Merge pull request #301414 from haochenghuang/haochuang/migration-jca

[ASA] Update loading certificates from key vault in custom domain part of migration docs

Author: JillGrant615

articles/spring-apps/migration/migrate-to-azure-container-apps-custom-domain.md

@@ -46,7 +46,7 @@ If you need to secure your custom domain in Azure Container Apps, you can use a
 
 If you have a private certificate stored locally, you can upload it. For more information, see [Custom domain names and bring your own certificates in Azure Container Apps](../../container-apps/custom-domains-certificates.md).
 
-If your certificate is from Azure Key Vault, see [Import certificates from Azure Key Vault to Azure Container Apps](../../container-apps/key-vault-certificates-manage.md) for more information.
+If your certificate is from Azure Key Vault, you can import certificates to Azure Container Apps directly. For more information, see [Import certificates from Azure Key Vault to Azure Container Apps](../../container-apps/key-vault-certificates-manage.md).
 
 If you want to continue using the original certificate and domain name from Azure Spring Apps, you can upload the certificate to container apps or Azure Key Vault. Also, you can update the A record or CNAME in your DNS provider to redirect the original domain name to the container app IP or URL.
 
@@ -117,140 +117,122 @@ For more information, see the [Peer-to-peer encryption](../../container-apps/net
 
 ## Traffic to external services
 
-### Reference a certificate from Key Vault and mount certificates in a volume
+This sample shows how to enable TLS and mTLS for traffic to external services by loading the certificate from Azure Key Vault using the `spring-cloud-azure-starter-keyvault-jca` library. Your Java project must use Spring Boot 3.1+ and include the following dependency in your **pom.xml** file:
 
-When you define a certificate, you create a reference to a certificate stored in Azure Key Vault. Azure Container Apps automatically retrieves the certificate value from Key Vault and makes it available as a secret in your container app.
-
-To reference a certificate from Key Vault, you must first enable managed identity in your container app and grant the identity access to the Key Vault secrets.
-
-To enable managed identity in your container app, see [Managed identities in Azure Container Apps](../../container-apps/managed-identity.md).
-
-To grant access to a Key Vault certificate, add the role assignment `Key Vault Secrets User` in Key Vault for the managed identity you created. For more information, see [Best Practices for individual keys, secrets, and certificates role assignments](/azure/key-vault/general/rbac-guide#best-practices-for-individual-keys-secrets-and-certificates-role-assignments).
-
-When you create a container app, certificates are defined using the `--secrets` parameter and using the following guidelines:
-
-- The parameter accepts a space-delimited set of name/value pairs.
-- Each pair is delimited by an equals sign (`=`).
-- To specify a Key Vault reference, use the format `<certificate-name>=keyvaultref:<key-vault-secret-identifier-of-certificate>,identityref:<managed-identity-ID>`. For example, `my-cert=keyvaultref:https://mykeyvault.vault.azure.net/secrets/mycert,identityref:/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/my-resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my-identity`.
-
-The following command provides an example:
-
-```azurecli
-az containerapp create \
-    --resource-group "my-resource-group" \
-    --name "my-app" \
-    --environment "my-environment-name" \
-    --image <image_name> \
-    --user-assigned "<user-assigned-identity-ID>" \
-    --secrets "my-cert=keyvaultref:<key-vault-secret-identifier-of-certificate>,identityref:<user-assigned-identity-ID>"
-    --secret-volume-mount "/mnt/cert"
+```xml
+<dependency>
+    <groupId>com.azure.spring</groupId>
+    <artifactId>spring-cloud-azure-starter-keyvault-jca</artifactId>
+    <version>5.23.0</version>
+</dependency>
 ```
 
-Here, a certificate is declared in the `--secrets` parameter. Replace `<key-vault-secret-identifier-of-certificate>` with the Secret Identifier URI of your certificate in Key Vault. Replace `<user-assigned-identity-ID>` with the resource ID of the user assigned identity. For a system assigned identity, use `system` instead of the resource ID. The certificate mounted in a volume is named `my-cert` of type Secret. The volume is mounted at the path **/mnt/cert**. The application can then read the secrets as files in the volume mount.
+### Load a certificate into the truststore from Key Vault with SSL bundle
 
-For an existing container app, you can use following commands to reference a secret from Key Vault and mount it to a volume:
+Use the following steps to load a certificate into the truststore from Azure Key Vault using the `spring-cloud-azure-starter-keyvault-jca` library:
 
-```azurecli
-az containerapp secret set \
-    --resource-group "my-resource-group" \
-    --name "my-app" \
-    --secrets "my-cert=keyvaultref:<key-vault-secret-identifier-of-certificate>,identityref:<user-assigned-identity-ID>"
+1. Generate or import certificates in Azure Key Vault. For more information, see [Create and import certificates in Azure Key Vault](/azure/key-vault/certificates/certificate-scenarios#creating-and-importing-certificates).
 
-az containerapp update \
-    --resource-group "my-resource-group" \
-    --name "my-app" \
-    --secret-volume-mount "/mnt/cert"
-```
-
-### Load a certificate from code
-
-Your loaded certificates are available in your defined mounted path - for example, **/mnt/cert/my-cert**. Use the following Java code to load a certificate in an application in Azure Container Apps.
-
-Because the certificate is mounted as a secret, its content is encoded in Base64, so you might need to decode it before use.
-
-```java
-try {
-  byte[] encodedBytes = Files.readAllBytes(Paths.get("/mnt/cert/my-cert"));
-  PKCS12PfxPdu pfx = new PKCS12PfxPdu(Base64.getDecoder().decode(encodedBytes));
-  List<Certificate> certificates = new ArrayList<>();
-  for (ContentInfo contentInfo : pfx.getContentInfos()) {
-    if (contentInfo.getContentType().equals(PKCSObjectIdentifiers.encryptedData)) {
-      PKCS12SafeBagFactory safeBagFactory = new PKCS12SafeBagFactory(contentInfo,
-        new JcePKCSPBEInputDecryptorProviderBuilder().build("\0".toCharArray()));
-      PKCS12SafeBag[] safeBags = safeBagFactory.getSafeBags();
-      for (PKCS12SafeBag safeBag : safeBags) {
-        Object bagValue = safeBag.getBagValue();
-        if (bagValue instanceof X509CertificateHolder) {
-          CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
-          InputStream in = new ByteArrayInputStream(((X509CertificateHolder) bagValue).getEncoded());
-          certificates.add(certFactory.generateCertificate(in));
-        }
-      }
-    }
-  }
-
-  // use the loaded certificate in 'certificates'
-} catch (PKCSException | CertificateException | IOException e) {
-  // handle exception
-}
-```
+1. Enable managed identity in your container app. To enable managed identity in your container app, see [Managed identities in Azure Container Apps](../../container-apps/managed-identity.md).
 
-In this sample code, you need to import [org.bouncycastle.bcpkix-lts8on](https://mvnrepository.com/artifact/org.bouncycastle/bcpkix-lts8on) to your project to parse the certificate data.
+1. Grant the `Key Vault Certificate User` role to the managed identity in your Key Vault. For more information, see [Best Practices for individual keys, secrets, and certificates role assignments](/azure/key-vault/general/rbac-guide#best-practices-for-individual-keys-secrets-and-certificates-role-assignments).
 
-### Load a certificate into the trust store
+1. Add the following configuration to your **application.yml** file:
 
-Use the following steps to load a certificate:
-
-1. Set up a storage account - for example, `/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-resource-group/providers/Microsoft.Storage/storageAccounts/mystorageaccount`.
-
-1. Download and upload the JCA library. Get the latest version of the JCA library from the Maven repository [azure-security-keyvault-jca](https://mvnrepository.com/artifact/com.azure/azure-security-keyvault-jca) and upload the JAR file to a file share in the storage account - for example, **/jca/lib/azure-security-keyvault-jca.jar**.
-
-1. Use the following steps to modify and upload a Java security configuration:
-
-    1. Make a copy of the **java.security** file in your JDK. For Java version 8 or earlier, you can find the **java.security** file at **$JAVA_HOME/jre/lib/security/java.security**. For Java version 11 or later, you can find the **java.security** file at **$JAVA_HOME/conf/security**.
-
-    1. Locate `security.provider.<#>=` property in the file and add the following line:
-
-       ```text
-       security.provider.<#>=com.azure.security.keyvault.jca.KeyVaultJcaProvider
-       ```
-
-       In this line, the number sign placeholder `<#>` represents one increment above the last number in the list - for example, `security.provider.14`.
-
-    1. Upload the modified **java.security** file to a file share in the storage account - for example, **/jca/security/java.security**.
-
-1. Upload the certificates that need to be loaded into the trust store to the file share in the storage account - for example, **/jca/truststore/**.
-
-1. Add the volume mount. To add a volume mount for the JCA library and certificates in the container app, see [Tutorial: Create an Azure Files volume mount in Azure Container Apps](../../container-apps/storage-mounts-azure-files.md). You can mount it, for example, as **/mnt/jca/**.
-
-1. Update your image with JCA-related parameters. Modify your Dockerfile as shown in the following example:
-
-   ```dockerfile
-   # filename: JAR.dockerfile
+   ```yml
+   spring:
+     ssl:
+       bundle:
+         keyvault:
+           tlsClientBundle:
+             truststore:
+               keyvault-ref: keyvault1
+   cloud:
+     azure:
+       keyvault:
+         jca:
+           vaults:
+             keyvault1:
+               endpoint: ${KEY_VAULT_SSL_BUNDLES_KEYVAULT_URI_01}
+               credential:
+                 client-id: ${KEY_VAULT_SSL_BUNDLES_CLIENT_ID}  # Required for user-assigned managed identity
+                 managed-identity-enabled: true
+   ```
 
-   FROM mcr.microsoft.com/openjdk/jdk:17-mariner
+1. To apply the Key Vault SSL bundle, update your `RestTemplate` or `WebClient` bean configuration, as shown in the following example:
 
-   ARG JAR_FILENAME
+   ```java
+   // For RestTemplate
+   @Bean
+   RestTemplate restTemplateWithTLS(RestTemplateBuilder restTemplateBuilder, SslBundles sslBundles) {
+     return restTemplateBuilder.sslBundle(sslBundles.getBundle("tlsClientBundle")).build();
+   }
 
-   COPY $JAR_FILENAME /opt/app/app.jar
-   ENTRYPOINT ["java", "-Dsecurity.overridePropertiesFile=true", "-Djava.security.properties=/mnt/jca/security/java.security", \
-       "--module-path", "/mnt/jca/lib", "--add-modules=com.azure.security.keyvault.jca", "-Djavax.net.ssl.trustStoreType=AzureKeyVault", \
-       "-Dazure.cert-path.custom=/mnt/jca/truststore/", "-jar", "/opt/app/app.jar"]
+   // For WebClient
+   @Bean
+   WebClient webClientWithTLS(WebClientSsl ssl) {
+     return WebClient.builder().apply(ssl.fromBundle("tlsClientBundle")).build();
+   }
    ```
 
-1. Rebuild the image with the following command and then upload it to the container registry:
-
-   ```azurecli
-   docker build -t <image-name>:<image-tag> \
-       -f JAR.dockerfile \
-       --build-arg JAR_FILENAME=<path-to-jar> \
-       .
+### Enable mTLS communication
+
+Use the following steps to set up mTLS for two-way authentication between client and server:
+
+1. Generate or import both client and server certificates to Azure Key Vault. For more information, see [Create and import certificates in Azure Key Vault](/azure/key-vault/certificates/certificate-scenarios#creating-and-importing-certificates).
+
+1. Enable managed identity for your container app. To enable managed identity in your container app, see [Managed identities in Azure Container Apps](../../container-apps/managed-identity.md).
+
+1. Grant the `Key Vault Certificate User` role to the managed identity for both key vaults. For more information, see [Best Practices for individual keys, secrets, and certificates role assignments](/azure/key-vault/general/rbac-guide#best-practices-for-individual-keys-secrets-and-certificates-role-assignments).
+
+1. Add the following configuration to your **application.yml** file for mTLS:
+
+   ```yml
+   spring:
+     ssl:
+       bundle:
+         keyvault:
+           mtlsClientBundle:
+             key:
+               alias: client
+             for-client-auth: true
+             keystore:
+               keyvault-ref: keyvault2
+             truststore:
+               keyvault-ref: keyvault1
+   cloud:
+     azure:
+       keyvault:
+         jca:
+           vaults:
+             keyvault1:
+               endpoint: ${KEY_VAULT_SSL_BUNDLES_KEYVAULT_URI_01}
+               credential:
+                 client-id: ${KEY_VAULT_SSL_BUNDLES_CLIENT_ID}  # Required for user-assigned managed identity
+                 managed-identity-enabled: true
+             keyvault2:
+               endpoint: ${KEY_VAULT_SSL_BUNDLES_KEYVAULT_URI_02}
+               credential:
+                 client-id: ${KEY_VAULT_SSL_BUNDLES_CLIENT_ID}  # Required for user-assigned managed identity
+                 managed-identity-enabled: true
    ```
 
-1. Create or update your container app. For more information, see [Quickstart: Deploy your first container app using the Azure portal](../../container-apps/quickstart-portal.md).
+1. To apply the Key Vault SSL bundle, update your `RestTemplate` or `WebClient` bean configuration, as shown in the following example:
 
-For more information on using the JCA Provider for Azure Key Vault in your Java application, see [JCA Provider Example](https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/keyvault/azure-security-keyvault-jca#examples).
+   ```java
+   // For RestTemplate
+   @Bean
+   RestTemplate restTemplateWithMTLS(RestTemplateBuilder restTemplateBuilder, SslBundles sslBundles) {
+     return restTemplateBuilder.sslBundle(sslBundles.getBundle("mtlsClientBundle")).build();
+   }
+
+   // For WebClient
+   @Bean
+   WebClient webClientWithMTLS(WebClientSsl ssl) {
+     return WebClient.builder().apply(ssl.fromBundle("mtlsClientBundle")).build();
+   }
+   ```
 
-This method maintains consistency with the behavior of Azure Spring Apps. You can also use other ways to load certificates into the trust store.
+For more information on using the `spring-cloud-azure-starter-keyvault-jca` library in your Spring Boot application, see [Introducing Spring Cloud Azure Starter Key Vault JCA: Streamlined TLS and mTLS for Spring Boot](https://devblogs.microsoft.com/azure-sdk/introducing-spring-cloud-azure-starter-key-vault-jca-streamlined-tls-and-mtls-for-spring-boot/).
 
 By following these steps, you can successfully migrate your custom domain with TLS/SSL from Azure Spring Apps to Azure Container Apps, maintaining secure and efficient communication across all traffic types.