The easiest way to deploy the Azure Service Operator is with the Helm charts; follow the instructions there. If you would rather build and deploy the operator from source, follow the instructions laid out below.
Note
This step assumes you have the prerequisites installed. See prerequisites here for information on setup.
- Clone the repository.
- Make sure the environment variable GO111MODULE is set to on:

```
export GO111MODULE=on
```

- Log in to your container registry, set the IMG environment variable to the image you want to publish, and then build and push the image:

```
docker login
IMG=<container_registry>/<username>/<image_name>:<tag> make docker-build-and-push
```
Note
This step assumes you already have a Kubernetes cluster. See prerequisites here for information on creating a Kubernetes cluster.
Create the namespace you want to deploy the operator to.
Note
The scripts are currently configured to deploy to the azureoperator-system namespace.

```
kubectl create namespace azureoperator-system
```

Next, install Cert Manager.

```
make install-cert-manager
```

You can use either of the options below for storing the secrets (connection strings, SQL Server usernames, and so on) that result from resource provisioning.
Kubernetes secrets - this is the default; secrets are stored as Kubernetes secrets in the cluster.
Azure Key Vault - if you want to store the secrets in Azure Key Vault instead, additionally do the steps below.
Create an Azure Key Vault to store the secrets.

```
az keyvault create --name "OperatorSecretKeyVault" --resource-group "resourceGroup-operators" --location "West US"
```

Add a Key Vault access policy that grants the operator's service principal access to this Key Vault. Grant only the secret permissions shown; the operator stores secrets, so it does not need key or certificate permissions. Note that the list permission lets the identity enumerate every secret in the vault, so use a vault dedicated to the operator rather than one that already holds unrelated secrets.

```
az keyvault set-policy --name "OperatorSecretKeyVault" --spn <AZURE_CLIENT_ID> --secret-permissions get list delete set
```

If you use Managed Identity instead of a Service Principal, use the Client ID of the Managed Identity in the same command.

```
az keyvault set-policy --name "OperatorSecretKeyVault" --spn <MANAGEDIDENTITY_CLIENT_ID> --secret-permissions get list delete set
```

Set the environment variable AZURE_OPERATOR_KEYVAULT to indicate that you want to use Azure Key Vault for secrets.

```
export AZURE_OPERATOR_KEYVAULT=OperatorSecretKeyVault
```

You can choose to use either Service Principals or Managed Identity for authentication.
If you choose to use Service Principal authentication, set these environment variables.

```
export AZURE_CLIENT_ID=xxxxxxx
export AZURE_CLIENT_SECRET=aaaaaaa
```

Keep in mind that the client secret is later copied into a Kubernetes secret, so anyone who can read secrets in the azureoperator-system namespace can recover it; prefer Managed Identity where the cluster supports it.
If you choose to use Managed Identity, set the environment variables below and then perform the steps listed here.

```
export AZURE_CLIENT_ID=xxxxxxx
export AZURE_USE_MI=1
```

Before you can use Managed Identity authentication you need to install aad-pod-identity.
Installing AAD Pod Identity and registering an identity
- Install aad-pod-identity.

```
make install-aad-pod-identity
```

- Apply the AzureIdentity and AzureIdentityBinding manifests. This binds the identity to the Azure Service Operator.
Where a resourceID or clientID is referenced in the template below, replace it with the resourceID and clientID of your Managed Identity.

```
$ cat <<EOF | kubectl apply -f -
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentity
metadata:
  name: aso-managed-id1
  namespace: azureoperator-system
spec:
  # type 0 is a user-assigned managed identity
  type: 0
  resourceID: /subscriptions/<your-subscription-id-here>/resourcegroups/<your-resource-group-test>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<your-managed-identity-here>
  clientID: <your-managed-identity-client-id-here>
---
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentityBinding
metadata:
  name: aso-identity-binding
  namespace: azureoperator-system
spec:
  azureIdentity: aso-managed-id1
  # must match the aadpodidbinding label on the operator's manager pod
  selector: aso_manager_binding
EOF
```

Note
Use only one of the authentication methods mentioned above.
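Before creating the azureoperatorsettings secret and running make deploy, it is worth checking that the exported variables are consistent: that exactly one authentication method is configured, that the IDs are well-formed, and that any Key Vault name is one Key Vault will accept. The following script is an added example, not part of the Azure Service Operator repository; only the variable names (AZURE_TENANT_ID, AZURE_SUBSCRIPTION_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_USE_MI, AZURE_OPERATOR_KEYVAULT, REQUEUE_AFTER) come from this page, and the function names are ours.

```shell
#!/bin/sh
# Preflight check for the environment variables this page exports before
# `kubectl create secret generic azureoperatorsettings` and `make deploy`.
# Added example: not part of the Azure Service Operator repository. Only the
# variable names come from the page; the function names are ours.

# Report a problem and count it (errors is reset by check_aso_env).
fail() {
    echo "preflight: $1" >&2
    errors=$((errors + 1))
}

# True if $1 has the shape of an Azure GUID (tenant, subscription, client IDs).
is_guid() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# True if $1 is an acceptable Key Vault name: 3-24 characters, letters, digits
# and hyphens only, starting with a letter, not ending with a hyphen and with
# no consecutive hyphens.
is_keyvault_name() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z][A-Za-z0-9-]{1,22}[A-Za-z0-9]$' &&
        ! printf '%s\n' "$1" | grep -q -- '--'
}

# Returns 0 when the exported settings are consistent, 1 otherwise, printing
# every problem found so they can all be fixed in one pass.
check_aso_env() {
    errors=0

    is_guid "${AZURE_TENANT_ID:-}"       || fail "AZURE_TENANT_ID is not a GUID"
    is_guid "${AZURE_SUBSCRIPTION_ID:-}" || fail "AZURE_SUBSCRIPTION_ID is not a GUID"
    is_guid "${AZURE_CLIENT_ID:-}"       || fail "AZURE_CLIENT_ID is not a GUID"

    # Exactly one authentication method: a client secret (Service Principal)
    # or AZURE_USE_MI=1 (Managed Identity through aad-pod-identity), not both.
    if [ "${AZURE_USE_MI:-}" = "1" ]; then
        [ -z "${AZURE_CLIENT_SECRET:-}" ] ||
            fail "AZURE_USE_MI=1 and AZURE_CLIENT_SECRET are both set; use only one authentication method"
    elif [ -n "${AZURE_USE_MI:-}" ]; then
        fail "AZURE_USE_MI must be 1 or left unset"
    else
        [ -n "${AZURE_CLIENT_SECRET:-}" ] ||
            fail "no authentication method: set AZURE_CLIENT_SECRET or AZURE_USE_MI=1"
    fi

    # REQUEUE_AFTER is a requeue interval; it must be a positive integer.
    case "${REQUEUE_AFTER:-}" in
        ''|*[!0-9]*) fail "REQUEUE_AFTER must be a positive integer" ;;
        *) [ "$REQUEUE_AFTER" -gt 0 ] || fail "REQUEUE_AFTER must be greater than zero" ;;
    esac

    # AZURE_OPERATOR_KEYVAULT is optional; when set it must be a name that
    # Key Vault accepts.
    if [ -n "${AZURE_OPERATOR_KEYVAULT:-}" ]; then
        is_keyvault_name "$AZURE_OPERATOR_KEYVAULT" ||
            fail "AZURE_OPERATOR_KEYVAULT '$AZURE_OPERATOR_KEYVAULT' is not a valid Key Vault name"
    fi

    [ "$errors" -eq 0 ]
}
```

Source the file in the terminal where you did the exports and run check_aso_env; create the secret only when it returns successfully. The check deliberately rejects a configuration where AZURE_USE_MI=1 and AZURE_CLIENT_SECRET are both set, since that would copy an unused long-lived secret into the cluster.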
Next, set the following environment variables and create the azureoperatorsettings secret from them: AZURE_TENANT_ID, AZURE_SUBSCRIPTION_ID, and REQUEUE_AFTER (the requeue interval, in seconds).

```
export AZURE_TENANT_ID=xxxxxxx
export AZURE_SUBSCRIPTION_ID=aaaaaaa
export REQUEUE_AFTER=30
```

From the same terminal (so the exported variables are still set), run the command below to create the secret.

```
kubectl --namespace azureoperator-system \
create secret generic azureoperatorsettings \
--from-literal=AZURE_SUBSCRIPTION_ID="$AZURE_SUBSCRIPTION_ID" \
--from-literal=AZURE_TENANT_ID="$AZURE_TENANT_ID" \
--from-literal=AZURE_CLIENT_ID="$AZURE_CLIENT_ID" \
--from-literal=AZURE_CLIENT_SECRET="$AZURE_CLIENT_SECRET" \
--from-literal=AZURE_USE_MI="$AZURE_USE_MI" \
--from-literal=AZURE_OPERATOR_KEYVAULT="$AZURE_OPERATOR_KEYVAULT"
```

Then deploy the operator.

```
make deploy
```

Check that the operator is deployed to the cluster using the following command.
```
kubectl get pods -n azureoperator-system
```

You can view the logs from the operator using the following command. The podname is the name of the pod in the output from kubectl get pods -n azureoperator-system; manager is the name of the container inside the pod.

```
kubectl logs <podname> -c manager -n azureoperator-system
```

If you would like to view the Prometheus metrics from the operator, you can forward port 8080 to the local machine using the following commands.
Get the deployment using the following command.

```
kubectl get deployment -n azureoperator-system
```

You'll see output like the below.

```
NAME                               READY   UP-TO-DATE   AVAILABLE   AGE
azureoperator-controller-manager   1/1     1            1           2d1h
```

Use the deployment name in the command as below.

```
kubectl port-forward deployment/<deployment name> -n <namespace> 8080
```

So here we would use the following command.

```
kubectl port-forward deployment/azureoperator-controller-manager -n azureoperator-system 8080
```

You can now browse to http://localhost:8080/metrics to view the metrics. The port-forward listens on localhost only, so the metrics endpoint is not exposed beyond your machine.