2.5 Deploying Advanced Authentication on Azure Kubernetes Services in an Air Gap Environment

This document contains details on the deployment of Advanced Authentication in an air gap environment on Azure Kubernetes Service. You can deploy Advanced Authentication containers into Kubernetes clusters using the docker images and Helm charts.

An air gap environment is a server or cluster that is disconnected from public networks for security. To install Advanced Authentication in an air gap environment, an administrator must download the required installation files to a server that is connected to the Internet, and then transfer them to an installation server that is not connected to the public Internet but is connected to a private intranet.

2.5.1 Prerequisites

In addition to the system requirements of the Advanced Authentication appliance, ensure that you have completed the following tasks:

  • Created an administrative account on Azure Kubernetes Services (AKS).

  • Configured a Microsoft AKS cluster.

    For more information about how to configure a Microsoft AKS cluster, see the Get started tutorial.

  • Set the Node Size as DS3_V2 Standard.

  • Installed kubectl and configured it to work with Microsoft AKS.

  • Performed the Pre-Deployment Procedure.

2.5.2 Pre-Deployment Procedure

  1. Download the AdvancedAuthDocker-<version>.zip file from Software Licenses and Downloads.

  2. Unzip the AdvancedAuthDocker-<version>.zip file and navigate to the dockerimages directory.

  3. Run the following command to load the images from the docker images tgz file on your server (the option is the lowercase -i, short for --input):

    docker load -i aauth-images.tgz

  4. Run the following command and verify that the images are loaded:

    docker images

    • mfsecurity/aaf-webauth:<version>

    • mfsecurity/aaf-aucore:<version>

    • mfsecurity/aaf-redis:<version>

    • mfsecurity/aaf-repldb:<version>

    • mfsecurity/aaf-fipsd:<version>

    • mfsecurity/aaf-afisd:<version>

    • mfsecurity/aaf-radiusd:<version>

    • mfsecurity/aaf-searchd:<version>

    • mfsecurity/aaf-webd:<version>

    • mfsecurity/aaf-audb:<version>

    • gliderlabs/logspout:<version>

  5. Run the following commands to retag the docker images with the name of your internal docker repository, keeping the image name and version:

    docker tag mfsecurity/<name>:<version> <internalDocker>/<name>:<version>

    docker tag gliderlabs/<name>:<version> <internalDocker>/<name>:<version>

  6. Run the following command to push the newly tagged images to your internal docker repository:

    docker push <internalDocker>/<name>:<version>
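The load check, retag and push of steps 4 to 6 for the whole image list, as an added example script that is not part of the Advanced Authentication documentation; the registry host, the version and the DRY_RUN variable are assumptions, and the check reads `docker images` output so a push never starts from an incomplete load:

```shell
#!/bin/sh
# Added example, not from the product documentation. Assumes the internal
# registry host and image version are passed as arguments; with DRY_RUN=1
# (the default) the docker commands are only printed, so no daemon is needed.

# Images listed in step 4; all but the last live under mfsecurity/.
AAF_IMAGES="mfsecurity/aaf-webauth mfsecurity/aaf-aucore mfsecurity/aaf-redis
mfsecurity/aaf-repldb mfsecurity/aaf-fipsd mfsecurity/aaf-afisd
mfsecurity/aaf-radiusd mfsecurity/aaf-searchd mfsecurity/aaf-webd
mfsecurity/aaf-audb gliderlabs/logspout"

# retag_target SOURCE_IMAGE REGISTRY VERSION: prints the internal tag in the
# <internalDocker>/<name>:<version> form of step 5 (upstream prefix dropped).
retag_target() {
    name=${1#*/}
    printf '%s/%s:%s\n' "$2" "$name" "$3"
}

# verify_loaded VERSION (reads `docker images` output on stdin): returns 1
# and names every missing image:tag, so a push never starts from a partial load.
verify_loaded() {
    listing=$(cat)
    missing=0
    for src in $AAF_IMAGES; do
        # REPOSITORY and TAG are the first two columns of `docker images`
        if ! printf '%s\n' "$listing" |
            awk -v r="$src" -v t="$1" '$1 == r && $2 == t { f = 1 } END { exit !f }'; then
            echo "missing: $src:$1" >&2
            missing=1
        fi
    done
    return $missing
}

# retag_and_push REGISTRY VERSION: steps 5 and 6 for every image.
retag_and_push() {
    for src in $AAF_IMAGES; do
        target=$(retag_target "$src" "$1" "$2")
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "docker tag $src:$2 $target"
            echo "docker push $target"
        else
            docker tag "$src:$2" "$target" && docker push "$target"
        fi
    done
}
```

After sourcing the file on the connected download server, `docker images | verify_loaded <version> && DRY_RUN=0 retag_and_push <internalDocker> <version>` runs the real commands only when every expected image is present.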

2.5.3 Deployment Procedure

  1. Download the aaf-<version>-helm-chart.zip file from Software Licenses and Downloads.

  2. Unpack the zip file. It contains the aaf-<version>.tgz tar file.

  3. Run the following command to unpack the tar file:

    tar zxvf aaf-<version>.tgz

  4. Modify the values.yaml file by replacing the default repository value mfsecurity with the value for your internal repository, internalDocker.

  5. Run one of the following commands to deploy three Advanced Authentication instances into the cluster:

    • For helm v3.0.0, and kubectl v1.19.6 or prior versions:

      helm install --namespace <name_of_kubernetes_namespace> --name=<helm_chart_release_name> --set lb.enabled=true <path_of_helm_chart>

      where lb represents the load balancer.

      For example,

      helm install --namespace aaf-test --name=aaf-test-1 --set lb.enabled=true ./aaf/

    • For helm v3.4.0 and kubectl v1.20.1 or later versions:

      helm install --create-namespace --namespace <name_of_kubernetes_namespace> <helm_chart_release_name> --set lb.enabled=true <path_of_helm_chart>

      where lb represents the load balancer.

      For example,

      helm install --create-namespace --namespace aaf-test aaf-test-1 --set lb.enabled=true ./aaf/

    NOTE: You can deploy one instance for testing purposes, but it is highly recommended to create a cluster with multiple instances of the server for the production environment.

  6. Run the following command to get the IP addresses that are assigned to each Advanced Authentication instance in the cluster:

    kubectl -n aaf-test get svc | grep LoadBalancer

NOTE: The Configuration Portal (port 9443) is not available in the Kubernetes environment. The Managing the Appliance section is relevant only to the appliance.