
What is it?

The Azure AKS Template is a pre-built system template for Azure Kubernetes Service (AKS) lifecycle management, covering both day-0 and day-2 operations. This template is part of the Template Catalog under the Kubernetes Lifecycle Management section and enables organizations to create self-service workflows for end users without requiring extensive configuration knowledge.

This template provides comprehensive AKS management capabilities and is fully supported with regular updates and new features added over time. With these templates, administrators can follow two simple steps to provide a self-service experience for their end users:

  1. Configure and customize the system template (provide credentials, specify defaults, and determine what values end users can/cannot override) in a project owned by the Platform team
  2. Publish by sharing the template with end user projects

Prerequisites

Before consuming the Azure AKS Template, ensure you have the following prerequisites in place:

1. Healthy GitOps Agent

  • Deploy a healthy GitOps agent that drives the workflow
  • The agent can be deployed as:
      • Docker container
      • Kubernetes deployment
  • The agent's network must have reachability to the network where AKS clusters will be created
  • Refer to the GitOps Agent setup documentation for detailed configuration

2. Valid Rafay API Key

  • Obtain a valid Rafay API key for authentication
  • The API key should have appropriate permissions for AKS template operations
  • Refer to the API Key management documentation for setup instructions

3. Azure Service Principal Credentials

  • Configure valid Azure Service Principal credentials with permissions for:
      • Authentication
      • AKS lifecycle management operations
  • Alternative: You can use User Managed Identity for resources in the cluster configuration
  • Refer to the AKS credentials documentation for detailed setup instructions
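
Because the Service Principal secret is stored in the template and reused for every cluster end users deploy, it is worth checking how much that principal can do before configuring it. The script below is an added example, not Rafay or Azure code: it flags role assignments that grant a broad built-in role above resource-group scope. The list of roles treated as broad, the function names and the sample data are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: audit the role assignments of the service principal that
# will be stored in the AKS template.

# Reads "roleName<TAB>scope" lines on stdin. Prints each assignment that
# grants a broad built-in role at root, management-group or subscription
# scope, and returns 1 if any were printed.
flag_broad_assignments() {
  awk -F'\t' '
    BEGIN {
      # Assumption: the roles this example treats as "broad".
      broad["Owner"] = 1
      broad["Contributor"] = 1
      broad["User Access Administrator"] = 1
    }
    ($1 in broad) && ($2 == "/" ||
        $2 ~ "^/subscriptions/[^/]+/?$" ||
        $2 ~ "^/providers/Microsoft[.]Management/managementGroups/") {
      print "BROAD\t" $1 "\t" $2
      found = 1
    }
    END { exit (found ? 1 : 0) }
  '
}

# Live check; needs an authenticated Azure CLI session.
# $1 is the service principal's application (client) ID.
audit_service_principal() {
  az role assignment list --assignee "$1" --all \
    --query '[].[roleDefinitionName, scope]' -o tsv | flag_broad_assignments
}

# Constructed sample data (placeholder subscription ID and resource group).
sample_assignments() {
  sub=/subscriptions/00000000-0000-0000-0000-000000000000
  printf 'Contributor\t%s\n' "$sub"
  printf 'Contributor\t%s/resourceGroups/rg-aks-dev\n' "$sub"
  printf 'Reader\t%s\n' "$sub"
}
```

Run `sample_assignments | flag_broad_assignments` to see the offline result, or `audit_service_principal <app-id>` against a real principal.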

Configuration

The AKS System Template includes the following configuration sections:

1. Agent Configuration

  • GitOps Agent or Agent Pools can be configured at the template level or added at runtime during environment deployment
  • Drives workflow execution.

2. Rafay-Specific Configuration

  • Blueprint specification for the cluster configuration
  • Project name where the AKS cluster will be created
  • Defines the Rafay platform configuration

3. Azure AKS Configuration

  • Azure-specific settings for AKS cluster creation and management
  • Includes region, node pools, networking, and other AKS-specific parameters

4. Credentials

  • Rafay API Key for platform authentication
  • Azure Credentials (Service Principal or User Managed Identity)
  • Can be configured at the template level or applied at runtime during environment deployment

Workflow Overview

The Azure AKS Template follows a centralized configuration model where platform administrators first configure and customize the template in a central project, then share it with end-user projects for consumption.

graph TD
    A[Template Catalog] --> B[Platform Admin: Get Started]
    B --> C[Share to Central Project]
    C --> D[Configure Template]
    D --> E[Customize Input Variables]
    E --> F[Set Schedules Optional]
    F --> G[Share to End User Projects]
    G --> H[End Users Deploy AKS Clusters]

Step-by-Step Guide

Step 1: Locate and Initialize the Azure AKS Template

  1. Navigate to the Template Catalog from the home page
  2. Under Kubernetes Lifecycle Management, locate the Azure AKS card
  3. Click the Get Started button
  4. Provide the following details:
      • Template name for your organization
      • Version identifier
      • Central project where you'll configure the template before sharing

Screenshot: Template Catalog with Azure AKS card highlighted

Step 2: Configure the Template

Once the Azure AKS template is shared to your central project, configure the essential components:

2.1 Add GitOps Agent

  • Configure the GitOps agent at the template level
  • This agent will drive the workflow execution for the deployment.

Screenshot: Agent configuration section

2.2 Set Up Configuration Context

  • Configure the aks-rafay-env-vars context with:
      • Azure credentials (Service Principal or User Managed Identity)
      • Rafay API key for authentication
  • Lock the credentials to prevent end users from modifying them

Screenshot 1: Configuration context with locked credentials

2.3 Lock Down Credentials

Screenshot 2: Configuration context with locked credentials

The screenshot shows a single variable being locked, but you can apply the same approach to the other credential variables. Set them as non-overridable so that end users cannot see or modify them; credentials are then handled implicitly for end users.

Step 3: Customize Input Variables

Platform administrators can customize which variables to expose to end users:

3.1 Set Default Values

  • Blueprint name and version for cluster configuration
  • Region for AKS cluster deployment
  • Kubernetes version for the cluster
  • Cluster tags for resource organization

3.2 Restrict User Inputs

  • Location restrictions (e.g., only allow specific Azure regions)
  • Blueprint restrictions (e.g., only allow approved blueprints)
  • Resource limits (e.g., maximum node count)

Screenshot 1: Input variables customization interface

2.4 Customize Input Variables

Screenshot 2: Input variables customization interface

Step 4: Configure Schedules (Optional)

Set up automated schedules for cluster lifecycle management:

  • Destroy schedule (e.g., destroy clusters at end of business day)
  • Deploy schedule (e.g., recreate clusters in the morning)
  • Maintenance windows for updates

Screenshot: Schedule configuration options

Step 5: Share with End User Projects

Once configuration is complete, save it as an active version and share the template with end-user projects:

  1. Navigate to the template sharing settings
  2. Select target end-user projects
  3. Publish the template for consumption

Screenshot: Template sharing interface

Configuration Flexibility

This workflow provides flexibility for different organizational needs:

  • Fully Managed: Platform admin configures all settings, end users simply deploy
  • Hybrid Approach: Some settings pre-configured, others left for end users
  • User-Driven: Minimal pre-configuration, maximum end-user control

The recommended approach is the fully managed configuration, which reduces the burden on end users while maintaining security and compliance standards.

End User Flow

Once the platform administrator shares the Azure AKS template to end-user projects, end users can easily deploy AKS clusters with minimal configuration effort.

Step 1: Access the Shared Template

  1. Navigate to your project where the Azure AKS template has been shared
  2. Locate the Azure AKS Template in your available templates
  3. Click Launch to begin the deployment process

Screenshot: End user project view with Azure AKS template available

Step 2: Configure Template Inputs

Based on the configuration exposed by the platform administrator, provide the necessary inputs:

2.1 Required Configuration

  • Cluster name for your AKS deployment
  • Resource group (if not pre-configured)
  • Region (if multiple regions are allowed)
  • Node pool configuration (if customizable)

2.2 Optional Configuration

  • Cluster tags for resource organization
  • Network configuration (if exposed by admin)
  • Additional labels or annotations

Screenshot: End user configuration form with input fields

Step 3: Deploy or Save Configuration

After providing all required inputs, you have two options:

Option 1: Save and Continue Later

  • Click Save to store your configuration
  • Return later to complete the deployment

Option 2: Save and Deploy

  • Click Save & Deploy to immediately start the deployment process
  • The AKS cluster creation will begin automatically

Screenshot: Save and Deploy options

Step 4: Monitor Deployment Progress

Track the deployment progress through the status indicators. The screenshot below shows how to monitor your deployment status.

Screenshot: Deployment progress monitoring interface

Approval Required

After the plan phase completes successfully, the deployment will be blocked and require your approval before proceeding with the actual cluster creation. You must explicitly approve the deployment to continue with the AKS cluster provisioning. This approval step ensures you have reviewed the planned changes before they are applied to your environment.

Step 5: Access Cluster Resources

Once the deployment status shows Success, you will receive the following output configuration:

5.1 Cluster Access Information

  • Kubeconfig file for cluster access

5.2 Resource Information

  • Resource group where cluster was created
  • Node pool details and status

Post-Deployment Information

Once the deployment is finished and shows success, the cluster will be visible under the Infrastructure tab for monitoring and dashboard purposes. All day-2 operations are available using template edit functionality - you can change values and redeploy as needed.

Step 6: Verify Cluster Access

Test your cluster access using the provided kubeconfig:

# Set kubeconfig
export KUBECONFIG=/path/to/kubeconfig

# Verify cluster access
kubectl get nodes
kubectl get namespaces
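
The kubeconfig returned by the deployment is a cluster credential, so the access check can also confirm that the file is not readable by other local users and show what the credential is allowed to do. The following is an added example, not part of the Rafay documentation; the function names are hypothetical and the path is whatever location you saved the kubeconfig to.

```shell
#!/usr/bin/env bash
# Added example: check kubeconfig file permissions before using it, then
# verify access without exporting the credential to the whole shell session.

# kubeconfig_mode_ok FILE
# Returns 0 if FILE grants nothing to group or others, 1 if it does,
# and 2 if FILE is missing or its mode cannot be read.
kubeconfig_mode_ok() {
  f=$1
  [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 2; }
  # GNU stat first, BSD/macOS stat as a fallback.
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) \
    || return 2
  case "$mode" in
    0|*00) return 0 ;;
    *) echo "$f has mode $mode; tighten it with: chmod 600 $f" >&2
       return 1 ;;
  esac
}

# verify_cluster_access FILE
# Usage: verify_cluster_access /path/to/kubeconfig
verify_cluster_access() {
  kubeconfig_mode_ok "$1" || return 1
  # --kubeconfig limits the credential to these commands only.
  echo "API server: $(kubectl --kubeconfig "$1" config view --minify \
    -o jsonpath='{.clusters[0].cluster.server}')"
  kubectl --kubeconfig "$1" get nodes || return 1
  kubectl --kubeconfig "$1" get namespaces || return 1
  # List what this credential is permitted to do in the cluster.
  kubectl --kubeconfig "$1" auth can-i --list
}
```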

Benefits for End Users

  • Simplified Deployment: Pre-configured templates reduce complexity
  • Consistent Configuration: Standardized settings across all deployments
  • Security: Credentials managed by platform administrators
  • Compliance: Built-in governance and policy enforcement
  • Self-Service: Deploy clusters without waiting for platform team assistance