Cloud Providers

A Cloud Provider is used to provide Nirmata access to your public or private cloud resources.

The setup for any Cloud Provider has the following general flow:

  1. Create the Cloud Provider in Nirmata
  2. Prepare a VM template, or a similar construct, to provision cloud instances, as detailed in the host-groups section.
  3. Create one or more Host Groups in Nirmata

The setup for private clouds has one additional step: you will first need to run the Nirmata Private Cloud Agent and then configure a Cloud Provider. See details in the private-cloud-setup section.

Direct Connect

You can connect any virtual or physical server to Nirmata using the ‘Direct Connect’ cloud provider type. With this type of deployment you control which servers are made available in a Host Group. Auto scaling and recovery of hosts are not supported for this host type.

A Direct Connect cloud provider is already created in each account. You can create Direct Connect Host Groups without any additional setup.

Next Steps: Set up a direct-connect-host-group Host Group.

AWS Cloud Provider

Nirmata requires read-only access to the EC2 service when using ASGs or Spot Fleet Requests, and full access to the EC2 service when using a Launch Configuration to provision virtual machines.

Securely enable AWS and Nirmata access by configuring an IAM role for Nirmata, then providing the Amazon Resource Name (ARN) for the role to Nirmata.

Configure IAM Role for Nirmata in AWS

To securely provide access, configure an IAM role for Nirmata in AWS.

First, launch the Add Cloud Provider Wizard by selecting Cloud Providers from the sidebar menu and clicking on the +Add Cloud Provider button.

Enter a Name and select Amazon Web Services as the Type.

image

Then select the Settings tab and note the Account ID and External ID.

image

Next, login to AWS and select Identity & Access Management.

image

Select Roles from the sidebar menu.

image

Then click the Create New Role button.

image

Select the Role Type Another AWS Account and enter the Nirmata Account ID noted on the Settings tab in Nirmata.

image

Click Next and enter IAMReadOnlyAccess in the Search bar. Enable access. Then search for AmazonEC2ReadOnlyAccess in the Search bar. Enable access. This allows Nirmata to provision EC2 instances.

image

For more granular access control, create a custom policy using the Custom Automation Policy Template below. This policy limits StartInstances, StopInstances and TerminateInstances to instances created by Nirmata, identified by the com.nirmata.createdBy tag.

Custom Automation Policy Template:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:RunInstances",
                    "ec2:CreateTags",
                    "ec2:Describe*"
                ],
                "Resource": [
                    "*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:StartInstances",
                    "ec2:StopInstances",
                    "ec2:TerminateInstances"
                ],
                "Resource": "arn:aws:ec2:<region>:<account>:instance/*",
                "Condition": {
                    "StringEquals": {
                        "ec2:ResourceTag/com.nirmata.createdBy": "nirmata"
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": "autoscaling:Describe*",
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "iam:GetRole",
                    "iam:ListAttachedRolePolicies",
                    "iam:ListPolicyVersions",
                    "iam:ListInstanceProfiles",
                    "iam:GetPolicyVersion",
                    "iam:SimulateCustomPolicy",
                    "iam:PassRole"
                ],
                "Resource": "*"
            }
        ]
    }

Note: Be sure to replace the <region> and <account> placeholders with the allowed region (or “*” to allow all regions) and your AWS account ID.

Next, enter a Role Name (e.g. ‘nirmata-aws-role-1’) and Role Description. Then click Create Role.

image

After creating the AWS IAM role, navigate to the Roles page and copy the Role ARN for the newly created Nirmata Access Role.

image

Return to the Nirmata Add Cloud Provider Wizard and paste the Role ARN into the Role ARN field. Click Next and Nirmata will validate the settings.

image

Note: When deploying a Kubernetes cluster on AWS Host Groups, an IAM policy for the hosts in the cluster must be created. This IAM policy allows the AWS cloud controller to access AWS resources.

Examples of these IAM policies can be found here:

Master Nodes: https://github.com/kubernetes/kops/blob/master/pkg/model/iam/tests/iam_builder_master_strict.json

Compute Nodes: https://github.com/kubernetes/kops/blob/master/pkg/model/iam/tests/iam_builder_node_strict.json

For networking, Nirmata uses the Amazon VPC CNI plugin (https://github.com/aws/amazon-vpc-cni-k8s). This plugin requires the following IAM policy statements:

    {
        "Effect": "Allow",
        "Action": [
            "ec2:CreateNetworkInterface",
            "ec2:AttachNetworkInterface",
            "ec2:DeleteNetworkInterface",
            "ec2:DetachNetworkInterface",
            "ec2:DescribeNetworkInterfaces",
            "ec2:DescribeInstances",
            "ec2:ModifyNetworkInterfaceAttribute",
            "ec2:AssignPrivateIpAddresses"
        ],
        "Resource": [
            "*"
        ]
    },
    {
        "Effect": "Allow",
        "Action": "tag:TagResources",
        "Resource": "*"
    }
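
The Custom Automation Policy Template above has to be filled in by hand, the role it attaches to is trusted to another AWS account, and the VPC CNI statements are shown without their surrounding document. The following Python script is an added example, not Nirmata's code and not part of the original page: it renders the template with validated placeholder values, builds the cross-account trust policy that the "Another AWS Account" role type produces (assumed here to bind the Nirmata Account ID and External ID from the Settings tab through an sts:ExternalId condition), wraps the CNI statements into a complete policy document, and runs a small least-privilege lint over any policy. All account IDs and the external ID in it are constructed sample values.

```python
"""Assemble and sanity-check the IAM documents for the Nirmata AWS role.

Added example; not Nirmata's code. Account IDs and the external ID below
are constructed sample values; the trust-policy shape (sts:ExternalId
condition on a cross-account AssumeRole) is an assumption about what the
"Another AWS Account" role type creates.
"""
import copy
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
REGION_RE = re.compile(r"^(\*|[a-z]{2}(-gov)?-[a-z]+-\d)$")
DESTRUCTIVE = {"ec2:StopInstances", "ec2:TerminateInstances"}

# The Custom Automation Policy Template from the page, as Python data.
AUTOMATION_TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:RunInstances", "ec2:CreateTags", "ec2:Describe*"],
         "Resource": ["*"]},
        {"Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"],
         "Resource": "arn:aws:ec2:<region>:<account>:instance/*",
         "Condition": {"StringEquals": {"ec2:ResourceTag/com.nirmata.createdBy": "nirmata"}}},
        {"Effect": "Allow", "Action": "autoscaling:Describe*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["iam:GetRole", "iam:ListAttachedRolePolicies", "iam:ListPolicyVersions",
                    "iam:ListInstanceProfiles", "iam:GetPolicyVersion",
                    "iam:SimulateCustomPolicy", "iam:PassRole"],
         "Resource": "*"},
    ],
}

# The two Amazon VPC CNI statements from the page, without a surrounding document.
CNI_STATEMENTS = [
    {"Effect": "Allow",
     "Action": ["ec2:CreateNetworkInterface", "ec2:AttachNetworkInterface",
                "ec2:DeleteNetworkInterface", "ec2:DetachNetworkInterface",
                "ec2:DescribeNetworkInterfaces", "ec2:DescribeInstances",
                "ec2:ModifyNetworkInterfaceAttribute", "ec2:AssignPrivateIpAddresses"],
     "Resource": ["*"]},
    {"Effect": "Allow", "Action": "tag:TagResources", "Resource": "*"},
]


def render_automation_policy(region: str, account: str) -> dict:
    """Fill <region>/<account> after validating them; refuse anything else."""
    if not ACCOUNT_ID_RE.match(account):
        raise ValueError("AWS account ID must be exactly 12 digits")
    if not REGION_RE.match(region):
        raise ValueError("region must look like us-west-2, or be '*'")
    text = json.dumps(AUTOMATION_TEMPLATE).replace("<region>", region).replace("<account>", account)
    if "<" in text:
        raise ValueError("unfilled placeholder left in policy")
    return json.loads(text)


def build_trust_policy(trusted_account: str, external_id: str) -> dict:
    """Trust only the given account, and only when it presents the external ID."""
    if not ACCOUNT_ID_RE.match(trusted_account) or not external_id:
        raise ValueError("trusted account must be 12 digits and external ID non-empty")
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}


def cni_policy() -> dict:
    """Wrap the CNI statements in a complete, attachable policy document."""
    return {"Version": "2012-10-17", "Statement": copy.deepcopy(CNI_STATEMENTS)}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if any(a in ("*", "ec2:*", "iam:*") for a in actions):
            findings.append(f"statement {i}: service-wide or full wildcard action {actions}")
        if any("<" in r for r in resources):
            findings.append(f"statement {i}: unfilled placeholder in Resource {resources}")
        if DESTRUCTIVE & set(actions) and "*" in resources and "Condition" not in st:
            findings.append(f"statement {i}: Stop/Terminate on every instance with no Condition")
    return findings


if __name__ == "__main__":
    # Constructed sample values; use the real ones from the Settings tab.
    rendered = render_automation_policy("us-west-2", "222222222222")
    trust = build_trust_policy("111111111111", "example-external-id")
    for name, doc in [("automation", rendered), ("trust", trust), ("cni", cni_policy())]:
        print(name, "findings:", lint_policy(doc) or "none")
```

The lint is deliberately narrow: it flags leftover placeholders, full-service wildcards, and Stop/Terminate granted on every instance without a Condition, which is exactly the exposure the tag condition in the template is there to prevent. The external ID in the trust policy is what stops a third party who knows Nirmata's account ID from asking Nirmata to assume your role on their behalf, so it should be the value shown on the Settings tab and nothing guessable.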

Next Steps: Set up an aws-host-group Host Group.

Microsoft Azure Cloud Provider

Nirmata uses Azure Active Directory for authentication. Be sure that Azure Active Directory is set up before adding Microsoft Azure as a Cloud Provider in Nirmata.

Click here for instructions on setting up Azure Active Directory.

To add Microsoft Azure as a Cloud Provider in Nirmata, enter the Subscription ID, Tenant ID, Client ID, and Client Secret.

How to Obtain Client ID

To find a Client ID in Microsoft Azure, login to the Azure account and use the sidebar menu to navigate to the active directory created for Nirmata. Open Settings and note the Application ID.

Note: Application ID and Client ID are the same.

image

Create an Azure Application for Nirmata

Next, create an Azure Application in the Resources Group of Azure. This application will be used for Nirmata deployment.

To create an Azure Application, sign in to the Azure portal.

From the sidebar menu, select Azure Active Directory and then App Registration.

Select New Application Registration.

image

In the Create page, enter the application registration information.

Enter https://www.nirmata.io as the Webpage/API interface. Use the same Subscription ID as the current Resource Group.

image

Locate the Directory ID (Tenant ID) by opening the Azure Active Directory and then navigating to Properties. Note the Directory ID (Tenant ID).

image

Generate the Client Secret (Client Key)

The Client Secret (Client Key) is required for Nirmata to access the Azure Application.

To create a Client Secret (Client Key) in Microsoft Azure, open the Azure Application and then Settings.

image

Select Keys and copy the key value.

image

Cohesive Environment Requirements

Confirm that all nodes can communicate and will allow Nirmata to create a Host Group.

Verify Active Resource Group for the Cluster

First, confirm there is an active Resource Group for the cluster.

Sign in to the Azure portal and select Resource Groups from the sidebar menu.

Select +Add and provide a name and location for the resource group. Click Create.

image

Click Refresh to view the newly created Resource Group.

image

Confirm Security Groups are Configured Correctly

Review Microsoft Azure security groups and apply the correct security levels.

Confirm Accessible Storage Account

Click here for instructions on creating an Accessible Storage Account.

Note: If the cluster requires public access, be sure to allow public IPs on the nodes and to configure the network security groups to allow SSH.

For increased security, create a bastion host in the same subnet with a public IP, then SSH to each node from that single point.

Add Cloud Provider to Nirmata

Select Cloud Providers from the sidebar menu.

Complete the information in the Add Cloud Provider wizard.

Enter Cloud Provider information then click Next.

image

Enter Cloud Provider settings then click Next.

image

Nirmata automatically validates account access. Once account access is validated, set up an Azure Host Group.

Next Steps: Set up an azure-host-group Host Group.

GCE Cloud Provider

To add Google Compute Engine (GCE) as a Cloud Provider in Nirmata, add the Service Account Key.

Locate the Service Account Key in GCE

A GCE service account key allows services outside of Google Cloud Platform (GCP) to communicate with GCE.

To locate the service account key, login to GCP Console and open IAM & admin.

Select a project from the drop down menu and click Open.

image

Select Service Accounts from the sidebar menu.

image

Locate the service account, click the More button in that row, and then click Create.

Select the Key Type and click Create.

The privateKeyData returned is a base64-encoded string representation of the JSON or P12 key/credentials.

Save the JSON file in a secure, accessible location.
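
Because the returned privateKeyData is base64 text rather than the JSON file itself, and because that file carries a private key, it is worth decoding and checking it before it is stored and uploaded. The following Python script is an added example, not from the page and not Nirmata's code: it decodes privateKeyData, verifies that it is a JSON service-account key with the fields a consumer needs (rejecting P12 or other non-JSON data), and writes it to a fresh directory readable only by the current user. The key material in it is a constructed placeholder, not a real private key.

```python
"""Decode and vet a GCE service account key before handing it to Nirmata.

Added example; not Nirmata's code. SAMPLE_KEY is constructed and contains
no real private key material.
"""
import base64
import json
import os
import stat
import tempfile

REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")

# Constructed sample of what a Create Key response might carry in privateKeyData.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
    "client_email": "nirmata@example-project.iam.gserviceaccount.com",
}
SAMPLE_PRIVATE_KEY_DATA = base64.b64encode(json.dumps(SAMPLE_KEY).encode()).decode()
# Constructed negative cases: binary (P12-like) data and a JSON key of the wrong type.
SAMPLE_P12_LIKE_DATA = base64.b64encode(b"\x30\x82\x05\x00not-json").decode()
SAMPLE_WRONG_TYPE_DATA = base64.b64encode(json.dumps({"type": "authorized_user"}).encode()).decode()


def decode_key_data(private_key_data: str) -> dict:
    """Turn privateKeyData into the JSON key, rejecting P12 or malformed input."""
    raw = base64.b64decode(private_key_data, validate=True)
    try:
        key = json.loads(raw)
    except ValueError as exc:
        raise ValueError("not a JSON key (a P12 key cannot be used here)") from exc
    if not isinstance(key, dict) or key.get("type") != "service_account":
        raise ValueError("JSON is not a service account key")
    missing = [f for f in REQUIRED_FIELDS if not key.get(f)]
    if missing:
        raise ValueError(f"key is missing fields: {missing}")
    return key


def save_key_file(key: dict, path: str = None):
    """Write the key readable only by the owner; return (path, mode actually set)."""
    if path is None:
        # mkdtemp creates the directory with mode 0700, so the file is private twice over.
        path = os.path.join(tempfile.mkdtemp(prefix="gce-key-"), "service-account-key.json")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(key, fh)
    os.chmod(path, 0o600)  # in case an existing file had looser permissions
    return path, stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    key = decode_key_data(SAMPLE_PRIVATE_KEY_DATA)
    path, mode = save_key_file(key)
    print("saved key for", key["client_email"], "to", path, "with mode", oct(mode))
```

The file written this way is what the Settings tab expects to be dropped in; keeping it outside any source repository and removing it once it has been uploaded limits how long the private key sits on a workstation.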

Add GCE Service Account Key to Nirmata

To add the GCE Service Account Key to Nirmata, select Cloud Providers from the sidebar menu. Select +Add Cloud Provider.

image

Enter the Cloud Provider information. Select Google Cloud Platform as the Type. Click Next.

image

On the Settings tab, drop the service account key JSON file or select from the file directory. Click Next.

image

Nirmata automatically validates account access. Once account access is validated, set up a Google Host Group.

Next Steps: Set up a gce-host-group Host Group.

Oracle Cloud Provider

To add Oracle Public Cloud to Nirmata, enter the identity domain name, endpoint URL, and username and password associated with the Oracle Public Cloud account.

How to Find the Oracle Public Cloud Identity Domain Name and Endpoint URL

Sign in to the Oracle Public Cloud account. Navigate to Service Listing and click on the service name.

Select Identity Domain Administration. Note the Identity Domain Name.

Locate and note the endpoint URL for the account.

Add Oracle Public Cloud to Nirmata

To add the Oracle Public Cloud to Nirmata, select Cloud Providers from the sidebar menu. Select +Add Cloud Provider.

image

Enter the Cloud Provider information. Select Oracle Public Cloud Services as the Type. Click Next.

image

On the Settings tab, enter the Endpoint URL, Identity Domain, and Username and Password. Click Next.

image

Nirmata automatically validates account access. Once account access is validated, set up an Oracle Public Cloud Host Group.

Next Steps: Set up an opc-host-group Host Group.

Digital Ocean Cloud Provider

VMware vSphere Cloud Provider

To securely connect Nirmata to VMware vSphere in your Private Cloud or Data Center, first set up a private-cloud-setup.

Then, provide the vCenter SDK URL (http://<server-address>/sdk) and credentials.

In Nirmata, select Cloud Providers from the sidebar menu. Select +Add Cloud Provider.

image

Enter the Cloud Provider information. Select VMware vSphere as the Type and select a Private Cloud. Click Next.

image

On the Settings tab, enter the Endpoint URL and Username and Password. Click Next.

image

Nirmata automatically validates account access. Once account access is validated, set up a VMware vSphere Host Group.

Next Steps: Set up a vsphere-host-group Host Group.

OpenStack Cloud Provider

To securely connect Nirmata to OpenStack in your Private Cloud or Data Center, first set up a private-cloud-setup.

Next, add OpenStack Cloud to Nirmata by providing the OpenStack Keystone Identity Service URL, Project Name, and Credentials.

To add the OpenStack Cloud to Nirmata, select Cloud Providers from the sidebar menu. Select +Add Cloud Provider.

image

Enter the Cloud Provider information. Select OpenStack as the Type. Click Next.

image

On the Settings tab, enter the Endpoint URL, Tenant ID/Project ID, Username, and Password. Click Next.

image

Nirmata automatically validates account access. Once account access is validated, set up an OpenStack Host Group.

Next Steps: Set up an openstack-host-group Host Group.

Bare Metal Servers

You can use the direct-connect-provider option to configure Host Groups for bare metal (physical) servers in Nirmata.

Private Cloud

Nirmata can securely manage your VMware and OpenStack cloud resources, and Docker Image Registries, in your Data Center. To connect your Private Cloud, you will need to run the Nirmata Private Cloud Agent on a system within your Data Center that has connectivity to your cloud management system (e.g. VMware’s vCenter) and/or your private Docker Image Registry. Once the Nirmata Private Cloud Agent is connected, you can provision Cloud Providers and Image Registries and select the appropriate private cloud for these systems.

To set up a Private Cloud, first navigate to Settings and then select Private Cloud. Select the option to Add Private Cloud. Enter a unique name for the new Private Cloud.

image

Next, set up a system in your Data Center for the Nirmata Private Cloud Agent. Run the Install Agent Command on that system, passing the unique ID of the new Private Cloud as the argument:

Install Agent Command:

    curl -sSL https://www.nirmata.io/nirmata-private-cloud-agent/setup-nirmata-private-cloud-agent.sh | sudo sh -s b71025b0-068f-40a1-8804-f03e52c598db

After the Private Cloud is connected, select it when creating an Image Registry, a VMware vSphere Cloud Provider, or an OpenStack Cloud Provider.

image