Authorize Access to Object Storage on Azure

This guide will walk you through configuring Rok to have access to object storage resources on Azure.

Procedure

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
  2. Configure S3Proxy to access the Azure Storage Account:

    root@rok-tools:~/ops/deployments# j2 \
    >     rok/rok-external-services/s3proxy/overlays/deploy/config.env.j2 \
    >     -o rok/rok-external-services/s3proxy/overlays/deploy/config.env
  3. Generate random credentials for Rok to access S3Proxy:

    root@rok-tools:~/ops/deployments# export S3PROXY_IDENTITY="$(openssl rand -hex 16)"
    root@rok-tools:~/ops/deployments# export S3PROXY_CREDENTIAL="$(openssl rand -hex 32)"
  4. Retrieve an access key of your storage account:

    root@rok-tools:~/ops/deployments# export JCLOUDS_CREDENTIAL=$(az \
    >     storage account keys list --resource-group ${AZ_RESOURCE_GROUP?} \
    >     --account-name ${STORAGE_ACCOUNT_NAME?} | jq -r '.[0].value')
  5. Provide the generated credentials to S3Proxy:

    root@rok-tools:~/ops/deployments# j2 \
    >     rok/rok-external-services/s3proxy/overlays/deploy/secrets/credentials.env.j2 \
    >     -o rok/rok-external-services/s3proxy/overlays/deploy/secrets/credentials.env
  6. Edit rok/rok-cluster/overlays/deploy/kustomization.yaml to set the parent of the deploy kustomization overlay to aks:

    bases:
    - ../aks
  7. Select the namespace in which to deploy Rok:

    root@rok-tools:~/ops/deployments# export ROK_CLUSTER_NAMESPACE=rok
  8. Select the name of the Rok cluster:

    root@rok-tools:~/ops/deployments# export ROK_CLUSTER_NAME=rok
  9. Select the bucket prefix Rok will use to store its snapshots in Azure Blob Storage:

    root@rok-tools:~/ops/deployments# S3_BUCKET_PREFIX="rok-${ROK_CLUSTER_NAMESPACE?}-${ROK_CLUSTER_NAME?}"
  10. Remove the Rok cluster namespace and name if they are both equal to rok:

    root@rok-tools:~/ops/deployments# export S3_BUCKET_PREFIX=${S3_BUCKET_PREFIX%-rok-rok}
  11. Obtain your bucket prefix and copy it to your clipboard, as you are going to use this value in the next step:

    root@rok-tools:~/ops/deployments# echo ${S3_BUCKET_PREFIX?}
    rok
  12. Edit rok/rok-cluster/overlays/deploy/patches/configvars.yaml to set the daemons.s3d.bucket_prefix Rok Cluster configuration variable to the bucket prefix you obtained in the previous step, and the daemons.s3d.aws.access_key_id and daemons.s3d.aws.secret_access_key configuration variables to the credentials you generated above:

    spec:
      configVars:
        daemons.s3d.bucket_prefix: "<S3_BUCKET_PREFIX>"  # <-- Update this line with your bucket prefix
        daemons.s3d.aws.access_key_id: "<S3PROXY_IDENTITY>"  # <-- Update this line with your S3Proxy Access Key ID
        daemons.s3d.aws.secret_access_key: "<S3PROXY_CREDENTIAL>"  # <-- Update this line with your S3Proxy Secret Access Key
  13. Track all changes in the git repository:

    root@rok-tools:~/ops/deployments# git add rok/rok-cluster rok/rok-external-services
  14. Commit the changes:

    root@rok-tools:~/ops/deployments# git commit -m "Configure Azure Blob Storage access for Rok"
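The steps above are meant to be typed interactively, so the two pieces of logic that are easy to get wrong (the bucket prefix derivation of steps 9-10, which only strips the `-rok-rok` suffix when namespace and name are both exactly `rok`, and the length of the credentials from step 3) are worth checking in isolation. The script below is an added example and is not part of the Rok documentation or the rok-tools environment; the function names (`derive_bucket_prefix`, `generate_s3proxy_identity`, `generate_s3proxy_credential`, `is_hex_of_length`, `render_configvars`) and the sample namespace/name values are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not part of the Rok docs): reproduce the bucket prefix and
# credential logic of the procedure so it can be checked without a cluster.

# derive_bucket_prefix NAMESPACE NAME
# Prints "rok-<namespace>-<name>", except when both are "rok": then the
# "-rok-rok" suffix is removed and the prefix is just "rok" (this is what
# ${S3_BUCKET_PREFIX%-rok-rok} in step 10 does).
derive_bucket_prefix() {
    ns="$1"
    name="$2"
    prefix="rok-${ns}-${name}"
    # ${var%-rok-rok} only removes an exact suffix, so a namespace of "rok"
    # with a name of "rok2" keeps the full "rok-rok-rok2" prefix.
    prefix="${prefix%-rok-rok}"
    printf '%s\n' "$prefix"
}

# Same openssl calls as step 3: 16 random bytes -> 32 hex characters for the
# identity, 32 random bytes -> 64 hex characters for the credential.
generate_s3proxy_identity() {
    openssl rand -hex 16
}

generate_s3proxy_credential() {
    openssl rand -hex 32
}

# is_hex_of_length VALUE LEN
# Returns 0 when VALUE consists of exactly LEN lowercase hex characters, so a
# truncated or empty credential is caught before it is committed to GitOps.
is_hex_of_length() {
    value="$1"
    len="$2"
    [ "${#value}" -eq "$len" ] || return 1
    case "$value" in
        *[!0-9a-f]*) return 1 ;;
    esac
    return 0
}

# render_configvars PREFIX IDENTITY CREDENTIAL
# Emits the configvars.yaml patch of step 12 with the placeholders filled in.
render_configvars() {
    cat <<EOF
spec:
  configVars:
    daemons.s3d.bucket_prefix: "$1"
    daemons.s3d.aws.access_key_id: "$2"
    daemons.s3d.aws.secret_access_key: "$3"
EOF
}

# Usage (constructed sample values; requires openssl for the credentials):
#   prefix="$(derive_bucket_prefix rok rok)"          # -> rok
#   id="$(generate_s3proxy_identity)"
#   cred="$(generate_s3proxy_credential)"
#   is_hex_of_length "$id" 32 && is_hex_of_length "$cred" 64 \
#       && render_configvars "$prefix" "$id" "$cred"
```

Run the rendered output through `diff` against the committed `configvars.yaml` before `git commit` if you want to confirm that the three values landed on the right keys.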

Verify

  1. Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments
  2. Configure the rok-verify-storage-access-aks Pod to access your Azure storage account:

    root@rok-tools:~/ops/deployments# j2 \
    >     rok/rok-test/rok-verify-storage-access-aks/credentials.env.j2 \
    >     -o rok/rok-test/rok-verify-storage-access-aks/credentials.env
  3. Track the rendered manifest:

    root@rok-tools:~/ops/deployments# git add rok/rok-test/rok-verify-storage-access-aks/credentials.env
  4. Commit the changes:

    root@rok-tools:~/ops/deployments# git commit -m "Configure Pod to verify storage access"
  5. Deploy the rendered rok-verify-storage-access-aks manifest to your AKS cluster:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/rok-test/rok-verify-storage-access-aks
  6. Wait for the status of the rok-verify-storage-access Pod to become Running:

    root@rok-tools:~/ops/deployments# kubectl get pods rok-verify-storage-access
    NAME                        READY   STATUS    RESTARTS   AGE
    rok-verify-storage-access   1/1     Running   0          20s
  7. Enter the Pod:

    root@rok-tools:~/ops/deployments# kubectl exec rok-verify-storage-access -it -- /bin/bash
  8. List the blobs in a non-existent container in the storage account:

    root@rok-verify-storage-access:~# az storage blob list \
    >     --account-name ${STORAGE_ACCOUNT_NAME?} \
    >     --container-name ${BUCKET_PREFIX?}-chocks-ca \
    >     --account-key ${ACCOUNT_KEY?}
    The specified container does not exist.
    RequestId:8ec2d64b-e01e-002d-6aa1-8af874000000
    Time:2021-08-06T09:02:35.4218807Z
    ErrorCode:ContainerNotFound
    Error:None
  9. Ensure that the above command failed with a ContainerNotFound error. This means that you have successfully authorized a request using your Azure storage account key.

  10. Return to your management environment:

    root@rok-verify-storage-access:~# exit
  11. Delete the rok-verify-storage-access Pod:

    root@rok-tools:~/ops/deployments# rok-deploy --delete rok/rok-test/rok-verify-storage-access-aks
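Step 9 above hinges on reading the error code correctly: `ContainerNotFound` means the storage account key was accepted and the request was rejected only because the container is missing, whereas an authentication or authorization error means the key or account name is wrong, and any other output deserves a manual look. The script below is an added example and is not part of the Rok documentation or the rok-verify-storage-access Pod; the function names (`classify_storage_check`, `verify_storage_access`) are assumptions, the `ContainerNotFound` sample is built from the documented output with placeholder RequestId/Time values, and the wrong-key sample uses the standard Azure Storage `AuthenticationFailed` error code with a constructed message.

```shell
#!/bin/sh
# Added example (not part of the Rok docs): classify the output of the
# `az storage blob list` check so the verification step is unambiguous.

# classify_storage_check
# Reads the combined stdout/stderr of the az command on stdin and prints:
#   authorized   - ErrorCode:ContainerNotFound (key accepted, container absent)
#                  or a JSON listing (container exists and key accepted)
#   auth-failed  - ErrorCode:AuthenticationFailed / AuthorizationFailure
#   unknown      - anything else; treat as a failure and inspect by hand
# Returns 0 only for "authorized".
classify_storage_check() {
    output="$(cat)"
    case "$output" in
        *ErrorCode:ContainerNotFound*)
            echo authorized; return 0 ;;
        "["*)
            echo authorized; return 0 ;;
        *ErrorCode:AuthenticationFailed*|*ErrorCode:AuthorizationFailure*)
            echo auth-failed; return 1 ;;
        *)
            echo unknown; return 1 ;;
    esac
}

# verify_storage_access ACCOUNT_NAME BUCKET_PREFIX ACCOUNT_KEY
# Runs the same request as step 8 (a container name chosen not to exist) and
# classifies it. Needs the az CLI, so it is not exercised offline.
verify_storage_access() {
    az storage blob list \
        --account-name "$1" \
        --container-name "$2-chocks-ca" \
        --account-key "$3" 2>&1 | classify_storage_check
}

# Constructed sample of the expected output (RequestId/Time are placeholders).
SAMPLE_NOT_FOUND='The specified container does not exist.
RequestId:00000000-0000-0000-0000-000000000000
Time:2021-01-01T00:00:00.0000000Z
ErrorCode:ContainerNotFound
Error:None'

# Constructed sample of what a wrong account key produces; the error code is
# the standard Azure Storage one, the message text is an assumption.
SAMPLE_BAD_KEY='Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
RequestId:00000000-0000-0000-0000-000000000000
Time:2021-01-01T00:00:00.0000000Z
ErrorCode:AuthenticationFailed'

# Usage inside the Pod:
#   verify_storage_access "$STORAGE_ACCOUNT_NAME" "$BUCKET_PREFIX" "$ACCOUNT_KEY"
# Offline, against the constructed samples:
#   printf '%s\n' "$SAMPLE_NOT_FOUND" | classify_storage_check   # authorized
#   printf '%s\n' "$SAMPLE_BAD_KEY"   | classify_storage_check   # auth-failed
```

Because `verify_storage_access` returns 0 only on the `authorized` outcome, it can be used directly as the exit status of a CI job that gates the later Rok deployment steps.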

Summary

You have successfully provided Rok with access to the object storage service of your cloud provider.

What’s Next

The next step is to grant Rok access to Arrikto’s private container registry, so that it can pull images from it.