Install on Azure
Admin guide
Greenlight installs into an Azure subscription you own. A single Bicep deployment provisions the AKS cluster, the control-plane services, the data broker, Key Vault, PostgreSQL, and the identity bindings needed for SSO. End-to-end deploy time is typically 8–12 minutes for a standard install.
This page walks through the Azure install. AWS and GCP are planned provider targets behind Greenlight’s cloud provider interface.
What you need before you start
- An Azure subscription where you have Owner at the subscription scope (needed to create role assignments).
- An Azure tenant connected to the identity provider you intend to use for Greenlight SSO.
- A domain you can point a CNAME at — Greenlight uses one customer-controlled subdomain (e.g. greenlight.contoso.com).
- A GitHub organization to install the Greenlight GitHub App into (or your equivalent SCM — GitLab and Bitbucket support comes later).
Sizing defaults
The default sizing supports up to ~100 simultaneous apps and ~500 users at modest load. The Bicep template’s parameter file is the place to scale up for a larger initial footprint.
| Resource | Default |
|---|---|
| AKS system node pool | 2 × Standard_D2ds_v4 |
| AKS app node pool | 1 × Standard_D2ds_v4, autoscale enabled |
| Postgres (control plane) | Flexible Server, B2ms |
| Postgres (app databases) | Flexible Server, B2ms |
| Key Vault | Standard SKU |
| Log Analytics workspace | Pay-as-you-go |
These defaults are intentionally small. Greenlight scales horizontally; the install template is the floor, not the ceiling.
Install
- Provision the resource group. In the target subscription, create a resource group in your chosen region. Greenlight expects to be the only platform in this group.
- Run the Bicep template. Run `az deployment group create` against the Greenlight template with your parameter file. The template provisions AKS, the control-plane services, Key Vault, the Postgres flexible servers, storage, container registry, DNS, and managed identities.
- Verify the cluster is healthy. The template’s last step writes a “Greenlight installed” event to the Log Analytics workspace. Confirm the event is present before continuing.
- Point the domain at the ingress. Create a CNAME from your chosen subdomain to the ingress controller’s external hostname. The template prints the hostname at the end of the deployment.
- Open the dashboard. Visit `https://<your-subdomain>` and sign in with an account that has Owner on the subscription. You will be guided through SSO and the initial admin grant in the first-run wizard.
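The Owner prerequisite and the first two install steps as a script. This is an added example, not Greenlight’s own installer: it assumes a logged-in Azure CLI, and `main.bicep`, `greenlight.parameters.json`, the resource group name and the deployment name are placeholders you replace with your own.

```shell
#!/usr/bin/env bash
# Added example (not Greenlight's installer): check for Owner at subscription scope,
# then provision the resource group and run the Bicep deployment.
# Assumes: Azure CLI logged in; SUBSCRIPTION_ID and LOCATION set by the operator;
# main.bicep and greenlight.parameters.json are placeholder file names.
set -euo pipefail

# has_subscription_owner SUB_ID ASSIGNMENTS
# ASSIGNMENTS is the tab-separated output of
#   az role assignment list --assignee <principal> --scope /subscriptions/<id> \
#      --query "[].[roleDefinitionName,scope]" -o tsv
# Returns 0 only if an Owner assignment exists at exactly the subscription scope.
# Owner on a resource group is not enough: the template creates role assignments.
has_subscription_owner() {
  local sub_id="$1" assignments="$2"
  printf '%s\n' "$assignments" | awk -F'\t' -v scope="/subscriptions/${sub_id}" \
    '$1 == "Owner" && $2 == scope { found = 1 } END { exit found ? 0 : 1 }'
}

preflight() {
  local sub_id="$1" me assignments
  az account set --subscription "$sub_id"
  me=$(az ad signed-in-user show --query id -o tsv)
  assignments=$(az role assignment list --assignee "$me" \
    --scope "/subscriptions/${sub_id}" --query "[].[roleDefinitionName,scope]" -o tsv)
  if ! has_subscription_owner "$sub_id" "$assignments"; then
    echo "refusing to deploy: no Owner assignment at /subscriptions/${sub_id}" >&2
    return 1
  fi
}

install_greenlight() {
  local sub_id="$1" location="$2" rg="${3:-rg-greenlight}"
  preflight "$sub_id"
  # Provision the resource group: Greenlight expects to be the only platform in it.
  az group create --name "$rg" --location "$location" --output none
  # Run the Bicep template: one deployment provisions the whole platform.
  az deployment group create --resource-group "$rg" --name greenlight \
    --template-file main.bicep --parameters @greenlight.parameters.json --output none
  # The deployment outputs include the ingress hostname needed for the CNAME step.
  az deployment group show --resource-group "$rg" --name greenlight \
    --query properties.outputs --output json
}

# Usage: install_greenlight "$SUBSCRIPTION_ID" "$LOCATION"
```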
First-run wizard
The dashboard’s first-run wizard captures four things:
- The OIDC IdP endpoint and the group-to-role mapping for `org_owner`.
- The GitHub organization the Greenlight GitHub App should be installed into.
- The first policy bundle — Greenlight ships sensible defaults you can accept or edit.
- The first integration — usually GitHub itself, so apps can write to repos under your org.
The wizard does not need to be completed in one sitting. Each step is independent, audited, and reversible.
Post-install verification
The dashboard’s “Installation health” page checks the seven things that need to be true for a working install:
- SSO sign-in resolves to a real IdP user.
- OIDC sign-in includes the claims Greenlight needs for group-to-role mapping.
- The GitHub App is installed and has access to at least one repository.
- At least one integration is registered and has a valid credential.
- The policy bundle is non-empty.
- The audit log has at least one event.
- A test app can be registered and pass the policy check.
Once all seven are green, the install is complete. Re-run anytime — it’s idempotent.
Upgrades
Greenlight upgrades through a customer-owned updater that lives inside the same subscription. The flow and rollback story are documented in Upgrades.