This article provides a tutorial on deploying, running and scaling Joget on Azure Kubernetes Service (AKS). AKS is a managed Kubernetes service offered by Azure.
| Info | 
|---|
| If you are not familiar with Kubernetes, refer to Joget on Kubernetes for a quick introduction. | 
| Table of Contents | 
|---|
Deploy Joget on Azure Kubernetes Service
...
From the Azure portal, go to the Kubernetes services then Create a Kubernetes cluster.
In the Basics page, choose the Subscription, Resource Group and input the Kubernetes cluster name. Adjust the other configuration settings as desired, or leave as default.
...
- Create persistent storage using PersistentVolume and PersistentVolumeClaim
| Code Block | 
|---|
| kubectl apply -f https://k8s.io/examples/application/mysql/ | 
...
| mysql-pv.yaml | 
- Deploy the MySQL image
| Code Block | 
|---|
| kubectl apply -f https://k8s.io/examples/application/mysql/ | 
...
| mysql-deployment.yaml | 
- Inspect the deployment
| Code Block | 
|---|
| kubectl describe deployment mysql | 
...
| kubectl get pods -l app=mysql | 
...
| kubectl describe pvc mysql-pv-claim | 
You need to modify the original yaml files for production usage (eg. using different version of MySQL image and setting up secret instead of plain password in the yaml).
...
If you are running a multiple node Kubernetes cluster, you will need to allocate shared persistent storage with read write access by multiple nodes. In Azure, you need to can set up Azure NFS volume to be used in the Azure Kubernetes cluster. Refer to the official documentation here for detailed info and steps.
...
You can also read more on other options for storage in Azure Kubernetes here.
- Create an Azure Ubuntu VM at the same Virtual Network as the AKS cluster.
- Setup NFS server into the VM.
From the link, you can use this script to set up the NFS server (edit the variables as necessary especially the AKS_SUBNET).
...
| Code Block | ||
|---|---|---|
| 
 | ||
| apiVersion: v1 kind: PersistentVolume metadata: name: aks-nfs labels: type: nfs spec: capacity: storage: 1Gi accessModes: - ReadWriteMany nfs: server: NFS_INTERNAL_IP path: NFS_EXPORT_FILE_PATH --- apiVersion: v1 kind: PersistentVolumeClaim metadata: name: aks-nfs spec: accessModes: - ReadWriteMany storageClassName: "" resources: requests: storage: 1Gi selector: matchLabels: type: nfs | 
Replace the values for NFS_INTERNAL_IP, NFS_NAME and NFS_EXPORT_FILE_PATH with the actual settings from your NFS Server.
| Code Block | 
|---|
| kubectl apply -f azurenfsstorage.yaml | 
4.Deploy Joget DX
With the prerequisite database and persistent storage available, you can now deploy Joget. You can apply the example joget-dx7-tomcat9-aks.yaml file to deploy.
...
**Before going further with these steps, make sure that you have set up DNS to the public IP of the ingress that has been generated by AKS earlier.
| Code Block | 
|---|
| kubectl apply -f https:// | 
...
| github.com/cert-manager/cert-manager/releases/download/v1.10.0/cert-manager.yaml | 
Configure Let’s Encrypt issuer
Configure Let’s Encrypt issuer
Example stagingissuer.yaml file;
| Code Block | ||
|---|---|---|
| 
 | ||
| apiVersion: cert-manager.io/v1 | 
...
| kind: ClusterIssuer | 
...
| metadata: | 
...
| name: letsencrypt-staging | 
...
| spec: | 
...
| acme: | 
...
| # The ACME server URL | 
...
| server: https://acme-staging-v02.api.letsencrypt.org/directory | 
...
| # Email address used for ACME registration | 
...
| email: [update email here] | 
...
| # Name of a secret used to store the ACME account private key | 
...
| privateKeySecretRef: | 
...
| name: letsencrypt-staging | 
...
| # Enable the HTTP-01 challenge provider | 
...
| solvers: | 
...
| - http01: | 
...
| ingress: | 
...
| class: nginx | 
| Code Block | 
|---|
| kubectl apply -f stagingissuer.yaml | 
You can check on the status of the issuer resource after you have deployed it
| Code Block | 
|---|
| kubectl describe issuer letsencrypt-staging | 
Deploy/Update the Ingress with TLS configuration
As we have previously deploy the Ingress without TLS configuration, we can update the Ingress yaml file to include the TLS configuration.
Example Ingress yaml with TLS;
| Code Block | ||
|---|---|---|
| 
 | ||
| apiVersion: networking.k8s.io/v1 | 
...
| kind: Ingress | 
...
| metadata: | 
...
| name: joget-dx7-tomcat9-ingress | 
...
| annotations: | 
...
| nginx.ingress.kubernetes.io/affinity: cookie | 
...
| nginx.ingress.kubernetes.io/ssl-redirect: "true" | 
...
| cert-manager.io/cluster-issuer: "letsencrypt-staging" | 
...
| spec: | 
...
| ingressClassName: nginx | 
...
| tls: | 
...
| - hosts: | 
...
| - exampledomain.com | 
...
| secretName : aks-jogetworkflow | 
...
| rules: | 
...
| - host: exampledomain.com | 
...
| http: | 
...
| paths: | 
...
| - path: /jw | 
...
| pathType: Prefix | 
...
| backend: | 
...
| service: | 
...
| name: joget-dx7-tomcat9 | 
...
| port: | 
...
| number: 9080 | 
This staging procedure is to ensure that the certificate is generated correctly before we setup the Issuer with Let’s Encrypt production.
| Code Block | 
|---|
| kubectl get certificate | 
| Code Block | ||
|---|---|---|
| 
 | ||
| [ ~/jogetaks ]$ kubectl get certificate | 
...
| NAME READY SECRET | 
...
| AGE aks-jogetworkflow | 
...
| True aks-jogetworkflow 30s | 
| Code Block | 
|---|
| kubectl describe certificate aks-jogetworkflow | 
If the certificate is generated correctly then we can set up the production Issuer.
Example productionissuer.yaml file;
| Code Block | ||
|---|---|---|
| 
 | ||
| apiVersion: cert-manager.io/v1 | 
...
| kind: | 
...
| ClusterIssuer metadata: | 
...
| name: letsencrypt-prod | 
...
| spec: | 
...
| acme: | 
...
| # The ACME server URL | 
...
| server: https://acme-v02.api.letsencrypt.org/directory | 
...
| # Email address used for ACME registration | 
...
| email: [update email here] | 
...
| # Name of a secret used to store the ACME account private key | 
...
| privateKeySecretRef: | 
...
| name: letsencrypt-prod | 
...
| # Enable the HTTP-01 challenge provider | 
...
| solvers: | 
...
| - http01: | 
...
| ingress: | 
...
| class: nginx | 
Update the ingress yaml file with the production annotation.
| Code Block | ||
|---|---|---|
| 
 | ||
| apiVersion: networking.k8s.io/v1 | 
...
| kind: Ingress | 
...
| metadata: | 
...
| name: joget-dx7-tomcat9-ingress | 
...
| annotations: | 
...
| nginx.ingress.kubernetes.io/affinity: cookie | 
...
| nginx.ingress.kubernetes.io/ssl-redirect: "true" | 
...
| cert-manager.io/issuer: "letsencrypt-prod" | 
...
| spec: | 
...
| ingressClassName: nginx | 
...
| tls: | 
...
| - hosts: | 
...
| - exampledomain.com | 
...
| secretName : aks-jogetworkflow | 
...
| rules: | 
...
| - host: exampledomain.com | 
...
| - http: | 
...
| paths: | 
...
| - path: /jw | 
...
| pathType: Prefix | 
...
| backend: | 
...
| service: | 
...
| name: joget-dx7-tomcat9 | 
...
| port: | 
...
| number: 9080 | 
After applying the updated ingress yaml, you need to delete the previous secret so that the new certificate can be generated for the production.
| Code Block | 
|---|
| kubectl delete secret aks-jogetworkflow | 
Then run back the describe command to check on the cert status
| Code Block | 
|---|
| kubectl describe certificate aks-jogetworkflow | 
After the new certificate has been issued, you can then access the Joget domain with https to ensure that everything is working properly.
...



