Deploy Dapr pluggable components

Important

Azure IoT Operations Preview – enabled by Azure Arc is currently in preview. You shouldn't use this preview software in production environments.

You'll need to deploy a new Azure IoT Operations installation when a generally available release becomes available. You won't be able to upgrade a preview installation.

For legal terms that apply to Azure features that are in beta, in preview, or otherwise not yet released into general availability, see the Supplemental Terms of Use for Microsoft Azure Previews.

The Distributed Application Runtime (Dapr) is a portable, serverless, event-driven runtime that simplifies the process of building distributed applications. Dapr lets you build stateful or stateless apps without worrying about how the building blocks function. Dapr provides several building blocks: pub/sub, state management, service invocation, actors, and more.

Azure IoT Operations supports two of these building blocks, powered by MQTT broker:

  • Publish and subscribe
  • State management

To use the Dapr pluggable components, define the component spec for each of the APIs and then register with the cluster. The Dapr components listen to a Unix domain socket placed on the shared volume. The Dapr runtime connects with each socket and discovers all services from a given building block API that the component implements.

Install Dapr runtime

To install the Dapr runtime, use the following Helm command:

Note

If you completed the provided Azure IoT Operations Preview quickstart, you already installed the Dapr runtime and the following steps are not required.

helm repo add dapr https://dapr.github.io/helm-charts/
helm repo update
helm upgrade --install dapr dapr/dapr --version=1.13 --namespace dapr-system --create-namespace --wait

Register MQTT broker pluggable components

To register the pub/sub and state management pluggable components, create the component manifest YAML and apply it to your cluster.

To create the yaml file, use the following component definitions:

  • metadata:name - The component name is important and is how a Dapr application references the component.
  • metadata:annotations:dapr.io/component-container - Component annotations used by the Dapr sidecar injector, defining the image location, volume mounts, and logging configuration.
  • spec:type - The type of the component, which needs to be declared exactly as shown.
  • spec:metadata:keyPrefix - Defines the key prefix used when communicating with the state store backend. See the Dapr documentation for more information.
  • spec:metadata:hostname - The MQTT broker hostname. Default is aio-broker.
  • spec:metadata:tcpPort - The MQTT broker port number. Default is 18883.
  • spec:metadata:useTls - Defines whether TLS is used by the MQTT broker. Default is true.
  • spec:metadata:caFile - The certificate chain path for validating the MQTT broker. Required if useTls is true. This file must be mounted in the pod with the specified volume name.
  • spec:metadata:satAuthFile - The Service Account Token (SAT) file used to authenticate the Dapr components with the MQTT broker. This file must be mounted in the pod with the specified volume name.

  1. Save the following yaml, which contains the Azure IoT Operations component definitions, to a file named components.yaml:

    apiVersion: dapr.io/v1alpha1
    kind: Component
    metadata:
      name: iotoperations-pubsub
      namespace: azure-iot-operations
      annotations:
        dapr.io/component-container: >
          {
            "name": "iot-operations-dapr-components",
            "image": "ghcr.io/azure/iot-operations-dapr-components:latest",
            "volumeMounts": [
              { "name": "mqtt-client-token", "mountPath": "/var/run/secrets/tokens" },
              { "name": "aio-ca-trust-bundle", "mountPath": "/var/run/certs/aio-internal-ca-cert" }
            ],
            "env": [
                { "name": "pubSubLogLevel", "value": "Information" },
                { "name": "stateStoreLogLevel", "value": "Information" },
                { "name": "defaultLogLevel", "value": "Warning" }
            ]
          }
    spec:
      type: pubsub.azure.iotoperations
      version: v1
      metadata:
      - name: hostname
        value: aio-broker
      - name: tcpPort
        value: 18883
      - name: useTls
        value: true
      - name: caFile
        value: /var/run/certs/aio-internal-ca-cert/ca.crt
      - name: satAuthFile
        value: /var/run/secrets/tokens/mqtt-client-token
    ---
    apiVersion: dapr.io/v1alpha1
    kind: Component
    metadata:
      name: iotoperations-statestore
      namespace: azure-iot-operations
    spec:
      type: state.azure.iotoperations
      version: v1
      metadata:
      - name: hostname
        value: aio-broker
      - name: tcpPort
        value: 18883
      - name: useTls
        value: true
      - name: caFile
        value: /var/run/certs/aio-internal-ca-cert/ca.crt
      - name: satAuthFile
        value: /var/run/secrets/tokens/mqtt-client-token

  2. Apply the component yaml to your cluster by running the following command:

    kubectl apply -f components.yaml

    Verify the following output:

    component.dapr.io/iotoperations-pubsub created
    component.dapr.io/iotoperations-statestore created

Create authorization policy for MQTT broker

To configure authorization policies for the MQTT broker, first create a BrokerAuthorization resource.

Note

If Broker Authorization is not enabled on this cluster, you can skip this section: applications will have access to all MQTT topics, including those needed to reach the MQTT broker state store.

  1. Save the following yaml, which contains a BrokerAuthorization definition, to a file named aio-dapr-authz.yaml:

    apiVersion: mqttbroker.iotoperations.azure.com/v1beta1
    kind: BrokerAuthorization
    metadata:
      name: my-dapr-authz-policies
      namespace: azure-iot-operations
    spec:
      listenerRef:
        - my-listener # change to match your listener name as needed
      authorizationPolicies:
        enableCache: false
        rules:
          - principals:
              attributes:
                - group: dapr-workload # match to the attribute annotated to the service account
            brokerResources:
              - method: Connect
              - method: Publish
                topics:
                  - "$services/statestore/#"
              - method: Subscribe
                topics:
                  - "clients/{principal.clientId}/services/statestore/#"

  2. Apply the BrokerAuthorization definition to the cluster:

    kubectl apply -f aio-dapr-authz.yaml
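
As an added illustration (not part of this page's manifests or the broker's own code), the following Python models how the rules above are evaluated: the principal must carry the group attribute, Publish is confined to the state store request topics, and Subscribe is confined to response topics under the connecting client's own id, so one Dapr workload cannot subscribe to another workload's state store responses. The MQTT wildcard semantics and the default-deny evaluation order are assumptions of this model.

```python
# Constructed model of BrokerAuthorization rule evaluation; rules transcribed from aio-dapr-authz.yaml.
DAPR_RULES = [
    {
        "principals": {"attributes": [{"group": "dapr-workload"}]},
        "brokerResources": [
            {"method": "Connect"},
            {"method": "Publish", "topics": ["$services/statestore/#"]},
            {"method": "Subscribe",
             "topics": ["clients/{principal.clientId}/services/statestore/#"]},
        ],
    }
]

def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT filter match (assumed semantics): '+' is one level, '#' the rest."""
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return True  # matches this level and everything below it
        if i >= len(t_levels) or (level != "+" and level != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)

def principal_matches(rule: dict, attributes: dict) -> bool:
    """Every attribute listed under principals must be present on the principal."""
    return all(
        attributes.get(key) == value
        for attr in rule["principals"].get("attributes", [])
        for key, value in attr.items()
    )

def is_authorized(rules, client_id: str, attributes: dict, method: str, topic=None) -> bool:
    """Default-deny: the operation is allowed only if some rule grants it."""
    for rule in rules:
        if not principal_matches(rule, attributes):
            continue
        for resource in rule["brokerResources"]:
            if resource["method"] != method:
                continue
            if method == "Connect":
                return True  # Connect carries no topic
            for topic_filter in resource.get("topics", []):
                # {principal.clientId} binds the filter to the connecting client's own id.
                bound = topic_filter.replace("{principal.clientId}", client_id)
                if topic is not None and topic_matches(bound, topic):
                    return True
    return False
```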

Next steps

Now that the Dapr components are deployed to the cluster, you can Use Dapr to develop distributed applications.