Manage Azure costs by using CCM on Harness Self-Managed Enterprise Edition
This topic walks you through the steps required to set up CCM for Azure in a self-managed platform.
Figure: Azure CCM Self-Managed Enterprise Edition architecture diagram
You need to perform the following tasks to set up CCM for Azure. For steps 1, 2, and 3, sign in to your Azure Portal:
- Set up a new Application via App Registration.
- Create a new Client secret.
- Set up a new Storage Account and a new Storage Container.
- Deploy workloads via Helm charts.
Set up a new Application via App Registration
- Give it a Name like Harness CCM App.
- For Supported account types, select: Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant).
- Click Register. For more information, go to Quickstart: Register an App.
Create a new Client secret
- Once you click Register, the App Overview page opens.
- From the Overview page, copy and save the following:
  Directory (tenant) ID → tenantId
  Application (client) ID → clientId
- Now click Certificates & secrets in the left panel.
- Go to the Client secrets (0) tab.
- Click New client secret.
- Enter the Description Harness CCM Client Secret.
- From the Expires drop-down, select 730 days (24 months) (or the maximum allowed time).
- Click the Add button.
- From the new Client secret, copy and save Value → clientSecret. For more information, go to Add credentials.
Make a note of the following:
- tenantId
- clientId
- clientSecret
Set up a new Storage Account and a new Storage Container
- Select a Subscription from the drop-down.
- Select a Resource Group from the drop-down.
- Enter the Storage account name ccmbillingdatasmp. Save Storage account name → storageName
- Move to the Advanced tab.
- In the Blob storage section, enable Allow cross-tenant replication.
- Click Review.
- Click Create. For more information, go to Create a storage account.
- Once the storage account is created, go to Containers in the left panel.
- Click + Container.
- Enter the Name as billingdatacontainer. Save Name as → containerName
- Click Create. For more information, go to Create a container.
- Go to Shared access signature in the left panel.
- Check all Allowed resource types, which are Service, Container, and Object.
- Add 10 years to End in Start and expiry date/time.
- Click Generate SAS and connection string.
- Save SAS token → sasToken, starting from sv= and ignoring the ? at the beginning. For more information, go to Create your SAS tokens.
Make a note of the following:
- storageName
- containerName
- sasToken
Deploy workloads via Helm charts
- Clone the chart repository.
git clone git@github.com:harness/helm-charts.git
cd main/src/harness
- Upgrade charts if you're already using Harness Self-Managed Enterprise Edition services. Perform the following steps to update the override files:
  - Retrieve the current override values provided during the installation or upgrade of the Helm charts.
    helm get values <chart-name> -n <namespace> > override.yaml
  - After obtaining the override file, make the necessary modifications as mentioned below.
  - Override file changes for a connected environment
    Air-gapped environment for Azure in SMP is not supported as of now.
- After making the necessary updates to the override file, you can proceed with the Helm chart upgrade.
helm upgrade <chart-name> <chart-directory> -n <namespace> -f override.yaml
Handling Kubernetes secrets
When installing or upgrading the Helm charts, Kubernetes secrets with default values are created within the cluster. Update these generated secrets with the values noted above. Before updating a secret, base64-encode each value. For example, if your HARNESS_CE_AZURE_CLIENTID value is "clientId", it is stored as Y2xpZW50SWQ= after encoding.
The following are the secrets specific to CCM services:
- batch-processing
kubectl edit secret batch-processing -n <namespace>
HARNESS_CE_AZURE_CLIENTSECRET: "<clientSecret>"
HARNESS_CE_AZURE_SAS: "<sasToken>"
HARNESS_CE_AZURE_CLIENTID: "<clientId>"
HARNESS_CE_AZURE_TENANTID: "<tenantId>"
- cloud-info-secret-mount [config-file]
kubectl edit secret cloud-info-secret-mount -n <namespace>
config-file: <Config file> [In "Config file" provided below: Replace <clientId>, <tenantId> and <clientSecret>]
- nextgen-ce
kubectl edit secret nextgen-ce -n <namespace>
AZURE_APP_CLIENT_SECRET: "<clientSecret>"
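The encoding step and the SAS token trimming described above, shown as an added shell example that is not part of the Harness documentation. It assumes a POSIX shell with the base64 utility; the function names and every sample value are constructed for illustration.

```shell
#!/bin/sh
# Added example. Every input value below is a constructed placeholder.

# Encode a value exactly as given: printf '%s' avoids the trailing newline
# that echo appends; tr removes line wrapping some base64 builds insert.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Drop one leading "?" from a copied SAS token and require that the rest
# starts with "sv=", as the Shared access signature step describes.
normalize_sas() {
  sas=${1#\?}
  case $sas in
    sv=*) printf '%s' "$sas" ;;
    *) echo "SAS token does not start with sv=" >&2; return 1 ;;
  esac
}

# Succeeds only if a stored value decodes to text with no trailing newline
# (the usual result of encoding with echo instead of printf '%s').
has_clean_ending() {
  decoded=$(printf '%s' "$1" | base64 -d; printf x)  # x keeps a final \n
  case ${decoded%x} in
    *'
') return 1 ;;
  esac
  return 0
}

# Print the data entries for the batch-processing secret.
# Arguments: clientId tenantId clientSecret sasToken
batch_processing_data() {
  token=$(normalize_sas "$4") || return 1
  printf 'HARNESS_CE_AZURE_CLIENTSECRET: "%s"\n' "$(b64 "$3")"
  printf 'HARNESS_CE_AZURE_SAS: "%s"\n' "$(b64 "$token")"
  printf 'HARNESS_CE_AZURE_CLIENTID: "%s"\n' "$(b64 "$1")"
  printf 'HARNESS_CE_AZURE_TENANTID: "%s"\n' "$(b64 "$2")"
}

# Constructed sample run; paste the output into `kubectl edit secret`.
batch_processing_data "clientId" "constructed-tenant" "constructed-secret" \
  "?sv=2022-11-02&ss=b&sig=CONSTRUCTED"
```

A value encoded with echo decodes with a trailing newline (Y2xpZW50SWQK for clientId), and has_clean_ending reports it as unclean.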
Config file
The following are some secrets from platform-service that you need to update:
- smtp-secret - Required to support budget alerts email.
kubectl edit secret smtp-secret -n <namespace>
SMTP_HOST: <SMTP_HOST>
SMTP_PASSWORD: <SMTP_PASSWORD>
SMTP_PORT: <SMTP_PORT>
SMTP_USE_SSL: <SMTP_USE_SSL>
SMTP_USERNAME: <SMTP_USERNAME>
Increase TimescaleDB to 100Gi:
kubectl edit pvc wal-volume-harness-timescaledb-0 -n <namespace>
Features like Recommendations and Anomalies within CCM services use it.