Western Devs2026-03-22T17:42:31.816Zhttps://westerndevs.com/Western Devshttps://westerndevs.cominfo@westerndevs.comHexoKubernetes - My Journeyhttps://westerndevs.com/kubernetes/kubernetes-my-journey/2020-05-22T17:00:00.000Z2026-03-22T17:42:31.816ZDave Whitedmhwhite@gmail.comhttps://westerndevs.comThe Journey
This is a series of articles chronicling my learning journey as I was asked to build an IdentityServer4-based authentication system for one of my clients. This story included details about my adoption of Kubernetes, Azure Kubernetes Service, and all the things that I had to do to stand-up this client's new IdentityServer4 authentication implementation.
As with most learning experiences, I've made mistakes, arrived at working applications, adjusted my implementations, and continued to grow. My hope is that this series will continue to grow and evolve and be a bit of a living series of documents. I'll actively change articles when I discover something new or a better way to describe things. I'll add new articles or maybe alternate paths through the series as new topics present themselves. And I'm certainly not an authority on all of these topics, so as I get feedback from friends and peers, I'll certainly be making adjustments.
I have two primary goals with this series. Documenting the learning journey is the first one, but the second and almost as important goal was to provide someone (you) with a complete set of steps to get a Kubernetes cluster up and running with an IdentityServer4 implementation running inside of it. Once someone has this platform up and running, they can continue to learn and grow in the same manner that I will but hopefully they're path getting to this point was a little smoother than mine was.
As always, comments and feedback are encouraged and very welcome.
I've decided to break this series into discrete posts to make this easier to write and consume. I'll have specific topics for a post that are aligned with the overall vision, and you'll be able to read the parts that are important to you.
This series is going to strive to demonstrate work that is completely done. Every bit of code in each post should work and be complete. I'll point out bits of knowledge and wisdom I've learned along the way, but the intention is to give you a working system that you can then alter/re-create and learn from that experience.
All the code, projects, manifests, etc. are (or will be) in Github here.
]]>
<h1>The Journey</h1>
<p>This is a series of articles chronicling my learning journey as I was asked to build an IdentityServer4-based authen
Kubernetes - My Journey - Part 1https://westerndevs.com/kubernetes/kubernetes-my-journey-part-1/2020-05-22T16:00:00.000Z2026-03-22T17:42:31.814ZDave Whitedmhwhite@gmail.comhttps://westerndevs.comSeries Table of Contents
The Business Problem
My client has been in business since 1993. As you can imagine, software has been an integral part of their ability to deliver services to their customers. About 10 years ago, they had a re-platforming initiative that was the start of their current monolithic, critical LOB system. It is an ASP.NET MVC 5.x application that has evolved over time and is certainly reaching the limits of what its architecture can provide. It isn't "cloud-native" and it basically continues to be enhanced/evolved based on assumptions that were made 10 years ago.
For this project, the important part to understand is that it used forms authentication and has a user store internally that manages all of the user accounts and authorization rules. It currently only uses cookies to store authenticated user details on the client and doesn't support any modern sort of token-based activities that are needed for modern applications.
It is also important to understand that the platform is growing as users and customers demand more modern and specific user experiences. New web applications (React), mobile devices (native), IoT devices, and system-to-system integrations are all being added to the platform and all these new applications need to participate in the authentication scheme. In some cases, new applications have been created but because the current LOB system doesn't support modern authentication techniques, they cloned the existing user store and used the data to implement the appropriate authentication techniques for their specific use case. This has led to a bunch of applications re-implementing their own authentication, with everyone sharing the user store (or a copy of it) of the core LOB system.
So, the current system has demonstrated a few key problems that the new system needs to address.
Security is hard and incredibly important
One of the plagues of modern business is bad actors attacking various systems trying to gain access and cause lots of troubles. This is an ever-present problem for most corporations. Security needs to be a first-class citizen in all projects. Using modern authentication platforms that are proven and community-reviewed is seen as a requirement.
Speaking of security, in this series, you will find a lot of usernames, passwords, and internal details about the systems that is being built. I would ask that you please take a great deal of care when building your systems! I'm not worried about presenting these details as I'm tearing all of this down all the time and it won't be left running on my Azure accounts. I will change passwords, usernames, and all kinds of other details to make it harder for anyone to break into a running system. I strongly encourage you to do the same.
Decentralized identity management sucks
The platform is currently a monolithic LOB system that provides all functional aspects for the various business groups. The platform is also growing a collection of loosely related applications that basically represent specific implementations that are tailored for each individual area of the business. All the systems are re-implementing authentication while using, in most cases, a copy of the LOB user store. This basically means that we have multiple user stores that all must be managed independently. There are SSIS workflows trying to keep the right data in sync while not clobbering specific customizations to the user store data.
This is all complicated, complex, and error prone. We generally don't have a lot of troubles with authentication, but it is expensive and time-consuming to setup and maintain and as new applications are added, it adds more things to manage and has more things that can go wrong.
New applications require modern Identity technologies
In 2020, business that used to be well-served by a monolithic web application, are finding that this is no longer the case. Native applications, new web applications based on new technologies (SPA), IoT devices and System-to-System integrations all require more modern authentication technologies and these applications are being added to platform ecosystems at an increasing pace.
Reduce the costs of running applications
One of the overall initiatives for this client is to become more cloud-native and reduce the running costs of applications. There is already an initiative to move all the platform servers to Azure, but we didn't want any new applications continuing the pattern of "lift and shift" used for the existing apps. There is a strong desire to leverage containers (docker) and orchestrators (Kubernetes) at an increasing rate for all the applications in order to reduce overall run costs.
Being able to scale up is important
As with all businesses, we expect growth. My client is heavily reliant on devices for their current business needs and will be adding customers, native apps, and IoT devices at an ever-increasing rate. This means that having the ability to scale vertically or horizontally needs to be present from the start. Growth was anticipated (pre-COVID19) to be > 30% year over year for the next 3-5 years so there were going to be lots of people and devices needing to use the system in the future.
Summary (TL;DR;)
Security is hard! De-centralized (read: many) authentication systems are expensive. Old Application are ... well... old! Modern applications need support! Moving to the cloud is happening! And businesses grow!!
I hope that this gives some context that helps you understand some of the decisions that I'll be sharing in the next section!
]]>
<p><a href="/kubernetes/kubernetes-my-journey">Series Table of Contents</a></p>
<h1>The Business Problem</h1>
<p>My client has been in busin
Kubernetes - My Journey - Part 2https://westerndevs.com/kubernetes/kubernetes-my-journey-part-2/2020-05-22T15:00:00.000Z2026-03-22T17:42:31.815ZDave Whitedmhwhite@gmail.comhttps://westerndevs.comSeries Table of Contents
There are some assumptions that were made before my involvement with this company that made some of this decision making easy. Those assumptions were driven by the business problems we discussed previously.
Some of these decisions were made by me throughout this project. It was important for me to understand the organization's business, goals, and culture when making these decisions so they weren't as easy to make. The good thing is that I've got a great group of leaders and developers in this organization that helped me and trusted me to make better decisions on their behalf.
Pre-defined Assumptions
So, there are a bunch of things that we're decided before me arriving on the scene! These decisions governed my initial decision making to just get the project started.
We're going to the cloud
I'm not sure this needs a lot of elaboration. Everyone is going to the cloud. Owning and operating data centres is hard. Companies like Microsoft, Amazon, and Google have commoditized hardware setup, management, and maintenance so much so that it almost doesn't makes sense to own your own data centre. So, anything I did should strive to be cloud-native.
Azure
Azure was chosen as the vendor for all our cloud services prior to my involvement. This certainly plays to my strength as a Microsoft-based technologist and an avid Azure user for all my own projects.
ASP.NET Core (C#)
This company is a Microsoft shop. All the developers are C# developers who are familiar with Microsoft technologies, so it only makes sense that we are going to leverage the existing people and skills that are present in the organization. Using .NET Core and ASP.NET Core 3+ in all projects going forward was made a requirement (and is probably simple common sense) by the assumption of moving to the cloud.
I couldn't build something that only I could maintain or would require the company to go and try to find new developers or acquire new skills in their current developers. There is going to be a lot of learning being done by everyone here, but we don't need to add to the pile of new stuff to learn.
HTTPS
One of the things that seems obvious, but turns out isn't always obvious, is the fact that in today's world, we should be using HTTPS everywhere. It has become easier and easier to do this, and part of this project's mandate was to ensure that we accelerated the adoption of HTTPS throughout the deployed platform and make it easier to own and maintain. Simply doing an Identity implementation will drive this.
Decisions I made
During the planning of this project, I had the flexibility to make a lot of decisions. I didn't make them in isolation, but I did get to make the final decisions.
Containers and Orchestration
Going to the cloud can be as simple as lift-and-shift. Pick up your server, virtualize it if necessary, and place it in the cloud. In some cases, we can make this even simpler by provisioning a VM with all the pre-installed parts we need and simply deploying our application into that new VM. This is certainly "going to the cloud" but it isn't considered cloud-native.
Docker
I'm not an expert on what cloud-native entirely means, but I've discerned that one thing you need to do is containers. So today, that means Docker. Being a Microsoft shop, going to Azure, using Visual Studio and the az cli as tools, Docker was a no-brainer for a container engine with all the great tool support in Visual Studio, Azure DevOps Server, and the other tools, so I just rolled with it.
Kubernetes
When using Azure and running containers in the cloud, you have several options. Two easy ones are Azure Container Instances (server-less container hosting) and Azure Kubernetes Services (aka AKS). Since our environment was going to be far more complicated than running a bunch of single containers in the cloud, we needed an orchestration platform. There are two options for that today: Kubernetes and DockerCompose and we chose Kubernetes. The community support for Kubernetes is incredible, the momentum it has in the marketplace can't be denied, and it is natively supported by Azure via the AKS product, so it was another easy decision.
Cloud-Hosted
I sort of covered this one off, but there is an option to stand up your own Kubernetes cluster manually in Azure simply using Virtual Machines. AKS effectively took this option off the table. In my experience so far, AKS is a polished product, easy to use, and the control plane components are included for free. You simply pay for all the other Azure products that will make up your cluster. These include VMs, Storage, Networking, and any other products you leverage in your implementation.
Azure Kubernetes Service (AKS)
AKS also makes some of our ability to scale requirements much easier to address. You can scale vertically by dynamically increasing the size of the VMs in the cluster and we can scale horizontally by dynamically adding (or removing) nodes from the cluster.
Identity Implementation
While this project has many objectives, they key objective for all this work was to deliver a new Identity management implementation to the platform that would enable a secure, modern way for all users, applications, and devices to authenticate with each other.
One of the underlying cultural desires at this client that I should state is a strong desire to minimize subscriptions and dependencies on 3rd party vendors. This desire precluded us from selecting any of the current Identity providers that exist on the marketplace today. AuthO and Okta are two such companies and while I'm sure they have great products, wedecided to build our own Identity system.
IdentityServer4
Now, we didn't want to build all the identity system from scratch! That doesn't make sense. We'd have to become experts in OAuth, OpenID Connect, flows, encryption, tokens, and all those technologies that are implemented by great communities out there already. This OSS frameworks are also scrutinized and vetted by the community, so you know that a lot of people care that they are done right. Basically, we wanted to take the best implementation of a security framework in the Microsoft open-source community, host it in our infrastructure, and be able to customize it to our specific use-cases. This led us to IdentityServer4, which is the core technical component of our Identity implementation.
Skoruba IdentityServer4 Admin
One of the things about identity implementations is that there is a lot of configuration and user data to manage. To be honest, client configuration and user data is one of the biggest PITA about doing Identity work. Once you get it, it isn't so bad but so much of a successful roll-out with an identity platform hinges on getting all this data right. And to do that, it helps to have a good administrative platform.
While I'd love to have had the time to write an application that gives a good user experience for the administration of this data, I didn't have that time. So, I went looking for something in the community that used IdentityServer4 as a foundational component and added the user experience I wanted. And after several pilots, I found and selected Skoruba IdentityServer4 Admin. This is an ASP.NET Core 3.x web application that provides the Security Token Service (STS), and Administrative Application, and an Administrative API, all in one easy to use package! I've been really happy that I found it.
Data Persistence
The Skoruba templates allows for the selection of one from three different built-in persistence providers via Entity Framework Core. SqlServer, MySql and Postgres.
Postgres
Postgres was the database provider the I selected. This reduced our licensing costs, provides the appropriate level of performance and functionality, and with us being in Azure, we always have the option of moving to Azure Database for PostgreSQL which has single instance SKU and an HA/Hyperscale SKU if that eventually becomes a needed capability. There is also a ton of community support around the product, which means libraries, documentation, and examples are plentiful.
Logging
I cannot under-state how important logging is when developing, maintaining, and owning a multi-container environment, spread across multiple servers (nodes) that are hosted in the cloud. This isn't the first and hopefully won't be the last blog post to emphasize this point. The community building cloud-based applications already blogs about this, you've almost certainly read about it somewhere before here, but it still may not have sunk in that, perhaps, this needs to be the first thing you figure out in your new container-based platform. I paid some attention at the beginning, but not enough.
Seq - Log Ingestion and Analytics
When I first arrived at my client, they were still relying on file-based logging, spread over all the servers in the farm. They had a lot of logging in the application, but it wasn't easily accessible, and it wasn't easy at all to find out what happened across a workflow, sometimes broken, that traversed a bunch of servers.
The other thing that wasn't possible was querying and basic analytics of the log data that was being generated. It was inconsistent, unstructured, and just barely helping them solve problems.
At a previous engagement, I had used Splunk and really came to love it! The tool was great. Powerful queries, visualization, dashboard, alerts, integrations! Splunk has it all. There was only one problem. Splunk is expensive. That isn't a problem if your needs justify the spend and you have the required expertise in owning and operating Splunk, but that wasn't the case here, so I needed to find something easier to bring into the ecosystem. This was when I found Seq!
Seq is a great entry-level tool (that keeps on getting better) for organizations that are just getting started on getting logs into a central product and using that log data to analyze problems and operational aspects of the platform. Seq is built by Datalust.co, who also makes Serilog the .NET library that we use for logging internally in the application. This combination has turned out to be a cost-effective, easy to learn, setup and maintain logging infrastructure for our apps, so it was quite easy for me to bring this into the Identity project and the Kubernetes (k8s) infrastructure.
Fluentd
In addition to the identity applications that are in the k8s cluster that will be logging to Seq, the infrastructure applications in the cluster itself will generate an incredible amount of information about its operations and problems. This is a non-trivial log ingestion problem that has been made very approachable with a product called fluentd. Built to live inside of k8s clusters, fluentd is basically an event processing pipeline implementation that takes events from log files that are written all over the k8s cluster. It takes care of finding the files, processing them as they get additional entries, and sending those events "somewhere". In this case, I used an fluentd docker image that emits logs to graylog consumers, which thankfully, Seq is with an addon. So, with Serilog in the applications, fluentd in the cluster using a graylog variant and Seq running in the cluster to ingest and aggregate all the log information, we have a very compact, useful logging strategy to get us started.
I don't know how far this logging implementation will grow with the cluster into the future, but it is designed to have pieces replaced as we outgrow their capabilities.
Learning Resources
This adventure required an incredible amount of learning on my part. The way that I learn best is by reading/learning enough to get started, and then building like crazy, discovering deficiencies in what I know, resolving the deficiency, and then finding the next thing I don't know.
This series of blog posts will hopefully capture some of that learning experience, but I wanted to make sure I shared the places that I started.
Pluralsight
There are a lot of courses on Pluralsight. I think I've enjoyed all them, with some courses being better than others for me at that point in my learning. For this project, I didn't need any help with C# or ASP.NET Core or any of that part. I needed to get familiar with Kubernetes and I needed to become familiar with authentication flows using OAuth2 and OpenID Connect.
The k8s courses were from Nigel Poulton were great places to get started with k8s. The ones that I watched are:
There is a new version of Kevin Dockx course available using ASP.NET Core 3 here
Kubernetes.io
Based on what and how I was learning k8s from Nigel on Pluralsight, Kubernetes.io became an invaluable resource for me to learn about k8s and its ecosystem. Nigel's courses encourage you to work with manifests, building your k8s cluster in a declarative manner, and kubernetes.io supported that approach well. I would highly recommend working with manifests and understanding them and how they work when learning k8s. We'll discover later that I don't work directly with manifests when provisioning my cluster resources, but you have to know manifests because all the examples in the communities are in manifests!
Community blogs
This would have been much harder without the incredibly vibrant community of bloggers in the world who are sharing what they are doing, the problems, and how they are solving those problems. I'm hoping that my addition in writing this blog fills a gap and makes it a bit easier for you or someone else to put this all together, but this would have been incredibly difficult without this vibrant community.
]]>
<p><a href="/kubernetes/kubernetes-my-journey">Series Table of Contents</a></p>
<p><strong>Previously:</strong>
<a href="/kubernetes/kuberne
Kubernetes - My Journey - Part 3https://westerndevs.com/kubernetes/kubernetes-my-journey-part-3/2020-05-22T14:00:00.000Z2026-03-22T17:42:31.815ZDave Whitedmhwhite@gmail.comhttps://westerndevs.comSeries Table of Contents
Tooling is an incredibly important aspect of a developer's daily life. IDEs, CLIs, Automations, Visualizations; the list goes on and on. Sifting through the set of tools that are available and finding out if they work for you can take a lot of time. As a former Microsoft MVP (Dev Tools), I'm always interested in tooling because I know the importance it can make in developer productivity and the overall productivity and quality for an organization! I'm hoping that by sharing my base set of tools, and what I use them for, you'll get a bit of tool-curation time savings back to spend on learning other things.
These are the tools I use every day on this project.
Visual Studio
Visual Studio has come a long, long way since the first time I ever used is as Microsoft Visual Studio 97 (5.x). Wow! This IDE has been my constant companion for the entirety of my development career, and I have to say that the current VS 2019 version of the tool is a pleasure to work with. Given the complex nature of building projects and supporting all of the ecosystems that we build projects for, VS 2019 does a fantastic job of supporting my needs.
With this project, I obviously appreciate all of the normal C# coding functions that are present, but the docker/docker-compose support is particularly important and the ability to debug applications running in docker containers is great.
I still have ReSharper and I still have many extensions (Thanks Mads!) running in Visual Studio, but this IDE is the workhorse of my day-to-day activities when I'm working in C#.
I don't recommend that you download and try to use Microsoft Visual Studio 97!
VS Code
Visual Studio Code is a fantastic, light-weight text editor with an incredible extensibility feature that the community has taken full advantage of! Out of the box, it is very good at one thing. Editing text files. With all the extensions being written and placed on the marketplace, it has become some people's full-time IDE. The great thing about VS Code is that it runs on macOS, Linux, and Windows, so you take it wherever you go! And, it's free! It has mostly replaced all my other text editors, with the exception of Notepad. Still use that one from time to time.
I use VS Code for editing all my manifests, Pulumi Typescript applications, and markdown files for documentation. This blog post was written in Markdown using VS Code! With an integrated terminal window using PS Core, I can do pretty much all my k8s deployment and resource work without leaving VS Code.
Pulumi
I've mentioned that while I find manifests a great way to learn k8s, I've adopted a different approach for deploying k8s. That approach is from a company called Pulumi! What they've basically done is built a platform and multiple SDKs in various languages that allow us to do Infrastructure as Code in a programming language of our choice!! It's a great way to define and manage your cloud resources. Once you have written your application that knows what you want to do, you simply tell the pulumi cli to up or destroy your infrastructure! pulumi up and it will create or update your infrastructure resources as needed, and pulumi destroy tears it all down and cleans everything up!
Git
Git is the most popular and arguably the defacto source control system in the world today. All my manifests and pulumi typescript files are version controlled in git, as are all the Identity application projects that we'll be building later on.
Azure DevOps Services (Server 2019)
Azure DevOps (Server) is our DevOps management software. Source control (Git and TFVC), Work Item Management, Builds, and Deployments are all provided by this service. It provides us a tremendous amount of automation, and it gives us a place to make our knowledge about how to build and deploy our applications concrete! If you haven't tried Azure DevOps recently, you really should give it another go. It's been a tremendously valuable addition to the development process.
Kubernetes Web UI (Dashboard)
Kubernetes Web UI (Dashboard) is a great dashboard that is built into your k8s cluster that provides a User experience to help you visualize and manage your k8s cluster.
Octant
Octant is a dashboard for your k8s cluster, similar to the Kubernetes Dashboard, but it doesn't require you to port-forward to your local machine to get at the dashboard, it simply runs on your local development machine and uses the kubectl current context to access the cluster! This makes is quite easy to spin up. It provides port-forwarding capabilities in addition to many of the capabilities present in the Kubernetes Web UI. I find myself using them both quite often throughout the day.
K9s
K9s is a console-based user experience for managing your k8s cluster! As with Octant, it uses kubectl and your current context to determine which k8s cluster it is managing. I quite like it! I also find it really interesting how I have three different tools for managing the k8s cluster and depending on what I'm doing or even my mood, I can pick from any of the three tools.
Honorable Mention - Docker Desktop for Windows
Docker Desktop for Windows is the easiest way to get docker containers running on a windows desktop. You need a CPU that supports virtualization and you have to have Windows 10 Pro for the HyperV/WSL2 support. There are other options if you aren't running Windows 10 Pro and up, but I'll leave that as an exercise for you to figure out. But during initial development of the Skoruba project, it was immensely helpful to be able to build, deploy, and debug the application without having to deal with k8s or minikube. There are additional complexities involved with that that you will want to defer for a while.
]]>
<p><a href="/kubernetes/kubernetes-my-journey">Series Table of Contents</a></p>
<p><strong>Previously:</strong>
<a href="/kubernetes/kuberne
Kubernetes - My Journey - Part 4https://westerndevs.com/kubernetes/kubernetes-my-journey-part-4/2020-05-22T13:00:00.000Z2026-03-22T17:42:31.815ZDave Whitedmhwhite@gmail.comhttps://westerndevs.comSeries Table of Contents
Building an ASP.NET Core IdentityServer Implementation
This is where the articles start to get a bit longer. I've broken a couple up into a-b parts. We won't be talking about tasks in k8s for a bit, so if you want to skip on to that, you can go here.
There are, in my opinion, 2 parts that need to be considered when building up this IdentityServer4 implementation, and the 2nd part can arguably be split into 2 smaller parts, which is how this implementation is built.
The first part of the system needs to be the Security Token Services (STS) implementation. This part of the system is simply responsible for managing tokens. This means validating log in credentials, creating tokens, refreshing tokens, and sending along the appropriate metadata and claims. I would want this broken into a separate service because it will probably have different operational characteristics then the other parts of the application, and so we can scale is separately. If there are 1000s of request per minute to generate/validate/refresh tokens and send along metadata, that is different than administrating the data that the system relies on. Additionally, it makes it easier to secure the administrative access if it is a separate application.
The second part of the system is the Administrative (Admin) implementation. The application that provides a user experience that will help identity administrators do the right things.
In our implementation, which is based on the Skoruba project, there is actually a third part to the administrative side of the system and that is a Admin WebAPI that does all of the actual CRUD on the database. I'm happy with this setup and I'm glad the Skoruba project went in this direction.
Let's get into the details of what I did.
Start Learning with the IdentityServer4 Quickstart
If you are new to IdentityServer4 or even newer to OAuth2 and OpenID Connect, your first stop needs to be the IdentityServer4 Quickstarts. These quickstart modules will walk you through all of the steps required to incrementally build an IdentityServer4 server. They are all self-contained, building your knowledge from one to the next, and by the end of the quickstarts, you've built a functional IdentityServer4 implementation. I'm not going to re-produce any of these quickstarts or even how to get you started on them, other than providing the link and some encouragement. Go do the quickstarts, then come back here and continue reading!
It was during the quickstarts that I side-stepped and did the Pluralsight courses on OAuth2 and OpenID Connect.
Starting your project with Skoruba
So, you've done the quickstarts, or you're already experienced with IdentityServer4 and the real reason you are here is because the quickstarts left you wanting more! You wanted an Administrative application!! You wanted databases to persist all of this configuration and the quickstarts don't give you any of that! You're in the right place! I was in that position just a little while ago myself.
After doing the quickstarts, I realized I had to build/find an administrative experience for our platform. It isn't hard to find a couple when you google IdentityServer4 Administration. There are a number of Github repos that you'll find, and perhaps a couple products that you can purchase. Again, because of the desire to build/own vs. buy/subscribe, we continued looking until we found the Skoruba IdentityServer4 Admin project on Github. This is a great project and I've been very happy that I found it. It is put together well and is super easy to get started with.
In order to use the project, you'll need to have the latest ASP.NET Core 3.x SDK and development tools.
The first thing I did was get the awesome template that the Skoruba team build to get you started using their project. This command tells the dotnet tooling to go off to nuget.org and get the template.
dotnet new -i Skoruba.IdentityServer4.Admin.Templates::1.0.0-rc1-update2
Once you have the template, you are ready to start creating your solution. You can start by using the template.
A couple notes about that command that make sense once you have done the ID4 Quickstarts:
-adminrole IdentityAdminRole is the User Role that will be used in the Admin application and the AdminAPI to know if a user is an administrator of the Identity system. This role will be assigned to your admin user account.
-adminclientid MyClientId is the ClientId (username of your application) for the Admin application in the STS. Your Admin application needs this id to be allowed to access the STS.
-adminclientsecret MyClientSecret is the ClientSecret (password of your application) for the Admin application in the STS. It is used with ClientId.
Since we are planning to run this all in Docker locally and eventually deploying this to a k8s cluster, Docker support is required. All of the yaml examples in this post are in the docker-compose.yml file.
Once that command has run, you should have a project that looks something like this:
Select your DB Platform
One of the cool things about the Skoruba template is that it comes out of the box with 3 different database persistence mechanism already waiting for you. You can just select the one you want to use, and off it goes. I don't need to provide the ability to switch mechanisms, so I'm simply going to remove the templated MySql and SqlServer options.
If you are planning to use SqlServer in your k8s cluster, you can skip these instructions and the next Postgres/pgAdmin4 instructions. You could delete everything except for SqlServer implementation details. I understand why the template spits it out, but your running application probably won't need persistence choices.
So you selected PostgreSQL
PostgreSQL (Postgres) is an open-source database that is more than sufficient for our use-cases. It is free to use/run and has great support in the community. In order to minimize costs, I choose to use PostgresSQL.
The first thing I did was delete the MySql and SqlServer projects. I wasn't planning to use them and as such, just deleting them is the right course. They can always be put back in if the need ever arose to migrate to a different database platform. This is going to immediately break your solution. You can just go and delete/fix all of the broken code. You're just removing using statements and adjusting/removing if {} blocks. I also deleted all of the database types/selection code and configuration settings.
That should leave you with a solution that builds and that only contains these projects.
You probably also want to delete the db entry in the docker-compose.yml file. The SqlServer image is a large image and you don't necessarily need to download it.
In case you didn't know, Docker Desktop is the local image registry for all things Docker on your Windows workstation. All images will be downloaded and cached here. Docker Desktop is not the local image registry for k8s (minikube).
Backend Containers - Postgres, pgAdmin4 & Seq
Now, your solution is building and ready to run, but our local infrastructure isn't quite there yet. We're going to need a Postgres database instance on our local machine to run this in Visual Studio, so we can do that in the docker-compose.yml file.
To bring a Postgres database container into Docker Desktop, add the following:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
postgresdb: image:postgres:alpine hostname:postgres ports: -5432:5432 container_name:postgresdb environment: -"POSTGRES_USER=admin" -"POSTGRES_PASSWORD=P@ssw0rd!" -"POSTGRES_DB=identity"# this is the DB name that will be generated by EFCore volumes: -postgresdata:/var/lib/postgresql/data networks: default: aliases: -postgres
What this does is get the latest version of the Postgres container image from DockerHub. It exposes the default Postgres port of 5432, gives this container an alias in the DNS of postgres, and hooks the container up to a persistent volume, mapped to a volume on the local host, to store its identity data. We need to add that mapping near the bottom of the existing docker-compose.yml file. We will add a mapping for pgAdmin4 while we are at it.
There is a lot of YAML in k8s and docker. You are going to have to become familiar with it. I'm going to assume that you'll work through any yaml syntax errors that may come out of working through the articles.
After adding in Postgre, we can now add in our pgAdmin4 container instance. pgAdmin4 is a database management tool built as a web application. If you have another Postgre management tool, you don't need to follow these steps.
The pgAdmin4 container doesn't need an alias. We gave the Postgre instance a DNS alias so that all of the running containers in the cluster can simply reference the database (in the connection string) by the DNS entry of postgres. The IdentityServer4 apps and pgAdmin4 don't really need this kind of mapping so we'll leave them as accessible at the http://127.0.0.1.xip.io:port addresses.
If you want to explore more options in the pgAdmin4 configuration that are available to you, you can go to the pgAdmin4 Container Configuration page for more details.
We're also going to add a Seq instance into our docker-compose.yml file.
When I added the Seq container, I did not give it a persistent volume on the host to store log data. In the case of Seq, I'm using it for transient purposes in docker so I don't really care if the history of log entries goes away when the container is re-started. If you do want to keep your log files, you can give it a persistent volume on the host, in the same way as the databases.
Persistent Volumes do not survive a Docker Desktop data purge.
We are going to add one more little container that I want to introduce now before it really appeared in my story, but I wish that I had found it earlier. It is a small little container from Google that helps me do DNS diagnostics and debugging in the containers/k8s network. You can quickly and easily add this container at just about any time, do your diagnostics, and then remove it from the cluster. It automatically stops after 1 hour as well.
We aren't quite ready to run things yet. We need to make some more configuration adjustments.
You should be prepared to make a lot of configuration adjustments in your IdentityServer4 and k8s career!
Here are the things I've done to make this easier/cleaner for running locally.
Change all usernames to admin
Change all admin passwords to P@ssw0rd!
Change all Role entries to IdentityAdminRole
Delete all of the unnecessary launchSettings profiles
Tweak the URL configuration values
Change all of the database connection strings to point at our local Postgres instance
Tweak the code to always run migrations and seeding data on startup
Configure Serilog to use Seq and the console
Change Credentials and Role
You will have lots of chances once you've explored and learned about all of these configurations to change usernames, potentially move to Azure Managed Identities, or use something like Azure KeyVault to store your credentials. For the time being, we want this to be quite easy to do, so we're going to simplify this and make all the admin accounts the same.
Postgres - If you revisit the Postgre yaml snippet, you see the default Postgre power user is admin and P@ssword!.
pgAdmin4 - You'll see that the pgAdmin4 wants an email address, so in the yaml snippet we see the username admin@codingwithdave.xyz and P@ssw0rd!
Seq - currently requires no authentication
There are three .json files in a file in the root of the solution called shared. These files hold seed data for the applications. They are joined to the docker containers and are used by the running instances of the applications when they are in docker. You need to edit the copies of these files.
I added a solution folder to the solution and added these files to it.
I changed the following:
identitydata.json
change the initial username credentials to admin and P@ssw0rd!
change the Roles entry to IdentityAdminRole.
In the three projects, we need to make a few tweaks in the appsettings.json files. I did this for a little added clarity.
appsettings.json in MyProject.Admin
appsettings.json in MyProject.Admin.Api
appsettings.json in MyProject.STS.Identity
change the AdminApiConfiguration:AdministrationRole to IdentityAdminRole
Here is an example from the STS appsettings.json file.
This one is fairly simple and just a cleaning exercise. I can debug with Docker Desktop and the DockerCompose project, so good riddance to all the other clutter! I don't plan to run this in IIS or single Docker containers, so I can remove those profiles and settings. I will leave the Kestrel settings since I can envision someone doing that. Otherwise, I'm only planning to run ecosystem this via DockerCompose or sending it to a k8s cluster.
Identity implementations require a lot of information about people and applications in order to work. One of those pieces of information is the URL of the caller. The Skoruba template spits out all of the URLs in the form of 127.0.0.1.xip.io. These URLs are using the xip.io service provided by the makers of Basecamp. This DNS server basically takes the DNS entry request, pulls the IP address out of it, and send that IP address base as the resolved IP. You can basically get a public DNS to resolve to an IP address that is your local machine.
One thing I found while looking over the project was a blend of localhost configurations and 127.0.0.1.xip.io. Because of the way that xip.io works, we can get rid of all of the localhost references. So, you can do a Replace in Files and replace all of the localhost with 127.0.0.1.xip.io.
We could also replace all of the 127.0.0.1.xip.io with lvh.me which is a public DNS entry that resolves to 127.0.0.1 as well. This link describes lvh.me and some other good utilities.
These URLs are in the launchSettings.json file and the appsettings.json. Remember that in ASP.NET Core applications, by convention the environmental variable configurations are loaded last and overwrite anything in the appsettings.json files.
One thing about configuration in this adventure is making sure that your configuration supports anywhere you run. That is why you see this crazy overlap of appsettings.json files or environmental variables managed all over the place. You have to develop a good understanding of how the configuration systems work in the runtime environments and take advantage of them.
While we are doing this work, I also adjusted the ports that everything lives at. There are some mistakes in the Skoruba template that state that the Admin API is at 5001. So in this exercise I've set:
STS to port 80 (no port)
Admin is at port 9000
Admin API is at port 5000
These go along with pgAdmin4 already being at port 5050 and Seq being at port 5341.
Database Connection strings
The Skoruba uses 5 different DbContext to do its work. This in theory allows you to maintain smaller, more specific entity sets and could also spread some of this persistence work across different servers, but in practice, we'll only use one server. You can replace all connection strings with this one connection string.
1
Server=postgres; User Id=admin; Database=identity; Port=5432; Password=P@ssw0rd!; SSL Mode=Prefer; Trust Server Certificate=true;
Notice that we can reference the Postgre DB at its DNS alias of postgres.
Tweak Code to Run Migrations Always
You can see that the Skoruba team already had this idea in mind when they created the template. You just need to make the switch in Program.cs around line 32 and the MyProject.Admin project.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
// Uncomment this to seed upon startup, alternatively pass in `dotnet run /seed` to seed using CLI await DbMigrationHelpers.EnsureSeedData<IdentityServerConfigurationDbContext, AdminIdentityDbContext, IdentityServerPersistedGrantDbContext, AdminLogDbContext, AdminAuditLogDbContext, UserIdentity, UserIdentityRole>(host); //if (seed) //{ // await DbMigrationHelpers // .EnsureSeedData<IdentityServerConfigurationDbContext, AdminIdentityDbContext, // IdentityServerPersistedGrantDbContext, AdminLogDbContext, AdminAuditLogDbContext, // UserIdentity, UserIdentityRole>(host); //}
Configure Serilog to use Seq
This is going to require a little bit of work in Visual Studio. The Skoruba template already makes use of Serilog as the logging engine, but it doesn't have the Seq sink that will be used to send all of the structured log messages to Seq. We need to add that bit to the Identity applications.
Add the Serilog.Sinks.Seq package to all three Identity projects
Change the configuration in the /shared/serilog.json file that will be used by the docker containers.
Optional Change the individual serilog.json files in each project to approximately match. Remember that the docker containers all use the shared/serilog.json file, not the individual serilog.json file via the volumes: directive
Alright! We've scaffolded the IdentityServer4/Skoruba applications, we've put all of our infrastructure in place, and we've adjusted all of our configuration! We should be ready to run this application!
Select the docker-compose project in the solution explorer!
You should see only the docker-compose option in the Visual Studio Run button
Run your docker-compose orchestration!
Now we can start to explore what we've got running in the container network.
Once we've logged in! We need to add a connection to the Postgre database into pgAdmin4.
Create Server Listing Entry
Enter server location (DNS)
Enter Postgre server admin credentials
1 2 3 4 5 6 7 8 9 10
postgresdb: image:postgres:alpine hostname:postgres ports: -"5432:5432" container_name:postgresdb environment: -"POSTGRES_USER=admin" -"POSTGRES_PASSWORD=P@ssw0rd!" -"POSTGRES_DB=identity"# this is the DB name that will be generated by EFCore
And voila! We can administer our Postgre-based Identity store that is used by the 3 applications in the platform!
We can now run Postgre queries and sql commands to look at or manipulate our data.
Seq
Looking at Seq is a little easier! We just need to go to the http://127.0.0.1.xip.io:5341 URL. Since we are in a single-user license and with no authentication turned on or hooked up, we'll simply land on the query screen!
Now, we can start to just get a taste of the benefit of a embedded log-ingestion application. We can see that the apps are all logging into the Seq platform.
And now we can start to look at basic loads across all three applications in the same timeframe.
I'll leave a much deeper exploration of what Seq can do for you as homework! I know your probably already at home (or work?!?!) but I'm not going to directly explore Seq's capabilities in this blog post! I'll save that for another series. But you should definitely go check out Seq by DataLust.co.
I am not affiliated with Datalust or Seq in anyway. I get no money for this. I just really like the product.
Once we are logged into the STS, we can see that users can manage their details. They can look at the applications they've granted permissions to, they can look at their profile data. They can delete their personal data, turn on MFA, and change their password! Phew!
Again, I'll leave a deeper exploration of the STS for homework. You should have enough familiarity after working through the IdentityServer4 Quickstarts that most of this will seem familiar. Also, this is only the user profile information, so it isn't exciting.
Admin
Next, we'll open a tab to the Admin application. If you are already logged into the STS, you won't be challenged for a username/password but have no doubt, you were authenticated!
If you were not logged in, you would have been re-directed to the STS to enter your credentials, prove who you were, and then returned to the Admin page. Give it a try. Log out of the STS and try going to the admin URL again!
There is a lot to learn about administering an IdentityServer4 implementation. I'm going to cop out again and leave you to explore this as homework.
Admin Api
Last but not least, the Swashbuckle Api Explorer application (swagger) that is embedded in the AdminApi project!
The Api Explorer is already setup to leverage token-based authentication, so if you hit the Authorize button, you'll be directed to log in (authenticate) with the STS (if you haven't already). If you are already authenticated, you may be asked by the Api Explorer app for your consent to use your profile details, but you won't have to type in your username/password again. And if you allow your consent to be remembered, you won't be challenged for it again.
If you execute any of the API methods before you are authorized, you'll get the dreaded 401 Unauthorized HTTP status code!
Now get authenticated!
And this time, we are authorized and our API call succeeds!
Summary
Now that is it! Wow! That was a lot of work! But we have been rewarded by a fully functioning IdentityServer4 running on our machine with a Postgres DB as persistence, pgAdmin4 for database administration, and Seq for log ingestion!
One thing I didn't do for demonstration purposes is do any sort of custom-branding on the Skoruba applications, but they are just ASP.NET Core 3.1 web applications that you already know how to modify and enhance. The Skoruba template has a little bit of built-in branding configuration, but you can certainly charge ahead and make this look however you'd like.
So, there we go. We have a fully functional system running in Docker, but that isn't going to help us where we are going. Time for the next step and we move our platform to Kubernetes!!
]]>
<p><a href="/kubernetes/kubernetes-my-journey">Series Table of Contents</a></p>
<p><strong>Previously:</strong>
<a href="/kubernetes/kuberne
Kubernetes - My Journey - Part 5ahttps://westerndevs.com/kubernetes/kubernetes-my-journey-part-5a/2020-05-22T12:00:00.000Z2026-03-22T17:42:31.815ZDave Whitedmhwhite@gmail.comhttps://westerndevs.comSeries Table of Contents
Getting Started with Kubernetes - Minikube - Part A
We're finally getting to the part of the series where we have a group of applications and we want to have them live in Kubernetes (k8s). In order to do that, we need to have k8s on our local development machine and we are going to use Minikube to do that.
Important Caveat
I'm going to make an assumption that at a minimum, you've reviewed various types of k8s resources on kubernetes.io and in a best case scenario, you've watched Nigel Poulton's Pluralsight course Getting Started with Kubernetes. If you haven't, my discussions about these topics may be harder to understand because they do not cover these basics.
Also, my understanding of Kubernetes is certainly not as extensive as I'd like. I'm not sure I'd hazard calling myself an expert. I've got a working cluster and applications in that cluster but I am not going to make the statement that I've done it all right or with the current best practices in place. This is a learning exercise for me (and you) and while I want to get you with a cluster up and running as soon as possible, I expect you to learn/challenge/grow your k8s cluster knowledge as well.
Getting started
Thankfully, I don't have to create a huge blog post on this! There is already some great documentation at kubernetes.io that gets you setup with a learning environment based on minikube so I'll just let you go there and read the installation guide! I'm using v1.9.2 of minikube during the creation of this series of articles.
A Powershell Script
It is certainly easy enough to remember some commands when standing up your environment, but as we work through getting everything into minikube using the command-line and manifests, it can become quite a list of commands and so I'd recommend creating a powershell script that you can capture your commands in the order that you are likely to execute them.
The way that I've been structuring my source files is:
1 2 3 4
project_root |- infra |- manifests |- src
The src folder is where the ASP.NET Core applications are. You can ignore the infra directory for a while, but for this part of the journey, we'll be using the manifests folder to store all of our k8s declarative manifest files. This is also where I store my stand-up.ps1 powershell script file!
The first line in your stand-up.ps1 file should probably be (if your on windows):
with 4 logical CPUS (4 of the n you have in Task Manager - Performance Tab)
with 16 gb of memory
20 gb of disk space (default value)
and expanding the range of usable ports in minikube
You're going to want to adjust these numbers to what make sense for your workstation. I have a i9-9900k with 64 gbs of memory, so these numbers makes sense for me. You can certainly run all of this on 1 CPU and 4 gb of RAM with no problems. As you build k8s clusters with more hosted pods, you'll probably need to increase the values when starting minikube.
It is important to understand that this command creates a virtual machine, running linux, in hyperv, on your local workstation. If you want to change these parameters, you'll need to destroy your current minikube instance and re-create a new one.
Out of the box, k8s (minikube) limits the port range of containers in the cluster to 30000-33000. I've expanded this range because I want to use the same port values that we used in docker. This expanded range allows k8s in minikube to use more ports, but it doesn't claim all of them.
After the minikube VM has been created (which may take a few minutes), we can then invoke our next command to make sure it is up and running!
1 2 3
# Start a tunnel from your local machine into minikube and the kubernetes dashboard # 127.0.0.1 should open in a browser window for you and it should be the Kubernetes Web UI in minikube Start-Process-NoNewWindow minikube dashboard
Using this powershell command, the process creating the tunnel is started and control of the shell is returned to you, but the process remains running. When you close down this shell, the running process will also be closed and the tunnel will close.
Hopefully, the tunnel started, a browser window opened and you can see the Kubernetes Web UI for your new minikube k8s cluster! Let's leave this browser window open and we can keep our eyes on it.
Putting your backend into the cluster
Now that k8s is running on your local machine, we can start to install our backend services into the cluster. We'll do this activity first, with easy to configure pods, to get used to working with manifests. Installing our IdentityServer4-based applications will require some additional resources and automation.
In this section, we will start the process of converting our docker-compose.yml into a bunch of k8smanifest files. We could do this as a monolithic manifest file, but I prefer smaller manifest files. They are easier to think about and just as easy to use.
Postgres manifests
If we look at the postgres section of our docker-compose.yml file, we will see a couple of things.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
postgresdb: image:postgres:alpine hostname:postgres ports: -"5432:5432" container_name:postgresdb environment: -"POSTGRES_USER=admin" -"POSTGRES_PASSWORD=P@ssw0rd!" -"POSTGRES_DB=identity"# this is the db name that will be generated by EFCore volumes: -postgresdata:/var/lib/postgresql/data networks: default: aliases: -postgres
an image from DockerHub
container name
ports that are exposed
environmental variable declarations
attached persistent volumes
network alias
In k8s, those concepts are separated into different types of resources that we will want to provision. Generally speaking, the container-based resources will be described in a Deployment manifest and the network-based resources will be described in a Service manifest.
I tend to clump container-based concerns into a manifest file. So in this case, with postgres, I will also describe the PersistentVolume resources in with the Deployment resources.
Let's decompose that Deployment manifest in more detail.
PersistenVolume
From kubernetes.io...
A PersistentVolume (PV) is a piece of storage in the cluster that has been provisioned by an administrator or dynamically provisioned using Storage Classes. It is a resource in the cluster just like a node is a cluster resource.
So we need to have some disk space made available for us to use in the cluster.
The TL;DR; (too long; didn't read it) description of this resource description is:
Create a volume on the linux host (k8snode)
at the path described
make it 1Gi large
only let one node (VM/host) connect to it
PersistentVolumeClaim
From kubernetes.io...
A PersistentVolumeClaim (PVC) is a request for storage by a user. It is similar to a Pod. Pods consume node resources and PVCs consume PV resources. Pods can request specific levels of resources (CPU and Memory).
We need to claim some of the disk resources from the cluster (the PersistentVolume) in the same way that we would request some CPU or memory capacity from the cluster. It is important to explore the relationship between PV and PVC. This blog article provides some insights as does this Stack Overflow Question/Answer.
As I understand it, we will need to do this PV+PVC technique because we are using minikube, not AKS, and the storageClassName that we are using (manual) doesn't allow for dynamic provisioning of the storage resource. This will change when we move to AKS.
apiVersion:apps/v1 kind:Deployment metadata: name:postgres-dep labels: app:postgres spec: replicas:1 revisionHistoryLimit:2 selector: matchLabels: app:postgres template: metadata: labels: app:postgres spec: volumes:#this pod is going to claim this PVC and call it postgres-pv-storage -name:postgres-pv-storage persistentVolumeClaim: claimName:postgres-pv-claim containers: -name:postgres image:postgres:alpine env: -name:POSTGRES_USER value:"admin" -name:POSTGRES_PASSWORD value:"P@ssw0rd!" -name:POSTGRES_DB value:"identity" ports: -containerPort:5432 volumeMounts:# this container is going to mount the volume that is the claimed PVC -mountPath:"/var/lib/postgresql/data" name:postgres-pv-storage
There is a lot that goes into a Deployment manifest. You can see more details here in the event that you need a refresher.
We've created this manifest that will stand-up Postgres in the k8s cluster. Now we can use kubectl to run this manifest against our cluster.
First, let's make sure our kubectl is configured to point at minikube.
kubectl config current-context should report minikube.
Next, let's run the postgre-dep.yml file through kubectl.
persistentvolume/postgres-pv-volume created persistentvolumeclaim/postgres-pv-claim created deployment.apps/postgres-dep created
PS D:\temp\testidentity\MyProject\manifests>
Now go to the browser window that is showing you the Kubernetes Web UI and you should see all of the new resources in your cluster!
PersistentVolume In the Cluster
Notice how this PV is a resource in the cluster and not related to any particular pod.
Postgres-based Resources
If you'd like to see only the Postgres resources,you can use the Search bar to filter everything else out.
And now we can see all of the resources we just deployed, and explore them in more detail individually.
So that completes putting our Postgres database into the cluster! Now we have to expose it.
Postgres Service Manifest
From kubernetes.io...
An abstract way to expose an application running on a set of Pods as a network service.With Kubernetes you don’t need to modify your application to use an unfamiliar service discovery mechanism. Kubernetes gives Pods their own IP addresses and a single DNS name for a set of Pods, and can load-balance across them.
Generally, you want to present as little surface area for security reasons as possible, so I have no desire to expose the database outside of the cluster. We still need a service resource created so that the container gets a DNS name within the cluster, and as containers/pods come and go, the cluster will ensure that the DNS entry always points to the right place.
So in this service manifest, we are basically telling k8s to map the DNS entry postgres-svc to whatever pod spins up with the label app:postgres.
The pgAdmin4 deployment manifest is very similar to the postgres-dep.yml file we've created already. So I'll just post it in here so you can take a look at it. The only things that are really different are the environmental variables and the names of things.
Since I do want to be able to access the pgAdmin4 application from outside of the cluster, we need to make a service manifest that exposes the pgAdmin4 pod.
Simply speaking, this manifest says to create a NodePort service resource for this pod and expose it on port 5050. Notice that the spec: selector: is saying that this service will be applied to pods with the same label of pgadmin4. Remember, in k8s, labels are usually very important. And because of the type: NodePort on this service, we will be able to access this pod from outside of the cluster.
If you want to expose your Postgres resource outside of the cluster, you can change that manifest to create a type: NodePort service exposing the postgres pod on port 5432.
Now we need to use kubectl to create this resource in the cluster.
kubectl create -f .\pgadmin4-svc.yml
You should see the new pgAdmin4 resources in your cluster.
We can also now use another feature of minikube which allows you to expose services in your cluster to the outside world on minikube's IP address. In order to expose pgAdmin4, simply type:
minikube service pgadmin4-svc
Minikube should then create a tunnel into the cluster for you, and open a web browser to the URL that was generated!
You can also use minikube service list at any time to see a list of the exposed services in your cluster.
1 2 3 4 5 6 7 8 9 10 11 12
PS D:\temp\testidentity\MyProject\manifests> minikube service list
|----------------------|---------------------------|--------------|----------------------------| | NAMESPACE | NAME | TARGET PORT | URL | |----------------------|---------------------------|--------------|----------------------------| | default | kubernetes | No node port | | | default | pgadmin4-svc | 80 | http://172.28.129.202:5050 | | default | postgres-svc | No node port | | | kube-system | kube-dns | No node port | | | kubernetes-dashboard | dashboard-metrics-scraper | No node port | | | kubernetes-dashboard | kubernetes-dashboard | No node port | | |----------------------|---------------------------|--------------|----------------------------|
You should be able to log into pgAdmin4 with the credentials we've come to know and love (user: admin@codingwithdave.xyz pwd: P@ssw0rd!). Once in there, you will be able to re-create your server list entry, but this time, the location of the server is the name of the postgres service, as described in the metadata: element of the yaml.
1 2
metadata: name:postgres-svc
Seq Deployment manifests
The Seq deployment manifest is very similar to the others we've created already. So take a look, and then put Seq into your minikube cluster.
kubectl create -f .\seq-dep.yml will get your service resource created!
Then expose your service via:
minikube service seq-svc
And voila! A browser window opens and you'll see Seq!! Nothing is logging there yet, but it's there! Woo hoo!!
Summary
Hopefully now, you've shifted all of the backend services required for our IdentityServer4 applications into minikube! They are all up and running, and you've been able to access pgAdmin4 (connected to the postgres db) and you've been able to access Seq, even if nothing is logging to it!
This has been really long post, so I'm going to take a break, let you have a break, and continue on to Part B of putting our system in Minikube!
]]>
<p><a href="/kubernetes/kubernetes-my-journey">Series Table of Contents</a></p>
<p><strong>Previously:</strong>
<a href="/kubernetes/kuberne
Kubernetes - My Journey - Part 5bhttps://westerndevs.com/kubernetes/kubernetes-my-journey-part-5b/2020-05-22T11:00:00.000Z2026-03-22T17:42:31.815ZDave Whitedmhwhite@gmail.comhttps://westerndevs.comSeries Table of Contents
Getting Started with Kubernetes - Minikube - Part B
We're finally getting to the part of the series where we have a group of applications and we want to have them live in Kubernetes (k8s). In order to do that, we need to have k8s on our local development machine and we are going to use Minikube to do that.
Important Caveat
I'm going to make an assumption that at a minimum, you've reviewed various types of k8s resources on kubernetes.io and in a best case scenario, you've watched Nigel Poulton's Pluralsight course Getting Started with Kubernetes. If you haven't, some of the stuff I discuss will not have sufficient detail in this post to close the gap.
Also, my understanding of Kubernetes is certainly not as extensive as I'd like. I'm not sure I'd hazzard calling myself an expert. I've got a working cluster and applications in that cluster but I am not going to make the statement that I've done it all right or with the current best practices in place. This is a learning exercise for me (and you) and while I want to get you with a cluster up and running as soon as possible, I expect you to learn/challenge/grow your k8s cluster knowledge as well.
Continuing on...
So we've now deployed all of our backend services into minikube. There is a little detail that probably went un-noticed until now. Where did minikube get the container images from? In this case, it pulled the postgres, pgAdmin4, and Seq container images from DockerHub, a public container registry. So if you want to publish your custom-built Skoruba templates to DockerHub, everything will keep on working without any changes. But chances are, your going to want to publish those images to a private container registry such a DockerHub (private) or in my case, an Azure Container Registry hosted in our Azure subscription.
What about my local docker repository?
You may be asking, you've built your app locally and deployed it to Docker Desktop registry, why can't I just get it from there?
Minikube (k8s in the VM) has it's own docker daemon instance running, so now you have two docker daemons running on your machine. One in Docker Desktop and one in minikube. And the one in minikube didn't build/deploy your applications, the Docker Desktop one did. But minikube doesn't use that one. It uses its own internal docker container registry or a public/private one from the internet. I've read that you can use minikube's docker daemon for builds, but I don't want to make any adjustments to your environment that might break the Docker Desktop experience so we'll just continue on with creating a private container registry. We need to get there eventually no matter what, so let's keep going!
Azure Container Registry (ACR)
For this part of the journey, we are going to leave Visual Studio and the comfort of C# and yaml and journey to the Azure Subscription that we want to host our private container registry in!
At this point, you'll need to have access to a Azure subscription. Microsoft has made it very easy to create them (they are free) and use them (there are lots of free services)! The ACR service is not free, but it is pretty inexpensive for the Basic SKU which holds up to 10gb of container images.
If an Azure ACR is not in the cards for you, you can continue (without my help for the moment) with a free DockerHub public registry, or a private container registry that you may already have access to.
For this part of the project, I'll be using my Depth Consulting Azure Subscription and Azure DevOps Service instance. My client, who has the identity management business problem, also has Azure DevOps Server 2019 and an Azure subscription that holds their private ACR.
Follow the wizard and complete the creation of your ACR
pick the Basic SKU. It is more than enough for now and you can upgrade later.
The Basic ACR costs about $0.17 per day for 10GiB of storage.
Tada! ACR created!
I could create the ACR via Pulumi but it is a one-and-done kind of activity, so I didn't do that. It's just easier to create it in the portal.
Secrets! Secrets! Secrets!
In order to access a private container registry, you need credentials! And more specifically, your k8scluster needs the credentials for your private container registry. And it isn't just k8s that needs those credentials, your DevOps pipeline will need those credentials as well in order to publish container images into the registry.
Our ACR credentials are available in the Azure Portal. You can find the ones we'll need there.
Remember where they are. When we get back to manifest land, we'll need them.
Azure DevOps Service (Server 2019)
Now that we have a private container registry, we need to build our IdentityServer4 applications and publish those container images to our ACR. If you do not have an Azure DevOps Service instance, you can create one for free.
I will try to create blog post sometime doing something like this from GitHub, using GitHub Actions with a public DockerHub Registry.
Assumptions
I'm progressing on the assumption that your IdentityServer4 implementation projects have been checked into a git repository somewhere. If this is in an Azure DevOps Services instance, that's great, but it can be GitHub or any other repository that Azure DevOps Pipelines can monitor for changes.
Build and Publish in one Pipeline
The next step is to build and publish our applications. For this, we're going to leverage Azure DevOps Pipelines that contain a couple DockerCompose tasks. Thankfully, this is very easy to setup in thanks to the pipeline templates and the integration between Azure Portal and Azure DevOps Services.
Go to your Pipelines in Azure DevOps Service instance
Create a new Pipeline
Connect the pipeline to your repository
On the Configure your pipeline wizard step, select Docker - Build and Push an Image to Azure Container Registry
Select your Azure subscription with the ACR in it
Select your ACR that you want the images in
don't worry about the image name or Dockerfile parameters. They'll be deleted in a moment
variables: # Container registry service connection established during pipeline creation dockerRegistryServiceConnection:'<your service connection Id>' imageRepository:'identityserver'# <-- delete containerRegistry:'depthconsulting.azurecr.io'# <-- delete dockerfilePath:'$(Build.SourcesDirectory)/src/DepthConsulting.Identity.Admin.Api/Dockerfile'# <-- delete tag:'$(Build.BuildId)'
With your cursor under the steps yaml entry, Add a Docker Compose task
Work through the wizard and the Command is build
With your cursor under the last DockerCompose@0 task, Add another Docker Compose task
Work through the wizard again and the Command is push
Save the pipeline and run it!
You may need to give your pipeline permission to use a service principal to connect to the ACR. If you see that your pipeline is queued and waiting for persmission, go ahead and give it permission.
Your final pipeline yaml should look something like this.
# Docker # Build and push an image to Azure Container Registry # https://docs.microsoft.com/azure/devops/pipelines/languages/docker
trigger: -master
resources: -repo:self
variables: # Container registry service connection established during pipeline creation dockerRegistryServiceConnection:'<your service connection guid here>' tag:'$(Build.BuildId)' # Agent VM image name vmImageName:'ubuntu-latest'
stages: -stage:Build displayName:Buildandpushstage jobs: -job:Build displayName:Build pool: vmImage:$(vmImageName) steps: -task:DockerCompose@0 inputs: containerregistrytype:'Azure Container Registry' azureSubscription:'<your subscription id here>' azureContainerRegistry:'{"loginServer":"depthconsulting.azurecr.io", "id" : "/subscriptions/<your subscription id here>/resourceGroups/<your resource group here>/providers/Microsoft.ContainerRegistry/registries/depthconsulting"}' dockerComposeFile:'**/docker-compose.yml' action:'Run a Docker Compose command' dockerComposeCommand:'build' -task:DockerCompose@0 inputs: containerregistrytype:'Azure Container Registry' azureSubscription:'<your subscription id here>' azureContainerRegistry:'{"loginServer":"depthconsulting.azurecr.io", "id" : "/subscriptions/<your subscription id here>/resourceGroups/<your resource group here>/providers/Microsoft.ContainerRegistry/registries/depthconsulting"}' dockerComposeFile:'**/docker-compose.yml' action:'Run a Docker Compose command' dockerComposeCommand:'push'
After the build has run, we should now see our IdentityServer4 container images in the ACR!
You should navigate the ACR repositories and look at what images are in each repository. Also, all of our images were tagged as latest so every time the build runs, we'll have new a latest image that will be pulled down as needed by the k8s cluster. I'll leave container image tag management to another blog post. We're just trying to get to k8s today.
Adding our ACR Secrets to minikube
Now that we have our IdentityServer4 applications published to a container registery, we need to give our k8s cluster the credentials that will allow it to pull those images down from the ACR into the cluster. To do that, we will create a k8s Secret resource.
Put this command in your start-up.ps1 file for now
This will create a Secret resource in the k8s cluster that it's docker daemon will use to access your private container registry. You can look at the secret that was created using kubectl.
kubectl get secrets
1 2 3
NAME TYPE DATA AGE default-token-7n4h4 kubernetes.io/service-account-token 3 26h docker-credentials kubernetes.io/dockerconfigjson 1 17s
And you can look at the specific secret in yaml with kubectl as well.
You could take this yaml and create a docker-secret.yml manifest file and declaratively create your secret. I'll leave that to you as homework.
Now our k8s cluster should be able to get the container images. We'll prove that in the next section!
Deploying our IdentityServer4 applications to minikube
Now that we have our applications in our container registry, we can build up the manifest files for these applications and we can reasonablly expect our k8s to be able to fulfill the Deployments that we have in those manifest files.
STS
Here is the deployment and service manifests for the STS.
Now we can kubectl all of these manifests into our k8s cluster and we should see them all appear in the Web UI.
kubectl create -f .\sts-dep.yml
kubectl create -f .\sts-svc.yml
kubectl create -f .\admin-dep.yml
kubectl create -f .\admin-svc.yml
kubectl create -f .\adminapi-dep.yml
kubectl create -f .\adminapi-svc.yml
Feel free to put put these into a single manifest file or any other combination that makes sense to you.
Now expose all of the services from minikube.
1 2 3 4
# expose the services from minikube minikube service identity-sts-svc minikube service identity-admin-svc minikube service identity-admin-api-svc
Inspect The Pods In Kubernetes
Now is a good time, before we go try to use these applications, to see if the Pods are up and healthy in your k8s cluster in minikube. If you haven't yes, you can use the minikube dashboard command to get to the Kubernetes Web UI or you can go to a command prompt and type octant to start that tool if you've installed it.
Octant
We're taking a look at the state of the pods now because with our approach to putting pod resources into k8s, we are taking an indirect path to getting actual pods running. Our approach is to:
create a Deployment resource
which creates a ReplicateSet resource
which creates Pod resource(s) as necessary
In our previous steps, the backend infrastructure resources that we wanted running came from DockerHub (a public repository) and they are pretty easy to get started, so we were unlikely to see any Pod start-up failures. With our own Skoruba-based applications in a private repository, there is a greater chance that our pods will fail to start up, and we'd like to see that now.
Hopefully, everything worked and what you see in Octant is this:
What we see in this image is all the pods having fulfilled their ReplicaSet replicas: pod count and that they are all running.
When I did this the first time, my Pods did not all end up running. I encountered for the first time the dreaded ImagePullBackoff error condition! This is a condition where the k8es control plane is having troubles acquiring an image, for any of a number of reasons, and is now slowing down the rate that it tries to acquire the image.
In this case, I've simply changed the image that the Deployment is trying to pull to create this error condition. If the image name is incorrect, this error condition will occur.
Another reason that it occurred for me was because I had my private container registry credentials wrong. If you are missing the docker-secret or you have the wrong username/password in that secret, you will also get an ImagePullBackoff error condition.
I'd encourage you to give this a try! You only need to kubectl apply -f .\identity-sts-dep.yml with an incorrect image name and you'll see this error. Change it back and apply again and you'll see it fixed. You could also remove the docker-secret to see how that affects things.
It should go without saying, that if you have this problem, you have to resolve this prior to continuing.
We need DNS entries for IdentityServer4
The combination of hosting our k8s cluster on minikube and running this all on our local machine and the fact that this is an bunch of Identity applications where the hostname is really important, we have to do a little extra work. You're going to want to put this into your start-up.ps1 file.
Update your Windows host file
We need to be able to use hostnames for our web applications, so we are going to have to alter our host file in order to make that happen. Here is a powershell script (that you should 100% review yourself!) that will udpate your host file to make this work with the 127.0.0.1.xip.io DNS/hostname. This should not damage your existing host file entries, but please back-up your hosts file first.
# edit your workstations host file to add minikube ip and DNS alias $hostFileLocation = "C:\Windows\System32\drivers\etc\hosts" $ip = minikube ip # get the minikube IP adddress put the address in a variable call $ip $localDnsEntry = "127.0.0.1.xip.io"# our fake DNS entry/hostname
Write-Host"We are going to set the minikube IP address $ip to DNS entry of $localDnsEntry" $dump = Get-Content-Path$hostFileLocation $hostFile = [System.Collections.Generic.List[string]] $dump $entriesCount = $hostFile.Count Write-host"Found $entriesCount entries in the hosts file" if($hostFile.Contains("# minikube section")) { Write-Host"Found a minikube section... replacing it." $hostFile.Remove("# minikube section") | Out-Null $hostFile.FindAll({param($line) $line.Contains($localDnsEntry)}) | % { $hostFile.Remove($_) | Out-Null } $hostFile.Remove("# minikube end section") | Out-Null } $hostFile.Add("# minikube section") $hostFile.Add("$ip`t$localDnsEntry") $hostFile.Add("# minikube end section")
if ($hostFile.Count -ge$entriesCount) # test to ensure we don't put fewer entries back in host file { Write-Host"Updating our hosts file with $($hostFile.Count) entries." Set-Content-path C:\Windows\System32\drivers\etc\hosts $hostFile } Write-Host"Done"
This powershell script will change the way that the DNS system works on your Windows workstation. The hosts file takes precedence over a DNS query to the internet, so once we do this, our Windows machine will resolve the IP address we've stated and not the one that would have been return by xip.io. This will break our ability to use DockerCompose. Comment out the entry to use DockerCompose again. The alternative is to create separate domains/configurations for each environment (Docker & minikube) on your local workstation. This is a bit cumbersome with the way seed data is handled today, but it is a problem that could be solved.
You should now be able to visit the following URLs and only be challenged for your username/password once and you will be asked for consent from each set that you visit.
With the Admin Application, if you have not already logged in, you should be re-directed to the STS login page, hence the single-sign on aspect of our authentication ecosystem!
Victory!!
So! I'm crossing my fingers (virtually and into perpetuity) that you've arrived at a place that you can test the IdentityServer4 applications (all three), running in a minikube-based K8S cluster! If you can't, you'll have to work at it a bit and if you really get stuck, try reaching out to me on Twitter! I'm usually paying attention to notifications there!
I certainly encourage you to explore and experiment with k8s and IdentityServer4 in this environment. With these instructions, your manifests, and a little bit of luck, you should be able to always get back to a known working state, even if that means a little bit of lost data.
You can always start from scratch very easily from a minikube k8s cluster perspective. The following commands will tear down and re-build you minikube cluster. This destroys everything and gives you a totally clean slate.
]]>
<p><a href="/kubernetes/kubernetes-my-journey">Series Table of Contents</a></p>
<p><strong>Previously:</strong>
<a href="/kubernetes/kuberne
Kubernetes - My Journey - Part 6https://westerndevs.com/kubernetes/kubernetes-my-journey-part-6/2020-05-22T10:00:00.000Z2026-03-22T17:42:31.815ZDave Whitedmhwhite@gmail.comhttps://westerndevs.comSeries Table of Contents
There was a point in this development effort that things started to click in my head, and I wanted to put this chapter in here as a more concrete reflection point and not leave it to luck that you'll have yours as well. I also wanted to share my epiphany(s) so this spot makes as good a place as any.
There were a bunch of things that clicked for me after moving this from docker to k8s.
Kubernetes is not hard
Kubernetes, all by itself, is very approachable with the tools and the self-guided training I started. With minikube, kubernetes.io, and Pluralsight, I was able to stand-up a cluster and just do simple things like put resources into the cluster! Sure there are some things that turned out to be a bit of a pain in the butt that we'll discuss later on, but Kubernetes itself isn't hard.
Getting a running system in Kubernetes IS hard
So, as easy as kubernetes was, getting an actual working business solution running in kubernetes was much harder! This exercise has really adjusted my perspective about the scope of DevOps and it has adjusted my perspective of what "full-stack" could really mean. Let's step back for a second and look at what I had to create and stand-up in my k8s cluster for things to work.
a database (Postgres)
needs Postgres-specific configuration
needs networking configuration
needs persistent volumes
needs secrets
a database administration application (pgAdmin4)
needs pgAdmin-specific configuration
needs networking configuration
needs persistent volumes
needs secrets
log ingestion (Seq)
needs Seq-specific configuration (minimal)
needs networking configuration
needs persistent volumes
raw log consumption (fluentd/graylog/sqelf)
needs fluentd-specific configuration
needs rule pipelines designed
needs networking configuration
the identityserver4 group (STS, Admin, AdminAPI)
build the applications (ASP.NET Core, Web Apps, etc)
OAuth2, OpenID Connect is all about configuration!
needs networking configuration
Ingress Controller (nginx and/or traefik)
needs nginx-specific configuration
needs traefik-specific configuration
Azure-specific annotations
DNS rules (CoreDNS)
forwarding and rewrite rule configuration
certificate management (CertManager)
The interesting thing about all of these applications is that they are all completely independent pieces of software/products that you need to become proficient, if not an expert, in configuring, running, and maintaining. Kubernetes makes it pretty easy to put all of these things in the cluster. Making it all work, in a manner than you can own and operate in an enterprise production setting, is non-trivial and I'll just come out and say it, Hard!
I don't want it to be a doom and gloom story though. There is a light at the end of the tunnel. These are modern pieces of software that are really good to work with. But you still should plan to work with them if you are doing this yourself. If you are on a bigger team with lots of support, then make sure you delegate tasks to those with skills and or experience to get that part of it done. Then automate it, and share the knowledge you've learned.
Getting it running in the cloud is not bad
The good thing about getting it working in the cloud is, your probably going to focus on one cloud. Could you get it working in multiple clouds? You bet! The k8s resources are all the same, it would just be the cloud provisioning application(s) that would be different. Getting to be really familiar with what services your cloud provider offers and how to use those services will be key. But, again, you will need to be very proficient if not an expert in your cloud providers services to own and operate your k8s cluster in the cloud.
The Azure services that we are using and need to understand are:
Azure Kubernetes Service
Public IP Address
Load Balancer
Azure Storage Accounts
azureFile
azureDisk
Virtual Network
Virutal Machine Scale Set
Route Table
Network Security Group
Thankfully, programmatically approaching my infrastructure with Pulumi has made this much easier, especially with intellisense support, so don't worry about this too much. I'll show you what I did shortly.
You do not need to master ALL runtime environments
One thing I discovered quickly is I don't need to keep my web applications running in:
Windows Native - IIS
Kestrel
Docker
AKS
Trying to do this will lead to a lot of work that just isn't going to be needed. It is potentially a valuable learning experience so I'm not saying don't do it, but once you decide on your runtime environment(s), do what is best to make sure it is configured and runnable there.
In this case, I felt I did want to keep it running in Docker for the local developer debugging experience. But my primary runtime target was going to be AKS so I didn't spend any time keeping this running in Kestrel or IIS via Visual Studio from a configuration perspective, and Docker did not get the full-fidelity experience that eventually AKS did. I do keep the DockerCompose experience working so I can debug the IdentityServer4 applications on my local machine.
Cluster Logging from the Start
When I started this, I already knew I wanted to do logging in my applications, but I really didn't think about logging across the cluster. I knew it happened and I did solve some problems by looking at the logs in various pods, I should have explored and found fluentd sooner in my journey. Logs are so important in this environment because we have many applications and kubernetes itself spread across multiple nodes and who knows how many pods.
IaC and Automation are Awesome
I am really glad that I started down the path of Infrastructure as Code right from the very start of the AKS journey, and I'm going to get my Pulumi IaC applications running against minikube as well. Being able to capture what you've learned about your infrastructure as application code is a fantastic benefit, in addition to the actual automation that you can invoke with a couple key strokes, the push of a button, or a commit/push. If I was going to give myself some advice, I'd tell myself I should really make sure I pay attention to the next post in the series.
Be Prepared to need a LOT of Permissions
At the beginning of your project, if you aren't in full control of the whole ecosystem, you should start the process of getting the required permissions. This whole series generally assumes you have full-control when we start working on the AKS components, but you'll also need access to DNS registrations, and you may need permissions to acquire and use some of the tooling.
Summary
This was intended to be a brief stop. A chance to pause, catch your breath, and reflect on what you might of learned based on what I did learn. Don't be discouraged if all of this is hard or tricky or taking longer than you expected. This has been an incredible amount of learning if you started from scratch like me with k8s and you should be proud of where you've gotten too.
]]>
<p><a href="/kubernetes/kubernetes-my-journey">Series Table of Contents</a></p>
<p><strong>Previously:</strong>
<a href="/kubernetes/kuberne
Kubernetes - My Journey - Part 7ahttps://westerndevs.com/kubernetes/kubernetes-my-journey-part-7a/2020-05-22T09:00:00.000Z2026-03-22T17:42:31.815ZDave Whitedmhwhite@gmail.comhttps://westerndevs.comSeries Table of Contents
It would be great if we could get this all working in minikube and call it done, but we're not quite that lucky! We're probably going to need a platform with a bit more breathing room and additional capabilities to run our production workloads, so we'll have to figure out a way to move all of this into that platform. In our case, that platform is going to be Azure and the Azure Kubernetes Services (AKS).
With the desire to move our resources into a new k8s cluster in the cloud, there are a lot of moving parts in the infrastructure as compared to what minikube has. Here is a picture of the basic resources we'll have in Azure after we stand up this k8s cluster.
I also had to consider managing the k8s resources (apps in manifests). I want that to be a part of any automation as well.
With all of this in mind, I knew I was going to want something more than a collection of PowerShell scripts to manage the AKS resources and the k8s resources in our cluster. Thankfully, a new product called Pulumi had recently joined the market that looked like it would fit the bill as far as ease of use, community support, and a full IaC ecosystem for me to work with.
This part of the series is mostly going to be about Pulumi, with side discussions about the specific Azure resources that we will instantiate with Pulumi.
Important Assumption
Now that we are moving our activites off of our development machines and into the cloud, it is very important that you have all of the required permissions to act (or for Pulumi to act on your behalf) in your Azure subscription. We will be creating many resources in Azure and you must have permission to create these resources.
A cloud-platform that stores data about your preferences, your settings for projects (stacks), and the results of your executions.
Multiple language-specific SDKs (see languages below) that allow you to create a Pulumi application that will run and deploy your infrastructure. You can choose the language you are most comfortable with to write your application.
The Pulumi CLI tool that will allow you to manage your infrastructure and run your application to stand-up, tear down, or manage your project (stack).
In addition to the actual tooling, there is a tremendous amount of documentation and community support. I've generally been happy with the documentation even though I think it is still lacking in a couple places, but the community support has been really good. Pulumi has a Slack that anyone can join; it has logical channels that will generally meet your needs, and the Pulumi team have been very responsive in this slack whenever I encountered a problem.
I don't know about you, but when I have a programming problem, I skip all of the "conceptual" stuff, dive in, and thrash around a bunch. But, if you are inclined to understand the core Pulumi architecture and concepts, you should start reading here.
Creating an Account
Pulumi is a platform and a part of that platform are cloud-based services, associated to an account, that stores your settings, secrets, and outcomes from deployments. Pulumi has 4 pricing tiers, the first of which is Community and is free! This is the one I'm currently using. In the Community edition, your user is basically mapped one to one with an Organization and this organziation can have stacks which are (sort of) the Pulumi term for a deployment target. These stacks are associated with deployment projects so a project can have n stacks in it. The Community SKU of Pulumi is free and so far, it has been everything I needed.
You may already know that you need to have more than one person working on this or you may be concerned that you'll outgrow the Community edition, but you shouldn't be concerned. It looks like Pulumi has a seamless upgrade path (that I haven't used) and Pulumi also has a feature that allows you to transfer a stack to another account, so you aren't going to be stuck as you grow with the platform. Additionally, everything that you create to use Pulumi (apps and scripts) is yours and can be version controlled, shared, and re-used as you see fit. It would be quite easy to re-create a stack in a new organization as needed.
So, unless you know you are going to have multiple people involved in the IaC part of the project, you can just create a Community-based account and start deploying!
Install the Tools
Pulumi has a great set of tutorials here for getting started with Azure. I'm going to repeat some of it, but you should definitely check out their learning resources.
Now that you've created an account, it is time to start building your application! First, you'll need to install the Pulumi CLI in your development environment and sign into your cloud account.
Once you have the CLI, you can login via a username/password redirect to a browser or you can use an access token that you've created in the web admin pages for your Pulumi account.
You can use the pulumi whoami to see if you are currently logged in (or who you are logged in as) as well.
Language-specific SDKs
Next, you'll need to consider what language you are going to use when creating your Pulumi application. There are many choices. Typescript/JavaScript, Go, .NET Core (C#, F#, VB), and Python. Pick whichever one your organization has the most skills in. I like Typescript so that is what I picked and what my code will be written in. If you want, you can write an SDK in your favorite language. This is all open-source.
Project Structure
Once you've selected a language, you can use the Pulumi CLI to create your first deployment project and stack. I treat a stack as a deployment that I want to put in a specific environment. For example, I would have 2 stacks for my k8s infrastructure. One is the dev infrastructure in our Development Azure subscription, and the other is the production infrastructure which would be in the Production Azure subscription. These 2 stacks stand-up all of the Azure AKS resources. I would also have 2 stacks for the k8s resources that go into those k8s clusters.
Projects are mostly containers for stacks (configuration, history) and an application. Stacks have specific configuration settings and histories that are important. The application that you run for the project can use each stack for specific deployment details.
A monolithic stack with a single app is a good way to learn and this is how most of the tutorials work. However, I found that it wasn't how I wanted to manage my deployments.
I originally created a single monolithic project with a single stack and one application but have since changed this to two projects with a single application and a dev/prod stack each. The first project for the AKS infrastructure was less volatile and I didn't need to tear it all down all the time. It takes about 18 minutes to stand-up our cluster and 10 minutes to tear it all down. The second project for the k8s resources changed much more frequently and I would often want to clear out the k8s cluster and start from a clean slate. k8s resources can be added or removed from the cluster quickly and frequently. This series will only show the multi-project approach.
First, using the Pulumi CLI, we are going to create a deployment application, in the Typescript language, for the Azure cloud, for only the AKS infrastructure. We'll do our k8s resource deployment application later.
Let's create a folder in our infrastructure folder for the AKS deployment stack.
Once that is done, we can use the Pulumi CLI to build our new project with its initial stack.
pulumi new azure-typescript --secrets-provider=passphrase
This will kick off the workflow to acquire some details before it creates the stack. In my case, I answered the workflow questions with:
project name (aks) <-- hit enter and accepted default
stack name: (dev) <-- hit enter and accepted default
Enter your passphrase to protect config/secrets: P@ssw0rd!
azure:environment: (public) <-- hit enter and accept default
azure:location: (WestUS) WestUS
After answering those questions, the CLI will finish off by:
creating your project and first stack
saving them in the cloud - this happens automatically
scaffolding out the initial application files locally
pulling down all of the correct npm modules based on your cloud provider selection and language choices.
We can also look in the web portal for our Pulumi account and see the new stack is available there!
You can click the the stack to see what information has been published to the Pulumi cloud. There isn't much there yet, but there are some instructions on how to get more information there. We'll see that shortly.
A Note about --secrets-provider
You should have noticed that I've used the --secrets-provider parameter in the pulumi CLI invocation. If you are going to be building a single stack like many of the pulumi examples you'll find, you will not use or see this parameter. By default, each stack as a unique secrets provider and stacks cannot read each other's secrets. I already plan to have multiple stacks that I want to be able to share secrets between so I need to use this parameter in order to create secrets providers that can reach each other's secrets.
Passphrase is the simplest to use and get working so I'm using that for this article, but you can also use external 3rd party secrets providers. Support providers include:
We will re-visit secrets in a little while. Now back to our new project.
Scaffolded Files
If we inspect the scaffolded application in the aks folder, we'll see the following:
node_modules
This is where our SDK lives, we use NPM to add SDK components
.gitignore
Version controlled application development, just like you already do!
index.ts
the entry-point for our TypeScript-based IaC application
packages.json
The list of packages used in our application
Pulumi.dev.yaml
stack-specific configuration values
Pulumi.yaml
project-specific values
tsconfig.json
TypeScript application configuration
More Tooling - azure-cli
So, we have the Pulumi CLI, maybe git CLI, and now we need to make sure we have one more tool in place. We need the azure-cli command line tool. Pulumi will use the azure-cli to actually do all of the work in the correct subscription.
You'll need to install the azure-cli with instructions here. I like the little PowerShell script that does it for you myself.
Once the azure-cli is installed, you'll need to log into your Azure subscription that you want to work with.
az login will open a browser window and help you log into your subscription.
az account list will list all of the available subscriptions (if there is more than one)
az account set <subscription name> will set the current context to the desired subscription
If you have multiple subscriptions, you'll probably spend a bit of time switching back and forth. One thing I would suggest is to be careful when working with multiple subscriptions. Pulumi, via the current azure-cli context, will happily deploy or tear-down your infrastructure when asked. There are some safe-guards in place with regard to tear-down or changing, but I've found Pulumi is always happy to stand new things up into a subscription! I accidentally installed a minecraft server into my client's development subscription this way once! Ok, maybe twice!
With Pulumi ready and azure-cli ready, we should be ready to start coding! If you haven't done this already, it's time to open VS Code or your favorite text editor!
Your first Pulumi Application
I like to open VS Code right away for a couple reasons. It is a nice text editor with excellent TypeScript support and it also has a built-in terminal window that I can set to use PowerShell Core and I can leave the directory set to the one that holds the files I'm working in.
Open your index.ts file and take a look at what the Pulumi CLI scaffolded.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
import * as pulumi from"@pulumi/pulumi"; // Add the Pulumi core SDK module to your application import * as azure from"@pulumi/azure"; // Add the Azure core SDK module to your application
// Create an Azure Resource Group const resourceGroup = new azure.core.ResourceGroup("resourceGroup");
// Create an Azure resource (Storage Account) const account = new azure.storage.Account("storage", { // The location for the storage account will be derived automatically from the resource group. resourceGroupName: resourceGroup.name, accountTier: "Standard", accountReplicationType: "LRS", });
// Export the connection string for the storage account exportconst connectionString = account.primaryConnectionString;
At the top, you'll see that two modules have been added for you. The Pulumi Core SDK module and the Azure Core SDK module. Depending on what you need, you only add the modules to your application that you are actually using. If you need additional modules, we can use npm install @pulumi/<module name> to get those SDK modules.
Next, we see code that is creating a new ResourceGroup in Azure to hold all of our new resources.
Then, we see code that is creating a new Storage account.
And finally, we have a snippet of code that is going to export the storage account's connection string for use later.
Anything that you export in your TypeScript will be published to the cloud for review or use by another Pulumi stack/application at a later date. If you don't want these properties publicly accessible, do not export them. We will demonstrate this later. This is important to understand when working with stacks that are dependent on other stacks.
The next step is deploying this stack! Go ahead! Type:
pulumi up
You will see the Pulumi CLI kick off your IaC application. It builds the app, does some analysis of what it wants to do, and then asks you if you'd like to continue!
If your TypeScript application won't build, the process stops here, and you have to fix it.
Once you accept, it finishes doing what you've coded, and it deploys your new Azure infrastructure to your subscription.
And it also publishes details into your Pulumi cloud account for this project/stack. You can see the exported connnectionString. Also available in the cloud is a historical log of what has happened in this stack in the Activity tab.
And here are the Azure resources that were created.
Notice that Pulumi has appended a segment of characters on your resource names to try and ensure they are unique within the subscription. I haven't tried to alter that behaviour. You can create a resource directly in Azure and import it into your stack and Pulumi will respect the name it was given.
That's pretty cool! The only problem is, I don't want a lone storage account in my Azure subscription.
So, what do we do now? Tear it all down and let Pulumi clean up everything it created.
pulumi destroy
This will ask you for confirmation, so you are protected that way. Just let the Pulumi CLI finish it's work and go look in your Azure subscriptions! It will be clean as a whistle!
Deploying an AKS
I hope that was a good introduction to Pulumi, but what we really wanted to do was build an application that would deploy our AKS into our subscription. Let's get to that.
Before getting started, delete all of the existing lines of code in your index.ts. We will not be using anything created during the initial scaffolding.
Importing more Pulumi SDK modules
Standing up an AKS service cluster is move involved that a simple storage account. We will need more SDK modules in our application in order to make that happen. Let's add some import statements into our Pulumi application.
1 2 3 4
import * as azure from"@pulumi/azure"; import * as pulumi from"@pulumi/pulumi"; import * as k8s from"@pulumi/kubernetes"; import * as azuread from"@pulumi/azuread";
This is what the top of you index.ts should look like. If you are doing this in VS Code, you probably have some red squiggly lines under the bottom two imports. This is where we ask NPM to go get those modules for us!
npm install @pulumi/kubernetesGet kubernetes module of the SDKnpm install @pulumi/azureadGet Azure ActiveDirectory module of the SDK
Once that is done, the red squiggly lines should go away and you'll see that you can use those SDK modules in your application now.
Initial Configuration Values
The next part of our app initializes and exports configuration variables that we'll need for the AKS provisioning. The names for these variables are intended to be informative, but they are names that I've chosen. The values are determined by the intended usage. Azure expects some of these values to be specific, such as location or nodeSize. The nodeCount variable needs to be an int. The string const values that I export are for consistency in the same way that you would have an enum or a class containing consts values in a C# application. I believe this initial list of variables are the bare minimum you need to create a cluster. You may eventually have many more in your application.
This is what the configuration section will look like when it is complete. We will add these lines of code into the application as we work though the configuration setup so that we can pulumi up multiple times and see the incremental changes.
The first thing we do is ask the Pulumi SDK to get our stacks configuration in the form of an object of type pulumi.Config. This object lets us get configuration values (secret/non-secret) for our application, specific to this stack, from the Pulumi cloud. You're probably wondering how they got there though?
The Pulumi CLI has a number of methods that allow us to manage our stack configuration values. In this case, we need to get 5 different values from the cloud.
Passwords and Secrets
Here we get to meet another part of the Pulumi cloud infrastructure. Stacks can contain plaintext configuration information, and they can also contain secret configuration information. We can acquire this configuration information from the cloud when our application runs in order to provision our cluster. Let's work through this for a moment.
This password will be used for our administrative user in our AKS cluster. We probably don't want this to be saved as plaintext anywhere, so we're going to use the --secret flag when we use the Pulumi CLI to set this configuration value in our stack.
1
pulumi config set password --secret [your-cluster-password-here] # P@ssw0rd!
This command tells the Pulumi CLI to set a property on our stack configuration called password to the value provided and make sure it is treated securely.
Since we delete all of the text, let's pulumi up and get that value into the cloud to see what happens.
Other than the initial pulumi new azure-typescript CLI command, any changes we make to our local context wil not be available in the web portal until we use the pulumi up command.
In order to access this secret from the pulumi.Config object, we add this line of code to our application.
const password = config.require("password");
You can use config.requireSecret("password") to mark a variable as secret and at that point it's safe to export because it will always be encrypted/masked (in the state as well as CLI and console)
SSH Public Key
If you'd like to be able to SSH into your linux nodes (VMs) that are in the cluster, you'll need to provide an SSH key that is provisioned into your nodes. Using a tool called ssh-keygen we can create an SSH key and then we can put that key into our Pulumi stack config for use anytime we create the cluster.
ssh-keygen will walk you through the process of creating an SSH key.
Then we will use the Pulumi config to set the sshPublicKey configuration variable on the stack. If you are running a PowerShell terminal, this won't work. PowerShell doesn't like the < operator. You can get around that by using this command.
cmd.exe /c "pulumi config set sshPublicKey < key.rsa.pub"
Now you can pulumi up and go take a look at your configuration in the web portal again.
In order to use this variable in our application, add this line of code to our application.
In this code, we look for a configuration value called stackLocation that we can set if we want. This supports DR/HA-specific stack scenarios that I'll discuss later. If it isn't present, we can use the the default location set in the azure:location configuration value that was set for us when we created the project. You can take a look again with the Pulumi CLI command pulumi config get "azure:location" or you can look in the web portal as well. In the event that there is no configuration values, we've provided a fallback value of WestUS.
I love being able to use programmatic logic in my infrastructure deployments!!
az account list-locations will list supported regions for the current subscription. It will spit out a JSON blob of regions and you can use the name property. It seems that commands that take a region parameter name are case-insensitive.
In order to create a k8s cluster, we need VMs (nodes) in the cluster. We can configure how big we want cluster to be and store that data in the stack configuration. Our fallback value is 2.
pulumi config set nodeCount 2
A k8 cluster only needs 1 node to operate. This is certainly sufficient for dev contexts, but you probably want 3+ nodes in production.
Add export const nodeCount = config.getNumber("nodeCount") || 2; to the application.
Azure also needs to know what SKU our nodes (VMs) should be.
az vm list-skus is the azure-cli command that will list out all of the SKUs you can pick from but it spews an enormous JSON blob that lists them all and their capabilities. You're probably better off visiting here to help you decide what SKU to use.
pulumi config set nodeSize Standard_B2s
Add export const nodeSize = config.get("nodeSize") || "Standard_B2s"; to the application.
Again, we provided a fallback value in the application.
pulumi up and look at the configuration values in the web portal.
Exports From Your Application
Finally, we want to provide some const values that will be available in the stack, displayed in the web portal, and also available to any other stack that belongs to the Pulumi organization.
pulumi up and you'll see all the rest of our configuration values in the web portal. Exports are shown in a different group in the web portal. The are considered outputs of the stack.
You should recognize when you export a value that you will get a value in the outputs section of the web portal and it also be in the config. You don't have to export const values if you want to avoid that confusion.
Getting the Azure Subscription Id
We need one more value for our application and that is the subscriptionId. In this case, we could use the pulumi config set command to manually set it, but we can get the subscription from the Azure context that we are already connected to. This is exposed via an SDK component.
1 2 3
// getClientConfig is an async call, so wrap in pulumi.output const clientConfig = pulumi.output(azure.core.getClientConfig()); exportconst subscriptionId = clientConfig.subscriptionId;
Add AKS resources to Azure
Now that we have the basic configuration values that are required for our AKS cluster resources, we can start to add them into our Pulumi application.
After each section, you can pulumi up and see what happens. When you are done that increment, you can pulumi destroy to clean up the resources.
A Pre-Defined ResourceGroup
While Pulumi is quite capable of building a ResourceGroup from scratch, you may want to use one that already exists in your Azure subscription. Financial reporting, permissions, operational activities, etc may be leveraging ResourceGroups in this way. For this example, we are going to use a pre-existing ResourceGroup. This code is also the reason that we acquired the subscriptionId and set the resourceGroupName in our configuration section.
You will need to create this ResourceGroup in Azure via the azure-cli or in the Azure Portal. The `azure-cli command is
1 2
# this resourceGroupName matches our const value in the config section az group create --location WestUs --name rg_identity_dev_zwus_aks
Here is the code to get the resourceGroup object for using in the application code.
1 2 3
// get the Azure Resource Group var resouceGroupId = pulumi.interpolate `/subscriptions/${subscriptionId}/resourceGroups/${resourceGroupName}`; const resourceGroup = azure.core.ResourceGroup.get(resourceGroupName, resouceGroupId);
TypeScript string interpolation doesn't work very good with Pulumi Output objects. You need to use the pulumi.interpolate syntax to create strings from Output
Creating an Azure Service Principal
Your new AKS service instance is going to need to be able to create a lot of Azure resources. It will do all of this for you, but in order to create these resources, it will need to log in as a Service Principal that you've created in your subscription. The first thing we'll do is get our application to create that Service Principal.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
// Original example: https://github.com/pulumi/examples/blob/master/azure-ts-aks-helm/README.md // Create an Azure AD Application const adApp = new azuread.Application("aksSSO"); exportconst adAppId = adApp.applicationId;
// Create an Azure Service Principal for that application const adSp = new azuread.ServicePrincipal("aksSSOSp", { applicationId: adApp.applicationId }); exportconst adSpId = adSp.id;
// Assign the password from our configuration values to the Service Principal const adSpPassword:any = new azuread.ServicePrincipalPassword("aksSpPassword", { servicePrincipalId: adSpId, value: password, endDate: "2099-01-01T00:00:00Z" });
We are not exporting any of these values. We won't need to see them in the Pulumi web portal or use them in any other project or stack. You can see this application and Service Principal in the AAD that your subscription is connected to.
Creating an AAD Service Principal sometimes takes a bit of time. Operations that depend on the SP being created (the AKS Service creation code) may fail until the SP is finished being created. If this happens, simply pulumi up again.
Storage Account for Database backups
Our business problem requires a database and a good thing to do once in a while is backup that database and put those backups somewhere. For this activity, we are creating an Azure Storage Account, in our AKS specific resource group, that we will use as a volume in the pgAdmin4 pod.
You'll notice that during the creation of the storage account, we get back the connection strings and keys which we'll need to use later on. We can use the pulumi.secret() method to ensure that these are treated as secrets by the Pulumi cloud infrastructure.
Azure Kubernetes Service
We are finally going to create our Azure Kubernetes Service (AKS) instance! w00 h00!! Or I should say, we're going to code it up in Pulumi and we'll let Pulumi take care of creating it!
// Creates an AKS cluster. const k8sCluster = new azure.containerservice.KubernetesCluster("aksCluster", { resourceGroupName: resourceGroupName, kubernetesVersion: "1.17.3", location: stackLocation, defaultNodePool:{ name: "aksagentpool", nodeCount: nodeCount, enableAutoScaling: false, vmSize: nodeSize }, dnsPrefix: k8sDnsName, linuxProfile: { adminUsername: "aksuser", sshKey: { keyData: sshPublicKey } }, servicePrincipal: { clientId: adAppId, clientSecret: password, }, /* This is commented out because we do not want to do this. Please see my blurb about LogAnalytics at the bottom of this post. addonProfile: { omsAgent: { enabled: true, logAnalyticsWorkspaceId: loganalytics.id, }, } */ });
This is a pretty simple pulumi declaration given everything it took to get here. You'll notice the following parameters are mostly using our configuration. This is important when we add additional stacks (deployment target environments):
resourceGroupName
kubernetesVersion: "1.17.3"
you can only use kubernetes versions supported by Azure. This is the most recent at the time of writing
location
nodeCount
vmSize
dnsPrefix
sshKey
servicePrincpal
generated during creation
One of the things that does happen when Azure creates this AKS instance is that the cluster will use the Service Principal to create all of the resources and that all of the cluster resources will be placed in a in an auto-generated ResourceGroup. I haven't discovered to how to alter this behaviour. The name of the resource group that you create the AKS service in will be a component of this auto-generated ResourceGroup's name.
If you pulumi up after this section be aware that creating a cluster takes time and requires the Service Principal to exist as well. pulumi destroy also takes a few minutes to run when an AKS instance is involved.
Interacting with Kubernetes in our Cluster
Now that we have an k8s cluster running, we need to start interacting with the cluster and not Azure. In order to do that, we need a Pulumi object that is comparable to kubectl. In Pulumi, this is the k8s.Provider object.
1 2 3 4 5 6 7 8 9 10 11 12
// Expose a k8s provider instance using our custom cluster instance. const k8sProvider = new k8s.Provider("aksK8s", { kubeconfig: k8sCluster.kubeConfigRaw, });
// put our new clusterName in Pulumi service exportconst clusterName = k8sCluster.name; // put the az aks get-credentials command in Pulumi service exportconst kubeCtrlCredentialsCommand = pulumi.interpolate `az aks get-credentials --resource-group ${resourceGroupName} --name ${clusterName} --context "MyProject.Identity"`;
// Export the kubeConfig exportconst kubeConfig = pulumi.secret(k8sCluster.kubeConfigRaw);
In this code, you can see that we create a k8s.Provider instance using the kubeConfig that we can get from our AKS cluster instance. We also want to export that kubeConfig so that we can use it in our next Pulumi application that will create all of the k8s resources in the cluster. Remember, the kubeConfig is credentials to get into your cluster, so you should treat it as a very important secret.
I've also exported the new clusterName and a helper output value of the az aks get-credentials command that will help you put your new k8s credentials in your local kubeConfig file.
We will use the k8sProvider object in the remainder of this script to interact with our k8s cluster.
Kubernetes Secrets
The finish our basic AKS deployment, I am going to install a couple secrets that our k8s cluster will need to operate.
For our Azure Container Registry secrets, we need to get the ACR instance, ask it for it's secrets, and put them into k8s. This is the safest way to manage these secrets since we don't want them in our code base.
Please treat these and all other secrets with all due care.
We will also need to create a way for our k8s cluster to connect to the various storage providers that are available to us in Azure. In this case, we want to enable k8s to connect to the file storage we are going to use for our database backups. This uses some of the variables that we captured when creating our Storage Account as well as a helper function.
import * as azure from"@pulumi/azure"; import * as pulumi from"@pulumi/pulumi"; import * as k8s from"@pulumi/kubernetes"; import * as azuread from"@pulumi/azuread";
// Import some stack configuration and export used configuration variables for the AKS stack. const config = new pulumi.Config(); const password = config.requireSecret("password"); const sshPublicKey = config.require("sshPublicKey"); exportconst stackLocation = config.get("stackLocation") || (config.get("azure:location") || "WestUS"); exportconst nodeCount = config.getNumber("nodeCount") || 2; exportconst nodeSize = config.get("nodeSize") || "Standard_B2s"; exportconst storageClassName = "managed-premium"; exportconst resourceGroupName = "rg_identity_dev_zwus_aks"; exportconst publicIpAddressName = "pip_identity_dev_zwus_aks"; exportconst k8sDnsName = "identity-auth-dev"; exportconst acrSecretName = "docker-credentials";
// Get reference to pre-existing Azure ResourceGroup // get the Azure Resource Group var resouceGroupId:pulumi.Output<string> = pulumi.interpolate `/subscriptions/${subscriptionId}/resourceGroups/${resourceGroupName}`; const resourceGroup = azure.core.ResourceGroup.get(resourceGroupName, resouceGroupId);
// Create AAD Application and Service Principal for AKS Cluster to use to create resources in the subscription // https://github.com/pulumi/examples/blob/master/azure-ts-aks-helm/README.md // Create the AD service principal for the k8s cluster. const adApp = new azuread.Application("aksSSO"); exportconst adAppId = adApp.applicationId;
// Expose a k8s provider instance using our custom cluster instance. const k8sProvider = new k8s.Provider("aksK8s", { kubeconfig: k8sCluster.kubeConfigRaw, });
// put our new clusterName in Pulumi service exportconst clusterName = k8sCluster.name; // put the az aks get-credentials command in Pulumi service exportconst kubeCtrlCredentialsCommand = pulumi.interpolate `az aks get-credentials --resource-group ${resourceGroupName} --name ${clusterName} --context "MyProject.Identity"`;
// Export the kubeConfig as a secret exportconst kubeConfig = pulumi.secret(k8sCluster.kubeConfigRaw);
// Create secrets in **k8s** cluster to allow certain operations
A last pulumi up and you should have your AKS cluster completely provisioned in your Azure subscription.
Creating a Production Stack
One of the things about using a Pulumi application with multiple stacks is that each stack holds environment-specific configuration, so we can re-use our application for different environments via stacks. You will probably create your dev and prod stacks, but you could also manage your Disaster Recover(DR) or High-Availability (HA) (different region) as stacks as well.
In this case, we're going to use the Pulumi CLI to create a prod stack for our k8s infrastructure. To create a new stack, the command is:
pulumi stack init prod
We can list all available stacks in a project using:
pulumi stack ls and selecting a different stack is pulumi stack select <stack-name>
Once our production stack is created, we can set all of the pulumi config variables that are required for the stack to operate and voila! We can create a prod deployment of our AKS infrastructure that should look exactly like our dev stack infrastructure.
Summary
This has been a very long post! I hope you've been able to successfully deploy your AKS instance. We will need it for the next article in this series where we put our resources into that k8s cluster!
A Note about Log Analytics
In your research about AKS you will probably come across examples that show attaching Log Analytics instances to your AKS cluster.
I did this and a week or so later, I was looking at costs in my Azure subscription and I saw that our AKS resource group had cost way more than I expected! Digging into the reasons, I found that Log Analytics actually cost more than our AKS VM resources! I immediately turned it off. Log Analytics is too expensive for us at this point in time. Perhaps when you have a large Kubernetes installation it is worth it, but right now, our Log Analytics bill couldn't be justified!
When I was turning it off, I wanted to make sure that we removed all traces of it from our subscription and the AKS cluster. First, I deleted the Log Analytics components in Azure. The cluster still worked! Great! Stop the billing and keep everything working. Then I wanted to clean out all of the omsagents from the cluster, but those pods/deployments/services are impossible to remove from the AKS Cluster. I'm guessing that something on the outside that is managing the cluster is watching them and putting them in there all the time. I had to do something else, which lead me to this document.
For the time being, because I have a lot of internal logging happening in the cluster and I don't want to spend more money on monitoring than the cluster itself, I'll just leave it off and recommend that you start without it.
If you do want Log Analytics in your AKS cluster, you can add this code into your application...
... and un-comment out these JSON parameters in the AKS cluster creation method.
1 2 3 4 5 6 7 8
/* This is commented out because we do not want to do this. Please see my blurb about LogAnalytics at the bottom of this post. addonProfile: { omsAgent: { enabled: true, logAnalyticsWorkspaceId: loganalytics.id, }, } */
]]>
<p><a href="/kubernetes/kubernetes-my-journey">Series Table of Contents</a></p>
<p><strong>Previously:</strong>
<a href="/kubernetes/kuberne
Kubernetes - My Journey - Part 7bhttps://westerndevs.com/kubernetes/kubernetes-my-journey-part-7b/2020-05-22T08:00:00.000Z2026-03-22T17:42:31.816ZDave Whitedmhwhite@gmail.comhttps://westerndevs.comSeries Table of Contents
We're really making some progress! We should have our AKS cluster running now and ready for use to start putting some resources into. If you don't, head on back to the previous article in the series and get your k8s standing up in Azure!
Continuing with Pulumi
In the prevoius article, we used Pulumi exclusively to describe what we wanted in our AKS infrastructure and we had the Pulumi CLI do all the hard work of provisioning our k8s cluster. Now we are going to ask Pulumi to do a little more work and help us get our k8s resources into the cluster.
First, let's create a new Pulumi Project and Stack to hold our resource specific configuration values, application, and history.
Let's create a folder in our infrastructure folder for the k8s deployment stack. Starting in your infra folder, run the command:
mkdir k8s && cd k8s
Now use the Pulumi CLI to build our new project with its initial stack.
pulumi new azure-typescript --secrets-provider=passphrase
This will kick off the workflow to acquire some details before it creates the stack. In my case, I answered the workflow questions with:
project name (k8s) <-- hit enter and accepted default
stack name: (dev) <-- hit enter and accepted default
Enter your passphrase to protect config/secrets: P@ssw0rd!
azure:environment: (public) <-- hit enter and accept default
azure:location: (WestUS) WestUS
This will scaffold our new project and submit the project and stack details to our Pulumi cloud. Let's open VS Code, open the index.ts and delete everything from the file.
We are going to need to add the Pulumi kubernetes SDK module to our project.
npm install @pulumi/kubernetes
Now, at the top of our empty index.ts file, we can add the following imports.
1 2
import * as pulumi from"@pulumi/pulumi"; import * as k8s from"@pulumi/kubernetes";
Getting Configuration Values
In our AKS Pulumi project/stack, we had a number of configuration values that we stored in our Pulumi service. One of those important configuration values was the kubeConfig file that contains the credentials required to connect to our k8s instance. We are now going to use the Pulumi SDK to get that kubeConfig value so that we can use it in this project.
// setup config const env = pulumi.getStack(); // reference to this stack const stackId = `dave/aks/${env}`; const aksStack = new pulumi.StackReference(stackId); const kubeConfig = aksStack.getOutput("kubeConfig"); const k8sProvider = new k8s.Provider("k8s", { kubeconfig: kubeConfig });
// output kubeConfig for debugging purposes let _ = aksStack.getOutput("kubeConfig").apply(unwrapped =>console.log(unwrapped));
If we break down this fragment of Typescript, we see that:
Get a reference to the current stack
Ask Pulumi for an object reference to our AKS stack variables. We want the kubeConfig secret from it.
Create a k8s.Provider using the acquired kubeConfig values
(Option) - Output the kubeConfig to the console for debugging
pulumi up to test your application. It should simply compile, access our aks8 stack, and output the kubeConfig!
Labels
Almost everything in k8s uses labels to perform important actions. For example, Services expose Deployments that match the selector labels. Also, you can use labels to do queries via kubectl or as filters in octant, k9s, or the Kubernetes Web UI. You'll see labels used throughout the manifests and the Pulumi code.
We will define some common label groups that we'll use throughout our application, merging them with service/deployment specific sets of labels as required. You can add to these groups as required for your situation.
Now that we have a k8s.Provider that we can use to send instructions to our AKS cluster, we need to create the Pulumi instructions to start putting resources into our k8s cluster. Starting with postgres, let's take a look at our manifest that we used when putting resources into minikube.
We're going to ignore the first resource in the manifest. Because we are using AKS, we are able to take advantage of the dynamic persistent volume mechanism that is provided. We simply need to create PersistentVolumeClaim with the correct storageClass and Azure/AKS will take care of provisioning an actual persistent volume for us and attaching it to the correct host/node.
The second resource is the PersistentVolumeClaim. The important differnce between the manifest and the Pulumi application is going to be the use of the storageClassName configuration value that is coming from our aksStack configuration. In the AKS stack, this value is set to managed-premium.
For our third resource, the actual Deployment, we mostly want to map the values from our manifest into the TypeScript/JSON notation.
Last but not least, we map the Service manifest settings that will give the postgres-dep resource some network (internal to cluster) configuration into our Pulumi application.
pulumi up to compile our application and deploy postgres into the k8s cluster!
Moving pgAdmin4 from Manifest to Pulumi
Our next step is to migrate the pgAdmin4 manifest settings into Pulumi. This is going to be mostly the same as the postgres migration. I'll point out a few differences below.
For brevity, I've already removed the PersistentVolume manifest declaration.
There are a few items that are different as we move to Pulumi because we are using Pulumi for the Azure production (eventually) environment and the operationalization of our stack. We will be using pgAdmin4 (the container, if not the application) to do database backups. The pgAdmin4 container has all of the tooling and settings required to do backups. What we need though is somewhere to put the backups. In this case, we will leverage another feature of AKS called azureFile storage provider for k8s. This bit of configuration instructs k8s, via Azure and AKS, to use a storage account file share as a volume in our pod.
1 2 3 4 5 6
name: pgAdminAzureVolumeName, // <-- This is "azure" azureFile: { secretName: azureStorageSecretName, shareName: azureFileShareName, readOnly: false }
Recall that these resources were created in the AKS project so we need these values from our other stack configuration.
Eventually, I expect we will move to a managed Azure Database for Postgres SaaS offering, so all of this may eventually disappear. For now, we'll manage it all ourselves.
pulumi up will put the pgAdmin4 application/images into our k8s cluster. With the given configuration, it will be able to connect to the postgres database.
Moving Seq from Manifest to Pulumi
The final step (for now) of moving all of our infrastructure/backend components into pulumi is the Seq instance. This will be similar to the postgres instance as it also uses a PersistentVolumeClaim to get an azureDisk attached to the VM for saving our log data.
There are two notable differences in Pulumi Application code that were not in the manifests.
First of all, we are adding a side-car container to this pod now that we are moving to Azure. This means that there are two containers running in this Pod. They are separate images (applications) but they will share the same network space and be able to access each other at the DNS localhost with the appropriate port. The side-car container we are adding is a container image called sqelf which is a product produced by datalust.co that allows use to ingest log events in the graylog message format and send them directly into Seq.
The second change is in the Service description. We need to expose the sqelf service on a UDP port so that eventually, fluentd will be able to send log event messages, in the graylog format, to the sqelf container. The squelf container then just sends it on to Seq. We'll discuss fluentd in another article.
pulumi up will get the Seq pod up and running, with 2 containers, in our k8s infrastructure.
Moving IdentityServer4 from Manifest to Pulumi
The final bit of work to get our platform moved from minikube to AKS is to move our applications. There is nothing terribly special or noteworthy from a container perspective in this mapping. None of these pods need durable storage. The only difference with these pods is that they indicate that they want to use docker-credentials secret to access the private ACR.
There is a particularly important difference for our application when it comes to networking and accessing our applications. Our k8s has a public IP address and all of our applications will eventually be accessed via a unique DNS entry, not a shared DNS entry with different ports. I imagine you could use the shared DNS/multiple ports approach, but I did not. I don't think it helps human beings understand what they are using or working on to hide the intention behind a port abstraction. So, we will give everything its own URL.
This has consequences on our initial database seed data. Once this is all deployed, we will have to go into pgAdmin4 and run a script to update our configuration. Otherwise, the authentication system won't work. The Admin needs to be able and allowed to access the STS from its hostname location so we'll need to change the STS seed data. We're also going to change the configuration that is stored in the environmental variables which are appsettings.json overrides.
I'm so glad that Pulumi is a programatic IaC model. One thing I can do here before we get to far along is move my DB connection strings (and the list) into variables and then use them where needed.
pulumi up will push all of your applications up into AKS.
Verify all the Pods are Up and Running
With our last pulumi up we should have all of our AKS infrastructure up and hosting our k8s cluster, and we should have all of our applications/services/resources from our second pulumi stack in the k8s cluster. We should now be able to go into a one of our tools and verify that the apps are running.
If you used the pulumi application in our previous post, you should have a az aks get-credentials ... in your pulumi output for that stack. It should look something like this:
1 2
az aks get-credentials --resource-group rg_identity_dev_zwus_aks ` --name aksclusterfbfa950e --context"MyProject.Identity"
You can run that command, with your specific values, and have the azure-cli append this k8s context details into your kubeConfig file. Once that is done, we can type octant on the command line and look at our pods.
Using octant (v0.12.1), we can see that all of our pods are present in the cluster.
We will click into the pgAdmin4 pod as an example in the article, but you should eventually click into all of the pods to ensure they are functioning.
Looking at the pgAdmin4 pod, we can see that it is initialized and ready! If we go down a bit further, we'll see the port forward functionality of octant waiting for us to press the button.
Once we press the button, we'll see that we now have an option to navigate to the port-forward URL.
When we click on that link, you'll see the pgAdmin4 log in screen and once you log in, you should be able to create a server entry in our list to our postgres pod. The k8s network DNS name for our postgres pod should be postgres-svc from our Service resource. Once the entry is connected, we should be able to see our postgres database!
You should work your way through all of the pods. They should all be up and running. The whole authentication/authorization system won't be working yet. We'll wait until the next article to fix that up and test it out.
Problems
When you have problems in k8s, you have to start looking in two places. First, you have to look in the logs. octant has a nice screen for looking at the log files directly on a pod. Remember, we don't have log ingestion and tooling setup for the k8s cluster yet, so we have to go look in the pods themselves. Here you can see pgAdmin4 running just fine, but if it wasn't working, you'll find clues as to why here.
Once we have all of our log ingestion infrastructure in place, we will be able to go to Seq to look log entries across the cluster, but you should always be ready to go look directly in the pods for the log entries.
And the other place you will probably want to inspect is the running pod itself. You can use the terminal tab in octant to look at various settings in your pod.
Not Quite Done Yet
This article is going to end in a bit of a "not quite working as I'd like" state. All of the pods are up and running, but our IdentityServer4 needs some configuration changes in order to work. And in order to do that, we need to be able to access our k8s publicly, give it a DNS entry (hostname), and then configure our IdentityServer4 system to allow those hostnames to interact with the STS.
Our next stop will be adding an Ingress Controller to our k8s cluster and getting all of these services publicly available.
]]>
<p><a href="/kubernetes/kubernetes-my-journey">Series Table of Contents</a></p>
<p><strong>Previously:</strong>
<a href="/kubernetes/kuberne
Kubernetes - My Journey - Part 8https://westerndevs.com/kubernetes/kubernetes-my-journey-part-8/2020-05-22T07:00:00.000Z2026-03-22T17:42:31.816ZDave Whitedmhwhite@gmail.comhttps://westerndevs.comSeries Table of Contents
Making Your Kubernetes Cluster Publicly Accessible
Hopefully you've arrived at this article with two Pulumi applications that you can use to create an Azure Kubernetes Service-based Kubernetes (k8s) cluster with a collection of k8s resources (container images) inside of it that all function together to provide a IdentityServer4 based authentication system. If not, you should probably go back and re-read those articles since we're going to build off of that effort in this article.
In this article, we're going to go through the process of making our k8s cluster publicly accessible with proper DNS entries (hostname) so that the authentication system can be configured and works properly.
Pre-requisites
Up until now, I've done my best to ensure you can do as much as possible on your developer machine with minimal financial requirements. From this point forward, I will be assuming that you have a custom domain that you can use for your configuration. On my part, I will be using the codingwithdave.xyz domain for the remainder of the articles.
Daily Ritual
I want to share a side-note about one of my processes.
One thing I really appreciate about my infrastructure automation while I'm doing all of this development and writing is the ability to stand up and tear down the k8s cluster every day. I start my day by doing a pulumi up command and it stands up all the cluster. I do another pulumi up and it puts all of the applications in the cluster. And at the end of the day, I reverse my start of day activities by doing a pulumi destroy on the resources and then a pulumi destroy on the cluster itself. I do this for two reasons. First, it saves money. This cluster only runs when I'm working on this article or doing some k8s research and then it goes away. This is a great benefit for a development process. Second, it forces me to make sure that my automation is working at the beginning and end of each day.
Standing up the k8s cluster daily makes this get-credentials command a nice output that we capture in Pulumi. This is generated in the Pulumi application that stands up the aks services. All of my k8s development tooling uses this set of credentials.
1
az aks get-credentials --resource-group rg_identity_dev_zwus_aks --name akscluster5b1237c2 --context"MyProject.Identity"
Consider rate limited activities like Let's Encrypt when standing-up and tearing down resources.
Ingress and Ingress Controllers
A k8s cluster, kind of by default, is a closed system. You can access it administratively which is certainly dangerous, but unless you make conscious decisions about how and when to expose your services, only the cluster services themselves are exposed so that tools like kubectl can work. There are a number of mechanisms for exposing your services but in this article, we are going to discuss the Ingress resource and the IngressController resource as the means by which we expose services in our cluster to the public.
Ingress Controllers
In order to expose the IdentityServer4 services, my first step was to create an IngressController resource. An IngressController is something that you put into your k8s cluster that will watch for Ingress resources, interpret them, create the appropriate external resources for your cluster to interact with the outside, and then route all traffic that comes in through your ingress point to the appropriate services inside of your cluster.
There are many IngressController implementations that you can use, and if you find that you don't like one after a bit of use, it isn't terribly hard to change to another one. There are certainly considerations to make when picking on, but for me, honestly, it was originally ease of getting it working, so I choose the nginx IngressController. There are many examples of how to put this controller into your k8s cluster and how to create the Ingress rules that nginx will follow.
For the IngressController, there is no manifest. I didn't put one into the minikube instance. So we'll only have Pulumi code for this part of the journey.
Deploying nginx Ingress Controller
Up until now, we've mostly been dealing with single-container resources. A self-contained application that for the most part can provide it's own bit of functionality. Arguably, the IdentityServer4 group of containers should always be deployed together, but I haven't set that up yet. The way that you do that in k8s is by using Helm, basically a package manager for your k8s resources. Eventually, I will figure out how to author a Helm package, but for the time being, I'm just going to use them.
Installing Helm is very easy. In our case, on Windows, we can use chocolatey to install it.
Once you have Helm installed, Pulumi is capable of using it to push Helm charts into your k8s cluster.
To give you a sense of what a Helm chart will do to your cluster, you can see that when we ask Pulumi to put a Helm chart into the cluster, a lot of things actually happen.
Let's take a look at the pulumi typescript code required to install this Helm chart.
Most of the parameters in the ChartOpts parameter of the object we created are easy to understand.
chart - The chart we want to install
namespace - The namespace that we are going to put this chart into
repo - The Helm repository to get the chart from
After that, we get into some options parameters that are a bit harder to deduce and I had to dig a bit into how Helm works to understand them and what Pulumi needed in order to make this work.
In our options we have created a values object that has additional properties. The values object is how we pass configurable values into Helm. This is comparable to the values.yaml in the chart definition. There are a number of different ways to pass in these values when using Helm charts directly, but this is how Pulumi provides these values to Helm.
This are parameters that are for the kubernetes resource for what will eventually be provisioned in k8s. They are resource requests for the Pod template in the Deployment, the service type for the nginx Service resource, and a nodeCount (replicas) for the Deployment resource.
The next part of these values is where we encounter some of the complicated aspects of IngressControllers. They are a resource in your k8s cluster that needs to work with things outside of the cluster. In this case, the nginx IngressController needs to be able to talk to Azure and create a LoadBalancer and PublicIP outside of the cluster. The same nginx IngressController would need to talk to AWS if this was deployed there. We can give these IngressControllers some information that helps them understand which external provider to work with and what that provider needs. We can add provider-specific values via annotations which could be provided in the values.yaml file but in our case, we will provide them via the values: object in the Pulumi ChartOpts class.
In this case, we are telling the IngressController to tell Azure that we want to use k8sDnsName as the DNS name label on the PublicIP that is created for our load balancer.
NOTEAt this time, this annotation is not working. I'll update as soon as I figure out what is going on. I've updated the code snippet as I've figured out how this works now. Another blog post (short) will be written up.
Now that the Pulumi script is working, we don't need to use this PowerShell but I will leave it here as an example of using the azure-cli with some PowerShell. After our IngressController has been provisioned, we can run this PowerShell script against the azure-cli command to do this for us.
1 2 3 4 5 6 7 8
# get the PublicIP object for our load balancer $pip = az network public-ip list --query"[?tags.service=='kube-system/nginx-nginx-ingress-controller']" | ConvertFrom-Json # update the --dns-name and refresh our object in PowerShell $pip = az network public-ip update -n$pip.name -g$pip.resourceGroup --dns-name"identity-auth-dev" | ConvertFrom-Json # set the clusterFQDN in Pulumi pulumi config set clusterFQDN $pip.dnsSettings.fqdn # verify that we can resolve our DNS entry nslookup $pip.dnsSettings.fqdn
The important thing about this activity in regard to progressing toward a working IdentityServer4 implementation is that we now have a single public IP address that we can create DNS entries for. We also have a single DNS entry provided to us by Azure that we can use as a CNAME entry, but we still need individual DNS entries for each service that we are going to expose.
We aren't quite done yet though. We have 3-5 apps (depending on how you feel) that we need to expose as separate applications from our cluster. In order to do that, we need to a couple more things.
For the next steps, let's assume that:
our the FQDN is identity-auth-dev.westus.cloudapp.azure.com
our public IPv4 is 137.135.18.68
I abandon IP address all the time. Please don't expect this one to work. After this effort, I wouldn't expect the FQDN to be around either. It might be, but don't count on it.
Configuring Public DNS Records
In order to make this authentication system work on your custom domain, you can simply take the following sub-domains and make a CNAME entry in your DNS provider for each that points at our Azure-provided DNS entry.
Record Type
Name
Value
TTL
CNAME
auth
identity-auth-dev.westus.cloudapp.azure.com
1hr
CNAME
auth-admin
identity-auth-dev.westus.cloudapp.azure.com
1hr
CNAME
auth-admin-api
identity-auth-dev.westus.cloudapp.azure.com
1hr
I'm no longer trying to keep this all on my local machine. There are no hosts file instructions going forward.
Give it a try
After a quick pulumi up with the IngressController code added to our application, we should have a couple new Azure resources and a bunch of new k8s resources.
In Azure, you should find:
A load balanceraz network lb list
A public IPaz network public-ip list
In k8s you should find a bunch of nginx-based resources in the kube-system namespace. This should show you some, but not all, of these resources.
1 2 3
kubectl get deployments --namespace kube-system-l app=nginx-ingress-controller kubectl get pods --namespace kube-system-l app=nginx-ingress-controller kubectl get services --namespace kube-system-l app=nginx-ingress-controller
The great thing about the nginx IngressController Helm chart is that it installs a default backend for all un-managed routes. We will add rules for managing routes in the Ingress resource next, but until then, if you go to any of the URLs we setup, they should all work, with all of the traffic getting routed to the nginx backend web server!
Now, lets add certificates!
Certificates
Big Caveat Here
If you are still trying to use the host-file approach to access your applications, you won't be able to follow all of my steps for adding certificates management or HTTPs to your cluster. You will need to step outside of these articles to figure out how to provide a certificate to cert-manager that you can use. My guidance uses lets-encrypt and lets-encrypt needs to be able to access your public DNS entries to ensure that you are who you say you are. At this point, you should probably start thinking about getting a custom domain to make all of this a bit easier.
Adding cert-manager
One of the goals of the project was to ensure that everything has certificates, is using HTTPs, and it is easy to manage. With k8s that is very easy with cert-manager. In this case, we simply need to install cert-manager into our cluster with some pulumi code.
This file, which you can look at on github, will install a lot of resources into your k8s cluster. You don't need to know a lot about them to use the certificate acquisition properties. I'm using lets-encrypt so I need to understand any limitations or restrictions imposed by them which in this case means the rate limits for acquiring certificates. These are important to understand so please read up and manage your certificate usage appropriately.
Adding a ClusterIssuer
Once cert-manager is installed into your cluster, it will be able to acquire/issue local cluster self-signed certificates. If you'd like to acquire certificates from Let's Encrypt or another supported issuer, you need to add an Issuer or a ClusterIssuer resource so that cert-manager can get certs. In our case, we are going to add two ClusterIssuers so that we can get staging certificates from Let's Encrypt and we can get production certificates from Let's Encrypt as well.
You should also take into consideration that we are using nginx as our IngressController. Each IngressController will have different configuration and classes that you need to setup and use.
Currently, Pulumi doesn't have a API/SDK module for cert-manager so we need to create a .yaml file and then use Pulumi to read it and bring the resources into the cluster.
// create certificate issuers for lets-encrypt const caClusterIssuer = new k8s.yaml.ConfigFile("ca-cluster-issuer", { file: "ca-cluster-issuer.yaml", }, {provider: k8sProvider});
Once you've created this .yaml file and TypeScript fragment, you can pulumi up to get these resources into your cluster.
Ingress Resource
Now that we have cert-manager installed and issuers configured, we can add our Ingress Resource.
An Ingress resource tells an IngressController what rules to setup for accessing services in the cluster. You can switch IngressControllers if you need to and the Ingress resource may not have to change. The rules can stay the same as long as the controller supports all of the rules laid out in the Ingress resource.
const ingressName = "identity-ingress"; const ingressFrontEnd = new k8s.networking.v1beta1.Ingress(ingressName,{ metadata:{ name: ingressName, annotations: { "kubernetes.io/ingress.class": "nginx", // <-- we are using an nginx ingress controller "cert-manager.io/cluster-issuer": "letsencrypt-staging"// <-- we are using test certificates } }, spec: { tls:[{ // <-- we want certificates for all of these domains hosts:[ "auth.codingwithdave.xyz", "auth-admin.codingwithdave.xyz", "auth-admin-api.codingwithdave.xyz" ], secretName: "tls-secret-certificate"// <-- store the cert in this secret }], rules: [ { host: "auth.codingwithdave.xyz", http:{ paths: [{ path: "/", backend: { serviceName: "identity-sts-svc", servicePort: 80 } }] } }, { host: "auth-admin.codingwithdave.xyz", http:{ paths: [{ path: "/", backend: { serviceName: "identity-admin-svc", servicePort: 80 } }] } }, { host: "auth-admin-api.codingwithdave.xyz", http:{ paths: [{ path: "/", backend: { serviceName: "identity-admin-api-svc", servicePort: 80 } }] } } ] } },{provider: k8sProvider});
The rules in this particular Ingress definition are all using host-based rules. When someone visits our IdentityServer4 sites, the host-name that they used to get there will be pulled out of the request, and the nginx IngressController will look for that host in the rules, and if it finds it, send the request to the appropriate service. If it doesn't find it, it goes to the default backend controller.
Internally, the k8s cluster only uses http. I'm sure there is a security reason to have HTTPs everywhere internally in the cluster, but I don't understand why, so I haven't implemented any of that.
In these rules, we can see we need to declare a host and the path. Once that is in place, we simply describe what service to go to, using the internal k8s DNS entry and the port.
If you are using cert-manager, you can see that there are some instructions in the ingress for cert-manager.
"cert-manager.io/cluster-issuer": "letsencrypt-staging" - this tells cert-manager to use letsencrypt-prod generates production certificates but also has important rate limits
tls:[{ ... }] - this parameter will be used by cert-manager to determine what domains to generate certificates for.
At this point, you should now be able to pulumi up and add cert-manager and the Ingress resource to your cluster. This will do a lot of things for you. If you are not generating production certificates, you should use the "cert-manager.io/cluster-issuer": "letsencrypt-staging" issuer in cert-manager. There are no rate limits on generating staging certificates. If you are generating production certificates, you'll need to switch to the letsencrypt-prod issuer and understand the rate limits.
Once that is done, you can start visiting your sites and you should hit something other than the default nginx backend.
If you used the letsencrypt-staging ClusterIssuer then you are going to get certificate error, but you can inspect the certificate before you acknowledge and continue. The certificates and certificate path should look like the following:
In the case of the STS, you should land on a functioning page. You should be able to login with admin/P@ssw0rd!
For the Admin site, you should not land on the default backend, but you will probably land on a developer exception page because the admin site configuration in the IdentityServer4 database does not have the correct URLs anymore. We'll fix that in a moment.
For the AdminApi Swagger page, you should see the Swashbuckle Api Explorer frame, but the app will complain that it has a CORS issue. This will also be fixed by configuration now that we know our host names.
But this is progress! We are now able to access our services in the cluster!
Updating our Client Configuration
In order to fix all of our sites and get all of this working, we need to make some configuration changes in the IdentityServer4 database and in the Environmental Variables for our ASP.NET Core sites. Let's do that quickly.
For now, we have not exposed pgAdmin4 via the Ingress rules so we are going to need to connect to our cluster, create a port-forward to our local machines, and then browse to the pgAdmin4 app to do our data configuration changes via sql. I'm going to do this via octant again. We did exactly this activity back in this article.
Once you have pgAdmin4 open and connected to our postgres database, we can run the SQL script below in pgAdmin4.
Remember to ensure the custom domain we are using is corrected in the scripts.
We also need to update the configuration for the environmental variables for our IdentityServer4 applications in our pulumi script. You will find these lines (approximately) in 3 Deployment resources in our scripts. You need to update them all.
1 2 3 4
// find these lines in deployment env: [{ }] blocks and make the appropriate custom domain name changes {name: "AdminApiConfiguration__IdentityServerBaseUrl", value: "https://auth.codingwithdave.xyz"}, {name: "AdminApiConfiguration__ApiBaseUrl", value: "https://auth-admin-api.codingwithdave.xyz"}, {name: "AdminConfiguration__IdentityAdminRedirectUri", value: "https://auth-admin.codingwithdave.xyz/signin-oidc"},
Once you've changed your pulumi application, a simple pulumi up will get everything setup for you.
We should now have functional (or mostly functional) set of applications! If you used the letsencrypt-staging certificates, the Admin site will generate SSL errors since it can't create a valid TLS connection yet.
nginx, IdentityServer4 and Aggravation
When this cluster and Pulumi application were originally written, I had this problem. When I started writing these articles and building the assets, it went away. I'm guessing that a default in nginx changed in one of the containers, but I'm not certain. I'm going to leave this here as a precaution.
So, configuration is changed, services are running, everything is accessible, and you log into the STS. This works! Check the Admin Api Swashbuckle API Explorer and our page loads! But you can't log into the Admin application! What is going on!?!?
This particular problem vexed me for several days. I had gotten to this point pretty early in my journey, and I've done some (not all) things in these articles so far to help you have a chance to not spend several days on this problem or a problem like this one.
One thing I've done is the Seq log ingestion. You should be able to port-forward to the Seq application and look at the logs for our IdentityServer4 applications. This will allow you to see all of the applications logs in one spot. When I was looking at the Seq logs, I could see that some traffic simply wasn't flowing between the STS and the Admin application when a use performed an action. Technically, when you try to log into the Admin application, you go to the Admin application first, it determines you are not logged in, and then it re-directs you to the STS application to log in. Via Seq, I saw that this was not happening.
But there were things that I couldn't see directly in Seq, which was the motivation for our next chapter, but for now, the way this project is currently configured, you will miss log entries from all of our other applications/resources in k8s like nginx, coredns, and kubernetes itself.
In this case, I went to the nginx log entries and saw some problems that indicated that something was too small to handle the communications with STS.
In the logs, I found this error.
upstream sent too big header while reading response header from upstream
That little error snippet ended up sending me down a path where it took a couple days to refine my google-foo enough to find the solution to this problem. I tried a lot of different tricks during those couple days, but amazingly, I eventually found this exact problem on another blog that I read a lot, but I hadn't read this article! Andrew Lock does a LOT of good writing for the .NET community and he had run into the exact same problem 2 years earlier!
Andrew fully describes the problem in a really good way. I'm not going to repeat it. I had the exact same problem and his solution worked. What I am going to present is the Pulumi application code that creates a ConfigMap that nginx will find to make the adjustments.
Morale of the story - You have to be ready to explore ALL of the logs in your cluster. If you have to do it manually, you should still be prepared to do it.
We have arrived! If everything is going the way I hoped if not necessarily the way I planned, you (and I) should have a functional, basic Azure Kubernetes Service-based k8s cluster running an IdentityServer4 implementation in a completely self-sustained manner. It is publicly accessible, our backend infrastructure is not exposed but is accessible, and you can begin integrating your application into this authentication system.
My hope was that you were going to share my learning journey so that you could have a hands-on platform to continue your learning journey. Mine certainly isn't done. The next step is to show you how I made my logging a lot more comprehensive in a very easy manner!
]]>
<p><a href="/kubernetes/kubernetes-my-journey">Series Table of Contents</a></p>
<p><strong>Previously:</strong>
<a href="/kubernetes/kuberne
Kubernetes - My Journey - Part 9https://westerndevs.com/kubernetes/kubernetes-my-journey-part-9/2020-05-22T06:00:00.000Z2026-03-22T17:42:31.816ZDave Whitedmhwhite@gmail.comhttps://westerndevs.comSeries Table of Contents
In this article, we are going to add some logging infrastructure to our k8s cluster to address the problems I had when an application doesn't log directly to the log ingestion platform I was using. (Seq).
This article is mostly Pulumi application code with a bit of an origin story, but to be honest, I haven't fully refined my understanding of fluentd for the article to be much more. I will add to and refine this article as I refine my fluentd implementation. This article will get your whole-cluster logging working though.
fluentd
As I mentioned before, fluentd is one of several k8s log ingestion solutions that is out there right now. It has a lot of community support, so it was really easy to get started with it.
Service Account and Roles
In order to get fluentd running in the cluster, there are a bunch of resources that need to be in place. Because fluentdneeds access to all of the pods in the cluster to get at their logs, it needs a fairly empowered service account but we also want to make sure that service account only has the minimum amount of permissions as required to do it's job.
We now have a properly configured service account to use with our fluentd pods. Remember, fluentd is just another application running in the cluster performing its duties. And applications run in pods/containers.
In this section, we are going to see code that creates our first DaemonSet set of resources in the cluster. A DaemonSet is similar to a Deployment with the primary difference being that a DaemonSet is used when you want to make sure there is one pod, that is described in the DaemonSet spec, on each node in the cluster. As nodes are added, the DaemonSet will ensure that the pods in its spec are automatically added.
fluentd is an application that is running on the node basically scraping log files. All of the log files are stored in the node file system, so in order to get all of the logs, we have to have a fluentd instance per node. DaemonSets are how we do that in k8s.
There is a bunch of configurations in here that are standard, but there are two things that are unique to this Pulumi application.
The first unique item is the flavour of fluentd that we are using. There are numerous container images that are available from fluentd's repository and I was really fortunate to find the graylog-flavoured image. This image creates containers that natively talk using the graylog logging format.
The second unique item is a derivative of the first. Because we are using graylog, we need to give the fluentd pod some environmental configuration telling it where to send the logs to. In this case, we will be sending them to sqelf which will in turn send them directly into Seq. We can finally see this pair of containers in action in the Seq-dep pod.
You should notice that we've used the FQDN of the seq-svc because the fluentd application is not in the same namespace in the k8s cluster as Seq/sqelf.
Next Steps for fluentd
That is most of what I've done so far with fluentd. I've got it working, and the local Seq instance is ingesting a lot of log entries. This is ok because this is all in the same cluster, so network traffic isn't a concern I am currently worried about. It is something I'm more aware of because the Seq logs are full of log entries and it makes it a bit harder to find what I'm looking for.
fluentd has an approach to describe the pipeline that all log entries flow through. This is the kubernetes.conf file and you can replace the default configuration with one in a ConfigMap. This yaml resource file is an example:
My next learning steps are refining this pipeline so that I can better manage how much data is flowing to sqelf and Seq.
Another thing I need to get a handle on is doing ConfigMap declarations in Pulumi. Currently, a YAML ConfigMap examples is a PITA to convert to a Pulumi declaration. That will be another chapter, eventually, in this series. I've also asked Pulumi to start providing better examples of ConfigMaps in their documentation. A recipe book for many common YAML ConfigMaps would be great.
]]>
<p><a href="/kubernetes/kubernetes-my-journey">Series Table of Contents</a></p>
<p><strong>Previously:</strong>
<a href="/kubernetes/kuberne
Kubernetes - My Journey - Part 10https://westerndevs.com/kubernetes/kubernetes-my-journey-part-10/2020-05-22T05:00:00.000Z2026-03-22T17:42:31.814ZDave Whitedmhwhite@gmail.comhttps://westerndevs.comSeries Table of Contents
We now have a full-functional cluster, producing metrics, logging, running applications, the whole ball of wax! We are now in the place where we can start to tune the performance characteristics of our cluster.
I have just started down this path myself, and as such, I don't have a lot of experience with the current cluster as it is running. It is just being rolled out into production now and so over the next days, weeks, and months, we will be learning how to monitor the performance of the cluster and making adjustments to the CPU and Memory requests that we can define in our pods.
I will be adding to this article as I learn but I also wanted a place to publicly share some links that I find and like.
Basic Resource Requests
Going back one chapter to the fluentd pulumi declarations, we can see that in the DaemonSet resource, we are describing requests and limits for our pod resources.
You can use these requests and limits in any pod spec and you can make adjustments as you learn. Just a reminder, pods are intended to be ephemeral and any changes will cause pods to go be deleted and new replacements are created. You can make changes in your pulumi application, do a quick pulumi up and see the difference in node resource consumption nearly immediately.
Monitoring Resource Usage
It's important to remember that pods use node resources, so if you are going to monitor resources, they would be at the cluster/node level and not any particular application or namespace.
Using Octant, we can navigate to a node to get a sense of how it is doing.
On the same node details page, we can find a section called Conditions where k8s is telling you how it feels about the current resources available vs. allocated. I don't have any ideas or guidance yet on what these ratios should be yet.
I've actually found that I really like the Kubernetes Dashboard WebUI is a great place to also look at resource utilizations and configurations.
Clicking into a single node gives details about Conditions on that node.
Summary
As mentioned, this is certainly a work in progress. As we monitor the cluster and how it behaves, we'll make adjustments. I'm certain we'll also make adjustments as to how we monitor. I expect at least one prometheus article in the near future, so I'll just leave the Next Up link space at the bottom of the article as TBD. :D
]]>
<p><a href="/kubernetes/kubernetes-my-journey">Series Table of Contents</a></p>
<p><strong>Previously:</strong>
<a href="/kubernetes/kuberne
Scrum with Kanban Class of Servicehttps://westerndevs.com/Kanban/Kanban_Helps_Scrum_with_Emergent_Work/2017-07-14T16:00:00.000Z2026-03-22T17:42:31.810ZDave Whitedmhwhite@gmail.comhttps://westerndevs.comInspired by Steve Porter's efforts to bring process practitioners closer together and educate Scrum practitioners, I'm writing a shadow series of posts that will follow the Kanban and Scrum - Stronger Together series and continue my own efforts to clear up misconceptions between practitioners of these methods.
In my last post, I discussed how a Scrum team could add the concepts of WIP limits to their process and derive measurable delivery performance benefits. In this post, I'm hoping to show how we can use Kanban's concept of Class of Service to help Scrum teams deal with emergent work.
Emergent/Unplanned Work
One of the things that is very natural in Kanban but less so in Scrum implementations is the ability to deal with emergent or unplanned work during a Sprint. In this case, I am not talking about the anticipated, natural growth of a User Story or PBI as more information is discovered about it. I am talking about un-anticipated work such as emergency issues, newly discovered high-value opportunities, or newly understood schedule risks.
I want to be clear that Scrum does not mandate that work cannot be introduced into the Sprint. The Scrum Guide allows for a negotiation to occur that would allow work to be introduce into the Sprint if there is capacity available, either by removing an existing PBI or by understanding that there is more room in the sprint than anticipated. In my experience, this does not come naturally to Scrum teams. Years of defending the Sprint backlog make this thinking hard to change.
But emergent and unplanned work are a reality for many knowledge work teams, especially in our DevOps world where increments of work are discovered, triaged, implemented, and deployed daily, if not many times per day. And as we will learn, this work can be easily tracked, analyzed, and we may be able to anticipate it.
A brief Introduction to Class of Service
Before I get too deep, I wanted to present a description of Class of Service.
Description
A Class of Service is simply a policy that a team will explicitly create in order to guide team behaviour in scheduling and delivering an increment of work. They may take the form of rules for prioritization, swarming, or delaying the uptake of work by the team. There are 4 classic policy examples (Standard, Expedite, Due Date, Intangible) but you can create more or less. It is important to remember though that they are simply a policy which can be discussed, altered, or abandoned.
Our First Class of Service
As a Scrum team, it is very easy to add your first class of service policy without any significant change to your Scrum practices. We will focus on a very common class of service policy, the Expedite class of service. This policy indicates that we have discovered work where the risk of delaying it is higher than we are comfortable with and we need to start a negotiation with the Product Owner about altering the Sprint Plan. We may also have to swarm on the work as a team because the impact of delay is severe. Instances of this type of emergent work happen often in DevOps scenarios where the development team is also responsible for problems that occur in the system in production.
Our goal with trying out this minimum viable change to our Scrum process is to make expedite work very visible, make it very explicit, and try to understand how this risk mitigation policy is impacting our Sprints.
Note - By creating an expedite Class of Service policy, we have actually created 2 Class of Service policies. Standard work (everything that is not expedited) and Expedite. Standard work is just normal so we won't really discuss it further.
The Expedite Lane
Keeping in mind our goal with this experiment, the first thing we want to do is simply make the Expedite policy and work visible, and we can easily do this with a simple change to our board. I will continue using our example board from the previous blog post.
There are many ways that we can indicate that a work needs to be expedited. We could annotate a card, change its color, or put it in a special place on our board. To keep this simple and in the spirit of using boards, I'm going to suggest that we create a location on our board to indicate that we have an expedite policy and what work is currently affected by that policy.
What you see in the image is a visualization of our policy that indicates:
we have an explicit Expedite policy
our policy is that we only work on one expedite item at a time
the swimlane has a WIP limit of 1 PBI
What is not clear on my board, but could be made clear with a Definition of Done (DoD) or similar annotations on the board, is
expedited work is top priority
teams may be required to swarm to get that work done, which pauses all normally PBIs
work in the Expedite lane does not obey column WIP limits
We do not need to alter our cards in any way. Their presence in the lane indicates that the policy is being applied.
One additional change I would ask a team to make is that once a card enters the expedite lane and is now managed by the policy, mark the card/PBI with some sort of indicator that it was expedited.
And that is it! We haven't changed how items get into that lane. We will still perform the negotiation with the Product Owner. We probably haven't changed our behaviour around emergent work, but we have made it clear that it is a reality for us and when something is in that lane, we are probably swarming on it if necessary to get it fixed before everything else.
So Why Do this?
I would suggest using this technique to a team as a possible solution to a few problems.
There is not clear or commonly understood policy
There is a problem understanding/communicating when there is emergency work
in the team or external to the team
There is a problem understanding how much emergency work there is
There is a problem understanding how emergency work impacts our Sprint
There is a problem with the team not being designed to handle this kind of work
By understanding the problem that prompted the team to adopt this practice, we will understand if the practice is working and/or adding value and make adjustments as necessary.
Early Benefits
Now that we have an explicit policy and we are tracking our expedited work, we can reflect on that work.
We can look at how that work flows in conjunction with our normal PBIs and try to determine how one affects the other. Emergency work tends to be disruptive: we put down everything else, re-plan, negotiate, etc. All of these things add to the amount of time it takes for a team to deliver.
With that information, we could re-design our work flow to minimize the impact of expedites on the PBIs in the original Sprint Plan. We could have a conversation with a sponsor to offload that type of work onto another team. Many opportunities, to design a system that satisfy all the types of work we need to do, can be explored with the information we know have because we are explicitly tracking emergent work.
And we may discover that while this work is not planned, it can be anticipated. And in anticipating it, we can more effectively deliver all of our work.
What's Next
Those are just some of the opportunities that you have! I'm not suggesting you can't find those opportunities elsewhere, but you shouldn't be afraid to approach kanban! It will happily support the way you want to work today and help you continue your growth into the future!
In our next post, we will discuss how a Scrum team could enhance their understanding of how long it takes them to deliver a PBI by calculating a Lead Time!
]]>
Kanban's concept of Class of Service helps Scrum teams deal with emergent work
A review of Scrum for Kanban Teamshttps://westerndevs.com/Kanban/Scrum_for_Kanban_Teams/2017-07-14T16:00:00.000Z2026-03-22T17:42:31.810ZDave Whitedmhwhite@gmail.comhttps://westerndevs.comInspired by Steve Porter's efforts to bring process practitioners closer together and educate Scrum practitioners, I'm writing a shadow series of posts that will follow the Kanban and Scrum - Stronger Together series and continue my own efforts to clear up misconceptions between practitioners of these methods.
First off, I have to say that I'm not 100% certain how I feel about Yuval's blog post. It feels like a forced comparison of apples and oranges. But in critically reading it, it forces me to think about why I feel that way. And as always, these are all just my opinions. No harm in sharing them, right?
TL;DR
In case you haven't read Yuval's post, basically it presents a map of values and practices in Scrum to Kanban language, and encourages Kanban teams to approach Scrum from a practices point of view. It also encourages everyone to review/adopt the values (in Scrum language) that can help software development teams succeed in building software. You should go read it now. :D
Values
As I wrote in 2013, Scrum and Kanban both share a use of values to encourage users of the methods to behave a certain way. The explicit inclusion of the Scrum Values is a relatively recent (2016 Scrum Guide) addition, but the Agile Manifesto is definitely a value system and Scrum fully supports those values.
The Kanban Method also has principles that have been included since its formation. The presentation of these principles have been refined and one addition was made for clarity. And recently, a significant amount of work has been made to further evolve our understanding of the principles and turn them into a description of more concrete values. Andy Carmchael and David J Anderson have created a freeEssential Kanban Condensed eBook that lays out the value system for the Kanban Method on Page 3, and Mike Burrows has written a fantastic book Kanban from the Inside that discusses the values of Kanban in great detail.
I think it is great that Yuval is including the values mappings in his primer, but I think that some of the mappings he has created reinforce my apples and oranges feelings. He doesn't compare the current state of the art in Kanban values and maps some kanban practices to Scrum values.
I would encourage you to quickly read the values section (3 minutes) of the Essential Kanban Condensed eBook starting on Page 3 and judge for yourself how the values comparison feels to you.
And, as hard as this is to say because I think the values are important, the Scrum guide seems to specify an intent as opposed to a way to think. Values shouldn't be expressed as goals like they are in the Scrum Guide. And maybe that isn't how Scrum is taught. I haven't been to a modern PSM class.
Roles
I'm glad that Yuval presents the Scrum roles. The Kanban Method neither advocates nor condemns any of these roles. It really has no opinion. The Kanban community has discovered that there are specialists who are good at fulfilling useful services when optimizing virtual kanban systems and participating in Kanban implementations. A Service Request Manager is focused on the needs and expectations of the customer. This is comparable to a Product Owner. A Service Delivery Manager is focused on kanban system performance. A Kanban Coach is focused on organizational adoption.
To be clear, the Kanban Method has no opinion about roles. It guides people to respect everything until you've gained the emotional maturity as an organization to change. The Kanban community has discovered, in practice, that there are roles and responsibilities that should be encouraged to appear and supported as organizations progress down the Kanban path.
Events
This is probably the set of things that, regardless of the name, Scrum and Kanban teams will have the most in common. Kanban teams are fully capable of doing everything that Scrum teams do, described as some sort of feedback meetings that happen on a cadence. People on software development teams, regardless of Scrum or Kanban, will goal set, seek feedback, deliver increments of product, and reflect on how they work. If you are a team that is not performing this practices in some form, you should look at either Scrum or Kanban.
One of the things that is spiritually very different about the Scrum events (as described in the Scrum Guide) and the Kanban feedback meetings is usually that the Scrum events are focusing on what people do during the meeting. Kanban feedback guidance focuses on the work that needs to be done.
An example of this is the description of the daily stand-up. In the Scrum guide, this is the following description of the daily scrum:
During the meeting, the Development Team members explain:
What did I do yesterday that helped the Development Team meet the Sprint Goal?
What will I do today to help the Development Team meet the Sprint Goal?
Do I see any impediment that prevents me or the Development Team from meeting the Sprint Goal?
In the Kanban community, we have The Kanban Meeting, a daily 'stand-up' style meeting whose focus is work items. You can find a brief description of this meeting on page 25 of Essential Kanban Condensed. And Yuval also makes this point in his mapping.
Kanban teams typically focus on the flow of work instead of the people doing the work. They work the board right to left focusing on flow problems.
I will state that being prescriptive of what people should do is not necessarily a bad thing. That is one of the things that Kanban has suffered with in that people want prescriptive guidance and in the past, the Kanban community didn't an authoritative source of concrete practices. That has changed dramatically in the last couple years with many initiatives within the Kanban community providing kanban practitioners with examples of concrete practices that could be used prescriptively. Essential Kanban Condensed provides specific examples. Enterprise Services Planning or ESP as it is commonly referred as in the Kanban community, is full of specific activities that large organizations adopting Kanban at scale will benefit from implementing and understanding.
Artifacts
Generally speaking, Yuval hits this point right on the head. Software development teams, striving to be agile, using Scrum or Kanban, will generally need/produce the same things. They need PBIs/User Stories/Work Items to describe demand. They will produce Features/Functions/Components that are cohesive. They will ship increments of software on a cadence or on demand.
Yuval suggested that Kanban teams limit the size of a product backlog, which may be true in some cases, but this guidance is not from The Kanban Method. Now a days, Kanban teams may have an Upstream Kanban System that is full of work items that are being refined, analyzed, discarded, or finally passed on to the development team as a User Story/PBI that needs to be delivered. Smaller teams can do this within their own kanban system.
I think Yuval's options in his conclusion are all viable experiments to try! Kanban teams should never be afraid to take practices from anywhere that they see them. Arguably, kanban actively promotes the constant experimentation of practices to see if they improve the delivery capability of an organization or team.
My Final Thoughts
While I may disagree with some of the details as outlined in this post, I agree with the spirit of what Yuval is suggesting in his article. Kanban teams need to be open minded when looking for practices that may enhance the way that they work. They should not be afraid to look at Scrum as a source of those activities. And I sincerely hope that everyone came away more educated about Scrum AND Kanban having read these articles.
]]>
A review of a Scrum Primer for Kanban teams
Scrum with Kanban WIP Limitshttps://westerndevs.com/Kanban/Scrum_with_WIP_Limits/2017-07-07T00:00:00.000Z2026-03-22T17:42:31.809ZDave Whitedmhwhite@gmail.comhttps://westerndevs.comInspired by Steve Porter's efforts to bring process practitioners closer together and educate Scrum practitioners, I'm writing a shadow series of posts that will follow the Kanban and Scrum - Stronger Together series and continue my own efforts to clear up misconceptions between practitioners of these methods.
In my last post, I discussed how a Scrum team could change nothing about their process and organically start describing how they work in Kanban terms. In this post, I'm hoping to show a minimally viable change to their process that could lead to enhanced team delivery performance.
Scrum's WIP Limit Policy
As we described last post, many Scrum teams limit work in progress (WIP) at the beginning of the Sprint by filling the Sprint Plan with work. The teams are given the ownership of deciding how much work to pull into the sprint. In kanban terms, we would probably call this a CONWIP (CONstant Work In Progress) WIP control policy. We have constant WIP in the sprint, and we don't control WIP at individual stages of the workflow. One thing that Scrum teams will do that doesn't exactly fit with a CONWIP policy is that CONWIP policies normally just counts cards. In Scrum, cards are assigned a relative size value (Story point) that describes the size of the card. So instead of having a CONWIP limit of 5 cards, Scrum teams will a CONWIP policy of 25 story points. That may be 3 cards, it may be 20 cards, depending on the nature of the work.
We're not going to change that at all. Limiting work in any manner is a GREAT start!
What we can do though is introduce count-based WIP limits at stages in the virtual kanban system. And that is it! Remember we are doing a minimum viable change to minimize risk, build experience and comfort, and see if this even works.
Scrum is naturally enhanced by Kanban
Kanban practitioners usually strive to enhance the effect of the WIP limit policies on their system, constantly tuning them to get optimal performance. In order to do this, Kanban tends to promote more fine-grained WIP policies at the workflow stage level. This isn't the only place or way that we can use WIP policies, but it is a really great next step for a Scrum team to take.
So very simply, the next step for Scrum teams to take is to put a WIP limit policy indicator at the top of a their kanban board!
Let's walk thorough an example and see how simple that would be!
Scrum CONWIP policy controlled board
We can see here that we are only controlling WIP for the entire system by limiting how much work can be pulled in per sprint. This is a great start to limiting WIP, but we might be able to improve the overall flow of work within the team's workflow. I have seen Scrum teams that start everything at the beginning of the sprint instead of starting only as much as they can handle and trying to finish that before starting a new story. Starting everything at once isn't good behaviour or encouraged behaviour in a Scrum team, but it happens without any other policies to guide team members to better behaviour.
Scrum Board with Workflow Stage WIP control policies added
We can see here that we have simply added some indicators of the WIP limit policy on the Kanban board. I just put a few sample numbers in place, but it is now clear what the policy is for the team with regard to pulling the work through the sprint and not just pulling work into the sprint.
So what these numbers mean is that we believe that there should only be n # of PBIs in a stage at once. Anything more is going to lead to emotional distress due to overburdening and probably slow delivery due to multi-tasking. Using these policies as an example, we believe we should only have 2 PBIs in analysis at a time and if someone is not busy in Dev and Test, they can help out with work on Analysis of a PBI to help flow work through the system.
It is also very important to understand that in the same way that the sprint capacity is determined during the Sprint Planning meeting and adjusted per sprint, these intra-sprint WIP limit policies should be adjusted when there is new information available about the capabilities of the team.
We also gain and share information about how we believe the team should behave to help deliver PBIs more effectively. We can discuss work and policies instead of discussing people and why they are working a certain way.
And that is it! That is as easy as it is to add the idea of intra-workflow WIP limit policies to a Scrum team's kanban board. We didn't have to change anything about the way that we worked. We just enhanced and communicated our team's understanding of how we want to work.
Did it Work?!?!
Before we call this experiment a success, we need to know, did this even work to improve our delivery capability?
If you're been practicing Scrum for a bit, you will have some historical information and hopefully trend data about your team's ability to deliver Story Points/PBIs to the customer. It is this information that we use in the Sprint Planning meeting to determine what our CONWIP number should be.
After you've implemented your intra-workflow WIP limit policies, doing nothing else, you should be able to detect if these policies helped you, or hindered you by measuring your Story Point/PBI delivery rate per sprint. You may also be able to capture some qualitative information in your Sprint Retrospective about the positive or negative impact of these policies on the team members.
If the experiment produced a measurable improvement in your team's ability to delivery, congratulations!! That is great news and I'd love to hear about it!
If the experiment produced no measurable improvement in your team's delivery rate, congratulations!! You've discovered that it didn't work! And you have more information and I'd love to hear about it! But if we had hoped to improve and discovered we didn't, we have a decision to make. Revert the changes as easily as removing the WIP limits from your board and continue life as it was before, or dig into why the policies didn't have the desired effect. Did you constantly exceed the WIP limits? Did you not measure all work? We know from experience that reducing WIP should improve delivery rates.
But again, if you don't want to figure that out, just remove the WIP limits from your board. Easy!
Is there more
There is more to the Kanban Method and virtual kanban systems, but we were just planning to demonstrate a minimum viable change that gives Scrum teams a chance to try out a little kanban practice. Once we've mastered the understanding of WIP limits and their implementation, we can pick our next technique to start to learn about like demand shaping, kanban system designs that are fit for purpose, capacity allocations, managing emergent work, or any of the other practices that our community uses as we gain experience with Kanban.
What's Next
Those are just some of the opportunities that you have! I'm not suggesting you can't find those opportunities elsewhere, but you shouldn't be afraid to approach kanban! It will happily support the way you want to work today and help you continue your growth into the future!
In our next post, we will discuss how a Scrum team could enhance their practices to handle emergent (or emergency) work!
]]>
A natural, easy first step for enhancing Scrum with a Kanban practice is a WIP limit
Nothing in Kanban Prevents Scrumhttps://westerndevs.com/Kanban/Nothing_in_Kanban_Prevents_Scrum/2017-07-02T00:00:00.000Z2026-03-22T17:42:31.809ZDave Whitedmhwhite@gmail.comhttps://westerndevs.comInspired by Steve Porter's efforts to bring process practitioners closer together and educate Scrum practitioners, I'm writing a shadow series of posts that will follow the Kanban and Scrum - Stronger Together series and continue my own efforts to clear up misconceptions between practitioners of these methods.
Kanban Easily Supports All of Scrum
One of the things that I see very often is a belief that Scrum and Kanban cannot work together and nothing is farther from the true. If we look at one of the core values of The Kanban Method you'll see that the first principle is:
Start with what you do now
This should instantly put many change-fearing professionals at ease with regard to The Kanban Method, if not the practitioner helping you with it. But in this conversation, this should put Scrum team members at ease. There is nothing in the method that will disrespect your current practices or experiences.
Yuval Yeret has done a great job of giving us a Primer to Kanban from Scrum Teams but I thought I'd step back from that without introducing too much Kanban and try to diminish this fear that you can't do both by showing that it can be done easily.
One thing that a Scrum team would naturally want to do is understand the parallels or mappings between the two processes. Familiarity promotes comfort, so let's build a bit of a map for a pure Scrum team to describe their approach in Kanban terms because generally speaking, Scrum teams are already doing kanban.
Sprint/Iteration
One of the core tenants of Scrum is the Sprint. This time box is designed to give teams a few things:
consistent schedule for important, collaborative activities
control over work selection for the time period
meet daily to discuss current state and plan for the day
reduction in changes induced by external parties
an end date that the delivery team can use as a goal for delivery
an end date that a customer can use as an expectation
Scrum achieves these goals by using particular activities around and in the time box. As an example, let us say that a Scrum team has a 2 week Sprint, so at the start of a 2 week period, they replenish their sprint backlog in the Spring Planning meeting. They will select how much work to accept as the goal (Sprint goal/forecast) for the 2 week period. They will not acceptstrongly discourage changes to the contents of the sprint backlog for the 2 week period. They will meet daily to discuss the current state of things and adjust any daily plans as appropriate. They will strive to complete the Sprint goal (all of the forecasted work) by the end of the Sprint, and they will plan to demonstrate their accomplishments to external parties in a Sprint Review. They will also plan reflect on their own activities and try to identify opportunities to improve their own capabilities in a Sprint Retrospective.
So what we've discovered is that:
They have a meeting at the start of the 2 week period to fill the Sprint backlog
the Scrum name: Sprint Planning meeting
The team chooses how much work goes into that backlog
The team will generally be allowed to finish that work before starting new work
They will meet daily to create effective daily plans
the Scrum name: Daily Scrum
They will have a meeting at the end of the 2 week period to review what they have produces
The Scrum name: Sprint Review
They will have a meeting at the end of the 2 week period to review their own process
the Scrum name: Sprint Retrospective
How do we model that in kanban?
Cadences
... are the kanban term used to describe the things that happen on schedule. Kanban easily supports the Sprint Planning activity by creating an analogous cadence for a Replenishment activity, where the team interacts with an upstream partner (read: customer) to determine what to work on until the next time we get to meet with the customer. A Scrum team can easily describe their scheduled meeting as happening on predictable cadences.
Once every two weeks, we will collaborate to fill our backlog
a kanban name: Replenishment meeting
the team understand how much work will occur in 2 weeks
They will meet daily to discuss current state and plan for the day
a kanban name: Kanban meeting
Once every two weeks, we will meet to discuss/demonstrate what we've accomplished
a kanban name: Product demo
Once every two weeks, we will discuss our own processes with an eye on improvement
a kanban name: Service Delivery Review
WIP Limits
... are the kanban equivalent to picking (pulling) the work that we feel we can accomplish and being allowed to focus on finishing that work before starting or being interrupted by new work
A Scrum team picks how much work to pull into the Sprint. The kanban name for this is a WIP limit. A Kanban team can pull 10 PBIs into their process every 2 weeks.
In Kanban, teams are not required to put WIP limits on columns. This is a natural growth path for many teams, but it certainly isn't required. A limit on the # of items accepted into the sprint is an acceptable form of limiting WIP. These limits are guides to optimal workflow behaviour, but they are not laws. Kanban teams, just like Scrum teams, can adapt their plan to accomodate newly discovered information.
Visualize
... is the kanban approach to using visualizations of intangible work (code, features, etc) to help us understand and manager our own process. We typically classify the things as work items but they often have more descriptive names.
Most Scrum teams already use boards and they use PBIs to describe intangible things like software and code.
Is there more
There is more to the Kanban Method, but we were just planning to model what a Scrum team does in kanban terms in a comfort-building exercise. Kanban does not require you to remove estimation (planning poker) as a means of filling your sprint. Kanban does not require you to abandon story points as a means of representing size or effort. You can still use story points as a means of measuring how much you did.
And that's it! Scrum teams visualize work, limit WIP, and have cadences! Any Scrum team can call themselves a Kanban team. They simply need to make the decision.
What's Next
Well, if you are a new to Kanban team, there is lots of opportunity to grow. You have the opportunity to:
refine your understanding of your work
better know who your customers really are
understand what you do and how you do it
how we measure progress
how we maximize flow (team level)
who are your partners in your organization helping you deliver to your customers
how we maximize flow (organization level)
how we scale our approach across the organizations, not just multiple development teams
kanban in the HR dept. Who knew?!?! :D
Those are just some of the opportunities that you have! I'm not suggesting you can't find those opportunities elsewhere, but you shouldn't be afraid to approach kanban! It will happily support the way you want to work today!
]]>
Inspired by a colleague
Kanban and Scrum Together - Not so fasthttps://westerndevs.com/Kanban/Kanban_and_Scrum_Together/2017-06-30T00:00:00.000Z2026-03-22T17:42:31.809ZDave Whitedmhwhite@gmail.comhttps://westerndevs.comA colleague of mine who works at Scrum.org now posted a blog about how Kanban and Scrum are stronger together. Steve Porter had this to say in his blog post...
You might find my first comment there if someone at Scrum.org approves it in the pursuit of open and shared discussions.
Update The comments have finally been approved.
Since it hasn't been approved at the time of me writing this blog post, here it is again...
Hey Steve,
I've been sitting with this tab open for a month, trying to decide what to say. I felt like it was time to close the tab by providing my thoughts. To be clear, I'm speaking about The Kanban Method when I use the word kanban and I believe that is what this article is talking about when it says Kanban and Scrum are stronger together.
Let me start out stating that I believe that teams and organizations need to be better at addressing customer demand. That pressure is what drives organizations and teams to adopt a 'process' that they think will help. We would call those processes Scrum and Kanban and that is probably the first point of failure. It is unfortunate that these processes are seen as incompatible and I applaud your decision to try and change that thinking. It isn't the practices that are incompatible, but the religions that sprout up around the organizations that evangelize the processes.
Part of me is disappointed with the misconceptions of what kanban is and how it can be applied as demonstrated by the comments. Going through some of the the comments, I see...
Hiren Pandya ... the requirements needed to transition to kanban.
Anyone can begin transitioning to kanban at any time because of the lack of prescription of "the one" kanban approach. Kanban has a natural and specific mindset that accommodates the current state and an evolutionary path to maturity, of which we are all at different points in our journey. Honestly, transitioning to kanban is as simple as changing the label we use describe our mindset and values.
Bruno Baketarić Create hybrids: Beware! --and-- along with an absence of time-boxes or any other time-bound constraint (the Kanban cadences are not constraints).
The problem with this statement is that any approach that is open to adding/removing practices as their value to the team changes will create a hybrid solution. Kanban by it's very nature creates hybrid solutions as teams take tactical practices from anywhere they choose to enhance they way they deliver value to their customers. The kanban value system openly embraces the concept of taking practices from anywhere that might improve your team/organizations ability to deliver value to customers. It has to accept all practices with respect.
Regarding cadences not being constraints, I would posit that a Replenishment meeting with a cadence of 2 weeks is exactly the same kind of time-bound constraint as a Sprint Planning meeting that happens every 2 weeks. Practically, they are equivalent constraints.
Mark Chapman I don't quite get what the point is here, they have different uses for different teams.
This seems to be a reinforcement of the myth that Kanban is for Type A teams and Type B teams shouldn't use it. Which is a myth.
Final Thoughts...
After reading your article, and the comments, it makes me wonder why people think that a team couldn't implement a fully "Scrum" set of practices and processes and name it Kanban. It is 100% possible to do that. I don't know that the opposite is true, in that a team would fully implement a kanban system and call it Scrum. Kanban allows for far more variation than the Scrum guide does.
I guess in the long run, we are trying to foster collaboration and enhance the strength of our professions by bringing these two communities together, which I think is very noble and the right thing to do. What I would like to see though is a properly educated discussion about where and how they (Kanban and Scrum) are different (or not) so that people can make decisions from how to describe what they are doing.
Thank you and Dan for stepping forward and taking on this challenge.
(I added some Markdown to simulate the Disqus formatting)
Steve kindly responded (without approving the original comment) with some questions..
if you can truly transition to a Kanban system as easily as you described
and
if you're not limiting WIP, you're not implementing a Kanban system
I responded with this still considered spam and unapproved comment. Update - The comments have finally been approved.
First of all, I spoke of transitioning to The Kanban Method as being very easy. I didn't discuss the implementation of a virtual kanban system as easy, although in truth, most Scrum teams are already using a virtual kanban system.
Dan and I have had great conversations about WIP limits. Last time might have been in Germany over cocktails, but it was a great conversation.
There are many ways to limit WIP. I, and probably Dan too, would actually probably prefer to call it an optimal WIP policy, but if we are speaking only about limiting WIP, there are different kinds of policies along the maturity curve that we can use to limit WIP, all with different pros and cons that are discovered as we go. We choose which of those policies to start with based on organization emotional resistance and education/experience, all the while understanding that we are using this first policy as a starting point and we expect it to change, sometime frequently, as information about team workflow evolves.Some possible policies include...
A Sprint backlog is a WIP limiting policy.
A policy of not starting anything new until your current work is done, is a WIP limit.
Stating everyone can work on 2 things at a time is a WIP limit policy.
A visual token indicating there is capacity to pull is the visualization of a WIP limit policy.
Keeping a flow efficiency number high is a WIP limiting policy.
Canonically, a number at the top of a column on a kanban board is a visualization of an explicit WIP limit policy.
The problem with WIP policies (and this certainly applies to many Scrum teams I've seen) is that there is usually no penalty for breaking the policy. It is an indicator of bad behaviour if the team violates a WIP limit, but it isn't a law and we acknowledge that sometimes we have to violate our WIP limits due to unforeseen events.
So while I speak about limiting WIP, I don't necessarily write a # on the kanban board until the team discovers the problem with the # not being on the board, then we decide what to do about it. If I recall correctly, Dan always puts a # on the board, but makes it high enough that there should be no emotional resistance to it, and then he starts talking about lowering it. I think both approaches have merit.
About 'no WIP limit == no kanban system', generally speaking, I'd state that you have an immature virtual kanban system if you don't have pull-based work scheduling mechanics in play to manage the flow of work. This is subtly different than saying if your not limiting WIP, you're not implementing kanban.
I'm presenting all of this for a couple reasons.
I don't like being censored
It is, imho, really important for the community to get access to all of the information
If someone is going to present two competitive concepts and state that they shouldn't be competitive, that is great. And I've stated that Kanban and Scrum should not be seen as competitive and and incompatible.
But if you are going to explore the merits of each concept and allow for the continued misunderstanding of a either of those concepts in your dialog, you're biased and doing a disservice to the community.
Please check back soon for my exploration of each comparison that arises as we follow Steve's series of posts.
]]>
A colleague of mine who works at Scrum.org now posted a blog about how Kanban and Scrum are stronger together.
Hour of Code Challenge - Completedhttps://westerndevs.com/Community/Hour-of-Code-Challenge-Completed/2016-12-14T00:00:00.000Z2026-03-22T17:42:31.808ZDave Whitedmhwhite@gmail.comhttps://westerndevs.comIn case you missed it, I threw down the gauntlet to my fellow WesternDev members in September, stating that I will donate $100 CAD to Code.org®if any of them are able to participate in Computer Science Education Week.
First, I had to step up and walk the walk, and I succeeded better than I had expected.
2 Days - 4 Classes - 79 Grade 3 Students == Success
This year it was very easy to organize an hour of code session at my youngest son's school. We had tried 2 years ago and the school board was leary so we didn't get a chance to do it.Last year, the school board was aware of Hour of Code and already actively encouraging teachers to try and participate so we did 2 classes last year.
This year we were able to organize 4 classes of Hour Of Code sessions for the all of the Grade 3 kids in the school. I did 2 back-to-back on a Tuesday morning, and another 2 on the Thursday morning.This ended up being a really great schedule and made running the sessions very easy because all of the Grade 3 students are in a school building together and the classrooms are side-by-side.
And now for the proof...
WesternDevs Response
When I issued the challenge to my fellow WesternDev members, I recognized it is actually a very hard task to organize and execute an #HourOfCode event. The technical aspects of #HourOfCode is very easy,but the logistics of coordinating with schools/organizations to get classroom time and computers is very difficult.
That said, one of my fellow WesternDev members, James Chambers was able to get TWO (2) session organized! They will be run during the week of Dec. 19. I know this isn't technically duringComputer Science Education Week but I'm going to let that slide and donate $100 CAD to Code.org® for James Chambers meeting the challenge. James has promised me that a blog post (with PICS!)will be following in the coming weeks! I'll update this post when that happens!
I'm also going to donate $100 CAD to Code.org® for myself as I think that besides my time, this is a very important cause and they need our financial support as well as our support in time and effort.
Thank you all for reading. I hope I've encouraged you all to run an #HourOfCode session in your local community in the near future!!
]]>
79 Grade 3 kids had a blast being introduced to the world of computer science!
Hour of Code Challengehttps://westerndevs.com/Community/Hour-of-Code-Challenge/2016-09-23T23:55:48.000Z2026-03-22T17:42:31.807ZDave Whitedmhwhite@gmail.comhttps://westerndevs.comIn case you haven't heard, there is this little thing called Computer Science Education Week which supports our industrieseffort to get more computer science education happening for kids in the K-12 grade range. Please visit the Computer Science Education Weekfor all of the deals, or take my word that this is an important initiative!
To support this initiative and provide resources on a year-round basis, there is the Code.org organization! To take a snippetfrom their website:
Launched in 2013, Code.org® is a non-profit dedicated to expanding access to computer science, and increasing participationby women and underrepresented students of color.
Ok! This sounds like another good thing! A whole organization trying to expand access to computer science education!
Put the two of these things together and we get The Hour of Code, a movement that provides 1 hour computer programming tutorials for all age groups in 45 different languages.And during Computer Science Education Week, which run from December 5-11, 2016, The Hour of Code movement issues a challenge to reach as many childrenas possible during the week with these 1 hour tutorials!
This is where I'm laying down my challenge to all of my fellow WD members!
For the last 2 years, I've participate in the CSED Week! In year one, I spent 1 hour with 12 kids at the Boys and Girls Club of Calgary!Last year, I was able to get into my sons' school and spent 1 hour with a a Gr. 2 and Gr. 4 class! It was a fantastic experience and I've already started the processof getting organized with the schools again this year!
My Challenge to WesternDevs
I am challenging all of my fellow WesternDevs to arrange 1 Hour of Code event! This can be with their kids' schools, a local kids club, orevent a public event inviting kids to attend!
I'm issuing his challenge because there are logistics and permissions that sometimes need to be arranged and this should give my fellow WDmore than enough time to get these things sorted out!
I'm also willing to put up a bounty! For every WD member who performs 1 or more sessions, I will donate $100 CAD to Code.org® to supportthis organization! In order to claim the bounty, there will need to be:
Blog post talking about the event
Picture with the organizer (permissions allowing)
So there it is! My challenge! I hope this encourages all of the WD (and anyone who follows us) to get involved with this fantastic opportunity to give back to the community and our children.I'll look forward to seeing all of your posts in December!
]]>
I'm throwing down the gauntlet! I'm challenging my fellow WD members to get involved with Hour of Code!
