Setting up WordPress in Azure with AKS and Helm

To get started, you’ll need the following:

  • kubectl
  • helm
  • Azure subscription

Installing WordPress in AKS with Helm

Set up an Azure Kubernetes Service with the following:

  • Node size – desired VM size (cheapest available is B2s)
  • Node count – need to use at least a minimum of 1.

After AKS is set up, connect to it with the following:

az aks get-credentials --resource-group AKS_RG --name AKS_NAME

Install Helm:

helm init

Create a values.yml file:

wordpressUsername: sammy
wordpressEmail: sammy@example.com
wordpressFirstName: Sammy
wordpressLastName: the Shark
wordpressBlogName: Sammy's Blog!

Create a second file values.secret.yml:

wordpressPassword: password

Now install WordPress with the following commands:

helm install --name blog -f values.yml -f values.secrets.yml stable/wordpress

After installation, run the following command to get the external IP:

kubectl get svc --namespace default -w blog-wordpress

Once the IP is ready, you’ll likely need to wait for the pods to finish loading. You can check their status with:

kubectl get pods

Once ready, try accessing the IP address to get the WordPress installation.

Reference: https://www.digitalocean.com/community/tutorials/how-to-set-up-wordpress-with-mysql-on-kubernetes-using-helm

Setting Up SonarQube in Azure with Azure AD Integration

Installing SonarQube

Go to the marketplace and install SonarQube from Bitnami – https://bitnami.com/stack/sonarqube/cloud/azure with the following:

  • resize to D1_v2
  • if desired, configure any NSG restrictions

After creation, set a DNS name label for the IP address.

Access using the domain name, and follow the directions in the link above to log in.

Setting up Azure AD Integration

Setting up HTTPS

To be able to use Azure AD, you have to use HTTPS.

Set up the Server base URL to be the configured HTTPS address in Administration → Configuration → General → Server base URL:

SSH into the server and set up a Let’s Encrypt script and enforce redirection to HTTPS here (make sure you aren’t behind a firewall to allow for Let’s Encrypt).

Restart Apache:

sudo /opt/bitnami/ctlscript.sh restart apache

Verify that trying to access the HTTP version of SonarQube automatically redirects you to the HTTPS version.

Creating App Registration in Azure

Run the following command in CLI to generate a service principal:

az ad sp create-for-rbac --name="{NAME}" --role="Contributor" --scope="/subscriptions/{SUBSCRIPTION_ID}" --years=100

You should receive some output data, which you will use when filling out info in SonarQube:

Set the Reply URL of the application to https://<URL>/oauth2/callback/aad:

Set the required permissions:

  • Sign in and read user profile
  • Read all users’ basic profiles

Installing Plug-in

Install the Azure Active Directory (AAD) Authentication Plug-in for SonarQube (restarting when requested):

Configure in Administration → General Settings → Azure Active Directory:

  1. Activate Azure AD
  2. Use the value in “appId”
  3. Use the value in “password”
  4. Use the value in “tenant”
  5. Allow users to sign-up.

Log out as admin, and verify the ability to log in as an Azure AD user.

Create Multiple Terraform Resources with a Map

I recently worked through a case in Terraform where I wanted to be able to pass in a map for Terraform to allow creating secrets in an Azure Key Vault. We’ll use the count, keys(, and values( helpers to iterate through the map.

This code sample will show a way to dynamically determine the amount of resources needed. In this case, this will create secrets based on the map provided in the Terraform variable:

variable "vault_secrets" {
  secret_name_1 = "secret_value_1"
  secret_name_2 = "secret_value_2"
  secret_name_3 = "secret_value_3"
}

resource "azurerm_key_vault" "vault" {
  name                = "example-vault"
  location            = "${var.rg_location}"
  resource_group_name = "${var.rg_name}"
  tenant_id           = "00000000-0000-0000-0000-000000000000"

  sku {
    name = "standard"
  }
}

resource "azurerm_key_vault_secret" "secret" {
  count = "${length(keys(var.vault_secrets))}"

  name         = "${element(keys(var.vault_secrets), count.index)}"
  value        = "${element(values(var.vault_secrets), count.index)}"
  key_vault_id = "${azurerm_key_vault.vault.id}"
}

Uploading a Public Key to a VM

Obtaining Public Key First, check to see if you already have a public key for your machine: ls ~/.ssh If you don’t see an id_rsa.pub file, create a public/private key pair on the machine that will access the VM: ssh-keygen

Uploading

For the next step, you’ll need to use a machine that can access the VM – using the public key generated in the step above, SSH into the VM and run the following: scp /path/to/public_key username@server:~ mv id_rsa.pub ~/.ssh/authorized_keys

Verification

Finally, going back to the machine you want to SSH with, SSH into the VM to make sure access is working: ssh username@hostname You should be able to log into without a password.]]>

Setting up Remote State with Terraform and Azure

Create the Azure Storage Account The first step is creating a storage account that will host the state information for the entire tenant. Create the following in order:

  1. Resource group (specifically for the Storage Account)
  2. Storage Account
  3. A container/blob for the Storage Account
In terms of working with multiple projects, I personally like to use multiple storage accounts for each major project you’ll be building out. This gives a separate access key for each project.

Setting up Backend Config

First, create a file called backend.tf and populate with the following:
terraform {
    backend "azure" {}
}
Second, create a file called beconf.tfvars, and populate it with the following:
resource_group_name = “” storage_account_name = “” container_name = “” key = “” access_key = “” Once this is done, initialize the backend with the following command: terraform init -backend-config="beconf.tfvars" Verify everything is set up with the following:

Running Terraform

Once the backend configuration is set, the next step is running Terraform itself. I suggest running it alongside a tfvars file that defines environment-specific information: terraform apply -var-file="dev.tfvars"

Checking into Source Code

Now that you’re using remote state for Terraform, you don’t have to worry about checking in your state file into source code. Just in case you’re doing this on a fresh Terraform setup, add the following to your .gitignore file:
.terraform
be.tfvars



Reference
https://medium.com/@trstringer/use-azure-blob-storage-for-remote-terraform-state-5f809b95215a]]>		

Git Repo Best Practices

Forcing Pull Request Merges to master When creating a repo, it’s a good idea to keep the master branch deployable and clean at all times. A good way to do this is to not allow direct commits to the branch. In turn, if you have a CI/CD process in place, you can have more confidence that checking things into master can result in a deployment. In a system using trunk-based deployment, you may decide to automatically deploy all changes from master into production. You can do this in Github with the following steps: Go to the repo, and go to ‘Settings’. Click on ‘Branches’. Create the rule: Once this is done, if you try to commit directly to master, you’ll see the following: ]]>

Creating a nopCommerce Plugin in version 3.90 and below

I recently worked with a client using an older version of nopCommerce that needed to have a plugin made for functionality. In particular, this plugin integrates with updown.io to allow for turning checks on and off during scheduled maintenance.

To do this, you’ll need to have the nopCommerce source code available for use.

Creating the Plugin

To get started, create a Class Library in the Plugins folder:

  • Make sure to change the location to the plugin folder below the name.
  • Use naming convention Nop.Plugin.{category}.{name}
  • The categories you can use include:
    • ExternalAuth
    • Widgets
    • ExchangeRate
    • DiscountRules
    • Payments
    • Shipping
    • Tax
    • Misc

Next, go into properties and make sure your Target framework is .NET Framework 4,.5.1.

Next, change the output path for all configurations to deploy to:

..\..\Presentation\Nop.Web\Plugins\{group}.{name}\

This will build the output of the plugin into the Web project, which will ultimately deploy to the nopCommerce application.

After that, copy a web.config file from another plugin.

Next, create a Description.txt file with the following content:

Group: {group}
FriendlyName: {friendly name}
SystemName: {group}.{name}
Version: 0.1
SupportedVersions: {your version of nopCommerce}
Author: {you}
DisplayOrder: 1
FileName: Nop.Plugin.{group}.{name}.dll
Description: {a description}

Set both the web.config and Description.txt files to ‘Copy if newer’.

Finally, there is a Class.cs file that was created when creating the Class Library. Rename the file to {name}Plugin.cs and use the following code snippet:

public class YourPlugin : BasePlugin, IMiscPlugin
    {
        public void GetConfigurationRoute(out string actionName, out string controllerName, out RouteValueDictionary routeValues)
         {
             actionName = "";
             controllerName = "";
             routeValues = new RouteValueDictionary { { "area", null } };
         }
    }

Once this is done, you should be able to clean, build, and publish the project. Check the plugins list of the admin backend to see your plugin listed:

Just to ensure everything is working, go ahead and install the plugin. The plugin should install successfully, and the plugin will then be running on your site. You’re now ready to make changes to the plugin to modify NopCommerce capabilities.

Next Steps

After the initial plugin was created, next steps include:

  • Creating a logo named logo.png and upload it to the plugin. Set the image to ‘Copy if newer’ and size the image to around 50×50.
  • Set up a configuration page to allow for customizing data on the plugin.

Reference: 
http://docs.nopcommerce.com/pages/viewpage.action?pageId=22675509

SSHing into an Azure Kubernetes Service node

First, a few reasons why you might do this:

  • If you were looking to view and/or retrieve files from the node itself, perhaps generated by a pod.
  • If you wanted to get more information on the OS running for the node.

Generate an SSH Key

First, generate an SSH key to connect to the server with, noting where you save:

ssh-keygen

Add Public SSH Key to Node

Next, add your generated public SSH key to the node, alongside a user:

az vm user update --resource-group <RESOURCE_GROUP> --name <NODE_NAME> --username azureuser --ssh-key-value <PUBLIC_SSH_KEY_LOCATION>

Setting up to SSH

To actually SSH into the node, there are two ways you can do this:

  1. Open the node via a public IP address and SSH into it directly from your machine. This is the easiest and my preferred way to do this, but requires the ability to make changes to the network interface of the node.
  2. Create a pod with OpenSSH installed to ssh into the node while connected.

Method 1: Public IP Address

First, access the network interface of the node you’re trying to access. Access IP Configurations, and click the ‘ipconfig1’ configuration. Add a public IP:

Next, create an NSG rule for the cluster with the following info:

  • Source: your local IP address (https://canihazip.com/s)
  • Destination: the private IP address of the node.
  • Destination port ranges: 22
  • Protocol: TCP

Method 2: Creating OpenSSH Pod

I’ll fill this out at some point.

SSHing into the Node

After following either of the methods above, the final step is actually SSHing into the node. If you’ve been using PowerShell here, I’d switch to WSL:

sudo ssh -i <PUBLIC_SSH_KEY_DIR> azureuser@<PUBLIC_IP>

Clean Up

Once you’ve finished, I recommend:

  • Removing the SSH access rule from the NSG.
  • Removing the public IP address from the AKS node network interface.
]]>

Keeping Track of Apparel in NopCommerce by Size

Setting the Product to Use Attributes For Inventory
  • View the product using the “Advanced” view
  • Set the Inventory Method for the product to be “Track inventory by product attributes”
  • Optionally, set “Display availability” and “Display stock quantity”

Adding Inventory for the Product

  • Go to “Product Attributes” -> “Attribute Combinations”
  • You should see a listing of the different sizes available – if not, click the “Generate all possible combinations” button.
  • Change the stock count for each item as needed:
]]>

Setting up WordPress in Azure with SSL for ~$8 a Month

  • Basic plan (allowing for Always on and SSL): ~$50/month
  • MySQL for Azure: ~$25
  • With this solution, you will create everything on one virtual machine, allowing for dynamic scaling as needed for the machine. This does of course come with some downside:

    • You will need to handle backing up of both the files on the server and the data in the database.

    Creating the VM

    First, create the VM and Resource Group:

    • RG name: <app>-<env>-<location>-rg
    • VM name: <app>-<env>-<location>-vm
    • Image: Ubuntu 18.04 LTS
    • VM size: B1s
    • VNet name: <app>-<env>-<location>-vnet
    • Diagnostics Storage Account: <app><env><location>vmdiag
    • Allow Inbound Port Access for HTTP, HTTPS, SSH
    • Login access through Azure Active Directory

    Once the VM is created, access the NSG and add a restriction to IP to only allow your local IP to access:

    Access VM and Install LAMP Server

    Retrieve the public IP address and SSH into the server:

    ssh <user>@<public_ip>

    Install LAMP Server:

    sudo apt update && sudo apt install lamp-server^

    To ensure the installation happened successfully, run the following commands:

    apache2 -v
    mysql -V
    php -v

    Once LAMP server is installed, verify that you can connect to HTTP using the public IP address – you should see the Apache2 Ubuntu Default Page:

     

    Set up MySQL

    Once the web server is running, the next step is configuring MySQL. Run the following command, installing the Validate Password Plugin and using “Medium” policy:

    sudo mysql_secure_installation

    When installing, use medium strength, and default yes to all options except “Disallow root login remotely?” Generate a password.
    The next step is configuring access to MySQL through external servers (such as from a VPN). This assumes you’ll be using the NSG from Azure to restrict access based on desired IP addresses.
    Run a query to allow access:

    sudo mysql -u root -p
    GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'password' WITH GRANT OPTION; FLUSH PRIVILEGES;

    Edit MySQL configuration:

    sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf

    Comment out the line that says ‘bind-address’.
    After making that change, restart MySQL:

    sudo service mysql restart

    Finally, create an NSG rule that allows for external access to port 3306:

    Once the installation is done, let’s verify that the MySQL server can be accessed. I usually use MySQL Workbench and connect to the server using the following information:

    • Hostname: public IP

    After MySQL is set up, set up any database that may be needed.
    Here, you’ll want to set up the WordPress database server, whether you are starting fresh or migrating from an old instance.
    If running into an issue with packet size, run the following command in MySQL and restart:

    sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf

    The final step is creating a DB user specifically for the WordPress installation – this use would only have access to the specific database that WordPress uses. Create a user with the following:

    • Allow access to the DB used for the WordPress installation.

    Installing WordPress

    After finishing setting up the LAMP server, next is installing WordPress. Assuming you’ve downloaded the source, you can use the following:

    scp -r .\wordpress-download\ vmadmin@YOUR_SERVER_IP:~

    Now you’ll need to SSH into the server and move the files into /var/www/html:

    sudo mv -v ~/wordpress-download/* /var/www/html/

    Before doing the 5-minute install, run the following to allow for Apache to have write permissions:
    Check the group that Apache is running under:

    cat /etc/apache2/apache2.conf | grep ^Group -B 2
    cat /etc/apache2/envvars | grep GROUP
    # Give that group access
    sudo chown -R www-data:www-data /var/www/html
    sudo find /var/www/html -type d -exec chmod 755 {} \;
    sudo find /var/www/html -type f -exec chmod 644 {} \;
    

    Now perform the 5-minute install to ensure everything is working, you can access the site using the IP address to ensure everything in place.
    While doing this, make sure you can do the following:

    • Configure Apache to use .htaccess files. Change the following in apache2.conf to change AllowOverride to All:
      • <Directory /var/www/>
          Options Indexes FollowSymLinks
          AllowOverride None
          Require all granted
        </Directory>
    • Access a page outside of the home page (sudo a2enmod rewrite && sudo systemctl restart apache2)
    • Upload a media file to test uploads

    Enabling Mail (using G Suite)

    First, set up DNS to use email. For this example, we are using Google Suite for email. Add the following 5 MX records:

    • Host: @
    • Records (priority-URL)
      • 1-ASPMX.L.GOOGLE.COM.
      • 5-ALT1.ASPMX.L.GOOGLE.COM.
      • 5-ALT2.ASPMX.L.GOOGLE.COM.
      • 10-ALT3.ASPMX.L.GOOGLE.COM.
      • 10-ALT4.ASPMX.L.GOOGLE.COM.

    Then, do the following:
    https://wpforms.com/how-to-securely-send-wordpress-emails-using-gmail-smtp/

    Setting up SSL

    Once the web server can be reached and LAMP is installed, the next step is securing the site using SSL. Run the following to enable SSL, enable the SSL site, and restart Apache:

    sudo a2enmod ssl
    sudo a2ensite default-ssl
    sudo systemctl reload apache2

    Once that’s done, access the public IP using HTTPS – you should get an insecure cert warning.
    Now that we’ve determined the port is listening, let’s set up Let’s Encrypt. Using CertBot usually makes this much easier. Since in this case, we’re using Apache and Ubuntu 18.04, we just need to populate those values and run the commands provided by CertBot:

    With these commands, you’ll also need to set up DNS for the domain to use. With the public IP address, create the following:

    • create an A record with the host as @ and the IP address as the web server IP address.

    After this finishes, run the CertBot job to create the certificate. After that finishes, allow for the ability to redirect to HTTPS using the CertBot plugin.
    Reference:

    ]]>