External Secrets for DataRobot Kubernetes Installation¶
DataRobot supports external secret management through two operators: External Secrets Operator (ESO) and HashiCorp Vault Secrets Operator (VSO). These operators integrate external secret management systems such as AWS Secrets Manager, Azure Key Vault and HashiCorp Vault with Kubernetes, so that secret values never have to be written into Helm values or a source repository. Note that both operators still materialize the secrets as Kubernetes Secret objects in the cluster, so encryption at rest for etcd and RBAC on Secrets remain important.
Overview¶
Both External Secrets Operator and Vault Secrets Operator allow you to:
- Fetch secrets from external secret stores
- Automatically sync secrets into Kubernetes Secret objects
- Maintain separation between your application configuration and sensitive data
- Leverage your existing secret management infrastructure
Prerequisites¶
Before configuring external secret operators for your DataRobot installation, you need:
- A Kubernetes cluster with External Secrets Operator or Vault Secrets Operator installed
- Access to an external secret management system (AWS Secrets Manager, Azure Key Vault, HashiCorp Vault, etc.)
- Appropriate IAM/RBAC permissions for the operator to access your secret store
Configuring External Secrets Operator¶
To configure External Secrets Operator with the DataRobot Helm chart, create an override values file:
# values-override.yaml
auth-server:
  secretManager:
    secretStore:
      # -- Name of external secret store
      name: "external-secret-store"
      useExistingSecretStore: true
auth-token-customization:
  hydra:
    secret:
      enabled: false
  secretManager:
    externalSecret:
      name: auth-server-system-secrets
    secretStore:
      # -- Name of external secret store
      name: "external-secret-store"
      useExistingSecretStore: true
global:
  externalSecretStore:
    # -- Enable external secret store
    enabled: true
    engine: eso
    # -- Kind of external secret store ClusterSecretStore/SecretStore
    kind: "ClusterSecretStore"
    # -- Name of external secret store
    name: "external-secret-store"
    # -- Path to external secret store
    path: "/common/datarobot"
    provider:
      vault:
        auth:
          # - Example of using kubernetes auth engine
          kubernetes:
            mountPath: eso
            role: vault-secrets-operator
            serviceAccountRef:
              name: externalsecrets-sa
        # -- Optional field containing a base64 encoded string of the Certificate Authority to trust the Vault connection
        caBundle: >-
          LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJiekNDQVJhZ0F3SUJBZ0
          ...
          YyZUgyTjVEdzc2bzlySUF0Nkk9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
        path: /kv
        server: https://vault.vault:8200
        version: v2
Configuring Vault Secrets Operator¶
To configure Vault Secrets Operator with the DataRobot Helm chart, create an override values file:
# values-override.yaml
auth-server:
  secretManager:
    secretStore:
      # -- Name of external secret store
      name: "external-secret-store"
      useExistingSecretStore: true
auth-token-customization:
  hydra:
    secret:
      enabled: false
  secretManager:
    externalSecret:
      name: auth-server-system-secrets
    secretStore:
      # -- Name of external secret store
      name: "external-secret-store"
      useExistingSecretStore: true
global:
  externalSecretStore:
    enabled: true
    engine: vso
    path: "/common/datarobot"
    refreshInterval: "42s"
    vso:
      # -- spec for VaultConnection https://developer.hashicorp.com/vault/docs/deploy/kubernetes/vso/api-reference#vaultconnectionspec
      connection:
        address: https://vault.vault:8200
        skipTLSVerify: true
      # -- spec for VaultAuth https://developer.hashicorp.com/vault/docs/deploy/kubernetes/vso/api-reference#vaultauthspec
      auth:
        name: vault-auth-cfg
        spec:
          # - Example of using kubernetes auth engine
          method: kubernetes
          mount: vso
          kubernetes:
            role: vault-secrets-operator
            serviceAccount: externalsecrets-sa
            audiences:
              - vault
Note: The Vault authentication configuration must match how your Vault is set up; VaultAuth supports the kubernetes, jwt, appRole, aws and gcp methods. The example above also sets skipTLSVerify: true, which disables verification of Vault's TLS certificate and is only acceptable in a test environment; in production set it to false and point caCertSecretRef in the VaultConnection spec at a Secret holding your CA certificate, just as the ESO example pins the CA with caBundle.
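To see what the two values files above amount to in Kubernetes terms, here is an added example (not part of the DataRobot chart, whose templates this page does not show) that renders, as plain objects, the ESO ClusterSecretStore that the eso block describes, one ExternalSecret per DataRobot secret, and the VaultStaticSecret that the vso block would use for the same document, after checking that caBundle really is base64-encoded PEM. Assumptions not taken from the page: the ESO API version external-secrets.io/v1beta1, the VSO API version secrets.hashicorp.com/v1beta1, a release namespace named datarobot, and that each document lives at <mount>/common/datarobot/<name>; the CA certificate embedded in the script is a constructed placeholder.

```python
"""Render ESO/VSO objects equivalent to the DataRobot override values (added example)."""
import base64
import json

# Values copied from the override files above.
STORE_NAME = "external-secret-store"
VAULT_ADDR = "https://vault.vault:8200"
KV_MOUNT = "kv"                   # provider.vault.path (ESO) / spec.mount (VSO)
SECRET_PATH = "common/datarobot"  # global.externalSecretStore.path without the leading slash
NAMESPACE = "datarobot"           # assumption: the DataRobot release namespace

# Constructed placeholder, not a real certificate: a PEM-shaped blob encoded the
# way the caBundle field expects it.
SAMPLE_CA_B64 = base64.b64encode(
    b"-----BEGIN CERTIFICATE-----\nMIIBbzCCARagAwIBAg...\n-----END CERTIFICATE-----\n"
).decode()


def check_ca_bundle(ca_b64: str) -> bool:
    """True when caBundle is valid base64 whose content starts with a PEM certificate header."""
    try:
        pem = base64.b64decode(ca_b64, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    return pem.startswith(b"-----BEGIN CERTIFICATE-----")


def cluster_secret_store(ca_b64: str, role: str = "vault-secrets-operator",
                         sa: str = "externalsecrets-sa", mount_path: str = "eso") -> dict:
    """ESO ClusterSecretStore matching global.externalSecretStore.provider.vault."""
    if not check_ca_bundle(ca_b64):
        raise ValueError("caBundle must be base64-encoded PEM certificate data")
    return {
        "apiVersion": "external-secrets.io/v1beta1",
        "kind": "ClusterSecretStore",
        "metadata": {"name": STORE_NAME},
        "spec": {"provider": {"vault": {
            "server": VAULT_ADDR, "path": KV_MOUNT, "version": "v2", "caBundle": ca_b64,
            "auth": {"kubernetes": {"mountPath": mount_path, "role": role,
                                    "serviceAccountRef": {"name": sa}}},
        }}},
    }


def external_secret(name: str, refresh: str = "1h") -> dict:
    """ESO ExternalSecret copying every key of one KV document into a Secret of the same name."""
    return {
        "apiVersion": "external-secrets.io/v1beta1",
        "kind": "ExternalSecret",
        "metadata": {"name": name, "namespace": NAMESPACE},
        "spec": {
            "refreshInterval": refresh,
            "secretStoreRef": {"kind": "ClusterSecretStore", "name": STORE_NAME},
            "target": {"name": name, "creationPolicy": "Owner"},
            "dataFrom": [{"extract": {"key": f"{SECRET_PATH}/{name}"}}],
        },
    }


def vault_static_secret(name: str, refresh: str = "42s",
                        auth_ref: str = "vault-auth-cfg") -> dict:
    """VSO VaultStaticSecret for the same document, using the VaultAuth named in the vso block."""
    return {
        "apiVersion": "secrets.hashicorp.com/v1beta1",
        "kind": "VaultStaticSecret",
        "metadata": {"name": name, "namespace": NAMESPACE},
        "spec": {
            "vaultAuthRef": auth_ref, "mount": KV_MOUNT, "type": "kv-v2",
            "path": f"{SECRET_PATH}/{name}", "refreshAfter": refresh,
            "destination": {"name": name, "create": True},
        },
    }


def render(ca_b64: str, names, engine: str = "eso") -> dict:
    """A v1 List accepted by `kubectl apply -f -` (add --dry-run=server to validate first)."""
    if engine == "eso":
        items = [cluster_secret_store(ca_b64)] + [external_secret(n) for n in names]
    elif engine == "vso":
        # VaultConnection and VaultAuth are produced from the chart values, not here.
        items = [vault_static_secret(n) for n in names]
    else:
        raise ValueError(f"unknown engine {engine!r}")
    return {"apiVersion": "v1", "kind": "List", "items": items}


if __name__ == "__main__":
    print(json.dumps(render(SAMPLE_CA_B64, ["ui-admin-credentials", "pcs-redis"]), indent=2))
```

The caBundle check catches the most common mistake with that field, pasting the PEM text instead of its base64 encoding; the first 36 characters of the page's example value decode to `-----BEGIN CERTIFICATE-----`, which is exactly what the check looks for. Run the output through `kubectl apply --dry-run=server -f -` before applying it, and then confirm sync with `kubectl get externalsecret` (ESO) or `kubectl get vaultstaticsecret` (VSO), where the Ready condition tells you whether the operator could authenticate and read the path.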
Secrets¶
The following secrets must be populated in the chosen secret management system under the path configured in global.externalSecretStore.path (/common/datarobot in the examples above):
/common/datarobot/ui-admin-credentials¶
{
"fqdn": "DR_WEBPAGE_FQDN",
"password": "ADMIN_USER_PASSWORD",
"username": "ADMIN_USER_EMAIL"
}
DR_WEBPAGE_FQDN: The Fully-qualified domain name (FQDN) of the web portal where users will log in (e.g., datarobot-app.company-name.com).
ADMIN_USER_EMAIL: The email address for the initial administrative user in the web portal (e.g., admin@datarobot.com).
ADMIN_USER_PASSWORD: The password for the initial administrative user.
/common/datarobot/datarobot-license¶
{
"license": "DR_LICENSE_CONTENT"
}
DR_LICENSE_CONTENT : The encrypted content of the DataRobot license file.
/common/datarobot/core-credentials¶
{
"asymmetrickey": "DATAROBOT_ASYMMETRIC_KEY",
"drsecurekey": "DATAROBOT_DRSECURE_KEY"
}
DATAROBOT_ASYMMETRIC_KEY: The asymmetric key required by the DataRobot application. Must adhere to the format aeshex256:<AES-256 key>.
DATAROBOT_DRSECURE_KEY: The secure key used by the DataRobot application. Must adhere to the format aeshex256:<AES-256 key>.
/common/datarobot/mmapp-credentials¶
{
"password": "MMAPP_PASSWORD"
}
MMAPP_PASSWORD: The password for the MMApp service. Must be a random 42-character string.
/common/datarobot/datarobot-image-pull-secret¶
{
".dockerconfigjson": "DOCKER_CONFIG_JSON"
}
DOCKER_CONFIG_JSON: The Docker registry login configuration (the contents of config.json) that holds the registry authorization token. For more details see: Interpretation of config.json
/common/datarobot/pcs-redis¶
{
"redis-password": "REDIS_PASSWORD"
}
REDIS_PASSWORD: The password for the Redis database. Must be a random, alphanumeric string with a minimum length of 24 characters.
/common/datarobot/pcs-elasticsearch¶
{
"elasticsearch-password": "ELASTICSEARCH_PASSWORD"
}
ELASTICSEARCH_PASSWORD: The password for the Elasticsearch database. Must be a random, alphanumeric string with a minimum length of 24 characters.
/common/datarobot/pcs-mongo¶
{
"mongodb-replica-set-key": "MONGODB_REPLICA_SET_KEY",
"mongodb-root-password": "MONGODB_ROOT_PASSWORD",
"mongodb-root-username": "MONGODB_ROOT_USERNAME"
}
MONGODB_REPLICA_SET_KEY: The key for the MongoDB replica set. Must be a random, alphanumeric string with a minimum length of 42 characters.
MONGODB_ROOT_PASSWORD: The password for the MongoDB database. Must be a random, alphanumeric string with a minimum length of 24 characters.
MONGODB_ROOT_USERNAME: The username of the MongoDB root user. Example: pcs-mongodb.
/common/datarobot/pcs-rabbitmq¶
{
"rabbitmq-erlang-cookie": "RABBITMQ_ERLANG_COOKIE",
"rabbitmq-password": "RABBITMQ_PASSWORD",
"rabbitmq-username": "RABBITMQ_USERNAME"
}
RABBITMQ_ERLANG_COOKIE: The shared secret (cookie) used by Erlang nodes for inter-node authentication and clustering in the RabbitMQ environment. Must be a random, alphanumeric string with a minimum length of 32 characters.
RABBITMQ_PASSWORD: The password for the RabbitMQ user. Must be a random, alphanumeric string with a minimum length of 24 characters.
RABBITMQ_USERNAME: The username for the RabbitMQ instance. Example: pcs-rabbitmq.
/common/datarobot/pcs-rabbitmq-definition¶
{
"load_definition.json": "{\"permissions\":[{\"configure\":\".*\",\"read\":\".*\",\"user\":\"RABBITMQ_USERNAME\",\"vhost\":\"analytics\",\"write\":\".*\"},{\"configure\":\".*\",\"read\":\".*\",\"user\":\"RABBITMQ_USERNAME\",\"vhost\":\"auto_apps\",\"write\":\".*\"},{\"configure\":\".*\",\"read\":\".*\",\"user\":\"RABBITMQ_USERNAME\",\"vhost\":\"mmqueue\",\"write\":\".*\"},{\"configure\":\".*\",\"read\":\".*\",\"user\":\"RABBITMQ_USERNAME\",\"vhost\":\"notifications\",\"write\":\".*\"},{\"configure\":\".*\",\"read\":\".*\",\"user\":\"RABBITMQ_USERNAME\",\"vhost\":\"orm\",\"write\":\".*\"},{\"configure\":\".*\",\"read\":\".*\",\"user\":\"RABBITMQ_USERNAME\",\"vhost\":\"queue\",\"write\":\".*\"},{\"configure\":\".*\",\"read\":\".*\",\"user\":\"RABBITMQ_USERNAME\",\"vhost\":\"nbx\",\"write\":\".*\"},{\"configure\":\".*\",\"read\":\".*\",\"user\":\"RABBITMQ_USERNAME\",\"vhost\":\"csp-spark\",\"write\":\".*\"},{\"configure\":\".*\",\"read\":\".*\",\"user\":\"RABBITMQ_USERNAME\",\"vhost\":\"buzok\",\"write\":\".*\"},{\"configure\":\".*\",\"read\":\".*\",\"user\":\"RABBITMQ_USERNAME\",\"vhost\":\"network_policies\",\"write\":\".*\"},{\"configure\":\".*\",\"read\":\".*\",\"user\":\"RABBITMQ_USERNAME\",\"vhost\":\"entitlement-service-civ2\",\"write\":\".*\"},{\"configure\":\".*\",\"read\":\".*\",\"user\":\"RABBITMQ_USERNAME\",\"vhost\":\"covalent\",\"write\":\".*\"},{\"configure\":\".*\",\"read\":\".*\",\"user\":\"RABBITMQ_USERNAME\",\"vhost\":\"apigateway\",\"write\":\".*\"},{\"configure\":\".*\",\"read\":\".*\",\"user\":\"RABBITMQ_USERNAME\",\"vhost\":\"/\",\"write\":\".*\"}],\"users\":[{\"name\":\"RABBITMQ_USERNAME\",\"password\":\"RABBITMQ_PASSWORD\",\"tags\":\"administrator\"}],\"vhosts\":[{\"name\":\"analytics\"},{\"name\":\"auto_apps\"},{\"name\":\"mmqueue\"},{\"name\":\"notifications\"},{\"name\":\"orm\"},{\"name\":\"queue\"},{\"name\":\"nbx\"},{\"name\":\"csp-spark\"},{\"name\":\"buzok\"},{\"name\":\"network_policies\"},{\"name\":\"entitlement-service-civ2\"},{\"name\":\"covalent\"},{\"name\":\"apigateway\"},{\"name\":\"/\"}]}"
}
RABBITMQ_PASSWORD: The password for the RabbitMQ user. Must be a random, alphanumeric string with a minimum length of 24 characters. It must be the same value as in pcs-rabbitmq.
RABBITMQ_USERNAME: The username for the RabbitMQ instance. Example: pcs-rabbitmq. It must be the same value as in pcs-rabbitmq.
Note that this definitions file gives the user the administrator tag and full configure/read/write permissions on every vhost, and carries the password in clear text, so it must be protected like the pcs-rabbitmq secret itself.
/common/datarobot/pcs-postgresql¶
{
"database": "datarobot",
"password": "POSTGRESQL_PASSWORD",
"postgres-password": "POSTGRESQL_PASSWORD",
"postgres-username": "postgres",
"repmgr-password": "REPMGR_PASSWORD",
"repmgr-username": "repmgr",
"username": "datarobot"
}
POSTGRESQL_PASSWORD: The password for the PostgreSQL database. Must be a random, alphanumeric string with a minimum length of 24 characters. The same value is used for the password and postgres-password keys.
REPMGR_PASSWORD: The password for the PostgreSQL repmgr database user. This user is essential for managing replication and failover in the HA setup. Must be a random, alphanumeric string with a minimum length of 24 characters.
/common/datarobot/pcs-pgpool¶
{
"admin-password": "PGPOOL_PASSWORD",
"sr-check-password": "POSTGRESQL_PASSWORD"
}
PGPOOL_PASSWORD: The password for the PgPool admin user, used for connecting to and managing the PostgreSQL cluster. Must be a random, alphanumeric string with a minimum length of 24 characters.
POSTGRESQL_PASSWORD: The password for the PostgreSQL database, as set in pcs-postgresql. Must be a random, alphanumeric string with a minimum length of 24 characters.
/common/datarobot/pcs-pgpool-userdb¶
{
"user.sql": "DO $$ BEGIN IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'postgres') THEN CREATE ROLE postgres; END IF; END $$;\nGRANT postgres TO postgres;\nALTER USER postgres WITH LOGIN PASSWORD 'POSTGRESQL_PASSWORD';\nSELECT 'CREATE DATABASE postgres' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'postgres')\\gexec\nALTER DATABASE postgres OWNER TO postgres;\nGRANT ALL PRIVILEGES ON DATABASE postgres TO postgres;\n",
"userdb.sh": "#!/bin/bash\nset +e\nIFS=','\nread -ra hosts <<< \"$PGPOOL_BACKEND_NODES\"\nfor host_segment in \"${hosts[@]}\"; do\n host=\"$( echo $host_segment | cut -d ':' -f2)\"\n port=\"$( echo $host_segment | cut -d ':' -f3)\"\n echo \"connecting to $host:$port\"\n psql_output=$(psql postgres://$POSTGRESQL_INITSCRIPTS_USERNAME:$POSTGRESQL_INITSCRIPTS_PASSWORD@$host:$port -f /opt/bitnami/initscript/user.sql 2>&1)\n if grep -q \"read-only transaction\" <<< \"$psql_output\"; then\n echo \" skip read-only node $host:$port\"\n continue\n fi\ndone\n"
}
POSTGRESQL_PASSWORD: The password for the PostgreSQL database, as set in pcs-postgresql. Must be a random, alphanumeric string with a minimum length of 24 characters.
/common/datarobot/pcs-pgpool-custom-users¶
{
"passwords": "POSTGRESQL_PASSWORD,MODMON_PASSWORD,CSPSPARK_PASSWORD,COMPUTEJOBS_PASSWORD,BUILDSERVICE_PASSWORD,MESSAGEQUEUE_PASSWORD,PREDENV_PASSWORD,SUSHIHYDRA_PASSWORD,IDENTITYRESOURCESERVICE_PASSWORD,ENTITLEMENT_PASSWORD,OAUTHPROVIDERS_PASSWORD,COVALENT_PASSWORD,APIGATEWAY_PASSWORD,AIRFLOWMANAGER_PASSWORD",
"usernames": "postgres,modmon,cspspark,computejobs,buildservice,messagequeue,predenv,sushihydra,identityresourceservice,entitlement,oauthproviders,covalent,apigateway,airflowmanager"
}
POSTGRESQL_PASSWORD: The password for the PostgreSQL database, as set in pcs-postgresql. Must be a random, alphanumeric string with a minimum length of 24 characters. The passwords list must be in the same order as the usernames list.
MODMON_PASSWORD: The password for the modmon database. Must be a random, alphanumeric string with a minimum length of 24 characters.
CSPSPARK_PASSWORD: The password for the cspspark database. Must be a random, alphanumeric string with a minimum length of 24 characters.
COMPUTEJOBS_PASSWORD: The password for the computejobs database. Must be a random, alphanumeric string with a minimum length of 24 characters.
BUILDSERVICE_PASSWORD: The password for the buildservice database. Must be a random, alphanumeric string with a minimum length of 24 characters.
MESSAGEQUEUE_PASSWORD: The password for the messagequeue database. Must be a random, alphanumeric string with a minimum length of 24 characters.
PREDENV_PASSWORD: The password for the predenv database. Must be a random, alphanumeric string with a minimum length of 24 characters.
SUSHIHYDRA_PASSWORD: The password for the sushihydra database. Must be a random, alphanumeric string with a minimum length of 24 characters.
IDENTITYRESOURCESERVICE_PASSWORD: The password for the identityresourceservice database. Must be a random, alphanumeric string with a minimum length of 24 characters.
ENTITLEMENT_PASSWORD: The password for the entitlement database. Must be a random, alphanumeric string with a minimum length of 24 characters.
OAUTHPROVIDERS_PASSWORD: The password for the oauthproviders database. Must be a random, alphanumeric string with a minimum length of 24 characters.
COVALENT_PASSWORD: The password for the covalent database. Must be a random, alphanumeric string with a minimum length of 24 characters.
APIGATEWAY_PASSWORD: The password for the apigateway database. Must be a random, alphanumeric string with a minimum length of 24 characters.
AIRFLOWMANAGER_PASSWORD: The password for the airflowmanager database. Must be a random, alphanumeric string with a minimum length of 24 characters.
/common/datarobot/pcs-db-airflowmanager¶
{
"database": "airflowmanager",
"password": "AIRFLOWMANAGER_PASSWORD",
"username": "airflowmanager"
}
AIRFLOWMANAGER_PASSWORD: The password for the airflowmanager database. Must be a random, alphanumeric string with a minimum length of 24 characters.
/common/datarobot/pcs-db-apigateway¶
{
"database": "apigateway",
"password": "APIGATEWAY_PASSWORD",
"username": "apigateway"
}
APIGATEWAY_PASSWORD: The password for the apigateway database. Must be a random, alphanumeric string with a minimum length of 24 characters.
/common/datarobot/pcs-db-buildservice¶
{
"database": "buildservice",
"password": "BUILDSERVICE_PASSWORD",
"username": "buildservice"
}
BUILDSERVICE_PASSWORD: The password for the buildservice database. Must be a random, alphanumeric string with a minimum length of 24 characters.
/common/datarobot/pcs-db-computejobs¶
{
"database": "computejobs",
"password": "COMPUTEJOBS_PASSWORD",
"username": "computejobs"
}
COMPUTEJOBS_PASSWORD: The password for the computejobs database. Must be a random, alphanumeric string with a minimum length of 24 characters.
/common/datarobot/pcs-db-covalent¶
{
"database": "covalent",
"password": "COVALENT_PASSWORD",
"username": "covalent"
}
COVALENT_PASSWORD: The password for the covalent database. Must be a random, alphanumeric string with a minimum length of 24 characters.
/common/datarobot/pcs-db-cspspark¶
{
"database": "cspspark",
"password": "CSPSPARK_PASSWORD",
"username": "cspspark"
}
CSPSPARK_PASSWORD: The password for the cspspark database. Must be a random, alphanumeric string with a minimum length of 24 characters.
/common/datarobot/pcs-db-entitlement¶
{
"database": "entitlement",
"password": "ENTITLEMENT_PASSWORD",
"username": "entitlement"
}
ENTITLEMENT_PASSWORD: The password for the entitlement database. Must be a random, alphanumeric string with a minimum length of 24 characters.
/common/datarobot/pcs-db-identityresourceservice¶
{
"database": "identityresourceservice",
"password": "IDENTITYRESOURCESERVICE_PASSWORD",
"username": "identityresourceservice"
}
IDENTITYRESOURCESERVICE_PASSWORD: The password for the identityresourceservice database. Must be a random, alphanumeric string with a minimum length of 24 characters.
/common/datarobot/pcs-db-messagequeue¶
{
"database": "messagequeue",
"password": "MESSAGEQUEUE_PASSWORD",
"username": "messagequeue"
}
MESSAGEQUEUE_PASSWORD: The password for the messagequeue database. Must be a random, alphanumeric string with a minimum length of 24 characters.
/common/datarobot/pcs-db-modmon¶
{
"database": "modmon",
"password": "MODMON_PASSWORD",
"username": "modmon"
}
MODMON_PASSWORD: The password for the modmon database. Must be a random, alphanumeric string with a minimum length of 24 characters.
/common/datarobot/pcs-db-oauthproviders¶
{
"database": "oauthproviders",
"password": "OAUTHPROVIDERS_PASSWORD",
"username": "oauthproviders"
}
OAUTHPROVIDERS_PASSWORD: The password for the oauthproviders database. Must be a random, alphanumeric string with a minimum length of 24 characters.
/common/datarobot/pcs-db-predenv¶
{
"database": "predenv",
"password": "PREDENV_PASSWORD",
"username": "predenv"
}
PREDENV_PASSWORD: The password for the predenv database. Must be a random, alphanumeric string with a minimum length of 24 characters.
/common/datarobot/pcs-db-sushihydra¶
{
"database": "sushihydra",
"password": "SUSHIHYDRA_PASSWORD",
"username": "sushihydra"
}
SUSHIHYDRA_PASSWORD: The password for the sushihydra database. Must be a random, alphanumeric string with a minimum length of 24 characters.
/common/datarobot/pcs-postgresql-initdb¶
{
"airflowmanager.sql": "DO $$ BEGIN IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'airflowmanager') THEN CREATE ROLE airflowmanager; END IF; END $$;\nGRANT airflowmanager TO postgres;\nALTER USER airflowmanager WITH LOGIN PASSWORD 'AIRFLOWMANAGER_PASSWORD';\nSELECT 'CREATE DATABASE airflowmanager' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'airflowmanager')\\gexec\nALTER DATABASE airflowmanager OWNER TO airflowmanager;\nGRANT ALL PRIVILEGES ON DATABASE airflowmanager TO airflowmanager;\n",
"buildservice.sql": "DO $$ BEGIN IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'buildservice') THEN CREATE ROLE buildservice; END IF; END $$;\nGRANT buildservice TO postgres;\nALTER USER buildservice WITH LOGIN PASSWORD 'BUILDSERVICE_PASSWORD';\nSELECT 'CREATE DATABASE buildservice' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'buildservice')\\gexec\nALTER DATABASE buildservice OWNER TO buildservice;\nGRANT ALL PRIVILEGES ON DATABASE buildservice TO buildservice;\n",
"computejobs.sql": "DO $$ BEGIN IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'computejobs') THEN CREATE ROLE computejobs; END IF; END $$;\nGRANT computejobs TO postgres;\nALTER USER computejobs WITH LOGIN PASSWORD 'COMPUTEJOBS_PASSWORD';\nSELECT 'CREATE DATABASE computejobs' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'computejobs')\\gexec\nALTER DATABASE computejobs OWNER TO computejobs;\nGRANT ALL PRIVILEGES ON DATABASE computejobs TO computejobs;\n",
"covalent.sql": "DO $$ BEGIN IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'covalent') THEN CREATE ROLE covalent; END IF; END $$;\nGRANT covalent TO postgres;\nALTER USER covalent WITH LOGIN PASSWORD 'COVALENT_PASSWORD';\nSELECT 'CREATE DATABASE covalent' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'covalent')\\gexec\nALTER DATABASE covalent OWNER TO covalent;\nGRANT ALL PRIVILEGES ON DATABASE covalent TO covalent;\n",
"cspspark.sql": "DO $$ BEGIN IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'cspspark') THEN CREATE ROLE cspspark; END IF; END $$;\nGRANT cspspark TO postgres;\nALTER USER cspspark WITH LOGIN PASSWORD 'CSPSPARK_PASSWORD';\nSELECT 'CREATE DATABASE cspspark' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'cspspark')\\gexec\nALTER DATABASE cspspark OWNER TO cspspark;\nGRANT ALL PRIVILEGES ON DATABASE cspspark TO cspspark;\n",
"entitlement.sql": "DO $$ BEGIN IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'entitlement') THEN CREATE ROLE entitlement; END IF; END $$;\nGRANT entitlement TO postgres;\nALTER USER entitlement WITH LOGIN PASSWORD 'ENTITLEMENT_PASSWORD';\nSELECT 'CREATE DATABASE entitlement' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'entitlement')\\gexec\nALTER DATABASE entitlement OWNER TO entitlement;\nGRANT ALL PRIVILEGES ON DATABASE entitlement TO entitlement;\n",
"identityresourceservice.sql": "DO $$ BEGIN IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'identityresourceservice') THEN CREATE ROLE identityresourceservice; END IF; END $$;\nGRANT identityresourceservice TO postgres;\nALTER USER identityresourceservice WITH LOGIN PASSWORD 'IDENTITYRESOURCESERVICE_PASSWORD';\nSELECT 'CREATE DATABASE identityresourceservice' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'identityresourceservice')\\gexec\nALTER DATABASE identityresourceservice OWNER TO identityresourceservice;\nGRANT ALL PRIVILEGES ON DATABASE identityresourceservice TO identityresourceservice;\n",
"messagequeue.sql": "DO $$ BEGIN IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'messagequeue') THEN CREATE ROLE messagequeue; END IF; END $$;\nGRANT messagequeue TO postgres;\nALTER USER messagequeue WITH LOGIN PASSWORD 'MESSAGEQUEUE_PASSWORD';\nSELECT 'CREATE DATABASE messagequeue' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'messagequeue')\\gexec\nALTER DATABASE messagequeue OWNER TO messagequeue;\nGRANT ALL PRIVILEGES ON DATABASE messagequeue TO messagequeue;\n",
"modmon.sql": "DO $$ BEGIN IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'modmon') THEN CREATE ROLE modmon; END IF; END $$;\nGRANT modmon TO postgres;\nALTER USER modmon WITH LOGIN PASSWORD 'MODMON_PASSWORD';\nSELECT 'CREATE DATABASE modmon' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'modmon')\\gexec\nALTER DATABASE modmon OWNER TO modmon;\nGRANT ALL PRIVILEGES ON DATABASE modmon TO modmon;\n",
"oauthproviders.sql": "DO $$ BEGIN IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'oauthproviders') THEN CREATE ROLE oauthproviders; END IF; END $$;\nGRANT oauthproviders TO postgres;\nALTER USER oauthproviders WITH LOGIN PASSWORD 'OAUTHPROVIDERS_PASSWORD';\nSELECT 'CREATE DATABASE oauthproviders' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'oauthproviders')\\gexec\nALTER DATABASE oauthproviders OWNER TO oauthproviders;\nGRANT ALL PRIVILEGES ON DATABASE oauthproviders TO oauthproviders;\n",
"predenv.sql": "DO $$ BEGIN IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'predenv') THEN CREATE ROLE predenv; END IF; END $$;\nGRANT predenv TO postgres;\nALTER USER predenv WITH LOGIN PASSWORD 'PREDENV_PASSWORD';\nSELECT 'CREATE DATABASE predenv' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'predenv')\\gexec\nALTER DATABASE predenv OWNER TO predenv;\nGRANT ALL PRIVILEGES ON DATABASE predenv TO predenv;\n",
"sushihydra.sql": "DO $$ BEGIN IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname = 'sushihydra') THEN CREATE ROLE sushihydra; END IF; END $$;\nGRANT sushihydra TO postgres;\nALTER USER sushihydra WITH LOGIN PASSWORD 'SUSHIHYDRA_PASSWORD';\nSELECT 'CREATE DATABASE sushihydra' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = 'sushihydra')\\gexec\nALTER DATABASE sushihydra OWNER TO sushihydra;\nGRANT ALL PRIVILEGES ON DATABASE sushihydra TO sushihydra;\n"
}
MODMON_PASSWORD: The password for the modmon database. Must be a random, alphanumeric string with a minimum length of 24 characters.
CSPSPARK_PASSWORD: The password for the cspspark database. Must be a random, alphanumeric string with a minimum length of 24 characters.
COMPUTEJOBS_PASSWORD: The password for the computejobs database. Must be a random, alphanumeric string with a minimum length of 24 characters.
BUILDSERVICE_PASSWORD: The password for the buildservice database. Must be a random, alphanumeric string with a minimum length of 24 characters.
MESSAGEQUEUE_PASSWORD: The password for the messagequeue database. Must be a random, alphanumeric string with a minimum length of 24 characters.
PREDENV_PASSWORD: The password for the predenv database. Must be a random, alphanumeric string with a minimum length of 24 characters.
SUSHIHYDRA_PASSWORD: The password for the sushihydra database. Must be a random, alphanumeric string with a minimum length of 24 characters.
IDENTITYRESOURCESERVICE_PASSWORD: The password for the identityresourceservice database. Must be a random, alphanumeric string with a minimum length of 24 characters.
ENTITLEMENT_PASSWORD: The password for the entitlement database. Must be a random, alphanumeric string with a minimum length of 24 characters.
OAUTHPROVIDERS_PASSWORD: The password for the oauthproviders database. Must be a random, alphanumeric string with a minimum length of 24 characters.
COVALENT_PASSWORD: The password for the covalent database. Must be a random, alphanumeric string with a minimum length of 24 characters.
AIRFLOWMANAGER_PASSWORD: The password for the airflowmanager database. Must be a random, alphanumeric string with a minimum length of 24 characters.
/common/datarobot/pcs-postgresql-initdb-cfg¶
{
"POSTGRESQL_INITSCRIPTS_PASSWORD": "POSTGRESQL_PASSWORD",
"POSTGRESQL_INITSCRIPTS_USERNAME": "postgres"
}
POSTGRESQL_PASSWORD: The password for the PostgreSQL database, as set in pcs-postgresql. Must be a random, alphanumeric string with a minimum length of 24 characters.
/common/datarobot/bootstrap-hydra¶
{
"hydraClientId": "HYDRA_CLIENTID",
"hydraClientSecret": "HYDRA_CLIENTSECRET"
}
HYDRA_CLIENTID: The unique identifier (client ID) used for authentication and authorization with the Hydra OAuth 2.0 server. Example: 3571ef40-207b-4b6b-83c1-e49bdbdb2149.
HYDRA_CLIENTSECRET: Hydra client secret. Must be a random, alphanumeric string with a minimum length of 18 characters.
/common/datarobot/auth-server-system-secrets¶
{
"secretsCookie": "AUTH_SECRETS_COOKIE",
"secretsSystem": "AUTH_SECRETS_SYSTEM"
}
AUTH_SECRETS_COOKIE: The signing and encryption key used to protect and validate authentication cookies stored on the client side. Must be a random, alphanumeric string with a minimum length of 32 characters.
AUTH_SECRETS_SYSTEM: The master key used for internal system communication and the cryptographic protection of stored application secrets. Must be a random, alphanumeric string with a minimum length of 32 characters.
/common/datarobot/oauth-providers-service-secret¶
{
"encryptionKey": "ENCRYPTION_KEY",
"signingKey": "SIGNING_KEY",
"testClientId": "TEST_CLIENT_ID"
}
ENCRYPTION_KEY: The symmetric encryption key used to encrypt sensitive internal data, such as authentication tokens or session data. Must be a random, alphanumeric string with a minimum length of 32 characters.
SIGNING_KEY: The cryptographic key used to digitally sign authentication tokens (e.g., JWTs) to ensure their integrity and authenticity. Must be a random, alphanumeric string with a minimum length of 63 characters.
TEST_CLIENT_ID: A client ID in the standard client ID format (e.g., a UUID). Must be a random, alphanumeric string with a minimum length of 16 characters.
/common/datarobot/build-service-env-secret¶
{
"BUILD_SERVICE_EXTERNAL_SECRET": "true"
}
/common/datarobot/buzok-llm-gateway-secrets¶
{
"BUZOK_LLM_GATEWAY": "true",
"LLM_ANTHROPIC_CREDENTIALS": "{\"endpoints\":[{\"region\":\"us\",\"api_key\":\"ANTHROPIC_API_KEY\"}]}",
"LLM_AZURE_OPENAI_CREDENTIALS": "{\"endpoints\":[{\"region\":\"northcentralus\",\"api_type\":\"azure\",\"api_base\":\"AZURE_OPENAI_API_BASE\",\"api_version\":\"2025-03-01-preview\",\"api_key\":\"AZURE_OPENAI_API_KEY\",\"unsupported_models\":[\"azure-openai-gpt-4-turbo\"]},{\"region\":\"eastus2\",\"api_type\":\"azure\",\"api_base\":\"AZURE_OPENAI_API_BASE\",\"api_version\":\"2025-03-01-preview\",\"api_key\":\"AZURE_OPENAI_API_KEY\"}]}"
}
ANTHROPIC_API_KEY: The API key required to authenticate and authorize requests to the Anthropic LLM service.
AZURE_OPENAI_API_BASE: The base URL or domain name for the Azure OpenAI deployment instance (e.g., https://your-instance.openai.azure.com/).
AZURE_OPENAI_API_KEY: The API key required to authenticate and authorize requests to the Azure OpenAI service.
/common/datarobot/datavolt¶
{
"password": "DATAVOLT_KEY"
}
DATAVOLT_KEY: The master key or password required for authentication with and securing the DataVolt service. Must be a random, alphanumeric string with a minimum length of 42 characters.
/common/datarobot/covalent-kek¶
{
"passphrase": "COVALENT_KEK",
"version": "1"
}
COVALENT_KEK: The Key Encryption Key (KEK) used by the Covalent service for wrapping or encrypting other sensitive keys. Must be a random, alphanumeric string with a minimum length of 42 characters.
/common/datarobot/covalent-key¶
{
"key": "COVALENT_KEY"
}
COVALENT_KEY: The master key or primary secret used by the Covalent service. Must be a 2048-bit RSA private key.
/common/datarobot/cert¶
{
"tls.crt": "INGRESS_TLS_CRT",
"tls.key": "INGRESS_TLS_KEY"
}
INGRESS_TLS_CRT: The TLS certificate presented by the ingress controller or load balancer to clients to establish a secure connection.
INGRESS_TLS_KEY: The private key corresponding to the provided TLS certificate. It is used by the ingress to prove ownership of the certificate during the TLS handshake; anyone holding it can impersonate the endpoint, so it must live only in the secret store and the synced Secret.
NODE_SECRET: The shared secret used to authenticate communication between Tyk Gateway and Tyk API Controller. Must be a random, alphanumeric string with a minimum length of 32 characters.
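Most of the documents above are random values with a stated minimum length, and getting one of them wrong (too short, wrong character set, a mismatch between password and postgres-password) only shows up as a failed pod much later. The following added example, which is not DataRobot tooling, generates those documents with the page's constraints, validates a bundle against them, and emits the `vault kv put` commands that load them. Assumptions not taken from the page: a KV v2 engine mounted at kv with the documents under common/datarobot (matching the values files above), that aeshex256:<AES-256 key> means 32 random bytes in hexadecimal, and the example FQDN and admin address. The license, TLS material and the RabbitMQ/PostgreSQL definition documents are hand-authored and are not covered.

```python
"""Generate, validate and load the random secret documents (added example)."""
import re
import secrets
import shlex
import string
import uuid

ALNUM = string.ascii_letters + string.digits
MOUNT = "kv"                 # provider.vault.path in the ESO example
PREFIX = "common/datarobot"  # global.externalSecretStore.path without the leading slash
# Assumption: the aeshex256 format is the literal prefix plus 32 bytes as 64 hex digits.
AESHEX256 = re.compile(r"^aeshex256:[0-9a-fA-F]{64}$")

# Minimum lengths the page states for each random, alphanumeric value.
MIN_LEN = {
    "mmapp-credentials/password": 42,
    "pcs-redis/redis-password": 24,
    "pcs-elasticsearch/elasticsearch-password": 24,
    "pcs-mongo/mongodb-replica-set-key": 42,
    "pcs-mongo/mongodb-root-password": 24,
    "pcs-rabbitmq/rabbitmq-erlang-cookie": 32,
    "pcs-rabbitmq/rabbitmq-password": 24,
    "pcs-postgresql/password": 24,
    "pcs-postgresql/repmgr-password": 24,
    "bootstrap-hydra/hydraClientSecret": 18,
    "auth-server-system-secrets/secretsCookie": 32,
    "auth-server-system-secrets/secretsSystem": 32,
    "oauth-providers-service-secret/encryptionKey": 32,
    "oauth-providers-service-secret/signingKey": 63,
    "oauth-providers-service-secret/testClientId": 16,
    "datavolt/password": 42,
    "covalent-kek/passphrase": 42,
}


def rand_alnum(n: int) -> str:
    """Random alphanumeric string of length n from the OS CSPRNG."""
    return "".join(secrets.choice(ALNUM) for _ in range(n))


def aeshex256_key() -> str:
    """aeshex256:<AES-256 key>, assumed to be 32 random bytes hex-encoded."""
    return "aeshex256:" + secrets.token_hex(32)


def build_bundle(fqdn: str, admin_email: str, admin_password: str) -> dict:
    """Return {secret name: document} using the page's key names and minimum lengths."""
    pg = rand_alnum(24)  # "password" and "postgres-password" carry the same value
    return {
        "ui-admin-credentials": {"fqdn": fqdn, "password": admin_password, "username": admin_email},
        "core-credentials": {"asymmetrickey": aeshex256_key(), "drsecurekey": aeshex256_key()},
        "mmapp-credentials": {"password": rand_alnum(42)},
        "pcs-redis": {"redis-password": rand_alnum(24)},
        "pcs-elasticsearch": {"elasticsearch-password": rand_alnum(24)},
        "pcs-mongo": {"mongodb-replica-set-key": rand_alnum(42),
                      "mongodb-root-password": rand_alnum(24), "mongodb-root-username": "pcs-mongodb"},
        "pcs-rabbitmq": {"rabbitmq-erlang-cookie": rand_alnum(32),
                         "rabbitmq-password": rand_alnum(24), "rabbitmq-username": "pcs-rabbitmq"},
        "pcs-postgresql": {"database": "datarobot", "password": pg, "postgres-password": pg,
                           "postgres-username": "postgres", "repmgr-password": rand_alnum(24),
                           "repmgr-username": "repmgr", "username": "datarobot"},
        "bootstrap-hydra": {"hydraClientId": str(uuid.uuid4()), "hydraClientSecret": rand_alnum(18)},
        "auth-server-system-secrets": {"secretsCookie": rand_alnum(32), "secretsSystem": rand_alnum(32)},
        "oauth-providers-service-secret": {"encryptionKey": rand_alnum(32), "signingKey": rand_alnum(63),
                                           "testClientId": uuid.uuid4().hex},
        "datavolt": {"password": rand_alnum(42)},
        "covalent-kek": {"passphrase": rand_alnum(42), "version": "1"},
    }


def validate(bundle: dict) -> list:
    """Constraint violations found in the bundle; an empty list means it is acceptable."""
    problems = []
    for ref, n in MIN_LEN.items():
        name, key = ref.split("/")
        val = bundle.get(name, {}).get(key)
        if val is None:
            problems.append(f"{ref}: missing")
        elif len(val) < n or not val.isalnum():
            problems.append(f"{ref}: need a random alphanumeric string of >= {n} chars")
    for key in ("asymmetrickey", "drsecurekey"):
        if not AESHEX256.match(bundle.get("core-credentials", {}).get(key, "")):
            problems.append(f"core-credentials/{key}: expected aeshex256:<64 hex chars>")
    pg = bundle.get("pcs-postgresql", {})
    if pg.get("password") != pg.get("postgres-password"):
        problems.append("pcs-postgresql: password and postgres-password must be identical")
    return problems


def vault_put_commands(bundle: dict) -> list:
    """One `vault kv put` per document (KV v2 via -mount); keys match the page's JSON."""
    cmds = []
    for name, doc in sorted(bundle.items()):
        kv = " ".join(shlex.quote(f"{k}={v}") for k, v in doc.items())
        cmds.append(f"vault kv put -mount={MOUNT} {PREFIX}/{name} {kv}")
    return cmds


if __name__ == "__main__":
    bundle = build_bundle("datarobot-app.example.com", "admin@example.com", rand_alnum(24))
    issues = validate(bundle)
    print("\n".join(issues) if issues else "\n".join(vault_put_commands(bundle)))
```

Because the emitted commands carry secret values as arguments, run them from a process with shell history disabled (or write each document to a file and use `vault kv put -mount=kv common/datarobot/<name> @<file>`) rather than pasting them into an interactive terminal.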