Single container Budibase and using Minio in Azure PaaS

[PekkaJalonen]

Hi, I have deployed Budibase to Azure and wanted to share some insights so far.

I started testing with Azure App Service (Docker) for single image Budibase, but due to technical limitations in how App Service uses Azure File Storage mount, the Minio deployment does not work as it fails due file access errors. I was able to configure older Minio gateway with Azure storage, but I did not want to continue with old Minio version and on top of that, I found out that Budibase does not require authentication to attachments.
To ensure attachment authentication, I wanted to use App Service build-in easy-auth functionality which is middleware container authorizing all requests before they reach my Budibase instance. This configuration in App Service uses IP scope 169.254.x.y which is usually private host networking, and for some reason some budibase components fails to bind ports when easy-auth is enabled. This was a deal breaker for me. So I ditched the whole App Service idea and moved towards Azure Container Apps which is a little bit more expensive, but more flexible around the configuration.

Azure Container Apps (ACA) supports also both easy-auth and azure file storage mounts. Both works as expected. Also ACA support direct console access to container without requiring the SSH access which the App Service required. Downsize with ACA compared to App Service was that it does not allow as simple custom domain integration. It allows you so set custom domain, but requires you to bring your own TLS certificate for ingress (compared to App Service, it allows custom domain but also generates valid managed TSL certificate). ACA also limits the inbound traffic to port 443 and requires the TLS, so you cannot allow traffic to both 80 and 443 and configure the Budibase bundled let's encrypt. These two limitations required few customizations:

1. first generating let's encrypt TLS using ACME-bot or similar (I created custom pipeline following ideas from https://medium.com/@brentrobinson5/automating-certificate-management-with-azure-and-lets-encrypt-fee6729e2b78 and generated TLS certificates to Azure Key Vault and additional pipeline to set custom domain and TLS to ACA). So, now I have Budibase running in ACA using my own domain and mounting Azure File Storage for Minio.
2. second is the limitation of port 443 which means that you are limited to single port and route all traffic through the nginx. This also made it impossible to access Minio console which listens on different port than the Minio API. To solve this, I mounted /etc/nginx/sites-enabled to file storage share and used a custom nginx configuration to allow Minio console access based on subpath through nginx. Setting required adding MINIO_BROWSER=on and MINIO_BROWSER_REDIRECT_URL=https://myurl/minio. And the adding following configuration to nginx default file:

    location /minio {
        rewrite   ^/minio/(.*) /$1 break;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-NginX-Proxy true;

        # This is necessary to pass the correct IP to be hashed
        real_ip_header X-Real-IP;

        proxy_connect_timeout 300;

        # To support websocket
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        
        chunked_transfer_encoding off;

        proxy_pass http://localhost:9001;
    }

So that's it, wanted to share as I have done a huge amount testing and playing around with Azure and figured that I was looking this type of info and now, I'm sharing to others what works and what does not.

[jonnymccullagh]

Thanks @PekkaJalonen for posting info that will be helpful to other people. The limitations of Azure are frustrating as I have personally found with AAS. I'll try to make some time to play with ACA and your customizations.