Blog Post

FastTrack for Azure

5 MIN READ

Using Azure DevOps to deploy an application on AKS Private Cluster in Azure US Government

srinipadala

Microsoft

Jan 08, 2021

Overview

This article details building and deploying a container to an Azure Kubernetes Service(AKS) cluster in Azure Government cloud using Azure DevOps.

Private AKS Clusters has the API Server accessible only within the virtual network. This limits the deployments from Hosted Azure DevOps agents. To overcome this, a self-hosted agent within the same virtual network needs to be deployed.

Access to Azure Container Registry (ACR) can be restricted to the virtual network using Private Endpoints. This will limit ACR exposure to public internet. Since private ACR is available only within the vnet, self-hosted devops agents comes to the rescue.

Lastly, to ensure that Azure Pipelines can deploy to Azure Government Clouds, Azure Resource Manager Service Connection should be created with an Environment parameter.

Setup

The following steps replicates the above setup. The setup has 3 subnets with the following components

Azure Container Registry Private Endpoint
Azure DevOps self hosted agent
Azure Kubernetes Service

Network setup

Create a Virtual Network and add 3 subnets.

Use the below values for reference:

Address Space: 10.0.0.0/16

Subnet name	Address Space
acr-snt	10.0.1.0/24
devops-snt	10.0.2.0/24
aks-snt	10.0.4.0/22

az group create --name gov-devops --location usgovtexas

az network vnet create \
  --name gov-devops-vnet \
  --resource-group gov-devops \
  --subnet-name default
  
az network vnet subnet create \
  --address-prefixes 10.0.1.0/24\
  --name acr-snt \
  --resource-group gov-devops \
  --vnet-name gov-devops-vnet
  
az network vnet subnet create \
  --address-prefixes 10.0.2.0/24\
  --name devops-snt \
  --resource-group gov-devops \
  --vnet-name gov-devops-vnet
  
az network vnet subnet create \
  --address-prefixes 10.0.4.0/22\
  --name aks-snt \
  --resource-group gov-devops \
  --vnet-name gov-devops-vnet

Create ACR

Create a Container Registry in the premium tier (required for private link)

az acr create --resource-group gov-devops \
  --name mygovacr --sku Premium

Create the registry’s private endpoint in the acr-snt subnet

az network vnet subnet update \
 --name acr-snt \
 --vnet-name gov-devops-vnet \
 --resource-group gov-devops \
 --disable-private-endpoint-network-policies
 
az network private-dns zone create \
  --resource-group gov-devops \
  --name "privatelink.azurecr.io"
  
az network private-dns link vnet create \
  --resource-group gov-devops \
  --zone-name "privatelink.azurecr.io" \
  --name govdns \
  --virtual-network gov-devops-vnet \
  --registration-enabled false
  
REGISTRY_ID=$(az acr show --name mygovacr \
  --query 'id' --output tsv)

az network private-endpoint create \
    --name myPrivateEndpoint \
    --resource-group gov-devops \
    --vnet-name gov-devops-vnet \
    --subnet acr-snt \
    --private-connection-resource-id $REGISTRY_ID \
    --group-id registry \
    --connection-name myConnection

NETWORK_INTERFACE_ID=$(az network private-endpoint show \
  --name myPrivateEndpoint \
  --resource-group gov-devops \
  --query 'networkInterfaces[0].id' \
  --output tsv)
  
PRIVATE_IP=$(az resource show \
  --ids $NETWORK_INTERFACE_ID \
  --api-version 2019-04-01 \
  --query 'properties.ipConfigurations[1].properties.privateIPAddress' \
  --output tsv)

DATA_ENDPOINT_PRIVATE_IP=$(az resource show \
  --ids $NETWORK_INTERFACE_ID \
  --api-version 2019-04-01 \
  --query 'properties.ipConfigurations[0].properties.privateIPAddress' \
  --output tsv)
  
az network private-dns record-set a create \
  --name mygovacr \
  --zone-name privatelink.azurecr.io \
  --resource-group gov-devops

# Specify registry region in data endpoint name
az network private-dns record-set a create \
  --name mygovacr.usgovtexas.data \
  --zone-name privatelink.azurecr.io \
  --resource-group gov-devops
  
az network private-dns record-set a add-record \
  --record-set-name mygovacr \
  --zone-name privatelink.azurecr.io \
  --resource-group gov-devops \
  --ipv4-address $PRIVATE_IP

# Specify registry region in data endpoint name
az network private-dns record-set a add-record \
  --record-set-name mygovacr.usgovtexas.data \
  --zone-name privatelink.azurecr.io \
  --resource-group gov-devops \
  --ipv4-address $DATA_ENDPOINT_PRIVATE_IP
  
az acr update --name mygovacr --public-network-enabled false

Choose one of the below authentication methods to perform docker login from the DevOps pipelines

az acr update -n mygovacr --admin-enabled true

Note the admin username and password from the ACR Access Keys blade in the portal

Create AKS

Create a private AKS cluster in the aks-snt subnet

Integrate ACR with AKS or create a pull secret

kubectl create secret docker-registry regcred \
  --docker-server=<your-registry-server> \
  --docker-username=<your-name> \
  --docker-password=<your-pword> \
  --docker-email=<your-email>

Create a VM and deploy DevOps agent

Create a Linux VM in devops-snt subnet to host the DevOps agent.

az vm create \
  --resource-group gov-devops \
  --name devopsagent \
  --image UbuntuLTS \
  --admin-username azureuser \
  --generate-ssh-keys \
  --subnet devops-snt \
  --vnet-name gov-devops-vnet

Note the publicIpAddress from the output

Deploy the DevOps agent on the VM

Generate a PAT token
Create an Agent Pool
- Click Add Pool
- Select New
- Select pool Type as Self-hosted
- Enter a name as govpool
- Select New Agent -> Linux
Copy the Agent Download link
Deploy the agent on the VM

ssh azureuser@publicIpAddress

curl -O <<url copied above>
mkdir myagent && cd myagent
tar zxvf ../{tar file name}

./config.sh
sudo ./svc.sh install
sudo ./svc.sh start

Install docker, az cli and kubectl

sudo apt -y update
sudo apt -y install apt-transport-https ca-certificates curl gnupg-agent software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
sudo apt update
sudo apt install docker-ce docker-ce-cli containerd.io
sudo usermod -aG docker $USER
newgrp docker

curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
sudo az aks install-cli

Create the pipeline

Create Service Connections

From Azure DevOps, create a Docker Registry Service Connection

Navigate to Project Settings
Click New Service Connection
Select Docker Registry
Select Registry Type as Others
Provide the below details:
- Docker Registry: { ACR url eg: https://mygovacr.azurecr.us }
- Docker ID: { admin username or Service principal App ID }
- Docker Password: { admin password or service principal secret }
- Service Connection name: { Connection name }

To run kubectl task against the AKS cluster, Create Service Principal and grant contributor access to the resource group

From Azure DevOps, create an Azure Resource Manager Service Connection

Navigate to Project Settings
Click New Service Connection
Select Azure Resource Manager
Select Service Principal (manual)
Provide the below details:
- Environment: Azure US Government
- Subscription Id: { Gov Subscription ID }
- Subscription Name: { Gov Subscription Name }
- Service Principal Id: { Create Service Principal using Portal or PowerShell }
- Credential: Service Principal key: { Secret of the Service Principal }
- Tenant Id: { Gov Tenant ID }
- Service Connection name: { Connection name }

Create pipeline

Fork the sample repo
Copy the contents below to a deploy.yaml file in the repo (Remove imagePullSecrets if ACR integrated with AKS)

apiVersion: v1
kind: Pod
metadata:
  name: private-reg
spec:
  containers:
  - name: private-reg-container
    image: mygovacr.azurecr.us/nginx-echo-headers:latest
  imagePullSecrets:
  - name: regcred

Navigate to the project in Azure DevOps
Go to Pipelines, and then select New Pipeline
Select GitHub as the location of your source code and select your repository
Select Starter pipeline
Replace the contents of the yaml in the Review tab

trigger:
- master

pool:
  name: 'govpool'

steps:
- task: Docker@2
  inputs:
    containerRegistry: '{Docker Registry Service Connection Name}'
    repository: 'nginx-echo-headers'
    command: 'buildAndPush'
    Dockerfile: 'Dockerfile'
    tags: 'latest'
- task: Kubernetes@1
  inputs:
    connectionType: 'Azure Resource Manager'
    azureSubscriptionEndpoint: '{Azure Resource Manager Service Connection Name}'
    azureResourceGroup: 'gov-devops'
    kubernetesCluster: '{aks cluster name}'
    command: 'apply'
    arguments: '-f deploy.yaml'

Summary

The setup facilitates secure deployments to private ACR/AKS on Azure Government Cloud using Pipelines.

Updated Jan 08, 2021

Version 1.0

Cloud Native Apps

srinipadala

Microsoft

Joined December 29, 2020

View Profile

FastTrack for Azure

Follow this blog board to get notified when there's new activity

14 Comments

cbissegger
Copper Contributor
Nov 03, 2022
doitaway Sorry for late answer... from my notes taken at that time:
- Create your service principal
- Export environment variables AAD_SERVICE_PRINCIPAL_CLIENT_ID and AAD_SERVICE_PRINCIPAL_CLIENT_SECRET with service principal ID and password to myagent/.env
- Add your service principal as contributor to the resource group of AKS
- Add the service principal to the AKS IAM group Azure Kubernetes Service RBAC Cluster Admin Role
- login to azure as service principal: az login --service-principal -u your_service_principal_id -p your_service_principal_pwd -t your_tenant_id
- retreive credentials: az aks get-credentials --resource-group your_aks_rg --name your_aks_cluster
- convert them to kubelogin format: kubelogin convert-kubeconfig -l spn

Hope this helps
sumanthkannedari
Copper Contributor
Sep 14, 2022
@srinipadala @MonikaNag , I have followed the same procedure but in my scenario I have 3 yaml files (ConfigMap, Deployment and Secret) and my release pipeline looks like below. Please help me how to add secret.yaml file in the pipeline. I have all the 3 yaml files in deployment folder and if I use configuration: '$(System.DefaultWorkingDirectory)/deployment' in what order the yaml files will be deployed.

            - task: Kubernetes@1
              displayName: Deploying Manifests into AKS
              inputs:
                connectionType: 'Azure Resource Manager'
                azureSubscriptionEndpoint: 'aks'
                azureResourceGroup: 'test-rg'
                kubernetesCluster: 'test-aks'
                namespace: 'prod'
                command: 'apply'
                useConfigurationFile: true
                configuration: '$(System.DefaultWorkingDirectory)/deployment/webinar-app.yaml'
                secretType: 'dockerRegistry'
                containerRegistryType: 'Azure Container Registry'
                useConfigMapFile: true
                configMapFile: '$(System.DefaultWorkingDirectory)/deployment/configmap.yaml'
doitaway
Copper Contributor
Aug 27, 2022
cbissegger how did you use kubelogin to resolve the login issue? Can you please share?
cbissegger
Copper Contributor
Aug 10, 2022
Solved... Actually my service principal had just the authorization to create deployment, not to list nodes as I tested...
cbissegger
Copper Contributor
Aug 10, 2022
srinipadala MonikaNag
Thanks for this step-by-step.
Everything looks good, except that the Service Principal keeps being denied access to cluster ressources. I'm authenticating using the new kubelogin method, and it seems to be working.
The service principal is in an AD group which has Cluster Admin privileges. but kubectl get node keeps answering that the service principal is not allowed to access resources.

Any hint on where I should look to correct that?
Thanks a lot
MonikaNag
Microsoft
Mar 11, 2022
vichusharma This issue is primarily happening since you are using az login which by default redirects the user interactively for device login. I would suggest using the following command "az login --identity" to get this issue resolved. Also, make sure to have relevant permissions assigned to the service connection being used in the pipeline and you should be good with the authentication to the private AKS.
vichusharma
Copper Contributor
Mar 11, 2022
srinipadala We have followed this document to the . and we are still stuck and can't complete the kubectl commands.

Our setup

1. Private AKS cluster
2. Agent in the same Vnet
3. Azure devops pipeline can't run we get the following

/usr/local/bin/kubectl apply -f deploy.yaml -o json
##[debug]Called Toolrunner exec() method asynchronously. Returning the promise.
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code ZZZZZZ to authenticate.
Unable to connect to the server: context deadline exceeded (Client.Timeout exceeded while awaiting headers)
##[debug]Exit code 1 received from tool '/usr/local/bin/kubectl'
##[debug]STDIO streams have closed for tool '/usr/local/bin/kubectl'
##[debug]Toolrunner exec() method returned error for the kubectl command. Error: Error: The process '/usr/local/bin/kubectl' failed with exit code 1.
##[error]To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code XXXXXXX to authenticate.
##[debug]Processed: ##vso[task.issue type=error;]To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code XXXXXX to authenticate.
##[error]Unable to connect to the server: context deadline exceeded (Client.Timeout exceeded while awaiting headers)
##[debug]Processed: ##vso[task.issue type=error;]Unable to connect to the server: context deadline exceeded (Client.Timeout exceeded while awaiting headers)
alessandroromano
Copper Contributor
Aug 25, 2021
EDIT: we solved by putting in the /etc/resolve.conf of the VM created
a dedicated IP of our Vnet as nameresolver

Hi srinipadala julie-ng we followed this useful guide, and configured bot the Agent Pool in the same VNet of the AKS and the Service Principal, look athe the YAML of the kubectl step

still we are getting this errore like when we weren't using our dedicated Agent pool:
amans9909
Copper Contributor
Jun 21, 2021
srinipadala , many thanks for quick response. that's exactly the way left to access private cluster from Azure dev ops portal and i configured in this way and it works very well. Thanks
would there be a "Public endpoint" for private cluster in future?
srinipadala
Microsoft
Jun 21, 2021
amans9909 - The service principal will be used by the devops agent in the vnet to fetch the kubeconfig. Since the agent has line of sight to the API server, it can obtain the kubeconfig. For teh service connection creation in the portal, it is just the ARM api call and should not have any trouble listing the AKS resource with a contributor access, even though it is in the vnet. Please share the step where you are stuck so that we can help.