How to Create a Kubernetes-based Architecture in Azure using Azure DevOps and Terraform - Part I
In this article, I'll describe the whole process for creating the following architecture using Azure DevOps and Terraform:
Despite the number of components, the architecture is quite straightforward.
The ACR is responsible to store our application's docker images and the Helm Charts Packages. It will be our docker and helm private registry. Off course, ACR can store others types of containerized application images, like vagrant images.
Azure Key Vault is a cloud service for securely storing and accessing secrets. API keys, passwords, certificates, and cryptographic keys are examples of things you might want to keep private. In this article, we are going to store the X.509 certificate used by the Application Gateway to serve TLS 1.2 requests in Azure Key Vault. Also, the SSH public key used to connect to the autoscaling group`s Virtual Machines will be stored as a secret in Key Vault.
Managing a Kubernetes control plane is something that can't be classified as a simple task. For sure, someone with a deep understanding of the Kubernetes details will be required. AKS is the managed offer from Azure. The control plane node is managed by Microsoft at no cost, and the user must take care (and pay) for the nodes attached to the AKS cluster, where the application's Pods will be running.
AGW is an OSI layer 7 load balancer. An OSI layer 7 load balancer can perform routing based on URI parameters or request headers. The difference between traditional load balancers which operate at layer 4 from the OSI model is that they execute routing based on source IP and port to a destination IP and port. AGW can perform routing based on URL parameters.
Routing in the present architecture where an AKS cluster is main piece won't be performed only by AGW. Azure Application Gateway Ingress Controller (AGIC) will be running as a set of Pods inside our AKS cluster. By using a managed identity, it will be responsible to create the necessary resources in the AGW. Those resources will be responsible for, given a request path for example, routing the request to the appropriate Pod.
HTTP Request Flow Through the Architecture Components
Pre-Requisites
To debug this overall tutorial and get the most out of it, it's nice to have the following tools installed on your local machine:
Make sure to set up a Service Connection between an Azure Subscription and your Azure DevOps Project:
Create manually the resource group to store terraform state
Terraform allows us to define, preview, and deploy the creation of cloud infrastructure. After you create your configuration files, you create an execution plan that allows you to preview your infrastructure changes before they're deployed. Once you verify the changes, you apply the execution plan to deploy the infrastructure. By default, Terraform state is stored locally, which isn't ideal for the following reasons:
To store remotely our terraform state, create a Resource Group, Storage Account, and a Storage Account Container:
In the following steps, we will need the Storage Account resource group name, Storage Account name, and Storage Account container name created. They will be the place where the terraform state for the terraform apply command will be stored.
Create the Azure AD Group manually
A Key Vault access policy determines whether a given security principal, namely a user, application, or user group, can perform different operations on Key Vault secrets, keys, and certificates. To avoid the need to specify Key Vault permissions user by user we created one Azure AD Group named KeyVaultAKS. Access policies are applied to this group.
Create the Azure Key Vault
Azure Key Vault is an easy and cheap tool to solve the following problems:
In this tutorial, Key Vault will be used as the central store for secrets and a self-signed certificate.
Terraform Code
The source code described here is available in this URL.
The terraform is quite simple. Following, we will discuss the main files and lines of code.
main.tf
Inside the backend azurerm provider section, we specify the storage account information required to store the terraform state. Off course, this storage account is the same one created in the first section.
provider "azurerm" {
features {
key_vault {
purge_soft_deleted_secrets_on_destroy = true
recover_soft_deleted_secrets = true
}
}
}
terraform {
required_providers {
azuread = {
source = "hashicorp/azuread"
version = "=2.36.0"
}
azurerm = {
source = "hashicorp/azurerm"
version = "=3.0.0"
}
}
backend "azurerm" {
resource_group_name = "ric-eastus-all-rg-terraform"
storage_account_name = "riceastusallstgterraform"
container_name = "ricprdvault"
key = "terraform.tfstate"
}
}
vault.tf
The first interesting section is the access policies code:
Recommended by LinkedIn
access_policy {
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azuread_group.admin.id
certificate_permissions = [
The access policy created by the code above grants the necessary permissions for the Azure AD group KeyVaultAKS, while the following access policy code grants permissions for the Principal executing the terraform apply operation which creates the Key Vault Resource. It can be a little bit fuzzy but without the following code, even an administrator user would not be able to see the secrets and certificates created by the terraform code here. Key Vault Access Policies can be understood as a second security layer to the secrets store inside. The Azure AD permissions aren't enough to perform operations upon Key Vault secrets.
access_policy {
tenant_id = data.azurerm_client_config.current.tenant_id
object_id = data.azurerm_client_config.current.object_id
certificate_permissions = [
As an example, we also create one secret and one certificate inside the newly created Key Vault. The certificate is a self-signed one.
resource "azurerm_key_vault_secret" "akssshpublickey" {
name = "ssh-public-key"
value = "ssh-public-key"
key_vault_id = azurerm_key_vault.kv.id
}
resource "azurerm_key_vault_certificate" "example" {
name = "x509selfsigned"
key_vault_id = azurerm_key_vault.kv.id
certificate {
contents = filebase64("domain.pfx")
password = ""
}
}
Azure DevOps Pipelines
We are using the Azure DevOps Classic Editor for the Build and Release Pipelines.
Build Pipeline
The build pipeline is responsible to create the artifacts holding the terraform scripts. You can visit this pipeline using this URL.
Release Pipeline
The first step we need to do is install the terraform on the Agent and also execute the terraform init command:
The storage account information also needs to be provided. The terraform state will be stored there:
Next, it's time to set up the plan task. The extra parameters here refer to the Azure Subscription Service Connection:
And finally, we set up the apply task:
Now we are ready to execute the release pipeline:
And then, the X.509 certificate stored in the created Key Vault:
Update the SSH public key
As of the time that this article is written, there was no way in Azure Portal to store a multiline secret in Azure Key Vault secret. Therefore, Make sure to execute the following commands to store the SSH public key in Key Vault:
Create the RSA certificate:
ssh-keygen \
-t rsa \
-b 4096 \
-C "100-days-linux-vm" \
-f ~/.ssh/100-days-linux-vm \
-N "$SSH_KEY_PASSWORD"
Store the public key in variables:
SSH_PUBLIC_KEY=$(cat ~/.ssh/100-days-linux-vm.pub) && \
SSH_PRIVATE_KEY=$(cat ~/.ssh/100-days-linux-vm) && \
rm -rf ~/.ssh/100-days-linux-vm\*
Set the secret value (assuming that az login was already executed):
az keyvault secret set \
--name "ssh-public-key" \
--vault-name "ric-eastus-all-kv-vault" \
--value "$SSH_PUBLIC_KEY" \
--output none
Conclusion
In this first article, the Azure Key Vault is already set up. In the next section, we are going to create the Azure Kubernetes Service, Application Gateway, and Container Registry.