Exercise - Securely store variables in secrets


Create a resource group and AKS cluster

Note

This exercise is optional. If you want to complete this exercise, you'll need to create an Azure subscription before you begin. If you don't have an Azure account or you don't want to create one at this time, you can read through the instructions so you understand the information that's being presented.

  1. Create environment variables for your resource group, cluster, DNS zone, and location. Make sure you update the LOCATION variable with the region closest to you, for example, eastus.

    export RESOURCE_GROUP=rg-ship-manager
    export CLUSTER_NAME=ship-manager-cluster
    export ZONE_NAME=ship-$RANDOM.com
    export LOCATION={location}
    
  2. Run the following command to view the values of your environment variables and make a note of them for later use.

    echo "RESOURCE_GROUP:" $RESOURCE_GROUP
    echo "CLUSTER_NAME:" $CLUSTER_NAME
    echo "ZONE_NAME:" $ZONE_NAME
    echo "LOCATION:" $LOCATION
    
  3. Create a resource group using the az group create command.

    az group create --location $LOCATION --name $RESOURCE_GROUP
    
  4. Create an AKS cluster using the az aks create command.

    az aks create \
     -g $RESOURCE_GROUP \
     -n $CLUSTER_NAME \
     --location $LOCATION \
     --node-count 1 \
     --node-vm-size Standard_B2s \
     --generate-ssh-keys
    
  5. Enable the application routing add-on with the following command.

    az aks approuting enable -g $RESOURCE_GROUP -n $CLUSTER_NAME
    

    Note

    If you see a message asking you to install the aks-preview extension, enter Y to install it and continue.

  6. Create a DNS zone using the az network dns zone create command.

    az network dns zone create -g $RESOURCE_GROUP -n $ZONE_NAME
    
  7. Retrieve the ID of your DNS zone and use it as part of the command to add the zone to your cluster for app routing.

    ZONEID=$(az network dns zone show -g $RESOURCE_GROUP -n $ZONE_NAME --query "id" --output tsv)
    az aks approuting zone add -g $RESOURCE_GROUP -n $CLUSTER_NAME --ids=${ZONEID} --attach-zones
    
  8. Get the credentials for your cluster using the az aks get-credentials command.

    az aks get-credentials -n $CLUSTER_NAME -g $RESOURCE_GROUP
    

Create a Secret

Note

In the application documentation, you can see this application has two parts: the front end and the back end. Only the back end needs to use a Secret, because it reads the MongoDB connection string from an environment variable.

  1. Deploy a MongoDB database to support the application using the az cosmosdb create command.

    export DATABASE_NAME=contoso-ship-manager-$RANDOM && \
    az cosmosdb create \
     -n $DATABASE_NAME \
     -g $RESOURCE_GROUP \
     --kind MongoDB
    
  2. Once the database is created, get the connection string using the az cosmosdb keys list command and copy the output value. The connection string embeds the account's primary key as the password, so treat it as a credential: don't paste it into chat, a ticket, or any file you commit to source control.

    az cosmosdb keys list \
      --type connection-strings \
      -g $RESOURCE_GROUP \
      -n $DATABASE_NAME \
      -o tsv \
      --query "connectionStrings[0].connectionString"
    
  3. Create a new YAML file named backend-secret.yaml and paste in the following code to create the Secret spec. Make sure to replace the placeholder string with the connection string from the previous output. Because stringData holds the value in plain text, this file now contains a live credential: keep it out of source control and delete it once the Secret has been applied.

    apiVersion: v1
    kind: Secret
    metadata:
      name: ship-manager-database
      namespace: default
    type: Opaque
    stringData:
      database_mongodb_uri: "<paste the connection string here>"
    
  4. Save and close the file.

  5. Apply the secret using the kubectl apply command.

    kubectl apply -f backend-secret.yaml
    
  6. Check the result by querying for the secret using the kubectl get secret command.

    kubectl get secret ship-manager-database
    

    You should get an output similar to the following example:

    NAME                    TYPE     DATA   AGE
    ship-manager-database   Opaque   1      5s
    

Create the application

  1. Create a new YAML file named backend-application.yaml and paste in the following code to create the Deployment spec.

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: ship-manager-backend
      namespace: default
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: ship-manager-backend
      template:
        metadata:
          labels:
            app: ship-manager-backend
        spec:
          containers:
            - image: mcr.microsoft.com/mslearn/samples/contoso-ship-manager:backend
              name: ship-manager-backend
              ports:
                - containerPort: 3000
                  name: http
              env:
                - name: DATABASE_MONGODB_URI
                  valueFrom:
                    secretKeyRef:
                      key: database_mongodb_uri
                      name: ship-manager-database
                - name: DATABASE_MONGODB_DBNAME
                  value: ship_manager
    

    Notice that in the env section, we use the valueFrom and the secretKeyRef keys. The nesting of these keys tells Kubernetes to populate the DATABASE_MONGODB_URI environment variable from the key named in key (database_mongodb_uri) of the Secret named in name (ship-manager-database). The connection string never appears in the Deployment manifest, so this file is safe to commit. Keep in mind that the Secret itself is stored base64-encoded, not encrypted: anyone with RBAC permission to read Secrets in the namespace can recover the value.

  2. Add three dashes below the last line in the backend-application.yaml file to separate the next section, then paste in the following code to create the Service spec. The trailing three dashes separate the Ingress spec that follows.

    # Previous lines from the deployment
    value: ship_manager
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: ship-manager-backend
      namespace: default
    spec:
      selector:
        app: ship-manager-backend
      ports:
        - name: http
          port: 80
          targetPort: 3000
    ---
    
  3. Below the three dashes, paste in the following code to create the Ingress spec.

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: ship-manager-backend
      namespace: default
    spec:
      ingressClassName: webapprouting.kubernetes.azure.com
      rules:
        - host: ship-manager-backend.<paste the ZONE_NAME here>
          http:
            paths:
              - path: /
                pathType: Prefix
                backend:
                  service:
                    name: ship-manager-backend
                    port:
                      name: http
    
  4. Change the DNS zone in the host: to match the name of your DNS zone. Use the value of the ZONE_NAME variable you created earlier.

  5. Save and close the file.

  6. Apply the changes to your cluster using the kubectl apply command.

    kubectl apply -f backend-application.yaml
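
The following script is an added example, not part of the original exercise or of the Contoso Ship Manager sample. It ties together the two points above: a Secret's data field is only base64-encoded (so it protects against credentials leaking through manifests and source control, not against anyone who can read Secrets in the cluster), and a Deployment should reference the connection string through secretKeyRef rather than pasting it into an env value. It assumes only POSIX sh, base64, grep, sed and mktemp, never contacts a cluster, and uses a placeholder connection string and constructed manifest fragments instead of real Cosmos DB output.

```shell
#!/bin/sh
# Added example (not from the original exercise): demonstrates what the API
# server actually stores for backend-secret.yaml and checks a Deployment
# manifest for a MongoDB connection string pasted inline instead of being
# pulled from a Secret with secretKeyRef. Runs offline; no cluster needed.

# Render the same Secret as backend-secret.yaml, but in the `data:` form the
# API server stores (what `kubectl get secret ship-manager-database -o yaml`
# returns). This is plain base64, not encryption.
render_secret_manifest() {
    name=$1 key=$2 value=$3
    # GNU base64 wraps at 76 columns; strip newlines so the value is one token
    encoded=$(printf '%s' "$value" | base64 | tr -d '\n')
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: default\ntype: Opaque\ndata:\n  %s: %s\n' \
        "$name" "$key" "$encoded"
}

# Recover the plaintext from a rendered manifest. Anyone allowed to `get`
# Secrets in the namespace, or to read etcd without encryption at rest,
# can do exactly this.
decode_secret_value() {
    manifest=$1 key=$2
    printf '%s\n' "$manifest" | sed -n "s/^  $key: //p" | base64 -d
}

# Exit 0 if the manifest carries a MongoDB URI as a literal env `value:`,
# 1 if it does not. Suitable as a pre-apply or CI check.
has_inline_mongodb_uri() {
    grep -Eq '^[[:space:]]*value:[[:space:]]*"?mongodb(\+srv)?://' "$1"
}

# Constructed placeholder (not a real account key or host).
SAMPLE_URI='mongodb://contoso:fakekey@contoso.invalid:10255/?ssl=true'
manifest=$(render_secret_manifest ship-manager-database database_mongodb_uri "$SAMPLE_URI")
echo "$manifest"
echo "decoded from data field: $(decode_secret_value "$manifest" database_mongodb_uri)"

# Constructed Deployment env fragments: one pastes the URI inline, the other
# references the Secret the way backend-application.yaml does.
tmp=$(mktemp -d)
printf '%s\n' '      env:' '        - name: DATABASE_MONGODB_URI' \
    "          value: \"$SAMPLE_URI\"" > "$tmp/inline.yaml"
printf '%s\n' '      env:' '        - name: DATABASE_MONGODB_URI' \
    '          valueFrom:' '            secretKeyRef:' \
    '              key: database_mongodb_uri' \
    '              name: ship-manager-database' > "$tmp/secretref.yaml"
for f in "$tmp"/*.yaml; do
    if has_inline_mongodb_uri "$f"; then
        echo "$f: inline connection string, move it to a Secret"
    else
        echo "$f: ok"
    fi
done
rm -r "$tmp"
```

If you would rather not write the credential to backend-secret.yaml at all, create the Secret directly from the CLI output, for example `kubectl create secret generic ship-manager-database --from-literal=database_mongodb_uri="$(az cosmosdb keys list --type connection-strings -g $RESOURCE_GROUP -n $DATABASE_NAME -o tsv --query "connectionStrings[0].connectionString")"`, and keep the Deployment manifest referencing it through secretKeyRef as above.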