Azure Kubernetes Service (AKS) with Azure Key Vault (AKV) Part 2— akv2k8s

Step-by-Step Guidance

# get the AKS associated service principal
az aks show -g <resource group name> -n <AKS name> | grep identityProfile -A 5
# note down the object ID of the service principal
# create resource group
az group create --name <resource group name> --location <ex: westus, eastus>
# create azure key vault via AZ CLI
az keyvault create -g <resource group name> -l <location> -n <AKV name>
Ref: az keyvault | Microsoft Docs
# create azure key vault via Azure portal
Quickstart - Create an Azure Key Vault with the Azure portal | Microsoft Docs
# provide AAD SP the permission to get certificates
az keyvault set-policy --name <AKV name> --object-id <AAD SP objectId> --certificate-permissions get
# provide AAD SP the permission to get secrets
az keyvault set-policy --name <AKV name> --object-id <objectId> --secret-permissions get
Ref: az keyvault | Microsoft Docs
# create a new namespace
kubectl create ns akv2k8s
## install via HELM
# add HELM repo
helm repo add spv-charts https://charts.spvapi.no
# update HELM repo
helm repo update
# install akv2k8s
helm upgrade --install akv2k8s spv-charts/akv2k8s \
--namespace akv2k8s
# apply the NGINX Ingress Controller manifest (save a local copy first if you want to change the namespace below)
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.45.0/deploy/static/provider/baremetal/deploy.yaml
# replace the namespace in the saved manifest with something you need
sed -i 's/namespace: ingress-nginx/namespace: <new namespace name>/g' <whatever name you save>.yaml
# create the NGINX Ingress Controller
kubectl apply -f <whatever name you save>.yaml
# the sample YAML file
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
  labels:
    app: httpbin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
  template:
    metadata:
      labels:
        app: httpbin
    spec:
      containers:
      - name: httpbin
        image: kennethreitz/httpbin
---
apiVersion: v1
kind: Service
metadata:
  name: realtime
  labels:
    app: httpbin
spec:
  selector:
    app: httpbin
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
---
# extensions/v1beta1 Ingress was removed in Kubernetes 1.22; use networking.k8s.io/v1 on newer clusters
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-akv2k8s
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  tls:
  - hosts:
    - helloworld.info
    secretName: nginx-cert
  rules:
  - host: helloworld.info
    http:
      paths:
      - path: /
        backend:
          serviceName: realtime
          servicePort: 80
# create the deployment, service and Ingress
kubectl apply -f <whatever name you have>.yaml -n <namespace name>
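The Ingress above expects a TLS secret named nginx-cert, which is what akv2k8s is supposed to sync out of Key Vault. The following is an added example (not from the original post or the akv2k8s project) that renders the AzureKeyVaultSecret object doing that sync and applies it. It assumes the spv.no/v2beta1 API served by the akv2k8s controller, and the AKV_NAME, AKV_CERT_NAME and TARGET_NAMESPACE environment variables are placeholders you supply.

```shell
#!/bin/sh
# Added example: render the akv2k8s AzureKeyVaultSecret that copies a Key Vault
# certificate into the Kubernetes TLS secret referenced by the Ingress (nginx-cert).
# Assumption: the controller serves apiVersion spv.no/v2beta1.

# render_akv_cert_manifest VAULT CERT_NAME SECRET_NAME NAMESPACE
# Prints the manifest on stdout so it can be reviewed or piped to kubectl.
render_akv_cert_manifest() {
  vault="$1"; cert="$2"; secret="$3"; ns="$4"
  cat <<EOF
apiVersion: spv.no/v2beta1
kind: AzureKeyVaultSecret
metadata:
  name: ${secret}-from-akv
  namespace: ${ns}
spec:
  vault:
    name: ${vault}
    object:
      name: ${cert}
      type: certificate
  output:
    secret:
      name: ${secret}
      type: kubernetes.io/tls
EOF
}

# Apply only when the caller provides the real vault and certificate names
# (placeholder env vars, constructed for this example).
if [ -n "${AKV_NAME:-}" ] && [ -n "${AKV_CERT_NAME:-}" ]; then
  render_akv_cert_manifest "$AKV_NAME" "$AKV_CERT_NAME" nginx-cert "${TARGET_NAMESPACE:-default}" \
    | kubectl apply -f -
  # the controller should now create the secret; confirm before pointing the Ingress at it
  kubectl -n "${TARGET_NAMESPACE:-default}" get secret nginx-cert
fi
```

The output type kubernetes.io/tls is what makes the synced secret usable by the NGINX Ingress Controller; the identity permissions granted earlier (get on certificates and secrets) are the minimum the controller needs to read the certificate, and nothing more should be granted.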

Demonstration

# get the Ingress public IP address
kubectl get ing -n <namespace name>
# check the self-signed certificate
openssl s_client -connect <IP you see in Ingress>:443 -servername <server FQDN> -status -tlsextdebug
# check the Ingress service
curl -vk --resolve <hostname set in certificate>:443:<IP address see in Ingress> https://<hostname in certificate>
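The two commands above show the certificate the Ingress serves, but not whether it is actually the one stored in Key Vault. The following is an added example (not from the original post) that closes that gap by comparing SHA-1 thumbprints from both sides. It assumes the x509ThumbprintHex field returned by az keyvault certificate show, and the INGRESS_IP, CERT_HOST, AKV_NAME and AKV_CERT_NAME environment variables are placeholders you supply.

```shell
#!/bin/sh
# Added example: verify that the certificate served by the Ingress matches the
# certificate held in Key Vault by comparing SHA-1 thumbprints.

# normalize_thumbprint STRING: drop any "SHA1 Fingerprint=" prefix and colons, upper-case hex
normalize_thumbprint() {
  printf '%s' "$1" | sed -e 's/^.*=//' -e 's/://g' | tr 'a-f' 'A-F'
}

# thumbprints_match A B: exit 0 when both normalize to the same value, 1 otherwise
thumbprints_match() {
  [ "$(normalize_thumbprint "$1")" = "$(normalize_thumbprint "$2")" ]
}

# served_thumbprint IP HOST: fetch the leaf certificate presented for SNI=HOST
served_thumbprint() {
  openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha1
}

# vault_thumbprint VAULT CERT: read the thumbprint Key Vault records for the certificate
# (assumes the x509ThumbprintHex output field of az keyvault certificate show)
vault_thumbprint() {
  az keyvault certificate show --vault-name "$1" -n "$2" --query x509ThumbprintHex -o tsv
}

# Run the live check only when the placeholder env vars are set (constructed for this example).
if [ -n "${INGRESS_IP:-}" ] && [ -n "${AKV_NAME:-}" ]; then
  served=$(served_thumbprint "$INGRESS_IP" "$CERT_HOST")
  stored=$(vault_thumbprint "$AKV_NAME" "$AKV_CERT_NAME")
  if thumbprints_match "$served" "$stored"; then
    echo "OK: Ingress serves the Key Vault certificate $(normalize_thumbprint "$stored")"
  else
    echo "MISMATCH: served=$(normalize_thumbprint "$served") vault=$(normalize_thumbprint "$stored")" >&2
    exit 1
  fi
fi
```

A mismatch after a certificate rotation in Key Vault usually means the akv2k8s sync has not run yet or the NGINX controller has not reloaded the secret; the controller logs in the Troubleshooting section are the place to look next.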

Troubleshooting

kubectl -n akv2k8s logs deployment/akv2k8s-controller
