articles/operator-nexus/howto-cluster-manager.md
Lines changed: 99 additions & 14 deletions
@@ -16,10 +16,10 @@ The Cluster Manager is deployed in the operator's Azure subscription to manage t
16
16
17
17
## Before you begin
18
18
19
-
You'll need:
19
+
Ensure you have the following information:
20
20
21
21
-**Azure Subscription ID** - The Azure subscription ID where Cluster Manager needs to be created (should be the same subscription ID of the Network Fabric Controller).
22
-
-**Network Fabric Controller ID** - Network Fabric Controller and Cluster Manager have a 1:1 association. You'll need the resource ID of the Network Fabric Controller associated with the Cluster Manager.
22
+
-**Network Fabric Controller ID** - Network Fabric Controller and Cluster Manager have a 1:1 association. You need the resource ID of the Network Fabric Controller to be associated with the Cluster Manager.
23
23
-**Log Analytics Workspace ID** - The resource ID of the Log Analytics Workspace used for the logs collection.
24
24
-**Azure Region** - The Cluster Manager should be created in the same Azure region as the Network Fabric Controller.
25
25
This Azure region should be used in the `Location` field of the Cluster Manager and all associated Operator Nexus instances.
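Review bot: the rewritten Network Fabric Controller ID bullet (new line 22) reads well, but the unchanged Azure Subscription ID bullet directly above it still says "should be the same subscription ID of the Network Fabric Controller"; while this list is being touched, change it to "must be the same subscription as the Network Fabric Controller" so the two bullets use the same register and the requirement does not read as optional.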
@@ -38,23 +38,40 @@ Some arguments that are available for every Azure CLI command
38
38
-**--query** - uses the JMESPath query language to filter the output returned from Azure services.
39
39
-**--verbose** - prints information about resources created in Azure during an operation, and other useful information
| Name, ID, location, tags, type | Name: User friendly name <br> ID: < Resource ID > <br> Location: Azure region where the Cluster Manager is created. Values from: `az account list -locations`.<br> Tags: Resource tags <br> Type: Microsoft.NetworkCloud/clusterManagers |
46
46
| managerExtendedLocation | The ExtendedLocation associated with the Cluster Manager |
47
47
| managedResourceGroupConfiguration | Information about the Managed Resource Group |
48
-
| fabricControllerId | A reference to the Network Fabric Controller that is 1:1 with this Cluster Manager |
49
-
| analyticsWorkspaceId | This workspace will be where any logs that 's relevant to the customer will be relayed. |
50
-
| clusterVersions[]| List of ClusterAvailableVersions objects. <br> Cluster versions that the manager supports. Will be used as an input in the cluster clusterVersion property. |
| detailedStatus | Detailed statuses that provide additional information about the status of the Cluster Manager. |
53
-
| detailedStatusMessage | Descriptive message about the current detailedStatus. |
48
+
| fabricControllerId | The reference to the Network Fabric Controller that is 1:1 with this Cluster Manager |
49
+
| analyticsWorkspaceId | The Log Analytics workspace where logs that are relevant to the customer will be relayed. |
50
+
| clusterVersions[]| The list of Cluster versions that the Cluster Manager supports. It is used as an input in the cluster clusterVersion property. |
51
+
| provisioningState | The provisioning status of the latest operation on the Cluster Manager. One of: Succeeded, Failed, Canceled, Provisioning, Accepted, Updating |
52
+
| detailedStatus | The detailed statuses that provide additional information about the status of the Cluster Manager. |
53
+
| detailedStatusMessage | The descriptive message about the current detailed status. |
54
+
55
+
## Cluster Manager Identity
56
+
57
+
Starting with the 2024-06-01-preview API version, a customer can assign managed identity to a Cluster Manager. Both System-assigned and User-Assigned managed identities are supported.
58
+
59
+
If a Cluster Manager is created with the User-assigned managed identity, a customer is required to provision access to that identity for the Nexus platform.
60
+
Specifically, `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action` permission needs to be added to the User-assigned identity for `AFOI-NC-MGMT-PME-PROD` Microsoft Entra ID. It is a known limitation of the platform that will be addressed in the future.
61
+
62
+
The role assignment can be done via the Azure portal:
63
+
64
+
- Open Azure portal and locate User-assigned identity in question.
65
+
- If you expect multiple managed identities provisioned, the role can be added instead at the resource group or subscription level.
66
+
- Under `Access control (IAM)`, click Add new role assignment
67
+
- Select Role: `Managed Identity Operator`. See the [permissions](../role-based-access-control/built-in-roles/identity.md#managed-identity-operator) that the role provides.
68
+
- Assign access to: User, group, or service principal
Use the `az networkcloud clustermanager create` command to create a Cluster Manager. This command creates a new Cluster Manager or updates the properties of the Cluster Manager if it exists. If you have multiple Azure subscriptions, select the appropriate subscription ID using the [az account set](/cli/azure/account#az-account-set) command.
60
77
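Review bot: the bullet at new line 65 ("the role can be added instead at the resource group or subscription level") needs the least-privilege trade-off stated: Managed Identity Operator granted at resource-group or subscription scope lets the `AFOI-NC-MGMT-PME-PROD` principal assign every user-assigned identity in that scope, not only the ones intended for Cluster Managers, so the text should present the identity itself (or a resource group dedicated to Nexus identities) as the default scope and the broader scopes as the exception. The same bullet also sits between "locate the User-assigned identity" and "Under `Access control (IAM)`", which breaks the step sequence; move it to a note after the list. Separately, the unchanged Name/ID/location table row shows `az account list -locations`; the command is `az account list-locations`.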
@@ -85,13 +102,14 @@ az networkcloud clustermanager create \
85
102
-**wait/--no-wait** - Wait for command to complete or don't wait for the long-running operation to finish.
86
103
-**--tags** - Space-separated tags: key[=value][key[=value]...]. Use '' to clear existing tags
87
104
-**--subscription** - Name or ID of subscription. You can configure the default subscription using `az account set -s NAME_OR_ID`.
88
-
105
+
-**--mi-system-assigned** - Enable System-assigned managed identity. Once added, the Identity can only be removed via the API call at this time.
106
+
-**--mi-user-assigned** - Space-separated resource IDs of the User-assigned managed identities to be added. Once added, the Identity can only be removed via the API call at this time.
89
107
90
108
### Create the Cluster Manager using Azure Resource Manager template editor:
91
109
92
110
An alternate way to create a Cluster Manager is with the ARM template editor.
93
111
94
-
In order to create the cluster this way, you will need to provide a template file (clusterManager.jsonc) and a parameter file (clusterManager.parameters.jsonc).
112
+
In order to create the cluster this way, you need to provide a template file (clusterManager.jsonc) and a parameter file (clusterManager.parameters.jsonc).
95
113
96
114
You can find examples of these two files here:
97
115
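Review bot: the new `--mi-user-assigned` entry (new line 106) should point back to the Cluster Manager Identity section, which states that access to a user-assigned identity must be provisioned for the Nexus platform (the Managed Identity Operator assignment for `AFOI-NC-MGMT-PME-PROD`); a reader working from the option list alone will miss that prerequisite before running `create`. Both new entries also say the identity "can only be removed via the API call"; link that phrase to the "Update Cluster Manager Identities via APIs" section added later in this change so the reader can find the removal procedure.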
@@ -171,6 +189,73 @@ az networkcloud clustermanager update \
171
189
-**--IDs** - One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource ID' arguments.
172
190
-**--resource-group -g** - Name of resource group. You can configure the default group using `az configure --defaults group=<name>`.
173
191
-**--subscription** - Name or ID of subscription. You can configure the default subscription using `az account set -s NAME_OR_ID`.
192
+
-**--mi-system-assigned** - Enable System-assigned managed identity. Once added, the Identity can only be removed via the API call at this time.
193
+
-**--mi-user-assigned** - Space-separated resource IDs of the User-assigned managed identities to be added. Once added, the Identity can only be removed via the API call at this time.
194
+
195
+
### Update Cluster Manager Identities via APIs
196
+
197
+
Cluster Manager managed identities can be assigned via CLI. The un-assignment of the identities can be done via API calls.
198
+
Note, `<APIVersion>` is the API version 2024-06-01-preview or newer.
199
+
200
+
- To remove all managed identities, execute:
201
+
202
+
```azurecli
203
+
az rest --method PATCH --url /subscriptions/$SUB_ID/resourceGroups/$CLUSTER_MANAGER_RG/providers/Microsoft.NetworkCloud/clusterManagers/$CLUSTER_MANAGER_NAME?api-version=<APIVersion> --body "{\"identity\":{\"type\":\"None\"}}"
204
+
```
205
+
206
+
- If both User-assigned and System-assigned managed identities were added, the User-assigned can be removed by updating the `type` to `SystemAssigned`:
207
+
208
+
```azurecli
209
+
az rest --method PATCH --url /subscriptions/$SUB_ID/resourceGroups/$CLUSTER_MANAGER_RG/providers/Microsoft.NetworkCloud/clusterManagers/$CLUSTER_MANAGER_NAME?api-version=<APIVersion> --body @~/uai-body.json
210
+
```
211
+
212
+
The request body (uai-body.json) example:
213
+
214
+
```azurecli
215
+
{
216
+
"identity": {
217
+
"type": "SystemAssigned"
218
+
}
219
+
}
220
+
```
221
+
222
+
- If both User-assigned and System-assigned managed identities were added, the System-assigned can be removed by updating the `type` to `UserAssigned`:
223
+
224
+
```azurecli
225
+
az rest --method PATCH --url /subscriptions/$SUB_ID/resourceGroups/$CLUSTER_MANAGER_RG/providers/Microsoft.NetworkCloud/clusterManagers/$CLUSTER_MANAGER_NAME?api-version=<APIVersion> --body @~/uai-body.json
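Review bot: the third example (new line 222 onward) reuses `@~/uai-body.json` to set `type` to `UserAssigned`, but the only body shown for that file (new lines 214 to 220) sets `"type": "SystemAssigned"`; a reader following the steps in order will send the wrong identity type. Give the second case its own body file and show its contents. Two smaller points: the request body fence at new line 214 is tagged `azurecli` but contains JSON, so tag it `json`; and `$SUB_ID`, `$CLUSTER_MANAGER_RG` and `$CLUSTER_MANAGER_NAME` are used without being introduced in this section, so define them or reference where they are set. The `--url` argument should also be quoted, since an unquoted `?api-version=<APIVersion>` is subject to shell globbing and the angle brackets are parsed as redirections if the placeholder is pasted literally.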
@@ -196,4 +281,4 @@ az networkcloud clustermanager delete \
196
281
197
282
## Next steps
198
283
199
-
After you successfully create an NFC and Cluster Manager, the next step is to create a [Network Fabric](./howto-configure-network-fabric.md).
284
+
After you successfully created the Network Fabric Controller and the Cluster Manager, the next step is to create a [Network Fabric](./howto-configure-network-fabric.md).
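Review bot: "After you successfully created" at new line 284 is ungrammatical; use "After you have successfully created" or keep the original "After you successfully create". Spelling out "Network Fabric Controller" in place of "NFC" is a good change and should stay.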