Configuration Variables
Configuration is passed to the Sundeck Private Broker via environment variables. The following environment variables are required to run the Sundeck Private Broker. The Private Broker is a stateless service, so it is safe to restart the service at any time to apply new configuration.
Note that these variables can be set in a variety of ways, including directly in the Docker run command, in a Kubernetes deployment manifest, or in a Docker Compose file. The method of setting these variables will depend on the deployment method chosen.
In addition, the Private Broker can be configured to use a Hashicorp Vault instance to store sensitive information such as Snowflake service account credentials. If you choose to use Vault, many of the environment variables below will not be required, as the Private Broker will fetch the necessary configuration from Vault at runtime.
There are a number of environment variables listed in the table below which pertain to the Sundeck Service Account user in Snowflake. The Sundeck Private Broker makes use of this Snowflake Service Account login to periodically fetch the contents of Pinned Tables, which are cached in broker memory for fast access during broker rules processing.
Note that user queries are not executed using this Service Account user; queries are always executed as the user connecting to the broker.
Env variable name | Vault Key | Sample value | Description |
---|---|---|---|
SUNDECK_BROKER_REST_API_PATH | n/a | https://api.sundeck.io/us-west-2/v1 | The base URL for control plane REST APIs; the private broker uses this to fetch broker configuration. Provide the URL that corresponds to your Sundeck region. Valid values are: https://api.sundeck.io/us-east-1/v1 https://api.sundeck.io/us-east-2/v1 https://api.sundeck.io/us-west-2/v1 |
SUNDECK_BROKER_PORT | n/a | 8080 | The TCP port on which the Sundeck Broker HTTP service listens. Note that SQL clients should not connect to this port directly; connections from clients should be via HTTPS, terminated on a load balancer which then routes to this port over HTTP |
SUNDECK_BROKER_TOKEN | BrokerToken | sndk_gp6xxx | This token is used by the private broker to authenticate with the Sundeck SaaS Control Plane. Broker tokens can be generated via the SaaS UI, or by running Sundeck DDL through a connection to the Broker: CREATE OR REPLACE SUNDECK TOKEN MY_BROKER_TOKEN PURPOSE = BROKER; |
SUNDECK_SF_USERNAME | SnowflakeUsername | xx@abc.com | Snowflake username for the Sundeck Service Account user. This user will need to have SELECT rights on any tables in Snowflake which are to be used as Pinned Tables |
SUNDECK_SF_PASSWORD | SnowflakePassword | yyyyyy | Snowflake password for the Sundeck Service Account user |
SUNDECK_SF_WAREHOUSE | SnowflakeWarehouse | COMPUTE_WH | Snowflake Warehouse to be used by the Sundeck Service Account user (for reading Pinned Tables) |
SUNDECK_SF_ROLE | SnowflakeRole | PUBLIC | Snowflake Role to be assumed by the Sundeck Service Account user |
SUNDECK_SF_PRIVATEKEY | SnowflakePrivateKey | MIIFHDBOBgkq… | RSA private key (can be encrypted or unencrypted), for use if the Sundeck Service Account user is configured for keypair authentication. Please see https://docs.snowflake.com/en/user-guide/key-pair-auth |
SUNDECK_SF_PRIVATEKEY_PASSPHRASE | SnowflakePrivateKeyPassphrase | <passphrase> | Only required IF keypair encryption is being used, and the RSA key passed to SUNDECK_SF_PRIVATEKEY has been encrypted with a passphrase. |
SUNDECK_BROKER_SSL_CERT | SSLCertificate | -----BEGIN CERTIFICATE----- MIIDlDCCAxug... -----END CERTIFICATE----- -----BEGIN PRIVATE KEY----- MIGHAgEAMB... -----END PRIVATE KEY----- | If this config is set, private broker will host HTTPS/SSL endpoint instead of HTTP endpoint. This string value should be the PEM-formatted Certificate concatenated with the PEM-formatted private key (i.e. with the -----BEGIN xxxx----- and -----END xxxx----- lines included.) |
SUNDECK_BROKER_SSL_CERT_PASSPHRASE | SSLCertificatePassphrase | <passphrase> | Only to be given if SUNDECK_BROKER_SSL_CERT has an encrypted private key. |
Hashicorp Vault can be used to store sensitive information such as Snowflake service account credentials. All keys are expected to be in the secret named secret/sundeck/broker, under the Vault Key names listed in the table above. The Private Broker fetches these keys from Vault automatically when the following Vault configuration information is provided.
Integration type | Env variable name | Sample value | Description |
---|---|---|---|
hashicorp/vault | VAULT_ADDR | http://192.168.64.1:8200 | URL of the vault location (hashicorp) |
hashicorp/vault | VAULT_TOKEN | myroot | Token to access vault (hashicorp) |
Administrators may instead choose to provide secrets from Vault to the Private Broker through orchestration tools such as Kubernetes (for example, by mapping the Vault secret into a Kubernetes Secret that is exposed to the pod as environment variables), rather than configuring the Private Broker to access Vault directly. In that case VAULT_ADDR and VAULT_TOKEN are not set and the broker reads the values from the environment variables in the table above.
Env variable name | Default value | Description |
---|---|---|
SUNDECK_LOG_LEVEL | INFO | This value will be used as the log level. Set to DEBUG for debugging |
SUNDECK_BROKER_FLOW_CACHE_TTL_SECONDS | 120 | The polling interval, in seconds, at which the Private Broker fetches configuration information from the Sundeck SaaS Control Plane. |
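The following shell script is an added example and is not part of the Sundeck Private Broker or its documentation. It is a preflight check that encodes the constraints stated in the three tables above (the documented regional URLs, a valid port, the password-or-key-pair choice, the passphrase rules for an encrypted key, the PEM layout of SUNDECK_BROKER_SSL_CERT, and VAULT_ADDR/VAULT_TOKEN being set as a pair) and refuses to proceed on an inconsistent configuration. The function and variable names (check_broker_env, BROKER_CFG_ERRORS, int_in_range) are the script's own. Two choices are assumptions rather than documented broker behaviour: when both Vault variables are set, the broker token and Snowflake variables are treated as optional, following the note above that those values are then fetched from Vault; and setting both SUNDECK_SF_PASSWORD and SUNDECK_SF_PRIVATEKEY is only warned about, not rejected. Encryption of a PEM key is detected by the ENCRYPTED marker that both PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY") and legacy ("Proc-Type: 4,ENCRYPTED") formats carry.

```shell
#!/bin/sh
# Preflight check for the Sundeck Private Broker environment (added example,
# not Sundeck's own code). Run it in the environment that will launch the
# broker, for instance as a container entrypoint guard:
#   check_broker_env && exec "$@"

BROKER_CFG_ERRORS=0
fail() { echo "config error: $*" >&2; BROKER_CFG_ERRORS=$((BROKER_CFG_ERRORS + 1)); }
warn() { echo "config warning: $*" >&2; }

# True if $1 is a decimal integer in the range $2..$3.
int_in_range() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Returns 0 when the configuration is consistent, 1 otherwise.
check_broker_env() {
  BROKER_CFG_ERRORS=0

  # Control-plane settings are needed in every mode.
  case "${SUNDECK_BROKER_REST_API_PATH:-}" in
    https://api.sundeck.io/us-east-1/v1|https://api.sundeck.io/us-east-2/v1|https://api.sundeck.io/us-west-2/v1) ;;
    *) fail "SUNDECK_BROKER_REST_API_PATH must be one of the documented regional URLs" ;;
  esac
  int_in_range "${SUNDECK_BROKER_PORT:-}" 1 65535 \
    || fail "SUNDECK_BROKER_PORT must be a TCP port number (1-65535)"
  if [ -n "${SUNDECK_BROKER_FLOW_CACHE_TTL_SECONDS:-}" ]; then
    int_in_range "$SUNDECK_BROKER_FLOW_CACHE_TTL_SECONDS" 1 86400 \
      || fail "SUNDECK_BROKER_FLOW_CACHE_TTL_SECONDS must be a positive number of seconds"
  fi

  # Vault mode: VAULT_ADDR and VAULT_TOKEN must be set together, or not at all.
  vault_mode=0
  if [ -n "${VAULT_ADDR:-}" ] && [ -n "${VAULT_TOKEN:-}" ]; then
    vault_mode=1
    case "$VAULT_ADDR" in
      http://*) warn "VAULT_ADDR uses plain http; VAULT_TOKEN and the fetched secrets cross the network unencrypted" ;;
    esac
  elif [ -n "${VAULT_ADDR:-}${VAULT_TOKEN:-}" ]; then
    fail "VAULT_ADDR and VAULT_TOKEN must be set together"
  fi

  # Without Vault, the broker token and service-account settings must be in the environment.
  if [ "$vault_mode" -eq 0 ]; then
    [ -n "${SUNDECK_BROKER_TOKEN:-}" ] || fail "SUNDECK_BROKER_TOKEN is not set (and no Vault configured)"
    [ -n "${SUNDECK_SF_USERNAME:-}" ]  || fail "SUNDECK_SF_USERNAME is not set (and no Vault configured)"
    [ -n "${SUNDECK_SF_WAREHOUSE:-}" ] || fail "SUNDECK_SF_WAREHOUSE is not set (and no Vault configured)"
    [ -n "${SUNDECK_SF_ROLE:-}" ]      || fail "SUNDECK_SF_ROLE is not set (and no Vault configured)"
    if [ -z "${SUNDECK_SF_PASSWORD:-}" ] && [ -z "${SUNDECK_SF_PRIVATEKEY:-}" ]; then
      fail "set SUNDECK_SF_PASSWORD or SUNDECK_SF_PRIVATEKEY for the service account"
    elif [ -n "${SUNDECK_SF_PASSWORD:-}" ] && [ -n "${SUNDECK_SF_PRIVATEKEY:-}" ]; then
      warn "both SUNDECK_SF_PASSWORD and SUNDECK_SF_PRIVATEKEY are set; prefer key-pair auth only"
    fi
  fi

  # Key-pair auth: an encrypted key needs its passphrase, and a passphrase needs a key.
  case "${SUNDECK_SF_PRIVATEKEY:-}" in
    *ENCRYPTED*) [ -n "${SUNDECK_SF_PRIVATEKEY_PASSPHRASE:-}" ] \
      || fail "SUNDECK_SF_PRIVATEKEY is encrypted but SUNDECK_SF_PRIVATEKEY_PASSPHRASE is not set" ;;
  esac
  if [ -n "${SUNDECK_SF_PRIVATEKEY_PASSPHRASE:-}" ] && [ -z "${SUNDECK_SF_PRIVATEKEY:-}" ]; then
    fail "SUNDECK_SF_PRIVATEKEY_PASSPHRASE is set without SUNDECK_SF_PRIVATEKEY"
  fi

  # TLS: the value must be a PEM certificate followed by a PEM private key.
  if [ -n "${SUNDECK_BROKER_SSL_CERT:-}" ]; then
    case "$SUNDECK_BROKER_SSL_CERT" in
      *"-----BEGIN CERTIFICATE-----"*"-----END CERTIFICATE-----"*) ;;
      *) fail "SUNDECK_BROKER_SSL_CERT lacks a PEM certificate block" ;;
    esac
    case "$SUNDECK_BROKER_SSL_CERT" in
      *"PRIVATE KEY-----"*) ;;
      *) fail "SUNDECK_BROKER_SSL_CERT lacks a PEM private key block" ;;
    esac
    case "$SUNDECK_BROKER_SSL_CERT" in
      *ENCRYPTED*) [ -n "${SUNDECK_BROKER_SSL_CERT_PASSPHRASE:-}" ] \
        || fail "SUNDECK_BROKER_SSL_CERT has an encrypted key but SUNDECK_BROKER_SSL_CERT_PASSPHRASE is not set" ;;
    esac
  else
    warn "SUNDECK_BROKER_SSL_CERT not set: the broker serves plain HTTP, so TLS must be terminated in front of it"
    [ -z "${SUNDECK_BROKER_SSL_CERT_PASSPHRASE:-}" ] \
      || fail "SUNDECK_BROKER_SSL_CERT_PASSPHRASE is set without SUNDECK_BROKER_SSL_CERT"
  fi

  [ "$BROKER_CFG_ERRORS" -eq 0 ]
}
```

Source the file and call check_broker_env before starting the broker; every problem is reported on stderr and a non-zero status stops the start. The plain-http Vault address from the sample above is accepted but warned about, because the Vault token and the Snowflake credentials would then travel unencrypted to the Vault server.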