Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add documentation for Azure workload identity #1138

Merged
merged 17 commits into from
Jun 21, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions .github/config/en-custom.txt
Original file line number Diff line number Diff line change
Expand Up @@ -1245,3 +1245,6 @@ ProviderConfigProperties
enableWebsockets
websocket
sp
azwi
Entra
ServiceAccounts
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,7 @@ Follow the prompts to install the [control plane services]({{< ref "/concepts/te
- **Namespace** - When an application is deployed, this is the namespace where your containers and other Kubernetes resources will be run. By default, this will be in the `default` namespace.
{{% alert title="💡 About namespaces" color="success" %}} When you initialize a Radius Kubernetes environment, Radius installs the control plane resources within the `radius-system` namespace in your cluster, separate from your applications. The namespace specified in this step will be used for your application deployments.
{{% /alert %}}
- **Add AWS provider** - An [AWS cloud provider]({{< ref "/guides/operations/providers/howto-aws-provider" >}}) allows you to deploy and manage AWS resources as part of your application. Enter 'y' and follow the instructions. Provide a valid AWS region and the values obtained for IAM Access Key ID and IAM Secret Access Keys.
- **Add AWS provider** - An [AWS cloud provider]({{< ref "/guides/operations/providers/aws-provider" >}}) allows you to deploy and manage AWS resources as part of your application. Follow the how-to guides to [configure the AWS provider]({{< ref "/guides/operations/providers/aws-provider/howto-aws-provider" >}}) with the preferred identity.
- **Environment name** - The name of the environment to create. You can specify any name with lowercase letters, such as `myawsenv`.

## Step 3: Create a Bicep file to model AWS Simple Storage Service (S3)
Expand Down
2 changes: 1 addition & 1 deletion docs/content/guides/author-apps/aws/overview/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ Radius uses the [AWS Cloud Control API](https://docs.aws.amazon.com/cloudcontrol

## Configure an AWS Provider

The AWS provider allows you to deploy and connect to AWS resources from a Radius Environment on an EKS cluster. To configure an AWS provider, you can follow the documentation [here]({{< ref "/guides/operations/providers/howto-aws-provider" >}}).
The AWS provider allows you to deploy and connect to AWS resources from a Radius Environment on an EKS cluster. To configure an AWS provider, you can follow the documentation [here]({{< ref "/guides/operations/providers/aws-provider" >}}).

## Example

Expand Down
2 changes: 1 addition & 1 deletion docs/content/guides/author-apps/azure/overview/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ Radius Applications are able to connect to and leverage every Azure resource wit

## Configure an Azure Provider

The Azure provider allows you to deploy and connect to Azure resources from a Radius Environment on any of the [supported clusters]({{< ref "/guides/operations/kubernetes/overview#supported-clusters" >}}). To configure an Azure provider, you can follow the documentation [here]({{< ref "/guides/operations/providers/howto-azure-provider" >}}).
The Azure provider allows you to deploy and connect to Azure resources from a Radius Environment on any of the [supported clusters]({{< ref "/guides/operations/kubernetes/overview#supported-clusters" >}}). To configure an Azure provider, you can follow the documentation [here]({{< ref "/guides/operations/providers/azure-provider" >}}).

## Resource library

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -83,8 +83,8 @@ Radius Environments can be setup with the rad CLI via two paths: interactive or

1. Follow the prompts, specifying:
- **Namespace** - The Kubernetes namespace where your application containers and networking resources will be deployed (different than the Radius control-plane namespace, `radius-system`)
- **Azure provider** (optional) - Allows you to [deploy and manage Azure resources]({{< ref "/guides/operations/providers/howto-azure-provider" >}})
- **AWS provider** (optional) - Allows you to [deploy and manage AWS resources]({{< ref "/guides/operations/providers/howto-aws-provider" >}})
- **Azure provider** (optional) - Allows you to [deploy and manage Azure resources]({{< ref "/guides/operations/providers/azure-provider" >}})
- **AWS provider** (optional) - Allows you to [deploy and manage AWS resources]({{< ref "/guides/operations/providers/aws-provider" >}})
- **Environment name** - The name of the environment to create

You should see the following output:
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
---
type: docs
title: "AWS provider"
linkTitle: "AWS provider"
description: "Deploy and connect to AWS resources"
weight: 300
---
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
---
type: docs
title: "How-To: Configure the AWS cloud provider"
linkTitle: "Configure AWS provider"
description: "Learn how to configure the AWS provider for your Radius Environment"
title: "How-To: Configure the AWS cloud provider with IAM Access key"
linkTitle: "AWS provider with IAM Access key"
description: "Learn how to configure the AWS provider with IAM Access key for your Radius Environment"
weight: 300
categories: "How-To"
tags: ["AWS"]
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
---
type: docs
title: "Azure provider"
linkTitle: "Azure providers"
description: "Deploy and connect to Azure resources"
weight: 200
---
Original file line number Diff line number Diff line change
@@ -1,9 +1,9 @@
---
type: docs
title: "How-To: Configure the Azure cloud provider"
linkTitle: "Configure Azure provider"
description: "Learn how to configure the Azure provider for your Radius Environment"
weight: 200
title: "How-To: Configure the Azure cloud provider with Service Principal"
linkTitle: "Azure provider with Service Principal"
description: "Learn how to configure the Azure provider with Service Principal for your Radius Environment"
weight: 100
categories: "How-To"
tags: ["Azure"]
---
Expand All @@ -29,8 +29,10 @@ The Azure provider allows you to deploy and connect to Azure resources from a se

1. Follow the prompts, specifying:
- **Namespace** - The Kubernetes namespace where your application containers and networking resources will be deployed (different than the Radius control-plane namespace, `radius-system`)
- **Add an Azure provider** - Pick the subscription and resource group to deploy your Azure resources to
Run `az ad sp create-for-rbac` to create a Service Principal without a role assignment and obtain your `appId`, `displayName`, `password`, and `tenant` information.
- **Add an Azure provider**
1. Pick the subscription and resource group to deploy your Azure resources to
2. Select the "Service Principal" option
3. Run `az ad sp create-for-rbac` to create a Service Principal without a role assignment and obtain your `appId`, `displayName`, `password`, and `tenant` information.

```
{
Expand Down Expand Up @@ -85,7 +87,7 @@ The Azure provider allows you to deploy and connect to Azure resources from a se
1. Use [`rad credential register azure`]({{< ref rad_credential_register_azure >}}) to add the Azure service principal to your Radius installation:

```bash
rad credential register azure --client-id myClientId --client-secret myClientSecret --tenant-id myTenantId
rad credential register azure sp --client-id myClientId --client-secret myClientSecret --tenant-id myTenantId
```

Radius will use the provided service principal for all interactions with Azure, including Bicep and Recipe deployments.
Original file line number Diff line number Diff line change
@@ -0,0 +1,97 @@
---
type: docs
title: "How-To: Configure the Azure cloud provider with Azure workload identity"
linkTitle: "Azure provider with Workload identity"
description: "Learn how to configure the Azure provider with Azure workload identity for your Radius Environment"
weight: 200
categories: "How-To"
tags: ["Azure"]
---

The Azure provider allows you to deploy and connect to Azure resources from a self-hosted Radius Environment. It can be configured:

- [Interactively via `rad init`](#interactive-configuration)
- [Manually via `rad env update` and `rad credential register`](#manual-configuration)

## Prerequisites

- [Azure subscription](https://azure.com)
- [az CLI](https://aka.ms/azcli)
- [rad CLI]({{< ref "installation#step-1-install-the-rad-cli" >}})
- [Setup a supported Kubernetes cluster]({{< ref "/guides/operations/kubernetes/overview#supported-clusters" >}})
- You will need the cluster's OIDC Issuer URL. [AKS Example](https://azure.github.io/azure-workload-identity/docs/installation/managed-clusters.html#azure-kubernetes-service-aks)
- [Azure AD Workload Identity](https://azure.github.io/azure-workload-identity/docs/installation.html) installed in your cluster, including the [Mutating Admission Webhook](https://azure.github.io/azure-workload-identity/docs/installation/mutating-admission-webhook.html)

## Setup the Azure Workload Identity for Radius

To authorize Radius to connect to Azure using Azure workload identity, you should set up an Entra ID Application with access to your resource group and 3 federated credentials (one for each of the Radius services). The 3 federated credentials should be created with the Kubernetes ServiceAccounts for each of the Radius services (applications-rp, bicep-de, and ucp) in the `radius-system` namespace and the OIDC Issuer for your Kubernetes cluster.

Below is an example script that will create an Entra ID Application and set up the federated credentials necessary for Radius to authenticate with Azure using Azure workload identity.

{{< rad file="snippets/install-radius-azwi.sh" embed=true lang=bash >}}

Now that the setup is complete, you can now install Radius with Azure workload identity enabled.

## Interactive configuration

1. Initialize a new environment with [`rad init --full`]({{< ref rad_init >}}):
Reshrahim marked this conversation as resolved.
Show resolved Hide resolved

```bash
rad init --full
```

1. Follow the prompts, specifying:
- **Namespace** - The Kubernetes namespace where your application containers and networking resources will be deployed (different than the Radius control-plane namespace, `radius-system`)
- **Add an Azure provider**
1. Pick the subscription and resource group to deploy your Azure resources to.
2. Select the "Workload Identity" option
3. Enter the `appId` and the `tenantID` of the Entra ID Application
- **Environment name** - The name of the environment to create

You should see the following output:

```
Initializing Radius...

✅ Install Radius {{< param version >}}
- Kubernetes cluster: k3d-k3s-default
- Kubernetes namespace: radius-system
- Azure credential: WorkloadIdentity
- Client ID: **********
✅ Create new environment default
- Kubernetes namespace: default
- Azure: subscription ***** and resource group ***
✅ Scaffold application samples
✅ Update local configuration

Initialization complete! Have a RAD time 😎
```

## Manual configuration

1. Use [`rad install kubernetes`]({{< ref rad_install_kubernetes >}}) to install Radius with Azure workload identity enabled:

```bash
rad install kubernetes --set global.azureWorkloadIdentity.enabled=true
```

1. Create your resource group and environment:

```bash
rad group create default
rad env create default
```

1. Use [`rad env update`]({{< ref rad_env_update >}}) to update your Radius Environment with your Azure subscription ID and Azure resource group:

```bash
rad env update myEnvironment --azure-subscription-id myAzureSubscriptionId --azure-resource-group myAzureResourceGroup
```

1. Use [`rad credential register azure wi`]({{< ref rad_credential_register_azure_wi >}}) to add the Azure workload identity credentials:

```bash
rad credential register azure wi --client-id myClientId --tenant-id myTenantId
```

Radius will use the provided client-id for all interactions with Azure, including Bicep and Recipe deployments.
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
if [ "$#" -ne 4 ]; then
echo "Usage: $0 <K8S_CLUSTER_NAME> <AZURE_RESOURCE_GROUP> <AZURE_SUBSCRIPTION_ID> <OIDC_ISSUER_URL>"
exit 1
fi

export K8S_CLUSTER_NAME=$1
export AZURE_RESOURCE_GROUP=$2
export AZURE_SUBSCRIPTION_ID=$3
export SERVICE_ACCOUNT_ISSUER=$4

# Create the Entra ID Application
export APPLICATION_NAME="${K8S_CLUSTER_NAME}-radius-app"
az ad app create --display-name "${APPLICATION_NAME}"

# Get the client ID and object ID of the application
export APPLICATION_CLIENT_ID="$(az ad app list --display-name "${APPLICATION_NAME}" --query [].appId -o tsv)"
export APPLICATION_OBJECT_ID="$(az ad app show --id "${APPLICATION_CLIENT_ID}" --query id -otsv)"

# Create the applications-rp federated credential for the application
cat <<EOF > params-applications-rp.json
{
"name": "radius-applications-rp",
"issuer": "${SERVICE_ACCOUNT_ISSUER}",
"subject": "system:serviceaccount:radius-system:applications-rp",
"description": "Kubernetes service account federated credential for applications-rp",
"audiences": [
"api://AzureADTokenExchange"
]
}
EOF
az ad app federated-credential create --id "${APPLICATION_OBJECT_ID}" --parameters @params-applications-rp.json

# Create the bicep-de federated credential for the application
cat <<EOF > params-bicep-de.json
{
"name": "radius-bicep-de",
"issuer": "${SERVICE_ACCOUNT_ISSUER}",
"subject": "system:serviceaccount:radius-system:bicep-de",
"description": "Kubernetes service account federated credential for bicep-de",
"audiences": [
"api://AzureADTokenExchange"
]
}
EOF
az ad app federated-credential create --id "${APPLICATION_OBJECT_ID}" --parameters @params-bicep-de.json

# Create the ucp federated credential for the application
cat <<EOF > params-ucp.json
{
"name": "radius-ucp",
"issuer": "${SERVICE_ACCOUNT_ISSUER}",
"subject": "system:serviceaccount:radius-system:ucp",
"description": "Kubernetes service account federated credential for ucp",
"audiences": [
"api://AzureADTokenExchange"
]
}
EOF
az ad app federated-credential create --id "${APPLICATION_OBJECT_ID}" --parameters @params-ucp.json

# Set the permissions for the application
az ad sp create --id ${APPLICATION_CLIENT_ID}
az role assignment create --assignee "${APPLICATION_CLIENT_ID}" --role "Owner" --scope "/subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${AZURE_RESOURCE_GROUP}"
11 changes: 6 additions & 5 deletions docs/content/guides/operations/providers/overview/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -12,9 +12,10 @@ Radius cloud providers allow you to deploy and connect to cloud resources across

{{< image src="providers-overview.png" alt="Diagram of cloud resources getting forwarded to cloud platforms upon deployment" width="800px" >}}

## Supported cloud providers
## Supported cloud providers and identities

| Provider | Description |
|----------|-------------|
| [Microsoft Azure]({{< ref howto-azure-provider >}}) | Deploy and connect to Azure resources |
| [Amazon Web Services]({{< ref howto-aws-provider >}}) | Deploy and connect to AWS resources |
| Provider | Identity | Description |
|----------|----------|-------------|
| [Microsoft Azure]({{< ref azure-provider >}}) | [Service Principal](https://learn.microsoft.com/en-us/entra/identity-platform/app-objects-and-service-principals?tabs=browser) | Deploy and connect to Azure resources using Service Principal |
| | [Workload Identity](https://learn.microsoft.com/en-us/entra/workload-id/workload-identities-overview) | Deploy and connect to Azure resources using Workload Identity |
| [Amazon Web Services]({{< ref aws-provider >}}) | [IAM access Key](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) | Deploy and connect to AWS resources using IAM Access Key |
4 changes: 2 additions & 2 deletions docs/content/tutorials/tutorial-recipe/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -154,7 +154,7 @@ This step requires an Azure subscription or an AWS account to deploy cloud resou
```
1. Manually add the Azure cloud provider to your Radius Environment

Follow the steps [here]({{< ref "howto-azure-provider#manual-configuration" >}}) to add the Azure cloud provider to your existing environment.
Follow the how-to-guides [here]({{< ref "azure-provider" >}}) to add the Azure cloud provider to your existing environment.

1. Register the Recipe to your Radius Environment:

Expand Down Expand Up @@ -229,7 +229,7 @@ This step requires an Azure subscription or an AWS account to deploy cloud resou

1. Manually add the AWS cloud provider to your Radius Environment

Follow the steps [here]({{< ref "howto-aws-provider#manual-configuration" >}}) to add the AWS cloud provider to your existing environment
Follow the steps [here]({{< ref "aws-provider" >}}) to add the AWS cloud provider to your existing environment

1. Register the Recipe to your Radius Environment:

Expand Down
Loading