MicrosoftDocs
diff --git a/‎articles/azure-arc/kubernetes/connect-cluster.md
Lines changed: 213 additions & 0 deletions b/‎articles/azure-arc/kubernetes/connect-cluster.md
Lines changed: 213 additions & 0 deletions
diff --git a/‎articles/azure-arc/kubernetes/create-onboarding-service-principal.md
Lines changed: 91 additions & 0 deletions b/‎articles/azure-arc/kubernetes/create-onboarding-service-principal.md
Lines changed: 91 additions & 0 deletions
diff --git a/‎articles/azure-arc/kubernetes/deploy-azure-iot-edge-workloads.md
Lines changed: 71 additions & 0 deletions b/‎articles/azure-arc/kubernetes/deploy-azure-iot-edge-workloads.md
Lines changed: 71 additions & 0 deletions
@@ -0,0 +1,213 @@
+---
+title: "Connect an Azure Arc-enabled Kubernetes cluster (Preview)"
+services: azure-arc
+ms.service: azure-arc
+#ms.subservice: azure-arc-kubernetes coming soon
+ms.date: 05/19/2020
+ms.topic: article
+author: mlearned
+ms.author: mlearned
+description: "Connect an Azure Arc-enabled Kubernetes cluster with Azure Arc"
+keywords: "Kubernetes, Arc, Azure, K8s, containers"
+---
+
+# Connect an Azure Arc-enabled Kubernetes cluster (Preview)
+
+Connect a Kubernetes cluster to Azure Arc. 
+
+## Before you begin
+
+Verify you have the following requirements ready:
+
+* A Kubernetes cluster that is up and running
+* You'll need access with kubeconfig, and cluster-admin access. 
+* The user or service principal used with `az login` and `az connectedk8s connect` commands must have the 'Read' and 'Write' permissions on the 'Microsoft.Kubernetes/connectedclusters' resource type.
+* Latest version of the *connectedk8s* and *k8sconfiguration* extensions
+
+## Supported regions
+
+* East US
+* West Europe
+
+## Network requirements
+
+Azure Arc agents require the following protocols/ports/outbound URLs to function.
+
+* TCP on port 443 --> `https://:443`
+* TCP on port 9418 --> `git://:9418`
+
+| Endpoint (DNS)                                                                                               | Description                                                                                                                 |
+| ------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------- |
+| `https://management.azure.com`                                                                                 | Required for the agent to connect to Azure and register the cluster                                                        |
+| `https://eastus.dp.kubernetesconfiguration.azure.com`, `https://westeurope.dp.kubernetesconfiguration.azure.com` | Data plane endpoint for the agent to push status and fetch configuration information                                      |
+| `https://docker.io`                                                                                            | Required to pull container images                                                                                         |
+| `https://github.com`, git://github.com                                                                         | Example GitOps repos are hosted on GitHub. Configuration agent requires connectivity to whichever git endpoint you specify. |
+| `https://login.microsoftonline.com`                                                                            | Required to fetch and update Azure Resource Manager tokens                                                                                    |
+| `https://azurearcfork8s.azurecr.io`                                                                            | Required to pull container images for Azure Arc agents                                                                  |
+
+## Register the two providers for Azure Arc enabled Kubernetes:
+
+```console
+az provider register --namespace Microsoft.Kubernetes
+Registering is still on-going. You can monitor using 'az provider show -n Microsoft.Kubernetes'
+
+az provider register --namespace Microsoft.KubernetesConfiguration
+Registering is still on-going. You can monitor using 'az provider show -n Microsoft.KubernetesConfiguration'
+```
+
+Registration is an asynchronous process. Registration may take approximately 10 minutes. You can monitor the registration process with the following commands:
+
+```console
+az provider show -n Microsoft.Kubernetes -o table
+```
+
+```console
+az provider show -n Microsoft.KubernetesConfiguration -o table
+```
+
+## Install CLI extensions
+
+Install the `connectedk8s` extension, which helps you connect Kubernetes clusters to Azure:
+
+```console
+az extension add --name connectedk8s
+```
+
+Install the `k8sconfiguration` extension:
+
+```console
+az extension add --name k8sconfiguration
+```
+
+Run the following commands to update the extensions to the latest versions.
+
+```console
+az extension update --name connectedk8s
+az extension update --name k8sconfiguration
+```
+
+## Create a Resource Group
+
+Use a resource group to store metadata for your cluster.
+
+First, create a resource group to hold the connected cluster resource.
+
+```console
+az group create --name AzureArcTest -l EastUS -o table
+```
+
+**Output:**
+
+```console
+Location    Name
+----------  ------------
+eastus      AzureArcTest
+```
+
+## Connect a cluster
+
+Next, we will connect our Kubernetes cluster to Azure. The workflow for `az connectedk8s connect` is as follows:
+
+1. Verify connectivity to your Kubernetes cluster: via `KUBECONFIG`, `~/.kube/config`, or `--kube-config`
+1. Deploy Azure Arc Agents for Kubernetes using Helm 3, into the `azure-arc` namespace
+
+```console
+az connectedk8s connect --name AzureArcTest1 --resource-group AzureArcTest
+```
+
+**Output:**
+
+```console
+Command group 'connectedk8s' is in preview. It may be changed/removed in a future release.
+Helm release deployment succeeded
+
+{
+  "aadProfile": {
+    "clientAppId": "",
+    "serverAppId": "",
+    "tenantId": ""
+  },
+  "agentPublicKeyCertificate": "...",
+  "agentVersion": "0.1.0",
+  "id": "/subscriptions/57ac26cf-a9f0-4908-b300-9a4e9a0fb205/resourceGroups/AzureArcTest/providers/Microsoft.Kubernetes/connectedClusters/AzureArcTest1",
+  "identity": {
+    "principalId": null,
+    "tenantId": null,
+    "type": "None"
+  },
+  "kubernetesVersion": "v1.15.0",
+  "location": "eastus",
+  "name": "AzureArcTest1",
+  "resourceGroup": "AzureArcTest",
+  "tags": {},
+  "totalNodeCount": 1,
+  "type": "Microsoft.Kubernetes/connectedClusters"
+}
+```
+
+## Verify connected cluster
+
+List your connected clusters:
+
+```console
+az connectedk8s list -g AzureArcTest
+```
+
+**Output:**
+
+```console
+Command group 'connectedk8s' is in preview. It may be changed/removed in a future release.
+Name           Location    ResourceGroup
+-------------  ----------  ---------------
+AzureArcTest1  eastus      AzureArcTest
+```
+
+Azure Arc enabled Kubernetes deploys a few operators into the `azure-arc` namespace. You can view these deployments and pods here:
+
+```console
+kubectl -n azure-arc get deploy,po
+```
+
+**Output:**
+
+```console
+NAME										READY	UP-TO-DATE AVAILABLE AGE
+deployment.apps/cluster-metadata-operator	1/1		1			1		 16h
+deployment.apps/clusteridentityoperator		1/1		1			1	     16h
+deployment.apps/config-agent				1/1		1			1		 16h
+deployment.apps/controller-manager			1/1		1			1		 16h
+deployment.apps/flux-logs-agent				1/1		1			1		 16h
+deployment.apps/metrics-agent			    1/1     1           1        16h
+deployment.apps/resource-sync-agent			1/1		1			1		 16h
+
+NAME											READY	STATUS	 RESTART AGE
+pod/cluster-metadata-operator-7fb54d9986-g785b  2/2		Running  0		 16h
+pod/clusteridentityoperator-6d6678ffd4-tx8hr    3/3     Running  0       16h
+pod/config-agent-544c4669f9-4th92               3/3     Running  0       16h
+pod/controller-manager-fddf5c766-ftd96          3/3     Running  0       16h
+pod/flux-logs-agent-7c489f57f4-mwqqv            2/2     Running  0       16h
+pod/metrics-agent-58b765c8db-n5l7k              2/2     Running  0       16h
+pod/resource-sync-agent-5cf85976c7-522p5        3/3     Running  0       16h
+```
+
+## Azure Arc agents for Kubernetes
+
+Azure Arc enabled Kubernetes consists of a few agents (operators) that run in your cluster deployed to the `azure-arc` namespace.
+
+* `deploy/config-agent`: watches the connected cluster for source control configuration resources applied on the cluster and updates compliance state
+* `deploy/controller-manager`: is an operator of operators and orchestrates interactions between Azure Arc components
+
+## Delete a connected cluster
+
+You can delete a `Microsoft.Kubernetes/connectedcluster` resource using the CLI or Azure portal.
+
+The Azure CLI command `az connectedk8s delete` removes the `Microsoft.Kubernetes/connectedCluster` resource in Azure. The Azure CLI deletes any associated `sourcecontrolconfiguration` resources in Azure. The Azure CLI uses helm uninstall to remove the agents in the cluster.
+
+The Azure portal deletes the `Microsoft.Kubernetes/connectedcluster` resource in Azure, and deletes any associated `sourcecontrolconfiguration` resources in Azure.
+
+To remove the agents in the cluster you need to run `az connectedk8s delete` or `helm uninstall azurearcfork8s`.
+
+## Next steps
+
+* [Use GitOps in a connected cluster](./use-gitops-connected-cluster.md)
+* [Use Azure Policy to govern cluster configuration](./use-azure-policy.md)
@@ -0,0 +1,91 @@
+---
+title: "Create an Azure Arc-enabled onboarding Service Principal (Preview)"
+services: azure-arc
+ms.service: azure-arc
+#ms.subservice: azure-arc-kubernetes coming soon
+ms.date: 05/19/2020
+ms.topic: article
+author: mlearned
+ms.author: mlearned
+description: "Create an Azure Arc-enabled onboarding Service Principal "
+keywords: "Kubernetes, Arc, Azure, containers"
+---
+
+# Create an Azure Arc-enabled onboarding Service Principal (Preview)
+
+## Overview
+
+When a cluster is onboarded to Azure, the agents running in your cluster must authenticate to Azure Resource Manager as part of registration. The `connectedk8s` CLI extension has automated Service Principal creation. However, there may be a few scenarios where the CLI automation does not work:
+
+* Your organization generally restricts the creation of Service Principals
+* The user onboarding the cluster does not have sufficient permissions to create Service Principals
+
+Instead, let's create the Service Principal out of band, and then pass the principal to the CLI extension.
+
+## Create a new Service Principal
+
+Create a new Service Principal with an informative name. Note that this name must be unique for your Azure Active Directory tenant:
+
+```console
+az ad sp create-for-RBAC --skip-assignment --name "https://azure-arc-for-k8s-onboarding"
+```
+
+**Output:**
+
+```console
+{
+  "appId": "22cc2695-54b9-49c1-9a73-2269592103d8",
+  "displayName": "azure-arc-for-k8s-onboarding",
+  "name": "https://azure-arc-for-k8s-onboarding",
+  "password": "09d3a928-b223-4dfe-80e8-fed13baa3b3d",
+  "tenant": "72f988bf-86f1-41af-91ab-2d7cd011db47"
+}
+```
+
+## Assign permissions
+
+After creating the new Service Principal, assign the "Azure Arc for Kubernetes Onboarding" role to the newly created principal. This is a built-in Azure role with limited permissions, which only allows the principal to register clusters to Azure. The principal cannot update, delete, or modify any other clusters or resources within the subscription.
+
+Given the limited abilities, customers can easily re-use this principal to onboard multiple clusters.
+
+Permissions may be further limited by passing in the appropriate `--scope` argument when assigning the role. This allows customers to restrict cluster registration. The following scenarios are supported by various `--scope` parameters:
+
+| Resource  | `scope` argument| Effect |
+| ------------- | ------------- | ------------- |
+| Subscription | `--scope /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333` | Service principal can register any cluster in an existing Resource Group in the given subscription |
+| Resource Group | `--scope /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup`  | Service principal can __only__ register clusters in the Resource Group `myGroup` |
+
+```console
+az role assignment create \
+    --role 34e09817-6cbe-4d01-b1a2-e0eac5743d41 \      # this is the id for the built-in role
+    --assignee 22cc2695-54b9-49c1-9a73-2269592103d8 \  # use the appId from the new SP
+    --scope /subscriptions/<<SUBSCRIPTION_ID>>         # apply the apropriate scope
+```
+
+**Output:**
+
+```console
+{
+  "canDelegate": null,
+  "id": "/subscriptions/<<SUBSCRIPTION_ID>>/providers/Microsoft.Authorization/roleAssignments/fbd819a9-01e8-486b-9eb9-f177ba400ba6",
+  "name": "fbd819a9-01e8-486b-9eb9-f177ba400ba6",
+  "principalId": "ddb0ddb4-ba84-4cde-b936-affc272a4b90",
+  "principalType": "ServicePrincipal",
+  "roleDefinitionId": "/subscriptions/<<SUBSCRIPTION_ID>>/providers/Microsoft.Authorization/roleDefinitions/34e09817-6cbe-4d01-b1a2-e0eac5743d41",
+  "scope": "/subscriptions/<<SUBSCRIPTION_ID>>",
+  "type": "Microsoft.Authorization/roleAssignments"
+}
+```
+
+## Use Service Principal with CLI
+
+Reference the newly created Service Principal:
+
+```console
+az login --service-principal -u mySpnClientId -p mySpnClientSecret --tenant myTenantID
+az connectedk8s connect -n myConnectedClusterName -g myResoureGroupName
+```
+
+## Next steps
+
+* [Use Azure Policy to govern cluster configuration](./use-azure-policy.md)
@@ -0,0 +1,71 @@
+---
+title: "Deploy Azure IoT Edge workloads (Preview)"
+services: azure-arc
+ms.service: azure-arc
+#ms.subservice: azure-arc-kubernetes coming soon
+ms.date: 05/19/2020
+ms.topic: article
+author: mlearned
+ms.author: mlearned
+description: "Deploy Azure IoT Edge workloads"
+keywords: "Kubernetes, Arc, Azure, K8s, containers"
+---
+
+
+# Deploy Azure IoT Edge workloads (Preview)
+
+## Overview
+
+Azure Arc and Azure IoT Edge complement each other's capabilities quite well. Azure Arc provides mechanisms for cluster operators to the configure the foundational components of a cluster as well as apply and enforce cluster policies. And IoT Edge allows application operators to remotely deploy and manage the workloads at scale with convenient cloud ingestion and bi-directional communication primitives. The diagram below illustrates this:
+
+![](./media/edge-arc.png)
+
+## Pre-requisites
+
+* [Register an IoT Edge device](https://docs.microsoft.com/azure/iot-edge/quickstart-linux#register-an-iot-edge-device) and [deploy the simulated temperature sensor module](https://docs.microsoft.com/azure/iot-edge/quickstart-linux#deploy-a-module). Be sure to note the device's connection string.
+
+* Use [IoT Edge's support for Kubernetes](https://aka.ms/edgek8sdoc) to deploy it via Azure Arc's Flux operator.
+
+* Download the [**values.yaml**](https://github.com/Azure/iotedge/blob/master/kubernetes/charts/edge-kubernetes/values.yaml) file for IoT Edge Helm chart and replace the **deviceConnectionString** placeholder at the end of the file with the one noted in Step 1. You can set any other supported chart installation options as required. Create a namespace for the IoT Edge workload and create add a secret in it:
+
+    ```
+    $ kubectl create ns iotedge
+
+    $ kubectl create secret generic dcs --from-file=fully-qualified-path-to-values.yaml --namespace iotedge
+    ```
+
+    >You can also set this up remotely using the [cluster config example](./use-gitops-connected-cluster.md).
+
+## Connect a cluster
+
+Use the `az` CLI `connectedk8s` extension to connect a Kubernetes cluster to Azure Arc:
+
+  ```
+  az connectedk8s connect --name AzureArcIotEdge --resource-group AzureArcTest
+  ```
+
+## Create a configuration for IoT Edge
+
+Example repo: https://github.com/veyalla/edgearc
+
+This repo points to the IoT Edge Helm chart and references the secret created in the pre-requisites section.
+
+1. Use the `az` CLI `k8sconfiguration` extension to create a configuration to link the connected cluster to the git repo:
+
+    ```
+    az k8sconfiguration create --name iotedge --cluster-name AzureArcIotEdge --resource-group AzureArcTest --operator-instance-name iotedge --operator-namespace azure-arc-iot-edge --enable-helm-operator --helm-operator-chart-version 0.6.0 --helm-operator-chart-values "--set helm.versions=v3" --repository-url "git://github.com/veyalla/edgearc.git" --cluster-scoped
+    ```
+
+    In a minute or two, you should see the IoT Edge workload modules deployed into the `iotedge` namespace in your cluster. You can view the logs of the `SimulatedTemperatureSensor` pod in that namespace to see the sample values being generated. You can also watch the messages arrive at your IoT hub by using the [Azure IoT Hub Toolkit extension for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-toolkit).
+
+## Cleanup
+
+You can remove the configuration using:
+
+```
+az k8sconfiguration delete -g AzureArcTest --cluster-name AzureArcIotEdge --name iotedge
+```
+
+## Next steps
+
+[Use Azure Policy to govern cluster configuration](./use-azure-policy.md)