# Prerequisites

Before getting started, you'll need these:

## This repo

Clone or fork a copy of this repo to your SCM of choice (GitHub, Bitbucket, Azure Git Repos, etc.).

## An Azure Free Trial Subscription

To get a free 12-month trial of Azure, follow the instructions here.

## An Azure DevOps organisation

If you don't already have one, create a free Azure DevOps organisation, as per these instructions. You'll also need to create a Project.

## A Personal Access Token

Once you've created your Azure DevOps organisation, you'll need a Personal Access Token (PAT) with the authorized scope Agent Pools (read, manage). To do this you'll need to:

  1. Navigate here.

  2. Create the PAT with the required scopes. Set the name and expiration as you see fit. Make sure to copy the token on the next screen; it is only shown once.

  3. Next, create a Variable Group for the token.

  4. Name the Variable Group and Variable exactly as shown. Paste the value of the PAT in 'Value', and click the lock icon so that the Variable is stored as a Secret Variable.

Note: If you want to rename the Variable Group, you'll have to update some values in this pipeline first.

## An Agent Pool

Create the 'k8s' agent pool.

## A Service Connection

To enable Azure DevOps to deploy into our Azure Subscription, we need to connect the two services using a Service Connection. To do this:

  1. Navigate to the 'Project Settings' page and click on 'New Service Connection'. Select type 'Azure Resource Manager'.

  2. On the next screen, select the 'Service Principal' authentication method.

  3. Enter the connection details as required (leave Resource Group blank) and save.

Note: By default, all Pipelines set the Service Connection name to 'azure'. This can be overridden when a Pipeline is run. If you name the Service Connection something other than 'azure', be sure to override it in the next section!

## Some Permissions

Next we need to give the newly-created Service Principal permission to deploy Resources. To do this:

  1. In the Azure Portal, navigate to the Azure Active Directory (AAD) blade.

  2. Select 'App Registrations' and find the newly-created App Registration. The name should follow the pattern `<Azure DevOps Organisation Name><Azure DevOps Project Name><Azure Subscription ID>`. Take a note of the name and ID for later.

  3. Add the API permission 'Azure Active Directory Graph/Application.ReadWrite.OwnedBy', and click the 'Grant Admin consent' button on the next screen to approve the permission assignment. You should see the message 'Successfully granted admin consent for the requested permissions'.

  4. Next, go to your Subscription, and give the App Registration the Owner IAM Role for your Subscription.

Note: The 'Owner' Role is required to provision another Service Principal, which Azure Kubernetes Service needs, and to bind permissions to it so that it can pull images from the Azure Container Registry. Obviously this doesn't follow least privilege.

Before taking this solution anywhere near an Enterprise Subscription, it is recommended to create a Custom Role instead, and to give the Azure DevOps App Registration Just-in-Time access for the initial deployment of the Kubernetes Service only.
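The note above recommends a Custom Role and Just-in-Time access instead of Owner. As an added example that is not part of this repo, the script below defines such a role with the Azure CLI, scoped to a single resource group rather than the subscription, and grants or revokes it around the initial deployment; the Actions list and all IDs are assumptions that must be checked against your own pipeline.

```shell
#!/bin/sh
# Added example, not part of this repo: a resource-group-scoped custom role for the
# Azure DevOps App Registration instead of subscription Owner, assigned only for the
# initial deployment and removed afterwards. ASSUMPTION: the Actions list is an
# educated guess at what an AKS + ACR deployment needs; all IDs are placeholders.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-aks-demo}"                             # placeholder
APP_ID="${APP_ID:-11111111-1111-1111-1111-111111111111}"                    # placeholder: App Registration ID from step 2
ROLE_NAME="AKS Pipeline Deployer"
SCOPE="/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${RESOURCE_GROUP}"

# Print the custom role definition. roleAssignments/write is itself a privileged
# action (it is what lets the pipeline bind AcrPull), so AssignableScopes pins the
# role to one resource group rather than the whole subscription.
role_definition() {
  cat <<EOF
{
  "Name": "${ROLE_NAME}",
  "Description": "Deploy AKS and ACR and bind AcrPull for the cluster identity",
  "Actions": [
    "Microsoft.Resources/deployments/*",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.ContainerService/managedClusters/*",
    "Microsoft.ContainerRegistry/registries/*",
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/roleAssignments/write"
  ],
  "NotActions": [],
  "AssignableScopes": [ "${SCOPE}" ]
}
EOF
}

# Guard: a bare "*" action would make this Owner again under a different name.
check_scoped() {
  ! role_definition | grep -q '"\*"'
}

case "${1:-}" in
  apply)   # grant just before the initial deployment
    check_scoped
    role_definition > role.json
    az role definition create --role-definition @role.json
    az role assignment create --assignee "${APP_ID}" --role "${ROLE_NAME}" --scope "${SCOPE}" ;;
  revoke)  # remove the assignment once the cluster is up
    az role assignment delete --assignee "${APP_ID}" --role "${ROLE_NAME}" --scope "${SCOPE}" ;;
esac
```

Run with `apply` before the first pipeline run and `revoke` once the cluster and its image-pull binding exist; with no argument the script only defines the functions.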