How to Create a Kubernetes-based Architecture in Azure using Azure DevOps and Terraform - Part I

How to Create a Kubernetes-based Architecture in Azure using Azure DevOps and Terraform - Part I

In this article, I'll describe the whole process for creating the following architecture using Azure DevOps and Terraform:

No alt text provided for this image
Architecture

Despite the number of components, the architecture is quite straightforward.

Azure Container Registry (ACR)

The ACR is responsible to store our application's docker images and the Helm Charts Packages. It will be our docker and helm private registry. Off course, ACR can store others types of containerized application images, like vagrant images.

Azure Key Vault

Azure Key Vault is a cloud service for securely storing and accessing secrets. API keys, passwords, certificates, and cryptographic keys are examples of things you might want to keep private. In this article, we are going to store the X.509 certificate used by the Application Gateway to serve TLS 1.2 requests in Azure Key Vault. Also, the SSH public key used to connect to the autoscaling group`s Virtual Machines will be stored as a secret in Key Vault.

Azure Kubernetes Service (AKS)

Managing a Kubernetes control plane is something that can't be classified as a simple task. For sure, someone with a deep understanding of the Kubernetes details will be required. AKS is the managed offer from Azure. The control plane node is managed by Microsoft at no cost, and the user must take care (and pay) for the nodes attached to the AKS cluster, where the application's Pods will be running.

Azure Application Gateway (AGW)

AGW is an OSI layer 7 load balancer. An OSI layer 7 load balancer can perform routing based on URI parameters or request headers. The difference between traditional load balancers which operate at layer 4 from the OSI model is that they execute routing based on source IP and port to a destination IP and port. AGW can perform routing based on URL parameters. 

Routing in the present architecture where an AKS cluster is main piece won't be performed only by AGW. Azure Application Gateway Ingress Controller (AGIC) will be running as a set of Pods inside our AKS cluster. By using a managed identity, it will be responsible to create the necessary resources in the AGW. Those resources will be responsible for, given a request path for example, routing the request to the appropriate Pod.

HTTP Request Flow Through the Architecture Components

  1. Before a client sends a request to an application gateway, it resolves the domain name of the application gateway by using a Domain Name System (DNS) server. Azure controls the DNS entry because all application gateways are in the azure.com domain. Off course, we can create an A record in any domain name server pointing to the AGW public IP or a CNAME record pointing to the AGW Azure-created URL.
  2. The Azure DNS returns the IP address to the client, which is the frontend IP address of the application gateway.
  3. The application gateway accepts incoming traffic on one or more listeners. A listener is a logical entity that checks for connection requests. It's configured with a frontend IP address, protocol, and port number for connections from clients to the application gateway.
  4. If a web application firewall (WAF) is in use, the application gateway checks the request headers and the body, if present, against WAF rules. This action determines if the request is a valid request or a security threat. If the request is valid, it's routed to the backend. If the request isn't valid and WAF is in Prevention mode, it's blocked as a security threat. If it's in Detection mode, the request is evaluated and logged, but still forwarded to the backend server.
  5. If a request is valid and not blocked by WAF, the application gateway evaluates the request routing rule that's associated with the listener. This action determines which backend pool to route the request to.
  6. When the application gateway selects the backend pool, it sends the request to one of the healthy backend servers in the pool (y.y.y.y). The health of the server is determined by a health probe. If the backend pool contains multiple servers, the application gateway uses a round-robin algorithm to route the requests between healthy servers. This load balances the requests on the servers.
  7. After the request is routed to the backend pool, it will hit the ingress resource rule created and managed by the AGIC Pods during the image deployment. Those rules determine the Service responsible to handle this request inside the AKS cluster.
  8. The Service is a method for exposing a network application that is running as one or more Pods in your cluster. A key aim of Services in Kubernetes is that you don't need to modify your existing application to use an unfamiliar service discovery mechanism. You can run code in Pods, whether this is code designed for a cloud-native world, or an older app you've containerized. The service will then route the request to a healthy Pod.

Pre-Requisites

To debug this overall tutorial and get the most out of it, it's nice to have the following tools installed on your local machine:

Make sure to set up a Service Connection between an Azure Subscription and your Azure DevOps Project:

No alt text provided for this image
Azure AD App Registration for the Service Connection

Create manually the resource group to store terraform state

Terraform allows us to define, preview, and deploy the creation of cloud infrastructure. After you create your configuration files, you create an execution plan that allows you to preview your infrastructure changes before they're deployed. Once you verify the changes, you apply the execution plan to deploy the infrastructure. By default, Terraform state is stored locally, which isn't ideal for the following reasons:

  • Local state doesn't work well in a team or collaborative environment.
  • Terraform state can include sensitive information.
  • Storing state locally increases the chance of inadvertent deletion.

To store remotely our terraform state, create a Resource Group, Storage Account, and a Storage Account Container:

No alt text provided for this image
Storage Account for the Terraform State

In the following steps, we will need the Storage Account resource group name, Storage Account name, and Storage Account container name created. They will be the place where the terraform state for the terraform apply command will be stored.

Create the Azure AD Group manually

A Key Vault access policy determines whether a given security principal, namely a user, application, or user group, can perform different operations on Key Vault secrets, keys, and certificates. To avoid the need to specify Key Vault permissions user by user we created one Azure AD Group named KeyVaultAKS. Access policies are applied to this group.

No alt text provided for this image
Azure AD Group used as the Pricipal for Key Vault Access Policies

Create the Azure Key Vault

Azure Key Vault is an easy and cheap tool to solve the following problems:

  • Secrets Management
  • Key Management
  • Certificate Management

In this tutorial, Key Vault will be used as the central store for secrets and a self-signed certificate.

Terraform Code

The source code described here is available in this URL.

The terraform is quite simple. Following, we will discuss the main files and lines of code.

main.tf

Inside the backend azurerm provider section, we specify the storage account information required to store the terraform state. Off course, this storage account is the same one created in the first section.

provider "azurerm" {
  features {
     key_vault {
      purge_soft_deleted_secrets_on_destroy = true
      recover_soft_deleted_secrets          = true
    }
  }
}

terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "=2.36.0"
    }
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.0.0"
    }
  }
  backend "azurerm" {
    resource_group_name  = "ric-eastus-all-rg-terraform"
    storage_account_name = "riceastusallstgterraform"
    container_name       = "ricprdvault"
    key                  = "terraform.tfstate"
  }
}        

vault.tf

The first interesting section is the access policies code:

access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id = data.azuread_group.admin.id

    certificate_permissions = [        

The access policy created by the code above grants the necessary permissions for the Azure AD group KeyVaultAKS, while the following access policy code grants permissions for the Principal executing the terraform apply operation which creates the Key Vault Resource. It can be a little bit fuzzy but without the following code, even an administrator user would not be able to see the secrets and certificates created by the terraform code here. Key Vault Access Policies can be understood as a second security layer to the secrets store inside. The Azure AD permissions aren't enough to perform operations upon Key Vault secrets.

access_policy {
    tenant_id = data.azurerm_client_config.current.tenant_id
    object_id    = data.azurerm_client_config.current.object_id

    certificate_permissions = [        

As an example, we also create one secret and one certificate inside the newly created Key Vault. The certificate is a self-signed one.

resource "azurerm_key_vault_secret" "akssshpublickey" {
  name         = "ssh-public-key"
  value        = "ssh-public-key"
  key_vault_id = azurerm_key_vault.kv.id
}

resource "azurerm_key_vault_certificate" "example" {
  name         = "x509selfsigned"
  key_vault_id = azurerm_key_vault.kv.id

  certificate {
    contents = filebase64("domain.pfx")
    password = ""
  }
}        

Azure DevOps Pipelines

We are using the Azure DevOps Classic Editor for the Build and Release Pipelines.

Build Pipeline

The build pipeline is responsible to create the artifacts holding the terraform scripts. You can visit this pipeline using  this URL.

No alt text provided for this image
Build Pipeline for Azure Key Vault

Release Pipeline

The first step we need to do is install the terraform on the Agent and also execute the terraform init command:

No alt text provided for this image
Terraform init command task

The storage account information also needs to be provided. The terraform state will be stored there:

No alt text provided for this image
Terraform init command task storage account details

Next, it's time to set up the plan task. The extra parameters here refer to the Azure Subscription Service Connection:

No alt text provided for this image
Terraform plan command task

And finally, we set up the apply task:

No alt text provided for this image
Terraform apply command task

Now we are ready to execute the release pipeline:

No alt text provided for this image
Key Vault Release Pipeline Results

And then, the X.509 certificate stored in the created Key Vault:

No alt text provided for this image
X.509 certificate which will be used by the Application Gateway

You can also visit this release pipeline by clicking here.

Update the SSH public key

As of the time that this article is written, there was no way in Azure Portal to store a multiline secret in Azure Key Vault secret. Therefore, Make sure to execute the following commands to store the SSH public key in Key Vault:

Create the RSA certificate:

ssh-keygen \
-t rsa \
-b 4096 \
-C "100-days-linux-vm" \
-f ~/.ssh/100-days-linux-vm \
-N "$SSH_KEY_PASSWORD"        

Store the public key in variables:

SSH_PUBLIC_KEY=$(cat ~/.ssh/100-days-linux-vm.pub) && \
SSH_PRIVATE_KEY=$(cat ~/.ssh/100-days-linux-vm) && \
rm -rf ~/.ssh/100-days-linux-vm\*        

Set the secret value (assuming that az login was already executed):

az keyvault secret set \
--name "ssh-public-key" \
--vault-name "ric-eastus-all-kv-vault" \
--value "$SSH_PUBLIC_KEY" \
--output none        

Conclusion

In this first article, the Azure Key Vault is already set up. In the next section, we are going to create the Azure Kubernetes Service, Application Gateway, and Container Registry.









To view or add a comment, sign in

More articles by Richard Sobreiro

Insights from the community

Others also viewed

Explore topics