Customizing Lakehouse/Catalog secrets Innovation Release

Required for deployments with the analytics installation scenario enabled.

Confounding key: A critical randomized string used to encrypt storage credentials.

Warning: Loss of this key prevents access to managed Lakehouse data. Always back up the pg-confounding-key secret.

Creating Catalog secret

Note

Required for deployments with the analytics installation scenario enabled. This scenario is included by default unless it is manually excluded via the spec.scenarios parameter in values.yaml.

  1. You can create a confounding key secret with the edbctl CLI for environments with the analytics scenario enabled.

    • For manual installations, run this command and follow the interactive prompts:

      edbctl setup create-install-secrets --version <version> --scenario analytics
    • If you are running the installation via a CI/CD pipeline, you must suppress interactive prompts. The method for achieving this depends on your edbctl version:

      1. Configure edbctl for non-interactive behavior:

        edbctl config set interactive_mode off
        edbctl config set confirm_mode off
      2. Run the setup command:

        edbctl setup create-install-secrets --version <version> --scenario analytics
    Note
    • A confounding key is a randomized string that's at least 32 bytes long.
    • Create a confounding key for each Hybrid Manager deployment.
  2. The Hybrid Manager administrator must keep the confounding key safe and back it up.

    Warning

    If the confounding key is lost in a disaster scenario, there is no mechanism for accessing the Lakehouse data managed by the Hybrid Manager data catalog. Instead, the administrator would have to create and store a new key, restart the upm-lakekeeper/lakekeeper workload, and carefully rebuild all of the existing data catalogs without deleting them. That procedure is very risky and would require support from the EDB PG AI Professional Services team.

    Fetch the key:

    kubectl get secrets -n upm-lakekeeper pg-confounding-key -o yaml

    Store the key safely.
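
    To check that an export of the secret is a usable backup before relying on it, the following added example (not EDB's code) validates a copy saved with kubectl's -o json output instead of -o yaml, enforces the 32-byte minimum, and compares a stored backup against the live secret. The function names are hypothetical and the data field name "key" in the constructed sample is an assumption, so the checks run over every data field.

```python
import base64
import hashlib
import hmac
import json
import os

MIN_KEY_BYTES = 32  # minimum confounding key length stated on this page


def fingerprints(manifest_json):
    """Return {data field: SHA-256 hex} for a Secret exported with -o json.

    Raises ValueError if the export is not a Secret, has no data, holds
    invalid base64, or holds a value shorter than MIN_KEY_BYTES.
    """
    doc = json.loads(manifest_json)
    if not isinstance(doc, dict) or doc.get("kind") != "Secret" or not doc.get("data"):
        raise ValueError("not a Secret manifest with a data section")
    result = {}
    for field, encoded in doc["data"].items():
        raw = base64.b64decode(encoded, validate=True)
        if len(raw) < MIN_KEY_BYTES:
            raise ValueError(f"{field}: {len(raw)} bytes, need {MIN_KEY_BYTES}")
        result[field] = hashlib.sha256(raw).hexdigest()
    return result


def backup_matches_live(backup_json, live_json):
    """True when the stored backup holds the same key material as the cluster."""
    old, new = fingerprints(backup_json), fingerprints(live_json)
    return old.keys() == new.keys() and all(
        hmac.compare_digest(old[f], new[f]) for f in old)


def write_backup(path, manifest_json):
    """Validate first, then create the file owner-only; never overwrite."""
    fingerprints(manifest_json)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(manifest_json)


def sample_manifest(raw_key):
    """Constructed sample; the data field name "key" is an assumption."""
    return json.dumps({
        "apiVersion": "v1", "kind": "Secret",
        "metadata": {"name": "pg-confounding-key", "namespace": "upm-lakekeeper"},
        "data": {"key": base64.b64encode(raw_key).decode()},
    })
```

    Kubernetes stores the values under data base64-encoded, not encrypted, so the exported file is as sensitive as the key itself and belongs in an encrypted vault rather than a repository or CI artifact.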