Skip to main content

Azure Kubernetes Service (AKS)

Set up Platform Cluster

If you are not using a pre-existing cluster, create your Platform Cluster by following the AKS getting started docs

Once completed, log in to your cluster using the az cli and set the PLATFORM environment variable:

az aks get-credentials --resource-group $RESOURCE_GROUP_NAME --name $CLUSTER_NAME
kubectl config current-context
export PLATFORM=<platform-context-name>

Install cert-manager

Kratix requires a set of certificates in order to deploy its internal Validating and Mutating Kubernetes webhooks. By default Kratix is configured to use cert-manager to generate the certificates, therefore we need to install cert-manager. If you already have it installed, skip to the next section.

Don't want to use cert-manager? Manually provide the required certificates

Cert-manager is used to generate CA certificates and key/cert pairs for the Kratix webhook and Metrics Services.

Webhook Service

You will need to generate a CA Certificate and key/cert pair for the following DNS names:

  • kratix-platform-webhook-service.kratix-platform-system.svc.cluster.local
  • kratix-platform-webhook-service.kratix-platform-system.svc

To manually provide the required certificates, you need to create the webhook-server-cert secret in the kratix-platform-system namespace with the following keys:

apiVersion: v1
data:
  ca.crt: # Base64 CA certificate
  tls.crt: # Base64 encoded Server certificate
  tls.key: # Base64 encoded Server private key
kind: Secret
metadata:
  name: webhook-server-cert
  namespace: kratix-platform-system
type: kubernetes.io/tls

As part of installing Kratix we create a few resources that require the CA certificate. You will have to manually add the CA certificate to the resources mentioned below, and manually remove the cert-manager Certificate and Issuer resources. The following resources need to be updated to contain the Base64 encoded CA certificate:

  • MutatingWebhookConfiguration/kratix-platform-mutating-webhook-configuration

    apiVersion: admissionregistration.k8s.io/v1
    kind: MutatingWebhookConfiguration
    metadata:
      name: kratix-platform-mutating-webhook-configuration
    webhooks:
    - admissionReviewVersions:
      - v1
      clientConfig:
        caBundle: .... #  there might be multiple admissionReviewVersions, ensure you update all of them

  • ValidatingWebhookConfiguration/kratix-platform-validating-webhook-configuration

    apiVersion: admissionregistration.k8s.io/v1
    kind: ValidatingWebhookConfiguration
    metadata:
      name: kratix-platform-validating-webhook-configuration
    webhooks:
    - admissionReviewVersions:
      - v1
      clientConfig:
        caBundle: .... #  there might be multiple admissionReviewVersions, ensure you update all of them

  • CustomResourceDefinition/promises.platform.kratix.io

    apiVersion: apiextensions.k8s.io/v1
    kind: CustomResourceDefinition
    metadata:
      name: promises.platform.kratix.io
    spec:
      conversion:
        strategy: Webhook
        webhook:
          clientConfig:
            caBundle: ....

Lastly, you need to remove the following cert-manager Issuer and Certificate from Kratix release manifest:

---
...
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: kratix-platform-serving-cert
  namespace: kratix-platform-system
spec:
...
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: kratix-platform-selfsigned-issuer
  namespace: kratix-platform-system
spec:
...

Metrics Service

You will need to generate a CA Certificate and key/cert pair for the following DNS names:

  • kratix-platform-controller-manager-metrics-service.kratix-platform-system.svc
  • kratix-platform-controller-manager-metrics-service.kratix-platform-system.svc.cluster.local

To manually provide the required certificates, you need to create the metrics-server-cert secret in the kratix-platform-system namespace with the following keys:

apiVersion: v1
data:
  ca.crt: # Base64 CA certificate
  tls.crt: # Base64 encoded Server certificate
  tls.key: # Base64 encoded Server private key
kind: Secret
metadata:
  name: metrics-server-cert
  namespace: kratix-platform-system
type: kubernetes.io/tls

This secret is referenced in the kratix-platform-controller-manager Deployment.

Lastly, you need to remove the following cert-manager Certificate from Kratix release manifest:

---
...
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: kratix-platform-metrics-server-cert
  namespace: kratix-platform-system
spec:
...

To install it, run:

kubectl --context $PLATFORM apply --filename https://github.com/cert-manager/cert-manager/releases/download/v1.15.0/cert-manager.yaml

Make sure that cert-manager is ready before installing Kratix:

$ kubectl --context $PLATFORM get pods --namespace cert-manager
NAME                                      READY   STATUS    RESTARTS   AGE
cert-manager-7476c8fcf4-r8cnd             1/1     Running   0          19s
cert-manager-cainjector-bdd866bd4-7d8zp   1/1     Running   0          19s
cert-manager-webhook-5655dcfb4b-54r49     1/1     Running   0          19s

Install Kratix

Install Kratix on the Platform Cluster.

kubectl apply --context $PLATFORM --filename https://github.com/syntasso/kratix/releases/latest/download/kratix.yaml

You can also install and configure Kratix with Helm. For more information, see the Helm Chart documentation.

Make sure that kratix is ready before proceeding:

$ kubectl --context $PLATFORM get pods --namespace kratix-platform-system
NAME                                                 READY   STATUS    RESTARTS   AGE
kratix-platform-controller-manager-78d57569b-bn4t4   2/2     Running   0          25s

Set up State Store

Kratix uses GitOps to provision resources on the worker clusters. You can configure Kratix with multiple GitOps repositories by creating State Stores. Kratix supports Bucket State Store and Git State Store.

Using a Git State Store is recommended for production environments as it provides better security and version control. However, for development and testing purposes, you can also use the Bucket State Store.

If you have a pre-existing Git repository or S3-Compatible Bucket you can use that as your state store. If not you can either:

  • Create a new Git repository on your Git provider of choice, including Azure Repos, and use it as your state store. See Git State Store for more information.
  • Use an external S3-compatible bucket. Since Azure itself does not provide an S3-compatible service, you can use a different cloud provider or a self hosted solution such as MinIO.

Register cluster as a Destination with Kratix

We need to register the cluster with Kratix so that it can be used as a destination for deploying to. Use the template below to create a Worker Destination resource:

apiVersion: platform.kratix.io/v1alpha1
kind: Destination
metadata:
  name: worker
  labels:
    environment: dev
spec:
  path: worker
  stateStoreRef:
    name: default
    kind: <BucketStateStore or GitStateStore>

Once filled in with the correct values, apply the resource to the platform cluster:

kubectl apply --context $PLATFORM --filename <path-to-worker-destination-resource>

Set up Worker Cluster

If you are not using a pre-existing cluster, create a Worker Cluster following the same steps as the Platform Cluster setup.

Once completed, log in to your cluster using the az cli and set the WORKER environment variable:

az aks get-credentials --resource-group $RESOURCE_GROUP_NAME --name $CLUSTER_NAME
kubectl config current-context
export WORKER=<worker-context-name>

Installing and Configuring a GitOps agent

Now that your Kubernetes Destination is created and Kratix is aware of it, the last step is to install and configure a GitOps agent so that Kubernetes documents that get written to the StateStore are deployed to the cluster. Kratix is agnostic to which GitOps agent you choose to use. See our GitOps Agent installation documentation for configuring the GitOps agent of your choice.

Configuring Metrics Collection

The Kratix Metrics Service emits a default set of metrics which detail the Kratix Controller's performance as a whole. These can be collected via Prometheus-compatible scraping.

Prometheus is not installed with Kratix so you'll first need to install the Prometheus Operator on your cluster. Once installed, you can create a Service Monitor to scrape metrics from the kratix-platform-controller-manager-metrics-service Metrics Service:

apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  labels:
    control-plane: controller-manager
    release: prometheus
  name: prometheus-kube-kratix-prometheus
  namespace: kratix-platform-system
spec:
  endpoints:
    - path: /metrics
      port: https
      scheme: https
      bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
      tlsConfig:
        serverName: kratix-platform-controller-manager-metrics-service.kratix-platform-system.svc
        ca:
          secret:
            name: metrics-server-cert
            key: "tls.crt"
  namespaceSelector:
    matchNames:
      - kratix-platform-system
  selector:
    matchLabels:
      control-plane: controller-manager
note

The Service Monitor must be created in the same Namespace as the metrics-server-cert Secret.