Merge pull request #31 from matthchr/feature/cosmos-todo-mi

Add cosmos-todo-mi sample focused on Managed Identity workflow

Author: matthchr

README.md

@@ -13,6 +13,7 @@ The example deployments currently contained in this repository:
 Examples using the v2 operator with code-generated resources for full coverage.
 * [azure-votes-postgresql](./azure-votes-postgresql) - Go voting web app using PostgreSQL server
 * [cosmos-todo-list](./cosmos-todo-list) - .NET todo-list web application using Cosmos DB SQL API for storage
+* [cosmos-todo-list-mi](./cosmos-todo-list-mi) - .NET todo-list web application using Cosmos DB SQL API for storage, with a managed identity
 
 ## Getting Started
 

cosmos-todo-list-mi/README.md

@@ -0,0 +1,116 @@
+# Azure Service Operator Cosmos DB with Managed Identity demo
+
+This sample is a demonstration of how to use the Azure Service Operator (ASO) to provision a Cosmos DB backed
+application using Azure Managed Identities. This solution applies the principle of least priviledge to create
+an identity dedicated to the To-Do list application with the minimum set of permissions needed to run the application.
+
+This involves provisioning the following resources through Kubernetes:
+- A User Managed Identity and associted Federated Identity Credential (for use with Azure Workload Identity).
+- A Cosmos DB SQL database and container.
+- A web application (Service, Deployment, Pods) which uses the Comsos DB container to store its data.
+
+## Prerequisites
+
+To deploy this demo application you'll need the following:
+
+1. An Azure subscription to create Azure resources under.
+
+2. An [Azure Kubernetes Service (AKS) cluster](https://docs.microsoft.com/azure/aks/tutorial-kubernetes-deploy-cluster)
+   deployed in your subscription, with [`kubectl`](https://kubernetes.io/docs/tasks/tools/#kubectl) configured to talk to it.
+   The AKS cluster must have [OIDC issuer](https://learn.microsoft.com/azure/aks/cluster-configuration#oidc-issuer) enabled.
+
+3. The OIDC issuer of the cluster retrieved and stored in an enviornment variable along with the Azure Subscription ID.
+   This can be done with the az cli via:
+
+   ```
+   export AKS_OIDC_ISSUER=$(az aks show -n myAKScluster -g myResourceGroup --query "oidcIssuerProfile.issuerUrl" -otsv)
+   export AZURE_SUBSCRIPTION_ID=<azure subscription id>
+   ```
+
+## Set up Azure Workload Identity
+
+Install Azure Workload Identity. You should already have your clusters OIDC issuer saved in a variable `AKS_OIDC_ISSUER` 
+from above so you can just 
+install the [Azure Workload Identity webhook](https://azure.github.io/azure-workload-identity/docs/installation/mutating-admission-webhook.html).
+
+## Set up Azure Service Operator
+
+ASO lets you manage Azure resources using Kubernetes tools.
+The operator is installed in your cluster and propagates changes to resources there to the Azure Resource Manager.
+[Read more about how ASO works](https://github.com/azure/azure-service-operator#what-is-it)
+
+Follow [these instructions](https://azure.github.io/azure-service-operator/#installation) to install the ASO v2 
+operator in your cluster.
+Part of this installs
+the [custom resource definitions](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) for the Azure and Cosmos DB resources
+we're going to create next: ResourceGroup, DatabaseAccount,
+SqlDatabase, SqlDatabaseContainer, UserAssignedIdentity, and FederatedIdentityCredential
+
+
+## Create the Cosmos DB resources
+
+The YAML documents in [cosmos-sql-demo.yaml](cosmos-sql-demo.yaml) create a number of things:
+
+* A Kubernetes namespace named `cosmos-todo`,
+* An Azure resource group named `aso-cosmos-demo`,
+* A User Assigned Identity named `cosmos-todo-identity` and associated Federated Identity Credential,
+* A Cosmos DB database account,
+* A SQL database and
+* A container (equivalent to a table in the [Cosmos DB resource model](https://docs.microsoft.com/en-us/azure/cosmos-db/account-databases-containers-items))
+
+Before running `kubectl apply` we must insert the OIDC URL retrieved above into the `FederatedIdentityCredential` resource. For example purposes this is most easily done
+by manually by editing the `cosmos-sql-demo.yaml` file, or using `envsubst`. We show the `envsubst` method below. In production, we would recommend using a tool like Kubebuilder
+to inject these values.
+
+Create the resources by applying the file:
+```sh
+envsubst <cosmos-sql-demo.yaml | kubectl apply -f -
+```
+
+The operator will start creating the resource group and Cosmos DB items in Azure.
+You can monitor their progress with:
+```sh
+watch kubectl get -n cosmos-todo resourcegroup,databaseaccount,sqldatabase,sqldatabasecontainer,userassignedidentity,federatedidentitycredential
+```
+You can also find the resource group in the [Azure portal](https://portal.azure.com) and watch the Cosmos DB resources being created there.
+
+It could take a few minutes for the Cosmos DB resources to be provisioned.
+In that time you might see some `ResourceNotFound` errors, or messages indicating that the database account isn't ready, on the SQL database or container.
+This is OK!
+The operator will keep creating them once the account is available and the errors should eventually resolve themselves.
+
+## Deploy the web application
+
+Now we can create the application deployment and service by running:
+```sh
+kubectl apply -f cosmos-app.yaml
+```
+
+You can watch the state of the pod with:
+```sh
+watch kubectl get -n cosmos-todo pods
+```
+
+Once the pod's running, we need to expose the service outside the cluster so we can make requests to the todo app.
+There are a [number of ways](https://kubernetes.io/docs/tutorials/kubernetes-basics/expose/expose-intro/) to do this in Kubernetes, but a simple option for this demonstration is using port-forwarding.
+Run this command to set it up:
+```sh
+kubectl port-forward -n cosmos-todo service/cosmos-todo-service 8080:80
+```
+
+Now visiting [http://localhost:8080](http://localhost:8080) in your browser will hit the Cosmos DB application.
+You can create todo items and mark them as complete!
+
+Use the Cosmos DB account Data Explorer on the portal to expand the database and container, and you can see the todo-list items stored by the web app.
+
+If you're interested in how the todo application uses the Cosmos DB API, the code is available [here](https://github.com/Azure-Samples/cosmos-dotnet-core-todo-app/tree/main/src).
+
+## Clean up
+
+When you're finished with the sample application you can clean all of the Kubernetes and Azure resources up by deleting the `cosmos-todo` namespace in your cluster.
+```sh
+kubectl delete namespace cosmos-todo
+```
+
+Kubernetes will delete the web application pod and the operator will delete the Azure resource group and all the Cosmos DB resources.
+(Deleting a Cosmos DB account can take several minutes.)

cosmos-todo-list-mi/cosmos-app.yaml

@@ -0,0 +1,72 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cosmos-service-account
+  namespace: cosmos-todo
+  labels:
+    azure.workload.identity/use: "true"
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: cosmos-todo-app
+  name: cosmos-todo-app
+  namespace: cosmos-todo
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: cosmos-todo-app
+  template:
+    metadata:
+      labels:
+        app: cosmos-todo-app
+      annotations:
+        azure.workload.identity/inject-proxy-sidecar: "true"
+    spec:
+      serviceAccountName: cosmos-service-account
+      containers:
+      - name: app
+        image: mcr.microsoft.com/k8s/asodemos/cosmostodo:latest
+        env:
+          - name: CosmosDB__Account
+            valueFrom:
+              secretKeyRef:
+                name: cosmos-connection-settings  # This is the secret created by ASO associated with the CosmosDB Account. See the DatabaseAccount resource for more details.
+                key: documentEndpoint
+                optional: false
+          - name: CosmosDB__DatabaseName
+            value: "sample-sql-db"
+          - name: CosmosDB__ContainerName
+            value: "sample-sql-container"
+          - name: AZURE_CLIENT_ID
+            valueFrom:
+              configMapKeyRef:
+                key: clientId
+                name: cosmos-todo-identity-settings # This is the configmap created by ASO associated with the Managed Identity. See the UserAssignedIdentity resource for more details.
+                optional: false
+        ports:
+        - containerPort: 80
+          name: webserver
+          protocol: TCP
+        resources:
+          limits:
+            cpu: 500m
+            memory: 512Mi
+          requests:
+            cpu: 200m
+            memory: 256Mi
+      terminationGracePeriodSeconds: 10
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: cosmos-todo-service
+  namespace: cosmos-todo
+spec:
+  ports:
+  - port: 80
+    targetPort: 80
+  selector:
+    app: cosmos-todo-app

cosmos-todo-list-mi/cosmos-sql-demo.yaml

@@ -0,0 +1,112 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cosmos-todo
+---
+apiVersion: resources.azure.com/v1alpha1api20200601
+kind: ResourceGroup
+metadata:
+  name: aso-cosmos-demo
+  namespace: cosmos-todo
+spec:
+  location: westcentralus
+---
+apiVersion: managedidentity.azure.com/v1beta20181130
+kind: UserAssignedIdentity
+metadata:
+  name: cosmos-todo-identity
+  namespace: cosmos-todo
+spec:
+  location: westcentralus
+  owner:
+    name: aso-cosmos-demo
+  operatorSpec:
+    configMaps:
+      principalId:
+        name: cosmos-todo-identity-settings
+        key: principalId
+      clientId:
+        name: cosmos-todo-identity-settings
+        key: clientId
+---
+apiVersion: managedidentity.azure.com/v1beta20220131preview
+kind: FederatedIdentityCredential
+metadata:
+  name: cosmos-todo-fic
+  namespace: cosmos-todo
+spec:
+  owner:
+    name: cosmos-todo-identity
+  audiences:
+    # For Workload Identity, Audiences should always be "api://AzureADTokenExchange"
+    - api://AzureADTokenExchange
+  # For Workload Identity, Issuer should be the OIDC endpoint of the cluster. For AKS this will look like
+  # https://oidc.prod-aks.azure.com/00000000-0000-0000-0000-00000000000/
+  issuer: ${AKS_OIDC_ISSUER}
+  # For Workload Identity, Subject should always be system:serviceaccount:<namespace>:<serviceaccount>
+  subject: system:serviceaccount:cosmos-todo:cosmos-service-account
+---
+apiVersion: documentdb.azure.com/v1alpha1api20210515
+kind: DatabaseAccount
+metadata:
+  name: cosmostodoacct
+  namespace: cosmos-todo
+spec:
+  location: westcentralus
+  owner:
+    name: aso-cosmos-demo
+  kind: GlobalDocumentDB
+  databaseAccountOfferType: Standard
+  locations:
+    - locationName: westcentralus
+  operatorSpec:
+    secrets:
+      documentEndpoint:
+        name: cosmos-connection-settings
+        key: documentEndpoint
+---
+apiVersion: documentdb.azure.com/v1alpha1api20210515
+kind: SqlDatabase
+metadata:
+  name: sample-sql-db
+  namespace: cosmos-todo
+spec:
+  location: westcentralus
+  owner:
+    name: cosmostodoacct
+  options:
+    autoscaleSettings:
+      maxThroughput: 4000
+  resource:
+    id: sample-sql-db
+---
+apiVersion: documentdb.azure.com/v1alpha1api20210515
+kind: SqlDatabaseContainer
+metadata:
+  name: sample-sql-container
+  namespace: cosmos-todo
+spec:
+  location: westcentralus
+  owner:
+    name: sample-sql-db
+  resource:
+    id: sample-sql-container
+    partitionKey:
+      kind: Hash
+      paths: ["/id"]
+---
+apiVersion: documentdb.azure.com/v1beta20210515
+kind: SqlRoleAssignment
+metadata:
+  name: cosmos-role-assignment
+  namespace: cosmos-todo
+spec:
+  owner:
+    name: cosmostodoacct
+  azureName: 31edb778-9702-4f43-a47a-5817594044af # This can be any UUID
+  principalIdConfigRef:
+    name: cosmos-todo-identity-settings
+    key: principalId
+  # This RoleDefinition corresponds to "Cosmos DB Built-in Data Contributor". See https://docs.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac#built-in-role-definitions for more.
+  roleDefinitionId: /subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/cosmos-todo-rg/providers/Microsoft.DocumentDB/databaseAccounts/cosmostodoacct/sqlRoleDefinitions/00000000-0000-0000-0000-000000000002
+  scope: /subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/cosmos-todo-rg/providers/Microsoft.DocumentDB/databaseAccounts/cosmostodoacct

cosmos-todo-list/README.md

@@ -36,7 +36,7 @@ SqlDatabase, and SqlDatabaseContainer.
 
 The YAML documents in [cosmos-sql-demo.yaml](cosmos-sql-demo.yaml) create a number of things:
 
-* A Kubernetes namespace named `cosmosdb`,
+* A Kubernetes namespace named `cosmos-todo`,
 * An Azure resource group named `aso-cosmos-demo`,
 * A Cosmos DB database account,
 * A SQL database and
@@ -50,7 +50,7 @@ kubectl apply -f cosmos-sql-demo.yaml
 The operator will start creating the resource group and Cosmos DB items in Azure.
 You can monitor their progress with:
 ```sh
-watch kubectl get -n cosmosdb resourcegroup,databaseaccount,sqldatabase,sqldatabasecontainer
+watch kubectl get -n cosmos-todo resourcegroup,databaseaccount,sqldatabase,sqldatabasecontainer
 ```
 You can also find the resource group in the [Azure portal](https://portal.azure.com) and watch the Cosmos DB resources being created there.
 
@@ -59,46 +59,23 @@ In that time you might see some `ResourceNotFound` errors, or messages indicatin
 This is OK!
 The operator will keep creating them once the account is available and the errors should eventually resolve themselves.
 
-## Create the `cosmos-settings` secret
-
-We need to provide the web application with access to the database.
-Once the database account is created, store the connection details into environment variables with the following commands:
-```sh
-COSMOS_DB_ACCOUNT="$(az cosmosdb show --resource-group aso-cosmos-demo --name sampledbaccount -otsv --query 'locations[0].documentEndpoint')"
-COSMOS_DB_KEY="$(az cosmosdb keys list --resource-group aso-cosmos-demo --name sampledbaccount -otsv --query 'primaryMasterKey')"
-```
-
-Another option is to get the account URI and key from the [portal](https://portal.azure.com).
-You can find them on the Keys page of the Cosmos DB account.
-
-Then create the secret the pod will use with:
-```sh
-kubectl --namespace cosmosdb create secret generic cosmos-settings \
-        --from-literal=Account="$COSMOS_DB_ACCOUNT" \
-        --from-literal=Key="$COSMOS_DB_KEY" \
-        --from-literal=DatabaseName="sample-sql-db" \
-        --from-literal=ContainerName="sample-sql-container"
-```
-
-(Secret handling is an area we're still working on in ASO - in the future the operator should automatically get these details from Azure and create the secret itself once the database account is ready. See [#1471](https://github.com/Azure/azure-service-operator/issues/1471) for more details.)
-
 ## Deploy the web application
 
 Now we can create the application deployment and service by running:
 ```sh
-kubectl apply -f deploy-cosmos-app.yaml
+kubectl apply -f cosmos-app.yaml
 ```
 
 You can watch the state of the pod with:
 ```sh
-watch kubectl get -n cosmosdb pods
+watch kubectl get -n cosmos-todo pods
 ```
 
 Once the pod's running, we need to expose the service outside the cluster so we can make requests to the todo app.
 There are a [number of ways](https://kubernetes.io/docs/tutorials/kubernetes-basics/expose/expose-intro/) to do this in Kubernetes, but a simple option for this demonstration is using port-forwarding.
 Run this command to set it up:
 ```sh
-kubectl port-forward -n cosmosdb service/cosmos-todo-service 8080:80
+kubectl port-forward -n cosmos-todo service/cosmos-todo-service 8080:80
 ```
 
 Now visiting [http://localhost:8080](http://localhost:8080) in your browser will hit the Cosmos DB application.
@@ -110,9 +87,9 @@ If you're interested in how the todo application uses the Cosmos DB API, the cod
 
 ## Clean up
 
-When you're finished with the sample application you can clean all of the Kubernetes and Azure resources up by deleting the `cosmosdb` namespace in your cluster.
+When you're finished with the sample application you can clean all of the Kubernetes and Azure resources up by deleting the `cosmos-todo` namespace in your cluster.
 ```sh
-kubectl delete namespace cosmosdb
+kubectl delete namespace cosmos-todo
 ```
 
 Kubernetes will delete the web application pod and the operator will delete the Azure resource group and all the Cosmos DB resources.