Installation on Microsoft Azure via AKS
Overview
This guide covers the installation of CAST Imaging on Microsoft Azure Azure Kubernetes Service (AKS) using Helm charts.
Requirements
- Access to Docker Hub registry - CAST Imaging Docker images are available as listed in the table below
- A clone of the latest release branch from the Git repository containing the Helm chart scripts:
git clone https://github.com/CAST-Extend/com.castsoftware.castimaging-v3.kubernetessetup(to clone an older release, add the “-b x.x.x” flag with the desired release number). - A valid CAST Imaging License
- Optional setup choices:
- Deploy the Kubernetes Dashboard (https://github.com/kubernetes/dashboard ) to troubleshoot containers and manage the cluster resources.
- Setup Azure Files for a multi
analysis-nodedeployment (Azure Disks - block storage is used by default) - Use an external PostgreSQL instance (a PostgreSQL instance is provided as a Docker image and will be used by default)
Docker images
CAST Imaging is provided in a set of Docker images as follows:
Installation process
Before starting the installation, ensure that your Kubernetes cluster is running, all the CAST Imaging docker images are available in the registry and that helm and kubectl are installed on your system.
Step 1 - AKS environment setup
Create your AKS environment, see AKS - Cluster Setup.
CAST Imaging also requires:
- Azure CLI to retrieve the cluster credentials
az aks get-credentials --resource-group my-resource-group --name my-cluster(login withaz login) kubectl- see https://kubernetes.io/docs/tasks/tools/helm- see https://helm.sh/docs/intro/quickstart/ . The binary download is provided here: https://github.com/helm/helm/releases
Step 2 - Prepare and run the CAST Imaging installation
- Review and adjust the parameter values in the
values.yamlfile (located at the root of the cloned Git repository branch) in between the section separated with # marks. - Ensure you set the
K8SProvider:option toAKS - When using a custom CA or self-signed SSL certificate, copy the contents into the relevant section in the file
console-authenticationservice-configmap.yamllocated at the root of the cloned Git repository branch and then setUseCustomTrustStore:option totruein thevalues.yamlfile - Run
helm-install.bat|sh(depending on your base OS) located at the root of the cloned Git repository branch
Step 3 - Configure network settings
You will need to setup a reverse proxy such as an Ingress Service, an Application Gateway or a web server (e.g., NGINX) to access the imaging-services “gateway” from outside (with a DNS record/FQDN such as dev.imaginghost.com). The DNS record/FQDN should also have an appropriate SSL certificate.
If you want to use an Azure Application Gateway
Instructions can be found in the file Azure-ApplicationGateway-for-CastImaging.pdf (located at the root of the cloned Git repository branch).
If you want to use an Ingress
Set CreateIngress: true in values.yaml:
# Ingress & LoadBalancer creation (for console-gateway, extendproxy, mcp-server):
CreateIngress: true
Install the Ingress driver on the cluster:
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm install ingress-nginx ingress-nginx/ingress-nginx --namespace ingress-nginx --create-namespace --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz
Create TLS Secret(s) using the certificate files associated to the DNS name you are planning to use (e.g. dev.imaginghost.com):
kubectl create secret tls tls-secret-cast --cert=mycertificatefolder\fullchain.pem --key=mycertificatefolder\privkey.pem -n castimaging-v3
# (fullchain.pem <=> tls.crt ; privkey.pem <=> tls.key)
Optional - for certificates that cannot be verified (e.g., self-signed certificate or internal CA), it will need to be stored in the CAST auth-service:
- set:
UseCustomTrustStore: trueinvalues.yaml - Insert the encoded certificate:
- directly inside the
auth.caCertificatevariable invalues.yaml - or using
helm upgrade ... --set-file auth.caCertificate=ca.crt ...to override the variable value with theca.crtfile content
- directly inside the
UseCustomTrustStore: true
auth:
caCertificate: |
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
Final steps:
- Update the
FrontEndHost:variable in thevalues.yamlfile, e.g. with https://dev.imaginghost.com - Apply the
helmchart changes by runninghelm-upgrade.bat|sh(depending on your base OS) located at the root of the cloned Git repository branch. - Create a DNS record pointing at the reverse proxy ADDRESS. For an Ingress, this ADDRESS can be displayed using this command:
kubectl get ingress -n castimaging-v3
Step 4 - Install Extend Local Server (optional)
If you need to install Extend Local Server as an intermediary placed between CAST Imaging and CAST’s publicly available “Extend” ecosystem https://extend.castsoftware.com , follow the instructions below. This step is optional and if not completed, CAST Imaging will access https://extend.castsoftware.com to obtain required resources.
- Retrieve the Extend Local Server external IP address by running
kubectl get service -n castimaging-v3 extendproxy - In
values.yaml(located at the root of the cloned Git repository branch), setExtendProxy.enabletotrueand update theExtendProxy.exthostnamevariable:
ExtendProxy:
enable: true
exthostname: myextendhost.com
- Run
helm-upgrade.bat|sh(depending on your base OS) located at the root of the cloned Git repository branch. - Review the log of the
extendproxypod to find the Extend Local Server administration URL and API key (these are required for managing Extend Local Server and configuring CAST Imaging to use it - you can find out more about this in Extend Local Server). You can open the log file from the Kubernetes Dashboard (if you have chosen to install it). Alternatively, you can get theextendproxypod name by runningkubectl get pods -n castimaging-v3then runkubectl logs -n castimaging-v3 castextend-xxxxxxxxto display the log.
Step 5 - Initial start up configuration
When the install is complete, browse to the public/external URL and login using the default local admin/admin credentials. You will be prompted to configure:
- your licensing strategy. Choose either a
Named Applicationstrategy (where each application you onboard requires a dedicated license key entered when you perform the onboarding), or aContributing Developersstrategy (a global license key based on the number of users):
- CAST Extend settings / Proxy settings (if you chose to install Extend Local Server (see Step 4 above) then you now need to input the URL and API key so that CAST Imaging uses it).
As a final check, browse to the URL below and ensure that you have at least one CAST Imaging Node Service, the CAST Dashboards and the CAST Imaging Viewer components listed:
https://<public or external URL>/admin/services
Step 6 - Configure authentication
Out-of-the-box, CAST Imaging is configured to use Local Authentication via a simple username/password system. Default login credentials are provided (admin/admin) with the global ADMIN profile so that installation can be set up initially.
CAST recommends configuring CAST Imaging to use your enterprise authentication system such as LDAP or SAML Single Sign-on instead before you start to onboard applications. See Authentication for more information.
How to start and stop CAST Imaging
Use the following script files (located at the root of the cloned Git repository branch) to stop and start CAST Imaging:
Util-ScaleDownAll.bat|shUtil-ScaleUpAll.bat|sh
Optional setup choices
Install Kubernetes Dashboard
Please refer to the Kubernetes Dashboard documentation at https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/ .
Setup Azure Files for multiple analysis-node(s)
All pods will use Azure Disks (block storage) by default. For the console-analysis-node StatefulSet, it is possible to configure Azure Files (based on the file.csi.azure.com driver driver) to enable file sharing between analysis nodes, when multiple analysis nodes are required.
Prior to running the initial CAST Imaging installation (detailed above), follow these steps:
- Set
AnalysisNodeFS.enableto true in thevalues.yamllocated at the root of the cloned Git repository branch - Proceed with the CAST Imaging installation described above
Use an external PostgreSQL instance
If you do not want use the PostgreSQL instance preconfigured in this helm chart, you can disable it and configure an Azure Database for PostgreSQL instead.
- Setup your Azure Database for PostgreSQL (PostgreSQL 15 - 8GB RAM minimum recommended, e.g. B2ms)
- Connect to the database with a superuser and execute this script to create the necessary CAST custom users/database:
CREATE USER operator WITH SUPERUSER PASSWORD 'CastAIP';
GRANT azure_pg_admin TO operator;
CREATE USER guest WITH PASSWORD 'WelcomeToAIP';
GRANT ALL PRIVILEGES ON DATABASE postgres TO operator;
CREATE USER keycloak WITH PASSWORD 'keycloak';
CREATE DATABASE keycloak;
GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak;
EOSQL
- In the
values.yamllocated at the root of the cloned Git repository branch:- Set
CastStorageService.enabletofalse(to disable the PostgreSQL instance server preconfigured by CAST) - Set
CustomPostgres.enabletotrue - Set the
CustomPostgres.hostandCustomPostgres.portto match your custom instance host name and port number
- Set
- Proceed with the CAST Imaging installation described above