|
| 1 | +# Getting started with cluster-api-provider-azure |
| 2 | + |
| 3 | +## Prerequisites |
| 4 | + |
| 5 | +### Requirements |
| 6 | + |
| 7 | +<!-- markdown-link-check-disable-next-line --> |
| 8 | +- A [Microsoft Azure account](https://azure.microsoft.com/) |
| 9 | + - Note: If using a new subscription, make sure to [register](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-providers-and-types) the following resource providers: |
| 10 | + - `Microsoft.Compute` |
| 11 | + - `Microsoft.Network` |
| 12 | + - `Microsoft.ContainerService` |
| 13 | + - `Microsoft.ManagedIdentity` |
| 14 | + - `Microsoft.Authorization` |
| 15 | + - `Microsoft.ResourceHealth` (if the `EXP_AKS_RESOURCE_HEALTH` feature flag is enabled) |
| 16 | +- Install the [Azure CLI](https://learn.microsoft.com/cli/azure/install-azure-cli?view=azure-cli-latest) |
| 17 | +- A [supported version](https://github.com/kubernetes-sigs/cluster-api-provider-azure#compatibility) of `clusterctl` |
| 18 | + |
| 19 | +### Setting up your Azure environment |
| 20 | + |
| 21 | + 1. Login with the Azure CLI. |
| 22 | + |
| 23 | + ```bash |
| 24 | + az login |
| 25 | + ``` |
| 26 | + |
| 27 | + 2. List your Azure subscriptions. |
| 28 | + |
| 29 | + ```bash |
| 30 | + az account list -o table |
| 31 | + ``` |
| 32 | + |
| 33 | + 3. If more than one account is present, select the account that you want to use. |
| 34 | + |
| 35 | + ```bash |
| 36 | + az account set -s <SubscriptionId> |
| 37 | + ``` |
| 38 | + |
| 39 | + 4. Save your Subscription ID in an environment variable. |
| 40 | + |
| 41 | + ```bash |
| 42 | + export AZURE_SUBSCRIPTION_ID="<SubscriptionId>" |
| 43 | + ``` |
| 44 | +### Creating an AKS Management Cluster with Workload Identity |
| 45 | + |
| 46 | + 1. Create an AKS Cluster with Workload Identity and OIDC Endpoint Enabled. |
| 47 | + ```bash |
| 48 | + az aks create \ |
| 49 | + --resource-group <resource-group-name> \ |
| 50 | + --name <aks-cluster-name> \ |
| 51 | + --enable-oidc-issuer \ |
| 52 | + --enable-workload-identity \ |
| 53 | + --node-count 2 \ |
| 54 | + --node-vm-size Standard_B2s \ |
| 55 | + --generate-ssh-keys \ |
| 56 | + --location <region> |
| 57 | + ``` |
| 58 | + |
| 59 | + 2. Retrieve Credentials for the AKS Cluster to interact with it using kubectl: |
| 60 | + ```bash |
| 61 | + az aks get-credentials --resource-group <resource-group-name> --name <aks-cluster-name> |
| 62 | + ``` |
| 63 | + |
| 64 | + 3. Retrieve the OIDC Issuer URL and OIDC issuer URL. |
| 65 | + ```bash |
| 66 | + az aks show \ |
| 67 | + --resource-group <resource-group-name> \ |
| 68 | + --name <aks-cluster-name> \ |
| 69 | + --query "oidcIssuerProfile.issuerUrl" -o tsv |
| 70 | + ``` |
| 71 | + Hold onto the OIDC issuer URL for creating federated credentials. |
| 72 | + |
| 73 | + 4. Create a User Assigned Managed Identity (UAMI) to use for Workload Identity. |
| 74 | + ```bash |
| 75 | + az identity create \ |
| 76 | + --name <uami-name> \ |
| 77 | + --resource-group <resource-group-name> \ |
| 78 | + --location <region> |
| 79 | + ``` |
| 80 | + Hold onto the UAMI clientID and principalID for the next step. |
| 81 | + |
| 82 | + 5. Assign the Contributor role to the UAMI so it can manage Azure resources. |
| 83 | + ```bash |
| 84 | + az role assignment create \ |
| 85 | + --assignee <uami-principal-id> \ |
| 86 | + --role Contributor \ |
| 87 | + --scope /subscriptions/<subscription-id> |
| 88 | + ``` |
| 89 | + |
| 90 | + 6. Add a Federated Credential to the UAMI |
| 91 | + |
| 92 | +To configure the federated credential for the UAMI, follow the detailed instructions in the [Azure Workload Identity: Federated identity credential for an Azure AD application](https://azure.github.io/azure-workload-identity/docs/topics/federated-identity-credential.html#federated-identity-credential-for-a-user-assigned-managed-identity). |
| 93 | +For CAPZ, the federated credential should be configured for the capz-manager service account in the capz-system namespace. |
| 94 | + |
| 95 | + 7. Annotate the capz-manager service account in the capz-system namespace with the UAMI's clientId: |
| 96 | + ```bash |
| 97 | + kubectl annotate serviceaccount capz-manager \ |
| 98 | + -n capz-system \ |
| 99 | + azure.workload.identity/client-id=<uami-client-id> |
| 100 | + ``` |
| 101 | + |
| 102 | +### Building your first cluster |
| 103 | + |
| 104 | +The recommended way to build a cluster is to install a CAPZ management cluster using [Cluster API Operator](https://github.com/kubernetes-sigs/cluster-api-operator), then utilizing a Helm chart to create a workload cluster, specifically an [ASO Managed Cluster](./managed/asomanagedcluster.md). |
| 105 | + |
| 106 | +To create a cluster manually, check out the [Cluster API Quick Start](https://cluster-api.sigs.k8s.io/user/quick-start.html) for in-depth instructions. Make sure to select the "Azure" tabs. If you are looking to install additional ASO CRDs, set `ADDITIONAL_ASO_CRDS` to the list of CRDs you want to install. Refer to adding additional CRDs for Azure Service Operator [here](./topics/aso.md#Using-aso-for-non-capz-resources). |
| 107 | + |
0 commit comments