Skip to main content

Administration

Platform administration covers connections, identity, secrets, environments, and observability. Most day-to-day tasks are performed through the Admin UI; infrastructure tasks use Azure portal, kubectl, and Helm.


Connections and secrets

Data connections

Configure source and target systems in Admin → Connections:

  • Relational: PostgreSQL, MySQL, MSSQL, Oracle
  • Cloud warehouses: Snowflake, BigQuery, ClickHouse
  • Graph: Neo4j
  • Lakehouse: Databricks Unity Catalog, Azure environments

Each connection stores credentials securely. On Azure deployments, platform-level secrets are centralized in Key Vault and synced to Kubernetes via External Secrets Operator. See Key Vault Secrets.

Platform secrets

AreaManagement
Database passwordsKey Vault; rotated via install scripts or manual az keyvault secret set
TLS certificatesKey Vault; synced to ingress TLS secrets
OAuth / API keysKey Vault; referenced by ExternalSecrets
GitHub tokensKey Vault (bh-github-token) for schema repositories

Never store production secrets in Helm values or Git.


User management

Identity model

  • Keycloak is the application identity broker (realm, clients, roles).
  • Microsoft Entra ID (or another OIDC provider) federates user authentication.
  • Keycloak API supports programmatic user and realm administration.

Admin tasks

TaskWhere
Create / edit usersAdmin UI → Users
Assign roles and permissionsAdmin UI → Role Permission
Project accessAdmin UI → Projects
Environment accessAdmin UI → Environments

For Azure RBAC and cluster access, use your organization's Entra groups and AKS RBAC — separate from application-level Keycloak roles.


Environments and compute

AreaDescription
EnvironmentsRegister AWS, Azure, GCP, or Databricks targets for pipeline execution
ComputeConfigure processing resources for workloads and LLM inference
Scheduled jobsAutomate recurring platform tasks
LLM configurationRegister models used by the AI agent and platform chat

Monitoring and observability

Application health

kubectl get pods -n <platform-namespace>
kubectl get externalsecret -n <platform-namespace>
kubectl logs deployment/<service-name> -n <platform-namespace>
CheckCommand / location
Pod statuskubectl get pods
Ingress TLSBrowser or curl -v https://<host>
ExternalSecretskubectl describe externalsecret <name>
Celery workersWorker pod logs; RabbitMQ management UI
PostgreSQLAPI health endpoints /api/v1/health

Optional cluster-level observability (Grafana, Loki, Prometheus) may be deployed alongside the platform depending on your deployment repository.

Alerts

Configure Admin → Notifications for audit events, job failures, and channel routing (email, webhooks, etc.).


Operational procedures

ProcedureDocumentation
Initial Azure deployDeployment Checklist
Upgrade platform chartPlatform Deployment
Rotate Key Vault secretUpdate vault → ESO syncs → Reloader restarts pods
Troubleshoot auth / secretsTroubleshooting