update custom domain in migrate to aca

haochenghuang · haochenghuang · commit 08034ba79fda · 2025-06-17T15:43:50.000+08:00
diff --git a/articles/spring-apps/migration/migrate-to-azure-container-apps-custom-domain.md b/articles/spring-apps/migration/migrate-to-azure-container-apps-custom-domain.md
@@ -117,140 +117,122 @@ For more information, see the [Peer-to-peer encryption](../../container-apps/net
 
 ## Traffic to external services
 
-### Reference a certificate from Key Vault and mount certificates in a volume
+When you define a certificate, you create a reference to a certifiacte stored in Azure Key Vault. You can enable TLS and mTLS for traffic to external services by loading the certificate from Azure Key Vault with `spring-cloud-azure-starter-keyvault-jca`.
 
-When you define a certificate, you create a reference to a certificate stored in Azure Key Vault. Azure Container Apps automatically retrieves the certificate value from Key Vault and makes it available as a secret in your container app.
+To use this feature, your java project must be Spring Boot 3.1+ and adding the following dependency to your `pom.xml`:
 
-To reference a certificate from Key Vault, you must first enable managed identity in your container app and grant the identity access to the Key Vault secrets.
-
-To enable managed identity in your container app, see [Managed identities in Azure Container Apps](../../container-apps/managed-identity.md).
-
-To grant access to a Key Vault certificate, add the role assignment `Key Vault Secrets User` in Key Vault for the managed identity you created. For more information, see [Best Practices for individual keys, secrets, and certificates role assignments](/azure/key-vault/general/rbac-guide#best-practices-for-individual-keys-secrets-and-certificates-role-assignments).
-
-When you create a container app, certificates are defined using the `--secrets` parameter and using the following guidelines:
-
-- The parameter accepts a space-delimited set of name/value pairs.
-- Each pair is delimited by an equals sign (`=`).
-- To specify a Key Vault reference, use the format `<certificate-name>=keyvaultref:<key-vault-secret-identifier-of-certificate>,identityref:<managed-identity-ID>`. For example, `my-cert=keyvaultref:https://mykeyvault.vault.azure.net/secrets/mycert,identityref:/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/my-resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my-identity`.
-
-The following command provides an example:
-
-```azurecli
-az containerapp create \
-    --resource-group "my-resource-group" \
-    --name "my-app" \
-    --environment "my-environment-name" \
-    --image <image_name> \
-    --user-assigned "<user-assigned-identity-ID>" \
-    --secrets "my-cert=keyvaultref:<key-vault-secret-identifier-of-certificate>,identityref:<user-assigned-identity-ID>"
-    --secret-volume-mount "/mnt/cert"
+```xml
+<dependency>
+    <groupId>com.azure.spring</groupId>
+    <artifactId>spring-cloud-azure-starter-keyvault-jca</artifactId>
+    <version>5.21.0</version>
+</dependency>
 ```
 
-Here, a certificate is declared in the `--secrets` parameter. Replace `<key-vault-secret-identifier-of-certificate>` with the Secret Identifier URI of your certificate in Key Vault. Replace `<user-assigned-identity-ID>` with the resource ID of the user assigned identity. For a system assigned identity, use `system` instead of the resource ID. The certificate mounted in a volume is named `my-cert` of type Secret. The volume is mounted at the path **/mnt/cert**. The application can then read the secrets as files in the volume mount.
-
-For an existing container app, you can use following commands to reference a secret from Key Vault and mount it to a volume:
-
-```azurecli
-az containerapp secret set \
-    --resource-group "my-resource-group" \
-    --name "my-app" \
-    --secrets "my-cert=keyvaultref:<key-vault-secret-identifier-of-certificate>,identityref:<user-assigned-identity-ID>"
-
-az containerapp update \
-    --resource-group "my-resource-group" \
-    --name "my-app" \
-    --secret-volume-mount "/mnt/cert"
+### Load certificate into truststore from Key Vault with SSL bundle
+
+1. Generate or import certificates in Azure Key Vault. For more information, see [Create and import certificates in Azure Key Vault](/azure/key-vault/certificates/certificate-scenarios#creating-and-importing-certificates).
+1. Enable managed identity in your container app. To enable managed identity in your container app, see [Managed identities in Azure Container Apps](../../container-apps/managed-identity.md).
+1. Grant the `Key Vault Certificate User` role to the managed identity in your Key Vault. For more information, see [Best Practices for individual keys, secrets, and certificates role assignments](/azure/key-vault/general/rbac-guide#best-practices-for-individual-keys-secrets-and-certificates-role-assignments).
+1. Configure `application.yml`:
+
+```yml
+spring:
+  ssl:
+    bundle:
+      keyvault:
+        tlsClientBundle:
+          truststore:
+            keyvault-ref: keyvault1
+cloud:
+  azure:
+    keyvault:
+      jca:
+        vaults:
+          keyvault1:
+            endpoint: ${KEY_VAULT_SSL_BUNDLES_KEYVAULT_URI_01}
+            profile:
+              tenant-id: ${KEY_VAULT_SSL_BUNDLES_TENANT_ID}  # Required for user-assigned managed identity
+            credential:
+              client-id: ${KEY_VAULT_SSL_BUNDLES_CLIENT_ID}  # Required for user-assigned managed identity
+              managed-identity-enabled: true
 ```
 
-### Load a certificate from code
-
-Your loaded certificates are available in your defined mounted path - for example, **/mnt/cert/my-cert**. Use the following Java code to load a certificate in an application in Azure Container Apps.
-
-Because the certificate is mounted as a secret, its content is encoded in Base64, so you might need to decode it before use.
+1. Update your `RestTemplate` or `WebClient` bean configuration to apply the Key Vault SSL bundle:
 
 ```java
-try {
-  byte[] encodedBytes = Files.readAllBytes(Paths.get("/mnt/cert/my-cert"));
-  PKCS12PfxPdu pfx = new PKCS12PfxPdu(Base64.getDecoder().decode(encodedBytes));
-  List<Certificate> certificates = new ArrayList<>();
-  for (ContentInfo contentInfo : pfx.getContentInfos()) {
-    if (contentInfo.getContentType().equals(PKCSObjectIdentifiers.encryptedData)) {
-      PKCS12SafeBagFactory safeBagFactory = new PKCS12SafeBagFactory(contentInfo,
-        new JcePKCSPBEInputDecryptorProviderBuilder().build("\0".toCharArray()));
-      PKCS12SafeBag[] safeBags = safeBagFactory.getSafeBags();
-      for (PKCS12SafeBag safeBag : safeBags) {
-        Object bagValue = safeBag.getBagValue();
-        if (bagValue instanceof X509CertificateHolder) {
-          CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
-          InputStream in = new ByteArrayInputStream(((X509CertificateHolder) bagValue).getEncoded());
-          certificates.add(certFactory.generateCertificate(in));
-        }
-      }
-    }
-  }
-
-  // use the loaded certificate in 'certificates'
-} catch (PKCSException | CertificateException | IOException e) {
-  // handle exception
+// For RestTemplate
+@Bean
+RestTemplate restTemplateWithTLS(RestTemplateBuilder restTemplateBuilder, SslBundles sslBundles) {
+  return restTemplateBuilder.sslBundle(sslBundles.getBundle("tlsClientBundle")).build();
 }
-```
-
-In this sample code, you need to import [org.bouncycastle.bcpkix-lts8on](https://mvnrepository.com/artifact/org.bouncycastle/bcpkix-lts8on) to your project to parse the certificate data.
-
-### Load a certificate into the trust store
-
-Use the following steps to load a certificate:
-
-1. Set up a storage account - for example, `/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-resource-group/providers/Microsoft.Storage/storageAccounts/mystorageaccount`.
 
-1. Download and upload the JCA library. Get the latest version of the JCA library from the Maven repository [azure-security-keyvault-jca](https://mvnrepository.com/artifact/com.azure/azure-security-keyvault-jca) and upload the JAR file to a file share in the storage account - for example, **/jca/lib/azure-security-keyvault-jca.jar**.
-
-1. Use the following steps to modify and upload a Java security configuration:
-
-    1. Make a copy of the **java.security** file in your JDK. For Java version 8 or earlier, you can find the **java.security** file at **$JAVA_HOME/jre/lib/security/java.security**. For Java version 11 or later, you can find the **java.security** file at **$JAVA_HOME/conf/security**.
-
-    1. Locate `security.provider.<#>=` property in the file and add the following line:
-
-       ```text
-       security.provider.<#>=com.azure.security.keyvault.jca.KeyVaultJcaProvider
-       ```
-
-       In this line, the number sign placeholder `<#>` represents one increment above the last number in the list - for example, `security.provider.14`.
-
-    1. Upload the modified **java.security** file to a file share in the storage account - for example, **/jca/security/java.security**.
-
-1. Upload the certificates that need to be loaded into the trust store to the file share in the storage account - for example, **/jca/truststore/**.
-
-1. Add the volume mount. To add a volume mount for the JCA library and certificates in the container app, see [Tutorial: Create an Azure Files volume mount in Azure Container Apps](../../container-apps/storage-mounts-azure-files.md). You can mount it, for example, as **/mnt/jca/**.
-
-1. Update your image with JCA-related parameters. Modify your Dockerfile as shown in the following example:
-
-   ```dockerfile
-   # filename: JAR.dockerfile
-
-   FROM mcr.microsoft.com/openjdk/jdk:17-mariner
-
-   ARG JAR_FILENAME
+// For WebClient
+@Bean
+WebClient webClientWithTLS(WebClientSsl ssl) {
+  return WebClient.builder().apply(ssl.fromBundle("tlsClientBundle")).build();
+}
+```
 
-   COPY $JAR_FILENAME /opt/app/app.jar
-   ENTRYPOINT ["java", "-Dsecurity.overridePropertiesFile=true", "-Djava.security.properties=/mnt/jca/security/java.security", \
-       "--module-path", "/mnt/jca/lib", "--add-modules=com.azure.security.keyvault.jca", "-Djavax.net.ssl.trustStoreType=AzureKeyVault", \
-       "-Dazure.cert-path.custom=/mnt/jca/truststore/", "-jar", "/opt/app/app.jar"]
-   ```
+### Enable mTLS communication
+
+Set up mTLS for two-way authentication between client and server.
+
+1. Generate or import both client and server certificates to Azure Key Vault. For more information, see [Create and import certificates in Azure Key Vault](/azure/key-vault/certificates/certificate-scenarios#creating-and-importing-certificates).
+1. Enable managed identity for your container app. To enable managed identity in your container app, see [Managed identities in Azure Container Apps](../../container-apps/managed-identity.md).
+1. Grant `Key Vault Certificate User` role to the managed identity for both Key Vaults. For more information, see [Best Practices for individual keys, secrets, and certificates role assignments](/azure/key-vault/general/rbac-guide#best-practices-for-individual-keys-secrets-and-certificates-role-assignments).
+1. Configure `application.yml` for mTLS:
+
+```yml
+spring:
+  ssl:
+    bundle:
+      keyvault:
+        mtlsClientBundle:
+          key:
+            alias: client
+          for-client-auth: true
+          keystore:
+            keyvault-ref: keyvault2
+          truststore:
+            keyvault-ref: keyvault1
+cloud:
+  azure:
+    keyvault:
+      jca:
+        vaults:
+          keyvault1:
+            endpoint: ${KEY_VAULT_SSL_BUNDLES_KEYVAULT_URI_01}
+            profile:
+              tenant-id: ${KEY_VAULT_SSL_BUNDLES_TENANT_ID}  # Required for user-assigned managed identity
+            credential:
+              client-id: ${KEY_VAULT_SSL_BUNDLES_CLIENT_ID}  # Required for user-assigned managed identity
+              managed-identity-enabled: true
+          keyvault2:
+            endpoint: ${KEY_VAULT_SSL_BUNDLES_KEYVAULT_URI_02}
+            profile:
+              tenant-id: ${KEY_VAULT_SSL_BUNDLES_TENANT_ID}  # Required for user-assigned managed identity
+            credential:
+              client-id: ${KEY_VAULT_SSL_BUNDLES_CLIENT_ID}  # Required for user-assigned managed identity
+              managed-identity-enabled: true
+```
 
-1. Rebuild the image with the following command and then upload it to the container registry:
+1. Update your `RestTemplate` or `WebClient` bean configuration to apply the Key Vault SSL bundle:
 
-   ```azurecli
-   docker build -t <image-name>:<image-tag> \
-       -f JAR.dockerfile \
-       --build-arg JAR_FILENAME=<path-to-jar> \
-       .
-   ```
-
-1. Create or update your container app. For more information, see [Quickstart: Deploy your first container app using the Azure portal](../../container-apps/quickstart-portal.md).
+```java
+// For RestTemplate
+@Bean
+RestTemplate restTemplateWithMTLS(RestTemplateBuilder restTemplateBuilder, SslBundles sslBundles) {
+  return restTemplateBuilder.sslBundle(sslBundles.getBundle("mtlsClientBundle")).build();
+}
 
-For more information on using the JCA Provider for Azure Key Vault in your Java application, see [JCA Provider Example](https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/keyvault/azure-security-keyvault-jca#examples).
+// For WebClient
+@Bean
+WebClient webClientWithMTLS(WebClientSsl ssl) {
+  return WebClient.builder().apply(ssl.fromBundle("mtlsClientBundle")).build();
+}
+```
 
-This method maintains consistency with the behavior of Azure Spring Apps. You can also use other ways to load certificates into the trust store.
+For more information on using the `spring-cloud-azure-starter-keyvault-jca` in your Spring Boot application, see [Introducing Spring Cloud Azure Starter Key Vault JCA: Streamlined TLS and mTLS for Spring Boot](https://devblogs.microsoft.com/azure-sdk/introducing-spring-cloud-azure-starter-key-vault-jca-streamlined-tls-and-mtls-for-spring-boot/).
 
 By following these steps, you can successfully migrate your custom domain with TLS/SSL from Azure Spring Apps to Azure Container Apps, maintaining secure and efficient communication across all traffic types.
