#azure (2021-01)

azure

Archive: https://archive.sweetops.com/azure/

2021-01-06

Padarn avatar
Padarn
02:20:56 AM

Hi all: reading https://stackoverflow.com/questions/60338757/how-do-i-import-an-azure-ad-service-principal-password-into-terraform I’m a bit confused between APP and SP passwords: It seems to indicate that to authenticate with a SP you can use a password for the APP. Is this the case? If so, why do we need SP passwords at all?

How do I import an Azure AD Service Principal Password into Terraform?

We’re using Terraform to build our cloud infrastructure. Previously we had a few service principals created without Terraform that are being used right now on production and can’t be changed. Now w…

Pierre-Yves avatar
Pierre-Yves
01:13:35 PM

Hello @Padarn, I had the same question as you !

you should read the link below then everything will be clear !

https://kliushnikov.medium.com/azure-active-directory-application-or-service-principal-b5a5e14f2a23 and https://kliushnikov.medium.com/azure-active-directory-application-or-service-principal-b5a5e14f2a23

Azure Active Directory: Application or Service Principal?attachment image

What should you choose to grant access to Azure Key Vault: Service Principal or Application?

Padarn avatar
Padarn
11:36:07 AM

Saved my life

2021-01-11

Pierre-Yves avatar
Pierre-Yves
01:06:37 PM

Hi, I have setup a private AKS cluster by following this guide and setting it up with terraform https://docs.microsoft.com/en/azure/aks/private-clusters now I have deployed an helm charts for the nginx-ingress

release_name=nginx
version=3.19.0
chart_name=ingress-nginx/ingress-nginx

But when I do kubectl describe svc nginx-ingress-nginx-controller -n ingress-nginx the loadbalancer Ingress is a public ip addresses ! ok the node port is private but … cluster public ips directly on internet !!! what did I missed ? ..

$ kubectl describe svc nginx-ingress-nginx-controller -n ingress-nginx
Name:                     nginx-ingress-nginx-controller
Namespace:                ingress-nginx
Labels:                   app.kubernetes.io/component=controller
                          app.kubernetes.io/instance=nginx
                          app.kubernetes.io/managed-by=Helm
                          app.kubernetes.io/name=ingress-nginx
                          app.kubernetes.io/version=0.43.0
                          helm.sh/chart=ingress-nginx-3.19.0
Annotations:              meta.helm.sh/release-name: nginx
                          meta.helm.sh/release-namespace: ingress-nginx
Selector:                 app.kubernetes.io/component=controller,app.kubernetes.io/instance=nginx,app.kubernetes.io/name=ingress-nginx
Type:                     LoadBalancer
IP:                       10.0.xx.xx
LoadBalancer Ingress:     20.74.yy.zz
Port:                     http  80/TCP
TargetPort:               http/TCP
NodePort:                 http  32006/TCP
Endpoints:                10.244.7.107:80
Port:                     https  443/TCP
TargetPort:               https/TCP
NodePort:                 https  32448/TCP
Endpoints:                10.yy.z.zz:443
Session Affinity:         None
External Traffic Policy:  Cluster
Events:                   <none>
Create a private Azure Kubernetes Service cluster - Azure Kubernetes Service

Learn how to create a private Azure Kubernetes Service (AKS) cluster

Pierre-Yves avatar
Pierre-Yves
01:09:45 PM

I just found the following related docs https://docs.microsoft.com/fr-fr/azure/aks/ingress-internal-ip

Contrôleur d’entrée sur le réseau interne - Azure Kubernetes Service

Découvrez comment installer et configurer un contrôleur d’entrée NGINX pour un réseau privé interne dans un cluster Azure Kubernetes Service (AKS).

Padarn avatar
Padarn
11:37:43 AM

Can’t read that doc but we had the same problem. By default even private cluster can create public load balancer

Padarn avatar
Padarn
11:38:22 AM

We used an azure policy to disallow this. If you didn’t solve yet I can send it to you later

Pierre-Yves avatar
Pierre-Yves
12:31:36 PM

I fixed it by attributing a private ip address and it works flawlessly. But yes if you can share the azure policy then I’ll disallow the aks to create public ip !

Padarn avatar
Padarn
12:35:41 PM

Cool can do. Will share in a few hours

Padarn avatar
Padarn
01:49:59 PM

dm you

1

2021-01-12

2021-01-13

2021-01-18

Pierre-Yves avatar
Pierre-Yves
09:46:32 AM

what’s the best way to import terraform module from azure devops ? In the example below the guy uses his personnal ssh key , is there a way to use an Azure service principal ? and he warns about it “Note that unlike PAT tokens, you cannot scope SSH keys. Using the SSH key will give you the same rights as the user who’s account this key belongs to, so use them carefully.” https://samcogan.com/using-terraform-modules-from-git-in-azure-devops/

Using Terraform Modules from Git in Azure DevOps

Did you know you can reference custom Terraform modules direct from Git? Here’s how to do it, and how to make this work with an Azure DevOps pipeline

    keyboard_arrow_up