Docs update #1185
Merged
14 commits
80c07f3
a few formatting changes
604d820
merging
c00ff2e
cleaning up control flow doc
c13b837
using official names
8a6e49e
cleaning up
7c8d29f
adding new diagrams
868380d
Update docs/design/controlflow.md
frodopwns 0fc7437
Update docs/design/controlflow.md
frodopwns 2ff882f
Update docs/faq.md
frodopwns eda7b53
Update docs/faq.md
frodopwns e16a7b3
Update docs/howto/contents.md
frodopwns 284b455
Update docs/howto/contents.md
frodopwns 8cfcec3
Update docs/howto/contents.md
frodopwns dc9c00b
Update docs/howto/contents.md
frodopwns
@@ -1,47 +1,41 @@ | ||
## Deploying the operator - How it works | ||
## Deploying the operator - how it works | ||
|
||
![](/docs/images/DeployFlow.png) | ||
![](/docs/images/Deploy%20Flow.png) | ||
|
||
1. The user provisions the Managed Identity (or service principal) in their environment for the Azure Service Operator to use. | ||
2. The user then deploy cert-manager for the Azure Service Operator to use when deployed. | ||
|
||
|
||
2. The user then uses the Helm chart to deploy the operator. | ||
3. The user then uses the Helm chart to deploy the operator. This includes the controller pod and the manager pod, created from images stored in the public Microsoft Container Registry. The Helm chart also deploys dependencies like [aad-pod-identity](https://github.com/Azure/aad-pod-identity) in addition to the Azure Service Operator. This deployment also configures the needed Kubernetes RBAC rules. | ||
|
||
3. The Helm chart uses the images from the public Container Registry. | ||
|
||
4. It deploys dependencies like [aad-pod-identity](https://github.com/Azure/aad-pod-identity) in addition to the Azure Service Operator. | ||
## Resource provisioning - how it works | ||
|
||
5. This deployment takes care of deploying the operator while also configuring the needed Kubernetes RBAC rules. | ||
![](/docs/images/ASO%20flow.png) | ||
|
||
6. Due to ordering of deployment, currently, cert-manager needs to be deployed manually before using the Helm chart to deploy the Operator. | ||
1. The user deploys an application that includes the custom resource manifest for installing a Azure service that the app depends on. | ||
|
||
## Resource provisioning - How it works | ||
2. The application is deployed using its manifest. However, the deployment does not yet succeed as it waits on the Azure service to be successfully created. The application references a secret that provides the information required to consume the Azure service, and the secret does not exist yet. | ||
|
||
![](/docs/images/ProvisionFlow.png) | ||
3. The Azure Service Operator continously watches the custom resource definitions (CRDs) corresponding to the Azure services and recognizes the request for a custom resource. | ||
|
||
1. The developer deploys an application that includes the manifest for installing a Azure service that the app depends on. | ||
4. The Azure Service Operator then updates the Kubernetes instance for the requested resource with the correct status and events. | ||
|
||
2. The application is deployed using its manifest, however the deployment does not succeed yet as it is waiting for the Azure Service that it depends on. The application references a secret that provides the information required to consume the Azure service, and the secret does not exist yet. | ||
5. The Azure Service Operator requests an authorizer from Azure Active Directory for the Azure resource management endpoint, as the identity it is running as and receives an authorizer token. | ||
|
||
3. The Azure Service Operator that watches the custom resource definitions (CRDs) corresponding to the Azure services recognizes the request for a custom resource. | ||
|
||
4. The Azure Service Operator updates the Kubernetes instance for the requested resource with the correct Status and events. | ||
|
||
5. The Azure Service Operator requests an authorizer from Azure Active Directory for the Azure resource management endpoint, as the identity it is running as. | ||
|
||
6. The Azure Service Operator then sends the provisioning request to Azure API, along with the authorizer in the request. | ||
6. The Azure Service Operator then sends the provisioning request to Azure API, along with the authorizer token in the request. | ||
|
||
7. Azure API provisions/deprovisions the resource and returns the Resource object to the Service Operator. | ||
|
||
8. The Azure Service Operator retrieves the information required to access/consume the Azure resource from the Resource objecrt and stores it in a Kubernetes secret or as a secret in a specified Azure KeyVault. | ||
8. The Azure Service Operator retrieves the information required to access/consume the Azure resource from the Resource object and stores it in a Kubernetes secret or as a secret in a pre-specified Azure KeyVault. | ||
|
||
|
||
9. The app is deployed successfully now that the Azure service it depends on is provisioned, and the secret it references exists. | ||
|
||
## Security considerations | ||
|
||
1. The Azure Service Operator requests the authorizer from AAD for every provision/deprovision request. There is no caching of security tokens. | ||
|
||
2. Running the Azure Service Operator under a Managed Identity is recommended for security reasons. There is support to use Service Principals if needed, but not recommended. | ||
2. Running the Azure Service Operator under a Managed Identity is recommended for security reasons. Azure Service Operator can also be run using service principals, but this is not recommended. | ||
|
||
3. It is recommended to use Azure KeyVault to store connection information, keys that are an output of the provisioning process. There is support to store as Kubernetes secrets but not recommended. | ||
3. It is recommended to use Azure KeyVault to store connection information, AKA keys that are an output of the provisioning process. These connection strings can be stored as Kubernetes secrets, but this is not recommended. | ||
|
||
4. There is no implicit deletion of resources. Resources will be deprovisioned/deleted only on an explicit delete operation. |
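Review bot: The new deploy-flow step 2 has a grammar slip ("The user then deploy cert-manager" should read "The user then deploys cert-manager"), and since the old step 6 stating that cert-manager must be installed before the Helm chart was dropped, step 2 should say explicitly that cert-manager is deployed before the operator's Helm chart so the ordering requirement is not lost. In the provisioning flow, step 1 needs "an Azure service" and step 3 needs "continuously". In Security considerations item 3, "AKA keys" is ambiguous (it can be read as "also known as" or as "access keys"); suggest "connection information, such as access keys, that is an output of the provisioning process". The Security considerations list itself reads well: it keeps the statements that tokens are requested per operation and not cached, that Managed Identity is preferred over service principals, and that Key Vault is preferred over Kubernetes secrets for provisioning outputs.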
Perhaps
I think both of these are correct