Kubernetes on Azure

Context

The purpose of this document is to describe how to create the necessary infrastructure to deploy Vectice on a Kubernetes cluster in Azure, followed by instructions to deploy the Vectice software

Understanding prerequisites

Infrastructure requirements

Other requirements

2. How to provision the infrastructure

You have two ways to create the infrastructure necessary for running Vectice.

Provisioning via Terraform (with Terragrunt Wrapper)

• Expected Time: 40 minutes

• Steps:

Provisioning via Azure portal

• Expected Time: 2 hours

• Steps:

  • Create a resource group in your chosen subscription

3. How to deploy the Vectice application

The provisioning of Vectice on Kubernetes will happen in 5 steps:

Step 1: Connect to the cluster and create the Vectice namespace

First, define the variables for the next steps and retrieve connections from your deployment machine. Below, sample values are provided between brackets:

AZURE_SUBSCRIPTION=<080kkb88-bf7d-44d-b46e-3302454g5r>
CLUSTER_NAME=<vectice-cluster>
RESOURCE_GROUP=<my-resource_group>
KUBE_RESOURCE_GROUP=<kubernetes resource group>
az account set --subscription $AZURE_SUBSCRIPTION
az aks get-credentials --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME
CONTEXT=`kubectl config get-contexts | grep '*' |  grep '*' | awk '{print $2}'`

The expected output should look like this:

Merged "vectice-cluster" as current context in /home/wsl/.kube/config

Next, test the connection:

kubectl --context $CONTEXT get namespaces

The expected output should look like this:

NAME              STATUS   AGE
default           Active   3h54m
kube-node-lease   Active   3h54m
kube-public       Active   3h54m
kube-system       Active   3h54m

Finally, create the Vectice namespace where applications will be deployed:

kubectl --context $CONTEXT create namespace vectice

Step 2: Install the Cert Manager

Next, install the cert-manager and cert-manager-csi-driver applications on the cluster.

helm --kube-context $CONTEXT repo add jetstack https://charts.jetstack.io
helm --kube-context $CONTEXT repo update
helm --kube-context $CONTEXT install cert-manager jetstack/cert-manager -n cert-manager --create-namespace --set crds.enabled=true
helm --kube-context $CONTEXT install cert-manager-csi-driver jetstack/cert-manager-csi-driver --create-namespace -n cert-manager

Next, generate a custom Certificate Authority and create its associated secret:

openssl req -x509 -nodes -newkey rsa:4096 -days 3650 -keyout /tmp/ca.key -out /tmp/ca.crt -subj '/CN=vectice-internal-ca' -addext "keyUsage = keyCertSign"
kubectl --context $CONTEXT create secret tls vectice-internal-ca -n vectice --cert=/tmp/ca.crt --key=/tmp/ca.key

Step 3: Set up the Application Gateway on the cluster

If you did not have an existing Application Gateway, the creation could be blocked because of a permission issue. The AG needs to create a subnet on the Vnet used by the AKS Cluster.

As the AG belongs to the Managed Resource Group of the AKS cluster, permission is needed to add on the Managed Identity of the AG.

Navigate to the AKS managed Resource group created along with the cluster and Click on the managed Identity that contains the name of your AG (it might take a few minutes to appear).

Navigate to the Azure role assignment menu, and add the role "Network Contributor" to the general resource group you use for the resources (not the AKS managed resource group).

Add root-certificate to the application gateway

az network application-gateway root-cert create --cert-file /tmp/ca.crt --gateway-name ingress-appgateway -n vectice-internal-ca --resource-group $KUBE_RESOURCE_GROUP

Step 4: Create Secrets for Ingress and Docker Image Retriever

First, create a self-signed certificate using the following command, replacing the item highlighted with your own Common Name (CN). Below, sample values are provided between brackets.

CNVALUE=<vectice.my-company.com>
openssl req -x509 -nodes -newkey rsa:2048 -days 3650 -keyout /tmp/vectice-cert.key -out /tmp/vectice-cert.crt -subj "/CN=$CNVALUE"

Then, use the command below to install your certificates in the cluster

kubectl --context $CONTEXT create secret tls vectice-private-https -n vectice --cert=/tmp/vectice-cert.crt --key=/tmp/vectice-cert.key

kubectl --context $CONTEXT create secret docker-registry vectice-gar-secrets -n vectice \
--docker-server=https://us-docker.pkg.dev \
--docker-username=_json_key \
--docker-password="$(cat vectice-image-puller.json)" \
--docker-email=$(cat vectice-image-puller.json | grep "client_email" | cut -d '"' -f 4)

Step 5: Install the Vectice Stack

From the package your account team provided, untar helm vectice chart and create myvalues.yml from values.yml file. Below, sample values are provided between brackets.

VERSION=<241.1.0>
tar -xvf vectice-$VERSION.tgz
cd vectice-$VERSION
cp values.yaml myvalues.yaml

Next, fill in the values in myvalues.yaml according to your environment deployment, and deploy Vectice global objects using Helm

cd ..
helm --kube-context $CONTEXT upgrade --install vectice vectice -f vectice/myvalues.yaml -n vectice --create-namespace --wait 

Once this is done, retrieve the Vectice ingress IP. Note: this might take up to 5 minutes to appear

kubectl --context $CONTEXT get ingress vectice -n vectice 

The expected output should look like this. Below are example values:

NAME      CLASS                      HOSTS                    ADDRESS   PORTS     AGE
vectice   azure-application-gateway  vectice.my-company.com   2.3.4.5   80, 443   1d

Finally, add the A record as a new entry in your DNS resolver.

In this example, the A record would look like below:

DOMAIN             RECORD TYPE     NAME        CONTENT
my-company.com     A               vectice     2.3.4.5