How-To: Deploy Microservice Application with Pod Identity Using Helm Chart
Published Apr 12 2021 04:30 PM 3,551 Views
Microsoft

 

In the last blog we discussed how to deploy AKS fully integrated with AAD. Also we discussed deploying add-on for Azure Pod Identity and Azure CSI driver. In the article we will discuss how to create an application that using Pod Identity to access Azure Resources.

 

What is Pod Identity?

Pod Identity is a feature allows applications deployed to communicate with AAD, request a token then use the token to access Azure resources. The simplified workflow for pod managed identity is shown in the following diagram:

magdysalem_1-1618267540439.png

 

You can review Microsoft docs about pod identity best practice here

 

How to Create an application using Pod Identity?

 

In order to use pod identity in our code we will need AKS cluster to be configured with Azure AAD and Pod Identity deployed as we discussed in our pervious post.

Depending on the application, we will need to use an authentication MSI library to request a token from AAD. You can review example here

 

In our previous post we show after deploying Pod Identity addon, terraform script deployed a managed Identity to namespace “demo” and updated the Key Vault access policy to include this managed identity.

 

In our demo today, we will show how to build application access Azure Key Vault to retrieve secrets using Pod Identity. Sample code exists here. The repo contains sample codes using C#, Java and Python.

 

Before staring we need to double check out environment to make sure all necessary deployment are deployed

  • AAD Azure Identity Pods under Kube-System namespace:
    kubectl get pods -n kube-system| grep aad”
  • Azure Identity  resource under target namespace
    kubectl get azureIdentity -n demo​
  •  Azure Identity Binding resource under target namespace
    kubectl get azureIdentity -n demo​

Once we confirm the resources then we are ready to start coding.

 

Java Demo

 

Source Code Review

The Java demo is a sample java spring boot RestAPI application. Here are few points about the code

  • Add Azure Key vault to pom.xml file
    <dependency>
       <groupId>com.azure.spring</groupId>
       <artifactId>azure-spring-boot-starter-keyvault-secrets</artifactId>
    </dependency>​
  • Under application.properties set key vault properties to managed Identity modemagdysalem_4-1618267844589.png
  • main class shows how we retrieve the secrets using annotationmagdysalem_5-1618267863106.png

 

Helm Chart Review

 

The helm chart will be the same chart for all demos (java/C#/Python) we will override the values.yaml during the pipeline run to fit every demo needs. The chart will deploy the following:

 

magdysalem_6-1618267918164.png

 

  • Applications pods deployment: we can control how many replica from values.yaml
  • Service deployment:
  • Ingress deployment: map incoming request to app services

The main area we point here will be the metadata label aadpodbinding. The pod deployment file MUST have this label. In our environment we deployed the AzureIdentity and AzureIdentityBinding with same name like environment namespace hence we passing the namespace as value for aadpodbinding

 

magdysalem_7-1618268007659.png

 

Pipeline Review

 

The pipeline “azure-pipelines-java-kv.yml” has 3 stages as shows in the following figure:

 

magdysalem_8-1618268059320.png

 

  • Java Build: using Maven will package the app and publish it with chart
  • Docker Build: using docker will build an image and publish it to ACR
  • Helm Deployment: using helm will connect to AKS then install helm chart under namespace “demo”. Please notice how we passing new chart values as argumentmagdysalem_0-1618268123225.png

 

 

 

 

 

 

 

 

 

Once it runs, we should see the following:

magdysalem_1-1618268181936.png

 

Check our work:

 

magdysalem_2-1618268229456.png

magdysalem_3-1618268243551.png

magdysalem_4-1618268264159.png

magdysalem_5-1618268273250.png

magdysalem_6-1618268282577.png

magdysalem_7-1618268291673.png

 

Finally Use Postman and query the Java app.

magdysalem_8-1618268331471.png

 

C# Demo

 

Source Code Review

 

Demo is identical to Java code. Rest API service that shows secret from KV. The API class is under controller folder and it expect KV URL to pass as environment variable exactly like Java example.

 

magdysalem_9-1618268370048.png

 

The pipeline for “azure-pipelines-csharp-kv.yml” is follow same structure of 3 stages

  • CSharp Build: using dotnet will package the app and publish it with chart
  • Docker Build: using docker will build an image and publish it to ACR
  • Helm Deployment: using helm will connect to AKS then install helm chart under namespace “demo”. Please notice how we are passing new chart values as arguments 

 

Python Demo

 

Source Code Review

 

Python code is a FlaskRest API example.

magdysalem_10-1618268413828.png

 

The pipeline for “azure-pipelines-python-kv.yml” is follow same structure of 2 stages.

  • Docker Build: using docker will build an image and publish it to ACR
  • Helm Deployment: using helm will connect to AKS then install helm chart under namespace “demo”. Please notice how we are passing new chart values as arguments. 

 

Check our work:

 

Once we get pipelines deployed for all application, we can review the deployed resources.

magdysalem_11-1618268501712.pngmagdysalem_12-1618268509379.png

magdysalem_13-1618268517743.pngmagdysalem_14-1618268530622.png

 

Use Postman to call apps using ingress host.

 

Java Demo

magdysalem_15-1618268549890.png

 

Python Demo

magdysalem_16-1618268557672.png

 

C# Demo

magdysalem_17-1618268563847.png

 

Summary

 

We discussed in detail how to setup and configure your application to use Pod Identity. It is great feature to utilize Azure Managed Identity to access Azure resources. In our next blog will discuss Azure secret store provider for csi driver

 

 

 

Disclaimer
The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.

 

Co-Authors
Version history
Last update:
‎Apr 13 2021 08:16 AM
Updated by: