azure-k8s-config

1.0.0 • Public • Published

App Configuration + Key Vault Kubernetes Secrets

Node.js based tool for generating Kubernetes Secret Configurations from Azure App Configuration and Azure Key Vault data.

Compatible with environments that use environment variables (eg. Node.js).

Note: This package creates Opaque Kubernetes Secrets. The values in the generated files are only base64 encoded, not encrypted, so the output must be handled as sensitive data.

Features

  • Version control your configurations without committing sensitive data.
  • Kubernetes vendor agnostic.
  • Mix App Configuration keys with local variables.
  • Written in TypeScript, typings included.

How it works

Instead of entering the data values directly in your Secrets, you enter the key of the App Configuration key-value pair you want. The tool then fetches the value associated with each key, base64 encodes it and returns the ready-to-use Secret configuration.

Example

An example secret configuration.

apiVersion: v1
kind: Secret
metadata:
  name: backend-secrets
  namespace: production
type: Opaque
data:
  JWT_SECRET: backend-service/production/jwt-secret
  BASE_URL: backend-service/production/base-url

returns:

apiVersion: v1
kind: Secret
metadata:
  name: backend-secrets
  namespace: production
type: Opaque
data:
  JWT_SECRET: c2llbmkgZWkgb2xlIGthc3Zp
  BASE_URL: aHR0cHM6Ly9leGFtcGxlLmFwcA==

Usage

There are two ways to use this library: from the command line or programmatically in a Node script.

Using the Command Line (npx)

npx azure-k8s-config input/ output/

Using in a Node script

npm install azure-k8s-config
const generateSecrets = require("azure-k8s-config");

generateSecrets({
  input: "<input-dir>",
}).then((configs) => { /* ... */ });

API

azure-k8s-config <INPUT-DIRECTORY> <OUTPUT-DIRECTORY> [FLAGS]

Flags

  • --force (alias -f, default: false) – allow usage of locally defined variables that are not defined in App Configuration.
  • --recursive (alias -r, default: false) – recursively search subdirectories for Kubernetes configurations.

Setting up Azure

This workflow requires you to set up a few Azure resources to get everything working correctly. The package only requires App Configuration and can be used without the Azure Key Vault service.

Create Service Principal

Create App Configuration Resource:

az appconfig create --name <app-configuration-resource-name> \
	--resource-group <resource-group-name> \
	--location eastus

Create Key Vault Resource: (optional)

az keyvault create --name <key-vault-resource-name> \
	--resource-group <resource-group-name> \
	--location eastus

Create Service Principal:

az ad sp create-for-rbac -n example-app --skip-assignment

which outputs:

{
  "appId": "xxxx-xxxx-xxxx",
  "displayName": "example-app",
  "name": "http://example-app",
  "password": "xxxx-xxxx-xxxx",
  "tenant": "xxxx-xxxx-xxxx"
}

Next, create a .env file in the project root directory.

Your .env file should look like this:

AZURE_APP_CONFIG_NAME="<app-configuration-resource-name>"
AZURE_TENANT_ID="<tenant>"
AZURE_CLIENT_ID="<appId>"
AZURE_CLIENT_SECRET="<password>"
AZURE_KEYVAULT_NAME="<key-vault-resource-name>" # optional

Note

Make sure to save your service principal password, as you cannot retrieve it again after this step. If you've lost the password, generate a new one with the following command:

az ad sp credential reset --name <service principal's appId>

If you're using Key Vault, you also need to grant the service principal permission to read secrets from the vault:

az keyvault set-policy --name <key-vault-resource-name> \
	--spn <appId> \
	--secret-permissions get

Add the App Configuration Data Reader role to the service principal:

az role assignment create --role "App Configuration Data Reader" \
	--assignee <appId> \
	--resource-group <resource-group-name>

Setting up Azure Event Grid (optional)

This step is optional, but recommended if you want to keep your Kubernetes Secret configurations in sync with Azure App Configuration.

Azure Event Grid can listen for App Configuration changes and trigger events based on them, e.g. a webhook that triggers your Continuous Deployment (CD) tool.

Register Azure Event Grid if you haven't already:

az provider register -n Microsoft.EventGrid

The registration might take a while; you can check its status with the following command:

az provider show -n Microsoft.EventGrid --query "registrationState"

After the registration is finished you'll be able to create subscriptions to your Event Grid. The following example subscribes to the App Configuration resource and calls the given webhook endpoint every time a key is added, updated or removed. Note that --source-resource-id takes the full Azure resource ID of the App Configuration store, not its name; you can look it up with az appconfig show --name <app-configuration-resource-name> --query id -o tsv.

az eventgrid event-subscription create \
  --source-resource-id <app-configuration-resource-id> \
  --name <event-subscription-name> \
  --endpoint <webhook-endpoint>

Development

Add dev setup instructions

License

MIT 2021 - Jim Saari

Collaborators

  • jsaari