Skip to content

Azure Quick Start#

Much of the following includes the process of setting up credentials for Azure. To better understand how Project 2A uses credentials, read the Credential System.

Prerequisites#

2A Management Cluster#

You need a Kubernetes cluster with 2A installed.

Software prerequisites#

Before deploying Kubernetes clusters on Azure using Project 2A, ensure you have:

The Azure CLI (az) is required to interact with Azure resources. Install it by following the Azure CLI installation instructions.

Run the az login command to authenticate your session with Azure.

Register resource providers#

If you're using a new subscription that has never been used to deploy 2A or CAPI clusters, ensure the following resource providers are registered:

  • Microsoft.Compute
  • Microsoft.Network
  • Microsoft.ContainerService
  • Microsoft.ManagedIdentity
  • Microsoft.Authorization

To register these providers, run the following commands in the Azure CLI:

az provider register --namespace Microsoft.Compute
az provider register --namespace Microsoft.Network
az provider register --namespace Microsoft.ContainerService
az provider register --namespace Microsoft.ManagedIdentity
az provider register --namespace Microsoft.Authorization

You can follow the official documentation guide to register the providers.

Before creating a cluster on Azure, set up credentials. This involves creating an AzureClusterIdentity and a Service Principal (SP) to let CAPZ (Cluster API Azure) communicate with Azure.

Step 1: Find Your Subscription ID#

List all your Azure subscriptions:

az account list -o table

Look for the Subscription ID of the account you want to use.

Example output:

Name                     SubscriptionId                        TenantId
-----------------------  -------------------------------------  --------------------------------
My Azure Subscription    12345678-1234-5678-1234-567812345678  87654321-1234-5678-1234-12345678

Copy your chosen Subscription ID for the next step.

Step 2: Create a Service Principal (SP)#

The Service Principal is like a password-protected user that CAPZ will use to manage resources on Azure.

In your terminal, run the following command. Replace <subscription-id> with the ID you copied earlier:

az ad sp create-for-rbac --role contributor --scopes="/subscriptions/<subscription-id>"

You will see output like this:

{
 "appId": "12345678-7848-4ce6-9be9-a4b3eecca0ff",
 "displayName": "azure-cli-2024-10-24-17-36-47",
 "password": "12~34~I5zKrL5Kem2aXsXUw6tIig0M~3~1234567",
 "tenant": "12345678-959b-481f-b094-eb043a87570a"
}

Note

Make sure to treat these strings like passwords. Do not share them or check them into a repository.

Step 3: Create a Secret Object with the password#

The Secret stores the clientSecret (password) from the Service Principal.

Save the Secret YAML into a file named azure-cluster-identity-secret.yaml:

apiVersion: v1
kind: Secret
metadata:
  name: azure-cluster-identity-secret
  namespace: hmc-system
stringData:
  clientSecret: <password> # Password retrieved from the Service Principal
type: Opaque

Apply the YAML to your cluster using the following command:

kubectl apply -f azure-cluster-identity-secret.yaml

Step 4: Create the AzureClusterIdentity Object#

This object defines the credentials CAPZ will use to manage Azure resources. It references the Secret you just created above.

Warning

Make sure that .spec.clientSecret.name matches the name of the Secret you created in the previous step.

Save the following YAML into a file named azure-cluster-identity.yaml:

apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AzureClusterIdentity
metadata:
  labels:
    clusterctl.cluster.x-k8s.io/move-hierarchy: "true"
  name: azure-cluster-identity
  namespace: hmc-system
spec:
  allowedNamespaces: {}
  clientID: <appId> # The App ID retrieved from the Service Principal above in Step 2
  clientSecret:
    name: azure-cluster-identity-secret
    namespace: hmc-system
  tenantID: <tenant> # The Tenant ID retrieved from the Service Principal above in Step 2
  type: ServicePrincipal

Apply the YAML to your cluster:

kubectl apply -f azure-cluster-identity.yaml

Step 5: Create the 2A Credential Object#

Create a YAML with the specification of our credential and save it as azure-cluster-identity-cred.yaml.

Warning

.spec.kind must be AzureClusterIdentity
.spec.name must match .metadata.name of the AzureClusterIdentity object created in the previous step.

apiVersion: hmc.mirantis.com/v1alpha1
kind: Credential
metadata:
  name: azure-cluster-identity-cred
  namespace: hmc-system
spec:
  identityRef:
    apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
    kind: AzureClusterIdentity
    name: azure-cluster-identity
    namespace: hmc-system

Apply the YAML to your cluster:

kubectl apply -f azure-cluster-identity-cred.yaml

This creates the Credential object that will be used in the next step.

Step 6: Create your first ManagedCluster#

Create a YAML with the specification of your managed Cluster and save it as my-azure-managedcluster1.yaml.

Here is an example of a ManagedCluster YAML file:

apiVersion: hmc.mirantis.com/v1alpha1
kind: ManagedCluster
metadata:
  name: my-azure-managedcluster1
  namespace: hmc-system
spec:
  template: azure-standalone-cp-0-0-3
  credential: azure-cluster-identity-cred
  config:
    location: "westus" # Select your desired Azure Location (find it via `az account list-locations -o table`)
    subscriptionID: <subscription-id> # Enter the Subscription ID used earlier
    controlPlane:
      vmSize: Standard_A4_v2
    worker:
      vmSize: Standard_A4_v2

Apply the YAML to your management cluster:

kubectl apply -f my-azure-managedcluster1.yaml

There will be a delay as the cluster finishes provisioning. Follow the provisioning process with the following command:

kubectl -n hmc-system get managedcluster.hmc.mirantis.com my-azure-managedcluster1 --watch

After the cluster is Ready, you can access it via the kubeconfig, like this:

kubectl -n hmc-system get secret my-azure-managedcluster1-kubeconfig -o jsonpath='{.data.value}' | base64 -d > my-azure-managedcluster1-kubeconfig.kubeconfig
KUBECONFIG="my-azure-managedcluster1-kubeconfig.kubeconfig" kubectl get pods -A