This charm can grant select permissions to instances of applications related to it which enable integration with Azure specific features, such as firewalls, load balancing, block storage, object storage, etc.
This charm acts as a proxy to Azure and provides an interface to apply a certain set of changes via roles, profiles, and tags to the instances of the applications that are related to this charm.
When on Azure, this charm can be deployed, granted trust via Juju to access Azure, and then related to an application that supports the interface. The set of permissions that the related application could request is documented in the interface's Requires API documentation.
For example, CDK has support for this, and can be deployed with the following bundle overlay:
applications: azure-integrator: charm: cs:~containers/azure-integrator num_units: 1 relations: - ['azure-integrator', 'kubernetes-master'] - ['azure-integrator', 'kubernetes-worker']
Then deploy CDK using this overlay:
juju deploy cs:canonical-kubernetes --overlay ./k8s-azure-overlay.yaml
The charm then needs to be granted access to credentials that it can use to setup integrations. Using Juju 2.4 or later, you can easily grant access to the credentials used deploy the integrator itself:
juju trust azure-integrator
To deploy with earlier versions of Juju, or if you wish to provide it different
credentials, you will need to provide the cloud credentials via the
charm config options.
Note: The credentials used must have rights to use the API to inspect the instances connecting to it, enable a Managed Service Identity (MSI) for those instances, assign roles to those instances, and create custom roles. This may be different from the access permissions that Juju itself requires.
Resource Usage Note
By relating to this charm, other charms can directly allocate resources, such as managed disks and load balancers, which could lead to cloud charges and count against quotas. Because these resources are not managed by Juju, they will not be automatically deleted when the models or applications are destroyed, nor will they show up in Juju's status or GUI. It is therefore up to the operator to manually delete these resources when they are no longer needed, using the Azure management website or API.
Following are some examples using Azure integration with CDK.
Creating a pod with a Disk Storage-backed volume
This script creates a busybox pod with a persistent volume claim backed by Azure's Disk Storage.
#!/bin/bash # create a storage class using the `kubernetes.io/azure-disk` provisioner kubectl create -f - <<EOY apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: name: azure-standard provisioner: kubernetes.io/azure-disk parameters: storageaccounttype: Standard_LRS kind: managed EOY # create a persistent volume claim using that storage class kubectl create -f - <<EOY kind: PersistentVolumeClaim apiVersion: v1 metadata: name: testclaim spec: accessModes: - ReadWriteOnce resources: requests: storage: 100Mi storageClassName: azure-standard EOY # create the busybox pod with a volume using that PVC: kubectl create -f - <<EOY apiVersion: v1 kind: Pod metadata: name: busybox namespace: default spec: containers: - image: busybox command: - sleep - "3600" imagePullPolicy: IfNotPresent name: busybox volumeMounts: - mountPath: "/pv" name: testvolume restartPolicy: Always volumes: - name: testvolume persistentVolumeClaim: claimName: testclaim EOY
Creating a service with an Azure load-balancer
The following script starts the hello-world pod behind an Azure-backed load-balancer.
#!/bin/bash kubectl run hello-world --replicas=5 --labels="run=load-balancer-example" --image=gcr.io/google-samples/node-hello:1.0 --port=8080 kubectl expose deployment hello-world --type=LoadBalancer --name=hello watch kubectl get svc -o wide --selector=run=load-balancer-example
- (string) The base64-encoded JSON credentials data, which must include the 'application-id', 'application-password', and the 'subscription-id'. These values can be retrieved from Juju using the 'credentials' command and extracting the value of the 'details' key for the appropriate credential. For example, using 'jq', replace '<credential-name>' in the following: juju credentials --format=json --show-secrets azure | jq '.["local-credentials"]["azure"]["cloud-credentials"]["<credential-name>"]["details"]' This can be used from bundles with 'include-base64://' (see https://jujucharms.com/docs/stable/charms-bundles#setting-charm-configurations-options-in-a-bundle), or from the command-line with 'juju config aws credentials="$(base64 /path/to/file)"'. This option will take precedence over the individual config options, if set. It is strongly recommended that you use 'juju trust' instead, if available. since config values can be read by anyone with read access to the model.
- (string) Space separated list of extra deb packages to install.
- (string) List of signing keys for install_sources package sources, per charmhelpers standard format (a yaml list of strings encoded as a string). The keys should be the full ASCII armoured GPG public keys. While GPG key ids are also supported and looked up on a keyserver, operators should be aware that this mechanism is insecure. null can be used if a standard package signing key is used that will already be installed on the machine, and for PPA sources where the package signing key is securely retrieved from Launchpad.
- - | -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.7 (GNU/Linux) mQENBFYxWIwBCADAKoZhZlJxGNGWzqV+1OG1xiQeoowKhssGAKvd+buXCGISZJwT LXZqIcIiLP7pqdcZWtE9bSc7yBY2MalDp9Liu0KekywQ6VVX1T72NPf5Ev6x6DLV 7aVWsCzUAF+eb7DC9fPuFLEdxmOEYoPjzrQ7cCnSV4JQxAqhU4T6OjbvRazGl3ag OeizPXmRljMtUUttHQZnRhtlzkmwIrUivbfFPD+fEoHJ1+uIdfOzZX8/oKHKLe2j H632kvsNzJFlROVvGLYAk2WRcLu+RjjggixhwiB+Mu/A8Tf4V6b+YppS44q8EvVr M+QvY7LNSOffSO6Slsy9oisGTdfE39nC7pVRABEBAAG0N01pY3Jvc29mdCAoUmVs ZWFzZSBzaWduaW5nKSA8Z3Bnc2VjdXJpdHlAbWljcm9zb2Z0LmNvbT6JATUEEwEC AB8FAlYxWIwCGwMGCwkIBwMCBBUCCAMDFgIBAh4BAheAAAoJEOs+lK2+EinPGpsH /32vKy29Hg51H9dfFJMx0/a/F+5vKeCeVqimvyTM04C+XENNuSbYZ3eRPHGHFLqe MNGxsfb7C7ZxEeW7J/vSzRgHxm7ZvESisUYRFq2sgkJ+HFERNrqfci45bdhmrUsy 7SWw9ybxdFOkuQoyKD3tBmiGfONQMlBaOMWdAsic965rvJsd5zYaZZFI1UwTkFXV KJt3bp3Ngn1vEYXwijGTa+FXz6GLHueJwF0I7ug34DgUkAFvAs8Hacr2DRYxL5RJ XdNgj4Jd2/g6T9InmWT0hASljur+dJnzNiNCkbn9KbX7J/qK1IbR8y560yRmFsU+ NdCFTW7wY0Fb1fWJ+/KTsC4= =J6gs -----END PGP PUBLIC KEY BLOCK-----
- (string) List of extra apt sources, per charm-helpers standard format (a yaml list of strings encoded as a string). Each source may be either a line that can be added directly to sources.list(5), or in the form ppa:<user>/<ppa-name> for adding Personal Package Archives, or a distribution component to enable.
- - deb https://packages.microsoft.com/repos/azure-cli/ xenial main
- (string) The status of service-affecting packages will be set to this value in the dpkg database. Valid values are "install" and "hold".
- (string) Map of roles to known roles, used to prevent the charm from creating roles. Space separated. Valid mappings are lb-manager=role,disk-manager=role,vm-reader=role
- (string) The resource group this charm is running in. Used to scope cluster roles to the resource group.
- (string) Vnet's subnet to be used by azure cloud-integration. This config must be set at deployment and cannot be changed later.
- (string) VnetName to be passed via cloud-integration. This config must be set at deployment and cannot be changed later.
- (string) Vnet's resource group to be passed via cloud-integration. This config must be set at deployment and cannot be changed later.
- (string) Default network sec group (NSG) to be used by azure cloud integration. This config must be set at deployment and cannot be changed later.