Setting up Azure Infrastructure


Dependencies

Azure CLI

Ensure that you are logged in to the Azure account and subscription that will own these resources.


Terraform

Follow the run-anywhere-terraform module’s README to set up a Terraform state in your AWS account, instantiate the module, and run the subsequent Terraform apply.


Alternatively, you may use the Terraform module as documentation and deploy the same set of resources following the policies required by your organization. While the Terraform module lets the user specify most of the configuration, it is by no means "one size fits all": some organizations will need to tweak configuration details beyond what the module exposes.


In short, the module will instantiate and configure:


  • 1 Azure Database for PostgreSQL single server
  • 1 Azure Cache for Redis (1GB)
  • 1 AKS cluster with a 3-node node pool
  • 1 Key Vault for Certificate Manager keys
  • 1 Key Vault for project secrets
  • 11 DNS records
  • 1 Storage Account and container for holding CRLs


DNS

In your base domain's DNS provider, add an NS record for the subdomain that delegates its resolution to the Azure DNS nameservers of the zone Terraform created.


Run `terraform output -json` to get the list of nameservers. For example, the NS record for smallstep.basedomain.company.com would contain entries like the following:

ns1-03.azure-dns.com.
ns2-03.azure-dns.net.
ns3-03.azure-dns.org.
ns4-03.azure-dns.info.
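Delegation mistakes (a missing nameserver, a typo in one of the hosts, or a record that has not propagated yet) only show up later as failed ACME challenges or unreachable endpoints, so it is worth checking the live NS answer against what Terraform reported before moving on. The script below is an added example and not part of the Smallstep project; it assumes the Terraform output holding the nameservers is called name_servers (an assumption, check `terraform output` for the real name) and that jq and dig are installed. The sample list is constructed from the example above.

```sh
# Added example (not Smallstep's own tooling): compare the NS delegation that
# public DNS returns for the subdomain with the nameservers Terraform created.
# Assumes: a Terraform output named "name_servers" (assumption), jq and dig.

# Constructed sample modelled on the nameserver list shown above.
SAMPLE_TERRAFORM_NS='ns1-03.azure-dns.com.
ns2-03.azure-dns.net.
ns3-03.azure-dns.org.
ns4-03.azure-dns.info.'

# Canonicalise a newline-separated nameserver list so that letter case,
# trailing dots and answer ordering do not produce false mismatches.
normalize_ns() {
  tr 'A-Z' 'a-z' | sed 's/\.$//' | grep -v '^$' | sort -u
}

# Return 0 when both lists name the same set of nameserver hosts.
same_ns_set() {
  a=$(printf '%s\n' "$1" | normalize_ns)
  b=$(printf '%s\n' "$2" | normalize_ns)
  [ "$a" = "$b" ]
}

# Nameservers Terraform created for the delegated zone (assumed output name).
expected_ns() {
  terraform output -json | jq -r '.name_servers.value[]'
}

# Nameservers the public DNS actually returns for the subdomain.
live_ns() {
  dig +short NS "$1"
}

# Exit non-zero when the delegation does not match Terraform's nameservers.
check_delegation() {
  if same_ns_set "$(expected_ns)" "$(live_ns "$1")"; then
    echo "delegation for $1 is in place"
  else
    echo "delegation for $1 does not match terraform output" >&2
    return 1
  fi
}

# Opt-in entry point so the functions can also be sourced:
#   CHECK_DELEGATION=smallstep.basedomain.company.com sh ./check-dns.sh
if [ -n "${CHECK_DELEGATION:-}" ]; then
  check_delegation "$CHECK_DELEGATION"
fi
```

Run it from the directory that holds the Terraform state so `terraform output` can find it; a mismatch that persists after the resolver's TTL has elapsed usually means the NS record at the base domain provider was entered incorrectly.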

Platform

Azure kubectl context

To interact with the AKS cluster, you'll need a local kubectl context for it. The az CLI can configure this for you:

az aks get-credentials -g smallstep -n smallstep

Linkerd

Smallstep services currently use Linkerd for some internal load balancing needs and for mutual TLS between services. Install it manually with a long-lived certificate: Linkerd's default trust anchor has a lifetime of 1 year, and once it expires the meshed services can no longer authenticate each other, which would make our CA useless after a year. This step is necessary for that reason, although we may eventually remove the dependency on Linkerd.


First, create a root CA cert and key:

step certificate create root.linkerd.cluster.local ca.crt ca.key \
  --profile root-ca --no-password --insecure --not-after=87600h

Use the CA to issue an identity certificate for Linkerd:

step certificate create identity.linkerd.cluster.local issuer.crt issuer.key \
  --profile intermediate-ca --not-after 87600h --no-password --insecure \
  --ca ca.crt --ca-key ca.key

Install the new Linkerd certificate you’ve just created to the Kubernetes cluster, providing the files from the previous commands:

kubectl config use-context <your context>

linkerd install \
  --identity-trust-anchors-file ca.crt \
  --identity-issuer-certificate-file issuer.crt \
  --identity-issuer-key-file issuer.key \
  | kubectl apply -f -

Shred the key material:

shred -uv ca.key issuer.key

If you do not have the shred command and don't wish to install it, it is also okay to rm the files instead. Note that the issuer key now lives only inside the cluster (Linkerd stores it in a Kubernetes Secret) and the root key is gone for good, so a future issuer rotation will require creating a new trust anchor as well.
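Because the root key is destroyed at the end of this procedure, it pays to confirm that the certificates actually have the intended lifetime and chain correctly before they are installed and the keys are shredded. The script below is an added example, not part of the Smallstep or Linkerd projects: it wraps the commands above in a guard that refuses to install unless the issuer verifies against the anchor and both certificates have at least MIN_YEARS of validity left. It assumes step, jq, linkerd and kubectl are on the PATH, and that `step certificate inspect --format json` reports the expiry under .validity.end (an assumption about the JSON layout; check with your step version).

```sh
# Added example (not Smallstep's or Linkerd's own tooling): create the Linkerd
# trust anchor and issuer as described above, verify them, then install.
# Assumes: step, jq, linkerd, kubectl; and that
# `step certificate inspect --format json` exposes ".validity.end" (assumption).
MIN_YEARS=9
LIFETIME=87600h   # 10 years, the same value as the commands above

# Whole years of validity remaining for an RFC 3339 timestamp such as
# 2034-05-01T12:00:00Z; year granularity is enough for this sanity check.
years_left() {
  printf '%s\n' "$(( ${1%%-*} - $(date +%Y) ))"
}

# Fail unless the certificate in $1 is valid for at least $2 more years.
require_min_years() {
  end=$(step certificate inspect --format json "$1" | jq -r '.validity.end')
  if [ "$(years_left "$end")" -lt "$2" ]; then
    echo "$1 expires $end, less than $2 years out; refusing to install" >&2
    return 1
  fi
}

make_linkerd_ca() {
  step certificate create root.linkerd.cluster.local ca.crt ca.key \
    --profile root-ca --no-password --insecure --not-after="$LIFETIME"
  step certificate create identity.linkerd.cluster.local issuer.crt issuer.key \
    --profile intermediate-ca --not-after "$LIFETIME" --no-password --insecure \
    --ca ca.crt --ca-key ca.key
  # The issuer must chain to the anchor that Linkerd will be told to trust.
  step certificate verify issuer.crt --roots ca.crt
  require_min_years ca.crt "$MIN_YEARS"
  require_min_years issuer.crt "$MIN_YEARS"
}

install_linkerd() {
  linkerd install \
    --identity-trust-anchors-file ca.crt \
    --identity-issuer-certificate-file issuer.crt \
    --identity-issuer-key-file issuer.key \
    | kubectl apply -f -
  # The issuer key is now in the cluster and the root key is no longer needed.
  shred -uv ca.key issuer.key 2>/dev/null || rm -f ca.key issuer.key
}

# Opt-in entry point so the functions can be sourced without side effects:
#   LINKERD_CA_RUN=1 sh ./linkerd-ca.sh   (after kubectl config use-context)
if [ "${LINKERD_CA_RUN:-0}" = 1 ]; then
  make_linkerd_ca && install_linkerd
fi
```

Because `set -e` is not assumed, make_linkerd_ca is written so that every verification step returns non-zero on failure and install_linkerd only runs when the whole chain of checks succeeds; keys are only shredded after `kubectl apply` has consumed them.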


Secrets

This project uses Kubernetes secrets internal to the AKS cluster to manage the passwords for Run Anywhere. If you followed the Terraform run-anywhere module README, these have already been set up for you.


Next Steps

Now that your cloud infrastructure is in place, the Kubernetes cluster is running and healthy, DNS has propagated, and Linkerd's default certificates have been replaced with your own long-lived ones:


Continue to SSH Professional Setup

or

Continue to Certificate Manager Setup