# Azure AKS Deployment Guide

## Prerequisites

Before deploying to Azure Kubernetes Service (AKS), ensure you have:

- Azure CLI installed and configured
- Kubernetes CLI (`kubectl`) installed
- Helm 3.x installed
## Cluster Setup

- Create a resource group:

  ```bash
  az group create --name prime-edm-rg --location eastus
  ```

- Create an AKS cluster:

  ```bash
  az aks create \
    --resource-group prime-edm-rg \
    --name prime-edm-cluster \
    --node-count 3 \
    --enable-addons monitoring \
    --generate-ssh-keys
  ```

- Get credentials:

  ```bash
  az aks get-credentials --resource-group prime-edm-rg --name prime-edm-cluster
  ```
## Installing Prime EDM Charts

- Add the Helm repository:

  ```bash
  helm repo add prime-edm https://charts.acx-sandbox.net --username $USER --password $PASSWORD
  helm repo update
  ```

  The repository credentials are read from environment variables. Note that `$USER` is normally already set by your login shell to your local account name, so export the chart repository username and password under these names (or rename the variables) before running the command; passing them on the command line also records them in shell history.

- Create Azure-specific values:

  ```yaml
  # azure-values.yaml
  global:
    provider: azure
    location: eastus
  storage:
    class: managed-premium
  serviceAccount:
    annotations:
      azure.workload.identity/client-id: CLIENT_ID
  ingress:
    annotations:
      kubernetes.io/ingress.class: nginx
  ```

- Install the chart:

  ```bash
  helm install prime-edm prime-edm/prime-edm -f azure-values.yaml
  ```
## Azure-Specific Configuration

### Storage Classes

AKS provides several storage options; select one by setting `storage.class`:

```yaml
storage:
  # Premium SSD
  class: managed-premium
  # Standard SSD
  # class: managed-standard
  # Standard HDD
  # class: managed-standard-hdd
```

### Load Balancer

Using Azure Load Balancer:

```yaml
service:
  type: LoadBalancer
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "false"
```

With `"false"` the load balancer receives a public IP; set the annotation to `"true"` to keep the service reachable only from inside the VNet.

### Identity Management

Configure managed identities:

```yaml
podIdentity:
  enabled: true
  userAssignedIdentityID: /subscriptions/SUB_ID/resourcegroups/RG_NAME/providers/Microsoft.ManagedIdentity/userAssignedIdentities/IDENTITY_NAME
```

This setting targets AAD Pod Identity, which Microsoft has deprecated in favour of Azure AD Workload Identity (the `azure.workload.identity/client-id` service account annotation used in `azure-values.yaml` above). Prefer workload identity for new clusters.
## Secrets Management

### Azure Key Vault Setup

- Create Key Vault:

  ```bash
  az keyvault create \
    --name prime-edm-kv \
    --resource-group prime-edm-rg \
    --location eastus
  ```

- Enable Managed Identity:

  ```bash
  az aks update \
    --name prime-edm-cluster \
    --resource-group prime-edm-rg \
    --enable-managed-identity
  ```

- Create role assignment (grants the cluster's kubelet identity read access to secrets in the vault, scoped to this vault only):

  ```bash
  az role assignment create \
    --role "Key Vault Secrets User" \
    --assignee $(az aks show -g prime-edm-rg -n prime-edm-cluster --query identityProfile.kubeletidentity.clientId -o tsv) \
    --scope $(az keyvault show --name prime-edm-kv --resource-group prime-edm-rg --query id -o tsv)
  ```

- Install External Secrets Operator:

  ```bash
  helm repo add external-secrets https://charts.external-secrets.io
  helm repo update
  helm install external-secrets \
    external-secrets/external-secrets \
    --namespace external-secrets \
    --create-namespace \
    --set installCRDs=true
  ```

- Create SecretStore:

  ```yaml
  apiVersion: external-secrets.io/v1beta1
  kind: SecretStore
  metadata:
    name: azure-backend
  spec:
    provider:
      azurekv:
        tenantId: "TENANT_ID"  # output of: az account show --query tenantId -o tsv
        vaultUrl: "https://prime-edm-kv.vault.azure.net"
        authType: ManagedIdentity
  ```

  Replace `TENANT_ID` with the value printed by `az account show --query tenantId -o tsv`; shell substitution does not run inside a manifest applied with `kubectl`. `ManagedIdentity` authenticates with the kubelet identity that was granted `Key Vault Secrets User` above. A `SecretStore` is namespaced, so apply it in the namespace where the Prime EDM release runs.
- Create ExternalSecret (in the same namespace as the `SecretStore`):

  ```yaml
  apiVersion: external-secrets.io/v1beta1
  kind: ExternalSecret
  metadata:
    name: database-secret
  spec:
    refreshInterval: 1h
    secretStoreRef:
      name: azure-backend
      kind: SecretStore
    target:
      name: db-credentials
    data:
      - secretKey: username
        remoteRef:
          key: database-username
      - secretKey: password
        remoteRef:
          key: database-password
  ```

  The operator reads the Key Vault secrets `database-username` and `database-password` and writes them into a Kubernetes Secret named `db-credentials`, re-syncing every hour, so the credentials never need to appear in the Helm values file.
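The following script is an added example for verifying the Key Vault setup above end to end (it is not part of the Prime EDM charts or the original guide). It checks that the Helm values file carries no literal credentials, that the kubelet identity's role assignment on the vault exists, and that the `ExternalSecret` has synced, without ever printing secret values. The resource names follow this guide; the namespace (`NAMESPACE`) and the values-file path are assumptions.

```shell
#!/bin/sh
# verify-secrets.sh: post-deployment checks for the Key Vault + External Secrets setup.
# Example added to this guide, not part of the Prime EDM charts; names follow the guide,
# NAMESPACE and the values-file path are assumptions.
set -eu
RG=prime-edm-rg
CLUSTER=prime-edm-cluster
VAULT=prime-edm-kv
NAMESPACE=${NAMESPACE:-default}

# Reads "type=status" lines on stdin; succeeds only if a Ready=True line is present.
conditions_ready() {
  grep -qx 'Ready=True'
}

# Succeeds if no key ending in password/secret/token/apikey carries a literal value.
# Values files are committed and kept in Helm release history, so credentials must
# come from Key Vault via ExternalSecret, never from here.
values_free_of_literals() {
  ! grep -Eiq '^[[:space:]-]*[A-Za-z0-9_.-]*(password|passwd|secret|token|apikey|api_key)[[:space:]]*:[[:space:]]*[^[:space:]#]' "$1"
}

# The kubelet identity must hold "Key Vault Secrets User" on the vault (assignment
# created above); RBAC propagation can take a few minutes after creation.
check_role_assignment() {
  kubelet_id=$(az aks show -g "$RG" -n "$CLUSTER" \
    --query identityProfile.kubeletidentity.clientId -o tsv)
  vault_id=$(az keyvault show --name "$VAULT" --resource-group "$RG" --query id -o tsv)
  az role assignment list --assignee "$kubelet_id" --scope "$vault_id" \
    --query "[?roleDefinitionName=='Key Vault Secrets User'] | length(@)" -o tsv \
    | grep -qv '^0$'
}

# ExternalSecret must report Ready=True and its target Secret must exist; the Secret is
# checked by name only so credentials never reach a terminal or CI log.
check_external_secret() {
  kubectl -n "$NAMESPACE" get externalsecret database-secret \
    -o jsonpath='{range .status.conditions[*]}{.type}={.status}{"\n"}{end}' \
    | conditions_ready
  kubectl -n "$NAMESPACE" get secret db-credentials -o name >/dev/null
}

main() {
  values_free_of_literals "${1:-azure-values.yaml}"
  check_role_assignment
  check_external_secret
  echo "ok: role assignment present, database-secret synced to db-credentials"
}
# Run the live checks only when invoked as a script, not when sourced.
case "$0" in *verify-secrets.sh) main "$@" ;; esac
```

Run it as `./verify-secrets.sh azure-values.yaml` after `az login` and `az aks get-credentials`; a non-zero exit pinpoints which of the three checks failed.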
## Monitoring

### Azure Monitor Integration

Enable Azure Monitor:

```yaml
monitoring:
  azureMonitor:
    enabled: true
    workspaceId: WORKSPACE_ID
```
## Best Practices

- Use node selectors:

  ```yaml
  nodeSelector:
    agentpool: prime-edm-pool
  ```

- Configure resource limits:

  ```yaml
  resources:
    requests:
      cpu: 250m
      memory: 512Mi
    limits:
      cpu: 500m
      memory: 1Gi
  ```

- Enable auto-scaling:

  ```yaml
  autoscaling:
    enabled: true
    minReplicas: 2
    maxReplicas: 10
    targetCPUUtilizationPercentage: 80
  ```
## Troubleshooting

Common issues and solutions:

### Storage provisioning

- Verify storage class exists
- Check PVC status
- Validate permissions

### Network connectivity

- Review NSG rules
- Check VNET configuration
- Validate DNS settings

### Identity issues

- Verify managed identity setup
- Check role assignments
- Validate pod identity configuration