1.0 Deploy the Workflow Using UI
After a workflow is approved by all the users, you can execute the application in the workflow using the workflow's RUN button, which starts the application job and lets you monitor it.
2.0 Execute the Application on Azure Kubernetes Service
The following needs to be configured in Fortanix CCM:
- Compute Clusters: A compute cluster is a set of nodes that run containerized applications. Compute clusters are used to run Fortanix CCM workflows. Refer to Configure the AKS Compute Cluster for steps to configure a compute cluster in Fortanix CCM and access the cluster.
- Job specification: A Kubernetes job spec is a YAML file. A skeleton with user parameters is provided as input to Fortanix CCM, which then updates it with the relevant environment variables. Please see the example for expected inputs.
Refer to Configure Workflow for steps to configure the Kubernetes job specification.
2.2 Create an AKS Cluster
To set up an AKS Cluster, refer to the article how to set up an AKS cluster as worker nodes in Fortanix CCM. The article shows you how to:
- Create a cluster
- Configure Fortanix Node Agent
- Use the cluster to deploy applications manually
2.3 Obtain the Kubectl Config File
The kubectl config YAML file is used to configure the compute cluster. This file stores the following:
- The client certificates, token, and cluster CA certificate. This is the only authentication mechanism for AKS. We do not yet support username/password or other authentication options.
- The server address.
- Metadata like cluster name and user name.
The following are the usual steps to obtain a kubectl config file for Azure Kubernetes Service. For more information, refer to the official documentation from Microsoft.
- Log in on the command line.
- Get a list of all the available subscriptions.
    az account list
- Select a subscription.
    az account set --subscription subscription-id
- Get the AKS credentials.
    az aks get-credentials --name (cluster-name) --resource-group (cluster-resource-group)
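Because the file produced by these steps carries the client key or token, it is worth checking before it is uploaded to Fortanix CCM. The script below is an added example, not part of the Fortanix or Microsoft documentation: a line-oriented (grep-based, not a YAML parser) check for the items listed above. The function names, the file name `aks.kubeconfig` and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-upload check of a kubeconfig destined for Fortanix CCM.
# Export to a dedicated file instead of merging into ~/.kube/config, e.g.:
#   az aks get-credentials --name (cluster-name) --resource-group (cluster-resource-group) --file ./aks.kubeconfig
has() { grep -Eq "$1" "$2"; }   # true if the extended regex matches any line

check_kubeconfig() {
    f=$1; rc=0
    [ -f "$f" ] || { echo "FAIL: $f not found"; return 2; }
    # The file holds a client key or bearer token: owner-only access.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case $mode in 600|400) ;; *) echo "FAIL: mode $mode, expected 600"; rc=1 ;; esac
    has '^ *server: *https://' "$f" || { echo "FAIL: no https server address"; rc=1; }
    has '^ *certificate-authority-data: *[^ ]' "$f" || { echo "FAIL: no cluster CA certificate"; rc=1; }
    if has '^ *client-certificate-data: *[^ ]' "$f" && has '^ *client-key-data: *[^ ]' "$f"; then :   # client certificate
    elif has '^ *token: *[^ ]' "$f"; then :   # bearer token
    else echo "FAIL: no client certificate/key or token"; rc=1
    fi
    # Username/password authentication is not supported for AKS in CCM.
    if has '^ *(username|password):' "$f"; then echo "FAIL: username/password entry"; rc=1; fi
    # Disabling TLS verification would make the CA certificate meaningless.
    if has 'insecure-skip-tls-verify: *true' "$f"; then echo "FAIL: TLS verification disabled"; rc=1; fi
    [ "$rc" -eq 0 ] && echo "OK: $f"
    return "$rc"
}

write_sample() {   # constructed kubeconfig; every value is a placeholder
    ( umask 077; cat > "$1" ) <<'EOF'
apiVersion: v1
kind: Config
clusters:
- name: example-aks
  cluster:
    server: https://example-aks.invalid:443
    certificate-authority-data: Q09OU1RSVUNURUQ=
users:
- name: clusterUser_example
  user:
    client-certificate-data: Q09OU1RSVUNURUQ=
    client-key-data: Q09OU1RSVUNURUQ=
EOF
}

demo=$(mktemp -d)/aks.kubeconfig
write_sample "$demo" && check_kubeconfig "$demo"
rm -rf "$(dirname "$demo")"
```

Run `check_kubeconfig` against the exported file and delete the local copy once the cluster has been added in CCM.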
2.4 Configure the AKS Compute Cluster
To start applications using the RUN button, you must configure the AKS credentials in Fortanix CCM.
To configure the AKS cluster in Fortanix CCM:
- Click the Infrastructure → Compute Clusters menu item in the CCM UI left navigation bar.
- In the Compute Clusters page, click ADD COMPUTE CLUSTER to configure a new compute cluster. Figure 1: Create compute cluster
- On the “Add Cluster” page, enter the following details:
- Name: The AKS cluster name.
- Type: The runtime environment, that is, Kubernetes.
- Kubernetes Configuration: The YAML file obtained in section 2.3, Obtain the Kubectl Config File, that has the AKS configuration details.
- Click ADD CLUSTER to save the cluster configuration. The cluster is now successfully configured. Figure 3: Cluster configured
2.5 Configure Workflow
To run a workflow application, you need to configure the workflow by following the steps below:
- Click Workflows → Approved workflows in the CCM UI left navigation bar.
- From the list of approved workflows, select a workflow that has a single application since Fortanix CCM supports only single job deployments. Figure 4: Select approved workflow
- In the detailed view of the selected workflow, you will notice a RUN button in the disabled state. The RUN button will be disabled if you have not configured the job specification. To enable the RUN button, configure the Kubernetes job specification using the Configuration icon next to the RUN button. Figure 5: Configure job spec
- In the RUN WORKFLOW window, enter the following details:
- Deployment Type: The workflow deployment type is Kubernetes (Single Job). Currently, Fortanix CCM supports only a single job deployment.
- Namespace: The Kubernetes namespace.
- Cluster: The cluster that you configured in Fortanix CCM. Currently, Fortanix CCM supports only the AKS cluster as the runtime environment for deploying the workflow.
- Deployment Type: The deployment type for the application, that is, Kubernetes.
- Job Specification: The Kubernetes job specification YAML file that is required by the cluster and the application to run the application job.
- name: containername
- name: dockerhub
- Configure secret in Kubernetes.
- This is a subset of: https://kubernetes.io/docs/concepts/configuration/secret/
- For more information, please refer to the official documentation above.
To configure the secret:
- If you are using Docker Hub, generate a token as in this example.
- If you are using ECR, get a token using the CLI.
- The docker server value, for Docker Hub, is the URL used in this example.
- Click SAVE CONFIGURATION to configure the Kubernetes job specification.
- If the job spec is configured successfully, you will see the RUN button enabled. Figure 8: Run enabled
2.6 Run the Workflow Application
To run the workflow application:
- Configure the image pull secret.
- Click the RUN button in the detailed view of an approved workflow that you enabled in the previous section. Figure 9: Run the application
- In the RUN WORKFLOW window, the Cluster, Job Type, and Job Spec that you configured in the previous section will be selected.
- Click RUN to run the workflow. Figure 10: Run workflow
- Observe the Running indication at the bottom of the workflow. At any point, if there is a need to stop the execution, click STOP. This will re-enable the RUN button.
- The Execution Log will display the execution status if the application executes successfully. Click the View detail link to view the log details. Figure 11: Running workflow
- The EXECUTION LOG window shows the detailed logs of the run. You can also download the log using the DOWNLOAD button. Figure 12: Log details