
Adds EntraID auth support to all Redis Components #3470

Merged (10 commits) on Jul 2, 2024

Conversation

berndverst (Member):

Description

Implements EntraID / AAD support for Azure Cache for Redis across all components

For a component yaml file to use Azure Cache for Redis with Entra ID see this:

This will assume that either your UserPrincipal (via AzureCLICredential) or the SystemAssigned Managed Identity has the RedisDataOwner role permission. If a user-assigned identity is to be used, the azureClientID property needs to be specified.

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: statestore
spec:
  type: state.redis
  initTimeout: 30s
  metadata:
    - name: redisHost
      value: MYHOSTNAME.redis.cache.windows.net:6380
    - name: useEntraID
      value: "true"
    - name: enableTLS
      value: "true"

Issue reference

Adds #3088


Testing

Manually modified certification and conformance tests to run against Azure Cache for Redis using modified component configurations to exercise the new auth mechanism.

@berndverst berndverst requested review from a team as code owners June 29, 2024 05:22
@berndverst (Member Author):

I will cherry pick this into Release 1.14 once merged.


@ItalyPaleAle ItalyPaleAle left a comment


Thank you for this PR, it solves a long-standing open issue. Overall seems good, I just have some comments.

Review comments (all resolved) on common/component/redis/redis.go and bindings/redis/metadata.yaml.
@berndverst berndverst requested a review from ItalyPaleAle July 1, 2024 23:49

@ItalyPaleAle ItalyPaleAle left a comment


LGTM!

@berndverst berndverst merged commit b656b0d into dapr:main Jul 2, 2024
87 of 88 checks passed
berndverst added a commit to berndverst/components-contrib that referenced this pull request Jul 2, 2024
@berndverst (Member Author):

The feature will work like this for all Redis components:

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: statestore
spec:
  type: state.redis
  initTimeout: 30s
  metadata:
    - name: redisHost
      value: MYHOSTNAME.redis.cache.windows.net:6380
    - name: useEntraID
      value: "true"
    - name: enableTLS
      value: "true"

(change the component type of course)

TLS must be enabled, and the useEntraID property must be set. Beyond that you only need to specify the hostname with port (6380 seems to be the Azure Redis default).

This will automatically support all forms of EntraID (AAD) authentication, including Workload Identity, Managed Identities and also Azure CLI Credential (User principal). For more details on all those see:
https://docs.dapr.io/developing-applications/integrations/azure/azure-authentication/authenticating-azure/

Of course don't forget to enable Entra ID authentication on your Azure Redis server itself! And enabling it takes a few minutes to propagate as well.
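The two rules stated in the comment above (useEntraID requires enableTLS, and redisHost must carry an explicit host:port) are easy to get wrong in a component YAML and are only reported at init time. The following is an added example, not code from this PR or from the Dapr code base: a stdlib-only Go preflight check over a component's spec.metadata key/value pairs. The type and function names (RedisEntraIDConfig, ParseMetadata, Validate) are invented for this illustration; the metadata keys redisHost, useEntraID, enableTLS and azureClientID are the ones named on this page, and the sample input in main is constructed from the YAML shown above.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// RedisEntraIDConfig holds the metadata fields of a Dapr Redis component that
// matter for Entra ID auth. Names are hypothetical; the keys mirror the page.
type RedisEntraIDConfig struct {
	RedisHost     string // host:port, e.g. MYHOSTNAME.redis.cache.windows.net:6380
	UseEntraID    bool   // "useEntraID" metadata key
	EnableTLS     bool   // "enableTLS" metadata key
	AzureClientID string // optional, only needed for a user-assigned identity
}

// defaultAzureRedisTLSPort is the port used in the page's example (6380).
const defaultAzureRedisTLSPort = "6380"

// ParseMetadata converts spec.metadata name/value pairs into a config.
// Booleans are parsed with strconv.ParseBool ("true"/"false"/"1"/"0" ...);
// an unparsable value is reported rather than silently treated as false.
func ParseMetadata(meta map[string]string) (RedisEntraIDConfig, error) {
	var cfg RedisEntraIDConfig
	cfg.RedisHost = strings.TrimSpace(meta["redisHost"])
	cfg.AzureClientID = strings.TrimSpace(meta["azureClientID"])
	var err error
	if v, ok := meta["useEntraID"]; ok {
		if cfg.UseEntraID, err = strconv.ParseBool(strings.TrimSpace(v)); err != nil {
			return cfg, fmt.Errorf("useEntraID: %w", err)
		}
	}
	if v, ok := meta["enableTLS"]; ok {
		if cfg.EnableTLS, err = strconv.ParseBool(strings.TrimSpace(v)); err != nil {
			return cfg, fmt.Errorf("enableTLS: %w", err)
		}
	}
	return cfg, nil
}

// Validate enforces the rules stated in the PR discussion and returns every
// violation joined into one error (nil when the config is acceptable):
//   - redisHost is required and must be host:port (no port defaulting here,
//     since the PR asks for the port to be given explicitly; 6380 is the usual one)
//   - useEntraID=true requires enableTLS=true
func Validate(cfg RedisEntraIDConfig) error {
	var problems []error
	if cfg.RedisHost == "" {
		problems = append(problems, errors.New("redisHost is required"))
	} else if host, port, err := net.SplitHostPort(cfg.RedisHost); err != nil || host == "" || port == "" {
		problems = append(problems, fmt.Errorf(
			"redisHost %q must be host:port (Azure Cache for Redis TLS port is usually %s)",
			cfg.RedisHost, defaultAzureRedisTLSPort))
	}
	if cfg.UseEntraID && !cfg.EnableTLS {
		problems = append(problems, errors.New("useEntraID=true requires enableTLS=true"))
	}
	return errors.Join(problems...)
}

func main() {
	// Constructed sample: the metadata from the component YAML on this page.
	pageExample := map[string]string{
		"redisHost":  "MYHOSTNAME.redis.cache.windows.net:6380",
		"useEntraID": "true",
		"enableTLS":  "true",
	}
	// Constructed sample: TLS turned off and the port dropped.
	broken := map[string]string{
		"redisHost":  "MYHOSTNAME.redis.cache.windows.net",
		"useEntraID": "true",
		"enableTLS":  "false",
	}
	for name, meta := range map[string]map[string]string{"page example": pageExample, "broken": broken} {
		cfg, err := ParseMetadata(meta)
		if err == nil {
			err = Validate(cfg)
		}
		fmt.Printf("%s: %v\n", name, err)
	}
}
```

Run it as a preflight step before applying a component to a cluster; the check is purely local and says nothing about whether Entra ID auth is actually enabled on the cache or whether the identity holds the Redis data role, which the comment above notes must still be done on the Azure side.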

@berndverst (Member Author):

In my own testing I just assigned myself (my user) the Azure Redis Data Owner role, then refreshed my CLI Credential. Then I used the above component yaml locally (with my server name). Everything worked perfectly fine.
