Using GRPC with ingress-nginx add-on with AKS

In previous articles in this series, I covered how to publish endpoints for applications that are deployed on Kubernetes, ultimately detailing how to use Ingress resources with automation support for TLS certificates and updating DNS records. This article picks that up, but shows how to support gRPC, a popular protocol for efficient web APIs.

Web interfaces have traditionally been RESTful APIs, which are ultimately CRUD (Create, Read, Update, Delete) interfaces over the HTTP/1.1 protocol. Using such web interfaces requires converting data structures to and from JSON, a process called serialization and deserialization. …


Securing Secrets using Vault and AppRole Auth

Security is an essential and core part of operations, and thus keeping secrets secured is vital. Unfortunately, for many an organization, this is often not a priority.

The lack of zeal toward managing secrets is likely related to the complexity involved. Managing configuration artifacts has well-established patterns: configuration management tools (Puppet, Chef, Ansible, Salt Stack), service discovery with KV stores (etcd, Consul, Zookeeper), or simpler means like environment variables and config files.

When the configuration artifacts are secrets, called secret artifacts, you have to not only encrypt the secrets, but also control who or what…


Securing internal traffic with Linkerd on AKS

The two most often neglected domains of cloud operations are security and o11y (observability). This should come as no surprise, because adding security, such as encryption-in-transit with mutual TLS (where both client and server verify each other), and adding traffic monitoring and tracing on short-lived, transitory pods is by its very nature complex.

What if you could add automation for both security and o11y in less than 15 minutes of effort?

The solution to all of this complexity involves deploying a service mesh, and as unbelievable as it seems, the above statement can really happen with Linkerd.

This article…


Using Calico Network Policy with Azure Kubernetes Server

Network policies in Kubernetes are essentially firewalls for pods. By default, pods are accessible from anywhere with no protections. If you would like to use network policies, you’ll need to install a network plugin that supports this feature. This article will demonstrate how to use this feature with the Calico network plugin on AKS.

Default Kubenet network plugin

The default network plugin for AKS as well as many other Kubernetes implementations is kubenet:

a very basic, simple network plugin, on Linux only. It does not, of itself, implement more advanced features like cross-node networking or network policy (ref)

Though the kubenet network plugin is limited…


Using Azure container registry with Azure Kubernetes Server

A private container registry is useful for building, well, private images, but it is also invaluable for republishing images that may not otherwise be available due to outages or low availability, such as images on the Quay registry in the last few years, or on less reliable registries like GHCR (GitHub Container Registry).

In this article, we will cover using Azure Container Registry with Azure Kubernetes Service. Individually these components are not too complex, but combined, the process of deploying applications can get logistically complex.

What this article will cover

This article will cover building a Python client that will connect to the Dgraph distributed graph…


Using cert-manager add-on with AKS

This article details how to secure web traffic using TLS with a certificate from a trusted CA and a public domain. This will use Let’s Encrypt through cert-manager, a popular Kubernetes add-on.

In this article we’ll use the following components:

Overview of cert-manager

One common scenario for securing web applications or services is to encrypt traffic with TLS certificates, where the encryption is terminated at the load balancer. Before the arrival of Kubernetes, nginx was a popular solution for this process.

On the…


Using ingress-nginx add-on with Azure LB and AKS

This article covers adding an ingress controller called ingress-nginx to AKS (Azure Kubernetes Service). An ingress is a reverse proxy that routes web traffic to the appropriate targeted services through a single load balancer.

Using example applications (Dgraph and hello-kubernetes), this article covers configuring an ingress to route traffic by an FQDN host name, which is configured automatically in Azure DNS using external-dns.

This article will configure the following components:

Articles in the Series

These articles are part of a series, and below is a list…


Using external-dns add-on with Azure DNS and AKS

Update (2021-06-28): removed envsubst & terraform for simplicity

This article covers using ExternalDNS to automate updating DNS records when applications are deployed on Kubernetes. This is needed if you wish to use a public endpoint and would prefer a friendlier DNS name rather than a public IP address.

This article will configure the following components:

Blog Source Code

The blog source code for this article has instructions for using other tools like Terraform (terraform) for cloud resources and gettext (envsubst) for using the shell as…


Managing DNS Records with Azure DNS

After creating a system with a public IP, you can add a friendly DNS name to reference it, such as appvm.example.com.

Terraform can automatically create or update DNS records for many services: Azure DNS, AWS Route53, Google Cloud DNS, GoDaddy, CloudFlare, etc.

Once you have purchased a domain name, such as through a service like GoDaddy, you have a few options for automating DNS:

  1. update records for your domain (e.g. example.com) directly with GoDaddy DNS servers
  2. create a subdomain, e.g. dev.example.com, and have Azure DNS manage records for that subdomain.
  3. update records for your domain, e.g. example.com, …

Getting Started on Azure VM and Infrastructure

When getting started on a new technology, one method is to take what you know and just do the same sort of things on the new platform.

For this guide, I will essentially do this: ❶ create network infrastructure and ❷ put a Linux VM on that network infrastructure.

We’ll also create some storage that can be used for boot diagnostics, should the system fail in a way that is not captured by the logs.

This article will teach two conceptual domains:

  • Azure cloud resources: Linux VM + network infrastructure
  • Terraform modularization using modules

Tool Requirements

Joaquín Menchaca (智裕)

Linux NinjaPants Automation Engineering Mutant — exploring DevOps, Kubernetes, CNI, IAC
