Customizing GenAI Builder secrets Innovation Release

Required for deployments with the ai installation scenario enabled. These secrets handle model pulls and data encryption for AI agents.

NGC API Key: Required for pulling NVIDIA NIM models.

Fernet key: Used for symmetric encryption of sensitive data within the GenAI stack.

Object storage: Requires S3-compatible buckets (AWS, GCS, etc.) for the DataLake.

Creating GenAI Builder secrets

1. One of the secrets you will create require an NGC API key. Create one following the NVIDIA NGC documentation to enable model image pulls.

2. You can create a Fernet key secret and NGC key secrets using the edbctl CLI.

   • For manual installations, run this command and follow the interactive prompts:

     → WrapCopy

     edbctl setup create-install-secrets --version <version> --scenario ai

   • If you are running the installation via a CI/CD pipeline, you must suppress interactive prompts. The method for achieving this depends on your edbctl version:

     1. Ensure the NGC API key you created above is available as a variable.

     2. Configure edbctl for non-interactive behavior:

        → WrapCopy

        edbctl config set interactive_mode off
        edbctl config set confirm_mode off

     3. Run the setup command:

        → WrapCopy

        edbctl setup create-install-secrets --version <version> --scenario ai

     This creates the Fernet key secret, as well as nvidia-nim-secrets and ngc-cred secrets in the default namespace with the appropriate replication annotations.

     Note

     Fernet is a cryptographic library used by Python. It provides symmetric encryption/decryption and is required to store secret data.

3. The HM administrator must keep the Fernet key safe and back it up. The secret name and namespace depend on the version of Hybrid Manager you are running.

   For versions 2026.2 and earlier, the solution is based on Griptape. Use the following command to retrieve the secret:

   → WrapCopy

   kubectl get secret -n upm-griptape fernet-secret -o yaml

   For versions 2026.3 and later, the solution shifted to LangFlow. The secret is now stored in the default namespace:

   → WrapCopy

   kubectl get secret langflow-secret -n default -o yaml

   Store the key safely.

4. Configure DataLake object storage for GenAI builder by creating a DataLake bucket in the object storage you're using for your Hybrid Manager deployment. GenAI Builder uses it to store structures, tools, and indexed data.

   • AWS S3
   • Google Cloud Storage (GCS)
   • Other S3-compatible storage

   → WrapCopy

   aws s3 mb s3://<your-datalake-bucket-name> –region     <your-region>

   → WrapCopy

   gsutil mb -l <your-region> gs://<your-datalake-bucket-name>

   Use your provider’s management console or CLI to create a bucket with a unique name for your DataLake bucket.

5. Capture the following information for your bucket. You will need it later when you first use the GenAI launchpad application. The console will prompt you for your DataLake bucket configuration, which requires:

   • DATA_LAKE_ROOT_BUCKET: The name of the bucket for use with DataLake.

   • DATA_LAKE_S3_ACCESS_KEY: The access_key used to connect to the DataLake bucket.

   • DATA_LAKE_S3_SECRET_ACCESS_KEY: The secret_access_key used to connect to the DataLake bucket.

   • DATA_LAKE_S3_ENDPOINT_UR: The endpoint URL used to connect to the DataLake bucket.

6. Update the bucket's settings with the CORS configuration:

   • AWS S3
   • Google Cloud Storage (GCS)
   • Other S3-compatible storage

   Update the bucket's settings to have the following CORS configuration:

   → WrapCopy

   [
       {
           "AllowedHeaders": [
               "*"
           ],
           "AllowedMethods": [
               "PUT",
               "POST",
               "DELETE",
               "GET",
               "HEAD"
           ],
           "AllowedOrigins": [
               "https://${PORTAL_DOMAIN_NAME}"
           ],
           "ExposeHeaders": []
       }
   ]

   Where https://${PORTAL_DOMAIN_NAME} is the domain configured for your Hybrid Manager.

   The S3 interoperability layer in GCS allows GenAI Builder to use GCS as an S3-compatible object store.

   1. In the GCS console, under Settings, turn on the s3 interoperability.

   2. Update or create a service account with the Storage Admin and Service Account Token Creator roles.

   3. Create an HMAC key pair for the service account.

   4. Create a config file with a CORS configuration that points at the Hybrid Manager endpoint:

      → WrapCopy

      cat cors-config.json
      [
        {
          "origin": ["https://${PORTAL_DOMAIN_NAME}"],
          "method": ["GET", "PUT", "POST", "DELETE", "HEAD"],
          "responseHeader": ["*"],
          "maxAgeSeconds": 3600
        }
      ]

      Where https://${PORTAL_DOMAIN_NAME} is the domain configured for your Hybrid Manager.

   5. Apply the CORS configuration to the previously created bucket:

      → WrapCopy

      gsutil cors set cors-config.json gs://<bucket name>

   Use your provider’s management console or CLI to configure cross-origin resource sharing (CORS) with Hybrid Manager.