Azure Kubernetes Service (AKS) with Azure Key Vault (AKV) Part 2— akv2k8s

Step-by-Step Guidance

  • Get the AKS kubelet identity (a user-assigned managed identity)
# show the identities attached to the cluster; akv2k8s authenticates to AKV with the kubelet identity by default
az aks show -g <resource group name> -n <AKS name> --query identityProfile.kubeletidentity -o json
# note down its objectId; the steps below call this the AAD SP object ID
  • Create an AKV
# create resource group
az group create --name <resource group name> --location <ex: westus, eastus>
# create azure key vault via AZ CLI
az keyvault create -g <resource group name> -l <location> -n <AKV name>
Ref: az keyvault | Microsoft Docs
# create azure key vault via Azure portal
Ref: Quickstart - Create an Azure Key Vault with the Azure portal | Microsoft Docs
  • Grant the identity from the first step (the "AAD SP", which on a managed-identity cluster is the kubelet's user-assigned identity) permission to get both secrets and certificates in the target AKV. The certificate is created in AKV, but akv2k8s also needs its private key, which AKV exposes through the secret it creates alongside every certificate; on the AKS side the result is stored as a kubernetes.io/tls secret. So both permissions are needed, and get is sufficient: do not grant list, set or delete.
# provide AAD SP the permission to get certificates
az keyvault set-policy --name <AKV name> --object-id <AAD SP objectId> --certificate-permissions get
# provide AAD SP the permission to get secrets (both flags can also be passed in a single set-policy call)
az keyvault set-policy --name <AKV name> --object-id <AAD SP objectId> --secret-permissions get
# note: set-policy only applies to vaults using the access-policy permission model; a vault on the Azure RBAC model needs the Key Vault Secrets User and Key Vault Certificate User roles assigned to the same objectId instead
Ref: az keyvault | Microsoft Docs
  • Install akv2k8s on AKS
# create a new namespace
kubectl create ns akv2k8s
## install via HELM
# add HELM repo
helm repo add spv-charts https://charts.spvapi.no
# update HELM repo
helm repo update
# install akv2k8s
helm upgrade --install akv2k8s spv-charts/akv2k8s \
--namespace akv2k8s
  • Create an AzureKeyVaultSecret resource in the application namespace that points at the certificate in AKV and outputs a kubernetes.io/tls secret; the Ingress below expects that secret to be called nginx-cert
  • Create a NGINX Ingress Controller
# download the manifest to a file so the namespace can be edited before applying it; the baremetal variant exposes the controller as a NodePort, so on AKS prefer provider/cloud/deploy.yaml from the same tag, which creates an Azure load balancer with a public IP
curl -fsSLo ingress-nginx.yaml https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.45.0/deploy/static/provider/baremetal/deploy.yaml
# replace the namespace with something you need; this only rewrites namespace: fields, not the Namespace object itself, so create the new namespace first (or keep ingress-nginx)
sed -i 's/namespace: ingress-nginx/namespace: <new namespace name>/g' ingress-nginx.yaml
# create the NGINX Ingress Controller
kubectl apply -f ingress-nginx.yaml
  • Create a test application deployment, service and Ingress
# the sample YAML file (the Ingress references the nginx-cert TLS secret that akv2k8s creates)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin
  labels:
    app: httpbin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
  template:
    metadata:
      labels:
        app: httpbin
    spec:
      containers:
      - name: httpbin
        image: kennethreitz/httpbin
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: realtime
  labels:
    app: httpbin
spec:
  selector:
    app: httpbin
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
---
# extensions/v1beta1 Ingress was removed in Kubernetes 1.22; networking.k8s.io/v1 is supported by ingress-nginx v0.45.0 on 1.19+
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-akv2k8s
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  tls:
  - hosts:
    - helloworld.info
    secretName: nginx-cert
  rules:
  - host: helloworld.info
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: realtime
            port:
              number: 80
# create the deployment, service and Ingress; the Ingress and the nginx-cert secret must be in the same namespace
kubectl apply -f <whatever name you have>.yaml -n <namespace name>

Demonstration

# get the Ingress address; it is the Azure load balancer public IP when the controller was deployed from the cloud provider manifest (the baremetal manifest only gives a NodePort)
kubectl get ing -n <namespace name>
# check the certificate served by the Ingress; -servername must match the host in the Ingress, otherwise nginx serves its default "Kubernetes Ingress Controller Fake Certificate" instead of nginx-cert. The certificate is self-signed if that is how it was created in AKV
openssl s_client -connect <IP you see in Ingress>:443 -servername <server FQDN> -status -tlsextdebug </dev/null
# check the Ingress service; --resolve pins the hostname to the Ingress IP without DNS, and -k is needed because curl does not trust the self-signed certificate
curl -vk --resolve <hostname set in certificate>:443:<IP address seen in Ingress> https://<hostname in certificate>
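The following script is an added example, not code from the original post or from the akv2k8s project. It strings the steps above together and adds the checks the post leaves out: the AzureKeyVaultSecret manifest that the "Create a resource of AzureKeyVaultSecret" step needs, a wait for the synced secret, and a fingerprint comparison proving that the certificate in AKV, the Kubernetes secret and the certificate the Ingress actually serves are one and the same. Resource names (my-rg, my-aks, my-akv, helloworld-cert, the demo namespace) are placeholders; it also assumes the default akv2k8s setup where the controller uses the kubelet identity, and that the Ingress controller was deployed with the cloud provider manifest so the Ingress status carries a load balancer IP.

```bash
#!/usr/bin/env bash
# Added example (not from the original post or akv2k8s). Placeholder values for
# resource group, cluster, vault, certificate, namespace and secret name are
# assumptions; the secret is called nginx-cert to match the sample Ingress.
set -euo pipefail

# Render the AzureKeyVaultSecret manifest: akv2k8s reads the AKV certificate
# together with its private key and writes a kubernetes.io/tls secret.
render_akvs_manifest() {      # args: vault certificate namespace secret
  local vault=$1 cert=$2 ns=$3 secret=$4
  cat <<EOF
apiVersion: spv.no/v2beta1
kind: AzureKeyVaultSecret
metadata:
  name: ${secret}
  namespace: ${ns}
spec:
  vault:
    name: ${vault}
    object:
      name: ${cert}
      type: certificate
  output:
    secret:
      name: ${secret}
      type: kubernetes.io/tls
EOF
}

# Look up the objectId of the kubelet managed identity (the post's "AAD SP")
# and grant it read-only access to certificates and secrets in the vault.
grant_vault_access() {        # args: resource-group aks vault
  local rg=$1 aks=$2 vault=$3 oid
  oid=$(az aks show -g "$rg" -n "$aks" \
        --query identityProfile.kubeletidentity.objectId -o tsv)
  az keyvault set-policy -n "$vault" --object-id "$oid" \
    --certificate-permissions get --secret-permissions get >/dev/null
  echo "$oid"
}

install_akv2k8s() {
  helm repo add spv-charts https://charts.spvapi.no >/dev/null
  helm repo update >/dev/null
  helm upgrade --install akv2k8s spv-charts/akv2k8s \
    --namespace akv2k8s --create-namespace
}

# akv2k8s syncs on a poll interval, so the secret appears after a short delay.
wait_for_secret() {           # args: namespace secret [timeout-seconds]
  local ns=$1 secret=$2 timeout=${3:-120} waited=0
  until kubectl -n "$ns" get secret "$secret" >/dev/null 2>&1; do
    if [ "$waited" -ge "$timeout" ]; then
      echo "secret $ns/$secret not created after ${timeout}s" >&2
      return 1
    fi
    sleep 5; waited=$((waited + 5))
  done
}

# SHA-256 fingerprint of the first PEM certificate on stdin.
pem_fingerprint() { openssl x509 -noout -fingerprint -sha256 | cut -d= -f2; }

# End-to-end proof: AKV certificate == synced secret == certificate served by
# the Ingress. A mismatch on the last one usually means -servername/host did
# not match and nginx served its default fake certificate instead.
verify_served_cert() {        # args: vault certificate namespace secret host ingress-ip
  local vault=$1 cert=$2 ns=$3 secret=$4 host=$5 ip=$6
  local tmp akv_fp k8s_fp served_fp
  tmp=$(mktemp); trap 'rm -f "$tmp"' RETURN
  az keyvault certificate download --vault-name "$vault" -n "$cert" -e PEM -f "$tmp"
  akv_fp=$(pem_fingerprint <"$tmp")
  k8s_fp=$(kubectl -n "$ns" get secret "$secret" -o jsonpath='{.data.tls\.crt}' \
           | base64 -d | pem_fingerprint)
  served_fp=$(openssl s_client -connect "$ip:443" -servername "$host" \
              </dev/null 2>/dev/null | pem_fingerprint)
  echo "AKV:    $akv_fp"; echo "secret: $k8s_fp"; echo "served: $served_fp"
  [ "$akv_fp" = "$k8s_fp" ] && [ "$k8s_fp" = "$served_fp" ]
}

# Full run with the assumed placeholder values; edit them before calling.
setup_and_verify() {
  local rg=my-rg aks=my-aks vault=my-akv cert=helloworld-cert ns=demo secret=nginx-cert
  local host=helloworld.info ip
  grant_vault_access "$rg" "$aks" "$vault"
  install_akv2k8s
  kubectl get ns "$ns" >/dev/null 2>&1 || kubectl create ns "$ns"
  render_akvs_manifest "$vault" "$cert" "$ns" "$secret" | kubectl apply -f -
  wait_for_secret "$ns" "$secret"
  # only populated when the controller is exposed through an Azure load balancer
  ip=$(kubectl -n "$ns" get ing ingress-akv2k8s -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
  verify_served_cert "$vault" "$cert" "$ns" "$secret" "$host" "$ip"
}
```

Source the file and call `setup_and_verify` (or the individual functions) after logging in with `az login` and pointing kubectl at the cluster. The fingerprint comparison is the check worth keeping: a green `curl -k` only proves that something answered on 443, while matching fingerprints prove that the certificate you manage in AKV is the one clients see.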

Troubleshooting

kubectl -n akv2k8s logs deployment/akv2k8s-controller

Jonathan

Learning new things about Kubernetes every day. Hopefully, the learning notes could help people on the same journey!