Deploy Dapr pluggable components

The Distributed Application Runtime (Dapr) is a portable, serverless, event-driven runtime that simplifies the process of building distributed applications. Dapr lets you build stateful or stateless apps without worrying about how the building blocks function. Dapr provides several building blocks: pub/sub, state management, service invocation, actors, and more.

Azure IoT Operations supports two of these building blocks, powered by MQTT broker:

  • Publish and subscribe
  • State management

To use the Dapr pluggable components, define the component spec for each of the APIs and then register with the cluster. The Dapr components listen to a Unix domain socket placed on the shared volume. The Dapr runtime connects with each socket and discovers all services from a given building block API that the component implements.

Install Dapr runtime

To install the Dapr runtime, use the following Helm command:

Note

If you completed the provided Azure IoT Operations quickstart, you already installed the Dapr runtime and the following steps are not required.

helm repo add dapr https://dapr.github.io/helm-charts/
helm repo update
helm upgrade --install dapr dapr/dapr --version=1.14 --namespace dapr-system --create-namespace --wait

Register MQTT broker pluggable components

To register the pub/sub and state management pluggable components, create the component manifest yaml, and apply it to your cluster.

To create the yaml file, use the following component definitions:

Component Description
metadata:name The component name is important and is how a Dapr application references the component.
metadata:annotations:dapr.io/component-container Component annotations used by Dapr sidecar injector, defining the image location, volume mounts and logging configuration
spec:type The type of the component, which needs to be declared exactly as shown
spec:metadata:keyPrefix Defines the key prefix used when communicating to the statestore backend. See more information, see Dapr documentation for more information
spec:metadata:hostname The MQTT broker hostname. Default is aio-broker
spec:metadata:tcpPort The MQTT broker port number. Default is 18883
spec:metadata:useTls Define if TLS is used by the MQTT broker. Default is true
spec:metadata:caFile The certificate chain path for validating the MQTT broker. Required if useTls is true. This file must be mounted in the pod with the specified volume name
spec:metadata:satAuthFile The Service Account Token (SAT) file is used to authenticate the Dapr components with the MQTT broker. This file must be mounted in the pod with the specified volume name
  1. Save the following yaml, which contains the Azure IoT Operations component definitions, to a file named components.yaml:

    apiVersion: dapr.io/v1alpha1
    kind: Component
    metadata:
      name: iotoperations-pubsub
      namespace: azure-iot-operations
      annotations:
        dapr.io/component-container: >
          {
            "name": "iot-operations-dapr-components",
            "image": "ghcr.io/azure/iot-operations-dapr-components:latest",
            "volumeMounts": [
              { "name": "mqtt-client-token", "mountPath": "/var/run/secrets/tokens" },
              { "name": "aio-ca-trust-bundle", "mountPath": "/var/run/certs/aio-internal-ca-cert" }
            ],
            "env": [
                { "name": "pubSubLogLevel", "value": "Information" },
                { "name": "stateStoreLogLevel", "value": "Information" },
                { "name": "defaultLogLevel", "value": "Warning" }
            ]
          }
    spec:
      type: pubsub.azure.iotoperations
      version: v1
      metadata:
      - name: hostname
        value: aio-broker
      - name: tcpPort
        value: 18883
      - name: useTls
        value: true
      - name: caFile
        value: /var/run/certs/aio-internal-ca-cert/ca.crt
      - name: satAuthFile
        value: /var/run/secrets/tokens/mqtt-client-token
    ---
    apiVersion: dapr.io/v1alpha1
    kind: Component
    metadata:
      name: iotoperations-statestore
      namespace: azure-iot-operations
    spec:
      type: state.azure.iotoperations
      version: v1
      metadata:
      - name: hostname
        value: aio-broker
      - name: tcpPort
        value: 18883
      - name: useTls
        value: true
      - name: caFile
        value: /var/run/certs/aio-internal-ca-cert/ca.crt
      - name: satAuthFile
        value: /var/run/secrets/tokens/mqtt-client-token    
    
  2. Apply the Component to your cluster by running the following command:

    kubectl apply -f components.yaml
    

    Verify the following output:

    component.dapr.io/iotoperations-pubsub created
    component.dapr.io/iotoperations-statestore created
    

Create authorization policy for MQTT broker

To configure authorization policies to MQTT broker, first you create a BrokerAuthorization resource.

Note

If Broker Authorization is not enabled on this cluster, you can skip this section as the applications will have access to all MQTT topics, including those needed to access the MQTT broker State Store.

  1. Save the following yaml, which contains a BrokerAuthorization definition, to a file named aio-dapr-authz.yaml:

    apiVersion: mqttbroker.iotoperations.azure.com/v1
    kind: BrokerAuthorization
    metadata:
      name: my-dapr-authz-policies
      namespace: azure-iot-operations
    spec:
      listenerRef:
        - my-listener # change to match your listener name as needed
      authorizationPolicies:
        enableCache: false
        rules:
          - principals:
              attributes:
                - group: dapr-workload # match to the attribute annotated to the service account
            brokerResources:
              - method: Connect
              - method: Publish
                topics:
                  - "$services/statestore/#"
              - method: Subscribe
                topics:
                  - "clients/{principal.clientId}/services/statestore/#"
    
  2. Apply the BrokerAuthorization definition to the cluster:

    kubectl apply -f aio-dapr-authz.yaml
    

Next steps

Now that the Dapr components are deployed to the cluster, you can Use Dapr to develop distributed applications.