# Microsoft Azure
This guide will walk you through deploying D1 Storage or D1 Generic, using K1 for key management, to Azure Kubernetes Service with Azure Blob Storage, Azure Key Vault, and Azure Active Directory.
To follow this guide, you will need to create an Azure account and set up the az CLI tool. Then, create a resource group by running the following az command:

```shell
az group create -l <location> -n <group name>
```
## Azure Blob Storage

To provision a storage container, follow this guide or run the following az commands. First, create a storage account:

```shell
az storage account create --name d1account --resource-group <group name> --location <location> --sku Standard_LRS
```

Then get the account key:

```shell
az storage account keys list --resource-group <group name> --account-name d1account
```

Finally, create a storage container:

```shell
az storage container create -n d1container --account-name d1account --account-key <account key>
```
## Azure Key Vault

You will need to provision an encryption key. First, create a premium Key Vault:

```shell
az keyvault create --location <location> --name d1vault --resource-group <group name> --sku premium
```

Then, create a key:

```shell
az keyvault key create --size 4096 --kty RSA-HSM --name k1 --vault-name d1vault
```

Create an application with a client secret:

```shell
K1_APP_RES=$(az ad sp create-for-rbac -n d1-k1)
export K1_APP_ID=$(echo "$K1_APP_RES" | jq -r .appId)
export K1_APP_SECRET=$(echo "$K1_APP_RES" | jq -r .password)
# Note: on Azure CLI 2.37 and later (Microsoft Graph output) the object ID field is `.id` instead of `.objectId`.
export K1_APP_OBJECT_ID=$(az ad sp show --id "$K1_APP_ID" | jq -r .objectId)
```

Give the application access to the Key Vault (only the key operations K1 needs, not full key management):

```shell
az keyvault set-policy -n d1vault --key-permissions wrapKey unwrapKey sign verify --object-id "$K1_APP_OBJECT_ID"
```
## Azure Active Directory

Create an application used for OIDC login by running the following az commands:

```shell
OIDC_APP_RES=$(az ad app create --display-name d1-oidc)
export OIDC_APP_ID=$(echo "$OIDC_APP_RES" | jq -r .appId)
# Note: on Azure CLI 2.37 and later (Microsoft Graph output) the object ID field is `.id` instead of `.objectId`.
export OIDC_APP_OBJECT_ID=$(echo "$OIDC_APP_RES" | jq -r .objectId)
OIDC_CRED=$(az ad app credential reset --id "$OIDC_APP_ID" --append)
export OIDC_APP_SECRET=$(echo "$OIDC_CRED" | jq -r .password)
```

Then, follow the instructions in Making Azure AD OIDC Compliant.
## Azure Kubernetes Service

Provision an AKS cluster as described here or by using the following az command:

```shell
az aks create --resource-group <group name> --name d1-cluster --node-count 2 --generate-ssh-keys
```
## Deployment

You first need to deploy K1 using our Helm chart. Configure the Helm chart as shown below with the information obtained in the previous steps:

```yaml
# File: values.yaml
k1:
  endpoint: k1.default.svc.cluster.local
  keyprovider:
    provider: azureKeyVault
    azureKeyVault:
      vaulturi: "https://d1vault.vault.azure.net/"
      keyname: "k1"
      tenantId: <Tenant ID>
      clientId: <K1 application ID>
      clientSecret: <K1 application secret>
postgresql:
  auth:
    database: "k1"
    username: "k1"
    password: <fill in a secure password>
```

You can then deploy K1:

```shell
helm install k1 oci://ghcr.io/cybercryptio/helm-charts/k1 --version 0.2.0 --values values.yaml
```
Once the deployment is successful, create a new Key Set and get the Key Initialization Key:

```shell
export KS_ID=$(kubectl exec -it deployments/k1 -- /k1 newKeySet 2> /dev/null | tail -n 3 | jq -r ".KsID")
kubectl exec -it deployments/k1 -- /k1 newKik --ksid="$KS_ID"
```
You are now ready to deploy D1 Storage or D1 Generic using our Helm charts. Configure the Helm chart as shown below with the information obtained in the previous steps:

```yaml
# File: values.yaml
config:
  keys:
    provider: "k1"
    k1:
      endpoint: "k1.default.svc.cluster.local:50051"
      kik: <Key Initialization Key>
      kikId: <Key Initialization Key ID>
  io:
    provider: "azureblob"
    azureblob:
      address: "https://d1account.blob.core.windows.net"
      accountname: "d1account"
      accountkey: <Account key>
      container: "d1container"
  id:
    provider: "oidc"
    oidc:
      issuer: "https://login.microsoftonline.com/<Tenant ID>/v2.0"
      clientid: <OIDC client ID>
      signingalg: "RS256"
      claimtranslation: <Your desired claim translation>
```
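Before running `helm install`, it is worth checking the values file mechanically. The script below is an added example, not part of the project's docs or charts: it rejects a file that still contains `<placeholders>`, whose `issuer` is not pinned to a single tenant ID (a `common` or `organizations` issuer would let tokens from any Azure AD tenant pass the issuer check), or whose `signingalg` is not the RS256 configured above. The sample files it writes, their tenant ID and account key are constructed.

```shell
#!/usr/bin/env bash
# Added pre-flight check for the D1 values.yaml above; not part of the
# project's charts. File layout and sample values are assumptions.
set -u

check_d1_values() {
  local file="$1" rc=0 issuer
  # 1. A leftover <...> placeholder means a key, secret or ID was never filled in.
  if grep -qE '<[^>]*>' "$file"; then
    echo "ERROR: unresolved placeholders in $file" >&2; rc=1
  fi
  # 2. The issuer must name one tenant ID (8-4-4-4-12 hex GUID); 'common' or
  #    'organizations' would accept tokens issued for any Azure AD tenant.
  issuer=$(sed -nE 's/^[[:space:]]*issuer:[[:space:]]*"?([^"]*)"?[[:space:]]*$/\1/p' "$file")
  if ! printf '%s\n' "$issuer" |
     grep -qE '^https://login\.microsoftonline\.com/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}/v2\.0$'; then
    echo "ERROR: issuer '$issuer' is not pinned to a single tenant" >&2; rc=1
  fi
  # 3. Tokens must be verified with RS256, as the guide configures.
  if ! grep -qE '^[[:space:]]*signingalg:[[:space:]]*"?RS256"?[[:space:]]*$' "$file"; then
    echo "ERROR: signingalg must be RS256" >&2; rc=1
  fi
  return "$rc"
}

# Constructed sample writer: $1 = path, $2 = issuer, $3 = account key.
write_sample() {
  cat >"$1" <<EOF
config:
  io:
    provider: "azureblob"
    azureblob:
      accountkey: $3
  id:
    provider: "oidc"
    oidc:
      issuer: "$2"
      clientid: "d1-oidc-client"
      signingalg: "RS256"
EOF
}

GOOD=$(mktemp); BAD=$(mktemp)
# Fake tenant GUID and base64 account key; a filled-in file.
write_sample "$GOOD" "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0" "ZmFrZS1hY2NvdW50LWtleQ=="
# Multi-tenant issuer and an unfilled placeholder; must be rejected.
write_sample "$BAD" "https://login.microsoftonline.com/common/v2.0" "<Account key>"

if check_d1_values "$GOOD"; then echo "good sample: OK"; fi
if ! check_d1_values "$BAD"; then echo "bad sample: rejected as expected"; fi
```

Run it against your real `values.yaml` with `check_d1_values values.yaml` before each `helm install`.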
You can then deploy D1 Storage or D1 Generic:

```shell
helm install d1 oci://ghcr.io/cybercryptio/helm-charts/d1-service-storage --version 0.3.10 --values values.yaml
# OR
helm install d1 oci://ghcr.io/cybercryptio/helm-charts/d1-service-generic --version 0.3.10 --values values.yaml
```