Azure Permissions #2077

Merged
merged 19 commits into from
Jan 22, 2024
Changes from 14 commits
29 changes: 19 additions & 10 deletions docs/docs-content/clusters/public-cloud/azure/aks.md
Expand Up @@ -125,19 +125,28 @@ The following steps need to be performed to provision a new cluster:
| **Region** | Select a region in Azure in where the cluster should be deployed. |
| **Resource Group** | Select the resource group in which the cluster should be deployed. |
| **SSH Key** | The public SSH key for connecting to the nodes. Review Microsoft's [supported SSH](https://learn.microsoft.com/en-us/azure/virtual-machines/linux/mac-create-ssh-keys#supported-ssh-key-formats) formats. |
| **Static Placement** | By default, Palette uses dynamic placement, wherein a new VPC with a public and private subnet is created to place cluster resources for every cluster. These resources are fully managed by Palette and deleted when the corresponding cluster is deleted. <br /> Turn on the **Static Placement** option if it is desired to place resources into preexisting VPCs and subnets. If the user is making the selection of **Static Placement** of resources, the following placement information needs to be provided:
||**Virtual Resource Group**: The logical container for grouping related Azure resources.
|| **Virtual Network**: Select the virtual network from dropdown menu.
|| **Control plane Subnet**: Select the control plane network from the dropdown menu.
|| **Worker Network**: Select the worker network from the dropdown.
|**Update worker pools in parallel**| Check the box to concurrently update the worker pools.|
| **Static Placement** | By default, Palette uses dynamic placement. This creates a new VNet for the cluster that contains two subnets in different Availability Zones (AZs). Palette places resources in these clusters, manages the resources, and deletes them when the corresponding cluster is deleted.<br /><br />If you want to place resources into a pre-existing VNet, enable the **Static Placement** option, and fill out the input values listed in the [Static Placement](#static-placement-table) table below.|

:::warning

If the Palette [cloud account](azure-cloud.md) is created with **Disable Properties** and the cluster option
**Static Placement** is enabled, the network information from your Azure account will not be imported to Palette. You can manually input the information for the **Control Plane Subnet** and the **Worker Network**.

:::
#### Static Placement Settings

Each subnet allows you to specify the CIDR range and a security group.

| **Parameter** | **Description** |
|------------------------|------------------------------------------------------------|
| **Network Resource Group** | The logical container for grouping related Azure resources. |
| **Virtual Network** | Select the VNet. |
| **CIDR Block** | Select the IP address CIDR range.|
| **Security Group Name** | Select the security group name. |
| **Control Plane Subnet** | Select the control plane subnet. |
| **Worker Subnet** | Select the worker network. |

:::warning

If you enable the **Disable Properties** setting when [registering an Azure cloud account](./azure-cloud.md#add-azure-cloud-account), Palette cannot create network resources on your behalf. In this case, every time you deploy a cluster, you must manually specify their virtual network subnets and security groups,

:::

7. Click **Next** to configure the node pools.

36 changes: 2 additions & 34 deletions docs/docs-content/clusters/public-cloud/azure/azure-cloud.md
Expand Up @@ -15,7 +15,7 @@ Palette supports integration with Azure and [Azure Government](https://azure.mic

* A [Palette](https://console.spectrocloud.com/), or VerteX account. 

* An active [Azure cloud account](https://portal.azure.com/) with sufficient resource limits and permissions to provision compute, network, and security resources in the desired regions.
* An active [Azure cloud account](https://portal.azure.com/) with sufficient resource limits and permissions to provision compute, network, and security resources in the desired regions. Refer to the [Required Permissions](./required-permissions.md) section for more information.

* An [Azure App](https://learn.microsoft.com/en-us/azure/app-service/overview) with valid credentials.

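Review bot: the added sentence links to `./required-permissions.md`, which is not among the files shown in this change set; confirm that page is part of the PR or already on the branch so the link resolves in the built docs. The unchanged line above also carries a stray comma in `A [Palette](...), or VerteX account.`, worth fixing while here.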
Expand Down Expand Up @@ -44,46 +44,14 @@ Use the following steps to add an Azure or Azure Government account in Palette o
|**Client Secret**| Azure secret for authentication. Refer to Microsoft's reference guide for creating a [Client Secret](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#create-an-azure-active-directory-application). |
| **Cloud** | Select **Azure Public Cloud** or **Azure US Government**. |
|**Tenant Name**| An optional tenant name.|
|**Disable Properties**| This option disables Palette importing Azure networking details. Disabling this option requires you to create a Microsoft Entra application and manually obtain account information. To learn more, refer to the [Disable Palette Network Calls to the Account](#disable-palette-network-calls-to-the-account) section below. |
|**Disable Properties**| This option prevents Palette and VerteX from creating Azure Virtual Networks (VNets) and other network resources on your behalf for static placement deployments. If you enable this option, all users must manually specify a pre-existing VNet, subnets, and security groups when creating clusters. |
|**Connect Private Cloud Gateway**| If you will be launching Managed Kubernetes Service (AKS), use the **drop-down Menu** to select a [self-hosted PCG](gateways.md) that you created to link to the cloud account.|

6. After providing the required values, click the **Validate** button. If the client secret you provided is correct, a *Credentials validated* success message with a green check is displayed.

7. Click **Confirm** to complete the registration.


#### Disable Palette Network Calls to Azure Account

<details>
<summary>Expand to learn more about disabling properties.</summary>

When you provide your cloud account information, Azure networking details are sent to Palette unless you disable network calls from Palette to the account. To disable network calls, select the **Disable Properties** option.

Disabling network calls requires that you create a [Microsoft Entra](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal#create-an-azure-active-directory-application) application, which can be used with Role-Based Access Control (RBAC). Follow the summary steps below to create a new Microsoft Entra application, assign roles, and create the client secret.

:::tip
Microsoft Entra replaces the Azure Active Directory (AAD) application. For more information, review the [Microsoft Entra](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal#create-an-azure-active-directory-application) reference guide.
:::


1. Create a new Microsoft Entra application and note down your ClientID and TenantID. Refer to the [Create a Microsoft Entra application and service principal](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#create-an-azure-active-directory-application) reference guide.

2. Next, assign yourself the [User Access Administrator](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#user-access-administrator) role to allow you to manage user access to Azure resources. You need this role assignment to assign the role in step 3. For guidance, refer to [Assign a Role to the Application](https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#assign-a-role-to-the-application).

3. With User Access Administrator privilege, you can now assign yourself the minimum required [Contributor](https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#contributor) role, which grants full access to manage all resources.

To learn about Azure roles, review [Azure Roles, Microsoft Entra Roles, and Administrator Roles](https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles).

4. Create a client secret. Refer to [Create a Client Secret](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal#option-3-create-a-new-client-secret) for guidance.

:::warning

Safely store your client secret, as it will not be available later as plain text.

:::

</details>

## Validate

You can verify your account is added.
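Review bot: removing the **Disable Palette Network Calls to Azure Account** section also removes its anchor, and both the replaced row text and the old cluster-page warning pointed at `#disable-palette-network-calls-to-azure-account`, so grep the docs for any remaining links to it. The new row scopes **Disable Properties** to `static placement deployments`, while the warnings added on the cluster pages say that with the option enabled Palette cannot create network resources at all and users must always supply a pre-existing VNet, subnets and security groups; the two descriptions should agree on whether dynamic placement still works with the option on. The `Safely store your client secret, as it will not be available later as plain text.` warning disappears with the section but still applies, so consider moving it next to the **Client Secret** row. Dropping the steps that called **Contributor** both the `minimum required` role and `full access to manage all resources` in favour of a dedicated Required Permissions page is a sound least-privilege change.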
23 changes: 17 additions & 6 deletions docs/docs-content/clusters/public-cloud/azure/azure.md
Expand Up @@ -20,23 +20,34 @@ Learn how to deploy a cluster to Azure by using Palette. Check out the [Deploy a

To learn more about Palette and Azure cluster creation and its capabilities check out the following resources:

- [Register and Manage Azure Cloud Account](azure-cloud.md)

- [Azure Architecture](architecture.md)

- [Create and Manage IaaS Azure Cluster](create-azure-cluster.md)
- [Cluster Management Day Two Operations](../../cluster-management/cluster-management.md)

- [Cluster Removal](../../cluster-management/remove-clusters.md)

- [Create and Manage Azure AKS Cluster](aks.md)

- [Create and Manage IaaS Azure Cluster](create-azure-cluster.md)

- [Deleting an Azure Cluster](../../cluster-management/remove-clusters.md)

- [Register and Manage Azure Cloud Account](azure-cloud.md)

- [Required Permissions](required-permissions.md)











- [Cluster Management Day Two Operations](../../cluster-management/cluster-management.md)


- [Azure Architecture](architecture.md)


- [Cluster Removal](../../cluster-management/remove-clusters.md)

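Review bot: the reordered list leaves a run of empty lines after the `Required Permissions` entry; trim them so the rendered list does not carry extra whitespace. Also, `Deleting an Azure Cluster` and `Cluster Removal` both point at `../../cluster-management/remove-clusters.md`; if both entries survive this change, drop one of them.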
Expand Up @@ -84,10 +84,10 @@ Use the following steps to deploy an Azure cluster.

If you have custom storage accounts or containers available, you can attach them to the cluster. To learn more about attaching custom storage to a cluster, check out [Azure storage](../azure/architecture.md#azure-storage).

:::warning

If the Azure account is registered with **Disable Properties** and **Static Placement** options enabled, then Palette will not import the network information from your Azure account. You can manually input the information for the **Control Plane Subnet** and the **Worker Network**, but be aware that **drop-down Menu** selections will be empty. To learn more about these settings and certain requirements to use them, refer to [Disable Properties](azure-cloud.md#disable-palette-network-calls-to-azure-account).
:::warning

If you enable the **Disable Properties** setting when [registering an Azure cloud account](./azure-cloud.md#add-azure-cloud-account), Palette cannot create network resources on your behalf. In this case, when creating clusters, you must manually specify their virtual network subnets and security groups.
:::

|**Parameter**| **Description**|
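Review bot: the replacement warning drops the note that the **Control Plane Subnet** and **Worker Network** drop-down menus will be empty when **Disable Properties** is enabled; that is the symptom a user actually sees, so keep a sentence about it. The old link to `azure-cloud.md#disable-palette-network-calls-to-azure-account` is correctly gone since that section is removed in this PR, but the new target `./azure-cloud.md#add-azure-cloud-account` is not visible in this diff, so verify that heading id exists.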
Expand All @@ -98,17 +98,21 @@ Use the following steps to deploy an Azure cluster.
| **Storage Account** | Optionally, if you have a custom storage account available, you can use the **drop-down Menu** to select the storage account name. For information about use cases for custom storage, review [Azure Storage](../azure/architecture.md#azure-storage).|
| **Storage Container**| Optionally, if you will be using a custom storage container, use the **drop-down Menu** to select it. For information about use cases for custom storage, review [Azure Storage](../azure/architecture.md#azure-storage).|
| **SSH Key** | The public SSH key for connecting to the nodes. SSH key pairs must be pre-configured in your Azure environment. The key you select is inserted into the provisioned VMs. For more information, review Microsoft's [Supported SSH key formats](https://learn.microsoft.com/en-us/azure/virtual-machines/linux/mac-create-ssh-keys#supported-ssh-key-formats). |
| **Static Placement** | By default, Palette uses dynamic placement. This creates a new VNet for the cluster that contains two subnets in different Availability Zones (AZs). Palette places resources in these clusters, manages the resources, and deletes them when the corresponding cluster is deleted.<br /><br />If you want to place resources into pre-existing VNets, enable the **Static Placement** option, and fill out the input values listed in the [Static Placement](#static-placement-table) table below.|
| **Static Placement** | By default, Palette uses dynamic placement. This creates a new VNet for clusters with two subnets in different Availability Zones (AZs). Palette places resources in these clusters, manages the resources, and deletes them when the corresponding cluster is deleted.<br /><br />If you want to place resources into a pre-existing VNet, enable the **Static Placement** option, and fill out the input values listed in the [Static Placement](#static-placement-table) table below.|


#### Static Placement Settings

Each subnet allows you to specify the CIDR range and a security group.

| **Parameter** | **Description** |
|------------------------|------------------------------------------------------------|
| **Network Resource Group** | The logical container for grouping related Azure resources. |
| **Virtual Network** | Select the VNet. |
| **CIDR Block** | Select the IP address CIDR range.|
| **Security Group Name** | Select the security group name. |
| **Control Plane Subnet** | Select the control plane subnet. |
| **Worker Network** | Select the worker network. |
| **Worker Subnet** | Select the worker network. |


11. Click **Next** to continue.
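Review bot: the row label changes from **Worker Network** to **Worker Subnet** but its description still reads `Select the worker network.`; update it here and in the matching aks.md row. As in aks.md, the **Static Placement** row links to `#static-placement-table` while the heading added in this hunk is `#### Static Placement Settings`, so the anchor will not resolve. `Palette places resources in these clusters` in the new row reads as if it should be `in these subnets`.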