Exercise - Securely store variables in secrets
Create a resource group and AKS cluster
Note
This exercise is optional. If you want to complete this exercise, you'll need to create an Azure subscription before you begin. If you don't have an Azure account or you don't want to create one at this time, you can read through the instructions so you understand the information that's being presented.
Create environment variables for your resource group, cluster, DNS zone, and location. Make sure you update the LOCATION variable with the region closest to you, for example, eastus.

export RESOURCE_GROUP=rg-ship-manager
export CLUSTER_NAME=ship-manager-cluster
export ZONE_NAME=ship-$RANDOM.com
export LOCATION={location}
Run the following commands to view the values of your environment variables and make a note of them for later use.

echo "RESOURCE_GROUP:" $RESOURCE_GROUP
echo "CLUSTER_NAME:" $CLUSTER_NAME
echo "ZONE_NAME:" $ZONE_NAME
echo "LOCATION:" $LOCATION
Create a resource group using the az group create command.

az group create --location $LOCATION --name $RESOURCE_GROUP
Create an AKS cluster using the az aks create command.

az aks create \
  -g $RESOURCE_GROUP \
  -n $CLUSTER_NAME \
  --location $LOCATION \
  --node-count 1 \
  --node-vm-size Standard_B2s \
  --generate-ssh-keys

Enable the application routing add-on with the following command.

az aks approuting enable -g $RESOURCE_GROUP -n $CLUSTER_NAME
Note
If you see a message asking you to install the aks-preview extension, enter Y to install it and continue.
Create a DNS zone using the az network dns zone create command.

az network dns zone create -g $RESOURCE_GROUP -n $ZONE_NAME
Retrieve the ID of your DNS zone and use it as part of the command to add the zone to your cluster for app routing.

ZONEID=$(az network dns zone show -g $RESOURCE_GROUP -n $ZONE_NAME --query "id" --output tsv)
az aks approuting zone add -g $RESOURCE_GROUP -n $CLUSTER_NAME --ids=${ZONEID} --attach-zones
Get the credentials for your cluster using the az aks get-credentials command.

az aks get-credentials -n $CLUSTER_NAME -g $RESOURCE_GROUP
Create a Secret
Note
In the application documentation, you can see this application has two parts: the front end and the back end. Only the back end needs to use a Secret, because it has the MongoDB connection string as an environment variable.
Deploy a MongoDB database to support the application using the az cosmosdb create command.

export DATABASE_NAME=contoso-ship-manager-$RANDOM && \
az cosmosdb create \
  -n $DATABASE_NAME \
  -g $RESOURCE_GROUP \
  --kind MongoDB
Once the database is created, get the connection string using the az cosmosdb keys list command and copy the output value.

az cosmosdb keys list \
  --type connection-strings \
  -g $RESOURCE_GROUP \
  -n $DATABASE_NAME \
  -o tsv \
  --query "connectionStrings[0].connectionString"
Create a new YAML file named backend-secret.yaml and paste in the following code to create the Secret spec. Make sure to replace the placeholder string with the connection string from the previous output.

apiVersion: v1
kind: Secret
metadata:
  name: ship-manager-database
  namespace: default
type: Opaque
stringData:
  database_mongodb_uri: "<paste the connection string here>"
Save and close the file.
Apply the Secret using the kubectl apply command.

kubectl apply -f backend-secret.yaml

Check the result by querying for the Secret using the kubectl get secret command.

kubectl get secret ship-manager-database

You should get an output similar to the following example:

NAME                    TYPE     DATA   AGE
ship-manager-database   Opaque   1      5s
Create the application
Create a new YAML file named backend-application.yaml and paste in the following code to create the Deployment spec.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: ship-manager-backend
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ship-manager-backend
  template:
    metadata:
      labels:
        app: ship-manager-backend
    spec:
      containers:
        - image: mcr.microsoft.com/mslearn/samples/contoso-ship-manager:backend
          name: ship-manager-backend
          ports:
            - containerPort: 3000
              name: http
          env:
            - name: DATABASE_MONGODB_URI
              valueFrom:
                secretKeyRef:
                  key: database_mongodb_uri
                  name: ship-manager-database
            - name: DATABASE_MONGODB_DBNAME
              value: ship_manager
Notice that in the env section, we use the valueFrom and secretKeyRef keys. This nesting tells the Deployment to take the value of the entry named in key from the Secret named in name, so the environment variable is populated from the Secret rather than from a literal in the manifest.
Add three dashes below the last line in the backend-application.yaml file to separate the next section, and paste in the following code to create the Service spec.

# Previous lines from the deployment
              value: ship_manager
---
apiVersion: v1
kind: Service
metadata:
  name: ship-manager-backend
  namespace: default
spec:
  selector:
    app: ship-manager-backend
  ports:
    - name: http
      port: 80
      targetPort: 3000
---
Below the three dashes, paste in the following code to create the Ingress spec.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ship-manager-backend
  namespace: default
spec:
  ingressClassName: webapprouting.kubernetes.azure.com
  rules:
    - host: ship-manager-backend.<paste the ZONE_NAME here>
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: ship-manager-backend
                port:
                  name: http
Change the DNS zone in the host: field to match the name of your DNS zone. Use the value of the ZONE_NAME variable you created earlier.
Save and close the file.
Apply the changes to your cluster using the kubectl apply command.

kubectl apply -f backend-application.yaml
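As an added example (not part of the exercise or the sample application), the following POSIX shell check catches the mistake the env section is prone to: a secretKeyRef whose name or key does not match what the Secret manifest actually defines, which otherwise only surfaces as a pod stuck in CreateContainerConfigError after kubectl apply. It assumes only awk, sed and grep; the sample manifests are constructed inline with a placeholder URI.

```shell
# Added example (not from the exercise): a pre-apply check that every secretKeyRef
# in a Deployment manifest names a Secret and key that exist in the Secret manifest.
# Print the Secret's metadata.name on line 1, then one stringData/data key per line.
secret_keys() {
  awk '
    /^  name:/ && !seen { sub(/^  name:[ \t]*/, ""); print; seen = 1; next }
    /^(stringData|data):/ { in_data = 1; next }
    in_data && /^[^ ]/ { in_data = 0 }
    in_data && /^  [A-Za-z0-9_.-]+:/ { k = $1; sub(/:$/, "", k); print k }
  ' "$1"
}
# Print "secretName key" for every secretKeyRef block in a Deployment manifest.
secret_refs() {
  awk '
    /secretKeyRef:/ { in_ref = 1; k = ""; n = ""; next }
    in_ref && /^[ \t]*key:/ { k = $2 }
    in_ref && /^[ \t]*name:/ { n = $2 }
    in_ref && k != "" && n != "" { print n, k; in_ref = 0 }
  ' "$1"
}
# Return 0 when every reference resolves, 1 otherwise (failures go to stderr).
check_secret_refs() {
  sname=$(secret_keys "$2" | sed -n '1p')
  keys=$(secret_keys "$2" | sed '1d')
  missing=$(secret_refs "$1" | while read -r n k; do
    [ "$n" = "$sname" ] || { echo "no Secret named $n (manifest defines $sname)"; continue; }
    echo "$keys" | grep -qx "$k" || echo "key $k is not defined in Secret $n"
  done)
  [ -z "$missing" ] && return 0
  printf '%s\n' "$missing" >&2
  return 1
}
# Constructed sample manifests modelled on the exercise's backend-secret.yaml and
# the env section of backend-application.yaml (placeholder URI, not a real secret).
SECRET=$(mktemp) && cat > "$SECRET" <<'EOF'
apiVersion: v1
kind: Secret
metadata:
  name: ship-manager-database
stringData:
  database_mongodb_uri: "mongodb://placeholder"
EOF
DEPLOY=$(mktemp) && cat > "$DEPLOY" <<'EOF'
          env:
            - name: DATABASE_MONGODB_URI
              valueFrom:
                secretKeyRef:
                  key: database_mongodb_uri
                  name: ship-manager-database
EOF
check_secret_refs "$DEPLOY" "$SECRET" && echo "all secretKeyRefs resolve"
```

Run it against your real backend-application.yaml and backend-secret.yaml before the kubectl apply step; a swapped key/name pair or a typo in either value is reported and the function returns non-zero.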