Skip to content
This repository has been archived by the owner on Jul 22, 2024. It is now read-only.

Latest commit

 

History

History
103 lines (68 loc) · 4.15 KB

Deployment.md

File metadata and controls

103 lines (68 loc) · 4.15 KB

Deployment

Deploying to an Azure Subscription for the first time

If you are setting up a new micro-service pipeline from scratch, you will need to deploy all of the foundational, shared Azure resources that are necessary to support the k8 solution in Azure. All of these resources are deployed via the inception.sh script provided in this solution.

The following resources are deployed by inception.sh:

  • Azure Resource Group for all common resources
  • Azure Traffic Manager profile
  • KeyVault to store common resource secrets
  • Azure Container Registry for storing micro-service docker images
  • Azure SQL Database for backend data
  • Application Insights instance
  • Log Analytics workspace
  • Service Principal for KeyVault access

Create initial common Azure resources

These resources should only be created one time per subscription and are common resources used by all micro-services.

Step 1: configure environment variables

Open globalVariables.prod.sh and enter values for the deployment.

Step 2: Configure SSH keys

A private / public certificate key pair is required to setup the k8 cluster so client dev and ops engineers can connect to the cluster after deployment.

  • Generate new SSH keys and save it in /deployment as cluster_rsa.pub and cluster_rsa. The public portion of the SSH key will be added in clusterDefinition.json later.

Step 3: Execute inception.sh

Open a bash shell and execute inception.sh

cd /deployment
chmod 775 *.sh
./inception.sh

Copy the values for the following variables from the inception script output file - inception.txt, you will need these in deployCluster.sh. You might want to save inception.txt somewhere safe as you will need it in the future to deploy additional clusters.

K8_DEPLOYMENT_KEYVAULT_NAME
AZURE_CONTAINER_REGISTRY_NAME
AZURE_TRAFFIC_MANAGER_PROFILE_NAME
MT_CONNECTION_STRING

You will need an SSL certificate protecting the HTTP requests with the users passwords to the Middle Tier Login Service.

Specify the path to the ssl certificate .pfx file and the password protecting the .pfx in deployCluster.sh:

SSL_CERT_FILE_PATH
SSL_PASSWORD

It is not recommended to have .pfx certificate files without password protection but if your .pfx file is not protected with a password then do the following:

  • in deployCluster.sh locate az keyvault certificate import --name mt-ssl-cert --vault-name $K8_DEPLOYMENT_KEYVAULT_NAME -f $SSL_CERT_FILE_PATH --password $SSL_PASSWORD --query id line and remove --password $SSL_PASSWORD.

  • In the same file find # Validate that values have been set for required variables. Below there is [ -z "SSL_PASSWORD" ] non-empty password check - remove it.

Deploying a k8 cluster

Multiple k8 clusters can be deployed, each in their own resource group and with their own endpoint. Each time you run deployCluster.sh a new resource group will be provisioned and all resources specific for that cluster will be deployed.

The following resources are deployed by deployCluster.sh:

  • Azure Resource Group specific to the cluster
  • Service Principal to serve as the cluster identity
  • Permissions to access common resources
  • ACS Engine based k8 cluster (1 master | 3 nodes)
  • Helm
  • Traefik
  • Azure Traffic Manager endpoint to cluster

The following diagram shows the physical artifacts created in the resource group. Kubernetes Resources

Step 1: Edit deployCluster.sh

Fill out the following values....

Name of the cluster (must be unique):

CLUSTER_NAME=

Open a bash shell and execute deployCluster.sh

cd /deployment
./deployCluster.sh