Access Manager Docker deployment steps in Microsoft Azure


Description:

This article covers deploying Access Manager (NAM) in Azure. An earlier article covered deploying Azure Kubernetes Service with Terraform; this one gives a step-by-step approach to deploying NAM in the Azure cloud.

Note: to set up the Kubernetes service, you can use the existing cool solution based on Terraform: /cyberres/accmgmt/accessmanager/w/access_manager_tips/19482/deploying-azure-kubernetes-cluster-and-nam-docker-images-beta-using-azure-cli-and-terraform

Initially, this article focuses on using the Azure-provided CLI options to deploy a basic environment. Later, this could be added to automation (CI/CD).

Prerequisite:

  • You need a valid Azure account with a role that can create and view resource groups and applications.
  • Administer the Azure deployment from a client system. Here, I have used an Ubuntu system.

Process:

Step 1 - Environment Setup:

Note: Values in angle brackets (bold in the original) are variable names.

  1. Azure login: az login
  2. Create a resource group
    1. az group create --name <vneerajResourceGroup> --location <southeastasia>
  3. Create an Azure container registry (ACR) if you are using engineering-provided images. Otherwise, use the Micro Focus Docker registry when it is available.
    1. az acr create --resource-group <vneerajResourceGroup> --name <vneerajNAMAcr> --sku Basic
  4. Create an Azure Kubernetes cluster (AKS)
    1. az aks create --resource-group <vneerajResourceGroup> --name <myAKSCluster> --node-count 3 --nodepool-name <n> --generate-ssh-keys --attach-acr <vneerajNAMAcr>
  5. Get the AKS credentials for kubectl (this also logs you in to the cluster)
    1. az aks get-credentials --resource-group <vneerajResourceGroup> --name <myAKSCluster>
  6. Log in to the ACR
    1. sudo az acr login --name <vneerajNAMAcr>
  7. List the nodes and their IP addresses
    1. az vm list-ip-addresses --resource-group <vneerajResourceGroup> -o table
    2. kubectl get nodes -o wide
  8. Create a namespace
    1. kubectl create namespace <development>
  9. Deploy the ingress controller
    1. kubectl run nginx --image=nginx:alpine --port=8080 --restart=Never
    2. helm install nam-ingress ingress-nginx/ingress-nginx --set controller.publishService.enabled=true
    3. kubectl get pods,svc

Deploy Access Manager

  1. Add the helm repository and download the Access Manager charts
    1. Add the helm repository: helm repo add access-manager-charts <repo-name>
    2. helm repo update
    3. helm pull --untar --version 1.0.0 access-manager-charts/access-manager
  2. Modify the helm charts
    1. Navigate to the untarred chart directory and open the values.yaml file
    2. Modify these fields:
      • Image:
        1. repository: <repository location>
        2. Image secret: if any
      • Amconfig:
        1. Primary IP address
        2. Secondary IP address
      • Amsecret:
        1. Admin name and password
        2. Values for the admin console
      • Am-ac [these names can be pulled from the pod details in the previous section]
        1. Primary AC node name
        2. Secondary AC node name
      • Am-idp
        1. Replica count
        2. Selected ports
      • Am-ag
        1. Define ports
      • Ingress configuration:
        1. Enabled: true [false by default]
        2. AC host: <DNS name>
        3. IDP host: <DNS name>
        4. AG host: <DNS name>
    3. Save the file

Note: Ensure you use these DNS names when configuring the IDP and AG URLs on the admin server.

  3. Execute the helm chart [run this from outside the access-manager directory]
    1. helm install --namespace development access-manager access-manager
  4. Once deployed, check the status
    1. kubectl get --namespace development statefulset,pods,pv,pvc,svc,ingress

Once all three containers show the Running state, capture the public IP address, add host entries (if the URLs are not public) and access the admin console using the DNS name.

After Step 4, the container status will look like this:

NAME                      READY   STATUS    RESTARTS   AGE
pod/access-manager-am-ac-0    2/2     Running   0          24h
pod/access-manager-am-ag-0    1/1     Running   0          24h
pod/access-manager-am-idp-0   1/1     Running   0          24h

and the ingress controller IP detail:

NAME                                            CLASS    HOSTS                                                         ADDRESS         PORTS     AGE
ingress.extensions/access-manager-ingress-https   <none>   www.cloudac.com, www.cloudidp.com, www.cloudag.com 1 more...   20.197.105.71   80, 443   24h

Note: 20.197.105.71 is the ingress address. Add it together with the corresponding host names to the system hosts file, and to the hosts file on all client devices.

Access the admin console using this URL: https://<ac-url>:443/nps

Note: When configuring the IDP, use 443 as the port. After this, it is a standard NAM configuration.

Steps to configure front-end SSL:

Consider the AG DNS name to be www.cloudag.com, with a certificate created for it in Access Manager. Note that the ingress is also configured with the same DNS name.

  1. Download the PFX certificate file from the AC UI.
  2. Extract the certificate and key, so that the k8s secret can be created from them. The third command removes the password from the key.
    1. openssl pkcs12 -in <ag_exportedCert.pfx> -clcerts -nokeys -out <ag.cert>
    2. openssl pkcs12 -in <ag_exportedCert.pfx> -nocerts -out <ag_pwd.key>
    3. openssl rsa -in <ag_pwd.key> -out <ag.key>
  3. Create a secret and add it to the yaml file.
    1. kubectl create secret tls cloudag --key ag.key --cert ag.cert -n development

In yaml:

  tls:
    - secretName: cloudag
      hosts:
        - www.cloudag.com

  4. Repeat the same steps for the IDP as well and update the values.yaml file.
  5. Once done, run the helm upgrade to make it take effect
    1. helm upgrade access-manager access-manager -n development
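The extraction and secret creation above, as an added example script that is not part of the article: it pulls the certificate and the key out of the exported PFX (using -nodes instead of the article's separate openssl rsa step), verifies that the key belongs to the certificate and that the ingress host is in the certificate's SAN, and only then creates the secret. The PFX_PASSWORD environment variable and the script's argument order are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the article: PFX -> PEM -> Kubernetes TLS secret, with checks.
# File names, secret name and namespace follow the article's AG example; the PFX
# password comes from the PFX_PASSWORD environment variable (an assumption here).
set -eu

# pem_from_pfx <pfx> <cert-out> <key-out>: write the leaf certificate and an
# unencrypted private key as PEM.  -nodes skips the PEM passphrase, so the
# article's follow-up "openssl rsa" step is not needed.
pem_from_pfx() {
    umask 077   # the key file must not be readable by other users
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:PFX_PASSWORD -out "$2"
    openssl pkcs12 -in "$1" -nocerts -nodes -passin env:PFX_PASSWORD -out "$3"
}

# cert_matches_key <cert> <key>: succeed only when the public key inside the
# certificate equals the one derived from the private key (RSA or EC).  A
# mismatched pair is accepted by "kubectl create secret tls" but breaks TLS.
cert_matches_key() {
    openssl x509 -in "$1" -noout 2>/dev/null && openssl pkey -in "$2" -noout 2>/dev/null || return 1
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_host_ok <cert> <dns-name>: the ingress host must be listed in the
# certificate's subjectAltName; browsers ignore the CN alone.
cert_host_ok() {
    openssl x509 -in "$1" -noout -text | grep -Eq "DNS:$2([, ]|\$)"
}

# tls_secret_from_pfx <pfx> <secret-name> <dns-name> <namespace>: run the checks,
# then create the secret exactly as the article does.
tls_secret_from_pfx() {
    pem_from_pfx "$1" "$2.cert" "$2.key"
    cert_matches_key "$2.cert" "$2.key" || { echo "key does not match certificate in $1" >&2; return 1; }
    cert_host_ok "$2.cert" "$3" || { echo "$3 is not in the certificate's SAN" >&2; return 1; }
    kubectl create secret tls "$2" --key "$2.key" --cert "$2.cert" -n "$4"
}

# Usage for the article's AG example:
#   PFX_PASSWORD='...' sh tls-secret.sh ag_exportedCert.pfx cloudag www.cloudag.com development
if [ $# -eq 4 ]; then
    tls_secret_from_pfx "$1" "$2" "$3" "$4"
fi
```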

Further:

If you have non-standard ports for the AG web server, you need to add them to the values.yaml file of the access-manager charts, e.g.:

am-ag:
  # if enabled: false, then AG will not be deployed
  enabled: true
  # replicaCount: 2 - To increase AG instances to desired number
  replicaCount: 1
  # OPTIONAL - Ports to be exposed in AG kubernetes service
  service:
    port:
      - 80
      - 443
      - 8000
      - 8001
      - 445
  # OPTIONAL - Additional pod/node affinity can be configured for AG pod
  affinity: {}

Comment List
  • Hi

    PS C:\WINDOWS\system32> kubectl get nodes -o wide
    NAME                                STATUS   ROLES   AGE   VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE             KERNEL-VERSION     CONTAINER-RUNTIME
    aks-agentpool-20294322-vmss000000   Ready    agent   39h   v1.20.7   10.240.0.4    <none>        Ubuntu 18.04.5 LTS   5.4.0-1051-azure   containerd://1.4.4+azure
    aks-agentpool-20294322-vmss000001   Ready    agent   39h   v1.20.7   10.240.0.5    <none>        Ubuntu 18.04.5 LTS   5.4.0-1051-azure   containerd://1.4.4+azure
    PS C:\WINDOWS\system32>

    PS C:\WINDOWS\system32> kubectl get pods,svc
    NAME                                                        READY   STATUS    RESTARTS   AGE
    pod/nam-ingress-ingress-nginx-controller-65d74469d9-j9r9w   1/1     Running   0          5m14s
    pod/nginx                                                   1/1     Running   0          34m

    NAME                                                     TYPE           CLUSTER-IP     EXTERNAL-IP     PORT(S)                      AGE
    service/kubernetes                                       ClusterIP      10.0.0.1       <none>          443/TCP                      39h
    service/nam-ingress-ingress-nginx-controller             LoadBalancer   10.0.254.117   52.147.218.30   80:30363/TCP,443:31634/TCP   5m14s
    service/nam-ingress-ingress-nginx-controller-admission   ClusterIP      10.0.129.117   <none>          443/TCP                      5m14s

    How Do I Add helm repository and download the access manager charts

    1. Add helm repository
    2. helm repo add access-manager-charts <repo-name> What is the repository name?
    3. helm repo update
    4. helm pull --untar --version 1.0.0 access-manager-charts/access-manager