Gateway on Azure Container App

This guide describes how to run Akeyless Gateway on Azure Container Apps.

Prerequisites

Configuration

The steps below set up the environment for deploying the Gateway.

Log in to your Azure Account:

az login

Install the Azure Container Apps extension (if not installed):

az extension add --name containerapp --upgrade

Create a Resource Group using the following command:

az group create --name akeyless-gw-rg --location eastus

Create a Container Registry using the following command:

az acr create --resource-group akeyless-gw-rg \
--name akeylessgwacr \
--sku Standard

Create a Container Apps environment using the following command:

az containerapp env create \
  --name akeyless-gw-env \
  --resource-group akeyless-gw-rg \
  --location eastus

With the configuration complete, we can now proceed to install the Gateway.

Container App Creation

If your ACR is private and requires authentication, run the following command while Docker is up and running on your host:

az acr login --name akeylessgwacr

Import the Image into the Azure Container Registry:

az acr import \
  --name akeylessgwacr \
  --source docker.registry-2.akeyless.io/base:latest \
  --image akeyless-base:latest

To verify that the image was imported to the ACR, run the following command:

az acr repository list -n akeylessgwacr

Installation

Create the Container App using the following command:

az containerapp create \
  --name akeyless-gw-app \
  --resource-group akeyless-gw-rg \
  --environment akeyless-gw-env \
  --image akeylessgwacr.azurecr.io/akeyless-base:latest \
  --registry-server akeylessgwacr.azurecr.io \
  --cpu 4.0 \
  --memory 8.0Gi \
  --ingress external \
  --target-port 8000 \
  --env-vars \
    GATEWAY_ACCESS_ID=<AccessID> \
    GATEWAY_ACCESS_TYPE='azure' \
    ALLOWED_ACCESS_PERMISSIONS='[{"access_id":"<AccessID>","name":"Administrators"}]' \
    AKEYLESS_URL='https://vault.akeyless.io' \
    CLUSTER_NAME='Akeyless-GW-Container-APP' 

Where:

  • name - The name of the Container App.

  • resource-group - The resource group used for this Container App.

  • environment - Your Container App environment.

  • image - The container image to run.

  • registry-server - The container registry where the image is stored.

  • cpu - Assigns 4 vCPUs to the container.

  • memory - Allocates 8 GiB RAM to the container.

  • ingress - Either External or Internal:

    • External: Accepts traffic from both the public internet and your container app's internal environment.

    • Internal: Allows only internal access from within your container app's environment.

  • target-port - The app inside the container listens on port 8000 for incoming traffic.

  • GATEWAY_ACCESS_ID - Your Azure Authentication Method Access ID.

  • GATEWAY_ACCESS_TYPE - The Auth Method type for the Gateway (in our case, azure).

  • ALLOWED_ACCESS_PERMISSIONS - A list of allowed Access IDs, used to delegate the permissions users will have on your Gateway components.
    Required when admin_access_id_type is azure. For example, it can be used with API Key or SAML, etc.

  • AKEYLESS_URL - https://vault.akeyless.io.

  • CLUSTER_NAME - The name of the cluster.

Upon successful deployment, a new Container App will be created, which will hold the Gateway application.

The Gateway is configured using environment variables. For additional available variables, refer to the Advanced Configuration guide.

Mount a Volume in Your Container App

After your Container App is created, follow these steps to add a volume:

Use the following command to export your app's configuration to a YAML file:

az containerapp show \
  --name akeyless-gw-app \
  --resource-group akeyless-gw-rg \
  --out yaml > akeyless-gw-app_deployment.yaml

In the akeyless-gw-app_deployment.yaml, add the volumeMounts section under the container definition:

volumeMounts:
  - volumeName: akeyless-var-log
    mountPath: /var/log/akeyless

In the same file, define the akeyless-var-log volume in the volumes section of the template:

volumes: 
  - name: akeyless-var-log
    storageType: EmptyDir

Save the file and update the Container App with the new configuration using the following command:

az containerapp update --name akeyless-gw-app --resource-group akeyless-gw-rg --yaml akeyless-gw-app_deployment.yaml --output table

The Gateway URL will be available in the Container App resource in the Overview tab, and in the output of the az containerapp create command in the fqdn parameter.
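
A read-back check for the settings applied above, as an added example that is not part of the Akeyless documentation: it queries the deployed app with az containerapp show and compares the ingress mode, target port and akeyless-var-log volume against the values used in this guide, then prints the FQDN. The function names and the APP, RG and EXPECT_INGRESS_EXTERNAL variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Akeyless code): read back the deployed Container App
# and compare it with the values used in this guide's commands.
APP="${APP:-akeyless-gw-app}"   # app and resource group names from this guide
RG="${RG:-akeyless-gw-rg}"
# "true" matches --ingress external as used above; set to "false" if you
# deployed with --ingress internal so the Gateway is not internet-facing.
EXPECT_INGRESS_EXTERNAL="${EXPECT_INGRESS_EXTERNAL:-true}"

# ca_query <JMESPath>: print one field of the Container App as plain text.
ca_query() {
  az containerapp show --name "$APP" --resource-group "$RG" \
    --query "$1" --output tsv
}

# expect_eq <label> <actual> <wanted>: print a result line, return 1 on mismatch.
expect_eq() {
  if [ "$2" = "$3" ]; then
    printf 'OK    %-18s %s\n' "$1" "$2"
  else
    printf 'FAIL  %-18s got "%s", wanted "%s"\n' "$1" "$2" "$3"
    return 1
  fi
}

# check_gateway_app: returns 0 only if every setting matches.
check_gateway_app() {
  rc=0
  # Lower-case the boolean so either spelling (True/true) compares equal.
  external=$(ca_query 'properties.configuration.ingress.external' | tr '[:upper:]' '[:lower:]')
  expect_eq 'ingress external' "$external" "$EXPECT_INGRESS_EXTERNAL" || rc=1
  expect_eq 'target port' \
    "$(ca_query 'properties.configuration.ingress.targetPort')" '8000' || rc=1
  expect_eq 'volume storageType' \
    "$(ca_query "properties.template.volumes[?name=='akeyless-var-log'].storageType | [0]")" \
    'EmptyDir' || rc=1
  expect_eq 'volume mountPath' \
    "$(ca_query "properties.template.containers[0].volumeMounts[?volumeName=='akeyless-var-log'].mountPath | [0]")" \
    '/var/log/akeyless' || rc=1
  printf 'Gateway FQDN: %s\n' "$(ca_query 'properties.configuration.ingress.fqdn')"
  return "$rc"
}
```

Call check_gateway_app after az containerapp update; a non-zero exit status means at least one setting differs from what the guide applies.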

