Azure Kubernetes Service (AKS) is a managed Kubernetes service that enables you to deploy and manage clusters. This section explains the following procedures for deploying Identity Console in an AKS cluster:
Azure Container Registry (ACR) is an Azure-based private registry for Docker container images.
For more detailed steps, see the Create an Azure container registry using the Azure portal section in Create container registry - Portal, or perform the following steps to create an Azure Container Registry (ACR):
Sign in to Azure Portal.
Go to Create a resource > Containers > Container Registry.
In the Basics tab, specify values for Resource group and Registry name. The registry name must be unique within Azure and contain a minimum of 5 and a maximum of 50 alphanumeric characters.
Accept default values for the remaining settings.
Click Review + create.
Click Create.
Sign in to the Azure CLI and run the following command to log in to the Azure Container Registry:
az acr login --name registryname
Example:
az acr login --name idconsole
Retrieve the login server of the Azure Container Registry using the command:
az acr show --name registryname --query loginServer --output table
Example:
az acr show --name idconsole --query loginServer --output table
Tag the local image of Identity Console with the name of the ACR login server (registryname.azurecr.io) using the following command:
docker tag idconsole-image <login server>/idconsole-image
Example:
docker tag identityconsole:<version> registryname.azurecr.io/identityconsole:<version>
Push the tagged image to the registry.
docker push <login server>/identityconsole:<version>
Example:
docker push registryname.azurecr.io/identityconsole:<version>
Retrieve the list of images (repositories) in the registry using the command:
az acr repository list --name registryname --output table
Create a Kubernetes service resource using the Azure portal or the CLI.
For more detailed steps to create a Kubernetes service resource in Azure with a node, see Create an AKS Cluster in the Azure Quickstart.
NOTE:
Ensure that you select Azure CNI as the network configuration.
Select the existing virtual network (where the eDirectory server is deployed in the subnet).
Select the existing container registry where the Identity Console image is available.
A public IP address resource in the Kubernetes cluster resource group acts as the load balancer IP for the application.
For detailed steps, see Create a public IP address using the Azure portal in Create public IP address – Portal.
Use Cloud Shell, which is available in the Azure portal, for all operations.
To set up Cloud Shell in the Azure portal, see the Start Cloud Shell section in Bash – Quickstart, or perform the following steps to set up Cloud Shell and connect to the Kubernetes cluster:
In the Azure portal, click the button to Open Cloud Shell.
NOTE: To manage a Kubernetes cluster, use the Kubernetes command-line client, kubectl. kubectl is already installed if you use Azure Cloud Shell.
Configure kubectl to connect to your Kubernetes cluster using the following command:
az aks get-credentials --resource-group "resource group name" --name "Kubernetes cluster name"
Example:
az aks get-credentials --resource-group myResourceGroup --name myAKSCluster
Verify the list of the cluster nodes using the command:
kubectl get nodes
To deploy Identity Console, you can use the idc-services.yaml, idc-statefulset.yaml, idc-storageclass.yaml and idc-pvc.yaml sample files.
You can also create your own YAML files as per your requirements.
Create a storage class resource using the following command:
kubectl apply -f <location of the YAML file>
Example:
kubectl apply -f idc-storageclass.yaml
(Optional) For more information on how to dynamically create and use a persistent volume with an Azure Files share, see Dynamically create and use a persistent volume with Azure Files in Azure Kubernetes Service (AKS).
A sample storage class resource file is shown below:
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: azurefilesc
provisioner: kubernetes.io/azure-file
mountOptions:
  # 0777 with uid/gid 0 makes every file on the share readable and writable
  # by any user inside the pod; tighten these if your environment allows it.
  - dir_mode=0777
  - file_mode=0777
  - uid=0
  - gid=0
  - mfsymlinks
  - cache=strict
  - actimeo=30
parameters:
  skuName: Standard_LRS
  shareName: fileshare
A storage class resource enables dynamic storage provisioning. It defines how an Azure file share is created.
View the details of the storage class using the following command:
kubectl get sc
Create a PVC resource using the idc-pvc.yaml file:
kubectl apply -f <location of the YAML file>
Example:
kubectl apply -f idc-pvc.yaml
A sample PVC resource file is shown below:
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pvcforsc
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: azurefilesc
  resources:
    requests:
      storage: 5Gi
A persistent volume claim resource creates the file share. A persistent volume claim (PVC) uses the storage class object to dynamically provision an Azure file share.
Upload edirapi.conf, the CA certificate, and the server certificate to Cloud Shell.
Click the Upload/Download files button on Cloud Shell and upload the edirapi.conf, SSCert.pem and keys.pfx files.
NOTE: edirapi.conf has a parameter "origin". Here you need to provide the IP address with which you will access the Identity Console application (use the IP address created in the Creating a standard SKU public IP address section).
Identity Console deployment requires a server certificate (keys.pfx).
While creating the server certificate, make sure to provide a valid DNS name in the Subject Alternative Name.
Steps to build a valid DNS name:
A typical pod deployed using a StatefulSet has a DNS name of the form {statefulsetname}-{ordinal}.{servicename}.{namespace}.svc.cluster.local
If the StatefulSet name in the idc-statefulset.yaml file is idconsole-app, then statefulsetname = idconsole-app
If it is the first pod, then ordinal = 0
If you define serviceName in the idc-statefulset.yaml file as idconsole, then servicename = idconsole
If it is the default namespace, then namespace = default
Output: idconsole-app-0.idconsole.default.svc.cluster.local
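As an added example (not part of the Identity Console documentation), the shell functions below derive the pod DNS name from the four values above and then issue a keys.pfx whose Subject Alternative Name carries exactly that name, with a check that the SAN really contains it. The self-signed certificate, the ./idc-cert output directory and the "changeit" export password are assumptions for demonstration; in practice the server certificate is issued by your own CA.

```shell
#!/bin/sh
# Added example, not part of the Identity Console documentation.
# Assumptions: a self-signed certificate stands in for one issued by your CA,
# output goes to ./idc-cert, and the PFX export password is "changeit".

# build_pod_dns STATEFULSET ORDINAL SERVICE NAMESPACE
# Prints {statefulsetname}-{ordinal}.{servicename}.{namespace}.svc.cluster.local
build_pod_dns() {
    printf '%s-%s.%s.%s.svc.cluster.local\n' "$1" "$2" "$3" "$4"
}

# make_server_cert DNSNAME OUTDIR
# Writes key.pem, cert.pem and keys.pfx to OUTDIR; the certificate's SAN is
# exactly DNS:DNSNAME, as the deployment steps require.
make_server_cert() {
    dns="$1"; out="$2"
    mkdir -p "$out"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$out/key.pem" -out "$out/cert.pem" \
        -subj "/CN=$dns" -addext "subjectAltName=DNS:$dns" 2>/dev/null || return 1
    openssl pkcs12 -export -inkey "$out/key.pem" -in "$out/cert.pem" \
        -out "$out/keys.pfx" -passout pass:changeit
}

# san_has_dns CERTPEM DNSNAME
# Succeeds only when DNSNAME appears as a whole SAN entry (no prefix matches).
san_has_dns() {
    openssl x509 -in "$1" -noout -text \
        | grep -o 'DNS:[^, ]*' | grep -qx "DNS:$2"
}

# Run as: sh make-idc-cert.sh run
if [ "${1:-}" = "run" ]; then
    name=$(build_pod_dns idconsole-app 0 idconsole default)
    make_server_cert "$name" ./idc-cert
    san_has_dns ./idc-cert/cert.pem "$name" && echo "SAN contains $name"
fi
```

The resulting ./idc-cert/keys.pfx is the file you would upload to Cloud Shell in the next step.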
Create a configmap resource in the Kubernetes cluster which stores the configuration files along with the certificates.
Before running the command, make sure that the files (edirapi.conf, SSCert.pem and keys.pfx) are present in the directory.
kubectl create configmap <configmapName> --from-file=<path where the files are present>
Example:
kubectl create configmap config-data --from-file=/data
View the details of the configmap object using the kubectl describe command:
kubectl describe configmap <configmapName>
Example:
kubectl describe configmap config-data
Create a StatefulSet resource to deploy the container.
Run the following command to deploy the container:
kubectl apply -f <location of the YAML file>
Example:
kubectl apply -f idc-statefulset.yaml
A sample StatefulSet resource file is shown below:
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: idconsole-app
spec:
  serviceName: idconsole
  selector:
    matchLabels:
      app: idconsole
  replicas: 1
  template:
    metadata:
      labels:
        app: idconsole
    spec:
      containers:
        - name: idconsole-container
          image: registryname.azurecr.io/identityconsole:<version>
          env:
            - name: ACCEPT_EULA
              value: "Y"
          ports:
            - containerPort: 9000
          volumeMounts:
            - name: configfiles
              mountPath: /config/data
            - name: datapersistenceandlog
              mountPath: /config
              subPath: log
      volumes:
        - name: configfiles
          configMap:
            name: config-data
        - name: datapersistenceandlog
          persistentVolumeClaim:
            claimName: pvcforsc
Run the following command to verify the status of the deployed pod:
kubectl get pods -o wide
Create a Service resource of type LoadBalancer.
The service type specified in the YAML file is LoadBalancer.
Create a service resource using the following command:
kubectl apply -f <location of the YAML file>
Example:
kubectl apply -f idc-services.yaml
A sample service resource file is shown below:
apiVersion: v1
kind: Service
metadata:
  name: idconsole-service
  labels:
    run: idconsole-service
spec:
  type: LoadBalancer
  loadBalancerIP: xx.xx.xx.xx
  selector:
    app: idconsole
  ports:
    - port: 9000
      targetPort: 9000
      protocol: TCP
Check the EXTERNAL-IP address (or the loadBalancerIP) using the following command:
kubectl get svc -o wide
Open the URL using the EXTERNAL-IP (or the loadBalancerIP address).
Example:
https://<EXTERNAL-IP>:9000/identityconsole