Azure Container Apps Setup Guide

Overview

If you are hosting in Microsoft Azure, DataGrail recommends using Azure Container Apps to deploy the Request Manager Agent. Deploying in Azure Container Apps will result in most of the details of load balancing, SSL termination, and service uptime being managed in a simple and standard manner. This toolchain provides simple and robust management of your deployment. To get an overview of Azure Container Apps, check out Microsoft's documentation.

Sourcing the Agent Image

The Request Manager Agent Docker image is hosted in DataGrail's private image registry. Once you have obtained credentials from your DataGrail representative, you can pull the image using the following command:

Pulling the image

# Authenticate with the DataGrail registry
docker login contairium.datagrail.io -u $DATAGRAIL_SUBDOMAIN -p $DATAGRAIL_API_KEY

# Pull the latest Request Manager Agent image (or specify a version)
docker pull contairium.datagrail.io/datagrail-rm-agent:latest

Create an Azure Resource Group

1. Navigate to Resource Groups (type "Resource group" in the search bar and select the service).
2. Select Create.
3. Select your preferred Azure subscription.
4. Under Resource group, enter a name such as datagrail-rm-agent.
5. Select Create.

---

Register an Application and Create Application Credentials

Register an Application

1. Navigate to App Registrations (type "App registrations" in the search bar).
2. Select New registration.
3. Under Name, enter a name such as datagrail-rm-agent.
4. Leave all other values as default and select Register.

---

Create Application Credentials

1. Navigate to the Certificates & secrets module in the left-hand menu.
2. Select New client secret.
3. Enter a description such as datagrail-rm-agent.
4. Copy the Value field immediately after creation. This value will disappear after navigating away from the page.

---

Create a Key Vault, Store Secrets, and Grant Application RBAC to Key Vault

Create a Key Vault

1. Navigate to Key Vaults (type "Key vault" in the search bar).
2. Select Create.
3. Select your preferred subscription and the datagrail-rm-agent resource group.
4. Name the key vault dg-agent-secrets.
5. Select your preferred region.
6. Select Create.

---

Store Secrets

1. Navigate to Secrets in the Key Vault menu.
2. Select Generate/Import.
3. Create the following secrets:
   • DataGrail Application Credentials:
     • Name: datagrail-rm-agent-credentials
     • Value (JSON format): {"client_id": "<arbitrary value>", "client_secret": "<secure string>"}
   • DataGrail Callback Token:
     • Name: datagrail-credentials
     • Value (JSON format): {"token": "<token provided by DataGrail>"}
   • Connector Credentials (e.g., Snowflake):
     • Name: snowflake-credentials
     • Value (JSON format): {"user": "<DB username>", "password": "<DB password>", "account": "<Snowflake Account>", "warehouse": "<Snowflake Warehouse>", "database": "<Snowflake DB>"}

---

Grant Application RBAC to Key Vault

1. Navigate to Access control (IAM) in the Key Vault.
2. Select Role assignments > Add > Add role assignment.
3. Select Key Vault Secrets User and select Next.
4. Search for the registered application by name and select it.
5. Select Review and assign.

---

Create a Container App, Container Apps Environment, Store Secrets, and Modify Ingress

Create a Container App

1. Navigate to Container Apps (type "Container Apps" in the search bar).
2. Select Create.
3. Select your preferred subscription and the datagrail-rm-agent resource group.
4. Enter a name such as datagrail-rm-agent for the container app.
5. Select your preferred region.
6. Under Container Apps Environment, select Create new.

---

Create a Container Apps Environment

1. Enter datagrail-rm-agent as the environment name.
2. Under Monitoring, ensure Azure Log Analytics is selected.
3. Create a new Logs Analytics workspace.
4. Under Networking, select the VNet and subnet for deployment.
5. Select Create.

---

Create a Container App (Continued)

1. De-select Use quickstart image.
2. Select Azure Container Registry and choose the datagrail-rm-agent registry.
3. Configure the following environment variables:
   • DATAGRAIL_AGENT_CONFIG: Filled-in configuration JSON object.
   • AZURE_TENANT_ID: Your Azure tenant ID.
   • AZURE_CLIENT_ID: Client ID from step 2.
   • AZURE_CLIENT_SECRET: Placeholder value (to be updated later).
4. Enable Ingress:
   • Set Client certificate mode to Require.
   • Set Target port to 8080.
5. Select Review and create.

---

Configure Readiness Probe

1. Under Application, navigate to Containers and select the Health probes tab.
2. Under Readiness probes, select Enable readiness probes.
3. Configure the probe with the following:
   • Path: /docs
   • Port: 8080
4. Select Save as a new revision.

---

Store Secrets

1. Navigate to Secrets in the Container App menu.
2. Create a secret:
   • Key: datagrail-rm-agent-client-id
   • Value: Client ID from step 2.
3. Navigate to Revisions and select Create a new revision.
4. Update the AZURE_CLIENT_SECRET source to reference the secret created above.
5. Select Save and then Create.

---

Modify Ingress

1. Navigate to Ingress in the Container App menu.
2. Under IP Restrictions Mode, select Allow traffic from IPs configured below, deny all other traffic.
3. Add the following IP address: 52.36.177.91/32 (DataGrail’s IP address).

---

Grant Container App Permission to Write to Azure Blob Storage

1. Navigate to Storage accounts (type "Storage accounts" in the search bar).
2. Select the pre-created DataGrail container.
3. Under Access Control (IAM), select Add > Add role assignment.
4. Select Storage Blob Data Contributor and select Next.
5. Select the registered application created in step 2.
6. Select Review and assign.