Merge pull request #267369 from zfengms/zfeng/kvexttemplate

Stacyrch140 · web-flow · commit 45b0c4ab4296 · 2024-03-15T20:04:05.000-04:00
add KeyVault Extension for Windows template and troubleshooting information
diff --git a/articles/batch/automatic-certificate-rotation.md b/articles/batch/automatic-certificate-rotation.md
@@ -1,31 +1,32 @@
 ---
 title: Enable automatic certificate rotation in a Batch pool
-description: You can create a Batch pool with a managed identity and a certificate that will automatically be renewed.
+description: You can create a Batch pool with a managed identity and a certificate that can automatically be renewed.
 ms.topic: conceptual
 ms.custom: linux-related-content
 ms.date: 12/05/2023
 ---
+
 # Enable automatic certificate rotation in a Batch pool
 
- You can create a Batch pool with a certificate that will automatically be renewed. To do so, your pool must be created with a [user-assigned managed identity](managed-identity-pools.md) that will have access to the certificate in [Azure Key Vault](../key-vault/general/overview.md).
+You can create a Batch pool with a certificate that can automatically be renewed. To do so, your pool must be created with a [user-assigned managed identity](managed-identity-pools.md) that has access to the certificate in [Azure Key Vault](../key-vault/general/overview.md).
 
 ## Create a user-assigned identity
 
 First, [create your user-assigned managed identity](../active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-portal.md#create-a-user-assigned-managed-identity) in the same tenant as your Batch account. This managed identity doesn't need to be in the same resource group or even in the same subscription.
 
-Be sure to note the **Client ID** of the user-assigned managed identity. You'll need this value later.
+Be sure to note the **Client ID** of the user-assigned managed identity. You need this value later.
 
 :::image type="content" source="media/automatic-certificate-rotation/client-id.png" alt-text="Screenshot showing the client ID of a user-assigned managed identity in the Azure portal.":::
 
 ## Create your certificate
 
-Next, you'll need to create a certificate and add it to Azure Key Vault. If you haven't already created a key vault, you'll need to do that first. For instructions, see [Quickstart: Set and retrieve a certificate from Azure Key Vault using the Azure portal](../key-vault/certificates/quick-create-portal.md).
+Next, you need to create a certificate and add it to Azure Key Vault. If you haven't already created a key vault, you need to do that first. For instructions, see [Quickstart: Set and retrieve a certificate from Azure Key Vault using the Azure portal](../key-vault/certificates/quick-create-portal.md).
 
 When creating your certificate, be sure to set **Lifetime Action Type** to automatically renew, and specify the number of days after which the certificate should renew.
 
 :::image type="content" source="media/automatic-certificate-rotation/certificate.png" alt-text="Screenshot of the certificate creation screen in the Azure portal.":::
 
-After your certificate has been created, make note of its **Secret Identifier**. You'll need this value later.
+After your certificate has been created, make note of its **Secret Identifier**. You need this value later.
 
 :::image type="content" source="media/automatic-certificate-rotation/secret-identifier.png" alt-text="Screenshot showing the Secret Identifier of a certificate.":::
 
@@ -48,7 +49,68 @@ REST API URI
 PUT https://management.azure.com/subscriptions/<subscriptionid>/resourceGroups/<resourcegroupName>/providers/Microsoft.Batch/batchAccounts/<batchaccountname>/pools/<poolname>?api-version=2021-01-01
 ```
 
-Request Body
+Request Body for Linux node
+
+```json
+{
+  "name": "test2",
+  "type": "Microsoft.Batch/batchAccounts/pools",
+  "properties": {
+    "vmSize": "STANDARD_DS2_V2",
+    "taskSchedulingPolicy": {
+      "nodeFillType": "Pack"
+    },
+    "deploymentConfiguration": {
+      "virtualMachineConfiguration": {
+        "imageReference": {
+          "publisher": "canonical",
+          "offer": "ubuntuserver",
+          "sku": "20.04-lts",
+          "version": "latest"
+        },
+        "nodeAgentSkuId": "batch.node.ubuntu 20.04",
+        "extensions": [
+          {
+            "name": "KVExtensions",
+            "type": "KeyVaultForLinux",
+            "publisher": "Microsoft.Azure.KeyVault",
+            "typeHandlerVersion": "3.0",
+            "autoUpgradeMinorVersion": true,
+            "settings": {
+              "secretsManagementSettings": {
+                "pollingIntervalInS": "300",
+                "certificateStoreLocation": "/var/lib/waagent/Microsoft.Azure.KeyVault",
+                "requireInitialSync": true,
+                "observedCertificates": [
+                  "https://testkvwestus2s.vault.azure.net/secrets/authcertforumatesting/8f5f3f491afd48cb99286ba2aacd39af"
+                ]
+              },
+              "authenticationSettings": {
+                "msiEndpoint": "http://169.254.169.254/metadata/identity",
+                "msiClientId": "b9f6dd56-d2d6-4967-99d7-8062d56fd84c"
+              }
+            }
+          }
+        ]
+      }
+    },
+    "scaleSettings": {
+      "fixedScale": {
+        "targetDedicatedNodes": 1,
+        "resizeTimeout": "PT15M"
+      }
+    }
+  },
+  "identity": {
+    "type": "UserAssigned",
+    "userAssignedIdentities": {
+      "/subscriptions/042998e4-36dc-4b7d-8ce3-a7a2c4877d33/resourceGroups/ACR/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testumaforpools": {}
+    }
+  }
+}
+```
+
+Request Body for Windows node
 
 ```json
 {
@@ -62,26 +124,29 @@ Request Body
         "deploymentConfiguration": {
             "virtualMachineConfiguration": {
                 "imageReference": {
-                    "publisher": "canonical",
-                    "offer": "ubuntuserver",
-                    "sku": "20.04-lts",
+                    "publisher": "microsoftwindowsserver",
+                    "offer": "windowsserver",
+                    "sku": "2022-datacenter",
                     "version": "latest"
                 },
-                "nodeAgentSkuId": "batch.node.ubuntu 20.04",
+                "nodeAgentSkuId": "batch.node.windows amd64",
                 "extensions": [
                     {
                         "name": "KVExtensions",
-                        "type": "KeyVaultForLinux",
+                        "type": "KeyVaultForWindows",
                         "publisher": "Microsoft.Azure.KeyVault",
-                        "typeHandlerVersion": "1.0",
+                        "typeHandlerVersion": "3.0",
                         "autoUpgradeMinorVersion": true,
                         "settings": {
                             "secretsManagementSettings": {
                                 "pollingIntervalInS": "300",
-                                "certificateStoreLocation": "/var/lib/waagent/Microsoft.Azure.KeyVault",
                                 "requireInitialSync": true,
                                 "observedCertificates": [
-                                    "https://testkvwestus2s.vault.azure.net/secrets/authcertforumatesting/8f5f3f491afd48cb99286ba2aacd39af"
+                                    {
+                                        "https://testkvwestus2s.vault.azure.net/secrets/authcertforumatesting/8f5f3f491afd48cb99286ba2aacd39af",
+                                        "certificateStoreLocation": "LocalMachine",
+                                        "keyExportable": true
+                                    }
                                 ]
                             },
                             "authenticationSettings": {
@@ -112,13 +177,20 @@ Request Body
 
 ## Validate the certificate
 
-To confirm that the certificate has been successfully deployed, log in to the compute node. You should see output similar to the following:
+To confirm that the certificate is successfully deployed, log in to the compute node. You should see output similar to the following:
 
 ```
 root@74773db5fe1b42ab9a4b6cf679d929da000000:/var/lib/waagent/Microsoft.Azure.KeyVault.KeyVaultForLinux-1.0.1363.13/status# cat 1.status
 [{"status":{"code":0,"formattedMessage":{"lang":"en","message":"Successfully started Key Vault extension service. 2021-03-03T23:12:23Z"},"operation":"Service start.","status":"success"},"timestampUTC":"2021-03-03T23:12:23Z","version":"1.0"}]root@74773db5fe1b42ab9a4b6cf679d929da000000:/var/lib/waagent/Microsoft.Azure.KeyVault.KeyVaultForLinux-1.0.1363.13/status#
 ```
 
+## Troubleshooting Key Vault Extension
+
+If Key Vault extension is configured incorrectly, the compute node might be in usuable state. To troubleshoot Key Vault extension failure, you can temporarily set requireInitialSync to false and redeploy your pool, then the compute node is in idle state, you can log in to the compute node to check KeyVault extension logs for errors and fix the configuration issues. Visit following Key Vault extension doc link for more information.
+
+- [Azure Key Vault extension for Linux](../virtual-machines/extensions/key-vault-linux.md)
+- [Azure Key Vault extension for Windows](../virtual-machines/extensions/key-vault-windows.md)
+
 ## Next steps
 
 - Learn more about [Managed identities for Azure resources](../active-directory/managed-identities-azure-resources/overview.md).
diff --git a/articles/batch/create-pool-extensions.md b/articles/batch/create-pool-extensions.md
@@ -8,15 +8,15 @@ ms.date: 12/05/2023
 
 # Use extensions with Batch pools
 
-Extensions are small applications that facilitate post-provisioning configuration and setup on Batch compute nodes. You can select any of the extensions that are allowed by Azure Batch and have them installed on the compute nodes as they're provisioned. After that, the extension can perform its intended operation.
+Extensions are small applications that facilitate post-provisioning configuration and setup on Batch compute nodes. You can select any of the extensions that are allowed by Azure Batch and install them on the compute nodes as they're provisioned. After that, the extension can perform its intended operation.
 
 You can check the live status of the extensions you use and retrieve the information they return in order to pursue any detection, correction, or diagnostics capabilities.
 
 ## Prerequisites
 
 - Pools with extensions must use [Virtual Machine Configuration](nodes-and-pools.md#virtual-machine-configuration).
 - The CustomScript extension type is reserved for the Azure Batch service and can't be overridden.
-- Some extensions may need pool-level Managed Identity accessible in the context of a compute node in order to function properly. Please see [configuring managed identities in Batch pools](managed-identity-pools.md) if applicable for the extension(s).
+- Some extensions may need pool-level Managed Identity accessible in the context of a compute node in order to function properly. See [configuring managed identities in Batch pools](managed-identity-pools.md) if applicable for the extensions.
 
 > [!TIP]
 > Extensions cannot be added to an existing pool. Pools must be recreated to add, remove, or update extensions.
@@ -38,19 +38,82 @@ The following extensions can currently be installed when creating a Batch pool:
 - [Azure Monitor agent for Linux](../azure-monitor/agents/azure-monitor-agent-manage.md)
 - [Azure Monitor agent for Windows](../azure-monitor/agents/azure-monitor-agent-manage.md)
 
-You can request support for additional publishers and/or extension types by opening a support request.
+You can request support for other publishers and/or extension types by opening a support request.
 
 ## Create a pool with extensions
 
-The example below creates a Batch pool of Linux nodes that uses the Azure Key Vault extension.
+The following example creates a Batch pool of Linux/Windows nodes that uses the Azure Key Vault extension.
 
 REST API URI
 
 ```http
  PUT https://management.azure.com/subscriptions/<subscriptionId>/resourceGroups/<resourceGroup>/providers/Microsoft.Batch/batchAccounts/<batchaccountName>/pools/<batchpoolName>?api-version=2021-01-01
 ```
 
-Request Body
+Request Body for Linux node
+
+```json
+{
+  "name": "test1",
+  "type": "Microsoft.Batch/batchAccounts/pools",
+  "properties": {
+    "vmSize": "STANDARD_DS2_V2",
+    "taskSchedulingPolicy": {
+      "nodeFillType": "Pack"
+    },
+    "deploymentConfiguration": {
+      "virtualMachineConfiguration": {
+        "imageReference": {
+          "publisher": "microsoftcblmariner",
+          "offer": "cbl-mariner",
+          "sku": "cbl-mariner-2",
+          "version": "latest"
+        },
+        "nodeAgentSkuId": "batch.node.mariner 2.0",
+        "extensions": [
+          {
+            "name": "secretext",
+            "type": "KeyVaultForLinux",
+            "publisher": "Microsoft.Azure.KeyVault",
+            "typeHandlerVersion": "3.0",
+            "autoUpgradeMinorVersion": true,
+            "settings": {
+              "secretsManagementSettings": {
+                "pollingIntervalInS": "300",
+                "certificateStoreLocation": "/var/lib/waagent/Microsoft.Azure.KeyVault",
+                "requireInitialSync": true,
+                "observedCertificates": [
+                  "https://testkvwestus2.vault.azure.net/secrets/authsecreat"
+                ]
+              },
+              "authenticationSettings": {
+                "msiEndpoint": "http://169.254.169.254/metadata/identity",
+                "msiClientId": "885b1a3d-f13c-4030-afcf-9f05044d78dc"
+              }
+            },
+            "protectedSettings": {}
+          }
+        ]
+      }
+    },
+    "scaleSettings": {
+      "fixedScale": {
+        "targetDedicatedNodes": 1,
+        "targetLowPriorityNodes": 0,
+        "resizeTimeout": "PT15M"
+      }
+    }
+  },
+  "identity": {
+    "type": "UserAssigned",
+    "userAssignedIdentities": {
+      "/subscriptions/042998e4-36dc-4b7d-8ce3-a7a2c4877d33/resourceGroups/ACR/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testumaforpools": {}
+    }
+  }
+}
+```
+
+Request Body for Windows node
 
 ```json
 {
@@ -64,26 +127,29 @@ Request Body
         "deploymentConfiguration": {
             "virtualMachineConfiguration": {
                 "imageReference": {
-                    "publisher": "microsoftcblmariner",
-                    "offer": "cbl-mariner",
-                    "sku": "cbl-mariner-2",
+                    "publisher": "microsoftwindowsserver",
+                    "offer": "windowsserver",
+                    "sku": "2022-datacenter",
                     "version": "latest"
                 },
-                "nodeAgentSkuId": "batch.node.mariner 2.0",
+                "nodeAgentSkuId": "batch.node.windows amd64",
                 "extensions": [
                     {
                         "name": "secretext",
-                        "type": "KeyVaultForLinux",
+                        "type": "KeyVaultForWindows",
                         "publisher": "Microsoft.Azure.KeyVault",
-                        "typeHandlerVersion": "1.0",
+                        "typeHandlerVersion": "3.0",
                         "autoUpgradeMinorVersion": true,
                         "settings": {
                             "secretsManagementSettings": {
                                 "pollingIntervalInS": "300",
-                                "certificateStoreLocation": "/var/lib/waagent/Microsoft.Azure.KeyVault",
                                 "requireInitialSync": true,
                                 "observedCertificates": [
-                                    "https://testkvwestus2.vault.azure.net/secrets/authsecreat"
+                                    {
+                                        "https://testkvwestus2.vault.azure.net/secrets/authsecreat"
+                                        "certificateStoreLocation": "LocalMachine",
+                                        "keyExportable": true
+                                    }
                                 ]
                             },
                             "authenticationSettings": {
@@ -103,13 +169,19 @@ Request Body
                 "resizeTimeout": "PT15M"
             }
         }
+    },
+    "identity": {
+        "type": "UserAssigned",
+        "userAssignedIdentities": {
+            "/subscriptions/042998e4-36dc-4b7d-8ce3-a7a2c4877d33/resourceGroups/ACR/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testumaforpools": {}
+        }
     }
 }
 ```
 
 ## Get extension data from a pool
 
-The example below retrieves data from the Azure Key Vault extension.
+The following example retrieves data from the Azure Key Vault extension.
 
 REST API URI
 
@@ -121,19 +193,36 @@ Response Body
 
 ```json
 {
-  "odata.metadata":"https://testwestus2batch.westus2.batch.azure.com/$metadata#extensions/@Element","instanceView":{
-    "name":"secretext","statuses":[
+  "odata.metadata": "https://testwestus2batch.westus2.batch.azure.com/$metadata#extensions/@Element",
+  "instanceView": {
+    "name": "secretext",
+    "statuses": [
       {
-        "code":"ProvisioningState/succeeded","level":0,"displayStatus":"Provisioning succeeded","message":"Successfully started Key Vault extension service. 2021-02-08T19:49:39Z"
+        "code": "ProvisioningState/succeeded",
+        "level": 0,
+        "displayStatus": "Provisioning succeeded",
+        "message": "Successfully started Key Vault extension service. 2021-02-08T19:49:39Z"
       }
     ]
-  },"vmExtension":{
-    "name":"KVExtensions","publisher":"Microsoft.Azure.KeyVault","type":"KeyVaultForLinux","typeHandlerVersion":"1.0","autoUpgradeMinorVersion":true,"settings":"{\r\n  \"secretsManagementSettings\": {\r\n    \"pollingIntervalInS\": \"300\",\r\n    \"certificateStoreLocation\": \"/var/lib/waagent/Microsoft.Azure.KeyVault\",\r\n    \"requireInitialSync\": true,\r\n    \"observedCertificates\": [\r\n      \"https://testkvwestus2.vault.azure.net/secrets/testumi\"\r\n    ]\r\n  },\r\n  \"authenticationSettings\": {\r\n    \"msiEndpoint\": \"http://169.254.169.254/metadata/identity\",\r\n    \"msiClientId\": \"885b1a3d-f13c-4030-afcf-922f05044d78dc\"\r\n  }\r\n}"
+  },
+  "vmExtension": {
+    "name": "KVExtensions",
+    "publisher": "Microsoft.Azure.KeyVault",
+    "type": "KeyVaultForLinux",
+    "typeHandlerVersion": "1.0",
+    "autoUpgradeMinorVersion": true,
+    "settings": "{\r\n  \"secretsManagementSettings\": {\r\n    \"pollingIntervalInS\": \"300\",\r\n    \"certificateStoreLocation\": \"/var/lib/waagent/Microsoft.Azure.KeyVault\",\r\n    \"requireInitialSync\": true,\r\n    \"observedCertificates\": [\r\n      \"https://testkvwestus2.vault.azure.net/secrets/testumi\"\r\n    ]\r\n  },\r\n  \"authenticationSettings\": {\r\n    \"msiEndpoint\": \"http://169.254.169.254/metadata/identity\",\r\n    \"msiClientId\": \"885b1a3d-f13c-4030-afcf-922f05044d78dc\"\r\n  }\r\n}"
   }
 }
-
 ```
 
+## Troubleshooting Key Vault Extension
+
+If Key Vault extension is configured incorrectly, the compute node might be in a usable state. To troubleshoot Key Vault extension failure, you can temporarily set requireInitialSync to false and redeploy your pool, then the compute node is in idle state, you can log in to the compute node to check KeyVault extension logs for errors and fix the configuration issues. Visit following Key Vault extension doc link for more information.
+
+- [Azure Key Vault extension for Linux](../virtual-machines/extensions/key-vault-linux.md)
+- [Azure Key Vault extension for Windows](../virtual-machines/extensions/key-vault-windows.md)
+
 ## Next steps
 
 - Learn about various ways to [copy applications and data to pool nodes](batch-applications-to-pool-nodes.md).
