Merge pull request #287388 from kgremban/m2-bbprep

M2 bbprep

Author: prmerger-automator[bot]

articles/iot-operations/configure-observability-monitoring/howto-configure-observability.md

@@ -19,8 +19,10 @@ Observability provides visibility into every layer of your Azure IoT Operations
 
 ## Prerequisites
 
-- Azure IoT Operations Preview installed. For more information, see [Quickstart: Run Azure IoT Operations Preview in GitHub Codespaces with K3s](../get-started-end-to-end-sample/quickstart-deploy.md).
-- [Git](https://git-scm.com/downloads) for cloning the repository.
+* An Arc-enabled Kubernetes cluster.
+* Helm installed on your development machine. For instructions, see [Install Helm](https://helm.sh/docs/intro/install/).
+* Kubectl installed on your development machine. For instructions, see [Install Kubernetes tools](https://kubernetes.io/docs/tasks/tools/).
+* Azure CLI installed on your development machine. For more information, see [How to install the Azure CLI](/cli/azure/install-azure-cli).
 
 ## Configure your subscription
 
@@ -39,17 +41,11 @@ az provider register -n "Microsoft.AlertsManagement"
 
 The steps in this section install shared monitoring resources and configure your Arc enabled cluster to emit observability signals to these resources. The shared monitoring resources include Azure Managed Grafana, Azure Monitor Workspace, Azure Managed Prometheus, Azure Log Analytics, and Container Insights. In this section, you also deploy an [OpenTelemetry (Otel) Collector](https://opentelemetry.io/docs/collector/)
 
-1. In your console, go to the local folder where you want to clone the Azure IoT Operations repo:
+1. Clone or download the Azure IoT Operations repo to your local machine: [azure-iot-operations.git](https://github.com/Azure/azure-iot-operations.git).
 
    > [!NOTE]
    > The repo contains the deployment definition of Azure IoT Operations, and samples that include the sample dashboards used in this article.
 
-1. Clone the repo to your local machine, using the following command:
-
-   ```shell
-   git clone https://github.com/Azure/azure-iot-operations.git
-   ```
-
 1. Browse to the following path in your local copy of the repo:
 
    *azure-iot-operations\tools\setup-3p-obs-infra*

articles/iot-operations/deploy-iot-ops/howto-deploy-iot-operations.md

@@ -41,25 +41,7 @@ Cloud resources:
   az keyvault create --enable-rbac-authorization --name "<KEYVAULT_NAME>" --resource-group "<RESOURCE_GROUP>"
   ```
 
-* Azure access permissions. For more information, see [Steps to assign an Azure role](../../role-based-access-control/role-assignments-steps.md).
-
-  * At a minimum, have **Contributor** permissions in your Azure subscription.
-
-  * Creating secrets in Key Vault requires **Key Vault Secrets Officer** permissions.
-
-  * The following tasks require **Microsoft/Authorization/roleAssignments/write** permissions.
-
-    * Enabling resource sync rules on the Azure IoT Operations instance. If you don't have role assignment write permissions, you can disable this feature during deployment. This approach is discussed in more detail in the [Deploy](#deploy) section of this article.
-
-    * Creating a schema registry.
-
-  > [!TIP]
-  >
-  > * If you use the Azure CLI, use the [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create) command to give permissions. For example, `az role assignment create --assignee sp_name --role "Role Based Access Control Administrator" --scope subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyResourceGroup`
-  >
-  > * If you use the Azure portal to assign privileged admin roles to a user or principal, you're prompted to restrict access using conditions. For this scenario, select the **Allow user to assign all roles** condition in the **Add role assignment** page.
-  >
-  >   :::image type="content" source="./media/howto-deploy-iot-operations/add-role-assignment-conditions.png" alt-text="Screenshot that shows assigning users highly privileged role access in the Azure portal.":::
+* Azure access permissions. For more information, see [Deployment details > Required permissions](overview-deploy.md#required-permissions).
 
 Development resources:
 
@@ -73,7 +55,7 @@ Development resources:
 
 A cluster host:
 
-* An Azure Arc-enabled Kubernetes cluster with the custom location and workload identity features enabled. If you don't have one, follow the steps in [Prepare your Azure Arc-enabled Kubernetes cluster](./howto-prepare-cluster.md?tabs=wsl-ubuntu).
+* An Azure Arc-enabled Kubernetes cluster with the custom location and workload identity features enabled. If you don't have one, follow the steps in [Prepare your Azure Arc-enabled Kubernetes cluster](./howto-prepare-cluster.md).
 
   If you deployed Azure IoT Operations to your cluster previously, uninstall those resources before continuing. For more information, see [Update Azure IoT Operations](./howto-manage-update-uninstall.md#update).
 
@@ -83,6 +65,8 @@ A cluster host:
   az iot ops verify-host
   ```
 
+* (Optional) Prepare your cluster for observability before deploying Azure IoT Operations: [Configure observability](../configure-observability-monitoring/howto-configure-observability.md).
+
 ## Deploy
 
 Use the Azure portal or Azure CLI to deploy Azure IoT Operations to your Arc-enabled Kubernetes cluster.
@@ -154,7 +138,7 @@ Azure IoT Operations requires a schema registry on your cluster. Schema registry
    | Optional parameter | Value | Description |
    | --------- | ----- | ----------- |
    | `--no-progress` |  | Disables the deployment progress display in the terminal. |
-   | `--disable-rsync-rules` |  | Disable the resource sync rules on the deployment feature flag if you don't have **Microsoft.Authorization/roleAssignment/write** permissions in the resource group. |
+   | `--enable-rsync-rules` |  | Enable the resource sync rules on the instance to project resources from the cloud to the edge. |
    | `--add-insecure-listener` |  | Add an insecure 1883 port config to the default listener. *Not for production use*. |
    | `--broker-config-file` | Path to JSON file | Provide a configuration file for the MQTT broker. For more information, see [Advanced MQTT broker config](https://github.com/Azure/azure-iot-ops-cli-extension/wiki/Advanced-Mqtt-Broker-Config) and [Configure core MQTT broker settings](../manage-mqtt-broker/howto-configure-availability-scale.md). |
 

articles/iot-operations/deploy-iot-ops/howto-prepare-cluster.md

@@ -29,8 +29,6 @@ Microsoft supports AKS Edge Essentials for deployments on Windows and K3s for de
 
 To prepare your Azure Arc-enabled Kubernetes cluster, you need:
 
-* Hardware that meets the [system requirements](/azure/azure-arc/kubernetes/system-requirements).
-
 ### [AKS Edge Essentials](#tab/aks-edge-essentials)
 
 * An Azure subscription. If you don't have an Azure subscription, [create one for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
@@ -105,10 +103,14 @@ This section provides steps to create clusters in validated environments on Linu
 
 The [AksEdgeQuickStartForAio.ps1](https://github.com/Azure/AKS-Edge/blob/main/tools/scripts/AksEdgeQuickStart/AksEdgeQuickStartForAio.ps1) script automates the process of creating and connecting a cluster, and is the recommended path for deploying Azure IoT Operations on AKS Edge Essentials.
 
- 
-
 1. Open an elevated PowerShell window and change the directory to a working folder.
 
+1. Get the `objectId` of the Microsoft Entra ID application that the Azure Arc service uses in your tenant.
+
+   ```azurecli
+   az ad sp show --id bc313c14-388c-4e7d-a58e-70017303ee3b --query id -o tsv
+   ```
+
 1. Run the following commands, replacing the placeholder values with your information:
 
    | Placeholder | Value |
@@ -118,26 +120,28 @@ The [AksEdgeQuickStartForAio.ps1](https://github.com/Azure/AKS-Edge/blob/main/to
    | RESOURCE_GROUP_NAME | The name of an existing resource group or a name for a new resource group to be created. |
    | LOCATION | An Azure region close to you. For the list of currently supported Azure regions, see [Supported regions](../overview-iot-operations.md#supported-regions). |
    | CLUSTER_NAME | A name for the new cluster to be created. |
+   | ARC_APP_OBJECT_ID | The object ID value that you retrieved in the previous step. |
 
-> [!NOTE]
->  > **Special instructions for AIO Internal Bugbash**: 
+   > [!NOTE]
+   > **Special instructions for AIO Internal Bugbash**:
+   >
    > The instructions below for AksEdgeQuickStartForAio.ps1 from AKS-Edge GitHub repo are  for external customer consumption and will only work after AIO 0.7 is released. 
    > For internal bug bashes, use this powershell script below instead
->   ```powershell
->   $url = "https://raw.githubusercontent.com/jagadishmurugan/AKS-Edge/blob/users/jagamu/changes-for-M2-integration/tools/scripts/AksEdgeQuickStart/AksEdgeQuickStartForAio.ps1"
->   Invoke-WebRequest -Uri $url -OutFile .\AksEdgeQuickStartForAio.ps1
->   Unblock-File .\AksEdgeQuickStartForAio.ps1
->   Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force
->   .\AksEdgeQuickStartForAio.ps1 -SubscriptionId "<SUBSCRIPTION_ID>" -TenantId "<TENANT_ID>" -ResourceGroupName "<RESOURCE_GROUP_NAME>"  -Location "<LOCATION>"  -ClusterName "<CLUSTER_NAME>" -Tag "test-v0.3" -CustomLocationOid $customlocationOid
->   ```
-
+   >
+   >```powershell
+   >$url = "https://raw.githubusercontent.com/jagadishmurugan/AKS-Edge/blob/users/jagamu/changes-for-M2-integration/tools/scripts/AksEdgeQuickStart/AksEdgeQuickStartForAio.ps1"
+   >Invoke-WebRequest -Uri $url -OutFile .\AksEdgeQuickStartForAio.ps1
+   >Unblock-File .\AksEdgeQuickStartForAio.ps1
+   >Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force
+   >.\AksEdgeQuickStartForAio.ps1 -SubscriptionId "<SUBSCRIPTION_ID>" -TenantId "<TENANT_ID>" -ResourceGroupName "<RESOURCE_GROUP_NAME>"  -Location "<LOCATION>"  -ClusterName "<CLUSTER_NAME>" -Tag "test-v0.3" -CustomLocationOid $customlocationOid
+   >```
 
    ```powershell
    $url = "https://raw.githubusercontent.com/Azure/AKS-Edge/main/tools/scripts/AksEdgeQuickStart/AksEdgeQuickStartForAio.ps1"
    Invoke-WebRequest -Uri $url -OutFile .\AksEdgeQuickStartForAio.ps1
    Unblock-File .\AksEdgeQuickStartForAio.ps1
    Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force
-   .\AksEdgeQuickStartForAio.ps1 -SubscriptionId "<SUBSCRIPTION_ID>" -TenantId "<TENANT_ID>" -ResourceGroupName "<RESOURCE_GROUP_NAME>"  -Location "<LOCATION>"  -ClusterName "<CLUSTER_NAME>"
+   .\AksEdgeQuickStartForAio.ps1 -SubscriptionId "<SUBSCRIPTION_ID>" -TenantId "<TENANT_ID>" -ResourceGroupName "<RESOURCE_GROUP_NAME>"  -Location "<LOCATION>"  -ClusterName "<CLUSTER_NAME>" --CustomLocationOid "<ARC_APP_OBJECT_ID>"
    ```
 
    If there are any issues during deployment, including if your machine reboots as part of this process, run the whole set of commands again.

articles/iot-operations/deploy-iot-ops/overview-deploy.md

@@ -42,6 +42,25 @@ If you want to deploy Azure IoT Operations with secure settings, follow these ar
 1. Start with [Prepare your Azure Arc-enabled Kubernetes cluster](./howto-prepare-cluster.md) to configure and Arc-enable your cluster.
 1. Then, [Deploy Azure IoT Operations Preview](./howto-deploy-iot-operations.md).
 
+## Required permissions
+
+The following table described Azure IoT Operations deployment and management tasks that require elevated permissions. For information about assigning roles to users, see [Steps to assign an Azure role](../../role-based-access-control/role-assignments-steps.md).
+
+| Task | Required permission | Comments |
+| ---- | ------------------- | -------- |
+| Deploy Azure IoT Operations | **Contributor** permissions at the subscription level. |  |
+| Create secrets in Key Vault | **Key Vault Secrets Officer** permissions at the resource level. | Only required for secure settings deployment. |
+| Enable resource sync rules on an Azure IoT Operations instance | **Microsoft/Authorization/roleAssignments/write** permissions at the resource group level. | Resource sync rules are disabled by default, but can be enabled during instance creation. |
+| Create a schema registry. | **Microsoft/Authorization/roleAssignments/write** permissions at the resource group level. |  |
+
+> [!TIP]
+>
+> * If you use the Azure CLI to assign roles, use the [az role assignment create](/cli/azure/role/assignment#az-role-assignment-create) command to give permissions. For example, `az role assignment create --assignee sp_name --role "Role Based Access Control Administrator" --scope subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyResourceGroup`
+>
+> * If you use the Azure portal to assign privileged admin roles to a user or principal, you're prompted to restrict access using conditions. For this scenario, select the **Allow user to assign all roles** condition in the **Add role assignment** page.
+>
+>   :::image type="content" source="./media/howto-deploy-iot-operations/add-role-assignment-conditions.png" alt-text="Screenshot that shows assigning users highly privileged role access in the Azure portal.":::
+
 ## Included components
 
 Azure IoT Operations is a suite of data services that run on Azure Arc-enabled edge Kubernetes clusters. It also depends on a set of support services that are also installed as part of a deployment.

articles/iot-operations/get-started-end-to-end-sample/quickstart-deploy.md

@@ -81,6 +81,17 @@ To connect your cluster to Azure Arc:
 
 1. After signing in, Azure CLI displays all of your subscriptions and indicates your default subscription with an asterisk `*`. To continue with your default subscription, select `Enter`. Otherwise, type the number of the Azure subscription that you want to use.
 
+   > [!NOTE]
+   > **Special instructions for AIO Internal Bugbash**:
+   >
+   > Official IoT Ops CLI releases are installed via extension index like so az extension add --upgrade --name azure-iot-ops mentioned below.
+   > However for bug bashes, we will distribute one-off release candidates intended to expose functionality to exercise internally. Use this for Bug Bash 2 on 9/27:
+   >
+   > ``` bash
+   >    az storage blob download --auth-mode login --blob-url https://azedgecli.blob.core.windows.net/drop/azure_iot_ops-0.7.0a10-py3-none-any.whl -f ./azure_iot_ops-0.7.0a10-py3-none-any.whl
+   >    az extension add --upgrade --source ./azure_iot_ops-0.7.0a10-py3-none-any.whl
+   > ```
+
 1. Register the required resource providers in your subscription:
 
    >[!NOTE]

articles/iot-operations/includes/connect-cluster-k3s.md

@@ -33,15 +33,8 @@ ms.custom: include file, ignite-2023, devx-track-azurecli
 1. Download and install a preview version of the `connectedk8s` extension for Azure CLI.
 
    ```azurecli
-   az storage blob download --auth-mode login --blob-url https://github.com/AzureArcForKubernetes/azure-cli-extensions/blob/connectedk8s/public/cli-extensions/connectedk8s-1.10.0-py2.py3-none-any.whl -f ./connectedk8s-1.10.0-py2.py3-none-any.whl
-   
-   az extension add --upgrade --source ./connectedk8s-1.10.0-py2.py3-none-any.whl
-   ```
-
-1. Use the [az connectedk8s connect](/cli/azure/connectedk8s#az-connectedk8s-connect) command to Arc-enable your Kubernetes cluster and manage it as part of your Azure resource group:
-
-   ```azurecli
-   az connectedk8s connect --name $CLUSTER_NAME -l $LOCATION --resource-group $RESOURCE_GROUP --subscription $SUBSCRIPTION_ID --disable-auto-upgrade
+   curl -L -o connectedk8s-1.10.0-py2.py3-none-any.whl https://github.com/AzureArcForKubernetes/azure-cli-extensions/raw/refs/heads/connectedk8s/public/cli-extensions/connectedk8s-1.10.0-py2.py3-none-any.whl   
+   az extension add --upgrade --source connectedk8s-1.10.0-py2.py3-none-any.whl
    ```
 
 1. Export environment variables that the `az connectedk8s upgrade` command requires.
@@ -51,16 +44,10 @@ ms.custom: include file, ignite-2023, devx-track-azurecli
    export HELMREGISTRY=azurearcfork8sdev.azurecr.io/merge/private/azure-arc-k8sagents:0.1.15392-private
    ```
 
-1. Upgrade the Azure Arc agent to use a preview build that supports the workload identity feature that Azure IoT Operations uses for user-assigned managed identities.
-
-   ```azurecli
-   az connectedk8s upgrade --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME --agent-version 0.1.15392-private
-   ```
-
-1. Enable the workload identity feature on the cluster.
+1. Use the [az connectedk8s connect](/cli/azure/connectedk8s#az-connectedk8s-connect) command to Arc-enable your Kubernetes cluster and manage it as part of your Azure resource group:
 
    ```azurecli
-   az connectedk8s update --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME --enable-oidc-issuer --enable-workload-identity
+   az connectedk8s connect --name $CLUSTER_NAME -l $LOCATION --resource-group $RESOURCE_GROUP --subscription $SUBSCRIPTION_ID --disable-auto-upgrade --enable-oidc-issuer --enable-workload-identity
    ```
 
 1. Get the cluster's issuer URL.
@@ -80,12 +67,12 @@ ms.custom: include file, ignite-2023, devx-track-azurecli
 1. Add the following content to the `config.yaml` file, replacing the `<SERVICE_ACCOUNT_ISSUER>` placeholder with your cluster's issuer URL.
 
    ```yml
-   kube-apiserver-arg: 'service-account-issuer=<SERVICE_ACCOUNT_ISSUER>' kube-apiserver-arg: 'service-account-max-token-expiration=24h'
+   kube-apiserver-arg: 'service-account-issuer=<SERVICE_ACCOUNT_ISSUER>'
    ```
 
 1. Save the file and exit the nano editor.
 
-1. Get the `objectId` of the Microsoft Entra ID application that the Azure Arc service uses and save it as an environment variable.
+1. Get the `objectId` of the Microsoft Entra ID application that the Azure Arc service uses in your tenant and save it as an environment variable.
 
    ```azurecli
    export OBJECT_ID=$(az ad sp show --id bc313c14-388c-4e7d-a58e-70017303ee3b --query id -o tsv)