Azure DevOps for IdentityIQ
Matt Shirilla
Helping organizations create secure cloud environments that accelerate their businesses.
This is the second article in a series about IdentityIQ deployments in Azure Kubernetes. In the first article I talked about the runtime architecture; in this one I talk about the deployment. SailPoint makes great products, and they are even better when you use everything the cloud has to offer.
Everything in this series is fleshed out with Terraform, Kubernetes artifacts, Azure GitOps and DevOps, and containers. If you want some help implementing this design, DM me on LinkedIn or at [email protected].
A Git repo (1) contains the Dockerfiles and resources that define the images. Azure DevOps (2) builds the IdentityIQ images, pulling in any war/jar files from Azure Storage. The finished image is pushed to the Azure Container Registry (3). An Azure DevOps service principal is assigned the AcrPull role, the AcrPush role, plus a custom role that enforces least-privilege access to Azure to stage other resources.
The great thing about the images is that they contain the war file, third-party libraries, branding, database extensions, etc. You do not have to build a war file, or push a war file to a host, when you deploy. No more dependency management with Maven. It also eliminates the need to manage the database credentials as part of the build; those secrets are pulled from Azure Key Vault at run time.
The Git repo also contains the Terraform files that define the Azure infrastructure. The Terraform module deploys not only the AKS cluster, but also the Azure Storage, Key Vault secrets and other resources needed by the cluster at runtime. This single module is re-used to quickly deploy multiple clusters for test, prod, etc. environments. Terraform Cloud automatically creates a Terraform plan and provides the estimated cost of the new infrastructure. Once approved, the Terraform IaC is executed.
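As an added illustration (not the article's own Terraform or the author's module), here is how the service principal permissions from step (3) above could be expressed in Terraform alongside the rest of the module: the two built-in ACR roles scoped to the registry only, and a custom role that grants read-only access to the staged war/jar artifacts. The resource names, the service principal object id variable and the specific allowed actions are assumptions.

```hcl
# Added example, not the article's code. Names, IDs and the action list are
# assumptions; every assignment is scoped to a resource, never the subscription.

variable "devops_sp_object_id" {
  description = "Object ID of the Azure DevOps service connection principal (assumed input)"
  type        = string
}

resource "azurerm_resource_group" "iiq" {
  name     = "rg-identityiq-build" # assumed name
  location = "eastus"
}

resource "azurerm_container_registry" "iiq" {
  name                = "acridentityiq" # assumed name
  resource_group_name = azurerm_resource_group.iiq.name
  location            = azurerm_resource_group.iiq.location
  sku                 = "Premium"
  admin_enabled       = false # no shared admin password; RBAC identities only
}

# Built-in roles from the article, scoped to this registry only
resource "azurerm_role_assignment" "acr_push" {
  scope                = azurerm_container_registry.iiq.id
  role_definition_name = "AcrPush"
  principal_id         = var.devops_sp_object_id
}

resource "azurerm_role_assignment" "acr_pull" {
  scope                = azurerm_container_registry.iiq.id
  role_definition_name = "AcrPull"
  principal_id         = var.devops_sp_object_id
}

# Custom least-privilege role: list the storage account and read blobs
# (the staged war/jar files), but no key listing and no writes
resource "azurerm_role_definition" "build_stager" {
  name        = "IdentityIQ Build Stager" # assumed name
  scope       = azurerm_resource_group.iiq.id
  description = "Read-only access to staged build artifacts"

  permissions {
    actions      = ["Microsoft.Storage/storageAccounts/read"]
    data_actions = ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"]
  }
  assignable_scopes = [azurerm_resource_group.iiq.id]
}

resource "azurerm_role_assignment" "build_stager" {
  scope              = azurerm_resource_group.iiq.id
  role_definition_id = azurerm_role_definition.build_stager.role_definition_resource_id
  principal_id       = var.devops_sp_object_id
}
```

Because `admin_enabled` is off and no `listKeys` action is granted, a leaked pipeline credential yields only scoped push/pull and blob read, which is the least-privilege property the article calls out.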
As mentioned in part 1, the Azure Kubernetes Service cluster is enabled with Flux2 GitOps (4). Flux2 automatically detects Kubernetes/Kustomize IaC updates in the IaC repo and deploys the IdentityIQ workload to the AKS cluster. The Kubernetes yaml files define the JVM settings, database connection and other settings as environment variables for a given environment. For developer environments, you can set a flag to deploy the Tomcat Manager application when the pod starts.
Shift-left IaC code security and image vulnerability scanning are provided by Snyk, while Microsoft Defender provides the CNAPP.
The next article will drill down into specific aspects of the design.