Skip to main content

Azure Deployment Checklist

Pre-deployment

Infrastructure

  • AKS cluster running with Workload Identity
  • PostgreSQL reachable from cluster (private endpoint or firewall rules)
  • Databases bighammer_db_<env> and keycloak_db_<env> provisioned
  • Platform Key Vault / GSM prerequisite secrets provisioned — Key Vault Secrets · Infrastructure
  • Dual-role values: POSTGRES_USER: bh_dev_user, BH_APP_USER: bh_app_user, postgres.password aligned — Key Vault Secrets
  • Application schemas applied (create-dbs-azure.sh) — Scripts Reference
  • One-time Key Vault secrets pushed — Key Vault Secrets
  • Azure DNS zone and A records (or plan to add after LB IP known)
  • NSG / firewall: TCP 80, 443 to ingress; health probe path configured

Chart / values

  • values-<env>.yaml — ACR repo, hostnames, Key Vault URI, tenant ID
  • global.remoteSecrets aligned with Key Vault secret names
  • Chart and images mirrored to your ACR — Release Manifest & Distribution
  • Chart version in release manifest matches mirrored artifacts

Cluster add-ons

  • External Secrets Operator healthy
  • NGINX Ingress deployed with class nginx
  • RabbitMQ broker deployed and reachable
  • TLS: cert-manager path or private cert in Key Vault + K8s secret — TLS Options
  • Reloader (optional, matches chart annotation)

Identity / IAM

  • ESO Workload Identity binding applied
  • App federated credentials bound to managed identities
  • AKS has AcrPull on customer ACR

Deployment

  • kubectl create namespace bh-control-plane (if needed)
  • helm upgrade --install bighammer ...
  • ExternalSecrets status SecretSynced
  • All pods Running (allow time for image pull)

Post-deployment

  • DNS points to ingress load balancer IP
  • HTTPS works on UI and Keycloak hosts
  • Tenant creation / login smoke test
  • Celery workers connected to RabbitMQ
  • DB credential secrets match PostgreSQL users — Key Vault Secrets · Keycloak server database
  • If DB names differ from reference defaults, all chart values updated — Renaming databases or users

Release upgrade

  • New release manifest received from BigHammer
  • Mirror job completed for new chart version and image tags
  • Release notes reviewed — Helm Chart Release Notes

See Release Manifest & Distribution.

Optional Airflow: Airflow Deployment Checklist.