2.4 Deploying Identity Console In Azure Kubernetes Services

Azure Kubernetes Service (AKS) is a managed Kubernetes service that enables you to deploy and manage clusters. This section includes the following procedures:

2.4.1 Deploying Identity Console in AKS Cluster

This section explains the following procedures to deploy Identity Console in an AKS cluster:

Creating an Azure Container Registry (ACR)

Azure Container Registry (ACR) is a private, Azure-hosted registry for Docker container images.

For detailed steps, see the Create an Azure container registry using the Azure portal section in Create container registry - Portal, or perform the following steps to create an Azure Container Registry (ACR):

  1. Sign in to Azure Portal.

  2. Go to Create a resource > Containers > Container Registry.

  3. In the Basics tab, specify values for Resource group and Registry name. The registry name must be unique within Azure and contain between 5 and 50 alphanumeric characters.

    Accept default values for the remaining settings.

  4. Click Review + create.

  5. Click Create.

  6. Sign in to the Azure CLI, then run the following command to log in to the Azure Container Registry:

    az acr login --name registryname

    Example:

    az acr login --name idconsole
  7. Retrieve the login server of the Azure Container Registry using the following command:

    az acr show --name registryname --query loginServer --output table

    Example:

    az acr show --name idconsole --query loginServer --output table
  8. Tag the local image of Identity Console with the name of the ACR login server (registryname.azurecr.io) using the following command:

    docker tag <local image>:<version> <login server>/<image>:<version>

    Example:

    docker tag identityconsole:<version> registryname.azurecr.io/identityconsole:<version>
  9. Push the tagged image to the registry.

    docker push <login server>/identityconsole:<version>

    Example:

    docker push registryname.azurecr.io/identityconsole:<version>
  10. Retrieve the list of repositories (images) in the registry using the following command:

    az acr repository list --name registryname --output table
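The registry steps above collected into one re-runnable script, as an added example that is not part of the original page or of the Identity Console product. It validates the registry name against the ACR naming rule (5 to 50 alphanumeric characters), derives the login server, tags and pushes the image, and then prints the immutable digest so that the StatefulSet can reference image@sha256:... rather than a mutable tag. The registry name idconsole and the local image name identityconsole:<version> are assumptions taken from the page's examples; the az and docker calls run only when the script is invoked as `./acr-push.sh push <registry> <image:tag>`.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): push the Identity Console image to ACR.
# Assumed names: registry "idconsole", local image "identityconsole:<version>".
set -eu

# ACR registry names: 5-50 alphanumeric characters, globally unique in Azure.
validate_registry_name() { # registry
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]{5,50}$'
}

# Login server in the documented form <registry>.azurecr.io (lower-cased).
# The authoritative value is `az acr show --name <registry> --query loginServer`.
acr_login_server() { # registry
  printf '%s.azurecr.io\n' "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
}

# Fully qualified reference for the image inside the registry.
acr_image_ref() { # registry image:tag
  printf '%s/%s\n' "$(acr_login_server "$1")" "$2"
}

# Log in, tag, push, then report the digest that actually landed in the registry.
push_to_acr() { # registry localimage:tag
  registry=$1; local_image=$2
  validate_registry_name "$registry" || { echo "invalid registry name: $registry" >&2; return 1; }
  remote=$(acr_image_ref "$registry" "$local_image")
  az acr login --name "$registry"
  docker tag "$local_image" "$remote"
  docker push "$remote"
  # The repo digest is immutable; pin the StatefulSet to image@sha256:... with it.
  docker inspect --format='{{index .RepoDigests 0}}' "$remote"
  # Confirm the tag is visible in the registry (repository name is the part before ':').
  az acr repository show-tags --name "$registry" --repository "${local_image%%:*}" --output table
}

if [ "${1:-}" = "push" ]; then
  push_to_acr "$2" "$3"
fi
```

Pinning by digest matters here because the StatefulSet pulls from a registry that other people can push to; a tag such as identityconsole:1.0 can be silently re-pointed, a digest cannot.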

Setting Up a Kubernetes Cluster

Create an Azure Kubernetes Service (AKS) cluster using the Azure portal or the Azure CLI.

For detailed steps to create an AKS cluster with a node pool, see Create an AKS cluster in the Azure Quickstart.

NOTE:

  • Ensure that you select Azure CNI as the network configuration, so that pods receive IP addresses from the virtual network subnet and can reach the eDirectory server directly.

  • Select the existing virtual network whose subnet contains the eDirectory server.

  • Select the existing container registry where the Identity Console image is available, so that the cluster is granted pull access to it.

Creating a standard SKU public IP address

A Standard SKU public IP address resource in the cluster's node resource group (the MC_<resource group>_<cluster name>_<region> group that AKS creates) is used as the load balancer IP for the application. Standard SKU is required because AKS provisions a Standard load balancer, and the address must live in the node resource group unless the Service carries the service.beta.kubernetes.io/azure-load-balancer-resource-group annotation naming the group that holds it.

For detailed steps, see Create a public IP address using the Azure portal in Create public IP address - Portal.

Setting Up Cloud Shell and Connecting to Kubernetes Cluster

Use Cloud Shell, which is available in the Azure portal, for all of the following operations.

To set up Cloud Shell in the Azure portal, see the Start Cloud Shell section in Bash - Quickstart, or perform the following steps to set up Cloud Shell and connect to the Kubernetes cluster:

  1. In the Azure portal, click the button to Open Cloud Shell.

    NOTE: To manage a Kubernetes cluster, use the Kubernetes command-line client, kubectl. kubectl is already installed if you use Azure Cloud Shell.

  2. Configure kubectl to connect to your Kubernetes cluster using the following command:

    az aks get-credentials --resource-group "resource group name" --name "Kubernetes cluster name"

    Example:

    az aks get-credentials --resource-group myResourceGroup --name myAKSCluster
  3. Verify the list of the cluster nodes using the command:

    kubectl get nodes

Deploying the Application

To deploy Identity Console, you can use the idc-services.yaml, idc-statefulset.yaml, idc-storageclass.yaml, and idc-pvc.yaml sample files.

You can also create your own yaml files as per the requirement.

  1. Create a storage class resource using the following command:

    kubectl apply -f <location of the YAML file>

    Example:

    kubectl apply -f idc-storageclass.yaml

    (Optional) For more information on how to dynamically create and use a persistent volume backed by an Azure Files share, see Dynamically create and use a persistent volume with Azure Files in Azure Kubernetes Service (AKS).

    A sample storage class resource file is shown below:

    kind: StorageClass
    apiVersion: storage.k8s.io/v1
    metadata:
      name: azurefilesc
    provisioner: kubernetes.io/azure-file
    mountOptions:
      - dir_mode=0777
      - file_mode=0777
      - uid=0
      - gid=0
      - mfsymlinks
      - cache=strict
      - actimeo=30
    parameters:
      skuName: Standard_LRS
      shareName: fileshare

    A storage class resource enables dynamic storage provisioning; it defines how an Azure file share is created. Because Azure Files is mounted over SMB, the mountOptions above decide the owner and mode that every file on the share presents inside the container: dir_mode=0777 and file_mode=0777 with uid=0 and gid=0 make the whole share world-writable in the pod. Narrow these once you know the UID and GID the Identity Console process runs as.

  2. View the details of the storage class using the following command:

    kubectl get sc
  3. Create a PVC resource using the idc-pvc.yaml file:

    kubectl apply -f <location of the YAML file>

    Example:

    kubectl apply -f idc-pvc.yaml

    A sample PVC resource file is shown below:

    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: pvcforsc
    spec:
      accessModes:
        - ReadWriteMany
      storageClassName: azurefilesc
      resources:
        requests:
          storage: 5Gi

    A persistent volume claim (PVC) uses the storage class object to dynamically provision an Azure file share; creating the claim is what creates the file share.

  4. Upload edirapi.conf, the CA certificate, and the server certificate to Cloud Shell.

    Click the Upload/Download files icon in Cloud Shell and upload the edirapi.conf, SSCert.pem, and keys.pfx files.

    NOTE: edirapi.conf has an "origin" parameter. Set it to the IP address at which the Identity Console application will be accessed, that is, the public IP address created in the Creating a standard SKU public IP address section.

    The Identity Console deployment requires a server certificate (keys.pfx).

    When creating the server certificate, make sure that the Subject Alternative Name (SAN) contains a valid DNS name.

    Steps to build a valid DNS name:

    A pod deployed by a StatefulSet has a DNS name of the form {statefulsetname}-{ordinal}.{servicename}.{namespace}.svc.cluster.local (Kubernetes publishes this per-pod record through the headless Service named in the StatefulSet's serviceName).

    • If the StatefulSet name in idc-statefulset.yaml is idconsole-app, then statefulsetname = idconsole-app

    • For the first pod, ordinal = 0

    • If serviceName in idc-statefulset.yaml is idconsole, then servicename = idconsole

    • If the default namespace is used, then namespace = default

    Output: idconsole-app-0.idconsole.default.svc.cluster.local

  5. Create a ConfigMap resource in the Kubernetes cluster that stores the configuration file along with the certificates.

    Before running the command, make sure that the files (edirapi.conf, SSCert.pem, and keys.pfx) are the only files present in the directory, because every regular file in it becomes a key in the ConfigMap.

    Note that keys.pfx holds the server's private key, and Kubernetes does not treat a ConfigMap as sensitive: RBAC roles that allow reading ConfigMaps are far more common than roles that allow reading Secrets. If your policy requires it, store keys.pfx in a Secret (kubectl create secret generic) and mount that into the pod alongside the ConfigMap.

    kubectl create configmap <configmapName> --from-file=<directory containing the files>

    Example:

    kubectl create configmap config-data --from-file=/data
  6. View the details of the ConfigMap object using the kubectl describe command:

    kubectl describe configmap <configmapName>

    Example:

    kubectl describe configmap config-data
  7. Create a StatefulSet resource to deploy the container.

    Run the following command to deploy the container:

    kubectl apply -f <location of the YAML file>

    Example:

    kubectl apply -f idc-statefulset.yaml

    A sample StatefulSet resource file is shown below:

    apiVersion: apps/v1
    kind: StatefulSet
    metadata:
      name: idconsole-app
    spec:
      serviceName: idconsole
      selector:
        matchLabels:
          app: idconsole
      replicas: 1
      template:
        metadata:
          labels:
            app: idconsole
        spec:
          containers:
          - name: idconsole-container
            image: registryname.azurecr.io/identityconsole:<version>
            env:
            - name: ACCEPT_EULA
              value: "Y"
            ports:
            - containerPort: 9000
            volumeMounts:
              - name: configfiles
                mountPath: /config/data
              - name: datapersistenceandlog
                mountPath: /config
                subPath: log
          volumes:
            - name: configfiles
              configMap:
                name: config-data
            - name: datapersistenceandlog
              persistentVolumeClaim:
                claimName: pvcforsc
  8. Run the following command to verify the status of the deployed pod:

    kubectl get pods -o wide
  9. Create a Service resource of type LoadBalancer.

    The service type specified in the YAML file is LoadBalancer. Replace the xx.xx.xx.xx placeholder in loadBalancerIP with the Standard SKU public IP address created earlier; if Azure cannot find that address, the Service's EXTERNAL-IP stays at <pending>.

    Create a service resource using the following command:

    kubectl apply -f <location of the YAML file>

    Example:

    kubectl apply -f idc-services.yaml

    A sample service resource file is shown below:

    apiVersion: v1
    kind: Service
    metadata:
      name: idconsole-service
      labels:
        run: idconsole-service
    spec:
      type: LoadBalancer
      loadBalancerIP: xx.xx.xx.xx
      selector:
        app: idconsole
      ports:
       - port: 9000
         targetPort: 9000
         protocol: TCP

    Check the EXTERNAL-IP address (which should match the loadBalancerIP) using the following command:

    kubectl get svc -o wide
  10. Open the following URL in a browser, using the EXTERNAL-IP (or the loadBalancerIP address):

    Example:

    https://<EXTERNAL-IP>:9000/identityconsole

    The server certificate's SAN contains the cluster-internal pod name; unless it also covers the name or address typed into the browser, the browser will warn about a certificate name mismatch.
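One script covering steps 4 through 10, as an added example that is not from the original page or the Identity Console product. It converts keys.pfx to PEM and fails early if the Subject Alternative Name does not contain the pod DNS name built in step 4, applies the manifests in dependency order (storage class, PVC, ConfigMap, StatefulSet, Service), waits for the StatefulSet to roll out and for the load balancer address to appear, and prints the Identity Console URL. Resource and file names (idconsole-app, idconsole, config-data, idconsole-service, the idc-*.yaml files) follow the page's samples; the NAMESPACE and PFX_PASSWORD environment variables and the single-directory layout are assumptions. The kubectl and openssl calls run only when the script is invoked as `./idc-deploy.sh deploy <dir>`.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): pre-flight the server certificate,
# apply the Identity Console manifests in order, and wait for the load balancer.
# Assumed: NAMESPACE (default "default") and PFX_PASSWORD environment variables;
# resource and file names follow the page's sample manifests.
set -eu
NAMESPACE=${NAMESPACE:-default}

# {statefulsetname}-{ordinal}.{servicename}.{namespace}.svc.cluster.local
statefulset_pod_dns() { # statefulset service namespace ordinal
  printf '%s-%s.%s.%s.svc.cluster.local\n' "$1" "$4" "$2" "$3"
}

# DNS entries of a PEM certificate's subjectAltName, one per line.
# `openssl x509 -text` prints "DNS:a, DNS:b" on the line after the SAN header.
cert_dns_sans() { # cert.pem
  openssl x509 -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Exact match of a hostname against a newline-separated SAN list. Wildcards are
# deliberately not honoured: a wildcard covers one label, the pod name has five.
san_has_name() { # hostname san_list
  printf '%s\n' "$2" | grep -Fxq "$1"
}

# Fail unless keys.pfx covers the first pod's cluster DNS name. The PKCS#12
# password is read from $PFX_PASSWORD so it never appears on the command line.
check_server_cert() { # keys.pfx
  expected=$(statefulset_pod_dns idconsole-app idconsole "$NAMESPACE" 0)
  pem=$(mktemp)
  openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:PFX_PASSWORD -out "$pem"
  if san_has_name "$expected" "$(cert_dns_sans "$pem")"; then
    echo "certificate SAN covers $expected"; rm -f "$pem"
  else
    echo "certificate SAN does not contain $expected" >&2; rm -f "$pem"; return 1
  fi
}

# EXTERNAL-IP column of service $1 in `kubectl get svc -o wide` text ($2).
# Returns 1 while the address is still <pending> or the service is absent.
external_ip_from_table() { # service table_text
  ip=$(printf '%s\n' "$2" | awk -v svc="$1" 'NR > 1 && $1 == svc { print $4 }')
  case "$ip" in ''|'<pending>'|'<none>') return 1 ;; esac
  printf '%s\n' "$ip"
}

# Poll the Service until Azure has attached the load balancer IP (default 60 x 5 s).
wait_for_external_ip() { # service [tries]
  tries=${2:-60}
  while [ "$tries" -gt 0 ]; do
    if ip=$(external_ip_from_table "$1" "$(kubectl -n "$NAMESPACE" get svc -o wide)"); then
      printf '%s\n' "$ip"; return 0
    fi
    tries=$((tries - 1)); sleep 5
  done
  echo "timed out waiting for the EXTERNAL-IP of $1" >&2; return 1
}

deploy() { # directory holding edirapi.conf, SSCert.pem, keys.pfx and the idc-*.yaml files
  dir=$1
  check_server_cert "$dir/keys.pfx"
  kubectl -n "$NAMESPACE" apply -f "$dir/idc-storageclass.yaml"
  kubectl -n "$NAMESPACE" apply -f "$dir/idc-pvc.yaml"
  # --dry-run=client | apply makes this step re-runnable after editing edirapi.conf.
  kubectl -n "$NAMESPACE" create configmap config-data \
    --from-file="$dir/edirapi.conf" --from-file="$dir/SSCert.pem" --from-file="$dir/keys.pfx" \
    --dry-run=client -o yaml | kubectl -n "$NAMESPACE" apply -f -
  kubectl -n "$NAMESPACE" apply -f "$dir/idc-statefulset.yaml"
  kubectl -n "$NAMESPACE" rollout status statefulset/idconsole-app --timeout=300s
  kubectl -n "$NAMESPACE" apply -f "$dir/idc-services.yaml"
  ip=$(wait_for_external_ip idconsole-service)
  echo "Identity Console: https://$ip:9000/identityconsole"
}

if [ "${1:-}" = "deploy" ]; then
  deploy "$2"
fi
```

The script keeps all three files in the ConfigMap so that it works with the page's sample StatefulSet unchanged. If you move keys.pfx into a Secret, add a second volume to the StatefulSet that mounts the Secret under /config/data (for example with subPath: keys.pfx), because the sample manifest reads all three files from the single ConfigMap volume.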