
How to manage  

Nilesh Gule

#kubernetes #secrets #azurekeyvault #azurecontaineregistry
This video walks through the process of integrating Azure Key Vault (AKV) with Azure Kubernetes Service (AKS).
The AKS cluster is created using Managed Identity and integrates with Azure Container Registry (ACR) to pull images.
Azure Key Vault is used to store the secrets for the RabbitMQ configuration. These are mounted as Kubernetes secrets using the Azure provider for the Secrets Store CSI driver.
An updated version of the video is available at
• Manage Kubernetes secr...
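
The setup described above (RabbitMQ credentials held in Azure Key Vault, read with the cluster's managed identity and synced to a Kubernetes Secret by the Secrets Store CSI driver) looks roughly like this. This is an added example, not the manifests from the video; the resource names, secret names and every `<...>` value are placeholders assumed for illustration.

```yaml
# Added example: names and <...> values are placeholders, not taken from the video.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: rabbitmq-akv                       # hypothetical name
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "true"           # authenticate with the managed identity
    userAssignedIdentityID: "<identity-client-id>"   # needs only Get on secrets
    keyvaultName: "<key-vault-name>"
    tenantId: "<tenant-id>"
    objects: |
      array:
        - |
          objectName: rabbitmq-username
          objectType: secret
        - |
          objectName: rabbitmq-password
          objectType: secret
  secretObjects:                           # optional sync to a Kubernetes Secret
    - secretName: rabbitmq-credentials
      type: Opaque
      data:
        - objectName: rabbitmq-password
          key: password
---
apiVersion: v1
kind: Pod
metadata:
  name: rabbitmq-consumer
spec:
  containers:
    - name: consumer
      image: "<acr-name>.azurecr.io/<image>:<tag>"
      env:
        - name: RABBITMQ_PASSWORD
          valueFrom:
            secretKeyRef: {name: rabbitmq-credentials, key: password}
      volumeMounts:                        # the Secret exists only once a pod mounts this volume
        - {name: akv-secrets, mountPath: /mnt/secrets-store, readOnly: true}
  volumes:
    - name: akv-secrets
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: rabbitmq-akv
```

The environment variable is resolved when the container starts, so a value changed in Key Vault reaches the application only after the pod is restarted.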
▬▬▬▬▬▬ ⏱ Chapters⏱ ▬▬▬▬▬▬
00:00 - Introduction
0:55 - Overview of demo application
1:40 - Kubernetes Environment variables
3:50 - Pre-requisites for running the demo
5:35 - Create Azure Key Vault (AKV)
6:45 - Access Key Vault using Azure Portal
7:50 - AKV Access Policies
10:19 - Assign Get permission to Managed Identity for AKV secrets
11:20 - Kubernetes Secrets Store CSI Driver
13:45 - Azure Provider for CSI
14:08 - Deploy Azure Provider for CSI using Helm
16:00 - Sync AKV secrets with Kubernetes Secret object
23:15 - Update Kubernetes Deployment manifest to use Volume Mounts
24:30 - Update Env variables to populate using Kubernetes secrets
26:30 - Deploy RabbitMQ Producer & Consumer
30:30 - KEDA auto-scaler in action
33:00 - Azure Key Vault Provider for Secrets Store Driver Capabilities
34:00 - Helm install AKV Provider
35:00 - Secrets Store Provider modes
39:15 - 5 step process
39:30 - Octant Resource Viewer
▬▬▬▬▬▬ 👋 Contact me 👋 ▬▬▬▬▬▬
Connect with me here:
- 🔗 Subscribe: / @nilesh-gule
- 🔗 RU-vid : / @nilesh-gule
- 🔗 GitHub: github.com/nileshgule
- 🔗 Twitter: / nileshgule
- 🔗 Website: www.HandsOnArchitect.com/
- 🔗 LinkedIn : / nileshgule
#akv #aks #csi #Azure #kubernetes #k8s #AzureKeyVault #AzureContainerRegistry #AzureKubernetesService #ManagedIdentity #KEDA #CSI #secretsstoreprovider #howto #demo #tutorial

Published: 2 Aug 2024

Поделиться:

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист
Посмотреть позже
Comments: 39
@nilesh-gule 5 months ago
There is an updated version of the video available. Please refer to this ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-pWjGYOrM-h0.html
@swapnilpotnis7904 4 years ago
Thank You for the Tutorial. Keep up the Good Work. :)
@nilesh-gule 4 years ago
Glad it helped!
@kris4202 3 years ago
Good one. Thanks for sharing your knowledge. I really appreciate it.
@nilesh-gule 3 years ago
Glad it was helpful!
@ShahulHameed-ly8ub 8 months ago
Great session
@nilesh-gule 8 months ago
Thanks. Glad that you found it useful.
@kalankaraivilakkam 2 years ago
Hi Nilesh, great stuff with neat presentation. I have a question. I have my TLS certificates stored in AKV Secrets. How can I use those certificates in my Ingress resource? Is this possible with your approach? Can you please guide me with the steps or a next video tutorial? Thanks a lot
@nilesh-gule 2 years ago
Here are a couple of examples of using AKV for storing a TLS cert and integrating that with an Ingress resource: blog.baeke.info/2020/12/07/certificates-with-azure-key-vault-and-nginx-ingress-controller/amp/ github.com/mspnp/aks-baseline-multi-region/blob/main/docs/deploy/08-secret-managment-and-ingress-controller.md
@shamstabrez2986 9 months ago
plz upload the updated content its been 3 years that u have uploaded this
@nilesh-gule 9 months ago
Hi Tabrez, thanks for the feedback. Indeed, it has been quite a while since this video was published. I'll add it to my to-do list to update the content.
@nilesh-gule 5 months ago
The content has been updated. Please refer to this new video ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-pWjGYOrM-h0.html
@cartierin 4 years ago
Great video!! Do you know if we can use certs saved in KV for NGINX Ingress TLS? If so, do you know if anyone has documented this process?
@nilesh-gule 4 years ago
Hi J Thomas, as per the documentation, the CSI secret store provider supports keys, secrets and certificates. You can refer to this readme file for more details: github.com/Azure/secrets-store-csi-driver-provider-azure There are some examples related to NGINX in the examples of the CSI Store driver: github.com/Azure/secrets-store-csi-driver-provider-azure/tree/master/examples Since this is an open source project, if the documentation doesn't exist you can raise a request and I am sure somebody will be able to help.
@cartierin 4 years ago
Nilesh Gule thank you!
@mukulbadhan5336 1 year ago
How will these steps change if we use a self-built Kubernetes cluster on Azure VMs instead of AKS, and can we use Harbor instead of Azure Container Registry?
@nilesh-gule 1 year ago
You will need to use a solution which integrates with Harbor instead of Azure Container Registry. Usually, you can use image pull secrets to pull images from a different container registry. Here are a few links: stackoverflow.com/questions/72880842/pulling-image-from-private-container-registry-harbor-in-kubernetes kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
@n3x4r3 3 years ago
First of all, great tutorial, but I have a problem with the CSI: it doesn't sync the keys. If I change the secret on the server, it never changes until I kill the pod.
@nilesh-gule 3 years ago
hi @n3x4r As per the documentation of the Azure Key Vault Provider for the Secret store CSI driver, the secrets will only sync once you start a pod. Refer to the doc for more details azure.github.io/secrets-store-csi-driver-provider-azure/configurations/sync-with-k8s-secrets/
@nilesh-gule 3 years ago
@n3x4r Came across a feature to enable / disable auto rotation of secrets docs.microsoft.com/en-us/azure/aks/csi-secrets-store-driver This seems to be in preview currently as of May 2021
@sadhufit 3 years ago
Hello Nilesh, can we use a secret name such as APP_ENV in Azure Key Vault? I tried it and it says I cannot use special characters like _
@nilesh-gule 3 years ago
As per the naming conventions for objects in Azure Key Vault, _ is not allowed. Refer to the Azure Key Vault documentation for more details: docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#:~:text=Vault%20name%20and%20Managed%20HSM,a%2Dz%2C%20A%2DZ%2C%20and%20%2D.&text=The%20type%20of%20the%20object,%22%2C%20or%20%27certificates%27.&text=An%20object%2Dname%20is%20a,unique%20within%20a%20Key%20Vault.
@dhirajraj8498 3 years ago
Sir, a quick question, can we use AKV with eks cluster?
@nilesh-gule 3 years ago
Hi Dhiraj, each cloud provider has their own implementation of a secret management service. AKV is specific to Azure and integrates well with the Azure services. AWS has a similar service called AWS Secrets Manager. There is a request to integrate this with the Secret Store CSI provider: github.com/aws/containers-roadmap/issues/895 AKV provides a REST API (docs.microsoft.com/en-us/rest/api/keyvault/). So technically it might be possible to pull the secrets stored in AKV and use them with an EKS cluster using some scripting approach. However, it looks like overkill to me to try to do such a thing.
@T03avs03001 4 years ago
Could you pls help me connect akv via springboot app running in aks?
@nilesh-gule 4 years ago
Hi Prabu, there are a couple of articles online which explain the step-by-step process of integrating Azure Key Vault with Spring Boot applications: 1 - medium.com/devopsturkiye/how-to-integrate-azure-kubernetes-and-key-vault-to-keep-secrets-in-secure-for-spring-boot-1d5fe1c5bf90 2 - medium.com/javarevisited/spring-boot-microservices-architecture-on-azure-kubernetes-service-aks-2986154f025a 3 - docs.microsoft.com/en-us/azure/developer/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-key-vault Hope this helps
@T03avs03001 4 years ago
@nilesh-gule Thank you. I am facing a peculiar problem: running my Spring Boot app in AKS and connecting to AKV takes a longer boot-up time (25 mins) than usual. I wanted to know how to connect Spring Boot apps to AKV using the bootstrap.yaml file. ** The same app is running fine in App Service
@nilesh-gule 4 years ago
விஜய் prabu I am not very familiar with Spring Boot. But 25 mins to bootstrap is not normal. Have you tried raising a support ticket with Microsoft for this issue?
@T03avs03001 4 years ago
@nilesh-gule Not an issue. Yes, I raised a support ticket, however it's yet to be assigned to the right person.
@T03avs03001 4 years ago
@nilesh-gule May I know your Twitter ID? I will follow you.
@rishabhgargg 3 years ago
Can we get that Initialise AKV script
@nilesh-gule 3 years ago
Hi Rishabh You can find the initialize script in my github repo github.com/NileshGule/pd-tech-fest-2019
@rishabhgargg 3 years ago
@nilesh-gule Thanks a lot.
@umeshshridar5487 1 year ago
where is the code to run rabbit mq
@nilesh-gule 1 year ago
hi Umesh I am not sure what is the exact question. Assuming you are asking where is the code to install RabbitMQ on the AKS cluster. RabbitMQ is installed using Helm chart. You can find the PowerShell script which deployed the helm chart for RabbitMQ github.com/NileshGule/pd-tech-fest-2019/blob/master/Powershell/deployRabbitMQ.ps1 If your question is about the code related to RabbitMQ Producer for Producing Messages it is available in github.com/NileshGule/pd-tech-fest-2019/tree/master/src/TechTalksMQProducer If you are looking for the consumer code, it can be found at github.com/NileshGule/pd-tech-fest-2019/tree/master/src/TechTalksMQConsumer Hope that answers your query.
@umeshshridar5487 1 year ago
@nilesh-gule Thanks Nilesh, it will work out