Deploy ArcGIS Enterprise on Kubernetes in Azure - Esri/arcgis-gitops GitHub Wiki

This walkthrough will guide you through the process of deploying ArcGIS Enterprise on Kubernetes 11.5 in Microsoft Azure using GitHub Actions.

The walkthrough uses azure/arcgis-enterprise-k8s template.

Duration: about 2 hours

Before you begin this walkthrough:

• A private GitHub repository "gitops-demo" for the site must be created and properly configured.
• The core resources for the ArcGIS Enterprise site, including the AKS cluster, must be provisioned in the Azure account.

Refer to the Getting Started in Azure walkthrough for detailed instructions.

You need to have the following resources and accounts:

• GitHub.com user account
• A service principal in a Microsoft Azure account with the Owner role
• Microsoft Azure user account to administer Azure Managed Grafana
• Docker Hub account that has access to the private repositories with ArcGIS Enterprise on Kubernetes container images
• Authorization file for ArcGIS Enterprise on Kubernetes 11.5
• Helm charts for ArcGIS Enterprise on Kubernetes 11.5 (ArcGIS_Enterprise_on_Kubernetes_Helm_Charts_1.5.4_198043.tgz)
• Domain name for the ArcGIS Enterprise site
• SSL certificate files (certificate, private key, and chain files in PEM format) for the ArcGIS Enterprise site domain name

The authorization file and Helm charts for ArcGIS Enterprise on Kubernetes can be downloaded from My Esri.

In the private repository, click the green <> Code button, switch to the "Codespaces" tab, and click the Create codespace on main button. The codespace will be created and opened in a new browser tab.

In the codespace, click on the "Terminal" tab in the bottom panel and run the following commands:

curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

Run the following command, replacing <client id>, <client secret>, and <tenant id> with the service principal's credentials:

az login --service-principal --username <client id> --password <client secret> --tenant <tenant id>

This step copies the required workflows to .github/workflows directory and lists the available workflows in the repository.

Switch back to the codespace browser tab and run the following commands:

cp -r azure/arcgis-enterprise-k8s/workflows/* .github/workflows/

git add --all

git commit -m "Enable arcgis-enterprise-k8s workflows"

git push origin main

List the available workflows in the repository:

gh workflow list

Output:

NAME                                          STATE   ID       
enterprise-k8s-azure-backup                   active  205780057
enterprise-k8s-azure-destroy                  active  205780058
enterprise-k8s-azure-image                    active  205780059
enterprise-k8s-azure-ingress                  active  205780060
enterprise-k8s-azure-organization             active  205780061
enterprise-k8s-azure-restore                  active  205780062
enterprise-k8s-azure-test                     active  205780063
site-automation-chef-azure-destroy            active  204358554
site-automation-chef-azure                    active  204358555
site-core-azure-destroy                       active  204358556
site-core-azure                               active  204358557
site-ingress-azure-destroy                    active  204358558
site-ingress-azure                            active  204358559
site-k8s-cluster-azure-destroy                active  204358560
site-k8s-cluster-azure                        active  204358561
validate-settings-aws                         active  204336023
validate-settings-azure                       active  204336024
verify-site-config-aws                        active  204336025
verify-site-config-azure                      active  204336026
Copilot coding agent                          active  205030856

This step updates the configuration files used by the workflows.

In the EXPLORER sidebar of the codespace window, click on the "config" folder, then right-click on the "certificates" folder, and select "Upload..." from the context menu. In the file selector dialog window navigate to the SSL certificate files location, select the certificate, private key, and chain files, and click the "Open" button to upload the files to the workspace.

Click again on the "config" folder, then on "azure" subfolder, and then on "arcgis-enterprise-k8s" subfolder. Double-click on "ingress.tfvars.json" file to open it in the editor.

Change "deployment_fqdn" value to the fully qualified domain name of the ArcGIS Enterprise site.

Replace "tls_certificate_path", "tls_private_key_path", and "ca_certificate_path" properties with the uploaded SSL certificate file paths.

In the EXPLORER sidebar of the codespace window, navigate to "azure/arcgis-enterprise-k8s/organization/helm-charts/arcgis-enterprise" folder and select "Upload..." from the context menu. In the file selector dialog window navigate to the Helm charts location, select ArcGIS_Enterprise_on_Kubernetes_Helm_Charts_1.5.4_198043.tgz file and click the "Open" button to upload the file to the workspace.

Change the current folder to the Helm charts subfolder:

cd azure/arcgis-enterprise-k8s/organization/helm-charts/arcgis-enterprise/

Extract the Helm charts from the archive:

tar -xzf ArcGIS_Enterprise_on_Kubernetes_Helm_Charts_1.5.4_198043.tgz

Rename the extracted subfolder to the Helm chart version:

mv arcgis-enterprise 1.5.4

Delete the Helm charts archive:

rm ArcGIS_Enterprise_on_Kubernetes_Helm_Charts_1.5.4_198043.tgz

Go back to the workspace root folder:

cd /workspaces/gitops-demo

In the EXPLORER sidebar of the codespace window, click on "config" folder, then right-click on "authorization" folder, select "New Folder..." from the context menu, and enter "11.5" as the folder name. Right-click on the new "11.5" folder, and select "Upload..." from the context menu. In the file selector dialog window navigate to the ArcGIS Enterprise on Kubernetes authorization file location, select the file and click the "Open" button to upload the file to the workspace.

Open the "config/azure/arcgis-enterprise-k8s/organization.tfvars.json" file in the editor and update the following properties:

• Replace the "helm_charts_version" property value with "1.5.4".
• Replace the "authorization_file_path" property with the uploaded authorization file path "~/config/authorization/11.5/<authorization file name>".
• Set "deployment_fqdn" property to the ArcGIS Enterprise site fully qualified domain name.
• Set "admin_first_name", "admin_last_name", "admin_username", "admin_password", "admin_email", "security_question_index", and "security_question_answer" to the ArcGIS Enterprise primary administrator account properties.

The primary administrator user name must be at least six characters in length. The only special characters allowed are the at sign (@), dash (-), dot (.), and underscore (_). The primary administrator password must be at least eight characters in length. It must contain at least one alphabet letter (uppercase or lowercase), at least one digit, and at least one special character. All special characters are allowed.

Change the "passcode" property value in backup.vars.json and restore.vars.json config files to a passcode that will be used when restoring the backup.

Replace the "deployments" property value in config/azure/site-index.json file with ["arcgis-enterprise-k8s"].

git add --all

git commit -m "Update config files"

git push origin main

Click on the "Actions" tab in the repository, select the "verify-site-config-azure" workflow on the left sidebar, click "Run workflow" on the right, and click the Run workflow button to run the workflow. Reload the web page and wait until the workflow run is completed. The workflow will succeed if no errors are found in the config files.

This step runs the workflows to build Enterprise Admin CLI container image, create Kubernetes namespace for the deployment and configure ingress, create ArcGIS Enterprise organization, test and back up the deployment.

Run the "enterprise-k8s-azure-image" workflow that builds Enterprise Admin CLI container image and pushes it to the private ACR repository of the AKS cluster.

Run the "enterprise-k8s-azure-ingress" workflow that creates the ingress resources for the ArcGIS Enterprise on Kubernetes deployment.

After the workflow run is complete, retrieve the DNS name of the load balancer created by the workflow from the workflow run log and create a CNAME record for the load balancer in the DNS server managing the ArcGIS Enterprise site domain name.

Alternatively, you can use the Azure CLI to retrieve the DNS name (FQDN).

Make sure you have the CLI extension for ALB (Application Gateway for Containers) installed:

az extension add --name alb

List the frontends child resources of "arcgis" ALB:

az network alb frontend list --resource-group arcgis-k8s-cluster --alb-name arcgis -o table

Sample output:

Fqdn                     Location    Name            ProvisioningState    ResourceGroup
-----------------------  ----------  --------------  -------------------  ------------------
xxxx.fz35.alb.azure.com  eastus      enterprise-k8s  Succeeded            arcgis-k8s-cluster

Run the "enterprise-k8s-azure-organization" workflow to deploy ArcGIS Enterprise on Kubernetes in the AKS cluster and create an ArcGIS Enterprise organization.

After the workflow run is complete, the ArcGIS Enterprise site will be accessible at the deployment FQDN https://<deployment FQDN>/arcgis/manager.

The first run of the workflow may fail with BackoffLimitExceeded error. Run the workflow again if that happened.

Run the "enterprise-k8s-azure-test" workflow.

Run the "enterprise-k8s-azure-backup" workflow.

The walkthrough demonstrates only the basic capabilities of ArcGIS Automation using GitHub Actions. Refer to the template and workflow documentation for other features and options.

Follow Destroy ArcGIS Enterprise on Kubernetes in Azure walkthrough to destroy the deployment and clean up the resources created during this walkthrough.