Azure Deployment Prerequisites
Use this page as a deploy readiness checklist before running helm upgrade on bighammer.
For provisioning methods, Terraform/Bicep modules, and full reference values, see Infrastructure.
Azure foundation (must exist)
| Resource | Purpose |
|---|---|
| AKS | Run platform and AI Agent workloads |
| PostgreSQL Flexible Server | Application and Keycloak data |
| Key Vault | Passwords, TLS, app secrets |
| Azure DNS | Resolve ingress hostnames |
| Blob / ADLS Gen2 | Schemas and artifacts |
| Azure Container Registry (ACR) | Container images and Helm OCI charts (after mirror) |
| Managed identities | ESO + application pod access to Azure APIs |
Minimum configuration
| Area | Requirement |
|---|---|
| AKS | Kubernetes 1.34.x (tested); Workload Identity enabled; OIDC issuer enabled; node pool ≥ Standard_D2ads_v5 |
| PostgreSQL | PostgreSQL 16; SKU ≥ Standard_D2ads_v5 General Purpose; private access recommended; SSL required |
| Databases | bighammer_db_<env> (application) and keycloak_db_<env> (Keycloak server) |
| DB users | Admin, bh_dev_user, bh_app_user, keycloak_db_user — names must match chart defaults |
| DB passwords in Key Vault | azure-postgres-master-password, bh-app-user-password, bh-kcdbpwd |
| DNS | Public or private zone per company policy; A/CNAME records for all global.ingress.*HostName values |
The chart expects a dual-role database model on the application database:
POSTGRES_USER/POSTGRES_PASSWORD→bh_dev_user— Alembic migrations, create/alter/drop tablesBH_APP_USER/BH_APP_USER_PASSWORD→bh_app_user— runtime API and worker traffic (DML only)
See Scripts Reference — Database creation and Key Vault Secrets.
The Keycloak server (bhkeycloak) uses a separate database and user provisioned by infrastructure — not the application schema bootstrap:
| Resource | Reference name | Chart |
|---|---|---|
| Database | keycloak_db_<env> | global.bhkeycloak.env.KC_DB_URL |
| User | keycloak_db_user | global.bhkeycloak.env.KC_DB_USERNAME |
| Password (Key Vault) | bh-kcdbpwd | global.remoteSecrets.keycloak.dbPassword → KC_DB_PASSWORD |
If you rename these during provisioning, update all chart touchpoints — Renaming databases or users.
Cluster add-ons (install before platform chart)
| Add-on | Required | Helm chart [BigHammer tested versions] |
|---|---|---|
| External Secrets Operator | Yes | external-secrets-0.18.2 |
| NGINX Ingress | Yes | Helm chart 4.15.1 (controller v1.15.1) |
| RabbitMQ (separate Helm release) | Yes | bhrabbitmq (ECR OCI → mirror to ACR) or existing broker |
| Stakater Reloader | Recommended | reloader-1.1.0 |
| Cert Manager | Only for TLS Option A | cert-manager-v1.19.2 |
Storage classes:
managed-csi— Azure Diskazurefile-csi— Azure Fileazure-blob-csi— Blob volume mounts (enable via cluster add-on if not default)
IAM / RBAC (minimum roles)
| Principal | Role |
|---|---|
| ESO managed identity | Key Vault Secrets User (Get, List) |
| App Workload Identity | Key Vault Secrets User; AcrPull; Storage Blob Data Contributor |
| AKS kubelet identity | AcrPull on customer ACR |
Identity bindings and chart config: Workload Identity · full RBAC in Infrastructure.
Tools
| Tool | Version |
|---|---|
az | Latest stable |
kubectl | Matches cluster version |
helm | 3.10+ |
psql | For database bootstrap scripts |
Optional platform services
Not required for the core Helm chart, but used in reference Azure environments:
| Service | Purpose |
|---|---|
| Airflow on AKS | Workflow orchestration — Airflow Deployment |
| Azure Databricks | Analytics / lakehouse |
| Azure AI Foundry | LLM / embeddings for bhaiagent |
Details: Infrastructure · Architecture.
Next steps
- Provision foundation — Infrastructure
- Mirror entitled artifacts — Release Manifest & Distribution
- Prepare the cluster — Cluster preparation
- Deploy chart — Platform Deployment · Deployment Checklist