Merge pull request #383 from MicrosoftDocs/main

12/10/2024 PM Publish

articles/azure-arc/kubernetes/secret-store-extension.md

@@ -23,8 +23,7 @@ This article shows you how to install and configure the SSE as an [Azure Arc-ena
 
 ## Prerequisites
 
-- A cluster [connected to Azure Arc](quickstart-connect-cluster.md), running Kubernetes version 1.27 or higher, and in one of the supported regions (East US, East US2, West US, West US2, West US3, West Europe, North Europe). The region is defined by the resource group region used for creating the Arc cluster.
-- The examples throughout this guide use a [K3s](https://k3s.io/) cluster.
+- An Arc-enabled cluster. This can be one that you [connected to yourself](quickstart-connect-cluster.md) (the examples throughout this guide use a [K3s](https://k3s.io/) cluster) or a Microsoft-managed [AKS enanabled by Azure Arc](/azure/aks/hybrid/aks-overview) cluster. The cluster must be running Kubernetes version 1.27 or higher, and in one of the supported regions (East US, East US2, West US, West US2, West US3, West Europe, North Europe). The region is defined by the resource group region used for creating the Arc cluster.
 - Ensure you meet the [general prerequisites for cluster extensions](extensions.md#prerequisites), including the latest version of the `k8s-extension` Azure CLI extension.
 - cert-manager is required to support TLS for intracluster log communication. The examples later in this guide direct you though installation. For more information about cert-manager, see [cert-manager.io](https://cert-manager.io/)
 
@@ -52,13 +51,16 @@ export KUBERNETES_NAMESPACE="my-namespace"
 export SERVICE_ACCOUNT_NAME="my-service-account"
 ```
 
-## Configure an identity to access secrets
+## Activate workload identity federation in your cluster
 
-To access and synchronize a given Azure Key Vault secret, the SSE requires access to an Azure managed identity with appropriate Azure permissions to access that secret. The managed identity must be linked to a Kubernetes service account through [workload identity federation](conceptual-workload-identity.md). The Kubernetes service account is what you use in a Kubernetes pod or other workload to access secrets from the Kubernetes secret store. The SSE uses the associated federated Azure managed identity to pull secrets from Azure Key Vault to your Kubernetes secret store. The following sections describe how to set this up.
+The SSE uses a feature called [workload identity federation](conceptual-workload-identity.md) to access and synchronize Azure Key Vault secrets. This section describes how to set this up. Following sections will explain how it is used in detail.
 
-### Enable workload identity on your cluster
+### [Arc-enabled Kubernetes](#tab/arc-k8s)
 
-If your cluster isn't yet connected to Azure Arc, [follow these steps](quickstart-connect-cluster.md). During these steps, enable workload identity as part of the `connect` command:
+> [!TIP]
+> The following steps are based on the [How-to guide](/azure/azure-arc/kubernetes/workload-identity) for configuring Arc-enabled Kubernetes with workload identity federation. Refer to that documentation for any additional assistance.
+
+If your cluster isn't yet connected to Azure Arc, [follow these steps](quickstart-connect-cluster.md). During these steps, enable workload identity federation as part of the `connect` command:
 
 ```azurecli
 az connectedk8s connect --name ${CLUSTER_NAME} --resource-group ${RESOURCE_GROUP} --enable-oidc-issuer --enable-workload-identity
@@ -70,14 +72,10 @@ If your cluster is already connected to Azure Arc, enable workload identity usin
 az connectedk8s update --name ${CLUSTER_NAME} --resource-group ${RESOURCE_GROUP} --enable-oidc-issuer --enable-workload-identity
 ```
 
-### Configure your cluster to enable token validation
-
-Your cluster must be configured to issue Service Account tokens with a new issuer URL (`service-account-issuer`) that enables Microsoft Entra ID to find the public keys necessary for it to validate these tokens. These public keys are for the cluster's own service account token issuer, and they were obtained and cloud-hosted at this URL as a result of the `--enable-oidc-issuer` option that you set above.
+Now configure your cluster to issue Service Account tokens with a new issuer URL (`service-account-issuer`) that enables Microsoft Entra ID to find the public keys necessary for it to validate these tokens. These public keys are for the cluster's own service account token issuer, and they were obtained and cloud-hosted at this URL as a result of the `--enable-oidc-issuer` option that you set above.
 
 Optionally, you can also configure limits on the SSE's own permissions as a privileged resource running in the control plane by configuring [`OwnerReferencesPermissionEnforcement`](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement) [admission controller](https://Kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#how-do-i-turn-on-an-admission-controller). This admission controller constrains how much the SSE can change other objects in the cluster.
 
-Your Kubernetes cluster must be running Kubernetes version 1.27 or higher.
-
 1. Configure your [kube-apiserver](https://Kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/) with the issuer URL field and permissions enforcement. The following example is for a k3s cluster. Your cluster may have different means for changing API server arguments: `--kube-apiserver-arg="--service-account-issuer=${SERVICE_ACCOUNT_ISSUER}" and --kube-apiserver-arg="--enable-admission-plugins=OwnerReferencesPermissionEnforcement"`.
 
    - Get the service account issuer URL.
@@ -109,6 +107,38 @@ Your Kubernetes cluster must be running Kubernetes version 1.27 or higher.
    sudo systemctl restart k3s
    ```
 
+### [AKS on Azure Local](#tab/aks-local)
+
+Use the [How-to guide](/azure/aks/hybrid/workload-identity) to activate workload identity federation on AKS on Azure Local by using the `--enable-oidc-issuer` and `--enable-workload-identity` flags.
+
+Return to these steps after the initial activation. There is no need to complete the remainder of that guide.
+
+Validate the activation has been succesful by obtaining the cluster's service account issuer URL. You'll use this URL in the following steps:  
+
+   ```console
+   export SERVICE_ACCOUNT_ISSUER="$(az connectedk8s show --name ${CLUSTER_NAME} --resource-group ${RESOURCE_GROUP} --query "oidcIssuerProfile.issuerUrl" --output tsv)"
+   echo $SERVICE_ACCOUNT_ISSUER
+   ```
+
+### [AKS Edge Essentials](#tab/aks-ee)
+
+Use the [How-to guide](/azure/aks/hybrid/aks-edge-workload-identity) to activate workload identity federation on AKS Edge Essentials. 
+
+Return to these steps after the initial activation. There is no need to complete the remainder of that guide.
+
+Validate the activation has been succesful by obtaining the cluster's service account issuer URL. You'll use this URL in the following steps:  
+
+   ```console
+   export SERVICE_ACCOUNT_ISSUER="$(az connectedk8s show --name ${CLUSTER_NAME} --resource-group ${RESOURCE_GROUP} --query "oidcIssuerProfile.issuerUrl" --output tsv)"
+   echo $SERVICE_ACCOUNT_ISSUER
+   ```
+
+---
+
+## Create a secret and configure an identity to access it
+
+To access and synchronize a given Azure Key Vault secret, the SSE requires access to an Azure managed identity with appropriate Azure permissions to access that secret. The managed identity must be linked to a Kubernetes service account using the workload identity feature that you activated above. The SSE uses the associated federated Azure managed identity to pull secrets from Azure Key Vault to your Kubernetes secret store. The following sections describe how to set this up.
+
 ### Create an Azure Key Vault
 
 [Create an Azure Key Vault](/azure/key-vault/secrets/quick-create-cli) and add a secret. If you already have an Azure Key Vault and secret, you can skip this section.
@@ -176,31 +206,25 @@ Create a Kubernetes service account for the workload that needs access to secret
    az identity federated-credential create --name ${FEDERATED_IDENTITY_CREDENTIAL_NAME} --identity-name ${USER_ASSIGNED_IDENTITY_NAME} --resource-group ${RESOURCE_GROUP} --issuer ${SERVICE_ACCOUNT_ISSUER} --subject system:serviceaccount:${KUBERNETES_NAMESPACE}:${SERVICE_ACCOUNT_NAME}
    ```
 
-## Install and use the SSE
+## Install the SSE
 
 The SSE is available as an Azure Arc extension. An [Azure Arc-enabled Kubernetes cluster](overview.md) can be extended with [Azure Arc-enabled Kubernetes extensions](extensions.md). Extensions enable Azure capabilities on your connected cluster and provide an Azure Resource Manager-driven experience for the extension installation and lifecycle management.
 
-### Install cert-manager and trust-manager
-
-[cert-manager](https://cert-manager.io/) and [trust-manager](https://cert-manager.io/docs/trust/trust-manager/) are required for secure communication of logs between cluster services and must be installed before the Arc extension.
+[cert-manager](https://cert-manager.io/) and [trust-manager](https://cert-manager.io/docs/trust/trust-manager/) are also required for secure communication of logs between cluster services and must be installed before the Arc extension.
 
 1. Install cert-manager.
-
    ```azurecli
-   kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.15.3/cert-manager.yaml
+   helm repo add jetstack https://charts.jetstack.io/ --force-update
+   helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --version v1.16.2 --set crds.enabled=true 
    ```
 
 1. Install trust-manager.
 
    ```azurecli
-   helm repo add jetstack https://charts.jetstack.io
-   helm repo update
    helm upgrade trust-manager jetstack/trust-manager --install --namespace cert-manager --wait
    ```
 
-### Install the SSE
-
-- Install the SSE to your Arc-enabled cluster using the following command:
+1. Install the SSE to your Arc-enabled cluster using the following command:
 
    ``` console
    az k8s-extension create \

articles/azure-portal/azure-portal-safelist-urls.md

@@ -55,6 +55,7 @@ management.azure.com
 *.ext.azure.com
 *.graph.windows.net
 *.graph.microsoft.com
+hosting.partners.azure.net
 ```
 
 #### Account data

articles/copilot/get-information-resource-graph.md

@@ -49,7 +49,7 @@ You can ask Microsoft Copilot in Azure (preview) to write queries with prompts l
 
 :::image type="content" source="media/get-information-resource-graph/azure-resource-graph-explorer-list-vms.png" alt-text="Screenshot of Microsoft Copilot in Azure responding to a request to list VMs.":::
 
-If the generated query isn't exactly what you want, you can ask Microsoft Copilot in Azure (preview) to make changes. In this example, the first prompt is "**Write a KQL query to list my VMs by OS.**" After the query is shown, the additional prompt "Sorted alphabetically" results in a revised query that lists the OS alphabetically by name.
+If the generated query isn't exactly what you want, you can ask Microsoft Copilot in Azure (preview) to make changes. In this example, the first prompt is "**Write a KQL query to list my VMs by OS.**" After the query is shown, the additional prompt "**Sorted alphabetically**" results in a revised query that lists the OS alphabetically by name.
 
 :::image type="content" source="media/get-information-resource-graph/azure-resource-graph-query-refine.png" alt-text="Screenshot of Microsoft Copilot in Azure (preview) generating and then revising a query to list VMs by OS.":::