Skip to main content

Azure Deployment Prerequisites

Use this page as a deploy readiness checklist before running helm upgrade on bighammer.

For provisioning methods, Terraform/Bicep modules, and full reference values, see Infrastructure.

Azure foundation (must exist)

ResourcePurpose
AKSRun platform and AI Agent workloads
PostgreSQL Flexible ServerApplication and Keycloak data
Key VaultPasswords, TLS, app secrets
Azure DNSResolve ingress hostnames
Blob / ADLS Gen2Schemas and artifacts
Azure Container Registry (ACR)Container images and Helm OCI charts (after mirror)
Managed identitiesESO + application pod access to Azure APIs

Minimum configuration

AreaRequirement
AKSKubernetes 1.34.x (tested); Workload Identity enabled; OIDC issuer enabled; node pool ≥ Standard_D2ads_v5
PostgreSQLPostgreSQL 16; SKU ≥ Standard_D2ads_v5 General Purpose; private access recommended; SSL required
Databasesbighammer_db_<env> (application) and keycloak_db_<env> (Keycloak server)
DB usersAdmin, bh_dev_user, bh_app_user, keycloak_db_user — names must match chart defaults
DB passwords in Key Vaultazure-postgres-master-password, bh-app-user-password, bh-kcdbpwd
DNSPublic or private zone per company policy; A/CNAME records for all global.ingress.*HostName values
Helm coupling

The chart expects a dual-role database model on the application database:

  • POSTGRES_USER / POSTGRES_PASSWORDbh_dev_user — Alembic migrations, create/alter/drop tables
  • BH_APP_USER / BH_APP_USER_PASSWORDbh_app_user — runtime API and worker traffic (DML only)

See Scripts Reference — Database creation and Key Vault Secrets.

Keycloak server database — platform provisioning

The Keycloak server (bhkeycloak) uses a separate database and user provisioned by infrastructure — not the application schema bootstrap:

ResourceReference nameChart
Databasekeycloak_db_<env>global.bhkeycloak.env.KC_DB_URL
Userkeycloak_db_userglobal.bhkeycloak.env.KC_DB_USERNAME
Password (Key Vault)bh-kcdbpwdglobal.remoteSecrets.keycloak.dbPasswordKC_DB_PASSWORD

If you rename these during provisioning, update all chart touchpoints — Renaming databases or users.

Cluster add-ons (install before platform chart)

Add-onRequiredHelm chart [BigHammer tested versions]
External Secrets OperatorYesexternal-secrets-0.18.2
NGINX IngressYesHelm chart 4.15.1 (controller v1.15.1)
RabbitMQ (separate Helm release)Yesbhrabbitmq (ECR OCI → mirror to ACR) or existing broker
Stakater ReloaderRecommendedreloader-1.1.0
Cert ManagerOnly for TLS Option Acert-manager-v1.19.2

Storage classes:

  • managed-csi — Azure Disk
  • azurefile-csi — Azure File
  • azure-blob-csi — Blob volume mounts (enable via cluster add-on if not default)

IAM / RBAC (minimum roles)

PrincipalRole
ESO managed identityKey Vault Secrets User (Get, List)
App Workload IdentityKey Vault Secrets User; AcrPull; Storage Blob Data Contributor
AKS kubelet identityAcrPull on customer ACR

Identity bindings and chart config: Workload Identity · full RBAC in Infrastructure.

Tools

ToolVersion
azLatest stable
kubectlMatches cluster version
helm3.10+
psqlFor database bootstrap scripts

Optional platform services

Not required for the core Helm chart, but used in reference Azure environments:

ServicePurpose
Airflow on AKSWorkflow orchestration — Airflow Deployment
Azure DatabricksAnalytics / lakehouse
Azure AI FoundryLLM / embeddings for bhaiagent

Details: Infrastructure · Architecture.

Next steps

  1. Provision foundation — Infrastructure
  2. Mirror entitled artifacts — Release Manifest & Distribution
  3. Prepare the cluster — Cluster preparation
  4. Deploy chart — Platform Deployment · Deployment Checklist