Skip to content

Latest commit

 

History

History
151 lines (94 loc) · 6.76 KB

README.md

File metadata and controls

151 lines (94 loc) · 6.76 KB

aksbicep

An example to create an AKS cluster with secrets from Azure Key Vault with Bicep and GitHub actions. Once the cluster is created, the workflow will apply manifests/deployment.yml that's a pre-created image.

Bicep is a domain-specific language (DSL) that uses declarative syntax to deploy Azure resources. It provides concise syntax, reliable type safety, and support for code reuse. We believe Bicep offers the best authoring experience for your infrastructure-as-code solutions in Azure.

GitHub Actions helps you automate your software development workflows from within GitHub. You can deploy workflows in the same place where you store code and collaborate on pull requests and issues.

Azure Key Vault protects cryptographic keys, certificates (and the private keys associated with the certificates), and secrets (such as connection strings and passwords) in the cloud.

Azure Kubernetes Service Easily define, deploy, debug, and upgrade even the most complex Kubernetes applications, and automatically containerize your applications. Use modern application development to accelerate time to market.

Pre-requisites

To create a key:

ssh-keygen -m PEM -t rsa -b 4096

If you're not familiar with the format of an SSH public key, you can display your public key with the following cat command, replacing ~/.ssh/id_rsa.pub with the path and filename of your own public key file if needed: cat ~/.ssh/id_rsa.pub

Deployment

  • Get your subscription ID, set as a variable
SUBSCRIPTION=(`az account show --query "id" -o tsv`)
  • Create a unique Azure Resource Group. We're using this as a paramater for several portions of the workshop, so please ensure the name is unique. For example aksbicepcreate

Shell enviroment variables:

LOCATION="eastus"
NAME="<uniquename>"

Create the RG in shell.

az group create -n $NAME --location $LOCATION

az ad sp create-for-rbac --name $NAME --role contributor --scopes /subscriptions/$SUBSCRIPTION/resourceGroups/$NAME --sdk-auth > sp.txt

This sp.txt file now contains your service principal credentials to login to your Azure account when running GitHub Actions. Now to add them as secrets within the GitHub Secrets environment variables.

AZURE_CREDENTIALS is the output of sp.txt AZURE_RG is your resource group name set in the $NAME variable. AZURE_SUBSCRIPTION is the subscription ID in your $SUBSCRIPTION variable.

  • Go to your GitHub repo you created from template. Click Settings, then click Secrets.
  • Click "New Repository Secret"
  • Create secrets in the repo for AZURE_CREDENTIALS, AZURE_RG, and AZURE_SUBSCRIPTION to connect your Azure account to the GitHub repo for actions to run.
  • Paste the entire contents of the JSON generated for the service principal in AZURE_CREDENTIALS. AZURE_RG and AZURE_SUBSCRIPTION should be single lines of both values.

Azure Credentials Secret in GitHub Actions

CLI

az keyvault create --name "$NAME" --resource-group "$NAME" --location "$LOCATION" --enabled-for-template-deployment=true --enabled-for-disk-encryption --enabled-for-deployment

or Portal

  • Click Create at top of resource group

  • Search for Key Vault

  • Click Create

  • Give a unique name in the Key vault name section

  • Click to "Access Policy" section and select the three tick boxes:

    ✔️ Azure Virtual Machines for deployment
    
    ✔️ Azure Resource Manager for template deployment
    
    ✔️ Azure Disk Encryption for volume encryption
    
  • Leave the rest as default

  • Click Review and Create

  • Store your credentials as secrets

    sshRSAPublicKey, servicePrincipalClientId, and servicePrincipalClientSecret

    These secrets will have your SSH keys to access the cluster nodes for troubleshooting and your Service Principal credentials.

    • Create a secret to store sshRSAPublicKey
      • Go to your key vault
      • Click Secrets
      • Click Generate/Import
      • Create secret:
        • Name: sshRSAPublicKey
        • Value: output of your ssh key
      • Click create
    • Repeat steps for servicePrincipalClientId and servicePrincipalClientSecret

Azure Key Vault Secrets

Update the sshRSAPublicKey, servicePrincipalClientId, and servicePrincipalClientSecret details:

To let your template reference KeyVault secrets from parameters, update the id to point to the KeyVault you created earlier.

 "id": "/subscriptions/{subscriptionID}/resourceGroups/{resource group}/providers/Microsoft.KeyVault/vaults/{keyvault name}"

Azure Resource Group

Finally the manifests/deployment.yml file is loaded which provides you with the Azure Voting App, a Python/Flask app with Redis as your data component. You do not need to make any changes here.

When you commit to the main branch, it will kick off a build. You'll get an AKS cluster with a service principal. You can add custom names and features to the parameters file.

Kicking off the build

To access your public IP from the loadbalancer:

az aks get-credentials --name $NAME --resource-group $NAME

kubectl get services --all-namespaces

Your output should be something like this:

NAMESPACE     NAME                             TYPE           CLUSTER-IP     EXTERNAL-IP    PORT(S)         AGE
default       kubernetes                       ClusterIP      10.0.0.1       <none>         443/TCP         47h
kube-system   healthmodel-replicaset-service   ClusterIP      10.0.228.13    <none>         25227/TCP       47h
kube-system   kube-dns                         ClusterIP      10.0.0.10      <none>         53/UDP,53/TCP   47h
kube-system   metrics-server                   ClusterIP      10.0.212.100   <none>         443/TCP         47h
voteappprod   azure-vote-back                  ClusterIP      10.0.62.6      <none>         6379/TCP        47h
voteappprod   azure-vote-front                 LoadBalancer   10.0.19.38     1.2.3.4   80:30305/TCP    47h

Voting App