How to manage

Views: 9,585

Nilesh Gule

#kubernetes #secrets #azurekeyvault #azurecontaineregistry
This video walks through the process of integrating Azure Key Vault (AKV) with Azure Kubernetes Service (AKS).
The AKS cluster is created using Managed Identity and integrates with Azure Container Registry (ACR) to pull images.
Azure Key Vault (AKV) stores the secrets for the RabbitMQ configuration. These are mounted as Kubernetes secrets using the Azure provider for the Secrets Store CSI Driver.
An updated version of the video is available at
• Manage Kubernetes secr...
▬▬▬▬▬▬ ⏱ Chapters⏱ ▬▬▬▬▬▬
00:00 - Introduction
0:55 - Overview of demo application
1:40 - Kubernetes Environment variables
3:50 - Pre-requisites for running the demo
5:35 - Create Azure Key Vault (AKV)
6:45 - Access Key Vault using Azure Portal
7:50 - AKV Access Policies
10:19 - Assign Get permission to Managed Identity for AKV secrets
11:20 - Kubernetes Secrets Store CSI Driver
13:45 - Azure Provider for CSI
14:08 - Deploy Azure Provider for CSI using Helm
16:00 - Sync AKV secrets with Kubernetes Secret object
23:15 - Update Kubernetes Deployment manifest to use Volume Mounts
24:30 - Update Env variables to populate using Kubernetes secrets
26:30 - Deploy RabbitMQ Producer & Consumer
30:30 - KEDA auto-scaler in action
33:00 - Azure Key Vault Provider for Secrets Store Driver Capabilities
34:00 - Helm install AKV Provider
35:00 - Secrets Store Provider modes
39:15 - 5 step process
39:30 - Octant Resource Viewer
▬▬▬▬▬▬ 👋 Contact me 👋 ▬▬▬▬▬▬
Connect with me here:
- 🔗 Subscribe: / @nilesh-gule
- 🔗 KZbin : / @nilesh-gule
- 🔗 GitHub: github.com/nileshgule
- 🔗 Twitter: / nileshgule
- 🔗 Website: www.HandsOnArchitect.com/
- 🔗 LinkedIn : / nileshgule
#akv #aks #csi #Azure #kubernetes #k8s #AzureKeyVault #AzureContainerRegistry #AzureKubernetesService #ManagedIdentity #KEDA #CSI #secretsstoreprovider #howto #demo #tutorial

Comments: 39
@nilesh-gule 5 months ago
There is an updated version of the video available. Please refer to this kzbin.info/www/bejne/pojNeIyFp7JgnpI
@kris4202 3 years ago
Good one. Thanks for sharing your knowledge. I really appreciate it.
@nilesh-gule 3 years ago
Glad it was helpful!
@swapnilpotnis7904 3 years ago
Thank You for the Tutorial. Keep up the Good Work. :)
@nilesh-gule 3 years ago
Glad it helped!
@ShahulHameed-ly8ub 8 months ago
Great session
@nilesh-gule 8 months ago
Thanks. Glad that you found it useful.
@cartierin 3 years ago
Great video!! Do you know if we can use certs saved in KV for NGINX Ingress TLS? If so, do you know if anyone has documented this process?
@nilesh-gule 3 years ago
Hi J Thomas, as per the documentation, the CSI secret store provider supports keys, secrets and certificates. You can refer to this readme file for more details: github.com/Azure/secrets-store-csi-driver-provider-azure. There are some examples related to NGINX in the examples of the CSI Store driver: github.com/Azure/secrets-store-csi-driver-provider-azure/tree/master/examples. Since this is an open source project, if the documentation doesn't exist you can raise a request and I am sure somebody will be able to help.
@cartierin 3 years ago
Nilesh Gule, thank you!
@mukulbadhan5336 1 year ago
How will these steps change if we use a self-built Kubernetes cluster on Azure VMs instead of AKS? And can we use Harbor instead of Azure Container Registry?
@nilesh-gule 1 year ago
You will need to use a solution which integrates with Harbor instead of Azure Container Registry. Usually, you can use image pull secrets to pull images from a different container registry. Here are a few links: stackoverflow.com/questions/72880842/pulling-image-from-private-container-registry-harbor-in-kubernetes and kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
@kalankaraivilakkam 2 years ago
Hi Nilesh, great stuff with a neat presentation. I have a question. I have my TLS certificates stored in AKV Secrets. How can I use those certificates in my Ingress resource? Is this possible with your approach? Can you please guide me with the steps or a next video tutorial? Thanks a lot.
@nilesh-gule 2 years ago
Here are a couple of examples of using AKV for storing a TLS cert and integrating that with an Ingress resource: blog.baeke.info/2020/12/07/certificates-with-azure-key-vault-and-nginx-ingress-controller/amp/ and github.com/mspnp/aks-baseline-multi-region/blob/main/docs/deploy/08-secret-managment-and-ingress-controller.md
@n3x4r3 3 years ago
First of all, great tutorial, but I have a problem with the CSI: it doesn't sync the keys. If I change the secret on the server, it never changes until I kill the pod.
@nilesh-gule 3 years ago
Hi @n3x4r, as per the documentation of the Azure Key Vault Provider for the Secret Store CSI driver, the secrets will only sync once you start a pod. Refer to the doc for more details: azure.github.io/secrets-store-csi-driver-provider-azure/configurations/sync-with-k8s-secrets/
@nilesh-gule 3 years ago
@n3x4r Came across a feature to enable / disable auto rotation of secrets: docs.microsoft.com/en-us/azure/aks/csi-secrets-store-driver. This seems to be in preview currently, as of May 2021.
@sadhufit 3 years ago
Hello Nilesh, can we use APP_ENV as a secret name in Azure Key Vault? I tried it and it says I cannot use special characters like _
@nilesh-gule 3 years ago
As per the naming conventions for objects in Azure Key Vault, _ is not allowed. Refer to the Azure Key Vault documentation for more details: docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates#:~:text=Vault%20name%20and%20Managed%20HSM,a%2Dz%2C%20A%2DZ%2C%20and%20%2D.&text=The%20type%20of%20the%20object,%22%2C%20or%20%27certificates%27.&text=An%20object%2Dname%20is%20a,unique%20within%20a%20Key%20Vault.
@shamstabrez2986 9 months ago
Please upload the updated content; it's been 3 years since you uploaded this.
@nilesh-gule 9 months ago
Hi Tabrez, thanks for the feedback. Indeed, it has been quite a while since this video was published. I'll add it to my to-do list to update the content.
@nilesh-gule 5 months ago
The content has been updated. Please refer to this new video kzbin.info/www/bejne/pojNeIyFp7JgnpI
@dhirajraj8498 3 years ago
Sir, a quick question: can we use AKV with an EKS cluster?
@nilesh-gule 3 years ago
Hi Dhiraj, each cloud provider has their own implementation of a secret management service. AKV is specific to Azure and integrates well with the Azure services. AWS has a similar service called AWS Secrets Manager. There is a request to integrate this with the Secret Store CSI provider: github.com/aws/containers-roadmap/issues/895. AKV provides a REST API (docs.microsoft.com/en-us/rest/api/keyvault/). So technically it might be possible to pull the secrets stored in AKV and use them with an EKS cluster using some scripting approach. However, it looks like overkill to me to try to do such a thing.
@T03avs03001 4 years ago
Could you please help me connect AKV via a Spring Boot app running in AKS?
@nilesh-gule 4 years ago
Hi Prabu, there are a couple of articles online which explain the step-by-step process of integrating Azure Key Vault with Spring Boot applications: 1 - medium.com/devopsturkiye/how-to-integrate-azure-kubernetes-and-key-vault-to-keep-secrets-in-secure-for-spring-boot-1d5fe1c5bf90 2 - medium.com/javarevisited/spring-boot-microservices-architecture-on-azure-kubernetes-service-aks-2986154f025a 3 - docs.microsoft.com/en-us/azure/developer/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-key-vault Hope this helps.
@T03avs03001 4 years ago
@nilesh-gule Thank you. I am facing a peculiar problem: my Spring Boot app running in AKS and connecting to AKV takes a longer boot-up time (25 mins) than usual. I wanted to know how to connect Spring Boot apps to AKV using the bootstrap.yaml file. ** The same app is running fine in App Service.
@nilesh-gule 4 years ago
விஜய் prabu, I am not very familiar with Spring Boot. But 25 mins to bootstrap is not normal. Have you tried raising a support ticket with Microsoft for this issue?
@T03avs03001 4 years ago
@nilesh-gule Not an issue. Yes, I raised a support ticket, however it's yet to be assigned to the right person.
@T03avs03001 4 years ago
@nilesh-gule May I know your Twitter ID? I will follow you.
@rishabhgargg 3 years ago
Can we get that Initialise AKV script?
@nilesh-gule 3 years ago
Hi Rishabh, you can find the initialize script in my GitHub repo: github.com/NileshGule/pd-tech-fest-2019
@rishabhgargg 3 years ago
@nilesh-gule Thanks a lot.
@umeshshridar5487 1 year ago
Where is the code to run RabbitMQ?
@nilesh-gule 1 year ago
Hi Umesh, I am not sure what the exact question is. Assuming you are asking where the code to install RabbitMQ on the AKS cluster is: RabbitMQ is installed using a Helm chart. You can find the PowerShell script which deployed the Helm chart for RabbitMQ at github.com/NileshGule/pd-tech-fest-2019/blob/master/Powershell/deployRabbitMQ.ps1. If your question is about the code for the RabbitMQ Producer that produces messages, it is available at github.com/NileshGule/pd-tech-fest-2019/tree/master/src/TechTalksMQProducer. If you are looking for the consumer code, it can be found at github.com/NileshGule/pd-tech-fest-2019/tree/master/src/TechTalksMQConsumer. Hope that answers your query.
@umeshshridar5487 1 year ago
@nilesh-gule Thanks Nilesh, it will work out.