Azure (AKS)

The fastest path to a running Scrydon install on Azure Kubernetes Service via Helm, with the Azure-specific networking notes that trip people up.

Two ways to run Scrydon on Azure:

  • Azure Marketplace — Portal-native, one-click, automatic upgrades, no Helm CLI or registry credentials. Use this unless you need custom Helm values.
  • Helm on AKS (this page) — full control over chart values. Follow the five steps below; for every override the chart exposes, see the Helm reference.

Before you start

  • An AKS cluster running Kubernetes 1.28+ with kubectl access.
  • A license bundle from Scrydon — { "jwt": "…", "publicKey": "…" } JSON.
  • Registry credentials for scrydonops.azurecr.io (the ACR token name + value from your account team).
  • A single DNS name pointing at your ingress (e.g. app.example.com).

Full sizing and checklist: Prerequisites.

Step 1: Log in to the registry

helm registry login scrydonops.azurecr.io --username <acr-token-name>
# (paste the token value at the password prompt)

Step 2: Create the namespace and pull secret

By default the chart deploys every service into one namespace, scrydon-platform:

kubectl create namespace scrydon-platform 2>/dev/null || true
kubectl create secret docker-registry scrydon-registry \
  --namespace scrydon-platform \
  --docker-server=scrydonops.azurecr.io \
  --docker-username=<acr-token-name> \
  --docker-password=<acr-token-password>

Splitting services across namespaces is opt-in via namespaces.* (see the Helm reference). If you do, create the same pull secret in each namespace you target.

Step 3: Write values.customer.yaml

The Azure-specific value is global.storageClass (managed-csi, or managed-csi-premium for higher IOPS). If an Application Gateway terminates TLS in front of the cluster, keep ingress.tls.enabled: true — the browser still uses HTTPS, so the public URL scheme, CORS, and secure cookies must reflect that even though App Gateway forwards plain HTTP to Traefik.

# Replace REPLACE-WITH-* with values you generate. Keep this file out of source control.

global:
  imageRegistry: scrydonops.azurecr.io  # pull images from the ACR you logged into
  imagePullSecrets:
    - name: scrydon-registry            # from Step 2
  storageClass: managed-csi             # or managed-csi-premium

routing:
  host: app.example.com               # the hostname your DNS points at

ingress:
  tls:
    enabled: true                     # browser reaches Scrydon over HTTPS (true even behind App Gateway)

# Secrets — generate fresh per deployment.
infra:
  db:
    credentials:
      password: REPLACE-WITH-DB-PASSWORD          # openssl rand -hex 16
auth:
  secrets:
    AUTH_SECRET: REPLACE-WITH-AUTH-SECRET         # openssl rand -hex 32
apiTable:
  secrets:
    STARROCKS_PASSWORD: REPLACE-WITH-STARROCKS-PW # openssl rand -hex 24
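
An added example (not part of the Scrydon chart or its tooling): a script that fills the three placeholders in the values file above with fresh random values and checks the file before it is passed to helm install. The function names rand_hex, fill_secrets and check_values are hypothetical, and secrets are handed to awk through the environment rather than on the command line, so they do not appear in process listings.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names): prepare values.customer.yaml from Step 3.

# rand_hex N: N random bytes as hex, like `openssl rand -hex N` in the file's comments.
rand_hex() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -hex "$1"
  else  # assumption: fall back to the kernel CSPRNG when openssl is absent
    head -c "$1" /dev/urandom | od -An -v -tx1 | tr -d ' \n'
  fi
}

# fill_secrets FILE: swap the three placeholders for fresh values; FILE ends up 0600.
fill_secrets() {
  local f="$1" tmp
  tmp=$(mktemp "$f.XXXXXX") || return 1   # mktemp creates the file owner-only
  # Values reach awk via its environment, not argv.
  DB=$(rand_hex 16) AUTH=$(rand_hex 32) SR=$(rand_hex 24) awk '
    { sub(/REPLACE-WITH-DB-PASSWORD/,  ENVIRON["DB"])
      sub(/REPLACE-WITH-AUTH-SECRET/,  ENVIRON["AUTH"])
      sub(/REPLACE-WITH-STARROCKS-PW/, ENVIRON["SR"]); print }' "$f" >"$tmp" \
    && mv "$tmp" "$f" || { rm -f "$tmp"; return 1; }
}

# check_values FILE: 0 when FILE is fit for `helm install -f`, else 1 (reasons on stderr).
check_values() {
  local f="$1" rc=0
  # Skip comment lines: the header comment itself mentions REPLACE-WITH-*.
  if grep -v '^[[:space:]]*#' "$f" | grep -q 'REPLACE-WITH-'; then
    echo "$f: placeholder secret still present" >&2; rc=1
  fi
  # Group and other permission bits must all be clear.
  if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
    echo "$f: readable beyond owner, run chmod 600" >&2; rc=1
  fi
  # The file must not be tracked by git.
  if git -C "$(dirname "$f")" ls-files --error-unmatch "$(basename "$f")" >/dev/null 2>&1; then
    echo "$f: tracked by git" >&2; rc=1
  fi
  return $rc
}

# Usage: fill_secrets values.customer.yaml && check_values values.customer.yaml
```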

Step 4: Install

helm install scrydon oci://scrydonops.azurecr.io/scrydon/charts/scrydon \
  --version <version> \
  --namespace scrydon-platform \
  -f values.customer.yaml \
  --wait

Step 5: Run the setup wizard

Open https://app.example.com/platform/setup and complete the five steps — paste the { jwt, publicKey } bundle, create the admin account, name your organization, configure email (or skip), finish. Then sign in at https://app.example.com/. Details: Helm → Run the setup wizard.

Azure specifics

  • Storage class: managed-csi (Step 3), or managed-csi-premium for higher IOPS.
  • Ingress behind Application Gateway — App Gateway terminates TLS and forwards plain HTTP to Traefik. Set ingress.tls.enabled: true (done in Step 3) and trust the App Gateway subnet via trustedIPs. This trips everyone up — the full playbook is in TLS Offloading.
  • Database — the bundled Postgres works out of the box; or point at Azure Database for PostgreSQL via BYO Database.

All options

Everything beyond this minimal path — routing modes, BYO StarRocks, pod scheduling, low-resource trims, an existing Dapr control plane, and day-2 operations — lives in the Helm reference.
