This article is contributed. See the original author and article here.

In the last blog we discussed how to deploy AKS fully integrated with AAD. Also we discussed deploying add-on for Azure Pod Identity and Azure CSI driver. In the article we will discuss how to create an application that using Pod Identity to access Azure Resources.


What is Pod Identity?


Pod Identity is a feature allows applications deployed to communicate with AAD, request a token then use the token to access Azure resources. The simplified workflow for pod managed identity is shown in the following diagram:


magdysalem_1-1618267540439.png


You can review Microsoft docs about pod identity best practice here


How to Create an application using Pod Identity?


In order to use pod identity in our code we will need AKS cluster to be configured with Azure AAD and Pod Identity deployed as we discussed in our pervious post.


Depending on the application, we will need to use an authentication MSI library to request a token from AAD. You can review example here


 


In our pervious post we show after deploying Pod Identity addon, terraform script deployed a managed Identity to namespace “demo” and updated the Key Vault access policy to include this managed identity.


 


In our demo today, we will show how to build application access Azure Key Vault to retrieve secrets using Pod Identity. Sample code exists here. The repo contains sample codes using C#, Java and Python.


Before staring we need to double check out environment to make sure all necessary deployment are deployed



  • AAD Azure Identity Pods under Kube-System namespace:

    kubectl get pods -n kube-system| grep aad”


  • Azure Identity  resource under target namespace

    kubectl get azureIdentity -n demo​


  •  Azure Identity Binding resource under target namespace

    kubectl get azureIdentity -n demo​



Once we confirm the resources then we are ready to start coding.


Java Demo


Source Code Review


The Java demo is a sample java spring boot RestAPI application. Here are few points about the code



  • Add Azure Key vault to pom.xml file

    <dependency>
       <groupId>com.azure.spring</groupId>
       <artifactId>azure-spring-boot-starter-keyvault-secrets</artifactId>
    </dependency>​


  • Under application.properties set key vault properties to managed Identity modemagdysalem_4-1618267844589.png

  • main class shows how we retrieve the secrets using annotationmagdysalem_5-1618267863106.png


Helm Chart Review


The helm chart will be the same chart for all demos (java/C#/Python) we will override the values.yaml during the pipeline run to fit every demo needs. The chart will deploy the following:


magdysalem_6-1618267918164.png


 



  • Applications pods deployment: we can control how many replica from values.yaml

  • Service deployment:

  • Ingress deployment: map incoming request to app services


The main area we point here will be the metadata label aadpodbinding. The pod deployment file MUST have this label. In our environment we deployed the AzureIdentity and AzureIdentityBinding with same name like environment namespace hence we passing the namespace as value for aadpodbinding


magdysalem_7-1618268007659.png


 


Pipeline Review


The pipeline “azure-pipelines-java-kv.yml” has 3 stages as shows in the following figure


magdysalem_8-1618268059320.png


 



  • Java Build: using Maven will package the app and publish it with chart

  • Docker Build: using docker will build an image and publish it to ACR

  • Helm Deployment: using helm will connect to AKS then install helm chart under namespace “demo”. Please notice how we passing new chart values as argumentmagdysalem_0-1618268123225.png


 


 


Once it runs, we should see the following:


magdysalem_1-1618268181936.png


Check our work:


 


magdysalem_2-1618268229456.png


magdysalem_3-1618268243551.png


magdysalem_4-1618268264159.png


magdysalem_5-1618268273250.png


magdysalem_6-1618268282577.png


magdysalem_7-1618268291673.png


 


Finally Use Postman and query the Java app.


magdysalem_8-1618268331471.png


C# Demo


Source Code Review


Demo is identical to Java code. Rest API service that shows secret from KV. The API class is under controller folder and it expect KV URL to pass as environment variable exactly like Java example.


magdysalem_9-1618268370048.png


The pipeline for “azure-pipelines-csharp-kv.yml” is follow same structure of 3 stages



  • CSharp Build: using dotnet will package the app and publish it with chart

  • Docker Build: using docker will build an image and publish it to ACR

  • Helm Deployment: using helm will connect to AKS then install helm chart under namespace “demo”. Please notice how we are passing new chart values as arguments 


Python Demo


Source Code Review


Python code is a FlaskRest API example.


magdysalem_10-1618268413828.png


The pipeline for “azure-pipelines-python-kv.yml” is follow same structure of 2 stages.



  • Docker Build: using docker will build an image and publish it to ACR

  • Helm Deployment: using helm will connect to AKS then install helm chart under namespace “demo”. Please notice how we are passing new chart values as arguments. 


Check our work:


Once we get pipelines deployed for all application, we can review the deployed resources.


magdysalem_11-1618268501712.pngmagdysalem_12-1618268509379.png


magdysalem_13-1618268517743.pngmagdysalem_14-1618268530622.png


 


Use Postman to call apps using ingress host.


Java Demo


magdysalem_15-1618268549890.png


 


Python Demo


magdysalem_16-1618268557672.png


C# Demo


magdysalem_17-1618268563847.png


Summary


We discussed in detail how to setup and configure your application to use Pod Identity. It is great feature to utilize Azure Managed Identity to access Azure resources. In our next blog will discuss Azure secret store provider for csi driver


 


 

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.

%d bloggers like this: