values.yaml
1405 lines (1260 loc) · 58 KB
# Default values for zenml.

imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""

# ZenML server related options.
server:
  replicaCount: 1

  # The number of ZenML server worker threads to use. This controls the number
  # of concurrent requests that each ZenML server pod/replica can handle at a
  # time. If not specified, the default value is 40.
  #
  # NOTE: this value should be coordinated with the `zenml.database.poolSize`
  # and `zenml.database.maxOverflow` values to ensure that the ZenML server
  # workers do not block on database connections (i.e. the sum of the pool size
  # and max overflow should be greater than or equal to the thread pool size).
  #
  # threadPoolSize: 40

  # The number of ZenML server threads that are dedicated to authentication.
  # This controls the number of requests that can be verified concurrently. If
  # not specified, the default value is 5.
  #
  # NOTE: this value should be coordinated with the `zenml.database.poolSize`
  # and `zenml.database.maxOverflow` values to ensure that the ZenML server
  # worker threads do not block on database connections (i.e. the sum of the
  # pool size and max overflow should be greater than or equal to the main
  # thread pool size plus the auth thread pool size).
  #
  # authThreadPoolSize: 5

  # The timeout in seconds after which a request is considered timed out by the
  # server if it takes too long to complete. After this time value, the server
  # will preemptively return a 429 status code (rate limit exceeded) to the
  # client to free up connections. If not specified, the default value is 30.
  #
  # NOTE: this value should be lower than the client's configured HTTP timeout
  # (which defaults to 30 seconds) to avoid the client timing out before the
  # server does.
  #
  # requestTimeout: 20

  # Whether to cache request responses and use them to deduplicate retried
  # requests. If not specified, the default value is true. Only POST requests
  # and requests to endpoints that are known to incur longer processing times
  # at scale are cached and deduplicated.
  #
  # NOTE: don't disable this feature unless you know what you are doing. This is
  # crucial to ensure idempotency of POST requests.
  #
  # requestDeduplication: true

  # The timeout in seconds after which a cached request result is deleted.
  # If not specified, the default value is 300.
  #
  # requestCacheTimeout: 300

  # Live event streaming for pipeline runs. Dormant unless
  # `streamBrokerImplementationSource` is set. Source `ZENML_REDIS_BROKER_URL`
  # from a secret via `server.environmentSecretKeyRefs`.
  streaming:
    # streamBrokerImplementationSource: zenml.zen_server.streaming.brokers.redis_streams.RedisStreamsBroker
    #
    # SSE heartbeat interval (seconds). Default: 30.
    # heartbeatSeconds: 30
    #
    # Max simultaneous subscribers per run. The N+1th gets 503. Default: 100.
    # maxSubscribersPerStream: 100
    #
    # How long the server keeps a stream's broker reader running after the
    # last subscriber disconnects, so quick reconnects don't re-probe the
    # broker. Default: 30.
    # broadcasterIdleGraceSeconds: 30

  image:
    repository: zenmldocker/zenml-server
    pullPolicy: Always
    # Overrides the image tag whose default is the chart appVersion.
    tag:
  # ZenML Pro related options.
  pro:
    # Set `enabled` to true to enable ZenML Pro servers. If set, some of the
    # configuration options in the `zenml` section will be overridden with
    # values specific to ZenML Pro servers computed from the values set in the
    # `pro` section.
    enabled: false
    # The URL where the ZenML Pro server API is reachable.
    apiURL: https://cloudapi.zenml.io
    # The URL where the ZenML Pro dashboard is reachable.
    dashboardURL: https://cloud.zenml.io
    # Additional origins to allow in the CORS policy.
    extraCorsOrigins:
    # The ID of the ZenML Pro workspace to use.
    workspaceID:
    # The name of the ZenML Pro workspace to use.
    workspaceName:
    # The ID of the ZenML Pro organization to use.
    organizationID:
    # The name of the ZenML Pro organization to use.
    organizationName:
    # The enrollment key to use for the ZenML Pro workspace. If not specified,
    # an enrollment key will be auto-generated.
    enrollmentKey:

  # The URL where the ZenML server API is reachable. If not specified, the
  # clients will use the same URL used to connect them to the ZenML server.
  #
  # IMPORTANT: this value must be set for ZenML Pro servers.
  serverURL:
  # The URL where the ZenML dashboard is reachable.
  # If not specified, the `serverURL` value is used. This should be
  # configured if the dashboard is served from a different URL than the
  # ZenML server.
  #
  # This value is used to compute the dashboard URLs during the web login
  # authentication workflow, to print dashboard URLs in log messages when
  # running a pipeline and for other similar tasks.
  #
  # This value is overridden if the `zenml.pro.enabled` value is set.
  dashboardURL:
  debug: true
  # Flag to enable/disable the tracking process of the analytics.
  analyticsOptIn: true
  # ZenML server deployment type. This field is used for telemetry purposes.
  # Example values are "local", "kubernetes", "aws", "gcp", "azure".
  #
  # This value is overridden if the `zenml.pro.enabled` value is set.
  deploymentType:
  # Authentication settings that control how the ZenML server authenticates
  # its users.
  auth:
    # The ZenML authentication scheme. Use one of:
    #
    #   NO_AUTH - No authentication
    #   HTTP_BASIC - HTTP Basic authentication
    #   OAUTH2_PASSWORD_BEARER - OAuth2 password bearer
    #   EXTERNAL - External authentication (e.g. via a remote authenticator)
    #
    # This value is overridden if the `zenml.pro.enabled` value is set.
    authType: OAUTH2_PASSWORD_BEARER
    # The secret key used to sign JWT tokens. This should be set to
    # a random string with a recommended length of at least 32 characters, e.g.:
    #
    # ```python
    # from secrets import token_hex
    # token_hex(32)
    # ```
    #
    # or:
    #
    # ```shell
    # openssl rand -hex 32
    # ```
    #
    # If not explicitly set, a random key will be generated when the helm
    # chart is installed and reused for all subsequent upgrades.
    jwtSecretKey:
    # The JWT token algorithm to use. Use one of:
    #
    #   HS256 - HMAC using SHA-256 hash algorithm
    #   HS384 - HMAC using SHA-384 hash algorithm
    #   HS512 - HMAC using SHA-512 hash algorithm
    jwtTokenAlgorithm: HS256
    # The issuer of the JWT tokens. If not specified, the issuer is set to the
    # ZenML Server ID.
    jwtTokenIssuer:
    # The audience of the JWT tokens. If not specified, the audience is set to
    # the ZenML Server ID.
    jwtTokenAudience:
    # The leeway in seconds allowed when verifying the expiration time of JWT
    # tokens.
    jwtTokenLeewaySeconds: 10
    # The expiration time of JWT tokens in minutes. If not specified, generated
    # JWT tokens will not be set to expire and remain verifiable until the
    # `jwtSecretKey` is rotated, so set a value for any deployment that is
    # reachable from outside a trusted network.
    #
    # This value is automatically set if the `zenml.pro.enabled` value is set.
    jwtTokenExpireMinutes:
    # The name of the http-only cookie used to store the JWT tokens used to
    # authenticate web clients. If not specified, the cookie name is set to a
    # value computed from the ZenML server ID.
    authCookieName:
    # The domain of the http-only cookie used to store the JWT tokens used to
    # authenticate web clients. If not specified, the cookie domain is set to
    # the domain of the ZenML server.
    authCookieDomain:
    # The origins allowed to make cross-origin requests to the ZenML server. If
    # not specified, all origins are allowed. Set this when the ZenML dashboard
    # is hosted on a different domain than the ZenML server.
    #
    # This value is overridden if the `zenml.pro.enabled` value is set.
    corsAllowOrigins:
      - "*"
    # The maximum number of failed authentication attempts allowed for an OAuth
    # 2.0 device before the device is locked.
    #
    # This value is ignored if the `zenml.auth.authType` is set to `EXTERNAL` or
    # `NO_AUTH`.
    maxFailedDeviceAuthAttempts: 3
    # The timeout in seconds after which a pending OAuth 2.0 device
    # authorization request expires.
    #
    # This value is ignored if the `zenml.auth.authType` is set to `EXTERNAL` or
    # `NO_AUTH`.
    deviceAuthTimeout: 300
    # The polling interval in seconds used by clients to poll the OAuth 2.0
    # device authorization endpoint for the status of a pending device
    # authorization request.
    #
    # This value is ignored if the `zenml.auth.authType` is set to `EXTERNAL` or
    # `NO_AUTH`.
    deviceAuthPollingInterval: 5
    # The time in minutes that an OAuth 2.0 device is allowed to be used to
    # authenticate with the ZenML server. If not set or if
    # `zenml.auth.jwtTokenExpireMinutes` is not set, the devices are allowed to
    # be used indefinitely. This controls the expiration time of the JWT tokens
    # issued to clients after they have authenticated with the ZenML server
    # using an OAuth 2.0 device.
    #
    # This value is ignored if the `zenml.auth.authType` is set to `EXTERNAL` or
    # `NO_AUTH`.
    deviceExpirationMinutes:
    # The time in minutes that a trusted OAuth 2.0 device is allowed to be used
    # to authenticate with the ZenML server. If not set or if
    # `zenml.auth.jwtTokenExpireMinutes` is not set, the devices are allowed to
    # be used indefinitely. This controls the expiration time of the JWT tokens
    # issued to clients after they have authenticated with the ZenML server
    # using an OAuth 2.0 device that was previously trusted by the user.
    #
    # This value is ignored if the `zenml.auth.authType` is set to `EXTERNAL` or
    # `NO_AUTH`.
    trustedDeviceExpirationMinutes:
    # The login URL of an external authenticator service to use with the
    # `EXTERNAL` authentication scheme. Only relevant if `zenml.auth.authType`
    # is set to `EXTERNAL`.
    #
    # This value is overridden if the `zenml.pro.enabled` value is set.
    externalLoginURL:
    # The user info URL of an external authenticator service to use with the
    # `EXTERNAL` authentication scheme. Only relevant if `zenml.auth.authType`
    # is set to `EXTERNAL`.
    #
    # This value is overridden if the `zenml.pro.enabled` value is set.
    externalUserInfoURL:
    # The UUID of the ZenML server to use with the `EXTERNAL` authentication
    # scheme. If not specified, the regular ZenML server ID (deployment ID) is
    # used.
    #
    # This value is overridden if the `zenml.pro.enabled` value is set.
    externalServerID:
    # Source pointing to a class implementing the RBAC interface defined by
    # `zenml.zen_server.rbac.rbac_interface.RBACInterface`. If not specified,
    # RBAC will not be enabled for this server.
    #
    # This value is overridden if the `zenml.pro.enabled` value is set.
    rbacImplementationSource:
    # Source pointing to a class implementing the feature gate interface defined
    # by `zenml.zen_server.feature_gate.feature_gate_interface.FeatureGateInterface`.
    # If not specified, feature gating will not be enabled for this server.
    #
    # This value is overridden if the `zenml.pro.enabled` value is set.
    featureGateImplementationSource:
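The override file below is an added example, not part of the chart's own `values.yaml`, showing the permissive defaults of the `auth` section beside a hardened configuration for a server reachable from the internet. It assumes the settings nest under the top-level `server:` key shown at the top of this file (the comments refer to the same section with a `zenml.` prefix; use whichever key your chart version expects), a dashboard served from `https://zenml.example.com`, and a signing key passed in at install time. All of those are placeholders.

```yaml
# values-auth.yaml: hardened auth settings (added example, not chart code).
# Key path `server.auth` is assumed; the chart comments call it `zenml.auth`.
server:
  auth:
    authType: OAUTH2_PASSWORD_BEARER

    # Chart default: unset, so a random key is generated at install time and
    # reused on upgrades. Supplying your own lets you rotate it on purpose.
    # Generate with `openssl rand -hex 32` and pass it from your CI secret
    # store, e.g.:  --set-string server.auth.jwtSecretKey="$JWT_KEY"
    # Never commit the real value into this file.
    # jwtSecretKey: <supplied via --set-string at install time>

    # Chart default: unset, i.e. tokens never expire and stay verifiable until
    # the signing key is rotated. Bound them; CLI clients re-authenticate
    # through the device flow when a token lapses.
    jwtTokenExpireMinutes: 60
    jwtTokenLeewaySeconds: 10

    # Device-issued tokens are only bounded when jwtTokenExpireMinutes AND one
    # of these is set. One day for a freshly authorized device, thirty days for
    # a device the user explicitly marked as trusted.
    deviceExpirationMinutes: 1440
    trustedDeviceExpirationMinutes: 43200
    maxFailedDeviceAuthAttempts: 3
    deviceAuthTimeout: 300

    # Chart default (shown commented out) lets any web origin make cross-origin
    # requests to the API. List only the origin(s) that serve the dashboard.
    #
    # corsAllowOrigins:
    #   - "*"
    corsAllowOrigins:
      - https://zenml.example.com
    # Scope the http-only auth cookie to the host that serves the dashboard.
    authCookieDomain: zenml.example.com
```

Apply it with `helm upgrade --install ... -f values-auth.yaml` on top of the chart defaults; the device expiration values have no effect unless `jwtTokenExpireMinutes` is also set, as the comments above state.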
  # The root URL path to use when behind a proxy. This is useful when the
  # `rewrite-target` annotation is used in the ingress controller, e.g.:
  #
  # ```yaml
  # rootUrlPath: /zenml
  #
  # ingress:
  #   enabled: true
  #   className: "nginx"
  #   annotations:
  #     nginx.ingress.kubernetes.io/rewrite-target: /$1
  #   host:
  #   path: /zenml/?(.*)
  # ```
  rootUrlPath:
  defaultProject: default
  # Implicit authentication methods featured by service connectors that support
  # them are disabled by default, for security reasons. This is because they
  # allow users to authenticate to the cloud provider where ZenML is running
  # without having to provide any credentials.
  enableImplicitAuthMethods: false
  # MySQL database configuration. If not set, a local sqlite database will be
  # used. To ensure data are not lost, check the persistence part.
  # NOTE: the certificate files need to be copied in the helm chart folder and
  # the paths configured here need to be relative to the root of the helm chart.
  database:
    # If set to true, the path where the local database is created will be
    # mounted as a persistent volume so the data is not lost on pod restarts.
    # Only relevant for the local sqlite database.
    # When persistence is enabled, ensure that podSecurityContext.fsGroup
    # is set to 1000 (this is the default) so that the ZenML container can write to
    # the persistent volume. The container runs as UID 1000, and without fsGroup
    # set, the PVC will be mounted with root:root ownership, causing permission errors.
    persistence:
      enabled: false
      size: 1Gi
      storageClassName: ""
    # The database URL. If not set, a local sqlite database will be used, which
    # will not be persisted across pod restarts unless `persistence.enabled` is
    # true. The URL can contain the password or it can be provided in a secret
    # using the `passwordSecretRef` option.
    #
    # E.g.: "mysql://admin:password@zenml-mysql:3306/database"
    url:
    # The Kubernetes secret containing the MySQL password. If not set, the
    # password provided in the `url` option will be used.
    passwordSecretRef:
      # name:
      # key:
    # Set to true to enable SSL for the MySQL database. Defaults to false.
    # NOTE: setting any of the SSL certificate options (sslCa, sslCert, sslKey)
    # will automatically set this option to true.
    ssl: false
    # The MySQL SSL CA certificate. Required for SSL enabled authentication if
    # the CA certificate is not part of the certificates shipped with the
    # container image. Can be provided as an inline value or as a Kubernetes
    # secret reference.
    #
    # NOTE: it is recommended to use the `zenml.certificates` option instead to
    # configure the CA certificate globally. This option only applies to the
    # MySQL database.
    sslCa:
      # value: |
      #   -----BEGIN CERTIFICATE-----
      #   ...
      #   -----END CERTIFICATE-----
      #
      # secretRef:
      #   name: ca-certificate
      #   key: ca.pem
    # The MySQL SSL client certificate. Required for SSL enabled authentication
    # if client certificates are used. Can be provided as an inline value or as
    # a Kubernetes secret reference.
    sslCert:
      # value: |
      #   -----BEGIN CERTIFICATE-----
      #   ...
      #   -----END CERTIFICATE-----
      #
      # secretRef:
      #   name: client-certificate
      #   key: client-cert.pem
    # The MySQL SSL client key. Required for SSL enabled authentication if
    # client certificates are used. Can be provided as an inline value or as
    # a Kubernetes secret reference.
    sslKey:
      # value: |
      #   -----BEGIN PRIVATE KEY-----
      #   ...
      #   -----END PRIVATE KEY-----
      #
      # secretRef:
      #   name: client-key
      #   key: client-key.pem
    # Set to true to verify the identity of the server against the provided
    # server certificate. Defaults to false.
    #
    # NOTE: while this is false the connection is encrypted but the database
    # server is not authenticated, so an on-path attacker can impersonate it.
    # Enable it together with `sslCa` for production deployments.
    sslVerifyServerCert: false
    # Connection pool settings (only relevant for MySQL databases).
    #
    # NOTE: these values should be coordinated with the `zenml.threadPoolSize`
    # to ensure that the ZenML server workers do not block on database
    # connections (i.e. the sum of the pool size and max overflow should be
    # greater than or equal to the main thread pool size plus the auth thread
    # pool size).
    #
    # poolSize: 20
    # maxOverflow: 20
    # ZenML supports backing up the database before DB migrations are performed
    # and restoring it in case of a DB migration failure. For more information,
    # see the following documentation:
    # https://docs.zenml.io/getting-started/deploying-zenml/deploy-with-helm#database-backup-and-recovery
    #
    # Several backup strategies are supported:
    #
    #   disabled - no backup is performed
    #   in-memory - the database schema and data are stored in memory. This is
    #               the fastest backup strategy, but the backup is not persisted
    #               across pod restarts, so no manual intervention is possible
    #               in case the automatic DB recovery fails after a failed DB
    #               migration. Adequate memory resources should be allocated to
    #               the ZenML server pod when using this backup strategy with
    #               large databases.
    #               This is the default backup strategy.
    #   dump-file - the database schema and data are dumped to a local file.
    #               Users may optionally configure a persistent volume where
    #               the dump file will be stored by setting the
    #               `backupPVStorageSize` and optionally the
    #               `backupPVStorageClass` options. If a
    #               persistent volume is not configured, the dump file will be
    #               stored in an emptyDir volume, which is not persisted.
    #               NOTE: you should set the podSecurityContext.fsGroup option
    #               if you are using a persistent volume to store the dump file.
    #   database - the database is copied to a backup database in the same
    #              database server. This requires the `backupDatabase`
    #              option to be set to the name of the backup database.
    #              This backup strategy is only supported for MySQL
    #              compatible databases and the user specified in the
    #              database URL must have permissions to manage (create, drop, and
    #              modify) the backup database in addition to the main
    #              database.
    #   mydumper - the database is backed up using mydumper/myloader. This
    #              requires the mydumper and myloader utilities to be installed
    #              in the ZenML server container. The `mydumperThreads`,
    #              `mydumperCompress`, `mydumperExtraArgs`, `myloaderThreads`,
    #              and `myloaderExtraArgs` options can be used to configure the
    #              backup and restore processes.
    #   custom - use a custom backup engine. This requires the `customBackupEngine`
    #            option to be set to the class path of the custom backup engine.
    #            The class should extend from the `zenml.zen_stores.migrations.backup.base_backup_engine.BaseBackupEngine`
    #            base class and be importable from the container image that you
    #            are using for the ZenML server. Arguments for the custom backup engine
    #            can be passed using the `customBackupEngineConfig` option.
    #
    # backupStrategy: in-memory
    # backupPVStorageClass: standard
    # backupPVStorageSize: 1Gi
    # backupDatabase: "zenml_backup"
    #
    # mydumperThreads: 4
    # mydumperCompress: true
    # mydumperExtraArgs: []
    # myloaderThreads: 4
    # myloaderExtraArgs: []
    #
    # customBackupEngine: my.custom.backup.engine.MyCustomBackupEngine
    # customBackupEngineConfig:
    #   arg1: value1
    #   arg2: value2
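The following `database` override is an added example rather than code from the chart. It ties together the thread-pool notes at the top of the file and the database, TLS, pool and backup passages above: no password in the URL, TLS with the server certificate actually verified, a pool sized for the worker threads, and a pre-migration dump written to a persistent volume. Assumed placeholders: the top-level `server:` key (the comments call the section `zenml.`), a MySQL service at `zenml-mysql.db.svc:3306`, Kubernetes secrets `zenml-db` (key `password`) and `mysql-ca` (key `ca.pem`), and a top-level `podSecurityContext` block as referenced by the fsGroup notes above.

```yaml
# values-db.yaml (added example, not chart code; key paths assumed, see lead-in)
server:
  # Per-replica concurrency, from the threadPoolSize/authThreadPoolSize notes
  # at the top of the file: up to 40 + 5 = 45 threads may need a DB connection
  # at the same time.
  threadPoolSize: 40
  authThreadPoolSize: 5

  database:
    # The password is deliberately absent from the URL: there it would show up
    # in `helm get values` output and in CI logs. It is read from the secret
    # referenced right below instead.
    url: "mysql://zenml@zenml-mysql.db.svc:3306/zenml"
    passwordSecretRef:
      name: zenml-db
      key: password

    # Encrypt AND authenticate the server. `ssl: true` alone negotiates TLS but
    # does not check the server's identity; sslVerifyServerCert ties it to the
    # CA supplied in sslCa.
    ssl: true
    sslCa:
      secretRef:
        name: mysql-ca
        key: ca.pem
    sslVerifyServerCert: true

    # poolSize + maxOverflow = 25 + 20 = 45 >= 40 + 5 worker threads, so no
    # request thread blocks waiting for a free connection.
    poolSize: 25
    maxOverflow: 20

    # Keep the pre-migration dump on a PV rather than in pod memory or an
    # emptyDir, so a failed migration can still be recovered by hand after a
    # pod restart. The dump holds the entire database, including the rows of
    # the SQL secrets store, so protect the volume like the database itself.
    backupStrategy: dump-file
    backupPVStorageClass: standard
    backupPVStorageSize: 5Gi

# The ZenML container runs as UID 1000; without fsGroup the PV is root-owned
# and the dump fails with a permission error (see the persistence notes
# above). 1000 is the chart default, repeated here so the dependency is visible.
podSecurityContext:
  fsGroup: 1000
```

If you prefer the `database` backup strategy instead, remember that the user in the URL must then be allowed to create and drop the backup database, which widens its privileges beyond the main schema; the `dump-file` strategy keeps the database account read-only with respect to other schemas.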
  # Secrets store settings. This is used to store centralized secrets.
  secretsStore:
    # Set to false to disable the secrets store.
    enabled: true
    # The type of secrets store to use. Use one of:
    #
    #   sql - Use the same SQL database as the ZenML server
    #   aws - Use the AWS Secrets Manager as a secrets store
    #   gcp - Use the GCP Secrets Manager as a secrets store
    #   azure - Use the Azure Key Vault as a secrets store
    #   hashicorp - Use the HashiCorp Vault as a secrets store
    #   custom - Use a custom secrets store implementation (needs a custom
    #            ZenML server image with the custom secrets store implementation
    #            installed)
    #
    # Depending on the type, additional configuration options may be required
    # under the respective sections.
    #
    type: sql
    # SQL secrets store configuration. Only relevant if the `sql` secrets store
    # type is configured.
    sql:
      # The secret key used to encrypt secrets in the SQL database. Only relevant
      # if the SQL secrets store type is used. This should be set to a random
      # string with a recommended length of at least 32 characters, e.g.:
      #
      # ```python
      # from secrets import token_hex
      # token_hex(32)
      # ```
      #
      # or:
      #
      # ```shell
      # openssl rand -hex 32
      # ```
      #
      # If not set, database secret encryption will be disabled and secret
      # values are stored in the database unencrypted.
      #
      # IMPORTANT: If you configure encryption for your SQL database secrets
      # store, you should keep this value somewhere safe and secure, as it will be
      # required to decrypt the secrets in the database. If you lose the
      # encryption key, you will not be able to decrypt the secrets in the
      # database and will have to reset them. You should not change this value
      # after you have already configured encryption for your SQL database
      # secrets store.
      encryptionKey:
    # AWS secrets store configuration. Only relevant if the `aws` secrets store
    # type is configured.
    #
    # The AWS secrets store uses the AWS Service Connector under the hood to
    # authenticate with the AWS Secrets Manager API. This means that you can
    # use the same authentication methods and configuration as you would use for
    # the AWS Service Connector. Just set the `authMethod` field to the
    # authentication method that you want to use and set the required
    # configuration attributes under the `authConfig` field.
    #
    # For a list of supported authentication methods and their configuration
    # options, see the following documentation:
    # https://docs.zenml.io/how-to/auth-management/aws-service-connector#authentication-methods
    #
    # You can also use the ZenML CLI to get the list of supported authentication
    # methods and their configuration options, e.g.:
    #
    # ```shell
    # zenml service-connector describe-type aws
    # zenml service-connector describe-type aws --auth-method secret-key
    # ```
    aws:
      # The AWS Service Connector authentication method to use. The currently
      # supported authentication methods are:
      #
      #   - implicit - Use the IAM role attached to the ZenML server pod or
      #                environment variables to authenticate with the AWS Secrets
      #                Manager API
      #   - secret-key - Use an AWS secret key
      #   - iam-role - Use an IAM role
      #   - session-token - Use an AWS session token derived from an AWS secret
      #                     key
      #   - federation-token - Use an AWS federation token derived from an AWS
      #                        secret key
      authMethod: secret-key
      # The AWS Service Connector authentication configuration. This should
      # include the corresponding authentication configuration attributes for
      # the `authMethod` that you have chosen above.
      authConfig:
        # The AWS region to use. This must be set to the region where the AWS
        # Secrets Manager service that you want to use is located. Mandatory
        # for all authentication methods.
        region:
        # The AWS access key and secret key to use to authenticate with the AWS
        # Secrets Manager instance. Both are required if the `authMethod` is set
        # to `secret-key`, `iam-role`, `session-token`, or `federation-token`.
        aws_access_key_id:
        aws_secret_access_key:
        # The AWS role ARN to use to authenticate with the AWS Secrets Manager
        # instance. Required if the `authMethod` is set to `iam-role`. Optional
        # if the `authMethod` is set to `implicit`.
        role_arn:
      # The AWS region to use. This must be set to the region where the AWS
      # Secrets Manager service that you want to use is located.
      #
      # NOTE: deprecated; use `authConfig.region` instead.
      region_name:
      # The AWS credentials to use to authenticate with the AWS Secrets
      # Manager instance. You can omit these if you are running the ZenML server
      # in an AWS EKS cluster that has an IAM role attached to it that has
      # permissions to access the AWS Secrets Manager instance.
      #
      # NOTE: deprecated; use `authConfig.aws_access_key_id`
      # and `authConfig.aws_secret_access_key` instead.
      aws_access_key_id:
      aws_secret_access_key:
      aws_session_token:
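An added example (not chart code) of the AWS backend configured two ways: the long-lived `secret-key` method that the chart defaults to, beside the `implicit` method, which on EKS lets the pod's IAM role (for instance bound through IAM Roles for Service Accounts) reach Secrets Manager with no key material in the values file at all. Assumed placeholders: the top-level `server:` key (the chart comments say `zenml.`), the region `eu-west-1`, and the role ARN.

```yaml
# values-secrets-aws.yaml (added example, not chart code; key paths assumed)
server:
  secretsStore:
    enabled: true
    type: aws
    aws:
      # Option A, the chart's default style: static access keys. They are
      # long-lived, end up in `helm get values`, and must be rotated by hand.
      # Shown commented out; prefer option B wherever the cluster supports it.
      #
      # authMethod: secret-key
      # authConfig:
      #   region: eu-west-1
      #   aws_access_key_id: "<access-key-id>"
      #   aws_secret_access_key: "<secret-access-key>"

      # Option B: no credentials in the chart. The IAM role attached to the
      # server pod is used (on EKS, IAM Roles for Service Accounts binds the
      # role to the server's ServiceAccount). Scope that role's policy to the
      # secrets ZenML creates, not to secretsmanager:* across the account.
      authMethod: implicit
      authConfig:
        region: eu-west-1
        # Optional with `implicit`: assume a narrower role from the pod role,
        # so the pod role itself only needs sts:AssumeRole.
        # role_arn: arn:aws:iam::123456789012:role/zenml-secrets-store
```

Whichever option you choose, the `region` is mandatory and must name the region that hosts the Secrets Manager instance; with `implicit` there is nothing else to rotate, which is the point.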
    # GCP secrets store configuration. Only relevant if the `gcp` secrets store
    # type is configured.
    #
    # The GCP secrets store uses the GCP Service Connector under the hood to
    # authenticate with the GCP Secrets Manager API. This means that you can
    # use the same authentication methods and configuration as you would use for
    # the GCP Service Connector. Just set the `authMethod` field to the
    # authentication method that you want to use and set the required
    # configuration attributes under the `authConfig` field.
    #
    # For a list of supported authentication methods and their configuration
    # options, see the following documentation:
    # https://docs.zenml.io/how-to/auth-management/gcp-service-connector#authentication-methods
    #
    # You can also use the ZenML CLI to get the list of supported authentication
    # methods and their configuration options, e.g.:
    #
    # ```shell
    # zenml service-connector describe-type gcp
    # zenml service-connector describe-type gcp --auth-method service-account
    # ```
    gcp:
      # The GCP Service Connector authentication method to use. The currently
      # supported authentication methods are:
      #
      #   - implicit - Use the GCP service account attached to the ZenML server
      #                pod or environment variables to authenticate with the GCP
      #                Secrets Manager API
      #   - user-account - Use a GCP user account
      #   - service-account - Use a GCP service account
      #   - impersonation - Use the GCP service account impersonation feature
      authMethod: service-account
      # The GCP Service Connector authentication configuration. This should
      # include the corresponding authentication configuration attributes for
      # the `authMethod` that you have chosen above.
      authConfig:
        # The GCP project ID to use. This must be set to the project ID where
        # the GCP Secrets Manager service that you want to use is located.
        # Mandatory for all authentication methods.
        project_id:
        # The GCP user account credentials to use to authenticate with the GCP
        # Secrets Manager instance. Required if the `authMethod` is set to
        # `user-account`.
        user_account_json:
        # The GCP service account credentials to use to authenticate with the
        # GCP Secrets Manager instance. Required if the `authMethod` is set to
        # `service-account` or `impersonation`.
        service_account_json:
        # The GCP service account to impersonate when authenticating with the
        # GCP Secrets Manager instance. Required if the `authMethod` is set to
        # `impersonation`.
        target_principal:
      # The GCP project ID to use. This must be set to the project ID where the
      # GCP Secrets Manager service that you want to use is located.
      #
      # NOTE: deprecated; use `authConfig.project_id` instead.
      project_id:
      # The JSON content of the GCP credentials file to use to authenticate with
      # the GCP Secrets Manager instance. You can omit this if you are running
      # the ZenML server in a GCP GKE cluster that uses workload identity to
      # authenticate with GCP services without the need for credentials.
      #
      # NOTE: deprecated; use `authConfig.service_account_json` instead.
      google_application_credentials:
    # Azure Key Vault secrets store configuration. Only relevant if the `azure`
    # secrets store type is configured.
    #
    # The Azure secrets store uses the Azure Service Connector under the hood to
    # authenticate with the Azure Key Vault API. This means that you can
    # use the same authentication methods and configuration as you would use for
    # the Azure Service Connector. Just set the `authMethod` field to the
    # authentication method that you want to use and set the required
    # configuration attributes under the `authConfig` field.
    #
    # For a list of supported authentication methods and their configuration
    # options, see the following documentation:
    # https://docs.zenml.io/how-to/auth-management/azure-service-connector#authentication-methods
    #
    # You can also use the ZenML CLI to get the list of supported authentication
    # methods and their configuration options, e.g.:
    #
    # ```shell
    # zenml service-connector describe-type azure
    # zenml service-connector describe-type azure --auth-method service-principal
    # ```
    azure:
      # The Azure Service Connector authentication method to use. The currently
      # supported authentication methods are:
      #
      #   - implicit - Use the Azure managed identity attached to the ZenML server
      #                pod or environment variables to authenticate with the Azure
      #                Key Vault API
      #   - service-principal - Use an Azure service principal
      authMethod: service-principal
      # The Azure Service Connector authentication configuration. This should
      # include the corresponding authentication configuration attributes for
      # the `authMethod` that you have chosen above.
      authConfig:
        # The Azure service principal credentials to use to authenticate with
        # the Azure Key Vault API. All three are required if the `authMethod` is
        # set to `service-principal`.
        client_id:
        client_secret:
        tenant_id:
      # The name of the Azure Key Vault. This must be set to point to the Azure
      # Key Vault instance that you want to use.
      key_vault_name:
      # The Azure application service principal credentials to use to
      # authenticate with the Azure Key Vault API. You can omit these if you are
      # running the ZenML server hosted in Azure and are using a managed
      # identity to access the Azure Key Vault service.
      #
      # NOTE: deprecated; use `authConfig.client_id`, `authConfig.client_secret`,
      # and `authConfig.tenant_id` instead.
      azure_client_id:
      azure_client_secret:
      azure_tenant_id:
    # HashiCorp Vault secrets store configuration. Only relevant if the `hashicorp`
    # secrets store type is configured.
    hashicorp:
      # The HashiCorp Vault authentication method to use. The currently
      # supported authentication methods are:
      #
      #   - token - Use a static token
      #   - app_role - Use a Vault AppRole (role ID and secret ID)
      #   - aws - Use AWS authentication
      authMethod: token
      authConfig:
        # The URL of the HashiCorp Vault server.
        vault_addr: https://vault.example.com
        # The Vault Enterprise namespace. Not required for Vault OSS.
        vault_namespace:
        # The mount point to use (defaults to "secret" if not set).
        mount_point:
        # Custom mount point to use for the authentication method.
        auth_mount_point:
        # The role ID to use for the AppRole authentication method. Required if
        # the authentication method is app_role.
        app_role_id:
        # The secret ID to use for the AppRole authentication method. Required
        # if the authentication method is app_role.
        app_secret_id:
        # The AWS role to use for the AWS authentication method. Relevant if the
        # authentication method is aws.
        aws_role:
        # The AWS header value to use for the AWS authentication method. Relevant
        # if the authentication method is aws and the mount point enforces it.
        aws_header_value:
        # The token to use with the token authentication method. Required if the
        # authentication method is token.
        vault_token:
        # The maximum number of secret versions to keep. If not set, the default
        # value of 1 will be used (only the latest version will be kept).
        max_versions:
# Custom secrets store configuration. Only relevant if the `custom` secrets
# store type is configured.
custom:
# The class path of the custom secrets store implementation. This should
# point to a full Python class that extends the
# `zenml.zen_stores.secrets_stores.base_secrets_store.BaseSecretsStore`
# base class. The class should be importable from the container image
# that you are using for the ZenML server.
#
# Any additional configuration options for the custom secrets store
# implementation should be passed through the `environment` and the
# `secretEnvironment` variables and using the `ZENML_SECRETS_STORE_<OPTION_NAME>`
# environment variable naming convention. For example, if the custom
# secrets store implementation expects an `aws_access_key_id` option, you
# should set the `ZENML_SECRETS_STORE_AWS_ACCESS_KEY_ID` environment
# variable in the `zenml.secretEnvironment` variable.
class_path: my.custom.secrets.store.MyCustomSecretsStore
# Backup secrets store settings. This is used as a backup to the primary
# secrets store. Secret values for newly created and updated secrets are also
# saved in the secondary secrets store and there are management commands to
# migrate secret values individually or in bulk from the primary to the
# secondary secrets store and vice versa.
# A backup secrets store is is useful for high availability and disaster
# recovery scenarios where the primary secrets store is unavailable. It is
# also useful as a temporary setup for migrating secrets from one secrets
# store to another.
backupSecretsStore:
# Set to true to enable a backup secrets store.
enabled: false
# The type of secrets store to use. Use one of:
#
# sql - Use the same SQL database as the ZenML server
# aws - Use the AWS Secrets Manager as a secrets store
# gcp - Use the GCP Secrets Manager as a secrets store
# azure - Use the Azure Key Vault as a secrets store
# hashicorp - Use the HashiCorp Vault as a secrets store
# custom - Use a custom secrets store implementation (needs a custom
# ZenML server image with the custom secrets store implementation
# installed)
#
# Depending on the type, additional configuration options may be required
# under the respective sections.
#
type: sql
# SQL backup secrets store configuration. Only relevant if the `sql` backup
# secrets store type is configured.
sql:
# The secret key used to encrypt secrets in the SQL database. Only relevant
# if the SQL secrets store type is used. This should be set to a random
# string with a recommended length of at least 32 characters, e.g.:
#
# ```python
# from secrets import token_hex
# token_hex(32)
# ```
#
# or:
#
# ```shell
# openssl rand -hex 32
# ```
#
# If not set, database secret encryption will be disabled.
#
# IMPORTANT: If you configure encryption for your SQL database secrets
# store, you should keep this value somewhere safe and secure, as it will be
# required to decrypt the secrets in the database. If you lose the
# encryption key, you will not be able to decrypt the secrets in the
# database and will have to reset them. You should not change this value
# after you have already configured encryption for your SQL database
# secrets store.
encryptionKey:
# AWS backup secrets store configuration. Only relevant if the `aws` backup
# secrets store type is configured.
#
# The AWS secrets store uses the AWS Service Connector under the hood to
# authenticate with the AWS Secrets Manager API. This means that you can
# use the same authentication methods and configuration as you would use for
# the AWS Service Connector. Just set the `authMethod` field to the
# authentication method that you want to use and set the required
# configuration attributes under the `authConfig` field.
#
# For a list of supported authentication methods and their configuration
# options, see the following documentation:
# https://docs.zenml.io/how-to/auth-management/aws-service-connector#authentication-methods
#
# You can also use the ZenML CLI to get the list of supported authentication
# methods and their configuration options, e.g.:
#
# ```shell
# zenml service-connector describe-type aws
# zenml service-connector describe-type aws --auth-method secret-key
# ```
aws:
# The AWS Service Connector authentication method to use. The currently
# supported authentication methods are:
#
# - implicit - Use the IAM role attached to the ZenML server pod or
# environment variables to authenticate with the AWS Secrets
# Manager API
# - secret-key - Use an AWS secret key
# - iam-role - Use an IAM role
# - session-token - Use an AWS session token derived from an AWS secret
# key
# - federation-token - Use an AWS federation token derived from an AWS
# secret key
authMethod: secret-key
# The AWS Service Connector authentication configuration. This should
# include the corresponding authentication configuration attributes for
# the `authMethod` that you have chosen above.
authConfig:
# The AWS region to use. This must be set to the region where the AWS
# Secrets Manager service that you want to use is located. Mandatory
# for all authentication methods.
region:
# The AWS access key and secret key to use to authenticate with the AWS
# Secrets Manager instance. Both are required if the `authMethod` is set
# to `secret-key`, `sts-token`, `iam-role`, or `federation-token`.
aws_access_key_id:
aws_secret_access_key:
# The AWS role ARN to use to authenticate with the AWS Secrets Manager
# instance. Required if the `authMethod` is set to `iam-role`.
role_arn:
# GCP backup secrets store configuration. Only relevant if the `gcp` backup
# secrets store type is configured.
#
# The GCP secrets store uses the GCP Service Connector under the hood to
# authenticate with the GCP Secrets Manager API. This means that you can
# use the same authentication methods and configuration as you would use for
# the GCP Service Connector. Just set the `authMethod` field to the
# authentication method that you want to use and set the required
# configuration attributes under the `authConfig` field.
#
# For a list of supported authentication methods and their configuration
# options, see the following documentation:
# https://docs.zenml.io/how-to/auth-management/gcp-service-connector#authentication-methods
#
# You can also use the ZenML CLI to get the list of supported authentication
# methods and their configuration options, e.g.:
#
# ```shell
# zenml service-connector describe-type gcp
# zenml service-connector describe-type gcp --auth-method service-account
# ```
gcp:
# The GCP Service Connector authentication method to use. The currently
# supported authentication methods are:
#
# - implicit - Use the GCP service account attached to the ZenML server
# pod or environment variables to authenticate with the GCP
# Secrets Manager API
# - user-account - Use a GCP user account
# - service-account - Use a GCP service account
# - impersonation - Use the GCP service account impersonation feature
# - external-account - Use workload identity federation to authenticate
# with the GCP Secrets Manager API
authMethod: service-account
# The GCP Service Connector authentication configuration. This should
# include the corresponding authentication configuration attributes for
# the `authMethod` that you have chosen above.
authConfig:
# The GCP project ID to use. This must be set to the project ID where
# the GCP Secrets Manager service that you want to use is located.
# Mandatory for all authentication methods.
project_id:
# The GCP user account credentials to use to authenticate with the GCP
# Secrets Manager instance. Required if the `authMethod` is set to
# `user-account`.
user_account_json:
# The GCP service account credentials to use to authenticate with the
# GCP Secrets Manager instance. Required if the `authMethod` is set to
# `service-account` or `impersonation`.
service_account_json:
# The GCP service account to impersonate when authenticating with the
# GCP Secrets Manager instance. Required if the `authMethod` is set to
# `impersonation`.
target_principal:
# The GCP workload identity credentials to use to authenticate with the
# GCP Secrets Manager instance. Required if the `authMethod` is set to
# `external-account`.
external_account_json:
# Azure backup Key Vault secrets store configuration. Only relevant if the
# `azure` backup secrets store type is configured.
#
# The Azure secrets store uses the Azure Service Connector under the hood to
# authenticate with the Azure Key Vault API. This means that you can
# use the same authentication methods and configuration as you would use for
# the Azure Service Connector. Just set the `authMethod` field to the
# authentication method that you want to use and set the required
# configuration attributes under the `authConfig` field.
#
# For a list of supported authentication methods and their configuration
# options, see the following documentation:
# https://docs.zenml.io/how-to/auth-management/azure-service-connector#authentication-methods
#
# You can also use the ZenML CLI to get the list of supported authentication
# methods and their configuration options, e.g.:
#
# ```shell
# zenml service-connector describe-type azure
# zenml service-connector describe-type azure --auth-method service-principal
# ```
azure:
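A pre-deployment check for the `secretsStore` and `backupSecretsStore` blocks above, added here as an example and not part of the ZenML chart: it flags a chosen `authMethod` whose required `authConfig` attributes are missing, a SQL store left without an `encryptionKey` (encryption silently off) or with a short one, and the deprecated `azure_*` credentials. The required-attribute table is transcribed from the comments in this file and covers only a subset of the listed methods; the sample values dict is constructed, not taken from a real deployment.

```python
# Added example, not part of the ZenML chart. The REQUIRED table is transcribed
# from the values.yaml comments above (a subset of the listed methods); the
# sample values dict under __main__ is constructed, not a real deployment.

# Required keys per (type, authMethod); region/project_id/vault_addr apply to all.
REQUIRED = {
    ("aws", "implicit"): ["region"],
    ("aws", "secret-key"): ["region", "aws_access_key_id", "aws_secret_access_key"],
    ("aws", "iam-role"): ["region", "aws_access_key_id", "aws_secret_access_key", "role_arn"],
    ("gcp", "implicit"): ["project_id"],
    ("gcp", "service-account"): ["project_id", "service_account_json"],
    ("gcp", "impersonation"): ["project_id", "service_account_json", "target_principal"],
    ("azure", "implicit"): [],
    ("azure", "service-principal"): ["client_id", "client_secret", "tenant_id"],
    ("hashicorp", "token"): ["vault_addr", "vault_token"],
    ("hashicorp", "app_role"): ["vault_addr", "app_role_id", "app_secret_id"],
}
DEPRECATED_AZURE = ("azure_client_id", "azure_client_secret", "azure_tenant_id")


def lint_store(store: dict) -> list:
    """Return findings for one secrets store block; an empty list means OK."""
    kind = store.get("type", "sql")
    section = store.get(kind) or {}
    if kind == "sql":  # encryption is optional but silently off when unset
        key = section.get("encryptionKey") or ""
        if not key:
            return ["sql: encryptionKey unset, secret encryption is disabled"]
        return ["sql: encryptionKey shorter than 32 characters"] if len(key) < 32 else []
    if kind == "custom":
        return [] if section.get("class_path") else ["custom: class_path is required"]
    method, auth = section.get("authMethod"), section.get("authConfig") or {}
    if (kind, method) not in REQUIRED:
        return [f"{kind}: authMethod {method!r} not in the supported list"]
    findings = [f"{kind}/{method}: authConfig.{a} is required"
                for a in REQUIRED[(kind, method)] if not auth.get(a)]
    if kind == "azure":
        if not section.get("key_vault_name"):
            findings.append("azure: key_vault_name is required")
        if any(section.get(k) for k in DEPRECATED_AZURE):
            findings.append("azure: deprecated azure_* credentials set, use authConfig")
    return findings


if __name__ == "__main__":
    # Constructed sample: a primary Azure store and an unencrypted SQL backup.
    values = {"secretsStore": {"type": "azure", "azure": {"authMethod": "service-principal",
              "authConfig": {"client_id": "x", "tenant_id": "y"}, "key_vault_name": "kv"}},
              "backupSecretsStore": {"enabled": True, "type": "sql", "sql": {"encryptionKey": None}}}
    for name, block in values.items():
        print(name, lint_store(block) or "OK")
```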