2.4 Deploying Advanced Authentication on Azure Kubernetes Services

This section describes how to deploy Advanced Authentication on Azure Kubernetes Service. You can deploy Advanced Authentication containers into Kubernetes clusters by using Helm charts.

NOTE: The procedures in this section assume that you know the basics of how containers work.

NOTE: The Risk Service is not supported on the Advanced Authentication server that is deployed on the public cloud.

2.4.1 Prerequisites

In addition to the system requirements of the Advanced Authentication appliance, ensure that you have completed the following tasks:

  • Created an administrative account on Azure Kubernetes Services (AKS).

  • Configured a Microsoft AKS cluster.

    For more information about how to configure a Microsoft AKS cluster, see Get started tutorial.

  • Set the Node Size as DS3_V2 Standard.

  • Installed kubectl and configured it to work with Microsoft AKS.

2.4.2 Deployment Procedure

  1. Download the aaf-<version>-helm-chart.zip file from Software Licenses and Downloads.

  2. Unpack the zip file. You can view the aaf-<version>.tgz tar file.

  3. Run the following command to unpack the tar file:

    tar zxvf aaf-<version>.tgz

  4. Run one of the following commands to deploy three Advanced Authentication instances into the cluster:

    • For helm v3.0.0, and kubectl v1.19.6 or prior versions:

      helm install --namespace <name_of_kubernetes_namespace> --name=<helm_chart_release_name> --set lb.enabled=true <path_of_helm_chart>

      where lb represents the load balancer.

      For example,

      helm install --namespace aaf-test --name=aaf-test-1 --set lb.enabled=true ./aaf/

    • For helm v3.4.0 and kubectl v1.20.1 or later versions:

      helm install --create-namespace --namespace <name_of_kubernetes_namespace> <helm_chart_release_name> --set lb.enabled=true <path_of_helm_chart>

      where lb represents the load balancer.

      For example,

      helm install --create-namespace --namespace aaf-test aaf-test-1 --set lb.enabled=true ./aaf/

    NOTE: You can deploy one instance for testing purposes. However, it is highly recommended to create a cluster with multiple instances of the server for the production environment.

  5. Run the following command to get the IP addresses that are assigned to each Advanced Authentication instance in the cluster:

    kubectl -n aaf-test get svc | grep LoadBalancer

NOTE: The Configuration Portal (port 9443) is not available for the Kubernetes environment. The Managing the Appliance section is relevant only to the appliance.

Sample Deployment

This sample explains the prerequisites and the step-by-step procedure to deploy an Advanced Authentication instance on Azure with minimum configuration.

Before deployment, ensure that you perform the following tasks:

  1. Install kubectl.

  2. Configure AKS cluster.

  3. Set the Node Size as DS3_V2 Standard.

Perform the following steps to deploy Advanced Authentication on Azure with basic configuration:

  1. Run the following command to configure kubectl with the credentials for your AKS cluster:

    az aks get-credentials --resource-group myResourceGroup --name myAKSCluster

  2. Configure a cluster role binding for a particular group to grant users with the specific role access to the Advanced Authentication instance on Azure.

    For more information, see Role-based access control.

    WARNING: The following policy allows ALL service accounts to act as cluster administrators. Any application running in a container receives service account credentials automatically, and could perform any action against the API, including viewing secrets and modifying permissions. This policy is not recommended for a production environment.

    kubectl create clusterrolebinding cluster-admin-default --clusterrole=cluster-admin --user=system:serviceaccount:kube-system:default

  3. Run the following command to deploy an Advanced Authentication instance into your cluster:

    helm install --create-namespace --namespace aaf-test aaf-test-1 --set lb.enabled=true ./aaf_63/
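
The command in step 2, as written, binds the user name system:serviceaccount:kube-system:default to cluster-admin. The following script is an added example, not part of the product documentation: it lists every ClusterRoleBinding that gives cluster-admin to a service account, whether the subject is a ServiceAccount, a User named system:serviceaccount:..., or the system:serviceaccounts group. The function names, the tab-separated line format, and the sample data are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit for cluster-admin granted to service accounts.

# Emit one line per ClusterRoleBinding in the (assumed) format:
#   name <TAB> role <TAB> Kind=namespace/name,Kind=namespace/name,...
# Needs a configured kubectl; it is not called by the offline demo below.
dump_bindings() {
  kubectl get clusterrolebindings -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.roleRef.name}{"\t"}{range .subjects[*]}{.kind}{"="}{.namespace}{"/"}{.name}{","}{end}{"\n"}{end}'
}

# Read dump_bindings-format lines on stdin and print "binding<TAB>subject"
# for every cluster-admin grant that reaches a service account:
#   ServiceAccount=...                     explicit service account subject
#   User=/system:serviceaccount:...        the user name a service account
#                                          authenticates as (step 2 uses this)
#   Group=/system:serviceaccounts[:<ns>]   every service account (in <ns>)
find_admin_sa_bindings() {
  awk -F '\t' '$2 == "cluster-admin" {
    n = split($3, subj, ",")
    for (i = 1; i <= n; i++) {
      s = subj[i]
      if (s ~ /^ServiceAccount=/ ||
          s ~ /^User=\/system:serviceaccount:/ ||
          s ~ /^Group=\/system:serviceaccounts(:|$)/)
        print $1 "\t" s
    }
  }'
}

# Constructed sample input (not captured from a real cluster).
sample_bindings() {
  printf 'cluster-admin\tcluster-admin\tGroup=/system:masters,\n'
  printf 'cluster-admin-default\tcluster-admin\tUser=/system:serviceaccount:kube-system:default,\n'
  printf 'aaf-view\tview\tServiceAccount=aaf-test/default,\n'
  printf 'ci-admin\tcluster-admin\tServiceAccount=ci/deployer,User=/alice@example.com,\n'
}

# Offline demo; on a live cluster run: dump_bindings | find_admin_sa_bindings
sample_bindings | find_admin_sa_bindings
```

A binding reported for the test deployment can be deleted with kubectl delete clusterrolebinding cluster-admin-default, the name created in step 2.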