Azure Citadel
  • Blogs
  • ARM
  • Azure Arc
    • Overview
    • Azure Arc-enabled Servers
      • Prereqs
      • Scenario
      • Hack Overview
      • Azure Landing Zone
      • Arc Pilot resource group
      • Azure Monitoring Agent
      • Additional policy assignments
      • Access your on prem VMs
      • Create onboarding scripts
      • Onboarding using scripts
      • Inventory
      • Monitoring
      • SSH
      • Windows Admin Center
      • Governance
      • Custom Script Extension
      • Key Vault Extension
      • Managed Identity
    • Azure Arc-enabled Kubernetes
      • Prereqs
      • Background
      • Deploy Cluster
      • Connect to Arc
      • Enable GitOps
      • Deploy Application
      • Enable Azure AD
      • Enforce Policy
      • Enable Monitoring
      • Enable Azure Defender
      • Enable Data Services
      • Enable Application Delivery
    • Useful Links
  • Azure CLI
    • Install
    • Get started
    • JMESPATH queries
    • Integrate with Bash
  • Azure Landing Zones
    • Prereqs
    • Day 1
      • Azure Baristas
      • Day 1 Challenge
    • Day 2
      • Example
      • Day 2 Challenge
    • Day 3
      • Day 3 Challenge
    • Useful Links
  • Azure Policy
    • Azure Policy Basics
      • Policy Basics in the Azure Portal
      • Creating Policy via the CLI
      • Deploy If Not Exists
      • Management Groups and Initiatives
    • Creating Custom Policies
      • Customer scenario
      • Policy Aliases
      • Determine the logic
      • Create the custom policy
      • Define, assign and test
  • Azure Stack HCI
    • Overview
    • Useful Links
    • Updates from Microsoft Ignite 2022
  • Marketplace
    • Introduction
      • Terminology
      • Offer Types
    • Partner Center
    • Offer Type
    • Publish a VM Offer HOL
      • Getting Started
      • Create VM Image
      • Test VM Image
      • VM Offer with SIG
      • VM Offer with SAS
      • Publish Offer
    • Other VM Resources
    • Publish a Solution Template HOL
      • Getting Started
      • Create ARM Template
      • Validate ARM Template
      • Create UI Definition
      • Package Assets
      • Publish Offer
    • Publish a Managed App HOL
      • Getting Started
      • Create ARM Template
      • Validate ARM Template
      • Create UI Definition
      • Package Assets
      • Publish Offer
    • Managed Apps with AKS HOL
    • Other Managed App Resources
    • SaaS Offer HOLs
    • SaaS Offer Video Series
      • Video 1 - SaaS Offer Overview
      • Video 2 - Purchasing a SaaS Offer
      • Video 3 - Purchasing a Private SaaS Plan
      • Video 4 - Publishing a SaaS Offer
      • Video 5 - Publishing a Private SaaS Plan
      • Video 6 - SaaS Offer Technical Overview
      • Video 7 - Azure AD Application Registrations
      • Video 8 - Using the SaaS Offer REST Fulfillment API
      • Video 9 - The SaaS Client Library for .NET
      • Video 10 - Building a Simple SaaS Landing Page in .NET
      • Video 11 - Building a Simple SaaS Publisher Portal in .NET
      • Video 12 - SaaS Webhook Overview
      • Video 13 - Implementing a Simple SaaS Webhook in .NET
      • Video 14 - Securing a Simple SaaS Webhook in .NET
      • Video 15 - SaaS Metered Billing Overview
      • Video 16 - The SaaS Metered Billing API with REST
  • Microsoft Fabric
    • Theory
    • Prereqs
    • Fabric Capacity
    • Set up a Remote State
    • Create a repo from a GitHub template
    • Configure an app reg for development
    • Initial Terraform workflow
    • Expanding your config
    • Configure a workload identity
    • GitHub Actions for Microsoft Fabric
    • GitLab pipeline for Microsoft Fabric
  • Packer & Ansible
    • Packer
    • Ansible
    • Dynamic Inventories
    • Playbooks & Roles
    • Custom Roles
    • Shared Image Gallery
  • Partner
    • Lighthouse and Partner Admin Link
      • Microsoft Cloud Partner Program
      • Combining Lighthouse and PAL
      • Minimal Lighthouse definition
      • Using service principals
      • Privileged Identity Management
    • Useful Links
  • REST API
    • REST API theory
    • Using az rest
  • Setup
  • Terraform
    • Fundamentals
      • Initialise
      • Format
      • Validate
      • Plan
      • Apply
      • Adding resources
      • Locals and outputs
      • Managing state
      • Importing resources
      • Destroy
    • Working Environments for Terraform
      • Cloud Shell
      • macOS
      • Windows with PowerShell
      • Windows with Ubuntu in WSL2
    • Using AzAPI
      • Using the REST API
      • azapi_resource
      • Removing azapi_resource
      • azapi_update_resource
      • Data sources and outputs
      • Removing azapi_update_resource
  • Virtual Machines
    • Azure Bastion with native tools & AAD
    • Managed Identities
  • About
  • Archive
  1. Home
  2. Azure Arc
  3. Azure Arc-enabled Kubernetes
  4. Azure Arc for Kubernetes - proctor guides
  5. Deploy Application

Table of Contents

  • Deploy App Dev Infrastructure as Cluster Admin
  • Set up App Dev repo
  • Get Application Logs
  • Lets Encrypt
  • Managed Identity

Deploy Application

Remove podinfo

kubectl delete all --all -n podinfo-app

See the sample manifests for how to deploy without using kubectl apply

Deploy App Dev Infrastructure as Cluster Admin

Just run through the steps listed here:

https://github.com/azurecitadel/arc-for-kubernetes/tree/main/01-app-setup

Set up App Dev repo

Create a new (private?) repository on GitHub

LOCATION=westeurope
RESOURCE_GROUP=arc4k8s-$LOCATION
DEVELOPER_REPO=<gitHubUsername>/<repoName>
az k8s-configuration create \
    -n arc-for-k8s-app \
    -c Arc-K3s-Demo \
    -g $RESOURCE_GROUP \
    --operator-namespace app-dev-arc \
    --operator-params='--git-readonly --sync-garbage-collection --git-branch=main' \
    --repository-url git@github.com:$DEVELOPER_REPO.git \
    --scope namespace \
    --cluster-type connectedClusters

You can view logs of the flux operator by running

LOCATION=westeurope
RESOURCE_GROUP=arc4k8s-$LOCATION
kubectl --kubeconfig ~/.kube/$RESOURCE_GROUP.config logs -n app-dev-arc -linstanceName=arc-for-k8s-app

You can get the SSH public key from the cluster and add it to GitHub repository as a deploy key to fix git repo not ready: git clone --mirror: fatal: Could not read from remote repository

It doesn’t matter what you call the Deploy Key in GitHub, the only thing that matters is the content of it

az k8s-configuration show \
  -g $RESOURCE_GROUP \
  -n arc-for-k8s-app \
  -c Arc-K3s-Demo \
  --cluster-type connectedClusters \
  --query 'repositoryPublicKey' \
  -o tsv

Get Application Logs

Reviewer API

kubectl --kubeconfig ~/.kube/$RESOURCE_GROUP.config logs -n app-dev-arc -lapp=reviewer-api --tail=-1

Reviewer UI

kubectl --kubeconfig ~/.kube/$RESOURCE_GROUP.config logs -n app-dev-arc -lapp=reviewer-ui --tail=-1

Ensure that you updated the host name in ingress.yaml and deployment.yaml

Access a running instance of the API

kubectl --kubeconfig ~/.kube/$RESOURCE_GROUP.config exec -it -n app-dev-arc reviewer-api-XXXXXXXX-YYYYY -- /bin/bash

Lets Encrypt

It takes a while for new certificates to be deployed so you may enoucnter errors that look like Your connection isn't private when visiting x.y.cloudapp.azure.com

  1. Ensure you have replaced the email address in your cluster issuer deployment
# Failed to register ACME account: 400 urn:ietf:params:acme:error:invalidEmail: Error creating new account :: "replace_with_your_email_address" is not a valid e-mail address#

kubectl --kubeconfig ~/.kube/$RESOURCE_GROUP.config describe clusterissuer

Managed Identity

If pod identity is failing to start, you can view the logs of the mic controller. It may say something like /etc/kubernetes/azure.json is a directory and not a file

# View logs for mic
kubectl --kubeconfig ~/.kube/$RESOURCE_GROUP.config logs -n aad-pod-identity -lapp=mic

{
  "cloud": "AzurePublicCloud",
  "tenantId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
  "subscriptionId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
  "resourceGroup": "",
  "useManagedIdentityExtension": true
}

E0729 “The client ‘XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX’with object id ‘XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX’ does not have authorization to perform action ‘Microsoft.Compute/virtualMachines/read’ over scope ‘/subscriptions/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX/resourceGroups/RESOURCE_GROUP/providers/Microsoft.Compute/virtualMachines/VM’ or the scope is invalid. If access was recently granted, please refresh your credentials.”

Solution you need to grant the following roles to the identity. This should have been done as part of the setup process but is worth checking.

SUBSCRIPTION_ID=$(az account show --query id -o tsv)
RESOURCE_GROUP=rg-arc4k8s-westeurope
PRINCIPAL_ID=$(az vm list -g $RESOURCE_GROUP --query '[].identity.principalId' -o tsv)

az role assignment create --role "Managed Identity Operator" --assignee-object-id $PRINCIPAL_ID --scope /subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP

az role assignment create --role "Virtual Machine Contributor" --assignee-object-id $PRINCIPAL_ID --scope /subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP

You can check managed identity by logging into a UI pod and retrieving an access token that can be checked at https://jwt.ms

kubectl --kubeconfig ~/.kube/$RESOURCE_GROUP.config exec -it -n app-dev-arc reviewer-ui-XXXXXXXX-YYYYY -- /bin/bash

curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F' -H Metadata:true -s

Another way this might fail is if the VMs system assigned managed identity doesn’t have permissions to read the managed identity. This may occur if you didn’t.

Enable GitOps Deploy Application Enforce Policy