Preparing to Deploy Clusters to Microsoft Azure ¶
This topic explains how to prepare your environment before you deploy a management cluster on Microsoft Azure.
General Requirements ¶
Ensure Tanzu Community Edition is installed locally on your bootstrap machine. See Install the Tanzu CLI.
Ensure the Azure CLI is installed locally. See Install the Azure CLI in the Microsoft Azure documentation.
Your Microsoft Azure account should meet the permissions and requirements described in the Microsoft Azure account topic.
Register Tanzu Community Edition as an Azure Client App. The full procedure is provided below: Register Tanzu Community Edition as a Microsoft Azure Client App.
Accept the Base Image License. The full procedure is provided below: Accept the Base Image License.
If you plan to use an existing VNET, see the Network Security Groups on Microsoft Azure topic for guidelines.
(Optional) Create an SSH keypair. The full procedure is described below: Create an SSH Key Pair.
(Optional) For information about the configurations of the different sizes of node instances for Microsoft Azure, for example, Standard_D2s_v3 or Standard_D4s_v3, see Sizes for virtual machines in Azure in the Microsoft Azure documentation.
Register Tanzu Community Edition as a Microsoft Azure Client App ¶
Tanzu Community Edition manages Microsoft Azure resources as a registered client application that accesses Azure through a service principal account. The following steps register your Tanzu Community Edition application with Microsoft Azure Active Directory, create its account, create a client secret for authenticating communications, and record information needed later to deploy a management cluster.
Log in to the Azure Portal.
Record your Tenant ID by hovering over your account name at upper-right, or else browse to Azure Active Directory > <Your Azure Org> > Properties > Tenant ID. The value is a GUID, for example
Browse to Active Directory > App registrations and click + New registration.
Enter a display name for the app, such as
tce, and select who else can use it. You can leave the Redirect URI (optional) field blank.
Click Register. This registers the application with an Microsoft Azure service principal account as described in How to: Use the portal to create an Azure AD application and service principal that can access resources in the Microsoft Azure documentation.
An overview pane for the app appears. Record its Application (client) ID value, which is a GUID.
From the Microsoft Azure Portal, browse to Subscriptions. At the bottom of the pane, select one of the subscriptions you have access to, and record its Subscription ID. Click the subscription listing to open its overview pane.
Select to Access control (IAM) and click Add a role assignment.
In the Add role assignment pane
- Select the Owner role
- Leave Assign access to selection as “Azure AD user, group, or service principal”
- Under Select enter the name of your app,
tce. It appears underneath under Selected Members
Click Save. A popup appears confirming that your app was added as an owner for your subscription.
From the Microsoft Azure Portal > Azure Active Directory > App Registrations, select your
tceapp under Owned applications. The app overview pane opens.
From Certificates & secrets > Client secrets click + New client secret.
In the Add a client secret popup, enter a Description, choose an expiration period, and click Add.
The new secret is listed with its generated value under Client Secrets. Record the value.
Accept the Base Image License ¶
To run management cluster VMs on Microsoft Azure, accept the license for their base Kubernetes version and machine OS.
Sign in to the Azure CLI as your
az login --service-principal --username AZURE_CLIENT_ID --password AZURE_CLIENT_SECRET --tenant AZURE_TENANT_ID
tceapp’s client ID and secret and your tenant ID, as recorded in Register Tanzu Community Edition as an Azure Client App.
az vm image terms acceptcommand, specifying the
--planand your Subscription ID.
In Tanzu Community Edition 0.11.0, the default cluster image
k8s-1dot21dot5-ubuntu-2004, based on Kubernetes version 1.21 and the machine OS, Ubuntu 20.04. Run the following command:
az vm image terms accept --publisher vmware-inc --offer tkg-capi --plan k8s-1dot21dot5-ubuntu-2004 --subscription AZURE_SUBSCRIPTION_ID
AZURE_SUBSCRIPTION_IDis your Azure subscription ID.
You must repeat this to accept the base image license for every version of Kubernetes or OS that you want to use when you deploy clusters, and every time that you upgrade to a new version of Tanzu Community Edition.
Create an SSH Key Pair (Optional) ¶
You will need OpenSSL installed locally, to create a new keypair or validate the download package thumbprint. See OpenSSL.
You deploy management clusters from a machine referred to as the bootstrap machine, using the Tanzu CLI.
To connect to Microsoft Azure, the bootstrap machine must provide the public key part of an SSH key pair. If your bootstrap machine does not already have an SSH key pair, you can use a tool such as
ssh-keygen to generate one.
On your bootstrap machine, run the following
ssh-keygen -t rsa -b 4096 -C "email@example.com"
At the prompt
Enter file in which to save the key (/root/.ssh/id_rsa):press Enter to accept the default.
Enter and repeat a password for the key pair.
Add the private key to the SSH agent running on your machine, and enter the password you created in the previous step.
Open the file
.ssh/id_rsa.pubin a text editor so that you can easily copy and paste it when you deploy a management cluster.