Cloud Providers

A Cloud Provider is used to provide Nirmata access to your public or private cloud resources.

The setup for any Cloud Provider has the following general flow:
  1. Create the Cloud Provider in Nirmata
  2. Prepare a VM template, or similar construct to provision cloud instances, as detailed in the Container Host Groups section.
  3. Create one or more Host Groups in Nirmata

The setup for private clouds has one additional step: you must first run the Nirmata Private Cloud Agent and then configure a Cloud Provider. See the Private Cloud setup section below for details.

Direct Connect

You can connect any virtual or physical server to Nirmata using the ‘Direct Connect’ cloud provider type. With this type of deployment you control which servers are made available in a Host Group. Auto scaling and recovery of hosts is not supported for this host type.

A Direct Connect cloud provider is already created in each account. You can create Direct Connect Host Groups without any additional setup.

Next Steps: Set up a Direct Connect Host Group.

AWS Cloud Provider

Nirmata requires read-only access to the EC2 service if using ASGs or Spot Fleet Requests, and full access to the EC2 service if using Launch Configurations to provision your VMs. The secure way to provide this access is to configure an IAM role for Nirmata in your AWS account. To configure the role, you will need the Nirmata AWS account ID and a unique external ID. When the role is configured, you provide Nirmata the role ARN (Amazon Resource Name).

This process seems involved, but only takes a few minutes to set up! Here are the detailed steps:

  1. Launch the Add Cloud Provider Wizard and select AWS as the provider.
_images/AWS-IAM-Role-0.png
  2. The Settings page will show you the Nirmata Account ID (094919933512) and a unique external ID for the Cloud Provider. You will need both in a later step:
_images/AWS-IAM-Role-6.png
  3. Log in to your AWS account. Select IAM and navigate to the option to create a new role:
_images/AWS-IAM-Role-1.png _images/AWS-IAM-Role-2.png _images/AWS-IAM-Role-3.png
  4. Select the ‘Another AWS account’ role type, and enter the Nirmata Account ID and external ID from the Settings page (Step 2):
_images/AWS-IAM-Role-5-1.png
  5. On the next page, select the ‘AmazonEC2ReadOnlyAccess’ and ‘IAMReadOnlyAccess’ policies to allow Nirmata to provision EC2 instances:
_images/AWS-IAM-Role-8-1.png

You can also create a custom policy (e.g. NirmataAutomationPolicy) for more granular access control. Below is a Policy Document that can be used for the custom policy. It limits StartInstances, StopInstances and TerminateInstances to instances that Nirmata created and tagged (com.nirmata.createdBy = nirmata):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances",
                "ec2:CreateTags",
                "ec2:Describe*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances"
            ],
            "Resource": "arn:aws:ec2:<region>:<account>:instance/*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/com.nirmata.createdBy": "nirmata"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "autoscaling:Describe*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:ListAttachedRolePolicies",
                "iam:ListPolicyVersions",
                "iam:ListInstanceProfiles",
                "iam:GetPolicyVersion",
                "iam:SimulateCustomPolicy",
                "iam:PassRole"
            ],
            "Resource": "*"
        }
    ]
}

NOTE: be sure to replace the <region> and <account> placeholders with the allowed region (or “*” to allow all regions) and your AWS account ID.

  6. Provide a name (e.g. ‘nirmata-aws-role-1’) and click Create role:
_images/AWS-IAM-Role-4-1.png
  7. Finish creating the AWS IAM role. Go to the Roles page, select the role you just created and copy the Role ARN:
_images/AWS-IAM-Role-11.png
  8. Paste the Role ARN into the Nirmata Add Cloud Provider Wizard. You can then click ‘Next’ and Nirmata will validate the settings:
_images/AWS-IAM-Role-12.png
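As an added check (not part of the Nirmata documentation or product), the Python below builds the cross-account trust policy that the ‘Another AWS account’ role type with an external ID produces, and lints a copy of the custom policy above: it flags unreplaced <region>/<account> placeholders and any Allow statement that grants Start/Stop/Terminate (including through wildcards such as ec2:*) without the com.nirmata.createdBy tag condition. The account ID 123456789012 and the external ID value are assumed placeholders.

```python
import json, re
from fnmatch import fnmatch

# Constructed sample: the page's custom policy with <region> set to "*" and
# <account> set to the placeholder 123456789012 (not a real account).
CUSTOM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:RunInstances", "ec2:CreateTags", "ec2:Describe*"],
         "Resource": ["*"]},
        {"Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"],
         "Resource": "arn:aws:ec2:*:123456789012:instance/*",
         "Condition": {"StringEquals": {"ec2:ResourceTag/com.nirmata.createdBy": "nirmata"}}},
    ],
}
LIFECYCLE = ("ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances")
TAG_KEY = "ec2:ResourceTag/com.nirmata.createdBy"


def trust_policy(trusted_account: str, external_id: str) -> dict:
    """Trust policy equivalent to the console's 'Another AWS account' role type
    with an external ID (assumed shape; the page shows only the console steps)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def lint_policy(policy: dict) -> list:
    """Return findings: placeholders left in the document, and Allow statements
    granting Start/Stop/Terminate (also via wildcards) without the tag condition."""
    findings = []
    if re.search(r"<(region|account)>", json.dumps(policy)):
        findings.append("placeholder <region>/<account> not replaced")
    for i, st in enumerate(policy.get("Statement", [])):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        granted = any(fnmatch(a, pat) for a in LIFECYCLE for pat in actions)
        if st.get("Effect") != "Allow" or not granted:
            continue
        if st.get("Condition", {}).get("StringEquals", {}).get(TAG_KEY) != "nirmata":
            findings.append(f"statement {i}: instance lifecycle actions not limited by tag")
    return findings
```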

Note: When deploying a Kubernetes cluster on AWS Host Groups, an IAM policy for the hosts in the cluster needs to be created. This IAM policy allows the AWS cloud controller to access AWS resources.

Examples of these IAM policies can be found here:

Master Nodes: https://github.com/kubernetes/kops/blob/master/pkg/model/iam/tests/iam_builder_master_strict.json

Compute Nodes: https://github.com/kubernetes/kops/blob/master/pkg/model/iam/tests/iam_builder_node_strict.json

For networking, Nirmata uses the Amazon VPC CNI plugin (https://github.com/aws/amazon-vpc-cni-k8s). This plugin requires the following IAM policy statements (shown here wrapped in a complete policy document):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateNetworkInterface",
                "ec2:AttachNetworkInterface",
                "ec2:DeleteNetworkInterface",
                "ec2:DetachNetworkInterface",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeInstances",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:AssignPrivateIpAddresses"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "tag:TagResources",
            "Resource": "*"
        }
    ]
}

Creating AWS Cloud Provider Video

Next Steps: Set up an AWS Host Group.

Microsoft Azure Cloud Provider

Create an Azure Provider by entering the Subscription ID, Tenant ID, Client ID and Client Secret. Nirmata uses Azure Active Directory for authentication, so you need to ensure that you have set up Azure Active Directory. For setting up Azure Active Directory, refer to the documentation (https://azure.microsoft.com/en-us/documentation/services/active-directory/).

How To Obtain Client ID

To obtain your Client ID (Application ID), please follow these steps:

https://docs.nirmata.io/en/_images/NTRN-Azure-Support.pdf

1.) Log in to your Azure portal and search for App Registrations (https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v1-integrate-apps-with-azure-ad).

2.) Create an Azure Application for Nirmata inside the resource group used for the Nirmata deployment.

3.) Use https://www.nirmata.io as the web page/API interface.

4.) The Subscription ID is the subscription your resource group is using.

_images/azure-subscription-id.png

4a.) The Tenant ID is your AD directory ID, which can be found in your AD properties area.

_images/azure-tenant-id.png

4b.) The App ID and Client ID are the same value; you will find it once you deploy your application registration.

_images/azure-app-registration.png

5.) When creating the App registration, be sure to note the Client Secret, as it is used by Nirmata.

Cohesive Environment Requirements

Make sure your nodes will all be able to reach and talk to each other, and allow Nirmata to create a host group:

1.) Confirm you have an active resource group for the cluster (https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-portal).

2.) Confirm security groups are correctly configured (https://docs.microsoft.com/en-us/azure/virtual-network/security-overview).

3.) Confirm you have an accessible storage account (https://docs.microsoft.com/en-us/azure/storage/common/storage-create-storage-account).

Should You Require Public Access

Be sure to assign public IPs to your nodes, and configure your network security groups to allow SSH.

A more secure method is to set up a bastion host in the same subnet with a public IP, so you can then SSH to each node from one point.

Once you provide the required information, Nirmata will validate access to your account.

Next Steps: Set up a Microsoft Azure Host Group.

GCE Cloud Provider

Here are the steps to create a cloud provider for Google Compute Engine:

Launch the Add Cloud Provider Wizard and select Google Compute Engine as the provider.

In the Settings page, provide the service account key. This can be generated from your Google Cloud Platform account.

Click Next to validate the settings and complete the wizard.

Next Steps: Set up a GCE Host Group.

Oracle Cloud Provider

Here are the steps to create a cloud provider for Oracle Public Cloud:

Launch the Add Cloud Provider Wizard and select Oracle Public Cloud Services as the provider.

In the Settings page, provide the endpoint URL, identity domain, username and password. The endpoint URL and identity domain can be found in your Oracle Public Cloud account.

_images/create-oracle-cp.png

Click Next to validate the settings and complete the wizard.

Next Steps: Set up an Oracle Public Cloud Host Group.

Digital Ocean Cloud Provider

Create an API key on the Digital Ocean console:

_images/create-digital-ocean-api-key.png

In Nirmata, create a Digital Ocean cloud provider by providing the API Key.

_images/create-digital-ocean-provider-1.png _images/create-digital-ocean-provider-2.png

Next Steps: Set up a Digital Ocean Host Group.

VMware vSphere Cloud Provider

To securely connect Nirmata to VMware vSphere in your Private Cloud or Data Center, first set up a Private Cloud.

Create a VMware vSphere provider by providing the vCenter SDK URL (http://<server-address>/sdk) and credentials:

_images/create-vsphere-provider-1.png

After entering the credentials, validate access to your cloud provider before closing the wizard:

_images/create-vsphere-provider-2.png

Next Steps: Set up a VMware vSphere Host Group.

OpenStack Cloud Provider

To securely connect Nirmata to OpenStack in your Private Cloud or Data Center, first set up a Private Cloud.

Create an OpenStack provider by providing the Keystone identity service URL (https://serviceaddress:5000/v2.0/), project name and credentials:

_images/create-openstack-provider-1.png

After entering the credentials, validate access to your cloud provider before closing the wizard:

_images/create-openstack-provider-2.png

Next Steps: Set up an OpenStack Host Group.

Bare Metal Servers

You can use the Direct Connect option to configure Host Groups for bare metal (physical) servers in Nirmata.

Private Cloud

Nirmata can securely manage your VMware and OpenStack cloud resources, and Docker Image Registries, in your Data Center. To connect your Private Cloud, you will need to run the Nirmata Private Cloud Agent on a system within your Data Center that has connectivity to your cloud management system (e.g. VMware’s vCenter) and/or your private Docker Image Registry. Once the Nirmata Private Cloud Agent is connected, you can provision Cloud Providers and Image Registries and select the appropriate private cloud for these systems.

Here are the steps to set up a Private Cloud:

  1. In Nirmata, go to Settings -> Private cloud, select the option to add a private cloud, and provide a unique name.
_images/private-cloud-setup.png
  2. Set up a system in your Data Center for the Nirmata Private Cloud Agent, and run the command below to install the agent, passing the unique ID of your Private Cloud as the argument:

    curl -sSL https://www.nirmata.io/nirmata-private-cloud-agent/setup-nirmata-private-cloud-agent.sh | sudo sh -s b71025b0-068f-40a1-8804-f03e52c598db

Once the Private Cloud is connected, you can select it when creating an Image Registry, a VMware vSphere Cloud Provider, or an OpenStack Cloud Provider. Here is an example:

_images/private-image-registry.png