
App Configuration - Key Vault Integration update #22365

Closed
my3sons opened this issue Jun 17, 2021 · 9 comments
Assignees
Labels
App Configuration Azure.ApplicationModel.Configuration customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-author-feedback Workflow: More information is needed from author to address the issue. no-recent-activity There has been no recent activity on this issue. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that

Comments

@my3sons

my3sons commented Jun 17, 2021

Hello @mssfang and @mrm9084

I see that there have been some recent updates to the app configuration source code to expand on the App Configuration/Key Vault integration, as it looks like, rather than just returning the secret URI from App Configuration, there is an implementation to return the actual secret value (see below). If this is the case, do you know when there might be a preview version available we can play with?

public KeyVaultSecret getSecret(URI secretIdentifier, int timeout) {
    if (secretClient == null) {
        build();
    }
    // path is /secrets/{name}[/{version}], so split("/") yields ["", "secrets", name, version]
    String[] tokens = secretIdentifier.getPath().split("/");

    String name = (tokens.length >= 3 ? tokens[2] : null);
    String version = (tokens.length >= 4 ? tokens[3] : null);
    return secretClient.getSecret(name, version).block(Duration.ofSeconds(timeout));
}
@ghost ghost added needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. customer-reported Issues that are reported by GitHub users external to the Azure organization. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Jun 17, 2021
@mrm9084
Member

mrm9084 commented Jun 17, 2021

@my3sons I don't think there is a plan for that as it is just a hook into the Key Vault Secrets library. Do you have a link to where you saw the reference? It might just be a sample as that is the main use case.

@mrm9084 mrm9084 self-assigned this Jun 17, 2021
@mrm9084 mrm9084 added App Configuration Azure.ApplicationModel.Configuration and removed needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. labels Jun 17, 2021
@my3sons
Author

my3sons commented Jun 17, 2021

Hello @mrm9084

I am referring to this class here: https://github.com/Azure/azure-sdk-for-java/blob/master/sdk/appconfiguration/azure-spring-cloud-appconfiguration-config/src/main/java/com/azure/spring/cloud/config/stores/KeyVaultClient.java

I guess my thought is that this capability (getting Key Vault Secret directly from App configuration client) should be there by default. Currently, if you implement your com.azure.data.appconfiguration.ConfigurationClient and ask it to return a ConfigurationSetting that references a KeyVault secret, the ConfigurationClient returns the URI of the secret, and not the actual secret value. The KeyVault API does not even support getting a secret value based on URI, but only secret name. Therefore, we now are left with creating a KeyVault client, parsing the response we got back from ConfigurationClient to get the secret name from the URI and then make another API call to get the actual secret value. Ideally, the ConfigurationClient should do all of that for us and based on the KeyVaultClient class referenced in my link above, it looks like you folks are going that direction, unless I am missing something.

@mrm9084
Member

mrm9084 commented Jun 17, 2021

Hi @my3sons, that library is for Spring Boot/Spring Cloud users. It takes a user-provided credential and accesses Key Vault with it to return the Secret. App Configuration will never have access to users' secrets stored in Key Vault. The method used here is the intended way for this operation to happen.

@mrm9084
Member

mrm9084 commented Jun 17, 2021

If you use the latest version of the SDK, it will parse the information for you in the next minor release, which is in beta right now: https://github.com/Azure/azure-sdk-for-java/blob/master/sdk/appconfiguration/azure-data-appconfiguration/CHANGELOG.md#120-beta1-2021-04-09. It is expected that the client makes a second request for key vault secrets.

@my3sons
Author

my3sons commented Jun 17, 2021

Hello @mrm9084

Yea, the longer back story to all this is that we do have a number of Spring Boot App Services that we have implemented using App Configuration and for the most part using the pattern depicted here: https://docs.microsoft.com/en-us/azure/azure-app-configuration/quickstart-java-spring-app. For these apps, other than our Configuration Properties class, we had to implement almost zero code to leverage App Configuration for both standard key/value pairs, as well as KeyVault referenced properties/settings. It all works great!

We recently have deployed a few Spring Boot apps to our Vnets. The problem we are now facing (and one that we have faced before with KeyVault) is that the Azure Java SDKs use the reactor netty implementation under the hood, and the http client that netty is using does not honor the default DNS name resolver (and instead uses Google DNS). We have firewall rules on our Vnet that deny that, so the Azure ConfigurationClient fails because it cannot resolve the hostname for our App Configuration endpoint; see this link for more details: https://docs.microsoft.com/en-us/answers/questions/307797/azure-key-vault-uri-dns-name-resolver-exception.html

Given that there does not seem to be a way via configuration to change the DNS resolver associated with the http client, we seem to be forced into implementing the ConfigurationClient the old-fashioned way using the Azure SDK and doing something like the below. So now that we are rolling our own ConfigurationClient, we end up back where this started: how do we best deal with KeyVault based configuration settings? I will check out the link you provided above to see how this might simplify things for us, thanks!

    import com.azure.core.http.HttpClient;
    import com.azure.core.http.netty.NettyAsyncHttpClientBuilder;
    import com.azure.data.appconfiguration.ConfigurationClient;
    import com.azure.data.appconfiguration.ConfigurationClientBuilder;
    import com.azure.identity.DefaultAzureCredential;
    import com.azure.identity.DefaultAzureCredentialBuilder;
    import io.netty.resolver.DefaultAddressResolverGroup;

    // Reactor Netty client told to use the JVM's default name resolution instead of Netty's own DNS resolver
    reactor.netty.http.client.HttpClient nettyHttpClient =
            reactor.netty.http.client.HttpClient.create()
                    .resolver(DefaultAddressResolverGroup.INSTANCE);

    // Wrap it as the azure-core HttpClient that every Azure SDK client builder accepts
    HttpClient httpClient = new NettyAsyncHttpClientBuilder(nettyHttpClient).build();

    DefaultAzureCredential tokenCredential = new DefaultAzureCredentialBuilder().build();
    final ConfigurationClient client = new ConfigurationClientBuilder()
            .credential(tokenCredential) // use Managed Identity
            .httpClient(httpClient)
            .endpoint("myConfigEndpoint")
            .buildClient();

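Putting the two threads of this discussion together (the secret-identifier parsing from the KeyVaultClient excerpt in the first comment, and the DNS resolver workaround above), here is an added example that is not code from this issue or from the Azure SDK project. It assumes Java 17, azure-data-appconfiguration 1.2.0-beta.1 or later (for SecretReferenceConfigurationSetting), azure-security-keyvault-secrets, azure-identity and azure-core-http-netty on the classpath; the store endpoint and the key name are placeholders.

```java
import java.net.URI;
import com.azure.core.http.HttpClient;
import com.azure.core.http.netty.NettyAsyncHttpClientBuilder;
import com.azure.data.appconfiguration.ConfigurationClient;
import com.azure.data.appconfiguration.ConfigurationClientBuilder;
import com.azure.data.appconfiguration.models.ConfigurationSetting;
import com.azure.data.appconfiguration.models.SecretReferenceConfigurationSetting;
import com.azure.identity.DefaultAzureCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import io.netty.resolver.DefaultAddressResolverGroup;

public final class KeyVaultReferenceResolver {
    /** Vault URL, secret name and optional version parsed from a secret identifier. */
    record SecretRef(String vaultUrl, String name, String version) {}

    /** Parses https://{vault}.vault.azure.net/secrets/{name}[/{version}] and rejects anything else. */
    static SecretRef parse(String secretId) {
        URI uri = URI.create(secretId);
        String[] tokens = uri.getPath().split("/"); // ["", "secrets", name, version?]
        if (tokens.length < 3 || !"secrets".equals(tokens[1]) || tokens[2].isEmpty()) {
            throw new IllegalArgumentException("not a Key Vault secret identifier: " + secretId);
        }
        String version = tokens.length >= 4 && !tokens[3].isEmpty() ? tokens[3] : null;
        return new SecretRef(uri.getScheme() + "://" + uri.getHost(), tokens[2], version);
    }

    public static void main(String[] args) {
        // One HttpClient that honors the JVM's default name resolution instead of Netty's DNS resolver.
        HttpClient httpClient = new NettyAsyncHttpClientBuilder(
                reactor.netty.http.client.HttpClient.create()
                        .resolver(DefaultAddressResolverGroup.INSTANCE)).build();
        DefaultAzureCredential credential = new DefaultAzureCredentialBuilder().build();
        ConfigurationClient config = new ConfigurationClientBuilder()
                .credential(credential).httpClient(httpClient)
                .endpoint("https://<your-store>.azconfig.io").buildClient(); // placeholder endpoint
        ConfigurationSetting setting = config.getConfigurationSetting("Db:Password", null); // placeholder key
        if (!(setting instanceof SecretReferenceConfigurationSetting ref)) {
            throw new IllegalStateException("setting is not a Key Vault reference");
        }
        SecretRef s = parse(ref.getSecretId());
        // Second request, made with the caller's own credential: App Configuration never sees the secret.
        SecretClient secrets = new SecretClientBuilder()
                .vaultUrl(s.vaultUrl()).credential(credential).httpClient(httpClient).buildClient();
        String value = secrets.getSecret(s.name(), s.version()).getValue();
        System.out.println("resolved " + s.name() + " (" + value.length() + " chars)"); // never log the value
    }
}
```

The same httpClient is shared by both clients, so the Key Vault call honors the Vnet's DNS rules too; a setting that is a plain key/value rather than a Key Vault reference fails fast instead of being mistaken for a URI.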
@mrm9084
Member

mrm9084 commented Jun 17, 2021

@my3sons Sorry, I thought you were using just the SDK. We have seen the issue you are having before. I think this is what you are looking for https://github.com/Azure/azure-sdk-for-java/tree/master/sdk/appconfiguration/azure-spring-cloud-starter-appconfiguration-config#client-builder-customization

@my3sons
Author

my3sons commented Jun 17, 2021

Thanks @mrm9084, will check this out!

@mrm9084
Member

mrm9084 commented Aug 3, 2021

@my3sons did this solve your issue?

@alzimmermsft alzimmermsft added the needs-author-feedback Workflow: More information is needed from author to address the issue. label Jan 13, 2023
@ghost ghost added the no-recent-activity There has been no recent activity on this issue. label Jan 20, 2023
@ghost

ghost commented Jan 20, 2023

Hi, we're sending this friendly reminder because we haven't heard back from you in a while. We need more information about this issue to help address it. Please be sure to give us your input within the next 7 days. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!

@ghost ghost closed this as completed Feb 4, 2023
azure-sdk pushed a commit to azure-sdk/azure-sdk-for-java that referenced this issue Feb 22, 2023
Networking 2022-09-01 release (Azure#22639)

* Adds base for updating Microsoft.Network from version stable/2022-07-01 to version 2022-09-01

* Updates readme

* Updates API version in new specs and examples

* Added flowlog property in virtual network (Azure#21790)

Co-authored-by: Krishna Mishra <krmishr@microsoft.com>

* commit1 (Azure#22111)

Co-authored-by: Khushboo Baheti <khbaheti@microsoft.com>

* adding auth status property to circuit (Azure#22024)

* Make auth status readonly (Azure#22365)

* make auth status read only

* fixing model validation

* prettier fix

* Add support for State flag in Custom Rule (Azure#22457)

* Fix LRO header model validation (Azure#22506)

* Add new status code for application gateway custom error page (Azure#22151)

* Add new status code for application gateway custom error page

* Fix prettier

* Adding words to Custom-Words list

* Fix missing resource id in application gateway list example (Azure#22509)

* Resolving merge conflicts with main branch

---------

Co-authored-by: Mikhail <mitryakh@microsoft.com>
Co-authored-by: KRISHNA MISHRA <krishmi139@gmail.com>
Co-authored-by: Krishna Mishra <krmishr@microsoft.com>
Co-authored-by: Khushboo Baheti <37917868+Khushboo-Baheti@users.noreply.github.com>
Co-authored-by: Khushboo Baheti <khbaheti@microsoft.com>
Co-authored-by: utbarn-ms <66377251+utbarn-ms@users.noreply.github.com>
Co-authored-by: tejasshah7 <49326906+tejasshah7@users.noreply.github.com>
Co-authored-by: Prateek Sachan <42961174+prateek2211@users.noreply.github.com>
@github-actions github-actions bot locked and limited conversation to collaborators May 5, 2023
This issue was closed.