Prepare DataRobot Helm chart values¶

This page describes how to prepare and customize the DataRobot Helm chart's values_dr.yaml file to define your specific installation parameters, including cluster resources, persistent storage configurations, networking details, and application-level settings.

Minimal values files¶

For platform-specific configuration examples, refer to the minimal values files located within the datarobot-prime/override Helm chart artifact directory.

tar xzf datarobot-prime-X.X.X.tgz
cd datarobot-prime/override

You can use one of the below files as reference when creating values_dr.yaml the values files:

• override/minimal_datarobot-azure_values.yaml
• override/minimal_datarobot-azure-ext-pcs_values.yaml
• override/minimal_datarobot-azure_workload_identity.yaml

Variables¶

The following variables are used throughout the installation process. You will use these variables in the .yaml templates and example commands found in the installation sections.

Kubernetes¶

DATAROBOT_NAMESPACE : The primary namespace in which DataRobot will operate.

DR_APP_HELM_RELEASE_NAME : The name of the Helm release used for the main application chart. The recommended value is dr.

AZ ACR¶

AZ_ACR_URL : An private Azure Container Registry (ACR) URL used for both retrieving images and as storage for the Image Build Service. Example: myacrnamehere.azurecr.io

AZ_ACR_REPO : A name to logically organize specific environments. Suggestions: datarobot-dev, datarobot-uat, datarobot-prod, etc.

FULL_ACR_URL : The global DataRobot platform image registry. For private ACR this should be a combination of AZ_ACR_URL and AZ_ACR_REPO. Example: myacrnamehere.azurecr.io/datarobot-dev

AZ_ACR_USERNAME : A username for ACR access.

AZ_ACR_PASSWORD : A password for ACR access.

Object storage¶

DataRobot supports four authentication methods for accessing an Azure Blob Storage container. The recommended method is Workload Identity. Refer to the Azure Blob Storage section for details on each option.

Using a storage account key¶

AZ_STORAGE_CONTAINER_NAME : The name for an Azure Storage Account container used by DataRobot for object storage.

AZ_BLOB_STORAGE_ACCOUNT_NAME : The name of the Azure Storage account.

AZ_BLOB_STORAGE_ACCOUNT_KEY : The key used to access the Azure Storage Account.

Adjust the following setting in the chart's values_dr.yaml file:

global:
  filestore:
    type: azure_blob
    environment:
      AZURE_BLOB_STORAGE_CONTAINER_NAME: <AZ_STORAGE_CONTAINER_NAME>
      AZURE_BLOB_STORAGE_ACCOUNT_NAME: <AZ_BLOB_STORAGE_ACCOUNT_NAME>
      AZURE_BLOB_STORAGE_ACCOUNT_KEY: <AZ_BLOB_STORAGE_ACCOUNT_KEY>

Using a connection string¶

AZ_STORAGE_CONTAINER_NAME : The name for an Azure Storage Account container used by DataRobot for object storage.

AZ_BLOB_STORAGE_CONNECTION_STRING : A string used to access the Azure Storage Account.

Adjust the following setting in the chart's values_dr.yaml file:

global:
  filestore:
    type: azure_blob
    environment:
      AZURE_BLOB_STORAGE_CONTAINER_NAME: <AZ_STORAGE_CONTAINER_NAME>
      AZURE_BLOB_STORAGE_CONNECTION_STRING: <AZURE_BLOB_STORAGE_CONNECTION_STRING>

Using an Azure service principal¶

AZ_STORAGE_CONTAINER_NAME : The name for an Azure Storage Account container used by DataRobot for object storage.

AZ_BLOB_STORAGE_CONNECTION_STRING : A string used to access the Azure Storage Account.

AZ_TENANT_ID : The tenant ID for the Azure account that contains the Storage Account.

AZ_CLIENT_ID : An ID for app registration, used to access the Azure Storage Account.

AZ_CLIENT_SECRET : An access secret for app registration, used to access the Azure Storage Account.

Adjust the following setting in the chart's values_dr.yaml file:

global:
  filestore:
    type: azure_blob
    environment:
      AZURE_BLOB_STORAGE_CONTAINER_NAME: AZ_STORAGE_CONTAINER_NAME
      AZURE_BLOB_STORAGE_ACCOUNT_NAME: AZ_BLOB_STORAGE_ACCOUNT_NAME
      AZURE_TENANT_ID: AZ_TENANT_ID
      AZURE_CLIENT_ID: AZ_CLIENT_ID
      AZURE_CLIENT_SECRET: AZ_CLIENT_SECRET

Workload identity for Azure¶

Using the following az commands will configure the service account. Replace placeholders with your deployment's information.

export NS="DATAROBOT_NAMESPACE"
export RESOURCE_GROUP="DESIGNATED_RESOURCE_GROUP"
export LOCATION="DESIGNATED_LOCATION"
export STORAGE_ACCOUNT_NAME="DESIGNATED_STORAGE_ACCOUNT_NAME"
export AKS_NAME="DESIGNATED_AKS_NAME"
export USER_ASSIGNED_IDENTITY_NAME="DESIGNATED_USER_ASSIGNED_IDENTITY_NAME"

Create Azure managed identity:

export SUBSCRIPTION="$(az account show --query id --output tsv)"
export AKS_OIDC_ISSUER="$(az aks show -n $AKS_NAME -g "${RESOURCE_GROUP}" --query "oidcIssuerProfile.issuerUrl" -otsv)"
az identity create --name "${USER_ASSIGNED_IDENTITY_NAME}" --resource-group "${RESOURCE_GROUP}" --location "${LOCATION}" --subscription "${SUBSCRIPTION}"
export USER_ASSIGNED_CLIENT_ID="$(az identity show --resource-group "${RESOURCE_GROUP}" --name "${USER_ASSIGNED_IDENTITY_NAME}" --query 'clientId' -otsv)"

Assign permission to the managed identity and establish federated identity trust:

az role assignment create --assignee "$USER_ASSIGNED_CLIENT_ID" \
  --role "Storage Blob Data Contributor" \
  --scope "/subscriptions/$SUBSCRIPTION/resourceGroups/$RESOURCE_GROUP/providers/Microsoft.Storage/storageAccounts/$STORAGE_ACCOUNT_NAME"
SALIST=('datarobot-storage-sa' 'dynamic-worker' 'prediction-server-sa' 'internal-api-sa' 'build-service' 'tileservergl-sa' 'nbx-notebook-revisions-account' 'buzok-account' 'exec-manager-qw' 'exec-manager-wrangling' 'lrs-job-manager' 'blob-view-service')
for sa in "${SALIST[@]}"
do
    echo "Setting trust for $NS:$sa"
    az identity federated-credential create --name "$sa" --identity-name "${USER_ASSIGNED_IDENTITY_NAME}" --resource-group "${RESOURCE_GROUP}" --issuer "${AKS_OIDC_ISSUER}" --subject "system:serviceaccount:$NS:$sa"
done

Once completed, the values_dr.yaml section should follow the minimal_datarobot-azure_workload_identity.yaml example file.

Azure Government configuration¶

AZ_STORAGE_CONTAINER_NAME : The name for an Azure Storage Account container used by DataRobot for object storage.

AZ_BLOB_STORAGE_CONNECTION_STRING : A string used to access the Azure Storage Account.

Adjust the following setting in the chart's values_dr.yaml file:

global:
  filestore:
    type: azure_blob
    environment:
      AZURE_HOST: blob.core.usgovcloudapi.net
      AZURE_BLOB_STORAGE_CONTAINER_NAME: <AZ_STORAGE_CONTAINER_NAME>
      AZURE_BLOB_STORAGE_CONNECTION_STRING: <AZURE_BLOB_STORAGE_CONNECTION_STRING>

Web portal¶

DR_WEBPAGE_FQDN : The fully qualified domain name (FQDN) of the web portal where users will log in (e.g., datarobot-app.company-name.com).

ADMIN_USER_EMAIL : The email address for the initial administrative user in the web portal (e.g., admin@datarobot.com).

ADMIN_USER_PASSWORD : The password for the initial administrative user.

DR_LICENSE_CONTENT : The encrypted content of the DataRobot license file.

Feature flags¶

The DataRobot platform utilizes feature flags as an administrative mechanism to control the availability of various functionalities and newly-released features.

Feature enablement requires assistance. Contact your DataRobot Representative or submit a request through the DataRobot Support Portal or by emailing support@datarobot.com.

core:
  config_env_vars:

Admin user on ACR for build-service¶

To allow the build-service to write images to the ACR, the admin account user needs to be enabled.

Its credentials are then used in the AZ_ACR_USERNAME and AZ_ACR_PASSWORD in the datarobot helm charts build-service values, for example:

build-service:
  buildService:
    envApp:
      secret:
        DOCKERHUB_USERNAME: AZ_ACR_USERNAME
        DOCKERHUB_PASSWORD: AZ_ACR_PASSWORD

TLS Configuration¶

DataRobot provides specific configuration options to encrypt data-in-flight for different parts of the platform. See:

• Configuring TLS for ingress for instances where TLS is terminated at the load balancer or ingress controller.
• Configuring application-level TLS for service-to-service traffic within the platform.
• Configuring TLS for object storage for S3-compatible providers.

Configure StorageClass¶

DataRobot is deployed using default StorageClass configured for your cluster. To specify a non-default StorageClass name globally for all persistent volumes requested by the main DataRobot platform chart, adjust the following setting in the chart's values_dr.yaml file:

global:
  storageClassName: DESIGNATED_STORAGE_CLASS_NAME

Persistent Critical Services (PCS)¶

This guide helps you customize the relevant PCS component for:

• MongoDB
• PostgreSQL
• RabbitMQ
• Redis
• Elasticsearch

Elasticsearch {: aks-elasticsearch }¶

When configured, the DataRobot platform chart deploys Elasticsearch services. These services require specific Linux kernel settings to function correctly; see max virtual memory areas for details.

By default, AKS nodes are configured with incompatible settings and Elasticsearch will fail to start. The chart can adjust the setting for you automatically when configured with the following values:

elasticsearch:
  sysctlImage:
    enabled: true

Review notebook configuration¶

DataRobot updates the naming for notebook chart values—this change may impact your process. For detailed instructions, see the Notebooks upgrade guide.

Generative AI service¶

When you install the generative AI (GenAI) service in a restricted network environment, two migrations need to be disabled and performed manually. For instructions, see the following pages:

• Enable the service.
• Static file migration.
• Migration of execution environments.

Tile server¶

For information on updating the tile server in a restricted network, see the following page:

• Tile update.

Custom tasks¶

For information on configuring custom tasks in a restricted network, see the following pages:

• Testing networks.
• Special considerations.