Connect Crossplane to Microsoft Azure to create and manage cloud resources from Kubernetes with the Azure Official Provider.
This guide walks you through the steps required to get started with the Azure Official Provider. This includes installing Upbound Universal Crossplane, configuring the provider to authenticate to Azure and creating a Managed Resource in Azure directly from your Kubernetes cluster.
This quickstart requires:
- a Kubernetes cluster with at least 3 GB of RAM
- permissions to create pods and secrets in the Kubernetes cluster
- an Azure account with permissions to create an Azure service principal and an Azure Resource Group
All commands use the current
kubeconfig context and configuration.
The Up command-line helps manage Upbound Universal Crossplane, Upbound’s enterprise Crossplane distribution, and Upbound user accounts.
Download and install the Upbound
Upbound Universal Crossplane (UXP) consists of upstream Crossplane and Upbound-specific enhancements and patches. It’s open source and maintained by Upbound.
Install UXP with the Up command-line
up uxp install command.
Verify all UXP pods are
kubectl get pods -n upbound-system. This may take up to five minutes depending on your Kubernetes cluster.
For more details about UXP pods, read the UXP section.
Installing UXP and Crossplane creates new Kubernetes API end-points. Take a look at the new API end-points with
kubectl api-resources | grep crossplane. In a later step you use the
resource to install the Official Provider.
Install the official provider into the Kubernetes cluster with the
up command-line or a Kubernetes configuration file.
uses the Crossplane
Provider Custom Resource Definition to connect your Kubernetes cluster to your cloud provider.
Verify the provider installed with
kubectl get providers.
It may take up to five minutes for the provider to list
A provider installs its own Kubernetes Custom Resource Definitions (CRDs). These CRDs allow you to create Azure resources directly inside Kubernetes.
You can view the new CRDs with
kubectl get crds. Every CRD maps to a unique Azure service Crossplane can provision and manage.
The provider requires credentials to create and manage Azure resources. Providers use a Kubernetes Secret to connect the credentials to the provider.
First generate a Kubernetes Secret from your Azure JSON file and then configure the Provider to use it.
Generating an authentication file requires the Azure command-line.
Follow the documentation from Microsoft to download and install the Azure command-line.
Log in to the Azure command-line.
Follow the Azure documentation to find your Subscription ID from the Azure Portal.
Using the Azure command-line and your Subscription ID, create a service principal and authentication file.
The Azure command-line prints an expected deprecation warning for
The command generates a JSON file like this:
Save your Azure JSON output as
The Configuration section of the Provider documentation describes other authentication methods.
A Kubernetes generic secret has a name and contents. Use
to generate the secret object named
argument to set the value to the contents of the
View the secret with
kubectl describe secret
The size may be larger if there are extra blank spaces in your text file.
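A pre-flight check for the credentials file before it becomes a Kubernetes secret, as an added example that is not part of the original guide or of any Upbound tooling. It assumes the file uses the clientId, clientSecret, subscriptionId and tenantId field names of the Azure SDK auth JSON format; check_azure_creds and write_sample_creds are hypothetical helper names.

```shell
#!/bin/sh
# Added example: pre-flight check for azure-credentials.json before it is
# loaded into the cluster as the azure-secret Kubernetes secret.
# check_azure_creds is a hypothetical helper, not part of up, kubectl or az.
# Assumption: the file uses the Azure SDK auth JSON field names listed below.

REQUIRED_KEYS="clientId clientSecret subscriptionId tenantId"

# Returns 0 if usable, 1 if missing or empty, 2 if readable by group or
# others, 3 if a required field is absent or has an empty value.
check_azure_creds() {
    file=$1
    [ -s "$file" ] || { echo "missing or empty: $file" >&2; return 1; }

    # The file holds a client secret, so only the owner should have access.
    # Characters 5-10 of the ls mode string are the group/other bits.
    mode=$(ls -ld "$file" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "too permissive ($mode): chmod 600 $file" >&2; return 2; }

    for key in $REQUIRED_KEYS; do
        # Match "key": "non-empty value" without printing the value.
        grep -Eq "\"$key\"[[:space:]]*:[[:space:]]*\"[^\"]+\"" "$file" ||
            { echo "field missing or empty: $key" >&2; return 3; }
    done
    return 0
}

# Constructed sample input (placeholder values, not real credentials).
write_sample_creds() {
    (umask 077; cat > "$1" <<'EOF'
{
  "clientId": "00000000-0000-0000-0000-000000000001",
  "clientSecret": "constructed-placeholder",
  "subscriptionId": "00000000-0000-0000-0000-000000000002",
  "tenantId": "00000000-0000-0000-0000-000000000003"
}
EOF
    )
}

# Demo: validate a sample file, then print (not run) the page's command.
demo=$(mktemp) && write_sample_creds "$demo"
if check_azure_creds "$demo"; then
    echo "ok: kubectl create secret generic azure-secret -n upbound-system --from-file=creds=azure-credentials.json"
fi
rm -f "$demo"
```

Running the check against the real azure-credentials.json before creating the secret catches an empty or truncated file early, which otherwise only surfaces later as a failed resource in kubectl describe output.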
ProviderConfig customizes the settings of the Azure Provider.
with the command:
This attaches the Azure credentials, saved as a Kubernetes secret, as a
value is the name of the Kubernetes secret containing the Azure credentials in the
A managed resource is anything Crossplane creates and manages outside of the Kubernetes cluster. This creates an Azure Resource group with Crossplane. The Resource group is a managed resource.
A resource group is one of the fastest Azure resources to provision.
are from the
value is the name of the created resource group in Azure.
This example uses the name
tells Azure which Azure region to use when deploying resources. The region can be any Azure geography code.
kubectl get resourcegroup to verify Crossplane created the resource group.
Optionally, log into the Azure Portal and see the resource group inside Azure.
SYNCED are blank or
kubectl describe resourcegroup to understand why.
A common issue is incorrect Azure credentials or not having permissions to create the resource group.
The following output is an example of the
kubectl describe resourcegroup output when using the wrong Azure credentials.
The error message in the Condition indicates the problem.
To fix the problem:
- Update your Azure credentials in the
- Delete the original Kubernetes secret with
kubectl delete secret azure-secret -n upbound-system
- Create a new secret with
kubectl create secret generic azure-secret -n upbound-system --from-file=creds=azure-credentials.json
- Delete the
kubectl delete providerconfig.azure.upbound.io/default
- Recreate the
ProviderConfig with the output in the ProviderConfig section.
- Create the resource group again.
ProviderConfig isn’t required, but is faster than waiting for Kubernetes to synchronize and update.
Still need help? Join the Crossplane Slack and ask in the
#Upbound room to get help directly from Upbound employees and community members.
Before shutting down your Kubernetes cluster, delete the resource group just created.
kubectl delete resourcegroup to remove the resource group.
- Explore Azure resources that Crossplane can configure in the Provider CRD reference.
- Learn about Crossplane configuration packages to make your cloud platform fully portable.
- Join the Crossplane Slack and the
#Upbound room to connect with Crossplane users and contributors.