Preparing container installation

Prepare networking

Create the Ingress controller on AKS

In PowerShell, execute the following commands as administrator:

  1. helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx

  2. helm repo update

  3. helm install ingress-nginx ingress-nginx/ingress-nginx `
       --create-namespace --namespace ingress-basic `
       --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz `
       --set controller.nodeSelector."kubernetes\.io/os"=linux `
       --set controller.admissionWebhooks.patch.nodeSelector."kubernetes\.io/os"=linux `
       --set defaultBackend.nodeSelector."kubernetes\.io/os"=linux

Once Ingress is installed, you can get the inbound and outbound IP addresses.

Register the outbound IP Address

Once Ingress is installed, you can get the outbound IP address.

  • On the Azure portal, look at the Load Balancer configuration for the outbound rule and note the IP address.

  • Allow the outbound IP address in the network configuration of the database instance so that the containers can connect to the database.

In Oracle OCI, you allow the IP address in the network configuration.

Register the Inbound IP Address

Once Ingress is installed, you can get the inbound IP address.

  • On the Azure portal, look at the Load Balancer configuration for the inbound rule and note the IP address.

  • Configure the inbound IP address in the DNS for your subdomain.

Prepare Settings

Prepare the Key Vault for installing WorkZone

All pod secrets for WorkZone are stored in a Key Vault. You need to set the pod secrets before doing the actual container deployment. See platform-specific (Azure) documentation for creating a Key Vault.

The following values should exist in the Key Vault.

Key                                          Description
WORKZONE-ADREPLICATOR-OAUTH2-CLIENTSECRET    Used in the dbupgrade job.
WORKZONE-AZURE-CLIENTID
WORKZONE-AZURE-CLIENTSECRET                  Used in oauth2.
WORKZONE-AZURE-TENANTID
WORKZONE-CONTACTSYNCCONFIG-ENCRYPTION-KEY    Key used to encrypt passwords.
WORKZONE-CONTACTSYNCCONFIG-DECRYPTION-KEY    Key used to decrypt passwords.
WORKZONE-DB-ARCHIVE
WORKZONE-DB-DSN
WORKZONE-DB-HOSTNAME
WORKZONE-DB-ODBC
WORKZONE-DB-ODPNET
WORKZONE-DB-PORT
WORKZONE-DB-PROTOCOL
WORKZONE-DB-SERVER-MODE
WORKZONE-DB-SID
WORKZONE-DB-SJUSER-PASSWORD
WORKZONE-DB-SJUSER-USERNAME
WORKZONE-DB-SYS-PASSWORD
WORKZONE-DB-SYS-USERNAME
WORKZONE-PDF-CRAWLER-CLIENTSECRET
WORKZONE-PROCESS-EXCHANGE-CLIENTID           The GUID of the client ID.
WORKZONE-PROCESS-EXCHANGE-CLIENTSECRET       The secret used to access the application in Entra ID.
WORKZONE-PROCESS-EXCHANGE-MAILBOX            The email address of the Exchange user who sends smartmails.
WORKZONE-PROCESS-EXCHANGE-SERVER-URI         The endpoint for the Exchange service.
WORKZONE-PROCESS-EXCHANGE-TENANTID           The GUID of the tenant ID.
WORKZONE-PROCESS-OAUTH2-CLIENTSECRET         The OAuth2 secret used by WorkZone Process.
WORKZONE-WZSP-CLIENT-ID
WORKZONE-WZSP-CLIENT-SECRET
WORKZONE-WZSP-SHAREPOINT-CLIENT-ID
WORKZONE-WZSP-SHAREPOINT-SP-CLIENT-SECRET
WORKZONE-WZSP-SHAREPOINT-SP-TENANT-ID
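A pre-flight check for this table, added here as an example and not part of the WorkZone documentation or product: it compares the secret names exported from the vault against the names listed above and reports which required secrets are missing and which vault entries the guide does not list. It assumes the export was produced with `az keyvault secret list --vault-name <kv-name> --query "[].name" -o json`; the export embedded in the block is constructed from the table, with two names removed and one extra added so that both reports have something to show.

```python
"""Pre-flight check: every Key Vault secret the WorkZone pods expect exists.

Added example, not part of the WorkZone documentation or product. It assumes
the vault's secret names were exported with
    az keyvault secret list --vault-name <kv-name> --query "[].name" -o json
and that this JSON array is passed in as existing_json.
"""
import json

# The Key Vault secret names listed in the installation guide, in table order.
REQUIRED_SECRETS = [
    "WORKZONE-ADREPLICATOR-OAUTH2-CLIENTSECRET",
    "WORKZONE-AZURE-CLIENTID",
    "WORKZONE-AZURE-CLIENTSECRET",
    "WORKZONE-AZURE-TENANTID",
    "WORKZONE-CONTACTSYNCCONFIG-ENCRYPTION-KEY",
    "WORKZONE-CONTACTSYNCCONFIG-DECRYPTION-KEY",
    "WORKZONE-DB-ARCHIVE",
    "WORKZONE-DB-DSN",
    "WORKZONE-DB-HOSTNAME",
    "WORKZONE-DB-ODBC",
    "WORKZONE-DB-ODPNET",
    "WORKZONE-DB-PORT",
    "WORKZONE-DB-PROTOCOL",
    "WORKZONE-DB-SERVER-MODE",
    "WORKZONE-DB-SID",
    "WORKZONE-DB-SJUSER-PASSWORD",
    "WORKZONE-DB-SJUSER-USERNAME",
    "WORKZONE-DB-SYS-PASSWORD",
    "WORKZONE-DB-SYS-USERNAME",
    "WORKZONE-PDF-CRAWLER-CLIENTSECRET",
    "WORKZONE-PROCESS-EXCHANGE-CLIENTID",
    "WORKZONE-PROCESS-EXCHANGE-CLIENTSECRET",
    "WORKZONE-PROCESS-EXCHANGE-MAILBOX",
    "WORKZONE-PROCESS-EXCHANGE-SERVER-URI",
    "WORKZONE-PROCESS-EXCHANGE-TENANTID",
    "WORKZONE-PROCESS-OAUTH2-CLIENTSECRET",
    "WORKZONE-WZSP-CLIENT-ID",
    "WORKZONE-WZSP-CLIENT-SECRET",
    "WORKZONE-WZSP-SHAREPOINT-CLIENT-ID",
    "WORKZONE-WZSP-SHAREPOINT-SP-CLIENT-SECRET",
    "WORKZONE-WZSP-SHAREPOINT-SP-TENANT-ID",
]


def missing_secrets(required, existing_json):
    """Names from `required` that are absent from the vault, in table order.

    The comparison is case-insensitive so that a differently cased export
    does not raise a false alarm for a secret that is actually present.
    """
    existing = {name.casefold() for name in json.loads(existing_json)}
    return [name for name in required if name.casefold() not in existing]


def unexpected_secrets(required, existing_json):
    """Vault secrets the guide does not list, in vault order.

    Informational rather than fatal, but worth reviewing: credentials that no
    pod consumes should not stay in the vault indefinitely.
    """
    wanted = {name.casefold() for name in required}
    return [name for name in json.loads(existing_json) if name.casefold() not in wanted]


# Constructed sample export (not real vault data): two required names removed,
# one name in a different case, one extra entry that the guide does not list.
_sample = [n for n in REQUIRED_SECRETS
           if n not in ("WORKZONE-DB-SYS-PASSWORD", "WORKZONE-PROCESS-EXCHANGE-MAILBOX")]
_sample[5] = _sample[5].lower()
_sample.append("WORKZONE-LEGACY-UNUSED")
SAMPLE_EXPORT_JSON = json.dumps(_sample)

if __name__ == "__main__":
    # Replace SAMPLE_EXPORT_JSON with the real `az keyvault secret list` output.
    for name in missing_secrets(REQUIRED_SECRETS, SAMPLE_EXPORT_JSON):
        print("MISSING   ", name)
    for name in unexpected_secrets(REQUIRED_SECRETS, SAMPLE_EXPORT_JSON):
        print("UNEXPECTED", name)
```

Run the check before `helm install`; a non-empty missing list means the pods would start without a credential they need, which typically surfaces only as a failing pod after deployment.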

Prepare a namespace for the WorkZone containers

To prepare for the WorkZone deployment, create a namespace in which the secrets for the pods are registered.

kubectl create namespace <insert-namespace-name-here>

Prepare secrets for the WorkZone containers

Register the Oracle Wallet as a Secret

Once the wallet file is available, register the secret "wallet" in the same namespace as the WorkZone pods.

Run the command from the unpacked wallet folder.

You may have to create the namespace for the deployment before you register the wallet.

kubectl create secret generic wallet --namespace <WorkZone namespace> `
  --from-file=./cwallet.sso `
  --from-file=./ewallet.p12 `
  --from-file=./keystore.jks `
  --from-file=./ojdbc.properties `
  --from-file=./README `
  --from-file=./sqlnet.ora `
  --from-file=./tnsnames.ora `
  --from-file=./truststore.jks

Verify that the secret exists:

kubectl get secrets -n workzone

Register the SSL Certificates as a Secret

Prerequisite: Valid certificate files are available.
  1. Navigate to the directory that contains the SSL certificate files (crt and key files) and create the tls secret.

  2. Add/update the secret name and the corresponding host name in the environment file (tls section in ingress)

  3. Ensure each ingress resource can populate the tls field.

  4. Create the secret in the WorkZone namespace using the command below:

    kubectl create secret tls <secret-name> -n <namespace-name> --key=<private-key> --cert=<certificate>

    Example:

    kubectl create secret tls ingress-cert-workzone -n workzone --key=key.pem --cert=cert.pem

    Verify that the secret exists:

    kubectl get secrets -n workzone

Prepare environment files for WorkZone container installation

Prerequisite: You should have a running Azure AKS and a Windows node pool.

  1. Copy the code below and save it as a values.yaml file.
    
    # Default values for workzone namespace.
    # This is a YAML-formatted file.
    # Declare variables to be passed into your templates.
    
    affinity: {}
    
    nodeSelector:
      kubernetes.io/os: windows
      kubernetes.io/arch: amd64
    
    tolerations:
      - effect: NoSchedule
        key: os
        operator: Equal
        value: windows
    
    dapr:
      enabled: false
      tracing:
        enabled: false
    
    # Azure Key Vault provider for Secrets Store CSI Driver allows you to get secret contents stored in an Azure Key Vault instance and use the Secrets Store CSI driver interface to mount them into Kubernetes pods
    secretProvider:
      # https://azure.github.io/secrets-store-csi-driver-provider-azure/configurations/identity-access-modes/
      # Modes for accessing a Key Vault instance: PodIdentity, UserAssignedManagedIdentity
      accessMode: PodIdentity
      # if eq .Values.secretProvider.accessMode "PodIdentity". The selector to identify which pods should be assigned to the AzureIdentity.
      # AAD Pod Identity will go through a list of pods and look for value of pod label with key aadpodidbinding that is equal to this value
      podIdentitySelector: csi-secrets-store
    
    global:
      workzone:
        url: https://localhost
        wzc:
          client:
            url: https://wzc-client/app/client
        wzcnf:
          configurator:
            url: https://wzcnf-configurator/app/configurator
        wzcs:
          explorer:
            url: https://wzcs-explorer/explorer
          notifications:
            url: https://wzcs-notifications/notifications
          oauth2:
            url: https://wzcs-oauth2/oauth2
            internalUrl: https://wzcs-oauth2/oauth2
            internalDaprUrl: https://localhost:3500/v1.0/invoke/wzcs-oauth2/method/oauth2
          odata:
            url: https://wzcs-odata/odata
            internalRootUrl: https://wzcs-odata
            internalUrl: https://wzcs-odata/odata
            internalDaprRootUrl: https://localhost:3500/v1.0/invoke/wzcs-odata/method
            internalDaprUrl: https://localhost:3500/v1.0/invoke/wzcs-odata/method/odata
          office:
            url: https://wzcs-office/Office
          sourceimport:
            # Cron schedule for running source import
            schedule: "*/30 * * * *"
          wopi:
            url: https://wzcs-wopi/wopi
          wopiclient:
            url: https://wzcs-wopiclient/wopiclient
        wzfo:
          staticfilesprovider:
            url: https://wzfo-staticfilesprovider/App/Office
        wzlogic:
          oauth2:
            clientId: CvrUpdate.UpdateService
          tokenProvider:
            authorizationScope: https://logicidentityprod.onmicrosoft.com/LogicAPI/user_impersonation
        wzp:
          process:
            url: https://wzp-process/process
            internalUrl: https://wzp-process/process
            localUrl: https://localhost/process
        wzpdf:
          oauth2:
            clientId: WZPDF.CRAWLER
          pdfengine:
            url: https://wzpdf-pdfengine/render
          pdfservice:
            url: https://wzpdf-pdfengine/render
        wzsp:
          spconnector:
            url: https://wzsp-spconnector/spconnector
            internalUrl: https://localhost:3500/v1.0/invoke/wzsp-spconnector/method/spconnector
          frontend:
            url: https://wzsp-frontend/frontend
            internalUrl: https://localhost:3500/v1.0/invoke/wzsp-frontend/method/frontend
        db: # if you need to customize the parameters below, add the values to the environment.yaml file
          tablespacemap: DATA
          cultures: da-DK
          corporate_access_code: "N"
          freetext: "N"
  2. Notes on the values in values.yaml:

    • dapr: Dapr integration and Dapr tracing, both disabled by default.
    • secretProvider: The Azure Key Vault provider for the Secrets Store CSI Driver lets you read secret contents stored in an Azure Key Vault instance and mount them into Kubernetes pods through the Secrets Store CSI driver interface.
    • accessMode: Mode for accessing the Key Vault instance: PodIdentity or UserAssignedManagedIdentity.
    • podIdentitySelector: Used when accessMode is "PodIdentity". The selector that identifies which pods are assigned to the AzureIdentity: AAD Pod Identity looks for pods whose aadpodidbinding label equals this value.
    • sourceimport: Cron schedule for running the source import.
    • db: If you need to customize the db parameters, add the values to the environment.yaml file.
  3. Copy the code below and save it as an environment.yaml file.
    
    # These values can be overridden by passing them to the helm install command
    
    global:
      image:
        registry: "kmdworkzone.azurecr.io"
        repository: "workzone/wzc/client"
        pullPolicy: IfNotPresent
        tag: "22.3"
    
    
      ingress:
        enabled: true
        className: "nginx"
        annotations:
          # Sets Listener protocol HTTPS and port 443
          nginx.ingress.kubernetes.io/use-regex: "true"
          nginx.ingress.kubernetes.io/proxy-buffer-size: 16k
        hostname: <environment_name>.com
        teamsHostname: <environment_name>.com
    
    
      WORKZONE_OAuth2__Authentication__AzureAD__TenantId: 8xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx9275 # Override this value @helm install command
      WORKZONE_OAuth2__Authentication__AzureAD__ClientId: fxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx7da2 # Override this value @helm install command
    
    
    #logs:
    #  persistence:
    #    enabled: true
    #    size: 10Gi
    
      workzone:
        url: https://<environment_name>.com
        wzc:
          client:
            url: https://<environment_name>.com/app/client
        wzcnf:
          configurator:
            url: https://<environment_name>.com/app/configurator
        wzcs:
          agentsub:
            mailerAuthCertificateSecret: wildcard-test-workzone-cloud
            mailerAuthCertificateKeyVault: wz-common-kv
          explorer:
            url: https://<environment_name>.com/explorer
          notifications:
            url: https://<environment_name>.com/notifications
          oauth2:
            url: https://<environment_name>.com/oauth2
          odata:
            url: https://<environment_name>.com/odata
          office:
            url: https://<environment_name>.com/Office
          wopi:
            url: https://<environment_name>.com/wopi
          wopiclient:
            url: https://<environment_name>.com/wopiclient
        wzfo:
          staticfilesprovider:
            url: https://<environment_name>.com/App/Office
        wzp:
          process:
            url: https://<environment_name>.com/process
        wzpdf:
          pdfengine:
            url: https://<environment_name>.com/render
          pdfservice:
            url: https://<environment_name>.com/render
        wzsp:
          spconnector:
            url: https://<environment_name>.com/spconnector
    
        db:
          ipAddress: 20.229.71.246
          port: 1521
          cultures: da-DK;en-GB
    
      #wallet:
      #  enabled: true
      #  secretName: wallet
    
      #externalServices:
      #  sharepoint:
      #    sharepointUrl: https://<your_sharepointUrl>.sharepoint.com
      #  interact:
      #    enabled: true
    

    • annotations: Sets the listener protocol to HTTPS on port 443.
    • <environment_name>: Replace with the name of your environment.
    • <your_sharepointUrl>: Replace with the SharePoint URL for your company.
    • WORKZONE_OAuth2__Authentication__AzureAD__TenantId: Override this value on the helm install command.
    • WORKZONE_OAuth2__Authentication__AzureAD__ClientId: Override this value on the helm install command.
  4. Copy the values.yaml and environment.yaml files into a folder.
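A pre-flight check for the two files, added here as an example and not part of the WorkZone documentation or product: before running helm install it flags the three things the notes above say you must fix by hand, namely unresolved <placeholder> tokens, the masked GUIDs in the AzureAD TenantId and ClientId lines, and any URL still using plain http instead of https. Commented-out lines are ignored, so the <your_sharepointUrl> placeholder inside the disabled externalServices block does not fail the check. The embedded environment.yaml excerpt is constructed in the shape of the file above; the function names and the is_ready helper are this example's own.

```python
"""Pre-flight check for values.yaml / environment.yaml before helm install.

Added example, not part of the WorkZone documentation or product. Run it
against the real file with preflight(open("environment.yaml").read()).
"""
import re

# <environment_name>, <your_sharepointUrl> and similar tokens left in place
PLACEHOLDER_RE = re.compile(r"<[A-Za-z_][A-Za-z0-9_]*>")
# GUID-shaped token (hex groups, with 'x' allowed) such as 8xxxxxx-xxxx-...
GUID_LIKE_RE = re.compile(r"\b[0-9a-fA-Fx]{6,8}(?:-[0-9a-fA-Fx]{4}){3}-[0-9a-fA-Fx]{12}\b")
# The ingress terminates TLS, so every service URL is expected to be https
HTTP_URL_RE = re.compile(r"\bhttp://[^\s\"'#]+")


def active_lines(text):
    """Yield YAML lines with comments removed.

    Commented-out blocks are inert, so a placeholder inside them must not
    fail the check; a trailing comment on a live line is stripped as well.
    """
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        yield re.sub(r"\s+#.*$", "", line)


def preflight(text):
    """Return the findings for the active (non-comment) content.

    Keys: "placeholders" (sorted, unique), "masked_guids" and "http_urls"
    (in file order). All three lists empty means the file is ready.
    """
    placeholders, masked, http_urls = set(), [], []
    for line in active_lines(text):
        placeholders.update(PLACEHOLDER_RE.findall(line))
        # a real GUID is pure hex; any 'x' means the value was never overridden
        masked.extend(m for m in GUID_LIKE_RE.findall(line) if "x" in m.lower())
        http_urls.extend(HTTP_URL_RE.findall(line))
    return {"placeholders": sorted(placeholders),
            "masked_guids": masked,
            "http_urls": http_urls}


def is_ready(text):
    """True when preflight() finds nothing to fix."""
    return not any(preflight(text).values())


# Constructed excerpt in the shape of the guide's environment.yaml (not a real
# deployment); the ClientId is a made-up but well-formed GUID.
SAMPLE_ENVIRONMENT_YAML = """\
# Constructed excerpt in the shape of the guide's environment.yaml.
global:
  image:
    registry: "kmdworkzone.azurecr.io"
    tag: "22.3"
  ingress:
    enabled: true
    hostname: <environment_name>.com
  WORKZONE_OAuth2__Authentication__AzureAD__TenantId: 8xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx9275 # Override @helm install
  WORKZONE_OAuth2__Authentication__AzureAD__ClientId: 2f1e6a3c-4b5d-4e7f-8a9b-0c1d2e3f4a5b
  workzone:
    url: https://<environment_name>.com
    wzcs:
      odata:
        url: http://<environment_name>.com/odata
  #externalServices:
  #  sharepoint:
  #    sharepointUrl: https://<your_sharepointUrl>.sharepoint.com
"""

if __name__ == "__main__":
    for kind, items in preflight(SAMPLE_ENVIRONMENT_YAML).items():
        for item in items:
            print(f"{kind}: {item}")
    print("ready" if is_ready(SAMPLE_ENVIRONMENT_YAML) else "not ready")
```

The check is deliberately text-based rather than a YAML parse: a placeholder such as `<environment_name>.com` is valid YAML, so a parser would accept the file and the problem would only appear later as an ingress host that never resolves or an OAuth2 login against a tenant that does not exist.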