Implemented automatic fetching secrets from Azure KeyVault

deployment/deploy.yaml

@@ -0,0 +1,159 @@
+---
+# Namespace (opcjonalnie)
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: todolist
+---
+# MySQL Deployment
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mysql
+  namespace: todolist
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: mysql
+  template:
+    metadata:
+      labels:
+        app: mysql
+    spec:
+      containers:
+        - name: mysql
+          image: mysql:lts
+          env:
+            - name: MYSQL_USER
+              value: guflwhvcmw
+            - name: MYSQL_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: mysql-password
+                  key: MYSQL_PASSWORD
+            - name: MYSQL_ROOT_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: mysql-root-password
+                  key: MYSQL_ROOT_PASSWORD
+            - name: MYSQL_DATABASE
+              value: todolist
+          ports:
+            - containerPort: 3306
+          volumeMounts:
+            - name: mysql-pv
+              mountPath: /var/lib/mysql
+            - name: secrets-store
+              mountPath: "/mnt/secrets"
+              readOnly: true
+      volumes:
+        - name: mysql-pv
+          emptyDir: {}
+        - name: secrets-store
+          csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: "dev-aks"
+---
+# MySQL Service
+apiVersion: v1
+kind: Service
+metadata:
+  name: db
+  namespace: todolist
+spec:
+  ports:
+    - port: 3306
+  selector:
+    app: mysql
+---
+# API Deployment
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: todolist-api
+  namespace: todolist
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: todolist-api
+  template:
+    metadata:
+      labels:
+        app: todolist-api
+    spec:
+      containers:
+        - name: api
+          image: marcin00.azurecr.io/todolist-api:1.1
+          ports:
+            - containerPort: 80
+          env:
+            - name: SQLALCHEMY_DATABASE_URI
+              valueFrom:
+                secretKeyRef:
+                  name: sqlalchemy-database-uri
+                  key: SQLALCHEMY_DATABASE_URI
+          volumeMounts:
+            - name: secrets-store
+              mountPath: "/mnt/secrets"
+              readOnly: true
+      volumes:
+        - name: secrets-store
+          csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: "dev-aks"
+---
+# API Service
+apiVersion: v1
+kind: Service
+metadata:
+  name: api
+  namespace: todolist
+spec:
+  selector:
+    app: todolist-api
+  ports:
+    - port: 80
+      targetPort: 80
+---
+# Frontend Deployment
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: todolist-frontend
+  namespace: todolist
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: todolist-frontend
+  template:
+    metadata:
+      labels:
+        app: todolist-frontend
+    spec:
+      containers:
+        - name: frontend
+          image: marcin00.azurecr.io/todolist-frontend:1.1
+          ports:
+            - containerPort: 80
+---
+# Frontend Service
+apiVersion: v1
+kind: Service
+metadata:
+  name: todolist-frontend
+  namespace: todolist
+spec:
+  selector:
+    app: todolist-frontend
+  ports:
+    - port: 80
+      targetPort: 80
+      protocol: TCP
+

deployment/ingress.yaml

@@ -0,0 +1,20 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: todolist-ingress
+  namespace: todolist
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: todolist.marcin00.pl
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: todolist-frontend
+            port:
+              number: 80

deployment/rbac-role.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: deployer-binding
+subjects:
+- kind: User
+  name: daabce80-f745-413f-8377-00472517521c
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io

deployment/secret-store.yaml

@@ -0,0 +1,41 @@
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: dev-aks
+  namespace: todolist
+spec:
+  provider: azure
+  secretObjects:
+    - secretName: todolist-sqlalchemy-database-uri
+      type: Opaque
+      data:
+        - objectName: todolist-sqlalchemy-database-uri
+          key: SQLALCHEMY_DATABASE_URI
+    - secretName: todolist-mysql-password
+      type: Opaque
+      data:
+        - objectName: todolist-mysql-password
+          key: MYSQL_PASSWORD
+    - secretName: todolist-mysql-root-password
+      type: Opaque
+      data:
+        - objectName: todolist-mysql-root-password
+          key: MYSQL_ROOT_PASSWORD
+  parameters:
+    usePodIdentity: "false"
+    useVMManagedIdentity: "true"
+    userAssignedIdentityID: "0c2780e4-8594-4aab-8f1a-8a19f71924bd" # client_id of the user-assigned managed identity
+    clientID: "0c2780e4-8594-4aab-8f1a-8a19f71924bd"               # client_id of the user-assigned managed identity
+    keyvaultName: "dev-aks"
+    objects:  |
+      array:
+        - |
+          objectName: todolist-sqlalchemy-database-uri
+          objectType: secret
+        - |
+          objectName: todolist-mysql-password
+          objectType: secret
+        - |
+          objectName: todolist-mysql-root-password
+          objectType: secret
+    tenantID: "f4e3e6f7-d21c-460e-b201-2192174e7f41"