
IMPORTANT NOTE: This site is not official Red Hat documentation and is provided for informational purposes only. These guides may be experimental, proof of concept, or early adoption. Officially supported documentation is available at docs.openshift.com and access.redhat.com.

Installing and Using the Azure Service Operator (ASO) in Azure Red Hat OpenShift (ARO)

Paul Czarkowski

last edit - 02/16/2022

The Azure Service Operator (ASO) provides Custom Resource Definitions (CRDs) for Azure resources that can be used to create, update, and delete Azure services from an OpenShift cluster.

Prerequisites

Prepare your Azure Account and ARO Cluster

  1. Set the following environment variables:

    Note: modify the cluster name, region and resource group to match your cluster

    AZURE_TENANT_ID=$(az account show -o tsv --query tenantId)
    AZURE_SUBSCRIPTION_ID=$(az account show -o tsv --query id)
    CLUSTER_NAME="openshift"
    AZURE_RESOURCE_GROUP="openshift"
    AZURE_REGION="eastus"
    
  2. Create a Service Principal with Contributor permissions to your subscription:

    Note: This grants Contributor on the entire subscription. You may want to lock this down to a specific resource group.

    # appId is the client ID that ASO reads as AZURE_CLIENT_ID
    read -r ASO_USER ASO_PASS < <(az ad sp create-for-rbac -n "$CLUSTER_NAME-ASO" \
      --role contributor --scopes "/subscriptions/$AZURE_SUBSCRIPTION_ID" -o tsv \
      --query "[appId,password]" | xargs)
    
  3. Create a secret containing your Service Principal credentials:

    cat <<EOF | oc apply -f -
    apiVersion: v1
    kind: Secret
    metadata:
      name: azureoperatorsettings
      namespace: openshift-operators
    stringData:
      AZURE_TENANT_ID: $AZURE_TENANT_ID
      AZURE_SUBSCRIPTION_ID: $AZURE_SUBSCRIPTION_ID
      AZURE_CLIENT_ID: $ASO_USER
      AZURE_CLIENT_SECRET: $ASO_PASS
      AZURE_CLOUD_ENV: AzurePublicCloud
    EOF
    
  4. Deploy the ASO Operator:

    cat <<EOF | oc apply -f -
    apiVersion: operators.coreos.com/v1alpha1
    kind: Subscription
    metadata:
      labels:
        operators.coreos.com/azure-service-operator.openshift-operators: ""
      name: azure-service-operator
      namespace: openshift-operators
    spec:
      channel: stable
      installPlanApproval: Automatic
      name: azure-service-operator
      source: community-operators
      sourceNamespace: openshift-marketplace
      startingCSV: azure-service-operator.v1.0.28631
    EOF
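
Added example (not part of the original guide): step 2 grants Contributor on the whole subscription and notes that you may want to narrow it. The script below builds a resource-group scope for `--scopes` and audits the role assignments the service principal actually holds. `rg_scope` and `audit_assignments` are hypothetical helper names, and the sample rows are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide. rg_scope and audit_assignments
# are hypothetical helper names; the sample rows at the bottom are constructed.

# Build the resource-group scope to pass to --scopes in step 2, e.g.:
#   az ad sp create-for-rbac -n "$CLUSTER_NAME-ASO" --role contributor \
#     --scopes "$(rg_scope "$AZURE_SUBSCRIPTION_ID" "$AZURE_RESOURCE_GROUP")"
rg_scope() {
  printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}

# Audit "role<TAB>scope" rows on stdin, as produced by:
#   az role assignment list --assignee "$ASO_USER" --all \
#     --query "[].[roleDefinitionName,scope]" -o tsv
# Prints each assignment that reaches outside the allowed scope and returns
# non-zero if any exist. ARM scopes are case-insensitive, so compare lowercased.
audit_assignments() (
  allowed=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  tab=$(printf '\t')
  rc=0
  while IFS="$tab" read -r role scope; do
    [ -n "$role" ] || continue
    lc=$(printf '%s' "$scope" | tr '[:upper:]' '[:lower:]')
    case "$lc" in
      "$allowed"|"$allowed"/*) ;;   # the resource group or something inside it
      *) printf 'TOO BROAD: %s on %s\n' "$role" "$scope"; rc=1 ;;
    esac
  done
  [ "$rc" -eq 0 ]
)

# Constructed sample: one subscription-wide grant, one resource-group grant.
SUB="00000000-0000-0000-0000-000000000000"
printf 'Contributor\t%s\nContributor\t%s\n' \
  "/subscriptions/$SUB" "/subscriptions/$SUB/resourcegroups/openshift" |
  audit_assignments "$(rg_scope "$SUB" openshift)" ||
  echo "narrow the service principal's scope"
```

Run the audit after creating the service principal and again after any role change; a non-zero exit status makes it usable as a gate in a provisioning script.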
    

Deploy an Azure Redis Cache

  1. Create a Project:

    oc new-project redis-demo
    
  2. Allow the Redis app to run as any user:

    oc adm policy add-scc-to-user anyuid -z default
    
  3. Create a random string to use as the unique Redis hostname:

    REDIS_HOSTNAME=$(cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 8 | head -n 1)
    
  4. Deploy a Redis service using the ASO Operator and an example application:

    cat <<EOF | oc apply -f -
    apiVersion: azure.microsoft.com/v1alpha1
    kind: RedisCache
    metadata:
      name: $REDIS_HOSTNAME
    spec:
      location: $AZURE_REGION
      resourceGroup: $AZURE_RESOURCE_GROUP
      properties:
        sku:
          name: Basic
          family: C
          capacity: 1
        enableNonSslPort: true  # also opens the unencrypted port 6379
    ---
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: azure-vote-front
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: azure-vote-front
      template:
        metadata:
          labels:
            app: azure-vote-front
        spec:
          containers:
          - name: azure-vote-front
            image: mcr.microsoft.com/azuredocs/azure-vote-front:v1
            resources:
              requests:
                cpu: 100m
                memory: 128Mi
              limits:
                cpu: 250m
                memory: 256Mi
            ports:
            - containerPort: 80
            env:
            - name: REDIS_NAME
              value: $REDIS_HOSTNAME
            - name: REDIS
              value: $REDIS_HOSTNAME.redis.cache.windows.net
            - name: REDIS_PWD
              valueFrom:
                secretKeyRef:
                  name: rediscache-$REDIS_HOSTNAME
                  key: primaryKey
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: azure-vote-front
    spec:
      ports:
      - port: 80
      selector:
        app: azure-vote-front
    ---
    apiVersion: route.openshift.io/v1
    kind: Route
    metadata:
      name: azure-vote
    spec:
      port:
        targetPort: 80
      tls:
        insecureEdgeTerminationPolicy: Redirect
        termination: edge
      to:
        kind: Service
        name: azure-vote-front
    EOF
    
  5. Wait for Redis to be ready:

    This may take 10 to 15 minutes.

     watch oc get rediscache $REDIS_HOSTNAME
    

    The output should eventually show the following:

     NAME       PROVISIONED   MESSAGE
     l67for49   true          successfully provisioned
    
  6. Get the URL of the example app:

     oc get route azure-vote
    
  7. Browse to the URL provided by the previous command and validate that the app is working.

screenshot of voting app

Cleanup

  1. Delete the project containing the demo app:

     oc delete project redis-demo