Administration
Platform administration covers connections, identity, secrets, environments, and observability. Most day-to-day tasks are performed through the Admin UI; infrastructure tasks use Azure portal, kubectl, and Helm.
Connections and secrets
Data connections
Configure source and target systems in Admin → Connections:
- Relational: PostgreSQL, MySQL, MSSQL, Oracle
- Cloud warehouses: Snowflake, BigQuery, ClickHouse
- Graph: Neo4j
- Lakehouse: Databricks Unity Catalog, Azure environments
Each connection stores credentials securely. On Azure deployments, platform-level secrets are centralized in Key Vault and synced to Kubernetes via External Secrets Operator. See Key Vault Secrets.
Platform secrets
| Area | Management |
|---|---|
| Database passwords | Key Vault; rotated via install scripts or manual az keyvault secret set |
| TLS certificates | Key Vault; synced to ingress TLS secrets |
| OAuth / API keys | Key Vault; referenced by ExternalSecrets |
| GitHub tokens | Key Vault (bh-github-token) for schema repositories |
Never store production secrets in Helm values or Git.
User management
Identity model
- Keycloak is the application identity broker (realm, clients, roles).
- Microsoft Entra ID (or another OIDC provider) federates user authentication.
- Keycloak API supports programmatic user and realm administration.
Admin tasks
| Task | Where |
|---|---|
| Create / edit users | Admin UI → Users |
| Assign roles and permissions | Admin UI → Role Permission |
| Project access | Admin UI → Projects |
| Environment access | Admin UI → Environments |
For Azure RBAC and cluster access, use your organization's Entra groups and AKS RBAC — separate from application-level Keycloak roles.
Environments and compute
| Area | Description |
|---|---|
| Environments | Register AWS, Azure, GCP, or Databricks targets for pipeline execution |
| Compute | Configure processing resources for workloads and LLM inference |
| Scheduled jobs | Automate recurring platform tasks |
| LLM configuration | Register models used by the AI agent and platform chat |
Monitoring and observability
Application health
kubectl get pods -n <platform-namespace>
kubectl get externalsecret -n <platform-namespace>
kubectl logs deployment/<service-name> -n <platform-namespace>
Recommended checks
| Check | Command / location |
|---|---|
| Pod status | kubectl get pods |
| Ingress TLS | Browser or curl -v https://<host> |
| ExternalSecrets | kubectl describe externalsecret <name> |
| Celery workers | Worker pod logs; RabbitMQ management UI |
| PostgreSQL | API health endpoints /api/v1/health |
Optional cluster-level observability (Grafana, Loki, Prometheus) may be deployed alongside the platform depending on your deployment repository.
Alerts
Configure Admin → Notifications for audit events, job failures, and channel routing (email, webhooks, etc.).
Operational procedures
| Procedure | Documentation |
|---|---|
| Initial Azure deploy | Deployment Checklist |
| Upgrade platform chart | Platform Deployment |
| Rotate Key Vault secret | Update vault → ESO syncs → Reloader restarts pods |
| Troubleshoot auth / secrets | Troubleshooting |