
Kubernetes Secrets

Prefect Self-Managed requires a number of secrets in order to function properly. If a secret is missing, or its content or format is wrong, pods can CrashLoop or keep running without retrieving any updated data from the database. For a POC or dev-managed environment, the following option in the prefect-cloud Helm chart creates these secrets in the cluster for you, provided they are configured in values.yaml:

# Creates secrets in K8s cluster if true
createAppSecretsInChart: true

For production environments, it is assumed that each customer has their own requirements and security considerations and will create and manage these secrets following best practices within their organization. Keep in mind that with createAppSecretsInChart enabled the passwords are also present in values.yaml and in the Helm release history that Helm stores in the cluster.

The format below lists each top-level Secret by name, followed by the keys and values it must contain. If createAppSecretsInChart is true, these Secrets are created for you during helm install from the values supplied in values.yaml. If createAppSecretsInChart is false, the expectation is that they already exist in the cluster, created through your own mechanisms, before the install runs.

All passwords that appear inside a connection string must be URL-encoded, e.g. " !@" becomes "%20%21%40". The prefect-user-password key is the one exception: it holds the raw serviceUser password, not URL-encoded.
Usernames are referenced as either the serviceUser or the superUser from prefect-cloud/values.yaml and can be changed as necessary.
The serviceUser (prefect by default) is used for most database connections and day-to-day platform usage.
The superUser (postgres by default) is used to generate the schemas and roles and to perform database migrations.
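For the case where createAppSecretsInChart is false and you build the Secrets yourself, the following added example (not code from the prefect-cloud chart) assembles one of the connection-string Secrets from the key list on this page, applies the URL-encoding rule above with the prefect-user-password exception, and then audits a Secret manifest the way you would before a helm install. The hostname db.example.internal, port 5432, namespace prefect, the two passwords and the function names are all assumptions made for the example.

```python
"""Build and audit Prefect Self-Managed connection-string Secrets.

Added example, not code from the prefect-cloud chart. Key names follow this
page's listing for orion-user-connection-strings; hostnames, ports and
passwords in the usage block are constructed placeholders.
"""
import base64
import string
from urllib.parse import quote, unquote, urlsplit

SERVICE_USER = "prefect"   # chart default for serviceUser
SUPER_USER = "postgres"    # chart default for superUser

# Keys read by the orion services, all as the serviceUser over asyncpg.
ORION_SERVICE_KEYS = (
    "expiration-processor", "expiration-setter", "flow-run-notifications",
    "flow-run-reads", "flow-run-writes", "foreman", "logs", "mark-late-runs",
    "nebula-api", "nebula-background", "orchestration-ui-reads", "orion-api",
    "orion-background", "reaper-man", "scheduler", "task-run-reads",
    "task-run-recorder", "task-run-writes", "work-pool-reads", "worker-monitor",
)
ORION_KEYS = ("prefect-user-password", "schema-setup", "db-migration") + ORION_SERVICE_KEYS
# Characters allowed unencoded in the userinfo part of a URL ("%" starts an escape).
_UNRESERVED = set(string.ascii_letters + string.digits + "-._~%")


def encode_password(password):
    """Percent-encode for a URL. safe="" matters: quote() keeps "/" literal by
    default, and an unencoded "/", "@" or ":" breaks the host/path split."""
    return quote(password, safe="")


def build_connection_strings(host, port, database, service_keys,
                             service_password, super_password):
    """Assemble the key/value pairs of one *-user-connection-strings Secret."""
    svc = f"{SERVICE_USER}:{encode_password(service_password)}@{host}:{port}"
    sup = f"{SUPER_USER}:{encode_password(super_password)}@{host}:{port}"
    data = {
        "schema-setup": f"postgresql://{sup}/postgres",   # superUser creates roles/schemas
        "db-migration": f"postgresql://{sup}/{database}",  # superUser runs migrations
        "prefect-user-password": service_password,         # the one key that is NOT encoded
    }
    for key in service_keys:
        data[key] = f"postgresql+asyncpg://{svc}/{database}"
    return data


def to_secret_manifest(name, namespace, data):
    """Render an Opaque Secret with base64 'data', the form kubectl shows."""
    return {
        "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
        "metadata": {"name": name, "namespace": namespace},
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in data.items()},
    }


def check_secret(manifest, expected_keys):
    """Return the problems that would leave pods crash-looping or on stale data.

    Takes the dict form of `kubectl get secret <name> -o json`, so secrets
    created outside the chart can be audited before the helm install.
    """
    data = {k: base64.b64decode(v).decode()
            for k, v in manifest.get("data", {}).items()}
    problems = [f"missing key: {k}" for k in expected_keys if k not in data]
    raw_pw = data.get("prefect-user-password")
    for key, url in data.items():
        if key == "prefect-user-password":
            continue
        parts = urlsplit(url)
        try:
            has_port = parts.port is not None
        except ValueError:        # non-numeric port
            has_port = False
        if not (parts.hostname and has_port and parts.path.strip("/")):
            problems.append(f"{key}: host, port or database missing")
            continue
        pw = parts.password or ""
        if set(pw) - _UNRESERVED:
            problems.append(f"{key}: password is not fully URL-encoded")
        if parts.username == SERVICE_USER:
            if unquote(pw) != raw_pw:
                problems.append(f"{key}: password differs from prefect-user-password")
            if parts.scheme != "postgresql+asyncpg":
                problems.append(f"{key}: serviceUser URLs use postgresql+asyncpg")
        elif parts.username != SUPER_USER:
            problems.append(f"{key}: unexpected user {parts.username!r}")
    return problems


if __name__ == "__main__":
    # Constructed placeholders; real values come from your own secret store.
    values = build_connection_strings("db.example.internal", 5432, "orion",
                                      ORION_SERVICE_KEYS, " !@", "s3cret/Pass")
    secret = to_secret_manifest("orion-user-connection-strings", "prefect", values)
    print(values["scheduler"])
    print(check_secret(secret, ORION_KEYS))   # []
```

To audit a Secret that already exists in the cluster, load the JSON from kubectl get secret orion-user-connection-strings -o json and pass it to check_secret with ORION_KEYS; an empty list means every key is present, every URL parses to a host, port and database, the service URLs carry the encoded form of exactly the password stored in prefect-user-password, and no reserved character was left unencoded. The same recipe applies to the events and nebula Secrets with their own key lists from this page.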

events-replica-user-connection-strings

events-replica-user-connection-strings
  db-migration: postgresql://postgres:<superUser URL Encoded Password>@<replica database hostname>:<port>/events
  events-api: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<replica database hostname>:<port>/events
  ladler: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<replica database hostname>:<port>/events
  logs: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<replica database hostname>:<port>/events
  nebula-api: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<replica database hostname>:<port>/events
  partman: postgresql+asyncpg://postgres:<superUser URL Encoded Password>@<replica database hostname>:<port>/events
  prefect-user-password: <NON URL ENCODED serviceUser password>
  schema-setup: postgresql://postgres:<superUser URL Encoded Password>@<replica database hostname>:<port>/postgres
  triggers: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<replica database hostname>:<port>/events

events-user-connection-strings

events-user-connection-strings
  db-migration: postgresql://postgres:<superUser URL Encoded Password>@<database hostname>:<port>/events
  events-api: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/events
  ladler: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/events
  logs: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/events
  nebula-api: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/events
  partman: postgresql+asyncpg://postgres:<superUser URL Encoded Password>@<database hostname>:<port>/events
  prefect-user-password: <NON URL ENCODED serviceUser password>
  schema-setup: postgresql://postgres:<superUser URL Encoded Password>@<database hostname>:<port>/postgres
  triggers: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/events

external-service-secrets

external-service-secrets
  adfs-client-secret: "" # Only if using ADFS
  entra-client-secret: "" # Only if using Entra
  okta-api-key: "" # Only if using Okta
  okta-client-secret: "" # Only if using Okta
  smtp-password: "" # Only if using SMTP

nebula-replica-user-connection-strings

nebula-replica-user-connection-strings
  actions: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<replica database hostname>:<port>/nebula
  auth-api: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<replica database hostname>:<port>/nebula
  events-api: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<replica database hostname>:<port>/nebula
  events-background: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<replica database hostname>:<port>/nebula
  expiration-setter: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<replica database hostname>:<port>/nebula
  nebula-api: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<replica database hostname>:<port>/nebula
  nebula-background: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<replica database hostname>:<port>/nebula
  orion-api: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<replica database hostname>:<port>/nebula
  triggers: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<replica database hostname>:<port>/nebula

nebula-user-connection-strings

nebula-user-connection-strings
  prefect-user-password: <NON URL ENCODED serviceUser password>
  schema-setup: postgresql://postgres:<superUser URL Encoded Password>@<database hostname>:<port>/postgres
  db-migration: postgresql://postgres:<superUser URL Encoded Password>@<database hostname>:<port>/nebula

  actions: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/nebula
  auth-api: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/nebula
  events-api: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/nebula
  events-background: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/nebula
  expiration-setter: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/nebula
  nebula-api: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/nebula
  nebula-background: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/nebula
  orion-api: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/nebula
  triggers: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/nebula

orion-replica-user-connection-strings

orion-replica-user-connection-strings
  expiration-processor: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<replica database hostname>:<port>/orion
  expiration-setter: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<replica database hostname>:<port>/orion
  flow-run-notifications: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<replica database hostname>:<port>/orion
  flow-run-reads: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<replica database hostname>:<port>/orion
  flow-run-writes: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<replica database hostname>:<port>/orion
  foreman: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<replica database hostname>:<port>/orion
  logs: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<replica database hostname>:<port>/orion
  mark-late-runs: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<replica database hostname>:<port>/orion
  nebula-api: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<replica database hostname>:<port>/orion
  nebula-background: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<replica database hostname>:<port>/orion
  orchestration-ui-reads: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<replica database hostname>:<port>/orion
  orion-api: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<replica database hostname>:<port>/orion
  orion-background: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<replica database hostname>:<port>/orion
  reaper-man: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<replica database hostname>:<port>/orion
  scheduler: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<replica database hostname>:<port>/orion
  task-run-reads: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<replica database hostname>:<port>/orion
  task-run-recorder: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<replica database hostname>:<port>/orion
  task-run-writes: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<replica database hostname>:<port>/orion
  work-pool-reads: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<replica database hostname>:<port>/orion
  worker-monitor: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<replica database hostname>:<port>/orion

orion-user-connection-strings

orion-user-connection-strings
  db-migration: postgresql://postgres:<superUser URL Encoded Password>@<database hostname>:<port>/orion
  prefect-user-password: <NON URL ENCODED serviceUser password>
  schema-setup: postgresql://postgres:<superUser URL Encoded Password>@<database hostname>:<port>/postgres

  expiration-processor: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  expiration-setter: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  flow-run-notifications: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  flow-run-reads: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  flow-run-writes: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  foreman: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  logs: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  mark-late-runs: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  nebula-api: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  nebula-background: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  orchestration-ui-reads: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  orion-api: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  orion-background: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  reaper-man: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  scheduler: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  task-run-reads: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  task-run-recorder: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  task-run-writes: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  work-pool-reads: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion
  worker-monitor: postgresql+asyncpg://prefect:<serviceUser URL Encoded Password>@<database hostname>:<port>/orion

redis-passwords

# Only necessary if Redis is password protected; leave the values empty otherwise
redis-passwords
  cache: ""
  events: ""
  streams: ""