This repository demonstrates how to create a Terraform-based Infrastructure as Code (IaC) multi-cluster Arc-enabled Kubernetes environment that serves traffic through Traefik to several sample microservices applications across the clusters. The deployment includes:
- Multiple Kubernetes clusters (AKS, k3d, EKS, and GKE) connected to Azure Arc
- Traefik deployment from Azure Arc Marketplace
- Sample microservices application deployment using FluxCD
- Automated TLS certificate generation and management using Let's Encrypt and Traefik
- Securing API using OAuth2.0 and Microsoft Entra ID
- API Management using Traefik
- Developer Portal using Traefik
The deployment is split into the following components:
- Clusters: AKS, k3d, EKS, and GKE cluster creation and Arc enablement
- Traefik: Deployment of Traefik from Azure Arc Marketplace
- Routing: Sample application deployment with basic HTTP routing
- TLS: Automatic HTTPS with Let's Encrypt certificates
- OAuth2.0: Securing API using OAuth2.0 and Microsoft Entra ID
- API Management: API Management using Traefik
- Developer Portal: Developer Portal using Traefik
- Install or update Azure CLI to version 2.65.0 or later. Use the command below to check the currently installed version:
  az --version
- [Optional] Install k3d
- [Optional] Install and configure awscli if you plan to deploy EKS
- [Optional] Install and configure gcloud if you plan to deploy GKE
- [Optional] Install gke-gcloud-auth-plugin (the kubectl credential plugin shipped with gcloud) if you plan to deploy GKE
- Create an Azure service principal (SP)
  The scenario and its automation require a service principal assigned the "Owner" role on the subscription. To create it, log in to your Azure account and run the commands below (Azure Cloud Shell also works):
  az login
  subscriptionId=$(az account show --query id --output tsv)
  az ad sp create-for-rbac -n "<Unique SP Name>" --role "Owner" --scopes /subscriptions/$subscriptionId
  For example:
  az login
  subscriptionId=$(az account show --query id --output tsv)
  az ad sp create-for-rbac -n "JumpstartArcK8s" --role "Owner" --scopes /subscriptions/$subscriptionId
  Output should look like this:
  {
    "appId": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "displayName": "JumpstartArcK8s",
    "password": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "tenant": "XXXXXXXXXXXXXXXXXXXXXXXXXXXX"
  }
  Note: If you run az ad sp create-for-rbac again for the same service principal (for example to add another role assignment), the client secret (password) is reset each time and earlier copies stop working, so record the password from the most recent run. This credential carries Owner on the whole subscription: keep it out of source control, shell history and CI logs, and delete the service principal when you tear the scenario down.
- Register the subscription with the resource providers for Azure Arc-enabled Kubernetes (Microsoft.Kubernetes and Microsoft.KubernetesConfiguration), plus Microsoft.ExtendedLocation (custom locations) and Microsoft.ContainerService (AKS). Registration is an asynchronous process and may take approximately 10 minutes.
  az provider register --namespace Microsoft.Kubernetes
  az provider register --namespace Microsoft.KubernetesConfiguration
  az provider register --namespace Microsoft.ExtendedLocation
  az provider register --namespace Microsoft.ContainerService
  You can monitor the registration process with the following commands (wait until RegistrationState shows Registered for all four before continuing):
  az provider show -n Microsoft.Kubernetes -o table
  az provider show -n Microsoft.KubernetesConfiguration -o table
  az provider show -n Microsoft.ExtendedLocation -o table
  az provider show -n Microsoft.ContainerService -o table
- Install the Azure Arc for Kubernetes CLI extensions connectedk8s and k8s-configuration:
  az extension add --name connectedk8s
  az extension add --name k8s-configuration
  Note: If you have used this guide before or already have the extensions installed, update them instead:
  az extension update --name connectedk8s
  az extension update --name k8s-configuration
- Accept the Azure Marketplace terms for Traefik for Azure Arc. Either run the command below or accept the terms on the Traefik listing in the Azure Arc Marketplace:
  az term accept --publisher containous --product traefik-on-arc --plan traefik-byol
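The prerequisite steps above are easy to get half-right (an Azure CLI one minor version too old, a resource provider still in the Registering state when Terraform runs). As an added example that is not part of this repository or the Jumpstart project, the script below turns them into a repeatable check: it compares the installed azure-cli version against 2.65.0, registers the four resource providers and polls each until it reports Registered (failing after a 10-minute budget instead of hanging), installs or updates the two CLI extensions, and accepts the Traefik terms. It assumes the Azure CLI is on PATH and `az login` has already been run. Service principal creation is deliberately left out so the client secret never lands in a script log; the file name `prereqs.sh`, the function names and the timeout value are my choices.

```shell
#!/bin/sh
# Added example, not part of the repository: a repeatable prerequisite check for
# the steps above. Assumes the Azure CLI (az) is on PATH and `az login` has been
# run. Service principal creation is intentionally left out so the client secret
# never lands in a script log. Run with:  sh prereqs.sh check
set -eu

MIN_AZ_VERSION="2.65.0"
PROVIDERS="Microsoft.Kubernetes Microsoft.KubernetesConfiguration Microsoft.ExtendedLocation Microsoft.ContainerService"
EXTENSIONS="connectedk8s k8s-configuration"
PROVIDER_TIMEOUT_SECS=600   # registration is asynchronous; the guide says about 10 minutes

# version_ge A B: succeeds when dotted version A is >= B, comparing
# major.minor.patch numerically (missing components count as 0).
version_ge() {
  _v1="$1.0.0"
  _v2="$2.0.0"
  _i=1
  while [ "$_i" -le 3 ]; do
    _x=$(printf '%s' "$_v1" | cut -d. -f"$_i")
    _y=$(printf '%s' "$_v2" | cut -d. -f"$_i")
    [ "$_x" -gt "$_y" ] && return 0
    [ "$_x" -lt "$_y" ] && return 1
    _i=$((_i + 1))
  done
  return 0
}

# check_az_version: reads the installed azure-cli version from `az version`
# and compares it against MIN_AZ_VERSION.
check_az_version() {
  _installed=$(az version --query '"azure-cli"' -o tsv)
  if version_ge "$_installed" "$MIN_AZ_VERSION"; then
    echo "azure-cli $_installed satisfies >= $MIN_AZ_VERSION"
  else
    echo "azure-cli $_installed is older than $MIN_AZ_VERSION; run 'az upgrade'" >&2
    return 1
  fi
}

# wait_for_provider NAMESPACE: registers the resource provider (a no-op when it
# is already registered) and polls until registrationState is Registered,
# failing after PROVIDER_TIMEOUT_SECS so a stuck registration cannot hang the run.
wait_for_provider() {
  _ns=$1
  _deadline=$(( $(date +%s) + PROVIDER_TIMEOUT_SECS ))
  az provider register --namespace "$_ns" >/dev/null
  while :; do
    _state=$(az provider show -n "$_ns" --query registrationState -o tsv)
    if [ "$_state" = "Registered" ]; then
      echo "$_ns: Registered"
      return 0
    fi
    if [ "$(date +%s)" -ge "$_deadline" ]; then
      echo "$_ns: still '$_state' after ${PROVIDER_TIMEOUT_SECS}s" >&2
      return 1
    fi
    sleep 15
  done
}

# ensure_extension NAME: installs the CLI extension on first use and updates it
# on later runs, mirroring the add/update choice the guide describes.
ensure_extension() {
  if az extension show --name "$1" >/dev/null 2>&1; then
    az extension update --name "$1"
  else
    az extension add --name "$1"
  fi
}

main() {
  check_az_version
  for _p in $PROVIDERS; do
    wait_for_provider "$_p"
  done
  for _e in $EXTENSIONS; do
    ensure_extension "$_e"
  done
  # Marketplace terms for the Traefik on Arc offer (same command as in the guide).
  az term accept --publisher containous --product traefik-on-arc --plan traefik-byol
}

# Only run when invoked as `sh prereqs.sh check`, so the functions can be
# sourced or tested without touching Azure.
case "${1:-}" in
  check) main ;;
esac
```

The version comparison is plain POSIX shell rather than a string comparison so that, for example, 2.100.0 is correctly treated as newer than 2.65.0; `az version` is used instead of `az --version` because it emits JSON that can be queried directly.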