-
Notifications
You must be signed in to change notification settings - Fork 18
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Added support for ServiceAccount, Azure Application Gateway and Servi…
…ce Type Load Balancer
- Loading branch information
1 parent
06a9aab
commit e344fd6
Showing
15 changed files
with
144 additions
and
15 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,14 +1,21 @@ | ||
| # This example shows how to deploy and expose GraphDB with AWS Load Balancer Controller Ingress without SSL. | ||
|
|
||
| configuration: | ||
| externalUrl: http://graphdb-example-dns-name.com/ # Change this to your ALB DNS name or Route53 if you use it. | ||
| # Change this to your AzureDNS domain name or use nip.io which you can do after you deploy the chart since you | ||
| # need to map the public IP address of the Application Gateway to the nip.io. | ||
| externalUrl: http://ip.address.nip.io/ | ||
|
|
||
| ingress: | ||
| enabled: true | ||
| className: alb | ||
| annotations: | ||
| # Define name of the Load Ingress | ||
| alb.ingress.kubernetes.io/load-balancer-name: graphdb-ingress | ||
| # Define target type for the Ingress | ||
| alb.ingress.kubernetes.io/target-type: ip | ||
| # This ensures the load balancer is public | ||
| alb.ingress.kubernetes.io/scheme: internet-facing | ||
| # Allowed CIDRs to access the load balancer | ||
| alb.ingress.kubernetes.io/inbound-cidrs: "0.0.0.0/0" | ||
| # Define the ports on which the Ingress should create listener | ||
| alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}]' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,17 +1,27 @@ | ||
| # This example shows how to deploy and expose GraphDB with AWS Load Balancer Controller Ingress with SSL enabled. | ||
|
|
||
| configuration: | ||
| externalUrl: https://graphdb-example-dns-name.com/ # Change this to your ALB DNS name or Route53 if you use it. | ||
| # Change this to your AzureDNS domain name or use nip.io which you can do after you deploy the chart since you | ||
| # need to map the public IP address of the Application Gateway to the nip.io. | ||
| externalUrl: https://ip.address.nip.io | ||
|
|
||
| ingress: | ||
| enabled: true | ||
| className: alb | ||
| annotations: | ||
| # Define name of the Load Ingress | ||
| alb.ingress.kubernetes.io/load-balancer-name: graphdb-ingress | ||
| # Define target type for the Ingress | ||
| alb.ingress.kubernetes.io/target-type: ip | ||
| # This ensures the load balancer is public | ||
| alb.ingress.kubernetes.io/scheme: internet-facing | ||
| # Allowed CIDRs to access the load balancer | ||
| alb.ingress.kubernetes.io/inbound-cidrs: "0.0.0.0/0" | ||
| # Define the ports on which the Ingress should create listener | ||
| alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]' | ||
| alb.ingress.kubernetes.io/certificate-arn: "" # ARN of the ACM SSL Certificate that will be used | ||
| # ARN of the ACM SSL Certificate that will be used | ||
| alb.ingress.kubernetes.io/certificate-arn: "" | ||
| # TLS Policy | ||
| alb.ingress.kubernetes.io/ssl-policy: "ELBSecurityPolicy-TLS13-1-2-2021-06" | ||
| alb.ingress.kubernetes.io/ssl-redirect: '443' | ||
| # Enable SSL redirect on the listener | ||
| alb.ingress.kubernetes.io/ssl-redirect: '443' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,5 +1,5 @@ | ||
| serviceAccount: | ||
| create: true | ||
| name: graphdb | ||
| annotations: | ||
| eks.amazonaws.com/role-arn: arn:aws:iam::<AWS_ACCOUNT_ID>:role/eks-service-account-role # Example ARN Role, replace with your actual IAM Role ARN | ||
| # Example ARN Role, replace with your actual IAM Role ARN | ||
| eks.amazonaws.com/role-arn: arn:aws:iam::<AWS_ACCOUNT_ID>:role/eks-service-account-role |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| # AKS Application Gateway Ingress deployment | ||
|
|
||
| This document describes the steps on how to configure the GraphDB Helm chart to use Application Gateway Ingress on Azure AKS. | ||
|
|
||
| ## Prerequisites | ||
|
|
||
| * AKS Cluster: Ensure you have an AKS cluster up and running. | ||
| * [Enable application gateway ingress on existing AKS cluster](https://learn.microsoft.com/en-us/azure/application-gateway/tutorial-ingress-controller-add-on-new) | ||
| * [Application Gateway supported annotations](https://azure.github.io/application-gateway-kubernetes-ingress/annotations/) | ||
|
|
||
| ## Example | ||
|
|
||
| * [values.yaml](values.yaml) - Example of how to deploy and expose GraphDB with Ingress without SSL enabled. | ||
| * [values_https.yaml](values_https.yaml) - Example of how to deploy and expose GraphDB with Ingress with SSL enabled. | ||
|
|
||
| ## Note | ||
|
|
||
| After you deploy the GraphDB chart you should either point an DNS name to the Application Gateway and set | ||
| the externalUrl property in the chart and re-apply it, or the other option you can use nip.io and map it's | ||
| public ip address to nip.io. In order to do that use the kubectl get ingress commands and copy the Public IP | ||
| for the GraphDB ingress, then go to the values file and set the externalUrl property to http://ip.address.nip.io/. | ||
| Otherwise Workbench won't be accessible. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| # This example shows how to deploy and expose GraphDB with Application Gateway Ingress without SSL. | ||
|
|
||
| configuration: | ||
| # Change this to your AzureDNS domain name or use nip.io which you can do after you deploy the chart since you | ||
| # need to map the public IP address of the Application Gateway to the nip.io. | ||
| externalUrl: http://ip.address.nip.io/ | ||
|
|
||
| ingress: | ||
| enabled: true | ||
| className: azure-application-gateway |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| # This example shows how to deploy and expose GraphDB with Application Gateway Ingress with SSL certificate hosted in the KeyVault Service. | ||
|
|
||
| configuration: | ||
| # Change this to your AzureDNS domain name or use nip.io which you can do after you deploy the chart since you | ||
| # need to map the public IP address of the Application Gateway to the nip.io. | ||
| externalUrl: https://ip.address.nip.io/ | ||
|
|
||
| ingress: | ||
| enabled: true | ||
| className: azure-application-gateway | ||
| annotations: | ||
| # Set the name of the SSL certificate that you have in the KeyVault Service | ||
| appgw.ingress.kubernetes.io/appgw-ssl-certificate: "name-of-appgw-installed-certificate" | ||
| # Enable SSL redirect on the listener | ||
| appgw.ingress.kubernetes.io/ssl-redirect: "true" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| # AKS Load Balancer type deployment | ||
|
|
||
| This folder contains examples of using GraphDB with the Azure Load Balancer and Application Gateway Ingress. | ||
|
|
||
| ## Pre-requisites | ||
|
|
||
| * AKS Cluster: Ensure you have an AKS cluster up and running. | ||
| * [Use a public standard load balancer in Azure Kubernetes Service (AKS)](https://learn.microsoft.com/en-us/azure/aks/load-balancer-standard) | ||
| * [Expose an AKS service over HTTP or HTTPS using Application Gateway](https://learn.microsoft.com/en-us/azure/application-gateway/ingress-controller-expose-service-over-http-https) | ||
| * [Azure Kubernetes Service Type Load Balancer supported annotations](https://cloud-provider-azure.sigs.k8s.io/topics/loadbalancer/#loadbalancer-annotations) | ||
|
|
||
| ## Example | ||
|
|
||
| * [values.yaml](values.yaml) - Example of how to deploy and expose GraphDB with Azure Load Balancer. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| # This example shows how to deploy and expose GraphDB with Application Gateway Ingress and Service Type Load Balancer without SSL enabled. | ||
|
|
||
| service: | ||
| enabled: true | ||
| ports: | ||
| http: 80 | ||
| type: LoadBalancer | ||
| annotations: | ||
| service.beta.kubernetes.io/azure-load-balancer-internal: "false" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| # Azure Service Account Examples | ||
|
|
||
| This folder contains examples of using GraphDB with the Service account to gain access to the Azure services. | ||
|
|
||
| The main reason that we want to use service accounts is that GraphDB relies on Azure Storage Account | ||
| for the Cloud Backups. But you can use that service account to use other Azure services from the AKS cluster as well, | ||
| when you have configured your IAM Role Assignments properly. | ||
|
|
||
| ## Pre-requisites | ||
|
|
||
| * AKS Cluster: Ensure you have an AKS cluster up and running. | ||
| * Before starting with the service account setup you should have an IAM Role assignment that should | ||
| have access to the Azure Storage Account Service. | ||
| * [Best practices for authentication and authorization in Azure Kubernetes Service (AKS)](https://learn.microsoft.com/en-us/azure/aks/operator-best-practices-identity) | ||
| * [Azure Login using identity](https://learn.microsoft.com/en-us/cli/azure/authenticate-azure-cli-managed-identity) | ||
| * [Deploy and configure workload identity on an Azure Kubernetes Service (AKS) cluster](https://learn.microsoft.com/en-us/azure/aks/workload-identity-deploy-cluster) | ||
| * [Azure Role Assignments](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal) | ||
|
|
||
| ## Example | ||
|
|
||
| * [values.yaml](values.yaml) - Example of how to deploy the service account. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| serviceAccount: | ||
| create: true | ||
| annotations: | ||
| azure.workload.identity/client-id: <YOUR_MANAGED_IDENTITIY_CLIENT_ID> |