Implementation of instruction to use PostgreSQL in the application

docs/01_lab_plan/0103.md

@@ -11,9 +11,9 @@ Now that you identified the viable compute platforms, you need to decide which A
 
 The Azure platform offers several database-as-a-services options, including [Azure SQL Database](https://docs.microsoft.com/azure/azure-sql/database/sql-database-paas-overview?view=azuresql), [Azure Database for MySQL](https://docs.microsoft.com/azure/mysql/), [Azure Cosmos DB](https://docs.microsoft.com/azure/cosmos-db/introduction), and [Azure Database for PostgreSQL](https://docs.microsoft.com/azure/postgresql/). Your choice of the database technology should be based on the following requirements for the Spring Petclinic application:
 
-* The target database service should simplify the migration path from the on-premises MySQL deployment.
+* The target database service should simplify the migration path from the on-premises MySQL and PostgreSQL deployment.
 * The target database service must support automatic backups.
 * The target database service needs to support automatic patching.
 
-Based on these requirements, you decided to use Azure Database for MySQL Flexible Server.
+Based on these requirements, you will be having two options, either you can use PostgreSQL or MySQL based on your preference.
 

docs/01_lab_plan/0104.md

@@ -23,7 +23,7 @@ In case you chose to use Azure Spring Apps, you have the option to deploy Azure
 
 In case you chose AKS as the hosting platform, you will need at least one subnet in a virtual network to run the nodes of your AKS cluster. This subnet for now can be small, such as `/26`, which allows for a total of 64 IP addresses (although some of them are pre-allocated for the platform use).
 
-The Azure Database for MySQL deployment will not require any virtual network connectivity for the first phase of the migration of the application. This will also change in one of the subsequent exercises, when you will implement additional security measures to protect the full application stack.
+The Azure Database for MySQL or PostgreSQL deployment will not require any virtual network connectivity for the first phase of the migration of the application. This will also change in one of the subsequent exercises, when you will implement additional security measures to protect the full application stack.
 
 ## Are there any supporting services you would need for running the application?
 

docs/02_lab_migrate/0201.md

@@ -53,7 +53,7 @@ As a first step you will need to create your Azure Container Apps (ACA) environm
    az provider register --namespace Microsoft.OperationalInsights
    ```
 
-1. Run the following commands to create a resource group that will contain all of your resources (replace the `<azure-region>` placeholder with the name of any Azure region in which you can create an ACA and an Azure Database for MySQL Flexible Server instance, see [this page](https://azure.microsoft.com/explore/global-infrastructure/products-by-region/?products=container-apps) for regional availability details of those services:
+1. Run the following commands to create a resource group that will contain all of your resources (replace the `<azure-region>` placeholder with the name of any Azure region in which you can create an ACA and an Azure Database for MySQL or PostgreSQL Flexible Server instance, see [this page](https://azure.microsoft.com/explore/global-infrastructure/products-by-region/?products=container-apps) for regional availability details of those services:
 
    ```bash
    UNIQUEID=$(openssl rand -hex 3)

docs/02_lab_migrate/0203.md

@@ -1,7 +1,7 @@
 ---
-title: '3. MySQL database'
+title: '3.1 MySQL database'
 layout: default
-nav_order: 3
+nav_order: 4
 parent: 'Lab 2: Migrate to Azure Container Apps'
 ---
 

docs/02_lab_migrate/0203_postgres_application.yaml

@@ -0,0 +1,80 @@
+# COMMON APPLICATION PROPERTIES
+
+# embedded database init, supports PostgreSQL too trough the 'PostgreSQL' spring profile
+spring:
+datasource:
+   url: jdbc:postgresql://<your-postgresql-server-name>.database.azure.com:5432/petclinic?sslmode=require
+   username: myadmin
+   password: <your-postgresql-password>
+sql:
+   init:
+      schema-locations: classpath*:db/postgres/schema.sql
+      data-locations: classpath*:db/postgres/data.sql
+      mode: ALWAYS
+jms:
+   queue:
+      visits-requests: visits-requests
+      visits-confirmations: visits-confirmations
+   servicebus:
+      enabled: false  # disable messaging support by default
+      namespace: ${SERVICEBUS_NAMESPACE}
+      pricing-tier: premium
+      passwordless-enabled: true
+      credential:
+      managed-identity-enabled: true
+      client-id: ${CLIENT_ID}
+sleuth:
+   sampler:
+      probability: 1.0
+cloud:
+   config:
+      # Allow the microservices to override the remote properties with their own System properties or config file
+      allow-override: true
+      # Override configuration with any local property source
+      override-none: true
+jpa:
+   open-in-view: false
+   hibernate:
+      ddl-auto: none
+   show-sql: true
+
+# Spring Boot 1.5 makes actuator secure by default
+management.security.enabled: false
+# Enable all Actuators and not only the two available by default /health and /info starting Spring Boot 2.0
+management.endpoints.web.exposure.include: "*"
+
+# Temporary hack required by the Spring Boot 2 / Spring Cloud Finchley branch
+# Waiting issue https://github.com/spring-projects/spring-boot/issues/13042
+spring.cloud.refresh.refreshable: false
+
+# Logging
+logging.level.org.springframework: INFO
+
+# enable health probes
+management.health.livenessState.enabled: true
+management.health.readinessState.enabled: true
+management.endpoint.health.probes.enabled: true
+
+# Metrics
+management:
+endpoint:
+   metrics:
+      enabled: true
+   prometheus:
+      enabled: true
+endpoints:
+   web:
+      exposure:
+      include: '*'
+metrics:
+   export:
+      prometheus:
+      enabled: true
+eureka:
+client:
+   serviceUrl:
+      defaultZone: http://discovery-server:8761/eureka/
+   enableSelfPreservation: true
+   registryFetchIntervalSeconds: 20
+instance:
+   preferIpAddress: true

docs/02_lab_migrate/0203_postgresql.md

@@ -0,0 +1,101 @@
+---
+title: '3.2 PostgreSQL database [OPTIONAL]'
+layout: default
+nav_order: 3
+parent: 'Lab 2: Migrate to Azure Container Apps'
+---
+
+# Create an Azure PostgreSQL Database service
+
+You now have the compute service that will host your applications and the config server that will be used by your migrated application. Before you start deploying individual microservices as Azure Container Apps, you need to first create an Azure Database for PostgreSQL Flexible Server-hosted database for them. To accomplish this, you can use the following guidance:
+
+- [Quickstart: Create an Azure Database for PostgreSQL Flexible Server using Azure CLI](https://learn.microsoft.com/azure/PostgreSQL/flexible-server/quickstart-create-server-cli).
+
+You will also need to update the config for your applications to use the newly provisioned PostgreSQL Server. This will involve updating the application.yml config file in your private git config repo with the values provided in the PostgreSQL Server connection string.
+
+Your PostgreSQL database will also have a firewall enabled. This firewall will by default block all incoming calls. You will need to open this firewall in case you want to connect to it from your microservices running in the ACA environment.
+
+## Step by step guidance
+
+1. Run the following commands to create an instance of PostgreSQL Flexible server. Note that the name of the server must be globally unique, so adjust it accordingly in case the randomly generated name is already in use. Keep in mind that the name can contain only lowercase letters, numbers and hyphens. In addition, replace the `<sqladmin-password>` placeholder with a complex password and record its value.
+   {: .note }
+   > Here we use PostgreSQL admin password for apps to connect to sql server, this is for demo/test/learn purpose,  not recommand in production environment. Please refer to [Lab 04: Connect to Database securely using identity](https://azure-samples.github.io/java-microservices-aca-lab/docs/04_lab_secrets/04_openlab_secrets_aca.html) for the secured managed identity solution.
+
+   ```bash
+   POSTGRES_SERVER_NAME=postgres-$APPNAME-$UNIQUEID
+   POSTGRES_ADMIN_USERNAME=sqladmin
+   POSTGRES_ADMIN_PASSWORD="<sqladmin-password>"
+   DATABASE_NAME=petclinic
+
+   az postgres flexible-server create \
+       --admin-user myadmin \
+       --admin-password "$POSTGRES_ADMIN_PASSWORD" \
+       --name "$POSTGRES_SERVER_NAME" \
+       --resource-group "$RESOURCE_GROUP"
+   ```
+
+   {: .note }
+   > During the creation you will be asked whether access for your IP address should be added and whether access for all IP's should be added. Answer `n` for no on both questions.
+
+   {: .note }
+   > In case this statement fails with the message `ERROR: Unable to prompt for confirmation as no tty available`, add the `--yes` flag to the above statement. This will auto-install any missing resource providers. 
+
+   {: .note }
+   > Wait for the provisioning to complete. This might take about 3 minutes.
+
+1. Once the Azure Database for PostgreSQL Flexible Server instance gets created, it will output details about its settings. In the output, you will find the server connection string. Record its value since you will need it later in this exercise.
+
+1. Run the following commands to create a database in the Azure Database for PostgreSQL Flexible Server instance.
+
+   ```bash
+    az postgres flexible-server db create \
+        --server-name $POSTGRES_SERVER_NAME \
+        --resource-group $RESOURCE_GROUP \
+        -d $DATABASE_NAME
+   ```
+
+1. You will also need to allow connections to the server from your ACA environment. For now, to accomplish this, you will create a server firewall rule to allow inbound traffic from all Azure Services.
+
+   Check the status of your sql server
+   ![SQL Server Networking](../../images/sql-server-manage-firewall.png)
+
+   Checking `Allow Azure services and resources to access this server` adds an IP based firewall rule with start and end IP address of `0.0.0.0`, See [Connections from inside Azure](https://learn.microsoft.com/en-us/azure/azure-sql/database/firewall-configure?view=azuresql#connections-from-inside-azure).
+
+   This way your apps running in Azure Container Apps will be able to reach the PostgreSQL database. In one of the upcoming exercises, you will restrict this connectivity to limit it exclusively to the apps hosted by your ACA.
+
+   ```bash
+    az postgres flexible-server firewall-rule create \
+        --rule-name allAzureIPs \
+        --name $POSTGRES_SERVER_NAME \
+        --resource-group $RESOURCE_GROUP \
+        --start-ip-address 0.0.0.0 --end-ip-address 0.0.0.0
+   ```
+
+   Check the sql server firewall rules with command
+   ```bash
+    az postgres flexible-server firewall-rule list \
+       --name $POSTGRES_SERVER_NAME \
+       --resource-group $RESOURCE_GROUP \
+   ```
+
+1. From the Git Bash window, in the config repository you cloned locally, use your favorite text editor to open the _application.yml_ file. Replace the full contents of the _application.yml_ file with the contents of [this application.yml](0203_postgres_application.yaml) file. The updated _application.yml_ file includes the following changes:
+
+   * It removes the default `0` value for the `server.port` on line 5.
+   * It changes the default `spring.sql.init` values to use `PostgreSQL` configuration on lines 15 to 19.
+   * It adds a `spring.datasource` property for your PostgreSQL database on lines 10 to 14.
+   * It adds extra `eureka` config on lines 61 to 66.
+   * It removes the `chaos-monkey` and `PostgreSQL` profiles.
+
+1. In the part you pasted, update the values of the target datasource endpoint on line 6, the corresponding admin user account on line 7, and its password on line 8 to match your configuration. Set these values by using the information in the Azure Database for PostgreSQL Flexible Server connection string you recorded earlier in this task.
+
+1. Save the changes and push the updates you made to the _application.yml_ file to your private GitHub repo by running the following commands from the Git Bash prompt:
+
+   ```bash
+   git add .
+   git commit -m 'azure postgres info'
+   git push
+   ```
+
+   {: .note }
+   > At this point, the admin account user name and password are stored in clear text in the application.yml config file. In one of upcoming exercises, you will remediate this potential vulnerability by removing clear text credentials from your configuration.
+

docs/02_lab_migrate/0204.md

@@ -1,7 +1,7 @@
 ---
 title: '4. Java Components'
 layout: default
-nav_order: 4
+nav_order: 5
 parent: 'Lab 2: Migrate to Azure Container Apps'
 ---
 

docs/02_lab_migrate/0205.md

@@ -1,7 +1,7 @@
 ---
 title: '5. Deploy to ACA'
 layout: default
-nav_order: 5
+nav_order: 6
 parent: 'Lab 2: Migrate to Azure Container Apps'
 ---
 
@@ -66,7 +66,7 @@ Make sure the api-gateway and admin-server microservices have public IP addresse
       --runtime java
    ```
 
-1. Wait for the provisioning to finish, now you can create the other microservices, `customers`, `vets` and `visits`. These will be internal microservices, exposed by the `api-gateway`. Since these microservices connect to the MySQL database, you will also assign them the user assigned managed identity.
+1. Wait for the provisioning to finish, now you can create the other microservices, `customers`, `vets` and `visits`. These will be internal microservices, exposed by the `api-gateway`. Since these microservices connect to the MySQL or PostgreSQL database, you will also assign them the user assigned managed identity.
 
    ```bash
    APP_NAME=customers-service

docs/02_lab_migrate/0206.md

@@ -1,7 +1,7 @@
 ---
 title: '6. Test'
 layout: default
-nav_order: 6
+nav_order: 7
 parent: 'Lab 2: Migrate to Azure Container Apps'
 ---
 
@@ -48,15 +48,23 @@ You will need to look for the `properties.configuration.ingress.fqdn` property.
 
    You now have the Spring Petclinic application running properly on Azure Container Apps.
 
-1. In case you are not seeing any data in your application, you can troubleshoot this issue by interactively connecting to your MySQL Flexible Server and querying your databases and tables.
+1. In case you are not seeing any data in your application, you can troubleshoot this issue by interactively connecting to your MySQL or PostgreSQL Flexible Server and querying your databases and tables.
 
    ```bash
-   az mysql flexible-server connect -n $MYSQL_SERVER_NAME -u myadmin -p $MYSQL_ADMIN_PASSWORD --interactive
+   az mysql flexible-server connect -n $MySQL_SERVER_NAME -u myadmin -p $MySQL_ADMIN_PASSWORD --interactive
    show databases;
    use petclinic;
    show tables;
    select * from owners;
    ```
 
+   ```bash
+   az postgres flexible-server connect -n $POSTGRES_SERVER_NAME -u myadmin -p $POSTGRES_ADMIN_PASSWORD --interactive
+   show databases;
+   use petclinic;
+   show tables;
+   select * from owners;
+
+
    {: .note }
-   > For the MySQL Flexible Server connection to work, you will need to have your local IP address added to the MySQL Flexible Server firewall.
+   > For the MySQL or PostgreSQL Flexible Server connection to work, you will need to have your local IP address added to the MySQL or PostgreSQL Flexible Server firewall.

docs/02_lab_migrate/0207.md

@@ -1,7 +1,7 @@
 ---
 title: '7. Review'
 layout: default
-nav_order: 7
+nav_order: 8
 parent: 'Lab 2: Migrate to Azure Container Apps'
 ---
 
@@ -11,7 +11,7 @@ In this lab, you migrated your existing Spring Petclinic microservices applicati
 
 - Create an Azure Container Apps environment
 - Set up a configuration repository
-- Created an Azure MySQL Database service
+- Created an Azure MySQL or PostgreSQL Database service 
 - Created the config and discovery server as java components on ACA
 - Deployed the microservices of the Spring Petclinic app as Azure container apps
 - Tested the application through the publicly available endpoint

docs/02_lab_migrate/02_openlab_setup_aca.md

@@ -19,7 +19,7 @@ After you complete this lab, you will be able to:
 
 - Create an Azure Container Apps environment
 - Set up a configuration repository
-- Create an Azure MySQL Database service
+- Create an Azure MySQL or PostgreSQL Database service
 - Create the java components for your config and discovery server
 - Deploy the microservices of the Spring Petclinic app to ACA and bind them to java components
 - Test the application through the publicly available endpoint
@@ -38,7 +38,7 @@ During the process you'll:
 
 - Create an Azure Container Apps environment
 - Set up a configuration repository
-- Create an Azure MySQL Database service
+- Create an Azure MySQL or PostgreSQL Database service
 - Create the java components for your config and discovery server
 - Deploy the microservices of the Spring Petclinic app to ACA and bind them to java components
 - Test the application through the publicly available endpoint

docs/04_lab_secrets_postgres/0401_postgres.md

@@ -0,0 +1,74 @@
+---
+title: '1. Create db admin account'
+layout: default
+nav_order: 1
+parent: 'Lab 4: Connect to Database securely using identity [PostgreSQL]'
+---
+
+# Create a database administrator account
+
+You are already using a managed Identity to connect to the Azure Container Registry. You can use this same identity to also connect to the database. This will allow you to remove the username and password from the config repository.
+
+- [Configure passwordless database connections for Java apps](https://learn.microsoft.com/azure/developer/java/ee/how-to-configure-passwordless-datasource?toc=%2Fazure%2Fdeveloper%2Fintro%2Ftoc.json&bc=%2Fazure%2Fdeveloper%2Fintro%2Fbreadcrumb%2Ftoc.json&tabs=postgresql-passwordless-flexible-server)
+
+## Step by step guidance
+
+1. Before creating the administrator account, you need to enable Microsoft Entra Authentication from the portal.
+
+1. In the Azure Portal, navigate to your PostgreSQL server page.
+
+1. On your PostgreSQL page, select Authentication (1) from left menu under security, check PostgreSQL and Microsoft Entra authentication (2) option and save it using the Save (3) option from top menu.
+
+  ![](/images/postgres-enable.png)
+
+1. You will need to allow the user assigned managed identity access to the database. To configure this, you will need to first make your current logged in user account database administrator. For this to work on a PostgreSQL database you first need an additional managed identity.
+
+   ```bash
+   DB_ADMIN_USER_ASSIGNED_IDENTITY_NAME=uid-dbadmin-$APPNAME-$UNIQUEID
+
+   ADMIN_IDENTITY_RESOURCE_ID=$(az identity create \
+      --name $DB_ADMIN_USER_ASSIGNED_IDENTITY_NAME \
+      --resource-group $RESOURCE_GROUP \
+      --query id \
+      --output tsv)
+   ```
+
+1. This identity needs to be assigned to your PostgreSQL server.
+
+   ```bash
+   az postgres flexible-server identity assign \
+       --resource-group $RESOURCE_GROUP \
+       --server-name $POSTGRES_SERVER_NAME \
+       --identity $DB_ADMIN_USER_ASSIGNED_IDENTITY_NAME
+
+
+   az postgres flexible-server identity list \
+       --resource-group $RESOURCE_GROUP \
+       --server-name $POSTGRES_SERVER_NAME 
+   ```
+
+1. Get the current logged in user and object ID. This will give you the info of the user account you are currently logged in with in the Azure CLI.
+
+   ```bash
+   CURRENT_USER=$(az account show --query user.name --output tsv)
+   echo $CURRENT_USER
+   CURRENT_USER_OBJECTID=$(az ad signed-in-user show --query id --output tsv)
+   echo $CURRENT_USER_OBJECTID
+   ```
+
+1. Next you create a database administrator based on your current user account.
+
+   ```bash
+   az postgres flexible-server ad-admin create \
+       --resource-group $RESOURCE_GROUP \
+       --server-name $POSTGRES_SERVER_NAME \
+       --object-id $CURRENT_USER_OBJECTID \
+       --display-name $CURRENT_USER \
+
+   DB_ID=$(az postgres flexible-server db show \
+        --server-name $POSTGRES_SERVER_NAME \
+        --resource-group $RESOURCE_GROUP \
+        -d $DATABASE_NAME \
+        --query id \
+        -o tsv)
+   ```