Deploy Azure Kubernetes Services with Ingress Controller using Terraform


TerraformNsl.tar.gz


postgres-10.0.0.tar.gz

Contents:

  1. Create Service Principal on Azure
  2. Create Kubernetes Cluster with PostgreSQL Instance
  3. Deploying SecureLogin Advanced Edition Docker Images to AKS
  4. Accessing SecureLogin Advanced Edition UI from Browser
  5. Troubleshooting Steps
  6. Destroy and Clean up the Infrastructure
This article describes how to deploy Azure Kubernetes Service (AKS) using Terraform and then deploy SecureLogin Advanced Edition Docker images.

To deploy and run SecureLogin Advanced Edition on Azure Kubernetes Service, complete the following steps:

  1. Create Service Principal on Azure
  2. Create Kubernetes Cluster with PostgreSQL instance using Terraform
  3. Deploy SecureLogin Advanced Edition Docker images using Helm on the Azure Kubernetes Services.

1. Create Service Principal on Azure

  • Create an Azure account and login to the Azure portal (https://portal.azure.com/).
  • Authenticate to Azure.
    • Cloud Shell is automatically authenticated under the Microsoft account you used to log into the Azure portal. If your account has multiple Azure subscriptions, make sure that you are using the desired subscription.
    • Open Azure Cloud Shell by clicking on the icon next to search bar on Azure portal as shown in the figure. Choose “Bash” under the environment options.
    • Create storage (Just click the button for create storage)

  • In the Bash shell, run the following command to confirm that you are logged in and can retrieve the subscription details:
    • az login

Note: After a successful login, return to Cloud Shell; the subscription details are listed there. The relevant fields are:

  • name: the subscription name
  • id: the subscription ID. Make a note of the subscription ID.

If the user has multiple Azure subscriptions, set the account to the right subscription with the following command:  

az account set --subscription "SWServices-NTSNSLSupport-NonProd"

 

To create a service principal:

  • Make sure you have enough permission to run these commands in your subscription. For example, Owner permission on the subscription is required to run create-for-rbac.
  • Create a service principal that Terraform will use to access Azure.
    • Terraform supports several options for authenticating to Azure. When running Terraform from code, authenticating with an Azure service principal is the recommended way.
    • From the Azure Cloud Shell, run the following command to create the service principal:
      • az ad sp create-for-rbac -n "MyAppName"

This might take a while; be patient.

Note: If there is already a service principal with the same name under the given subscription, you may see an error. Provide a different and unique name. If needed, refer to How to create an Azure AD application and service principal.

 

  • Once the service principal is created, the command output contains the following details:
    • Application ID (returned as appId)
    • Application password (returned as password)
    • Tenant ID (returned as tenant)

Note: Save the application password, because it cannot be retrieved later. The appId and tenant values can be looked up later in the Azure portal under App registrations, as shown below:

 

2. Create Kubernetes Cluster with PostgreSQL Instance

There are multiple ways to create Kubernetes cluster in Azure. However, in this example, we will use Terraform for the ease of use it provides.

In this article, we will aim to create a Kubernetes cluster having one or more nodes of SecureLogin Advanced Edition. You can specify the number of nodes by editing the node count in the variables.tf terraform file.

Let us perform the following steps to create Kubernetes cluster along with PostgreSQL docker instance:

  1. Keep the following files available on your machine’s local drive:
    • TerraformNsl.tar.gz
    • postgres-10.0.0.tar.gz
    • NetIQSecureLogin-AdvancedEdition-helm-chart-1.0.0.0.tar.gz (Download SecureLogin Advanced Edition helm-chart from MicroFocus Downloads)
  2. Open Azure Cloud Shell
  3. Upload the files to your Azure Cloud Shell storage. In the Azure Cloud Shell toolbar, click “Upload/Download files” -> “Upload” and upload the files listed in step 1. They are placed in your home directory (shown as ~). Run “ls -l” in Cloud Shell to list the files and confirm that they are present.

 

 

  4. Move the files from the home folder to clouddrive using the following commands:
     mv TerraformNsl.tar.gz clouddrive/
     cd clouddrive
  5. Extract the TerraformNsl.tar.gz file using the command:
     tar -xf ./TerraformNsl.tar.gz
  6. Move the helm charts into the TerraformNsl folder and extract them using the commands:
     cd TerraformNsl
     mv ~/postgres-10.0.0.tar.gz .
     mv ~/server-9.0.0.tar.gz .
     tar -xf postgres-10.0.0.tar.gz
     tar -xf NetIQSecureLogin-AdvancedEdition-helm-chart-1.0.0.0.tar.gz

  7. Open the tfvars file and fill in the details obtained when you created the Azure service principal. Provide values for the following elements:
     • subscription_id
     • tenant_id
     • app_id
     • app_password

 

  8. Open the variables.tf file and set values for the following variables:

     resource_group_name
        Specify a group name. A resource group contains the resources required to deploy one or more virtual machines in Azure.

     cluster_name
        Specify a cluster name. A cluster is a group of linked servers that work together to improve system performance, load balancing and service availability. The cluster is created under the specified resource group.

     namespace
        Namespace under which nodes can be created and grouped. The nodes we create and run will be part of this ingress namespace.

     Ingress_script_path
        Specify the ingress script file path. This shell script sets up the ingress load balancer. You can leave it as:
        default = "./setup_ingress.sh"

     dns_prefix
        Specify a unique name; changing the default value is recommended. This value is used in the ingress script. When the setup is complete, the admin page URL will look like:
        https://<dns_prefix>.<your geo location>.cloudapp.azure.com
        For example, https://mydnsname.centralus.cloudapp.azure.com

     acr_name
        Specify a unique name for the Azure Container Registry (ACR) that will store the docker image in Azure; changing the default value is recommended. This value is used in the ingress script.
        Note: Azure accepts alphanumeric characters only (a to z and 0 to 9).

     acr_script_path
        Specify the ACR script file path. This script creates the ACR. You can leave it as:
        default = "./acrcreate.sh"

     cluster_geo_location
        Geo location where the resources are to be created. Choose the region that applies to you (see https://azure.microsoft.com/en-in/global-infrastructure/geographies/#overview). westus, centralus and southeastasia are examples of valid values.

     count_of_nodes
        Number of nodes that you want to run.

 

  9. Run terraform init
     This command downloads the required Azure provider plugins from HashiCorp to the working directory. The plugins enable communication with Azure Cloud.

  10. Run terraform plan -out nsl.plan
     This command reads the desired-state configuration in the Terraform files and prepares a plan listing the actions that will be executed. This is a dry run: it does not create or modify any resource, it only retrieves and displays the required information. This may take a minute; be patient.

  11. Run terraform apply nsl.plan
     This command executes the saved plan, so the desired state is actually configured on Azure Cloud.

  12. Verify that the Kubernetes cluster has been created on Azure. You can also verify this by viewing the resources in the Azure portal.

Note: Along with the Kubernetes cluster, the terraform apply command creates the following resources:

  • Resource group
  • Kubernetes Cluster
  • Ingress Load balancer and Certificate Manager
  • ACR
  • PostgreSQL database

Proceed with the following commands to verify that Kubernetes is set up correctly:

  • kubectl get nodes
  • kubectl get pods -n <Namespace>

For example: kubectl get pods -n nsl-ingress
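As an added example (not code from the article or the TerraformNsl package), the following Bash script checks the variables.tf and tfvars values before you run terraform plan: it applies the alphanumeric rule for acr_name, validates dns_prefix as a DNS label, checks count_of_nodes, and checks that the tfvars file holding app_password is readable only by you. The function names, the 5-50 and 3-63 length limits and the GNU-style stat call are my assumptions, not part of the package.

```shell
#!/usr/bin/env bash
# Added example, not part of the article or the TerraformNsl package: pre-flight checks on
# the variables.tf / tfvars values before "terraform plan". Intended for the TerraformNsl
# folder in Azure Cloud Shell (Linux; the permission check uses GNU/BusyBox "stat -c").

# acr_name: the article allows a-z and 0-9 only. Azure also limits registry names to
# 5-50 characters; that limit is added here as an extra, stricter check.
valid_acr_name() {
  case "$1" in ""|*[!a-z0-9]*) return 1 ;; esac
  [ "${#1}" -ge 5 ] && [ "${#1}" -le 50 ]
}

# dns_prefix becomes a public DNS label: lowercase letters, digits and hyphens only,
# starting with a letter and not ending with a hyphen (3-63 characters assumed).
valid_dns_prefix() {
  case "$1" in ""|*[!a-z0-9-]*|[!a-z]*|*-) return 1 ;; esac
  [ "${#1}" -ge 3 ] && [ "${#1}" -le 63 ]
}

# count_of_nodes must be a positive integer.
valid_node_count() {
  case "$1" in ""|*[!0-9]*) return 1 ;; esac
  [ "$1" -gt 0 ]
}

# The admin URL built from dns_prefix and cluster_geo_location, as in the table above.
ingress_host() { printf '%s.%s.cloudapp.azure.com\n' "$1" "$2"; }

# The tfvars file carries app_password: it must exist, be readable by you only (mode 600)
# and define the four keys the article lists with non-empty quoted values.
tfvars_private() {
  [ -f "$1" ] || return 1
  [ "$(stat -c %a "$1")" = "600" ] || return 1
  for key in subscription_id tenant_id app_id app_password; do
    grep -Eq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*\"[^\"]+\"" "$1" || return 1
  done
}

# Usage: preflight <acr_name> <dns_prefix> <cluster_geo_location> <count_of_nodes> <tfvars file>
preflight() {
  rc=0
  valid_acr_name "$1"   || { echo "acr_name '$1': 5-50 characters, a-z and 0-9 only" >&2; rc=1; }
  valid_dns_prefix "$2" || { echo "dns_prefix '$2': not a valid DNS label" >&2; rc=1; }
  valid_node_count "$4" || { echo "count_of_nodes '$4': must be a positive integer" >&2; rc=1; }
  tfvars_private "$5"   || { echo "$5: missing, not mode 600, or a key is unset" >&2; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK, the admin UI will be https://$(ingress_host "$2" "$3")"
  return "$rc"
}
```

Source the script in Cloud Shell and run, for example, preflight nslacr nsl-dns southeastasia 2 terraform.tfvars before terraform plan; a non-zero exit lists what to fix. Keep the tfvars file out of version control, since it contains the service principal password.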

3. Deploying SecureLogin Advanced Edition Docker Images to AKS

Prerequisite:

Docker commands are not directly supported in Azure Cloud Shell.

  1. Download and install Docker Desktop on Windows. You can download it from: https://desktop.docker.com/win/stable/Docker%20Desktop%20Installer.exe
  2. Download and install Azure CLI. You can download it from: https://aka.ms/installazurecliwindows
  • Windows includes PowerShell by default, which is used below.

 

Note: Once Docker Desktop and Azure CLI are installed, make sure that Docker Desktop is running in your local machine.

     

 

  1. Push the SecureLogin Advanced Edition docker image to Azure Cloud.

Run the following commands in PowerShell (or bash) on your local machine:

     a. Download the SecureLogin Advanced Edition docker image from MicroFocus Downloads and keep it on your local machine. Then load it into docker using the command:

        docker load --input .\<name of the docker image file>

        For example,

        docker load --input .\NetIQSecureLogin-AdvancedEdition-9.0.0.0.tar.gz

     b. Tag the docker image by running the following command:

        docker tag <source repo:tag> <acr-login-server>/<repository-name>:<tag>

        For example,

        docker tag sl_server:latest nslacr.azurecr.io/sl_server:9.0.0.0

 

Note: If needed, you can cross-check the ACR location and login server in the Azure portal:

  • Log in to the Azure portal (https://portal.azure.com/).
  • Go to Container registries and select your registry. The login server is shown on the registry's Overview page.

 

     c. Make sure that you are logged in to Azure and have access to the Container Registry:

        az login
        az acr login --name nslacr

        Alternatively: az acr login --name nslacr --username nslacr --password <acr-admin-password>

     d. If the ACR login prompts for a username and password, open the registry in the Azure portal and go to Access keys. The Admin user is disabled by default; enable it and use the credentials shown there. The admin user is a single shared credential for the whole registry, so disable it again once the image has been pushed.

 


     e. Push the docker image to the registry by running the following command:

        docker push <acr-login-server>/<repository-name>:<tag>

        For example,

        docker push nslacr.azurecr.io/sl_server:9.0.0.0

 


 

  2. Install SecureLogin Advanced Edition in Azure Cloud:

Now switch back to Azure Cloud Shell.

     a. Open the server/values.yaml file and update the following values:

        repository: <your acr name>.azurecr.io/sl_server
        tag: 9.0.0.0
        ingresshost: <dns_prefix>.<cluster_geo_location>.cloudapp.azure.com

        For example,

        ingresshost: nsl-dns.southeastasia.cloudapp.azure.com

        where nsl-dns is the dns_prefix and southeastasia is the cluster_geo_location. Both values are defined in the variables.tf file.

 

     b. Install SecureLogin Advanced Edition by running the following command:

        helm install <name-of-the-helm-chart> <chart-folder> -n <namespace>

        For example,

        helm install slserver001 SecureLogin-Server-1.0.0.0 -n nsl-murugan1ingress

        where slserver001 is the name given to the helm chart (the release name) and nsl-murugan1ingress is the specified namespace.

4. Accessing SecureLogin Advanced Edition UI from Browser:

Finally, to access the SecureLogin Advanced Edition UI, specify the ingress hostname (ingress host name value specified in server/values.yaml file) in the browser with https:// as the prefix.

Example:    

https://<dns>.<cluster_geo_location>.cloudapp.azure.com    

https://nsl-dns.southeastasia.cloudapp.azure.com/

 

 

The username and password for the web login are defined in the server/values.yaml file, for example:

  • username: John_doe
  • password: Foo_bar

For more information about Identity Store, refer to Configuring Identity Store documentation.

Note: Docker desktop is no longer needed. You can remove it when the Docker image is uploaded.

5. Troubleshooting Steps

  1. To watch the status of the pods, use the command:

     kubectl get pods -n <ingress-namespace>

     For example, kubectl get pods -n nsl-ingress

  2. To check the logs, use the command:

     kubectl logs <pod name> -n <ingress-namespace>

     For example, kubectl logs sl-server0023 -n nsl-ingress

  3. To get detailed information about a pod, use the command:

     kubectl describe pod <slserver-podname> -n <ingress-namespace>

     For example, kubectl describe pod slserver-59484f68d-6dkvl -n nsl-ingress

  4. To delete a pod, use the command:

     kubectl delete pod <slserver-podname> -n <ingress-namespace>

     For example, kubectl delete pod slserver-59484f68d-6dkvl -n nsl-ingress

  5. To list the helm charts, use the command:

     helm list -n <ingress-namespace>

     For example, helm list -n nsl-ingress

  6. To check the status of the helm release (with which SecureLogin Advanced Edition was deployed), use the command:

     helm status <chart-name> -n <ingress-namespace>

     For example, helm status slserver001 -n nsl-ingress

  7. To upgrade the helm release (for example, to deploy updated docker images), use the command:

     helm upgrade <chart-name> server -n <ingress-namespace>

     For example, helm upgrade slserver001 server -n nsl-ingress

  8. To uninstall the helm release, use the command:

     helm uninstall <chart-name> -n <ingress-namespace>

     For example, helm uninstall slserver001 -n nsl-ingress

6. Destroy and Clean Up the Infrastructure

Azure infrastructure is billed for as long as it exists, so clean it up once you no longer need it. When you have finished testing and no longer need the Azure infrastructure:

Clean up the server helm deployment with the following command (from Azure Cloud Shell):

helm uninstall slserver001 -n nsl-ingress

Remove unwanted images from the Azure Container Registry with the following command (from PowerShell):

az acr repository delete --name nslacr --image sl_server:9.0.0.0

Finally, remove the infrastructure created by the Terraform scripts with the following command (from the TerraformNsl folder in Azure Cloud Shell):

terraform destroy

 

General Note:

If you get an error while running the Terraform scripts, fix it and re-run the Terraform commands in the same sequence:

  • terraform plan -out nsl.plan
  • terraform apply nsl.plan
