Azure Setup
This section outlines the deployment of DRISTI on Azure Cloud.
Prerequisites
Access to a Microsoft Azure Subscription
A Github account
Azure CLI
The installation uses a GitHub workflow. The workflow file must include the following steps for the DRISTI installation:
Terraform installation
Az CLI installation
Sops installation
Helmfile & Helmfile plugin
Pre Deployment Work
To install the required infrastructure, the subscription ID, tenant ID, client ID and client secret are required. Follow the steps below to obtain these details.
Service Principal: Register an app in the App registrations service and create a client secret for it (Manage section, Certificates & secrets). Assign the Contributor role to the app on the subscription.
Login to Azure Account
Search for App registrations
Select the All applications tab
Register a new application
Enter a name for the registration and click the Register button
Once registration is complete, the Tenant ID and Client ID are shown on the Overview page
Then select Certificates & secrets and create a new secret
A new secret is created. Note down its details immediately, as they are displayed only once
The Value field is the client secret
For the subscription ID, search for Subscriptions and select the subscription in which the Azure resources are to be created.
Now you should have the following details:
Subscription_id
tenant_id
Client_id (Application Id)
Client_secret (Secret created in application)
Clone Git Repository
Clone the git repository pucar-DevOps to your local system
Check out the Solution-Pipeline branch
Update the default values for the remote state (path: infra-as-code/terraform/azure-pucar/remote-state)
Modify the relevant variables for the Azure resources in the tfvars directory (path: pucar-DevOps/infra-as-code/terraform/azure-pucar/tfvars)
List of variables to be updated:
resource_group, environment, address_space, db_username, address_prefixes_postgres, address_prefixes_aks, aks_dns_service_ip, aks_service_cidr
Directory path: pucar-DevOps/infra-as-code/terraform/azure-pucar/remote-state/variables.tf
Run terraform apply after changing the relevant variables (as mentioned above) to create the Terraform state bucket and resource group, using the command below.
This creates a resource group and a state bucket in which the infrastructure and the services will be deployed.
In Remote Github:
Create the necessary secrets, such as the Azure credentials, sops keys and DB password. Follow this reference for the Azure credentials secret.
Update the domain name in env.yaml
Directory path: deploy-as-code/charts/environments/env-secrets.yaml
env-secrets.yaml is encrypted using sops, so it must be decrypted before editing. The sops keys are stored in the storage account pucarsolutionsfsdev, container pucar-solutions-filestore-dev, in the file keys.txt
The keys must be stored on the local system for decryption
Path: $HOME/.config/sops/age/keys.txt
Use the sops decrypt command to decrypt the file
Update the DB password, flyway password, login username, login password and git-sync private key in env-secrets.yaml
Secrets Operations (sops)
sops is an open-source tool for managing secrets such as passwords and keys. It lets developers encrypt files containing sensitive information while keeping them in a version control system such as Git.
Choose one of the supported key services (Azure Key Vault, AWS KMS, age, etc.) to generate a key for encrypting and decrypting the data.
Note:
The workflow contains a script that decrypts the secrets in the git repository using age as the key service. For this version of sops, an absolute path to the encrypted file must be provided.
Azure Key Vault can also be used: create a key in Key Vault, then run sops --encrypt --azure-kv <key-vault-url>/keys/<key-name> secret.yaml > secret.enc.yaml
In the workflow, sops --decrypt can then be run directly.
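As an added example (not the workflow shipped in pucar-DevOps), the job below installs the age key from a GitHub secret into the path named above and decrypts env-secrets.yaml by absolute path; the secret name SOPS_AGE_KEY, the pinned sops release and the output location are assumptions.

```yaml
# Added example, not the repository's own workflow. Assumes a GitHub secret
# SOPS_AGE_KEY holding the age private key (the contents of keys.txt).
jobs:
  decrypt-secrets:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install sops
        run: |
          # pinned release rather than "latest"; version is an assumption
          curl -fsSL -o sops \
            https://github.com/getsops/sops/releases/download/v3.8.1/sops-v3.8.1.linux.amd64
          sudo install -m 0755 sops /usr/local/bin/sops

      - name: Install age key for sops
        env:
          SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
        run: |
          # key file is owner-readable only; it never enters the repository
          umask 077
          mkdir -p "$HOME/.config/sops/age"
          printf '%s\n' "$SOPS_AGE_KEY" > "$HOME/.config/sops/age/keys.txt"

      - name: Decrypt env-secrets.yaml
        run: |
          # this sops version needs the absolute path of the encrypted file;
          # the decrypted copy goes to the runner temp dir, not the checkout
          sops --decrypt \
            "$GITHUB_WORKSPACE/deploy-as-code/charts/environments/env-secrets.yaml" \
            > "$RUNNER_TEMP/env-secrets.dec.yaml"
          # sanity check without printing any values: no sops metadata may remain
          ! grep -q '^sops:' "$RUNNER_TEMP/env-secrets.dec.yaml"

      - name: Remove age key
        if: always()
        run: rm -f "$HOME/.config/sops/age/keys.txt"
```

Later steps (for example helmfile apply) read the decrypted file from $RUNNER_TEMP, so the plaintext is never written into the git checkout.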
Configure Storage Account for Filestore Service
A place is needed to store uploaded files. Create a storage account and a container in the resource group created earlier.
Get the storage account access keys from the Security tab. Update azureaccountname and azuresecretkey in the egov-filestore secret.
Directory path: deploy-as-code/charts/environments/env-secrets.yaml
Steps for Storage Account Creation:
On the Azure portal, search for the resource group
Select the resource group in which the storage account is to be created
Select the Create option; this navigates to the Marketplace
Search for "storage account" and select it
Update the values as shown below with the new storage account name
This creates a storage account
Select the created storage account
Select the Containers option under Data storage
Select the + Container option and create a new container
This creates a storage container
Create another storage container for the pucar assets
Upload all assets from kerala-configs (https://github.com/pucardotorg/kerala-configs/tree/master/pucar-assets)
Create a new globalconfig.js file similar to the given one and update the links of all images and the domain name.
Deployment Process (Infra Creation)
Update the existing terraform-infra.yaml workflow variables for the new Azure infra used within it.
Here, update the secret name with the new DB password to be passed for DB creation.
Here, update the secret name with the new Azure credentials.
      - name: Terraform init - Infra creation
        id: init-Infra
        run: |
          terraform --version
          terraform init -backend-config="resource_group_name=pucar-solutions-dev" -backend-config="storage_account_name=tfstate771y4" -backend-config="container_name=pucar-solutions-dev-tfstate" -backend-config="key=infra.tfstate" -reconfigure
        working-directory: infra-as-code/terraform/azure-pucar
Here, update the resource group name, storage account name and container name with appropriate values. Do the same for the terraform plan and apply steps.
      - name: Generate kubeconfig
        run: |
          az aks get-credentials --resource-group "pucar-solutions-dev" --name "solutions-dev"
          cat ~/.kube/config > kubeconfig
Run this workflow to create the Azure infra, including the nodes, PostgreSQL DB, security group and load balancer.
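As an added example (not the terraform-infra.yaml from pucar-DevOps), the steps below show how the Azure credentials and DB password secrets mentioned above reach the Azure CLI and Terraform without being written into tfvars; the secret names, the variable name db_password and the backend placeholders are assumptions.

```yaml
# Added example, not the repository's workflow. Assumes GitHub secrets
# AZURE_CREDENTIALS (JSON with clientId, clientSecret, subscriptionId,
# tenantId), ARM_* for the azurerm provider, and DB_PASSWORD, and that the
# Terraform module declares a variable named db_password.
    steps:
      - uses: actions/checkout@v4

      - name: Azure login
        uses: azure/login@v1
        with:
          # used by the "az aks get-credentials" step later in the job
          creds: ${{ secrets.AZURE_CREDENTIALS }}

      - name: Terraform init, plan and apply - Infra creation
        env:
          # azurerm provider authentication from the service principal
          ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
          ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
          ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
          ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
          # Terraform maps TF_VAR_db_password to variable "db_password", so the
          # password stays out of the tfvars directory and out of git history
          TF_VAR_db_password: ${{ secrets.DB_PASSWORD }}
        run: |
          terraform init \
            -backend-config="resource_group_name=<resource-group>" \
            -backend-config="storage_account_name=<storage-account>" \
            -backend-config="container_name=<tfstate-container>" \
            -backend-config="key=infra.tfstate" -reconfigure
          # -input=false fails fast instead of hanging on a missing variable;
          # applying the saved plan guarantees only the reviewed changes run
          terraform plan -input=false -out=tfplan
          terraform apply -input=false tfplan
        working-directory: infra-as-code/terraform/azure-pucar
```

Mark db_password as sensitive in the Terraform variable declaration so it is redacted from plan and apply output.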