Preparing container installation

Prepare networking

Create the Ingress controller on AKS

In PowerShell, execute the following commands as administrator:

  1. helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx

  2. helm repo update

  3. helm install ingress-nginx ingress-nginx/ingress-nginx --create-namespace --namespace ingress-basic --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz --set controller.nodeSelector."kubernetes\.io/os"=linux --set controller.admissionWebhooks.patch.nodeSelector."kubernetes\.io/os"=linux --set defaultBackend.nodeSelector."kubernetes\.io/os"=linux

Once Ingress is installed, you can get the inbound and outbound IP addresses.

Register the outbound IP Address

Once Ingress is installed, you can get the outbound IP addresses.

  • In the Azure portal, look at the Load Balancer configuration for the outbound rule, and get the IP address.

  • Allow the outbound IP address on the database instance so that the containers can connect to the database.

In Oracle OCI, you allow the IP address in the network configuration of the database.

Register the Inbound IP Address

Once Ingress is installed, you can get the inbound IP addresses.

  • In the Azure portal, look at the Load Balancer configuration for the inbound rule, and get the IP address.

  • Register the inbound IP address in the DNS for your subdomain.
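The following PowerShell script is an added example and not part of the WorkZone documentation: it reads the inbound IP that Azure assigned to the ingress-nginx controller service (release name and namespace as installed above) and checks that the DNS A record for your host already points at it. The host name is a placeholder; the service name `ingress-nginx-controller` is the one the ingress-nginx chart creates for a release named `ingress-nginx`.

```powershell
# Added example: locate the ingress inbound IP and verify the DNS record before WorkZone is deployed.
# Assumes kubectl is logged in to the AKS cluster and Resolve-DnsName (Windows DnsClient module) is available.
$Namespace = 'ingress-basic'
$Service   = 'ingress-nginx-controller'          # service created by the ingress-nginx chart
$Hostname  = 'workzone.<environment_name>.com'   # placeholder: replace with your ingress host name

# Azure assigns the LoadBalancer IP asynchronously; poll until the service reports one.
$inboundIp = $null
for ($i = 0; $i -lt 30 -and -not $inboundIp; $i++) {
    $inboundIp = kubectl get svc $Service -n $Namespace -o jsonpath='{.status.loadBalancer.ingress[0].ip}'
    if (-not $inboundIp) { Start-Sleep -Seconds 10 }
}
if (-not $inboundIp) { throw "No external IP has been assigned to $Service in namespace $Namespace yet." }
Write-Host "Inbound (ingress) IP: $inboundIp"

# Every A record for the host must resolve to the ingress IP; a stale record sends users
# (and the TLS handshake for this host) to an address the ingress does not control.
$aRecords = @(Resolve-DnsName -Name $Hostname -Type A -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'A' } |
              Select-Object -ExpandProperty IPAddress)
$wrong = @($aRecords | Where-Object { $_ -ne $inboundIp })

if ($aRecords.Count -eq 0) {
    Write-Warning "$Hostname has no A record yet; create one pointing to $inboundIp."
} elseif ($wrong.Count -gt 0) {
    Write-Warning "$Hostname resolves to $($aRecords -join ', ') but the ingress IP is $inboundIp."
} else {
    Write-Host "DNS for $Hostname matches the ingress IP."
}
```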

Prepare Settings

Prepare the Key Vault for installing WorkZone

All pod secrets for WorkZone are stored in a Key Vault. You need to set the pod secrets before doing the actual container deployment. See platform-specific (Azure) documentation for creating a Key Vault.

The following values must exist in the Key Vault.

Key                                           Description
WORKZONE-ADREPLICATOR-OAUTH2-CLIENTSECRET     Used in the dbupgrade job.
WORKZONE-AZURE-CLIENTID
WORKZONE-AZURE-CLIENTSECRET                   Used in OAuth2.
WORKZONE-AZURE-TENANTID
WORKZONE-CONTACTSYNCCONFIG-ENCRYPTION-KEY     Key for password encryption. The RSA key length must be 2048 bits.
WORKZONE-CONTACTSYNCCONFIG-DECRYPTION-KEY     Key for password decryption.
WORKZONE-LOGIC-OAUTH2-SECRET                  The OAuth2 service user secret, required to authenticate in WorkZone as a service.
WORKZONE-DB-ARCHIVE
WORKZONE-DB-DSN
WORKZONE-DB-HOSTNAME
WORKZONE-DB-ODBC
WORKZONE-DB-ODPNET
WORKZONE-DB-PORT
WORKZONE-DB-PROTOCOL
WORKZONE-DB-SERVER-MODE
WORKZONE-DB-SID
WORKZONE-DB-SJUSER-PASSWORD
WORKZONE-DB-SJUSER-USERNAME
WORKZONE-DB-SYS-PASSWORD
WORKZONE-DB-SYS-USERNAME
WORKZONE-PDF-CRAWLER-CLIENTSECRET
WORKZONE-PROCESS-EXCHANGE-CLIENTID            The GUID of the client ID.
WORKZONE-PROCESS-EXCHANGE-CLIENTSECRET        The secret used to access the application in Entra ID.
WORKZONE-PROCESS-EXCHANGE-MAILBOX             The email address of the Exchange user who sends smartmails.
WORKZONE-PROCESS-EXCHANGE-SERVER-URI          The endpoint for the Exchange service.
WORKZONE-PROCESS-EXCHANGE-TENANTID            The GUID of the tenant ID.
WORKZONE-PROCESS-OAUTH2-CLIENTSECRET          The OAuth2 secret used by WorkZone Process.
WORKZONE-WZSP-CLIENT-ID
WORKZONE-WZSP-CLIENT-SECRET
WORKZONE-WZSP-SHAREPOINT-CLIENT-ID
WORKZONE-WZSP-SHAREPOINT-SP-CLIENT-SECRET
WORKZONE-WZSP-SHAREPOINT-SP-TENANT-ID
WORKZONE-WZPS-ENCRYPTION-KEY                  Key for secret encryption for WorkZone Protection Service (WZPS). You can choose the RSA key length; 2048 bits is the recommended minimum. For more information about WZPS, see WorkZone Protection Service (WZPS).
WORKZONE-WZPS-DECRYPTION-KEY                  Key for secret decryption for WorkZone Protection Service (WZPS).

See also:

Contact synchronization
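Before deploying, it is worth confirming that every secret name from the table above is present in the vault, so that a pod does not fail at start-up on a missing secret. The PowerShell script below is an added example, not part of the WorkZone documentation; it lists only secret names (never values) with the Azure CLI, and the vault name is a placeholder.

```powershell
# Added example: report which of the required WorkZone secret names are missing from the Key Vault.
# Assumes the Azure CLI is installed and logged in with list permission on the vault's secrets.
$VaultName = '<your-key-vault-name>'   # placeholder: replace with your Key Vault name

# Names taken from the table on this page.
$RequiredSecrets = @(
    'WORKZONE-ADREPLICATOR-OAUTH2-CLIENTSECRET',
    'WORKZONE-AZURE-CLIENTID', 'WORKZONE-AZURE-CLIENTSECRET', 'WORKZONE-AZURE-TENANTID',
    'WORKZONE-CONTACTSYNCCONFIG-ENCRYPTION-KEY', 'WORKZONE-CONTACTSYNCCONFIG-DECRYPTION-KEY',
    'WORKZONE-LOGIC-OAUTH2-SECRET',
    'WORKZONE-DB-ARCHIVE', 'WORKZONE-DB-DSN', 'WORKZONE-DB-HOSTNAME', 'WORKZONE-DB-ODBC',
    'WORKZONE-DB-ODPNET', 'WORKZONE-DB-PORT', 'WORKZONE-DB-PROTOCOL', 'WORKZONE-DB-SERVER-MODE',
    'WORKZONE-DB-SID', 'WORKZONE-DB-SJUSER-PASSWORD', 'WORKZONE-DB-SJUSER-USERNAME',
    'WORKZONE-DB-SYS-PASSWORD', 'WORKZONE-DB-SYS-USERNAME',
    'WORKZONE-PDF-CRAWLER-CLIENTSECRET',
    'WORKZONE-PROCESS-EXCHANGE-CLIENTID', 'WORKZONE-PROCESS-EXCHANGE-CLIENTSECRET',
    'WORKZONE-PROCESS-EXCHANGE-MAILBOX', 'WORKZONE-PROCESS-EXCHANGE-SERVER-URI',
    'WORKZONE-PROCESS-EXCHANGE-TENANTID', 'WORKZONE-PROCESS-OAUTH2-CLIENTSECRET',
    'WORKZONE-WZSP-CLIENT-ID', 'WORKZONE-WZSP-CLIENT-SECRET', 'WORKZONE-WZSP-SHAREPOINT-CLIENT-ID',
    'WORKZONE-WZSP-SHAREPOINT-SP-CLIENT-SECRET', 'WORKZONE-WZSP-SHAREPOINT-SP-TENANT-ID',
    'WORKZONE-WZPS-ENCRYPTION-KEY', 'WORKZONE-WZPS-DECRYPTION-KEY'
)

# "secret list" returns metadata only; no secret value is retrieved or written to the console.
$existing = @(az keyvault secret list --vault-name $VaultName --query '[].name' -o tsv)
if ($LASTEXITCODE -ne 0) { throw "Could not list secrets in Key Vault '$VaultName'." }

$missing = @($RequiredSecrets | Where-Object { $_ -notin $existing })
if ($missing.Count -gt 0) {
    Write-Warning "Missing $($missing.Count) of $($RequiredSecrets.Count) required secrets in '$VaultName':"
    $missing | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Host "All $($RequiredSecrets.Count) required WorkZone secrets exist in '$VaultName'."
}
```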

Prepare a namespace for the WorkZone containers

To prepare for WorkZone deployment, create a namespace in which the secrets for the pods are registered.

kubectl create namespace <insert-namespace-name-here>

Prepare secrets for the WorkZone containers

Register the Oracle Wallet as a Secret

Once the wallet file is available, you can register the secret "wallet" in the same namespace as the WorkZone pods.

Run the commands from the unpacked wallet folder.

You may have to create the namespace for deployment before you register the wallet.

kubectl create secret generic wallet `
  --namespace <WorkZone-namespace> `
  --from-file=./cwallet.sso `
  --from-file=./ewallet.p12 `
  --from-file=./keystore.jks `
  --from-file=./ojdbc.properties `
  --from-file=./README `
  --from-file=./sqlnet.ora `
  --from-file=./tnsnames.ora `
  --from-file=./truststore.jks

Verify that the secret exists:

kubectl get secrets -n workzone

Register the SSL Certificates as a Secret

Prerequisite: Valid certificate files are available.

  1. Navigate to the directory that contains the SSL certificate files (the .crt and .key files) from which the tls secret is created.

  2. Add or update the secret name and the corresponding host name in the environment file (the tls section under ingress).

  3. Ensure that each ingress resource can populate the tls field.

  4. Create the secret in the WorkZone namespace using the command below:

    kubectl create secret tls <secret-name> -n <namespace-name> --key=<private-key> --cert=<certificate>

    Example:

    kubectl create secret tls ingress-cert-workzone -n workzone --key=key.pem --cert=cert.pem

    Verify that the secret exists:

    kubectl get secrets -n workzone
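A certificate that has expired, or whose key or Subject Alternative Names do not match, will only surface as a failing ingress after deployment. The PowerShell script below is an added example, not part of the WorkZone documentation: it validates the pair with .NET's X509Certificate2 (PowerShell 7, .NET 5 or later) and only then runs the `kubectl create secret tls` command from the example above. The file and secret names follow that example; the host name is a placeholder.

```powershell
# Added example: check the certificate/key pair before registering it as the ingress tls secret.
# Assumes PowerShell 7 on Windows (CreateFromPemFile needs .NET 5+) and kubectl logged in to the cluster.
$CertFile   = '.\cert.pem'
$KeyFile    = '.\key.pem'
$Hostname   = '<environment_name>.com'    # placeholder: the ingress hostname from environment.yaml
$SecretName = 'ingress-cert-workzone'
$Namespace  = 'workzone'

# CreateFromPemFile throws if either file is malformed or the private key does not belong to the certificate.
try {
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::CreateFromPemFile($CertFile, $KeyFile)
} catch {
    throw "Certificate/key pair is unusable: $($_.Exception.Message)"
}

$problems = @()
$now = Get-Date
if ($cert.NotAfter -lt $now) {
    $problems += "certificate expired on $($cert.NotAfter)"
} elseif ($cert.NotAfter -lt $now.AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); plan a rotation."
}
if ($cert.NotBefore -gt $now) { $problems += "certificate is not valid before $($cert.NotBefore)" }

# DnsNameList is a PowerShell-added property exposing the Subject Alternative Names.
# -like treats a wildcard SAN such as *.example.com as a pattern, so one label matches.
$sans = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
if (-not @($sans | Where-Object { $Hostname -like $_ })) {
    $problems += "none of the SANs ($($sans -join ', ')) covers $Hostname"
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Error $_ }
    throw 'Fix the certificate before creating the tls secret.'
}

Write-Host "Certificate OK for $Hostname (expires $($cert.NotAfter)); creating secret $SecretName in $Namespace."
kubectl create secret tls $SecretName -n $Namespace --key=$KeyFile --cert=$CertFile
```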

Prepare environment files for WorkZone container installation

Prerequisite: A running Azure AKS cluster with a Windows node pool.

  1. Copy and paste the code below, and save it as a values.yaml file.
    
    # Default values for workzone namespace.
    # This is a YAML-formatted file.
    # Declare variables to be passed into your templates.
    
    affinity: {}
    
    nodeSelector:
      kubernetes.io/os: windows
      kubernetes.io/arch: amd64
    
    tolerations:
      - effect: NoSchedule
        key: os
        operator: Equal
        value: windows
    
    dapr:
      enabled: true
      tracing:
        enabled: true
    
    podAntiAffinity:
      enabled: false
    
    # External Secrets Operator reads information from a third-party service like Azure Key Vault and automatically injects the values as Kubernetes Secrets.
    externalSecrets:
      enabled: false
      secretStoreRefName: azure-aks-key-vault
      certStoreRefName: azure-aks-cert-vault
    
    # Azure Key Vault provider for Secrets Store CSI Driver allows you to get secret contents stored in an Azure Key Vault instance and use the Secrets Store CSI driver interface to mount them into Kubernetes pods
    secretProvider:
      enabled: true
      # https://azure.github.io/secrets-store-csi-driver-provider-azure/configurations/identity-access-modes/
      # Modes for accessing a Key Vault instance: PodIdentity, UserAssignedManagedIdentity
      accessMode: PodIdentity
      # if eq .Values.secretProvider.accessMode "PodIdentity". The selector to identify which pods should be assigned to the AzureIdentity.
      # AAD Pod Identity will go through a list of pods and look for value of pod label with key aadpodidbinding that is equal to this value
      podIdentitySelector: csi-secrets-store
    
    podDisruptionBudget:
      enabled: false
      minAvailable: 1
    
    workzone:
      url: http://localhost
      wzc:
        client:
          url: http://wzc-client/app/client
      wzcng:
        client:
          url: http://wzcng-client/client
      wzcnf:
        configurator:
          url: http://wzcnf-configurator/app/configurator
      wzcs:
        explorer:
          url: http://wzcs-explorer/explorer
        notifications:
          url: http://wzcs-notifications/notifications
        oauth2:
          url: http://wzcs-oauth2/oauth2
          internalUrl: http://wzcs-oauth2/oauth2
          internalDaprUrl: http://localhost:3500/v1.0/invoke/wzcs-oauth2/method/oauth2
        odata:
          url: http://wzcs-odata/odata
          internalRootUrl: http://wzcs-odata
          internalUrl: http://wzcs-odata/odata
          internalDaprRootUrl: http://localhost:3500/v1.0/invoke/wzcs-odata/method
          internalDaprUrl: http://localhost:3500/v1.0/invoke/wzcs-odata/method/odata
        odata4:
          url: http://wzcs-odata4/odata4
          internalRootUrl: http://wzcs-odata4
          internalUrl: http://wzcs-odata4/odata4
          internalDaprRootUrl: http://localhost:3500/v1.0/invoke/wzcs-odata4/method
          internalDaprUrl: http://localhost:3500/v1.0/invoke/wzcs-odata4/method/odata4
        office:
          url: http://wzcs-office/Office
        sourceimport:
          # Cron schedule for running source import
          schedule: "*/30 * * * *"
        wopi:
          url: http://wzcs-wopi/wopi
        wopiclient:
          url: http://wzcs-wopiclient/wopiclient
        scim:
          url: http://wzcs-scim/provisioning
      wzo:
        api:
          url: http://wzo-api/wzoserver
          publicExchange: true
          graphApi: false
      wzfo:
        staticfilesprovider:
          url: http://wzfo-staticfilesprovider/App/Office
      wzlogic:
        oauth2:
          clientId: CvrUpdate.UpdateService
        contactlookupservice:
          url: http://wzlogic-contactlookupservice/
          latestApiUrl: http://wzlogic-contactlookupservice/api/v1/ContactLookup
        contactsyncconfigservice:
          url: http://wzlogic-contactsyncconfigservice/
          latestApiUrl: http://wzlogic-contactsyncconfigservice/api/v1/ContactSyncConfiguration
        cprsubscriptionservice:
          url: http://wzlogic-cprsubscriptionservice/
          schedule: "0 4 * * 1-5"
        cprupdateservice:
          url: http://wzlogic-cprupdateservice/
        subscriptionservice:
          url: http://wzlogic-subscriptionservice/
          schedule: "0 4 * * 1-5"
        updateservice:
          url: http://wzlogic-updateservice/
        datafordeler:
          CprBaseUri: https://s5-certservices.datafordeler.dk/
          CvrBaseUri: https://s5-certservices.datafordeler.dk/
          EventsBaseUri: https://s5-certservices.datafordeler.dk/
      wzp:
        process:
          url: http://wzp-process/process
          internalUrl: http://wzp-process/process
          localUrl: http://localhost/process
        massdispatch:
          url: http://wzp-massdispatch
          appdata:
            enabled: false
            size: 10Gi
        publicExchange: true
      wzpdf:
        oauth2:
          clientId: WZPDF.CRAWLER
        pdfengine:
          url: http://wzpdf-pdfengine/render
        pdfservice:
          url: http://wzpdf-pdfengine/render
      wzsp:
        spconnector:
          url: http://wzsp-spconnector/spconnector
          internalUrl: http://localhost:3500/v1.0/invoke/wzsp-spconnector/method/spconnector
        frontend:
          url: http://wzsp-frontend/frontend
          internalUrl: http://localhost:3500/v1.0/invoke/wzsp-frontend/method/frontend
      kmdtxt:
        api:
          url: https://kmdtxt-api/api
          internalUrl: http://kmdtxt-api:5000
      wzdocumentmerge:
        api:
          url: https://wzdocumentmerge-service/documentmerge
      wzcitizenaccess:
        ids:
          url: https://wzcitizenaccess-ids/ids
        appproxy:
          url: https://wzcitizenaccess-appproxyservice/appproxyservice
          openIdUrl: https://identity.kmd.dk/adfs/.well-known/openid-configuration
          subscriptionHeaderName: WzcaApiGatewayKey
      wzps:
        secretservice:
          url: http://wzps-secretservice/secretservice
          latestApiUrl: http://wzps-secretservice/api/v1/SecretService
      wzie:
        service:
          url: http://wzie-service/service
      wzmg:
        messaginggateway:
          url: https://wzmg-messaginggateway/messaginggateway
      wzsnaplogic:
        # SnapLogic configuration link
        snaplogic_config_link: https://emea.snaplogic.com/api/1/rest/plex/config/KMD_WZ_DEV/shared/wzsnaplogic?expires=1733417380&user_id=ftf%40kmd.dk&_sl_authproxy_key=uMNOLw6755JdO29kBuK%2BTsASBkmdO0cvsx1uWI1Cxvs%3D
    
      db: # If you need to customize the parameters below, add the values to the environment .yaml file (e.g. cataks.yaml)
        tablespacemap: DATA
        cultures: da-DK
        corporate_access_code: "N"
        freetext: "Y"
      externalServices:
        sharepoint:
          sharepointUrl:
        interact:
          enabled: false
        smartpost:
          enabled: false
    #kmdtxt settings
    api:
      cors:
        allow_origins: "'[\"http://localhost\"]'"

  2. Notes on the values.yaml settings:

    • dapr: Enables Dapr and Dapr tracing for the WorkZone pods.
    • secretProvider: The Azure Key Vault provider for the Secrets Store CSI Driver lets you get secret contents stored in an Azure Key Vault instance and mount them into Kubernetes pods through the Secrets Store CSI driver interface.
    • accessMode: Mode for accessing the Key Vault instance: PodIdentity or UserAssignedManagedIdentity.
    • podIdentitySelector: Used when accessMode is PodIdentity. The selector that identifies which pods should be assigned to the AzureIdentity. AAD Pod Identity goes through the list of pods and looks for a pod label with key aadpodidbinding whose value equals this value.
    • sourceimport.schedule: Cron schedule for running source import.
    • db: If you need to customize the db parameters, add the values to the environment.yaml file.
  3. Copy and paste the code below, and save it as an environment.yaml file.
    
    # These values can be overridden by passing --set arguments to the helm install command
    
    global:
      image:
        registry: "kmdworkzone.azurecr.io"
        repository: "workzone/wzc/client"
        pullPolicy: IfNotPresent
        tag: "22.3"
    
    
      ingress:
        enabled: true
        className: "nginx"
        annotations:
          # Sets Listener protocol HTTPS and port 443
          { nginx.ingress.kubernetes.io/use-regex: "true",
            nginx.ingress.kubernetes.io/proxy-buffer-size: 16k
          }
        hostname: <environment_name>.com
        teamsHostname: <environment_name>.com
    
    
      WORKZONE_OAuth2__Authentication__AzureAD__TenantId: 8xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx9275 # Override this value on the helm install command
      WORKZONE_OAuth2__Authentication__AzureAD__ClientId: fxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx7da2 # Override this value on the helm install command
    
    
    #logs:
    #  persistence:
    #    enabled: true
    #    size: 10Gi
    
      workzone:
        url: https://<environment_name>.com
        wzc:
          client:
            url: https://<environment_name>.com/app/client
        wzcnf:
          configurator:
            url: https://<environment_name>.com/app/configurator
        wzcs:
          agentsub:
            mailerAuthCertificateSecret: wildcard-test-workzone-cloud
            mailerAuthCertificateKeyVault: wz-common-kv
          explorer:
            url: https://<environment_name>.com/explorer
          notifications:
            url: https://<environment_name>.com/notifications
          oauth2:
            url: https://<environment_name>.com/oauth2
          odata:
            url: https://<environment_name>.com/odata
          office:
            url: https://<environment_name>.com/Office
          wopi:
            url: https://<environment_name>.com/wopi
          wopiclient:
            url: https://<environment_name>.com/wopiclient
        wzfo:
          staticfilesprovider:
            url: https://<environment_name>.com/App/Office
        wzp:
          process:
            url: https://<environment_name>.com/process
        wzpdf:
          pdfengine:
            url: https://<environment_name>.com/render
          pdfservice:
            url: https://<environment_name>.com/render
        wzsp:
          spconnector:
            url: https://<environment_name>.com/spconnector
    
        db:
          ipAddress: 20.229.71.246
          port: 1521
          cultures: da-DK;en-GB
    
      #wallet:
      #  enabled: true
      #  secretName: wallet
    
      #externalServices:
      #  sharepoint:
      #    sharepointUrl: https://<your_sharepointUrl>.sharepoint.com
      #  interact:
      #    enabled: true
    

    • annotations: Sets Listener protocol HTTPS and port 443.
    • <environment_name>: Replace with the name of your environment.
    • <your_sharepointUrl>: Replace with the SharePoint URL for your company.
    • WORKZONE_OAuth2__Authentication__AzureAD__TenantId: Override this value on the helm install command.
    • WORKZONE_OAuth2__Authentication__AzureAD__ClientId: Override this value on the helm install command.
  4. Copy the values.yaml and environment.yaml files into a folder.