It is possible to deploy the solution:
- As a normal ARM template deployment
- As a catalog managed application
- As a marketplace managed application
Whilst the goal is to deploy as a marketplace application, it is usually more convenient to test using the other two approaches. Testing a marketplace application involves a publishing step which takes a few hours, even for preview. Reserve marketplace testing for a final step.
You will need your own copy of this repo to complete all the steps as you need to create GitHub action secrets for your deployment. I would recommend either forking or duplicating this repo now.
Before any deployment the following resources must exist in the publisher tenant:
- A Key vault (KV) resource
- A Container registry (ACR) resource
- Create a new resource group called managed-app-aks-publisher-source to host these resources
  - If you pick a different name, make sure you update it in the command below and the main Bicep template
- The following Azure CLI command will create the resources

      az deployment group create \
        --name 'prereqs' \
        --resource-group 'managed-app-aks-publisher-source' \
        --template-file './bicep/prereqs.bicep' \
        --parameters \
          kvname='[INSERT UNIQUE NAME FOR THE KEY VAULT]' \
          objectId='[INSERT THE OBJECT ID OF YOUR USER IDENTITY]'

- You can use az ad signed-in-user show --query id to get your objectId
- You will be prompted for the securestring values:
  - backgroundColor - set this to a valid HTML color name, e.g. 'MediumSeaGreen'
  - infoMessage - set this to any string, e.g. 'Hello!'
  - acrToken - set this to an empty string for now
- Update the Bicep template bicep/mainTemplate.bicep - change the default values of:
  - vaultName from 'kv-managedapps' to whatever you named your KV above
  - vaultResourceGroupName if you didn't use ManagedAppsSource
  - vaultSubscriptionId from '' to the subscription ID where the KV resides
- Save mainTemplate.bicep
- Pull the latest Inspector Gadget image

      docker pull jelledruyts/inspectorgadget

- Tag the image

      docker tag jelledruyts/inspectorgadget <acrname>.azurecr.io/inspectorgadget

- Authenticate with the container registry
  - You will need the username and password for the container registry
  - You will find these on the Access Keys blade of the portal
  - Enable Admin user to reveal the username & password

      docker login <acrname>.azurecr.io

- Push the image to your registry, e.g.

      docker push <acrname>.azurecr.io/inspectorgadget
- Capture the credentials
  - The login process creates / updates a config.json file with an auth token
  - View the config file

        cat ~/.docker/config.json

  - The output should look similar to this

        {
          "auths": {
            "<acrname>.azurecr.io": {
              "auth": "bWVvY...."
            }
          }
        }

  - Make sure you have an entry for the correct container registry (and no other entries)
  - base64 encode the contents of the file

        base64 ~/.docker/config.json

  - Carefully copy the output to be stored in the acr-token in the next step
    - You may find that the output includes CR/LF characters. This will break things
    - Delete any CR/LF characters before copying the base64 encoded string

This docker image will be pulled by the AKS cluster pods.
For more details see Pull an Image from a Private Registry in the Kubernetes documentation.
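
The checks in the capture step above (exactly one entry for the right registry, and an encoded value with no CR/LF) can be scripted before the value goes into the key vault. This is an added example, not code from this repo: the function names, the registry name exampleacr.azurecr.io and the credentials are constructed for illustration. It also checks that the entry carries an inline auth token, which goes slightly beyond the steps listed above.

```python
import base64
import json
import sys

def config_problems(raw: bytes, registry: str) -> list:
    """Return reasons this Docker config.json should not be stored as acr-token."""
    try:
        auths = json.loads(raw).get("auths", {})
    except (ValueError, AttributeError):
        return ["not a JSON object"]
    if not isinstance(auths, dict):
        return ["'auths' is not an object"]
    problems = [] if registry in auths else [f"no entry for {registry}"]
    extra = sorted(set(auths) - {registry})
    if extra:
        problems.append(f"unexpected registry entries: {', '.join(extra)}")
    entry = auths.get(registry)
    token = entry.get("auth", "") if isinstance(entry, dict) else ""
    try:
        # The auth token is itself base64 of "username:password".
        user, sep, password = base64.b64decode(token, validate=True).decode().partition(":")
    except (ValueError, TypeError):
        user = sep = password = ""
    if registry in auths and not (user and sep and password):
        # Seen when a Docker credential helper (credsStore) holds the password,
        # leaving the auths entry empty; such a file cannot authenticate a pull.
        problems.append("entry has no usable inline 'auth' token")
    return problems

def encode_docker_config(raw: bytes, registry: str) -> str:
    """Base64 the file contents as a single line (no CR/LF), refusing a bad config."""
    problems = config_problems(raw, registry)
    if problems:
        raise ValueError("; ".join(problems))
    return base64.b64encode(raw).decode("ascii")  # b64encode never inserts line breaks

# Constructed sample input: placeholder registry name and fake credentials.
SAMPLE_REGISTRY = "exampleacr.azurecr.io"
_FAKE_AUTH = base64.b64encode(b"exampleacr:not-a-real-password").decode()
SAMPLE_CONFIG = json.dumps({"auths": {SAMPLE_REGISTRY: {"auth": _FAKE_AUTH}}}).encode()

if __name__ == "__main__":
    # Usage: python check_acr_token.py ~/.docker/config.json <acrname>.azurecr.io
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as fh:
            print(encode_docker_config(fh.read(), sys.argv[2]))
    else:
        print(encode_docker_config(SAMPLE_CONFIG, SAMPLE_REGISTRY))
```

The printed value is a credential, exactly like the output of base64 ~/.docker/config.json, so treat the terminal scrollback and clipboard accordingly.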
- Create three secrets
  - acr-token - paste in the base64 secret you generated in the previous step
    - Set the Content type for the acr-token secret to base64
- On the Access control (IAM) blade
  - Add a role assignment
  - Assign the Contributor role to the Appliance Resource Provider user at the key vault scope

The acr-token is used to authenticate with ACR to pull the private image. info-message will be displayed on the inspector gadget site and the background will be set to background-color.
For more details see Access Key Vault secret when deploying Azure Managed Applications
Choose your path (ordered quickest / simplest first)