# Azure AKS Deployment

Deploying MazeVault on Azure Kubernetes Service

Document Version: 1.0.0
Last Updated: 2026-02-10
License Tier: Enterprise+
## 1. Architecture Overview

```mermaid
graph TB
    subgraph Azure["☁️ Azure Cloud"]
        subgraph AKS["Azure Kubernetes Service"]
            Ingress["🌐 Ingress Controller<br/>(TLS Termination)"]
            FE["🖥️ Web Interface<br/>(2+ replicas)"]
            BE["⚙️ API Server<br/>(1 replica)"]
            OCSP["📜 OCSP Responder<br/>(1-3 replicas)"]
        end
        PG["🗄️ Azure Database for PostgreSQL<br/>Flexible Server"]
        Redis["⚡ Azure Cache for Redis"]
        KV["🔐 Azure Key Vault"]
        EntraID["🆔 Azure Entra ID"]
        Monitor["📊 Azure Monitor"]
        ACR["📦 Azure Container Registry"]
    end
    Users["🧑‍💻 Users"] -->|HTTPS| Ingress
    Ingress --> FE
    Ingress --> BE
    Ingress --> OCSP
    BE --> PG
    BE --> Redis
    BE --> KV
    BE --> EntraID
    BE --> Monitor
    AKS -.->|Pull images| ACR

    classDef k8s fill:#EBF5FB,stroke:#2196F3,stroke-width:2px,color:#1565C0
    classDef data fill:#E8F5E9,stroke:#4CAF50,stroke-width:2px,color:#2E7D32
    classDef security fill:#FFF8E1,stroke:#FF9800,stroke-width:2px,color:#E65100
    classDef ops fill:#F5F5F5,stroke:#9E9E9E,stroke-width:2px,color:#424242
    classDef user fill:#E8EAF6,stroke:#3F51B5,stroke-width:2px,color:#283593
    class Ingress,FE,BE,OCSP k8s
    class PG,Redis data
    class KV,EntraID security
    class Monitor,ACR ops
    class Users user
```
## 2. Prerequisites

- Azure Subscription with sufficient permissions (Contributor + User Access Administrator)
- Azure CLI (`az`) 2.50+ installed
- `kubectl` configured for AKS cluster access
- Helm 3.12+ installed
- MazeVault container images available in Azure Container Registry
- MazeVault Enterprise license key
## 3. Azure Infrastructure Setup

### Resource Group

### AKS Cluster

```bash
# Create AKS cluster
az aks create \
  --resource-group rg-mazevault-prod \
  --name aks-mazevault-prod \
  --node-count 3 \
  --node-vm-size Standard_D4s_v5 \
  --enable-managed-identity \
  --enable-addons monitoring \
  --network-plugin azure \
  --network-policy calico \
  --kubernetes-version 1.28 \
  --generate-ssh-keys

# Get credentials
az aks get-credentials \
  --resource-group rg-mazevault-prod \
  --name aks-mazevault-prod
```
### PostgreSQL Flexible Server

```bash
az postgres flexible-server create \
  --resource-group rg-mazevault-prod \
  --name psql-mazevault-prod \
  --version 15 \
  --sku-name Standard_D2ds_v4 \
  --storage-size 128 \
  --admin-user mazevault_admin \
  --admin-password '<strong-password>' \
  --tier GeneralPurpose \
  --public-access None
```
### Azure Cache for Redis

```bash
# --enable-non-ssl-port is a bare flag that opens the plaintext port (6379);
# it takes no value, so omit it entirely to keep only the TLS port (6380),
# which is the port the mazevault-redis-credentials secret below uses.
az redis create \
  --resource-group rg-mazevault-prod \
  --name redis-mazevault-prod \
  --sku Standard \
  --vm-size C1 \
  --minimum-tls-version 1.2
```
### Azure Key Vault

```bash
# Soft delete is always on for newly created vaults (the --enable-soft-delete
# option is deprecated); purge protection is the setting that stops a deleted
# vault or key from being purged before the retention period ends.
az keyvault create \
  --resource-group rg-mazevault-prod \
  --name kv-mazevault-prod \
  --sku premium \
  --enable-purge-protection true
```
## 4. Helm Deployment

### Add MazeVault Helm Repository

### Create Namespace

### Create Secrets

```bash
# Database credentials
kubectl create secret generic mazevault-db-credentials \
  --namespace mazevault \
  --from-literal=host=psql-mazevault-prod.postgres.database.azure.com \
  --from-literal=port=5432 \
  --from-literal=username=mazevault_admin \
  --from-literal=password='<db-password>' \
  --from-literal=database=mazevault

# Redis credentials
kubectl create secret generic mazevault-redis-credentials \
  --namespace mazevault \
  --from-literal=host=redis-mazevault-prod.redis.cache.windows.net \
  --from-literal=port=6380 \
  --from-literal=password='<redis-password>'

# License key
kubectl create secret generic mazevault-license \
  --namespace mazevault \
  --from-literal=key='<your-license-key>'
```

### Install with Helm

```bash
helm install mazevault mazevault/mazevault \
  --namespace mazevault \
  --values values-production.yaml \
  --wait \
  --timeout 10m
```

See Helm Charts for the full `values.yaml` reference.
## 5. Ingress Configuration

### Nginx Ingress Controller

```bash
helm install ingress-nginx ingress-nginx/ingress-nginx \
  --namespace ingress-nginx \
  --create-namespace \
  --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz
```

### TLS Certificate

```bash
# Using cert-manager with Let's Encrypt
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com
    privateKeySecretRef:
      name: letsencrypt-prod-key
    solvers:
      - http01:
          ingress:
            class: nginx
EOF
```
## 6. Post-Deployment Verification

```bash
# Check all pods are running
kubectl get pods -n mazevault

# Verify health endpoints
kubectl exec -n mazevault deploy/mazevault-backend -- \
  wget -qO- http://localhost:8080/api/v1/health

# Check ingress
kubectl get ingress -n mazevault

# View logs
kubectl logs -n mazevault deploy/mazevault-backend --tail=50
```

### Expected Health Response

```json
{
  "status": "healthy",
  "components": {
    "database": "healthy",
    "redis": "healthy",
    "ocsp": "healthy"
  }
}
```
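A small validator for the health response, added here as an example and not part of MazeVault's tooling: it turns the manual "eyeball the JSON" step into a pass/fail gate a pipeline can run, and also catches a malformed or partial response (non-JSON body, missing `components`, a component not reported). It assumes the `kubectl exec` / `wget` command from the verification block above and the three component names in the expected response.

```python
"""Gate a MazeVault rollout on /api/v1/health (added example, not project code)."""
import json
import subprocess
import sys
from typing import List

# Components the expected health response reports on.
REQUIRED_COMPONENTS = ("database", "redis", "ocsp")


def health_problems(payload: str) -> List[str]:
    """Return the problems found in a raw health body; an empty list means healthy."""
    try:
        doc = json.loads(payload)
    except json.JSONDecodeError as exc:
        return [f"response is not valid JSON: {exc.msg}"]
    if not isinstance(doc, dict):
        return ["response is not a JSON object"]
    problems = []
    if doc.get("status") != "healthy":
        problems.append(f"overall status is {doc.get('status')!r}")
    components = doc.get("components")
    if not isinstance(components, dict):
        return problems + ["missing 'components' object"]
    for name in REQUIRED_COMPONENTS:
        state = components.get(name)
        if state is None:
            problems.append(f"component {name!r} not reported")
        elif state != "healthy":
            problems.append(f"component {name!r} is {state!r}")
    return problems


def fetch_health(namespace: str = "mazevault",
                 target: str = "deploy/mazevault-backend") -> str:
    """Run the same kubectl exec as the verification section and return the body."""
    cmd = ["kubectl", "exec", "-n", namespace, target, "--",
           "wget", "-qO-", "http://localhost:8080/api/v1/health"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    found = health_problems(fetch_health())
    for problem in found:
        print("UNHEALTHY:", problem)
    sys.exit(1 if found else 0)
```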
## 7. Azure Monitor Integration

MazeVault exposes Prometheus metrics at `/metrics` on each component. Configure Azure Monitor to scrape these endpoints:

```yaml
# Azure Monitor ConfigMap
apiVersion: v1
kind: ConfigMap
metadata:
  name: ama-metrics-prometheus-config
  namespace: kube-system
data:
  prometheus-config: |
    scrape_configs:
      - job_name: mazevault-backend
        kubernetes_sd_configs:
          - role: pod
            namespaces:
              names: [mazevault]
        relabel_configs:
          - source_labels: [__meta_kubernetes_pod_label_app]
            regex: mazevault-backend
            action: keep
```
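To see exactly which pods the `keep` rule above admits, here is an added example (not Azure Monitor or MazeVault code) that emulates Prometheus relabeling: the `source_labels` values are joined with `;` and `regex` is anchored as `^(?:...)$`, so `mazevault-backend` matches only that label value and not, say, a `mazevault-backend-canary` pod. The discovered pod label sets are constructed for illustration.

```python
"""Emulate a Prometheus `action: keep` relabel rule (added example, not project code)."""
import re
from typing import Dict, List

# Constructed label sets as kubernetes_sd_configs (role: pod) would attach them
# before relabeling; only __meta_* labels relevant to the rule are shown.
DISCOVERED_PODS: List[Dict[str, str]] = [
    {"__meta_kubernetes_pod_name": "mazevault-backend-7d9f",
     "__meta_kubernetes_pod_label_app": "mazevault-backend"},
    {"__meta_kubernetes_pod_name": "mazevault-backend-canary-1",
     "__meta_kubernetes_pod_label_app": "mazevault-backend-canary"},
    {"__meta_kubernetes_pod_name": "mazevault-frontend-2",
     "__meta_kubernetes_pod_label_app": "mazevault-frontend"},
    {"__meta_kubernetes_pod_name": "unlabeled-0"},
]


def keep_matching(targets: List[Dict[str, str]], source_labels: List[str],
                  regex: str, separator: str = ";") -> List[Dict[str, str]]:
    """Apply a `keep` rule: join source_labels, fully anchor regex, drop non-matches."""
    pattern = re.compile(f"^(?:{regex})$")  # Prometheus anchors both ends
    kept = []
    for labels in targets:
        joined = separator.join(labels.get(name, "") for name in source_labels)
        if pattern.match(joined):
            kept.append(labels)
    return kept


def scraped_pod_names(regex: str = "mazevault-backend") -> List[str]:
    """Pod names that survive the ConfigMap's rule for the given regex."""
    kept = keep_matching(DISCOVERED_PODS, ["__meta_kubernetes_pod_label_app"], regex)
    return [t["__meta_kubernetes_pod_name"] for t in kept]


if __name__ == "__main__":
    print("scraped:", scraped_pod_names())
```

Widening the regex to `mazevault-.*` is the deliberate way to include more pods; a bare label value never matches as a substring.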
## Related

- System Requirements: hardware and software prerequisites
- Helm Charts: full Helm values reference
- TLS Configuration: certificate setup
- Health Checks: post-deployment verification