Create Azure Resources for Tanzu Application Platform

To install Tanzu Application Platform (commonly known as TAP) within the Azure ecosystem, you must create several Azure resources. Use this topic to learn how to create:

  • An Azure Kubernetes Service (AKS) cluster on which to install Tanzu Application Platform.
  • An Azure Container Registry (ACR) to hold the Tanzu Application Platform container images.

Creating these resources enables Tanzu Application Platform to authenticate with an Azure managed identity bound to a Kubernetes service account, rather than with the usual strategy of storing a username and password in a Kubernetes secret.

This is important when using ACR because authenticating to ACR is a two-step process:

  1. Retrieve a token using your Azure credentials, for example with az acr login.
  2. Use the token to authenticate to the registry.

To limit the damage a leaked token can do, the token is short-lived and expires after a few hours. This makes storing it in a Kubernetes secret impractical, because the secret must be refreshed before every expiry.

Binding a managed identity to the service account removes the need to retrieve and store the token by hand: credential helpers inside the services obtain a fresh token whenever one is needed.
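The following added example (it is not part of the original topic) shows why a short-lived ACR token is awkward to persist: it decodes the exp claim of the JWT that az acr login --expose-token returns and reports how many seconds remain. The az command appears in a comment only; the sample token is constructed locally and unsigned, and the helper names jwt_exp, jwt_ttl_seconds and make_sample_token are this example's own.

```sh
#!/bin/sh
# Added example, not code from the Tanzu documentation: inspect the remaining
# lifetime of an ACR access token before deciding whether to persist it.
# An ACR access token is a JWT whose "exp" claim is the expiry in Unix seconds.
# Only the decoding helpers run offline; the az call is shown in a comment.

# Decode the payload segment of a JWT and print its "exp" claim.
# Prints nothing if the payload cannot be decoded or has no exp claim.
jwt_exp() {
  payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  # base64url drops the padding; restore it so base64 -d accepts the input
  case $(( ${#payload} % 4 )) in
    2) payload="${payload}==" ;;
    3) payload="${payload}=" ;;
  esac
  printf '%s' "$payload" | base64 -d 2>/dev/null \
    | sed -n 's/.*"exp":[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Seconds until the token expires (negative once it has already expired).
jwt_ttl_seconds() {
  exp=$(jwt_exp "$1")
  [ -n "$exp" ] || { echo "no exp claim in token" >&2; return 1; }
  echo $(( exp - $(date +%s) ))
}

# Build a CONSTRUCTED, unsigned sample token with the given exp so the helpers
# can be exercised offline. It is not a real ACR token and carries no signature.
make_sample_token() {
  hdr=$(printf '%s' '{"alg":"none","typ":"JWT"}' | base64 | tr -d '=\n' | tr '+/' '-_')
  pl=$(printf '%s' "{\"exp\":$1,\"aud\":\"sample.azurecr.io\"}" | base64 | tr -d '=\n' | tr '+/' '-_')
  printf '%s.%s.' "$hdr" "$pl"
}

# Real usage (needs the az CLI and network access; not executed here):
#   token=$(az acr login -n "$REGISTRY_NAME" --expose-token --query accessToken -o tsv)
#   jwt_ttl_seconds "$token"

sample=$(make_sample_token "$(( $(date +%s) + 3600 ))")
echo "sample token expires in $(jwt_ttl_seconds "$sample") seconds"
```

If the value printed is small or negative, the token is not worth writing into a secret at all; a credential helper backed by a managed identity fetches a new one on demand instead.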

Prerequisites

Before installing Tanzu Application Platform on Azure, you need:

Create Azure Resource Group

  1. Log in to Azure.

    az login
    az account set --subscription SUBSCRIPTION-NAME
    
  2. Create a resource group with the az group create command.

    az group create --name myTAPResourceGroup --location eastus
    

Create an AKS cluster

To create an AKS cluster, run the az aks create command. The --enable-addons monitoring and --enable-msi-auth-for-monitoring parameters enable Azure Monitor Container insights with managed identity authentication (preview).

The following example creates a cluster named tap-on-azure with six Standard_D4ds_v4 nodes and enables a system-assigned managed identity:

az aks create -g myTAPResourceGroup -n tap-on-azure --enable-managed-identity --node-count 6 --enable-addons monitoring --enable-msi-auth-for-monitoring --generate-ssh-keys --node-vm-size Standard_D4ds_v4 --kubernetes-version K8S-VERSION

Where K8S-VERSION is a compatible Kubernetes version. To list the versions available in your region, run az aks get-versions with the --location parameter.

Note

You might need to increase quota for Standard DDSv4 Family vCPUs. For more information, see the Azure documentation.

After a few minutes, the command completes and returns JSON-formatted information about the cluster.

When you create an AKS cluster, a second resource group is automatically created to store the AKS resources. For more information, see Why are two resource groups created with AKS?

Connect to the AKS cluster

To manage a Kubernetes cluster, use the Kubernetes command-line client, kubectl. kubectl is already installed if you use Azure Cloud Shell.

  1. Install kubectl locally by using the az aks install-cli command:

    az aks install-cli
    
  2. Configure kubectl to connect to your Kubernetes cluster by using the az aks get-credentials command, which:

    • Downloads credentials and configures the Kubernetes CLI to use them.
    • Uses ~/.kube/config, the default location for the Kubernetes configuration file. You can specify a different location by using the --file argument.

    az aks get-credentials --resource-group myTAPResourceGroup --name tap-on-azure
    

Create the container repositories

  1. Set an environment variable for your registry by running:

    export REGISTRY_NAME=YOUR-REGISTRY-NAME
    

    Where YOUR-REGISTRY-NAME is the name that you want for your container image registry. Use lowercase.

  2. Create the Azure Container Registry by running:

    az acr create -n $REGISTRY_NAME -g myTAPResourceGroup --sku Standard
    
    Note

    Azure Container Registry (ACR) does not require that the container repositories are already created. Repositories are created automatically when images are uploaded.

Enable registry admin account

To push to and pull from your registry with a username and password, you must enable the admin user account, which is created with each registry. The admin account is a single shared credential with push and pull rights to every repository in the registry, and Azure recommends it for testing rather than production use; for production, prefer a managed identity or a service principal assigned the AcrPush or AcrPull role. Run the following command to enable the admin user account:

az acr update -n $REGISTRY_NAME --admin-enabled true

There are two passwords created for each admin user account per registry. To retrieve the passwords, run the following for each registry:

az acr credential show --name $REGISTRY_NAME --resource-group myTAPResourceGroup

Expect to see output like the following, where the username is the registry name:

{
  "passwords": [
    {
      "name": "password",
      "value": "YOUR-PASSWORD"
    },
    {
      "name": "password2",
      "value": "YOUR-PASSWORD-2"
    }
  ],
  "username": "YOUR-REGISTRY-NAME"
}

Export the username (the registry name) and one of the passwords by running:

export KP_REGISTRY_USERNAME=$REGISTRY_NAME
export KP_REGISTRY_PASSWORD=YOUR-PASSWORD
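As an added example (not code from the Tanzu documentation), the script below performs the same export without pasting a password into the shell: it validates the registry name against ACR's naming rules, reads a named admin password into a variable with an az --query expression, and shows how to rotate one of the two passwords with az acr credential renew while clients keep using the other. The function names, the RESOURCE_GROUP default and the reliance on a logged-in az CLI are this example's assumptions; only the offline helpers run without Azure access.

```sh
#!/bin/sh
# Added example, not code from the Tanzu documentation: handle the ACR admin
# credential without exposing it in shell history, and rotate it safely.
# Assumes the az CLI is logged in and REGISTRY_NAME is set for the functions
# that call az; the validation helpers work offline.

: "${RESOURCE_GROUP:=myTAPResourceGroup}"   # assumed default, matches this topic

# ACR registry names are 5-50 alphanumeric characters; this topic also asks
# for lowercase, which keeps the name identical to the login server.
acr_name_valid() {
  case "$1" in
    *[!a-z0-9]*) return 1 ;;
  esac
  [ "${#1}" -ge 5 ] && [ "${#1}" -le 50 ]
}

# Login server for a registry name (the host that docker and kp push to).
acr_login_server() { printf '%s.azurecr.io\n' "$1"; }

# Fetch one admin password by name (password or password2) straight into a
# variable via --query, so it never appears on screen or in history.
acr_admin_password() {  # usage: acr_admin_password REGISTRY [password|password2]
  az acr credential show -n "$1" -g "$RESOURCE_GROUP" \
    --query "passwords[?name=='${2:-password}'].value | [0]" -o tsv
}

# Rotate: regenerate one password while clients keep using the other, then
# move clients over. Two passwords exist precisely to allow this overlap.
acr_rotate_password() {  # usage: acr_rotate_password REGISTRY password2
  az acr credential renew -n "$1" -g "$RESOURCE_GROUP" --password-name "$2" \
    --query "passwords[?name=='$2'].value | [0]" -o tsv
}

main() {
  acr_name_valid "$REGISTRY_NAME" || { echo "invalid registry name: $REGISTRY_NAME" >&2; exit 1; }
  KP_REGISTRY_USERNAME=$REGISTRY_NAME           # the admin username is the registry name
  KP_REGISTRY_PASSWORD=$(acr_admin_password "$REGISTRY_NAME" password)
  export KP_REGISTRY_USERNAME KP_REGISTRY_PASSWORD
  echo "credentials loaded for $(acr_login_server "$REGISTRY_NAME")"
}

# Runs against a real registry only when REGISTRY_NAME is set.
if [ -n "${REGISTRY_NAME:-}" ]; then main; fi
```

To rotate, call acr_rotate_password with the password name that is not currently in use, update the consumers to the returned value, then rotate the other one on the next cycle; at no point do both passwords change at once.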

Next steps
