Deploying BMC Helix IT Operations Management in an Azure Kubernetes Service cluster
Reference installation architecture
The following image shows the reference logical architecture used by BMC to deploy BMC Helix IT Operations Management in an AKS cluster:
Before you begin
- Make sure you have a domain and have configured Domain Name System (DNS) for BMC Helix IT Operations Management so that you can access the applications by using URLs.
- Make sure that you create a Secure Sockets Layer (SSL) certificate for BMC Helix IT Operations Management application URLs to support the HTTPS protocol.
  BMC certifies the use of the LetsEncrypt service to create the wildcard SSL certificate.
- Review the system requirements for BMC Helix IT Service Management installation.
- Download the installation files and container images access key from Electronic Product Download (EPD).
Process to install BMC Helix IT Operations Management in an AKS cluster
The following table lists the tasks to install BMC Helix IT Operations Management in an AKS cluster:
Installing and configuring Kubernetes Ingress Nginx Controller
The Ingress Nginx Controller installation creates an Azure Standard load balancer for your cluster.
To install and configure Ingress Nginx Controller, perform the following tasks:
To install Ingress Nginx controller
- In the deploy.yaml file, modify the kind parameter value from Deployment to DaemonSet.
- Make sure that the namespace value for the ingress controller is ingress-nginx.
Install Ingress Nginx controller by running the following command:
kubectl apply -f deploy.yaml
The Ingress controller is installed and a Public (Load balancing type) Standard (SKU) load balancer is created.
To view the load balancer details, run the following command:
kubectl get svc -n ingress-nginx
Example output of the command is as follows:
NAME                                 TYPE           CLUSTER-IP     EXTERNAL-IP      PORT(S)                      AGE
ingress-nginx-controller             LoadBalancer   10.0.140.244   20.253.121.236   80:30740/TCP,443:30802/TCP   3d21h
ingress-nginx-controller-admission   ClusterIP      10.0.119.115   <none>           443/TCP                      3d21h
The EXTERNAL-IP is the IP address of the external load balancer that is created in the Azure cloud.
- In the DNS records, make sure that you have configured the external IP as the target for application URL host names.
Verify that the pods are running on each worker node.
Worker nodes are added to the load balancer backend pools automatically as shown in the following example image:
To configure Ingress Nginx Controller
Identify the Ingress Nginx Controller configmap name by running the following command:
kubectl get all -n <ingress_nginx_namespace>
Edit the configmap, using the configmap name from your environment, by running the following command:
kubectl edit cm <ingress_nginx_configmap> -n <ingress_nginx_namespace>
Example command output:
data:
  enable-underscores-in-headers: "true"
  proxy-body-size: 250m
  server-name-hash-bucket-size: "1024"
  ssl-redirect: "false"
  use-forwarded-headers: "true"
To install TLS certificate
To install a Transport Layer Security (TLS) certificate in the Ingress Nginx Controller for TLS termination, perform the following steps:
Create a secret with a certificate and key that you want to mount on the Ingress Controller pods by using the following command:
kubectl create secret tls my-tls-secret --cert=/path/to/cert.pem --key=/path/to/privkey.pem -n ingress-nginx
Edit the daemonset by using the following command and add the secret in the args section.
kubectl edit daemonset ingress-nginx-controller -n ingress-nginx
Example command output:
...
spec:
  containers:
  - args:
    - /nginx-ingress-controller
    - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
    - --election-id=ingress-controller-leader
    - --controller-class=k8s.io/ingress-nginx
    - --ingress-class=nginx
    - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
    - --validating-webhook=:8443
    - --validating-webhook-certificate=/usr/local/certificates/cert
    - --validating-webhook-key=/usr/local/certificates/key
    - --default-ssl-certificate=ingress-nginx/my-tls-secret
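A pre-flight check for the certificate and key before they go into my-tls-secret, as an added example that is not part of the BMC procedure: it confirms that the key matches the certificate, that the certificate is not about to expire, and that the wildcard covers each application host name. The function names and the 30-day threshold are assumptions, and the openssl command-line tool must be installed.

```shell
#!/bin/sh
# Added example: pre-flight checks for the PEM pair passed to
# `kubectl create secret tls`. Function names are hypothetical.

# Returns 0 if the public key in the certificate matches the private key.
tls_pair_matches() {  # usage: tls_pair_matches cert.pem privkey.pem
  local c k
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ "$c" = "$k" ]
}

# Returns 0 if the certificate is still valid N days from now (default 30).
tls_valid_for_days() {  # usage: tls_valid_for_days cert.pem [days]
  openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# Returns 0 if the certificate covers the host name.
# A wildcard such as *.example.test matches exactly one label.
tls_covers_host() {  # usage: tls_covers_host cert.pem host
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
    grep -q 'does match certificate'
}

# Runs all checks and prints one FAIL line per problem; returns 1 on any failure.
tls_preflight() {  # usage: tls_preflight cert.pem privkey.pem host...
  local cert="$1" key="$2" rc=0 h
  shift 2
  tls_pair_matches "$cert" "$key" || { echo "FAIL: key does not match certificate"; rc=1; }
  tls_valid_for_days "$cert" 30 || { echo "FAIL: certificate expires within 30 days"; rc=1; }
  for h in "$@"; do
    tls_covers_host "$cert" "$h" || { echo "FAIL: certificate does not cover $h"; rc=1; }
  done
  return $rc
}

# Run directly as: sh tls_preflight.sh cert.pem privkey.pem host1 host2 ...
if [ "$#" -ge 2 ]; then tls_preflight "$@"; fi
```

Pass every application URL host name that resolves to the load balancer, because the certificate set with --default-ssl-certificate is what the controller presents for them.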
Preparing to deploy BMC Helix IT Operations Management
- Set vm.max_map_count on all worker nodes.
- Set up the NFS Server.
- Set up the BMC Discovery Appliance.
- Configure the DNS.
- Configure access to the BMC Discovery Appliance.
- Enable the Network Time Protocol (NTP)-Time Sync.
To set up vm.max_map_count on all worker nodes
Obtain the nodes in the cluster by running the following command:
kubectl get nodes
Example output:
aks-is1-31789813-vmss000001 Ready agent 19m v1.23.12
Configure the vm.max_map_count by running the following command:
kubectl debug node/aks-is1-31789813-vmss00000a -it --image=mcr.microsoft.com/dotnet/runtime-deps:6.0
In the debug container, run the following commands in the given order:
chroot /host
echo vm.max_map_count=262144 > /etc/sysctl.d/es-custom.conf
sysctl -w vm.max_map_count=262144
- Exit the debug container.
To set up the NFS server
- Provision a CentOS virtual machine in the same virtual network where the Kubernetes worker nodes are deployed.
  See System-requirements for the required disk size.
On the NFS server, run the following commands in the given order:
sudo yum install -y nfs-utils
sudo systemctl start nfs-server rpcbind
sudo systemctl enable nfs-server rpcbind
sudo mkdir /data1
sudo chmod 777 /data1/
sudo vi /etc/exports
Add the following line to the /etc/exports file:
/data1 *(rw,sync,no_root_squash,insecure)
sudo exportfs -r
Verify that the mount is accessible by running the following command:
showmount -e localhost
From the controller machine, run the following command:
helm repo add nfs-subdir-external-provisioner https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner/
Run the Helm install command:
Ensure that you use the private IP of the NFS server in the command.
helm install nfs-subdir-external-provisioner nfs-subdir-external-provisioner/nfs-subdir-external-provisioner \
--set nfs.server=10.224.0.20 \
--set nfs.path=/data1 \
--set storageClass.name=nfs-storage
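An audit of the export line used above, as an added example that is not part of the BMC procedure: it reads exports(5)-style lines and flags client specifications that are open to every host or that carry no_root_squash or insecure. The function name audit_exports and the narrowed 10.224.0.0/16 line are constructed for illustration, with the subnet assumed from the NFS server address shown above.

```shell
#!/bin/sh
# Added example: flag risky client specs in exports(5)-style input.
# Reads the files named as arguments, or stdin when none are given.
# Prints "path<TAB>client<TAB>finding"; returns 1 if anything was flagged.
audit_exports() {
  awk '
    function report(path, who, msg) {
      printf "%s\t%s\t%s\n", path, who, msg
      found++
    }
    /^[ \t]*#/ { next }                  # skip comment lines
    NF == 0    { next }                  # skip blank lines
    {
      for (i = 2; i <= NF; i++) {        # $1 is the path, the rest are client specs
        lp = index($i, "(")
        client = (lp ? substr($i, 1, lp - 1) : $i)
        opts = (lp ? substr($i, lp + 1, length($i) - lp - 1) : "")
        who = (client == "" ? "*" : client)   # an empty client means every host
        if (who == "*")
          report($1, who, "exported to every host that can reach the server")
        n = split(opts, o, ",")
        for (j = 1; j <= n; j++) {
          if (o[j] == "no_root_squash")
            report($1, who, "no_root_squash: client root acts as root on the export")
          if (o[j] == "insecure")
            report($1, who, "insecure: requests from source ports above 1023 are accepted")
        }
      }
    }
    END { exit (found > 0) }
  ' "$@"
}

# First line: the export from this page (three findings).
# Second line: a constructed comparison limited to an assumed worker subnet
# (no findings). The page does not state whether the deployment works with
# root_squash, so treat that line as a starting point for testing.
printf '%s\n' \
  '/data1 *(rw,sync,no_root_squash,insecure)' \
  '/data1 10.224.0.0/16(rw,sync,root_squash)' | audit_exports || true
```

On the NFS server, run it as `audit_exports /etc/exports` after sourcing the function.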
To set up the BMC Discovery Appliance
See Deploying a BMC Discovery virtual appliance into Microsoft Azure for instructions on setting up the BMC Discovery Appliance.
To configure the BMC Discovery Appliance DNS
Create a DNS alias for the URL created for the BMC Discovery Appliance with the IP of the BMC Discovery Appliance machine in the following format:
where the COMPANY, TENANT_TYPE, ENVIRONMENT, and DOMAIN parameters are derived from the helix-on-prem-deployment-manager/configs/infra.config file.
Example: acme-disc-private-poc.lab.bmc.com
For more information, see Configuration-file-settings.
To configure access to the BMC Discovery Appliance
- After the BMC Discovery Appliance is set up and configured, ensure that the BMC Discovery Appliance DNS alias is resolvable from all worker nodes.
- Allow the 443 and 25030-25033 ports from worker nodes to the BMC Discovery Appliance virtual machine.
From the worker nodes, ensure that a telnet connection to the BMC Discovery Appliance succeeds on each of the following ports (run the command once per port):
telnet <Discovery Appliance DNS alias> 443/25030/25031/25032/25033
- Ensure that the BMC Discovery Appliance can access BMC Helix Single Sign-on and the BMC Helix Portal URLs.
To enable the Network Time Protocol (NTP)-Time synchronization
For instructions, see Performing time synchronization.