Skip to main content

Azure Deployment Checklist

Use this checklist when deploying applications (e.g., Airflow, data platforms) on Azure Kubernetes Service.

Pre-Deployment

Chart Validation

  • Chart structure valid (Chart.yaml, values.yaml)
  • Dependencies configured (helm dependency update)
  • Azure-specific values file (e.g., values-dev.yaml)

Critical Items

  • Database password — Use ExternalSecret or Key Vault; avoid plain text
  • TLS certificate — Ensure secret exists or ExternalSecret syncs from Key Vault
  • Storage classes — Use Azure CSI (managed-csi, azurefile-csi) where applicable

Prerequisites

  • External Secrets Operator installed
  • Namespace created
  • Storage classes exist
  • Ingress controller (e.g., nginx) installed
  • Workload Identity configured

Azure Resources

  • Azure Key Vault exists
  • Required secrets in Key Vault
  • Managed Identity has Key Vault read permissions
  • PostgreSQL (if external) accessible from cluster
  • Database and user created (if using external Postgres)

Deployment Steps

1. Create Namespace

kubectl create namespace <your-namespace>

2. Verify Prerequisites

kubectl get pods -n external-secrets-system
kubectl get storageclass managed-csi azurefile-csi
kubectl get ingressclass nginx

3. Deploy Chart

helm upgrade --install <release-name> . \
  -f values-dev.yaml \
  -n <your-namespace> \
  --create-namespace

4. Wait for ExternalSecrets

kubectl get externalsecret -n <your-namespace>
kubectl wait --for=condition=Ready externalsecret/<name> -n <your-namespace> --timeout=5m

5. Verify Deployment

kubectl get pods -n <your-namespace>
kubectl get svc -n <your-namespace>
kubectl get ingress -n <your-namespace>

Post-Deployment

  • All pods Running
  • Database connection verified (check logs)
  • Ingress accessible via HTTPS
  • TLS certificate valid

Troubleshooting

IssueCheck
ExternalSecret not syncingkubectl describe externalsecret <name>
Database connection failedPod logs, firewall rules, connection string
ImagePullBackOffImage pull secrets or Workload Identity for ACR
Permission deniedKey Vault RBAC, Managed Identity roles

References