User's Guide: Deploy the Workflow - Web Interface

1.0 Deploy the Workflow Using UI

After a workflow is approved by all the users, you can execute the application in the workflow using the workflow RUN button that allows users to start the application job and monitor them.

2.0 Execute the Application on Azure Kubernetes Service

2.1 Prerequisites

The following needs to be configured in Fortanix CCM:

• Compute Clusters: A compute cluster is a set of nodes that run containerized applications. Compute clusters are used to run Fortanix CCM workflows. Refer to Configure the AKS Compute Cluster for steps to configure a compute cluster in Fortanix CCM and access the cluster.

• Job specification: A Kubernetes job spec is a YAML file. A skeleton is provided as input to Fortanix CCM with user parameters. This is then updated by Fortanix CCM with relevant environment variables. Please see the example for expected inputs.
  Refer to Configure Workflow for steps to configure the Kubernetes job specification.

2.2 Create an AKS Cluster

To set up an AKS Cluster, refer to the article how to set up an AKS cluster as worker nodes in Fortanix CCM. The article shows you how to:

• Create a cluster

• Configure Fortanix Node Agent

• Use the cluster to deploy applications manually

2.3 Obtain the Kubectl Config File

A kubectl YAML file is used to configure the compute cluster. This file stores the following:

• The client certificates, token, and cluster CA certificate. This is the only authentication mechanism for AKS. We do not yet support username/password or other authentication options.

• The server address.

• Metadata like cluster name and user name.

The following are the usual steps for Azure Kubernetes Service to obtain a kubectl config file. For more information refer to official documentation from Microsoft.

1. Log in on the command line.

   az login

2. Get a list of all the available subscriptions.

   az account list

3. Select a subscription.

   az account set --subscription subscription-id

4. Get the AKS credentials.

   az aks get-credentials --name (cluster-name) --resource-group (cluster-resource-group)

   The config is now available in ~/.kube/config folder.

   NOTE

   The credentials can be revoked if needed using the command:az aks rotate-certificates but this will incur downtime, for more information, check Microsoft Azure Kubernetes Service documentation.

2.4 Configure the AKS Compute Cluster

To start applications using the RUN button, you must configure the AKS credentials in Fortanix CCM.

To configure the AKS cluster in Fortanix CCM:

1. Click the Infrastructure → Compute Clusters menu item in the CCM UI left navigation panel.

2. In the Compute Clusters page, click ADD COMPUTE CLUSTER to configure a new compute cluster.  

   

3. On the “Add Cluster” page, enter the following details:

   • Name: The AKS cluster name.

   • Type: The runtime environment, that is, Kubernetes.

   • Kubernetes Configuration: The YAML file obtained in Section Obtain the Kubectl File that has the AKS configuration details.

   

4. Click ADD CLUSTER to save the cluster configuration. The cluster is now successfully configured.  

   

2.5 Configure Workflow

To run a workflow application, you need to configure the workflow by following the steps below:

1. Click the Workflows → Approved workflows in the CCM UI left navigation panel.

2. From the list of approved workflows, select a workflow that has a single application since Fortanix CCM supports only single job deployments.  

   

3. In the detailed view of the selected workflow, you will notice a RUN button in the disabled state. The RUN button will be disabled if you have not configured the job specification. To enable the RUN button, configure the Kubernetes job specification using the Configuration   icon next to the RUN button.  

   

4. In the RUN WORKFLOW window, enter the following details:

   • Deployment Type: The workflow deployment type is Kubernetes (Single Job). Currently, Fortanix CCM supports only a single job deployment.

   • Namespace: The Kubernetes namespace

   • Cluster: The cluster that you configured in Fortanix CCM. Currently, Fortanix CCM supports only the AKS cluster as the runtime environment for deploying the workflow.

   • Deployment Type: The deployment type for the application, that is, Kubernetes.

   • Job Specification: The Kubernetes job specification YAML file that is required by the cluster and the application to run the application job.

   apiVersion: batch/v1
   kind: Job
   metadata:
     name: job-name
   spec:
     backoffLimit: 0
     template:
       spec:
         containers:
         - name: containername
           resources:
             limits:
               kubernetes.azure.com/sgx_epc_mem_in_MiB: 1
         imagePullSecrets:
         - name: dockerhub
         restartPolicy: Never
   

   NOTE

   • Refer to the Kubernetes job specification at: https://kubernetes.io/docs/concepts/workloads/controllers/job/

   • Fortanix CCM incorporates the necessary environment variables into the provided Kubernetes job specification.

   • When hosting the Docker image in a password-protected repository, include imagePullSecrets.

   • Fortanix CCM does not push any secrets stored in it; it is the user’s responsibility to configure these in Kubernetes.

   

5. Configure secret in Kubernetes.

   • This is a subset of: https://kubernetes.io/docs/concepts/configuration/secret/

   • For any information, please refer to the official documentation above.
     To configure the secret:

   • If you are using a docker hub, generate a token as in this example.

   • If you are using ECR - get a token using the CLI.

   • Using the docker server, for the docker hub, is the URL used in this example.

   NOTE

   Tokens usually expire, so the following step needs to be refreshed.

   kubectl delete secret dockerhub
   kubectl create secret docker-registry dockerhub --docker-server=https://index.docker.io/v1/ --docker-username=username --docker-password=password

6. Click SAVE CONFIGURATION to configure the Kubernetes job specification.

7. If the job spec is configured successfully, you will see the RUN button enabled.  

   

2.6 Run the Workflow Application

To run the workflow application:

1. Configure the image pull secret.

2. Click the RUN button in the detailed view of an approved workflow that you enabled in the previous section.  

   

3. In the RUN WORKFLOW window, the Cluster, Job Type, and Job Spec that you configured in the previous section will be selected.

4. Click RUN to run the workflow.  

   

5. Observe the Running indication at the bottom of the workflow.

   NOTE

   At any point, if there is a need to stop the execution, click STOP. This will re-enable the RUN button.

6. The Execution Log will display the execution status if the application executes successfully. Click the View detail link to view the log details.  

   

7. The EXECUTION LOG window shows the detailed logs of the run. You can also download the log using the DOWNLOAD button.  

   

   NOTE

   Attempting to execute a workflow containing more than one application will result in the following error. The Fortanix CCM only supports running a workflow with a single application.