Azure Deployment Checklist
Pre-deployment
Infrastructure
- AKS cluster running with Workload Identity
- PostgreSQL reachable from cluster (private endpoint or firewall rules)
- Databases
bighammer_db_<env>andkeycloak_db_<env>provisioned - Platform Key Vault / GSM prerequisite secrets provisioned — Key Vault Secrets · Infrastructure
- Dual-role values:
POSTGRES_USER: bh_dev_user,BH_APP_USER: bh_app_user,postgres.passwordaligned — Key Vault Secrets - Application schemas applied (
create-dbs-azure.sh) — Scripts Reference - One-time Key Vault secrets pushed — Key Vault Secrets
- Azure DNS zone and A records (or plan to add after LB IP known)
- NSG / firewall: TCP 80, 443 to ingress; health probe path configured
Chart / values
-
values-<env>.yaml— ACR repo, hostnames, Key Vault URI, tenant ID -
global.remoteSecretsaligned with Key Vault secret names - Chart and images mirrored to your ACR — Release Manifest & Distribution
- Chart version in release manifest matches mirrored artifacts
Cluster add-ons
- External Secrets Operator healthy
- NGINX Ingress deployed with class
nginx - RabbitMQ broker deployed and reachable
- TLS: cert-manager path or private cert in Key Vault + K8s secret — TLS Options
- Reloader (optional, matches chart annotation)
Identity / IAM
- ESO Workload Identity binding applied
- App federated credentials bound to managed identities
- AKS has AcrPull on customer ACR
Deployment
-
kubectl create namespace bh-control-plane(if needed) -
helm upgrade --install bighammer ... - ExternalSecrets status
SecretSynced - All pods
Running(allow time for image pull)
Post-deployment
- DNS points to ingress load balancer IP
- HTTPS works on UI and Keycloak hosts
- Tenant creation / login smoke test
- Celery workers connected to RabbitMQ
- DB credential secrets match PostgreSQL users — Key Vault Secrets · Keycloak server database
- If DB names differ from reference defaults, all chart values updated — Renaming databases or users
Release upgrade
- New release manifest received from BigHammer
- Mirror job completed for new chart version and image tags
- Release notes reviewed — Helm Chart Release Notes
See Release Manifest & Distribution.
Optional Airflow: Airflow Deployment Checklist.