In the last blog we discussed how to deploy AKS fully integrated with AAD, and how to deploy the add-ons for Azure Pod Identity and the Azure CSI driver. In this article we will discuss how to create an application that uses Pod Identity to access Azure resources.
Pod Identity is a feature that allows deployed applications to communicate with AAD, request a token, and then use that token to access Azure resources. The simplified workflow for pod managed identity is shown in the following diagram:
You can review the Microsoft docs about pod identity best practices here.
In order to use pod identity in our code we need an AKS cluster configured with Azure AAD and with Pod Identity deployed, as we discussed in our previous post.
Depending on the application, we will need to use an MSI authentication library to request a token from AAD. You can review an example here.
In our previous post we showed that, after deploying the Pod Identity add-on, the Terraform script deployed a managed identity to the namespace "demo" and updated the Key Vault access policy to include this managed identity.
In our demo today, we will show how to build an application that accesses Azure Key Vault to retrieve secrets using Pod Identity. Sample code exists here. The repo contains sample code in C#, Java and Python.
Before starting we need to double-check our environment to make sure all the necessary components are deployed:
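The following is an added example (not code from the sample repo or any Microsoft library) showing, with only the standard library, what the MSI libraries do under the hood in a pod: request a Key Vault token from the IMDS endpoint that Pod Identity's NMI intercepts, then call the Key Vault REST API with that token. The environment variable name `KEYVAULT_URL` and the `get_json` injection point are assumptions for this example.

```python
import json
import os
import urllib.parse
import urllib.request

# Pod Identity's NMI intercepts the pod's traffic to the IMDS address and
# answers with a token for the AzureIdentity matched by the pod's binding label.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
KEY_VAULT_RESOURCE = "https://vault.azure.net"


def _http_get_json(url, headers):
    """Default transport: plain HTTP GET, JSON body parsed."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def request_kv_token(client_id=None, get_json=_http_get_json):
    """Ask the (NMI-intercepted) IMDS endpoint for a Key Vault access token.
    get_json is injectable so the flow can be exercised without a cluster."""
    params = {"api-version": "2018-02-01", "resource": KEY_VAULT_RESOURCE}
    if client_id:  # pin one identity when several are bound to the pod
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    # IMDS refuses requests that lack the Metadata header (SSRF hardening).
    body = get_json(url, {"Metadata": "true"})
    return body["access_token"]


def read_secret(vault_url, secret_name, token, get_json=_http_get_json):
    """Fetch the current value of a secret via the Key Vault REST API."""
    url = (f"{vault_url.rstrip('/')}/secrets/"
           f"{urllib.parse.quote(secret_name)}?api-version=7.3")
    body = get_json(url, {"Authorization": f"Bearer {token}"})
    return body["value"]


def get_secret_via_pod_identity(secret_name, vault_url=None,
                                get_json=_http_get_json):
    """Same contract as the demos: the vault URL arrives as an environment
    variable (KEYVAULT_URL is a hypothetical name for this example)."""
    vault_url = vault_url or os.environ["KEYVAULT_URL"]
    token = request_kv_token(get_json=get_json)
    return read_secret(vault_url, secret_name, token, get_json=get_json)


if __name__ == "__main__":
    print(get_secret_via_pod_identity("demo-secret"))
```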
kubectl get pods -n kube-system | grep aad
kubectl get azureIdentity -n demo
kubectl get azureIdentityBinding -n demo
Once we confirm the resources are in place, we are ready to start coding.
The Java demo is a sample Java Spring Boot REST API application. Here are a few points about the code:
<dependency>
<groupId>com.azure.spring</groupId>
<artifactId>azure-spring-boot-starter-keyvault-secrets</artifactId>
</dependency>
The Helm chart is the same chart for all demos (Java/C#/Python); we override values.yaml during the pipeline run to fit each demo's needs. The chart will deploy the following:
The main point to note here is the metadata label aadpodidbinding: the pod deployment file MUST carry this label. In our environment we deployed the AzureIdentity and AzureIdentityBinding with the same name as the environment namespace, so we pass the namespace as the value of aadpodidbinding.
The pipeline "azure-pipelines-java-kv.yml" has 3 stages, as shown in the following figure:
Once it runs, we should see the following:
Check our work:
Finally, use Postman to query the Java app.
The C# demo is identical to the Java code: a REST API service that returns a secret from Key Vault. The API class is under the controller folder and it expects the Key Vault URL to be passed as an environment variable, exactly like the Java example.
The pipeline "azure-pipelines-csharp-kv.yml" follows the same structure of 3 stages.
The Python code is a Flask REST API example.
The pipeline "azure-pipelines-python-kv.yml" follows the same structure, with 2 stages.
Once the pipelines have deployed all the applications, we can review the deployed resources.
Use Postman to call the apps using the ingress host.
Java Demo
Python Demo
C# Demo
We discussed in detail how to set up and configure your application to use Pod Identity. It is a great feature for using Azure Managed Identity to access Azure resources. In our next blog we will discuss the Azure secret store provider for the CSI driver.
Disclaimer
The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.