Installation using werf and Helm
Install Helm
The kmdworkzone chart requires Helm 3.7+ for successful installation. Check your Helm release before installation.
- Open a PowerShell console as administrator and execute the following command:
choco install kubernetes-helm
- Verify the Helm version by executing the following command:
helm version --short
Install werf
Use werf to deploy WorkZone with a single command and ensure that the deployment happens in a specific order. Only when the first container in a repo is deployed successfully, the remaining containers in the repo will be deployed according to a specific order. See Order of containers. In case of any error while deploying the container, werf will stop deploying the containers. The werf tool provides a deployment status (In Progress, Completion, or Error) with a color code.
Werf is a wrapper of Helm, so please refer both to helm.sh and werf.io for reference. Refer to werf.io for installation guidance.
Tip: Set the target OS in the werf.io guide to get the right instructions for installation.
Standard werf packages
WorkZone releases a number of standard werf pacages that install different sets of WorkZone depending on different use cases. It is important to choose the package that fits your specific use case in order to only utilize the relevant resources in your setup.
| werf package | Description |
|---|---|
|
werf-wz-core |
The core package includes WorkZone Content Server, WorkZone Client, WorkZone Configurator, and WorkZone PDF modules. |
|
werf-wz-basic |
In addition to the core services in core package, the basic package includes WorkZone Process, WorkZone 365 and WorkZone for Office. |
|
werf-wz |
The wz package includes the basic package plus WorkZone AI, WorkZone 365 - Teams and Sharepoint , WorkZone Contact Lookup, and the Auto Purge modules. |
|
werf-wz-dk |
The dk package includes the basic package plus modules specific to the Danish Market such as WorkZone CPR and CVR Lookup, WorkZone CPR and CVR Update, and WorkZone AI. |
|
werf-wz-all |
The all package deploys all released WorkZone containers from the container registry. |
The table below provides an overview of which containers are included in the different packages
| Container | werf-wz-core | werf-wz-basic | werf-wz | werf-wz-dk | werf-wz-all |
|---|---|---|---|---|---|
| dbupgrade | X | X | X | X | X |
| sourceimport | X | X | X | X | X |
| agentfix | X | X | X | X | X |
| agentadw | X | X | X | X | X |
| agentocr | X | X | X | X | X |
| agentsub | X | X | X | X | X |
| explorer | X | X | X | X | X |
| landingpage | X | X | X | X | X |
| notifications | X | X | X | X | X |
| oauth2 | X | ||||
| odata | X | X | X | X | X |
| office | X | X | X | X | |
| wopi | X | ||||
| wopiclient | X | ||||
| scim | X | X | X | X | X |
| init | X | X | X | X | |
| mailagent | X | X | X | X | |
| mailnotification | X | X | X | X | |
| process | X | X | X | X | |
| processagent | X | X | X | X | |
| pushnotification | X | X | X | X | |
| postinit | X | X | X | X | |
| init | X | X | X | X | X |
| pdfcrawler | X | X | X | X | X |
| pdfengine | X | X | X | X | X |
| Client | X | X | X | X | X |
| Configurator | X | X | X | X | X |
| office | X | X | X | X | |
| api | X | X | X | X | |
| upgrade | X | X | X | X | |
| staticfilesprovider | X | X | X | X | |
| spconnectorinit | X | X | |||
| spconnector | X | X | |||
| frontend | X | X | |||
| client | X | X | |||
| wzlogic-init | X | X | |||
| subscriptionservice | X | X | |||
| updateservice | X | X | X | X | |
| contactlookupservice | X | X | X | X | |
| cprsubscriptionservice | X | X | |||
| cprupdateservice | X | X | |||
| autopurge | X | X | X | ||
| kmdtxt | X | X | X | ||
| WZRS | X | X | X | ||
| documentmerge | X | X | X | X |
Order of containers
The table below shows the order in which the containers are deployed.
| Repo | Order No | Container name | Job/deployment |
|---|---|---|---|
| WZCS | 1 | dbupgrade | Job |
| 2 | sourceimport | Job | |
| 3 | agentfix | Deployment | |
| 4 | agentadw | Deployment | |
| 5 | agentocr | Deployment | |
| 6 | agentsub | Deployment | |
| 7 | explorer | Deployment | |
| 8 | landingpage | Deployment | |
| 9 | notifications | Deployment | |
| 10 | oauth2 | Deployment | |
| 11 | odata | Deployment | |
| 12 | office | Deployment | |
| 13 | wopi | Deployment | |
| 14 | wopiclient | Deployment | |
| 15 | scim | Deployment | |
| WZP | 1 | init | Job |
| 2 | mailagent | Deployment | |
| 3 | mailnotification | Deployment | |
| 4 | process | Deployment | |
| 5 | processagent | Deployment | |
| 6 | pushnotification | Deployment | |
| 7 | postinit | Job | |
| WZPDF | 1 | init | Job |
| 2 | pdfcrawler | Deployment | |
| 3 | pdfengine | Deployment | |
| WZC | 1 | Client | Deployment |
| WZCNF | 1 | Configurator | Deployment |
| WZO | 1 | office | Deployment |
| 2 | api | Deployment | |
| WZFO | 1 | upgrade | Job |
| 2 | staticfilesprovider | Deployment | |
| WZSP | 1 | spconnectorinit | Job |
| 2 | spconnector | Deployment | |
| 3 | frontend | Deployment | |
| WZTC | 1 | client | Deployment |
| WZLOGIC | 1 | wzlogic-init | Job |
| 2 | subscriptionservice | Deployment | |
| 3 | updateservice | Deployment | |
| 4 | contactlookupservice | Deployment | |
| 5 | cprsubscriptionservice d | Deployment | |
| 6 | cprupdateservice | Deployment | |
| WZCS_autopurge | 1 | autopurge | Job |
| kmdtxt | 1 | kmdtxt | Deployment |
| WZRS | 1 | WZRS | Deployment |
| WZdocumentmerge | 1 | documentmerge | Deployment |
Create the Ingress controller on AKS
In PowerShell, execute the following commands as administrator:
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm install ingress-nginx ingress-nginx/ingress-nginx --create-namespace --namespace ingress-basic --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz --set controller.nodeSelector."kubernetes\.io/os"=linux --set controller.admissionWebhooks.patch.nodeSelector."kubernetes\.io/os"=linux --set defaultBackend.nodeSelector."kubernetes\.io/os"=linux
Prepare the Key Vault for installing WorkZone
All pod secrets for WorkZone are stored in a Key Vault. You need to set the pod secrets before doing the actual container deployment. See platform-specific (Azure) documentation for creating a Key Vault.
The following values should exist in the Key Vault.
| Key | Description |
|---|---|
| WORKZONE-ADREPLICATOR-OAUTH2-CLIENTSECRET | |
| WORKZONE-AZURE-CLIENTID | |
| WORKZONE-AZURE-CLIENTSECRET | |
| WORKZONE-AZURE-TENANTID | |
| WORKZONE-DB-ARCHIVE | |
| WORKZONE-DB-DSN | |
| WORKZONE-DB-HOSTNAME | |
| WORKZONE-DB-ODBC | |
| WORKZONE-DB-ODPNET | |
| WORKZONE-DB-PORT | |
| WORKZONE-DB-PROTOCOL | |
| WORKZONE-DB-SERVER-MODE | |
| WORKZONE-DB-SID | |
| WORKZONE-DB-SJUSER-PASSWORD | |
| WORKZONE-DB-SJUSER-USERNAME | |
| WORKZONE-DB-SYS-PASSWORD | |
| WORKZONE-DB-SYS-USERNAME | |
| WORKZONE-LOGIC-CPR-CONFIGURATIONID | |
| WORKZONE-LOGIC-CPR-SUBSCRIPTIONID | |
| WORKZONE-LOGIC-CVR-CONFIGURATIONID | |
| WORKZONE-LOGIC-CVR-SUBSCRIPTIONID | |
| WORKZONE-LOGIC-OAUTH2-SECRET | |
| WORKZONE-LOGIC-TOKENPROVIDER-CLIENTSECRET | |
| WORKZONE-PDF-CRAWLER-CLIENTSECRET | |
| WORKZONE-PROCESS-EXCHANGE-CLIENTID | The GUID of the client ID. |
| WORKZONE-PROCESS-EXCHANGE-CLIENTSECRET | The secret used to access the application in Entra ID. |
| WORKZONE-PROCESS-EXCHANGE-MAILBOX | The email address of the Exchange user who sends smartmails. |
| WORKZONE-PROCESS-EXCHANGE-SERVER-URI | The endpoint for the Exchange service. |
| WORKZONE-PROCESS-EXCHANGE-TENANTID | The GUID of the tenant ID. |
| WORKZONE-PROCESS-OAUTH2-CLIENTSECRET | The OAUTH2 secret used by WorkZone Process. |
| WORKZONE-WZSP-CLIENT-ID | |
| WORKZONE-WZSP-CLIENT-SECRET | |
| WORKZONE-WZSP-SHAREPOINT-CLIENT-ID | |
| WORKZONE-WZSP-SHAREPOINT-SP-CLIENT-SECRET | |
| WORKZONE-WZSP-SHAREPOINT-SP-TENANT-ID |
Install the containers using a master Helm chart
Prerequisite: You should have a running Azure AKS and a Windows node pool.
- Copy and paste the code below, and save it as a
values.yamlfile.# Default values for workzone namespace. # This is a YAML-formatted file. # Declare variables to be passed into your templates. affinity: {} nodeSelector: kubernetes.io/os: windows kubernetes.io/arch: amd64 tolerations: - effect: NoSchedule key: os operator: Equal value: windows dapr: enabled: false tracing: enabled: false # Azure Key Vault provider for Secrets Store CSI Driver allows you to get secret contents stored in an Azure Key Vault instance and use the Secrets Store CSI driver interface to mount them into Kubernetes pods secretProvider: # https://azure.github.io/secrets-store-csi-driver-provider-azure/configurations/identity-access-modes/ # Modes for accessing a Key Vault instance: PodIdentity, UserAssignedManagedIdentity accessMode: PodIdentity # if eq .Values.secretProvider.accessMode "PodIdentity". The selector to identify which pods should be assigned to the AzureIdentity. # AAD Pod Identity will go through a list of pods and look for value of pod label with key aadpodidbinding that is equal to this value podIdentitySelector: csi-secrets-store global: workzone: url: https://localhost wzc: client: url: https://wzc-client/app/client wzcnf: configurator: url: https://wzcnf-configurator/app/configurator wzcs: explorer: url: https://wzcs-explorer/explorer notifications: url: https://wzcs-notifications/notifications oauth2: url: https://wzcs-oauth2/oauth2 internalUrl: https://wzcs-oauth2/oauth2 internalDaprUrl: https://localhost:3500/v1.0/invoke/wzcs-oauth2/method/oauth2 odata: url: https://wzcs-odata/odata internalRootUrl: https://wzcs-odata internalUrl: https://wzcs-odata/odata internalDaprRootUrl: https://localhost:3500/v1.0/invoke/wzcs-odata/method internalDaprUrl: https://localhost:3500/v1.0/invoke/wzcs-odata/method/odata office: url: https://wzcs-office/Office sourceimport: # Cron schedule for running source import schedule: "*/30 * * * *" wopi: url: https://wzcs-wopi/wopi wopiclient: url: https://wzcs-wopiclient/wopiclient wzfo: staticfilesprovider: url: https://wzfo-staticfilesprovider/App/Office wzlogic: oauth2: clientId: CvrUpdate.UpdateService tokenProvider: authorizationScope: https://logicidentityprod.onmicrosoft.com/LogicAPI/user_impersonation wzp: process: url: https://wzp-process/process internalUrl: https://wzp-process/process localUrl: https://localhost/process wzpdf: oauth2: clientId: WZPDF.CRAWLER pdfengine: url: https://wzpdf-pdfengine/render pdfservice: url: https://wzpdf-pdfengine/render wzsp: spconnector: url: https://wzsp-spconnector/spconnector internalUrl: https://localhost:3500/v1.0/invoke/wzsp-spconnector/method/spconnector frontend: url: https://wzsp-frontend/frontend internalUrl: https://localhost:3500/v1.0/invoke/wzsp-frontend/method/frontend db: #if need to customize below paramemeters, add value into environment.yaml file tablespacemap: DATA cultures: da-DK corporate_access_code: "N" freetext: "N" dapr: Azure Key Vault provider for Secrets Store CSI Driver allows you to get secret contents stored in an Azure Key Vault instance and use the Secrets Store CSI driver interface to mount them into Kubernetes podssecretProvider: Modes for accessing a Key Vault instance:PodIdentity,UserAssignedManagedIdentityaccessMode: PodIdentity: If eq .Values.secretProvider.accessMode "PodIdentity". The selector to identify which pods should be assigned to the AzureIdentity. AAD Pod Identity will go through a list of pods and look for value of pod label with key aadpodidbinding that is equal to this value.sourceimport: Cron schedule for running source import.db: If you need to customize the db paramemeters, add value intoenvironment.yamlfile.- Copy and paste the code below, and save as a
environment.yamlfile.# These values are overridden by passing @helm install command global: image: registry: "kmdworkzone.azurecr.io" repository: "workzone/wzc/client" pullPolicy: IfNotPresent tag: "22.3" ingress: enabled: true className: "nginx" annotations: # Sets Listener protocol HTTPS and port 443 { nginx.ingress.kubernetes.io/use-regex: "true", nginx.ingress.kubernetes.io/proxy-buffer-size: 16k } hostname: <environment_name>.com teamsHostname: <environment_name>.com WORKZONE_OAuth2__Authentication__AzureAD__TenantId: 8xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx9275 # Override this value @helm install command WORKZONE_OAuth2__Authentication__AzureAD__ClientId: fxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx7da2 # Override this value @helm install command #logs: # persistence: # enabled: true # size: 10Gi workzone: url: https://<environment_name>.com wzc: client: url: https://<environment_name>.com/app/client wzcnf: configurator: url: https://<environment_name>.com/app/configurator wzcs: agentsub: mailerAuthCertificateSecret: wildcard-test-workzone-cloud mailerAuthCertificateKeyVault: wz-common-kv explorer: url: https://<environment_name>.com/explorer notifications: url: https://<environment_name>.com/notifications oauth2: url: https://<environment_name>.com/oauth2 odata: url: https://<environment_name>.com/odata office: url: https://<environment_name>.com/Office wopi: url: https://<environment_name>.com/wopi wopiclient: url: https://<environment_name>.com/wopiclient wzfo: staticfilesprovider: url: https://<environment_name>.com/App/Office wzp: process: url: https://<environment_name>.com/process wzpdf: pdfengine: url: https://<environment_name>.com/render pdfservice: url: https://<environment_name>.com/render wzsp: spconnector: url: https://<environment_name>.com/spconnector db: ipAddress: 20.229.71.246 port: 1521 cultures: da-DK;en-GB #wallet: # enabled: true # secretName: wallet #externalServices: # sharepoint: # sharepointUrl: https://<your_sharepointUrl>.sharepoint.com # interact: # enabled: trueannotations: Sets Listener protocol HTTPS and port 443.<environment_name>: Replace with the name of your environment<your_sharepointUrl>: Replace with the SharePointUrl for your companyWORKZONE_OAuth2__Authentication__AzureAD__TenantId: Override this value @helm install command.WORKZONE_OAuth2__Authentication__AzureAD__ClientId: Override this value @helm install command.
- Copy the
values.yamlandenvironment.yamlfiles into a folder.
Authenticate to remote registry (ACR)
The command will prompt for the user name and password and provide the credentials to authenticate with Azure Container Registry (ACR).
werf helm registry login <registry-name>
werf helm registry login kmdworkzone.azurecr.io
Deployment from the registry (ACR)
werf bundle apply --tag v1.0.0 --release myapp --namespace myapp-production --repo kmdworkzone.azurecr.io/helm/werf-oauth2-odata --set global.image.tag=24.1 --values values.yaml --values environment.yaml
Command descriptions:
| --tag: |
The specific chart tag to be deployed. If it is not specified, the default tag will be the latest. |
| --release: |
The name of the release to be deployed. Change the value accordingly. |
| --namespace: |
The name of the namespace where the release is deployed. Change the value accordingly. |
| --repo: |
The registry (ACR) URL that contains the bundled chart. Change the value accordingly. |
| --set: |
Overrides the default image tag value. |
| --values: |
Passing and overriding the value files. The order is important. The value file which is at the rightmost has the highest priority. Change the value files according to environment. |
Helm values
The command uses two value files, values.yaml and environment.yaml. The first value file contains the default values with WorkZone internal URLs and the second value file contains the WorkZone public URL along with database details.
