This is the streamlined setup guide for getting Confident AI running on Azure. It covers cloning the repository, configuring variables, provisioning infrastructure with Terraform, and deploying workloads via ArgoCD.
If you want detailed explanations of each step, see the step-by-step guide instead. This page assumes you already have the required tools installed and Azure credentials configured — see Requirements and Prerequisites for details.
All cloud resources are defined in .tf (Terraform) files in the azure directory:
AKS/database/public/private-endpoint subnets with NAT Gateway, NSG, and Private DNS Zone.
Managed Kubernetes with autoscaling node pools and Workload Identity.
Secure jump host for accessing private resources inside the VNet.
Managed database in a delegated subnet with automated backups and encryption.
Automated TLS certificate management for HTTPS termination via NGINX Ingress.
Private Storage Account with private endpoint for application data.
ECR cross-account credentials are used only to sync image pull secrets into the AKS cluster: they provide cross-cloud image pull credentials and are not for hosting your own images.
Copy an environment template and save it as terraform.tfvars:
Open terraform.tfvars and set the following variables:
ACI code executor image: First pull the image from 128045499490.dkr.ecr.us-east-1.amazonaws.com/confident-code-sandbox-aci:<tag>, push it to your own Azure Container Registry, then use its URI in code_executor_aci_image_uri. Azure Container Instances requires the image to be in your subscription’s private ACR.
For detailed explanations of each variable, see the Configuration page.
Approve when prompted. This takes 15-25 minutes and provisions the VNet, AKS cluster, PostgreSQL Flexible Server, Storage Account, Key Vault, managed identities, and Helm releases.
External Secrets syncs credentials from Azure Key Vault into Kubernetes.
Edit app/base/common/external-secrets/external-secrets.yaml and update the key field for each secret block. Set it based on your confident_environment variable:
confidentai-stage-confident-secret
confidentai-prod-confident-secret
Then in app/base/common/secret-store/secret-store.yaml, update the vaultUrl: field to match your Key Vault URI (from terraform output key_vault_uri).
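Both edits are manual, so a key left pointing at the other environment or a stale vaultUrl only shows up when the sync fails or pulls the wrong secret. The following check is an added example, not part of the Confident AI repository; the function names are hypothetical, and it assumes each value sits on a single `key:` or `vaultUrl:` line.

```shell
#!/usr/bin/env bash
# Added example: consistency check for the two manual manifest edits.
# Assumption: values sit on single "key: <name>" / "vaultUrl: <uri>" lines.

# expected_secret_key ENV: print the Key Vault secret name for ENV.
# Only the two names listed in this guide (stage, prod) are accepted.
expected_secret_key() {
  case "$1" in
    stage|prod) printf 'confidentai-%s-confident-secret\n' "$1" ;;
    *) echo "unknown confident_environment: $1" >&2; return 2 ;;
  esac
}

# yaml_values FIELD FILE: print the value of every "FIELD:" line, without
# quotes or trailing comments. "secretKey:" does not match FIELD=key.
yaml_values() {
  sed -n -E "s/^[[:space:]-]*$1:[[:space:]]*[\"']?([^\"'#[:space:]]+).*/\1/p" "$2"
}

# check_secret_keys ENV FILE: succeed only if FILE has key fields and every
# one of them names the secret for ENV (catches a stage key left in prod).
check_secret_keys() {
  local want keys bad
  want=$(expected_secret_key "$1") || return 2
  keys=$(yaml_values key "$2")
  [ -n "$keys" ] || { echo "$2: no key: fields found" >&2; return 1; }
  bad=$(printf '%s\n' "$keys" | grep -vxF -- "$want" || true)
  [ -z "$bad" ] || { echo "$2: keys not for '$1': $bad" >&2; return 1; }
}

# check_vault_url EXPECTED_URI FILE: succeed only if FILE has exactly one
# vaultUrl and it equals EXPECTED_URI (a trailing slash is ignored).
check_vault_url() {
  local got
  got=$(yaml_values vaultUrl "$2")
  [ -n "$got" ] && [ "${got%/}" = "${1%/}" ] ||
    { echo "$2: vaultUrl '$got' != '$1'" >&2; return 1; }
}

# Usage from the repository root, with the paths and output name from this guide:
#   check_secret_keys prod app/base/common/external-secrets/external-secrets.yaml
#   check_vault_url "$(terraform output -raw key_vault_uri)" \
#     app/base/common/secret-store/secret-store.yaml
```

Running both checks before applying app-of-apps.yaml keeps a mismatched secret reference out of the cluster.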
In app/base/network/ingress.yaml, update the annotations block with your cert-manager ClusterIssuer and ingress class:
Unlike AWS (which uses ACM), Azure deployments use cert-manager with Let’s Encrypt. Create a ClusterIssuer resource first — see TLS Certificates for the manifest. Ensure your NGINX Ingress controller is reachable from Let’s Encrypt for HTTP-01 challenges.
ArgoCD installation via Terraform is enabled in helm-charts.tf (lines 69-104). If the Terraform runner’s context window is exceeded, you’ll need to install ArgoCD manually using Helm.
To install ArgoCD manually:
A few things to keep in mind:
<true | false> based on your setup — use false if confident_public_aks is true (internet-facing), otherwise true (internal).
<your_admin_password> with the same value you provided to the argocd_admin_password Terraform variable.
Once ArgoCD is running:
terraform output
app/argocd/app-of-apps.yaml to start automated deployment of all Kubernetes workloads
ArgoCD deploys everything described in app-of-apps.yaml. You may need to approve access or confirm secrets sync depending on your cluster security settings.
To install the Datadog Agent on your AKS cluster, use the official Datadog Helm chart:
Replace <your-aks-cluster-name> with your AKS cluster name (available from terraform output or the Azure portal). Use your actual Datadog API Key and Application Key for authentication.
For further configuration (tags, proxy, extra features), see the Datadog Helm chart documentation.
Done ✅ All major components and workloads are handled via Terraform and ArgoCD (app-of-apps pattern).
You’ve completed the quickstart setup. Here’s what to do next: