
Private Cloud Installation (Azure)

This guide walks you through installing Pangea’s Private Cloud services, allowing you to run Pangea security solutions within your own cloud environment. The installation process includes pulling container images from Pangea’s registry, setting up required dependencies like PostgreSQL, and verifying that the deployment is operational.

Prerequisites

The minimum requirements for running Pangea's Private Cloud are:

  • A Kubernetes cluster, with kubectl and Helm installed on the machine you deploy from
  • Azure credentials in your environment variables
  • A license key or credentials (a clientId and clientSecret) for the Pangea registry
  • A PostgreSQL database
  • An ingress configuration

If you want to run Audit, you need one additional configuration.

  • An S3 bucket

Overview of the Installation Process

Here's what you'll be doing:

  1. Setting up a namespace and configuring authentication
  2. Pulling and verifying required container images
  3. Deploying the Helm chart for Pangea services
  4. Configuring and deploying PostgreSQL
  5. Deploying the PangeaCluster resource
  6. Configuring the ServiceConfig for specific Pangea services
  7. Verifying the deployment with a test API request

Prepare an Azure cluster

You can skip to Set up a namespace if you have already prepared an Azure Kubernetes Service (AKS) cluster for use with Private Cloud.

Make sure the email address you will use to authenticate is added as a user on the subscription when you set up your project in Azure.

  1. Make sure Azure Kubernetes Service is enabled for your subscription in the Azure portal.
  2. Download and install the Azure CLI.
  3. Then install any required plugins.
  4. Set up a service principal in Azure and create a new key if none exists.
  5. Download the key for the service principal.

For more information on setting up an Azure cloud account, refer to Microsoft's documentation.

Set up a namespace

To isolate your Pangea Private Cloud deployment, create a dedicated namespace and configure your context:

kubectl create namespace <namespace>
kubectl config set-context --current --namespace=<namespace>

Authenticate with the Pangea Docker registry

Pangea's private cloud images are hosted in a private Docker registry. Customers need access credentials to pull these images.

How to get access

  • Customers should receive registry credentials from Pangea. If you don’t have them, contact your Pangea representative.
  • Credentials are typically provided as a JSON file containing a clientId and clientSecret.
  • The credentials should be named registry_reader.json and stored in the top level folder for your project. The file contains a secret, so keep it out of version control and restrict its file permissions.

In that folder, log in with the following command. The secret is passed on standard input rather than with -p so that it does not end up in your shell history or in the process list:

jq -r .clientSecret registry_reader.json | docker login \
-u "$(jq -r .clientId registry_reader.json)" \
--password-stdin \
registry.pangea.cloud

Creating a Kubernetes secret for image pulls

Once you have your credentials, create a Kubernetes secret in your namespace:

kubectl create secret docker-registry pangea-registry \
--docker-server="registry.pangea.cloud" \
--docker-username="$(cat registry_reader.json | jq -r .clientId)" \
--docker-password="$(cat registry_reader.json | jq -r .clientSecret)" \
-n <namespace>

This secret will be referenced later in the deployment configuration as the image pull secret. It holds the registry credentials base64-encoded, not encrypted, so limit who can read Secrets in the namespace.

Install the Helm chart

Pangea services are deployed using Helm. First create the private-cloud-operator namespace:

kubectl create namespace private-cloud-operator

Next, add the same registry secret to that namespace:

kubectl create secret docker-registry pangea-registry \
--docker-server="registry.pangea.cloud" \
--docker-username="$(cat registry_reader.json | jq -r .clientId)" \
--docker-password="$(cat registry_reader.json | jq -r .clientSecret)" \
-n private-cloud-operator

Then, install the chart to your private-cloud-operator namespace:

helm install -n private-cloud-operator private-cloud-operator oci://registry.pangea.cloud/private-cloud-charts \
--set "image.imagePullSecrets[0].name=pangea-registry"

Helm pulls the chart from the same private OCI registry, so it needs registry credentials of its own. If the pull is rejected, log Helm in with helm registry login registry.pangea.cloud using the same clientId and clientSecret.

Then check that the operator deployment is running in its own namespace:

kubectl get all --namespace private-cloud-operator

Once the PangeaCluster resource has been deployed (see Deploy the PangeaCluster resource below), you can forward a local port to the console service to view the deployment under a single hostname:

kubectl port-forward services/pangea-cluster-console 8000:http -n <namespace>

Deploy PostgreSQL

Pangea services require a PostgreSQL database to store service-related data. Below is an example of a PostgreSQL deployment using the Zalando Postgres Operator, which must already be installed in the cluster before this manifest can be applied. It creates a single 1Gi instance, suitable for evaluation rather than production, with one database per service, all owned by pangea_user.

apiVersion: "acid.zalan.do/v1"
kind: postgresql
metadata:
  name: postgres
spec:
  teamId: "acid"
  volume:
    size: 1Gi
  numberOfInstances: 1
  users:
    pangea_user:  # Database owner
      - superuser
      - createdb
  databases:
    authn: pangea_user  # dbname: owner
    authz: pangea_user
    embargo: pangea_user
    intelligence: pangea_user
    puc_service: pangea_user
  postgresql:
    version: "16"

Apply the database configuration:

kubectl apply -f <postgres-database-file-name>.yaml

Why this is necessary

  • Stores user and service data: The database manages authentication, authorization, embargo policies, and other service-related data.
  • Enables reliable service execution: Without a database, Pangea services cannot function correctly.

Deploy the PangeaCluster resource

You also need to set up a PangeaCluster YAML file similar to the configuration below. The values shown come from a demo environment; adjust them to match what you deployed:

  • database.host must resolve to the PostgreSQL service in the namespace you deployed it to, i.e. <postgres-name>.<namespace>.svc.cluster.local.
  • The usernameSecretRef and passwordSecretRef names must match the credentials Secret that the Postgres operator created for the database owner; list the candidates with kubectl get secrets -n <namespace>.
  • ui.externalIngress.baseHost must be the hostname your ingress serves for the console.

apiVersion: pangea-cluster.pangea.cloud/v1beta1
kind: PangeaCluster
metadata:
  name: pangea-cluster
spec:
  version: 0.8.1
  imagePullSecrets:
    - name: pangea-registry
  common:
    image:
      registry: "registry.pangea.cloud"
      tag: ""
    database:
      host: "postgres.pangea-controller-private-cloud.svc.cluster.local"
      port: 5432
      name: msf
      auth:
        usernameSecretRef:
          name: bronson.postgres.credentials.postgresql.acid.zalan.do
          key: username
        passwordSecretRef:
          name: bronson.postgres.credentials.postgresql.acid.zalan.do
          key: password
  ui:
    externalIngress:
      baseHost: <pangea-user>.pc-demo.aws.pangea.cloud
  services:
    embargo:
      enabled: true

And then apply the cluster, replacing the name with the name of your cluster.

kubectl apply -f <pangea-cluster-name>.yaml

Verify that the PangeaCluster is running:

kubectl get pods -n <namespace>

You should see a list of all pods running in that namespace, their status, and their age:

NAME                                          READY   STATUS    RESTARTS   AGE
pangea-cluster-authn-64686dcd44-nxm9t         1/1     Running   0          32h
pangea-cluster-console-979b7f96b-rk5m5        1/1     Running   0          32h
pangea-cluster-embargo-5cb99c8dc-zzzh9        1/1     Running   0          32h
pangea-cluster-gateway-bb8f799bc-gdh2q        1/1     Running   0          32h
pangea-cluster-puc-service-7bd5f44b7f-x2g8l   1/1     Running   0          32h
postgres-0                                    1/1     Running   0          43h

Verify deployment

To confirm that the installation was successful, forward a local port to the embargo service. If the console port-forward from earlier is still using local port 8000, stop it or choose another local port:

kubectl port-forward service/embargo-service 8000:80 -n <namespace>

Then, run a test API request:

curl -X POST 'http://localhost:8000/v1/ip/check' \
-H 'Authorization: Bearer <your-api-token>' \
-H 'Host: embargo.pangea.cloud' \
-H 'Content-Type: application/json' \
-d '{"ip": "200.0.16.24"}'

Troubleshooting

Check the status of all deployments and services:

kubectl get deployments,pods,jobs --namespace <namespace>

This gives a readout of all of the workloads currently running, along with important information about each, such as readiness, whether it is up to date and available, and how many times it has restarted.

  • Pods stuck in "Pending": the pod has not been scheduled. Run kubectl describe pod <pod> -n <namespace> and read the Events section (typically insufficient CPU or memory, or an unbound PersistentVolumeClaim), and ensure PostgreSQL is running properly.
  • "Unauthorized" API response: verify you are using the correct API token.
  • Image pull failures: ensure your Docker registry secret exists in the namespace and is referenced in imagePullSecrets.

You can also look at the health of your deployment by running the support tool command.

Without security (this pipes whatever the server returns straight into your shell, so use it only in a throwaway environment):

curl -sS https://registry.pangea.cloud/help.sh | sh

With hash verification for security, download the script to a file, check its digest against the value Pangea provides, and only then run it:

curl -sS https://registry.pangea.cloud/help.sh > help.sh
chmod 755 help.sh
sha256sum help.sh   # compare the output to the digest provided by Pangea before continuing
./help.sh

This command displays the operators and their state. It also lists all clusters and additional useful information, such as databases, statuses, and services.
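The download-verify-run sequence above, written as reusable shell functions. This is an added example, not Pangea's own tooling: the URL is the one from this page, the digest is a placeholder you must replace with the value Pangea gives you out of band, and the script is never piped into a shell; it is saved to a temporary file, its SHA-256 is compared with the pinned value, and it runs only on a match.

```shell
#!/bin/sh
# Added example: run a downloaded support script only after pinning its SHA-256.
# Assumptions (not from the page): EXPECTED_SHA256 is a placeholder to be replaced
# with the digest Pangea supplies; sha256sum (or shasum on macOS) is available.

SUPPORT_URL="https://registry.pangea.cloud/help.sh"
EXPECTED_SHA256="<digest supplied by Pangea>"   # placeholder, not a real digest

# sha256_of FILE -> prints the lowercase hex SHA-256 of FILE
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sum=$(sha256sum "$1")
  else
    sum=$(shasum -a 256 "$1")          # macOS fallback
  fi
  printf '%s\n' "${sum%% *}" | tr 'A-F' 'a-f'
}

# verify_sha256 FILE EXPECTED -> 0 when the digest matches (case-insensitive), 1 otherwise
verify_sha256() {
  actual=$(sha256_of "$1")
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# run_verified FILE EXPECTED -> runs FILE only if verify_sha256 passes.
# Returns 2 on a mismatch so it cannot be confused with the script's own exit code.
run_verified() {
  if verify_sha256 "$1" "$2"; then
    sh "$1"
  else
    echo "refusing to run $1: SHA-256 mismatch" >&2
    return 2
  fi
}

# fetch_and_run -> download to a temp file, verify against the pinned digest,
# run, and clean up. Never use "curl | sh": the digest check needs the bytes on disk.
fetch_and_run() {
  tmp=$(mktemp) || return 1
  if curl -fsSL "$SUPPORT_URL" -o "$tmp"; then
    run_verified "$tmp" "$EXPECTED_SHA256"
    rc=$?
  else
    echo "download of $SUPPORT_URL failed" >&2
    rc=1
  fi
  rm -f "$tmp"
  return $rc
}
```

Source the file and call fetch_and_run after setting EXPECTED_SHA256; with the placeholder left in place it refuses to run, which is the intended failure mode. Comparing digests in the shell rather than by eye also removes the step where an operator glances at two 64-character strings and assumes they match.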

Add additional Pangea services

You can easily add additional Pangea services to your Private Cloud deployment by editing the Pangea Cluster yaml file. Open your file in your text editor of choice.

Inside spec:services, add the following text.

<service-name>:
enabled: true

Then apply the file in the command line:

kubectl apply -f <pangea-cluster-name>.yaml

Alternatively, you can open it and save it all in one step on the console with the following command:

kubectl edit -n <namespace> pangeacluster

If you have more than one Pangea Cluster, you will also need to append the resource name after pangeacluster to identify the correct one.

kubectl edit -n <namespace> pangeacluster/<name>

Special Pangea service configurations

For AI Guard, Prompt Guard, and Redact, additional fields are required because these services have higher minimum CPU and memory requirements than the others. Add the entries below under spec:services in your Pangea Cluster YAML to get them running, and make sure your node pool can satisfy the requests, or the pods will stay Pending.

For AI Guard:

ai-guard:
  enabled: true
  resources:
    limits:
      cpu: 750m
      memory: 7Gi
    requests:
      cpu: 250m
      memory: 5Gi
  startupProbe:
    initialDelaySeconds: 1
    failureThreshold: 30
    periodSeconds: 20
    successThreshold: 1
    timeoutSeconds: 1

For Prompt Guard:

prompt-guard:
  enabled: true
  resources:
    limits:
      cpu: 1000m
      memory: 7Gi
    requests:
      cpu: 1000m
      memory: 5Gi
  startupProbe:
    initialDelaySeconds: 1
    failureThreshold: 30
    periodSeconds: 20
    successThreshold: 1
    timeoutSeconds: 1

For Redact:

redact:
  enabled: true
  resources:
    limits:
      cpu: 1000m
      memory: 6Gi
    requests:
      cpu: 1000m
      memory: 3Gi
  startupProbe:
    initialDelaySeconds: 1
    failureThreshold: 30
    periodSeconds: 20
    successThreshold: 1
    timeoutSeconds: 1

Once you have these special configurations set up in your yaml file, you need to apply them for the configuration to take effect.

kubectl apply -f <pangea-cluster-name>.yaml

This will then enable the services that you configured. You can then verify that all services are healthy by running the curl support script in Troubleshooting or by running the following command.

kubectl get pods -n <namespace>

Uninstall Private Cloud

You can use the following commands to roll back a Private Cloud deployment if you need to restart the process. Run them in this order: the operator must still be running when the PangeaCluster is deleted so that it can clean up the resources it manages.

First, delete any service configurations that you created. Do this for each service, replacing the bracketed information with your data.

kubectl delete ServiceConfig <service>-config -n <namespace>

Next, delete the Pangea Cluster that you created:

kubectl delete PangeaCluster pangea-cluster -n <namespace>

After that is complete, use Helm to uninstall the private cloud operator:

helm uninstall -n private-cloud-operator private-cloud-operator

Once Helm completes its uninstall process, delete the namespace to finish the uninstallation. This also removes everything else in the namespace, including the PostgreSQL cluster and its data; the private-cloud-operator namespace created earlier can be deleted the same way.

kubectl delete namespace <namespace>
