Kublr Platform on Microsoft Azure

Overview

This document describes the steps needed to deploy the Kublr Platform in a Microsoft Azure infrastructure. It contains the following main steps:

  1. Creating Azure API credentials for Kublr
  2. Deploying the Kublr Platform to Microsoft Azure infrastructure
  3. Opening deployed Kublr Platform
  4. (Optional) Setting up a custom DNS name for the Kublr Platform

Prerequisites

Kublr-in-a-Box must be installed. Please refer to the Installation Guide for Kublr-in-a-Box.

Creating Azure API Credentials for Kublr

Before You Get Started

To use Kublr, you will need a Microsoft Azure subscription account as well as Kublr credentials.

Required Permissions

To register your application, you must have sufficient permissions with your Azure AD tenant. You will also need to assign the application to a role in your Azure subscription. Let’s make sure you have the right permissions to perform these steps.

Check Azure Active Directory Permissions

  1. Log in to your Azure Account through the Azure portal.
  2. Select Azure Active Directory.
  3. In Azure Active Directory, select User settings.
  4. Check the App registrations setting. If set to Yes, non-admin users can register AD apps. This setting means any user in the Azure AD tenant can register an app. You can proceed to Check Azure subscription permissions.
  5. If the app registrations setting is set to No, only admin users can register apps. Check whether your account is an admin for the Azure AD tenant. Select Overview and Find a user from Quick tasks.
  6. Search for your account, then select it.
  7. For your account, select Directory role.
  8. View your assigned directory role in Azure AD. If your account is assigned to the User role, but the app registration setting (from the preceding steps) is limited to admin users, ask your administrator to either assign you to an administrator role, or to enable users to register apps.

Check Azure Subscription Permissions

In your Azure subscription, your account must have Microsoft.Authorization/*/Write permission to assign an AD app to a role. This action is granted through the Owner Role or User Access Administrator Role. If your account is assigned to the Contributor Role, you do not have the required permission, and you will receive an error when you attempt to assign the service principal to a role.

To check your subscription permissions:

  1. If you are not already looking at your Azure AD account by following the preceding steps, select Azure Active Directory from the left pane.
  2. Find your Azure AD account. Then select Overview and Find a user from Quick Tasks.
  3. Search for your account, and select it when you find it.
  4. Select Azure resources.
  5. View your assigned roles, and determine if you have adequate permissions to assign an AD app to a role. If not, ask your subscription administrator to add you as a User Access Administrator. In the following image, the user is assigned to the Owner role for two subscriptions, which means that user has the required level of permissions.

Getting Subscription ID

  1. Log in to your Azure Account through the Azure portal.
  2. Open Subscriptions.
  3. Copy SUBSCRIPTION ID. This value is your Subscription ID.

Creating an Azure Active Directory application

  1. Log in to your Azure Account through the Azure portal.
  2. Select Azure Active Directory.
  3. Select App registrations.
  4. Select New application registration.
  5. Provide a name and URL for the application. Select Web app / API for the type of application you want to create. You cannot create credentials for a Native application; therefore, that type does not work for an automated application. After setting the values, select Create.

You have created your application.

Obtaining Application ID and Authentication Key

When programmatically logging in, you need the ID for your application and an authentication key. To obtain those values, follow these steps:

  1. From App registrations in Azure Active Directory, select your application.
  2. Copy the Application ID and store it. You will use this value as the Client ID later.
  3. To generate an authentication key, select Keys.
  4. Provide a description of the key, and a duration for the key. When done, select Save.
  5. After saving the key, the value of the key is displayed. Copy this value because you will not be able to retrieve it later. Use this value later as Client Secret.

Obtaining Tenant ID

When programmatically logging in, you will need to pass the tenant ID with your authentication request.

  1. Select Azure Active Directory.
  2. To obtain the tenant ID, select Properties for your Azure AD tenant.
  3. Copy the Directory ID. This value is your Tenant ID.

Assigning Application to Role

To access resources in your subscription, you must assign the application to a role. Decide which role represents the right permissions for the application. To learn about the available roles, see RBAC: Built in Roles.

You can set the scope at the level of the subscription, resource group, or resource. Permissions are inherited by lower levels of scope. For example, adding an application to the Reader Role for a resource group means it can read the resource group and any resources it contains. Kublr requires the Contributor Role so that it can provision virtual machines and prepare your infrastructure to run Kublr.

  1. Navigate to the level of scope you wish to assign the application to. For example, to assign a role at the subscription scope, select Subscriptions. You could instead select a resource group or resource.
  2. Select the particular subscription (resource group or resource) to assign the application to.
  3. Select Access Control (IAM).
  4. Click on the Add button.
  5. Select the role you wish to assign to the application. The following image shows the Contributor Role.
  6. Search for your application, and select it.
  7. Select Save to finish assigning the role. You will see your application in the list of users assigned to a role for that scope.
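
The scope inheritance described above can be checked against the application's actual role assignments. The following is an added example, not part of the Kublr documentation: it assumes the assignments were exported with `az role assignment list --assignee <client-id> --all -o json`, and the subscription GUID, resource group names and sample records are constructed placeholders.

```python
import json

# Constructed sample shaped like the az CLI JSON output (only the two fields used here).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE = json.dumps([
    {"roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/kublr-platform"},
    {"roleDefinitionName": "Owner", "scope": SUB},
])

REQUIRED_ROLE = "Contributor"  # the role the page says Kublr requires
# Roles the page names as able to assign an app to a role.
CAN_ASSIGN_ROLES = {"Owner", "User Access Administrator"}


def covers(assigned_scope, target_scope):
    """True if a role assigned at assigned_scope is inherited at target_scope."""
    a = assigned_scope.rstrip("/").lower()  # Azure resource IDs are case-insensitive
    t = target_scope.rstrip("/").lower()
    # Require a path-segment boundary so ".../kublr" does not cover ".../kublr-platform".
    return t == a or t.startswith(a + "/")


def effective_roles(assignments, target_scope):
    """Roles held at target_scope, directly or inherited from a higher scope."""
    return sorted({a["roleDefinitionName"] for a in assignments
                   if covers(a["scope"], target_scope)})


def audit(assignments, target_scope):
    """List what is missing or broader than needed for deploying at target_scope."""
    findings = []
    if REQUIRED_ROLE not in effective_roles(assignments, target_scope):
        findings.append(f"missing {REQUIRED_ROLE} at {target_scope}")
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        if role in CAN_ASSIGN_ROLES:
            findings.append(f"{role} at {scope} can grant roles to others")
        elif covers(scope, target_scope) and scope.lower() != target_scope.lower():
            findings.append(f"{role} at {scope} is broader than {target_scope}")
    return findings


if __name__ == "__main__":
    target = SUB + "/resourceGroups/kublr-platform"
    for finding in audit(json.loads(SAMPLE), target):
        print(finding)
```
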

Connecting Microsoft Azure and Kublr

  1. Log into Kublr using your credentials.
  2. Click on the Credentials menu in the left navigation menu bar.
  3. Click Add Credentials.
  4. Under credential type, select Azure Credentials.
  5. Enter Credential’s Name (e.g. Test).
  6. Enter Tenant ID, Subscription ID, Client ID and Client Secret from the steps above.
  7. Click Save Credentials.
  8. “Credentials have been successfully created” popup appears.
  9. Click to verify if credentials are valid and ready to be used.

Deploying Kublr Platform to Azure Infrastructure

  1. Click on Cluster Menu in the left navigation menu bar.
  2. Click on Add Kublr Platform or Deploy Full Kublr Platform.
  3. You may see a short Kublr Platform description.
  4. Enter Kublr Platform name.
  5. Select Provider: Microsoft Azure and region.
  6. Select the credentials created and/or saved in point 2.
  7. Select operating system to be used for Kublr cluster instances.
  8. Select number of master nodes and instance type.
  9. Select number of worker nodes and instance type.
  10. Select credentials for accessing newly deployed Kublr platform.
  11. Click Confirm and Install. A “congratulations” box will appear: “Your cluster is being created. It might take a few minutes.”

Opening Deployed Kublr Platform

The Kublr Platform creation process typically takes about 30 minutes to complete.

  1. Once it’s done, you will see the Kublr Platform on the Clusters page.
  2. Click on “Open Kublr Platform” button to open the program.
  3. Please allow it to use the self-signed SSL certificate.
  4. Sign In to the Kublr Platform using the admin Username and Password provided when creating Kublr Platform above.

Setting Up Custom DNS Name for Kublr Platform

This optional step is needed if you want to replace the IP address for the Kublr Platform, which looks something like https://13.92.169.135/, with something more user-friendly, like https://kublr.example.com/.

In order to do this, please create a new DNS A record for kublr.example.com pointing to Kublr Platform IP.

Instructions on how to set up an SSL certificate for this domain are provided in the article: Ingress TLS/SSL Setup.

