This config uses the `main` branch, but your repo may be older and need to specify `master` instead.
Note that unlike `git`, Flux does not support the
["shorter" scp-like syntax for the SSH protocol](https://git-scm.com/book/en/v2/Git-on-the-Server-The-Protocols#_the_ssh_protocol)
(e.g. `ssh.dev.azure.com:v3`).
Use the [RFC 3986 compatible syntax](https://tools.ietf.org/html/rfc3986#section-3) instead: `ssh.dev.azure.com/v3`.
The `flux create source git` command will prompt you to add a deploy key to your repository, but Azure DevOps
[does not support repository or org-specific deploy keys](https://developercommunity.visualstudio.com/t/allow-the-creation-of-ssh-deploy-keys-for-vsts-hos/365747).
You may add the deploy key to a user's personal SSH keys being mindful that removing them from the repo may revoke Flux's access.
As an alternative, create a machine-user whose sole purpose is to store credentials for automation.
Using a machine-user also has the benefit of being able to be read-only or restricted to specific repositories if that is needed.
If you wish to use Git over HTTPS, then generate a personal access token and supply it as the password:
@ -6,9 +6,10 @@ It's important to follow some guidelines when installing Flux on AKS.
### CNI and Network Policy
### CNI and Network Policy
Previously, there has been an issue with Flux and Network Policy on AKS. ([Upstream Azure Issue](https://github.com/Azure/AKS/issues/2031)) ([Flux Issue](https://github.com/fluxcd/flux2/issues/703))
Previously, there has been an issue with Flux and Network Policy on AKS.
If you ensure your AKS cluster is upgraded, and your Nodes have been restarted with the most recent Node images, this could
resolve flux reconciliation failures where source-controller is unreachable.
If you ensure your AKS cluster is upgraded, and your Nodes have been restarted with the most recent Node images,
this could resolve flux reconciliation failures where source-controller is unreachable.
Using `--network-plugin=azure --network-policy=calico` has been tested to work properly.
Using `--network-plugin=azure --network-policy=calico` has been tested to work properly.
This issue only affects you if you are using `--network-policy` on AKS, which is not a default option.
This issue only affects you if you are using `--network-policy` on AKS, which is not a default option.
@ -21,24 +22,23 @@ Depending on the features you are interested in using with Flux, you may want to
With [AAD Pod-Identity](https://azure.github.io/aad-pod-identity/docs/), we can create Pods that have their own
With [AAD Pod-Identity](https://azure.github.io/aad-pod-identity/docs/), we can create Pods that have their own
cloud credentials for accessing Azure services like Azure Container Registry(ACR) and Azure Key Vault(AKV).
cloud credentials for accessing Azure services like Azure Container Registry(ACR) and Azure Key Vault(AKV).
If you do not use AAD Pod-Identity, you'll need to manage and store Service Principal credentials in K8s Secrets, to integrate Flux
If you do not use AAD Pod-Identity, you'll need to manage and store Service Principal credentials
with other Azure Services.
in K8s Secrets, to integrate Flux with other Azure Services.
As a pre-requisite, your cluster must have `--enable-managed-identity` configured.
As a pre-requisite, your cluster must have `--enable-managed-identity` configured.
This software can be [installed via Helm](https://azure.github.io/aad-pod-identity/docs/getting-started/installation/) (unmanaged by Azure).
This software can be [installed via Helm](https://azure.github.io/aad-pod-identity/docs/getting-started/installation/)
Use Flux's `HelmRepository` and `HelmRelease` object to manage the aad-pod-identity installation from a bootstrap repository and keep it up to date.
(unmanaged by Azure).
Use Flux's `HelmRepository` and `HelmRelease` object to manage the aad-pod-identity installation
from a bootstrap repository and keep it up to date.
!!! note
!!! note
As an alternative to Helm, the `--enable-aad-pod-identity` flag for the `az aks create` is currently in Preview.
As an alternative to Helm, the `--enable-aad-pod-identity` flag for the `az aks create` is currently in Preview.
Follow the Azure guide for [Creating an AKS cluster with AAD Pod Identity](https://docs.microsoft.com/en-us/azure/aks/use-azure-ad-pod-identity) if you would like to enable this feature with the Azure CLI.
Follow the Azure guide for [Creating an AKS cluster with AAD Pod Identity](https://docs.microsoft.com/en-us/azure/aks/use-azure-ad-pod-identity)
if you would like to enable this feature with the Azure CLI.
### Cluster Creation
### Cluster Creation
!!! info
When working with the Azure CLI, it can help to set a default `location`, `group`, and `acr`.
See `az configure --help`, `az configure --list-defaults`, and `az configure --defaults key=value`
The following creates an AKS cluster with some minimal configuration that will work well with Flux:
The following creates an AKS cluster with some minimal configuration that will work well with Flux:
```sh
```sh
@ -50,10 +50,14 @@ az aks create \
--name="my-cluster"
--name="my-cluster"
```
```
!!! info
When working with the Azure CLI, it can help to set a default `location`, `group`, and `acr`.
See `az configure --help`, `az configure --list-defaults`, and `az configure --defaults key=value`.
## Flux Installation with Azure DevOps Repos
## Flux Installation with Azure DevOps Repos
Ensure you can login to [dev.azure.com](https://dev.azure.com) for your proper organization,
Ensure you can login to [dev.azure.com](https://dev.azure.com) for your proper organization,
and create a new repo to hold your Flux install and other necessary config.
and create a new repository to hold your Flux install and other Kubernetes resources.
Clone the Git repository locally:
Clone the Git repository locally:
@ -98,28 +102,27 @@ Create a `GitRepository` object on your cluster by specifying the SSH address of
This config uses the `main` branch, but your repo may be older and need to specify `master` instead.
The above command will prompt you to add a deploy key to your repository, but Azure DevOps
Note that unlike `git`, Flux does not support the
["shorter" scp-like syntax for the SSH protocol](https://git-scm.com/book/en/v2/Git-on-the-Server-The-Protocols#_the_ssh_protocol)
(e.g. `ssh.dev.azure.com:v3`).
Use the [RFC 3986 compatible syntax](https://tools.ietf.org/html/rfc3986#section-3) instead: `ssh.dev.azure.com/v3`.
You will be prompted to add a deploy key to your repository.
If you don't specify the SSH algorithm, then `flux` will generate an RSA 2048 bits key.
The `flux create source git` command will prompt you to add a deploy key to your repository, but Azure DevOps
[does not support repository or org-specific deploy keys](https://developercommunity.visualstudio.com/t/allow-the-creation-of-ssh-deploy-keys-for-vsts-hos/365747).
[does not support repository or org-specific deploy keys](https://developercommunity.visualstudio.com/t/allow-the-creation-of-ssh-deploy-keys-for-vsts-hos/365747).
You may add the deploy key to a user's personal SSH keys being mindful that removing them from the repo may revoke Flux's access.
You may add the deploy key to a user's personal SSH keys, but take note that
As an alternative, create a machine-user whose sole purpose is to store credentials for automation.
revoking the user's access to the repository will also revoke Flux's access.
Using a machine-user also has the benefit of being able to be read-only or restricted to specific repositories if that is needed.
The better alternative is to create a machine-user whose sole purpose is
to store credentials for automation.
Using a machine-user also has the benefit of being able to be read-only or
restricted to specific repositories if this is needed.
!!! note
Unlike `git`, Flux does not support the
["shorter" scp-like syntax for the SSH protocol](https://git-scm.com/book/en/v2/Git-on-the-Server-The-Protocols#_the_ssh_protocol)
(e.g. `ssh.dev.azure.com:v3`).
Use the [RFC 3986 compatible syntax](https://tools.ietf.org/html/rfc3986#section-3) instead: `ssh.dev.azure.com/v3`.
If you wish to use Git over HTTPS, then generate a personal access token and supply it as the password:
If you wish to use Git over HTTPS, then generate a personal access token and supply it as the password:
@ -127,7 +130,7 @@ If you wish to use Git over HTTPS, then generate a personal access token and sup
using ACR as an experimental [Helm OCI Registry](https://helm.sh/docs/topics/registries/).
suggests using ACR as an experimental [Helm OCI Registry](https://helm.sh/docs/topics/registries/).
This will not work with Flux, because using Charts from OCI Registries is not yet supported.
This will not work with Flux, because using Charts from OCI Registries is not yet supported.
## Secrets Management with SOPS and Azure Key Vault
## Secrets Management with SOPS and Azure Key Vault
@ -214,5 +222,6 @@ flux install \
Follow the [Image Update Automation Guide](../guides/image-update.md) and see the
Follow the [Image Update Automation Guide](../guides/image-update.md) and see the
[ACR specific section](../guides/image-update.md#azure-container-registry) for more details.
[ACR specific section](../guides/image-update.md#azure-container-registry) for more details.
Your AKS cluster's configuration can also be updated to [allow the kubelets to pull images from ACR](https://docs.microsoft.com/en-us/azure/aks/cluster-container-registry-integration)
Your AKS cluster's configuration can also be updated to
[allow the kubelets to pull images from ACR](https://docs.microsoft.com/en-us/azure/aks/cluster-container-registry-integration)
without ImagePullSecrets as an optional, complimentary step.
without ImagePullSecrets as an optional, complimentary step.