Work in Progress: This page is under development.

Azure AKS

Deploy Laminar on Azure Kubernetes Service (AKS).

Prerequisites

  • Azure CLI configured
  • kubectl installed
  • Helm 3.12+

Create AKS Cluster

# Create resource group
az group create \
  --name laminar-rg \
  --location eastus
 
# Create AKS cluster
az aks create \
  --resource-group laminar-rg \
  --name laminar-cluster \
  --node-count 3 \
  --node-vm-size Standard_D4s_v3 \
  --enable-managed-identity \
  --enable-workload-identity \
  --enable-oidc-issuer \
  --generate-ssh-keys
 
# Get credentials
az aks get-credentials \
  --resource-group laminar-rg \
  --name laminar-cluster

Install Laminar

Create Values File

aks-values.yaml:

global:
  storageClass: managed-csi
 
api:
  replicas: 2
  resources:
    requests:
      cpu: 500m
      memory: 512Mi
    limits:
      cpu: 2000m
      memory: 2Gi
  ingress:
    enabled: true
    className: azure-application-gateway
    annotations:
      appgw.ingress.kubernetes.io/ssl-redirect: "true"
    hosts:
      - host: laminar.example.com
        paths:
          - path: /
            pathType: Prefix
 
controller:
  replicas: 2
  resources:
    requests:
      cpu: 500m
      memory: 1Gi
  persistence:
    size: 100Gi
    storageClass: managed-csi
 
storage:
  artifacts:
    url: "https://mystorageaccount.blob.core.windows.net/laminar/artifacts"
  checkpoints:
    url: "https://mystorageaccount.blob.core.windows.net/laminar/checkpoints"

Install

helm repo add laminar https://charts.laminar.dev
helm repo update
 
helm install laminar laminar/laminar \
  --namespace laminar \
  --create-namespace \
  -f aks-values.yaml

Workload Identity

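To give Laminar access to Azure Blob Storage, create a managed identity, grant it a storage role, and federate it with the cluster's OIDC issuer: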

# Create managed identity
az identity create \
  --name laminar-identity \
  --resource-group laminar-rg
 
# Get identity details
IDENTITY_CLIENT_ID=$(az identity show \
  --name laminar-identity \
  --resource-group laminar-rg \
  --query clientId -o tsv)
 
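# Assign Storage Blob Data Contributor role
# SUBSCRIPTION_ID is a placeholder. This scope covers every storage account in
# laminar-rg; narrow it to the storage account's resource ID for least privilege.
az role assignment create \
  --role "Storage Blob Data Contributor" \
  --assignee "$IDENTITY_CLIENT_ID" \
  --scope /subscriptions/SUBSCRIPTION_ID/resourceGroups/laminar-rg

# Create federated credential
AKS_OIDC_ISSUER=$(az aks show \
  --name laminar-cluster \
  --resource-group laminar-rg \
  --query oidcIssuerProfile.issuerUrl -o tsv)

# The subject has the form system:serviceaccount:<namespace>:<service account name>
# and must match the namespace and service account the chart is installed with.
az identity federated-credential create \
  --name laminar-federated \
  --identity-name laminar-identity \
  --resource-group laminar-rg \
  --issuer "$AKS_OIDC_ISSUER" \
  --subject system:serviceaccount:laminar:laminar \
  --audience api://AzureADTokenExchange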

Update the values file (aks-values.yaml), replacing <IDENTITY_CLIENT_ID> with the identity's client ID:

serviceAccount:
  create: true
  annotations:
    azure.workload.identity/client-id: <IDENTITY_CLIENT_ID>
 
podLabels:
  azure.workload.identity/use: "true"
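
The token exchange succeeds only when the `iss`, `sub` and `aud` claims of the pod's projected service account token match the issuer, subject and audience registered in the federated credential above. The Python check below is an added example, not part of the Laminar documentation; the issuer URL and sample tokens are constructed, and the function names are hypothetical.

```python
import base64
import json

# Values registered by the page's `az identity federated-credential create` command.
EXPECTED_SUBJECT = "system:serviceaccount:laminar:laminar"
EXPECTED_AUDIENCE = "api://AzureADTokenExchange"


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def federation_mismatches(claims: dict, issuer: str,
                          subject: str = EXPECTED_SUBJECT,
                          audience: str = EXPECTED_AUDIENCE) -> list:
    """List each claim that differs (exact, case-sensitive) from the credential."""
    problems = []
    if claims.get("iss") != issuer:  # a missing trailing slash is a mismatch
        problems.append(f"iss: token={claims.get('iss')!r} credential={issuer!r}")
    if claims.get("sub") != subject:  # wrong namespace or service account name
        problems.append(f"sub: token={claims.get('sub')!r} credential={subject!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # "aud" may be a string or a list
    if audience not in aud:
        problems.append(f"aud: token={aud!r} credential={audience!r}")
    return problems


def make_sample_token(claims: dict) -> str:
    """Build an unsigned sample token (constructed test data, not a real token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed issuer; on a real cluster use the value stored in $AKS_OIDC_ISSUER.
ISSUER = "https://oidc.example.invalid/TENANT_ID/CLUSTER_ID/"
GOOD = make_sample_token({"iss": ISSUER, "sub": EXPECTED_SUBJECT, "aud": [EXPECTED_AUDIENCE]})
# Chart installed into "default" instead of "laminar": the subject no longer matches.
BAD = make_sample_token({"iss": ISSUER, "sub": "system:serviceaccount:default:laminar",
                         "aud": [EXPECTED_AUDIENCE]})

if __name__ == "__main__":
    for name, tok in (("good", GOOD), ("bad", BAD)):
        print(name, federation_mismatches(jwt_claims(tok), ISSUER) or "matches")
```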

Application Gateway Ingress

Enable the Application Gateway Ingress Controller (AGIC) add-on:

# Enable AGIC add-on
az aks enable-addons \
  --resource-group laminar-rg \
  --name laminar-cluster \
  --addons ingress-appgw \
  --appgw-name laminar-appgw \
  --appgw-subnet-cidr "10.225.0.0/16"

Verify Installation

# Check pods
kubectl get pods -n laminar
 
# Get external IP
kubectl get ingress -n laminar
 
# Test API
curl https://laminar.example.com/health
