Azure Quickstart

Connect Crossplane to Microsoft Azure to create and manage cloud resources from Kubernetes with the Azure Official Provider.

This guide walks you through the steps required to get started with the Azure Official Provider. This includes installing Upbound Universal Crossplane, configuring the provider to authenticate to Azure and creating a Managed Resource in Azure directly from your Kubernetes cluster.

Prerequisites

This quickstart requires:

  • a Kubernetes cluster with at least 3 GB of RAM
  • permissions to create pods and secrets in the Kubernetes cluster
  • an Azure account with permissions to create an Azure service principal and an Azure Resource Group
If you don’t have a Kubernetes cluster create one locally with minikube or kind.

Guided tour

All commands use the current kubeconfig context and configuration.

Install the Up command-line

The Up command-line helps manage Upbound Universal Crossplane, Upbound’s enterprise Crossplane distribution and manage Upbound user accounts.

Download and install the Upbound up command-line.

1
2
curl -sL "https://cli.upbound.io" | sh
sudo mv up /usr/local/bin/

Install Upbound Universal Crossplane

Upbound Universal Crossplane (UXP) consists of upstream Crossplane and Upbound-specific enhancements and patches. It’s open source and maintained by Upbound.

Install UXP with the Up command-line up uxp install command.

1
2
up uxp install
UXP 1.9.1-up.2 installed

Verify all UXP pods are Running with kubectl get pods -n upbound-system. This may take up to five minutes depending on your Kubernetes cluster.

1
2
3
4
5
6
kubectl get pods -n upbound-system
NAME                                        READY   STATUS    RESTARTS      AGE
crossplane-7fdfbd897c-pmrml                 1/1     Running   0             68m
crossplane-rbac-manager-7d6867bc4d-v7wpb    1/1     Running   0             68m
upbound-bootstrapper-5f47977d54-t8kvk       1/1     Running   0             68m
xgql-7c4b74c458-5bf2q                       1/1     Running   3 (67m ago)   68m
RESTARTS for the xgql pod are normal during initial installation.

For more details about UXP pods, read the UXP section.

Installing UXP and Crossplane creates new Kubernetes API end-points. Take a look at the new API end-points with kubectl api-resources | grep crossplane. In a later step you use the Provider resource install the Official Provider.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
kubectl api-resources  | grep crossplane
compositeresourcedefinitions      xrd,xrds     apiextensions.crossplane.io/v1         false        CompositeResourceDefinition
compositionrevisions                           apiextensions.crossplane.io/v1alpha1   false        CompositionRevision
compositions                                   apiextensions.crossplane.io/v1         false        Composition
configurationrevisions                         pkg.crossplane.io/v1                   false        ConfigurationRevision
configurations                                 pkg.crossplane.io/v1                   false        Configuration
controllerconfigs                              pkg.crossplane.io/v1alpha1             false        ControllerConfig
locks                                          pkg.crossplane.io/v1beta1              false        Lock
providerrevisions                              pkg.crossplane.io/v1                   false        ProviderRevision
providers                                      pkg.crossplane.io/v1                   false        Provider
storeconfigs                                   secrets.crossplane.io/v1alpha1         false        StoreConfig

Install the official Azure provider

Install the official provider into the Kubernetes cluster with the up command-line or a Kubernetes configuration file.

1
2
3
up controlplane \
provider install \
xpkg.upbound.io/upbound/provider-azure:v0.16.0
1
2
3
4
5
6
7
8
cat <<EOF | kubectl apply -f -
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: upbound-provider-azure
spec:
  package: xpkg.upbound.io/upbound/provider-azure:v0.16.0
EOF

The kind: Provider uses the Crossplane Provider Custom Resource Definition to connect your Kubernetes cluster to your cloud provider.

Verify the provider installed with kubectl get providers.

It may take up to five minutes for the provider to list HEALTHY as True.
1
2
3
kubectl get providers 
NAME                     INSTALLED   HEALTHY   PACKAGE                                          AGE
upbound-provider-azure   True        True      xpkg.upbound.io/upbound/provider-azure:v0.16.0   3m3s

A provider installs their own Kubernetes Custom Resource Definitions (CRDs). These CRDs allow you to create Azure resources directly inside Kubernetes.

You can view the new CRDs with kubectl get crds. Every CRD maps to a unique Azure service Crossplane can provision and manage.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
kubectl get crds
NAME                                                                            CREATED AT
accesspolicies.keyvault.azure.upbound.io                                        2022-10-12T01:06:59Z
accountnetworkrules.storage.azure.upbound.io                                    2022-10-12T01:07:02Z
accounts.cosmosdb.azure.upbound.io                                              2022-10-12T01:06:58Z
accounts.datashare.azure.upbound.io                                             2022-10-12T01:06:58Z
accounts.netapp.azure.upbound.io                                                2022-10-12T01:07:00Z
accounts.storage.azure.upbound.io                                               2022-10-12T01:07:02Z
activedirectoryadministrators.dbforpostgresql.azure.upbound.io                  2022-10-12T01:06:59Z
advancedthreatprotections.security.azure.upbound.io                             2022-10-12T01:07:02Z
agentpools.containerregistry.azure.upbound.io                                   2022-10-12T01:06:58Z
applicationgateways.network.azure.upbound.io                                    2022-10-12T01:07:00Z
applicationinsights.insights.azure.upbound.io                                   2022-10-12T01:07:00Z
applicationsecuritygroups.network.azure.upbound.io                              2022-10-12T01:07:00Z
assets.media.azure.upbound.io                                                   2022-10-12T01:07:00Z
authorizationrules.eventhub.azure.upbound.io                                    2022-10-12T01:06:59Z
availabilitysets.compute.azure.upbound.io                                       2022-10-12T01:06:58Z
backuppolicyblobstorages.dataprotection.azure.upbound.io                        2022-10-12T01:06:58Z
backupvaults.dataprotection.azure.upbound.io                                    2022-10-12T01:06:59Z
blobinventorypolicies.storage.azure.upbound.io                                  2022-10-12T01:07:02Z
blobs.storage.azure.upbound.io                                                  2022-10-12T01:07:02Z
cassandraclusters.cosmosdb.azure.upbound.io                                     2022-10-12T01:06:58Z
cassandradatacenters.cosmosdb.azure.upbound.io                                  2022-10-12T01:06:58Z
cassandrakeyspaces.cosmosdb.azure.upbound.io                                    2022-10-12T01:06:58Z
cassandratables.cosmosdb.azure.upbound.io                                       2022-10-12T01:06:58Z
certificateissuers.keyvault.azure.upbound.io                                    2022-10-12T01:06:59Z
certificates.keyvault.azure.upbound.io                                          2022-10-12T01:07:00Z
clusters.kusto.azure.upbound.io                                                 2022-10-12T01:07:00Z
clusters.streamanalytics.azure.upbound.io                                       2022-10-12T01:07:02Z
compositeresourcedefinitions.apiextensions.crossplane.io                        2022-10-12T01:05:33Z
compositionrevisions.apiextensions.crossplane.io                                2022-10-12T01:05:33Z
compositions.apiextensions.crossplane.io                                        2022-10-12T01:05:33Z
configurationrevisions.pkg.crossplane.io                                        2022-10-12T01:05:33Z
configurations.dbformariadb.azure.upbound.io                                    2022-10-12T01:06:59Z
configurations.dbformysql.azure.upbound.io                                      2022-10-12T01:06:59Z
configurations.dbforpostgresql.azure.upbound.io                                 2022-10-12T01:06:59Z
configurations.pkg.crossplane.io                                                2022-10-12T01:05:33Z
connectionmonitors.network.azure.upbound.io                                     2022-10-12T01:07:00Z
consumergroups.eventhub.azure.upbound.io                                        2022-10-12T01:06:59Z
containerconnectedregistries.containerregistry.azure.upbound.io                 2022-10-12T01:06:58Z
containers.storage.azure.upbound.io                                             2022-10-12T01:07:02Z
controllerconfigs.pkg.crossplane.io                                             2022-10-12T01:05:33Z
databases.dbformariadb.azure.upbound.io                                         2022-10-12T01:06:59Z
databases.dbforpostgresql.azure.upbound.io                                      2022-10-12T01:06:59Z
databases.kusto.azure.upbound.io                                                2022-10-12T01:07:00Z
datalakegen2filesystems.storage.azure.upbound.io                                2022-10-12T01:07:02Z
datasetblobstorages.datashare.azure.upbound.io                                  2022-10-12T01:06:58Z
datasetdatalakegen2s.datashare.azure.upbound.io                                 2022-10-12T01:06:58Z
datasetkustoclusters.datashare.azure.upbound.io                                 2022-10-12T01:06:58Z
datasetkustodatabases.datashare.azure.upbound.io                                2022-10-12T01:06:59Z
datashares.datashare.azure.upbound.io                                           2022-10-12T01:06:59Z
ddosprotectionplans.network.azure.upbound.io                                    2022-10-12T01:07:00Z
dedicatedhosts.compute.azure.upbound.io                                         2022-10-12T01:06:58Z
diskaccesses.compute.azure.upbound.io                                           2022-10-12T01:06:58Z
diskencryptionsets.compute.azure.upbound.io                                     2022-10-12T01:06:58Z
dnsaaaarecords.network.azure.upbound.io                                         2022-10-12T01:07:00Z
dnsarecords.network.azure.upbound.io                                            2022-10-12T01:07:00Z
dnscaarecords.network.azure.upbound.io                                          2022-10-12T01:07:00Z
dnscnamerecords.network.azure.upbound.io                                        2022-10-12T01:07:00Z
dnsmxrecords.network.azure.upbound.io                                           2022-10-12T01:07:00Z
dnsnsrecords.network.azure.upbound.io                                           2022-10-12T01:07:00Z
dnsptrrecords.network.azure.upbound.io                                          2022-10-12T01:07:00Z
dnssrvrecords.network.azure.upbound.io                                          2022-10-12T01:07:00Z
dnstxtrecords.network.azure.upbound.io                                          2022-10-12T01:07:00Z
dnszones.network.azure.upbound.io                                               2022-10-12T01:07:00Z
encryptionscopes.storage.azure.upbound.io                                       2022-10-12T01:07:02Z
eventhubnamespaces.eventhub.azure.upbound.io                                    2022-10-12T01:06:59Z
eventhubs.eventhub.azure.upbound.io                                             2022-10-12T01:06:59Z
expressroutecircuitauthorizations.network.azure.upbound.io                      2022-10-12T01:07:00Z
expressroutecircuitconnections.network.azure.upbound.io                         2022-10-12T01:07:00Z
expressroutecircuitpeerings.network.azure.upbound.io                            2022-10-12T01:07:00Z
expressroutecircuits.network.azure.upbound.io                                   2022-10-12T01:07:00Z
expressrouteconnections.network.azure.upbound.io                                2022-10-12T01:07:00Z
expressroutegateways.network.azure.upbound.io                                   2022-10-12T01:07:00Z
expressrouteports.network.azure.upbound.io                                      2022-10-12T01:07:00Z
firewallapplicationrulecollections.network.azure.upbound.io                     2022-10-12T01:07:00Z
firewallnatrulecollections.network.azure.upbound.io                             2022-10-12T01:07:00Z
firewallnetworkrulecollections.network.azure.upbound.io                         2022-10-12T01:07:00Z
firewallpolicies.network.azure.upbound.io                                       2022-10-12T01:07:01Z
firewallpolicyrulecollectiongroups.network.azure.upbound.io                     2022-10-12T01:07:01Z
firewallrules.dbformariadb.azure.upbound.io                                     2022-10-12T01:06:58Z
firewallrules.dbformysql.azure.upbound.io                                       2022-10-12T01:06:59Z
firewallrules.dbforpostgresql.azure.upbound.io                                  2022-10-12T01:06:59Z
firewalls.network.azure.upbound.io                                              2022-10-12T01:07:01Z
flexibledatabases.dbformysql.azure.upbound.io                                   2022-10-12T01:06:59Z
flexibleserverconfigurations.dbformysql.azure.upbound.io                        2022-10-12T01:06:59Z
flexibleserverconfigurations.dbforpostgresql.azure.upbound.io                   2022-10-12T01:06:59Z
flexibleserverdatabases.dbforpostgresql.azure.upbound.io                        2022-10-12T01:06:59Z
flexibleserverfirewallrules.dbformysql.azure.upbound.io                         2022-10-12T01:06:59Z
flexibleserverfirewallrules.dbforpostgresql.azure.upbound.io                    2022-10-12T01:06:59Z
flexibleservers.dbformysql.azure.upbound.io                                     2022-10-12T01:06:59Z
flexibleservers.dbforpostgresql.azure.upbound.io                                2022-10-12T01:06:59Z
frontdoorcustomhttpsconfigurations.network.azure.upbound.io                     2022-10-12T01:07:01Z
frontdoorfirewallpolicies.network.azure.upbound.io                              2022-10-12T01:07:01Z
frontdoorrulesengines.network.azure.upbound.io                                  2022-10-12T01:07:01Z
frontdoors.network.azure.upbound.io                                             2022-10-12T01:07:01Z
functionjavascriptudas.streamanalytics.azure.upbound.io                         2022-10-12T01:07:02Z
gremlindatabases.cosmosdb.azure.upbound.io                                      2022-10-12T01:06:58Z
gremlingraphs.cosmosdb.azure.upbound.io                                         2022-10-12T01:06:58Z
hpccacheaccesspolicies.storagecache.azure.upbound.io                            2022-10-12T01:07:02Z
hpccacheblobnfstargets.storagecache.azure.upbound.io                            2022-10-12T01:07:02Z
hpccacheblobtargets.storagecache.azure.upbound.io                               2022-10-12T01:07:02Z
hpccachenfstargets.storagecache.azure.upbound.io                                2022-10-12T01:07:02Z
hpccaches.storagecache.azure.upbound.io                                         2022-10-12T01:07:02Z
images.compute.azure.upbound.io                                                 2022-10-12T01:06:58Z
integrationserviceenvironments.logic.azure.upbound.io                           2022-10-12T01:07:00Z
iothubconsumergroups.devices.azure.upbound.io                                   2022-10-12T01:06:59Z
iothubdps.devices.azure.upbound.io                                              2022-10-12T01:06:59Z
iothubdpscertificates.devices.azure.upbound.io                                  2022-10-12T01:06:59Z
iothubdpssharedaccesspolicies.devices.azure.upbound.io                          2022-10-12T01:06:59Z
iothubendpointeventhubs.devices.azure.upbound.io                                2022-10-12T01:06:59Z
iothubendpointservicebusqueues.devices.azure.upbound.io                         2022-10-12T01:06:59Z
iothubendpointservicebustopics.devices.azure.upbound.io                         2022-10-12T01:06:59Z
iothubendpointstoragecontainers.devices.azure.upbound.io                        2022-10-12T01:06:59Z
iothubenrichments.devices.azure.upbound.io                                      2022-10-12T01:06:59Z
iothubfallbackroutes.devices.azure.upbound.io                                   2022-10-12T01:06:59Z
iothubroutes.devices.azure.upbound.io                                           2022-10-12T01:06:59Z
iothubs.devices.azure.upbound.io                                                2022-10-12T01:06:59Z
iothubsharedaccesspolicies.devices.azure.upbound.io                             2022-10-12T01:06:59Z
iotsecuritydevicegroups.security.azure.upbound.io                               2022-10-12T01:07:02Z
iotsecuritysolutions.security.azure.upbound.io                                  2022-10-12T01:07:02Z
ipgroups.network.azure.upbound.io                                               2022-10-12T01:07:01Z
jobs.streamanalytics.azure.upbound.io                                           2022-10-12T01:07:02Z
keys.keyvault.azure.upbound.io                                                  2022-10-12T01:06:59Z
kubernetesclusternodepools.containerservice.azure.upbound.io                    2022-10-12T01:06:58Z
kubernetesclusters.containerservice.azure.upbound.io                            2022-10-12T01:06:58Z
linuxvirtualmachines.compute.azure.upbound.io                                   2022-10-12T01:06:58Z
linuxvirtualmachinescalesets.compute.azure.upbound.io                           2022-10-12T01:06:58Z
liveeventoutputs.media.azure.upbound.io                                         2022-10-12T01:07:00Z
liveevents.media.azure.upbound.io                                               2022-10-12T01:07:00Z
loadbalancerbackendaddresspooladdresses.network.azure.upbound.io                2022-10-12T01:07:01Z
loadbalancerbackendaddresspools.network.azure.upbound.io                        2022-10-12T01:07:01Z
loadbalancernatpools.network.azure.upbound.io                                   2022-10-12T01:07:01Z
loadbalancernatrules.network.azure.upbound.io                                   2022-10-12T01:07:01Z
loadbalanceroutboundrules.network.azure.upbound.io                              2022-10-12T01:07:01Z
loadbalancerprobes.network.azure.upbound.io                                     2022-10-12T01:07:01Z
loadbalancerrules.network.azure.upbound.io                                      2022-10-12T01:07:01Z
loadbalancers.network.azure.upbound.io                                          2022-10-12T01:07:01Z
localnetworkgateways.network.azure.upbound.io                                   2022-10-12T01:07:01Z
locks.pkg.crossplane.io                                                         2022-10-12T01:05:33Z
manageddisks.compute.azure.upbound.io                                           2022-10-12T01:06:58Z
managedhardwaresecuritymodules.keyvault.azure.upbound.io                        2022-10-12T01:07:00Z
managedprivateendpoints.streamanalytics.azure.upbound.io                        2022-10-12T01:07:02Z
managedstorageaccounts.keyvault.azure.upbound.io                                2022-10-12T01:07:00Z
managedstorageaccountsastokendefinitions.keyvault.azure.upbound.io              2022-10-12T01:07:00Z
managementgroups.management.azure.upbound.io                                    2022-10-12T01:07:00Z
managementpolicies.storage.azure.upbound.io                                     2022-10-12T01:07:02Z
managements.apimanagement.azure.upbound.io                                      2022-10-12T01:06:58Z
marketplaceagreements.marketplaceordering.azure.upbound.io                      2022-10-12T01:07:00Z
mongocollections.cosmosdb.azure.upbound.io                                      2022-10-12T01:06:58Z
mongodatabases.cosmosdb.azure.upbound.io                                        2022-10-12T01:06:58Z
monitoractiongroups.insights.azure.upbound.io                                   2022-10-12T01:06:59Z
monitormetricalerts.insights.azure.upbound.io                                   2022-10-12T01:06:59Z
monitorprivatelinkscopedservices.insights.azure.upbound.io                      2022-10-12T01:06:59Z
monitorprivatelinkscopes.insights.azure.upbound.io                              2022-10-12T01:06:59Z
mssqldatabases.sql.azure.upbound.io                                             2022-10-12T01:07:02Z
mssqlfailovergroups.sql.azure.upbound.io                                        2022-10-12T01:07:02Z
mssqlmanageddatabases.sql.azure.upbound.io                                      2022-10-12T01:07:02Z
mssqlmanagedinstanceactivedirectoryadministrators.sql.azure.upbound.io          2022-10-12T01:07:02Z
mssqlmanagedinstancefailovergroups.sql.azure.upbound.io                         2022-10-12T01:07:02Z
mssqlmanagedinstances.sql.azure.upbound.io                                      2022-10-12T01:07:02Z
mssqlmanagedinstancevulnerabilityassessments.sql.azure.upbound.io               2022-10-12T01:07:02Z
mssqloutboundfirewallrules.sql.azure.upbound.io                                 2022-10-12T01:07:02Z
mssqlserverdnsaliases.sql.azure.upbound.io                                      2022-10-12T01:07:02Z
mssqlservers.sql.azure.upbound.io                                               2022-10-12T01:07:02Z
mssqlservertransparentdataencryptions.sql.azure.upbound.io                      2022-10-12T01:07:02Z
mssqlvirtualnetworkrules.sql.azure.upbound.io                                   2022-10-12T01:07:02Z
natgatewaypublicipassociations.network.azure.upbound.io                         2022-10-12T01:07:01Z
natgatewaypublicipprefixassociations.network.azure.upbound.io                   2022-10-12T01:07:01Z
natgateways.network.azure.upbound.io                                            2022-10-12T01:07:01Z
networkinterfaceapplicationsecuritygroupassociations.network.azure.upbound.io   2022-10-12T01:07:01Z
networkinterfacebackendaddresspoolassociations.network.azure.upbound.io         2022-10-12T01:07:01Z
networkinterfacenatruleassociations.network.azure.upbound.io                    2022-10-12T01:07:01Z
networkinterfaces.network.azure.upbound.io                                      2022-10-12T01:07:01Z
networkinterfacesecuritygroupassociations.network.azure.upbound.io              2022-10-12T01:07:01Z
notificationhubs.notificationhubs.azure.upbound.io                              2022-10-12T01:07:02Z
objectreplications.storage.azure.upbound.io                                     2022-10-12T01:07:02Z
orchestratedvirtualmachinescalesets.compute.azure.upbound.io                    2022-10-12T01:06:58Z
outputblobs.streamanalytics.azure.upbound.io                                    2022-10-12T01:07:02Z
outputfunctions.streamanalytics.azure.upbound.io                                2022-10-12T01:07:02Z
outputsynapses.streamanalytics.azure.upbound.io                                 2022-10-12T01:07:03Z
packetcaptures.network.azure.upbound.io                                         2022-10-12T01:07:01Z
pointtositevpngateways.network.azure.upbound.io                                 2022-10-12T01:07:01Z
policydefinitions.authorization.azure.upbound.io                                2022-10-12T01:06:57Z
pools.netapp.azure.upbound.io                                                   2022-10-12T01:07:00Z
privatednsaaaarecords.network.azure.upbound.io                                  2022-10-12T01:07:01Z
privatednsarecords.network.azure.upbound.io                                     2022-10-12T01:07:01Z
privatednscnamerecords.network.azure.upbound.io                                 2022-10-12T01:07:01Z
privatednsmxrecords.network.azure.upbound.io                                    2022-10-12T01:07:01Z
privatednsptrrecords.network.azure.upbound.io                                   2022-10-12T01:07:01Z
privatednssrvrecords.network.azure.upbound.io                                   2022-10-12T01:07:01Z
privatednstxtrecords.network.azure.upbound.io                                   2022-10-12T01:07:01Z
privatednszones.network.azure.upbound.io                                        2022-10-12T01:07:01Z
privatednszonevirtualnetworklinks.network.azure.upbound.io                      2022-10-12T01:07:01Z
privateendpoints.network.azure.upbound.io                                       2022-10-12T01:07:01Z
privatelinkservices.network.azure.upbound.io                                    2022-10-12T01:07:01Z
profiles.network.azure.upbound.io                                               2022-10-12T01:07:01Z
providerconfigs.azure.upbound.io                                                2022-10-12T01:06:57Z
providerconfigusages.azure.upbound.io                                           2022-10-12T01:06:57Z
providerrevisions.pkg.crossplane.io                                             2022-10-12T01:05:33Z
providers.pkg.crossplane.io                                                     2022-10-12T01:05:33Z
proximityplacementgroups.compute.azure.upbound.io                               2022-10-12T01:06:58Z
publicipprefixes.network.azure.upbound.io                                       2022-10-12T01:07:01Z
publicips.network.azure.upbound.io                                              2022-10-12T01:07:01Z
queues.storage.azure.upbound.io                                                 2022-10-12T01:07:02Z
rediscaches.cache.azure.upbound.io                                              2022-10-12T01:06:58Z
redisenterpriseclusters.cache.azure.upbound.io                                  2022-10-12T01:06:58Z
redisenterprisedatabases.cache.azure.upbound.io                                 2022-10-12T01:06:57Z
redisfirewallrules.cache.azure.upbound.io                                       2022-10-12T01:06:58Z
redislinkedservers.cache.azure.upbound.io                                       2022-10-12T01:06:58Z
registries.containerregistry.azure.upbound.io                                   2022-10-12T01:06:58Z
resourcegrouppolicyassignments.authorization.azure.upbound.io                   2022-10-12T01:06:57Z
resourcegroups.azure.upbound.io                                                 2022-10-12T01:06:57Z
resourcegrouptemplatedeployments.resources.azure.upbound.io                     2022-10-12T01:07:02Z
resourceproviderregistrations.azure.upbound.io                                  2022-10-12T01:06:57Z
roleassignments.authorization.azure.upbound.io                                  2022-10-12T01:06:57Z
routetables.network.azure.upbound.io                                            2022-10-12T01:07:01Z
scopemaps.containerregistry.azure.upbound.io                                    2022-10-12T01:06:58Z
secrets.keyvault.azure.upbound.io                                               2022-10-12T01:07:00Z
securitygroups.network.azure.upbound.io                                         2022-10-12T01:07:01Z
securityrules.network.azure.upbound.io                                          2022-10-12T01:07:01Z
serverkeys.dbforpostgresql.azure.upbound.io                                     2022-10-12T01:06:59Z
servers.dbformariadb.azure.upbound.io                                           2022-10-12T01:06:59Z
servers.dbformysql.azure.upbound.io                                             2022-10-12T01:06:59Z
servers.dbforpostgresql.azure.upbound.io                                        2022-10-12T01:06:59Z
servicesaccounts.media.azure.upbound.io                                         2022-10-12T01:07:00Z
sharedimagegalleries.compute.azure.upbound.io                                   2022-10-12T01:06:58Z
shares.storage.azure.upbound.io                                                 2022-10-12T01:07:02Z
snapshotpolicies.netapp.azure.upbound.io                                        2022-10-12T01:07:00Z
snapshots.compute.azure.upbound.io                                              2022-10-12T01:06:58Z
snapshots.netapp.azure.upbound.io                                               2022-10-12T01:07:00Z
spatialanchorsaccounts.mixedreality.azure.upbound.io                            2022-10-12T01:07:00Z
sqlcontainers.cosmosdb.azure.upbound.io                                         2022-10-12T01:06:58Z
sqldatabases.cosmosdb.azure.upbound.io                                          2022-10-12T01:06:58Z
sqlfunctions.cosmosdb.azure.upbound.io                                          2022-10-12T01:06:58Z
sqlroleassignments.cosmosdb.azure.upbound.io                                    2022-10-12T01:06:58Z
sqlroledefinitions.cosmosdb.azure.upbound.io                                    2022-10-12T01:06:58Z
sqlstoredprocedures.cosmosdb.azure.upbound.io                                   2022-10-12T01:06:58Z
sqltriggers.cosmosdb.azure.upbound.io                                           2022-10-12T01:06:58Z
storagesyncs.storagesync.azure.upbound.io                                       2022-10-12T01:07:02Z
storeconfigs.azure.upbound.io                                                   2022-10-12T01:06:57Z
storeconfigs.secrets.crossplane.io                                              2022-10-12T01:05:33Z
streamingendpoints.media.azure.upbound.io                                       2022-10-12T01:07:00Z
streaminglocators.media.azure.upbound.io                                        2022-10-12T01:07:00Z
streamingpolicies.media.azure.upbound.io                                        2022-10-12T01:07:00Z
subnetnatgatewayassociations.network.azure.upbound.io                           2022-10-12T01:07:01Z
subnetnetworksecuritygroupassociations.network.azure.upbound.io                 2022-10-12T01:07:01Z
subnetroutetableassociations.network.azure.upbound.io                           2022-10-12T01:07:01Z
subnets.network.azure.upbound.io                                                2022-10-12T01:07:01Z
subnetserviceendpointstoragepolicies.network.azure.upbound.io                   2022-10-12T01:07:01Z
subscriptions.azure.upbound.io                                                  2022-10-12T01:06:57Z
tables.cosmosdb.azure.upbound.io                                                2022-10-12T01:06:58Z
tables.storage.azure.upbound.io                                                 2022-10-12T01:07:02Z
tokens.containerregistry.azure.upbound.io                                       2022-10-12T01:06:58Z
transforms.media.azure.upbound.io                                               2022-10-12T01:07:00Z
vaults.keyvault.azure.upbound.io                                                2022-10-12T01:07:00Z
virtualhubs.network.azure.upbound.io                                            2022-10-12T01:07:01Z
virtualnetworkgatewayconnections.network.azure.upbound.io                       2022-10-12T01:07:02Z
virtualnetworkgateways.network.azure.upbound.io                                 2022-10-12T01:07:02Z
virtualnetworkpeerings.network.azure.upbound.io                                 2022-10-12T01:07:02Z
virtualnetworkrules.dbformariadb.azure.upbound.io                               2022-10-12T01:06:59Z
virtualnetworkrules.dbformysql.azure.upbound.io                                 2022-10-12T01:06:59Z
virtualnetworkrules.dbforpostgresql.azure.upbound.io                            2022-10-12T01:06:59Z
virtualnetworks.network.azure.upbound.io                                        2022-10-12T01:07:02Z
virtualwans.network.azure.upbound.io                                            2022-10-12T01:07:02Z
volumes.netapp.azure.upbound.io                                                 2022-10-12T01:07:00Z
vpnserverconfigurations.network.azure.upbound.io                                2022-10-12T01:07:02Z
watcherflowlogs.network.azure.upbound.io                                        2022-10-12T01:07:02Z
watchers.network.azure.upbound.io                                               2022-10-12T01:07:02Z
webhooks.containerregistry.azure.upbound.io                                     2022-10-12T01:06:58Z
windowsvirtualmachines.compute.azure.upbound.io                                 2022-10-12T01:06:58Z
windowsvirtualmachinescalesets.compute.azure.upbound.io                         2022-10-12T01:06:58Z
workspaces.operationalinsights.azure.upbound.io                                 2022-10-12T01:07:02Z

Create a Kubernetes secret for Azure

The provider requires credentials to create and manage Azure resources. Providers use a Kubernetes Secret to connect the credentials to the provider.

First generate a Kubernetes Secret from your Azure JSON file and then configure the Provider to use it.

Install the Azure command-line

Generating an authentication file requires the Azure command-line.
Follow the documentation from Microsoft to Download and install the Azure command-line.

Log in to the Azure command-line.

az login

Create an Azure service principal

Follow the Azure documentation to find your Subscription ID from the Azure Portal.

Using the Azure command-line and provide your Subscription ID create a service principal and authentication file.

1
2
3
4
az ad sp create-for-rbac \
--sdk-auth \
--role Owner \
--scopes /subscriptions/<Subscription ID> 
The Azure command-line prints an expected deprecation warning for --sdk-auth.

The command generates a JSON file like this:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
{
  "clientId": "5d73973c-1933-4621-9f6a-9642db949768",
  "clientSecret": "24O8Q~db2DFJ123MBpB25hdESvV3Zy8bfeGYGcSd",
  "subscriptionId": "c02e2b27-21ef-48e3-96b9-a91305e9e010",
  "tenantId": "7060afec-1db7-4b6f-a44f-82c9c6d8762a",
  "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
  "resourceManagerEndpointUrl": "https://management.azure.com/",
  "activeDirectoryGraphResourceId": "https://graph.windows.net/",
  "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
  "galleryEndpointUrl": "https://gallery.azure.com/",
  "managementEndpointUrl": "https://management.core.windows.net/"
}

Save your Azure JSON output as azure-credentials.json.

The Configuration section of the Provider documentation describes other authentication methods.

Create a Kubernetes secret with the Azure credentials

A Kubernetes generic secret has a name and contents. Use kubectl create secret to generate the secret object named azure-secret in the upbound-system namespace.

Use the --from-file= argument to set the value to the contents of the azure-credentials.json file.

1
2
3
4
kubectl create secret \
generic azure-secret \
-n upbound-system \
--from-file=creds=./azure-credentials.json

View the secret with kubectl describe secret

The size may be larger if there are extra blank spaces in your text file.
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
kubectl describe secret azure-secret -n upbound-system
Name:         azure-secret
Namespace:    upbound-system
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
creds:  629 bytes

Create a ProviderConfig

A ProviderConfig customizes the settings of the Azure Provider.

Apply the ProviderConfig with the command:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
cat <<EOF | kubectl apply -f -
apiVersion: azure.upbound.io/v1beta1
metadata:
  name: default
kind: ProviderConfig
spec:
  credentials:
    source: Secret
    secretRef:
      namespace: upbound-system
      name: azure-secret
      key: creds
EOF

This attaches the Azure credentials, saved as a Kubernetes secret, as a secretRef .

The spec.credentials.secretRef.name value is the name of the Kubernetes secret containing the Azure credentials in the spec.credentials.secretRef.namespace .

Create a managed resource

A managed resource is anything Crossplane creates and manages outside of the Kubernetes cluster. This creates an Azure Resource group with Crossplane. The Resource group is a managed resource.

A resource group is one of the fastest Azure resources to provision.
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
cat <<EOF | kubectl apply -f -
apiVersion: azure.upbound.io/v1beta1
kind: ResourceGroup
metadata:
  name: example-rg
spec:
  forProvider:
    location: "East US"
  providerConfigRef:
    name: default
EOF

Notice the apiVersion and kind are from the Provider's CRDs.

The metadata.name value is the name of the created resource group in Azure.
This example uses the name example-rg.

The spec.forProvider.location tells Azure which Azure region to use when deploying resources. The region can be any Azure geography code.

Use kubectl get resourcegroup to verify Crossplane created the resource group.

1
2
3
kubectl get ResourceGroup
NAME         READY   SYNCED   EXTERNAL-NAME   AGE
example-rg   True    True     example-rg      4m58s

Optionally, log into the Azure Portal and see the resource group inside Azure.

Azure portal shows a resource-group with the name example-rg that matches the resource group created by Crossplane.
Azure portal shows a resource-group with the name example-rg that matches the resource group created by Crossplane.

If the READY or SYNCED are blank or False use kubectl describe resourcegroup to understand why.

A common issue is incorrect Azure credentials or not having permissions to create the resource group.

The following output is an example of the kubectl describe resourcegroup output when using the wrong Azure credentials.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
kubectl describe ResourceGroup
Name:         example-rg
Namespace:
Labels:       <none>
Annotations:  crossplane.io/external-name: example-rg
API Version:  azure.upbound.io/v1beta1
Kind:         ResourceGroup
# Output trimmed for brevity
Spec:
  Deletion Policy:  Delete
  For Provider:
    Location:  East US
  Provider Config Ref:
    Name:  default
Status:
  At Provider:
  Conditions:
    Last Transition Time:  2022-10-12T02:17:40Z
    Message:               observe failed: cannot run refresh: refresh failed: building account: getting authenticated object ID: listing Service Principals: ServicePrincipalsClient.BaseClient.Get(): clientCredentialsToken: received HTTP status 401 with response: {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '76af2645-91b4-4087-aff3-e05bf1f1b88c'.\r\nTrace ID: 26369fb5-ab9c-4ba2-bb74-179818cc2e00\r\nCorrelation ID: 0fefd33e-dc03-4450-b70f-4b9a9c23143a\r\nTimestamp: 2022-10-12 02:17:40Z","error_codes":[7000215],"timestamp":"2022-10-12 02:17:40Z","trace_id":"26369fb5-ab9c-4ba2-bb74-179818cc2e00","correlation_id":"0fefd33e-dc03-4450-b70f-4b9a9c23143a","error_uri":"https://login.microsoftonline.com/error?code=7000215"}:
    Reason:                ReconcileError
    Status:                False
    Type:                  Synced
Events:
  Type     Reason                         Age              From                                                  Message
  ----     ------                         ----             ----                                                  -------
  Warning  CannotObserveExternalResource  24s              managed/azure.upbound.io/v1beta1, kind=resourcegroup  cannot run refresh: refresh failed: building account: getting authenticated object ID: listing Service Principals: ServicePrincipalsClient.BaseClient.Get(): clientCredentialsToken: received HTTP status 401 with response: {"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided. Ensure the secret being sent in the request is the client secret value, not the client secret ID, for a secret added to app '76af2645-91b4-4087-aff3-e05bf1f1b88c'.\r\nTrace ID: 54dd6c59-972b-4194-8d5c-81ccc9df2700\r\nCorrelation ID: 9d5df199-426b-45d4-bbd4-4d46703dff85\r\nTimestamp: 2022-10-12 02:17:17Z","error_codes":[7000215],"timestamp":"2022-10-12 02:17:17Z","trace_id":"54dd6c59-972b-4194-8d5c-81ccc9df2700","correlation_id":"9d5df199-426b-45d4-bbd4-4d46703dff85","error_uri":"https://login.microsoftonline.com/error?code=7000215"}:

The error message in the Condition indicates the problem.

Invalid client secret provided.

To fix the problem:

  • Update your Azure credentials in the azure-credentials.json text file.
  • Delete the original Kubernetes secret with
  • kubectl delete secret azure-secret -n upbound-system
  • Create a new secret with
    kubectl create secret generic azure-secret -n upbound-system --from-file=creds=azure-credentials.json
  • Delete the ProviderConfig with
    kubectl delete providerconfig.azure.upbound.io/default
  • Recreate the ProviderConfig with the output in the ProviderConfig section.
  • Create the resource group again.
Deleting the ProviderConfig isn’t required, but is faster than waiting for Kubernetes to synchronize and update.

Still need help? Join the Crossplane Slack and ask in the #Upbound room to get help directly from Upbound employees and community members.

Delete the managed resource

Before shutting down your Kubernetes cluster, delete the resource group just created.

Use kubectl delete resource-group to remove the bucket.

1
2
kubectl delete resourcegroup example-rg
resourcegroup.azure.upbound.io "example-rg" deleted

Next steps