Protegrity Provisioned Cluster on

Prerequisites

Mon, 01 Jan 0001 00:00:00 +0000

Microsoft Azure Resource Providers: The following Microsoft Azure resource providers are registered.

Microsoft.ContainerService
Microsoft.Network
Microsoft.Compute
Microsoft.Storage
Microsoft.KeyVault
Microsoft.ManagedIdentity
Microsoft.OperationsManagement
Microsoft.OperationalInsights

AKS Permissions: Contact the Infrastructure Team to get the necessary permissions to create an AKS cluster, typically Contributor and User Access Administrator roles on the target subscription or resource group.

Jump Box or Local Machine: Use a dedicated Debian jump box created in Microsoft Azure. Do not use a jump box hosted on any other cloud.

Preparing for PPC deployment

Mon, 01 Jan 0001 00:00:00 +0000

This section describes the steps to download and extract the recipe for deploying the PPC.

Note: If there is an existing cluster from a previous install, clean up your local repository on the jump box and any existing clusters by running tofu destroy -var-file=terraform.tfvars from scripts/iac/ before proceeding.

During installation, the system may prompt for the system password and require sign-in to Microsoft Azure. If the Azure CLI is not already logged in, the bootstrap script automatically runs az login. A device-code prompt similar to the following displays.

Deploying PPC

Mon, 01 Jan 0001 00:00:00 +0000

Before you begin

The repository provides a bootstrap script that automatically installs or updates the following tools on the jump box:

Azure CLI - Required to communicate with your Microsoft Azure account.
OpenTofu - Required to manage infrastructure as code.
kubectl - Required to communicate with the Kubernetes cluster.
Helm - Required to manage Kubernetes packages.
Make - Required to run the OpenTofu automation scripts.
jq - Required to parse JSON.
oras: Required to pull non‑container, generic OCI artifacts from the registry that are not handled by standard container tooling.

The bootstrap script asks for variables to be set to complete the deployment. Follow the instructions on the screen:

Deleting PPC

Mon, 01 Jan 0001 00:00:00 +0000

Cleaning up the AKS Resources

To destroy all created resources, including the AKS cluster and related components, run the following command:


# Navigate setup directory
cd iac_setup_azure/scripts/iac

# Clean up all resources
tofu destroy -auto-approve

Executing this command destroys the PPC and all related components.

Installing Features

Mon, 01 Jan 0001 00:00:00 +0000

After the PPC deployment is complete, optional components can be installed to extend the functionality.

Note: Feature installation is decoupled from PPC and must be performed separately. For detailed installation instructions, refer to the documentation provided by the respective feature teams.

Policy Workbench

This section describes how to install, verify, and uninstall Policy Workbench on a Kubernetes cluster without deploying Karpenter resources.

Prerequisites

Before running the Helm command, ensure the following prerequisites are in place:

Troubleshooting

Mon, 01 Jan 0001 00:00:00 +0000

Accessing the PPC CLI

Permission denied (publickey): Ensure the correct private key (~/.ssh/<cluster_name>_user_svc) is used and matches the authorized_keys in the pod.
Connection refused: Verify the load balancer IP and hosts file configuration.
Key format issues: Ensure the private key is in the correct format (OpenSSH format for Linux/macOS, .ppk for PuTTY)

Component installation issues

Helm chart not found: Run helm repo update to refresh the repository cache.
Namespace already exists: Drop the --create-namespace flag if the namespace is already created.
CRD conflicts: If cert-manager CRDs already exist, skip the CRD installation step.
Pod not starting: Inspect logs with kubectl logs <pod> -n <namespace> and kubectl describe pod <pod> -n <namespace>.