Before getting started, you'll need these:
- This repo
- An Azure Free Trial Subscription
- An Azure DevOps organisation
- A Personal Access Token
- An Agent Pool
- A Service Connection
- Some Permissions
Clone or fork a copy of this repo to your SCM of choice -- GitHub, Bitbucket, Azure Git Repos etc.
To get a free 12-month trial of Azure, follow the instructions here.
If you don't already have one, create a free Azure DevOps organisation, as per these instructions. You'll also need to create a Project.
Once you've created your Azure DevOps organisation, you'll need a Personal Access Token (PAT) with the authorized scope Agent Pools (read, manage). To do this you'll need to:
- Create the PAT with the required scopes. Set the name and expiration as you see fit. Make sure to copy the token on the next screen, as it is only shown once.
- Name the Variable Group and Variable exactly as shown. Paste the value for the PAT in 'Value', and click the lock icon so that the Variable is stored as a Secret Variable.
❗Note: If you want to rename the Variable Group, you'll have to update some values in this pipeline first.
Create the 'k8s' agent pool.
To enable Azure DevOps to deploy into our Azure Subscription, we need to connect those services using a Service Connection. To do this:
- Navigate to the 'Project Settings' page and click on 'New Service Connection'. Select type 'Azure Resource Manager'.
- On the next screen, select the 'Service Principal' authentication method.
- Enter the connection details as required (leave Resource Group blank) and save.
❗Note: By default all Pipelines default the Service Connection name to 'azure'. This can be overridden when a Pipeline is run. If you name the Service Connection something other than 'azure', be sure to do this in the next section!
Next we need to give the newly-created Service Principal permission to deploy Resources. To do this:
- In the Azure Portal, navigate to the Azure Active Directory (AAD) Blade.
- Select 'App Registrations' and find the newly-created App Registration. The name should follow the pattern: <Azure DevOps Organisation Name><Azure DevOps Project Name><Azure Subscription ID>. Take a note of the name and ID for later.
- Add the API permission 'Azure Active Directory Graph/Application.ReadWrite.OwnedBy', and click the 'Grant Admin consent' button on the next screen to approve the permissions assignment. You should see the message 'Successfully granted admin consent for the requested permissions'.
- Next, go to your Subscription, and give the App Registration the Owner IAM Role for your Subscription.
❗Note: The 'Owner' Role is required to provision another Service Principal, required by Azure Kubernetes Service, and to bind permissions to it so that it can pull images from the Azure Container Registry. Obviously this doesn't follow least privilege.
Before taking this solution anywhere near an Enterprise Subscription, it would be recommended to create a Custom Role, and to provide the Azure DevOps App Registration Just-in-Time access for the initial deployment of the Kubernetes Service.
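As an added example of the Custom Role approach suggested above (this script is not part of this repo and is not the pipeline's own code), the following shell script emits a narrower role definition for the Azure DevOps App Registration, refuses to apply anything that is effectively Owner, and then applies it with the Azure CLI. The action list is an assumption: it covers AKS, ACR, networking, resource groups and role-assignment writes, which is what the Owner note above says the pipeline needs, but it must be tuned against what the pipeline actually deploys. `SUBSCRIPTION_ID` and `APP_ID` are placeholders; the role name is made up for this example.

```shell
#!/usr/bin/env bash
# Added example, not this repo's code. Replaces the subscription-wide 'Owner'
# assignment with a custom role. ASSUMPTION: the action list below is a starting
# point for an AKS + ACR deployment and must be tuned to the pipeline's real needs.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
APP_ID="${APP_ID:-<application-id-from-app-registration-blade>}"          # placeholder
ROLE_NAME="AKS Pipeline Deployer (custom)"                                # example name

# Emit the custom role definition as JSON. It keeps the one reason the README asks
# for Owner (writing role assignments, so AKS can be granted AcrPull on the ACR)
# but drops Owner's blanket "*" action.
role_definition() {
  cat <<EOF
{
  "Name": "${ROLE_NAME}",
  "IsCustom": true,
  "Description": "Deploys AKS and ACR and binds AcrPull for the cluster identity; no blanket Owner rights.",
  "Actions": [
    "Microsoft.Resources/deployments/*",
    "Microsoft.Resources/subscriptions/resourceGroups/*",
    "Microsoft.ContainerService/managedClusters/*",
    "Microsoft.ContainerRegistry/registries/*",
    "Microsoft.Network/*",
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete"
  ],
  "NotActions": [],
  "AssignableScopes": ["/subscriptions/${SUBSCRIPTION_ID}"]
}
EOF
}

# Guardrail: reject a definition that is Owner in disguise, i.e. one whose Actions
# contain a bare "*" or a wildcard over the whole Microsoft.Authorization provider
# (which would allow creating arbitrary role definitions and assignments).
# Returns 0 when the definition passes, 1 when it is Owner-equivalent.
check_not_owner_equivalent() {
  def="$1"
  if printf '%s\n' "$def" | grep -Eq '"\*"'; then
    return 1
  fi
  if printf '%s\n' "$def" | grep -Eq '"Microsoft\.Authorization/\*"'; then
    return 1
  fi
  return 0
}

# Apply with the Azure CLI. Real 'az' commands; only run when invoked with --apply,
# so the script can be sourced and its checks exercised offline.
apply_role() {
  tmp="$(mktemp)"
  role_definition > "$tmp"
  az role definition create --role-definition "@${tmp}"
  az role assignment create --assignee "$APP_ID" \
    --role "$ROLE_NAME" \
    --scope "/subscriptions/${SUBSCRIPTION_ID}"
  rm -f "$tmp"
}

if [ "${1:-}" = "--apply" ]; then
  if ! check_not_owner_equivalent "$(role_definition)"; then
    echo "refusing to apply: role definition is Owner-equivalent" >&2
    exit 1
  fi
  apply_role
fi
```

Run it with `--apply` after logging in with `az login` and exporting `SUBSCRIPTION_ID` and `APP_ID`. Note that a principal holding `Microsoft.Authorization/roleAssignments/write` at subscription scope can still assign itself further roles, so this narrows the blast radius but is not a substitute for the Just-in-Time access mentioned above; scope the assignment to the resource group the pipeline deploys into once that group exists, and remove the assignment after the initial deployment.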