ACR Integration with AKS for Simpler Authentication
This article provides a practical technical introduction to CI/CD, GitHub, Azure, and Kubernetes.
I'm in the midst of fine-tuning my Location Insights/Geofencing API Service. This service is all about offering businesses smart, location-based solutions to boost their efficiency and connect more effectively with customers. With tools for live geofencing, tracking, and spatial analysis, our platform is designed to help companies make informed choices. Kicking things off with a .NET 8 Core app deployed on Azure App Service, I'm now on the path to getting everything production-ready. Part of this process involves weaving in a User Management microservice to streamline how user accounts are handled - making it easier than ever for businesses to sign up, manage accounts, and assign subscriptions without a hitch.
With my history as a Software Architect tackling big projects, I've spent a good chunk of time in the world of DevOps. But even with all that experience, I keep running into fresh challenges and lessons. I recently decided to break my API service down into smaller, easier-to-manage pieces, a move that's right in line with the Domain-Driven Design (DDD) way of thinking. This led me to shift over to Kubernetes on Azure (AKS) to get more room to grow and more ways to adapt.
Getting Azure set up exactly how I wanted was easy, thanks to some clever automated tricks. However, when it came time to launch the first service, I ran into an old enemy - the imagePullSecret issue. It's a problem I've struggled with from time to time in past Kubernetes deployments, and it's always a key test of whether everything is set up correctly.
I remember I used the imagePullSecret argument in the deplyoment manifest very often, because in most cases the ACR and AKS were in different accounts, as follows.
apiVersion: apps/v1
kind: Deployment
metadata:
name: useraccountservice-deployment
namespace: ${NAMESPACE}
labels:
app: useraccountservice
spec:
replicas: 1
selector:
matchLabels:
app: useraccountservice
template:
metadata:
labels:
app: useraccountservice
spec:
containers:
- name: useraccountservice
image: ${ACR_NAME}/useraccountservice:latest
ports:
- containerPort: 80
resources:
requests:
memory: "128Mi"
cpu: "250m"
limits:
memory: "256Mi"
cpu: "500m"
env:
- name: ASPNETCORE_ENVIRONMENT
value: "Production"
imagePullSecrets:
- name: acr-secret
Using the imagePullSecret method for Kubernetes deployments requires manual setup and management of secrets, which can add complexity and introduce security vulnerabilities if not handled properly. Additionally, updating secrets, such as for rotating Docker registry credentials, requires additional steps that can potentially disrupt services if not performed correctly. This approach, while functional, presents challenges from both a security and operational efficiency perspective.
To switch to a more efficient method, when using Azure Container Registry (ACR) and Kubernetes (K8s) within the same account, I eliminate manual secrets management. By using the --attach-acr command during or after AKS cluster creation, ACR is directly integrated, eliminating the need for imagePullSecrets.
$ az aks update -n MyAKSCluster -g MyResourceGroup --attach-acr <acrName>
This seamless connection simplifies deployments, increases security by automating authentication between AKS and ACR, and streamlines the process, allowing me to focus on improving service with the assurance of simplicity and increased security in deployments.
In summary, the integration between Azure Container Registry (ACR) and Azure Kubernetes Service (AKS) simplifies the deployment of container images and reduces the operational and security complexities associated with manual secret management. This enhancement not only strengthens security, but also streamlines the deployment process, allowing developers to focus more on refining their services.
If you need help with CI/CD pipelines with GitHub and Azure and are looking for guidance or support, feel free to reach out. My experience and insights may provide the help you need to navigate these processes more efficiently.
You can reach me on LinkedIn: https://www.linkedin.com/in/ricofritzsche/