Microsoft Azure Blob Storage

  • 9 minute(s) read
Prev Next

Overview

This guide will walk you through the following steps:

  • Configuring Microsoft Azure Storage as your storage provider

  • Creating a Maverics environment to publish config to Microsoft Azure Storage

  • Deploying an orchestrator to read the config in Microsoft Azure Storage

Prerequisites

  • An active Microsoft Azure account with permissions to create and manage storage accounts,  containers and generate a SAS token.

  • Permissions in your host environment install the orchestrator service

Configure storage provider

You will utilize Microsoft Azure’s blob storage containers to publish configurations from the Maverics Console, which your orchestrators will access. The Maverics Console must have permissions to both read and write to the storage container, while the orchestrators will need read-only access.

  1. Create a Storage Account:

    • Navigate to the Azure portal and create a new storage account if you haven't already.

  2. Create a Container:

    • Within your storage account, go to the "Containers" section and create a new container.

  3. Generate SAS a token for the Maverics Console

    Click to enlarge

    • On the containter, right click or select the three dots and choose Generate SAS token

    • Signing method: select Account key

    • Signing key: select Key 1

    • Permissions: select Create, Add, and Write

    • Start and expiry date/time: Move the expiration date out to a longer time frame at your discretion. The default is eight hours.

    • Click Generate SAS token and URL, copy the Blob SAS token value, store it in a safe place as you use it in the next section.

  4. Generate a SAS token for your Orchestrators

    • Signing method: select Account key

    • Signing key: select Key 1

    • Permissions: select List and Read

    • Start and expiry date/time: Move the expiration date out to a longer time frame at your discretion. The default is eight hours.

    • Click Generate SAS token and URL, copy the Blob SAS token value, store it in a safe place as you use it in the next section.

Maverics Console Configuration Storage

  1. Go to Deployments.

  2. Next to Configuration Storage, click Edit.

  3. From the dropdown menu, select Microsoft Azure Blob Storage.

Click to enlarge

You will need to enter the following information:

Field

Description

Storage account name

The unique name of the storage account you've created in Azure.

Container name

The name of the container in your storage account.

SAS token

A shared access signature (SAS) is a URI that grants restricted access to an Azure Storage container.

Optional:
Configuration file path

The path within the blob storage that your configuration file will be uploaded to. Do not include any leading forward slashes (/) or the file name in this path. Ensure that this path exists in the blob storage prior to deploying.

Orchestrator Remote Config

Refer to the Windows (Silent Install) article for details on system requirements, installation procedures, updates, and uninstallation.

If you are using the silent install process and the Windows machine will connect directly to a Maverics cloud environment, use the following PowerShell script as a template and update the configuration values as required:

# Set the configuration values
# Download MAVERICS_BUNDLE_PUBLIC_KEY_FILE your Maverics deployment
ownlo$RegistryPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\mavericsSvc'
$Name         = 'Environment'
$Value        = @('MAVERICS_HTTP_ADDRESS=127.0.0.1:8888',
                'MAVERICS_POLLING_INTERVAL_SECONDS=30',
                'MAVERICS_RELOAD_CONFIG=true',
                'MAVERICS_AZURE_CONFIG={"token": "sp=r&st=2023-03-31T02:31:53Z&se=2023-07-14T10:31:53Z&spr=https&sv=2021-12-02&sr=c&sig=xxxxyxxxxxxxxx", "account": "exampleStorage", "container": "exampleContainer", "configurationFilePath": "folder1/folder2"}',
                'MAVERICS_BUNDLE_PUBLIC_KEY_FILE=C:\config\public_key.pem',
                'MAVERICS_CONFIGURATION_TYPE=1',
                'MAVERICS_REMOTE_CONFIG_TYPE=AZURE')

# Create the relevant registry path if the Orchestrator MSI has not yet been installed
If (-NOT (Test-Path $RegistryPath)) {
  New-Item -Path $RegistryPath -Force | Out-Null
}

# Update the Environment
New-ItemProperty -Path $RegistryPath -Name $Name -Value $Value -Type MultiString -Force

The Orchestrator is compatible with Red Hat Linux and Ubuntu. Refer to the Linux install article for details on system requirements, installation procedures, updates, and uninstallation.

  1. Create a maverics.env file using a text editor in the directory where you downloaded and unzipped the orchestrator binary.

  2. Replace the bracketed placeholders with files and values needed for your environment. 

# MAVERICS_DEBUG_MODE: Enables or disables debug mode for Maverics.
# When set to true, additional debug information will be logged.
MAVERICS_DEBUG_MODE=true

# MAVERICS_HTTP_ADDRESS: Specifies the HTTP address and port for the Maverics server to listen on.
# Example: :443 or :8443
MAVERICS_HTTP_ADDRESS=:443

# MAVERICS_TLS_SERVER_CERT_FILE: Path or secret key name to the TLS server certificate file.
# This is used to enable HTTPS for the Maverics server.
MAVERICS_TLS_SERVER_CERT_FILE=your-cert.pem

# MAVERICS_TLS_SERVER_KEY_FILE: Path to the TLS server private key file.
# This is used in conjunction with the server certificate to enable HTTPS.
MAVERICS_TLS_SERVER_KEY_FILE=your-private_key.pem

# MAVERICS_RELOAD_CONFIG: This is required when deploying config from Maverics to your storage provider.
# When set to true, the configuration file will be reloaded automatically when changes are detected.
MAVERICS_RELOAD_CONFIG=true

# MAVERICS_POLLING_INTERVAL_SECONDS: Specifies the interval, in seconds, at which the configuration file is polled for changes.
MAVERICS_POLLING_INTERVAL_SECONDS=30

# MAVERICS_BUNDLE_PUBLIC_KEY_FILE: Path to the public key file used for verifying signed bundles.
# Download this public key file from your Maverics deployment.
MAVERICS_BUNDLE_PUBLIC_KEY_FILE=./public_key.pem

# MAVERICS_AZURE_CONFIG: JSON string containing AWS configuration details.
# Includes region, bucket name, access key ID, secret access key, and (optional) configuration file path.
MAVERICS_AZURE_CONFIG='{"token": "sp=r&st=2023-03-31T02:31:53Z&se=2023-07-14T10:31:53Z&spr=https&sv=2021-12-02&sr=c&sig=xxxxyxxxxxxxxx", "account": "exampleStorage", "container": "exampleContainer", "configurationFilePath": "folder1/folder2"}'

Refer to the Docker install article for details on system requirements, installation procedures, updates, and uninstallation.

  1. Create a maverics.env using a text editor and save it to a working directory.

  2. Replace the bracketed placeholders with files and values needed for your environment. 

# MAVERICS_DEBUG_MODE: Enables or disables debug mode for Maverics.
# When set to true, additional debug information will be logged.
export MAVERICS_DEBUG_MODE=true

# MAVERICS_HTTP_ADDRESS: Specifies the HTTP address and port for the Maverics server to listen on.
# Example: :443 or :8443
export MAVERICS_HTTP_ADDRESS=:443

# MAVERICS_TLS_SERVER_CERT_FILE: Path or secret key name to the TLS server certificate file.
# This is used to enable HTTPS for the Maverics server.
export MAVERICS_TLS_SERVER_CERT_FILE=your_cert.pem

# MAVERICS_TLS_SERVER_KEY_FILE: Path to the TLS server private key file.
# This is used in conjunction with the server certificate to enable HTTPS.

export MAVERICS_TLS_SERVER_KEY_FILE=your_private_key.pem

# MAVERICS_RELOAD_CONFIG: This is required when deploying config from Maverics to your storage provider.
# When set to true, the configuration file will be reloaded automatically when changes are detected.
export MAVERICS_RELOAD_CONFIG=true

# MAVERICS_POLLING_INTERVAL_SECONDS: Specifies the interval, in seconds, at which the configuration file is polled for changes.
export MAVERICS_POLLING_INTERVAL_SECONDS=30

# MAVERICS_BUNDLE_PUBLIC_KEY_FILE: Path to the public key file used for verifying signed bundles.
# Download this public key file from your Maverics deployment.
export MAVERICS_BUNDLE_PUBLIC_KEY_FILE=./public_key.pem

# MAVERICS_AWS_CONFIG: JSON string containing AWS configuration details.
# Includes region, bucket name, access key ID, secret access key, and (optional) configuration file path.
export MAVERICS_AWS_CONFIG='MAVERICS_AZURE_CONFIG='{"token": "sp=r&st=2023-03-31T02:31:53Z&se=2023-07-14T10:31:53Z&spr=https&sv=2021-12-02&sr=c&sig=xxxxyxxxxxxxxx", "account": "exampleStorage", "container": "exampleContainer", "configurationFilePath": "folder1/folder2"}''

The Mac OS Orchestrator should only be used for development purposes only.

Refer to the Mac OS install article for details on system requirements, installation procedures, updates, and uninstallation.

  1. Create a maverics.env using a text editor and save it to a working directory.

  2. Replace the bracketed placeholders with files and values needed for your environment. 

# MAVERICS_DEBUG_MODE: Enables or disables debug mode for Maverics.
# When set to true, additional debug information will be logged.
export MAVERICS_DEBUG_MODE=true

# MAVERICS_HTTP_ADDRESS: Specifies the HTTP address and port for the Maverics server to listen on.
# Example: :443 or :8443
export MAVERICS_HTTP_ADDRESS=:443

# MAVERICS_TLS_SERVER_CERT_FILE: Path or secret key name to the TLS server certificate file.
# This is used to enable HTTPS for the Maverics server.
export MAVERICS_TLS_SERVER_CERT_FILE=your-cert.pem

# MAVERICS_TLS_SERVER_KEY_FILE: Path to the TLS server private key file.
# This is used in conjunction with the server certificate to enable HTTPS.
export MAVERICS_TLS_SERVER_KEY_FILE=your-private_key.pem

# MAVERICS_RELOAD_CONFIG: This is required when deploying config from Maverics to your storage provider.
# When set to true, the configuration file will be reloaded automatically when changes are detected.
export MAVERICS_RELOAD_CONFIG=true

# MAVERICS_POLLING_INTERVAL_SECONDS: Specifies the interval, in seconds, at which the configuration file is polled for changes.
export MAVERICS_POLLING_INTERVAL_SECONDS=30

# MAVERICS_BUNDLE_PUBLIC_KEY_FILE: Path to the public key file used for verifying signed bundles.
# Download this public key file from your Maverics deployment.
export MAVERICS_BUNDLE_PUBLIC_KEY_FILE=./public_key.pem

# MAVERICS_AWS_CONFIG: JSON string containing AWS configuration details.
# Includes region, bucket name, access key ID, secret access key, and (optional) configuration file path.
export MAVERICS_AWS_CONFIG='MAVERICS_AZURE_CONFIG='{"token": "sp=r&st=2023-03-31T02:31:53Z&se=2023-07-14T10:31:53Z&spr=https&sv=2021-12-02&sr=c&sig=xxxxyxxxxxxxxx", "account": "exampleStorage", "container": "exampleContainer", "configurationFilePath": "folder1/folder2"}'

Refer to the Windows MSI Installer article for details on system requirements, installation procedures, updates, and uninstallation.

The Windows MSI installer prompts you for the environment details as part of the installation process:

  1. After starting the MSI installer, click next until you get to the Select a configuration source step.

  2. Accept the default Maverics Cloud, and then click Next.

  3. Select Azure.

  4. Edit the JSON replacing the placeholder values with the actual values from previous steps. 

{
  "account": "exampleStorage",
  "container": "exampleContainer",
  "token": "sp=r&st=2023-03-31T02:31:53Z&se=2023-07-14T10:31:53Z&spr=https&sv=2021-12-02&sr=c&sig=xxxxyxxxxxxxxx",
  "configurationFilePath": "folder1/folder2"
}

  1. When you are done click Next to proceed to the Bundle public key file selection.

    Configuration Bundle Signing

    Configuration bundles published by the Maverics platform are signed to ensure data integrity. The orchestrator cannot load a published bundle without validating the configuration file signatures against the public key for the specific configuration deployment.

  2. In Maverics Console go to Deployments and open the deployment you created before, scroll to the Host Environment section and download the public key.

  3. In the MSI installer, click Change… navigate to the downloaded public key and click open. Click Next

  4. In the next screen choose the IP address, port and TLS settings for the orchestrator. Click Next and Install. If there are no install errors the orchestrator is receiving configuration from Azure.

  5. To verify you can view Maverics logs in the Event Viewer

    • Start→Search for Event Viewer

    • Go to Windows logs → Application

    • Maverics Event ...level=info msg="loaded config 'maverics.tar.gz' from Azure"

Start orchestrator on the host

The Windows installation configures the orchestrator service to auto-start after all other services have started.

  1. In Terminal navigate to the directory where you downloaded and unzipped the orchestrator binary.

  2. Run the following command replacing with paths to the orchestrator binary.
    sudo systemctl start maverics

To start the Orchestrator container, use the docker run command. For example:

docker run --publish 443:8443 \
  --volume /opt/maverics:/etc/maverics \
  --env-file /opt/maverics/maverics.env \
  --name orchestrator maverics_base:0.18.10

The example command above illustrates the following options:

  • --publish (or -p) maps port 8443 on the container to port 443 on the host

  • --volume (or -v) bind mounts the hosts /opt/maverics/ directory to /etc/maverics in the container

  • --env-file sources environment variables from a maverics.env file for the orchestrator process

  • --name (optional) provides an explicit name for the container instance

  • maverics_base:0.18.10 specifies the image name and release number of the container

Paths, port addresses, names, versions, and other settings will vary depending on your use case. Information on all options can be found in the docker run reference documentation.

  1. In Terminal navigate to the directory where you downloaded and unzipped the orchestrator binary.

  2. Run the following command replacing with paths to the orchestrator binary.

source ./maverics.env  && ./maverics_darwin_ARM64

Troubleshooting

  • What do I do if orchestrator fails to start with an error message “…level=error msg="failed to instantiate config provider: unable to read file 'public_key.pem' specified in 'MAVERICS_BUNDLE_PUBLIC_KEY_FILE': open public_key.pem: no such file or directory" ?

    • Configuration bundles published by the Maverics platform are signed to ensure data integrity. The orchestrator cannot load the public key associated with your deployment. In the host environment configuration check that the file path is correct.

  • What do I do if the orchestrator fails to start with the error message "level=error msg="failed to load configuration: unable to unbundle 'maverics.tar.gz' config from <storage provider>: bundle signature verification failed: signature verification failed: go-jose/go-jose: error in cryptographic primitive" ?

    • In this case, the signature verification failed. The configuration bundle signature did not match with the public key used to start the orchestrator. Get the Deployment, scroll down to the Host Environment section, download the Public Key, and update the path in your host environment to the new file.

Related articles