The easiest way to deploy the Azure Service Operator is to use Helm charts. Follow the instructions here. However, if you're interested in building and deploying the operators from source, follow the instructions laid out here.
Note
This step assumes you have the prerequisites installed. See prerequisites here for information on setup.
- Clone the repository.
- Make sure the environment variable GO111MODULE is set to on.
export GO111MODULE=on
- Log in to your container registry, set the IMG env var, and then build and push the image.
docker login
IMG=<container_registry>/<username>/<image_name>:<tag> make docker-build-and-push
Note
This step assumes you already have a Kubernetes cluster. See prerequisites here for information on creating a Kubernetes cluster.
Create the namespace you want to deploy the operator to.
Note
The scripts are currently configured to deploy to the azureoperator-system namespace.
kubectl create namespace azureoperator-system
Next, install Cert Manager.
make install-cert-manager
You have the option to use either of the below for storing the secrets, such as connection strings and the SQL Server username, that result from resource provisioning.
Kubernetes secrets - this is the default. Secrets will be stored as Kubernetes secrets by default.
Azure Key Vault - if you want to use Azure Key Vault to store the secrets, you must additionally perform the steps below.
Create an Azure Key Vault to use to store secrets.
az keyvault create --name "OperatorSecretKeyVault" --resource-group "resourceGroup-operators" --location "West US"
Add the appropriate Key Vault access policy to allow the service principal access to this Key Vault.
az keyvault set-policy --name "OperatorSecretKeyVault" --spn <AZURE_CLIENT_ID> --secret-permissions get list delete set
If you use Managed Identity instead of Service Principal, use the Client ID of the Managed Identity instead in the above command.
az keyvault set-policy --name "OperatorSecretKeyVault" --spn <MANAGEDIDENTITY_CLIENT_ID> --secret-permissions get list delete set
Set the environment variable 'AZURE_OPERATOR_KEYVAULT' to indicate you want to use Azure Key Vault for secrets.
export AZURE_OPERATOR_KEYVAULT=OperatorSecretKeyVault
You can choose to use either Service Principals or Managed Identity for authentication.
If you choose to use Service Principal authentication, set these environment variables.
export AZURE_CLIENT_ID=xxxxxxx
export AZURE_CLIENT_SECRET=aaaaaaa
If you choose to use Managed Identity, set the below environment variables and then perform the steps listed here.
export AZURE_CLIENT_ID=xxxxxxx
export AZURE_USE_MI=1
Before we can use Managed Identity authentication we need to install aad-pod-identity.
Installing AAD Pod Identity and registering an identity
- Install aad-pod-identity.
make install-aad-pod-identity
- Apply the AzureIdentity and Binding manifests. This binds the identity to the Azure Service Operator.
Where a particular resourceID or clientID is referenced in the template below, ensure that you replace it with your Managed Identity resourceID and clientID.
$ cat <<EOF | kubectl apply -f -
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentity
metadata:
  name: aso-managed-id1
  namespace: azureoperator-system
spec:
  type: 0
  resourceID: /subscriptions/<your-subscription-id-here>/resourcegroups/<your-resource-group-test>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<your-managed-identity-here>
  clientID: <your-managed-identity-client-id-here>
---
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentityBinding
metadata:
  name: aso-identity-binding
  namespace: azureoperator-system
spec:
  azureIdentity: aso-managed-id1
  selector: aso_manager_binding
EOF
Note
Use only one of the authentication methods mentioned above.
Set the following environment variables, AZURE_TENANT_ID, AZURE_SUBSCRIPTION_ID and REQUEUE_AFTER, and then create the azureoperatorsettings secret from them.
export AZURE_TENANT_ID=xxxxxxx
export AZURE_SUBSCRIPTION_ID=aaaaaaa
export REQUEUE_AFTER=30
From the same terminal, run the below command to create the secret.
kubectl --namespace azureoperator-system \
    create secret generic azureoperatorsettings \
    --from-literal=AZURE_SUBSCRIPTION_ID="$AZURE_SUBSCRIPTION_ID" \
    --from-literal=AZURE_TENANT_ID="$AZURE_TENANT_ID" \
    --from-literal=AZURE_CLIENT_ID="$AZURE_CLIENT_ID" \
    --from-literal=AZURE_CLIENT_SECRET="$AZURE_CLIENT_SECRET" \
    --from-literal=AZURE_USE_MI="$AZURE_USE_MI" \
    --from-literal=AZURE_OPERATOR_KEYVAULT="$AZURE_OPERATOR_KEYVAULT"
Then deploy the operator.
make deploy
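The secret-creation step above writes whatever is in the environment into the cluster, and the note says to use only one authentication method. The following script is an added example, not part of the Azure Service Operator project: it checks that the required variables are set and that exactly one of Service Principal (AZURE_CLIENT_SECRET) or Managed Identity (AZURE_USE_MI=1) is configured before running the same kubectl command. The KUBECTL override is a knob of this example only, so the command can be previewed with KUBECTL=echo.

```shell
#!/bin/sh
# Added example (not ASO project code). Assumes only the environment
# variable names and the azureoperator-system namespace used on this page.

# Prints "sp" or "mi" for the configured authentication method. Returns 1
# with a message on stderr when a required variable is missing, when both
# methods are configured, or when neither is.
aso_auth_mode() {
    for v in AZURE_TENANT_ID AZURE_SUBSCRIPTION_ID AZURE_CLIENT_ID; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || { echo "$v must be set" >&2; return 1; }
    done
    if [ "${AZURE_USE_MI:-}" = "1" ]; then
        if [ -n "${AZURE_CLIENT_SECRET:-}" ]; then
            echo "AZURE_USE_MI=1 and AZURE_CLIENT_SECRET are both set; use only one method" >&2
            return 1
        fi
        echo mi
    elif [ -n "${AZURE_CLIENT_SECRET:-}" ]; then
        echo sp
    else
        echo "set AZURE_CLIENT_SECRET (Service Principal) or AZURE_USE_MI=1 (Managed Identity)" >&2
        return 1
    fi
}

# Creates the azureoperatorsettings secret with the same keys the page uses,
# but only after aso_auth_mode has accepted the environment. Set
# KUBECTL=echo (a knob of this example) to print the command instead.
aso_create_settings_secret() {
    mode=$(aso_auth_mode) || return 1
    echo "creating azureoperatorsettings secret using $mode authentication" >&2
    "${KUBECTL:-kubectl}" --namespace azureoperator-system \
        create secret generic azureoperatorsettings \
        --from-literal=AZURE_SUBSCRIPTION_ID="$AZURE_SUBSCRIPTION_ID" \
        --from-literal=AZURE_TENANT_ID="$AZURE_TENANT_ID" \
        --from-literal=AZURE_CLIENT_ID="$AZURE_CLIENT_ID" \
        --from-literal=AZURE_CLIENT_SECRET="${AZURE_CLIENT_SECRET:-}" \
        --from-literal=AZURE_USE_MI="${AZURE_USE_MI:-}" \
        --from-literal=AZURE_OPERATOR_KEYVAULT="${AZURE_OPERATOR_KEYVAULT:-}"
}
```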
Check that the operator is deployed to the cluster using the following commands.
kubectl get pods -n azureoperator-system
You can view the logs from the operator using the following command. The podname is the name of the pod in the output from kubectl get pods -n azureoperator-system, and manager is the name of the container inside the pod.
kubectl logs <podname> -c manager -n azureoperator-system
If you would like to view the Prometheus metrics from the operator, you can redirect port 8080 to the local machine using the following commands:
Get the deployment using the following command.
kubectl get deployment -n azureoperator-system
You'll see output like the below.
NAME READY UP-TO-DATE AVAILABLE AGE
azureoperator-controller-manager 1/1 1 1 2d1h
Use the deployment name in the command as below.
kubectl port-forward deployment/<deployment name> -n <namespace> 8080
So we would use the following command here.
kubectl port-forward deployment/azureoperator-controller-manager -n azureoperator-system 8080
You can now browse to http://localhost:8080/metrics from the browser to view the metrics.