github.com/Azure/aad-pod-identity@v1.8.17/website/content/en/docs/Demo/java-blob.md

github.com/Azure/aad-pod-identity@v1.8.17/website/content/en/docs/Demo/java-blob.md (about)

     1  ---
     2  title: "Spring Boot + Azure Storage + AAD Pod Identity"
     3  linkTitle: "Spring Boot + Azure Storage + AAD Pod Identity"
     4  weight: 2
     5  description: >
     6    Sample code and instructions demonstrating how you can access Azure Storage using a user-assigned identity with the aid of AAD Pod Identity from a spring boot application.
     7  ---
     8  
     9  ## Prerequisites
    10  
    11  * an AKS cluster with [managed identity enabled](https://docs.microsoft.com/en-us/azure/aks/use-managed-identity)
    12  * AAD Pod Identity installed and configured
    13  * Azure Container Registry
    14  * Azure Storage
    15      * Make sure you have already created a container
    16  
    17  ## Setup
    18  
    19  ### Create a Managed Identity and Assign Roles
    20  
    21  In this step, we'll create a new user-assigned identity which will be used to interact with the Azure Storage account.
    22  
    23  > this step can be skipped if you already have a managed identity you'd like to reuse.
    24  
    25  1. Setup:
    26  
    27      ```sh
    28      git clone https://github.com/Azure/aad-pod-identity $GOPATH/src/github.com/Azure/aad-pod-identity
    29      cd $GOPATH/src/github.com/Azure/aad-pod-identity/examples/java-blob
    30  
    31      CLUSTER_NAME=<YOUR_AKS_CLUSTER_NAME>
    32      CLUSTER_RESOURCE_GROUP=$(az aks list --query "[?name == '$CLUSTER_NAME'].resourceGroup" -o tsv)
    33  
    34      IDENTITY_NAME=<YOUR_IDENTITY_NAME>
    35      IDENTITY_RESOURCE_GROUP=$(az aks show -g $CLUSTER_RESOURCE_GROUP -n $CLUSTER_NAME --query nodeResourceGroup -otsv)
    36  
    37      STORAGE_ACCOUNT_NAME=<STORAGE_ACCOUNT_NAME>
    38      STORAGE_ACCOUNT_RESOURCE_GROUP=$(az storage account list --query "[?name == '$STORAGE_ACCOUNT_NAME'].resourceGroup" -o tsv)
    39  
    40      CLUSTER_MSI_CLIENT_ID=$(az aks show \
    41          -n $CLUSTER_NAME \
    42          -g $CLUSTER_RESOURCE_GROUP \
    43          --query "identityProfile.kubeletidentity.clientId" \
    44          -o tsv)
    45  
    46      STORAGE_ACCOUNT_RESOURCE_ID=$(az storage account show \
    47          --name $STORAGE_ACCOUNT_NAME \
    48          --query 'id' -o tsv)
    49      ```
    50  
    51  2. Create a managed identity:
    52  
    53      ```sh
    54      IDENTITY_RESOURCE_ID=$(az identity create \
    55          --name $IDENTITY_NAME \
    56          --resource-group $IDENTITY_RESOURCE_GROUP \
    57          --query 'id' -o tsv)
    58  
    59      IDENTITY_CLIENT_ID=$(az identity show \
    60          -n $IDENTITY_NAME \
    61          -g $IDENTITY_RESOURCE_GROUP \
    62          --query 'clientId' -o tsv)
    63      ```
    64  
    65  3. Assign role to allow AAD Pod Identity to access our newly created managed identity:
    66  
    67      ```sh
    68      az role assignment create \
    69          --role "Managed Identity Operator" \
    70          --assignee $CLUSTER_MSI_CLIENT_ID \
    71          --scope $IDENTITY_RESOURCE_ID
    72      ```
    73  
    74  4. Grant permission to specific storage container in the Azure Storage Account:
    75  
    76      ```sh
    77      CONTAINER=test
    78  
    79      az role assignment create \
    80          --role "Storage Blob Data Contributor" \
    81          --assignee $IDENTITY_CLIENT_ID \
    82          --scope "$STORAGE_ACCOUNT_RESOURCE_ID/blobServices/default/containers/$CONTAINER"
    83      ```
    84  
    85  > if you want the managed identity to access your entire Storage Account, you can ignore `/blobServices/default/containers/$CONTAINER`.
    86  
    87  ### Configure AAD Pod Identity
    88  
    89  The following step will create a new `AzureIdentity` resource in Kubernetes in the `blob` namespace. If your namespace is something different then change NAMESPACE to match the namespace you want to deploy into.
    90  
    91  ```sh
    92  NAMESPACE=blob
    93  kubectl create namespace $NAMESPACE
    94  
    95  cat << EOF | kubectl apply -f -
    96  apiVersion: "aadpodidentity.k8s.io/v1"
    97  kind: AzureIdentity
    98  metadata:
    99    name: $IDENTITY_NAME
   100    namespace: $NAMESPACE
   101  spec:
   102    type: 0
   103    resourceID: $IDENTITY_RESOURCE_ID
   104    clientID: $IDENTITY_CLIENT_ID
   105  EOF
   106  ```
   107  
   108  Now we'll create the `AzureIdentityBinding` and specify the selector.
   109  
   110  ```sh
   111  POD_LABEL_SELECTOR=$IDENTITY_NAME
   112  
   113  cat << EOF | kubectl apply -f -
   114  apiVersion: aadpodidentity.k8s.io/v1
   115  kind: AzureIdentityBinding
   116  metadata:
   117    name: $IDENTITY_NAME-binding
   118    namespace: $NAMESPACE
   119  spec:
   120    azureIdentity: $IDENTITY_NAME
   121    selector: $POD_LABEL_SELECTOR
   122  EOF
   123  ```
   124  
   125  ## Build
   126  
   127  In the root of this project contains a `Dockerfile`. All you need to do is build the container and push to Azure Container Registry.
   128  
   129  ```sh
   130  ACR=<YOUR_ACR>
   131  IMG=$ACR.azurecr.io/azure-storage-example:1
   132  
   133  az acr login --name $ACR
   134  
   135  docker build -t $IMG .
   136  docker push $IMG
   137  ```
   138  
   139  ## Deploy
   140  
   141  ```sh
   142  cat << EOF | kubectl apply -f -
   143  apiVersion: apps/v1
   144  kind: Deployment
   145  metadata:
   146    name: demo-blob-deployment
   147    namespace: $NAMESPACE
   148  spec:
   149    replicas: 1
   150    selector:
   151      matchLabels:
   152        name: demo-blob
   153    template:
   154      metadata:
   155        name: demo-blob
   156        labels:
   157          name: demo-blob
   158          aadpodidbinding: $POD_LABEL_SELECTOR
   159      spec:
   160        containers:
   161        - name: demo-blob
   162          image: $IMG
   163          env:
   164            - name: AZURE_CLIENT_ID
   165              value: $IDENTITY_CLIENT_ID
   166            - name: BLOB_ACCOUNT_NAME
   167              value: $STORAGE_ACCOUNT_NAME
   168            - name: BLOB_CONTAINER_NAME
   169              value: $CONTAINER
   170        nodeSelector:
   171          kubernetes.io/os: linux
   172  ---
   173  apiVersion: v1
   174  kind: Service
   175  metadata:
   176    name: demo-blob-service
   177    namespace: $NAMESPACE
   178  spec:
   179    type: NodePort
   180    selector:
   181      name: demo-blob
   182    ports:
   183      - port: 8080
   184        targetPort: 8080
   185  EOF
   186  ```
   187  ## Test
   188  
   189  To interact with the `demo-blob` pod running in AKS, we first need a pod with cURL installed. The following command create a new pod called `curl` using the `curlimages/curl` image, and then execute into the pod.
   190  
   191  ```sh
   192  kubectl run curl --rm -i --tty --image=curlimages/curl:7.73.0 -n blob -- sh
   193  ```
   194  
   195  Once you have access into the `curl` pod, run the following command to upload a new blob into the Azure Storage Account:
   196  
   197  ```sh
   198  curl -d 'new message' -H 'Content-Type: text/plain' demo-blob-service:8080/
   199  ```
   200  
   201  Assuming everything works, this will create a new `.txt` file the container created earlier with the text `new message`.
   202  
   203  You should receive the following message:
   204  
   205  ```sh
   206  file quickstart-8fea77d9-d133-4cb1-8f16-391dc8e4e3f7.txt was uploaded
   207  ```
   208  
   209  To retrieve the contents of the blob, assuming the file was saved under `quickstart-8fea77d9-d133-4cb1-8f16-391dc8e4e3f7.txt`, make the following `GET` request:
   210  
   211  ```sh
   212  curl -X GET http://demo-blob-service:8080/?fileName=quickstart-8fea77d9-d133-4cb1-8f16-391dc8e4e3f7.txt
   213  ```
   214  
   215  You should get back the following:
   216  
   217  ```sh
   218  new message
   219  ```