Version: 3.2

Automate authentication for AAD enabled AKS cluster in ARO

For running disaster recovery (DR) scenarios with Stork, you need to create a unidirectional or bidirectional ClusterPair with the ability to automatically authenticate Stork. When using an Azure Active Directory (AAD) enabled Azure Kubernetes Service (AKS) cluster, the kubelogin tool enables automatic login using a service principal.

This page provides instructions on creating a Kubernetes secret using the service principal ID and secret, and then passing it to the Stork spec. This process will automatically authenticate Stork when creating a ClusterPair object during DR setup.

Prerequisites

Create a non-interactive authentication

Once you have configured your kubeconfig to use a service principal for authentication instead of the default device code flow, follow the steps below to pass the service principal ID and secret as Stork environment variables to your source and destination clusters.

  1. Create a secret using your service principal ID and secret:
    oc create secret generic \
    -n <px-namespace> px-azure-kube-access \
    --from-literal=AAD_SERVICE_PRINCIPAL_CLIENT_ID=<spn-client-id> \
    --from-literal=AAD_SERVICE_PRINCIPAL_CLIENT_SECRET=<spn-secret>

  2. Edit your source and destination StorageCluster to pass your service principal ID and secret as Stork environment variables. Stork uses these values to authenticate with the AKS cluster:

    stork:
      env:
      - name: AAD_SERVICE_PRINCIPAL_CLIENT_ID
        valueFrom:
          secretKeyRef:
            key: AAD_SERVICE_PRINCIPAL_CLIENT_ID
            name: px-azure-kube-access
      - name: AAD_SERVICE_PRINCIPAL_CLIENT_SECRET
        valueFrom:
          secretKeyRef:
            key: AAD_SERVICE_PRINCIPAL_CLIENT_SECRET
            name: px-azure-kube-access

  3. Wait a few minutes, then verify that all Stork pods are in the Running state:
    oc get pods -n <px-namespace> -l name=stork
    NAME                     READY   STATUS    RESTARTS   AGE
    stork-78b8bbf7d8-4nd58   1/1     Running   0          3m25s
    stork-78b8bbf7d8-9m6qw   1/1     Running   0          3m25s
    stork-78b8bbf7d8-rldkf   1/1     Running   0          3m25s

After all Stork pods have started, proceed to the DR section to complete your DR setup.
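
A check for step 2, added here as an example and not part of the Portworx documentation or code: it audits a StorageCluster object parsed from JSON and reports when either variable is missing, set as a literal value, or references a different secret or key. It assumes the stork block shown in step 2 sits under spec.stork; the function name and the sample objects are constructed for illustration.

```python
import json

SECRET_NAME = "px-azure-kube-access"
REQUIRED = ("AAD_SERVICE_PRINCIPAL_CLIENT_ID",
            "AAD_SERVICE_PRINCIPAL_CLIENT_SECRET")

def audit_stork_env(storagecluster):
    """Return a list of findings; an empty list means the env block matches step 2."""
    # Assumption: the stork block from step 2 sits under .spec.stork.
    stork = (storagecluster.get("spec") or {}).get("stork") or {}
    by_name = {e.get("name"): e for e in stork.get("env") or []}
    findings = []
    for var in REQUIRED:
        entry = by_name.get(var)
        if entry is None:
            findings.append(f"{var}: missing from stork.env")
        elif "value" in entry:
            # A literal is stored in the StorageCluster object itself, readable
            # by anyone allowed to get that resource.
            findings.append(f"{var}: literal value, expected secretKeyRef")
        else:
            ref = (entry.get("valueFrom") or {}).get("secretKeyRef") or {}
            if ref.get("name") != SECRET_NAME:
                findings.append(f"{var}: secret {ref.get('name')!r}, expected {SECRET_NAME!r}")
            if ref.get("key") != var:
                findings.append(f"{var}: key {ref.get('key')!r}, expected {var!r}")
    return findings

def _ref(var, secret=SECRET_NAME):
    # Helper that builds one env entry in the shape shown in step 2.
    return {"name": var, "valueFrom": {"secretKeyRef": {"key": var, "name": secret}}}

# Constructed sample objects (not taken from a real cluster).
GOOD = {"spec": {"stork": {"env": [_ref(v) for v in REQUIRED]}}}
BAD = {"spec": {"stork": {"env": [
    _ref(REQUIRED[0], secret="some-other-secret"),
    {"name": REQUIRED[1], "value": "constructed-placeholder"},
]}}}

if __name__ == "__main__":
    for label, doc in (("GOOD", GOOD), ("BAD", BAD)):
        # Round-trip through JSON to mimic parsing `oc get ... -o json` output.
        findings = audit_stork_env(json.loads(json.dumps(doc)))
        print(label, findings or "ok")
```

To audit a live cluster, pass the function the parsed JSON of a single StorageCluster object from your source or destination cluster.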