Integrating Azure Container Registry with Azure Kubernetes Service
Integrating Azure Container Registry (ACR) with Azure Kubernetes Service (AKS) involves several steps. You'll need to create the ACR instance, an AKS cluster, and configure the AKS cluster to authenticate with ACR so it can pull container images for deployment.
Here's an overview of the resources used in this program:
- `azure-native.containerregistry.Registry`: Represents an Azure Container Registry where you can store Docker images and other container formats.
- `azure-native.containerservice.ManagedCluster`: Represents an Azure Kubernetes Service (AKS) cluster that can run your applications within a managed Kubernetes environment.
- `azure-native.containerservice.AgentPool`: Represents a pool of virtual machines that the Kubernetes nodes run on.
In the following program, we will:
- Create an Azure Container Registry using `Registry`.
- Create an Azure Kubernetes Service cluster using `ManagedCluster`.
- Configure the AKS cluster to authenticate to ACR so it can pull images.
Here is the Pulumi program in TypeScript to achieve the above:
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as azureNative from "@pulumi/azure-native";

// Create an Azure Container Registry.
const containerRegistry = new azureNative.containerregistry.Registry("myContainerRegistry", {
    resourceGroupName: "myResourceGroup", // Replace with your resource group name.
    location: "westus",                    // Replace with your desired location.
    sku: { name: "Basic" },                // Replace with your desired SKU.
    // Enables the registry's shared admin username/password. The AKS pull path below
    // authenticates with a managed identity instead, so this credential is not needed
    // for image pulls and can stay disabled unless something else depends on it.
    adminUserEnabled: true,
});

// Create an AKS cluster.
const aksCluster = new azureNative.containerservice.ManagedCluster("myAksCluster", {
    resourceGroupName: "myResourceGroup", // Replace with your resource group name.
    location: "westus",                    // Replace with your desired location.
    agentPoolProfiles: [{
        name: "agentpool",
        count: 1,                    // The desired number of agent nodes.
        vmSize: "Standard_DS2_v2",   // The desired VM size for each node.
        mode: "System",              // A cluster needs at least one system node pool.
    }],
    dnsPrefix: "myaks", // Replace with your desired DNS prefix.
    enableRBAC: true,
    // A system-assigned identity makes Azure create the kubelet identity that is
    // linked to the registry below.
    identity: {
        type: "SystemAssigned",
    },
});

// Object ID of the kubelet identity, the principal that actually pulls images on the nodes.
// identityProfile is a plain object keyed by identity name, not a Map, so index it directly.
const kubeletObjectId = aksCluster.identityProfile.apply(
    profile => profile!["kubeletidentity"].objectId!);

// Grant the kubelet identity AcrPull on this registry only (pull rights, nothing broader).
const roleAssignment = new azureNative.authorization.RoleAssignment("acrPullRole", {
    principalId: kubeletObjectId,
    principalType: "ServicePrincipal", // Avoids the directory lookup race on a freshly created identity.
    roleDefinitionId: "/subscriptions/<subscription-id>/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d", // Built-in AcrPull role. Replace <subscription-id>.
    scope: containerRegistry.id, // The registry's own resource ID, so the grant is limited to this registry.
});

// Export the ACR login server name, which will be used when tagging and pushing images to this registry.
export const acrLoginServer = containerRegistry.loginServer;
```
Make sure to replace placeholder values including `myResourceGroup`, `westus`, `myaks`, `<subscription-id>`, and others as per your setup in Azure.

In the context of this program:
- We create an instance of `Registry`, which is our ACR.
- Then we create the AKS cluster via the `ManagedCluster` resource.
- An important step is to ensure that AKS can pull images from the ACR, which we do by creating a `RoleAssignment`.
- The role definition ID `7f951dda-4ed3-4680-a7ca-43fe172d538d` corresponds to the `AcrPull` role, which allows for image pull operations from ACR and nothing more.
- We obtain the object ID of the cluster's kubelet identity dynamically from the managed cluster's identity profile and assign it the `AcrPull` role on the ACR's scope.
Lastly, we've used an export statement to output the ACR login server's URL. This is useful when you'll tag and push Docker images to the ACR.
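As an added check that is not part of the original Pulumi program (and not Pulumi or Azure code): a dependency-free TypeScript review of the values a program like the one above feeds into the registry and the role assignment, run before `pulumi up`. It flags the things that most often go wrong with this integration: a role other than AcrPull, a scope wider than the single registry, an unreplaced `<placeholder>`, an empty principal ID, and an admin user left enabled when the pull path uses a managed identity. The interface name `AcrPullSetup`, the function `reviewAcrPullSetup` and the sample values are assumptions made for this example.

```typescript
// Added example (not from the original page): a pre-apply review of the
// settings the program above produces. AcrPullSetup, reviewAcrPullSetup and
// the sample inputs below are assumptions for this example.

// Built-in AcrPull role GUID, as used in the program above.
const ACR_PULL_ROLE_ID = "7f951dda-4ed3-4680-a7ca-43fe172d538d";

// Matches exactly one registry resource ID. Any shorter scope (resource group or
// subscription) would grant the role on every registry underneath it.
const REGISTRY_SCOPE =
  /^\/subscriptions\/[^/]+\/resourceGroups\/[^/]+\/providers\/Microsoft\.ContainerRegistry\/registries\/[^/]+$/i;

interface AcrPullSetup {
  adminUserEnabled: boolean;  // Registry.adminUserEnabled
  principalId: string;        // RoleAssignment.principalId (kubelet identity objectId)
  roleDefinitionId: string;   // RoleAssignment.roleDefinitionId
  scope: string;              // RoleAssignment.scope
}

// Returns a list of findings; an empty list means the setup is the least-privilege one.
function reviewAcrPullSetup(s: AcrPullSetup): string[] {
  const findings: string[] = [];

  const roleGuid = s.roleDefinitionId.split("/").pop() ?? "";
  if (roleGuid.toLowerCase() !== ACR_PULL_ROLE_ID) {
    findings.push(`roleDefinitionId '${roleGuid || "(empty)"}' is not AcrPull; the kubelet only needs to pull`);
  }

  if (!REGISTRY_SCOPE.test(s.scope)) {
    findings.push(`scope '${s.scope}' is not a single registry resource ID`);
  }

  if (/[<>]/.test(s.scope + s.roleDefinitionId + s.principalId)) {
    findings.push("an unreplaced <placeholder> is still present in the assignment");
  }

  if (!s.principalId) {
    findings.push("principalId is empty; resolve the kubelet identity's objectId first");
  }

  if (s.adminUserEnabled) {
    findings.push("adminUserEnabled is true; managed-identity pulls do not need the shared admin credential");
  }

  return findings;
}

// Constructed sample: the values the program above would produce once its
// placeholders are filled in and the admin user is disabled.
const sampleSetup: AcrPullSetup = {
  adminUserEnabled: false,
  principalId: "11111111-2222-3333-4444-555555555555",
  roleDefinitionId:
    "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/" +
    ACR_PULL_ROLE_ID,
  scope:
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup" +
    "/providers/Microsoft.ContainerRegistry/registries/myContainerRegistry",
};

for (const f of reviewAcrPullSetup(sampleSetup)) {
  console.log("finding:", f);
}
```

Run it with `ts-node` (or compile with `tsc`) against the values you intend to deploy; an empty finding list is the expected result for the registry-scoped AcrPull assignment the program above creates.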