read my profile from Azure AD. When I allow this it redirects me back into the application, and now we are kind of in Java land. What I do here, the slash endpoint, is essentially welcoming me and saying that I am apparently in the Christian Azure AD group, and just for me, as a kind of debug mechanism, I was spitting out the full SQL Azure DB connection string in here.

Let's now look into the actual Java Spring Boot source, which might be interesting. The demo application, I mean, this is just a kind of skeleton which came out of the Spring Boot generator. The SQL classes here are, and actually let me copy this thing because I don't know SQL so I need to remember how this works: the repository is essentially just a JDBC type of thing which can talk to a relational database, and Pet is a small data structure for a name and species and unique ID. The really interesting thing is the HelloController. Inside the HelloController we have the IoC container wire up our pet repository, because this is the thing which allows us to talk to the database, and the first web method we have in here is the someChristian method which is hooked up to the path slash, and in line 33 you can see the PreAuthorize attribute which validates that I'm in a certain role, the hasRole Christian type of thing. Actually, before we continue, let's quickly look at the application configuration, in the application properties. In here you can see the first four properties: the Azure Active Directory tenant ID I'm taking out of the Docker container's environment, that's why I pass them down into the environment; you might remember here in create-infra I push these five environment variables into the Docker container, and here I'm reading these inside the Docker container. So I have the Azure AD tenant ID, the AD groups, the client ID and the secret; these four settings are necessary for validating inbound user requests. I am reusing the client ID and the client secret also for the Azure Key Vault's client ID and client key, and this is where the fifth parameter, the Key Vault URI, slips in. I'm specifying that I always want to initialize the database, so if the schema is not yet there, the schema is here: it's basically create table pet with a name and species, and the driver is the MS SQL driver, that's why this thing here is called schema-mssql.

So back to the HelloController. Inside the HelloController I am basically spitting out the connection string, and this is the interesting thing: this is not configured on the source code side of things, and Spring Boot says okay, I can't find the setting anywhere, but apparently I have a Key Vault provider, so let's give it a try: replace these dots by dashes, and then try if we have a key or a secret in Azure Key Vault which corresponds to this thing. This is how the repository actually gets the connection string to the underlying database. The path slash just validates that I am in the role Christian, and that's why it's saying hey, you are apparently in the Christian Azure AD group. The next endpoint which I have is called claims, and the claims endpoint tells me all the different claims which were in the security token, like I am in the role Christian, I'm a certain subject, I authenticated with multi-factor authentication, the issuer is the Microsoft Azure AD, the audience is our application here, this is my full name, my IP address, and my unique name and my email address are all the same. That's what we can see in the claims endpoint. The claims endpoint can be hit by anybody who is authenticated, and for that we simply grab the security context's authentication information and spit out the principal information.

Now, to validate that we're actually talking to the database, let's hit the slash pet endpoint, which iterates over all entries in our database. When we hit pet, our database is empty, which is not a big surprise because we just created it. So let's do something funky and go to the database. For that to happen I need my SQL password, which was generated by OpenSSL. Let's go to the resource group, let's go to the database, and inside the database let's hit the query editor. I could authorize my Active Directory account, chgeuer@microsoft.com, also to talk with Azure AD single sign-on to the database, but I didn't yet do that, so I just punch in the password and we are now basically on a SQL prompt inside the database. Now I just need to look at my cheat sheet inside the pet repository for how an insert statement looks: it looks like so, insert into pet, and the values; I think this is not needed; and the value is dog, and it is mammal I guess, right, and shark is fish. We also run this one, and when I now refresh that endpoint we basically see here the entries, or when we poll for a certain entry like entry number one or entry number two we would be seeing this. I think that is pretty much it from my side. I hope that all made sense, and let's talk soon.
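The two helper functions the walkthrough describes, written out here as an added example (not the repository's own create-infra script): the JDBC connection string for Azure SQL, the dot-to-dash conversion for Key Vault secret names, and a check that the converted name only contains characters Key Vault accepts. The connection-string parameters follow the standard Azure SQL JDBC template, which is an assumption about what the original script emits; the server, database, user and password values are constructed samples.

```shell
#!/usr/bin/env bash
# Added example, not the create-infra script from the repository: the two
# helpers the walkthrough describes, plus a secret-name check.
# Server, database, user and password below are constructed sample values.

# Build the JDBC connection string Spring Boot reads from spring.datasource.url.
# The parameter set is the standard Azure SQL JDBC template (an assumption
# about what the original script emits); encrypt=true keeps the login off the
# wire in clear text, and the certificate checks pin the server identity.
spring_connection_string() {
  local server="$1" database="$2" user="$3" password="$4"
  printf 'jdbc:sqlserver://%s.database.windows.net:1433;database=%s;user=%s@%s;password=%s;encrypt=true;trustServerCertificate=false;hostNameInCertificate=*.database.windows.net;loginTimeout=30;' \
    "$server" "$database" "$user" "$server" "$password"
}

# Key Vault secret names may only contain letters, digits and dashes, so the
# Spring property spring.datasource.url is stored as spring-datasource-url.
spring_property_name_to_keyvault_name() {
  printf '%s' "$1" | tr '.' '-'
}

# Returns 0 when the name is acceptable to Key Vault, 1 otherwise (empty name,
# or any character outside A-Z, a-z, 0-9 and dash).
is_valid_keyvault_secret_name() {
  case "$1" in
    '') return 1 ;;
    *[!A-Za-z0-9-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Convert a Spring property name and refuse to continue if the result would
# still be rejected by Key Vault (e.g. an underscore or a stray space).
keyvault_name_for_property() {
  local name
  name="$(spring_property_name_to_keyvault_name "$1")"
  is_valid_keyvault_secret_name "$name" || return 1
  printf '%s' "$name"
}

# Stand-alone usage with constructed values. The real script hands the result
# to az keyvault secret set; this example stops short of calling az.
if [ "${1:-}" = "--demo" ]; then
  keyvault_name_for_property spring.datasource.url; echo
  spring_connection_string springdemosql petdb demoadmin 'not-a-real-password'; echo
fi
```

Run it with `--demo` to see both values; the connection string contains the database password, so treat its output like the secret it is.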
Info
Channel: Christian Geuer-Pollmann
Views: 8,388
Id: EO0hdV5Ko1c
Length: 39min 58sec (2398 seconds)
Published: Thu May 23 2019