Authorize Access to Object Storage on Azure¶
This guide will walk you through configuring Rok to have access to object storage resources on Azure.
What You’ll Need¶
- A configured management environment.
- Your clone of the Arrikto GitOps repository.
- An existing AKS cluster.
- An existing Azure Storage Account.
Procedure¶
1. Go to your GitOps repository, inside your `rok-tools` management environment:

    ```
    root@rok-tools:~# cd ~/ops/deployments
    ```

2. Configure S3Proxy to access the Azure Storage Account:

    ```
    root@rok-tools:~/ops/deployments# j2 \
    >     rok/rok-external-services/s3proxy/overlays/deploy/config.env.j2 \
    >     -o rok/rok-external-services/s3proxy/overlays/deploy/config.env
    ```

3. Generate random credentials for Rok to access S3Proxy:

    ```
    root@rok-tools:~/ops/deployments# export S3PROXY_IDENTITY="$(openssl rand -hex 16)"
    root@rok-tools:~/ops/deployments# export S3PROXY_CREDENTIAL="$(openssl rand -hex 32)"
    ```

4. Retrieve an access key of your storage account:

    ```
    root@rok-tools:~/ops/deployments# export JCLOUDS_CREDENTIAL=$(az \
    >     storage account keys list --resource-group ${AZ_RESOURCE_GROUP?} \
    >     --account-name ${STORAGE_ACCOUNT_NAME?} | jq -r '.[0].value')
    ```

5. Provide the generated credentials to S3Proxy:

    ```
    root@rok-tools:~/ops/deployments# j2 \
    >     rok/rok-external-services/s3proxy/overlays/deploy/secrets/credentials.env.j2 \
    >     -o rok/rok-external-services/s3proxy/overlays/deploy/secrets/credentials.env
    ```

    The rendered `credentials.env` holds the storage account key and the S3Proxy credentials you exported above in plaintext; treat it, and any copy of the repository that includes it, as a secret.

6. Edit `rok/rok-cluster/overlays/deploy/kustomization.yaml` to set the parent of the `deploy` kustomization overlay to `aks`:

    ```yaml
    bases:
    - ../aks
    ```

7. Select the namespace in which to deploy Rok:

    ```
    root@rok-tools:~/ops/deployments# export ROK_CLUSTER_NAMESPACE=rok
    ```

8. Select the name of the Rok cluster:

    ```
    root@rok-tools:~/ops/deployments# export ROK_CLUSTER_NAME=rok
    ```

9. Select the bucket prefix Rok will use to store its snapshots in Azure Blob Storage:

    ```
    root@rok-tools:~/ops/deployments# S3_BUCKET_PREFIX="rok-${ROK_CLUSTER_NAMESPACE?}-${ROK_CLUSTER_NAME?}"
    ```

10. Remove the Rok cluster namespace and name from the prefix if they are both equal to `rok`:

    ```
    root@rok-tools:~/ops/deployments# export S3_BUCKET_PREFIX=${S3_BUCKET_PREFIX%-rok-rok}
    ```

11. Obtain your bucket prefix and copy it to your clipboard, as you are going to use this value in the next step:

    ```
    root@rok-tools:~/ops/deployments# echo ${S3_BUCKET_PREFIX?}
    rok
    ```

12. Edit `rok/rok-cluster/overlays/deploy/patches/configvars.yaml` to set the `daemons.s3d.bucket_prefix` Rok Cluster configuration variable to your bucket prefix, and the `daemons.s3d.aws.access_key_id` and `daemons.s3d.aws.secret_access_key` variables to the S3Proxy credentials you generated above:

    ```yaml
    spec:
      configVars:
        daemons.s3d.bucket_prefix: "<S3_BUCKET_PREFIX>" # <-- Update this line with your bucket prefix
        daemons.s3d.aws.access_key_id: "<S3PROXY_IDENTITY>" # <-- Update this line with your S3Proxy Access Key ID
        daemons.s3d.aws.secret_access_key: "<S3PROXY_CREDENTIAL>" # <-- Update this line with your S3Proxy Secret Access Key
    ```

13. Track all changes in the git repository:

    ```
    root@rok-tools:~/ops/deployments# git add rok/rok-cluster rok/rok-external-services
    ```

14. Commit the changes:

    ```
    root@rok-tools:~/ops/deployments# git commit -m "Configure Azure Blob Storage access for Rok"
    ```
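As an added example (not code from the Rok documentation or the Arrikto GitOps repository), the bucket-prefix derivation above written as POSIX shell functions, together with a check that a container name Rok builds from the prefix is a valid Azure Blob container name. It compares the namespace and cluster name explicitly instead of stripping a `-rok-rok` suffix, so a namespace that merely ends in `-rok` keeps its full prefix. The `-chocks-ca` suffix used by the check is assumed from the container name the Verify section lists; the naming rules enforced (3 to 63 characters, lowercase letters, digits and single hyphens, starting and ending with a letter or digit) are Azure's documented container-name limits.

```shell
#!/bin/sh
# Added example (not part of the Arrikto GitOps repository): derive the Rok
# bucket prefix from the namespace and cluster name, and check that the
# container names Rok will build from it are valid Azure Blob container names.

# rok_bucket_prefix NAMESPACE NAME
# Prints "rok-<namespace>-<name>", or just "rok" when both are exactly "rok",
# using an explicit comparison rather than a suffix-strip pattern.
rok_bucket_prefix() {
    ns=$1
    name=$2
    if [ "$ns" = rok ] && [ "$name" = rok ]; then
        printf '%s\n' rok
    else
        printf '%s\n' "rok-${ns}-${name}"
    fi
}

# is_valid_container_name NAME
# Returns 0 if NAME satisfies the Azure Blob container naming rules:
# 3-63 characters; lowercase letters, digits and hyphens only; starts and
# ends with a letter or digit; no consecutive hyphens.
is_valid_container_name() {
    name=$1
    len=${#name}
    [ "$len" -ge 3 ] && [ "$len" -le 63 ] || return 1
    case $name in
        *[!a-z0-9-]*) return 1 ;;   # illegal character (e.g. uppercase)
        -*|*-)        return 1 ;;   # leading or trailing hyphen
        *--*)         return 1 ;;   # consecutive hyphens
    esac
    return 0
}

# check_prefix NAMESPACE NAME
# Derives the prefix and verifies that a container name Rok would form from
# it is valid. The "-chocks-ca" suffix is assumed from the Verify section.
# Prints the prefix and returns 0 on success, 1 otherwise.
check_prefix() {
    prefix=$(rok_bucket_prefix "$1" "$2")
    container="${prefix}-chocks-ca"
    if is_valid_container_name "$container"; then
        printf '%s\n' "$prefix"
        return 0
    else
        printf 'invalid container name derived from prefix: %s\n' "$container" >&2
        return 1
    fi
}

# Example usage with the values from this page:
#   check_prefix rok rok        -> rok
#   check_prefix kubeflow rok   -> rok-kubeflow-rok
#   check_prefix Prod rok       -> error on stderr, exit status 1 (uppercase)
```

Run `check_prefix "$ROK_CLUSTER_NAMESPACE" "$ROK_CLUSTER_NAME"` after exporting the two variables; a non-zero exit status means the prefix would produce container names Azure rejects, which is better caught here than when Rok first tries to create a bucket.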
Verify¶
1. Go to your GitOps repository, inside your `rok-tools` management environment:

    ```
    root@rok-tools:~# cd ~/ops/deployments
    ```

2. Configure the `rok-verify-storage-access-aks` Pod to access your Azure storage account:

    ```
    root@rok-tools:~/ops/deployments# j2 \
    >     rok/rok-test/rok-verify-storage-access-aks/credentials.env.j2 \
    >     -o rok/rok-test/rok-verify-storage-access-aks/credentials.env
    ```

3. Track the rendered manifest:

    ```
    root@rok-tools:~/ops/deployments# git add rok/rok-test/rok-verify-storage-access-aks/credentials.env
    ```

4. Commit the changes:

    ```
    root@rok-tools:~/ops/deployments# git commit -m "Configure Pod to verify storage access"
    ```

5. Deploy the rendered `rok-verify-storage-access-aks` manifest to your AKS cluster:

    ```
    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/rok-test/rok-verify-storage-access-aks
    ```

6. Wait for the status of the `rok-verify-storage-access` Pod to become `Running`:

    ```
    root@rok-tools:~/ops/deployments# kubectl get pods rok-verify-storage-access
    NAME                        READY   STATUS    RESTARTS   AGE
    rok-verify-storage-access   1/1     Running   0          20s
    ```

7. Enter the Pod:

    ```
    root@rok-tools:~/ops/deployments# kubectl exec rok-verify-storage-access -it -- /bin/bash
    ```

8. List the blobs in a non-existent container in the storage account:

    ```
    root@rok-verify-storage-access:~# az storage blob list \
    >     --account-name ${STORAGE_ACCOUNT_NAME?} \
    >     --container-name ${BUCKET_PREFIX?}-chocks-ca \
    >     --account-key ${ACCOUNT_KEY?}
    The specified container does not exist.
    RequestId:8ec2d64b-e01e-002d-6aa1-8af874000000
    Time:2021-08-06T09:02:35.4218807Z
    ErrorCode:ContainerNotFound
    Error:None
    ```

9. Ensure that the above command failed with a `ContainerNotFound` error. This means that the request was authenticated with your storage account key and rejected only because the container does not exist; an authentication error instead would indicate that the key in `credentials.env` is wrong.

10. Return to your management environment:

    ```
    root@rok-verify-storage-access:~# exit
    ```

11. Delete the `rok-verify-storage-access` Pod:

    ```
    root@rok-tools:~/ops/deployments# rok-deploy --delete rok/rok-test/rok-verify-storage-access-aks
    ```
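The manual check above turned into a script with a pass/fail exit status, as an added example that is not part of the Rok tooling. `classify_blob_list_output` interprets the combined output of `az storage blob list` run against a container that should not exist, and `verify_storage_access` runs the same command the Pod runs (the `-chocks-ca` suffix is taken from the step above) and succeeds only on `ContainerNotFound`. The sample outputs at the end are constructed for offline testing, not captured from a real storage account; `AuthenticationFailed` is the error code Azure Storage returns when it rejects a Shared Key signature, and the classifier assumes the Azure CLI's default JSON output.

```shell
#!/bin/sh
# Added example (not part of the Rok documentation or tooling): run the
# storage-access check non-interactively and turn the Azure response into a
# pass/fail verdict instead of reading the output by eye.

# classify_blob_list_output OUTPUT
# Interprets the combined stdout/stderr of `az storage blob list` run against
# a container that should not exist (default JSON output assumed). Prints:
#   authorized    - ContainerNotFound: the request was authenticated with the
#                   account key, which is what this check is looking for
#   bad-key       - AuthenticationFailed: the account key was rejected
#   unexpected-ok - a JSON list came back, so the container already exists and
#                   the check says nothing about whether the prefix is unused
#   unknown       - anything else (network error, wrong account name, az missing)
classify_blob_list_output() {
    case $1 in
        *ContainerNotFound*)    printf '%s\n' authorized ;;
        *AuthenticationFailed*) printf '%s\n' bad-key ;;
        "["*)                   printf '%s\n' unexpected-ok ;;
        *)                      printf '%s\n' unknown ;;
    esac
}

# verify_storage_access ACCOUNT_NAME BUCKET_PREFIX ACCOUNT_KEY
# Runs the same command as the Verify step (the "-chocks-ca" suffix is taken
# from there) and returns 0 only when the failure is ContainerNotFound.
# The `|| true` keeps a failing az from aborting a script run under `set -e`
# before the output has been classified.
verify_storage_access() {
    out=$(az storage blob list \
        --account-name "$1" \
        --container-name "$2-chocks-ca" \
        --account-key "$3" 2>&1) || true
    verdict=$(classify_blob_list_output "$out")
    printf 'storage access check: %s\n' "$verdict"
    [ "$verdict" = authorized ]
}

# Constructed sample outputs for testing the classifier offline; they are not
# captured from a real storage account.
SAMPLE_NOT_FOUND='The specified container does not exist.
RequestId:00000000-0000-0000-0000-000000000000
ErrorCode:ContainerNotFound
Error:None'
SAMPLE_BAD_KEY='Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
RequestId:00000000-0000-0000-0000-000000000000
ErrorCode:AuthenticationFailed'
SAMPLE_EXISTS='[]'

# Usage inside the verification Pod, where credentials.env has populated the
# environment:
#   verify_storage_access "$STORAGE_ACCOUNT_NAME" "$BUCKET_PREFIX" "$ACCOUNT_KEY"
```

The `unexpected-ok` verdict is the one worth watching for: a container that already exists under your prefix means the check did not exercise the failure path the page relies on, so it proves nothing about the key, and it also means Rok would share a name space with whatever created that container.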
Summary¶
You have successfully provided Rok with access to Azure Blob Storage: Rok talks to S3Proxy with the credentials you generated, and S3Proxy reaches your storage account with the account key you retrieved.
What’s Next¶
The next step is to grant Rok access to Arrikto’s private container registry, so that it can pull images from it.