
Deploying DataSunrise

In a Microsoft Azure
Kubernetes Cluster
Instruction Manual

September, 2022

© Copyright DataSunrise, Inc 2018.


All rights reserved.
Deploying DataSunrise in an Azure Kubernetes Cluster 2

Contents
1. Introduction (page 3)
   Prerequisites (page 3)
2. Getting DataSunrise Docker Image (page 3)
3. Creating a Container Registry (page 4)
4. Creating a New Kubernetes Cluster (page 6)
5. Enabling AKS-managed Azure AD Integration on the cluster (page 7)
6. Running DataSunrise (page 7)
7. Protecting an Azure SQL Database Instance (page 11)
8. Updating DataSunrise (page 14)
9. Common Issues and Troubleshooting (page 15)


1. Introduction
This document describes how to deploy and configure DataSunrise Database Security in a
Microsoft Azure Kubernetes cluster.

Prerequisites
You need a Linux system to prepare your Kubernetes cluster on Azure. To deploy
DataSunrise with the Azure Kubernetes Service, the following components must be installed:

• Docker
• Azure CLI
• Kubernetes CLI

On Debian 10, install the required packages to prepare your system:

• Azure CLI and Kubernetes CLI:

curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
sudo az aks install-cli

• Docker CE (the prerequisite packages are installed first, because add-apt-repository is provided by software-properties-common):

sudo apt update
sudo apt install apt-transport-https ca-certificates curl gnupg2 software-properties-common
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
sudo apt update
sudo apt install docker-ce

If you have another type of Linux, prepare the system to meet the requirements listed
above.

2. Getting DataSunrise Docker Image


The DataSunrise Docker image is published on Docker Hub:

https://hub.docker.com/r/datasunrise/datasunrise


2.1 Once all the requirements are met, pull the image with the following command on Debian-based Linux:

sudo docker pull datasunrise/datasunrise:latest

To view available Docker images, execute the following command:


sudo docker image ls

You should see output similar to the following:

REPOSITORY                     TAG            IMAGE ID       CREATED      SIZE
alech.azurecr.io/datasunrise   7.2.10.19061   b4d7c8e04576   5 days ago   3.35GB

3. Creating a Container Registry


Make sure Azure CLI is installed on your system. We need to create an Azure
container registry where the DataSunrise image will be published.

3.1 Log into Azure CLI:


az login

3.2 Make sure the default subscription is set in your Azure account. Create a new
Resource Group using the az group create command (you can also use an existing
Resource Group):

az group create --resource-group [YOUR RESOURCE GROUP NAME] --location [THE LOCATION]

Example:
az group create --name myResourceGroup --location eastus

3.3 Create an Azure Container Registry (ACR) instance using the az acr create
command, entering your own registry name:

az acr create -g [YOUR RESOURCE GROUP NAME] -n [AZURE CONTAINER REGISTRY NAME] --sku Basic

To use your ACR instance, you should be logged in first:


az acr login -n [AZURE CONTAINER REGISTRY NAME]

If you need a login token to use with Docker, obtain it as follows:
az acr login -n [AZURE CONTAINER REGISTRY NAME] --expose-token

3.4 Now we need to tag the container image with the address of the registry login server.
First, get the address of the login server (ACRServerName) with the az acr list command,
querying the loginServer field:
az acr list -g [YOUR RESOURCE GROUP NAME] --query "[].{ACRServerName:loginServer}" --output table

For example, if you use "myResourceGroup" as the name of your Resource Group:
az acr list -g myResourceGroup --query "[].{ACRServerName:loginServer}" --output table

You should get a similar output:


ACRServerName
----------------
myResourceGroup.azurecr.io

3.5 Now let's tag the local DataSunrise Docker image using the ACRServerName address of
the Container Registry. For example, if the release number of the DataSunrise image
downloaded using Docker is "7.2.10.19061", use the following command (the pulled image
carries the latest tag locally, as the output below shows):
docker tag datasunrise/datasunrise:latest [YOUR ACRServerName]/datasunrise:7.2.10.19061

To verify that the tag has been applied, run the docker image ls command again:
$ sudo docker image ls
REPOSITORY                               TAG            IMAGE ID       CREATED      SIZE
myResourceGroup.azurecr.io/datasunrise   7.2.10.19061   b4d7c8e04576   5 days ago   3.35GB
datasunrise/datasunrise                  latest         b4d7c8e04576   5 days ago   3.35GB

3.6 Once we have the image created and tagged, we can push it to the ACR instance:


docker push [YOUR ACRServerName]/datasunrise:7.2.10.19061

Run the az acr repository list command to list the images pushed to the ACR instance:
az acr repository list -n [AZURE CONTAINER REGISTRY NAME]

For example, if your ACR name is ”ACRDatasunrise”, the output will be as follows:

4. Creating a New Kubernetes Cluster


4.1 Create an AKS cluster using the az aks create command. To allow the AKS cluster
to communicate with other Azure resources, an Azure Active Directory service principal is
created automatically (if you did not specify one). Use this template, replacing the
bracketed names with your own, to create a 2-node Kubernetes cluster:

az aks create \
-g [YOUR RESOURCE GROUP NAME] \
-n [YOUR NEW CLUSTER NAME] \
--node-count 2 \
--generate-ssh-keys \
--attach-acr [AZURE CONTAINER REGISTRY NAME]

4.2 Use the kubectl tool (Kubernetes command line client) to connect to your Kubernetes
cluster from your local machine. Make sure the Kubernetes command line interface is
installed. To configure kubectl to connect to your cluster, use az aks get-credentials:
az aks get-credentials -g [YOUR RESOURCE GROUP NAME] -n [YOUR NEW CLUSTER NAME]

To test connectivity with the cluster, use the kubectl get nodes command to get a list
of the cluster nodes:
kubectl get nodes


5. Enabling AKS-managed Azure AD Integration on the cluster


5.1 To authenticate to your Azure SQL database with Azure Active Directory, you
need to enable AKS-managed Azure AD integration on your existing cluster. Execute the
following command:

az aks update -g MyResourceGroup -n MyManagedCluster --enable-aad --aad-admin-group-object-ids <id-1> [--aad-tenant-id <id>]

If an AKS-managed Azure AD cluster is activated, the following section in the response body
should be displayed:

"AADProfile": {
  "adminGroupObjectIds": [
    "5d24****-****-****-****-****afa27aed"
  ],
  "clientAppId": null,
  "managed": true,
  "serverAppId": null,
  "serverAppSecret": null,
  "tenantId": "72f9****-****-****-****-****d011db47"
}

5.2 Execute the following command and follow the instructions to sign in to your cluster
again:

az aks get-credentials --resource-group <myResourceGroup> --name <myManagedCluster>

6. Running DataSunrise
To deploy DataSunrise as a service in the Kubernetes cluster, .yaml files describing the
objects to be deployed must be configured.

6.1 Create two .yaml files locally on your machine (datasunrise.yml and datasunrise-lb.yml).
Put the lines listed below into your datasunrise.yml file.

Replace myResourceGroup.azurecr.io with your ACR service name, and replace 7.2.10.19061
with your DataSunrise release number.

First, we create a datasunrise.yml file:


apiVersion: v1
kind: Pod
metadata:
  name: datasunrise-test
  labels:
    app: web
spec:
  containers:
    - name: datasunrise
      image: myResourceGroup.azurecr.io/datasunrise:7.2.10.19061
      ports:
        - containerPort: 11000

To run DataSunrise in a remote configuration (with the Dictionary and Audit databases
hosted externally, as the variable names below indicate), add the following environment
variables to the containers section of the .yaml file:

containers:
  - name: datasunrise
    env:
      - name: 'DICTIONARY_TYPE'
        value: ''
      - name: 'DICTIONARY_HOST'
        value: ''
      - name: 'DICTIONARY_PORT'
        value: ''
      - name: 'DICTIONARY_DB_NAME'
        value: ''
      - name: 'DICTIONARY_LOGIN'
        value: ''
      - name: 'DICTIONARY_PASS'
        value: ''
      - name: 'AUDIT_TYPE'
        value: ''
      - name: 'AUDIT_HOST'
        value: ''
      - name: 'AUDIT_PORT'
        value: ''
      - name: 'AUDIT_DB_NAME'
        value: ''
      - name: 'AUDIT_LOGIN'
        value: ''
      - name: 'AUDIT_PASS'
        value: ''

For more details on DataSunrise image environment variables, refer to:

https://hub.docker.com/r/datasunrise/datasunrise
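As an added example (not from the DataSunrise manual), the same container declared as a Deployment, with the remote Dictionary and Audit Storage credentials supplied from a Kubernetes Secret rather than as plaintext value fields in the manifest. The Secret name datasunrise-db-creds and its keys are assumptions; the DICTIONARY_* and AUDIT_* variable names, the image reference and the app: web label are those used above.

```yaml
# Added example, not from the DataSunrise manual; Secret name/keys assumed, values are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: datasunrise-db-creds
type: Opaque
stringData:
  dictionary-login: "REPLACE_WITH_DICTIONARY_LOGIN"
  dictionary-pass: "REPLACE_WITH_DICTIONARY_PASSWORD"
  audit-login: "REPLACE_WITH_AUDIT_LOGIN"
  audit-pass: "REPLACE_WITH_AUDIT_PASSWORD"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: datasunrise
spec:
  replicas: 1
  selector:
    matchLabels:
      app: web                # same label that service-lb selects on
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
        - name: datasunrise
          # ACR login server and release number from section 6.1; replace with yours
          image: myResourceGroup.azurecr.io/datasunrise:7.2.10.19061
          ports:
            - containerPort: 11000
          env:
            # Non-secret settings (TYPE, HOST, PORT, DB_NAME) stay plain values
            - name: DICTIONARY_HOST
              value: ""
            # Credentials are injected from the Secret at container start
            - name: DICTIONARY_LOGIN
              valueFrom:
                secretKeyRef: {name: datasunrise-db-creds, key: dictionary-login}
            - name: DICTIONARY_PASS
              valueFrom:
                secretKeyRef: {name: datasunrise-db-creds, key: dictionary-pass}
            - name: AUDIT_LOGIN
              valueFrom:
                secretKeyRef: {name: datasunrise-db-creds, key: audit-login}
            - name: AUDIT_PASS
              valueFrom:
                secretKeyRef: {name: datasunrise-db-creds, key: audit-pass}
```

Apply both documents with kubectl apply -f; because this is a Deployment rather than a bare Pod, the kubectl delete deployment step in section 8.4 applies to it as written.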


6.2 Create a datasunrise-lb.yml file:


apiVersion: v1
kind: Service
metadata:
  name: service-lb
spec:
  type: LoadBalancer
  selector:
    app: web
  ports:
    - protocol: TCP
      port: 11000
      targetPort: 11000

6.3 To deploy the application, use the kubectl apply command (we assume that the
new .yml files are in the current folder):
kubectl apply -f datasunrise.yml
kubectl apply -f datasunrise-lb.yml

To track progress, use the kubectl get pods and kubectl get service commands:

kubectl get pods
kubectl get service

6.4 A DataSunrise Kubernetes container on two nodes (pods) and a Load Balancer have now been
created, providing access from outside the cluster subnets. To access the
DataSunrise Web Console, use your Load Balancer's public IP address:


6.5 You can also monitor all the resources that were created via the Azure Portal. Navigate
to your Resource Group:

7. Protecting an Azure SQL Database Instance


The current version of the DataSunrise Docker image already includes the Microsoft ODBC driver.
You need to configure your Azure SQL server and add a new configuration to the DataSunrise
cluster you created.

7.1 Log into the Azure account you used on the Linux system, then navigate to your Azure
SQL Server in the Azure portal. Add an existing Virtual Network to provide access to your
Database Instance.


7.2 Add the SQL Database Instance to DataSunrise. See the DataSunrise User Guide, section
"Configuring an MS SQL Server Connection", for the database login requirements.

Alternatively, you can use the Azure Active Directory authentication method for the database login.
Enter the required parameters (see the instructions below):

• Logical Name: the profile's logical name (used by DataSunrise as a reference to the
database)
• Hostname or IP: the target database's address (hostname or IP address)
• Authentication method: Active Directory
• Database Type: the target database type
• Port: your database port number
• Database: the name of the target database.

Then check the Use Custom Connection String check box and paste the string into the
corresponding field:

Click Test. If a connection has been successfully established, scroll down and click Save:


When your DataSunrise cluster built with Kubernetes and Docker is up and running on
Microsoft Azure, you can configure DataSunrise Rules to audit, secure or mask your sensitive
database columns. See section "DataSunrise Use Cases" of the DataSunrise User Guide:
https://www.datasunrise.com/documents/DataSunrise_Database_Security_Suite_User_Guide.pdf

8. Updating DataSunrise
To change the version of DataSunrise, do the following:

8.1 Pull the Docker image of the newer version to your local repository: use the Docker UI
if you are using Docker Desktop on Windows.

If you are using Docker on Linux, you can use the following command:


docker pull datasunrise/datasunrise:latest

8.2 Tag the Docker image using the address of your ACR:
docker tag datasunrise/datasunrise:latest acrname.azurecr.io/datasunrise:latest

8.3 Push the Docker image to your ACR:


docker push acrname.azurecr.io/datasunrise:latest

8.4 Delete your current deployment in AKS:


kubectl delete deployment deploymentname

8.5 Edit your .yaml file: change the name of pods (containers) and edit the lines with the
images of DataSunrise.

8.6 Start the new Deployment using the edited .yaml file:
kubectl apply -f filename.yaml

9. Common Issues and Troubleshooting


To check the DataSunrise logs after the Deployment has started:
kubectl logs --tail=300 podname

9.1 You may face the following error in the logs after you started a Deployment:

This error usually occurs if the names of the pods were not changed in the new Deployment
(for example, when DataSunrise was not installed during the first Deployment and you decided
to start a new one). It happens because the Dictionary database has already reserved the
pod names, so a new Deployment cannot be created with the same names.

9.2 “unauthorized: authentication required” after pushing an image into ACR


You may receive an "unauthorized: authentication required" error when pushing your image
to your ACR, or when pushing a new image to your ACR in place of an existing one. One way
to resolve this issue:

Login into your ACR again:


az acr login -n azureacrname

Log into your Docker account:

docker login -u username -p password

(Using --password-stdin instead of -p keeps the password out of the shell history and process list.)

Push the image again:


docker push azureacrname.azurecr.io/datasunrise:latest

If you are using Docker Desktop, you need to pull the image to your local repository before
pushing it to ACR.

Note: if you use "az acr login -n azureacrname --expose-token", you may receive the
"unauthorized: authentication required" error again on the next push attempt. This may happen
because the exposed ACR token has expired.

9.3 Error response from daemon: Get "https://azureacr.azurecr.io/v2/": unauthorized: Application not registered with AAD

Make sure you have enabled "admin mode" in the settings of your Azure Container Registry.
