Example Installation on Azure

Note that this installation guide is an example. For creating your production cluster, always turn to your cloud provider's official documentation.

See the chapter Recommendations and Limitations, which includes limitations specific to Kubernetes.

Introduction

If you want to deploy Nevis onto a Cloud infrastructure, we recommend using the Kubernetes-based installation. This installation is based on the Docker containerization and Kubernetes orchestration technologies. For a general overview of the Nevis-on-Kubernetes deployment solution, see Main Concepts.

• In the chapter Kubernetes Deployment Troubleshooting you can find information about how to debug the configuration.
• In the chapter Kubernetes Upgrade you can find information about how to upgrade your existing installation.

In this installation tutorial, you will set up Kubernetes from scratch on Azure.

The tutorial creates the following resources in Azure:

• A Terraform storage account, which will hold our cluster configuration.
• A Kubernetes cluster.
• An Azure database server for MariaDB, on which we will create our databases containing the Nevis-related data.
• A container registry, which will hold our docker images.
• A virtual network, which the cluster will use.
• Two IP address, one to access the cluster, and one to the cluster itself.

Prerequisites

This documentation uses Terraform to manage the infrastructure on the cloud service provider. Terraform allows managing the infrastructure as code, which provides additional benefits such as version control.

The use of Terraform is not required.

This tutorial provides a way to set up a Kubernetes cluster on Azure. Any other cloud providers have not been tested and are not officially supported by Nevis at this time. We tested the instructions on RHEL 7.

A couple of things are required to get started with Nevis on Kubernetes:

• Have an Azure subscription and have enough permissions to create resource groups and resources. This includes Application Administratorfor creating the service principal, and Ownerto assign the required Role to it.
• The supported Kubernetes versions for this guide are 1.24, 1.25, 1.26, 1.27 and 1.28.
• A Linux environment with the following software pre-installed:

Expand the panels for more details about tested versions of the tools.

Click here to expand...Terraform v1.1.9

Click here to expand...Client Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.4", GitCommit:"e6c093d87ea4cbb530a7b2ae91e54c0842d8308a", GitTreeState:"clean", BuildDate:"2022-02-16T12:38:05Z", GoVersion:"go1.17.7", Compiler:"gc", Platform:"linux/amd64"}

Click here to expand...Client: Docker Engine - Community Version: 20.10.3

Click here to expand...

• azure-cli 2.36.0

This guide requires basic knowledge of Linux, Terraform, Kubernetes and the Azure CLI. In case you are new to these topics, we recommend that you see tutorials or courses available online. If you are low on time, focus on the Kubernetes tutorials, for example: Viewing Pods and Nodes.

Steps to Perform

Perform the following steps for a Kubernetes-based installation of nevisAdmin 4:

1. [Downloading Template Files]
2. [Preparing the Git Deployment Repository]
3. [Setting Environment Variables]
4. [Creating the Kubernetes Cluster with Terraform]
5. [Uploading Nevis Docker Images]
6. [Deploying the nevisOperator]
7. [Deploying nevisAdmin 4]
8. [Preparing the Test Namespace for Nevis Deployment]
9. [Configuring an Example Project and Inventory in the GUI]

The following chapters describe each step in detail.

Downloading Template Files

All files required to set up Terraform and Kubernetes are provided in the following Zip file: kubernetes-guide.zip

• First, download and unzip the files. The setup uses Gradle to easily customize the files based on environmental variables. The configuration files used by the setup can be found in kubernetes-guide/src/nevis-cluster.

File	Description
terraform/bootstrap/terraform-storage.tf	Defines the storage account used to store the state of the Terraform managed infrastructure.
terraform/aks-cluster.tf	Defines the actual Kubernetes cluster.
terraform/container-registry.tf	Defines a Docker container registry accessible in the cluster.
terraform/azure.tf	Links the Azure cluster/registry to a storage account.
terraform/db.tf	Defines the Azure MariaDB server.
terraform/db_config.tf	Configures the Azure MariaDb server.
kubernetes-operator/	Configures the Custom Resource Definitions for Nevis and deploys the nevisOperator.
kubernetes-nevisadmin4/	Deploys nevisAdmin 4 itself, and deploys nginx to access nevisAdmin 4 from the public internet.
kubernetes-test-namespace/	Configures the Kubernetes namespace where the Nevis components will run. Configures nginx to expose nevisProxy.
kubernetes-cert-manager	Deploys a certificate manager that uses Let's Encrypt to get valid certificate for the running components.

Preparing the Git Deployment Repository

In this tutorial, we use GitHub as the Git system. However, it is possible to use Bitbucket, Gitea, GitLab, etc, instead.

The nevisOperator currently only supports SSH-based Git access. Follow the next instructions to configure the nevisOperator.

1. Prepare GitHub:
2. Create a GitHub account.
3. Create an empty Git repository called "deploy".
4. Set the GitHub repository to "private": `http://help.github.com/en/articles/setting-repository-visibility#making-a-repository-private
5. Create SSH key material:

Generating key material

# move into the main folder
cd kubernetes-guide
ssh-keygen -t ecdsa -C "kubernetes" -m PEM -P "" -f id_rsa

# make sure ssh keys were generated
cat id_rsa
cat id_rsa.pub

This key pair will be read by Gradle and used during the setup process. Both the nevisOperator and nevisAdmin 4 will use this to connect go GitHub. 3. Add the key (id_rsa.pub) to your GitHub account, or to the repository itself as a deploy key:

1. See `http://help.github.com/en/articles/adding-a-new-ssh-key-to-your-github-account.
2. See`http://developer.github.com/v3/guides/managing-deploy-keys/ (the "Deploy keys" section).
3. (Only if you use other Git systems than GitHub) Add the corresponding known_hosts entry to the following files (the entry for GitHub is added by default):

kubernetes-guide/src/nevis-cluster/kubernetes-nevisadmin4/configs/var/opt/nevisadmin4/conf/ssh/known_hosts
kubernetes-guide/src/nevis-cluster/kubernetes-component-namespace/component-resources.yaml

The fingerprint can be found by using ssh-keyscan:

ssh-keyscan <host>

Setting Environment Variables

First, fill out the following variables in the provided kubernetes-guide/environment file. The last three variables in the file will be set later in the guide.

Environment variables

# ID of your Azure subscription
export SUBSCRIPTION_ID

# globally unique and only lowercase alphanumeric characters allowed
# only lowercase alphanumeric characters, example: terraform33fef3fgs
export STORAGE_ACCOUNT_NAME

# unique within Azure subscription
# example: nevis-cluster
export RESOURCE_GROUP_NAME

# The name of the Resource Group where the Kubernetes Nodes should exist.
# unique within Azure subscription
# example: nevis-cluster-nodes
export NODE_RESOURCE_GROUP_NAME

# name of the Kubernetes cluster, recommended to be the same as the resource group name
# example: nevis-cluster
export CLUSTER_NAME

export VNET_NAME="${RESOURCE_GROUP_NAME}-vnet"

# azure location where the resources will be created
export LOCATION="West Europe"

#location in short, lowercase format, for example "westeurope" instead of "West Europe", "eastus2" instead of "East US 2" etc.
export LOCATION_DNS="westeurope"

# Kubernetes version to use on the cluster (this guide currently only support 1.24, 1.25, 1.26, 1.27 and 1.28)
# Default version could be outdated, command to list available versions:
# az aks get-versions --location 'West Europe' -o table |grep ^1.26 |cut -f 1 -d" "
export KUBERNETES_VERSION="1.26.6"

# VM type for the cluster nodes. More info about possible options: https://docs.microsoft.com/en-us/azure/virtual-machines/linux/compute-benchmark-scores
# Because of the way memory is reserved: https://docs.microsoft.com/en-us/azure/aks/concepts-clusters-workloads#resource-reservations
# a VM type with at least 16GB of memory is recommended. By default 2 node will be created, which later can be easily scaled up or down.
export VM_SIZE="Standard_D4s_v5"

# unique within Azure region
# example: nevisk8s, default domain will have the following format: DNS_PREFIX.LOCATION_DNS.cloudapp.azure.com
export DNS_PREFIX

# option to enable role based access control, for more information visit: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
export RBAC_ENABLED="true"

# Information used for the Certificate Signing Request in automatic key management, by the nevisOperator
# example CH
export CSR_COUNTRY
# example Zurich
export CSR_PROVINCE
# example Zurich
export CSR_LOCALITY
# example Nevis Security AG
export CSR_ORGANIZATION
# example Nevis
export CRS_ORGANIZATIONAL_UNIT
# example [email protected]
export CSR_EMAIL_ADDRESS

# name of the database server, has to be unique
# example nevisk8smariadb
export DB_SERVER

# user name of the root user for the database server, can't be "root"
# example: dbroot
export DB_ROOT_USER

# admin user of the Kubernetes cluster, can't be "admin"
# example k8sadmin
export ADMIN_USER

# the database user that will be created for admin4, to do the schema updates in the database
# example: schemauser
export ADMIN4DB_SCHEMA_USER

# the password for the schema user
export ADMIN4DB_SCHEMA_PASSWORD

# the database user that will be created for admin4, to connect to the database during operation
# example: applicationuser
export ADMIN4DB_APP_USER

# the password for the application user
export ADMIN4DB_APP_PASSWORD

# globally unique DNS label, only lowercase alphanumeric characters allowed / the registry will be accessible at <CONTAINER_REGISTRY_NAME>.azurecr.io
# example: nevisk8s
export CONTAINER_REGISTRY_NAME

# GIT deployment repository
# example: [email protected]:nevis/deploy.git
export GIT_URL

Creating the Kubernetes Cluster with Terraform

The next step is to create a Kubernetes cluster with Terraform. First bootstrap Terraform before you can create the cluster.

Bootstrapping Terraform

Terraform can be used to easily set up a Kubernetes cluster and a Docker registry on Azure. Perform the next steps/execute the following commands:

• Make the used executables runnable:

Set rights

# in the main kubernetes-guide folder, use the following:

sudo chmod +x environment publish_images.sh gradlew

• Source the previously set environment variables:

Set env variables

source environment # sets the environment variables

• Connect to Azure by running the following commands:

Set azure connection

az login
az account set --subscription $SUBSCRIPTION_ID
az configure --defaults group=$RESOURCE_GROUP_NAME

• Produce a customized configuration based on the environment variables:

Bootstrap

./gradlew bootstrap

• Initialize a storage account to store the state of Terraform. Use the next commands:

Bootstrap terraform

cd build/nevis-cluster/terraform/bootstrap # move to bootstrap directory
terraform init # initialize terraform

 # plan the infrastructure change
terraform plan -var "subscription=$SUBSCRIPTION_ID" \
 -var "location=$LOCATION" \
 -var "resource_group_name=$RESOURCE_GROUP_NAME" \
 -var "storage_account_name=$STORAGE_ACCOUNT_NAME"

 # apply the infrastructure change. Will create a resource group and storage account inside the resource group
terraform apply -var "subscription=$SUBSCRIPTION_ID" \
 -var "location=$LOCATION" \
 -var "resource_group_name=$RESOURCE_GROUP_NAME" \
 -var "storage_account_name=$STORAGE_ACCOUNT_NAME"

• Get the access key for the storage account and store it in your environment as "ARM_ACCESS_KEY".

Setting the Azure RM Access Key

# in the bootstrap directory
# sets the environment variable
ARM_ACCESS_KEY=`az storage account keys list --resource-group $RESOURCE_GROUP_NAME --account-name $STORAGE_ACCOUNT_NAME --query [0].value | tr -d '"'`

# puts it into the environment file from the current folder, can also be done manually
sed -i "s;ARM_ACCESS_KEY=.*;ARM_ACCESS_KEY=${ARM_ACCESS_KEY};g" ../../../../environment

# source the environment file again
source ../../../../environment

Creating a Cluster

As soon as you have a storage account, you can create the Kubernetes cluster. This will also create a MariaDB Azure server, in accordance with the configuration in the db.tf and db_config.tf files.

• To create the cluster and the container registry, run the commands in the next code block:

Creating the Cluster

cd .. # return to main terraform directory, commands should be run in build/nevis-cluster/terraform

# initialize terraform
terraform init -backend-config="access_key=$ARM_ACCESS_KEY" \
 -backend-config="storage_account_name=$STORAGE_ACCOUNT_NAME" \
 -backend-config="resource_group_name=$RESOURCE_GROUP_NAME"

# inspect changes
terraform plan -var "location=$LOCATION" \
 -var "resource_group_name=$RESOURCE_GROUP_NAME" \
  -var "node_resource_group_name=$NODE_RESOURCE_GROUP_NAME" \
  -var "rbac_enabled=$RBAC_ENABLED" \
  -var "name=$CLUSTER_NAME" \
 -var "vnet_name=$VNET_NAME" \
 -var "dns_prefix=$DNS_PREFIX" \
 -var "admin_user=$ADMIN_USER" \
 -var "kubernetes_version=$KUBERNETES_VERSION" \
  -var "registry_name=$CONTAINER_REGISTRY_NAME" \
 -var "db_server=$DB_SERVER" \
 -var "db_root_user=$DB_ROOT_USER"
# apply changes, this will output the randomly generated database password
terraform apply -var "location=$LOCATION" \
 -var "resource_group_name=$RESOURCE_GROUP_NAME" \
 -var "node_resource_group_name=$NODE_RESOURCE_GROUP_NAME" \
  -var "rbac_enabled=$RBAC_ENABLED" \
  -var "name=$CLUSTER_NAME" \
 -var "vnet_name=$VNET_NAME" \
 -var "dns_prefix=$DNS_PREFIX" \
 -var "admin_user=$ADMIN_USER" \
 -var "kubernetes_version=$KUBERNETES_VERSION" \
  -var "registry_name=$CONTAINER_REGISTRY_NAME" \
 -var "db_server=$DB_SERVER" \
 -var "db_root_user=$DB_ROOT_USER"

cd ../../.. # return to the main directory

• The command terraform apply generates a random password for the database, outputted to the console. This random password must be added to the environment file as the DB_ROOT_PASSWORD. After this is done, source the file again:

source environment

Cluster creation on Azure might take up to a quarter of an hour. After this, the running costs of your subscription will increase, because of the creation of various infrastructure resources.

Some considerations:

• If you are setting up an environment that you plan to keep for a longer time, consider putting the various files and settings into a version control system such as Git.
• To better record your infrastructure as code, consider setting your choices as defaults in the Terraform files, so that the state of your infrastructure is fully defined there. Uploading Nevis Docker Images

Use the provided script kubernetes-guide/publish_images.sh to copy the Docker images from the Nevis Portal registry to the Azure registry. Select one of the docker images in the portal under `http://portal.nevis.net/portal/secure/releases/rolling to acquire a temporary username/password for the registry.

This will transfer the following images:

Docker images

Run the script to transfer the images:

./publish_images.sh

Deploying the nevisOperator

• Configure kubectl to point to the newly created cluster:

Configuring kubectl

az aks get-credentials --resource-group $RESOURCE_GROUP_NAME --name $CLUSTER_NAME --overwrite-existing

You can verify if you are connected to the correct cluster with the kubectl tool:

kubectl config current-context

Context can be switched with the following commands:

kubectl config get-contexts # get available contexts
kubectl config use-context <context-name> # switch to the desired one

• (Optional) If used on a cluster with multiple Ingress controllers, or with a different ClusterIssuer than the one provided in this guide, configure the following additional properties in the kubernetes-operator/operator.yml file as part of the nevisoperator-operator-config-6fc9hfhdhk ConfigMap, which will be used by the deployed nevisOperator.

Property	Default	Usage
ingress-class	-	Ingress class of the controller, see: `http://kubernetes.github.io/ingress-nginx/user-guide/multiple-ingress/
cluster-issuer	letsencrypt-prod	ClusterIssuer that handles the certificate creation for the Ingress.
cluster-issuer-annotation	http://certmanager.k8s.io/cluster-issuer cert-manager.io/cluster-issuer	Annotation to specify the ClusterIssuer on the Ingress. By default, both ClusterIssuer annotations are used for backwards compatibility. Specify if an Issuer is used instead.

• (Optional) By default the operator is configured to watch all namespaces, this can be changed by by using the restrict-namespaces in kubernetes-operator/operator.yml, this also makes it possible to restrict the needed RBAC permissions:

restrict-namespaces:
 - namespace1
 - namespace2

• Apply the commands below from the main directory:

Deploy CRDs and Operator to the cluster

# move into the nevis-cluster folder
cd build/nevis-cluster

# Create the operator namespace
kubectl apply -f kubernetes-operator/operator-namespace.yaml
# Nevis Custom Resource Definitions
kubectl apply -f kubernetes-operator/crd

# Create the ConfigMap containing the nevisOperator configuration properties
kubectl apply -f kubernetes-operator/operator-config.yaml

# Create the RBAC permissions needed by the operator
kubectl apply -f kubernetes-operator/operator-rbac.yaml

# Deploy by the operator
kubectl apply -f kubernetes-operator/operator.yaml

• Check if everything went well:

Check status

# find out which pod is used for nevisoperator
kubectl get pods --all-namespaces | grep nevisoperator-controller-manager

# Check logs as follows
kubectl logs -n nevisoperator-system -c manager nevisoperator-controller-manager-<random_id>

Deploying nevisAdmin 4

The next steps will guide you through the deployment of nevisAdmin 4. This includes the generation of the required configuration and service objects. You will deploy the following Kubernetes objects:

• nevisAdmin 4
• NGINX
• Certificate manager

Deploying NGINX Ingress

To expose the Nevis setup outside the cluster, an Ingress Controller is used. This also allows the use of Let's Encrypt to get valid certificates.

Static IP

This requires a static IP configured in Azure. Note that you already configured this static IP when setting up the Kubernetes cluster and a Docker registry via Terraform.To deploy a NGINX Ingress Controller, perform the next steps:

1) Obtain the IP address of the cluster by one of the following commands:

• az network public-ip list, and use the value for aks-ingress-ip
• terraform show in build/nevis-cluster/terraform, and use the value of aks_cluster_ingress_ip.

The IP must be set in environment as PUBLIC_IP. If the IP has changed, you have to regenerate the template by running the following command in the main directory:

Generate the configuration again

# in the main kubernetes-guide folder

source environment
./gradlew bootstrap

2) Deploy the NGINX Ingress:

Deploy the NGINX Ingress controller and the necessary roles and role bindings

cd build/nevis-cluster # go back to the configuration folder
kubectl apply -f kubernetes-nevisadmin4/nginx.yaml

Deploying the Certificate Manager

The setup uses Let's Encrypt to set a valid certificate. To make this work, you need to deploy a certificate manager on the cluster.

Deploy the Certificate Manager

# in kubernetes-guide/build/nevis-cluster, use the following:
kubectl apply -f kubernetes-cert-manager/manager.yaml
# create the issuers, might have to wait a minute for the cert-manager to start before the issuers are succesfully created
kubectl apply -f kubernetes-cert-manager/issuers.yaml

Deploying nevisAdmin 4 Component

To deploy the nevisAdmin 4 component, perform the steps below. Note that nevisAdmin 4 runs in a separate namespace. The database is required by nevisAdmin 4 to store application data, such as your configuration projects, inventories, and more.

1) (Optional) Use one-way TLS for the database connection.

Click here to expand...To enable server authentication via a server certificate, the following steps are required:

1) Create a Java KeyStore (JKS) file containing the server certificate. In case of Azure, the certificate can be found at: `http://docs.microsoft.com/en-us/azure/mariadb/howto-configure-ssl#obtain-ssl-certificate.

2) Store the JKS file under kubernetes-guide/src/nevis-cluster/kubernetes-nevisadmin4/configs/ssh

A keytool example to create the keystore:

keytool -importcert -file "BaltimoreCyberTrustRoot.crt.pem" -keystore mariadb.jks -alias "mariadb"

3) Adapt the database URL in the file kubernetes-guide/src/nevis-cluster/kubernetes-nevisadmin4/configs/config/nevisadmin4.yml, to make it use the created keystore file:

url: "jdbc:mysql://@[email protected]:3306/nevisadmin4?useSSL=true&trustStore=/var/opt/nevisadmin4/conf/ssh/mariadb.jks&trustStorePassword=<password>"

4) For the database migration to also use SSL, extend the job definition nevisadmin4-dbschema and the nevisadmin4-dbschema-wait init container of the nevisadmin4 StatefulSet in the file kubernetes-guide/src/nevis-cluster/kubernetes-nevisadmin4/nevisadmin4.yaml with the following env variable:

 env:
 - name: NEVIS_DBSCHEMA_USE_SSL
 value: "true"

5) Generate the build folder again:

# in the main folder
./gradlew bootstrap

2) (Optional) Establish a secure connection between NGINX and nevisAdmin 4.

Click here to expand...The internal communication between NGINX and nevisAdmin 4 uses HTTP by default. To use HTTPS, perform the next steps:

1) Store the keystore containing the certificate under kubernetes-guide/src/nevis-cluster/kubernetes-nevisadmin4/configs/ssh. As the certificate is only used for securing internal traffic, it will not be visible outside the cluster.

The next code snippet shows how to create a self-signed certificate:

openssl req -x509 -newkey rsa:4096 -keyout myKey.pem -out cert.pem -days 3650
openssl pkcs12 -export -out keystore.p12 -inkey myKey.pem -in cert.pem -name nevisadmin

2) Extend the file kubernetes-guide/src/nevis-cluster/kubernetes-nevisadmin4/configs/config/nevisadmin4.yml, to use the provided keystore as well as the right port:

server:
 port: 8443
 tls:
 keystore: /var/opt/nevisadmin4/conf/ssh/keystore.p12
 keystore-passphrase: ${env:NEVIS_KEYSTORE_PASSPHRASE}
 keystore-type: pkcs12
 key-alias: nevisadmin

3) Create the secret that contains the passphrase:

kubectl create namespace nevisadmin4
kubectl create secret generic -n nevisadmin4 nevisadmin4-tls --from-literal=passphrase=<your_passphrase>

4)Generate the buildfolder again:

# in the main folder
./gradlew bootstrap

3) Run the following commands in build/nevis-cluster to apply the changes to the cluster:

Apply the changes to the cluster

# in kubernetes-guide/build/nevis-cluster, use the following:
# Create the namespace
kubectl apply -f kubernetes-nevisadmin4/nevisadmin4-namespace.yaml
# Create the configmap with the config files
kubectl create -n nevisadmin4 configmap nevisadmin4-config --from-file=kubernetes-nevisadmin4/configs/config/
# Create a kubernetes secret from the key materials used by admin4
kubectl create secret generic -n nevisadmin4 nevisadmin4-ssh --from-file=kubernetes-nevisadmin4/configs/ssh/
# Create a kubernetes secret with the environment variables used by admin4
kubectl create secret generic -n nevisadmin4 nevisadmin4-env --from-literal=rootpw=$DB_ROOT_PASSWORD --from-literal=schemauserpw=$ADMIN4DB_SCHEMA_PASSWORD --from-literal=applicationuserpw=$ADMIN4DB_APP_PASSWORD
# Now start nevisAdmin 4.
kubectl apply -f kubernetes-nevisadmin4/nevisadmin4.yaml

If HTTPS was enabled in step 2, apply the following changes:

Apply HTTPS patch

# Apply only, if https is configured for nevisAdmin 4
kubectl apply -f kubernetes-nevisadmin4/nevisadmin4-https-patch.yaml

4) To validate your nevisAdmin 4 deployment, perform the steps mentioned in the code block below:

Validate the nevisAdmin4 deployment

# Find out which pod is used for nevisadmin
kubectl get pods --all-namespaces | grep nevisadmin4-

# Update the pod name below and check the nevisAdmin4 logs
kubectl logs -n nevisadmin4 nevisadmin4-<random_id>

# Update the pod name in all of the commands below
# Check that the configurations and keymaterial have been mounted correctly
kubectl exec -it -n nevisadmin4 nevisadmin4-<random_id> -- ls -l /var/opt/nevisadmin4/conf/
kubectl exec -it -n nevisadmin4 nevisadmin4-<random_id> -- cat /var/opt/nevisadmin4/conf/nevisadmin4.yml
kubectl exec -it -n nevisadmin4 nevisadmin4-<random_id> -- ls -l /var/opt/nevisadmin4/conf/ssh/
kubectl exec -it -n nevisadmin4 nevisadmin4-<random_id> -- cat /var/opt/nevisadmin4/conf/ssh/key
kubectl exec -it -n nevisadmin4 nevisadmin4-<random_id> -- cat /var/opt/nevisadmin4/conf/ssh/key.pub

After some time, you will be able to access the GUI at the following URL:

# The base URL can be found in the Azure Portal, under the created aks-ingress-ip, as the DNS name.
google-chrome https://$DNS_PREFIX.$LOCATION_DNS.cloudapp.azure.com/nevisadmin/
# login as admin/welcome2nevis and change your password immediately

Change your password immediately after logging in. This prevents unauthorized access.

Preparing the Component Namespace for Nevis Deployment

The next step is to configure the Kubernetes namespace where the Nevis components will run. NGINX is configured to expose nevisProxy.

# in kubernetes-guide/build/nevis-cluster, use the following:
kubectl apply -f kubernetes-component-namespace/component-namespace.yaml
kubectl apply -f kubernetes-component-namespace/component-resources.yaml -n component

Configuring an Example Project and Inventory in the GUI

The final step is to import and deploy an example project using nevisAdmin 4:

1. 1. In the nevisAdmin 4 Welcome or Project Settings screen, import the following project: project_CLOUD-PROJECT_20200519T102912Z.zip Adapt the project:

• Open the just imported Cloud-Project project in the Configuration tab. Note that the patterns nevisAuth/nevisProxy Remote Session Store and nevisIDM Database are marked with a red bullet point - this is because their database hostname is incorrect. Correct the database hostname of these patterns. The database hostname can be found in the Azure Portal, at the MariaDB resource.
• Set the latest libraries in the Administration tab under Standard libraries.

2. In the Administration>Inventory Settings screen, import the following inventory: inventory_CLOUD-INVENTORY_20200519T102841Z.zip Adapt the inventory:

• Enter the URL of your GitHub repository.

• Enter the DNS for the proxy-host-name. This DNS has the following format: <https://$DNS_PREFIX>.$LOCATION_DNS.cloudapp.azure.com/. It can also be found in the Azure Portal, under the aks-ingress-ip resource.

• Enter the URL of your Kubernetes cluster using HTTPS and port 443 . The base URL can be found in the Azure Portal, under the created Kubernetes service, as API server address. Alternatively, as long as nevisadmin4 is inside the cluster, https://kubernetes.default.svc:443 can be used.

• Enter the token of your Kubernetes cluster. Get the token by executing the following commands:

  Get the token of your Kubernetes cluster

  # Find the name of the secret containing the token, this is the token of the service account the operator uses
  kubectl get secret -n nevisoperator-system | grep default
  
  # Use the secret name from the output from the command above
  kubectl describe secret -n nevisoperator-system default-token-<random_id> | grep token

3. Click the Deploy button and go through the steps of the Deployment Wizard. If there is a warning, you can just accept it and continue.

4. Go to the following URLs to test:

   URLs to test

   # base url can differ depending on the location
   
   # nevisIDM admin reachable here, default credentials: bootstrap/generated
   google-chrome https://$DNS_PREFIX.$LOCATION_DNS.cloudapp.azure.com/nevisidm/admin
   
   # Example standalone nevisAuth flow
   google-chrome https://$DNS_PREFIX.$LOCATION_DNS.cloudapp.azure.com/