Quickstart: Deploy an application using the Dapr cluster extension for Azure Kubernetes Service (AKS) or Arc-enabled Kubernetes

In this quickstart, you use the Dapr cluster extension in an AKS or Arc-enabled Kubernetes cluster. You deploy a hello world example, which consists of a Python application that generates messages and a Node.js application that consumes and persists the messages.

Prerequisites

• An Azure subscription. If you don't have an Azure subscription, you can create a free account.
• Azure CLI or Azure PowerShell installed.
• An AKS Cluster with:
  • Workload identity enabled
  • Managed identity created in the same subscription
  • A Kubernetes service account
  • Federated identity credential
  • Dapr cluster extension installed on the AKS cluster
• kubectl installed locally.

Clone the repository

1. Clone the Dapr quickstarts repository using the git clone command.

   git clone https://github.com/Azure-Samples/dapr-aks-extension-quickstart.git
   

2. Change to the dapr-aks-extension-quickstart directory.

Create and configure a Redis store

Open the Azure portal to start the Azure Cache for Redis creation flow.

1. Fill out the recommended information according to the "Create an open-source Redis cache" quickstart instructions.
2. Select Create to start the Redis instance deployment.

Verify resource information

1. Once the Redis resource is deployed, navigate to its overview page.
2. Take note of:
   • The hostname, found in the Essentials section of the cache overview page. The hostname format looks similar to: xxxxxx.redis.cache.windows.net.
   • The SSL port, found in the cache's Advanced Settings blade. The default value is 6380.
3. Navigate to the Authentication blade and verify Microsoft Entra Authentication is enabled on your resource.

Add managed identity

1. In the Authentication blade, type the name of the Managed Identity you created as a prerequisite in the field under Enable Microsoft Entra Authentication checkbox.

   

2. Verify your managed identity is added as a Redis User assigned Data Owner Access Policy permissions.

Enable public network access

For this scenario, your Redis cache uses public network access. Be sure to clean up resources when you're finished with this quickstart.

1. Navigate to the Private Endpoint blade.
2. Click Enable public network access from the top menu.

Configure the Dapr components

In redis.yaml, the component is configured to use Entra ID Authentication using workload identity enabled for AKS cluster. No access keys are required.

- name: useEntraID
  value: "true"
- name: enableTLS
  value: true

1. In your preferred code editor, navigate to the deploy directory in the sample and open redis.yaml.

2. For redisHost, replace the placeholder <REDIS_HOST>:<REDIS_PORT> value with the Redis cache hostname and SSL port you saved earlier from Azure portal.

   - name: redisHost
   value: <your-cache-name>.redis.cache.windows.net:6380
   

Apply the configuration

1. Apply the redis.yaml file using the kubectl apply command.

   kubectl apply -f ./deploy/redis.yaml
   

2. Verify your state store was successfully configured using the kubectl get components.redis command.

   kubectl get components.redis -o yaml
   

   Expected output

   component.dapr.io/statestore created
   

Deploy the Node.js app with the Dapr sidecar

Configure the Node.js app

In node.yaml, the pod spec has the label added to use workload identity,:

labels:
  app: node
  azure.workload.identity/use: "true"

1. Navigate to the deploy directory and open node.yaml.

2. Replace the placeholder <SERVICE_ACCOUNT_NAME> value for serviceAccountName with the service account name you created.

   • This value should be the same service account you used to create the federated identity credential.

Apply the configuration

1. Apply the Node.js app deployment to your cluster using the kubectl apply command.

   kubectl apply -f ./deploy/node.yaml
   

2. Kubernetes deployments are asynchronous, so before moving on to the next steps, verify the deployment is complete with the following command:

   kubectl rollout status deploy/nodeapp
   

3. Access your service using the kubectl get svc command.

   kubectl get svc nodeapp
   

4. Make note of the EXTERNAL-IP in the output.

Verify the Node.js service

1. Using curl, call the service with your EXTERNAL-IP.

   curl $EXTERNAL_IP/ports
   

   Example output

   {"DAPR_HTTP_PORT":"3500","DAPR_GRPC_PORT":"50001"}
   

2. Submit an order to the application.

   curl --request POST --data "@sample.json" --header Content-Type:application/json $EXTERNAL_IP/neworder
   

3. Confirm the order.

   curl $EXTERNAL_IP/order
   

   Expected output

   { "orderId": "42" }
   

Deploy the Python app with the Dapr sidecar

Configure the Python app

In python.yaml, the pod spec has the label added to use workload identity,:

labels:
  app: node
  azure.workload.identity/use: "true"

1. Navigate to the deploy directory and open python.yaml.

2. Replace the placeholder <SERVICE_ACCOUNT_NAME> value for serviceAccountName with the service account name you created.

   • This value should be the same service account you used to create the federated identity credential.

Apply the configuration

1. Deploy the Python app to your Kubernetes cluster using the kubectl apply command.

   kubectl apply -f ./deploy/python.yaml
   

2. Kubernetes deployments are asynchronous, so before moving on to the next steps, verify the deployment is complete with the following command:

   kubectl rollout status deploy/pythonapp
   

Observe messages and confirm persistence

Now that both the Node.js and Python applications are deployed, you can watch messages come through.

1. Get the logs of the Node.js app using the kubectl logs command.

   kubectl logs --selector=app=node -c node --tail=-1
   

   Expected output

   Got a new order! Order ID: 1
   Successfully persisted state
   Got a new order! Order ID: 2
   Successfully persisted state
   Got a new order! Order ID: 3
   Successfully persisted state
   

2. Using curl, call the Node.js app's order endpoint to get the latest order.

   curl $EXTERNAL_IP/order
   

   You should see the latest JSON output in the response.

Clean up resources

If you no longer plan to use the resources from this quickstart, you can delete all associated resources by removing the resource group.

Azure CLI

Remove the resource group, cluster, namespace, and all related resources using the az group delete command.

az group delete --name MyResourceGroup

Azure PowerShell

Remove the resource group, cluster, namespace, and all related resources using the Remove-AzResourceGroup command.

Remove-AzResourceGroup -Name MyResourceGroup

Next steps

Learn how to create the Dapr extension