
Kubernetes Secrets

Prefect Self-Managed requires a number of secrets in order to function properly. If a secret is missing, or its content or format is incorrect, pods may CrashLoop, or keep running without retrieving any updated data from the database. For a POC or dev-managed environment, the following option in the prefect-cloud helm chart creates these secrets in the cluster for you, provided the corresponding values are configured in values.yaml:

# Creates secrets in K8s cluster if true
createAppSecretsInChart: true

For production environments, it is assumed each customer has their own requirements and security considerations, and will restrict access to these secrets and follow best practices within their organization.

As a matter of best practice, many Kubernetes environments use a Secrets Store CSI driver to sync secrets from an external secret manager into the cluster rather than defining them in values.yaml.

While configuring such a driver is outside the scope of Prefect Self-Managed, the secrets that would need to be provided through a SecretProviderClass are listed below. Note that this list is subject to change as development of the platform is ongoing. For how to configure and sync secrets using the driver, refer to the section for your cloud provider.

The format below lists, for each top-level Secret, its name followed by the keys and values within it. If createAppSecretsInChart is true, these Secrets are created for you during helm install from the values supplied in values.yaml. If createAppSecretsInChart is false, the expectation is that they already exist in the cluster, created through your own mechanisms, with exactly these names and keys.

All passwords inside connection strings must be URL-encoded. E.g. " !@" must be written as "%20%21%40". The prefect-user-password keys are the exception: they hold the raw, non-encoded serviceUser password.
Usernames are referenced as either the "serviceUser" or the "superUser" from prefect-cloud/values.yaml and can be changed as necessary.
The serviceUser (prefect by default) is the role used for most database connections and day-to-day platform usage.
The superUser (postgres by default) is used to generate the schemas and roles and to perform database migrations; it only appears in the schema-setup, db-migration and partman connection strings below.

events-replica-user-connection-strings

events-replica-user-connection-strings
  events-api: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/events
  logs: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/events
  nebula-api: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/events
  triggers: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/events

events-user-connection-strings

events-user-connection-strings
  db-migration: postgresql://postgres:<superUser URL Encoded Password>@<database hostname>:<port>/events
  schema-setup: postgresql://postgres:<superUser URL Encoded Password>@<database hostname>:<port>/postgres
  partman: postgresql+asyncpg://postgres:<superUser URL Encoded Password>@<database hostname>:<port>/events
  prefect-user-password: <NON URL ENCODED serviceUser password>
  events-api: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/events
  ladler: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/events
  logs: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/events
  nebula-api: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/events
  triggers: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/events

external-service-secrets

external-service-secrets
  adfs-client-secret: "" # Only if using ADFS
  okta-api-key: "" # Only if using Okta
  okta-client-secret: "" # Only if using Okta
  smtp-password: "" # Only if using SMTP

nebula-replica-user-connection-strings

nebula-replica-user-connection-strings
  actions: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/nebula
  auth-api: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/nebula
  events-api: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/nebula
  events-background: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/nebula
  expiration-setter: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/nebula
  nebula-api: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/nebula
  nebula-background: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/nebula
  orion-api: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/nebula
  search-indexer: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/nebula
  triggers: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/nebula

nebula-user-connection-strings

nebula-user-connection-strings
  db-migration: postgresql://postgres:<superUser URL Encoded Password>@<database hostname>:<port>/nebula
  schema-setup: postgresql://postgres:<superUser URL Encoded Password>@<database hostname>:<port>/postgres
  prefect-user-password: <NON URL ENCODED serviceUser password>
  actions: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/nebula
  auth-api: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/nebula
  events-api: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/nebula
  events-background: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/nebula
  expiration-setter: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/nebula
  nebula-api: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/nebula
  nebula-background: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/nebula
  orion-api: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/nebula
  search-indexer: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/nebula
  triggers: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/nebula

orion-replica-user-connection-strings

orion-replica-user-connection-strings
  cancellation-cleanup: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  expiration-processor: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  expiration-setter: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  flow-run-notifications: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  flow-run-reads: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  flow-run-writes: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  foreman: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  logs: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  mark-late-runs: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  nebula-api: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  nebula-background: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  orchestration-ui-reads: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  orion-api: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  orion-background: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  reaper-man: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  scheduler: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  task-run-reads: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  task-run-writes: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  work-pool-reads: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  worker-monitor: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion

orion-user-connection-strings

orion-user-connection-strings
  db-migration: postgresql://postgres:<superUser URL Encoded Password>@<database hostname>:<port>/orion
  schema-setup: postgresql://postgres:<superUser URL Encoded Password>@<database hostname>:<port>/postgres
  prefect-user-password: <NON URL ENCODED serviceUser password>
  cancellation-cleanup: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  expiration-processor: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  expiration-setter: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  flow-run-notifications: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  flow-run-reads: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  flow-run-writes: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  foreman: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  logs: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  mark-late-runs: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  nebula-api: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  nebula-background: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  orchestration-ui-reads: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  orion-api: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  orion-background: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  reaper-man: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  scheduler: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  task-run-reads: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  task-run-writes: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  work-pool-reads: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  worker-monitor: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion

redis-passwords

# Only necessary if Redis is password protected
redis-passwords
  cache: ""
  events: ""
  task-scheduling: ""
  triggers: ""
  work: ""
  work-pools: ""
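The following Python script is an added example, not code from the prefect-cloud chart or from Prefect. It renders the events-* secrets listed above with correctly URL-encoded passwords, and it checks a set of secrets created by your own tooling (for example, the Secrets Store driver path) against the layout on this page before you run helm install, catching the two mistakes the encoding rules above describe: a connection-string password that is not URL-encoded, and a prefect-user-password value that is encoded when it must be raw. The host, port and passwords in it are constructed sample values; the nebula-* and orion-* secrets follow the same pattern with their own key and database names.

```python
"""Build and sanity-check Prefect Self-Managed database secrets (added example)."""
import json
from urllib.parse import quote, urlsplit

ASYNC, SYNC = "postgresql+asyncpg", "postgresql"
USERS = {"service": "prefect", "super": "postgres"}   # chart defaults

# key -> (scheme, database, whose credentials), for each Secret on this page.
# Only the events-* Secrets are spelled out; nebula-*/orion-* follow suit.
SPEC = {
    "events-replica-user-connection-strings": {
        k: (ASYNC, "events", "service")
        for k in ("events-api", "logs", "nebula-api", "triggers")
    },
    "events-user-connection-strings": {
        "db-migration": (SYNC, "events", "super"),
        "schema-setup": (SYNC, "postgres", "super"),
        "partman": (ASYNC, "events", "super"),
        **{k: (ASYNC, "events", "service")
           for k in ("events-api", "ladler", "logs", "nebula-api", "triggers")},
    },
}
RAW_PASSWORD_KEY = "prefect-user-password"              # raw, NOT URL-encoded
NEEDS_RAW_PASSWORD = {"events-user-connection-strings"}


def encode_password(password: str) -> str:
    """URL-encode a password for a connection string.  safe="" makes
    '/', ':' and '@' escape too, so " !@" becomes "%20%21%40"."""
    return quote(password, safe="")


def conn_string(scheme, user, password, host, port, database):
    return f"{scheme}://{user}:{encode_password(password)}@{host}:{port}/{database}"


def build_secrets(service_pw, super_pw, host, port):
    """Render every Secret in SPEC as {secret-name: {key: value}}."""
    pws = {"service": service_pw, "super": super_pw}
    secrets = {}
    for name, keys in SPEC.items():
        data = {k: conn_string(s, USERS[r], pws[r], host, port, db)
                for k, (s, db, r) in keys.items()}
        if name in NEEDS_RAW_PASSWORD:
            data[RAW_PASSWORD_KEY] = service_pw
        secrets[name] = data
    return secrets


def check_secrets(secrets, service_pw, super_pw, host, port):
    """Return a list of problems; [] means every key matches SPEC.
    Feed it the decoded data of Secrets created outside the chart."""
    pws = {"service": service_pw, "super": super_pw}
    problems = []
    for name, keys in SPEC.items():
        data = secrets.get(name)
        if data is None:
            problems.append(f"{name}: secret missing")
            continue
        for key, (scheme, db, role) in keys.items():
            value = data.get(key)
            if value is None:
                problems.append(f"{name}/{key}: key missing")
                continue
            u = urlsplit(value)
            try:   # an unencoded '/' in the password shifts host/port; .port then raises
                got = (u.scheme, u.username, u.hostname, u.port, u.path)
            except ValueError as exc:
                problems.append(f"{name}/{key}: unparsable ({exc})")
                continue
            want = (scheme, USERS[role], host.lower(), int(port), "/" + db)
            if got != want:
                problems.append(f"{name}/{key}: parsed {got}, expected {want}")
            # the password component must be exactly the encoded form
            if u.password != encode_password(pws[role]):
                problems.append(f"{name}/{key}: password wrong or not URL-encoded")
        if name in NEEDS_RAW_PASSWORD and data.get(RAW_PASSWORD_KEY) != service_pw:
            problems.append(f"{name}/{RAW_PASSWORD_KEY}: must be the raw serviceUser password")
    return problems


def to_manifest(name, data, namespace="prefect"):
    """Secret manifest using stringData, so no manual base64 step is needed."""
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name, "namespace": namespace},
            "stringData": data}


if __name__ == "__main__":
    # constructed sample values
    built = build_secrets("s3cret !@", "sup3r/pass", "db.internal", 5432)
    assert check_secrets(built, "s3cret !@", "sup3r/pass", "db.internal", 5432) == []
    for name, data in built.items():      # JSON is valid YAML for kubectl apply -f
        print(json.dumps(to_manifest(name, data), indent=2))
```

Run it to print Secret manifests you can pipe to kubectl apply, or call check_secrets with the decoded data from kubectl get secret -o json to validate Secrets that a Secrets Store driver synced into the cluster. A password containing an unencoded @ or / is reported because the URL parser then sees the wrong password, host or port, which is the kind of format error the page says can leave pods CrashLooping.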