Add spec.metadata.pemContents to MySQL & MariaDB binding spec

[edwardfward]

Describe the feature

Azure Container Apps does not provide a readily apparent way to mount volumes or files, specifically certs required for MySQL connections, to Dapr to create secure binding components. The only option for MySQL is using spec.metadata.pemPath.

This new feature would add spec.metadata.pemContents to the MySQL & MariaDB Binding Spec and give developers the ability to establish secure component bindings in Azure Container Apps simply by passing a string with the contents of the certificate file (e.g. Microsoft's public SSL certificate which must be downloaded in certain environments like Azure Government Cloud) or leveraging various secret stores.

Example of the new bindings.mysql component:

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: <NAME>
spec:
  type: bindings.mysql
  version: v1
  metadata:
    - name: url # Required, define DB connection in DSN format
      value: "<CONNECTION_STRING>"
    - name: pemPath # Optional
      value: "<PEM PATH>"
    - name: pemContents # Optional but supersedes pemPath
      value: "<PEM CONTENTS>"
    - name: maxIdleConns
      value: "<MAX_IDLE_CONNECTIONS>"
    - name: maxOpenConns
      value: "<MAX_OPEN_CONNECTIONS>"
    - name: connMaxLifetime
      value: "<CONNECTION_MAX_LIFE_TIME>"
    - name: connMaxIdleTime
      value: "<CONNECTION_MAX_IDLE_TIME>"

An example usage in Microsoft Azure:

1. Create Azure Key Vault mysecrets and service principal with the requisite permissions to access the vault. Azure Key Vault Secret Store
2. Create a new secret mypemcontents and copy the PEM certificate file contents into the secret.
3. Create a new secret myconnectionString and copy the connection string to the Azure MySQL:
   <user>:<password>@tcp(<server>:3306)/<database>?allowNativePasswords=true&tls=custom
4. Create or apply the following Dapr secret store component in Azure Container Apps

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: azurekeyvault
spec:
  type: secretstores.azure.keyvault
  version: v1
  metadata:
  - name: vaultName
    value: "mysecrets"
  - name: azureTenantId
    value: "[your_tenant_id]"
  - name: azureClientId
    value: "[your_client_id]"
  - name: azureClientSecret
    value : "[your_client_secret]"

5. Create the secure MySQL binding using spec.metadata.pemContents:

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: mysql-binding
spec:
  type: bindings.mysql
  version: v1
  metadata:
    - name: url
      secretKeyRef:
        name: myconnectionString
        key: myconnectionString
    - name: pemContents
      secretKeyRef:
        name: mypemcontents
        key: mypemcontents
auth: azurekeyvault

Release Note

RELEASE NOTE: ADD MySQL/MariaDB binding now supports PEM contents and PEM path

[github-actions]

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged (pinned, good first issue, help wanted or triaged/resolved) or other activity occurs. Thank you for your contributions.