User's Guide: Deploy the Workflow - Web Interface

1.0 Deploy the Workflow Using UI

After a workflow is approved by all the users, you can execute the application in the workflow using the workflow RUN button that allows users to start the application job and monitor them.

NOTE
  • Currently, the RUN button works only for single job deployments, that is, workflows that only contain a single application will run using the RUN button. In future releases of Fortanix CCM, multiple jobs will be supported.
  • The application execution will be performed on the Azure Kubernetes Service (AKS) runtime environment. In future releases of Fortanix CCM, other runtime environments will also be supported for workflow deployment.

2.0 Execute the Application on Azure Kubernetes Service

2.1 Prerequisites

The following needs to be configured in Fortanix CCM:

  • Compute Clusters: A compute cluster is a set of nodes that run containerized applications. Compute clusters are used to run Fortanix CCM workflows. Refer to Configure the AKS Compute Cluster for steps to configure a compute cluster in Fortanix CCM and access the cluster.
  • Job specification: A Kubernetes job spec is a YAML file. A skeleton is provided as input to Fortanix CCM with user parameters. This is then updated by Fortanix CCM with relevant environment variables. Please see the example for expected inputs.
    Refer to Configure Workflow for steps to configure the Kubernetes job specification.

2.2 Create an AKS Cluster

To set up an AKS Cluster, refer to the article how to set up an AKS cluster as worker nodes in Fortanix CCM. The article shows you how to:

  • Create a cluster
  • Configure Fortanix Node Agent
  • Use the cluster to deploy applications manually

2.3 Obtain the Kubectl Config File

A kubectl YAML file is used to configure the compute cluster. This file stores the following:

  • The client certificates, token, and cluster CA certificate. This is the only authentication mechanism for AKS. We do not yet support username/password or other authentication options.
  • The server address.
  • Metadata like cluster name and user name.

The following are the usual steps for Azure Kubernetes Service to obtain a kubectl config file. For more information refer to official documentation from Microsoft.

  1. Log in on the command line.
    az login
  2. Get a list of all the available subscriptions.
    az account list
  3. Select a subscription.
    az account set --subscription subscription-id
  4. Get the AKS credentials.
    az aks get-credentials --name (cluster-name) --resource-group (cluster-resource-group)
    The config is now available in ~/.kube/config folder.
    NOTE
    The credentials can be revoked if needed using the command:az aks rotate-certificates but this will incur downtime, for more information, check Microsoft Azure Kubernetes Service documentation.

2.4 Configure the AKS Compute Cluster

To start applications using the RUN button, you must configure the AKS credentials in Fortanix CCM.

NOTE
Only the Azure Kubernetes Service is available at the moment.

To configure the AKS cluster in Fortanix CCM:

  1. Click the InfrastructureCompute Clusters menu item in the CCM UI left navigation bar.
  2. In the Compute Clusters page, click ADD COMPUTE CLUSTER to configure a new compute cluster. add-compute-cluster.pngFigure 1: Create compute cluster
  3. On the “Add Cluster” page, enter the following details:
    • Name: The AKS cluster name.
    • Type: The runtime environment, that is, Kubernetes.
    • Kubernetes Configuration: The YAML file obtained in Section Obtain the Kubectl File that has the AKS configuration details.
    2023-10-20_16-36-54.png Figure 2: Configure the compute cluster
  4. Click ADD CLUSTER to save the cluster configuration. The cluster is now successfully configured. Screenshot (61).png Figure 3: Cluster configured

2.5 Configure Workflow

To run a workflow application, you need to configure the workflow by following the steps below:

  1. Click the WorkflowsApproved workflows in the CCM UI left navigation bar.
  2. From the list of approved workflows, select a workflow that has a single application since Fortanix CCM supports only single job deployments. Screenshot (57).png Figure 4: Select approved workflow
  3. In the detailed view of the selected workflow, you will notice a RUN button in the disabled state. The RUN button will be disabled if you have not configured the job specification. To enable the RUN button, configure the Kubernetes job specification using the Configuration ComputeClusters4.png icon next to the RUN button. Screenshot (57) - Copy.pngFigure 5: Configure job spec
  4. In the RUN WORKFLOW window, enter the following details:
    • Deployment Type: The workflow deployment type is Kubernetes (Single Job). Currently, Fortanix CCM supports only a single job deployment.
    • Namespace: The Kubernetes namespace
    • Cluster: The cluster that you configured in Fortanix CCM. Currently, Fortanix CCM supports only the AKS cluster as the runtime environment for deploying the workflow.
    • Deployment Type: The deployment type for the application, that is, Kubernetes.
    • Job Specification: The Kubernetes job specification YAML file that is required by the cluster and the application to run the application job.
    apiVersion: batch/v1
    kind: Job
    metadata:
    name: job-name
    spec:
    backoffLimit: 0
    template:
    spec:
    containers:
    - name: containername
    resources:
    limits:
    kubernetes.azure.com/sgx_epc_mem_in_MiB: 1
    imagePullSecrets:
    - name: dockerhub
    restartPolicy: Never
    NOTE
    • Refer to the Kubernetes job specification at: https://kubernetes.io/docs/concepts/workloads/controllers/job/
    • Fortanix CCM incorporates the necessary environment variables into the provided Kubernetes job specification.
    • When hosting the Docker image in a password-protected repository, include imagePullSecrets.
    • Fortanix CCM does not push any secrets stored in it; it is the user’s responsibility to configure these in Kubernetes.
    2023-10-20_16-45-42.png Figure 6: Configure job spec
  5. Configure secret in Kubernetes.
    • This is a subset of: https://kubernetes.io/docs/concepts/configuration/secret/
    • For any information, please refer to the official documentation above.
      To configure the secret:
    • If you are using a docker hub, generate a token as in this example.
    • If you are using ECR - get a token using the CLI.
    • Using the docker server, for the docker hub, is the URL used in this example.
    NOTE
    Tokens usually expire, so the following step needs to be refreshed.
    kubectl delete secret dockerhub
    kubectl create secret docker-registry dockerhub --docker-server=https://index.docker.io/v1/ --docker-username=username --docker-password=password
  6. Click SAVE CONFIGURATION to configure the Kubernetes job specification.
  7. If the job spec is configured successfully, you will see the RUN button enabled. Screenshot (60).pngFigure 8: Run enabled

2.6 Run the Workflow Application

To run the workflow application:

  1. Configure the image pull secret.
  2. Click the RUN button in the detailed view of an approved workflow that you enabled in the previous section. Screenshot (60) - Copy.pngFigure 9: Run the application
  3. In the RUN WORKFLOW window, the Cluster, Job Type, and Job Spec that you configured in the previous section will be selected.
  4. Click RUN to run the workflow. 2023-10-20_16-49-32.pngFigure 10: Run workflow
  5. Observe the Running indication at the bottom of the workflow.
    NOTE
    At any point, if there is a need to stop the execution, click STOP. This will re-enable the RUN button.
  6. The Execution Log will display the execution status if the application executes successfully. Click the View detail link to view the log details. ComputeClusters15.pngFigure 11: Running workflow
  7. The EXECUTION LOG window shows the detailed logs of the run. You can also download the log using the DOWNLOAD button. ComputeClusters13.pngFigure 12: Log details
    NOTE
    Attempting to execute a workflow containing more than one application will result in the following error. The Fortanix CCM only supports running a workflow with a single application. ComputeClusters14.pngFigure 13: Workflow execution not allowed for multiple applications

Comments

Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful