How to Install TIBCO ModelOps 1.2 on Azure Managed Kubernetes Service (AKS) with Azure AD Authentication (Windows Quick-Start)

Article ID: KB0071921

Products Versions
TIBCO ModelOps 1.2

Description

This article provides the essential steps needed to run a TIBCO ModelOps 1.2 server on the Azure Managed Kubernetes Service (AKS), using Azure AD for authentication (oauth2). The commands shown below are assumed to be run from a Windows command prompt.

This procedure may not be appropriate for production use, but it should help you quickly spin up a working ModelOps server that users can access for testing.

Issue/Introduction

Outlines the basic steps needed to run a TIBCO ModelOps 1.2 server on the Azure Managed Kubernetes Service (AKS), using Azure AD for authentication (oauth2). Guidance is provided for Windows only.

Resolution

This article assumes you have installed the following prerequisites on your Windows machine: Several actions (detailed in the steps below) will need to be accomplished by your Azure administrator. Please have them review this procedure before beginning.

This installation procedure assumes that the person tasked with installing ModelOps (herein referred to as "the SSO user" or "you") has SSO access to a shared Azure team account. The SSO user has the following Azure roles assigned at the Azure Resource Group scope:
  • A role that allows the SSO user to create new role assignments for the ModelOps Application Service Principal (as shown in step 5). Assign one of the following built-in Azure roles to enable the SSO user to create new role assignments:
    • Role Based Access Control Administrator
    • User Access Administrator
    • Owner
  • A role that allows the SSO user to create an Azure Container Registry (ACR), an Azure AKS cluster, and a node pool (as shown in steps 6 through 8). Assign one of the following built-in Azure roles to enable the SSO user to create these resources:
    • User Access Administrator
    • Owner
  • A role that allows the ModelOps Application Service Principal to install ModelOps. Assign all of the following built-in Azure roles to enable the ModelOps Application Service Principal to install ModelOps:
    • AcrPull
    • AcrPush
    • Contributor
Note: If you intend to use the commands shown below to build a batch script, use double %% syntax (instead of a single %) to precede the 'F' variable in the FOR-DO loops shown below.

1.) First, ensure that you have an Azure Resource Group with a DNS Zone available to your ModelOps application. In the Azure portal, go to Home > DNS Zones, and find the appropriate zone name listed on that page. Also make note of the Resource Group that this DNS Zone is associated with. This information will be shown on the DNS Zone's 'Overview' page. If no zones are listed, your Azure administrator will need to create one for you. In this example, we will use the DNS Zone 'az.companycloud.com', which is associated with the Resource Group 'azgroup'. 

If your Azure DNS Zone has a parent domain, the name servers for your Azure DNS Zone must be added/configured in the parent domain by your Azure administrator. Otherwise, DNS resolution will not work properly. The name servers for your Azure DNS Zone are displayed on the Zone's details page (again, under Home > DNS zones > [Your Zone Name]). For example, if your Azure DNS zone name is 'az.companycloud.com', then its name servers would need to be configured in the parent domain 'companycloud.com'.

2.) Choose a name for your new ModelOps application, and other values that will be needed to complete the installation. Assign environment variables in your command prompt for each value. For example:
 
 set AZ_APP_DISPLAY_NAME=ModelOpsAzApp
 set MODELOPS_ROOT_PASSWORD=tibco123
 set AKS_ES_PASSWORD=ElAsticPW123
 set AKS_GIT_PASSWORD=G1tPW123
 set AKS_NEXUS_PASSWORD=NxtPW123
 set AKS_SCORING_PASSWORD=Sc0rePW123
 set MODELOPS_NAMESPACE=modelops12

Also configure environment variables for your local ModelOps home directory, the Azure Resource Group, and the DNS Zone you determined from step 1.
 
 set MODELOPS_HOME=C:\TIBCO\modelops\1.2
 set AZ_GROUP_NAME=azgroup
 set DNS_ZONE=az.companycloud.com

In addition to the above values, your ModelOps application will need access to an AKS cluster, a node pool and an Azure Container Registry (ACR). Check with the Owner of your Azure Resource Group to see if these resources have already been created and are available. If they are not yet available, you will need to create them using the commands shown in steps 6 through 8. Again, set environment variables for these (and related) values:
 
 set AZ_ACR_NAME=azacr
 set AKS_CLUSTER_NAME=aksapps
 set AKS_NODEPOOL_NAME=npmo12
 set AKS_WIN_USERNAME=azwinuser
 set AKS_WIN_PASSWORD=P@ssw0rd1234567!


You must follow Azure naming conventions for the node pool name and the Azure Windows password. Ref:

3.) Use the Azure command-line interface (az cli) to create the Azure application, the service principal, and a secret:
 
 REM First check for any existing service principal names that
 REM match the value you've set for AZ_APP_DISPLAY_NAME.
 FOR /F "tokens=* USEBACKQ" %F ^
 IN ( `az ad sp list --all --filter "displayname eq '%AZ_APP_DISPLAY_NAME%'" ^| jq .[].displayName` ) ^
 DO ( set FOUND_AZ_APP_NAME=%F )
 IF DEFINED FOUND_AZ_APP_NAME ECHO ^
 A service principal with display name %FOUND_AZ_APP_NAME% ^
 already exists. Please start over from a new command prompt ^
 and choose a different value for AZ_APP_DISPLAY_NAME.

 REM Get the tenant ID
 del /f az-login-info.json
 call az login > az-login-info.json
 FOR /F "tokens=* USEBACKQ" %F ^
 IN ( `jq .[].tenantId az-login-info.json` ) ^
 DO (set AZ_TENANT_ID=%F)
 set AZ_TENANT_ID=%AZ_TENANT_ID:"=%
 echo AZ_TENANT_ID is: %AZ_TENANT_ID%

 REM Get the first subscription ID from your Azure subscriptions list
 del /f az-subscriptions-list.json
 call az account subscription list > az-subscriptions-list.json
 FOR /F "tokens=* USEBACKQ" %F ^
 IN ( `jq .[0].subscriptionId az-subscriptions-list.json` ) ^
 DO (set AZ_SUBSCRIPTION_ID=%F)
 set AZ_SUBSCRIPTION_ID=%AZ_SUBSCRIPTION_ID:"=%
 echo AZ_SUBSCRIPTION_ID is %AZ_SUBSCRIPTION_ID%

 REM Create the app, adding the ModelOps server 'Admin' App Role and the redirect URI
 del /f app-role-manifest.json
 echo ^
 [{ ^
     "allowedMemberTypes": [ ^
         "User" ^
     ], ^
     "description": "Admin App Role for ModelOps applications.", ^
     "displayName": "ModelOpsAdmin", ^
     "isEnabled": "true", ^
     "value": "Admin" ^
 }] | jq . > app-role-manifest.json
 del /f az-app-manifest.json
 call az ad app create ^
   --display-name %AZ_APP_DISPLAY_NAME% ^
   --app-roles "@app-role-manifest.json" ^
   --web-redirect-uris "https://modelops-server.%AKS_CLUSTER_NAME%.%DNS_ZONE%/oauth2/callback" ^
   --enable-access-token-issuance true ^
   --enable-id-token-issuance true > az-app-manifest.json

 REM Create the application's service principal and secret.
 REM Assign the Azure 'Contributor' role to start.
 REM Note: az-sp-info.json will contain the client secret in clear text,
 REM and the secret is echoed to the console below; protect or remove the file when done.
 del /f az-sp-info.json
 call az ad sp create-for-rbac ^
   --name %AZ_APP_DISPLAY_NAME% ^
   --role "Contributor" ^
   --scopes /subscriptions/%AZ_SUBSCRIPTION_ID%/resourceGroups/%AZ_GROUP_NAME% > az-sp-info.json
 FOR /F "tokens=* USEBACKQ" %F ^
 IN ( `jq .password az-sp-info.json` ) ^
 DO (set AZ_APP_SECRET=%F)
 set AZ_APP_SECRET=%AZ_APP_SECRET:"=%
 echo AZ_APP_SECRET is %AZ_APP_SECRET%
 FOR /F "tokens=* USEBACKQ" %F ^
 IN ( `jq .appId az-sp-info.json` ) ^
 DO (set AZ_SERVICE_PRINCIPAL_ID=%F)
 set AZ_SERVICE_PRINCIPAL_ID=%AZ_SERVICE_PRINCIPAL_ID:"=%
 echo AZ_SERVICE_PRINCIPAL_ID is %AZ_SERVICE_PRINCIPAL_ID%

 REM Add the Microsoft Graph API User.Read (delegated) permission to the app
 call az ad app permission add ^
   --id %AZ_SERVICE_PRINCIPAL_ID% ^
   --api 00000003-0000-0000-c000-000000000000 ^
   --api-permissions e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope

4.) In order to use Azure AD for authentication, your Azure administrator must grant the API permission that you added in step 3. The output from the 'az ad app permission add' command tells you the additional command that needs to be run by your Azure administrator. For example:
 
 Invoking `az ad app permission grant --id %AZ_SERVICE_PRINCIPAL_ID%  --api 00000003-0000-0000-c000-000000000000` is needed to make the change effective

When your Azure administrator confirms that the permission has been granted, confirm this in the Azure portal under Home > App Registrations > ModelOpsAzApp > API permissions. If the permission has been granted by your Azure administrator, you should see a green check mark with text that says "Granted for [Your Azure Organization]".

Before permission is granted: (screenshot: API permission not granted)

After permission is granted: (screenshot: API permission granted, green check mark)

5.) Now assign the following additional Azure roles to your ModelOps application service principal (at the Resource Group level):
  • AcrPush
  • AcrPull
  • User Access Administrator
Note: The 'User Access Administrator' role is only required if you need to create the ACR, AKS cluster and node pool. If these resources have already been created, you may exclude 'User Access Administrator', and skip steps 6 through 8.

Also Note: To perform the role assignments in this step, your currently logged-in Azure user (used in step 3) needs (at least) the permissions enabled by the built-in 'Role Based Access Control Administrator' role. Other built-in Azure roles such as 'User Access Administrator' or 'Owner' will also enable your Azure user to perform the role assignments below. If your currently logged-in Azure user does not have an assignment to one of these roles, ask your Azure administrator (or whoever is the Owner of the Azure Resource Group) to add these assignments for you.
 
 REM Add ACR Push/Pull & User Access Administrator role assignments
 call az role assignment create ^
   --role "AcrPush" ^
   --scope /subscriptions/%AZ_SUBSCRIPTION_ID%/resourceGroups/%AZ_GROUP_NAME% ^
   --assignee %AZ_SERVICE_PRINCIPAL_ID%
 call az role assignment create ^
   --role "AcrPull" ^
   --scope /subscriptions/%AZ_SUBSCRIPTION_ID%/resourceGroups/%AZ_GROUP_NAME% ^
   --assignee %AZ_SERVICE_PRINCIPAL_ID%
 call az role assignment create ^
   --role "User Access Administrator" ^
   --scope /subscriptions/%AZ_SUBSCRIPTION_ID%/resourceGroups/%AZ_GROUP_NAME% ^
   --assignee %AZ_SERVICE_PRINCIPAL_ID%
 REM Wait 60 seconds for role assignments to propagate
 timeout 60 >nul

Alternatively, you can create these role assignments in the Azure portal under Home > Resource Groups > azgroup > Access Control (IAM) > Add > Add role assignment. On the 'Add role assignment' screen, select the option to assign access to 'User, group, or service principal'. Then click '+ Select members', and search for your application name (ModelOpsAzApp). Then click 'Review + assign' to complete the assignment.
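As an added sanity check before logging in as the service principal in step 6, the following batch script (not part of the TIBCO article; save it as a .cmd file, hence the %% syntax from the note above) lists the role assignments the service principal holds at the Resource Group scope, checks them against the roles from steps 3 and 5, flags any role beyond those, and confirms that the User.Read grant from step 4 has been consented. It assumes the environment variables from steps 2 and 3 are still set and that jq is on the PATH; the file names it writes (sp-roles.json, sp-role-names.txt, sp-grants.json) are its own.

```batch
@echo off
setlocal
REM Added check, not part of the TIBCO procedure. Assumes AZ_SUBSCRIPTION_ID,
REM AZ_GROUP_NAME and AZ_SERVICE_PRINCIPAL_ID (steps 2 and 3) are still set.
set RG_SCOPE=/subscriptions/%AZ_SUBSCRIPTION_ID%/resourceGroups/%AZ_GROUP_NAME%
set PROBLEMS=0

REM 1. Role assignments held by the ModelOps service principal at the RG scope.
call az role assignment list --assignee %AZ_SERVICE_PRINCIPAL_ID% --scope %RG_SCOPE% > sp-roles.json
jq -r ".[].roleDefinitionName" sp-roles.json > sp-role-names.txt

REM Contributor (step 3), AcrPush and AcrPull (step 5) are always required.
FOR %%R IN ("Contributor" "AcrPush" "AcrPull") DO (
  findstr /x /l /c:"%%~R" sp-role-names.txt >nul && (
    echo OK       %%~R assigned at %RG_SCOPE%
  ) || (
    echo MISSING  %%~R - later steps will fail without it
    set PROBLEMS=1
  )
)

REM User Access Administrator is only needed to create the ACR, cluster and
REM node pool (steps 6 to 8); it is the broadest role here, so report it explicitly.
findstr /x /l /c:"User Access Administrator" sp-role-names.txt >nul && (
  echo PRESENT  User Access Administrator - remove it after steps 6 to 8 if no longer needed
) || (
  echo ABSENT   User Access Administrator - fine when the ACR, cluster and node pool already exist
)

REM Anything beyond these four roles is more than the procedure asks for.
findstr /v /x /l /c:"Contributor" /c:"AcrPush" /c:"AcrPull" /c:"User Access Administrator" sp-role-names.txt && (
  echo UNEXPECTED extra role assignments listed above - review them with your Azure administrator
)

REM 2. Step 4: the delegated User.Read grant on Microsoft Graph must have been consented.
call az ad app permission list-grants --id %AZ_SERVICE_PRINCIPAL_ID% > sp-grants.json
jq -r ".[].scope" sp-grants.json | findstr /l /c:"User.Read" >nul && (
  echo OK       Graph User.Read consent granted
) || (
  echo PENDING  Graph User.Read not yet granted - see step 4
  set PROBLEMS=1
)

del /q sp-roles.json sp-role-names.txt sp-grants.json
endlocal & exit /b %PROBLEMS%
```

The script exits with a non-zero code when a required role or the User.Read grant is missing, so it can gate a batch version of steps 6 through 11.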

6.) Login using the service principal you created in step 3, and create the ACR:
 
 call az login ^
   --service-principal ^
   --username=%AZ_SERVICE_PRINCIPAL_ID% ^
   --password=%AZ_APP_SECRET% ^
   --tenant=%AZ_TENANT_ID%
 call az acr create ^
   --name=%AZ_ACR_NAME% ^
   --resource-group=%AZ_GROUP_NAME% ^
   --sku=basic --output=json

7.) Create the AKS cluster:
 
 call az aks create ^
   --resource-group=%AZ_GROUP_NAME% ^
   --service-principal=%AZ_SERVICE_PRINCIPAL_ID% ^
   --client-secret=%AZ_APP_SECRET% ^
   --name=%AKS_CLUSTER_NAME% ^
   --max-pods=200 ^
   --node-count 1 ^
   --enable-cluster-autoscaler ^
   --min-count=1 ^
   --max-count=5 ^
   --no-ssh-key ^
   --windows-admin-password=%AKS_WIN_PASSWORD% ^
   --windows-admin-username=%AKS_WIN_USERNAME% ^
   --vm-set-type=VirtualMachineScaleSets ^
   --node-vm-size=Standard_B8ms ^
   --network-plugin=azure ^
   --attach-acr=%AZ_ACR_NAME% ^
   --output=json

8.) Create the node pool:
 
 call az aks nodepool add ^
   --resource-group=%AZ_GROUP_NAME% ^
   --cluster-name=%AKS_CLUSTER_NAME% ^
   --os-type=Windows ^
   --name=%AKS_NODEPOOL_NAME% ^
   --node-count=1 ^
   --enable-cluster-autoscaler ^
   --min-count=1 ^
   --max-count=2 ^
   --node-vm-size=Standard_B8ms ^
   --node-taints=os=windows:NoSchedule ^
   --output=json

9.) Verify the nodes are ready:
 
 call az aks get-credentials ^
   --overwrite-existing ^
   --resource-group=%AZ_GROUP_NAME% ^
   --name=%AKS_CLUSTER_NAME%
 kubectl get node

10.) Create the K8s namespace for ModelOps and create secrets for ModelOps services (like git-server, nexus-server, etc.):
 
 kubectl create namespace %MODELOPS_NAMESPACE%
 kubectl config set-context --current --namespace=%MODELOPS_NAMESPACE%
 REM secret.yaml holds the Elasticsearch password in clear text, so it is
 REM removed again right after it has been applied. Only stdout is redirected
 REM into the file, so an error message cannot end up being applied as YAML.
 del /f secret.yaml
 kubectl create secret generic elasticsearch-es-elastic-user ^
   --from-literal=elastic=%AKS_ES_PASSWORD% ^
   --dry-run=client --output=yaml > secret.yaml
 kubectl apply -f secret.yaml
 del /f secret.yaml
 kubectl create secret generic git-server --from-literal=modelops=%AKS_GIT_PASSWORD%
 kubectl create secret generic nexus-server --from-literal=admin=%AKS_NEXUS_PASSWORD%
 kubectl create secret generic scoring-admin --from-literal=admin=%AKS_SCORING_PASSWORD%
 kubectl create secret generic modelops-server --from-literal=admin=%MODELOPS_ROOT_PASSWORD%
 REM The oauth2 secret carries the Azure AD client credentials used for the login flow
 kubectl create secret generic oauth2 --from-literal=TENANT_ID=%AZ_TENANT_ID% ^
   --from-literal=CLIENT_ID=%AZ_SERVICE_PRINCIPAL_ID% ^
   --from-literal=CLIENT_SECRET=%AZ_APP_SECRET%
 REM external-dns uses the same service principal to manage records in the DNS Zone
 kubectl create secret generic externaldns-config --from-literal=azure.json=^
 "{ \"tenantId\": \"%AZ_TENANT_ID%\", ^
 \"subscriptionId\": \"%AZ_SUBSCRIPTION_ID%\", ^
 \"resourceGroup\": \"%AZ_GROUP_NAME%\", ^
 \"aadClientId\": \"%AZ_SERVICE_PRINCIPAL_ID%\", ^
 \"aadClientSecret\": \"%AZ_APP_SECRET%\" }"

11.) Install and start the ModelOps server using helm:
 
 helm upgrade ^
   --install %MODELOPS_NAMESPACE%-release "%MODELOPS_HOME%\helm-charts\kubernetes-installer-1.0.2.tgz" ^
   --atomic ^
   --set cloud="aks" ^
   --set aks.containerRegistry="%AZ_ACR_NAME%.azurecr.io" ^
   --set aks.containerUsername="%AZ_SERVICE_PRINCIPAL_ID%" ^
   --set aks.containerPassword="%AZ_APP_SECRET%" ^
   --set aks.azureTenantId="%AZ_TENANT_ID%" ^
   --namespace %MODELOPS_NAMESPACE% ^
   --set aks.networkExposure="ingress" ^
   --set aks.ingressDomain="%AKS_CLUSTER_NAME%.%DNS_ZONE%" ^
   --set aks.oauth2="azure" ^
   --set medium.nexus.memory="3Gi" ^
   --set aks.externalDNS="azure" ^
   --timeout 10m0s

12.) When the helm upgrade command completes, copy the maven artifacts:
 
 cd %MODELOPS_HOME%\maven-repository-artifacts\
 kubectl cp modelops-repo-1.2.0-mavenrepo.zip mavenrepo-0:/tmp/

This copy will take a few minutes to complete.

13.) Then continue to monitor the progress:
 
 tkn pipelinerun logs bootstrap --follow --namespace %MODELOPS_NAMESPACE%

14.) Once the bootstrapping is done, you may follow the progress for the modelops-server:
 tkn pipelinerun logs modelops-server --follow --namespace %MODELOPS_NAMESPACE% 

15.) Navigate to the server in a web browser:

https://modelops-server.aksapps.az.companycloud.com
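If the login redirect fails at this point, the usual cause is a mismatch between the redirect URI registered in step 3, the ingress domain passed to helm in step 11, and the credentials stored in the oauth2 secret in step 10. The following batch script is an added check, not part of the TIBCO article; it assumes the environment variables from steps 2 and 3 are still set, that kubectl still points at the cluster from step 9, and that jq (1.6 or later, for @base64d) is on the PATH. The file names az-app-show.json and k8s-oauth2.json are its own.

```batch
@echo off
setlocal
REM Added check, not part of the TIBCO procedure. Assumes AKS_CLUSTER_NAME, DNS_ZONE,
REM AZ_SERVICE_PRINCIPAL_ID, AZ_TENANT_ID and MODELOPS_NAMESPACE are still set.
set EXPECTED_URI=https://modelops-server.%AKS_CLUSTER_NAME%.%DNS_ZONE%/oauth2/callback

REM 1. The redirect URI registered on the app (step 3) must equal what the ingress serves.
call az ad app show --id %AZ_SERVICE_PRINCIPAL_ID% > az-app-show.json
jq -r ".web.redirectUris[]" az-app-show.json | findstr /x /l /c:"%EXPECTED_URI%" >nul && (
  echo OK       redirect URI %EXPECTED_URI% is registered
) || (
  echo MISMATCH no registered redirect URI equals %EXPECTED_URI%; Azure AD will reject the callback
)

REM 2. ID token issuance (enabled in step 3) is required for the oauth2 login flow.
jq -r ".web.implicitGrantSettings.enableIdTokenIssuance" az-app-show.json | findstr /x /l true >nul && (
  echo OK       ID token issuance enabled
) || (
  echo PROBLEM  ID token issuance is not enabled on the app registration
)

REM 3. The oauth2 secret (step 10) must carry the same client id and tenant as the app.
REM k8s-oauth2.json contains the base64-encoded client secret, so it is deleted below.
kubectl get secret oauth2 --namespace %MODELOPS_NAMESPACE% --output json > k8s-oauth2.json
jq -r ".data.CLIENT_ID | @base64d" k8s-oauth2.json | findstr /x /l /c:"%AZ_SERVICE_PRINCIPAL_ID%" >nul && (
  echo OK       oauth2 secret CLIENT_ID matches AZ_SERVICE_PRINCIPAL_ID
) || (
  echo MISMATCH oauth2 secret CLIENT_ID differs from AZ_SERVICE_PRINCIPAL_ID
)
jq -r ".data.TENANT_ID | @base64d" k8s-oauth2.json | findstr /x /l /c:"%AZ_TENANT_ID%" >nul && (
  echo OK       oauth2 secret TENANT_ID matches AZ_TENANT_ID
) || (
  echo MISMATCH oauth2 secret TENANT_ID differs from AZ_TENANT_ID
)

del /q az-app-show.json k8s-oauth2.json
endlocal
```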
