Connect Container Apps to a database by using Azure Service Connector
Now that your application configurations are updated, you need to create new service connectors for each of the three affected applications, configure each container app to use the passwordless connection method, and then redeploy the updated apps to Azure.
For more information about connecting resources to Azure Service Connector, refer to Tutorial: Create a passwordless connection to a database service via Service Connector.
Step-by-step guidance
- Get the account and resource information to create a Service Connector, and store them as environment variables for later use:

  ```bash
  SUBID=$(az account show --query id -o tsv)
  APPS_IDENTITY_CLIENT_ID=$(az identity show \
    --resource-group $RESOURCE_GROUP \
    --name $APPS_IDENTITY \
    --query clientId \
    --output tsv)
  DB_ID=$(az mysql flexible-server db show \
    --server-name $MYSQL_SERVER_NAME \
    --resource-group $RESOURCE_GROUP \
    --database-name $DATABASE_NAME \
    --query id \
    -o tsv)
  ```
- Create the Service Connector connection for the customers-service app:

  ```bash
  APP_NAME=customers-service
  APP_ID=$(az containerapp show \
    --resource-group $RESOURCE_GROUP \
    --name $APP_NAME \
    --query id \
    -o tsv)
  az containerapp connection create mysql-flexible \
    --resource-group $RESOURCE_GROUP \
    --connection mysql_conn \
    --source-id $APP_ID \
    --target-id $DB_ID \
    --client-type SpringBoot \
    --user-identity client-id=$APPS_IDENTITY_CLIENT_ID subs-id=$SUBID mysql-identity-id=$ADMIN_IDENTITY_RESOURCE_ID user-object-id=$AAD_USER_ID \
    --container $APP_NAME \
    --yes
  ```
- Test the new connection with the validate command:

  ```bash
  az containerapp connection validate \
    --resource-group $RESOURCE_GROUP \
    --name $APP_NAME \
    --connection mysql_conn \
    -o table
  ```

  This command's output should confirm that the connection was made successfully.
- In the Azure portal, go to your customers-service container app and select the Service Connector menu item. Notice that this screen includes details for the connection:
  - You should find the service connector's config values, like `spring.datasource.url` and `spring.datasource.username`, but you should not find a `spring.datasource.password` value. These values are used as environment variables for your app at runtime.
  - Instead of `spring.datasource.password`, you should find a `spring.cloud.azure.credential.client-id` value, which is the client ID of your managed identity.
  - You should also find two additional variables, `spring.datasource.azure.passwordless-enabled` and `spring.cloud.azure.credential.managed-identity-enabled`, both of which should indicate that the connection is configured for passwordless connectivity.
- Apply the changes to your container apps:
  - In the Git repository's config folder, there is a Spring profile configuration file (application-passwordless.yml). In this file, we omit the `spring.datasource` property, and as a result, we don't set a database URL, username, or password. (They're no longer needed.)

    ```yaml
    spring:
      sql:
        init:
          schema-locations: classpath*:db/mysql/schema.sql
          data-locations: classpath*:db/mysql/data.sql
          mode: ALWAYS
    ```

    When we set the environment variable `SPRING_PROFILES_ACTIVE=passwordless` on each app, they'll use this new configuration.
  - Note that the back-end applications already have a managed identity assigned to pull images from Azure Container Registry. You can confirm this by going to the Azure portal and, in each of the container apps, selecting Settings > Identity > User assigned.
  - After the changes are applied, neither the environment variables for SQL Server connections nor the secret to hold the SQL password are required.
- Update the app to use the new JAR file, apply the new passwordless profile, and then redeploy the app to Azure:

  ```bash
  PROFILE=passwordless
  az containerapp update \
    --name $APP_NAME \
    --resource-group $RESOURCE_GROUP \
    --source ./spring-petclinic-$APP_NAME \
    --set-env-vars SPRING_PROFILES_ACTIVE=$PROFILE \
    --remove-env-vars SQL_SERVER SQL_USER SQL_PASSWORD
  ```
- Remove the SQL password secret, which is no longer needed:

  ```bash
  az containerapp secret remove \
    --name $APP_NAME \
    --resource-group $RESOURCE_GROUP \
    --secret-names sql-password
  ```
- Repeat these steps for the vets-service and visits-service apps. Alternatively, to accelerate the process, you can run the ../tools/update-apps-passwordless.sh script:

  ```bash
  export SUBID RESOURCE_GROUP DB_ID APPS_IDENTITY_CLIENT_ID ADMIN_IDENTITY_RESOURCE_ID AAD_USER_ID
  ../tools/update-apps-passwordless.sh
  ```
This script includes all the steps to create the service connections and update the target apps, and it runs the operations for each app in parallel to save lab execution time. For more details, open the file.
This process redeploys each of your apps. After the redeployment is complete, verify that you’re still able to connect to the database and that the apps contain the data. If you need to troubleshoot issues, access the app and service logs.
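As an added check, not part of the lab or of the update-apps-passwordless.sh script, this POSIX shell function applies the portal checks listed earlier (no `spring.datasource.password`, a `spring.cloud.azure.credential.client-id` value, both passwordless flags set to true, and the removed `SQL_*` variables gone) to a container app's environment list, so the three apps can be verified from the CLI. The `az containerapp show` query in the comment that produces that list and the sample values are assumptions, not taken from the lab.

```shell
#!/bin/sh
# Added check, not part of the lab: verify that a container app's environment
# carries the passwordless Service Connector settings and none of the old SQL secrets.
# Input file format (assumed producer command, not from the lab):
#   az containerapp show -g "$RESOURCE_GROUP" -n "$APP_NAME" \
#     --query "properties.template.containers[0].env[].[name,value]" -o tsv > env.tsv

# Print the value of key $2 from file $1; exit status 1 when the key is absent.
env_value() {
  awk -F'\t' -v k="$2" '$1 == k { print $2; found = 1 } END { exit !found }' "$1"
}

# Return 0 when the env list is passwordless, 1 otherwise (reasons go to stderr).
check_passwordless_env() {
  f=$1; rc=0
  # The password and the lab's earlier SQL_* variables must be gone.
  for k in spring.datasource.password SQL_SERVER SQL_USER SQL_PASSWORD; do
    if env_value "$f" "$k" >/dev/null; then
      echo "FAIL: $k is still set" >&2; rc=1
    fi
  done
  # Service Connector must have supplied the URL, username and identity client ID.
  for k in spring.datasource.url spring.datasource.username \
           spring.cloud.azure.credential.client-id; do
    env_value "$f" "$k" >/dev/null || { echo "FAIL: $k missing" >&2; rc=1; }
  done
  # Both passwordless switches must be true.
  for k in spring.datasource.azure.passwordless-enabled \
           spring.cloud.azure.credential.managed-identity-enabled; do
    v=$(env_value "$f" "$k") || v=""
    [ "$v" = "true" ] || { echo "FAIL: $k is '${v:-unset}', expected true" >&2; rc=1; }
  done
  return $rc
}

# Constructed sample env list in the shape the producer command above would emit.
SAMPLE_ENV=$(mktemp)
printf '%s\t%s\n' \
  spring.datasource.url 'jdbc:mysql://<mysql-server>.mysql.database.azure.com:3306/petclinic' \
  spring.datasource.username 'aad_mysql_user' \
  spring.cloud.azure.credential.client-id '<apps-identity-client-id>' \
  spring.datasource.azure.passwordless-enabled true \
  spring.cloud.azure.credential.managed-identity-enabled true \
  SPRING_PROFILES_ACTIVE passwordless > "$SAMPLE_ENV"

check_passwordless_env "$SAMPLE_ENV" && echo "OK: $SAMPLE_ENV is passwordless"
```

Run it once per app after the redeployment; a non-zero exit with a FAIL line names the setting that still needs attention.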