How to deploy to AWS Kubernetes from Azure DevOps

Question

I'm using Azure DevOps, to handle PBI, repos, PRS, and builds, but all my infrastructure, including Kubernetes is managed by AWS.

There's not documentation, neither "the right and easy way" of how to deploy to AWS EKS using Azure DevOps Tasks.

I found this solution, its a good solution, but would be awesome to know how you guys resolve it, or if there are more approaches.

Answer 1

After a research and try and failure, I found another way to do it, without messing around with shell scripts.

You just need to apply the following to Kubernetes, It will create a ServiceAccount and bind it to a custom Role, that role will have the permissions to create/delete deployments and pods (tweak it for services permissions).

deploy-robot-conf.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: deploy-robot
automountServiceAccountToken: false
---
apiVersion: v1
kind: Secret
metadata:
  name: deploy-robot-secret
  annotations:
    kubernetes.io/service-account.name: deploy-robot
type: kubernetes.io/service-account-token
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: deploy-robot-role
  namespace: default
rules: # ## Customize these to meet your requirements ##
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["create", "delete"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["create", "delete"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: global-rolebinding
  namespace: default
subjects:
- kind: ServiceAccount
  name: deploy-robot
  namespace: default
roleRef:
  kind: Role
  name: deploy-robot-role
  apiGroup: rbac.authorization.k8s.io

This will have the minimum permissions needed for Azure DevOps be able to deploy to the cluster.

Note: Please tweak the rules at the role resource to meet your need, for instance services resources permissions.

Then go to your release and create a Kubernetes Service Connection:

Fill the boxes, and follow the steps required to get your secret from the service account, remember that is deploy-robot if you didn't change the yaml file.

And then just use your Kubernetes Connection:

Answer 2

Another option would be to use 'kubeconf' based authentication, where 'kubeconf' file can be obtained with following AWS CLI command:

aws eks --region region update-kubeconfig --name cluster_name --kubconfig ~/.kube/AzureDevOpsConfig

Answer 3

found a new solution with credentials for kubernetes service connection type and kubeconfig option:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: xxx
    server: https://xxx.amazonaws.com
  name: arn:aws:eks:xxx:nnn:cluster/NNN
- cluster:
    certificate-authority-data: xxx
    server: https://xxx.amazonaws.com
  name: arn:aws:eks:xxx:nnn:cluster/NNN
contexts:
- context:
    cluster: arn:aws:eks:xxx:nnn:cluster/NNN
    user: arn:aws:eks:xxx:nnn:cluster/NNN
  name: arn:aws:eks:xxx:nnn:cluster/NNN
- context:
    cluster: arn:aws:eks:xxx:nnn:cluster/NNN2
    user: arn:aws:eks:xxx:nnn:cluster/NNN2
  name: arn:aws:eks:xxx:nnn:cluster/NNN2
current-context: arn:aws:eks:xxx:nnn:cluster/NNN2
kind: Config
preferences: {}
users:
- name: arn:aws:eks:xxx:nnn:cluster/NNN
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - token
      - -i
      - <cluster-name>
      command: aws-iam-authenticator
      env:
      - name: AWS_ACCESS_KEY_ID
        value: "XXX"
      - name: AWS_SECRET_ACCESS_KEY
        value: "XXX"
      interactiveMode: IfAvailable
      provideClusterInfo: false
- name: arn:aws:eks:xxx:nnn:cluster/NNN2
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - token
      - -i
      - <cluster-name-2>
      command: aws-iam-authenticator
      env:
      - name: AWS_ACCESS_KEY_ID
        value: "xxx"
      - name: AWS_SECRET_ACCESS_KEY
        value: "xxx"
      interactiveMode: IfAvailable
      provideClusterInfo: false
    ```
this is a kubeconfig for azure with credentials for two clusters.