fix guide including using passwordless approach with '--registry-identity' option to pull image from acr in aca

majguo · majguo · commit 0e11068481c2 · 2024-10-10T13:52:07.000+08:00
Signed-off-by: Jianguo Ma &lt;jiangma@microsoft.com&gt;
diff --git a/articles/container-apps/tutorial-java-quarkus-connect-managed-identity-postgresql-database.md b/articles/container-apps/tutorial-java-quarkus-connect-managed-identity-postgresql-database.md
@@ -6,7 +6,7 @@ author: KarlErickson
 ms.topic: tutorial
 ms.author: edburns
 ms.service: azure-container-apps
-ms.date: 06/04/2024
+ms.date: 10/10/2024
 ms.custom: devx-track-azurecli, devx-track-extended-java, devx-track-java, devx-track-javaee, devx-track-javaee-quarkus, passwordless-java, service-connector, devx-track-javaee-quarkus-aca
 ---
 
@@ -34,7 +34,6 @@ What you will learn:
 * [Java JDK](/azure/developer/java/fundamentals/java-support-on-azure)
 * [Maven](https://maven.apache.org)
 * [Docker](https://docs.docker.com/get-docker/)
-* [GraalVM](https://www.graalvm.org/downloads/)
 
 ## 2. Create a container registry
 
@@ -43,16 +42,25 @@ Create a resource group with the [az group create](/cli/azure/group#az-group-cre
 The following example creates a resource group named `myResourceGroup` in the East US Azure region.
 
 ```azurecli-interactive
-az group create --name myResourceGroup --location eastus
+RESOURCE_GROUP="myResourceGroup"
+LOCATION="eastus"
+
+az group create --name $RESOURCE_GROUP --location $LOCATION
 ```
 
-Create an Azure container registry instance using the [az acr create](/cli/azure/acr#az-acr-create) command. The registry name must be unique within Azure, contain 5-50 alphanumeric characters. All letters must be specified in lower case. In the following example, `mycontainerregistry007` is used. Update this to a unique value.
+Create an Azure container registry instance using the [az acr create](/cli/azure/acr#az-acr-create) command and retrieve its login server using the [az acr show](/cli/azure/acr#az-acr-show) command. The registry name must be unique within Azure, contain 5-50 alphanumeric characters. All letters must be specified in lower case. In the following example, `mycontainerregistry007` is used. Update this to a unique value.
 
 ```azurecli-interactive
+REGISTRY_NAME=mycontainerregistry007
 az acr create \
-    --resource-group myResourceGroup \
-    --name mycontainerregistry007 \
+    --resource-group $RESOURCE_GROUP \
+    --name $REGISTRY_NAME \
     --sku Basic
+
+REGISTRY_SERVER=$(az acr show \
+    --name $REGISTRY_NAME \
+    --query 'loginServer' \
+    --output tsv | tr -d '\r')
 ```
 
 ## 3. Clone the sample app and prepare the container image
@@ -72,9 +80,9 @@ cd quarkus-quickstarts/hibernate-orm-panache-quickstart
 
    ```xml
    <dependency>
-       <groupId>com.azure</groupId>
-       <artifactId>azure-identity-providers-jdbc-postgresql</artifactId>
-       <version>1.0.0-beta.1</version>
+      <groupId>com.azure</groupId>
+      <artifactId>azure-identity-extensions</artifactId>
+      <version>1.1.20</version>
    </dependency>
    ```
 
@@ -85,8 +93,6 @@ cd quarkus-quickstarts/hibernate-orm-panache-quickstart
    Delete the existing content in *application.properties* and replace with the following to configure the database for dev, test, and production modes:
 
    ```properties
-   quarkus.package.type=uber-jar
-
    quarkus.hibernate-orm.database.generation=drop-and-create
    quarkus.datasource.db-kind=postgresql
    quarkus.datasource.jdbc.max-size=8
@@ -95,17 +101,14 @@ cd quarkus-quickstarts/hibernate-orm-panache-quickstart
    quarkus.hibernate-orm.sql-load-script=import.sql
    quarkus.datasource.jdbc.acquisition-timeout = 10
 
-   %dev.quarkus.datasource.username=${AZURE_CLIENT_NAME}
-   %dev.quarkus.datasource.jdbc.url=jdbc:postgresql://${DBHOST}.postgres.database.azure.com:5432/${DBNAME}?\
-   authenticationPluginClassName=com.azure.identity.providers.postgresql.AzureIdentityPostgresqlAuthenticationPlugin\
-   &sslmode=require\
-   &azure.clientId=${AZURE_CLIENT_ID}\
-   &azure.clientSecret=${AZURE_CLIENT_SECRET}\
-   &azure.tenantId=${AZURE_TENANT_ID}
-
-   %prod.quarkus.datasource.username=${AZURE_MI_NAME}
-   %prod.quarkus.datasource.jdbc.url=jdbc:postgresql://${DBHOST}.postgres.database.azure.com:5432/${DBNAME}?\
-   authenticationPluginClassName=com.azure.identity.providers.postgresql.AzureIdentityPostgresqlAuthenticationPlugin\
+   %dev.quarkus.datasource.username=${CURRENT_USERNAME}
+   %dev.quarkus.datasource.jdbc.url=jdbc:postgresql://${AZURE_POSTGRESQL_HOST}:${AZURE_POSTGRESQL_PORT}/${AZURE_POSTGRESQL_DATABASE}?\
+   authenticationPluginClassName=com.azure.identity.extensions.jdbc.postgresql.AzurePostgresqlAuthenticationPlugin\
+   &sslmode=require
+
+   %prod.quarkus.datasource.username=${AZURE_POSTGRESQL_USERNAME}
+   %prod.quarkus.datasource.jdbc.url=jdbc:postgresql://${AZURE_POSTGRESQL_HOST}:${AZURE_POSTGRESQL_PORT}/${AZURE_POSTGRESQL_DATABASE}?\
+   authenticationPluginClassName=com.azure.identity.extensions.jdbc.postgresql.AzurePostgresqlAuthenticationPlugin\
    &sslmode=require
 
    %dev.quarkus.class-loading.parent-first-artifacts=com.azure:azure-core::jar,\
@@ -122,8 +125,7 @@ cd quarkus-quickstarts/hibernate-orm-panache-quickstart
    io.netty:netty-transport::jar,\
    io.netty:netty-buffer::jar,\
    com.azure:azure-identity::jar,\
-   com.azure:azure-identity-providers-core::jar,\
-   com.azure:azure-identity-providers-jdbc-postgresql::jar,\
+   com.azure:azure-identity-extensions::jar,\
    com.fasterxml.jackson.core:jackson-core::jar,\
    com.fasterxml.jackson.core:jackson-annotations::jar,\
    com.fasterxml.jackson.core:jackson-databind::jar,\
@@ -140,45 +142,46 @@ cd quarkus-quickstarts/hibernate-orm-panache-quickstart
    com.nimbusds:nimbus-jose-jwt::jar,\
    net.minidev:json-smart::jar,\
    net.minidev:accessors-smart::jar,\
-   io.netty:netty-transport-native-unix-common::jar
+   io.netty:netty-transport-native-unix-common::jar,\
+   net.java.dev.jna:jna::jar
    ```
 
 ### Build and push a Docker image to the container registry
 
 1. Build the container image.
 
-   Run the following command to build the Quarkus app image. You must tag it with the fully qualified name of your registry login server. The login server name is in the format *\<registry-name\>.azurecr.io* (must be all lowercase), for example, *mycontainerregistry007.azurecr.io*. Replace the name with your own registry name.
+   Run the following command to build the Quarkus app image. You must tag it with the fully qualified name of your registry login server.
 
    ```bash
-   mvnw quarkus:add-extension -Dextensions="container-image-jib"
-   mvnw clean package -Pnative -Dquarkus.native.container-build=true -Dquarkus.container-image.build=true -Dquarkus.container-image.registry=mycontainerregistry007 -Dquarkus.container-image.name=quarkus-postgres-passwordless-app -Dquarkus.container-image.tag=v1
+   CONTAINER_IMAGE=${REGISTRY_SERVER}/quarkus-postgres-passwordless-app:v1
+
+   mvn quarkus:add-extension -Dextensions="container-image-jib"
+   mvn clean package -Dquarkus.container-image.build=true -Dquarkus.container-image.image=${CONTAINER_IMAGE}
    ```
 
 1. Log in to the registry.
 
-   Before pushing container images, you must log in to the registry. To do so, use the [az acr login][az-acr-login] command. Specify only the registry resource name when signing in with the Azure CLI. Don't use the fully qualified login server name.
+   Before pushing container images, you must log in to the registry. To do so, use the [az acr login][az-acr-login] command.
 
    ```azurecli-interactive
-   az acr login --name <registry-name>
+   az acr login --name $REGISTRY_NAME
    ```
 
    The command returns a `Login Succeeded` message once completed.
 
 1. Push the image to the registry.
 
-   Use [docker push][docker-push] to push the image to the registry instance. Replace `mycontainerregistry007` with the login server name of your registry instance. This example creates the `quarkus-postgres-passwordless-app` repository, containing the `quarkus-postgres-passwordless-app:v1` image.
+   Use [docker push][docker-push] to push the image to the registry instance. This example creates the `quarkus-postgres-passwordless-app` repository, containing the `quarkus-postgres-passwordless-app:v1` image.
 
    ```bash
-   docker push mycontainerregistry007/quarkus-postgres-passwordless-app:v1
+   docker push $CONTAINER_IMAGE
    ```
 
 ## 4. Create a Container App on Azure
 
 1. Create a Container Apps instance by running the following command. Make sure you replace the value of the environment variables with the actual name and location you want to use.
 
    ```azurecli-interactive
-   RESOURCE_GROUP="myResourceGroup"
-   LOCATION="eastus"
    CONTAINERAPPS_ENVIRONMENT="my-environment"
 
    az containerapp env create \
@@ -187,22 +190,20 @@ cd quarkus-quickstarts/hibernate-orm-panache-quickstart
        --location $LOCATION
    ```
 
-1. Create a container app with your app image by running the following command. Replace the placeholders with your values. To find the container registry admin account details, see [Authenticate with an Azure container registry](/azure/container-registry/container-registry-authentication)
+1. Create a container app with your app image by running the following command.
 
    ```azurecli-interactive
-   CONTAINER_IMAGE_NAME=quarkus-postgres-passwordless-app:v1
-   REGISTRY_SERVER=mycontainerregistry007
-   REGISTRY_USERNAME=<REGISTRY_USERNAME>
-   REGISTRY_PASSWORD=<REGISTRY_PASSWORD>
-
+   APP_NAME=my-container-app
    az containerapp create \
        --resource-group $RESOURCE_GROUP \
-       --name my-container-app \
-       --image $CONTAINER_IMAGE_NAME \
+       --name $APP_NAME \
+       --image $CONTAINER_IMAGE \
        --environment $CONTAINERAPPS_ENVIRONMENT \
        --registry-server $REGISTRY_SERVER \
-       --registry-username $REGISTRY_USERNAME \
-       --registry-password $REGISTRY_PASSWORD
+       --registry-identity system \
+       --ingress 'external' \
+       --target-port 8080 \
+       --min-replicas 1
    ```
 
 ## 5. Create and connect a PostgreSQL database with identity connectivity
@@ -213,65 +214,66 @@ Next, create a PostgreSQL Database and configure your container app to connect t
 
    ```azurecli-interactive
    DB_SERVER_NAME='msdocs-quarkus-postgres-webapp-db'
-   ADMIN_USERNAME='demoadmin'
-   ADMIN_PASSWORD='<admin-password>'
 
    az postgres flexible-server create \
        --resource-group $RESOURCE_GROUP \
        --name $DB_SERVER_NAME \
        --location $LOCATION \
-       --admin-user $DB_USERNAME \
-       --admin-password $DB_PASSWORD \
-       --sku-name GP_Gen5_2
+       --public-access None \
+       --sku-name Standard_B1ms \
+       --tier Burstable \
+       --active-directory-auth Enabled
    ```
 
    The following parameters are used in the above Azure CLI command:
 
    * *resource-group* &rarr; Use the same resource group name in which you created the web app, for example `msdocs-quarkus-postgres-webapp-rg`.
    * *name* &rarr; The PostgreSQL database server name. This name must be **unique across all Azure** (the server endpoint becomes `https://<name>.postgres.database.azure.com`). Allowed characters are `A`-`Z`, `0`-`9`, and `-`. A good pattern is to use a combination of your company name and server identifier. (`msdocs-quarkus-postgres-webapp-db`)
-   * *location* &rarr; Use the same location used for the web app.
-   * *admin-user* &rarr; Username for the administrator account. It can't be `azure_superuser`, `admin`, `administrator`, `root`, `guest`, or `public`. For example, `demoadmin` is okay.
-   * *admin-password* &rarr; Password of the administrator user. It must contain 8 to 128 characters from three of the following categories: English uppercase letters, English lowercase letters, numbers, and non-alphanumeric characters.
-
-     > [!IMPORTANT]
-     > When creating usernames or passwords **do not** use the `$` character. Later in this tutorial, you will create environment variables with these values where the `$` character has special meaning within the Linux container used to run Java apps.
-
+   * *location* &rarr; Use the same location used for the web app. Change to a different location if it doesn't work.
    * *public-access* &rarr; `None` which sets the server in public access mode with no firewall rules. Rules will be created in a later step.
-   * *sku-name* &rarr; The name of the pricing tier and compute configuration, for example `GP_Gen5_2`. For more information, see [Azure Database for PostgreSQL pricing](https://azure.microsoft.com/pricing/details/postgresql/server/).
+   * *sku-name* &rarr; The name of the pricing tier and compute configuration, for example `Standard_B1ms`. For more information, see [Azure Database for PostgreSQL pricing](https://azure.microsoft.com/pricing/details/postgresql/server/).
+   * *tier* &rarr; The compute tier of the server. For more information, see [Azure Database for PostgreSQL pricing](https://azure.microsoft.com/pricing/details/postgresql/server/).
+   * *active-directory-auth* &rarr; `Enabled` to enable Microsoft Entra authentication.
 
 1. Create a database named `fruits` within the PostgreSQL service with this command:
 
    ```azurecli-interactive
+   DB_NAME=fruits
    az postgres flexible-server db create \
        --resource-group $RESOURCE_GROUP \
        --server-name $DB_SERVER_NAME \
-       --database-name fruits
+       --database-name $DB_NAME
    ```
 
 1. Install the [Service Connector](../service-connector/overview.md) passwordless extension for the Azure CLI:
 
    ```azurecli-interactive
-   az extension add --name serviceconnector-passwordless --upgrade
+   az extension add --name serviceconnector-passwordless --upgrade --allow-preview true
    ```
 
 1. Connect the database to the container app with a system-assigned managed identity, using the connection command.
 
    ```azurecli-interactive
    az containerapp connection create postgres-flexible \
        --resource-group $RESOURCE_GROUP \
-       --name my-container-app \
+       --name $APP_NAME \
        --target-resource-group $RESOURCE_GROUP \
        --server $DB_SERVER_NAME \
-       --database fruits \
-       --managed-identity
+       --database $DB_NAME \
+       --system-identity \
+       --container $APP_NAME
    ```
 
 ## 6. Review your changes
 
 You can find the application URL(FQDN) by using the following command:
 
 ```azurecli-interactive
-az containerapp list --resource-group $RESOURCE_GROUP
+echo https://$(az containerapp show \
+    --name $APP_NAME \
+    --resource-group $RESOURCE_GROUP \
+    --query properties.configuration.ingress.fqdn \
+    -o tsv)
 ```
 
 When the new webpage shows your list of fruits, your app is connecting to the database using the managed identity. You should now be able to edit fruit list as before.
