Merge branch 'master' of https://github.com/MicrosoftDocs/azure-docs-pr into update-mstopic-metadata

daveba · daveba · commit d1d3e8c9e0cf · 2020-05-20T14:57:41.000-07:00
diff --git a/articles/azure-arc/kubernetes/connect-cluster.md b/articles/azure-arc/kubernetes/connect-cluster.md
@@ -165,7 +165,7 @@ AzureArcTest1  eastus      AzureArcTest
 Azure Arc enabled Kubernetes deploys a few operators into the `azure-arc` namespace. You can view these deployments and pods here:
 
 ```console
-kubectl -n azure-arc get deploy,po
+kubectl -n azure-arc get deployments,pods
 ```
 
 **Output:**
@@ -194,8 +194,13 @@ pod/resource-sync-agent-5cf85976c7-522p5        3/3     Running  0       16h
 
 Azure Arc enabled Kubernetes consists of a few agents (operators) that run in your cluster deployed to the `azure-arc` namespace.
 
-* `deploy/config-agent`: watches the connected cluster for source control configuration resources applied on the cluster and updates compliance state
-* `deploy/controller-manager`: is an operator of operators and orchestrates interactions between Azure Arc components
+* `deployment.apps/config-agent`: watches the connected cluster for source control configuration resources applied on the cluster and updates compliance state
+* `deployment.apps/controller-manager`: is an operator of operators and orchestrates interactions between Azure Arc components
+* `deployment.apps/metrics-agent`: collects metrics of other Arc agents to ensure that these agents are exhibiting optimal performance
+* `deployment.apps/cluster-metadata-operator`: gathers cluster metadata - cluster version, node count and Arc agent version
+* `deployment.apps/resource-sync-agent`: syncs the above mentioned cluster metadata to Azure
+* `deployment.apps/clusteridentityoperator`: maintains the managed service identity (MSI) certificate used by other agents for communication with Azure
+* `deployment.apps/flux-logs-agent`: collects logs from the flux operators deployed as a part of source control configuration
 
 ## Delete a connected cluster
 
diff --git a/articles/azure-arc/kubernetes/create-onboarding-service-principal.md b/articles/azure-arc/kubernetes/create-onboarding-service-principal.md
@@ -15,12 +15,9 @@ keywords: "Kubernetes, Arc, Azure, containers"
 
 ## Overview
 
-When a cluster is onboarded to Azure, the agents running in your cluster must authenticate to Azure Resource Manager as part of registration. The `connectedk8s` Azure CLI extension has automated Service Principal creation. However, there may be a few scenarios where the CLI automation does not work:
+It is possible to use service principals having a role assignment with limited privileges for onboarding Kubernetes clusters to Azure Arc. This is useful in continuous integration and continuous deployment (CI/CD) pipelines like Azure Pipelines and GitHub Actions.
 
-* Your organization generally restricts the creation of Service Principals
-* The user onboarding the cluster does not have sufficient permissions to create Service Principals
-
-Instead, let's create the Service Principal out of band, and then pass the principal to the Azure CLI extension.
+The following steps provide a walkthrough on using service principals for onboarding Kubernetes clusters to Azure Arc.
 
 ## Create a new Service Principal
 
@@ -59,7 +56,7 @@ Permissions may be further limited by passing in the appropriate `--scope` argum
 az role assignment create \
     --role 34e09817-6cbe-4d01-b1a2-e0eac5743d41 \      # this is the id for the built-in role
     --assignee 22cc2695-54b9-49c1-9a73-2269592103d8 \  # use the appId from the new SP
-    --scope /subscriptions/<<SUBSCRIPTION_ID>>         # apply the apropriate scope
+    --scope /subscriptions/<<SUBSCRIPTION_ID>>         # apply the appropriate scope
 ```
 
 **Output:**
diff --git a/articles/azure-arc/kubernetes/troubleshooting.md b/articles/azure-arc/kubernetes/troubleshooting.md
@@ -45,21 +45,27 @@ If the Helm release is not found or missing, try onboarding the cluster again.
 If the Helm release is present and `STATUS: deployed` determine the status of the agents using `kubectl`:
 
 ```console
-$ kubectl -n azure-arc get deploy,pods
-NAME                                 READY   UP-TO-DATE   AVAILABLE   AGE
-deployment.apps/config-agent         1/1     1            1           53s
-deployment.apps/connect-agent        1/1     1            1           53s
-deployment.apps/controller-manager   1/1     1            1           53s
-deployment.apps/metrics-agent        1/1     1            1           53s
-
-NAME                                      READY   STATUS    RESTARTS   AGE
-pod/config-agent-74cf758b5f-cxnhs         2/2     Running   0          53s
-pod/connect-agent-bc6b9ff5d-dzkvf         2/2     Running   0          53s
-pod/controller-manager-7cf95d5d77-wv5cw   2/2     Running   0          53s
-pod/metrics-agent-c77c9dfc7-45n5r         1/1     Running   0          53s
+$ kubectl -n azure-arc get deployments,pods
+NAME										READY	UP-TO-DATE AVAILABLE AGE
+deployment.apps/cluster-metadata-operator	1/1		1			1		 16h
+deployment.apps/clusteridentityoperator		1/1		1			1	     16h
+deployment.apps/config-agent				1/1		1			1		 16h
+deployment.apps/controller-manager			1/1		1			1		 16h
+deployment.apps/flux-logs-agent				1/1		1			1		 16h
+deployment.apps/metrics-agent			    1/1     1           1        16h
+deployment.apps/resource-sync-agent			1/1		1			1		 16h
+
+NAME											READY	STATUS	 RESTART AGE
+pod/cluster-metadata-operator-7fb54d9986-g785b  2/2		Running  0		 16h
+pod/clusteridentityoperator-6d6678ffd4-tx8hr    3/3     Running  0       16h
+pod/config-agent-544c4669f9-4th92               3/3     Running  0       16h
+pod/controller-manager-fddf5c766-ftd96          3/3     Running  0       16h
+pod/flux-logs-agent-7c489f57f4-mwqqv            2/2     Running  0       16h
+pod/metrics-agent-58b765c8db-n5l7k              2/2     Running  0       16h
+pod/resource-sync-agent-5cf85976c7-522p5        3/3     Running  0       16h
 ```
 
-All Pods should show `STATUS` as `Running` and `READY` should be either `2/2` or `1/1`. Fetch logs and describe pods that are returning `Error` or `CrashLoopBackOff`.
+All Pods should show `STATUS` as `Running` and `READY` should be either `3/3` or `2/2`. Fetch logs and describe pods that are returning `Error` or `CrashLoopBackOff`.
 
 ## Unable to connect my Kubernetes cluster to Azure
 
@@ -93,54 +99,6 @@ This operation might take a while...
 There was a problem with connect-agent deployment. Please run 'kubectl -n azure-arc logs -l app.kubernetes.io/component=connect-agent -c connect-agent' to debug the error.
 ```
 
-### Incorrect or expired onboarding credentials
-
-```console
-$ kubectl -n azure-arc get deploy,pod
-NAME                                 READY   UP-TO-DATE   AVAILABLE   AGE
-deployment.apps/config-agent         1/1     1            1           8m11s
-deployment.apps/connect-agent        0/1     1            0           8m11s
-deployment.apps/controller-manager   1/1     1            1           8m11s
-deployment.apps/metrics-agent        1/1     1            1           8m11s
-
-NAME                                      READY   STATUS             RESTARTS   AGE
-pod/config-agent-74cf758b5f-d7qz9         2/2     Running            0          8m11s
-pod/connect-agent-bc6b9ff5d-sd9fb         1/2     CrashLoopBackOff   6          8m11s
-pod/controller-manager-7cf95d5d77-qlsvs   2/2     Running            0          8m11s
-pod/metrics-agent-c77c9dfc7-lp2rf         1/1     Running            1          8m11s
-```
-
-Connect agent logs all errors communicating with Azure and the local Kubernetes API server as standard pod logs. Fetch the logs using `kubectl` to debug.
-
-```console
-$ kubectl -n azure-arc logs -l app.kubernetes.io/component=connect-agent -c connect-agent
-2020/04/07 20:52:50 Environment validation :success
-2020/04/07 20:52:50 Kubernetes API server access validation :success
-2020/04/07 20:52:51 Azure Subscription access token :error :http request failed. Authentication Token URL:https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/token Authentication Token Body:grant_type=client_credentials&client_id=82195c37-7497-458c-b643-f4a3d0a64190&client_secret=9814c84e-59d7-49fc-bef6-17b717d2f5a8&resource=https%3A%2F%2Fmanagement.azure.com%2F ErrorInfo: Response:{"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret is provided.\r\nTrace ID: b179b7db-c957-4917-a1b6-66fab2042a00\r\nCorrelation ID: 4cfc9c81-660f-4a1a-ba0b-87db205c5461\r\nTimestamp: 2020-04-07 20:52:51Z","error_codes":[7000215],"timestamp":"2020-04-07 20:52:51Z","trace_id":"b179b7db-c957-4917-a1b6-66fab2042a00","correlation_id":"4cfc9c81-660f-4a1a-ba0b-87db205c5461","error_uri":"https://login.microsoftonline.com/error?code=7000215"} HTTPReturnCode:401
-```
-
-To fix an invalid client credential, validate that the client_id and secret are correct:
-
-```console
-$ kubectl -n azure-arc get cm/azure-clusterconfig -o yaml
-  AZURE_CLIENT_ID: 82195c37-7497-458c-b643-f4a3d0a64190
-  AZURE_RESOURCE_GROUP: AzureArc
-  AZURE_RESOURCE_NAME: AzureArcCluster
-```
-
-### Expired credentials
-
-Service principal credentials that are expired cause the connect-agent to log an error `AADSTS7000222: The provided client secret keys are expired`.
-
-```console
-$ kubectl -n azure-arc logs -l app.kubernetes.io/component=connect-agent -c connect-agent
-2020/04/13 19:49:19 Environment validation :success
-2020/04/13 19:49:19 Kubernetes API server access validation :success
-2020/04/13 19:49:19 Azure Subscription access token :error :http request failed. Authentication Token URL:https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/token Authentication Token Body:grant_type=client_credentials&client_id=82195c37-7497-458c-b643-f4a3d0a64190&client_secret=9814c84e-59d7-49fc-bef6-17b717d2f5a8&resource=https%3A%2F%2Fmanagement.azure.com%2F ErrorInfo: Response:{"error":"invalid_client","error_description":"AADSTS7000222: The provided client secret keys are expired.\r\nTrace ID: 69ade0e5-f089-4a9d-b55d-9089e07f6300\r\nCorrelation ID: 10057011-6143-4e87-ad4a-c8256cf0e353\r\nTimestamp: 2020-04-13 19:49:19Z","error_codes":[7000222],"timestamp":"2020-04-13 19:49:19Z","trace_id":"69ade0e5-f089-4a9d-b55d-9089e07f6300","correlation_id":"10057011-6143-4e87-ad4a-c8256cf0e353"} HTTPReturnCode:401
-```
-
-Expired credentials may be reset using `az ad sp credential reset`.
-
 ## Configuration management
 
 ### General
diff --git a/articles/cosmos-db/policy.md b/articles/cosmos-db/policy.md
@@ -1,6 +1,6 @@
 ---
 title: Use Azure Policy to implement governance and controls for Azure Cosmos DB resources
-description: Learn how to use Azure Policy to implement governance and controls for Cosmos DB resources.
+description: Learn how to use Azure Policy to implement governance and controls for Azure Cosmos DB resources.
 author: plzm
 ms.author: paelaz
 ms.service: cosmos-db
@@ -28,7 +28,7 @@ At the step to select a policy definition, enter `Cosmos DB` in the Search field
 > [!TIP]
 > You can also use the built-in policy definition names shown in the **Available Definitions** pane with Azure PowerShell, Azure CLI, or ARM templates to create policy assignments.
 
-:::image type="content" source="./media/policy/available-definitions.png" alt-text="Search for Cosmos DB built-in policy definitions":::
+:::image type="content" source="./media/policy/available-definitions.png" alt-text="Search for Azure Cosmos DB built-in policy definitions":::
 
 ## Create a custom policy definition
 
@@ -111,7 +111,7 @@ The screenshot shows the following compliance evaluation results:
 - Zero out of one Azure Cosmos DB accounts in the specified scope are compliant with the policy assignment to check that resources were deployed to allowed regions.
 - One out of two Azure Cosmos DB database or collection resources in the specified scope are compliant with the policy assignment to check for provisioned throughput exceeding the specified maximum limit.
 
-:::image type="content" source="./media/policy/compliance.png" alt-text="Search for Cosmos DB built-in policy definitions":::
+:::image type="content" source="./media/policy/compliance.png" alt-text="Search for Azure Cosmos DB built-in policy definitions":::
 
 To remediate the non-compliant resources, see the [remediated with Azure Policy](../governance/policy/how-to/remediate-resources.md) article.
 
diff --git a/articles/synapse-analytics/overview-faq.md b/articles/synapse-analytics/overview-faq.md
@@ -31,7 +31,7 @@ A: Azure Synapse is an integrated data platform for BI, AI, and continuous intel
 ### Q: How do I get started with Azure Synapse Analytics
 
 A: To start using Azure Synapse Analytics, [register Azure Synapse resource provider](https://docs.microsoft.com/azure/azure-resource-manager/management/resource-providers-and-types) by selecting *Microsoft.Synapse* from the list of resource providers. Then create a [Synapse workspace](https://portal.azure.com) (it's free!) and create the resources that you want under that workspace. You can follow one of our quickstart tutorials, such as [Create a Synapse SQL pool](quickstart-create-sql-pool-portal.md) or [Create a workspace](quickstart-create-workspace.md), that will walk you through simple use case. 
-You can also find sample notebooks and SQL scripts in our [repository](https://github.com/Azure/azure-synapse-analytics/tree/master/samples). If you need to connect to a public dataset, create a new linked service with the following attributes:
+You can also find sample notebooks and SQL scripts in our [repository](https://github.com/Azure-Samples/Synapse). If you need to connect to a public dataset, create a new linked service with the following attributes:
 
 - azure_storage_account_name = "azureopendatastorage"
 - azure_storage_sas_token = "" (write **""**)
