Azure Deployment Prerequisites
Before deploying BigHammer or Airflow on Azure Kubernetes Service (AKS), ensure the following are in place.
Azure Resources
| Resource | Purpose |
|---|---|
| AKS cluster | Kubernetes 1.22+, OIDC issuer and Workload Identity enabled |
| Azure Key Vault | Secrets for databases, storage, TLS, application credentials |
| Azure Container Registry (ACR) | Container images (or use Workload Identity for pull) |
| Azure Database for PostgreSQL | Flexible Server for application and Keycloak databases |
| Azure Storage Account | Blob containers for schemas and utilities |
| Managed Identity | For Workload Identity Federation (ESO, ACR, Key Vault) |
| Federated credentials | Link Kubernetes service accounts to managed identity |
Tools
| Tool | Purpose |
|---|---|
| kubectl | Kubernetes CLI |
| helm | Helm 3.10+ |
| Azure CLI (az) | Azure authentication and Key Vault operations |
| psql | PostgreSQL client (for database creation) |
Cluster Add-ons
- External Secrets Operator – Sync secrets from Azure Key Vault to Kubernetes
- NGINX Ingress Controller – Ingress class `nginx`
- Storage classes – `managed-csi` (Azure Disk), `azurefile-csi` (Azure File). Optional: `azure-blob-csi` for Blob mounts
Permissions
- Managed Identity → Key Vault: Secrets User (Get, List) or custom RBAC
- Managed Identity → ACR: AcrPull
- Managed Identity → Storage: Access to required containers (if using storage account key, store in Key Vault)
- AKS → PostgreSQL: Firewall allows cluster egress; DB user has privileges on databases
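As an added example (not part of the BigHammer/Airflow docs), the script below performs the identity wiring these prerequisites describe: it creates the managed identity, federates it to the External Secrets Operator service account through the cluster's OIDC issuer, and grants the roles listed under Permissions. All resource names are placeholders, and the choice of `Storage Blob Data Reader` for container access is an assumption.

```shell
#!/bin/sh
# Added example (not from the BigHammer/Airflow docs). All resource names are
# placeholders; override them through the environment.
set -eu

RG="${RG:-rg-bighammer}"                 # resource group
AKS="${AKS:-aks-bighammer}"              # AKS cluster with OIDC issuer + Workload Identity
MI="${MI:-mi-bighammer-eso}"             # user-assigned managed identity to create
KV="${KV:-kv-bighammer}"                 # Key Vault, RBAC permission model
ACR="${ACR:-acrbighammer}"               # container registry
STG="${STG:-stbighammer}"                # storage account holding schemas/utilities
ESO_NS="${ESO_NS:-external-secrets}"     # namespace of External Secrets Operator
ESO_SA="${ESO_SA:-external-secrets}"     # its Kubernetes service account
DRY_RUN="${DRY_RUN:-0}"                  # DRY_RUN=1 prints az commands instead of running them

# Workload Identity exchanges a token only if its subject matches this exact string.
wi_subject() { printf 'system:serviceaccount:%s:%s' "$1" "$2"; }

# Built-in roles matching the Permissions section (custom RBAC is the alternative).
role_for() {
  case "$1" in
    keyvault) printf 'Key Vault Secrets User' ;;    # Get/List on secrets only
    acr)      printf 'AcrPull' ;;
    storage)  printf 'Storage Blob Data Reader' ;;  # assumption: read-only access suffices
    *)        return 1 ;;
  esac
}

run() { if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi; }
# Read-only lookups return a placeholder in dry-run mode so the script stays offline.
lookup() { if [ "$DRY_RUN" = 1 ]; then printf '<%s>' "$1"; else shift; "$@"; fi; }
grant() { # grant <keyvault|acr|storage> <resource-id>
  run az role assignment create --assignee-object-id "$PRINCIPAL_ID" \
    --assignee-principal-type ServicePrincipal --role "$(role_for "$1")" --scope "$2"
}
main() {
  ISSUER=$(lookup issuer az aks show -g "$RG" -n "$AKS" --query oidcIssuerProfile.issuerUrl -o tsv)
  [ -n "$ISSUER" ] || { echo "OIDC issuer is not enabled on $AKS" >&2; exit 1; }
  run az identity create -g "$RG" -n "$MI"
  PRINCIPAL_ID=$(lookup principalId az identity show -g "$RG" -n "$MI" --query principalId -o tsv)
  # The same namespace/service account must carry the azure.workload.identity annotations.
  run az identity federated-credential create --name eso --identity-name "$MI" -g "$RG" \
    --issuer "$ISSUER" --subject "$(wi_subject "$ESO_NS" "$ESO_SA")" \
    --audiences api://AzureADTokenExchange
  grant keyvault "$(lookup kvId az keyvault show -n "$KV" --query id -o tsv)"
  grant acr      "$(lookup acrId az acr show -n "$ACR" --query id -o tsv)"
  grant storage  "$(lookup stgId az storage account show -g "$RG" -n "$STG" --query id -o tsv)"
}

case "${1:-}" in apply) main ;; esac   # run as: DRY_RUN=1 sh wire-identity.sh apply
```

Run it once with `DRY_RUN=1` to review the exact `az` commands before applying them; the Key Vault role only takes effect on vaults using the RBAC permission model rather than access policies.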