Azure Citadel
  • Blogs
  • ARM
  • Azure Arc
    • Overview
    • Azure Arc-enabled Servers
      • Prereqs
      • Scenario
      • Hack Overview
      • Azure Landing Zone
      • Arc Pilot resource group
      • Azure Monitoring Agent
      • Additional policy assignments
      • Access your on prem VMs
      • Create onboarding scripts
      • Onboarding using scripts
      • Inventory
      • Monitoring
      • SSH
      • Windows Admin Center
      • Governance
      • Custom Script Extension
      • Key Vault Extension
      • Managed Identity
    • Azure Arc-enabled Kubernetes
      • Prereqs
      • Background
      • Deploy Cluster
      • Connect to Arc
      • Enable GitOps
      • Deploy Application
      • Enable Azure AD
      • Enforce Policy
      • Enable Monitoring
      • Enable Azure Defender
      • Enable Data Services
      • Enable Application Delivery
    • Useful Links
  • Azure CLI
    • Install
    • Get started
    • JMESPATH queries
    • Integrate with Bash
  • Azure Landing Zones
    • Prereqs
    • Day 1
      • Azure Baristas
      • Day 1 Challenge
    • Day 2
      • Example
      • Day 2 Challenge
    • Day 3
      • Day 3 Challenge
    • Useful Links
  • Azure Policy
    • Azure Policy Basics
      • Policy Basics in the Azure Portal
      • Creating Policy via the CLI
      • Deploy If Not Exists
      • Management Groups and Initiatives
    • Creating Custom Policies
      • Customer scenario
      • Policy Aliases
      • Determine the logic
      • Create the custom policy
      • Define, assign and test
  • Azure Stack HCI
    • Overview
    • Useful Links
    • Updates from Microsoft Ignite 2022
  • Marketplace
    • Introduction
      • Terminology
      • Offer Types
    • Partner Center
    • Offer Type
    • Publish a VM Offer HOL
      • Getting Started
      • Create VM Image
      • Test VM Image
      • VM Offer with SIG
      • VM Offer with SAS
      • Publish Offer
    • Other VM Resources
    • Publish a Solution Template HOL
      • Getting Started
      • Create ARM Template
      • Validate ARM Template
      • Create UI Definition
      • Package Assets
      • Publish Offer
    • Publish a Managed App HOL
      • Getting Started
      • Create ARM Template
      • Validate ARM Template
      • Create UI Definition
      • Package Assets
      • Publish Offer
    • Managed Apps with AKS HOL
    • Other Managed App Resources
    • SaaS Offer HOLs
    • SaaS Offer Video Series
      • Video 1 - SaaS Offer Overview
      • Video 2 - Purchasing a SaaS Offer
      • Video 3 - Purchasing a Private SaaS Plan
      • Video 4 - Publishing a SaaS Offer
      • Video 5 - Publishing a Private SaaS Plan
      • Video 6 - SaaS Offer Technical Overview
      • Video 7 - Azure AD Application Registrations
      • Video 8 - Using the SaaS Offer REST Fulfillment API
      • Video 9 - The SaaS Client Library for .NET
      • Video 10 - Building a Simple SaaS Landing Page in .NET
      • Video 11 - Building a Simple SaaS Publisher Portal in .NET
      • Video 12 - SaaS Webhook Overview
      • Video 13 - Implementing a Simple SaaS Webhook in .NET
      • Video 14 - Securing a Simple SaaS Webhook in .NET
      • Video 15 - SaaS Metered Billing Overview
      • Video 16 - The SaaS Metered Billing API with REST
  • Microsoft Fabric
    • Theory
    • Prereqs
    • Fabric Capacity
    • Set up a Remote State
    • Create a repo from a GitHub template
    • Configure an app reg for development
    • Initial Terraform workflow
    • Expanding your config
    • Configure a workload identity
    • GitHub Actions for Microsoft Fabric
    • GitLab pipeline for Microsoft Fabric
  • Packer & Ansible
    • Packer
    • Ansible
    • Dynamic Inventories
    • Playbooks & Roles
    • Custom Roles
    • Shared Image Gallery
  • Partner
    • Lighthouse and Partner Admin Link
      • Microsoft Cloud Partner Program
      • Combining Lighthouse and PAL
      • Minimal Lighthouse definition
      • Using service principals
      • Privileged Identity Management
    • Useful Links
  • REST API
    • REST API theory
    • Using az rest
  • Setup
  • Terraform
    • Fundamentals
      • Initialise
      • Format
      • Validate
      • Plan
      • Apply
      • Adding resources
      • Locals and outputs
      • Managing state
      • Importing resources
      • Destroy
    • Working Environments for Terraform
      • Cloud Shell
      • macOS
      • Windows with PowerShell
      • Windows with Ubuntu in WSL2
    • Using AzAPI
      • Using the REST API
      • azapi_resource
      • Removing azapi_resource
      • azapi_update_resource
      • Data sources and outputs
      • Removing azapi_update_resource
  • Virtual Machines
    • Azure Bastion with native tools & AAD
    • Managed Identities
  • About
  • Archive
  1. Home
  2. Azure Arc
  3. Azure Arc-enabled Kubernetes
  4. Azure Arc for Kubernetes - proctor guides
  5. Master Cheat Sheet

Table of Contents

  • Cheat Sheet
  • Pre-reqs
  • Challenge 0
  • Challenge 1
  • Challenge 2
  • Challenge 3
  • Challenge 4
  • Challenge 5
  • Challenge 6

Master Cheat Sheet

Cheat Sheet

The steps to complete the Azure Arc for Kubernetes challenge

More details in each sub-section. This is designed to be run in one session from start to finish, if it’s not then some steps may not work due to expecting environment variables that were set previously.

This all takes place using Azure Cloud Shell with Bash and will run two unmanaged clusters in uksouth and westeurope

Pre-reqs

Virtual Machines should be < 6

# Query quota
az vm list-usage --location "UK South" -o table
az vm list-usage --location "West Europe" -o table

# Register Providers
az provider register --namespace Microsoft.Web
az provider register --namespace Microsoft.Kubernetes
az provider register --namespace Microsoft.KubernetesConfiguration
az provider register --namespace Microsoft.ExtendedLocation

Challenge 0

Create a new GitHub Organisation manually

https://docs.github.com/en/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch

Ensure you clone the newly created repository as that allows setting secrets

gh auth login
GITHUB_ORG=<set name of the organisation you created above>
gh repo create $GITHUB_ORG/arc-for-kubernetes \
    --description "Organisation for the Azure Arc for Kubernetes Hack" \
    -y \
    --public \
    --template azurecitadel/arc-for-kubernetes
cd arc-for-kubernetes

Challenge 1

Ignore warnings for existing application instances, role assignments, credential outputs and name property being deprecated. It should still just work.

MAIL=$(az ad signed-in-user show --query 'mail' -o tsv)
KEY_PATH=$HOME/.ssh/id_arc-for-kubernetes
ssh-keygen -t rsa -b 4096 -C "${MAIL}" -f $KEY_PATH
PUBLIC_KEY=$(cat $KEY_PATH.pub)
chmod 400 $KEY_PATH*

# Setup in Region

LOCATION=uksouth
RG_ID=$(az group create -n "arc4k8s-${LOCATION}" -l "${LOCATION}" -o tsv --query 'id')
AZURE_CREDENTIALS=$(az ad sp create-for-rbac --sdk-auth --role Owner --name http://arc4k8s-ghaction-$LOCATION --scopes $RG_ID)
gh secret set AZURE_CREDENTIALS_${LOCATION^^} -b"${AZURE_CREDENTIALS}"

# Deploy Cluster

gh workflow run 00-k3s-cluster.yml -f credentials=AZURE_CREDENTIALS_${LOCATION^^} -f adminPasswordOrKey="${PUBLIC_KEY}"

# Setup in Region

LOCATION=westeurope
RG_ID=$(az group create -n "arc4k8s-${LOCATION}" -l "${LOCATION}" -o tsv --query 'id')
AZURE_CREDENTIALS=$(az ad sp create-for-rbac --sdk-auth --role Owner --name http://arc4k8s-ghaction-$LOCATION --scopes $RG_ID)
gh secret set AZURE_CREDENTIALS_${LOCATION^^} -b"${AZURE_CREDENTIALS}"

# Deploy Cluster

gh workflow run 00-k3s-cluster.yml -f credentials=AZURE_CREDENTIALS_${LOCATION^^} -f adminPasswordOrKey="${PUBLIC_KEY}"

# Pull out all kubernetes contexts
FQDN=$(az network public-ip list -g arc4k8s-uksouth --query '[].dnsSettings.fqdn' -o tsv)
scp -i $KEY_PATH arcdemo@$FQDN:~/.kube/config ~/.kube/arc4k8s-uksouth.config
kubectl --kubeconfig ~/.kube/arc4k8s-uksouth.config get node
FQDN=$(az network public-ip list -g arc4k8s-westeurope --query '[].dnsSettings.fqdn' -o tsv)
scp -i $KEY_PATH arcdemo@$FQDN:~/.kube/config ~/.kube/arc4k8s-westeurope.config
kubectl --kubeconfig ~/.kube/arc4k8s-westeurope.config get node

Challenge 2

Connect to Arc

LOCATION=uksouth
RESOURCE_GROUP=arc4k8s-$LOCATION
az connectedk8s connect -n Arc-K3s-Demo -g $RESOURCE_GROUP --kube-config ~/.kube/$RESOURCE_GROUP.config

LOCATION=westeurope
RESOURCE_GROUP=arc4k8s-$LOCATION
az connectedk8s connect -n Arc-K3s-Demo -g $RESOURCE_GROUP --kube-config ~/.kube/$RESOURCE_GROUP.config

Challenge 3

Repository setup

cd .. # If you're in arc-for-kubernetes if you've been following along

gh repo create $GITHUB_ORG/arc-for-kubernetes-cluster-admin \
    --description "Cluster Administrator Repository for managing cluster-wide infrastructure" \
    --public \
    -y
cd arc-for-kubernetes-cluster-admin
cp ../arc-for-kubernetes/cluster-config/* . # copy manifests
sed -i "s/REPLACE_WITH_YOUR_EMAIL_ADDRESS/${MAIL}/" cluster-issuer.yaml

git config --global user.email "${MAIL}"
git config --global user.name "$(az ad signed-in-user show --query 'displayName' -o tsv)"
git add .
git commit -m "first commit from cluster administrator"
git branch -M main
git push -u origin main

cd ..

LOCATION=uksouth
RESOURCE_GROUP=arc4k8s-$LOCATION
gh repo create $GITHUB_ORG/apps-$RESOURCE_GROUP \
    --description "App developer repository for $RESOURCE_GROUP" \
    --public \
    -y
cd apps-$RESOURCE_GROUP
curl -o podinfo.yaml https://gist.githubusercontent.com/bricef/b7a3285007874b4cb9fa59c2a59b8674/raw/a0cd969ca2120264dc707f83c147ce6f3bc88434/podinfo.yaml
sed -i "s/namespace: dev/namespace: app-dev-arc/" podinfo.yaml
git add .
git commit -m "Added podinfo"
git branch -M main
git push -u origin main
cd ..

LOCATION=westeurope
RESOURCE_GROUP=arc4k8s-$LOCATION
gh repo create $GITHUB_ORG/apps-$RESOURCE_GROUP \
    --description "App developer repository for $RESOURCE_GROUP" \
    --public \
    -y
cd apps-$RESOURCE_GROUP
curl -o podinfo.yaml https://gist.githubusercontent.com/bricef/b7a3285007874b4cb9fa59c2a59b8674/raw/a0cd969ca2120264dc707f83c147ce6f3bc88434/podinfo.yaml
sed -i "s/namespace: dev/namespace: app-dev-arc/" podinfo.yaml
git add .
git commit -m "Added podinfo"
git branch -M main
git push -u origin main
cd ..


# Connect it all to Arc
LOCATION=uksouth
RESOURCE_GROUP=arc4k8s-$LOCATION
az k8s-configuration create \
    --name cluster-config \
    --cluster-name Arc-K3s-Demo \
    --resource-group $RESOURCE_GROUP \
    --operator-instance-name cluster-config \
    --operator-namespace cluster-config \
    --operator-params='--git-readonly --sync-garbage-collection --git-branch=main' \
    --repository-url https://github.com/$GITHUB_ORG/arc-for-kubernetes-cluster-admin \
    --scope cluster \
    --cluster-type connectedClusters

az k8s-configuration create \
    -n arc-for-k8s-app \
    -c Arc-K3s-Demo \
    -g $RESOURCE_GROUP \
    --operator-namespace app-dev-arc \
    --operator-params='--git-readonly --sync-garbage-collection --git-branch=main' \
    --repository-url https://github.com/$GITHUB_ORG/apps-$RESOURCE_GROUP \
    --scope namespace \
    --cluster-type connectedClusters


LOCATION=westeurope
RESOURCE_GROUP=arc4k8s-$LOCATION
az k8s-configuration create \
    --name cluster-config \
    --cluster-name Arc-K3s-Demo \
    --resource-group $RESOURCE_GROUP \
    --operator-instance-name cluster-config \
    --operator-namespace cluster-config \
    --operator-params='--git-readonly --sync-garbage-collection --git-branch=main' \
    --repository-url https://github.com/$GITHUB_ORG/arc-for-kubernetes-cluster-admin \
    --scope cluster \
    --cluster-type connectedClusters

az k8s-configuration create \
    -n arc-for-k8s-app \
    -c Arc-K3s-Demo \
    -g $RESOURCE_GROUP \
    --operator-namespace app-dev-arc \
    --operator-params='--git-readonly --sync-garbage-collection --git-branch=main' \
    --repository-url https://github.com/$GITHUB_ORG/apps-$RESOURCE_GROUP \
    --scope namespace \
    --cluster-type connectedClusters

Challenge 4

Deploy app and infra. This reuqires some Manual Steps after deploying the infrastructure

cd ../arc-for-kubernetes

DBA_OBJECT_ID=$(az ad signed-in-user show --query 'objectId' -o tsv)

# Register Application
SUFFIX=$RANDOM
APP=$(az ad app create --display-name="Item Reviewer $SUFFIX" --available-to-other-tenants=true)
APP_ID=$(echo $APP | jq -r .appId)
OBJECT_ID=$(echo $APP | jq -r .objectId)

# Update requestedAccessTokenVersion to v2, add SPA reply urls and set application URI
# you should add on more hosts into the `redirectUris` array that correspond to your hosts
REDIRECT_URIS=$(az network public-ip list --query "[?name=='Arc-K3s-Demo-PIP'].join('', ['https://', dnsSettings.fqdn])" -o json)

az rest \
    --method PATCH \
    --headers "Content-Type=application/json" \
    --uri "https://graph.microsoft.com/v1.0/applications/${OBJECT_ID}" \
    --body "{\"api\":{\"requestedAccessTokenVersion\":2}, \"identifierUris\":[\"api://${APP_ID}\"], \"spa\":{\"redirectUris\":$REDIRECT_URIS}}"

LOCATION=uksouth
gh workflow run 01-app-infra.yml -f credentials=AZURE_CREDENTIALS_${LOCATION^^} -f aad_admin_objectid="${DBA_OBJECT_ID}" -f app_id="${APP_ID}"


LOCATION=westeurope
gh workflow run 01-app-infra.yml -f credentials=AZURE_CREDENTIALS_${LOCATION^^} -f aad_admin_objectid="${DBA_OBJECT_ID}" -f app_id="${APP_ID}"

# Fill these in manually
UKSOUTH_RUN_ID=1098617734
WESTEUROPE_RUN_ID=1098632122

gh run download $UKSOUTH_RUN_ID -n "App Manifest Bundle"
mv baked-template*.yaml ../apps-arc4k8s-uksouth/
cd ../apps-arc4k8s-uksouth/
git add .
git commit -m "Added from run $UKSOUTH_RUN_ID"
git branch -M main
git push -u origin main
cd -

gh run download $WESTEUROPE_RUN_ID -n "App Manifest Bundle"
mv baked-template*.yaml ../apps-arc4k8s-westeurope/
cd ../apps-arc4k8s-westeurope/
git add .
git commit -m "Added from run $WESTEUROPE_RUN_ID"
git branch -M main
git push -u origin main

Follow the Steps here to allow access to SQL Server and deploy the database schema

  • https://github.com/azurecitadel/arc-for-kubernetes/tree/main/01-app-setup#4-create-sql-schema

Challenge 5

Enable Azure AD + Discussion

Challenge 6

Azure Arc for Kubernetes - proctor guides Master Cheat Sheet Deploy Cluster