Documentation Index
Fetch the complete documentation index at: https://docs.definite.app/llms.txt
Use this file to discover all available pages before exploring further.
This install path has not been fully validated end to end. The shape below is the same one customers have run on AWS and GCP, and the on-prem CLI ships an Azure-aware config.yaml schema and an Azure example. The guide is preliminary; we have not yet completed a clean-room Azure install. If you want to be a design partner for the Azure path, reach out to hello@definite.app and we’ll work the install with you. What you’ll create
| Resource | Notes |
|---|
| Resource group | Holds the AKS cluster, database, storage account, and networking |
| Virtual network + subnet | Subnet for AKS nodes; private endpoints for Postgres and Blob recommended |
| AKS cluster | Kubernetes 1.28+ |
| Azure Database for PostgreSQL (Flexible Server) | Postgres 15+, private access |
| Azure Storage Account + Blob container | Lakehouse data |
| Azure AD app (optional) | For OIDC SSO via Entra ID |
Prerequisites
Azure access
A subscription where you have permission to create AKS, Postgres Flexible Server, and Storage Accounts. The az CLI must be authenticated (az login) and the subscription set (az account set --subscription <your-subscription-id>).
Local tooling
Install the following on the machine you’ll run az and definite from:| Tool | Version | Check |
|---|
az | recent | az version |
kubectl | 1.28+ | kubectl version --client |
helm | 3.12+ | helm version |
LLM access
Decide which LLM provider Fi will use. Azure OpenAI is the most common choice for Azure deployments because it lives in the same subscription. Anthropic, Bedrock, and Vertex are also supported. If you go with Azure OpenAI, make sure you’ve requested model access and created a deployment (the URL is your llm.endpoint).
Phase 1: Provision Azure infrastructure
Set up shared env vars first:
export RG="<your-resource-group>"
export LOCATION="<your-region>" # e.g. eastus
export CLUSTER_NAME="<your-cluster-name>" # e.g. definite
export PG_NAME="<your-pg-server>" # e.g. acme-pg
export PG_USER="definite"
export STORAGE_ACCOUNT="<your-storage-acct>" # lowercase, 3-24 chars
export BLOB_CONTAINER="definite"
1. Create the resource group
az group create --name "$RG" --location "$LOCATION"
2. Create the AKS cluster
az aks create \
--resource-group "$RG" \
--name "$CLUSTER_NAME" \
--node-count 3 \
--enable-managed-identity \
--generate-ssh-keys
az aks get-credentials --resource-group "$RG" --name "$CLUSTER_NAME"
kubectl get nodes
3. Create Azure Database for PostgreSQL (Flexible Server)
az postgres flexible-server create \
--resource-group "$RG" \
--name "$PG_NAME" \
--location "$LOCATION" \
--version 15 \
--admin-user "$PG_USER" \
--admin-password "<your-postgres-password>" \
--tier GeneralPurpose \
--sku-name Standard_D2ds_v4
az postgres flexible-server db create \
--resource-group "$RG" \
--server-name "$PG_NAME" \
--database-name definite
4. Create a Storage Account + Blob container
az storage account create \
--resource-group "$RG" \
--name "$STORAGE_ACCOUNT" \
--location "$LOCATION" \
--sku Standard_LRS \
--kind StorageV2 \
--allow-blob-public-access false
# Grab a storage account key (the lakehouse uses a single shared key, not an
# HMAC pair like S3/GCS).
STORAGE_KEY=$(az storage account keys list \
--resource-group "$RG" \
--account-name "$STORAGE_ACCOUNT" \
--query '[0].value' --output tsv)
az storage container create \
--account-name "$STORAGE_ACCOUNT" \
--name "$BLOB_CONTAINER" \
--account-key "$STORAGE_KEY"
5. (If using Entra ID SSO) Register an app
Create an Azure AD app for OIDC, set https://<your-hostname>/auth/callback as a redirect URI, and create a client secret. You’ll plug the tenant ID, client ID, and client secret into auth.mode: oidc in config.yaml.
Phase 2: Install Definite with the definite CLI
1. Install the CLI
curl -fsSL https://storage.googleapis.com/definite-public/definite-onprem/install.sh | sh
definite version
2. Bootstrap cluster prerequisites
definite bootstrap --acme-email you@yourcompany.com
letsencrypt-prod ClusterIssuer, and the agent-sandbox CRDs the Fi runtime needs.
3. Discover the load balancer IP
kubectl get svc ingress-nginx-controller -n ingress-nginx \
-o jsonpath='{.status.loadBalancer.ingress[0].ip}'
nip.io host for demos, or create an A record in your DNS provider pointing your chosen hostname at it.
4. Build config.yaml
Start from the AKS example in the repo: examples/minimal-aks.yaml. The shape:
deployment:
name: definite
namespace: definite
hostname: <your-hostname>
tls: cert_manager
postgres:
url: postgres://definite:${POSTGRES_PASSWORD}@<pg-server>.postgres.database.azure.com:5432/definite
object_store:
type: azure
account: <your-storage-account>
container: definite
credentials:
env: AZURE_STORAGE_KEY
lakehouse:
prefix: lake/
storage:
size: 50Gi
storage_class_name: managed-csi-premium
auth:
mode: oidc # or `local` for username/password auth
issuer: https://login.microsoftonline.com/<your-tenant-id>/v2.0
client_id: <your-azure-ad-client-id>
client_secret:
env: OIDC_CLIENT_SECRET
llm:
provider: azure_openai
endpoint: https://<your-aoai-resource>.openai.azure.com
deployment: <your-aoai-deployment>
api_key:
env: AZURE_OPENAI_API_KEY
resources:
api:
replicas: 2
cpu: "1"
memory: 2Gi
lakehouse:
replicas: 1
cpu: "4"
memory: 16Gi
Azure uses a single shared storage key (not an HMAC pair). Pull it from the Storage Account’s “Access keys” blade, or via az storage account keys list as shown above.
5. Export secrets
export POSTGRES_PASSWORD="<your-postgres-password>"
export AZURE_STORAGE_KEY="<storage-key-from-step-4>"
export AZURE_OPENAI_API_KEY="<your-aoai-api-key>"
export OIDC_CLIENT_SECRET="<your-azure-ad-client-secret>" # only if auth.mode: oidc
6. Preflight and deploy
definite doctor --config config.yaml
definite init --config config.yaml
init renders the bundled Helm chart and runs helm upgrade --install. Watch the rollout:
definite status --config config.yaml
definite logs api --follow
Ready and cert-manager has issued a cert, open your hostname in a browser and log in.
Known limitations on Azure
A few things are worth flagging up front; these are why this guide is labeled preliminary:
definite run load (file upload via the CLI) is documented as not supported on Azure in v1; S3, GCS, and MinIO backends are. Browser-based Drive uploads still work via the configured Storage Account.definite doctor validates Azure config shape but does not yet round-trip a real PutBlob against your storage account. Confirm the storage key has write access before deploying.- Workload Identity / Entra-bound credentials for the lakehouse are not yet wired in; the storage account key is the supported path today.
Day-2 operations
Same CLI as AWS and GCP:
definite status --config config.yaml
definite logs api --follow
definite upgrade --config config.yaml
definite license show
definite run maintenance stats
Phase 3: Teardown
az group delete --name "$RG" --yes
Support
This install path is actively being matured. For issues or questions, contact hello@definite.app or open an issue on definite-app/definite-onprem. If you’re planning an Azure install, we’d love to be in the room: design-partner support is free.
