
Deployment Procedure

Review the Prerequisites before you start the deployment. The steps to deploy the web application services are:

Download Installer Package

To download the latest version of the CTIX installer package, run the following command:

wget https://packages.cyware.com/repository/cyware/ctix-azure/ctix-azure.zip

Create an AKS Cluster

Use the following steps to create an AKS cluster:

  1. Sign in to the Azure portal and, under Azure services, select Kubernetes services.

  2. To create a new cluster, click +Create and select Kubernetes cluster.

  3. Set up the following configuration for the cluster:

    • Kubernetes cluster name: In Basics, go to Cluster details and enter a name for the Kubernetes cluster.

    • Kubernetes version: Select version 1.29.4.

    • Authentication and Authorization: Select Local accounts with Kubernetes RBAC.

    • Network configuration: Go to the Networking tab, and in Network configuration, select Azure CNI Node Subnet.

    • Public Access: Enable Set authorized IP ranges and add your public IP address, or a comma-separated list of addresses, so that the API server accepts connections only from those ranges.

    • Go to the Monitoring tab and clear the Enable Prometheus metrics, Enable Grafana, and Enable recommended alert rules options.

  4. In the Node pools tab, ensure you have created the 5 node pools with the configurations listed in System Requirements.

  5. Go to Review + create and click Create.

Connect the AKS Cluster to your Local Machine

  1. After you create the AKS cluster on Azure, run the following commands on your local machine to connect to the AKS cluster:

    az login
    az aks get-credentials --resource-group <resource_group_name> --name <aks_name> --file ~/.kube/config

    Replace <resource_group_name> and <aks_name> with the names you configured while creating the cluster.

  2. To verify that the local machine is connected to the AKS cluster, run the following command; it must list the nodes of the node pools you created:

    kubectl get nodes

  3. Deploy the Nginx ingress and KEDA Helm charts into the cluster.

    • Use the following commands to install the Nginx chart with the value override in the cluster:

      helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
      helm repo update
      helm install nginx --namespace nginx ingress-nginx/ingress-nginx --values <local path of the values override folder>/nginx-values.yaml --version 4.10.0 --create-namespace

      Replace <local path of the values override folder> with the path of the values override folder extracted from the CTIX installer zip file.

    • Use the following commands to install the KEDA chart in the cluster:

      helm repo add kedacore https://kedacore.github.io/charts
      helm repo update
      helm install keda kedacore/keda --namespace keda --create-namespace

Enable Application Gateway Ingress Controller

Use the following steps to enable application gateway ingress controller:

  1. In the Azure portal, open the AKS cluster you created in Create an AKS Cluster.

  2. In the left pane, click Settings and select Networking. Go to Virtual network integration and enable Ingress controller.

  3. After you enable the ingress controller, click ingress-appgateway to open the page of the application gateway that the add-on created.

  4. In the left pane, click Settings and select Backend pools.

  5. Click Add and name the backend pool as nginx-pool. In the Add backend pool without targets, select Yes and click Add.

Configure Virtual Machine Scale Sets

To configure virtual machine scale sets, follow these steps:

  1. In the Azure portal, search for Virtual machine scale sets and select the workeredge scale set.

  2. Go to Networking and select Load balancing.

  3. Click Add load balancing and select Add existing.

  4. In the load balancing options, select Application gateway.

  5. In Select an application gateway, select the ingress-appgateway gateway that was created when you enabled the ingress controller.

  6. In the left pane, select Instances, select all the instances in the list, and click Upgrade so that the instances pick up the new backend membership.

  7. Go to the Application gateways page and open the ingress-appgateway gateway.

  8. Go to Settings and select Backend settings. Click Add and configure the following settings:

    • Backend setting name: Enter a name for the backend setting.

    • Backend protocol: Select HTTP protocol.

    • Backend port: Add 31673 port number.

  9. In the left pane, select Health probes and click Add. Enter the following details:

    • Name: Enter a name for the probe.

    • Protocol: select the HTTP protocol.

    • Pick host name from backend settings: Select No.

    • Host: Enter the host name as localhost.

    • Pick port from backend settings: Select No.

    • Port: Enter 31673 port number.

    • Path: Add / as the path.

    • Use probe matching conditions: Select Yes.

    • HTTP response status code match: Enter the range 200-499.

    • Backend settings: Select the backend setting you created in step 8. Select the checkbox I want to test the backend health before adding the health probe and click Test.

    Verify if the backend health is configured successfully.

  10. In the left pane, select Listeners and click Add listener. Enter the following details for the listener:

    • Listener name: Enter a name for the listener. You cannot edit the name after the listener is created.

    • Frontend IP: Select the Public option.

    • Protocol: Select HTTPS so that client connections to the gateway are encrypted. Because the backend setting from step 8 uses HTTP, the gateway terminates TLS and forwards plaintext to the nginx node port inside the virtual network; this is not end-to-end TLS.

    • Port: Enter the port number 443 for the listener.

    • In the Https Settings, choose a certificate based on where your SSL certificate is stored.

    • Listener type: Select Multi site listener type.

    • Host type: Select Multiple/Wildcard host type.

    • Host name: Enter *.cyware.com as the hostname and click Add.

  11. In the left pane, Select Rules and click Routing rule. Enter the following details:

    • Rule name: Enter a name for the rule.

    • Priority: Enter 1. Priority defines the order in which the rules are processed.

    • Go to the Listener tab and select the listener you have created in the previous step.

    • Go to the Backend targets tab and select Target type as Backend pool.

    • Backend settings: Select the backend setting you created in step 8 and Click Add.

Create a Key Vault to Store Secrets

To create a key vault, follow these steps:

  1. Go to the Key vaults services and click Create.

  2. Enter the following details:

    • Key vault name: Enter a name for the key vault.

    • Resource group: Select the resource group name you have created and click Next.

    • Go to the Access configuration tab, and in Permission model, select Vault access policy. Grant the account you are signed in with full permissions on the vault; this is the operator account used for the one-time setup, while the cluster identities configured later receive only the get permission on secrets.

    • Go to the Review + create tab, and click Create.

Configure AKS Pods with Azure Key Vault and Workload Identity

  1. On your local machine, run the following commands to install the External Secrets Operator, enable the OIDC issuer on the cluster, register the Azure AD application that the pods will use to reach Azure Key Vault, and capture the identifiers needed by the next steps:

    helm repo add external-secrets https://charts.external-secrets.io
    helm repo update
    helm install external-secrets external-secrets/external-secrets -n external-secrets --create-namespace

    az aks update --resource-group <RESOURCE_GROUP> --name <AKS_NAME> --enable-oidc-issuer
    SERVICE_ACCOUNT_ISSUER=$(az aks show --resource-group <RESOURCE_GROUP> --name <AKS_NAME> --query "oidcIssuerProfile.issuerUrl" -o tsv)
    APP_NAME="aks-sa-app"
    APP_ID=$(az ad app create --display-name "$APP_NAME" --query appId -o tsv)
    SERVICE_PRINCIPAL=$(az ad sp create --id "$APP_ID" --query id -o tsv)
    KUBELET_IDENTITY_OBJECT_ID=$(az aks show --resource-group <RESOURCE_GROUP> --name <AKS_NAME> --query 'identityProfile.kubeletidentity.objectId' -o tsv)

    Replace <RESOURCE_GROUP> and <AKS_NAME> with the resource group and cluster name you used when creating the cluster. Keep this shell session open: the following steps use the APP_NAME, APP_ID, SERVICE_PRINCIPAL, SERVICE_ACCOUNT_ISSUER, and KUBELET_IDENTITY_OBJECT_ID variables set here.

  2. Run the following command to create a service account using Azure Workload Identity (azwi):

    azwi serviceaccount create phase sa \
      --aad-application-name "${APP_NAME}" \
      --service-account-namespace "external-secrets" \
      --service-account-name "default"

  3. Run the following command to create a federated identity using Azure Workload Identity (azwi):

    azwi serviceaccount create phase federated-identity \
      --aad-application-name "${APP_NAME}" \
      --service-account-namespace "external-secrets" \
      --service-account-name "default" \
      --service-account-issuer-url "${SERVICE_ACCOUNT_ISSUER}"
  4. Run the following command to create a new namespace in your Kubernetes cluster:

    kubectl create ns <CTIX_NAMESPACE>
  5. Run the following command to create a Kubernetes service account in the namespace you just created:

    azwi serviceaccount create phase sa \
    --aad-application-name "${APP_NAME}" \
    --service-account-namespace "<CTIX_NAMESPACE>" \
    --service-account-name "default"

    Replace the CTIX_NAMESPACE with the name you have provided in the previous step.

  6. Run the following commands to set up the federated identity relationship between the Azure AD application and the Kubernetes service account:

    azwi serviceaccount create phase federated-identity \
    --aad-application-name "${APP_NAME}" \
    --service-account-namespace "<CTIX_NAMESPACE>" \
    --service-account-name "default" \
    --service-account-issuer-url "${SERVICE_ACCOUNT_ISSUER}"

    Replace <CTIX_NAMESPACE> with the namespace you created in step 4.

  7. Run the following commands to grant the two identities read access to secrets in the key vault:

    az keyvault set-policy --name <VAULT_NAME> --object-id "$KUBELET_IDENTITY_OBJECT_ID" --secret-permissions get
    az keyvault set-policy --name <VAULT_NAME> --object-id "$SERVICE_PRINCIPAL" --secret-permissions get

    Replace <VAULT_NAME> with the name of the key vault you created. Only the get permission on secrets is granted; that is the least privilege the External Secrets Operator needs to read a named secret, so avoid widening it.

  8. In the docs_and_templates folder of the extracted CTIX installer zip file, open eso-default-sa.yaml. Replace <APP_ID> with the APP_ID value generated in step 1 and add the tenant ID of the Azure AD (Entra ID) tenant that holds the application; az account show --query tenantId -o tsv prints it for the signed-in account.

     In clustersecretstore.yaml, replace VAULT_URL with the URL of the vault you created. To retrieve it, go to the Azure portal, search for Key vaults, open your key vault, and copy the Vault URI (of the form https://<vault-name>.vault.azure.net/) shown in the Overview.

  9. After you update the files, apply them:

    kubectl apply -f eso-default-sa.yaml
    kubectl apply -f clustersecretstore.yaml
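The two manifests edited in steps 8 and 9 can also be generated from the shell variables already set in this session instead of being edited by hand. The script below is an added example, not part of the CTIX installer or Cyware's own templates: the annotation keys are those of Azure Workload Identity and the store schema is the External Secrets Operator azurekv provider, while the store name azure-kv-store, the apiVersion external-secrets.io/v1beta1, and the refusal to render while a <PLACEHOLDER> is still unfilled are assumptions of this example. Source the file, then call the functions.

```shell
#!/usr/bin/env bash
# Added example (not from the CTIX installer): render eso-default-sa.yaml and
# clustersecretstore.yaml from shell variables and refuse to emit anything while
# a value is empty or still wrapped in angle brackets. The store name
# azure-kv-store and apiVersion external-secrets.io/v1beta1 are assumptions.

# Reject empty values and anything still looking like <PLACEHOLDER>.
require_filled() {
  local name="$1" value="$2"
  case "$value" in
    ""|*"<"*|*">"*)
      echo "error: $name is not filled in (got '$value')" >&2
      return 1 ;;
  esac
}

# ServiceAccount that ESO exchanges for an Azure AD token. ESO reads the
# client-id and tenant-id annotations when a store references this account.
render_eso_sa() {
  local app_id="$1" tenant_id="$2" namespace="${3:-external-secrets}"
  require_filled APP_ID "$app_id" || return 1
  require_filled TENANT_ID "$tenant_id" || return 1
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
  namespace: ${namespace}
  annotations:
    azure.workload.identity/client-id: "${app_id}"
    azure.workload.identity/tenant-id: "${tenant_id}"
EOF
}

# ClusterSecretStore that reads the vault with the federated identity above;
# only the "get" permission granted in step 7 is exercised.
render_clustersecretstore() {
  local vault_url="$1" namespace="${2:-external-secrets}"
  require_filled VAULT_URL "$vault_url" || return 1
  case "$vault_url" in
    https://*.vault.azure.net|https://*.vault.azure.net/) ;;
    *) echo "error: VAULT_URL must look like https://NAME.vault.azure.net" >&2
       return 1 ;;
  esac
  cat <<EOF
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: azure-kv-store
spec:
  provider:
    azurekv:
      authType: WorkloadIdentity
      vaultUrl: "${vault_url}"
      serviceAccountRef:
        name: default
        namespace: ${namespace}
EOF
}

# Usage, with APP_ID from step 1 and the tenant and vault URI looked up via az:
#   render_eso_sa "$APP_ID" "$(az account show --query tenantId -o tsv)" > eso-default-sa.yaml
#   render_clustersecretstore "$(az keyvault show --name <VAULT_NAME> --query properties.vaultUri -o tsv)" > clustersecretstore.yaml
#   kubectl apply -f eso-default-sa.yaml -f clustersecretstore.yaml
```

The placeholder check is the point of the script: a ServiceAccount applied with a literal <APP_ID> annotation fails only later, when the first ExternalSecret tries to fetch a token, and the error surfaces in the ESO controller logs rather than at apply time.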

Create Subnet

To create a subnet, follow these steps:

  1. In the Azure portal, search for Virtual networks, and open the virtual network that AKS created automatically. It is in the node resource group, whose name starts with MC_ followed by the resource group name and the cluster name.

  2. In the left pane, go to Settings and select Subnets.

  3. Click +Subnet and enter the following details:

    • Name: Enter database as the name for the subnet.

    • Subnet delegation: Select Microsoft.DBforPostgreSQL/flexibleServers.

  4. Click Add.

Create an Azure Database for PostgreSQL Flexible Servers

To create an Azure Database for PostgreSQL Flexible Servers, follow these steps:

  1. In the Azure portal, go to Azure Database for PostgreSQL flexible servers, and click Create.

  2. Enter the following details:

    • Server name: Enter a name for the server.

    • Resource group: Select the resource group you have created.

    • PostgreSQL version: Select PostgreSQL version 13.

    • Admin username: Enter postgres in the admin username.

    • Compute + storage: Select Compute + Storage and configure the following:

      • Compute tier: Select Burstable (1-20 vCores) - Best for workloads that don’t need the full CPU continuously option.

      • Compute size: Select Standard_B1ms (1 vCore, 2 GiB memory, 640 max iops) option.

      • Storage size: Select 255 GiB storage.

      • Storage Auto-growth: Enable the Storage Auto-growth option.

  3. Click Create.

  4. After the server is created, configure the following settings:

    • In the left pane, click Settings and select Server parameters. Search for azure.extensions and select the PG_CRON and UUID-OSSP values. Search for require_secure_transport and set it to OFF; this permits unencrypted client connections, so keep the server reachable only over the private subnet configured in the next setting. Search for cron.database_name and select the ingestion_b2f4ff80 value.

    • In the left pane, click Settings and select Networking. In Connectivity method, select Private. Under Virtual network, select the virtual network that AKS created, and in Subnet, select the database subnet you created.

    • In Settings, select Authentication and ensure that PostgreSQL (password) authentication is enabled.

Deploy Elasticsearch, Redis, Redis-dedup, Kafka, and Zookeeper

Before deploying, ensure that the public IP address of the cluster's Kubernetes load balancer is added to the allowed list on the Cyware Nexus ALB.

To retrieve the IP address, in the Azure portal, go to Load balancers; the resource group you created contains a load balancer named Kubernetes. Go to Settings, select Frontend IP configuration, and copy the IP address. Contact Cyware support to add it to the allowed list on the Cyware Nexus ALB.

  1. Run the following commands to deploy Elasticsearch:

    helm template <path to elasticsearch folder> -f <path to elasticsearch values override file> > elasticsearch-deploy.yaml
    kubectl apply -f elasticsearch-deploy.yaml -n <CTIX_NAMESPACE>

    Use the elasticsearch folder and the elasticsearch values override file from the CTIX installer zip file, and replace <CTIX_NAMESPACE> with the namespace you created. The first command writes the rendered manifest with >, so rerunning it replaces the file instead of appending a second copy.

  2. In the CTIX installer package, update the values.yaml file in the kafka-zookeeper Helm folder with the CTIX_NAMESPACE you created. Run the following commands to deploy Kafka and Zookeeper:

    helm template <path to kafka-zookeeper folder> > kafka-zookeeper-deploy.yaml
    kubectl apply -f kafka-zookeeper-deploy.yaml -n <CTIX_NAMESPACE>

    Use the kafka-zookeeper folder from the CTIX installer zip file; kafka-zookeeper-deploy.yaml is the manifest rendered by the first command. Replace <CTIX_NAMESPACE> with the namespace you created.

  3. Run the following commands to deploy redis and redis-dedup:

    helm repo add redis https://charts.bitnami.com/bitnami
    helm repo update
    helm install ctix-redis --namespace <CTIX_NAMESPACE> redis/redis --values <path to redis override file> --version 16.13.2
    helm install redis-dedup --namespace <CTIX_NAMESPACE> redis/redis --values <path to redis dedup override file> --version 16.13.2

    Add the path to redis override file and redis dedup override file from the CTIX installer zip file. Replace the CTIX_NAMESPACE with the name you have provided earlier.

Run the following command to verify if the components are running successfully:

 kubectl get po -n <CTIX_NAMESPACE>

Replace the CTIX_NAMESPACE with the name you have provided earlier.

The output of the above command must display all the pods in the Running status.

Create a Secret in the Key Vault

Before you create the secret, update secret.json: in the extracted CTIX installer zip file, go to the docs_and_templates folder and open secret.json. Update the values for DOMAIN, TENANT_NAME, CTIX_DB_HOST, CTIX_DB_USER, CTIX_DB_PORT, CTIX_DB_PASSWORD, INTEGRATION_DATABASE_HOST, INTEGRATION_DATABASE_USER, INTEGRATION_DATABASE_PORT, and INTEGRATION_DATABASE_PASSWORD. After you update the file, copy its content.

Note

To retrieve the database values, go to Azure Database for PostgreSQL flexible server > Connect > Connection details. Copy the values of PGHOST, PGUSER, and PGPORT into the corresponding host, user, and port fields of secret.json. Treat the edited file as sensitive: it holds the database passwords in clear text, so delete it from the workstation once the secret is stored in the vault.

To create the secret in the key vault, follow these steps:

  1. In the Azure portal, go to the Key vaults service and open the key vault that you created.

  2. In the left pane, click Objects and select Secrets.

  3. Click Generate/Import and enter a name for the secret. In Secret value, paste the content copied from secret.json. Note the secret name: it is the externalsecretpath value used when deploying the CTIX services.
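Because a missing or still-templated value in secret.json only surfaces later, when the CTIX pods fail to reach the database, it pays to check the file before it goes into the vault. The script below is an added example, not part of the CTIX installer: it verifies that every key this section names is present and filled in, and then stores the file with az keyvault secret set as a command-line alternative to pasting into the portal. The key list is the one above; the secret name passed to upload_secret_json, the placeholder convention <NAME>, and the grep-only parsing (so that jq is not required) are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the CTIX installer): validate a filled-in secret.json
# before it is stored in Key Vault, then upload it with the CLI. Assumes
# unfilled values are either empty or written as "<PLACEHOLDER>".

REQUIRED_SECRET_KEYS="DOMAIN TENANT_NAME CTIX_DB_HOST CTIX_DB_USER CTIX_DB_PORT
CTIX_DB_PASSWORD INTEGRATION_DATABASE_HOST INTEGRATION_DATABASE_USER
INTEGRATION_DATABASE_PORT INTEGRATION_DATABASE_PASSWORD"

# Returns 0 only if every required key is present and none is empty or still a
# "<PLACEHOLDER>"; each problem is reported on stderr. Uses grep only, no jq.
check_secret_json() {
  local file="$1" key rc=0
  [ -r "$file" ] || { echo "error: cannot read $file" >&2; return 1; }
  for key in $REQUIRED_SECRET_KEYS; do
    if ! grep -Eq "\"$key\"[[:space:]]*:" "$file"; then
      echo "missing: $key" >&2; rc=1
    elif grep -Eq "\"$key\"[[:space:]]*:[[:space:]]*\"(<[^\"]*>)?\"" "$file"; then
      echo "unfilled: $key" >&2; rc=1
    fi
  done
  return $rc
}

# Upload only after the check passes. The secret name chosen here must match
# the externalsecretpath value set later in the Helm values files.
upload_secret_json() {
  local vault="$1" secret_name="$2" file="$3"
  check_secret_json "$file" || return 1
  az keyvault secret set --vault-name "$vault" --name "$secret_name" \
    --file "$file" --output none
}

# Usage:
#   upload_secret_json <VAULT_NAME> ctix-secrets ./docs_and_templates/secret.json
```

Run the check again after any later edit to secret.json; az keyvault secret set on an existing name creates a new version of the secret, and the External Secrets Operator picks up the latest version on its next refresh.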

Deploying CTIX Services

Before you start, update the values.yaml files of the ctix-services folder, migration-jobs folder, tenant folder, and common folder. Update the values for domain, namespace, and externalsecretpath (secret name). These values should be the same as the value entered in the secret.json file.

To deploy CTIX services, follow these steps:

  1. Run the following command to deploy the common services:

    helm install common <path to common folder> -n <CTIX_NAMESPACE> 

    Add the path to the common folder from the CTIX installer zip file and replace the CTIX_NAMESPACE with the namespace you created.

  2. Run the following command to deploy tenant service:

    helm install tenant <path to tenant folder> -f <ctix-values override file> -n <CTIX_NAMESPACE> 

    Add the path to the tenant folder and ctix-values override file from the CTIX installer zip file and replace the CTIX_NAMESPACE with the namespace you have created.

  3. Run the following command to run the migration jobs:

    helm install ctix-migrations <path to migration-jobs folder> -f <ctix values override file> -n <CTIX_NAMESPACE>

    Add the path to migration-jobs folder and ctix values override file from the CTIX installer zip file and replace the CTIX_NAMESPACE with the namespace you have created.

  4. Run the following commands to check the status of jobs:

    kubectl get jobs -n <CTIX_NAMESPACE>
    kubectl get pods -n <CTIX_NAMESPACE> | grep sync
    kubectl logs <pod_name> -n <CTIX_NAMESPACE>

    Replace the CTIX_NAMESPACE with the namespace you have created.

  5. After the successful completion of migration, run the following command to deploy CTIX:

    helm install ctix-services <path to ctix-services folder> -f <ctix values override file> -n <CTIX_NAMESPACE>

    Add the paths to ctix-services folder and ctix values override file from the CTIX installer zip file and replace the CTIX_NAMESPACE with the namespace you have created.
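The readiness checks in this procedure (all pods Running after deploying the data services, and the migration jobs finished before the CTIX services are installed) are done by eye with kubectl get. The script below is an added example, not part of the CTIX installer: it parses the --no-headers output of kubectl get pods and kubectl get jobs, reports anything not yet healthy, and polls a namespace until both lists are empty. The sample output embedded in it is constructed for offline use; pod and job names in it are illustrative, and the 15-second poll interval and 600-second default timeout are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the CTIX installer): scriptable readiness checks for
# the namespace. Pod and job names in the samples are constructed.

# Pods are healthy only when STATUS is Running with every container ready, or
# Completed (finished job pods). Everything else is printed as NAME READY STATUS.
pods_not_ready() {
  awk 'NF < 3 { next }
       {
         split($2, r, "/")
         if ($3 == "Completed") next
         if ($3 == "Running" && r[1] == r[2]) next
         print $1, $2, $3
       }'
}

# Jobs are done when COMPLETIONS reads n/n; others are printed as NAME COMPLETIONS.
jobs_incomplete() {
  awk 'NF < 2 { next }
       {
         split($2, c, "/")
         if (c[1] != c[2]) print $1, $2
       }'
}

# Poll the live cluster; returns 1 (and lists the offenders) if anything is
# still unhealthy after the timeout, or if kubectl itself fails.
wait_for_namespace() {
  local ns="$1" timeout="${2:-600}" waited=0 pods jobs bad
  while :; do
    pods=$(kubectl get pods -n "$ns" --no-headers) || return 1
    jobs=$(kubectl get jobs -n "$ns" --no-headers) || return 1
    bad=$(printf '%s\n' "$pods" | pods_not_ready; printf '%s\n' "$jobs" | jobs_incomplete)
    [ -z "$bad" ] && return 0
    if [ "$waited" -ge "$timeout" ]; then
      echo "still not ready in $ns after ${timeout}s:" >&2
      printf '%s\n' "$bad" >&2
      return 1
    fi
    sleep 15; waited=$((waited + 15))
  done
}

# Constructed sample of `kubectl get pods --no-headers` output.
SAMPLE_PODS='ctix-redis-master-0              1/1   Running            0   5m
elasticsearch-master-0           0/1   Pending            0   5m
kafka-0                          1/1   CrashLoopBackOff   4   5m
ctix-migrations-sync-x4k2p       0/1   Completed          0   2m
ctix-api-7d9c4f8b6-abcde         1/2   Running            0   1m'

# Constructed sample of `kubectl get jobs --no-headers` output.
SAMPLE_JOBS='ctix-migrations-sync   1/1   45s   3m
ctix-migrations-db     0/1   3m    3m'

# Offline demonstration on the samples above.
demo() {
  printf '%s\n' "$SAMPLE_PODS" | pods_not_ready
  printf '%s\n' "$SAMPLE_JOBS" | jobs_incomplete
}

# Usage against the cluster, e.g. after step 3 (migrations) and before step 5:
#   wait_for_namespace <CTIX_NAMESPACE> 900 && helm install ctix-services ...
```

Running demo on the samples lists the Pending Elasticsearch pod, the crash-looping Kafka pod, the API pod with one of two containers ready, and the unfinished ctix-migrations-db job, while the healthy Redis pod and the Completed migration pod are not reported. A pod that shows Running but fewer ready containers than expected is the case most often missed when checking by eye.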