From 328015ea1316f96b6d03155cfbf8b4c1b4b160b7 Mon Sep 17 00:00:00 2001 From: Reshma Abdul Rahim Date: Tue, 18 Jun 2024 22:02:56 -0400 Subject: [PATCH 01/15] Add workload identity docs Signed-off-by: Reshma Abdul Rahim --- .../providers/aws-provider/_index.md | 7 ++ .../aws-provider/howto-aws-provider/index.md | 68 ++++++++++++++ .../providers/azure-provider/_index.md | 7 ++ .../howto-azure-provider-sp/index.md | 93 +++++++++++++++++++ .../howto-azure-provider-wi/index.md | 78 ++++++++++++++++ 5 files changed, 253 insertions(+) create mode 100644 docs/content/guides/operations/providers/aws-provider/_index.md create mode 100644 docs/content/guides/operations/providers/aws-provider/howto-aws-provider/index.md create mode 100644 docs/content/guides/operations/providers/azure-provider/_index.md create mode 100644 docs/content/guides/operations/providers/azure-provider/howto-azure-provider-sp/index.md create mode 100644 docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md diff --git a/docs/content/guides/operations/providers/aws-provider/_index.md b/docs/content/guides/operations/providers/aws-provider/_index.md new file mode 100644 index 000000000..f2cff4861 --- /dev/null +++ b/docs/content/guides/operations/providers/aws-provider/_index.md @@ -0,0 +1,7 @@ +--- +type: docs +title: "AWS provider" +linkTitle: "AWS provider" +description: "Deploy and connect to AWS resources" +weight: 300 +--- \ No newline at end of file diff --git a/docs/content/guides/operations/providers/aws-provider/howto-aws-provider/index.md b/docs/content/guides/operations/providers/aws-provider/howto-aws-provider/index.md new file mode 100644 index 000000000..be46a7acd --- /dev/null +++ b/docs/content/guides/operations/providers/aws-provider/howto-aws-provider/index.md 
@@ -0,0 +1,68 @@ +--- +type: docs +title: "How-To: Configure the AWS cloud provider with IAM Access key" +linkTitle: "AWS provider with IAM Access key" +description: "Learn how to configure the AWS provider with IAM Access key for your Radius Environment" +weight: 300 +categories: "How-To" +tags: ["AWS"] +--- + +The AWS provider allows you to deploy and connect to AWS resources from a Radius Environment on an EKS cluster. It can be configured: + +- [Interactively via `rad init`](#interactive-configuration) +- [Manually via `rad env update` and `rad credential register`](#manual-configuration) + +## Prerequisites + +- [AWS account](https://aws.amazon.com/premiumsupport/knowledge-center/create-and-activate-aws-account) and an [IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started_create-admin-group.html) +- [rad CLI]({{< ref "installation#step-1-install-the-rad-cli" >}}) + +## Interactive configuration + +1. Initialize a new environment with [`rad init --full`]({{< ref rad_init >}}): + + ```bash + rad init --full + ``` + +1. Follow the prompts, specifying: + - **Namespace** - The Kubernetes namespace where your application containers and networking resources will be deployed (different than the Radius control-plane namespace, `radius-system`). + - **Add an AWS provider** - Enter your IAM access key and secret key and pick a region to deploy your AWS resources to. + - **Environment name** - The name of the environment to create. + + You should see the following output: + + ``` + Initializing Radius... + + ✅ Install Radius {{< param version >}} + - Kubernetes cluster: k3d-k3s-default + - Kubernetes namespace: radius-system + - AWS IAM access key ID: **** + ✅ Create new environment default + - Kubernetes namespace: default + - AWS: account ***** and region: us-west-2 + ✅ Scaffold application samples + ✅ Update local configuration + + Initialization complete! Have a RAD time 😎 + ``` + +## Manual configuration + +1. 
Update your Radius Environment with your AWS region and AWS account ID: + + ```bash + rad env update myEnvironment --aws-region myAwsRegion --aws-account-id myAwsAccountId + ``` + + This command updates the configuration of an environment for properties that are able to be changed. For more information visit [`rad env update`]({{< ref rad_env_update >}}) + +1. Add your AWS cloud provider credentials: + + ```bash + rad credential register aws --access-key-id myAccessKeyId --secret-access-key mySecretAccessKey + ``` + + For more information on the command arguments visit [`rad credential register aws`]({{< ref rad_credential_register_aws >}}) diff --git a/docs/content/guides/operations/providers/azure-provider/_index.md b/docs/content/guides/operations/providers/azure-provider/_index.md new file mode 100644 index 000000000..736c13205 --- /dev/null +++ b/docs/content/guides/operations/providers/azure-provider/_index.md @@ -0,0 +1,7 @@ +--- +type: docs +title: "Azure provider" +linkTitle: "Azure providers" +description: "Deploy and connect to Azure resources" +weight: 200 +--- \ No newline at end of file diff --git a/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-sp/index.md b/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-sp/index.md new file mode 100644 index 000000000..681afcf22 --- /dev/null +++ b/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-sp/index.md 
@@ -0,0 +1,93 @@ +--- +type: docs +title: "How-To: Configure the Azure cloud provider with Service Principal" +linkTitle: "Azure provider with Service Principal" +description: "Learn how to configure the Azure provider with Service Principal for your Radius Environment" +weight: 100 +categories: "How-To" +tags: ["Azure"] +--- + +The Azure provider allows you to deploy and connect to Azure resources from a self-hosted Radius Environment. It can be configured: + +- [Interactively via `rad init`](#interactive-configuration) +- [Manually via `rad env update` and `rad credential register`](#manual-configuration) + +## Prerequisites + +- [Azure subscription](https://azure.com) +- [az CLI](https://aka.ms/azcli) +- [rad CLI]({{< ref "installation#step-1-install-the-rad-cli" >}}) + +## Interactive configuration + +1. Initialize a new environment with [`rad init --full`]({{< ref rad_init >}}): + + ```bash + rad init --full + ``` + +1. Follow the prompts, specifying: + - **Namespace** - The Kubernetes namespace where your application containers and networking resources will be deployed (different than the Radius control-plane namespace, `radius-system`) + - **Add an Azure provider** + 1. Pick the subscription and resource group to deploy your Azure resources to + 2. Select the service principal option + 3. Run `az ad sp create-for-rbac` to create a Service Principal without a role assignment and obtain your `appId`, `displayName`, `password`, and `tenant` information. + + ``` + { + "appId": "****", + "displayName": "****", + "password": "****", + "tenant": "****" + } + ``` + Enter the `appId`, `password`, and `tenant` information when prompted. + + - **Environment name** - The name of the environment to create + + You should see the following output: + + ``` + Initializing Radius... 
+ + ✅ Install Radius {{< param version >}} + - Kubernetes cluster: k3d-k3s-default + - Kubernetes namespace: radius-system + - Azure service principal: **** + ✅ Create new environment default + - Kubernetes namespace: default + - Azure: subscription ***** and resource group *** + ✅ Scaffold application samples + ✅ Update local configuration + + Initialization complete! Have a RAD time 😎 + ``` + +## Manual configuration + +1. Use [`rad env update`]({{< ref rad_env_update >}}) to update your Radius Environment with your Azure subscription ID and Azure resource group: + + ```bash + rad env update myEnvironment --azure-subscription-id myAzureSubscriptionId --azure-resource-group myAzureResourceGroup + ``` + +1. Run `az ad sp create-for-rbac` to create a Service Principal without a role assignment and obtain your `appId`, `displayName`, `password`, and `tenant` information. + + ``` + { + "appId": "****", + "displayName": "****", + "password": "****", + "tenant": "****" + } + ``` + + +1. Use [`rad credential register azure`]({{< ref rad_credential_register_azure >}}) to add the Azure service principal to your Radius installation: + + ```bash + rad credential register azure sp --client-id myClientId --client-secret myClientSecret --tenant-id myTenantId + ``` + + Radius will use the provided service principal for all interactions with Azure, including Bicep and Recipe deployments. diff --git a/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md b/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md new file mode 100644 index 000000000..9b321fa46 --- /dev/null +++ b/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md 
@@ -0,0 +1,78 @@ +--- +type: docs +title: "How-To: Configure the Azure cloud provider with Workload identity" +linkTitle: "Azure provider with Workload identity" +description: "Learn how to configure the Azure provider with Workload identity for your Radius Environment" +weight: 200 +categories: "How-To" +tags: ["Azure"] +--- + +The Azure provider allows you to deploy and connect to Azure resources from a self-hosted Radius Environment. It can be configured: + +- [Interactively via `rad init`](#interactive-configuration) +- [Manually via `rad env update` and `rad credential register`](#manual-configuration) + +## Prerequisites + +- [Azure subscription](https://azure.com) +- [az CLI](https://aka.ms/azcli) +- [rad CLI]({{< ref "installation#step-1-install-the-rad-cli" >}}) +- [Setup a supported Kubernetes cluster]({{< ref "/guides/operations/kubernetes/overview#supported-clusters" >}}) +- [Azure AD Workload Identity](https://azure.github.io/azure-workload-identity/docs/installation.html) installed in your cluster, including the [Mutating Admission Webhook](https://azure.github.io/azure-workload-identity/docs/installation/mutating-admission-webhook.html) +- Create an app registration at Microsoft Entra ID +- Configure the federated credential for Radius components to deploy Azure resources following the script [here](insertscript) or manually configure the federated credential following the steps [here](https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation-create-trust?pivots=identity-wif-apps-methods-azp#kubernetes) + | Cluster Issuer URL | Service account name | Namespace | name | + |---------------------|----------------------|-----------|------| + | | | | | + + +## Interactive configuration + +1. Initialize a new environment with [`rad init --full`]({{< ref rad_init >}}): + + ```bash + rad init --full + ``` + +1. 
Follow the prompts, specifying: + - **Namespace** - The Kubernetes namespace where your application containers and networking resources will be deployed (different than the Radius control-plane namespace, `radius-system`) + - **Add an Azure provider** + 1. Pick the subscription and resource group to deploy your Azure resources to. + 2. Select the workload identity option + 3. Enter the `appId` of the Entra ID Application + - **Environment name** - The name of the environment to create + + You should see the following output: + + ``` + Initializing Radius... + + ✅ Install Radius {{< param version >}} + - Kubernetes cluster: k3d-k3s-default + - Kubernetes namespace: radius-system + - Azure workload identity: **** + ✅ Create new environment default + - Kubernetes namespace: default + - Azure: subscription ***** and resource group *** + ✅ Scaffold application samples + ✅ Update local configuration + + Initialization complete! Have a RAD time 😎 + ``` + +## Manual configuration + +1. Use [`rad env update`]({{< ref rad_env_update >}}) to update your Radius Environment with your Azure subscription ID and Azure resource group: + + ```bash + rad env update myEnvironment --azure-subscription-id myAzureSubscriptionId --azure-resource-group myAzureResourceGroup + ``` + +1. Use [`rad credential register azure`]({{< ref rad_credential_register_azure >}}) to add the Workload identity to the Radius Environment: + + ```bash + rad credential register azure wi --client-id myClientId --tenant-id myTenantId + ``` + + Radius will use the provided client-id for all interactions with Azure, including Bicep and Recipe deployments. From a035c9d9c02735ad4a0b0c05b73d7bf4419cdbe2 Mon Sep 17 00:00:00 2001 From: Reshma Abdul Rahim Date: Tue, 18 Jun 2024 22:10:02 -0400 Subject: [PATCH 02/15] Add workload identity docs 
Signed-off-by: Reshma Abdul Rahim --- .../aws/howto-aws-resources/index.md | 2 +- .../guides/author-apps/aws/overview/index.md | 2 +- .../author-apps/azure/overview/index.md | 2 +- .../environments/howto-environment/index.md | 4 +- .../providers/howto-aws-provider/index.md | 68 -------------- .../providers/howto-azure-provider/index.md | 91 ------------------- .../operations/providers/overview/index.md | 11 ++- .../tutorials/tutorial-recipe/index.md | 4 +- 8 files changed, 13 insertions(+), 171 deletions(-) delete mode 100644 docs/content/guides/operations/providers/howto-aws-provider/index.md delete mode 100644 docs/content/guides/operations/providers/howto-azure-provider/index.md diff --git a/docs/content/guides/author-apps/aws/howto-aws-resources/index.md b/docs/content/guides/author-apps/aws/howto-aws-resources/index.md index d915c28ec..a4e9abf5b 100644 --- a/docs/content/guides/author-apps/aws/howto-aws-resources/index.md +++ b/docs/content/guides/author-apps/aws/howto-aws-resources/index.md 
@@ -49,7 +49,7 @@ Follow the prompts to install the [control plane services]({{< ref "/concepts/te - **Namespace** - When an application is deployed, this is the namespace where your containers and other Kubernetes resources will be run. By default, this will be in the `default` namespace. {{% alert title="💡 About namespaces" color="success" %}} When you initialize a Radius Kubernetes environment, Radius installs the control plane resources within the `radius-system` namespace in your cluster, separate from your applications. The namespace specified in this step will be used for your application deployments. {{% /alert %}} -- **Add AWS provider** - An [AWS cloud provider]({{< ref "/guides/operations/providers/howto-aws-provider" >}}) allows you to deploy and manage AWS resources as part of your application. Enter 'y' and follow the instructions. Provide a valid AWS region and the values obtained for IAM Access Key ID and IAM Secret Access Keys. +- **Add AWS provider** - An [AWS cloud provider]({{< ref "/guides/operations/providers/aws-provider" >}}) allows you to deploy and manage AWS resources as part of your application. Follow the how-to guides to configure the AWS provider with the preferred identity. - **Environment name** - The name of the environment to create. You can specify any name with lowercase letters, such as `myawsenv`. ## Step 3: Create a Bicep file to model AWS Simple Storage Service (S3) diff --git a/docs/content/guides/author-apps/aws/overview/index.md b/docs/content/guides/author-apps/aws/overview/index.md index 71a3743ea..f4712d83e 100644 --- a/docs/content/guides/author-apps/aws/overview/index.md +++ b/docs/content/guides/author-apps/aws/overview/index.md 
@@ -14,7 +14,7 @@ Radius uses the [AWS Cloud Control API](https://docs.aws.amazon.com/cloudcontrol ## Configure an AWS Provider -The AWS provider allows you to deploy and connect to AWS resources from a Radius Environment on an EKS cluster. To configure an AWS provider, you can follow the documentation [here]({{< ref "/guides/operations/providers/howto-aws-provider" >}}). +The AWS provider allows you to deploy and connect to AWS resources from a Radius Environment on an EKS cluster. To configure an AWS provider, you can follow the documentation [here]({{< ref "/guides/operations/providers/aws-provider" >}}). ## Example diff --git a/docs/content/guides/author-apps/azure/overview/index.md b/docs/content/guides/author-apps/azure/overview/index.md index 1c944603b..ae03c5306 100644 --- a/docs/content/guides/author-apps/azure/overview/index.md +++ b/docs/content/guides/author-apps/azure/overview/index.md @@ -12,7 +12,7 @@ Radius Applications are able to connect to and leverage every Azure resource wit ## Configure an Azure Provider -The Azure provider allows you to deploy and connect to Azure resources from a Radius Environment on any of the [supported clusters]({{< ref "/guides/operations/kubernetes/overview#supported-clusters" >}}). To configure an Azure provider, you can follow the documentation [here]({{< ref "/guides/operations/providers/howto-azure-provider" >}}). +The Azure provider allows you to deploy and connect to Azure resources from a Radius Environment on any of the [supported clusters]({{< ref "/guides/operations/kubernetes/overview#supported-clusters" >}}). To configure an Azure provider, you can follow the documentation [here]({{< ref "/guides/operations/providers/azure-provider" >}}). ## Resource library diff --git a/docs/content/guides/deploy-apps/environments/howto-environment/index.md b/docs/content/guides/deploy-apps/environments/howto-environment/index.md index b86fe8f1f..9c5dcbf98 100644 
--- a/docs/content/guides/deploy-apps/environments/howto-environment/index.md +++ b/docs/content/guides/deploy-apps/environments/howto-environment/index.md @@ -83,8 +83,8 @@ Radius Environments can be setup with the rad CLI via two paths: interactive or 1. Follow the prompts, specifying: - **Namespace** - The Kubernetes namespace where your application containers and networking resources will be deployed (different than the Radius control-plane namespace, `radius-system`) - - **Azure provider** (optional) - Allows you to [deploy and manage Azure resources]({{< ref "/guides/operations/providers/howto-azure-provider" >}}) - - **AWS provider** (optional) - Allows you to [deploy and manage AWS resources]({{< ref "/guides/operations/providers/howto-aws-provider" >}}) + - **Azure provider** (optional) - Allows you to [deploy and manage Azure resources]({{< ref "/guides/operations/providers/azure-provider" >}}) + - **AWS provider** (optional) - Allows you to [deploy and manage AWS resources]({{< ref "/guides/operations/providers/aws-provider" >}}) - **Environment name** - The name of the environment to create You should see the following output: diff --git a/docs/content/guides/operations/providers/howto-aws-provider/index.md b/docs/content/guides/operations/providers/howto-aws-provider/index.md deleted file mode 100644 index e61f19ad2..000000000 --- a/docs/content/guides/operations/providers/howto-aws-provider/index.md +++ /dev/null 
@@ -1,68 +0,0 @@ ---- -type: docs -title: "How-To: Configure the AWS cloud provider" -linkTitle: "Configure AWS provider" -description: "Learn how to configure the AWS provider for your Radius Environment" -weight: 300 -categories: "How-To" -tags: ["AWS"] ---- - -The AWS provider allows you to deploy and connect to AWS resources from a Radius Environment on an EKS cluster. It can be configured: - -- [Interactively via `rad init`](#interactive-configuration) -- [Manually via `rad env update` and `rad credential register`](#manual-configuration) - -## Prerequisites - -- [AWS account](https://aws.amazon.com/premiumsupport/knowledge-center/create-and-activate-aws-account) and an [IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/getting-started_create-admin-group.html) -- [rad CLI]({{< ref "installation#step-1-install-the-rad-cli" >}}) - -## Interactive configuration - -1. Initialize a new environment with [`rad init --full`]({{< ref rad_init >}}): - - ```bash - rad init --full - ``` - -1. Follow the prompts, specifying: - - **Namespace** - The Kubernetes namespace where your application containers and networking resources will be deployed (different than the Radius control-plane namespace, `radius-system`). - - **Add an AWS provider** - Enter your IAM access key and secret key and pick a region to deploy your AWS resources to. - - **Environment name** - The name of the environment to create. - - You should see the following output: - - ``` - Initializing Radius... - - ✅ Install Radius {{< param version >}} - - Kubernetes cluster: k3d-k3s-default - - Kubernetes namespace: radius-system - - AWS IAM access key ID: **** - ✅ Create new environment default - - Kubernetes namespace: default - - AWS: account ***** and region: us-west-2 - ✅ Scaffold application samples - ✅ Update local configuration - - Initialization complete! Have a RAD time 😎 - ``` - -## Manual configuration - -1. 
Update your Radius Environment with your AWS region and AWS account ID: - - ```bash - rad env update myEnvironment --aws-region myAwsRegion --aws-account-id myAwsAccountId - ``` - - This command updates the configuration of an environment for properties that are able to be changed. For more information visit [`rad env update`]({{< ref rad_env_update >}}) - -1. Add your AWS cloud provider credentials: - - ```bash - rad credential register aws --access-key-id myAccessKeyId --secret-access-key mySecretAccessKey - ``` - - For more information on the command arguments visit [`rad credential register aws`]({{< ref rad_credential_register_aws >}}) diff --git a/docs/content/guides/operations/providers/howto-azure-provider/index.md b/docs/content/guides/operations/providers/howto-azure-provider/index.md deleted file mode 100644 index d55b95f9b..000000000 --- a/docs/content/guides/operations/providers/howto-azure-provider/index.md +++ /dev/null 
@@ -1,91 +0,0 @@ ---- -type: docs -title: "How-To: Configure the Azure cloud provider" -linkTitle: "Configure Azure provider" -description: "Learn how to configure the Azure provider for your Radius Environment" -weight: 200 -categories: "How-To" -tags: ["Azure"] ---- - -The Azure provider allows you to deploy and connect to Azure resources from a self-hosted Radius Environment. It can be configured: - -- [Interactively via `rad init`](#interactive-configuration) -- [Manually via `rad env update` and `rad credential register`](#manual-configuration) - -## Prerequisites - -- [Azure subscription](https://azure.com) -- [az CLI](https://aka.ms/azcli) -- [rad CLI]({{< ref "installation#step-1-install-the-rad-cli" >}}) - -## Interactive configuration - -1. Initialize a new environment with [`rad init --full`]({{< ref rad_init >}}): - - ```bash - rad init --full - ``` - -1. Follow the prompts, specifying: - - **Namespace** - The Kubernetes namespace where your application containers and networking resources will be deployed (different than the Radius control-plane namespace, `radius-system`) - - **Add an Azure provider** - Pick the subscription and resource group to deploy your Azure resources to - Run `az ad sp create-for-rbac` to create a Service Principal without a role assignment and obtain your `appId`, `displayName`, `password`, and `tenant` information. - - ``` - { - "appId": "****", - "displayName": "****", - "password": "****", - "tenant": "****" - } - ``` - Enter the `appId`, `password`, and `tenant` information when prompted. - - - **Environment name** - The name of the environment to create - - You should see the following output: - - ``` - Initializing Radius... 
- - ✅ Install Radius {{< param version >}} - - Kubernetes cluster: k3d-k3s-default - - Kubernetes namespace: radius-system - - Azure service principal: **** - ✅ Create new environment default - - Kubernetes namespace: default - - Azure: subscription ***** and resource group *** - ✅ Scaffold application samples - ✅ Update local configuration - - Initialization complete! Have a RAD time 😎 - ``` - -## Manual configuration - -1. Use [`rad env update`]({{< ref rad_env_update >}}) to update your Radius Environment with your Azure subscription ID and Azure resource group: - - ```bash - rad env update myEnvironment --azure-subscription-id myAzureSubscriptionId --azure-resource-group myAzureResourceGroup - ``` - -1. Run `az ad sp create-for-rbac` to create a Service Principal without a role assignment and obtain your `appId`, `displayName`, `password`, and `tenant` information. - - ``` - { - "appId": "****", - "displayName": "****", - "password": "****", - "tenant": "****" - } - ``` - - -1. Use [`rad credential register azure`]({{< ref rad_credential_register_azure >}}) to add the Azure service principal to your Radius installation: - - ```bash - rad credential register azure --client-id myClientId --client-secret myClientSecret --tenant-id myTenantId - ``` - - Radius will use the provided service principal for all interactions with Azure, including Bicep and Recipe deployments. diff --git a/docs/content/guides/operations/providers/overview/index.md b/docs/content/guides/operations/providers/overview/index.md index db27875e2..d2d2c4790 100644 --- a/docs/content/guides/operations/providers/overview/index.md +++ b/docs/content/guides/operations/providers/overview/index.md 
@@ -12,9 +12,10 @@ Radius cloud providers allow you to deploy and connect to cloud resources across {{< image src="providers-overview.png" alt="Diagram of cloud resources getting forwarded to cloud platforms upon deployment" width="800px" >}} -## Supported cloud providers +## Supported cloud providers and identities -| Provider | Description | -|----------|-------------| -| [Microsoft Azure]({{< ref howto-azure-provider >}}) | Deploy and connect to Azure resources | -| [Amazon Web Services]({{< ref howto-aws-provider >}}) | Deploy and connect to AWS resources | +| Provider | Identity | Description | +|----------|----------|-------------| +| [Microsoft Azure]({{< ref azure-provider >}}) | [Service Principal](https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals?tabs=browser) | Deploy and connect to Azure resources using Service Principal | +| | [Workload Identity](https://learn.microsoft.com/en-us/entra/workload-id/workload-identities-overview) | Deploy and connect to Azure resources using Workload Identity | +| [Amazon Web Services]({{< ref aws-provider >}}) | [IAM access Key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) | Deploy and connect to AWS resources using IAM Access Key | diff --git a/docs/content/tutorials/tutorial-recipe/index.md b/docs/content/tutorials/tutorial-recipe/index.md index 23ff53618..fe2deabd2 100644 --- a/docs/content/tutorials/tutorial-recipe/index.md +++ b/docs/content/tutorials/tutorial-recipe/index.md 
@@ -154,7 +154,7 @@ This step requires an Azure subscription or an AWS account to deploy cloud resou ``` 1. Manually add the Azure cloud provider to your Radius Environment - Follow the steps [here]({{< ref "howto-azure-provider#manual-configuration" >}}) to add the Azure cloud provider to your existing environment. + Follow the how-to-guides [here]({{< ref "azure-provider" >}}) to add the Azure cloud provider to your existing environment. 1. Register the Recipe to your Radius Environment: @@ -229,7 +229,7 @@ This step requires an Azure subscription or an AWS account to deploy cloud resou 1. Manually add the AWS cloud provider to your Radius Environment - Follow the steps [here]({{< ref "howto-aws-provider#manual-configuration" >}}) to add the AWS cloud provider to your existing environment + Follow the steps [here]({{< ref "aws-provider" >}}) to add the AWS cloud provider to your existing environment 1. Register the Recipe to your Radius Environment: From 0e1854e93159c38ba5a936c75f829a1c2bcb14a2 Mon Sep 17 00:00:00 2001 From: willdavsmith Date: Thu, 20 Jun 2024 13:51:06 -0700 Subject: [PATCH 03/15] Updating with wi script Signed-off-by: willdavsmith --- .../howto-azure-provider-wi/index.md | 122 ++++++++++++++++-- 1 file changed, 109 insertions(+), 13 deletions(-) diff --git a/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md b/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md index 9b321fa46..bac2765c3 100644 --- a/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md +++ b/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md 
@@ -1,8 +1,8 @@ --- type: docs -title: "How-To: Configure the Azure cloud provider with Workload identity" +title: "How-To: Configure the Azure cloud provider with Azure workload identity" linkTitle: "Azure provider with Workload identity" -description: "Learn how to configure the Azure provider with Workload identity for your Radius Environment" +description: "Learn how to configure the Azure provider with Azure workload identity for your Radius Environment" weight: 200 categories: "How-To" tags: ["Azure"] 
@@ -19,13 +19,94 @@ The Azure provider allows you to deploy and connect to Azure resources from a se - [az CLI](https://aka.ms/azcli) - [rad CLI]({{< ref "installation#step-1-install-the-rad-cli" >}}) - [Setup a supported Kubernetes cluster]({{< ref "/guides/operations/kubernetes/overview#supported-clusters" >}}) + - You will need the cluster's OIDC Issuer URL. [AKS Example](https://azure.github.io/azure-workload-identity/docs/installation/managed-clusters.html#azure-kubernetes-service-aks) - [Azure AD Workload Identity](https://azure.github.io/azure-workload-identity/docs/installation.html) installed in your cluster, including the [Mutating Admission Webhook](https://azure.github.io/azure-workload-identity/docs/installation/mutating-admission-webhook.html) -- Create an app registration at Microsoft Entra ID -- Configure the federated credential for Radius components to deploy Azure resources following the script [here](insertscript) or manually configure the federated credential following the steps [here](https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation-create-trust?pivots=identity-wif-apps-methods-azp#kubernetes) - | Cluster Issuer URL | Service account name | Namespace | name | - |---------------------|----------------------|-----------|------| - | | | | | - +- [Entra ID Application Registration with federated credentials]() + +## Setup + +### install-radius-azwi.sh +```sh +if [ "$#" -ne 3 ]; then + echo "Usage: $0 " + exit 1 +fi + +export AKS_CLUSTER_NAME=$1 +export AZURE_RESOURCE_GROUP=$2 +export AZURE_SUBSCRIPTION_ID=$3 + +# Prereqs: az CLI, AKS cluster with OIDC issuer enabled +# az extension add --name aks-preview +# az aks update -g "${AZURE_RESOURCE_GROUP}" -n "${AKS_CLUSTER_NAME}" --enable-oidc-issuer + + +export AZURE_TENANT_ID="$(az account show -s "${AZURE_SUBSCRIPTION_ID}" --query tenantId -otsv)" +helm repo add azure-workload-identity https://azure.github.io/azure-workload-identity/charts +helm repo update +helm 
install workload-identity-webhook azure-workload-identity/workload-identity-webhook \ + --namespace azure-workload-identity-system \ + --create-namespace \ + --set azureTenantID="${AZURE_TENANT_ID}" + +# Get the OIDC issuer URL for the AKS cluster +export SERVICE_ACCOUNT_ISSUER=$(az aks show --resource-group "${AZURE_RESOURCE_GROUP}" --name "${AKS_CLUSTER_NAME}" --query "oidcIssuerProfile.issuerUrl" -otsv) + +# Create the Entra ID Application +export APPLICATION_NAME="${AKS_CLUSTER_NAME}-radius-app" +az ad app create --display-name "${APPLICATION_NAME}" + +# Get the client ID and object ID of the application +export APPLICATION_CLIENT_ID="$(az ad app list --display-name "${APPLICATION_NAME}" --query [].appId -o tsv)" +export APPLICATION_OBJECT_ID="$(az ad app show --id "${APPLICATION_CLIENT_ID}" --query id -otsv)" + +# Create the applications-rp federated credential for the application +cat < params-applications-rp.json +{ + "name": "radius-applications-rp", + "issuer": "${SERVICE_ACCOUNT_ISSUER}", + "subject": "system:serviceaccount:radius-system:applications-rp", + "description": "Kubernetes service account federated credential for applications-rp", + "audiences": [ + "api://AzureADTokenExchange" + ] +} +EOF +az ad app federated-credential create --id "${APPLICATION_OBJECT_ID}" --parameters @params-applications-rp.json + +# Create the bicep-de federated credential for the application +cat < params-bicep-de.json +{ + "name": "radius-bicep-de", + "issuer": "${SERVICE_ACCOUNT_ISSUER}", + "subject": "system:serviceaccount:radius-system:bicep-de", + "description": "Kubernetes service account federated credential for bicep-de", + "audiences": [ + "api://AzureADTokenExchange" + ] +} +EOF +az ad app federated-credential create --id "${APPLICATION_OBJECT_ID}" --parameters @params-bicep-de.json + +# Create the ucp federated credential for the application +cat < params-ucp.json +{ + "name": "radius-ucp", + "issuer": "${SERVICE_ACCOUNT_ISSUER}", + "subject": 
"system:serviceaccount:radius-system:ucp", + "description": "Kubernetes service account federated credential for ucp", + "audiences": [ + "api://AzureADTokenExchange" + ] +} +EOF +az ad app federated-credential create --id "${APPLICATION_OBJECT_ID}" --parameters @params-ucp.json + +# Set the permissions for the application +az ad sp create --id ${APPLICATION_CLIENT_ID} +az role assignment create --assignee "${APPLICATION_CLIENT_ID}" --role "Owner" --scope "/subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${AZURE_RESOURCE_GROUP}" + +``` ## Interactive configuration @@ -39,8 +120,8 @@ The Azure provider allows you to deploy and connect to Azure resources from a se - **Namespace** - The Kubernetes namespace where your application containers and networking resources will be deployed (different than the Radius control-plane namespace, `radius-system`) - **Add an Azure provider** 1. Pick the subscription and resource group to deploy your Azure resources to. - 2. Select the workload identity option - 3. Enter the `appId` of the Entra ID Application + 2. Select the "Workload Identity" option + 3. Enter the `appId` and the `tenantID` of the Entra ID Application - **Environment name** - The name of the environment to create You should see the following output: @@ -51,7 +132,8 @@ The Azure provider allows you to deploy and connect to Azure resources from a se ✅ Install Radius {{< param version >}} - Kubernetes cluster: k3d-k3s-default - Kubernetes namespace: radius-system - - Azure workload identity: **** + - Azure credential: WorkloadIdentity + - Client ID: ********** ✅ Create new environment default - Kubernetes namespace: default - Azure: subscription ***** and resource group *** 
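Review bot: The three `cat < params-*.json` lines in the install script hunk do not write the files the following `az ad app federated-credential create --parameters @params-*.json` calls read: as written, `cat < params-applications-rp.json` redirects stdin from a file that does not exist yet, and the JSON lines after it would be run as shell commands before the `EOF` line is reached. The `EOF` terminator only makes sense with a heredoc that writes the file, i.e. `cat <<EOF > params-applications-rp.json`. Three further points in the same hunk: the usage line, as it reads here, is `echo "Usage: $0 "` with no parameter names, so a caller gets no hint of the expected order (cluster name, resource group, subscription ID); `az role assignment create ... --role "Owner"` lets the application assign roles to others within the resource group, which deploying resources does not require, so Contributor (or a custom role limited to what Radius deploys) is the least-privilege default and Owner should be an explicit, documented choice; and `az ad app list --display-name ... --query [].appId` can return several IDs when display names collide, so `APPLICATION_CLIENT_ID` is better captured from the `az ad app create` output itself (`--query appId -o tsv`). A `set -euo pipefail` at the top would also stop the script from continuing with an empty `APPLICATION_OBJECT_ID` after a failed `az ad app create`.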
@@ -63,16 +145,30 @@ The Azure provider allows you to deploy and connect to Azure resources from a se ## Manual configuration + +1. Use [`rad install kubernetes`]({{< ref rad_install_kubernetes >}}) to install Radius with Azure workload identity enabled: + + ```bash + rad install kubernetes --set global.azureWorkloadIdentity.enabled=true + ``` + +1. Create your resource group and environment: + + ```bash + rad group create default + rad env create default + ``` + 1. Use [`rad env update`]({{< ref rad_env_update >}}) to update your Radius Environment with your Azure subscription ID and Azure resource group: ```bash rad env update myEnvironment --azure-subscription-id myAzureSubscriptionId --azure-resource-group myAzureResourceGroup ``` -1. Use [`rad credential register azure`]({{< ref rad_credential_register_azure >}}) to add the Workload identity to the Radius Environment: +1. Use [`rad credential register azure wi`]({{< ref rad_credential_register_azure_wi >}}) to add the Azure workload identity credentials: ```bash - rad credential register azure wi --client-id myClientId --tenant-id myTenantId + rad credential register azure wi --client-id myClientId --tenant-id myTenantId ``` Radius will use the provided client-id for all interactions with Azure, including Bicep and Recipe deployments. From d5b0514c3dd83fe5d962c6852e523bb615095ba0 Mon Sep 17 00:00:00 2001 From: willdavsmith Date: Thu, 20 Jun 2024 15:55:33 -0700 Subject: [PATCH 04/15] oops Signed-off-by: willdavsmith --- .../howto-azure-provider-wi/index.md | 31 ++++++------------- 1 file changed, 9 insertions(+), 22 deletions(-) diff --git a/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md b/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md index bac2765c3..125ad13f0 100644 --- a/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md 
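Review bot: The new step in the manual-configuration hunk creates the environment as `default` (`rad env create default`), but the unchanged step that follows updates `myEnvironment` (`rad env update myEnvironment ...`); a reader following the page literally gets an unknown-environment error, so use one name in both commands or say that the placeholder must match the name created above. It would also help to state, next to `--set global.azureWorkloadIdentity.enabled=true`, that this flag is the precondition for the later `rad credential register azure wi` step: without it the registered client ID and tenant ID have nothing to exchange a token against, and the failure surfaces only at deployment time.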
+++ b/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md 
@@ -21,39 +21,25 @@ The Azure provider allows you to deploy and connect to Azure resources from a se - [Setup a supported Kubernetes cluster]({{< ref "/guides/operations/kubernetes/overview#supported-clusters" >}}) - You will need the cluster's OIDC Issuer URL. [AKS Example](https://azure.github.io/azure-workload-identity/docs/installation/managed-clusters.html#azure-kubernetes-service-aks) - [Azure AD Workload Identity](https://azure.github.io/azure-workload-identity/docs/installation.html) installed in your cluster, including the [Mutating Admission Webhook](https://azure.github.io/azure-workload-identity/docs/installation/mutating-admission-webhook.html) -- [Entra ID Application Registration with federated credentials]() ## Setup +To authorize Radius with Azure using Azure workload identity, you should set up an Entra ID Application with access to your resource group of choosing and 3 federated credentials (one for each of the Radius services). Below is an example script that will create an Entra ID Application and set up the federated credentials necessary for Radius to authenticate with Azure using Azure workload identity. 
+ ### install-radius-azwi.sh ```sh -if [ "$#" -ne 3 ]; then - echo "Usage: $0 " +if [ "$#" -ne 4 ]; then + echo "Usage: $0 " exit 1 fi -export AKS_CLUSTER_NAME=$1 +export K8S_CLUSTER_NAME=$1 export AZURE_RESOURCE_GROUP=$2 export AZURE_SUBSCRIPTION_ID=$3 - -# Prereqs: az CLI, AKS cluster with OIDC issuer enabled -# az extension add --name aks-preview -# az aks update -g "${AZURE_RESOURCE_GROUP}" -n "${AKS_CLUSTER_NAME}" --enable-oidc-issuer - - -export AZURE_TENANT_ID="$(az account show -s "${AZURE_SUBSCRIPTION_ID}" --query tenantId -otsv)" -helm repo add azure-workload-identity https://azure.github.io/azure-workload-identity/charts -helm repo update -helm install workload-identity-webhook azure-workload-identity/workload-identity-webhook \ - --namespace azure-workload-identity-system \ - --create-namespace \ - --set azureTenantID="${AZURE_TENANT_ID}" - -# Get the OIDC issuer URL for the AKS cluster -export SERVICE_ACCOUNT_ISSUER=$(az aks show --resource-group "${AZURE_RESOURCE_GROUP}" --name "${AKS_CLUSTER_NAME}" --query "oidcIssuerProfile.issuerUrl" -otsv) +export SERVICE_ACCOUNT_ISSUER=$4 # Create the Entra ID Application -export APPLICATION_NAME="${AKS_CLUSTER_NAME}-radius-app" +export APPLICATION_NAME="${K8S_CLUSTER_NAME}-radius-app" az ad app create --display-name "${APPLICATION_NAME}" # Get the client ID and object ID of the application @@ -105,9 +91,10 @@ az ad app federated-credential create --id "${APPLICATION_OBJECT_ID}" --paramete # Set the permissions for the application az ad sp create --id ${APPLICATION_CLIENT_ID} az role assignment create --assignee "${APPLICATION_CLIENT_ID}" --role "Owner" --scope "/subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${AZURE_RESOURCE_GROUP}" - ``` +Now that the setup is complete, you can now install Radius with Azure workload identity enabled. + ## Interactive configuration 1. Initialize a new environment with [`rad init --full`]({{< ref rad_init >}}): 
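Review bot: With the issuer now taken from `$4` (`export SERVICE_ACCOUNT_ISSUER=$4`) instead of being read from the cluster, nothing checks the value before it is written into three federated credentials; a typo or a trailing slash produces credentials that never match the cluster's service-account tokens and the only symptom is a token-exchange failure later. A one-line guard such as `case "$SERVICE_ACCOUNT_ISSUER" in https://*) ;; *) echo "issuer must be an https URL"; exit 1;; esac` would catch that up front. The usage line also still lists no parameter names after the argument count grew from 3 to 4 (`if [ "$#" -ne 4 ]`), so the new fourth positional argument is undocumented in the script itself; listing all four in the `echo "Usage: ..."` line, and linking the prerequisites bullet on the OIDC Issuer URL, would close that gap.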
From ad44d97c0df2f99923d136fdb174022aeed8e425 Mon Sep 17 00:00:00 2001 From: willdavsmith Date: Thu, 20 Jun 2024 15:59:34 -0700 Subject: [PATCH 05/15] edits Signed-off-by: willdavsmith --- .../providers/azure-provider/howto-azure-provider-wi/index.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md b/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md index 125ad13f0..9637fe09e 100644 --- a/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md +++ b/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md @@ -24,7 +24,9 @@ The Azure provider allows you to deploy and connect to Azure resources from a se ## Setup -To authorize Radius with Azure using Azure workload identity, you should set up an Entra ID Application with access to your resource group of choosing and 3 federated credentials (one for each of the Radius services). Below is an example script that will create an Entra ID Application and set up the federated credentials necessary for Radius to authenticate with Azure using Azure workload identity. +To authorize Radius with Azure using Azure workload identity, you should set up an Entra ID Application with access to your resource group of choosing and 3 federated credentials (one for each of the Radius services). The 3 federated credentials should be created with the Kubernetes ServiceAccounts for each of the Radius services (applications-rp, bicep-de, and ucp) and the OIDC Issuer for your Kubernetes cluster. + +Below is an example script that will create an Entra ID Application and set up the federated credentials necessary for Radius to authenticate with Azure using Azure workload identity. ### install-radius-azwi.sh ```sh From 86d0955a4b2388cf8f0419aa31762a79a48d00e8 Mon Sep 17 00:00:00 2001 
From: Reshma Abdul Rahim Date: Thu, 20 Jun 2024 19:19:24 -0400 Subject: [PATCH 06/15] Add dets Signed-off-by: Reshma Abdul Rahim --- .../howto-azure-provider-wi/index.md | 71 +------------------ .../snippets/install-radius-azwi.sh | 65 +++++++++++++++++ 2 files changed, 68 insertions(+), 68 deletions(-) create mode 100644 docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/snippets/install-radius-azwi.sh diff --git a/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md b/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md index 9637fe09e..6e4bcfaa1 100644 --- a/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md +++ b/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md 
@@ -22,78 +22,13 @@ The Azure provider allows you to deploy and connect to Azure resources from a se - You will need the cluster's OIDC Issuer URL. [AKS Example](https://azure.github.io/azure-workload-identity/docs/installation/managed-clusters.html#azure-kubernetes-service-aks) - [Azure AD Workload Identity](https://azure.github.io/azure-workload-identity/docs/installation.html) installed in your cluster, including the [Mutating Admission Webhook](https://azure.github.io/azure-workload-identity/docs/installation/mutating-admission-webhook.html) -## Setup +## Setup the Azure Workload Identity -To authorize Radius with Azure using Azure workload identity, you should set up an Entra ID Application with access to your resource group of choosing and 3 federated credentials (one for each of the Radius services). The 3 federated credentials should be created with the Kubernetes ServiceAccounts for each of the Radius services (applications-rp, bicep-de, and ucp) and the OIDC Issuer for your Kubernetes cluster. +To authorize Radius with Azure using Azure workload identity, you should set up an Entra ID Application with access to your resource group and 3 federated credentials (one for each of the Radius services). The 3 federated credentials should be created with the Kubernetes ServiceAccounts for each of the Radius services (applications-rp, bicep-de, and ucp) and the OIDC Issuer for your Kubernetes cluster. Below is an example script that will create an Entra ID Application and set up the federated credentials necessary for Radius to authenticate with Azure using Azure workload identity. 
-### install-radius-azwi.sh -```sh -if [ "$#" -ne 4 ]; then - echo "Usage: $0 " - exit 1 -fi - -export K8S_CLUSTER_NAME=$1 -export AZURE_RESOURCE_GROUP=$2 -export AZURE_SUBSCRIPTION_ID=$3 -export SERVICE_ACCOUNT_ISSUER=$4 - -# Create the Entra ID Application -export APPLICATION_NAME="${K8S_CLUSTER_NAME}-radius-app" -az ad app create --display-name "${APPLICATION_NAME}" - -# Get the client ID and object ID of the application -export APPLICATION_CLIENT_ID="$(az ad app list --display-name "${APPLICATION_NAME}" --query [].appId -o tsv)" -export APPLICATION_OBJECT_ID="$(az ad app show --id "${APPLICATION_CLIENT_ID}" --query id -otsv)" - -# Create the applications-rp federated credential for the application -cat < params-applications-rp.json -{ - "name": "radius-applications-rp", - "issuer": "${SERVICE_ACCOUNT_ISSUER}", - "subject": "system:serviceaccount:radius-system:applications-rp", - "description": "Kubernetes service account federated credential for applications-rp", - "audiences": [ - "api://AzureADTokenExchange" - ] -} -EOF -az ad app federated-credential create --id "${APPLICATION_OBJECT_ID}" --parameters @params-applications-rp.json - -# Create the bicep-de federated credential for the application -cat < params-bicep-de.json -{ - "name": "radius-bicep-de", - "issuer": "${SERVICE_ACCOUNT_ISSUER}", - "subject": "system:serviceaccount:radius-system:bicep-de", - "description": "Kubernetes service account federated credential for bicep-de", - "audiences": [ - "api://AzureADTokenExchange" - ] -} -EOF -az ad app federated-credential create --id "${APPLICATION_OBJECT_ID}" --parameters @params-bicep-de.json - -# Create the ucp federated credential for the application -cat < params-ucp.json -{ - "name": "radius-ucp", - "issuer": "${SERVICE_ACCOUNT_ISSUER}", - "subject": "system:serviceaccount:radius-system:ucp", - "description": "Kubernetes service account federated credential for ucp", - "audiences": [ - "api://AzureADTokenExchange" - ] -} -EOF -az ad app 
federated-credential create --id "${APPLICATION_OBJECT_ID}" --parameters @params-ucp.json - -# Set the permissions for the application -az ad sp create --id ${APPLICATION_CLIENT_ID} -az role assignment create --assignee "${APPLICATION_CLIENT_ID}" --role "Owner" --scope "/subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${AZURE_RESOURCE_GROUP}" -``` +{{< rad file="snippets/install-radius-azwi.sh" embed=true >}} Now that the setup is complete, you can now install Radius with Azure workload identity enabled. diff --git a/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/snippets/install-radius-azwi.sh b/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/snippets/install-radius-azwi.sh new file mode 100644 index 000000000..375b89897 --- /dev/null +++ b/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/snippets/install-radius-azwi.sh 
@@ -0,0 +1,65 @@ +```sh +if [ "$#" -ne 4 ]; then + echo "Usage: $0 " + exit 1 +fi + +export K8S_CLUSTER_NAME=$1 +export AZURE_RESOURCE_GROUP=$2 +export AZURE_SUBSCRIPTION_ID=$3 +export SERVICE_ACCOUNT_ISSUER=$4 + +# Create the Entra ID Application +export APPLICATION_NAME="${K8S_CLUSTER_NAME}-radius-app" +az ad app create --display-name "${APPLICATION_NAME}" + +# Get the client ID and object ID of the application +export APPLICATION_CLIENT_ID="$(az ad app list --display-name "${APPLICATION_NAME}" --query [].appId -o tsv)" +export APPLICATION_OBJECT_ID="$(az ad app show --id "${APPLICATION_CLIENT_ID}" --query id -otsv)" + +# Create the applications-rp federated credential for the application +cat < params-applications-rp.json +{ + "name": "radius-applications-rp", + "issuer": "${SERVICE_ACCOUNT_ISSUER}", + "subject": "system:serviceaccount:radius-system:applications-rp", + "description": "Kubernetes service account federated credential for applications-rp", + "audiences": [ + "api://AzureADTokenExchange" + ] +} +EOF +az ad app federated-credential create --id "${APPLICATION_OBJECT_ID}" --parameters @params-applications-rp.json + +# Create the bicep-de federated credential for the application +cat < params-bicep-de.json +{ + "name": "radius-bicep-de", + "issuer": "${SERVICE_ACCOUNT_ISSUER}", + "subject": "system:serviceaccount:radius-system:bicep-de", + "description": "Kubernetes service account federated credential for bicep-de", + "audiences": [ + "api://AzureADTokenExchange" + ] +} +EOF +az ad app federated-credential create --id "${APPLICATION_OBJECT_ID}" --parameters @params-bicep-de.json + +# Create the ucp federated credential for the application +cat < params-ucp.json +{ + "name": "radius-ucp", + "issuer": "${SERVICE_ACCOUNT_ISSUER}", + "subject": "system:serviceaccount:radius-system:ucp", + "description": "Kubernetes service account federated credential for ucp", + "audiences": [ + "api://AzureADTokenExchange" + ] +} +EOF +az ad app federated-credential 
create --id "${APPLICATION_OBJECT_ID}" --parameters @params-ucp.json + +# Set the permissions for the application +az ad sp create --id ${APPLICATION_CLIENT_ID} +az role assignment create --assignee "${APPLICATION_CLIENT_ID}" --role "Owner" --scope "/subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${AZURE_RESOURCE_GROUP}" +``` \ No newline at end of file From 49fee3752d48b022d7609c86ba192a909797b2c9 Mon Sep 17 00:00:00 2001 From: Reshma Abdul Rahim Date: Thu, 20 Jun 2024 19:20:29 -0400 Subject: [PATCH 07/15] Add dets Signed-off-by: Reshma Abdul Rahim --- .../providers/azure-provider/howto-azure-provider-wi/index.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md b/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md index 6e4bcfaa1..50e630b1b 100644 --- a/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md +++ b/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md @@ -69,7 +69,6 @@ Now that the setup is complete, you can now install Radius with Azure workload i ## Manual configuration - 1. Use [`rad install kubernetes`]({{< ref rad_install_kubernetes >}}) to install Radius with Azure workload identity enabled: ```bash From 4559d40ad42f6a26e6aa2cc3d0b964b7e4af00cb Mon Sep 17 00:00:00 2001 From: Reshma Abdul Rahim Date: Thu, 20 Jun 2024 19:24:29 -0400 Subject: [PATCH 08/15] Fix spelling errors Signed-off-by: Reshma Abdul Rahim --- .github/config/en-custom.txt | 2 ++ .../providers/azure-provider/howto-azure-provider-wi/index.md | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/config/en-custom.txt b/.github/config/en-custom.txt index 27ad311f0..00d876a6a 100644 --- a/.github/config/en-custom.txt +++ b/.github/config/en-custom.txt @@ -1245,3 +1245,5 @@ ProviderConfigProperties enableWebsockets websocket sp +azwi +Entra 
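Review bot: The new `snippets/install-radius-azwi.sh` starts with a ```sh fence line and ends with a ``` line, so it is not runnable as a shell script (the first line is not valid shell) and the `{{< rad file="snippets/install-radius-azwi.sh" embed=true >}}` shortcode will render the fence markers as part of the script; drop both fence lines from the `.sh` file and let the shortcode handle presentation. The `cat < params-*.json` lines also carry over unchanged from the earlier revision of the script and need the heredoc form (`cat <<EOF > params-*.json`) for the `EOF` terminators to apply, and the file ends with `\ No newline at end of file`, which is worth fixing while moving it.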
diff --git a/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md b/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md index 50e630b1b..3ccc1cf93 100644 --- a/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md +++ b/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md @@ -22,7 +22,7 @@ The Azure provider allows you to deploy and connect to Azure resources from a se - You will need the cluster's OIDC Issuer URL. [AKS Example](https://azure.github.io/azure-workload-identity/docs/installation/managed-clusters.html#azure-kubernetes-service-aks) - [Azure AD Workload Identity](https://azure.github.io/azure-workload-identity/docs/installation.html) installed in your cluster, including the [Mutating Admission Webhook](https://azure.github.io/azure-workload-identity/docs/installation/mutating-admission-webhook.html) -## Setup the Azure Workload Identity +## Setup the Azure Workload Identity for Radius To authorize Radius with Azure using Azure workload identity, you should set up an Entra ID Application with access to your resource group and 3 federated credentials (one for each of the Radius services). The 3 federated credentials should be created with the Kubernetes ServiceAccounts for each of the Radius services (applications-rp, bicep-de, and ucp) and the OIDC Issuer for your Kubernetes cluster. From b179092dde2f02e9fafcb77cd3989fbef8d06918 Mon Sep 17 00:00:00 2001 From: Reshma Abdul Rahim Date: Thu, 20 Jun 2024 19:37:01 -0400 Subject: [PATCH 09/15] Fix snippets visualization Signed-off-by: Reshma Abdul Rahim --- .../howto-azure-provider-wi/snippets/install-radius-azwi.sh | 2 -- 1 file changed, 2 deletions(-) 
diff --git a/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/snippets/install-radius-azwi.sh b/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/snippets/install-radius-azwi.sh index 375b89897..d501461ed 100644 --- a/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/snippets/install-radius-azwi.sh +++ b/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/snippets/install-radius-azwi.sh @@ -1,4 +1,3 @@ -```sh if [ "$#" -ne 4 ]; then echo "Usage: $0 " exit 1 @@ -62,4 +61,3 @@ az ad app federated-credential create --id "${APPLICATION_OBJECT_ID}" --paramete # Set the permissions for the application az ad sp create --id ${APPLICATION_CLIENT_ID} az role assignment create --assignee "${APPLICATION_CLIENT_ID}" --role "Owner" --scope "/subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${AZURE_RESOURCE_GROUP}" -``` \ No newline at end of file From c5bdfd17778975e66c92af3e27c11a98380d5c7c Mon Sep 17 00:00:00 2001 From: Reshma Abdul Rahim <61033581+Reshrahim@users.noreply.github.com> Date: Thu, 20 Jun 2024 19:40:00 -0400 Subject: [PATCH 10/15] Update docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md Signed-off-by: Reshma Abdul Rahim <61033581+Reshrahim@users.noreply.github.com> --- .../providers/azure-provider/howto-azure-provider-wi/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md b/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md index 3ccc1cf93..331434319 100644 --- a/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md +++ b/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md 
@@ -24,7 +24,7 @@ The Azure provider allows you to deploy and connect to Azure resources from a se ## Setup the Azure Workload Identity for Radius -To authorize Radius with Azure using Azure workload identity, you should set up an Entra ID Application with access to your resource group and 3 federated credentials (one for each of the Radius services). The 3 federated credentials should be created with the Kubernetes ServiceAccounts for each of the Radius services (applications-rp, bicep-de, and ucp) and the OIDC Issuer for your Kubernetes cluster. +To authorize Radius with Azure using Azure workload identity, you should set up an Entra ID Application with access to your resource group and 3 federated credentials (one for each of the Radius services). The 3 federated credentials should be created with the Kubernetes ServiceAccounts for each of the Radius services (applications-rp, bicep-de, and ucp) in the `radius-system` namespace and the OIDC Issuer for your Kubernetes cluster. Below is an example script that will create an Entra ID Application and set up the federated credentials necessary for Radius to authenticate with Azure using Azure workload identity. From df06693bb2be1a33fa94a111bee65b57109641ac Mon Sep 17 00:00:00 2001 From: Reshma Abdul Rahim <61033581+Reshrahim@users.noreply.github.com> Date: Thu, 20 Jun 2024 19:42:40 -0400 Subject: [PATCH 11/15] Update docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md Signed-off-by: Reshma Abdul Rahim <61033581+Reshrahim@users.noreply.github.com> --- .../providers/azure-provider/howto-azure-provider-wi/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md b/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md index 331434319..81edeeea3 100644 --- a/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md 
+++ b/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md @@ -24,7 +24,7 @@ The Azure provider allows you to deploy and connect to Azure resources from a se ## Setup the Azure Workload Identity for Radius -To authorize Radius with Azure using Azure workload identity, you should set up an Entra ID Application with access to your resource group and 3 federated credentials (one for each of the Radius services). The 3 federated credentials should be created with the Kubernetes ServiceAccounts for each of the Radius services (applications-rp, bicep-de, and ucp) in the `radius-system` namespace and the OIDC Issuer for your Kubernetes cluster. +To authorize Radius to connect to Azure using Azure workload identity, you should set up an Entra ID Application with access to your resource group and 3 federated credentials (one for each of the Radius services). The 3 federated credentials should be created with the Kubernetes ServiceAccounts for each of the Radius services (applications-rp, bicep-de, and ucp) in the `radius-system` namespace and the OIDC Issuer for your Kubernetes cluster. Below is an example script that will create an Entra ID Application and set up the federated credentials necessary for Radius to authenticate with Azure using Azure workload identity. From 55ff14ca6e9dd82569901f140c2ceccbef13920d Mon Sep 17 00:00:00 2001 From: Reshma Abdul Rahim <61033581+Reshrahim@users.noreply.github.com> Date: Fri, 21 Jun 2024 08:45:24 -0400 Subject: [PATCH 12/15] Update docs/content/guides/operations/providers/azure-provider/howto-azure-provider-sp/index.md Co-authored-by: Will <28876888+willtsai@users.noreply.github.com> Signed-off-by: Reshma Abdul Rahim <61033581+Reshrahim@users.noreply.github.com> --- .../providers/azure-provider/howto-azure-provider-sp/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-sp/index.md b/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-sp/index.md index 681afcf22..40e4d275d 100644 --- a/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-sp/index.md +++ b/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-sp/index.md @@ -31,7 +31,7 @@ The Azure provider allows you to deploy and connect to Azure resources from a se - **Namespace** - The Kubernetes namespace where your application containers and networking resources will be deployed (different than the Radius control-plane namespace, `radius-system`) - **Add an Azure provider** 1. Pick the subscription and resource group to deploy your Azure resources to - 2. Select the service principal option + 2. Select the "Service Principal" option 3. Run `az ad sp create-for-rbac` to create a Service Principal without a role assignment and obtain your `appId`, `displayName`, `password`, and `tenant` information. ``` From bacca37a90c94561000a201ec418e64cb6322df3 Mon Sep 17 00:00:00 2001 From: Reshma Abdul Rahim Date: Fri, 21 Jun 2024 09:14:48 -0400 Subject: [PATCH 13/15] Address feedback Signed-off-by: Reshma Abdul Rahim --- .../content/guides/author-apps/aws/howto-aws-resources/index.md | 2 +- .../providers/azure-provider/howto-azure-provider-wi/index.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/content/guides/author-apps/aws/howto-aws-resources/index.md b/docs/content/guides/author-apps/aws/howto-aws-resources/index.md index a4e9abf5b..ff3100364 100644 --- a/docs/content/guides/author-apps/aws/howto-aws-resources/index.md +++ b/docs/content/guides/author-apps/aws/howto-aws-resources/index.md 
@@ -49,7 +49,7 @@ Follow the prompts to install the [control plane services]({{< ref "/concepts/te - **Namespace** - When an application is deployed, this is the namespace where your containers and other Kubernetes resources will be run. By default, this will be in the `default` namespace. {{% alert title="💡 About namespaces" color="success" %}} When you initialize a Radius Kubernetes environment, Radius installs the control plane resources within the `radius-system` namespace in your cluster, separate from your applications. The namespace specified in this step will be used for your application deployments. {{% /alert %}} -- **Add AWS provider** - An [AWS cloud provider]({{< ref "/guides/operations/providers/aws-provider" >}}) allows you to deploy and manage AWS resources as part of your application. Follow the how-to guides to configure the AWS provider with the preferred identity. +- **Add AWS provider** - An [AWS cloud provider]({{< ref "/guides/operations/providers/aws-provider" >}}) allows you to deploy and manage AWS resources as part of your application. Follow the how-to guides to [configure the AWS provider]({{< ref "/guides/operations/providers/aws-provider/howto-aws-provider" >}}) with the preferred identity. - **Environment name** - The name of the environment to create. You can specify any name with lowercase letters, such as `myawsenv`. ## Step 3: Create a Bicep file to model AWS Simple Storage Service (S3) diff --git a/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md b/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md index 81edeeea3..71189b566 100644 --- a/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md +++ b/docs/content/guides/operations/providers/azure-provider/howto-azure-provider-wi/index.md 
@@ -28,7 +28,7 @@ To authorize Radius to connect to Azure using Azure workload identity, you shoul Below is an example script that will create an Entra ID Application and set up the federated credentials necessary for Radius to authenticate with Azure using Azure workload identity. -{{< rad file="snippets/install-radius-azwi.sh" embed=true >}} +{{< rad file="snippets/install-radius-azwi.sh" embed=true lang=bash >}} Now that the setup is complete, you can now install Radius with Azure workload identity enabled. From f646957f274fdf74c72a2468cf0cba47e836417b Mon Sep 17 00:00:00 2001 From: Reshma Abdul Rahim Date: Fri, 21 Jun 2024 12:07:55 -0400 Subject: [PATCH 14/15] Fix spelling Signed-off-by: Reshma Abdul Rahim --- .github/config/en-custom.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/config/en-custom.txt b/.github/config/en-custom.txt index 00d876a6a..5c55b907a 100644 --- a/.github/config/en-custom.txt +++ b/.github/config/en-custom.txt @@ -1247,3 +1247,4 @@ websocket sp azwi Entra +ServiceAccounts From f6ab833ea21e0a8fb441612e1e2b0df7388b2eee Mon Sep 17 00:00:00 2001 From: Reshma Abdul Rahim Date: Fri, 21 Jun 2024 12:21:58 -0400 Subject: [PATCH 15/15] Fix spelling Signed-off-by: Reshma Abdul Rahim --- .github/config/en-custom.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/config/en-custom.txt b/.github/config/en-custom.txt index 5c55b907a..6cea33d9e 100644 --- a/.github/config/en-custom.txt +++ b/.github/config/en-custom.txt @@ -1246,5 +1246,5 @@ enableWebsockets websocket sp azwi -Entra +Entra ServiceAccounts
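Review bot: In the last hunk the removed and added lines both read `Entra`, so the actual change is to something that does not render (trailing whitespace, a byte-order mark, or a non-ASCII look-alike character); since a reviewer cannot see the difference, the commit message should say which, and a quick `cat -A .github/config/en-custom.txt | grep Entra` before merging would confirm that the dictionary entry now matches what the spell checker sees in `index.md`. On the shortcode change, `lang=bash` is unquoted while `file="..."` is quoted in the same tag; Hugo accepts both, but quoting the value keeps the attribute style consistent.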