Deploy Portworx using Azure managed identity on a new AKS cluster
Perform the following steps to enable Azure managed identity on a new AKS cluster and deploy Portworx with it:
1. Log in to Azure and set the subscription:

   az login
   az account set --subscription <Your-Azure-Subscription-UUID>

2. Check the available locations in which to create the AKS cluster:

   az account list-locations

3. Create an Azure resource group:

   az group create --name <resource-group-name> --location <location>

4. Create an AKS cluster with managed identities enabled:

   az aks create -g <resource-group-name> -n <cluster-name> --enable-managed-identity

5. Identify the object, client and resource IDs of the kubelet identity:

   az aks show -g <resource-group-name> -n <cluster-name> --query identityProfile

   For example:

   az aks show -g cass-rg -n msi-test --query identityProfile
   {
     "kubeletidentity": {
       "clientId": "68XXXXXX-f3a5-459d-9b57-XXXXXXXXXX70",
       "objectId": "c0XXXXXX-ba91-4c13-9456-XXXXXXXXXX35",
       "resourceId": "/subscriptions/72XXXXXX-a431-4b8e-80ef-685510XXXXXX/resourcegroups/MC_cass-rg_msi-test_eastus/providers/Microsoft.ManagedIdentity/userAssignedIdentities/msi-test-agentpool"
     }
   }
6. Assign the Contributor role to the managed identity:

   az role assignment create --assignee <objectId> --role "Contributor" --scope <resourceId>

   Note: The objectId is the one from step 5, as is the resourceId. The resourceId string, however, must be cut after the resource group name, right before /providers, so that the scope becomes /subscriptions/72XXXXXX-a431-4b8e-80ef-685510XXXXXX/resourcegroups/MC_cass-rg_msi-test_eastus. For example:

   az role assignment create --assignee "c0XXXXXX-ba91-4c13-9456-XXXXXXXXXX35" --role "Contributor" --scope "/subscriptions/72XXXXXX-a431-4b8e-80ef-685510XXXXXX/resourcegroups/MC_cass-rg_msi-test_eastus"
   {
     "canDelegate": null,
     "condition": null,
     "conditionVersion": null,
     "description": null,
     "id": "/subscriptions/72XXXXXX-a431-4b8e-80ef-685510XXXXXX/resourceGroups/MC_cass-rg_msi-test_eastus/providers/Microsoft.Authorization/roleAssignments/d0XXXXXX-4e9f-452c-8e43-1a661eXXXXXX",
     "name": "d0XXXXXX-4e9f-452c-8e43-1a661eXXXXXX",
     "principalId": "c0XXXXXX-ba91-4c13-9456-XXXXXXXXXX35",
     "principalType": "ServicePrincipal",
     "resourceGroup": "MC_cass-rg_msi-test_eastus",
     "roleDefinitionId": "/subscriptions/72XXXXXX-a431-4b8e-80ef-685510XXXXXX/providers/Microsoft.Authorization/roleDefinitions/b2XXXXXX-6180-42a0-ab88-20f738XXXXXX",
     "scope": "/subscriptions/72XXXXXX-a431-4b8e-80ef-685510XXXXXX/resourceGroups/MC_cass-rg_msi-test_eastus",
     "type": "Microsoft.Authorization/roleAssignments"
   }

7. Create a Kubernetes secret based on the clientId that you retrieved in step 5:

   kubectl create secret generic -n <px-namespace> px-azure --from-literal=AZURE_CLIENT_ID="<clientId>"

   For example:

   kubectl create secret generic -n portworx px-azure --from-literal=AZURE_CLIENT_ID="68XXXXXX-f3a5-459d-9b57-XXXXXXXXXX70"
8. Follow the steps to generate the Operator and StorageCluster spec in Install Portworx on AKS using the Operator. Save the spec for the next step.

9. Modify the automatically generated StorageCluster spec. In the env section, remove the AZURE_CLIENT_SECRET and AZURE_TENANT_ID entries, or select the Managed Identity option in the wizard. The finished section should match the following:

   env:
   - name: AZURE_CLIENT_ID
     valueFrom:
       secretKeyRef:
         name: px-azure
         key: AZURE_CLIENT_ID
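The scope cut in step 6 is easy to get wrong by hand, so here is an added example in POSIX shell (not from the Portworx documentation): it parses the identityProfile output from step 5, derives the scope by cutting the resourceId before /providers, refuses anything that is not a node resource group scope, and prints the step 6 and 7 commands for review without running them. The JSON sample is constructed to mirror the redacted example above, and the helper names are assumptions of this example.

```shell
# Added example, not from the Portworx docs: derives the step 6 scope from the
# identityProfile JSON and renders the step 6 and 7 commands (dry run only).
# Constructed sample mirroring the page's redacted `az aks show` output.
IDENTITY_PROFILE='{
  "kubeletidentity": {
    "clientId": "68XXXXXX-f3a5-459d-9b57-XXXXXXXXXX70",
    "objectId": "c0XXXXXX-ba91-4c13-9456-XXXXXXXXXX35",
    "resourceId": "/subscriptions/72XXXXXX-a431-4b8e-80ef-685510XXXXXX/resourcegroups/MC_cass-rg_msi-test_eastus/providers/Microsoft.ManagedIdentity/userAssignedIdentities/msi-test-agentpool"
  }
}'
# extract_field NAME JSON: print the string value of key NAME (flat JSON, no jq).
extract_field() {
  printf '%s\n' "$2" | sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# derive_scope RESOURCE_ID: cut the identity's resourceId at "/providers/",
# leaving /subscriptions/<sub>/resourcegroups/<node-rg>, the scope step 6 uses.
derive_scope() {
  printf '%s\n' "${1%%/providers/*}"
}

# scope_is_node_rg SCOPE: succeed only for a resource-group scope whose name has
# the AKS node resource group prefix MC_. A bare subscription scope, or an uncut
# resourceId, fails, so an over-broad or malformed Contributor grant is caught.
scope_is_node_rg() {
  case "$1" in
    /subscriptions/*/resourcegroups/MC_*|/subscriptions/*/resourceGroups/MC_*)
      case "${1#/subscriptions/*/resource?roups/}" in
        */*) return 1 ;;   # a path after the group name means it was not cut
        *)   return 0 ;;
      esac ;;
    *) return 1 ;;
  esac
}

# render_commands JSON NAMESPACE: print the role assignment and secret commands
# with the scope derived rather than edited by hand; nothing is executed.
render_commands() {
  client_id=$(extract_field clientId "$1")
  object_id=$(extract_field objectId "$1")
  scope=$(derive_scope "$(extract_field resourceId "$1")")
  scope_is_node_rg "$scope" || { echo "refusing scope '$scope'" >&2; return 1; }
  printf 'az role assignment create --assignee "%s" --role "Contributor" --scope "%s"\n' \
    "$object_id" "$scope"
  printf 'kubectl create secret generic -n %s px-azure --from-literal=AZURE_CLIENT_ID="%s"\n' \
    "$2" "$client_id"
}

render_commands "$IDENTITY_PROFILE" portworx
```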