the_order/docs/deployment/azure/cdn-configuration.md
defiQUG 6a8582e54d feat: comprehensive project structure improvements and Cloud for Sovereignty landing zone
- Add Cloud for Sovereignty landing zone architecture and deployment
- Implement complete legal document management system
- Reorganize documentation with improved navigation
- Add infrastructure improvements (Dockerfiles, K8s, monitoring)
- Add operational improvements (graceful shutdown, rate limiting, caching)
- Create comprehensive project structure documentation
- Add Azure deployment automation scripts
- Improve repository navigation and organization
2025-11-13 09:32:55 -08:00


# CDN Configuration for Credential Seals
## Current Status
**CDN Provider**: Not yet configured (placeholder URLs in use)
**Default URL Pattern**: `https://cdn.theorder.org/images/`
**Status**: Ready for CDN configuration
## Available CDN Options
Based on the infrastructure setup, the following CDN options are available:
### 1. Azure Blob Storage + CDN (Recommended for Azure Infrastructure)
**Why**: The infrastructure is primarily Azure-based (Azure Storage, AKS, Key Vault)
**Configuration**:
```bash
# Azure Blob Storage with CDN
CDN_BASE_URL=https://<storage-account>.blob.core.windows.net/images/
# Or with Azure CDN
CDN_BASE_URL=https://<cdn-endpoint>.azureedge.net/images/
```
**Upload Script** (Azure):
```bash
# Using Azure CLI
az storage blob upload \
  --file "${png_file}" \
  --container-name images \
  --name "${png_file}" \
  --content-type image/png \
  --account-name <storage-account> \
  --auth-mode login
# Set public access. Azure sets anonymous access on the container, not on
# individual blobs; "blob" allows reading a blob by URL but not listing them.
az storage container set-permission \
  --name images \
  --public-access blob \
  --account-name <storage-account>
```
### 2. AWS S3 + CloudFront (If using AWS)
**Why**: The storage package supports S3 (`@aws-sdk/client-s3`)
**Configuration**:
```bash
CDN_BASE_URL=https://<bucket>.s3.<region>.amazonaws.com/images/
# Or with CloudFront
CDN_BASE_URL=https://<cloudfront-id>.cloudfront.net/images/
```
**Upload Script** (AWS):
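```bash
# Using AWS CLI
# --acl public-read only takes effect if the bucket has ACLs enabled and
# Block Public Access does not block public ACLs.
aws s3 cp "${png_file}" \
  "s3://<bucket>/images/${png_file}" \
  --acl public-read \
  --content-type image/png
```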
### 3. Cloudflare R2 (Modern Alternative)
**Why**: Cost-effective, S3-compatible API
**Configuration**:
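```bash
# Note: *.r2.cloudflarestorage.com is the authenticated S3 API endpoint;
# anonymous image loads need the bucket's public URL or a custom domain.
CDN_BASE_URL=https://<account-id>.r2.cloudflarestorage.com/images/
# Or with Cloudflare CDN
CDN_BASE_URL=https://<custom-domain>/images/
```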
**Upload Script** (Cloudflare R2):
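```bash
# Using rclone (assumes a remote named "r2" is already configured)
# Keys passed as flags are visible in the process list and shell history;
# rclone also reads them from RCLONE_S3_ACCESS_KEY_ID and
# RCLONE_S3_SECRET_ACCESS_KEY, or from the remote's own config.
rclone copy "${png_file}" \
  r2:images/ \
  --s3-provider Cloudflare \
  --s3-access-key-id <key> \
  --s3-secret-access-key <secret>
```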
### 4. GitHub Pages / Static Hosting
**Why**: Simple, free for public repos
**Configuration**:
```bash
CDN_BASE_URL=https://theorder.github.io/assets/images/
```
### 5. Custom Domain CDN
**Why**: Full control, custom branding
**Configuration**:
```bash
CDN_BASE_URL=https://cdn.theorder.org/images/
```
## Recommended Configuration
### For Azure Infrastructure (Current Setup)
**Recommended**: Azure Blob Storage + Azure CDN
1. **Create Storage Account**:
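```bash
# --allow-blob-public-access is needed for the container's
# --public-access blob setting (step 2) when the account would otherwise
# disallow anonymous access.
az storage account create \
  --name theordercdn \
  --resource-group <rg> \
  --location westeurope \
  --sku Standard_LRS \
  --kind StorageV2 \
  --allow-blob-public-access true
```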
2. **Create Container**:
```bash
az storage container create \
--name images \
--account-name theordercdn \
--public-access blob
```
3. **Create CDN Profile** (Optional):
```bash
az cdn profile create \
--name theorder-cdn \
--resource-group <rg> \
--sku Standard_Microsoft
```
4. **Set CDN Base URL**:
```bash
export CDN_BASE_URL=https://theordercdn.blob.core.windows.net/images/
# Or with CDN
export CDN_BASE_URL=https://<cdn-endpoint>.azureedge.net/images/
```
## Current Configuration
### Default URLs (Placeholder)
All manifest templates currently use:
```
https://cdn.theorder.org/images/
```
### Files Using CDN URLs
- `manifests/entra/default-manifest-template.json`
- `manifests/entra/financial-manifest-template.json`
- `manifests/entra/judicial-manifest-template.json`
- `manifests/entra/diplomatic-manifest-template.json`
### Update Script
To update all manifest templates with your CDN URL:
```bash
CDN_BASE_URL=https://your-cdn.com/images \
./scripts/deploy/update-manifest-seal-urls.sh
```
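A check to run after the update script, added here as an example and not part of the repository's scripts: it flags any seal URL in the templates that is not HTTPS or does not sit under the configured CDN base. The function names, the assumption that seal URLs are quoted JSON strings ending in `.png`, and the sample template contents are all constructed for illustration.

```bash
# Added example. Assumption: seal URLs appear in the templates as quoted
# JSON strings ending in .png; the sample templates below are constructed.

# Print each distinct quoted http(s) URL ending in .png in the given files.
extract_png_urls() {
  grep -Eoh '"https?://[^"]+\.png"' "$@" | tr -d '"' | sort -u
}

# $1 = CDN base URL, rest = manifest files.
# Prints one line per finding; returns 0 if clean, 1 on findings, 2 on bad base.
check_manifest_urls() {
  base="${1%/}/"; shift   # trailing slash keeps sibling paths (images-x/) from matching
  case "$base" in
    https://*) ;;
    *) echo "BASE-NOT-HTTPS $base"; return 2 ;;
  esac
  urls=$(extract_png_urls "$@")
  bad=0
  while IFS= read -r url; do
    [ -n "$url" ] || continue
    case "$url" in
      "$base"*) ;;                             # HTTPS and under the CDN base
      http://*) echo "INSECURE $url"; bad=1 ;; # plain HTTP
      *)        echo "FOREIGN $url"; bad=1 ;;  # HTTPS, but another host or path
    esac
  done <<EOF
$urls
EOF
  return "$bad"
}

# Constructed sample templates (not the repository's files).
sample_dir=$(mktemp -d)
cat > "$sample_dir/good.json" <<'EOF'
{"logo": {"uri": "https://cdn.theorder.org/images/seal-a.png"}}
EOF
cat > "$sample_dir/bad.json" <<'EOF'
{"logo": {"uri": "http://cdn.theorder.org/images/seal-b.png"},
 "bg":   {"uri": "https://cdn.theorder.org.example.net/images/seal-c.png"}}
EOF

check_manifest_urls "https://cdn.theorder.org/images" "$sample_dir"/*.json \
  || echo "manifest URL check failed"
```

Against the real templates, pass `"$CDN_BASE_URL" manifests/entra/*.json` and fail the deployment on a non-zero exit.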
## Upload Script Template
The upload script template is located at:
```
assets/credential-images/png/upload-to-cdn.sh
```
**Current Status**: Template (needs customization)
**To Customize**:
1. Edit `assets/credential-images/png/upload-to-cdn.sh`
2. Add your CDN provider's upload commands
3. Set credentials/environment variables
4. Run the script
## Next Steps
1. **Choose CDN Provider**
- Azure Blob Storage + CDN (recommended for Azure infrastructure)
- AWS S3 + CloudFront (if using AWS)
- Cloudflare R2 (cost-effective alternative)
- Custom domain CDN
2. **Configure CDN**
- Create storage account/container
- Set up CDN endpoint (optional)
- Configure public access
- Set CORS headers (if needed)
3. **Upload Files**
- Customize `upload-to-cdn.sh`
- Upload all PNG files
- Verify HTTPS and public access
4. **Update Configuration**
- Set `CDN_BASE_URL` environment variable
- Run `update-manifest-seal-urls.sh`
- Update manifest templates
5. **Test**
- Verify URLs are accessible
- Test image loading
- Test credential issuance
## Environment Variables
Set these for CDN configuration:
```bash
# CDN Base URL
export CDN_BASE_URL=https://your-cdn.com/images
# Azure (if using)
export AZURE_STORAGE_ACCOUNT=theordercdn
export AZURE_STORAGE_KEY=<key>
export AZURE_STORAGE_CONTAINER=images
# AWS (if using)
export AWS_S3_BUCKET=theorder-images
export AWS_REGION=eu-west-1
# Cloudflare R2 (if using)
export R2_ACCOUNT_ID=<id>
export R2_ACCESS_KEY_ID=<key>
export R2_SECRET_ACCESS_KEY=<secret>
```
## Security Considerations
1. **HTTPS Required**: All CDN URLs must use HTTPS
2. **Public Access**: Images must be publicly accessible
3. **CORS**: Configure CORS if needed for cross-origin requests
4. **Content-Type**: Ensure correct `image/png` content type
5. **Cache Headers**: Set appropriate cache headers
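The content-type and cache items above can be checked against what the CDN actually serves. The following is an added example, not part of the repository: it reads one response header block, as printed by `curl -sSI`, and reports findings. The function names and sample headers are constructed, and treating a `Cache-Control` without `max-age` as a finding is this example's assumption.

```bash
# Added example. Checks one HTTP response header block read from stdin.
# Real use (URL is whatever seal file you uploaded):
#   curl -sSI --proto '=https' "${CDN_BASE_URL%/}/<file>.png" | check_seal_headers

# Print the lower-cased value of header $1 (lower-case name) found in $hdrs.
header_value() {
  printf '%s\n' "$hdrs" | awk -v n="$1" '{
    i = index($0, ":")
    if (i && tolower(substr($0, 1, i - 1)) == n) {
      v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print tolower(v); exit
    }
  }'
}

# Print one line per finding; return 0 only if there were none.
check_seal_headers() {
  hdrs=$(tr -d '\r')   # curl prints CRLF line endings
  findings=0
  status=$(printf '%s\n' "$hdrs" |
    sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
  if [ "$status" != 200 ]; then   # redirects and 403/404 are findings too
    echo "status: expected 200, got ${status:-none}"; findings=1
  fi
  case "$(header_value content-type)" in
    image/png|"image/png;"*) ;;
    *) echo "content-type: not image/png"; findings=1 ;;
  esac
  case "$(header_value cache-control)" in
    *max-age=*) ;;   # assumption: a max-age directive is expected
    *) echo "cache-control: missing or without max-age"; findings=1 ;;
  esac
  return "$findings"
}

# Constructed sample responses.
GOOD_HEADERS='HTTP/1.1 200 OK
Content-Type: image/png
Cache-Control: public, max-age=86400'
BAD_HEADERS='HTTP/1.1 200 OK
Content-Type: application/octet-stream'

printf '%s\n' "$BAD_HEADERS" | check_seal_headers || echo "seal headers need fixing"
```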
## References
- [Azure Blob Storage](https://docs.microsoft.com/en-us/azure/storage/blobs/)
- [Azure CDN](https://docs.microsoft.com/en-us/azure/cdn/)
- [AWS S3](https://docs.aws.amazon.com/s3/)
- [Cloudflare R2](https://developers.cloudflare.com/r2/)
---
**Last Updated**: [Current Date]
**Status**: Ready for CDN configuration