Advanced Setup Available in v1.18.8+
Azure Integration Setup
You can set up Azure integration resources directly on your Azure account, without using ScaleOps Managed Application.
- Launch Cloud Shell in your Azure account
- Run the provided script in Cloud Shell:

```bash
curl -sL scriptshelf.scaleops.com/azure/integrate.sh | bash -s -- cloud-integration \
  --subscription-id <SUBSCRIPTION_ID> \
  --create-application
```

- After the script runs, copy the helm values provided in the output to your helm values and install ScaleOps.
- Wait for ScaleOps to integrate with your cloud data
*It may take a few minutes for the integration to complete.
Reference
Helm Parameters
| Key | Description | Default |
|---|---|---|
| enabled | Enable integration | false |
| tenantId | Azure Tenant ID | Current cluster tenant ID |
| subscriptionId | Azure Subscription ID | Current cluster subscription ID |
| applicationId | Your application ID | Application ID from ScaleOps API |
| applicationSecret | Your application Secret | Application Secret from ScaleOps API |
| applyToAllClusters | Should enable all child clusters | false |
Script parameters
| Parameter | Description | Default / Notes |
|---|---|---|
| `-s <UUID>`, `--subscription <UUID>` | Azure subscription ID (required for all commands) | |
| `-a <UUID>`, `--application <UUID>` | Azure application ID (required for all commands unless `--create-application` is used) | |
| `--create-application` | Create a new Azure AD application instead of using existing | |
| `--app-name <name>` | Name for the Azure AD application | "ScaleOps-Integration-<TIMESTAMP>" |
| `--role-name <name>` | Name for the role definition | "ScaleOps Cloud Node Integration" |
| `--use-workload-identity` | Enable workload identity setup (required for workload identity) | false |
| `--installation-namespace <NAMESPACE>` | Installation namespace (required for workload identity) | scaleops-system |
| `--cluster-name <NAME>` | AKS cluster name (required for workload identity) | |
| `-r`, `--remove` | Remove the role definition and role assignment (node-integration only) | |
| `--dry-run` | Show what would be created without making changes | |
| `-v`, `--verbose` | Print all az commands before executing them | |
| `-h`, `--help` | Show this help message | |
Permissions
Required Azure Permissions
| Role | Scope | Purpose |
|---|---|---|
| Owner or User Access Administrator | Subscription | Create custom roles and assign them to service principals |
| Application Administrator or Cloud Application Administrator | Azure AD Tenant | Create Azure AD applications and service principals |
Minimal Required Permissions
Azure AD Permissions (to create the service principal):
- `Application.ReadWrite.All` - Create Azure AD applications
- `Directory.ReadWrite.All` - Create service principals
- `Application.ReadWrite.OwnedBy` - Manage owned applications
- `Application.Read.All` - Read existing applications and service principals
Azure Subscription Permissions (to grant permissions to the service principal):
- `Microsoft.Authorization/roleDefinitions/read` - Read existing roles
- `Microsoft.Authorization/roleDefinitions/write` - Create custom roles
- `Microsoft.Authorization/roleAssignments/read` - Read existing role assignments
- `Microsoft.Authorization/roleAssignments/write` - Assign roles to service principals
- `Microsoft.Resources/subscriptions/read` - Read subscription information
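
To check whether an existing or custom role covers the subscription permissions listed above without granting more than they require, the following added example (not part of the ScaleOps documentation or script) evaluates a role definition's `actions` and `notActions` using Azure's wildcard matching. The role dictionaries and their names are constructed samples, and their shape is assumed to follow the JSON printed by `az role definition list`.

```python
import re

# Subscription-level actions the page lists as the minimum for running the script.
REQUIRED = [
    "Microsoft.Authorization/roleDefinitions/read",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Resources/subscriptions/read",
]

def matches(pattern, action):
    """Azure action patterns: '*' matches any run of characters, case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def granted(block, action):
    """A permissions block grants an action if actions match and notActions do not."""
    allowed = any(matches(p, action) for p in block.get("actions", []))
    excluded = any(matches(p, action) for p in block.get("notActions", []))
    return allowed and not excluded

def audit_role(role):
    """Return (required actions not granted, action patterns beyond the required set)."""
    blocks = role.get("permissions", [])
    missing = [a for a in REQUIRED if not any(granted(b, a) for b in blocks)]
    required = {a.lower() for a in REQUIRED}
    broader = sorted({p for b in blocks for p in b.get("actions", [])
                      if p.lower() not in required})
    return missing, broader

# Constructed sample role definitions (hypothetical names); the shape is assumed to
# follow the JSON printed by `az role definition list`.
MINIMAL = {"roleName": "script-operator-minimal",
           "permissions": [{"actions": list(REQUIRED), "notActions": []}]}
BROAD_WITH_EXCLUSIONS = {"roleName": "broad-with-exclusions",
                         "permissions": [{"actions": ["*"], "notActions": [
                             "Microsoft.Authorization/*/Write",
                             "Microsoft.Authorization/*/Delete"]}]}
AUTHZ_WILDCARD = {"roleName": "authorization-wildcard",
                  "permissions": [{"actions": ["*/read", "Microsoft.Authorization/*"],
                                   "notActions": []}]}

if __name__ == "__main__":
    for role in (MINIMAL, BROAD_WITH_EXCLUSIONS, AUTHZ_WILDCARD):
        missing, broader = audit_role(role)
        print(f"{role['roleName']}: missing={missing} broader_than_needed={broader}")
```

A role with an empty `missing` list can run the script's subscription-level steps; any entry in the second list is a grant wider than the five actions above and worth narrowing.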
Using External Secret
Run `helm template` with the correct values for the Azure node integration to retrieve the secret definition:

```bash
helm template ... --show-only templates/cloud_node_integration_settings_secret.yaml
```

Store the secret data from the helm template output on your secret provider, and reference it using External Secrets:

```yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: scaleops-cloud-node-integration-settings
  namespace: scaleops-system
spec:
  secretStoreRef:
    name: SECRET_STORE_NAME # Replace with your secret store name
    kind: ClusterSecretStore # Replace with your secret store kind
  target:
    name: scaleops-cloud-node-integration-settings
    template:
      data:
        settings: "{{ .azure_node_config }}"
  data:
    - secretKey: azure_node_config
      remoteRef:
        key: path/to/secret # Replace with your secret path
```

If you use this approach, do not include `cloudIntegration.azure` values in your helm values file.