Running Convier as an App Service on Azure

Summary

Convier runs as a Single Docker Container App Service in Azure. The Docker image is pulled from Convier’s private registry, hosted on Azure. The App Service can be placed in its own subscription and resource group. By default the application writes its configuration to persistent storage attached to the App Service; the potentially sensitive parts of this configuration are encrypted using AES. The application is upgraded automatically when a new version of the Docker image becomes available. The App Service is backed up every hour. The app can be configured to write audit logs to its internal database; this is disabled by default because audit logs contain customer data.

Create enterprise application

Create a single tenant enterprise application, e.g. named Convier Single Tenant, from the Azure portal. Single tenant means the enterprise application can only be used within your organization: only accounts in your own directory can sign in to it.

Under App registrations, API permissions, add the delegated permission User.Read. This allows the app to fetch basic profile information about signed-in users and nothing more; do not grant broader permissions than the app needs.

Under app registrations, App roles, add three roles:

  • Task.Read
  • Task.Manage
  • Task.Audit

Groups (or individual users) can be assigned to the different roles. The only difference between Task.Read and Task.Manage is that Task.Manage can make changes on behalf of other users. Task.Audit is allowed to query the audit log.

If you want to restrict access to Convier to certain users/groups, see the documentation for how to restrict access to the application.

Create a client secret. The Convier app presents it to the identity provider when it exchanges an authorization code for tokens, so it must be kept out of source control and out of the Docker image; it is passed to the app as the OIDC_CLIENT_SECRET setting described under Configuration. Client secrets have an expiry date, so note when the secret expires and plan its rotation.

Create a new subscription

Optionally create a new subscription for the App Service.

Create a resource group

Optionally create a new resource group within the chosen subscription for the App Service.

Create an App Service Plan

Optionally create a new app service plan.

Create the App Service resource

Create a new Web App App Service and assign it to the chosen subscription and resource group. Give the app an appropriate name and use the following configuration:

Basics

  • Publish: Docker Container
  • Operating System: Linux
  • Region: <Choose>
  • Linux plan: <Choose>

Docker

  • Options: Single Container
  • Image Source: Private Registry
  • Server URL: https://build.convier.com:8082
  • Username: <Your username>
  • Password: <Your password>
  • Image and tag: build.convier.com:8082/convier:release

Networking

  • Enable public access: Off

Review and create

Add networking restrictions

To add a layer of security, from the App Service portal add access restrictions that limit which IP addresses (for example your office or VPN egress ranges) can reach the application. Access restrictions are enforced by the App Service front end before a request reaches the container, so they also protect the login flow itself.

Configuration

The Convier app accepts configuration in the form of environment variables, set as App Service application settings. Azure encrypts these settings at rest, but anyone with permission to list the app's configuration (a Contributor on the resource, for example) can still display their values in the portal or with the CLI. For the secret values (OIDC_CLIENT_SECRET, CONFIG_B64_ENCRYPTION_KEY) prefer storing the secret in Azure Key Vault and putting a Key Vault reference in the setting, so the value is resolved by the platform at start-up and the configuration blade only ever shows the reference.

Under Configuration, click Advanced edit and add the following entries. Advanced edit expects a single JSON array; replace the <placeholders> with your values:

  [
    {
      "name": "OIDC_CLIENT_ID",
      "value": "<client id>",
      "slotSetting": false
    },
    {
      "name": "OIDC_CLIENT_SECRET",
      "value": "<client secret>",
      "slotSetting": false
    },
    {
      "name": "OIDC_CONFIGURATION_ENDPOINT",
      "value": "<OpenID Connect metadata document>",
      "slotSetting": false
    },
    {
      "name": "OIDC_ROLE_MANAGE",
      "value": "Task.Manage",
      "slotSetting": false
    },
    {
      "name": "OIDC_ROLE_AUDIT",
      "value": "Task.Audit",
      "slotSetting": false
    },
    {
      "name": "SERVER_PORT",
      "value": "80",
      "slotSetting": false
    },
    {
      "name": "CONFIG_B64_ENCRYPTION_KEY",
      "value": "<32 character random string>",
      "slotSetting": false
    },
    {
      "name": "JDBC_CONNECTION_STRING",
      "value": "jdbc:sqlite:/home/convier.db",
      "slotSetting": false
    },
    {
      "name": "WEBSITES_ENABLE_APP_SERVICE_STORAGE",
      "value": "true",
      "slotSetting": true
    }
  ]
The OpenID Connect scope offline_access makes the identity provider issue a refresh token, which lets users stay logged in without re-authenticating each time the access token expires.

CONFIG_B64_ENCRYPTION_KEY enables encryption of configuration. Its value must be a 32 character random string, generated from a cryptographically secure random source (never a password or a value reused elsewhere). It is the AES key used for symmetric encryption of configuration in the internal database, which by default is a SQLite database stored in the persistent storage. Treat the key as a secret with the same care as the client secret, and keep a copy of it outside the App Service: a backup of the database cannot be read without the key that encrypted it, and changing the key makes previously stored configuration unreadable.

JDBC_CONNECTION_STRING is the full JDBC connection string to the database that holds the configuration and, optionally, the audit logs. The default jdbc:sqlite:/home/convier.db points into the persistent storage. A connection string for an external database may itself contain credentials, so it should be treated as a secret too.

WEBSITES_ENABLE_APP_SERVICE_STORAGE must be set to true, as in the entries above, to enable persistent storage. When enabled, /home is mounted as a persistent store that survives restarts and redeployments. The default SQLite database path lives there, so without this setting the configuration is lost whenever the container is recreated.
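To make the procedure above repeatable, here is an added shell example (not part of the Convier documentation or of the Convier project) that renders the same settings as the JSON array Advanced edit expects, generates the encryption key, refuses to continue if any setting is missing or still a <placeholder>, and applies the result with the Azure CLI together with an IP access restriction. RG, APP and KV are placeholder names for your resource group, app and Key Vault; the secret names convier-client-secret and convier-config-key, the v2.0 metadata URL of your tenant and the use of Key Vault references instead of plain secret values are my assumptions, not something the page prescribes. Key Vault references require the app's managed identity to be allowed to read secrets in that vault.

```shell
#!/bin/sh
# Added example, not Convier's own code: assemble the App Service application
# settings from the section above as the JSON array that the portal's Advanced
# edit (and "az webapp config appsettings set --settings @file") expects,
# generate CONFIG_B64_ENCRYPTION_KEY, and optionally apply with the Azure CLI.
# Assumed placeholders: RG (resource group), APP (app name), KV (Key Vault).
set -eu

# 32 random base64 characters (24 bytes from the kernel CSPRNG) for
# CONFIG_B64_ENCRYPTION_KEY. Never derive this key from a password.
gen_config_key() {
  head -c 24 /dev/urandom | base64 | tr -d '\n'
}

# App Service Key Vault reference (assumed vault/secret names): the platform
# resolves it at start-up and the portal only ever shows the reference.
kv_ref() {
  printf '@Microsoft.KeyVault(VaultName=%s;SecretName=%s)' "$1" "$2"
}

# One {"name","value","slotSetting"} object. Values must not contain quotes.
setting() {
  printf '  {"name": "%s", "value": "%s", "slotSetting": %s}' "$1" "$2" "$3"
}

# Render the complete settings array.
#   $1 client id              $2 client secret (plain or kv_ref)
#   $3 OIDC metadata URL      $4 config key (plain or kv_ref)
#   $5 JDBC connection string
build_settings() {
  printf '[\n'
  setting OIDC_CLIENT_ID "$1" false;                     printf ',\n'
  setting OIDC_CLIENT_SECRET "$2" false;                 printf ',\n'
  setting OIDC_CONFIGURATION_ENDPOINT "$3" false;        printf ',\n'
  setting OIDC_ROLE_MANAGE Task.Manage false;            printf ',\n'
  setting OIDC_ROLE_AUDIT Task.Audit false;              printf ',\n'
  setting SERVER_PORT 80 false;                          printf ',\n'
  setting CONFIG_B64_ENCRYPTION_KEY "$4" false;          printf ',\n'
  setting JDBC_CONNECTION_STRING "$5" false;             printf ',\n'
  setting WEBSITES_ENABLE_APP_SERVICE_STORAGE true true; printf '\n]\n'
}

REQUIRED="OIDC_CLIENT_ID OIDC_CLIENT_SECRET OIDC_CONFIGURATION_ENDPOINT \
OIDC_ROLE_MANAGE OIDC_ROLE_AUDIT SERVER_PORT CONFIG_B64_ENCRYPTION_KEY \
JDBC_CONNECTION_STRING WEBSITES_ENABLE_APP_SERVICE_STORAGE"

# Fail if a required setting is missing or a <placeholder> was left in, so a
# half-filled file never reaches the app (it would start, but sign-in would fail).
check_settings() {
  for name in $REQUIRED; do
    printf '%s' "$1" | grep -q "\"name\": \"$name\"" \
      || { echo "missing setting: $name" >&2; return 1; }
  done
  if printf '%s' "$1" | grep -q '"value": "<'; then
    echo "placeholder value left in settings" >&2
    return 1
  fi
  return 0
}

# Apply: store the key in Key Vault, write and push the settings, then restrict
# inbound traffic to one CIDR. Usage:
#   sh convier-settings.sh apply <tenant-id> <client-id> <allowed-cidr>
apply() {
  tenant=$1; client_id=$2; cidr=$3
  metadata="https://login.microsoftonline.com/$tenant/v2.0/.well-known/openid-configuration"
  key=$(gen_config_key)
  az keyvault secret set --vault-name KV --name convier-config-key --value "$key" >/dev/null
  build_settings "$client_id" "$(kv_ref KV convier-client-secret)" "$metadata" \
    "$(kv_ref KV convier-config-key)" "jdbc:sqlite:/home/convier.db" > settings.json
  check_settings "$(cat settings.json)"
  az webapp config appsettings set -g RG -n APP --settings @settings.json >/dev/null
  az webapp config access-restriction add -g RG -n APP --rule-name allowed \
    --action Allow --ip-address "$cidr" --priority 100 >/dev/null
  echo "applied; keep a copy of the config key outside the App Service"
}

if [ "${1:-}" = apply ]; then
  apply "$2" "$3" "$4"
fi
```

The client secret is expected to already exist in the vault as convier-client-secret; only references to the two secrets end up in settings.json, so the file can be kept with the deployment scripts. The access restriction is added last so that the app is reachable only from the given range as soon as the settings are live.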

Configuration

Configuration tells the system which sources to connect to and how data should be presented, linked and monitored. It can contain sensitive data in the form of credentials for APIs and databases. Configuration is encrypted using AES, with the key given in CONFIG_B64_ENCRYPTION_KEY, before being stored, and credentials are never sent to clients.

Audit logs

Audit logs contain information about which user accessed which data and which configuration changes were made. Because audit logs need to be searchable, their contents are not encrypted: whoever can read the database file, or a backup of it, can read the audit log in clear text.

Audit logs are disabled by default to avoid storing sensitive data unless it is absolutely necessary.

Upgrading

The App Service regularly checks the Docker registry for a new version of the image (optionally into a deployment slot first). When a new version is found, the system is upgraded automatically. Because the tag release is mutable, each upgrade deploys whatever the registry currently serves under that tag; record the image digest after an upgrade if you need to know exactly which build is running.

Logging

Service logs

Service logs are available through the Azure portal under App Service logs. Enable Application logging there to capture the container's output.

Audit logs

As audit logs contain sensitive information, they are disabled by default. When enabled, they are written to the database given by JDBC_CONNECTION_STRING and can be queried by users holding the Task.Audit role.

Backup / Restore

The App Service storage, which by default contains the app configuration, is automatically backed up every hour. Backups can be restored from the Azure portal. Note that a restored backup contains the encrypted configuration, which is only readable with the CONFIG_B64_ENCRYPTION_KEY in use when it was written, and any enabled audit logs in clear text, so protect backups like the database itself. If configuration is stored in another database, that database needs its own backup/restore configuration.