DevSquad Workload Identity Project

This is a collection of sample projects for cloud application developers using the Azure cloud platform. The samples are arranged by topic, covering microservice development and deployment on Azure Kubernetes Service (AKS), supported by secure DevOps practices.

Kubernetes workload identity and access, reference architecture: Deploy an AKS cluster with managed identities

Steps to deploy:

  • Deploy the AKS cluster: use the GitHub workflow "Deploy AKS".
  • Get the OIDC issuer URI: use the GitHub workflow "Get OIDC URI". The client ID of the user-assigned identity, used below as USER_ASSIGNED_CLIENT_ID, is read with:

```bash
# Client ID of the user-assigned managed identity
az identity show --resource-group "${RESOURCE_GROUP}" --name "${USER_ASSIGNED_IDENTITY_NAME}" --query 'clientId' -otsv
```

  • Deploy the identity: use the GitHub workflow "Deploy Identity".
  • Get access to the AKS cluster:

```bash
az aks get-credentials -n spAKSCluster -g "${RESOURCE_GROUP}"
```

  • Create the service account, annotated with the client ID of the managed identity:

```bash
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    azure.workload.identity/client-id: "${USER_ASSIGNED_CLIENT_ID}"
  name: "${SERVICE_ACCOUNT_NAME}"
  namespace: "${SERVICE_ACCOUNT_NAMESPACE}"
EOF
```

  • Validate service account creation (in the namespace it was created in):

```bash
kubectl get sa -n "${SERVICE_ACCOUNT_NAMESPACE}"
```

  • Create an Azure Storage Account and assign the identity the Contributor role on it:

```bash
az storage account create -n "${STORAGE_ACCOUNT_NAME}" -g "${RESOURCE_GROUP}" -l westus --sku Standard_LRS
```

  • Deploy a pod with managed identity support. The azure.workload.identity/use label opts the pod into token projection, and serviceAccountName binds it to the annotated service account:

```bash
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: pod-workload-identity
  namespace: "${SERVICE_ACCOUNT_NAMESPACE}"
  labels:
    azure.workload.identity/use: "true"
spec:
  serviceAccountName: "${SERVICE_ACCOUNT_NAME}"
  containers:
  - name: oaidentity
    image: oaviles/oaidentity:latest
    imagePullPolicy: Always
    env:
    - name: STORAGE_ACCOUNT_NAME
      value: "${STORAGE_ACCOUNT_NAME}"
    - name: STORAGE_ACCOUNT_CONTAINER_NAME
      value: "oafiles"
EOF
```

  • Validate pod execution:

```bash
kubectl logs pod-workload-identity -n "${SERVICE_ACCOUNT_NAMESPACE}"
```
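
Once the pod is running, the workload identity webhook has projected a service account token into it and set the AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_FEDERATED_TOKEN_FILE and AZURE_AUTHORITY_HOST variables; the Azure SDK inside the container then exchanges that token at Azure AD for an access token. The following is an added example, not this project's code: it decodes such a projected token, checks the claims Azure AD matches against the federated credential set up for the identity (issuer, subject, audience, expiry), and builds the exchange request the SDK sends. It assumes the Azure defaults for subject and audience; the issuer URL, names and token are constructed sample values.

```python
import base64
import json
from urllib.parse import urlencode

# Audience the AKS webhook requests for the projected token; assertion type used at exchange.
EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned JWT standing in for the projected token (sample data only)."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "sample"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.{_b64url(b'no-signature')}"

def decode_claims(jwt: str) -> dict:
    """Payload of a compact JWT, not signature-verified (Azure AD does that at exchange)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_projected_token(jwt, issuer, namespace, sa_name, now):
    """Claims Azure AD matches against the federated credential: issuer (the AKS OIDC
    URI), subject system:serviceaccount:<ns>:<sa>, audience; plus expiry at `now`."""
    c = decode_claims(jwt)
    aud = c.get("aud") if isinstance(c.get("aud"), list) else [c.get("aud")]
    expected_sub = f"system:serviceaccount:{namespace}:{sa_name}"
    problems = []
    if c.get("iss") != issuer:
        problems.append(f"iss {c.get('iss')!r} != {issuer!r}")
    if c.get("sub") != expected_sub:
        problems.append(f"sub {c.get('sub')!r} != {expected_sub!r}")
    if EXCHANGE_AUDIENCE not in aud:
        problems.append(f"aud {aud!r} lacks {EXCHANGE_AUDIENCE!r}")
    if c.get("exp", 0) <= now:
        problems.append("token expired")
    return problems

def build_token_request(client_id, tenant_id, assertion, scope,
                        authority="https://login.microsoftonline.com/"):
    """Client-credentials request the Azure SDK sends from the pod, presenting the projected
    token as a client assertion (values come from the webhook-injected AZURE_* env vars)."""
    url = f"{authority.rstrip('/')}/{tenant_id}/oauth2/v2.0/token"
    return url, urlencode({"grant_type": "client_credentials", "client_id": client_id,
                           "client_assertion_type": ASSERTION_TYPE,
                           "client_assertion": assertion, "scope": scope})
```

Inside a real pod, read the token from the path in AZURE_FEDERATED_TOKEN_FILE and compare the issuer against the value returned by the "Get OIDC URI" workflow; a non-empty problem list is the usual reason the storage call in the pod logs fails with an authorization error.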

More Resources

Check More DevSquad Projects

Note: This page is updated regularly, so check back for new resources.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.