forked from pivotal-cf/docs-pks
-
Notifications
You must be signed in to change notification settings - Fork 0
/
azure-prepare-env.html.md.erb
286 lines (235 loc) · 10.7 KB
/
azure-prepare-env.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
---
title: Preparing to Deploy PKS on Azure
owner: Ops Manager
---
<strong><%= modified_date %></strong>
<html class="list-style-none"></html>
This topic describes how to prepare to deploy Pivotal Container Service (PKS) on Azure by manually
creating a service principal to access resources in your Azure subscription.
See [Deploying Ops Manager on Azure](./azure-om-deploy.html) for information about installing PKS
on Azure using Terraform templates.
After you complete this procedure, follow the instructions in
[Installing PKS on Azure](./installing-pks-azure.html).
##<a id="install"></a> Step 1: Install and Configure the Azure CLI
1. Install Azure CLI v2.0 or later by following the instructions for your operating system in
[Install the Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli) in the
Microsoft documentation.
1. To use the Azure CLI to set the active cloud, run the following command:
```
az cloud set --name MY-CLOUD
```
Replace `MY-CLOUD` with the value corresponding to the Azure environment where you install PKS:
* **Azure**: `AzureCloud`.
* **Azure China**: `AzureChinaCloud`. If logging in to `AzureChinaCloud` fails with a
`CERT_UNTRUSTED` error, use `node` v4.x or later. For more information, see
[Failed to login AzureChinaCloud](https://github.com/Azure/azure-xplat-cli/issues/2725) in
GitHub.
* **Azure Government Cloud**: `AzureUSGovernment`. Azure Government Cloud is only supported in
PKS v1.10 and later.
* **Azure Germany**: `AzureGermanCloud`.
For example:
<pre class="terminal">
$ az cloud set --name AzureCloud
</pre>
<p class="note"><strong>Note</strong>: For more information about installing PKS in the China Region, see <a href="https://docs.pivotal.io/pivotalcf/customizing/offline_installation.html#install_china">Install in the China Region</a> in the Pivotal Documentation.</p>
1. To log in, run the following command:
```
az login
```
To authenticate, navigate to the URL in the output, enter the provided code, and click your
account.
##<a id="default-subscription"></a> Step 2: Set Your Default Subscription
1. To list your Azure subscriptions, run `az account list`.
For example:
<pre class="terminal">
$ az account list
[
{
"id": "12345678-1234-5678-1234-567891234567",
"name": "Sample Subscription",
"user": {
"name": "Sample Account",
"type": "user"
},
"tenantId": "11111111-1234-5678-1234-678912345678",
"state": "Enabled",
"isDefault": true,
"registeredProviders": [],
"environmentName": "AzureCloud"
},
{
"id": "87654321-1234-5678-1234-678912345678",
"name": "Sample Subscription1",
"user": {
"name": "Sample Account1",
"type": "user"
},
"tenantId": "22222222-1234-5678-1234-678912345678",
"state": "Enabled",
"isDefault": false,
"registeredProviders": [],
"environmentName": "AzureCloud"
}
]
</pre>
1. PKS deploys to your default subscription. To determine your default subscription, search the
output of the `az account list` command for the subscription with `isDefault` set to `true`. To set
a different default subscription, run the following command:
```
az account set --subscription SUBSCRIPTION-ID
```
Where `SUBSCRIPTION-ID` is the value of the `id` field.
For example:
<pre class="terminal">
$ az account set --subscription 87654321-1234-5678-1234-567891234567
</pre>
1. Record the value of the `id` set as the default. You use this value in future configuration
steps.
1. Record the value of `tenantID` for your default subscription. This is your `TENANT-ID` for
creating a service principal. If your `tenantID` value is not defined, you may be using a personal
account to log in to your Azure subscription.
##<a id='create-aad'></a> Step 3: Create an AAD Application
1. To create an Azure Active Directory (AAD) application, run the following command:
```
az ad app create --display-name "Service Principal for BOSH" \
--password "PASSWORD" --homepage "MY-HOMEPAGE" \
--identifier-uris "MY-IDENTIFIER"
```
Where:
* `PASSWORD` is a password of your choice. This is your `CLIENT-SECRET` for creating a
service principal.
* `MY-HOMEPAGE` is a string of your choice. Pivotal recommends that you use the string
`http://BOSHAzureCPI`, as shown in the example below.
* `MY-IDENTIFIER` is a string of your choice. This string must be unique within the
organization associated with your Azure subscription.
For example:
<pre class="terminal">
$ az ad app create --display-name "Service Principal for BOSH" \
--password "pa55w0rd" --homepage "<span>http:</span>//BOSHAzureCPI" \
--identifier-uris "<span>http</span>://BOSHAzureCPI"
</pre>
1. From the output of the `az ad app create` command, record the value of `appId`. This is your
`APPLICATION-ID` for creating a service principal.
For example:
<pre class="terminal">
{
"appId": "abcdef01-ab23-45cd-ef67-8901234abcde",
"appPermissions": null,
"availableToOtherTenants": false,
"displayName": "Service Principal for BOSH",
"homepage": "http<span>://</span>BOSHAzureCPI",
"identifierUris": [
"http<span>://</span>BOSHAzureCPI"
],
"objectId": "f3884df4-7d1d-4894-a78c-c1fe75750436",
"objectType": "Application",
"replyUrls": []
}
</pre>
In this example, the value of `appId` is `abcdef01-ab23-45cd-ef67-8901234abcde`.
##<a id="create-configure"></a> Step 4: Create and Configure a Service Principal
1. To create a service principal, run the following command:
```
az ad sp create --id YOUR-APPLICATION-ID
```
Where `YOUR-APPLICATION-ID` is the `APPLICATION-ID` that you recorded in
[Create an AAD Application](#create-aad).
For example:
<pre class="terminal">
$ az ad sp create --id abcdef01-ab23-45cd-ef67-8901234abcde
{
"appId": "abcdef01-ab23-45cd-ef67-8901234abcde",
"displayName": "Service Principal for BOSH",
"objectId": "cc13c685-4c3b-461e-ae96-7a0563960b83",
"objectType": "ServicePrincipal",
"servicePrincipalNames": [
"abcdef01-ab23-45cd-ef67-8901234abcde",
"http<span>://</span>BOSHAzureCPI"
]
}
</pre>
1. To assign the Contributor role to your service principal, run the following command. The service
principal requires the Contributor role to deploy PKS.
```
az role assignment create --assignee "SERVICE-PRINCIPAL-NAME" \
--role "Contributor" --scope /subscriptions/SUBSCRIPTION-ID
```
Where:
* `SERVICE-PRINCIPAL-NAME` is the first value of `Service Principal Names` from the output above,
which corresponds to `YOUR-APPLICATION-ID`.
* `SUBSCRIPTION-ID` is the `id` of the default subscription that you recorded in
[Set Your Default Subscription](#default-subscription).
<p class="note"><strong>Note</strong>: If you need to use multiple resource groups for your PKS deployment on Azure, you can define custom roles for your Service Principal. These roles allow BOSH to deploy PKS to pre-existing network resources outside of the PKS resource group. For more information, see <a href="https://docs.pivotal.io/pivotalcf/refarch/azure/azure_ref_arch.html#multiple_resource_groups">Multiple Resource Group Deployment</a> in <em>Reference Architecture for Pivotal Cloud Foundry on Azure</em> in the Pivotal Documentation.</p>
For more information about Azure Role-Based Access Control, refer to <a href="https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles">Built-in roles for Azure resources</a> in the Azure documentation.
1. To verify the role assignment, run the following command:
```
az role assignment list --assignee "SERVICE-PRINCIPAL-NAME"
```
Where `SERVICE-PRINCIPAL-NAME` is the value of `Service Principal Names` that you used when you
assigned the role.
For example:
<pre class="terminal">
$ az role assignment list --assignee "abcdef01-ab23-45cd-ef67-8901234abcde"
[
{
"canDelegate": null,
"id": "/subscriptions/995b7eed-77ef-45ff-a5c9-1a405ffb8243/providers/Microsoft.Authorization/roleAssignments/0bd4fa5a-45ed-44ec-acb3-b6bb3538a78d",
"name": "32e644cf-ba1a-4f43-bf7c-68bf4583e463",
"principalId": "cc13c685-4c3b-461e-ae96-7a0563960b83",
"principalName": "http<span>://</span>BOSHAzureCPI",
"roleDefinitionId": "/subscriptions/995b7eed-77ef-45ff-a5c9-1a405ffb8243/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
"roleDefinitionName": "Contributor",
"scope": "/subscriptions/995b7eed-77ef-45ff-a5c9-1a405ffb8243",
"type": "Microsoft.Authorization/roleAssignments"
}
]
</pre>
##<a id="verify-your-service-principal"></a> Step 5: Verify Your Service Principal
To verify your service principal, run the following command:
```
az login --username YOUR-APPLICATION-ID --password CLIENT-SECRET \
--service-principal --tenant TENANT-ID
```
Where:
* `YOUR-APPLICATION-ID` is the `APPLICATION-ID` that you recorded in
[Create an AAD Application](#create-aad).
* `CLIENT-SECRET` is the password that you set in [Create an AAD Application](#create-aad).
* `TENANT-ID` is the `tenantID` that you recorded in
[Set Your Default Subscription](#default-subscription).
For example:
<pre class="terminal">
$ az login --username abcdef01-ab23-45cd-ef67-8901234abcde --password pa55w0rd \
--service-principal --tenant 22222222-1234-5678-1234-678912345678
[
{
"cloudName": "AzureCloud",
"id": "995b7eed-77ef-45ff-a5c9-1a405ffb8243",
"isDefault": true,
"name": "CF-Docs",
"state": "Enabled",
"tenantId": "22222222-1234-5678-1234-678912345678",
"user": {
"name": "abcdef01-ab23-45cd-ef67-8901234abcde",
"type": "servicePrincipal"
}
}
]
</pre>
If you cannot log in, your service principal is invalid. Create a new service principal to try
again.
##<a id='register'></a> Step 6: Register Your Subscriptions
1. To register your subscription with Microsoft.Storage, run the following command:
```
az provider register --namespace Microsoft.Storage
```
1. To register your subscription with Microsoft.Network, run the following command:
```
az provider register --namespace Microsoft.Network
```
1. To register your subscription with Microsoft.Compute, run the following command:
```
az provider register --namespace Microsoft.Compute
```
##<a id='next-steps'></a> Next Steps
After preparing to deploy PKS on Azure, follow the instructions in
[Deploying Ops Manager on Azure](azure-om-deploy.html) to deploy Ops Manager using Terraform.