Azure Quick Start#
Much of the following includes the process of setting up credentials for Azure. To better understand how Project 2A uses credentials, read the Credential System.
Prerequisites#
2A Management Cluster#
You need a Kubernetes cluster with 2A installed.
Software prerequisites#
Before deploying Kubernetes clusters on Azure using Project 2A, ensure you have:
The Azure CLI (az
) is required to interact with Azure resources. Install it
by following the Azure CLI installation instructions.
Run the az login
command to authenticate your session with Azure.
Register resource providers#
If you're using a new subscription that has never been used to deploy 2A or CAPI clusters, ensure the following resource providers are registered:
Microsoft.Compute
Microsoft.Network
Microsoft.ContainerService
Microsoft.ManagedIdentity
Microsoft.Authorization
To register these providers, run the following commands in the Azure CLI:
az provider register --namespace Microsoft.Compute
az provider register --namespace Microsoft.Network
az provider register --namespace Microsoft.ContainerService
az provider register --namespace Microsoft.ManagedIdentity
az provider register --namespace Microsoft.Authorization
You can follow the official documentation guide to register the providers.
Before creating a cluster on Azure, set up credentials. This involves creating
an AzureClusterIdentity
and a Service Principal (SP) to let CAPZ (Cluster
API Azure) communicate with Azure.
Step 1: Find Your Subscription ID#
List all your Azure subscriptions:
az account list -o table
Look for the Subscription ID of the account you want to use.
Example output:
Name SubscriptionId TenantId
----------------------- ------------------------------------- --------------------------------
My Azure Subscription 12345678-1234-5678-1234-567812345678 87654321-1234-5678-1234-12345678
Copy your chosen Subscription ID for the next step.
Step 2: Create a Service Principal (SP)#
The Service Principal is like a password-protected user that CAPZ will use to manage resources on Azure.
In your terminal, run the following command. Replace <subscription-id>
with
the ID you copied earlier:
az ad sp create-for-rbac --role contributor --scopes="/subscriptions/<subscription-id>"
You will see output like this:
{
"appId": "12345678-7848-4ce6-9be9-a4b3eecca0ff",
"displayName": "azure-cli-2024-10-24-17-36-47",
"password": "12~34~I5zKrL5Kem2aXsXUw6tIig0M~3~1234567",
"tenant": "12345678-959b-481f-b094-eb043a87570a"
}
Note
Make sure to treat these strings like passwords. Do not share them or check them into a repository.
Step 3: Create a Secret Object with the password#
The Secret stores the clientSecret
(password) from the Service Principal.
Save the Secret YAML into a file named azure-cluster-identity-secret.yaml
:
apiVersion: v1
kind: Secret
metadata:
name: azure-cluster-identity-secret
namespace: hmc-system
stringData:
clientSecret: <password> # Password retrieved from the Service Principal
type: Opaque
Apply the YAML to your cluster using the following command:
kubectl apply -f azure-cluster-identity-secret.yaml
Step 4: Create the AzureClusterIdentity Object#
This object defines the credentials CAPZ will use to manage Azure resources. It references the Secret you just created above.
Warning
Make sure that .spec.clientSecret.name
matches the name of the
Secret you created in the previous step.
Save the following YAML into a file named azure-cluster-identity.yaml
:
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AzureClusterIdentity
metadata:
labels:
clusterctl.cluster.x-k8s.io/move-hierarchy: "true"
name: azure-cluster-identity
namespace: hmc-system
spec:
allowedNamespaces: {}
clientID: <appId> # The App ID retrieved from the Service Principal above in Step 2
clientSecret:
name: azure-cluster-identity-secret
namespace: hmc-system
tenantID: <tenant> # The Tenant ID retrieved from the Service Principal above in Step 2
type: ServicePrincipal
Apply the YAML to your cluster:
kubectl apply -f azure-cluster-identity.yaml
Step 5: Create the 2A Credential Object#
Create a YAML with the specification of our credential and save it as
azure-cluster-identity-cred.yaml
.
Warning
.spec.kind
must be AzureClusterIdentity
.spec.name
must match .metadata.name
of the AzureClusterIdentity
object
created in the previous step.
apiVersion: hmc.mirantis.com/v1alpha1
kind: Credential
metadata:
name: azure-cluster-identity-cred
namespace: hmc-system
spec:
identityRef:
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AzureClusterIdentity
name: azure-cluster-identity
namespace: hmc-system
Apply the YAML to your cluster:
kubectl apply -f azure-cluster-identity-cred.yaml
This creates the Credential
object that will be used in the next step.
Step 6: Create your first ManagedCluster#
Create a YAML with the specification of your managed Cluster and save it as
my-azure-managedcluster1.yaml
.
Here is an example of a ManagedCluster
YAML file:
apiVersion: hmc.mirantis.com/v1alpha1
kind: ManagedCluster
metadata:
name: my-azure-managedcluster1
namespace: hmc-system
spec:
template: azure-standalone-cp-0-0-3
credential: azure-cluster-identity-cred
config:
location: "westus" # Select your desired Azure Location (find it via `az account list-locations -o table`)
subscriptionID: <subscription-id> # Enter the Subscription ID used earlier
controlPlane:
vmSize: Standard_A4_v2
worker:
vmSize: Standard_A4_v2
Apply the YAML to your management cluster:
kubectl apply -f my-azure-managedcluster1.yaml
There will be a delay as the cluster finishes provisioning. Follow the provisioning process with the following command:
kubectl -n hmc-system get managedcluster.hmc.mirantis.com my-azure-managedcluster1 --watch
After the cluster is Ready
, you can access it via the kubeconfig, like this:
kubectl -n hmc-system get secret my-azure-managedcluster1-kubeconfig -o jsonpath='{.data.value}' | base64 -d > my-azure-managedcluster1-kubeconfig.kubeconfig
KUBECONFIG="my-azure-managedcluster1-kubeconfig.kubeconfig" kubectl get pods -A