Microsoft Azure

This guide will walk you through deploying D1 Storage or D1 Generic, using K1 for key management, to Azure Kubernetes Service with Azure Blob Storage, Azure Key Vault, and Azure Active Directory.

To follow this guide, you will need to create an Azure account as well as set up the az CLI tool. Then, create a resource group by running the following az command:

az group create -l <location> -n <group name>

Azure Blob Storage

In order to provision a storage container, follow this guide or run the following az commands. First, create a storage account:

az storage account create --name d1account --resource-group <group name> --location <location> --sku Standard_LRS

Then get the account key:

az storage account keys list --resource-group <group name> --account-name d1account

Finally, create a storage container:

az storage container create -n d1container --account-name d1account --account-key <account key>

Azure Key Vault

You will need to provision an encryption key. First, create a premium Key Vault:

az keyvault create --location <location> --name d1vault --resource-group <group name> --sku premium

Then, create a key:

az keyvault key create --size 4096 --kty RSA-HSM --name k1 --vault-name d1vault

Create an application with a client secret:

K1_APP_RES=$(az ad sp create-for-rbac -n d1-k1)
export K1_APP_ID=$(echo $K1_APP_RES | jq -r .appId)
export K1_APP_SECRET=$(echo $K1_APP_RES | jq -r .password)
export K1_APP_OBJECT_ID=$(az ad sp show --id $K1_APP_ID | jq -r .objectId)

Give the application access to the Key Vault:

az keyvault set-policy -n d1vault --key-permissions wrapKey unwrapKey sign verify --object-id $K1_APP_OBJECT_ID

Azure Active Directory

Create an application used for OIDC login by running the following az commands:

OIDC_APP_RES=$(az ad app create --display-name d1-oidc)
export OIDC_APP_ID=$(echo $OIDC_APP_RES | jq -r .appId)
export OIDC_APP_OBJECT_ID=$(echo $OIDC_APP_RES | jq -r .objectId)
OIDC_CRED=$(az ad app credential reset --id $OIDC_APP_ID --append)
export OIDC_APP_SECRET=$(echo $OIDC_CRED | jq -r .password)

Then, follow the instructions in Making Azure AD OIDC Compliant.

Azure Kubernetes Service

Provision an AKS cluster as described here or by using the following az command:

az aks create --resource-group <group name> --name d1-cluster --node-count 2 --generate-ssh-keys

Deployment

You first need to deploy K1 using our Helm chart. You will need to configure the Helm chart as shown below with the information obtained in the previous steps:

# File: values.yaml
k1:
  endpoint: k1.default.svc.cluster.local

keyprovider:
  provider: azureKeyVault

  azureKeyVault:
    vaulturi: "https://d1vault.vault.azure.net/"
    keyname: "k1"
    tenantId: <Tenant ID>
    clientId: <K1 application ID>
    clientSecret: <K1 application secret>

postgresql:
  auth:
    database: "k1"
    username: "k1"
    password: <fill in a secure password>

You can then deploy K1:

helm install k1 oci://ghcr.io/cybercryptio/helm-charts/k1 --version 0.2.0 --values values.yaml

Once the deployment is successful, create a new Key Set and get the Key Initialization Key:

export KS_ID=$(kubectl exec -it deployments/k1 -- /k1 newKeySet 2> /dev/null | tail -n 3 | jq -r ".KsID")
kubectl exec -it deployments/k1 -- /k1 newKik --ksid=$KS_ID

You are now ready to deploy D1 Storage or D1 Generic using our Helm charts. You will need to configure the Helm chart as shown below with the information obtained in the previous steps:

config:
  keys:
    provider: "k1"

    k1:
      endpoint: "k1.default.svc.cluster.local:50051"
      kik: <Key Initialization Key>
      kikId: <Key Initialization Key ID>

  io:
    provider: "azureblob"

    azureblob:
      address: "https://d1account.blob.core.windows.net"
      accountname: "d1account"
      accountkey: <Account key>
      container: "d1container"

  id:
    provider: "oidc"

    oidc:
      issuer: "https://login.microsoftonline.com/<Tenant ID>/v2.0"
      clientid: <OIDC client ID>
      signingalg: "RS256"
      claimtranslation: <Your desired claim translation>
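Both values files above carry secrets (client secret, account key, KIK) and several placeholders that have to be replaced by hand, and a placeholder that slips through or an issuer that is not tenant-scoped only surfaces as a failed login or a Key Vault error after the chart is installed. The script below is an added pre-flight check for this guide, not part of the CYBERCRYPT charts or documentation. It assumes the values.yaml layout shown in this guide and needs only POSIX sh, grep and sed, so it runs without az or a cluster; the two sample files it writes are constructed for the example and contain no real identifiers.

```shell
#!/bin/sh
# Pre-flight check for a D1 or K1 values.yaml before "helm install".
# Added example for this guide; not part of the CYBERCRYPT charts or docs.

# check_values_file FILE
# Prints every finding and returns 0 when the file is deployable, 1 otherwise.
check_values_file() {
    file="$1"
    status=0

    # 1. Any "<...>" left over from the template is a placeholder that was
    #    not filled in (tenant ID, client secret, account key, KIK, ...).
    if grep -nE '<[^>]+>' "$file"; then
        echo "FAIL: unfilled placeholders listed above in $file"
        status=1
    fi

    # 2. Every URL must use HTTPS. Key Vault, Blob Storage and Azure AD are
    #    TLS-only endpoints; a plain http:// value would never work and would
    #    push the account key or client secret out in clear if it did.
    if grep -nE 'http://' "$file"; then
        echo "FAIL: plaintext http:// URL listed above in $file"
        status=1
    fi

    # 3. If the file configures OIDC, the issuer must be the tenant-scoped
    #    v2.0 endpoint with a real tenant GUID, as the guide shows. "common"
    #    or "organizations" is not what Azure AD puts in the token's iss
    #    claim, so token validation would reject every login.
    issuer=$(sed -n 's/^[[:space:]]*issuer:[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}.*$/\1/p' "$file")
    guid='[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}'
    if [ -n "$issuer" ] && ! printf '%s\n' "$issuer" |
            grep -qE "^https://login\.microsoftonline\.com/$guid/v2\.0$"; then
        echo "FAIL: issuer is not a tenant-scoped v2.0 endpoint: $issuer"
        status=1
    fi

    return "$status"
}

# Constructed sample inputs (not real deployments): a filled-in D1 values
# file, and one with a placeholder left in, a plain-http address and a
# non-tenant issuer.
D1_GOOD_VALUES=$(mktemp)
cat > "$D1_GOOD_VALUES" <<'EOF'
config:
  keys:
    provider: "k1"
    k1:
      endpoint: "k1.default.svc.cluster.local:50051"
      kik: "example-kik-base64=="
      kikId: "example-kik-id"
  io:
    provider: "azureblob"
    azureblob:
      address: "https://d1account.blob.core.windows.net"
      accountname: "d1account"
      accountkey: "example-account-key=="
      container: "d1container"
  id:
    provider: "oidc"
    oidc:
      issuer: "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0"
      clientid: "11111111-aaaa-bbbb-cccc-222222222222"
      signingalg: "RS256"
EOF

D1_BAD_VALUES=$(mktemp)
cat > "$D1_BAD_VALUES" <<'EOF'
config:
  io:
    provider: "azureblob"
    azureblob:
      address: "http://d1account.blob.core.windows.net"
      accountkey: <Account key>
  id:
    provider: "oidc"
    oidc:
      issuer: "https://login.microsoftonline.com/common/v2.0"
EOF

# Usage: run both samples; only the first should pass.
check_values_file "$D1_GOOD_VALUES" && echo "good sample: OK to deploy"
check_values_file "$D1_BAD_VALUES"  || echo "bad sample: fix the findings above before helm install"
```

Run it as `check_values_file values.yaml` before each helm install below; the K1 values file has no issuer line, so check 3 is skipped for it and only the placeholder and URL checks apply.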

You can then deploy D1 Storage or D1 Generic:

helm install d1 oci://ghcr.io/cybercryptio/helm-charts/d1-service-storage --version 0.3.10 --values values.yaml
# OR
helm install d1 oci://ghcr.io/cybercryptio/helm-charts/d1-service-generic --version 0.3.10 --values values.yaml