...

Inside that resource group, create a storage account with two file shares called:

  • logs

  • keystore

Step 3. Create a KeyVault

...

Step 10. Provide storage access to the SP

In order for the app to use the Service Principal to access the storage account, you’ll need to:

  1. Add the Contributor role to the Managed Identity you’ve created

    1. Open the Storage Account

    2. Go to Access Control (IAM)

    3. Click on Add and follow the instructions to add the Contributor role to the Managed Identity

  2. Add a permission mask on the container you’re going to be using in order for the Managed Identity to be able to write on it

    1. From the Storage Account view, open the Containers section

    2. Go to the container that will be used by LHM (the name of it is reflected within the STORAGE_AZURE_CONTAINER environment variable)

    3. Go to Manage ACL

    4. Click on Add principal and follow the steps to add a mask for the Managed Identity

    5. Once the entry is added, make sure all three checkboxes are checked for it (Read, Write, Execute) so the Managed Identity can use the container

Step 11. Edit Keyvault Access policies

Add the necessary access policy on the Key Vault so the managed identity is able to list and read secrets from it.

  • In the Azure Portal, go to your KeyVault created in step 3.

  • In the left hand sidebar click on Access Policies

  • Click on Create

  • From the Secrets section check List and Get as the permissions to be added

  • Search for the Managed Identity created in step 9 and select it. Click Next.

  • Skip the Application step as it’s optional

  • Click Create

Step 12. Configure SSL Communication

For SSL communication you need to create a keystore containing your server private key and certificate. The keystore will be named bplm.p12 and have no password.

Note: If this is not convenient you can use one of these two options:

  1. https://learn.microsoft.com/en-gb/azure/api-management/api-management-key-concepts

  2. https://learn.microsoft.com/en-us/azure/container-instances/container-instances-container-group-ssl (recommended)

...

change it but you’ll need to change the environment variables below as well.

Command you can use to generate the keystore (leave the export password empty when prompted, since the container definition below mounts the keystore without a password):

Code Block
openssl pkcs12 -export -out bplm.p12 -inkey ssl.key -in ssl.crt

Step 13. Create YAML definitions

Create YAML definition for the containers

Code Block
apiVersion: '2019-12-01'
location: <location>
name: <name of your container instance>
properties:
  containers:
  - name: lakehouse-monitor
    properties:
      environmentVariables:
      - name: APPLICATION_LOG_HTTPHEADER
        value: false
      - name: APPSERVICE_URL
        value: <FQDN>
      - name: AZURE_KEYVAULT_ENABLED
        value: true
      - name: AZURE_KEYVAULT_TENANTID
        value: <KV tenantID>
      - name: AZURE_KEYVAULT_URI
        value: <KV URL>
      - name: AZURE_MANAGED_IDENTITY_ID
        value: <managed identity objectID>
      - name: AZURE_MANAGED_IDENTITY_APP_ID
        value: <managed identity clientID>
      - name: LOG_LEVEL
        value: info
      - name: LOG_LEVEL_APP
        value: info
      - name: LOG_LEVEL_HTTP_HEADERS
        value: error
      - name: USE_SP_FOR_BACKGROUND_PROCESSORS
        value: true
      - name: USE_SP_FOR_STORAGE_ACCOUNT
        value: true
      - name: MICROSOFT_PROVIDER_AUTHENTICATION_SECRET
        value: ${msft-provider-auth-secret}
      - name: SERVICE_PRINCIPAL_CLIENT_SECRET
        value: ${msft-provider-auth-secret}
      - name: SERVICE_PRINCIPAL_CLIENTID
        value: <sp clientID>
      - name: SERVICE_PRINCIPAL_OBJECTID
        value: <sp objectID>
      - name: SERVICE_PRINCIPAL_TENANTID
        value: <sp tenantID>
      - name: SQL_DATABASE
        value: <sql database name>
      - name: SQL_SERVER_HOST
        value: <sql server host>
      - name: SQL_USER
        value: <sql username>
      - name: SQL_PASSWORD
        value: ${mssql-password}
      - name: STORAGE_AZURE_ACCOUNT
        value: <storage account name>
      - name: STORAGE_AZURE_CONTAINER
        value: lakehouse-monitor
      - name: CLOUD_PROVIDER
        value: azure
      - name: AUTHENTICATION_PROVIDER
        value: active-directory
      - name: SERVER_SERVLET_SESSION_PERSISTENT
        value: true
      - name: SERVER_SSL_ENABLED
        value: true
      - name: SERVER_SSL_KEY_STORE
        value: /keystore/bplm.p12
#      - name: SERVER_SSL_KEY_STORE_PASSWORD
#        value: bplm
#      - name: SERVER_SSL_KEY_ALIAS
#        value: bplm
#      - name: SERVER_SSL_KEY_PASSWORD
#        value: bplm
      - name: SERVER_SSL_KEY_STORE_TYPE
        value: PKCS12
      - name: METRIC_PROCESSOR_ENABLED
        value: true
      - name: METRIC_PROCESSOR_DOCTOR_INITIAL_DELAY
        value: PT1M
      - name: CONSUMPTION_USE_PREFILTER
        value: false
      - name: ADMIN_APP_ROLE
        value: <admin role value>
      - name: EXECUTIVE_APP_ROLE
        value: <executive role value>
      - name: AUTHORIZATION_CACHE_TIMEOUT
        value: 1800
      - name: SERVER_PORT
        value: 80
      image: blueprint.azurecr.io/bpcs/lakehouse-optimizer:2.3
      ports:
      - port: 80
      resources:
        requests:
          cpu: 4
          memoryInGB: 8
      volumeMounts:
      - mountPath: /var/log
        name: logs
      - mountPath: /keystore
        name: keystore
  imageRegistryCredentials:
  - server: blueprint.azurecr.io
    username: <ACR Username>
    password: <ACR Password>
  osType: Linux
  restartPolicy: Always
  ipAddress:
    type: Public
    ports:
      - port: 443
      - port: 80
    dnsNameLabel: <dns label>
  volumes:
  - name: logs
    azureFile:
      sharename: <name of share for the logs>
      storageAccountName: <storage account name where the share is created>
      storageAccountKey: <storage account key>
  - name: keystore
    azureFile:
      sharename: <name of share for the keystore>
      storageAccountName: <storage account name where the share is created>
      storageAccountKey: <storage account key>
tags: {}
type: Microsoft.ContainerInstance/containerGroups
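Before running the definition above through the Azure CLI it is worth linting the properties the deployment silently depends on: secrets are Key Vault references rather than literals, Key Vault lookup is enabled when such references are used, the keystore path sits under a mounted volume, and every volumeMount names a declared volume. The script below is an added example, not part of the original page or the product; the definition is embedded as a constructed Python dict mirroring the page's YAML so it runs offline (in practice, load the file with yaml.safe_load and pass the result in).

```python
# Pre-deployment lint for the ACI container-group definition (added example).
SECRET_VARS = {"SQL_PASSWORD", "SERVICE_PRINCIPAL_CLIENT_SECRET",
               "MICROSOFT_PROVIDER_AUTHENTICATION_SECRET",
               "SERVER_SSL_KEY_STORE_PASSWORD", "SERVER_SSL_KEY_PASSWORD"}

def is_kv_reference(value):
    """Key Vault references look like ${secret-name}; anything else is a literal."""
    return value.startswith("${") and value.endswith("}") and len(value) > 3

def lint_container_group(definition):
    """Return a list of findings; an empty list means the definition passes."""
    findings = []
    props = definition["properties"]
    volumes = {v["name"] for v in props.get("volumes", [])}
    for c in props["containers"]:
        cp = c["properties"]
        # str() so YAML booleans (True) and strings ("true") compare the same way
        env = {e["name"]: str(e.get("value", "")) for e in cp.get("environmentVariables", [])}
        mounts = {m["mountPath"].rstrip("/"): m["name"] for m in cp.get("volumeMounts", [])}
        # 1. Secrets must be Key Vault references, never literals committed in the YAML
        for var in sorted(SECRET_VARS & env.keys()):
            if not is_kv_reference(env[var]):
                findings.append(f"{c['name']}: {var} is a literal; use a ${{...}} Key Vault reference")
        if any(map(is_kv_reference, env.values())) and env.get("AZURE_KEYVAULT_ENABLED", "").lower() != "true":
            findings.append(f"{c['name']}: Key Vault references used but AZURE_KEYVAULT_ENABLED is not true")
        # 2. With SSL on, the keystore path must live under one of the container's mounts
        if env.get("SERVER_SSL_ENABLED", "").lower() == "true":
            ks = env.get("SERVER_SSL_KEY_STORE", "")
            if not ks:
                findings.append(f"{c['name']}: SERVER_SSL_ENABLED is true but SERVER_SSL_KEY_STORE is unset")
            elif not any(ks.startswith(p + "/") for p in mounts):
                findings.append(f"{c['name']}: keystore {ks} is not under any volumeMount")
        # 3. Every volumeMount must reference a volume declared at group level
        for path, name in mounts.items():
            if name not in volumes:
                findings.append(f"{c['name']}: mount {path} references undeclared volume {name}")
    return findings

def page_definition(**env_overrides):
    """Constructed sample mirroring the page's YAML; values are placeholders, not real secrets."""
    env = {"AZURE_KEYVAULT_ENABLED": "true", "SERVER_SSL_ENABLED": "true",
           "SERVER_SSL_KEY_STORE": "/keystore/bplm.p12", "SQL_PASSWORD": "${mssql-password}",
           "SERVICE_PRINCIPAL_CLIENT_SECRET": "${msft-provider-auth-secret}"}
    env.update(env_overrides)
    return {"properties": {"containers": [{"name": "lakehouse-monitor", "properties": {
        "environmentVariables": [{"name": k, "value": v} for k, v in env.items()],
        "volumeMounts": [{"mountPath": "/var/log", "name": "logs"}, {"mountPath": "/keystore", "name": "keystore"}]}}],
        "volumes": [{"name": "logs", "azureFile": {}}, {"name": "keystore", "azureFile": {}}]}}
```

Calling `lint_container_group(page_definition())` returns no findings, while overriding `SQL_PASSWORD` with a literal or moving `SERVER_SSL_KEY_STORE` outside `/keystore` produces one finding each.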

Step 14. Create Containers

Create the containers:

  • recommended minimum 8 cores

...