Organizations that need to keep full control over their environment can run the Self Hosted Controller in Microsoft Azure Kubernetes Service (AKS). Although the controller then runs on a public cloud service, only the organization's own administrators have access to it.
With the Self Hosted Controller, the organization is responsible for every aspect of the controller: deployment, maintenance, backup procedures, and troubleshooting. Organizations that prefer a SaaS model can use the hosted service instead.
The prerequisites for installing the self hosted controller in an Azure AKS environment are listed below.
If you use Terraform and need reference examples, contact Support at email@example.com.
The Azure AKS requirements for installing the self hosted controller are as follows.
| Requirement | Value |
|---|---|
| Operating System | CentOS 7 |
| Number of instances | One (1) for non-high availability or three (3) for high availability |
| System specs | 16 CPU threads, 64 GB RAM or higher |
| Root disk | 100 GB or higher |
| /tmp | More than 30 GB, if not part of the root disk |
| Networking | Allow outbound 443/tcp to reach the Azure API |
| Root user | Ability to switch to the root user |
Create a PFX certificate using the following command, supplying the certificate and private key from your SSL certificate. If your CA issued intermediate certificates, add them with `-certfile <chain.pem>` so the bundle carries the full chain. The PFX contains the private key, so protect it like the key itself (restrictive file permissions, no copies in shared storage).
openssl pkcs12 -export -out <pfx cert name.pfx> -inkey <private_key.key> -in <ssl_certificate>
Export the following variables before running the infrastructure creation script. Do this on the node where you will be executing the RADM commands. Replace the values in angle brackets with your own, and make sure `K8SVersion` is a version AKS currently supports in your region (`az aks get-versions --location <location>` lists them).

```bash
export ResourceGroup=aks-rg
export Location=centralindia
export VNET=aks-vnet
export AKSClusterSubnet=aks-cluster-subnet
export AKSClusterName=aks-airgappedConAKSCluster
export K8SVersion=1.20.13
export AppGWNSG=aks-airgappedConAppGWNSG
export AppGWSubnet=aks-airgappedConAppGWSubnet
export AppGWName=aks-airgappedConAppGW
export AppGWPublicIPName=aks-airgappedConAppGWPublicIP
export NetworkLoadBalancer=aks-nlb
export PfxCertFilePath=<Give the Path where pfx file exists>
export PfxCertFilePasswd=<Password that is used while creating the pfx file>
export DNSPrefixName=aks-dns
```
## Connect Microsoft Azure Account
Connect to your Microsoft Azure account using the following command. Running this command will provide a link. Use the link in a web browser and enter the authorization code displayed in the command output.
Download the shell script using the following command.
From your home directory, untar the package using the following command.
tar -xf aks*
## Bring Up Infrastructure
Use the following command to bring up the Azure infrastructure.
bash ./aks_script.sh -y
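Before running the infrastructure script it is worth confirming that every variable from the export block is set to a real value, that the PFX file exists and opens with the supplied password, and that the Azure CLI session is authenticated. The following preflight script is an added example, not part of the original page or the vendor's tooling; the function names, the `preflight.sh` file name, and the skip-if-not-installed behaviour for `openssl` and `az` are this example's own choices. It reads the same variable names the page exports.

```bash
#!/usr/bin/env bash
# Preflight check to run before "bash ./aks_script.sh -y". Added example, not
# part of the original page or the vendor's tooling. Variable names are the
# ones exported on this page; the openssl and az checks are skipped when the
# tool is not installed.

REQUIRED_VARS="ResourceGroup Location VNET AKSClusterSubnet AKSClusterName \
K8SVersion AppGWNSG AppGWSubnet AppGWName AppGWPublicIPName \
NetworkLoadBalancer PfxCertFilePath PfxCertFilePasswd DNSPrefixName"

# check_required_vars: report every variable that is unset, empty, or still
# holds a "<placeholder>" copied from the documentation. Returns 1 if any.
check_required_vars() {
    local missing=0 name value
    for name in $REQUIRED_VARS; do
        # Names come from the fixed list above, so the eval is safe.
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "missing: $name" >&2
            missing=1
        elif [ "${value#<}" != "$value" ]; then
            echo "placeholder not replaced: $name=$value" >&2
            missing=1
        fi
    done
    return $missing
}

# check_pfx: the PFX must exist and the password must open it. The password
# is handed to openssl through the environment (-passin env:) rather than on
# the command line, where it would be visible to every local user via ps.
check_pfx() {
    if [ ! -f "${PfxCertFilePath:-}" ]; then
        echo "PFX file not found: ${PfxCertFilePath:-<unset>}" >&2
        return 1
    fi
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not installed; skipping PFX password check" >&2
        return 0
    fi
    PfxCertFilePasswd="${PfxCertFilePasswd:-}" \
        openssl pkcs12 -in "$PfxCertFilePath" -noout -passin env:PfxCertFilePasswd
}

# check_az_login: aks_script.sh needs an authenticated Azure CLI session.
check_az_login() {
    if ! command -v az >/dev/null 2>&1; then
        echo "az CLI not installed" >&2
        return 1
    fi
    if ! az account show --output none >/dev/null 2>&1; then
        echo "Azure CLI is not logged in" >&2
        return 1
    fi
}

# preflight: run every check and return non-zero if any of them failed.
preflight() {
    local rc=0
    check_required_vars || rc=1
    check_pfx || rc=1
    check_az_login || rc=1
    [ "$rc" -eq 0 ] && echo "preflight OK: safe to run bash ./aks_script.sh -y"
    return $rc
}

# Run when executed as preflight.sh; do nothing when sourced for reuse.
[ "${0##*/}" = "preflight.sh" ] && preflight
```

Save it as `preflight.sh` next to `aks_script.sh`, export the variables in the same shell, and run `bash preflight.sh`; a non-zero exit means one of the messages on stderr needs attention before the infrastructure script is started.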
Installation of the self hosted controller requires the DNS records described below. In the examples, replace company.example.com with your domain. The wildcard record must resolve to the controller nodes' IP addresses.
The following is an example of a wildcard FQDN.
The following individual records are also required. For AWS Cloud DNS, add these as Records.
To change the logo displayed in the console (for white labeling and branding), supply a PNG file smaller than 600 KB.
## X.509 Certificates (Optional)
The controller uses TLS for secure communication. As a result, X.509 certificates are required to secure all endpoints. Customers are expected to provide a trusted CA signed wildcard certificate for the target DNS (e.g.
For non-production or internal scenarios where a CA-signed certificate is not available, the controller can generate self-signed certificates automatically: set the `generate-self-signed-certs` key to `true` in config.yaml during installation. Clients will not trust a self-signed certificate without manual intervention, so keep this setting out of production deployments.
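A wildcard certificate that does not match its private key, does not carry `DNS:*.company.example.com` in its Subject Alternative Name, or is close to expiry produces a PFX (see the `openssl pkcs12 -export` step above) that the controller's TLS endpoints cannot use correctly. The script below is an added example, not part of the original page or the vendor's tooling, that checks all three points before the certificate and key are bundled. It assumes OpenSSL 1.1.1 or later (for `-ext`), PEM-encoded input files, and function and file names chosen for this example.

```bash
#!/usr/bin/env bash
# Added example, not part of the original page or the vendor's tooling:
# sanity checks on the CA-signed wildcard certificate and key before they are
# bundled into the PFX. Assumes OpenSSL 1.1.1 or later (for -ext).
# Usage: bash checkcert.sh <cert.pem> <key.pem> <domain>

# cert_matches_key: the certificate's public key must equal the public key
# derived from the private key; a mismatched pair cannot complete a handshake.
cert_matches_key() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# cert_covers_domain: the Subject Alternative Name list must contain the
# wildcard entry DNS:*.<domain>; modern clients ignore the CN for hostnames.
cert_covers_domain() {
    local sans
    sans=$(openssl x509 -in "$1" -noout -ext subjectAltName) || return 1
    case "$sans" in
        *"DNS:*.$2"*) return 0 ;;
    esac
    return 1
}

# cert_not_expiring: fail if the certificate expires within 30 days
# (2592000 seconds), so the install does not start with a lapsing cert.
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null
}

# check_wildcard_cert: run all three checks, report each, return 1 on any failure.
check_wildcard_cert() {
    local cert="$1" key="$2" domain="$3" rc=0
    if cert_matches_key "$cert" "$key"; then
        echo "ok: private key matches certificate"
    else
        echo "FAIL: private key does not match certificate" >&2; rc=1
    fi
    if cert_covers_domain "$cert" "$domain"; then
        echo "ok: SAN covers *.$domain"
    else
        echo "FAIL: no DNS:*.$domain entry in SAN" >&2; rc=1
    fi
    if cert_not_expiring "$cert"; then
        echo "ok: valid for at least 30 days"
    else
        echo "FAIL: certificate expires within 30 days" >&2; rc=1
    fi
    return $rc
}

# Run only when invoked with the three arguments; safe to source otherwise.
[ "$#" -eq 3 ] && check_wildcard_cert "$@"
```

Run it as `bash checkcert.sh fullchain.pem private_key.key company.example.com` and only build the PFX once all three lines report `ok`; the same key file then goes to `openssl pkcs12 -export -inkey`.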
The installation also requires the following email addresses:
- An email address for super user authentication to the controller's admin console
- An email address for receiving support emails from the controller
- An email address for receiving alerts and notifications (optional)