EvOps for Azure Stack - Deployment Guide

Gridpro AB

Rev: 1.0.7820

Published: December 2017

 

Prerequisites

Azure Stack

EvOps is currently only supported to be installed on Azure Stack Development Kit deployments. We are working together with Microsoft to support installation on integrated (multi-node) systems in the near future.

Minimum supported version: 1.0.171122.1

Maximum supported version: 1.0.171122.1

Verify Access to Privileged Endpoint Virtual Machine

An essential prerequisite for the EvOps installation is that the host you are running all scripts from has access to the Azure Stack Privileged Endpoint virtual machine.

  • For Azure Stack Development Kit (ASDK) installations, sign in to the physical host
  • For multi-node systems, the host must be a system that can access the Privileged Endpoint

Setup Azure Stack PowerShell Environment

EvOps installation requires that AzureRM and Azure Stack-specific PowerShell modules are installed, AzureStack Tools are available, and the PowerShell environment is configured for your Azure Stack deployment type (Azure AD or AD FS). Please see the article below for step-by-step instructions.

Get up and running with PowerShell in Azure Stack
https://docs.microsoft.com/azure/azure-stack/azure-stack-powershell-configure-quickstart

Add Windows Server 2016 VM image to Azure Stack

EvOps requires a default Windows Server 2016 image to be available in Marketplace so that it can be used during the installation. Images can be added either through syndication, if there is internet access, or using PowerShell if there is no internet access.

The following steps apply to the ASDK with internet access. For other scenarios, please refer to the official Microsoft documentation.

  1. Login as a Cloud Admin on Azure Stack Administration Site
  2. Select More services > Marketplace management
  3. Click Add from Azure
  4. Select Windows Server 2016 Datacenter - Eval
  5. Click Download
  6. Verify that status is Succeeded in the Marketplace management blade before starting EvOps installation script

Prepare EvOps Installation Directory

  1. Extract the downloaded EvOps zip archive to C:\EvOpsInstall
  2. Download Microsoft Azure Service Fabric for Windows Server:
    http://go.microsoft.com/fwlink/?LinkId=730690
  3. Verify that download filename is in format: Azure.ServiceFabric.WindowsServer.<version>.zip
  4. Save file to C:\EvOpsInstall\resources folder
  5. Download Web Deployment Tool:
    https://www.microsoft.com/en-us/download/details.aspx?id=43717
  6. Verify that download filename is in format:
    WebDeploy_amd64_en-US.msi
  7. Save file to C:\EvOpsInstall\resources folder
  8. Download Microsoft Azure Service Fabric Runtime:
    https://go.microsoft.com/fwlink/?linkid=839354
  9. Verify that download filename is in format:
    <version>.cab
  10. Save file to C:\EvOpsInstall\resources folder
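
Added example, not part of the EvOps installation kit: a pre-flight check that the three downloads in the resources folder match the filename formats above, with a SHA-256 hash for your records and an Authenticode check on the MSI and CAB. It assumes that <version> consists of digits and dots and that the MSI and CAB carry a valid Microsoft signature.

```powershell
# Added example (not part of the EvOps kit): pre-flight check of the resources folder.
# Assumptions: <version> is digits and dots; the MSI and CAB are expected to carry
# a valid Authenticode signature issued to Microsoft Corporation.
$resources = 'C:\EvOpsInstall\resources'

$expected = @(
    @{ Name = 'Service Fabric for Windows Server'; Signed = $false
       Pattern = '^Azure\.ServiceFabric\.WindowsServer\.\d+(\.\d+)*\.zip$' }
    @{ Name = 'Web Deployment Tool'; Signed = $true
       Pattern = '^WebDeploy_amd64_en-US\.msi$' }
    @{ Name = 'Service Fabric Runtime'; Signed = $true
       Pattern = '^\d+(\.\d+)*\.cab$' }
)

$report = foreach ($item in $expected) {
    # Exactly one file per download must match the expected filename format.
    $found = @(Get-ChildItem -Path $resources -File -ErrorAction SilentlyContinue |
               Where-Object { $_.Name -match $item.Pattern })
    if ($found.Count -ne 1) {
        [pscustomobject]@{ Download = $item.Name; File = $null; Ok = $false
                           Detail = "expected exactly 1 matching file, found $($found.Count)" }
        continue
    }

    $file   = $found[0]
    $ok     = $true
    $detail = 'SHA256 ' + (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash

    if ($item.Signed) {
        # A missing, broken or non-Microsoft signature is treated as a failure.
        $sig    = Get-AuthenticodeSignature -FilePath $file.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
            $ok     = $false
            $detail = "signature status '$($sig.Status)', signer '$signer'"
        }
    }
    [pscustomobject]@{ Download = $item.Name; File = $file.Name; Ok = $ok; Detail = $detail }
}

$report | Format-Table -AutoSize -Wrap
if ($report.Ok -contains $false) {
    throw 'Resources folder is not ready; fix the items marked Ok = False before installing.'
}
```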

Create Subscription hosting EvOps infrastructure

All EvOps infrastructure resources should be hosted in a dedicated subscription. EvOps requires the following services as a minimum in the subscription where you choose to deploy the EvOps infrastructure:

  • Compute
  • Network
  • Storage
  • KeyVault

Please see this section for how to prepare a suitable subscription.

Create Plan containing services required by EvOps

  1. Login as a Cloud Admin on the Azure Stack Administration site
  2. Select More services > Plans
  3. Click Add
  4. Provide a Display name, e.g. EvOpsCore
  5. Create a new Resource Group, or select an existing one, as a container for the Plan
  6. Click Services
  7. Select Compute, Microsoft.KeyVault, Microsoft.Network and Microsoft.Storage, then click Select
  8. Click Quotas
  9. Select Storage (local), select Default Quota
  10. Select Network (local), select Default Quota
  11. Select KeyVault (local), select Unlimited
  12. Select Compute (local), select Default Quota
  13. Click OK
  14. Click Create

Create Offer for EvOps Core Plan

  1. Login as a Cloud Admin on Azure Stack Administration site
  2. Select More services > Offers
  3. Provide a Display name, e.g. EvOpsCore
  4. Create a new Resource Group, or select an existing one, as a container for the Offer
  5. Click Base plans
  6. Select EvOpsCore and click Select
  7. Click Create
  8. In Offer blade, click Refresh
  9. Select offer EvOpsCore, click Change State and select Public

NOTE: If you don’t want to make the offer Public you will need to create the tenant subscription from the admin site instead of following the steps in the next section.

Create Subscription

  1. Login as a Cloud Admin on Tenant site
  2. Select More services > Subscriptions
  3. Click Add
  4. Provide a Display name, e.g. EvOpsInfra
  5. Select Offer, then click EvOpsCore
  6. Click Create
  7. Select subscription EvOpsInfra, copy Subscription ID for use in deployment script

Prepare Certificates

A set of certificates must be generated and copied into the EvOps installation kit folder structure before installing EvOps. Please see the table below for certificate details.

| Certificate | Description | Usage |
|---|---|---|
| SSL | Used to encrypt traffic to EvOps fabric | Server Authentication |
| FabricAuth | Securing internal communication in EvOps fabric | Client/Server Authentication |
| Encryption | Used to encrypt data store in EvOps fabric | Data Encipherment |

 

Create Certificates for Azure Stack Development Kit Deployment

If you are installing on an ASDK, all three of the certificates above can be self-signed. Follow the steps below to generate appropriate certificates. The script will automatically copy the certificates into the EvOps installation kit certificate folders.

IMPORTANT: Self-signed certificates should not be used in a production environment.

  1. Open an elevated Windows PowerShell ISE session, and open below script file:
    C:\EvOpsInstall\Create-EvOpsASDKCertificates.ps1
  2. Replace all variables in parameters section with environment specific data according to table below:

<PrivilegedEndpoint>

DNS name or IP address of the privileged endpoint virtual machine
ASDK: azs-ercs01.azurestack.local

<CloudAdminPass>

Cloud admin password for privileged endpoint access

<Domain>

NetBIOS name for the Azure Stack domain
ASDK: AzureStack

<PfxPassword>

Password used to protect the certificate pfx files

  3. Change working directory before running the script by executing the following command: cd C:\EvOpsInstall
  4. Click Run Script to execute script
  5. Verify that the certificates have been exported successfully in C:\EvOpsInstall\Certificates subfolders Auth, Encryption and SSL

Create Certificates for Azure Stack Multi-Node (Production)

If you are installing on an Azure Stack multi-node deployment, certificates should be created by a corporate or external certificate authority for production grade security. Create the certificates with the same pfx password and copy them into the corresponding C:\EvOpsInstall\Certificates subfolder.
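
Added example, not part of the EvOps installation kit: a check of the PFX files in the Auth, Encryption and SSL subfolders against the usages in the certificate table, run before the installer. It assumes one .pfx per subfolder and one shared PFX password, and it maps the table's Usage column to EKU OIDs (SSL, FabricAuth) and to the DataEncipherment key-usage flag (Encryption); set $production to $true for multi-node so that a self-signed certificate counts as a failure.

```powershell
using namespace System.Security.Cryptography.X509Certificates
# Added example (not part of the EvOps kit): validate the PFX files before installation.
# Assumptions: one .pfx per subfolder, one shared PFX password, and the guide's "Usage"
# column mapped to EKU OIDs (SSL, FabricAuth) and a key-usage flag (Encryption).
$certRoot   = 'C:\EvOpsInstall\Certificates'
$production = $false      # $true for multi-node: self-signed certificates fail the check
$password   = Read-Host -Prompt 'PFX password' -AsSecureString
$now        = Get-Date

$serverAuth = '1.3.6.1.5.5.7.3.1'   # EKU: Server Authentication
$clientAuth = '1.3.6.1.5.5.7.3.2'   # EKU: Client Authentication
$expected = [ordered]@{
    SSL        = @{ Eku = @($serverAuth) }
    Auth       = @{ Eku = @($serverAuth, $clientAuth) }
    Encryption = @{ KeyUsage = [X509KeyUsageFlags]::DataEncipherment }
}

$report = foreach ($folder in $expected.Keys) {
    $want = $expected[$folder]
    $pfx  = @(Get-ChildItem -Path (Join-Path $certRoot $folder) -Filter *.pfx -ErrorAction SilentlyContinue)
    if ($pfx.Count -ne 1) {
        [pscustomobject]@{ Folder = $folder; Ok = $false; Problems = "expected 1 .pfx, found $($pfx.Count)" }
        continue
    }
    try { $cert = [X509Certificate2]::new($pfx[0].FullName, $password) }
    catch {
        [pscustomobject]@{ Folder = $folder; Ok = $false; Problems = 'cannot open (wrong password or damaged file)' }
        continue
    }

    $problems = @()
    if (-not $cert.HasPrivateKey) { $problems += 'no private key' }
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { $problems += 'outside validity period' }
    if ($production -and $cert.Subject -eq $cert.Issuer) { $problems += 'self-signed' }

    # Enhanced key usage: every OID expected for this folder must be present.
    $eku     = $cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    foreach ($oid in $want.Eku) {
        if ($ekuOids -notcontains $oid) { $problems += "missing EKU $oid" }
    }
    # Key usage flag, checked only for the Encryption certificate.
    if ($want.KeyUsage) {
        $ku = $cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
        if (-not $ku -or -not ($ku.KeyUsages -band $want.KeyUsage)) {
            $problems += 'missing key usage DataEncipherment'
        }
    }
    [pscustomobject]@{ Folder = $folder; Ok = ($problems.Count -eq 0); Problems = ($problems -join '; ') }
    $cert.Reset()         # release the imported key material
}

$report | Format-Table -AutoSize -Wrap
```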

Create EvOps Service Principal

The following sections will help you prepare the service principal required by the EvOps installation.

Create Service Principal for Azure Active Directory-based deployments

  1. Open an elevated PowerShell ISE editor and open script file:
    C:\EvOpsInstall\Create-RPServicePrincipalAAD.ps1
  2. Replace all variables in parameters section with environment specific data according to table below:

<TenantDirectoryID>

Same tenant/directory as used when installing Azure Stack e.g.
a8f6ceef-486a-4ed3-9d6c-699ade6abea7

<AuthCertificate>

File path to the "auth" certificate e.g. C:\EvOpsInstall\certificates\auth\<certificate name>.pfx

<ServicePrincipal>

Specify a name of the service principal you are creating e.g. EvOpsFabric

<PfxPassword>

Password for FabricAuth certificate pfx file

  3. Change working directory before running the script by executing the following command: cd C:\EvOpsInstall
  4. Click Run Script to execute script
  5. Log in as an AAD Admin when login prompt appears
  6. In the script output, save Application ID for later use in EvOps deployment

Create Service Principal for AD FS-based deployments

  1. Open an elevated PowerShell ISE editor and open script file:
    C:\EvOpsInstall\Create-RPServicePrincipalAAD.ps1
  2. Replace all variables in parameters section with environment specific data according to table below:

<PrivilegedEndpoint>

DNS name or IP address of the privileged endpoint virtual machine
ASDK: azs-ercs01.azurestack.local

<Domain>

NetBIOS name for the Azure Stack domain
ASDK: AzureStack

<ServicePrincipal>

Specify a name of the service principal you are creating e.g. EvOpsFabric

<AuthCertificate>

File path to the "auth" certificate e.g. C:\EvOpsInstall\certificates\auth\<certificate name>.pfx

<PfxPassword>

Password for FabricAuth certificate pfx file

  3. Change working directory before running the script by executing the following command: cd C:\EvOpsInstall
  4. Click Run Script to execute script
  5. Log in as a Domain Admin when login prompt appears
  6. In the script output, save Client ID for later use in EvOps deployment

 

Installation

Once the preparations are completed, you are ready to initiate the installation.

Deploy EvOps for Azure Stack

  1. Login to host that has Azure Stack PowerShell Environment setup and access to the privileged endpoint virtual machine.
    1. For ASDK: Login to the Azure Stack physical host as: AzureStack\AzureStackAdmin
    2. For Multi-Node: You need to configure it yourself. Please see this article for instruction on how to access the privileged endpoint: https://docs.microsoft.com/lv-lv/azure/azure-stack/azure-stack-privileged-endpoint
  2. Open an elevated PowerShell ISE editor and open script file:
    C:\EvOpsInstall\Install-EvOpsASDK.ps1
  3. Replace all variables in parameters section with environment specific data according to table below:

<ServicePrincipalAppID>

Specify Application ID of the Service Principal created in chapter “Create EvOps Service Principal”
Example format: a8f6ceef-486a-4ed3-9d6c-699ade6abea7

<PrivilegedEndpoint>

DNS name or IP address of the privileged endpoint virtual machine
ASDK: azs-ercs01.azurestack.local

<TenantSubscriptionID>

Specify Subscription ID of the subscription that will host EvOps infrastructure that was created in section “Create Subscription hosting EvOps infrastructure”
Example format: 06f64eb6-150a-4b70-a596-ad170b446ac5

<VmLocalAdminPass>

Sets the password for local user “localadmin” on EvOps Service Fabric VMs

<ServiceAdmin>

Specify service admin login (AAD or AD FS) e.g. admin@contoso.onmicrosoft.com

<ServiceAdminPass>

Specify service admin password (AAD or AD FS)

<CloudAdminPass>

Specify password for user CloudAdmin privileged endpoint access

<Domain>

NetBIOS name for the Azure Stack domain
ASDK: AzureStack

<PfxPassword>

Password for certificate pfx files

NOTE: If you have different passwords for the different certificate files, you need to update the script accordingly.

  4. Change working directory before running the script by executing the following command: cd C:\EvOpsInstall
  5. Click Run Script to execute script (script can take up to 60 minutes to complete)
  6. Read the EULA carefully and type Y if you accept the terms
  7. Verify that script executed successfully based on output
  8. Installation completed

 

Getting Started

The following steps will help you to get started with EvOps for Azure Stack.

Activate License

  1. Login as a Cloud Admin on Azure Stack Administration site
  2. Select More services > EvOps
  3. Click License management

Internet Connected Environment

  1. Click Activate license
  2. Type in your activation key
  3. Click OK

Non-Internet Connected Environment

  1. Click Activate license
  2. Paste license request string and send to support@gridprosoftware.com
  3. When you receive license file, click Offline activation request
  4. Browse and select license file received and click OK

Prepare Plan and Offer for EvOps

  1. Login as a Cloud Admin on Azure Stack Administration site
  2. Select More services > Plans
  3. Click New
  4. Login as a Cloud Admin on Azure Stack Administration site
  5. Select More services > Plans
  6. Click Add
  7. Provide a Display name, e.g. EvOps for Azure Stack
  8. Create a new Resource Group, or select an existing one, as a container for the Plan
  9. Click Services
  10. Select EvOps and click Select
  11. Click Quotas
  12. Select Storage (local), select Default Quota
  13. Select Network (local), select Default Quota
  14. Select KeyVault (local), select Unlimited
  15. Select Compute (local), select Default Quota
  16. Select EvOps (local) and click Create new quota
  17. Type Unlimited as Name and check Unlimited Accounts and Requests
  18. Click OK to save quota
  19. Select Unlimited and click OK
  20. Click Create
  21. Select More services > Offers
  22. Provide a Display name, e.g. EvOps for Azure Stack
  23. Create a new Resource Group, or select an existing one, as a container for the Offer
  24. Click Base plans
  25. Select EvOps for Azure Stack and click Select
  26. Click Create
  27. In Offer blade, click Refresh
  28. Select offer evops-for-azure-stack, click Change State and select Public

Create your first EvOps Account

Now you are ready to create your first EvOps account.

IMPORTANT: For security reasons, it is not recommended that you create an EvOps account in the subscription that hosts the EvOps infrastructure.

Create subscription hosting your EvOps account

  1. Login as a Cloud Admin on Azure Stack Tenant site
  2. Select More services > Subscriptions
  3. Type in a name, in this example: EvOpsAdmin
  4. Click Offers
  5. Select EvOps for Azure Stack offer
  6. Click Create
  7. Click subscription you just created
  8. Click Resource providers
  9. Find EvOps resource provider in list and click Register
  10. Done

Create EvOps account

  1. Select More services > EvOps accounts
  2. Click New
  3. Select EvOpsAdmin subscription
  4. Type in a name, in this example Cloud1
  5. In Resource group, click Create new and type in EvOps
  6. Click Service Principal
  7. Select your service principal for this EvOps account and click Select

    For an ASDK installation you can use the same service principal you created as part of the installation of EvOps, but in a multi-node installation it is recommended to create a separate service principal. Please see the links below for recommendations on creating it, depending on your deployment type.

    Azure Active Directory-based deployments
    https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authenticate-service-principal#create-service-principal-with-certificate-from-certificate-authority

    AD FS-based deployments
    https://docs.microsoft.com/en-us/azure/azure-stack/azure-stack-create-service-principals#create-service-principal-for-ad-fs
  8. Type the Application ID for the service principal selected above
  9. Click Browse and select the service principal authentication certificate PFX file

    NOTE: If you deploy on an ASDK installation and use the same service principal as used during installation, please browse and select FabricAuth certificate PFX file.
  10. Type PFX file password
  11. Click Create
  12. Done

Import Sample Request Templates

The installation kit contains two samples as described below. For updated and more samples, please visit EvOps product support site.

  • VM with approval (vm-with-approval.evpkg): Request template with an advanced wizard that contains SKU pickers, conditional visibility etc. and a workflow that contains an approval and ARM deployment for virtual machine creation.
  • Support Request (support-request.evpkg): Request template creating a support request with resource picker that allows to add affected item.

Please follow the steps below to import samples.

  1. Select More services > EvOps accounts
  2. Click your EvOps account
  3. Click Request templates
  4. Click Import
  5. Browse to the folder where you extracted the EvOps installation files and documentation
  6. Select vm-with-approval.evpkg file in the list and click Open
  7. Change Display name and Name if required, then click OK to import
  8. Repeat steps 4-7 for support-request.evpkg file as well
  9. Open each Request template and click Publish to publish to Marketplace

 

Uninstallation

Remove EvOps for Azure Stack on ASDK

  1. Start by removing all Plans and Offers connected to EvOps
  2. Login to the Azure Stack physical host as: AzureStack\AzureStackAdmin
  3. Open an elevated PowerShell ISE editor and open script file:
    C:\EvOpsInstall\Uninstall-EvOpsASDK.ps1
  4. Replace all variables in parameters section with environment specific data according to table below:

<PrivilegedEndpoint>

DNS name or IP address of the privileged endpoint virtual machine
ASDK: azs-ercs01.azurestack.local

<TenantSubscriptionID>

Specify Subscription ID of the subscription that will host EvOps infrastructure that was created in section “Create Subscription hosting EvOps infrastructure”.
Example format: 06f64eb6-150a-4b70-a596-ad170b446ac5

<ServiceAdmin>

Specify service admin login (AAD or AD FS) e.g. admin@contoso.onmicrosoft.com

<ServiceAdminPass>

Specify service admin password (AAD or AD FS)

<CloudAdminPass>

Specify password for user CloudAdmin privileged endpoint access

<Domain>

NetBIOS name for the Azure Stack domain
ASDK: AzureStack

  5. Change working directory before running the script by executing the following command: cd C:\EvOpsInstall
  6. Click Run Script to execute script (script can take up to 60 minutes to complete)
  7. Type Y when asked to confirm that you want to unregister the EvOps resource provider
  8. Verify that script executed successfully based on output
  9. Uninstallation completed

 

Known Limitations

This section describes known issues with this version of the product.

  • EvOps is currently not supported on integrated (multi-node) systems.
    Workaround: Start evaluating EvOps on the ASDK, design and build your request templates which can later be exported and imported into your multi-node environment.
  • When creating a new EvOps account, you might see a message saying, "Checking permissions to create a Run As Account in Active Directory". If this happens, it should be ignored. The text is incorrect: EvOps does not try to create a service principal automatically for you in your directory. If we implement this automation later on, to simplify the process of creating an account, we will prompt and ask first. We do place the provided service principal in the contributor role of the subscription where you create the EvOps account; this is currently a requirement.
    Workaround: Ignore message and create the account.
  • It is currently not possible to edit list values like "Classification, Source, Support group". This will be possible in a future release.
    Workaround: None.
  • After adding an extension and the success message is shown, it can still take a while before the extension shows up in the list of active extensions.
  • When modifying extensions in EvOps on the ASDK, you can experience delays and "locks" in the UX. This is due to the single VM setup and should not be expected in a production environment.
  • Subscriptions should not be deleted before deleting the resources of those subscriptions first. If the subscription is deleted without doing so, it will leave orphaned resources in the system. This is a known issue in current builds of Azure Stack.
  • Resource group- and location picker are added by default to the wizard of a new request template. For any request that does not include a Deployment Activity, the resource group and location picker can be removed.

 
