Deploy Fluent Manager with Azure Container Apps
This document describes how to deploy the Fluent Manager using Azure Container Apps. This is well suited to customers with high availability needs like autoscaling.
Prerequisites
- Azure CLI
- The Azure CLI containerapp extension
- The database that you'll be using. For high availability deployments in Azure, we recommend Azure Database for PostgreSQL flexible server.
  - The database server should have a database named fluent with a schema named manager
- The fluent-deploy-docker-compose Kotlin script for your version
  - We'll just be using this to generate some values used in your environment
- Kotlin command-line compiler (Kotlin 1.4+ and Java 6+)
  - Needed to run the above Kotlin script
Step 1: Using the compose script to generate your .env file
Run the following command to create your .env file. We'll pull the keyset handle and JWT private key values out of it in Step 6, so treat the generated file as a secret. admin-email and admin-password should be the default admin login for your Manager instance. You can change these later in the process.
kotlin fluent-deploy-docker-compose-x.y.z.main.kts create-config-file --admin-email=admin@email.com --admin-password=long_password
Step 2: Set up environment variables to simplify setup
Run the following bash commands to set up environment variables that will be reused throughout your setup.
- RG should be set to your desired resource group name for this install.
- LOC is the Azure region you want to deploy to
- ENV_NAME is the name of the Container Apps Environment we'll create for this install
- BACK_APP is the name of the Container App that will host the backend
- FRONT_APP is the name of the Container App that will host the frontend
RG="fluent-manager-rg"
LOC="eastus"
ENV_NAME="fluent-manager-env"
BACK_APP="fluent-manager-backend"
FRONT_APP="fluent-manager-frontend"
Step 3: Create your Resource Group
This command will create your resource group.
az group create -n $RG -l $LOC
Step 4: Create your Container Apps Environment
Your Container Apps Environment is a shared network boundary that contains your container apps. If your database is behind a Virtual Network, you should configure your Container Apps Environment to have access to that Virtual Network at this step using the --infrastructure-subnet-resource-id <subnet-resource-id> option, where <subnet-resource-id> is the subnet that will give you access to your database.
az containerapp env create \
-g $RG \
-n $ENV_NAME \
-l $LOC
Step 5: Create Backend Container
This command will create a Container App using the Manager backend image in your new Container Apps Environment.
- target-port is 8080 because this is the port that the Manager container listens on.
- ingress is internal because the Manager backend is only ever called via the frontend's reverse proxy.
- allow-insecure lets the internal ingress accept plain HTTP, which is how the frontend calls the backend (BACKEND_SCHEME is http in Step 8).
- We keep replicas, cpu, and memory low for now because you can scale these options later once you've gotten everything working.
az containerapp create \
-g $RG \
-n $BACK_APP \
--environment $ENV_NAME \
--image public.ecr.aws/apryse/fluent-manager-backend:x.y.z \
--target-port 8080 \
--ingress internal \
--allow-insecure \
--min-replicas 1 \
--max-replicas 1 \
--cpu 1.0 \
--memory 2.0Gi
Step 6: Provide Secrets and Configuration Values for Backend Container
Next we'll specify secrets for the Manager backend container.
az containerapp secret set \
-g $RG \
-n $BACK_APP \
--secrets \
db-password="<your-db-password>" \
admin-password="<the password you want for your admin user (from step 1)>" \
jwt-private-key="<FLUENT_MANAGER_JWT_PRIVATE_KEY from the .env file created in step 1>" \
keyset-handle="<FLUENT_MANAGER_KEYSET_HANDLE from the .env file created in step 1>"
Once we've provided our secrets, we can provide all of the environment variables for the backend. Notice that we're referencing the secrets that we just created with secretref: followed by the secret's name. You can use secretref: this way for any additional configuration values below that you wish to store as secrets, such as FLUENT_MANAGER_SMTP_PASSWORD or FLUENT_MANAGER_VAULT_TOKEN if you enable mailing or Vault. You'll just need to set them as secrets on the Container App first.
az containerapp update \
-g $RG \
-n $BACK_APP \
--set-env-vars \
FLUENT_MANAGER_ACCESS_TOKEN_TIME_TO_LIVE="86400" \
FLUENT_MANAGER_COOKIES_TIME_TO_LIVE="2592000" \
FLUENT_MANAGER_CORS_ALLOWED_METHODS="*" \
FLUENT_MANAGER_CORS_ALLOWED_ORIGINS="*" \
FLUENT_MANAGER_CORS_ALLOWED_PATHS="*" \
FLUENT_MANAGER_DATABASE_NAME="fluent" \
FLUENT_MANAGER_DATABASE_PASSWORD=secretref:db-password \
FLUENT_MANAGER_DATABASE_URL="<your-postgresql-server>.postgres.database.azure.com:5432" \
FLUENT_MANAGER_DATABASE_USERNAME="<username for your database>" \
FLUENT_MANAGER_DEFAULT_ADMIN_EMAIL="<The email of your default admin in Manager>" \
FLUENT_MANAGER_DEFAULT_ADMIN_PASSWORD=secretref:admin-password \
FLUENT_MANAGER_JWT_PRIVATE_KEY=secretref:jwt-private-key \
FLUENT_MANAGER_KEYSET_HANDLE=secretref:keyset-handle \
FLUENT_MANAGER_LICENSE_SUBSCRIPTION_ENABLE="true" \
FLUENT_MANAGER_MAILING_ENABLE="false" \
FLUENT_MANAGER_MAXIMUM_FAILED_LOGIN_ATTEMPTS="5" \
FLUENT_MANAGER_REFRESH_TOKEN_TIME_TO_LIVE="1209600" \
FLUENT_MANAGER_RESET_SYSTEM_ADMINISTRATOR_CREDENTIALS="false" \
FLUENT_MANAGER_SDK_TYPE="fluent" \
FLUENT_MANAGER_SENTRY_DSN="" \
FLUENT_MANAGER_SENTRY_ENVIRONMENT="" \
FLUENT_MANAGER_SMTP_AUTH="true" \
FLUENT_MANAGER_SMTP_FROM="admin@email.com" \
FLUENT_MANAGER_SMTP_HOST="smtp.gmail.com" \
FLUENT_MANAGER_SMTP_PASSWORD='$$uper$$ecret' \
FLUENT_MANAGER_SMTP_PORT="587" \
FLUENT_MANAGER_SMTP_TLS_ENABLE="true" \
FLUENT_MANAGER_SMTP_USERNAME="admin@gmail.com" \
FLUENT_MANAGER_VAULT_ENABLE="false" \
FLUENT_MANAGER_VAULT_SECRET_ENGINE_PATH="fluent-manager" \
FLUENT_MANAGER_VAULT_TOKEN="static-token-value" \
FLUENT_MANAGER_VAULT_URI="http://host.docker.internal:8200" \
POSTGRES_DB="fluent" \
POSTGRES_PASSWORD=secretref:db-password \
POSTGRES_USER="postgres" \
PUBLIC_URL="" \
SPRING_PROFILES_ACTIVE="prod, fluent"
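The secretref: wiring from Step 6 can be checked before it is applied. The following is an added example, not part of the original guide or the Fluent Manager tooling: a POSIX shell function (lint_settings, a hypothetical name) that flags empty or undefined secretref: references and secret-looking variables given literal values. The sample settings and the name patterns it treats as sensitive are assumptions constructed for illustration.

```shell
# Added example: lint Step 6 settings before `az containerapp update`.
# lint_settings and the sample data are hypothetical, not part of Fluent Manager.

# lint_settings "<space-separated secret names>" NAME=value ...
# Prints one finding per line and returns 1 if anything was found.
lint_settings() {
  secrets=" $1 "; shift
  rc=0
  for setting in "$@"; do
    name=${setting%%=*}
    value=${setting#*=}
    case $value in
      secretref:)                      # reference with no secret name
        echo "EMPTY_REF $name"; rc=1 ;;
      secretref:*)                     # reference must match a defined secret
        ref=${value#secretref:}
        case $secrets in
          *" $ref "*) ;;
          *) echo "UNDEFINED_REF $name -> $ref"; rc=1 ;;
        esac ;;
      "") ;;                           # empty values carry nothing sensitive
      *)                               # literal value: flag secret-looking names
        case $name in
          *_TIME_TO_LIVE) ;;           # token lifetimes are not credentials
          *PASSWORD*|*PRIVATE_KEY*|*KEYSET_HANDLE*|*TOKEN*)
            echo "PLAINTEXT $name"; rc=1 ;;
        esac ;;
    esac
  done
  return $rc
}

# Constructed sample. With a deployed app the names could come from:
#   az containerapp secret list -g "$RG" -n "$BACK_APP" --query "[].name" -o tsv | tr '\n' ' '
SECRETS="db-password admin-password jwt-private-key keyset-handle"

sample_findings() {
  lint_settings "$SECRETS" \
    'FLUENT_MANAGER_ACCESS_TOKEN_TIME_TO_LIVE=86400' \
    'FLUENT_MANAGER_DATABASE_PASSWORD=secretref:db-password' \
    'FLUENT_MANAGER_JWT_PRIVATE_KEY=secretref:' \
    'FLUENT_MANAGER_KEYSET_HANDLE=secretref:keyset-handel' \
    'FLUENT_MANAGER_SMTP_PASSWORD=constructed-example-value' \
    'FLUENT_MANAGER_VAULT_TOKEN=static-token-value' \
    'FLUENT_MANAGER_SENTRY_DSN='
}

sample_findings || echo "Resolve the findings above before running az containerapp update."
```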
Step 7: Create Frontend Container
This command will create a Container App using the Manager frontend image in your new Container Apps Environment.
- target-port is 8080 because this is the port that the Manager container listens on.
- ingress is external because the Manager frontend needs to be called from users' web browsers and application API calls.
- We keep replicas, cpu, and memory low for now because you can scale these options later once you've gotten everything working.
az containerapp create \
-g $RG \
-n $FRONT_APP \
--environment $ENV_NAME \
--image public.ecr.aws/apryse/fluent-manager-frontend:w.x.y.z \
--target-port 8080 \
--ingress external \
--min-replicas 1 \
--max-replicas 1 \
--cpu 1.0 \
--memory 2.0Gi
Step 8: Provide Configuration Values for Frontend Container
Now we provide all of the environment variables that the front end needs with this command.
- We use the BACK_APP variable as the backend host because the container app name can be used as a hostname within the Container Apps Environment.
az containerapp update \
-g $RG \
-n $FRONT_APP \
--set-env-vars \
BACKEND_HOST="$BACK_APP" \
BACKEND_SCHEME="http" \
PUBLIC_URL=""
Step 9: Check to see if Manager is Working
You can get the fully qualified domain name from the frontend container with this command.
az containerapp show \
-g $RG \
-n $FRONT_APP \
--query properties.configuration.ingress.fqdn \
-o tsv
Then browse to the Container App in your web browser to see if it's working. If you run into any issues, we recommend examining logs on both containers via the Azure Portal. We also recommend using the Azure Portal to set up a Custom Domain and TLS Certificate for your frontend container.