Exercise - Securely store variables in secrets

  • 10 minutes

Create a resource group and AKS cluster

Note

This exercise is optional. If you want to complete this exercise, you'll need to create an Azure subscription before you begin. If you don't have an Azure account or you don't want to create one at this time, you can read through the instructions so you understand the information that's being presented.

  1. Create environment variables for your resource group, cluster, DNS zone, and location. Make sure you update the LOCATION variable with the region closest to you, for example, eastus.

    export RESOURCE_GROUP=rg-ship-manager
export CLUSTER_NAME=ship-manager-cluster
export ZONE_NAME=ship-$RANDOM.com
export LOCATION={location}

  2. Run the following command to view the values of your environment variables and make a note of them for later use.

    echo "RESOURCE_GROUP:" $RESOURCE_GROUP
echo "CLUSTER_NAME:"$CLUSTER_NAME
echo "ZONE_NAME:" $ZONE_NAME
echo "LOCATION:"$LOCATION

  3. Create a resource group using the az group create command.

    az group create --location $LOCATION --name $RESOURCE_GROUP

  4. Create an AKS cluster using the az aks create command.

    az aks create \
 -g $RESOURCE_GROUP \
 -n $CLUSTER_NAME \
 --location $LOCATION \
 --node-count 1 \
 --node-vm-size Standard_B2s \
 --generate-ssh-keys

  5. Enable the application routing add-on with the following command.

    az aks approuting enable -g $RESOURCE_GROUP -n $CLUSTER_NAME

    Note

    If you see a message asking you to install the aks-preview extension, enter Y to install it and continue.

  6. Create a DNS zone using the az network dns zone create command.

    az network dns zone create -g $RESOURCE_GROUP -n $ZONE_NAME

  7. Retrieve the ID of your DNS zone and use it as part of the command to add the zone to your cluster for app routing.

    ZONEID=$(az network dns zone show -g $RESOURCE_GROUP -n $ZONE_NAME --query "id" --output tsv)
az aks approuting zone add -g $RESOURCE_GROUP -n $CLUSTER_NAME --ids=${ZONEID} --attach-zones

  8. Get the credentials for your cluster using the az aks get-credentials command.

    az aks get-credentials -n $CLUSTER_NAME -g $RESOURCE_GROUP

Create a Secret

Note

In the application documentation, you can see this application has two parts: the front end and the back end. Only the back end needs to use a Secret, because it has the MongoDB connection string as an environment variable.

  1. Deploy a MongoDB database to support the application using the az cosmosdb create command.

    export DATABASE_NAME=contoso-ship-manager-$RANDOM && \
az cosmosdb create \
 -n $DATABASE_NAME \
 -g $RESOURCE_GROUP \
 --kind MongoDB

  2. Once the database is created, get the connection string using the az cosmosdb keys list command and copy the output value.

    az cosmosdb keys list \
  --type connection-strings \
  -g $RESOURCE_GROUP \
  -n $DATABASE_NAME \
  -o tsv \
  --query "connectionStrings[0].connectionString"

  3. Create a new YAML file named backend-secret.yaml and paste in the following code to create the Secret spec. Make sure to replace the placeholder string with the connection string from the previous output.

    apiVersion: v1
kind: Secret
metadata:
  name: ship-manager-database
  namespace: default
type: Opaque
stringData:
  database_mongodb_uri: "<paste the connection string here>"

  4. Save and close the file.

  5. Apply the secret using the kubectl apply command.

    kubectl apply -f backend-secret.yaml

  6. Check the result by querying for the secret using the kubectl get secret command.

    kubectl get secret ship-manager-database

    You should get an output similar to the following example:

    NAME                    TYPE     DATA   AGE
ship-manager-database   Opaque   1      5s

Create the application

  1. Create a new YAML file named backend-application.yaml and paste in the following code to create the Deployment spec.

    apiVersion: apps/v1
kind: Deployment
metadata:
  name: ship-manager-backend
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ship-manager-backend
  template:
    metadata:
      labels:
        app: ship-manager-backend
    spec:
      containers:
        - image: mcr.microsoft.com/mslearn/samples/contoso-ship-manager:backend
          name: ship-manager-backend
          ports:
            - containerPort: 3000
              name: http
          env:
            - name: DATABASE_MONGODB_URI
              valueFrom:
                secretKeyRef:
                  key: database_mongodb_uri
                  name: ship-manager-database
            - name: DATABASE_MONGODB_DBNAME
              value: ship_manager

    Notice that in the env section, we use the valueFrom and the secretKeyRef keys. The order of these keys tells the deployment to use the value from the key present in the Secret defined in the name key.

  2. Add three dashes below the last line in the backend-application.yaml file to separate the next section.

    # Previous lines from the deployment
value: ship_manager
---
apiVersion: v1
kind: Service
metadata:
  name: ship-manager-backend
  namespace: default
spec:
  selector:
    app: ship-manager-backend
  ports:
    - name: http
      port: 80
      targetPort: 3000
---

  3. Below the three dashes, paste in the following code to create the Ingress spec.

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ship-manager-backend
  namespace: default
  annotations:
    spec.ingressClassName: webapprouting.kubernetes.azure.com
spec:
  rules:
    - host: ship-manager-backend.<paste the ZONE_NAME here>
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: ship-manager-backend
                port:
                  name: http

  4. Change the DNS zone in the host: to match the name of your DNS zone. Use the value of the ZONE_NAME variable you created earlier.

  5. Save and close the file.

  6. Apply the changes to your cluster using the kubectl apply command.

    kubectl apply -f backend-application.yaml