Deploying OpenIAM on AKS (Kubernetes) with an external MSSQL database
Pre-requisite planning for the deployment
- Review your access and check infrastructure requirements. For AKS cluster access:
  - Make sure the OpenIAM team has access to the AKS cluster, as it is required for the installation and for ongoing support.
  - Since access goes through the VDI infrastructure, please provide the connection steps and authentication methods.
  - Please confirm whether `kubectl` access is allowed directly, or whether it must go through jump hosts.
- Please provide:
  - DNS name for the OpenIAM host;
  - SSL certificate for use by OpenIAM (issued for that DNS name).
- Check the internet connectivity requirements.
To support the deployment of OpenIAM on AKS, the environment must allow internet connectivity for installing essential utilities. These tools can typically be installed using standard Linux package managers (`yum`, `dnf`, or `apt`), or manually from their official websites if required.
Please ensure that the firewall and proxy policies allow outbound HTTPS access to the domains listed below, depending on your preferred installation method.
Tool | Purpose | Linux Package Repository (Domain) | Manual Download URL |
---|---|---|---|
Terraform | Infrastructure provisioning | rpm.releases.hashicorp.com or apt.releases.hashicorp.com | https://developer.hashicorp.com/terraform/downloads |
Helm | Kubernetes package manager | baltocdn.com | https://helm.sh/docs/intro/install/ |
kubectl | Kubernetes CLI tool | pkgs.k8s.io (the legacy packages.cloud.google.com, apt.kubernetes.io and yum.kubernetes.io repositories are frozen and should not be used for new installs) | https://kubernetes.io/docs/tasks/tools/install-kubectl/ |
Git | Version control | mirror.centos.org, archive.ubuntu.com, security.ubuntu.com | https://git-scm.com/downloads |
Note that the manual download pages above link to separate hosts that serve the actual binaries (releases.hashicorp.com for Terraform, get.helm.sh for Helm, dl.k8s.io for kubectl); if the manual method is used, those hosts must be allowed as well.
- Providing access to code and repository.
As the OpenIAM Terraform scripts are hosted on Bitbucket, please ensure access to the Git repository at https://bitbucket.org/openiam. Additionally, as Docker images will be pulled from the OpenIAM private container registry, please allow outbound HTTPS access to the registry at https://confidant-bhaskara.container-registry.com.
- Service accounts and permissions
An MS SQL Server account is required to create and manage the OpenIAM and Activiti schemas via Flyway. It must satisfy the following requirements.
- It must be a SQL Server authentication login (username and password); it cannot be a Windows-authenticated account.
- Permissions needed:
  - Creating a database.
  - Creating/modifying tables, indexes, views, procedures.
  - Running Flyway migrations (Flyway also creates and writes to its own schema-history table in each database it manages).
Please also confirm the SQL Server version to be used: OpenIAM is certified on SQL Server 2019. If SQL Server 2022 is used, OpenIAM will first test compatibility in its lab.
For the Active Directory (AD) integration, OpenIAM requires the AD host information (domain controller host names) and a service account to connect to the AD domain. The service account needs the following permissions.
- Read access to directory objects (users, groups, OUs).
- Write access if provisioning/deprovisioning is required.
Finally, to send email notifications from OpenIAM, the SMTP details (host, port, credentials, and whether TLS is used) are to be provided.
- Network & access validation
The following network paths must be validated to ensure proper communication between the OpenIAM components, the Windows Connector VM, Active Directory, and Microsoft SQL Server. Please ensure all listed ports are open and accessible from the relevant components; the two ports still marked as open questions must be confirmed by MPG before installation.
Source | Destination | Port(s) | Purpose |
---|---|---|---|
AKS Pods (OpenIAM) | Windows Connector VM | 5672 | RabbitMQ communication. |
Windows Connector VM | Active Directory | To be confirmed (WinRM defaults are 5985 for HTTP and 5986 for HTTPS) | WinRM communication to AD using PowerShell. |
OpenIAM Components | MS SQL Server | To be confirmed: which port is being used by Manpower? (SQL Server default is 1433) | Database connections to the OpenIAM and Activiti schemas. |
- OpenIAM will test connectivity and DNS resolution during setup.
- Ensure the Windows Connector VM is domain-joined if using integrated AD authentication.
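A pre-flight script that runs the checks this section, the connectivity table and the outbound-access table above call for (tooling on PATH, DNS resolution, TCP reachability of the internal paths, outbound HTTPS to the tool and registry domains, the provided certificate covering the OpenIAM DNS name, and kubectl access). This is an added example, not an OpenIAM or MPG script. The internal host names are placeholders, the two unconfirmed ports are filled with the protocol defaults (5985, 1433) only so that the script runs, pkgs.k8s.io is assumed as the kubectl repository, and the environment variables OPENIAM_CERT and OPENIAM_HOST are this script's own convention.

```shell
#!/usr/bin/env bash
# Added pre-flight check for the OpenIAM on AKS prerequisites (example, not an
# OpenIAM or MPG script). Host names below are placeholders; ports left open in
# the table above are filled with protocol defaults and must be confirmed by MPG.

# Constructed sample of the internal paths to validate: label|host|port
OPENIAM_PATHS='
rabbitmq|connector-vm.example.internal|5672
winrm-http|dc01.example.internal|5985
mssql|mssql.example.internal|1433
'
# Outbound HTTPS endpoints: tool repositories, the Bitbucket repo, the registry.
OUTBOUND_URLS='
https://rpm.releases.hashicorp.com
https://apt.releases.hashicorp.com
https://baltocdn.com
https://pkgs.k8s.io
https://bitbucket.org/openiam
https://confidant-bhaskara.container-registry.com
'
REQUIRED_TOOLS="terraform helm kubectl git"

check_tools() {   # returns 0 only if every named tool is on PATH
  local missing=0 t
  for t in "$@"; do
    command -v "$t" >/dev/null 2>&1 || { echo "MISSING tool: $t"; missing=1; }
  done
  return $missing
}

check_dns() {     # returns 0 if the name resolves through the host's resolver
  getent hosts "$1" >/dev/null 2>&1
}

check_tcp() {     # host port [timeout]: TCP connect via bash's /dev/tcp, no nc needed
  local host=$1 port=$2 t=${3:-5}
  if command -v timeout >/dev/null 2>&1; then
    timeout "$t" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
  else
    bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
  fi
}

check_https() {   # url [timeout]: any HTTP response counts as reachable; honours https_proxy
  curl -sS -o /dev/null --head --max-time "${2:-10}" "$1" >/dev/null 2>&1
}

check_cert() {    # cert.pem dns_name: certificate not expired and SAN lists exactly this name
  local cert=$1 name=$2
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || return 1
  openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -Fxq "DNS:$name"
}

run_preflight() { # runs every check, prints PASS/FAIL lines, returns the failure count
  local failures=0 line rest label host port url
  check_tools $REQUIRED_TOOLS || failures=$((failures + 1))
  for line in $OPENIAM_PATHS; do
    label=${line%%|*}; rest=${line#*|}; host=${rest%%|*}; port=${rest#*|}
    if check_dns "$host" && check_tcp "$host" "$port"; then
      echo "PASS $label $host:$port"
    else
      echo "FAIL $label $host:$port (DNS or TCP)"; failures=$((failures + 1))
    fi
  done
  for url in $OUTBOUND_URLS; do
    if check_https "$url"; then echo "PASS outbound $url"
    else echo "FAIL outbound $url (check firewall/proxy)"; failures=$((failures + 1)); fi
  done
  if [ -n "${OPENIAM_CERT:-}" ] && [ -n "${OPENIAM_HOST:-}" ]; then
    if check_cert "$OPENIAM_CERT" "$OPENIAM_HOST"; then echo "PASS certificate covers $OPENIAM_HOST"
    else echo "FAIL certificate expired or does not cover $OPENIAM_HOST"; failures=$((failures + 1)); fi
  fi
  if command -v kubectl >/dev/null 2>&1; then
    # works the same whether kubectl reaches the API directly or via a jump host tunnel
    if kubectl auth can-i create namespaces >/dev/null 2>&1; then echo "PASS kubectl can create namespaces"
    else echo "FAIL kubectl access or permission"; failures=$((failures + 1)); fi
  fi
  echo "$failures check(s) failed"
  return $failures
}

# Usage: OPENIAM_CERT=cert.pem OPENIAM_HOST=openiam.example.internal ./preflight.sh run
case "${1:-}" in run) run_preflight ;; esac
```

Run it from the host that will perform the installation (inside the VDI, through the jump host if that is the only path), since that is the network position whose firewall and proxy rules matter. The RabbitMQ, WinRM and SQL checks only prove the TCP port is reachable; authentication and the SQL login's permissions are validated separately during the Flyway run.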
Installing OpenIAM
Install OpenIAM on the AKS cluster using the steps described in this document.
While installing, ensure that you:
- Set up the DNS name.
- Install the SSL certificate provided by MPG.
- Install the AD connector.
- Set up connectivity between AD and OpenIAM.
- Configure the SMTP integration with OpenIAM.
Replicating the OpenIAM container registry to the registry at MPG
For the OpenIAM team to replicate the OpenIAM container registry to the container registry at MPG, MPG needs to provide the connectivity details for its repository (registry URL and credentials with push access), and OpenIAM will create a script to replicate the images.