Blog
Azure Functions: use Blob Trigger with Private Endpoint
·1528 words·8 mins
azure
azure functions
blob trigger
private endpoint
The intent of this post is to help you understand how to connect an Azure Function to a Storage Account privately, so that all traffic flows through a VNet, enhancing the security of your solutions and blobs.
The Case
Suppose you have the following Azure Function written in C# which only copies a blob from one container to another:
Kubernetes NGINX ingress controller with Dapr
·472 words·3 mins
kubernetes
dapr
nginx
ingress controller
In this post I’ll show you how to expose your “Daprized” applications using an NGINX ingress controller.
Prerequisites
A working Kubernetes cluster with Dapr installed. If you need instructions please find them here.
Deploy an application to your Kubernetes cluster
I’ll be using a simple Azure Function I created back in 2017 in the following post: Run a Precompiled .NET Core Azure Function in a Container which exposes a simple validation function.
Reading Kubernetes Secrets with Dapr and .NET Core
·640 words·4 mins
kubernetes
dotnet
dapr
secrets
Dapr is an event-driven, portable runtime for building microservices on cloud and edge.
Dapr supports the fundamental features you’ll need such as: service invocation, state management, publish/subscribe messaging and since version 0.5.0 the ability to read from secret stores!
This post will show you how to read Kubernetes secrets using Dapr and .NET Core:
MongoDB Enterprise Operator: Deploying MongoDB in AKS
·614 words·3 mins
kubernetes
azure
devops
aks
mongodb
A couple of weeks ago I was trying to deploy MongoDB in AKS using the MongoDB Enterprise Operator and had trouble finding a simple tutorial to make the thing work. This post intends to fill that gap with a straight-to-the-point approach.
Prerequisites
Be sure to deploy AKS with a set of nodes with at least 8GB of RAM. I used Standard_D3_v2
Dapr: Debugging .NET Core with Visual Studio Code
·278 words·2 mins
dotnet
azure
dapr
visual studio code
debugging
So you are new to Dapr and you are trying to understand how it works with your .NET Core application. You already tried launching your app with the Dapr CLI and then you find yourself wondering how to debug the mix with Visual Studio Code.
Well, follow these simple steps and you’ll be ready:
Visual Studio Code Remote Containers: Jekyll
·482 words·3 mins
devops
jekyll
visual studio code
For the last 3 years this blog was written using Jekyll which has a series of requirements such as Ruby that I don’t want to keep installing or maintaining on my PC. So I created this Developer Container for those who want to use Jekyll from an isolated container.
Let’s check the container definition:
AKS: Read Azure Key Vault secrets using AAD Pod Identity
·681 words·4 mins
azure
kubernetes
aks
azure key vault
pod identity
secrets
What if I tell you that it’s possible to connect your AKS pods to an Azure Key Vault using identities but without having to use credentials in an explicit way?
Well with AAD Pod Identities you can enable your Kubernetes applications to access Azure cloud resources securely using Azure Active Directory (AAD) including Azure Key Vault.
Kubernetes: Deployment on Azure
·126 words·1 min
azure
kubernetes
aks
During October I was lucky enough to record my first online course about Kubernetes on LinkedIn Learning.
I still have a lot to learn and improve in this format, since while recording courses you don’t get immediate feedback the way you do when you give a talk or a presentation.
GitOps: Deploying apps in Azure Kubernetes Service (AKS) with Flux
·312 words·2 mins
azure
kubernetes
devops
git
gitops
aks
flux
Recently I learned about GitOps which is a way to manage your Kubernetes clusters and the applications you run on top using Git. The idea is that you can declaratively describe the desired state of your systems in Git and roll out changes as soon as merges occur.
You can immediately see the main benefits of such an approach: Your Git repositories become the single source of truth for both your infrastructure and application code, allowing the teams to increase productivity and stability (you get the Git log to audit changes).
Kured: Restart your Azure Kubernetes Service Nodes
·278 words·2 mins
azure
kubernetes
devops
aks
kured
Two weeks ago I got an email message from Microsoft Azure explaining that Azure Kubernetes Services had been patched but that I had to restart my nodes (reboot the clusters) to complete the operation.
The first thing you need to know is that, when things like this happen, the Azure platform creates a file called /var/run/reboot-required in each of the nodes of your cluster.
Visual Studio Code Remote Containers: Azure Blockchain
·390 words·2 mins
azure
devops
blockchain
truffle
ganache
nodejs
ethereum
visual studio code
After collaborating with the Azure Ansible container I decided to also develop a Developer Container for those who want or need to use the Azure Blockchain Development Kit for Ethereum to create smart contracts, taking away the burden of installing Python, Truffle, Ganache and NodeJS on your machine.
Once again I collaborated with Chuck Lantz and the container definition resulted in the following two files:
Visual Studio Code Remote Containers: Azure Ansible
·558 words·3 mins
azure
devops
ansible
visual studio code
Last year I was working on a project for deploying Azure services using Ansible, and let me tell you something: Back then a feature like Visual Studio Remote Containers would have helped us so much!
Why? Because by just installing Visual Studio Code, the Remote Development Extension Pack, and Docker you have a killer combo that makes it possible to create a Development environment in a snap and share it with your source code.
Scale a Kubernetes Deployment with .NET Core
·351 words·2 mins
dotnet
kubernetes
devops
aspnetcore
Let’s start:
Create a folder for your new project
Open a command prompt and run:

    mkdir kuberenetes.scale

Create the project

    cd kuberenetes.scale
    dotnet new webapi

Add the references to KubernetesClient

    dotnet add package KubernetesClient -v 1.5.18
    dotnet restore

Create a PodsController.cs with the following code

    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Threading.Tasks;
    using k8s;
    using k8s.Models;
    using Microsoft.AspNetCore.JsonPatch;
    using Microsoft.AspNetCore.Mvc;
    using Microsoft.Extensions.Configuration;

    namespace kubernetes.scale
    {
        [Route("api/[controller]")]
        [ApiController]
        public class PodsController : ControllerBase
        {
            private KubernetesClientConfiguration k8sConfig = null;

            public PodsController(IConfiguration config)
            {
                // Reading configuration to know if running inside a cluster or in local mode.
                var useKubeConfig = bool.Parse(config["UseKubeConfig"]);
                if (!useKubeConfig)
                {
                    // Running inside a k8s cluster
                    k8sConfig = KubernetesClientConfiguration.InClusterConfig();
                }
                else
                {
                    // Running on dev machine
                    k8sConfig = KubernetesClientConfiguration.BuildConfigFromConfigFile();
                }
            }

            [HttpPatch("scale")]
            public IActionResult Scale([FromBody]ReplicaRequest request)
            {
                // Use the config object to create a client.
                using (var client = new Kubernetes(k8sConfig))
                {
                    // Create a json patch for the replicas
                    var jsonPatch = new JsonPatchDocument<V1Scale>();
                    // Set the new number of replicas
                    jsonPatch.Replace(e => e.Spec.Replicas, request.Replicas);
                    // Create the patch
                    var patch = new V1Patch(jsonPatch);
                    // Patch the scale of the requested Deployment in the requested namespace
                    client.PatchNamespacedDeploymentScale(patch, request.Deployment, request.Namespace);
                    return NoContent();
                }
            }
        }

        public class ReplicaRequest
        {
            public string Deployment { get; set; }
            public string Namespace { get; set; }
            public int Replicas { get; set; }
        }
    }

Replace the contents of the appsettings.Development.json file
Note the UseKubeConfig property is set to true.
ARM: Enable Container Monitoring Solution on an existing Log Analytics Workspace
·99 words·1 min
azure
arm
log analytics
Recently I had to update a bunch of Log Analytics Workspaces resources to enable the Container Monitoring Solution. So I came up with this ARM Template that I want to share with you:
    {
      "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "LogAnalyticsWorkspaceName": {
          "type": "string",
          "metadata": {
            "description": "Log Analytics Workspace name"
          }
        }
      },
      "variables": {
        "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('LogAnalyticsWorkspaceName'))]",
        "containerSolutionName": "[concat(parameters('LogAnalyticsWorkspaceName'), '-containers')]"
      },
      "resources": [
        {
          "type": "Microsoft.OperationsManagement/solutions",
          "apiVersion": "2015-11-01-preview",
          "name": "[variables('containerSolutionName')]",
          "location": "[resourceGroup().location]",
          "plan": {
            "name": "[variables('containerSolutionName')]",
            "product": "[concat('OMSGallery/', 'ContainerInsights')]",
            "promotionCode": "",
            "publisher": "Microsoft"
          },
          "properties": {
            "workspaceResourceId": "[variables('workspaceResourceId')]"
          }
        }
      ],
      "outputs": {}
    }

Hope it helps!
Running the Global Azure Bootcamp Science Lab in Kubernetes
·73 words·1 min
kubernetes
azure
aks
global azure
Next Saturday the Global Azure Bootcamp will be celebrated all over the world and as in previous years there will be a Science Lab where we’ll try to discover a planet!!! Isn’t that cool?
Well to make this fast you can run the Science Lab using Azure Container Instances following the instructions found here or you can use the following gist to run the workload in an existing kubernetes cluster:
AKS & Application Gateway: Expose more than one service in an ingress resource
·155 words·1 min
kubernetes
azure
aks
application gateway
waf
ingress
If you install the Azure Application Gateway Ingress Controller for your AKS clusters you may want to expose more than one service through the same Public IP by just changing the URL path. In order to make this work you must use the backend-path-prefix annotation.
In the following sample I create an ingress with the following behavior:
AKS: Persistent Volume with existing Storage Account
·457 words·3 mins
kubernetes
azure
aks
storage account
persistent volume
persistent volume claim
storage class
In order to deploy a Persistent Volume in your AKS cluster using an existing Storage Account you should take the following steps:
1. Create a Storage Class with a reference to the Storage Account.
2. Create a Secret with the credentials used to access the Storage Account.
3. Create a Persistent Volume with a reference to the Storage Class, the secret and the File Share.
4. Create a Persistent Volume Claim with a reference to the volume by name.
Use the following yaml as a template for the resources described above. Save the contents as aks-existing-storage-account-pv.yaml:
Kubernetes: Mount a file in your Pod using a ConfigMap
·275 words·2 mins
kubernetes
azure
config map
volume
Lately I’ve been learning Go and this week I started a side project named kube-sherlock. The purpose of this small program is to list any pod that does not have the labels that your organization requires.
For kube-sherlock I created a Dockerfile where both the program (kube-sherlock) and the default configuration (config.yaml) are placed in the app folder:
Updated Step by step: Serilog with ASP.NET Core
·276 words·2 mins
dotnet
aspnetcore
serilog
Many of you come to my site to read the post Step by step: Serilog with ASP.NET Core which I wrote in 2016 and is completely out of date, so with this post I will show you how to set up Serilog to work with your ASP.NET Core 2.2 applications.
Create an ASP.NET Core project

    md aspnet.serilog.sample
    cd aspnet.serilog.sample
    dotnet new mvc

Add the following dependencies to your project

    dotnet add package Serilog.AspNetCore
    dotnet add package Serilog.Extensions.Logging
    dotnet add package Serilog.Sinks.ColoredConsole

Change your Program.cs file to look like the following

    using System;
    using System.Collections.Generic;
    using System.IO;
    using System.Linq;
    using System.Threading.Tasks;
    using Microsoft.AspNetCore;
    using Microsoft.AspNetCore.Hosting;
    using Microsoft.Extensions.Configuration;
    using Microsoft.Extensions.Logging;
    using Serilog;
    using Serilog.Core;
    using Serilog.Events;

    namespace aspnet.serilog.sample
    {
        public class Program
        {
            public static void Main(string[] args)
            {
                // Configure the global Serilog logger before the host is built.
                Log.Logger = new LoggerConfiguration()
                    .Enrich.FromLogContext()
                    .MinimumLevel.Debug()
                    .WriteTo.ColoredConsole(
                        LogEventLevel.Verbose,
                        "{NewLine}{Timestamp:HH:mm:ss} [{Level}] ({CorrelationToken}) {Message}{NewLine}{Exception}")
                    .CreateLogger();

                try
                {
                    CreateWebHostBuilder(args).Build().Run();
                }
                finally
                {
                    // Flush any buffered log events before the process exits.
                    Log.CloseAndFlush();
                }
            }

            public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
                WebHost.CreateDefaultBuilder(args)
                    .UseSerilog()
                    .UseStartup<Startup>();
        }
    }

Inject the logger to your services or controllers
Change the home controller and log some actions:
AKS: Configure TLS termination with the http application routing addon
·225 words·2 mins
kubernetes
azure
aks
nginx
ingress controller
When you install an AKS cluster you can configure it to deploy the http application routing addon or you can update an existing cluster to deploy it.
Either way you end up with an NGINX Ingress Controller running, in the kube-system namespace of your cluster, with the following properties:
ingress-class: addon-http-application-routing
annotations-prefix: nginx.ingress.kubernetes.io
Does this mean that you can use this controller for TLS termination? The answer is yes! And you can also use rate limits and whitelisting, as described in my post Secure your Kubernetes services with NGINX ingress controller, tls and more.