
Azure Container Services (AKS)

Azure Container Services (AKS) is a fully managed Kubernetes service running on the Azure platform.

Azure Container Registry (ACR)

Azure Container Registry is a managed Docker container registry service used for storing private Docker container images. It’s a fully managed Azure resource and gives you local, network-close storage of your container images when deploying to AKS. Chef Habitat Builder has native integration with this service so you can publish your packages directly to Azure Container Registry.

In order to do this you need to create an Azure Service Principal that has Owner rights on your ACR instance. You can do this with the following script, changing the environment variable values to match your environment.

#!/bin/bash

ACR_RESOURCE_GROUP=myACRResourceGroup
ACR_NAME=myACRRegistry
BLDR_PRINCIPAL_NAME=myPrincipalName
BLDR_PRINCIPAL_PASSWORD="ThisIsVeryStrongPassword"

# Create Service Principal for Chef Habitat Builder
ACR_ID=$(az acr show --name $ACR_NAME --resource-group $ACR_RESOURCE_GROUP --query "id" --output tsv)
az ad sp create-for-rbac --scopes $ACR_ID --role Owner --password "$BLDR_PRINCIPAL_PASSWORD" --name $BLDR_PRINCIPAL_NAME
BLDR_ID=$(az ad sp list --display-name $BLDR_PRINCIPAL_NAME  --query "[].appId" --output tsv)

echo "Configuration details for Habitat Builder Principal:"
echo "  ID : $BLDR_ID"
echo "  Password : $BLDR_PRINCIPAL_PASSWORD"

Note: The unique Service Principal Name (the UUID) should be provided in the Chef Habitat Builder configuration.

Connecting ACR and AKS

Since ACR is a private Docker registry, AKS must be authorized to pull images from it. The best way is to create a role assignment on the Service Principal that is automatically created for AKS, granting it Reader access on your ACR instance.

To do this you can use the following script, changing the environment variable values to match your configuration.

#!/bin/bash

AKS_RESOURCE_GROUP=myAKSResourceGroup
AKS_CLUSTER_NAME=myAKSCluster
ACR_RESOURCE_GROUP=myACRResourceGroup
ACR_NAME=myACRRegistry

# Get the id of the service principal configured for AKS
CLIENT_ID=$(az aks show --resource-group $AKS_RESOURCE_GROUP --name $AKS_CLUSTER_NAME --query "servicePrincipalProfile.clientId" --output tsv)

# Get the ACR Registry Resource ID
ACR_ID=$(az acr show --name $ACR_NAME --resource-group $ACR_RESOURCE_GROUP --query "id" --output tsv)

# Create Role Assignment
az role assignment create --assignee $CLIENT_ID --role Reader --scope $ACR_ID
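
Once both scripts have run, the registry should carry exactly two deliberate grants: Owner for the Habitat Builder principal and Reader for the AKS principal. The following check is an added example, not part of the original page or of Chef Habitat. It reads role assignments as tab-separated rows and flags anything that deviates; the function names, the sample IDs and the assumption that `principalName` carries the app ID are illustrative.

```shell
#!/bin/bash
# Added example: audit role assignments on the ACR scope against this page's setup.
# Input on stdin: TSV lines "principal<TAB>role", for instance from
#   az role assignment list --scope "$ACR_ID" \
#     --query "[].[principalName, roleDefinitionName]" --output tsv
# Assumption: principalName carries the service principal's app ID.

# Usage: audit_acr_roles BLDR_ID AKS_CLIENT_ID < assignments.tsv
# Prints one finding per line; returns 1 if anything needs review, else 0.
audit_acr_roles() {
  a_bldr=$1; a_aks=$2; a_reader=0; a_findings=0
  a_tab=$(printf '\t')
  while IFS="$a_tab" read -r a_principal a_role; do
    if [ -z "$a_principal" ]; then continue; fi
    if [ "$a_principal" = "$a_aks" ]; then
      if [ "$a_role" = "Reader" ]; then
        a_reader=1
      else
        echo "EXCESS: AKS principal holds '$a_role' (expected Reader only)"
        a_findings=1
      fi
    elif [ "$a_principal" = "$a_bldr" ]; then
      if [ "$a_role" != "Owner" ]; then
        echo "UNEXPECTED: Builder principal holds '$a_role' (page assigns Owner)"
        a_findings=1
      fi
    else
      case $a_role in
        Owner|Contributor|"User Access Administrator")
          echo "REVIEW: unlisted principal $a_principal holds '$a_role'"
          a_findings=1 ;;
      esac
    fi
  done
  if [ "$a_reader" -eq 0 ]; then
    echo "MISSING: AKS principal has no Reader assignment on this registry"
    a_findings=1
  fi
  return "$a_findings"
}

# Constructed sample rows (placeholder IDs, not real principals).
sample_assignments() {
  printf '%s\t%s\n' "11111111-aaaa" "Owner" "22222222-bbbb" "Reader" \
    "22222222-bbbb" "Contributor" "33333333-cccc" "Owner" "44444444-dddd" "Reader"
}

if ! sample_assignments | audit_acr_roles "11111111-aaaa" "22222222-bbbb"; then
  echo "Findings above need review before relying on this registry."
fi
```

With the constructed rows, the check reports the extra Contributor grant on the AKS principal and the Owner grant held by a principal that neither script created.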