Simplifying Azure Kubernetes Service Authentication Part 3
Published Mar 10 2024 08:39 PM 1,271 Views
Microsoft

Welcome to the third installment of this series on simplifying Azure Kubernetes Service authentication. Part two is here: Part 2. In this third part we’ll continue from where we left off and set up cert-manager, create a CA issuer, update our ingress routes, register our app, and create secrets and a cookie for authentication. You can also refer to the official documentation for some of the steps: TLS with an ingress controller.

Install cert-manager Let’s Encrypt

In the previous post we uploaded the cert-manager images to our ACR. Now let’s install cert-manager from those images by running the following:

 

# Set variable for ACR location to use for pulling images
$AcrUrl = (Get-AzContainerRegistry -ResourceGroupName $ResourceGroup -Name $RegistryName).LoginServer

# Label the ingress-basic namespace to disable resource validation
kubectl label namespace ingress-basic cert-manager.io/disable-validation=true

# Add the Jetstack Helm repository
helm repo add jetstack https://charts.jetstack.io

# Update your local Helm chart repository cache
helm repo update

# Install the cert-manager Helm chart
helm install cert-manager jetstack/cert-manager --namespace ingress-basic --version $CertManagerTag --set installCRDs=true --set nodeSelector."kubernetes\.io/os"=linux --set image.repository="${AcrUrl}/${CertManagerImageController}" --set image.tag=$CertManagerTag --set webhook.image.repository="${AcrUrl}/${CertManagerImageWebhook}" --set webhook.image.tag=$CertManagerTag --set cainjector.image.repository="${AcrUrl}/${CertManagerImageCaInjector}" --set cainjector.image.tag=$CertManagerTag

 

Check the output and make sure the READY column is set to True.

Create a CA Issuer

A certificate authority (CA) validates the identities of entities (such as websites, email addresses, companies, or individual persons) and binds them to cryptographic keys through the issuance of digital certificates. We are using the Let’s Encrypt CA. We configure cert-manager to request certificates from it by applying a ClusterIssuer from our ingress-basic namespace. Create the following cluster-issuer.yaml file:

 

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: MY_EMAIL_ADDRESS
    privateKeySecretRef:
      name: letsencrypt
    solvers:
    - http01:
        ingress:
          class: nginx
          podTemplate:
            spec:
              nodeSelector:
                "kubernetes.io/os": linux

 

 

Now apply this yaml file by running the following kubectl command:

 

kubectl apply -f cluster-issuer.yaml --namespace ingress-basic

 

Update your ingress route

In the previous part of this series we created an FQDN, which lets us reach our apps in the web browser via a URL. We need to update our ingress routes for that hostname and for TLS. Update hello-world-ingress.yaml as follows:

 

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hello-world-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    nginx.ingress.kubernetes.io/use-regex: "true"
    cert-manager.io/cluster-issuer: letsencrypt
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - hello-world-ingress.MY_CUSTOM_DOMAIN
    secretName: tls-secret
  rules:
  - host: hello-world-ingress.MY_CUSTOM_DOMAIN
    http:
      paths:
      - path: /hello-world-one(/|$)(.*)
        pathType: Prefix
        backend:
          service:
            name: aks-helloworld-one
            port:
              number: 80
      - path: /hello-world-two(/|$)(.*)
        pathType: Prefix
        backend:
          service:
            name: aks-helloworld-two
            port:
              number: 80
      - path: /(.*)
        pathType: Prefix
        backend:
          service:
            name: aks-helloworld-one
            port:
              number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hello-world-ingress-static
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/rewrite-target: /static/$2
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - hello-world-ingress.MY_CUSTOM_DOMAIN
    secretName: tls-secret
  rules:
  - host: hello-world-ingress.MY_CUSTOM_DOMAIN
    http:
      paths:
      - path: /static(/|$)(.*)
        pathType: Prefix
        backend:
          service:
            name: aks-helloworld-one
            port:
              number: 80

 

Then apply the update:

 

kubectl apply -f hello-world-ingress.yaml --namespace ingress-basic

 

Check the output and make sure the READY column is set to True.
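To see what the regex paths and rewrite-target annotations above actually do to a request, here is an added Python model (not part of the original post or of ingress-nginx itself) that evaluates the four rules from both Ingress objects against sample request paths. It assumes ingress-nginx anchors each regex at the start of the path, matches case-insensitively, and substitutes an unset capture group with an empty string; the most-specific-first rule order is also an assumption of the model.

```python
import re

# Rules transcribed from the two Ingress objects above, which share the host
# hello-world-ingress.MY_CUSTOM_DOMAIN: (path regex, backend service, rewrite-target).
# The catch-all /(.*) is listed last; ingress-nginx's real location ordering is
# more involved, so this order is an assumption of the model.
RULES = [
    (r"/hello-world-one(/|$)(.*)", "aks-helloworld-one", "/$2"),
    (r"/hello-world-two(/|$)(.*)", "aks-helloworld-two", "/$2"),
    (r"/static(/|$)(.*)", "aks-helloworld-one", "/static/$2"),
    (r"/(.*)", "aks-helloworld-one", "/$2"),
]


def expand_rewrite(template: str, match: re.Match) -> str:
    """Expand $1, $2 ... the way nginx does: a group the regex never captured is ""."""
    def group_or_empty(m: re.Match) -> str:
        idx = int(m.group(1))
        if idx > match.re.groups:
            return ""
        return match.group(idx) or ""
    return re.sub(r"\$(\d)", group_or_empty, template)


def route(request_path: str):
    """Return (backend service, path sent upstream), or None if no rule matches."""
    for pattern, backend, template in RULES:
        m = re.match(pattern, request_path, re.IGNORECASE)
        if m:
            return backend, expand_rewrite(template, m)
    return None


if __name__ == "__main__":
    # Constructed sample request paths
    samples = ["/hello-world-one/api/items", "/hello-world-two", "/Hello-World-Two/login",
               "/static/css/site.css", "/hello-world-twofoo", "/about"]
    for p in samples:
        print(f"{p:30} -> {route(p)}")
```

Two things the model makes visible: the `(/|$)` guard is what stops `/hello-world-twofoo` from being routed as the second app, and because the catch-all `/(.*)` has only one capture group, `/$2` sends every otherwise unmatched path to `/` on aks-helloworld-one.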

Register your app in Entra ID and create a client secret

Azure Active Directory (AAD), now called Microsoft Entra ID, lets you register an application (an app registration) so that it can interact with Azure services and authenticate users. We then use this app registration to obtain a client ID and client secret for authentication. Perform the following actions to register an app and create a client secret.

  • In the Azure portal, search for Microsoft Entra ID
  • Click App registrations in the left-hand navigation
  • Click the New registration button
  • Add a name and enter your redirect URL (Web): https://FQDN/oauth2/callback
  • Register, and take note of your Application (client) ID
  • Click Certificates & secrets, click New client secret, and take note of the secret Value

Create a cookie secret and set Kubernetes secrets

Now store the client ID, client secret, and cookie secret as Kubernetes secrets. Remember that this series is for educational purposes and thus may not meet all security requirements. If you need to store your secrets in a more secure location, see how to use Key Vault to do so: Key Vault. Run the following commands in PowerShell:

 

# Generate a random cookie secret for oauth2-proxy (it must decode to 16, 24 or 32 bytes)
$cookie_secret="$(openssl rand -hex 16)"

# or with python
$cookie_secret="$(python -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())')"

# Store the app registration values and the cookie secret as Kubernetes secrets
kubectl create secret generic client-id --from-literal=oauth2_proxy_client_id=<APPID> -n ingress-basic
kubectl create secret generic client-secret --from-literal=oauth2_proxy_client_secret=<SECRETVALUE> -n ingress-basic
kubectl create secret generic cookie-secret --from-literal=oauth2_proxy_cookie_secret=$cookie_secret -n ingress-basic

 
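Added here as an example (not from the original post or from oauth2-proxy's code base): a Python model of why both cookie-secret generators above produce values oauth2-proxy will accept, plus a length check you can run on a hand-typed value. The decoding rule it models (try base64url first, keep the result only if it is 16, 24 or 32 bytes, otherwise use the raw string bytes) is an assumption of this example based on oauth2-proxy's documented length requirement.

```python
import base64
import binascii
import os

# Key lengths oauth2-proxy accepts for its cookie secret (AES-128/192/256).
VALID_LENGTHS = (16, 24, 32)


def generate_cookie_secret(method: str = "hex") -> str:
    """Mirror the two generators on this page: openssl rand -hex 16, or base64url of 32 random bytes."""
    if method == "hex":
        return os.urandom(16).hex()
    if method == "base64":
        return base64.urlsafe_b64encode(os.urandom(32)).decode()
    raise ValueError("method must be 'hex' or 'base64'")


def secret_bytes(secret: str) -> bytes:
    """Model (assumption, see lead-in) of how the configured string becomes key bytes:
    a base64url decode is used only if it yields an AES key length; otherwise the raw
    string bytes are used."""
    padded = secret + "=" * (-len(secret) % 4)
    try:
        decoded = base64.b64decode(padded, altchars=b"-_", validate=True)
        if len(decoded) in VALID_LENGTHS:
            return decoded
    except (binascii.Error, ValueError):
        pass
    return secret.encode()


def is_valid_cookie_secret(secret: str) -> bool:
    return len(secret_bytes(secret)) in VALID_LENGTHS


if __name__ == "__main__":
    for method in ("hex", "base64"):
        s = generate_cookie_secret(method)
        print(f"{method:6} {s} -> {len(secret_bytes(s))} key bytes, valid={is_valid_cookie_secret(s)}")
    # A constructed hand-typed value of the wrong length would be rejected at startup.
    print("short-secret-20chars ->", is_valid_cookie_secret("short-secret-20chars"))
```

Under this model the 32-character hex string from `openssl rand -hex 16` base64-decodes to 24 bytes and the Python output decodes to 32, so both are accepted; a value of some other length that does not decode cleanly is not.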

Create a Redis Password

Azure issues large cookies when authenticating over OAuth2, so it is recommended to set up Redis to handle these large cookies. For now we will create a Redis password and set the Kubernetes secret. In the next post we will install and set up Redis. Run the following command in PowerShell:

 

# Choose a strong password for Redis and store it as a Kubernetes secret
$REDIS_PASSWORD="<YOUR_PASSWORD>"
kubectl create secret generic redis-password --from-literal=redis-password=$REDIS_PASSWORD -n ingress-basic

 

This ends the third post in our series. Look out for the fourth and final post.
