Skip to content

Refactor docs so quick start instructions are for creating an AKS man… #5625

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Refactor docs so quick start instructions are for creating an AKS man… #5625

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion docs/book/src/SUMMARY.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
# Summary

[Introduction](./introduction.md)
[Getting Started](./getting-started.md)
[Getting Started](./getting-started-with-aks.md)
[Roadmap](./roadmap.md)
- [General Topics](./topics/topics.md)
- [Azure Service Operator](./topics/aso.md)
Expand Down Expand Up @@ -50,6 +50,7 @@
- [Development](./developers/development.md)
- [Kubernetes Developers](./developers/kubernetes-developers.md)
- [AKS as management cluster](./developers/tilt-with-aks-as-mgmt-ilb.md)
- [Getting Started with CAPI Operator](./developers/getting-started-with-capi-operator.md)
- [Releasing](./developers/releasing.md)
- [Jobs](./developers/jobs.md)
- [Reference](./reference/reference.md)
Expand Down
0 docs/book/src/getting-started.md → ...ers/getting-started-with-capi-operator.md
View file
Open in desktop
File renamed without changes.
120 changes: 120 additions & 0 deletions docs/book/src/getting-started-with-aks.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,120 @@
# Getting started with cluster-api-provider-azure

## Prerequisites

### Requirements

<!-- markdown-link-check-disable-next-line -->
- A [Microsoft Azure account](https://azure.microsoft.com/)
- Note: If using a new subscription, make sure to [register](https://learn.microsoft.com/azure/azure-resource-manager/management/resource-providers-and-types) the following resource providers:
- `Microsoft.Compute`
- `Microsoft.Network`
- `Microsoft.ContainerService`
- `Microsoft.ManagedIdentity`
- `Microsoft.Authorization`
- `Microsoft.ResourceHealth` (if the `EXP_AKS_RESOURCE_HEALTH` feature flag is enabled)
- The [Azure CLI](https://learn.microsoft.com/cli/azure/install-azure-cli?view=azure-cli-latest)
- A [supported version](https://github.com/kubernetes-sigs/cluster-api-provider-azure#compatibility) of `clusterctl`

### Setting up your Azure environment

1. Login with the Azure CLI.

```bash
az login
```

2. List your Azure subscriptions.

```bash
az account list -o table
```

3. If more than one account is present, select the account that you want to use.

```bash
az account set -s <SubscriptionId>
```

4. Save your Subscription ID in an environment variable.

```bash
export AZURE_SUBSCRIPTION_ID="<SubscriptionId>"
```
## Creating an AKS Management Cluster with Workload Identity

1. Create an AKS Cluster with Workload Identity and OIDC Endpoint Enabled.
```bash
az aks create \
--resource-group <resource-group-name> \
--name <aks-cluster-name> \
--enable-oidc-issuer \
--enable-workload-identity \
--node-count 2 \
--node-vm-size Standard_B2s \
--generate-ssh-keys \
--location <region>
```

2. Retrieve Credentials for the AKS Cluster to interact with it using kubectl:
```bash
az aks get-credentials --resource-group <resource-group-name> --name <aks-cluster-name>
```

3. Retrieve the OIDC Issuer URL.
```bash
az aks show \
--resource-group <resource-group-name> \
--name <aks-cluster-name> \
--query "oidcIssuerProfile.issuerUrl" -o tsv
```
Hold onto the OIDC issuer URL for creating federated credentials.

4. Create a User-Assigned Managed Identity (UAMI) to use for Workload Identity.
```bash
az identity create \
--name <uami-name> \
--resource-group <resource-group-name> \
--location <region>
```
Hold onto the UAMI `clientID` and `principalID` for the next steps.

5. Assign the Contributor role to the UAMI so it can manage Azure resources.
```bash
az role assignment create \
--assignee <uami-principal-id> \
--role Contributor \
--scope /subscriptions/<subscription-id>
```

6. Add a Federated Credential to the UAMI

To configure the federated credential for the UAMI, follow the detailed instructions in [Azure Workload Identity: Federated identity credential for an Azure AD application](https://azure.github.io/azure-workload-identity/docs/topics/federated-identity-credential.html#federated-identity-credential-for-a-user-assigned-managed-identity).
For CAPZ, the federated credential should be configured for the capz-manager service account in the capz-system namespace, like the below:
```bash
az identity federated-credential create \
--name <federated-credential-name> \
--identity-name <uami-name> \
--resource-group <resource-group-name> \
--issuer <oidc-issuer-url> \
--subject "system:serviceaccount:capz-system:capz-manager" \
```

7. Initialize the management cluster

Run the following command to initialize the management cluster with Cluster API Provider Azure (CAPZ):

`clusterctl init --infrastructure azure`

This command sets up the necessary components, including Cluster API Core, CAPZ, and Azure Service Operator (ASO).
View the [Cluster API Quick Start: Initialize the management cluster](https://cluster-api.sigs.k8s.io/user/quick-start.html) documentation for more detailed instructions. Ensure you select the "Azure" tabs for Azure-specific guidance.

7. Annotate the capz-manager service account in the capz-system namespace with the UAMI's clientId:
```bash
kubectl annotate serviceaccount capz-manager \
-n capz-system \
azure.workload.identity/client-id=<uami-client-id>
```
## Building your First Cluster

To create a workload cluster, follow the [Cluster API Quick Start: Create your first workload cluster](https://cluster-api.sigs.k8s.io/user/quick-start.html) for detailed instructions. Ensure you select the "Azure" tabs for Azure-specific guidance.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems like we're repeating the same instructions from line 110 here?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this one is highlighting a different part of the Quick Start (which I can appreciate-I am partial to overexplaining)

Copy link
Contributor Author

@alimaazamat alimaazamat May 14, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same instructions but different sections. So I did Cluster API Quick Start: <"section"> to point to what specific section of the Cluster API Quick Start documentation is relevant.
Let me know how this sounds, I was thinking of merging this information in one step but in between you need to annotate the capz-manager service account and that isn't in the Cluster API Quick Start docs since that is specific to workload identity.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since there's an in between step I wouldn't merge them for newer users. It's easier to follow that way.

Loading