@lab.Title
This workshop demonstrates how to migrate and modernize the iconic Spring Boot PetClinic application from local execution to Azure AKS Automatic. You'll experience the complete modernization journey using AI-powered tools such as GitHub Copilot app modernization and Containerization Assist MCP Server.
By the end of this workshop, you will be able to:
- Run Spring Boot PetClinic locally with PostgreSQL and basic authentication.
- Modernize the codebase using GitHub Copilot app modernization.
- Migrate the database to Azure PostgreSQL Flexible Server integrated with Microsoft Entra ID.
- Containerize the app using Containerization Assist MCP Server.
- Deploy to AKS Automatic using Workload Identity and Service Connector.
Your virtual machine already includes all the required tools:
- Azure CLI
- Java 17 or 21 (Microsoft OpenJDK)
- Maven 3.8+
- Docker Desktop
- Visual Studio Code with:
- Java Extension Pack
- GitHub Copilot App Modernization Extension Pack
- kubectl
- Windows Terminal with Bash (WSL)
- Git
===
To begin, log into the virtual machine using the following credentials: +++@lab.VirtualMachine(Win11-Pro-Base).Password+++
-
Open Microsoft Edge and log into Azure with the credentials in the Resources tab: +++https://portal.azure.com/+++
!IMAGEresources.png
-
Next, in a terminal window, sign in to uze azure cli:
az login
-
Press the
CTRLkey and then click on the URL in the terminal. This will open a new tab in Edge. !IMAGEaz-cli-click-url.png -
Pick your user account to finish logging in.
!IMAGEaz-cli-login2.png
-
Back in the terminal window, press Enter to select the current subscription
- In a terminal, run the following command to install the service-connector:
az extension add --name serviceconnector-passwordless --upgrade
nohup bash -c 'az aks connection create postgres-flexible --connection pg --source-id @lab.CloudResourceTemplate(LAB502).Outputs[aksClusterId] --target-id @lab.CloudResourceTemplate(LAB502).Outputs[postgresDatabaseId] --workload-identity @lab.CloudResourceTemplate(LAB502).Outputs[userAssignedIdentityId] --client-type none --kube-namespace default | tee ~/spring-petclinic/k8s/sc.json' > ~/spring-petclinic/k8s/sc.log 2>&1 &[!note] This script will log its output into the ~/spring-petclinic/k8s/sc.log file. You can check for its progress opening that file.
Before deploying to AKS, you need to configure kubectl to use Azure RBAC authentication.
- In your terminal window, run the following commands:
# add Admin to your user
az role assignment create --assignee @lab.CloudPortalCredential(User1).Username --role "Azure Kubernetes Service RBAC Cluster Admin" --scope @lab.CloudResourceTemplate(LAB502).Outputs[aksClusterId]
# Get AKS credentials (this downloads the kubeconfig)
az aks get-credentials --resource-group @lab.CloudResourceGroup(myResourceGroup).Name --name @lab.CloudResourceTemplate(LAB502).Outputs[aksClusterName]
# Configure kubectl to use Azure RBAC authentication
kubelogin convert-kubeconfig --login azurecli
# Test AKS access
kubectl get nodes[!note] The
kubelogin convert-kubeconfig --login azureclicommand configures kubectl to use Entra (Azure AD) authentication with the Azure RBAC roles assigned to your user account. This is required for AKS Automatic clusters with Azure RBAC enabled.
To use GitHub Copilot, sign in with the GitHub account provided in your lab environment.
-
In Edge, open +++https://github.com/enterprises/skillable-events/sso+++
-
Click on Continue
!IMAGEcontinue-with-github.png
-
Log in with the credentials listed in the Resources tab.
After signing in to GitHub, open VS Code and complete the Copilot setup:
-
In your terminal, run the following command to launch a new VS Code instance into the
spring-petclinicsource directory:cd ~/spring-petclinic code .
-
Click the account icon (bottom right) → Sign in to use Copilot.
!IMAGEsigned-out.png
-
Select Continue with GitHub
!IMAGEcontinue-to-github.png
-
Authorize VS Code to access your GitHub account.
!IMAGEauthorize-github.png
-
Click Connect, then Authorize Visual-Studio-Code.
!IMAGEauthorized-github.png
-
When prompted, choose to always allow vscode.dev to open links.
!IMAGEallow-vs-code.png
-
Back in VS Code, open the GitHub Copilot Chat window and switch the model to Claude Sonnet 4.5.
!IMAGEgithub-claude.png
Your environment is now configured. Next, you'll verify the local PetClinic application and begin the migration and modernization journey.
===
What You'll Do: Confirm that the locally deployed PetClinic application is running with PostgreSQL, and explore its main features.
What You'll Learn: How to verify a local Spring Boot application connected to a Docker-based PostgreSQL database and navigate its core functionality.
-
In VS Code, open a new terminal by pressing
Ctrl+`(backstick) or go to Terminal → New Terminal in the menu. -
In the new terminal, run the petclinic
mvn clean compile && mvn spring-boot:run \ -Dspring-boot.run.arguments="--spring.messages.basename=messages/messages --spring.datasource.url=jdbc:postgresql://localhost/petclinic --spring.sql.init.mode=always --spring.sql.init.schema-locations=classpath:db/postgres/schema.sql --spring.sql.init.data-locations=classpath:db/postgres/data.sql --spring.jpa.hibernate.ddl-auto=none"
-
Open your browser and go to
http://localhost:8080to confirm the PetClinic application is running.
!IMAGEpeclinic.png
Explore the PetClinic Application:
Once it's running, try out the key features:
-
Find Owners: Select "FIND OWNERS", leave the Last Name field blank, and click "Find Owner" to list all 10 owners.
-
View Owner Details: Click an owner (e.g., Betty Davis) to see their information and pets.
-
Edit Pet Information: From an owner's page, click "Edit Pet" to view or modify pet details.
-
Review Veterinarians: Go to "VETERINARIANS" to see the 6 vets and their specialties (radiology, surgery, dentistry).
After exploring the PetClinic application, you can stop it by pressing CTRL+C
===
What You'll Do: Use GitHub Copilot app modernization to assess, remediate, and modernize the Spring Boot application in preparation to migrate the workload to AKS Automatic.
What You'll Learn: How GitHub Copilot app modernization works, demonstration of modernizing elements of legacy applications, and the modernization workflow
Next let's begin our modernization work.
-
Select
GitHub Copilot app modernizationextension
Now that you have GitHub Copilot setup, you can use the assessment tool to analyze your Spring Boot PetClinic application using the configured analysis parameters.
-
Navigate the Extension Interface and click Migrate to Azure to begin the modernization process.
[!hint] You can follow the progress of the upgrade by looking at the Terminal in vscode !IMAGEassessment-rules.png
Assessment results are consumed by GitHub Copilot App Modernization (AppCAT). AppCAT examines the scan findings and produces targeted modernization recommendations to prepare the application for containerization and migration to Azure.
- target: the desired runtime or Azure compute service you plan to move the app to.
- mode: the analysis depth AppCAT should use.
Analysis targets
Target values select the rule sets and guidance AppCAT will apply.
| Target | Description |
|---|---|
| azure-aks | Guidance and best practices for deploying to Azure Kubernetes Service (AKS). |
| azure-appservice | Guidance and best practices for deploying to Azure App Service. |
| azure-container-apps | Guidance and best practices for deploying to Azure Container Apps. |
| cloud-readiness | General recommendations to make the app "cloud-ready" for Azure. |
| linux | Recommendations to make the app Linux-ready (packaging, file paths, runtime details). |
| openjdk11 | Compatibility and runtime recommendations for running Java 8 apps on Java 11. |
| openjdk17 | Compatibility and runtime recommendations for running Java 11 apps on Java 17. |
| openjdk21 | Compatibility and runtime recommendations for running Java 17 apps on Java 21. |
Analysis modes
Choose how deep AppCAT should inspect the project.
| Mode | Description |
|---|---|
| source-only | Fast analysis that examines source code only. |
| full | Full analysis: inspects source code and scans dependencies (slower, more thorough). |
[!knowledge] Where to change these options
You can customize this report by editing the file at .github/appmod-java/appcat/assessment-config.yaml to change targets and modes.
For this lab, AppCAT runs with the following configuration:
appcat: - target: - azure-aks - azure-appservice - azure-container-apps - cloud-readiness mode: source-onlyIf you want a broader scan (including dependency checks) change
modetofull, or add/remove entries undertargetto focus recommendations on a specific runtime or Azure compute service.
After the assessment completes, you'll see a success message in the GitHub Copilot chat summarizing what was accomplished:
!IMAGEmodule2-assessment-report-overview.png
The assessment analyzed the Spring Boot Petclinic application for cloud migration readiness and identified the following:
Key Findings:
- 8 cloud readiness issues requiring attention (1)
- 1 Java upgrade opportunity for modernization (2)
Resolution Approach: More than 50% of the identified issues can be automatically resolved through code and configuration updates using GitHub Copilot's built-in app modernization capabilities (3).
Issue Prioritization: Issues are categorized by urgency level to guide remediation efforts:
- Mandatory (Purple) - Critical issues that must be addressed before migration.
- Potential (Blue) - Performance and optimization opportunities.
- Optional (Gray) - Nice-to-have improvements that can be addressed later.
This prioritization framework ensures teams focus on blocking issues first while identifying opportunities for optimization and future enhancements.
Click on individual issues in the report to see detailed recommendations. In practice, you would review all recommendations and determine the set that aligns with your migration and modernization goals for the application.
[!note] For this lab, we will spend our time focusing on one modernization recommendation: updating the code to use modern authentication via Azure Database for PostgreSQL Flexible Server with Entra ID authentication.
| Aspect | Details |
|---|---|
| Modernization Lab Focus | Database Migration to Azure PostgreSQL Flexible Server |
| What was found | PostgreSQL database configuration using basic authentication detected in Java source code files |
| Why this matters | External dependencies like on-premises databases with legacy authentication must be resolved before migrating to Azure |
| Recommended solution | Migrate to Azure Database for PostgreSQL Flexible Server |
| Benefits | Fully managed service with automatic backups, scaling, and high availability |
===
Based on the assessment findings, GitHub Copilot app modernization provides two types of migration actions to assist with modernization opportunities:
-
Using the guided migrations ("Run Task" button), which offer fully guided, step-by-step remediation flows for common migration patterns that the tool has been trained to handle.
-
Using the unguided migrations ("Ask Copilot" button), which provide AI assistance with context aware guidance and code suggestions for more complex or custom scenarios.
!IMAGEmodule2-step11-guided-migration-vs-copilot-prompts.png
For this workshop, we'll focus on one modernization area that demonstrates how to externalize dependencies in the workload to Azure PaaS before deploying to AKS Automatic. We'll migrate from self-hosted PostgreSQL with basic authentication to Azure PostgreSQL Flexible Server using Entra ID authentication with AKS Workload Identity.
Begin the modernization by selecting the desired migration task. For our Spring Boot application, we will migrate to Azure PostgreSQL Flexible Server using the Spring option. The other options shown are for generic JDBC usage.
!IMAGEmodule2-step12-select-postgres-migration-task.png
[!note]: Choose the "Spring" option for Spring Boot applications, as it provides Spring-specific optimizations and configurations. The generic JDBC options are for non-Spring applications.
Click the Run Task button described in the previous section to kick off the modernization changes needed in the PetClinic app. This will update the Java code to work with PostgreSQL Flexible Server using Entra ID authentication.
!IMAGEmodule2-step12-run-migration-task.png
The tool will execute the appmod-run-task command for managed-identity-spring/mi-postgresql-spring, which will examine the workspace structure and initiate the migration task to modernize your Spring Boot application for Azure PostgreSQL with managed identity authentication. If prompted to run shell commands, please review and allow each command as the Agent may require additional context before execution.
The App Modernization tool has analyzed your Spring Boot application and generated a comprehensive migration plan in its chat window and in the plan.md file. This plan outlines the specific changes needed to implement Azure Managed Identity authentication for PostgreSQL connectivity.
!IMAGEmodule2-step14-review-migration-plan.png
To Begin Migration type "Continue" in the GitHub Agent Chat to start the code refactoring.
Once you confirm with "Continue", the migration tool begins implementing changes using a structured, two-phase approach designed to ensure traceability and commit changes to a new dedicated code branch for changes to enable rollback if needed.
Two-Phase Migration Process:
[!knowledge] Phase 1: Update Dependencies
- Purpose: Add the necessary Azure libraries to your project.
- Changes made:
- Updates
pom.xmlwith Spring Cloud Azure BOM and PostgreSQL starter dependency - Updates
build.gradlewith corresponding Gradle dependencies - Adds Spring Cloud Azure version properties.
- Updates
[!knowledge] Phase 2: Configure Application Properties
- Purpose: Update configuration files to use managed identity authentication.
- Changes made:
- Updates
application.propertiesto configure PostgreSQL with managed identity (9 lines added, 2 removed) - Updates
application-postgres.propertieswith Entra ID authentication settings (5 lines added, 4 removed) - Replaces username/password authentication with managed identity configuration.
- Updates
Progress Tracking:
The progress.md file provides real-time visibility into the migration process:
- Change documentation: Detailed
- log of what changes are being made and why.
- File modifications: Clear tracking of which files are being updated.
- Rationale: Explanation of the reasoning behind each modification.
- Status updates: Real-time progress of the migration work.
[!hint] How to Monitor Progress:
- Watch the GitHub Copilot chat for real-time status updates
- Check the
progress.mdfile in the migration directory for detailed - change logs
- Review the
plan.mdfile to understand the complete migration strategy - Monitor the terminal output for any build or dependency resolution messages
[!hint]
Upon successful completion of the validation process, the App Modernization tool presents a comprehensive migration summary report confirming the successful implementation of Azure Managed Identity authentication for PostgreSQL in your Spring Boot application.
!IMAGEmodule2-step17-migration-success-summary.png
The migration has successfully transformed your application from password-based Postgres authentication to Azure Managed Identity for PostgreSQL, removing the need for credentials in code while maintaining application functionality. The process integrated Spring Cloud Azure dependencies, updated configuration properties for managed identity authentication, and ensured all validation stages passed including: CVE scanning, build validation, consistency checks, and test execution.
[!knowledge] Because the workload is based on Java Spring Boot, an advantage of this migration is that no Java code changes were required. Spring Boot's configuration-driven architecture automatically handles database connection details based on the configuration files.
When switching from password authentication to managed identity, Spring reads the updated configuration and automatically uses the appropriate authentication method. Your existing Java code for database operations (such as saving pet records or retrieving owner information) continues to function as before, but now connects to the database using the more secure managed identity approach.
Files Modified:
The migration process updated the following configuration files:
-
pom.xmlandbuild.gradle- Added Spring Cloud Azure dependencies. -
application.propertiesandapplication-postgres.properties- Configured managed identity authentication. -
Test configurations - Updated to work with the new authentication method
[!hint] Througout this lab, the GitHub Copilot App Modernization extension will create, edit and change various files. The Agent will give you an option to Keep or Undo these changes which will be saved into a new Branch, preserving your original files in case you need to rollback any changes. !IMAGEkeep-or-undo.png
After implementing the migration changes, the App Modernization tool automatically validates the results through a comprehensive testing process to ensure the migration changes are secure, functional, and consistent.
!IMAGEmodule2-step16-cve-validation-iteration-loop.png
Validation Stages:
| Stage | Validation | Details |
|---|---|---|
| 1 | CVE Validation | Scans newly added dependencies for known security vulnerabilities. |
| 2 | Build Validation | Verifies the application compiles and builds successfully after migration changes. |
| 3 | Consistency Validation | Ensures all configuration files are properly updated and consistent. |
| 4 | Test Validation | Executes application tests to verify functionality remains intact. |
[!note] During these stages, you might be prompted to allow the GitHub Copilot app modernization extension to access GitHub. Allow it and select your user account when asked.
!IMAGEallow-ghcp-cve.png
Automated Error Detection and Resolution:
The tool includes intelligent error detection capabilities that automatically identify and resolve common issues:
- Parses build output to detect compilation errors.
- Identifies root causes of test failures.
- Applies automated fixes for common migration issues.
- Continues through validation iterations (up to 10 iterations) until the build succeeds.
[!hint] User Control: At any point during this validation process, you may interrupt the automated fixes and manually resolve issues if you prefer to handle specific problems yourself. The tool provides clear feedback on what it's attempting to fix and allows you to take control when needed at any time.
This systematic approach ensures your Spring Boot application is successfully modernized for Azure PostgreSQL with Entra ID authentication while maintaining full functionality. [!hint]
===
What You'll Do: Use AI-powered tools to generate Docker and Kubernetes manifests for your modernized Spring Boot application.
What You'll Learn: How to create production-ready containerization assets - including optimized Dockerfiles and Kubernetes manifests configured with health checks, secrets, and workload identity.
In the GitHub Copilot agent chat, use the following prompt to generate production-ready Docker and Kubernetes manifests:
/petclinic Help me containerize the application. Create me a new Dockerfile and update my ACR with @lab.CloudResourceTemplate(LAB502).Outputs[acrLoginServer]
[!note] To expedite your lab experience, you can allow the Containerization Assist MCP server to run on this Workspace. Select Allow in this Workspace or Always Allow.
!IMAGEca-mcp-allow.png
You will also need to allow the MCP server to make LLM requests. Select Always. !IMAGEca-mcp-llm.png
The Containerization Assist MCP Server will analyze your repository and generate:
-
Dockerfile: Multi-stage build with optimized base image
-
Kubernetes Deployment: With Azure workload identity, PostgreSQL secrets, health checks, and resource limits
-
Kubernetes Service: LoadBalancer configuration for external access
Expected Result: Kubernetes manifests in the k8s/ directory.
[!tip] You are almost there. You will deploy the AI generated files, but they might need some tuning later. Before deploying it to your cluster, double check the image location, the use of workload identity and if the service connector secret reference in the deployment file are correct to your environment.
Build the containerized application and push it to your Azure Container Registry:
-
In your terminal window, login to ACR using Azure CLI
az acr login --name @lab.CloudResourceTemplate(LAB502).Outputs[acrName]
-
Build the Docker image in Azure Container Registry
az acr build -t petclinic:0.0.1 . -r @lab.CloudResourceTemplate(LAB502).Outputs[acrName]
===
What You'll Do: Deploy the modernized application to AKS Automatic using Service Connector secrets for passwordless authentication with PostgreSQL.
What You'll Learn: Kubernetes deployment with workload identity, Service Connector integration, and testing deployed applications with Entra ID authentication.
[!knowledge] About AKS Automatic: AKS Automatic is a new mode for Azure Kubernetes Service that provides an optimized and simplified Kubernetes experience. It offers automated cluster management, built-in security best practices, intelligent scaling, and pre-configured monitoring - making it ideal for teams who want to focus on applications rather than infrastructure management.
Using Containerization Assist we have built a Kubernetes manifest for the Petclini application. In the next steps we will deploy it to the AKS Automatic cluster and verify that it is working:
-
Deploy the application:
kubectl apply -f k8s/petclinic.yaml
-
Monitor deployment status
kubectl get pods,services,deployments
It might take a minute for the AKS Automatic cluster to provision new nodes for the workload so it is normal to see your pods in a
Pendingstate until the new nodes are available. You can verify is there are nodes available with thekubectl get nodescommand.NAME READY STATUS RESTARTS AGE petclinic-deployment-5f9db48c65-qpb8l 0/1 Pending 0 2m2s
Test the deployed application and verify Entra ID authentication:
-
Port forward to access the application
kubectl port-forward svc/spring-petclinic-service 9090:8080 ```
- To test the application, open a new tab in Microsoft Edge and go to
http://localhost:9090
Verify that the application is using passwordless authentication:
-
Check environment variables in the pod (get first pod with label)
POD_NAME=$(kubectl get pods -l app=spring-petclinic -o jsonpath='{.items[0].metadata.name}') kubectl exec $POD_NAME -- env | grep POSTGRES
Expected output:
AZURE_POSTGRESQL_PORT=5432 AZURE_POSTGRESQL_DATABASE=petclinic AZURE_POSTGRESQL_USERNAME=aad_pg AZURE_POSTGRESQL_CLIENTID=1094a914-1837-406a-ad58-b9dcc499177a AZURE_POSTGRESQL_HOST=db-petclinic55954159.postgres.database.azure.com AZURE_POSTGRESQL_SSL=true POSTGRES_USER=aad_pg
-
Verify no password environment variables are present
kubectl exec $POD_NAME -- env | grep -i pass
Expected output:
SPRING_DATASOURCE_AZURE_PASSWORDLESS_ENABLED=true
-
Check application logs for successful authentication
kubectl logs -l app=spring-petclinic --tail=100 | grep -i "hibernate"
Expected outcome:
[...] Hibernate: drop table if exists pets cascade Hibernate: drop table if exists specialties cascade Hibernate: drop table if exists types cascade Hibernate: drop table if exists vet_specialties cascade [...]
Expected Outcome: The application is successfully deployed to AKS with passwordless authentication to PostgreSQL using Entra ID and workload identity.
===
Congratulations! You've successfully completed a comprehensive application modernization journey, transforming a legacy Spring Boot application into a cloud-native, secure, and scalable solution on Azure.
!IMAGEpetclinic-on-azure.png
Local Environment Setup
- Set up Spring Boot PetClinic with PostgreSQL in Docker
- Validated local application functionality and database connectivity
Application Modernization
- Used GitHub Copilot App Modernization to assess code for cloud readiness
- Migrated from basic PostgreSQL authentication to Azure PostgreSQL Flexible Server
- Implemented Microsoft Entra ID authentication with managed identity
- Applied automated code transformations for cloud-native patterns
Containerization
- Generated Docker containers using AI-powered tools
- Created optimized Kubernetes manifests with health checks and security best practices
- Built and pushed container images to Azure Container Registry
Cloud Deployment
- Deployed to AKS Automatic with enterprise-grade security
- Configured passwordless authentication using workload identity
- Integrated Azure Service Connector for seamless database connectivity
- Validated production deployment with secure authentication
Continue Your Azure Journey:
- AKS Automatic Documentation - Deep dive into automatic cluster management
- Azure Well-Architected Framework - Learn enterprise architecture best practices
- AKS Engineering Blog - Stay updated with latest AKS features and patterns
Hands-On Labs:
- AKS Labs - Interactive learning experiences
- Azure Architecture Center - Reference architectures and patterns
- Microsoft Learn - AKS Learning Path - Structured learning modules
This workshop demonstrated how AI-powered tools can dramatically accelerate application modernization while maintaining code quality and security standards. The combination of GitHub Copilot App Modernization and Azure's managed services enables teams to focus on business value rather than infrastructure complexity.
===
In this section you can find tips on how to troubleshoot your lab.
If the application fails to start:
- Check Docker is running:
docker ps - Verify PostgreSQL container is healthy:
docker logs petclinic-postgres - Check application logs:
tail -f ~/app.log - Ensure port 8080 is not in use:
lsof -i :8080
If the database connection fails:
- Verify PostgreSQL container is running on port 5432:
docker port petclinic-postgres - Test database connectivity:
docker exec -it petclinic-postgres psql -U petclinic -d petclinic -c "SELECT 1;"
Before you can use Containerization Assist, you must first retrieve the PostgreSQL Service Connector configuration from your AKS cluster.
This information ensures that your generated Kubernetes manifests are correctly wired to the database using managed identity and secret references.
-
Open a new tab in the Edge browser and navigate to +++https://portal.azure.com/+++
-
In the top search bar, type aks-petclinic and select the AKS Automic cluster.
!IMAGEselect-aks-petclinic.png
-
In the left-hand menu under Settings, select Service Connector.
!IMAGEselect-sc.jpg
-
You'll see the service connection that was automatically created PostgreSQL connection with a name that starts with postgresflexible_ connecting to your PostgreSQL flexible server.
-
Select the DB for PostgreSQL flexible server and click the YAML snippet button in the action bar
!IMAGEyaml-snippet.png
-
Expand this connection to see the variables that were created by the
sc-postgresflexiblebft3u-secretin the cluster!IMAGEsc-variables.png
The Azure Portal will display a YAML snippet showing how to use the Service Connector secrets for PostgreSQL connectivity.
[+] Service Connector YAML snippet
!IMAGEsample-yaml.jpg
Note
- The portal shows a sample deployment with workload identity configuration
- Key Elements:
- Service account:
sc-account-d4157fc8-73b5-4a68-acf4-39c8f22db792 - Secret reference:
sc-postgresflexiblebft3u-secret - Workload identity label:
azure.workload.identity/use: "true"
The Service Connector secret (sc-postgresflexiblebft3u-secret in this example), will contain the following variables:
- AZURE_POSTGRESQL_HOST
- AZURE_POSTGRESQL_PORT
- AZURE_POSTGRESQL_DATABASE
- AZURE_POSTGRESQL_CLIENTID (map to both AZURE_CLIENT_ID and AZURE_MANAGED_IDENTITY_NAME)
- AZURE_POSTGRESQL_USERNAME
If for some reason you've made here and your deployment did not work, your deployment file should ressemble this example.
[!hint] Key areas to pay close attention to are:
azure.workload.identity/use: "true"serviceAccountName: sc-account-XXXXthis needs to reflect the service account created earlier during the PostgreSQL Service Connectorimage: <acr-login-server>/petclinic:0.0.1this should point to your ACR and image created earlier.
apiVersion: apps/v1
kind: Deployment
metadata:
name: spring-petclinic
labels:
app: spring-petclinic
version: v1
spec:
replicas: 1
selector:
matchLabels:
app: spring-petclinic
template:
metadata:
labels:
app: spring-petclinic
version: v1
azure.workload.identity/use: "true" # Enable Azure Workload Identity
spec:
serviceAccountName: sc-account-71b8f72b-9bed-472a-8954-9b946feee95c # change this
containers:
- name: spring-petclinic
image: acrpetclinic556325.azurecr.io/petclinic:0.0.1 # change this value
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8080
name: http
protocol: TCP
# Environment variables from Azure Service Connector secret
env:
# Azure Workload Identity - automatically injected by webhook
# AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_FEDERATED_TOKEN_FILE are set by workload identity
# Map PostgreSQL host from secret - with Azure AD authentication parameters
- name: POSTGRES_URL
value: "jdbc:postgresql://$(AZURE_POSTGRESQL_HOST):$(AZURE_POSTGRESQL_PORT)/$(AZURE_POSTGRESQL_DATABASE)?sslmode=require&authenticationPluginClassName=com.azure.identity.extensions.jdbc.postgresql.AzurePostgresqlAuthenticationPlugin"
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: sc-postgresflexible4q7w6-secret # change this value
key: AZURE_POSTGRESQL_USERNAME
# Client ID is also needed for Spring Cloud Azure
- name: AZURE_CLIENT_ID
valueFrom:
secretKeyRef:
name: sc-postgresflexible4q7w6-secret # change this value
key: AZURE_POSTGRESQL_CLIENTID
optional: true
- name: AZURE_MANAGED_IDENTITY_NAME
valueFrom:
secretKeyRef:
name: sc-postgresflexible4q7w6-secret # change this value
key: AZURE_POSTGRESQL_CLIENTID
- name: AZURE_POSTGRESQL_HOST
valueFrom:
secretKeyRef:
name: sc-postgresflexible4q7w6-secret # change this value
key: AZURE_POSTGRESQL_HOST
- name: AZURE_POSTGRESQL_PORT
valueFrom:
secretKeyRef:
name: sc-postgresflexible4q7w6-secret # change this value
key: AZURE_POSTGRESQL_PORT
- name: AZURE_POSTGRESQL_DATABASE
valueFrom:
secretKeyRef:
name: sc-postgresflexible4q7w6-secret # change this value
key: AZURE_POSTGRESQL_DATABASE
- name: SPRING_PROFILES_ACTIVE
value: "postgres"
# Spring Cloud Azure configuration for workload identity
- name: SPRING_CLOUD_AZURE_CREDENTIAL_MANAGED_IDENTITY_ENABLED
value: "true"
- name: SPRING_DATASOURCE_AZURE_PASSWORDLESS_ENABLED
value: "true"
# Make all secret keys available in the pod
envFrom:
- secretRef:
name: sc-postgresflexible4q7w6-secret # change this value
# Health check probes
livenessProbe:
httpGet:
path: /actuator/health
port: 8080
scheme: HTTP
initialDelaySeconds: 60
periodSeconds: 10
timeoutSeconds: 3
successThreshold: 1
failureThreshold: 3
readinessProbe:
httpGet:
path: /actuator/health
port: 8080
scheme: HTTP
initialDelaySeconds: 30
periodSeconds: 5
timeoutSeconds: 3
successThreshold: 1
failureThreshold: 3
# Resource limits and requests
resources:
requests:
memory: "512Mi"
cpu: "500m"
limits:
memory: "1Gi"
cpu: "1000m"
# Security context
securityContext:
runAsNonRoot: true
runAsUser: 1000
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
capabilities:
drop:
- ALL
# Pod security context
securityContext:
fsGroup: 1000
# Restart policy
restartPolicy: Always