Guides
Guides
  1. HERE Anonymizer Self-Hosted User Guide
  2. Deployment environments
  3. Kubernetes

Azure AKS

Prerequisites

  1. Install tools:
  2. Create an Azure Container Registry

Deploy HERE Anonymizer Self-Hosted playbook

You can complete the deployment scenario by running the supplied scripts from the path where you unpacked the Anonymizer.

Run the commands and export environment variables indicated in the code block.

# The azurecr.io registry name (without ".azurecr.io")
export AZURE_TENANT={YOUR_TENANT_ID}
export AZURE_REGISTRY_NAME={YOUR_REGISTRY_NAME}

# Azure Service Principal ID (not its name but ID) and password.
# To create Service Principal:
# `az ad sp create-for-rbac -n "some-bot" --role Contributor --scopes /subscriptions/$AZURE_SUBSCRIPTION_ID`
# Check `az account list` for getting Azure Subscription ID
export AZURE_CLIENT_ID={CLIENT_ID}
export AZURE_CLIENT_PASSWORD={CLIENT_PASSWORD}
export HERE_ANONYMIZER_DIST={PATH_TO_UNPACKED_ANONYMIZER}

./deployments/kubernetes/azure/azure-login.sh
./deployments/kubernetes/azure/azure-deploy-aks.sh
# For deploying flink in session mode for batch processing, run:
# ./deployments/kubernetes/azure/azure-deploy-aks.sh batch

# There the anonymizer is deployed and ready to accept data into RabbitMQ queue
# Pushing test data for stream mode:
kubectl exec -i deployment/rabbit -- rabbitmqadmin publish \
  exchange=amq.default \
  routing_key="input-queue" \
  < ./deployments/common/here-probe-example.json

# For running a batch sample, set the environment variables
# APP_CLIENT_AZURE_STORAGE_ACCOUNT and APP_CLIENT_AZURE_STORAGE_KEY and run:
# ./deployments/kubernetes/azure/batch-anonymize-sample-data.sh

# Shutdown the cluster and all its resources
./deployments/kubernetes/azure/azure-shutdown-aks.sh

Additional variables

List of optional variables for configuring azure-deploy-aks.sh and azure-shutdown-aks.sh with their default values:

export APP_NAME="hereanonaks"
export APP_VERSION="latest"
export AZURE_RESOURCE_GROUP="hereanonaks-latest"
export AZURE_CLUSTER_NAME="hereanonaks-latest"
export AZURE_VM_SIZE="standard_l8s_v2"
export AZURE_LOCATION="germanywestcentral"

Deploy manually

Push container images to Azure Container Registry (ACR)

  1. Log in to Azure using the CLI. Note that the user must have the Contributor role.

    az login

  2. Create a resource group if one doesn't exist.

    az group create --name "$AZURE_RESOURCE_GROUP" --location "$AZURE_LOCATION"

  3. Log in to private container registry.

    REGISTRY_PASS=$(az acr credential show -n "$AZURE_REGISTRY_NAME" --query "passwords[0].value" -o tsv)
docker login -u "${AZURE_REGISTRY_NAME}" -p "${REGISTRY_PASS}" "${AZURE_REGISTRY_NAME}".azurecr.io

  4. Build and push the HERE Anonymizer image.

    APP_IMAGE=${AZURE_REGISTRY_NAME}.azurecr.io/${APP_NAME}-flink:${APP_VERSION}
docker build --tag "$APP_IMAGE" $HERE_ANONYMIZER_DIST
docker push "$APP_IMAGE"

  5. Push the RabbitMQ image. Alternatively, you can use any of the supported connectors.

    RABBIT_IMAGE=${AZURE_REGISTRY_NAME}.azurecr.io/rabbit
docker pull docker.io/rabbitmq:4.1.0-management
docker tag rabbitmq:4.1.0-management "$RABBIT_IMAGE"
docker push "$RABBIT_IMAGE"

Create Kubernetes cluster

  1. Create a Kubernetes cluster with one Node. The type (size) of Nodes is defined by AZURE_VM_SIZE.

    az aks create \
  -g "$AZURE_RESOURCE_GROUP" \
  -n "$AZURE_CLUSTER_NAME" \
  --enable-managed-identity \
  --node-count 1 \
  --node-vm-size "$AZURE_VM_SIZE" \
  --enable-addons monitoring \
  --enable-msi-auth-for-monitoring  \
  --generate-ssh-keys

  2. Log in to cluster and wait until all Pods are ready.

    az aks get-credentials --resource-group "$AZURE_RESOURCE_GROUP" --name "$AZURE_CLUSTER_NAME" --overwrite-existing
kubectl get nodes
kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=300s
kubectl get pods,deployments -A

Create containers for streaming mode (optional)

To use HERE Anonymizer Self-Hosted in the streaming mode, you must create Azure Blob containers to store state and checkpoints. This ensures reliable recovery and state management.

Run the following commands to create the required containers:

az storage blob upload \
  --account-name "${APP_CLIENT_AZURE_STORAGE_ACCOUNT}" \
  --container-name "${CONTAINER}" \
  --name checkpoints/ \
  --file /dev/null

az storage blob upload \
 --account-name "${APP_CLIENT_AZURE_STORAGE_ACCOUNT}" \
 --container-name "${CONTAINER}" \
 --name savepoints/ \
 --file /dev/null

Deploy HERE Anonymizer Self-Hosted

  1. Configure the HERE Anonymizer Self-Hosted license and deploy it as a Kubernetes Secret.

    export HERE_ANONYMIZER_LICENSE={YOUR_LICENSE}
envsubst < "${HERE_ANONYMIZER_DIST}/deployments/kubernetes/secrets.template.yml" | kubectl apply -f -

  2. Edit configuration files and environment variables. See Configuration of HERE Anonymizer Self-Hosted for details.

    kubectl create -f "${HERE_ANONYMIZER_DIST}/deployments/kubernetes/env-configmap.yml"

# To run Flink with rescaling and checkpointing enabled for a stream anonymization.
export AZURE_STORAGE_ACCOUNT={AZURE_STORAGE_ACCOUNT}
export AZURE_CLIENT_ID={AZURE_CLIENT_ID}
export AZURE_CLIENT_PASSWORD={AZURE_CLIENT_PASSWORD}
export AZURE_STORAGE_KEY={AZURE_STORAGE_KEY}
export CHECKPOINTS_DIR="wasbs://${CONTAINER}@${AZURE_STORAGE_ACCOUNT}.blob.core.windows.net/checkpoints/"
export SAVEPOINTS_DIR="wasbs://${CONTAINER}@${AZURE_STORAGE_ACCOUNT}.blob.core.windows.net/savepoints/"
kubectl create -f "${HERE_ANONYMIZER_DIST}/deployments/kubernetes/azure/conf-files-configmap.yml"
# For flink in session mode for a batch anonymization.
kubectl create -f "${HERE_ANONYMIZER_DIST}/deployments/kubernetes/conf-files-configmap.yml"

  3. Configure container registry credentials as a Kubernetes secret. Note that the command exports all local Docker credentials.

    kubectl create secret generic regcred \
  --from-file=.dockerconfigjson="$HOME/.docker/config.json" \
  --type=kubernetes.io/dockerconfigjson

  4. As the private container registry is used, container image substitution is required before each deployment.

    IMAGE=$RABBIT_IMAGE envsubst < "${HERE_ANONYMIZER_DIST} /deployments/kubernetes/rabbit-deployment.template.yml" | kubectl apply -f -

# change to 'jobmanager' to run Flink in session mode for a batch anonymization
export JM_CMD='jobmanager-stream'
IMAGE=$APP_IMAGE envsubst < "${HERE_ANONYMIZER_DIST}/deployments/kubernetes/jobmanager-deployment.template.yml" | kubectlapply -f -

IMAGE=$APP_IMAGE envsubst < "${HERE_ANONYMIZER_DIST} /deployments/kubernetes/taskmanager-deployment.template.yml" | kubectl apply -f -

  5. As the taskmanager is referring to jobmanager as a host name, the jobmanager deployment must be exposed as the ClusterIP service.

    kubectl create -f "${HERE_ANONYMIZER_DIST}/deployments/kubernetes/jobmanager-service.yml"

  6. Optionally, for demo purposes, publish the RabbitMQ UI and Flink JobManager UI outside of the cluster.

    kubectl create -f "${HERE_ANONYMIZER_DIST}/deployments/kubernetes/rabbit-ui-service.yml"
kubectl create -f "${HERE_ANONYMIZER_DIST}/deployments/kubernetes/jobmanager-ui-service.yml"

Check the deployed HERE Anonymizer Self-Hosted

To check the demo deployment using a web browser, complete the last step from the previous section.

FLINK_UI=http://$(kubectl get service jobmanager-ui -o jsonpath="{.status.loadBalancer.ingress[0].ip}"):8081
RABBIT_UI=http://$(kubectl get service rabbit-ui -o jsonpath="{.status.loadBalancer.ingress[0].ip}"):15672

Cleanup

  1. Remove the Azure Resource Group to delete all associated resources.

    az group delete --name "$AZURE_RESOURCE_GROUP" -y

  2. Delete the created container image.

    az acr repository delete --name ${AZURE_REGISTRY_NAME} --image "$IMAGE" -y

Updated 2 days ago