Azure Infrastructure Setup - Manual
Overview
This document covers the steps required to deploy a new Kubernetes cluster to your existing Azure account, including the creation of all required resources. This process will be completed through the Azure CLI as well as the web interface.
Prerequisites and Azure Features
In this step, we will go over the prerequisites for creating a new cluster in Azure, and enable any Azure features that Snorkel Flow requires to run.

1. To begin, you will need a few command line tools. Install the current versions of these tools if they are not already installed.
   - Instructions to install az
   - Instructions to install helm
   - Instructions to install kubectl
2. Run `az login` to log in with an Azure account or service principal with appropriate admin permissions (be sure to specify the --tenant flag).
3. We require Azure features that are currently only available in Preview. Ensure they are activated and registered for your account; you can register the required Azure Preview features with the following commands.
   - Azure Preview
     - `az extension add --name aks-preview`
     - `az extension update --name aks-preview`
   - Azure Files NFS mounting in AKS
     - `az feature register --name AllowNfsFileShares --namespace Microsoft.Storage`
     - `az provider register --namespace Microsoft.Storage`
     - Wait around 15 minutes, and ensure `az feature show --name AllowNfsFileShares --namespace Microsoft.Storage --query properties.state` outputs "Registered".
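Rather than waiting a fixed 15 minutes, the registration state can be polled until it reads "Registered". This is an added helper, not part of the Snorkel Flow documentation; it assumes the az CLI is installed and already logged in.

```shell
#!/bin/sh
# Added example, not from the Snorkel Flow docs: poll an Azure feature
# registration until properties.state reads "Registered", with a timeout.
# Assumes the az CLI is installed and logged in (az login --tenant ...).
# Usage: wait_for_feature <feature> <namespace> [timeout_seconds] [poll_interval]
wait_for_feature() {
    feature=$1
    namespace=$2
    timeout=${3:-1800}
    interval=${4:-30}
    elapsed=0
    while :; do
        # properties.state moves NotRegistered -> Registering -> Registered;
        # a failed az call (not logged in, typo in the name) is reported as Unknown.
        state=$(az feature show --name "$feature" --namespace "$namespace" \
                    --query properties.state -o tsv 2>/dev/null) || state=Unknown
        if [ "$state" = "Registered" ]; then
            echo "$namespace/$feature registered after ${elapsed}s"
            return 0
        fi
        if [ "$elapsed" -ge "$timeout" ]; then
            echo "$namespace/$feature still '$state' after ${timeout}s; giving up" >&2
            return 1
        fi
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
}

# Example use after the 'az feature register' command above:
#   wait_for_feature AllowNfsFileShares Microsoft.Storage
```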
Manually provision required infrastructure
In this step, we will be creating the cluster that Snorkel Flow runs in, alongside any required resources.

4. Create the following resources:
   a. Create a new resource group where the account / service principal you previously logged in with is an "Owner" of the resource group.
   b. Make sure that an Azure AD group exists whose members will have admin access to the newly created cluster (where your account / service principal is an owner and/or member).
   c. Create a new virtual network with a subnet (we suggest at least a /18 address space) in the resource group created above.
   d. After creating the subnet, go to the Azure UI, find the subnet under the Virtual Networks page, and ensure Microsoft.Storage is checked under Service Endpoints in the subnet configuration.
   e. Select both options under Network policy for private endpoints (Network security groups and Route tables).
   f. You can use your existing Azure DNS zone, or create a new one for Snorkel Flow.
      - Azure DNS with a delegated domain: https://learn.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns
   g. [OPTIONAL] If you would like to configure TLS, create a new Azure Key Vault:
      `az keyvault create -g snorkel-flow-rg -l <Location> -n <KeyVaultName> --enable-rbac-authorization`
      - Generate and/or import certificates (https://medium.com/@jibinpb/lets-encrypt-certificate-with-azure-dns-b9ed32ae5aee)
5. Gather required variables
   - snorkel_rg_name: from step 4a
   - vm_size_node: we recommend D32ds_v5
   - admin_group_name: from step 4b
   - vnet_name and subnet_name: from step 4c
6. Go to the Azure web portal and click through to provision the infrastructure (replace the variables in {{ }} with their appropriate values from step 5).
   - Cluster
     - Navigate to the Kubernetes services page from the top-level search and click Create, then Create a Kubernetes cluster
     - Select the resource group as {{ snorkel_rg_name }}
     - For Kubernetes cluster name, put snorkel-flow-cluster
     - For Primary node pool, set Scale method to Manual and Node count to 1
     - Click Next: Node pools
     - Under Node pools, click Add node pool
     - For Node pool name, put cpupool
     - Check all availability zone boxes available
     - For Node size, search for {{ vm_size_node }}, click the option displayed, and click Select
     - Set Scale method to Manual and Node count to 2
     - Click Next: Access
     - For Authentication and Authorization, select Azure AD authentication with Azure RBAC
     - Click Next: Networking
     - For Network configuration, select Azure CNI
     - Select {{ vnet_name }} and {{ subnet_name }}
     - Set DNS name prefix to snorkel-flow-cluster
     - Click Next: Integrations
     - Click Next: Advanced
     - Set Infrastructure resource group to snorkel-flow-cluster-nodes
     - Click Review + create
     - Click Create to finish
   - Storage Account
     - Navigate to the Storage accounts page from the top-level search and click Create
     - Select the resource group as the one defined as the Infrastructure resource group in the cluster creation step
     - Type in a unique storage account name (it can only contain lowercase letters and numbers)
     - Select the region to be the same as the {{ snorkel_rg_name }} resource group
     - Select the performance to be Premium
     - Select the premium account type to be File shares
     - Select the redundancy to be ZRS
     - Click Next: Advanced
     - Uncheck Require secure transfer for REST API operations (Azure Files NFS shares require this setting to be disabled; access to the account is restricted instead by the network rules set on the next tab)
     - Click Next: Networking
     - Under Network access, check Enabled from selected virtual networks and IP addresses
     - Select the virtual network name and subnet name
     - Click Review
     - Click Create to finish
   - Cluster Role Assignment
     - Go to the overview page of the newly created cluster and click Access control (IAM)
     - Click Add, then click Add role assignment
     - Search for Azure Kubernetes Service Cluster Admin Role, select it, then click Next
     - Click Select members, search for {{ admin_group_name }}, select it, then click Next
     - Click Review and assign to finish
   - Virtual Network Role Assignment
     - Go to the overview page of the virtual network manually created in step 4 and click Access control (IAM)
     - Click Add, then click Add role assignment
     - Search for Network Contributor, select it, then click Next
     - Check Managed identity next to Assign access to
     - Click Select members, select Kubernetes service under Managed identity, then select snorkel-flow-cluster (ensure it is the right cluster in the previously created resource group), and click Select
     - Click Review and assign to finish
7. Set up kubectl access:
   `az aks get-credentials --resource-group {{ snorkel_rg_name }} --name snorkel-flow-cluster --admin`
   If this command doesn't work, go to the cluster overview page, open the Cluster configuration tab on the left-hand side, and ensure the Kubernetes local accounts checkbox is checked. Note that `--admin` fetches the cluster's local admin credential and bypasses Azure AD; members of {{ admin_group_name }} can run the same command without `--admin` to authenticate through Azure AD with the role assigned in step 6.
   - Complete cluster setup by creating and applying the following yaml files to the cluster. Replace the variables in {{ }} with their appropriate values: the storage account name can be seen on the Storage Account Overview tab, and the storage account access key on the Storage Account Access keys tab.
     - Create and apply namespace.yaml to create the namespace for Snorkel Flow (`kubectl apply -f namespace.yaml`):

```yaml
apiVersion: v1
kind: Namespace
metadata:
  annotations:
    meta.helm.sh/release-name: snorkel-flow
    meta.helm.sh/release-namespace: snorkel-flow
  labels:
    app.kubernetes.io/managed-by: Helm
  name: snorkel-flow
```

     - Create and apply storageaccountsecret.yaml (`kubectl apply -f storageaccountsecret.yaml`):

```yaml
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  annotations:
    meta.helm.sh/release-name: snorkel-flow
    meta.helm.sh/release-namespace: snorkel-flow
  labels:
    app.kubernetes.io/managed-by: Helm
  name: secret-storage-account
  namespace: snorkel-flow
stringData:
  azurestorageaccountkey: {{ STORAGE_ACCOUNT_KEY }}
  azurestorageaccountname: {{ STORAGE_ACCOUNT_NAME }}
```

     - Create and apply storageclass.yaml (`kubectl apply -f storageclass.yaml`):

```yaml
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: snorkel-flow-sc
parameters:
  protocol: nfs
  secretName: secret-storage-account
  secretNamespace: snorkel-flow
  storageAccount: {{ STORAGE_ACCOUNT_NAME }}
provisioner: file.csi.azure.com
reclaimPolicy: Retain
volumeBindingMode: Immediate
```
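The placeholder substitution above can be scripted so that a manifest with a leftover {{ }} is never applied and the rendered Secret (which carries the storage account key) is piped straight into kubectl instead of being saved to disk. This is an added helper, not part of the Snorkel Flow documentation; it assumes STORAGE_ACCOUNT_NAME and STORAGE_ACCOUNT_KEY are exported in the shell and that the template files are the ones shown above.

```shell
#!/bin/sh
# Added example, not from the Snorkel Flow docs: fill the {{ }} placeholders in the
# manifests above from environment variables, refuse to apply anything that still
# contains a placeholder, and stream the result into kubectl so the rendered Secret
# (which carries the storage account key) is never written to disk.
# Assumes STORAGE_ACCOUNT_NAME and STORAGE_ACCOUNT_KEY are exported in the shell.

# Storage account names are 3-24 characters, lowercase letters and digits only.
valid_storage_account_name() {
    printf '%s' "$1" | LC_ALL=C grep -Eq '^[a-z0-9]{3,24}$'
}

# Escape a value for the replacement side of a sed 's|...|...|' expression
# (access keys are base64 and may contain '/', '+', '='; '&' and '\' are special).
sed_escape() {
    printf '%s' "$1" | sed 's/[&|\\]/\\&/g'
}

# Read a template on stdin and write the rendered manifest to stdout.
# Returns 1 if a variable is invalid or any {{ }} placeholder is left unresolved.
render_template() {
    valid_storage_account_name "${STORAGE_ACCOUNT_NAME:-}" || {
        echo "STORAGE_ACCOUNT_NAME must be 3-24 lowercase letters or digits" >&2
        return 1
    }
    [ -n "${STORAGE_ACCOUNT_KEY:-}" ] || { echo "STORAGE_ACCOUNT_KEY is empty" >&2; return 1; }
    name=$(sed_escape "$STORAGE_ACCOUNT_NAME")
    key=$(sed_escape "$STORAGE_ACCOUNT_KEY")
    out=$(sed "s|{{ *STORAGE_ACCOUNT_NAME *}}|$name|g; s|{{ *STORAGE_ACCOUNT_KEY *}}|$key|g")
    if printf '%s\n' "$out" | grep -qF '{{'; then
        echo "unresolved placeholder(s):" >&2
        printf '%s\n' "$out" | grep -F '{{' >&2
        return 1
    fi
    printf '%s\n' "$out"
}

# Render a template file and apply it straight from stdin (no rendered copy on disk).
# Example: apply_template storageaccountsecret.yaml
apply_template() {
    rendered=$(render_template <"$1") || return 1
    printf '%s\n' "$rendered" | kubectl apply -f -
}
```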
8. Enable the ingress controller add-on (https://learn.microsoft.com/en-us/azure/aks/web-app-routing?tabs=without-osm):
   `az aks enable-addons -g snorkel-flow-rg -n snorkel-flow-cluster --addons azure-keyvault-secrets-provider,web_application_routing --enable-secret-rotation`
9. Get the object (principal) ID of the managed identity of the web-app-routing add-on from the Azure UI and save it under the name MANAGEDIDENTITY_OBJECTID.
   - From the Azure console, go to Resource Groups, select the resource group created by the Snorkel Flow installation process (not the one defined in variables.tf, but the other automatically created one that ends in "-nodes", for example "snorkel-flow-rg-nodes"), and search for the appropriate managed identity (it should start with "webapprouting-", e.g. "webapprouting-snorkel-flow-cluster").
10. Next, to enable automatic management of DNS records, connect the ingress controller add-on to Azure DNS. Get the resource ID of the Azure DNS zone you created in step 4 from the Azure UI (select the DNS zone, click Properties) and save it under the name ZONEID.
    - `az role assignment create --role "DNS Zone Contributor" --assignee $MANAGEDIDENTITY_OBJECTID --scope $ZONEID`
    - `az aks addon update -g snorkel-flow-rg -n snorkel-flow-cluster --addon web_application_routing --dns-zone-resource-id=$ZONEID`
11. Connect the ingress controller add-on to Azure Key Vault (for automatic management of TLS certs):
    - `KEYVAULTID=$(az keyvault show --name <KeyVaultName> --query "id" --output tsv)`
    - `az role assignment create --role "Key Vault Secrets User" --assignee $MANAGEDIDENTITY_OBJECTID --scope $KEYVAULTID`
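Once both role assignments are in place, it is worth confirming that the add-on's managed identity holds only those two roles, each scoped to the individual DNS zone and Key Vault rather than to a resource group or the subscription. This is an added check, not part of the Snorkel Flow documentation; it assumes MANAGEDIDENTITY_OBJECTID, ZONEID and KEYVAULTID are set as in the steps above.

```shell
#!/bin/sh
# Added example, not from the Snorkel Flow docs: after the two role assignments
# above, confirm the web-app-routing managed identity holds exactly the roles the
# add-on needs, each scoped to the individual DNS zone and Key Vault, and nothing
# broader (a resource group or subscription scope would be a misconfiguration).
# Assumes MANAGEDIDENTITY_OBJECTID, ZONEID and KEYVAULTID are set as in the steps above.
# Usage: check_ingress_identity_roles "$MANAGEDIDENTITY_OBJECTID" "$ZONEID" "$KEYVAULTID"
check_ingress_identity_roles() {
    objid=$1
    # Azure resource IDs are case-insensitive, so compare them lowercased.
    zoneid=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    kvid=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    # One "role<TAB>scope" line per assignment held by the identity, at any scope.
    assignments=$(az role assignment list --assignee "$objid" --all \
        --query "[].[roleDefinitionName, scope]" -o tsv) || return 2
    rc=0; have_dns=0; have_kv=0
    while IFS="$(printf '\t')" read -r role scope; do
        [ -n "$role" ] || continue
        scope=$(printf '%s' "$scope" | tr 'A-Z' 'a-z')
        case "$role|$scope" in
            "DNS Zone Contributor|$zoneid")  have_dns=1 ;;
            "Key Vault Secrets User|$kvid")  have_kv=1 ;;
            *) echo "unexpected assignment: '$role' on $scope" >&2; rc=1 ;;
        esac
    done <<EOF
$assignments
EOF
    [ "$have_dns" = 1 ] || { echo "missing DNS Zone Contributor on $zoneid" >&2; rc=1; }
    [ "$have_kv" = 1 ]  || { echo "missing Key Vault Secrets User on $kvid" >&2; rc=1; }
    return $rc
}
```

A non-zero exit means either a role is missing or the identity has been granted something beyond the two expected scopes.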