Preparing Azure Blob Storage

Prepare Azure Blob Storage by completing these steps:

Note: You will need administrator permissions in Azure to complete these steps.

  1. Ensure that you have a storage account.

  2. In that storage account, create a container named kubernetes. This container will be used for storing log files of CloudBlue Commerce components.

  3. Prepare a managed identity and a pod-managed identity by using one of these methods:

    • Execute the following commands in the Azure CLI:

      # Specify values that belong to your installation
      # -----------------------------------------------
      export SUBSCRIPTION_NAME="NAME_OF_YOUR_AZURE_SUBSCRIPTION"
      export CLUSTER_RESOURCE_GROUP="NAME_OF_RESOURCE_GROUP_OF_YOUR_CLUSTER"
      export CLUSTER_NAME="NAME_OF_YOUR_CLUSTER"
      export LOCATION="YOUR_REGION"
      export IDENTITY_NAME="NAME_FOR_MANAGED_IDENTITY-identity"
      export IDENTITY_RESOURCE_GROUP="NAME_OF_RESOURCE_GROUP_FOR_MANAGED_IDENTITY-identity-rg"
      export POD_IDENTITY_NAME="logs"
      export POD_IDENTITY_NAMESPACE="NAMESPACE_FOR_INFRASTRUCTURE_COMPONENTS"
      # -----------------------------------------------
       
      az account set --subscription ${SUBSCRIPTION_NAME}
      az group create --name ${IDENTITY_RESOURCE_GROUP} --location ${LOCATION}
      az identity create --resource-group ${IDENTITY_RESOURCE_GROUP} --name ${IDENTITY_NAME}
       
      export IDENTITY_CLIENT_ID="$(az identity show -g ${IDENTITY_RESOURCE_GROUP} -n ${IDENTITY_NAME} --query clientId -otsv)"
      export IDENTITY_RESOURCE_ID="$(az identity show -g ${IDENTITY_RESOURCE_GROUP} -n ${IDENTITY_NAME} --query id -otsv)"
       
      NODE_GROUP=$(az aks show -g ${CLUSTER_RESOURCE_GROUP} -n ${CLUSTER_NAME} --query nodeResourceGroup -o tsv)
      NODES_RESOURCE_ID=$(az group show -n $NODE_GROUP -o tsv --query "id")
      az role assignment create --role "Virtual Machine Contributor" --assignee "$IDENTITY_CLIENT_ID" --scope $NODES_RESOURCE_ID
       
      az feature register --name EnablePodIdentityPreview --namespace Microsoft.ContainerService
      az aks update -g ${CLUSTER_RESOURCE_GROUP} -n ${CLUSTER_NAME} --enable-pod-identity
       
      az aks pod-identity add --resource-group ${CLUSTER_RESOURCE_GROUP} --cluster-name ${CLUSTER_NAME} --namespace ${POD_IDENTITY_NAMESPACE} --name ${POD_IDENTITY_NAME} --identity-resource-id ${IDENTITY_RESOURCE_ID}
    • Create the required managed identity and pod-managed identity manually:

      1. Ensure that Microsoft Entra ID pod-managed identities are enabled in your cluster. To learn how to do this, please refer to the Azure documentation.

      2. Create a managed identity. To learn how to create that managed identity, please refer to the Azure documentation.

      3. Create a pod identity:

        • Give it the logs name.
        • Place it in the namespace that is intended for infrastructure components.
        • Associate it with the managed identity you created.

        To learn how to do this, please refer to the Azure documentation.

  4. Assign the Storage Blob Data Contributor role to the managed identity, scoped to the kubernetes container itself rather than to the whole storage account. To learn how to do this, please refer to the Azure documentation.

  5. Prepare the following information:

    • The name of your storage account

    • The URL of the container you created

    • The Client ID of the managed identity you created

      Note: You can obtain that Client ID with the kubectl -n NAMESPACE_FOR_INFRASTRUCTURE_COMPONENTS get AzureIdentity logs -o=jsonpath='{.spec.clientID}' command.

  6. In your AKS cluster, create a secret with access credentials:

    kubectl -n NAMESPACE_FOR_INFRASTRUCTURE_COMPONENTS create secret generic azure-storage-credentials-msi \
    --from-literal=azure_msi_client_id='CLIENT_ID_OF_MANAGED_IDENTITY' \
    --from-literal=account='STORAGE_ACCOUNT_NAME' \
    --from-literal=url_blob_container='URL_OF_CONTAINER'
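The following pre-flight check is an added example, not part of the CloudBlue documentation or the CloudBlue installer. It takes the JSON output of `az role assignment list --assignee CLIENT_ID --all -o json` and of `kubectl -n NAMESPACE get secret azure-storage-credentials-msi -o json`, and confirms what steps 4 through 6 ask for: that the Storage Blob Data Contributor role is granted on the kubernetes container only (not on the whole storage account or higher), and that the secret's azure_msi_client_id, account and container URL agree with the pod identity and container you prepared. All subscription ids, resource names, client ids and the secret contents below are constructed placeholders; the public-cloud blob endpoint `<account>.blob.core.windows.net` is an assumption.

```python
import base64
import json
from urllib.parse import urlparse

# Constructed sample of `az role assignment list --assignee <CLIENT_ID> --all -o json`
# for the managed identity. Subscription, resource-group and account names are placeholders.
# Note: principalId in this listing is the identity's object id, not its clientId.
SAMPLE_ROLE_ASSIGNMENTS = json.dumps([
    {"roleDefinitionName": "Virtual Machine Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MC_example-rg_example-aks_westeurope",
     "principalId": "11111111-1111-1111-1111-111111111111"},
    {"roleDefinitionName": "Storage Blob Data Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg"
              "/providers/Microsoft.Storage/storageAccounts/examplestorage"
              "/blobServices/default/containers/kubernetes",
     "principalId": "11111111-1111-1111-1111-111111111111"},
])

# Constructed sample of the same listing where the role was granted on the whole storage account.
SAMPLE_OVERBROAD_ASSIGNMENTS = json.dumps([
    {"roleDefinitionName": "Storage Blob Data Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg"
              "/providers/Microsoft.Storage/storageAccounts/examplestorage",
     "principalId": "11111111-1111-1111-1111-111111111111"},
])


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed value of `kubectl get AzureIdentity logs -o=jsonpath='{.spec.clientID}'`.
SAMPLE_CLIENT_ID = "22222222-2222-2222-2222-222222222222"

# Constructed sample of `kubectl -n <ns> get secret azure-storage-credentials-msi -o json`;
# kubectl prints Secret data base64-encoded.
SAMPLE_SECRET = json.dumps({"data": {
    "azure_msi_client_id": _b64(SAMPLE_CLIENT_ID),
    "account": _b64("examplestorage"),
    "url_blob_container": _b64("https://examplestorage.blob.core.windows.net/kubernetes"),
}})

BLOB_ROLE = "Storage Blob Data Contributor"


def container_scope_suffix(account, container):
    """ARM resource-id tail that identifies a single blob container."""
    return (f"/providers/Microsoft.Storage/storageAccounts/{account}"
            f"/blobServices/default/containers/{container}")


def check_blob_role(assignments_json, account, container):
    """Return findings; an empty list means the blob role exists and is scoped to the container only."""
    findings = []
    suffix = container_scope_suffix(account, container)
    matches = [a for a in json.loads(assignments_json) if a["roleDefinitionName"] == BLOB_ROLE]
    if not matches:
        findings.append(f"missing: no '{BLOB_ROLE}' assignment for the identity")
    for assignment in matches:
        scope = assignment["scope"]
        if scope.endswith(suffix):
            continue
        # Any other scope (storage account, resource group, subscription) grants more than needed.
        findings.append(f"over-broad: '{BLOB_ROLE}' granted at {scope} instead of the '{container}' container")
    return findings


def check_secret(secret_json, expected_client_id, account, container):
    """Decode the Secret and confirm it names the expected identity, account and container."""
    data = json.loads(secret_json).get("data", {})
    decoded = {k: base64.b64decode(v).decode() for k, v in data.items()}
    findings = []
    for key in ("azure_msi_client_id", "account", "url_blob_container"):
        if key not in decoded:
            findings.append(f"secret is missing key '{key}'")
    if decoded.get("azure_msi_client_id") != expected_client_id:
        findings.append("azure_msi_client_id does not match the pod identity's clientID")
    if decoded.get("account") != account:
        findings.append("account does not match the storage account name")
    url = urlparse(decoded.get("url_blob_container", ""))
    # Assumes the public Azure endpoint; sovereign clouds use a different blob host suffix.
    if (url.scheme != "https" or url.hostname != f"{account}.blob.core.windows.net"
            or url.path.strip("/") != container):
        findings.append("url_blob_container does not point at the container of this storage account")
    return findings


def preflight(assignments_json, secret_json, client_id, account, container):
    """Combine both checks; empty result means the storage preparation is consistent."""
    return (check_blob_role(assignments_json, account, container)
            + check_secret(secret_json, client_id, account, container))


if __name__ == "__main__":
    result = preflight(SAMPLE_ROLE_ASSIGNMENTS, SAMPLE_SECRET, SAMPLE_CLIENT_ID,
                       "examplestorage", "kubernetes")
    for line in result or ["ok: role scoped to the container and secret matches"]:
        print(line)
```

To run it against a real cluster, replace the constructed samples with the actual command output (for example by reading `az role assignment list ... -o json` and `kubectl get secret ... -o json` from files) and pass the clientID reported by `kubectl get AzureIdentity logs`. An over-broad finding means the role assignment from step 4 should be removed and recreated on the container scope.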