Azure Container App
Simple Deployment with Azure Container App
Overview
This guide provides step-by-step instructions to publish Keeper Automator to the Azure Container App service. This provides a simple and straightforward way to host the Automator service in the cloud.
For environments such as Azure Government, GCC High and DoD, use the Azure App Services method, since the Azure Container App service may not be available in those regions.
(1) Create an Automator Config key
Open a command line interface and generate a 256-bit AES key in URL-encoded format using one of the methods below, depending on your operating system:
Generate a Key
Save the resulting value produced by this command for Step (3).
(2) Create a Container App
From Azure, create a new Container App.
Select or create a new Resource Group
Set the Container App Name to "keeperautomator" or whatever you prefer
Select "Container Image" as the Deployment Source
Select the region where you would like the service hosted
Create a new Apps Environment or select an existing environment
Click
Next : Container >
(3) Setup Container Details
In the "Container" step, make the following selections:
Uncheck the "Use quickstart image"
Select "Docker Hub or other registries"
Select "Public"
Select Registry login server as
docker.io
Set the Image and tag as
keeper/automator:latest
Skip to "Container resource allocation"
For CPU and Memory, 0.5 CPU cores and 1Gi memory is sufficient, but this can be updated based on your volume of new device logins.
Create an environment variable called
AUTOMATOR_CONFIG_KEY
with the value from Step 1 above of the setup guide.Create an environment variable called
AUTOMATOR_PORT
with the value of8089
Create an environment variable called
SSL_MODE
with the value ofnone
Click "Next : Ingress >"
(4) Ingress Setup
On the Ingress setup screen, select the following:
Enable
IngressIngress traffic
Accepting traffic from anywhere
(we'll modify this in a later step)Ingress type
HTTP
Target port set to
8089
(5) Create Container App
Click "Review + Create" and then click "Create"
After a few minutes, the container app will be created and automatically start up.
Clicking on "Go to Resource" will take you to the container environment.
(6) Customize the Ingress Setup
To restrict communications to the Keeper Automator service, click on the "Ingress" link on the left side of the screen under the "Settings" section
Click on "Ingress"
Select "Allow traffic from IPs configured below, deny all other traffic"
Click "Add" to add two of Keeper's IPs and any of your IPs required for testing the service.
Click Save
Keeper Tenant Region | IP1 | IP2 |
---|---|---|
US | 54.208.20.102/32 | 34.203.159.189/32 |
US GovCloud | 18.252.135.74/32 | 18.253.212.59/32 |
EU | 52.210.163.45/32 | 54.246.185.95/32 |
AU | 3.106.40.41/32 | 54.206.208.132/32 |
CA | 35.182.216.11/32 | 15.223.136.134/32 |
JP | 54.150.11.204/32 | 52.68.53.105/32 |
If you want to be able to run a health check, then consider adding your own IP address. Find your IP address at https://checkip.amazonaws.com
(7) Set up Scaling, Health Probes and Volume Mount
In order to prevent Azure from downscaling to zero instances, it's important to set the minimum number of instances to 1.
Navigate to the "Containers" section under the "Application"
Click on the "Edit and deploy" section at the top and then navigate to the Scale section. Set the Min and Max replica to "1"
Next, click on the "Container" tab
Click on the container name link, in this case "keeperautomator" at the bottom
Navigate to Health Probes and enter the following under each section:
Under "Liveness probes":
Enable liveness probes
Transport:
HTTP
Path:
/health
Port:
8089
Initial delay seconds:
5
Period seconds:
30
Under "Startup probes":
Enable startup probes
Transport:
HTTP
Path:
/health
Port:
8089
Initial delay seconds:
5
Period seconds:
30
Under "Volume Mounts":
Select "Create new volume"
Add volume type
automatordata
Add Mount Path as
/usr/mybin/config
Finish the configuration
Click on
Save
Then click on
Create
to build the new configurationAfter a few minutes, the new containers should start up
(8) Retrieve the Application URL
From the Overview section of the Container App, on the right side is the "Application URL" that was assigned. Copy this and use this Application URL in the next step.
For example, https://craigautomator1.xyx-1234.azurecontainerapps.io
(9) Login to Keeper Commander
Keeper Commander is required to perform the final step of Automator configuration. This can be run from anywhere, it does not need to be installed on the server.
On your workstation or server, install Keeper Commander CLI. The installation instructions including binary installers are here:
https://docs.keeper.io/secrets-manager/commander-cli/commander-installation-setup
After Commander is installed, launch Keeper Commander, or from an existing terminal you can type keeper shell
to open the session, then login using the login
command. In order to set up Automator, you must login as a Keeper Administrator, or an Admin with the ability to manage the SSO node.
(10) Create the Automator
Create the Automator using a series of commands, starting with automator create
The Node Name (in this case "Azure Cloud") comes from the Admin Console UI as seen below.
The output of the command will display the Automator settings, including metadata from the identity provider.
Note that the "URL" is not populated yet. This is the Application URL from Step 8.
Run the "automator edit" command as displayed below, which sets the URL and also sets up the skills (team
, team_for_user
and device
).
Next we exchange keys: The enterprise private key encrypted with the Automator public key is provided to Automator:
Initialize the Automator with the new configuration
Enable the service
At this point, the configuration is complete.
For external health checks, you can use the below URL:
https://<server>/health
Example curl
command:
Testing the User Experience
Now that Keeper Automator is deployed, you can test the end-user experience. No prompts for approval will be required after the user authenticates with the SSO identity provider.
The easiest way to test is to open an incognito mode window to the Keeper Web Vault and login with SSO Cloud. You will not be prompted for device approval.
Advanced
Azure Container Apps have many advanced capabilities that are beyond the scope of this documentation. A few of the capabilities are provided below.
Scaling with Multiple Containers
If you would like to have multiple containers running the Keeper Automator service:
Click on "Scale and replicas"
Click "Edit and deploy"
Click on the "Scale" tab
Select the min and max number of containers. The minimum should be at least 1.
Click Create
After a minute, the new version will deploy
Run
automator setup xxx
multiple times (one for each container)Run
automator init xxx
multiple times (one for each container)
Logging
The Keeper Automator logs can be viewed and monitored using the "Console" or "Log stream" section.
For example, to tail the log file of a running Automator service:
Click on Console
Select "/bin/sh"
Click Connect
At the prompt, type:
tail -f logs/keeper-automator.log
Advanced Settings
Environment variables can be passed into the Container to turn on/off features of the runtime environment. The variables with their description can be found at the Advanced Settings page.
Last updated