Skip to content

Latest commit

 

History

History
749 lines (647 loc) · 92.6 KB

README.md

File metadata and controls

749 lines (647 loc) · 92.6 KB

Sombra Helm Charts

Official Helm charts to deploy Sombra and related services into a Kubernetes cluster.

Deploying with Helm

  1. Make sure you have a working Kubernetes cluster.

  2. Add the Helm repo

    helm repo add transcend https://transcend-io.github.io/helm-charts/
  3. To configure the chart and provide environment variables, create a values.yaml file:

    imageCredentials:
      registry: docker.transcend.io
      username: Transcend
      password: '<TRANSCEND_API_TOKEN>'
    
    transcend_service:
      type: NodePort
    
    transcend_ingress:
      enabled: true
      className: alb
      annotations:
        alb.ingress.kubernetes.io/certificate-arn: <CERT_ARN>
        alb.ingress.kubernetes.io/healthcheck-path: /health
        alb.ingress.kubernetes.io/healthcheck-port: '5042'
        alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
        alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 5042}]'
        alb.ingress.kubernetes.io/scheme: internet-facing
        alb.ingress.kubernetes.io/subnets: <VPC_PUBLIC_SUBNET>
        alb.ingress.kubernetes.io/tags: env=dev
        alb.ingress.kubernetes.io/target-type: ip
      hosts:
        - host: <SOMBRA_TRANSCEND_INGRESS_DOMAIN>
          paths:
            - path: /
              pathType: Prefix
    
    customer_service:
      type: NodePort
    
    customer_ingress:
      enabled: true
      className: alb
      annotations:
        alb.ingress.kubernetes.io/certificate-arn: <CERT_ARN>
        alb.ingress.kubernetes.io/healthcheck-path: /health
        alb.ingress.kubernetes.io/healthcheck-port: '5039'
        alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
        alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 5039}]'
        alb.ingress.kubernetes.io/scheme: internal
        alb.ingress.kubernetes.io/subnets: <VPC_PRIVATE_SUBNET>
        alb.ingress.kubernetes.io/tags: env=dev
        alb.ingress.kubernetes.io/target-type: ip
      hosts:
        - host: <SOMBRA_CUSTOMER_INGRESS_DOMAIN>
          paths:
            - path: /
              pathType: Prefix
    
    envs:
      - name: ORGANIZATION_URI
        value: '<ORGANIZATION_URI>'
      - name: EMPLOYEE_AUTHENTICATION_METHODS
        value: 'transcend,session'
      - name: DATA_SUBJECT_AUTHENTICATION_METHODS
        value: 'transcend,session'
    
    envs_as_secret:
      - name: INTERNAL_KEY_HASH
        value: '<INTERNAL_KEY_HASH>'
      - name: JWT_ECDSA_KEY
        value: '<JWT_ECDSA_KEY>'
      - name: INTERNAL_KEY
        value: '<INTERNAL_KEY>'

    Note: This example of values.yaml assumes you have deployed (A) a working Kubernetes cluster, and (B) an alb AWS application load balancer ingress controller.

  4. Install the package:

    helm install some-release transcend/sombra -f ~/values.yaml

    To upgrade the package after customization:

    helm upgrade some-release transcend/sombra -f ~/values.yaml

    To uninstall a release:

    helm uninstall some-release

Deployment examples

The following are sample values.yaml files for deploying Sombra in an AWS EKS cluster with different configurations. AWS is not a requirement—Kubernetes can run on any cloud—but AWS is used in these examples for illustrative purposes.

  • Each example assumes you have deployed (A) a working Kubernetes cluster, and (B) an alb AWS application load balancer ingress controller.
  • In each example, we are exposing Sombra's sombra-transcend-ingress server (for communication with Transcend through an internet-facing load balancer) and Sombra's sombra-customer-ingress server (for communication with internal services through an internal load balancer).

Deploying Sombra without TLS

TLS can be terminated at the load balancer, or at Sombra's server. In this example, TLS is terminated at the load balancer.

imageCredentials:
  registry: docker.transcend.io
  username: Transcend
  password: '<TRANSCEND_API_TOKEN>'

transcend_service:
  type: NodePort

transcend_ingress:
  enabled: true
  className: alb
  annotations:
    alb.ingress.kubernetes.io/certificate-arn: <CERT_ARN>
    alb.ingress.kubernetes.io/healthcheck-path: /health
    alb.ingress.kubernetes.io/healthcheck-port: '5042'
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 5042}]'
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/subnets: <VPC_PUBLIC_SUBNET>
    alb.ingress.kubernetes.io/tags: env=dev
    alb.ingress.kubernetes.io/target-type: ip
  hosts:
    - host: <SOMBRA_TRANSCEND_INGRESS_DOMAIN>
      paths:
        - path: /
          pathType: Prefix

customer_service:
  type: NodePort

customer_ingress:
  enabled: true
  className: alb
  annotations:
    alb.ingress.kubernetes.io/certificate-arn: <CERT_ARN>
    alb.ingress.kubernetes.io/healthcheck-path: /health
    alb.ingress.kubernetes.io/healthcheck-port: '5039'
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 5039}]'
    alb.ingress.kubernetes.io/scheme: internal
    alb.ingress.kubernetes.io/subnets: <VPC_PRIVATE_SUBNET>
    alb.ingress.kubernetes.io/tags: env=dev
    alb.ingress.kubernetes.io/target-type: ip
  hosts:
    - host: <SOMBRA_CUSTOMER_INGRESS_DOMAIN>
      paths:
        - path: /
          pathType: Prefix

envs:
  - name: ORGANIZATION_URI
    value: '<ORGANIZATION_URI>'
  - name: EMPLOYEE_AUTHENTICATION_METHODS
    value: 'transcend,session'
  - name: DATA_SUBJECT_AUTHENTICATION_METHODS
    value: 'transcend,session'

envs_as_secret:
  - name: INTERNAL_KEY_HASH
    value: '<INTERNAL_KEY_HASH>'
  - name: JWT_ECDSA_KEY
    value: '<JWT_ECDSA_KEY>'
  - name: INTERNAL_KEY
    value: '<INTERNAL_KEY>'

Deploying Sombra with TLS

TLS can be terminated at the load balancer, or at Sombra's server. In this example, TLS is terminated at Sombra's server.

imageCredentials:
  registry: docker.transcend.io
  username: Transcend
  password: '<TRANSCEND_API_TOKEN>'

transcend_service:
  type: NodePort

transcend_ingress:
  enabled: true
  className: alb
  annotations:
    alb.ingress.kubernetes.io/certificate-arn: <CERT_ARN>
    alb.ingress.kubernetes.io/healthcheck-path: /health
    alb.ingress.kubernetes.io/healthcheck-port: '5041'
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTPS
    alb.ingress.kubernetes.io/backend-protocol: HTTPS
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 5041}]'
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/subnets: <VPC_PUBLIC_SUBNET>
    alb.ingress.kubernetes.io/tags: env=dev
    alb.ingress.kubernetes.io/target-type: ip
  hosts:
    - host: <SOMBRA_TRANSCEND_INGRESS_DOMAIN>
      paths:
        - path: /
          pathType: Prefix

customer_service:
  type: NodePort

customer_ingress:
  enabled: true
  className: alb
  annotations:
    alb.ingress.kubernetes.io/certificate-arn: <CERT_ARN>
    alb.ingress.kubernetes.io/healthcheck-path: /health
    alb.ingress.kubernetes.io/healthcheck-port: '5040'
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTPS
    alb.ingress.kubernetes.io/backend-protocol: HTTPS
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 5040}]'
    alb.ingress.kubernetes.io/scheme: internal
    alb.ingress.kubernetes.io/subnets: <VPC_PRIVATE_SUBNET>
    alb.ingress.kubernetes.io/tags: env=dev
    alb.ingress.kubernetes.io/target-type: ip
  hosts:
    - host: <SOMBRA_CUSTOMER_INGRESS_DOMAIN>
      paths:
        - path: /
          pathType: Prefix

envs:
  - name: ORGANIZATION_URI
    value: '<ORGANIZATION_URI>'
  - name: EMPLOYEE_AUTHENTICATION_METHODS
    value: 'transcend,session'
  - name: DATA_SUBJECT_AUTHENTICATION_METHODS
    value: 'transcend,session'

envs_as_secret:
  - name: INTERNAL_KEY_HASH
    value: '<INTERNAL_KEY_HASH>'
  - name: JWT_ECDSA_KEY
    value: '<JWT_ECDSA_KEY>'
  - name: INTERNAL_KEY
    value: '<INTERNAL_KEY>'
  - name: SOMBRA_TLS_KEY
    value: <SOMBRA_TLS_KEY>
  - name: SOMBRA_TLS_KEY_PASSPHRASE
    value: <SOMBRA_TLS_KEY_PASSPHRASE>
  - name: SOMBRA_TLS_CERT
    value: <SOMBRA_TLS_CERT>

Deploying Sombra and the LLM Classifier

This example deploys Sombra with an accompanying LLM Classifier. The LLM Classifer requires an Nvidia GPU to run, so please make sure your cluster supports nvidia.com/gpu as a resource.

imageCredentials:
  registry: docker.transcend.io
  username: Transcend
  password: '<TRANSCEND_API_TOKEN>'

transcend_service:
  type: NodePort

transcend_ingress:
  enabled: true
  className: alb
  annotations:
    alb.ingress.kubernetes.io/certificate-arn: <CERT_ARN>
    alb.ingress.kubernetes.io/healthcheck-path: /health
    alb.ingress.kubernetes.io/healthcheck-port: '5042'
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 5042}]'
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/subnets: <VPC_PUBLIC_SUBNET>
    alb.ingress.kubernetes.io/tags: env=prod
    alb.ingress.kubernetes.io/target-type: ip
  hosts:
    - host: <SOMBRA_TRANSCEND_INGRESS_DOMAIN>
      paths:
        - path: /
          pathType: Prefix

customer_service:
  type: NodePort

customer_ingress:
  enabled: true
  className: alb
  annotations:
    alb.ingress.kubernetes.io/certificate-arn: <CERT_ARN>
    alb.ingress.kubernetes.io/healthcheck-path: /health
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 5039}]'
    alb.ingress.kubernetes.io/scheme: internal
    alb.ingress.kubernetes.io/subnets: <VPC_PRIVATE_SUBNET>
    alb.ingress.kubernetes.io/tags: env=prod
    alb.ingress.kubernetes.io/target-type: ip
  hosts:
    - host: <SOMBRA_CUSTOMER_INGRESS_DOMAIN>
      paths:
        - path: /
          pathType: Prefix

envs:
  - name: ORGANIZATION_URI
    value: '<ORGANIZATION_URI>'
  - name: EMPLOYEE_AUTHENTICATION_METHODS
    value: 'transcend,session'
  - name: DATA_SUBJECT_AUTHENTICATION_METHODS
    value: 'transcend,session'
  - name: LLM_CLASSIFIER_URL
    value: http://<release-name>-llm-classifier.transcend.svc:6081

envs_as_secret:
  - name: INTERNAL_KEY_HASH
    value: '<INTERNAL_KEY_HASH>'
  - name: JWT_ECDSA_KEY
    value: '<JWT_ECDSA_KEY>'
  - name: INTERNAL_KEY
    value: '<INTERNAL_KEY>'

llm-classifier:
  enabled: true

Deploying the LLM Classifier with tls enabled

This example deploys LLM Classifier with TLS enabled to keep internal communication with sombra encrypted. The LLM Classifer requires an Nvidia GPU to run, so please make sure your cluster supports nvidia.com/gpu as a resource.

imageCredentials:
  registry: docker.transcend.io
  username: Transcend
  password: '<TRANSCEND_API_TOKEN>'

transcend_service:
  type: NodePort

transcend_ingress:
  enabled: true
  className: alb
  annotations:
    alb.ingress.kubernetes.io/certificate-arn: <CERT_ARN>
    alb.ingress.kubernetes.io/healthcheck-path: /health
    alb.ingress.kubernetes.io/healthcheck-port: '5042'
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 5042}]'
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/subnets: <VPC_PUBLIC_SUBNET>
    alb.ingress.kubernetes.io/tags: env=prod
    alb.ingress.kubernetes.io/target-type: ip
  hosts:
    - host: <SOMBRA_TRANSCEND_INGRESS_DOMAIN>
      paths:
        - path: /
          pathType: Prefix

customer_service:
  type: NodePort

customer_ingress:
  enabled: true
  className: alb
  annotations:
    alb.ingress.kubernetes.io/certificate-arn: <CERT_ARN>
    alb.ingress.kubernetes.io/healthcheck-path: /health
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 5039}]'
    alb.ingress.kubernetes.io/scheme: internal
    alb.ingress.kubernetes.io/subnets: <VPC_PRIVATE_SUBNET>
    alb.ingress.kubernetes.io/tags: env=prod
    alb.ingress.kubernetes.io/target-type: ip
  hosts:
    - host: <SOMBRA_CUSTOMER_INGRESS_DOMAIN>
      paths:
        - path: /
          pathType: Prefix

envs:
  - name: ORGANIZATION_URI
    value: '<ORGANIZATION_URI>'
  - name: EMPLOYEE_AUTHENTICATION_METHODS
    value: 'transcend,session'
  - name: DATA_SUBJECT_AUTHENTICATION_METHODS
    value: 'transcend,session'
  - name: LLM_CLASSIFIER_URL
    value: https://<release-name>-llm-classifier.transcend.svc:6081

envs_as_secret:
  - name: INTERNAL_KEY_HASH
    value: '<INTERNAL_KEY_HASH>'
  - name: JWT_ECDSA_KEY
    value: '<JWT_ECDSA_KEY>'
  - name: INTERNAL_KEY
    value: '<INTERNAL_KEY>'

llm-classifier:
  enabled: true
  tls:
    enabled: true,
    # saved as secret
    cert: |-
      -----BEGIN CERTIFICATE-----
      <base64>
      -----END CERTIFICATE-----
    # saved as secret
    key: |-
      -----BEGIN PRIVATE KEY-----
      <base64>
      -----END PRIVATE KEY-----

  # volume containg cert and key
  volumes:
    - name: llm-classifier-ssl
      secret:
        secretName: llm-classifier-secrets

  # mount the directory containing the cert and key to pod
  volumeMounts:
    - mountPath: "/etc/llm-classifier/ssl"
      name: llm-classifier-ssl
      readOnly: true
  
  # Set the location of cert and key in evironment
  envs:
    - name: LLM_CERT_PATH
      value: "/etc/llm-classifier/ssl/llm-classifier.cert"
    - name: LLM_KEY_PATH
      value: "/etc/llm-classifier/ssl/llm-classifier.key"

Deploying Sombra and Pathfinder

The following example adds Pathfinder to the Kubernetes deployment.

imageCredentials:
  registry: docker.transcend.io
  username: Transcend
  password: '<TRANSCEND_API_TOKEN>'

transcend_service:
  type: NodePort

transcend_ingress:
  enabled: true
  className: alb
  annotations:
    alb.ingress.kubernetes.io/certificate-arn: <CERT_ARN>
    alb.ingress.kubernetes.io/healthcheck-path: /health
    alb.ingress.kubernetes.io/healthcheck-port: '5042'
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 5042}]'
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/subnets: <VPC_PUBLIC_SUBNET>
    alb.ingress.kubernetes.io/tags: env=prod
    alb.ingress.kubernetes.io/target-type: ip
  hosts:
    - host: <SOMBRA_TRANSCEND_INGRESS_DOMAIN>
      paths:
        - path: /
          pathType: Prefix

customer_service:
  type: NodePort

customer_ingress:
  enabled: true
  className: alb
  annotations:
    alb.ingress.kubernetes.io/certificate-arn: <CERT_ARN>
    alb.ingress.kubernetes.io/healthcheck-path: /health
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 5039}]'
    alb.ingress.kubernetes.io/scheme: internal
    alb.ingress.kubernetes.io/subnets: <VPC_PRIVATE_SUBNET>
    alb.ingress.kubernetes.io/tags: env=prod
    alb.ingress.kubernetes.io/target-type: ip
  hosts:
    - host: <SOMBRA_CUSTOMER_INGRESS_DOMAIN>
      paths:
        - path: /
          pathType: Prefix

envs:
  - name: ORGANIZATION_URI
    value: '<ORGANIZATION_URI>'
  - name: EMPLOYEE_AUTHENTICATION_METHODS
    value: 'transcend,session'
  - name: DATA_SUBJECT_AUTHENTICATION_METHODS
    value: 'transcend,session'

envs_as_secret:
  - name: INTERNAL_KEY_HASH
    value: '<INTERNAL_KEY_HASH>'
  - name: JWT_ECDSA_KEY
    value: '<JWT_ECDSA_KEY>'
  - name: INTERNAL_KEY
    value: '<INTERNAL_KEY>'

pathfinder:
  enabled: true
  envs_as_secret:
    - name: OPEN_AI_API_KEY
      value: '<OPEN_AI_API_KEY>'
    - name: AUTHENTICATION_KEY_HASH
      value: '<AUTHENTICATION_KEY_HASH>'
    - name: TRANSCEND_API_KEY
      value: '<TRANSCEND_API_KEY>'

  service:
    type: NodePort

  ingress:
    enabled: true
    annotations:
      alb.ingress.kubernetes.io/certificate-arn: <CERT_ARN>
      alb.ingress.kubernetes.io/healthcheck-path: /health
      alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
      alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 3030}]'
      alb.ingress.kubernetes.io/scheme: internal
      alb.ingress.kubernetes.io/subnets: <VPC_PRIVATE_SUBNET>
      alb.ingress.kubernetes.io/tags: env=prod
      alb.ingress.kubernetes.io/target-type: ip
  hosts:
    - host: <PATHFINDER_INGRESS_DOMAIN>
      paths:
        - path: /
          pathType: Prefix

Deploying Sombra on Azure

The following example deploys Sombra on Azure. This would require setting up an Application Gateway, which will be used as the ingress controller, on Azure and adding the TLS secret into the cluster.

imageCredentials:
  registry: docker.transcend.io
  username: Transcend
  password: '<TRANSCEND_API_TOKEN>'

transcend_service:
  type: ClusterIP

transcend_ingress:
  enabled: true
  className: 'azure-application-gateway'
  annotations:
    appgw.ingress.kubernetes.io/health-probe-hostname: <SOMBRA_TRANSCEND_INGRESS_DOMAIN>
    appgw.ingress.kubernetes.io/health-probe-path: /health
    appgw.ingress.kubernetes.io/health-probe-port: '5042'
  hosts:
    - host: <SOMBRA_TRANSCEND_INGRESS_DOMAIN>
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: <SOMBRA_TRANSCEND_TLS_SECRET_NAME>
      hosts:
        - <SOMBRA_TRANSCEND_INGRESS_DOMAIN>

customer_service:
  type: ClusterIP

customer_ingress:
  enabled: true
  className: 'azure-application-gateway'
  annotations:
    appgw.ingress.kubernetes.io/health-probe-hostname: <SOMBRA_TRANSCEND_INGRESS_DOMAIN>
    appgw.ingress.kubernetes.io/health-probe-path: /health
    appgw.ingress.kubernetes.io/health-probe-port: '5039'
  hosts:
    - host: <SOMBRA_CUSTOMER_INGRESS_DOMAIN>
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: <SOMBRA_CUSTOMER_TLSSECRET_NAME>
      hosts:
        - <SOMBRA_CUSTOMER_INGRESS_DOMAIN>

envs:
  - name: ORGANIZATION_URI
    value: '<ORGANIZATION_URI>'
  - name: EMPLOYEE_AUTHENTICATION_METHODS
    value: 'transcend,session'
  - name: DATA_SUBJECT_AUTHENTICATION_METHODS
    value: 'transcend,session'
  - name: SOMBRA_ID
    value: '<SOMBRA_ID>'

envs_as_secret:
  - name: INTERNAL_KEY_HASH
    value: <INTERNAL_KEY_HASH>
  - name: JWT_ECDSA_KEY
    value: <JWT_ECDSA_KEY>
  - name: INTERNAL_KEY
    value: <INTERNAL_KEY>

livenessProbe:
  httpGet:
    path: /health
    port: 5042
    scheme: HTTP
  timeoutSeconds: 100
  periodSeconds: 30
  successThreshold: 1
  failureThreshold: 10

readinessProbe:
  httpGet:
    path: /health
    port: 5042
    scheme: HTTP
  timeoutSeconds: 100
  periodSeconds: 30
  successThreshold: 1
  failureThreshold: 10

Configuring Sombra

The following is a list of enviroment variables supported by Sombra for its configuration. Please check out our detailed guide on self-hosting Sombra.

Variables Required default secret Description
ORGANIZATION_URI yes N/A no This value can be found under "Sombra Audience" here: https://app.transcend.io/infrastructure/sombra/sombras
SOMBRA_ID no N/A no The SOMBRA_ID parameter is only required when deploying multiple Sombra gateways. This value can be found under "ID" here: https://app.transcend.io/infrastructure/sombra/sombras.
EMPLOYEE_AUTHENTICATION_METHODS yes N/A no We recommend starting with the 'transcend' authentication method. After Single Sign On is setup, 'transcend' can be switched to 'saml'.
DATA_SUBJECT_AUTHENTICATION_METHODS yes N/A no We recommend starting with the 'transcend' authentication method. After Account Login is setup, 'transcend' can be switched to 'oauth' or 'jwt'.
JWT_ECDSA_KEY yes N/A yes The root secrets that you should generate yourself and keep secret. If you are migrating from a Transcend-hosted multi-tenant Sombra to an on-premise and are mid-implementation, it is critical that you re-use the same JWT_ECDSA_KEY from the existing instance. If you already have connected integrations and DSRs, you should deploy the on premise Sombra gateway with the same JWT_ECDSA_KEY and then run a key rotation after the gateway is deployed. To obtain the JWT_ECDSA_KEY reach out to your account manager over Slack or email [email protected] to grant access for you to download the key. You will only be able to reveal the key once for security reasons. The key can be obtained by clicking the Reveal Multi Tenant Root Secret button on the Sombra Gateways panel in the Admin UI.
JWT_AUTHENTICATION_PUBLIC_KEY no N/A no Company's data subject authentication via JWT public key(s). First entry is latest.
ALLOW_EMPLOYEE_CEK_ACCESS no true no Allow employees to submit and download DSRs on behalf of the data subjects.
CONSENT_IDENTIFIER_ENCRYPTION_KEY no N/A yes The Elliptic Curve Diffie Hellman private key(s), for securely communicating with the data subject. Derived from JWT_ECDSA_KEY by default. First entry is latest.
INTERNAL_KEY_HASH yes N/A yes The hash of a randomly-generated API key that will be used to verify incoming requests from your internal systems. You can use this guide for the generation of key.
SAML_ENTRYPOINT no N/A no Identity provider entrypoint (is required to be spec-compliant when the request is signed).
SAML_ISSUER no transcend no Issuer string to supply to identity provider.
SAML_CERT no N/A no The public key to validate the SAML assertion against. The "BEGIN CERTIFICATE" and "END CERTIFICATE" lines should be stripped out and the certificate should be provided on a single line.
SAML_AUDIENCE no transcend no Expected SAML response Audience (if not provided, Audience won't be verified)
OAUTH_CLIENT_ID yes if you configured oauth as one of the DATA_SUBJECT_AUTHENTICATION_METHODS. no no The Client ID of your privacy center's OAuth 2 application.
OAUTH_CLIENT_SECRET yes if you configured oauth as one of the DATA_SUBJECT_AUTHENTICATION_METHODS. N/A yes The Client Secret of your privacy center's OAuth 2 application.
OAUTH_GET_TOKEN_URL yes if you configured oauth as one of the DATA_SUBJECT_AUTHENTICATION_METHODS. N/A no The token URL for your OAuth API (authorization_code => access_token) e.g. https://api.acme.com/oauth/token.
OAUTH_GET_TOKEN_HEADERS yes if you configured oauth as one of the DATA_SUBJECT_AUTHENTICATION_METHODS. N/A no The headers to include when fetching the OAuth token. Expected format is a stringified JSON object, e.g. {"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"}.
OAUTH_GET_TOKEN_METHOD no POST no The HTTP method to use when retrieving the OAuth token
OAUTH_GET_TOKEN_BODY_GRANT_TYPE no N/A no The grant type for this OAuth token
OAUTH_GET_TOKEN_BODY_REDIRECT_URI yes if you configured oauth as one of the DATA_SUBJECT_AUTHENTICATION_METHODS N/A no The redirect URI for the Oauth token body.
OAUTH_GET_CORE_ID_URL yes if you configured oauth as one of the DATA_SUBJECT_AUTHENTICATION_METHODS N/A no The API endpoint where we can find a user ID or similar core identifier (e.g. https://api.acme.com/user-profile).
OAUTH_GET_CORE_ID_PATH yes if you configured oauth as one of the DATA_SUBJECT_AUTHENTICATION_METHODS N/A no A path to the coreIdentifier (User ID) to traverse a JSON body (path.to.user.id).
OAUTH_GET_CORE_ID_DATA_SUBJECT_TYPE yes if you configured oauth as one of the DATA_SUBJECT_AUTHENTICATION_METHODS N/A no The type of Data Subject that the OAuth configuration refers to. This should use the Data Subject slug, which is the value found in parentheses under DSR Automation -> Request Settings -> Data Subjects.
OAUTH_GET_PROFILE_PICTURE_URL no N/A no Configuration to retrieve additional profile data for the data subject (e.g. nickname, picture).
OAUTH_GET_PROFILE_PICTURE_PATH no N/A no A path to the profile picture URL image, from the OAuth response body.
OAUTH_GET_EMAIL_URL no N/A no The URL that should be hit to fetch the user email address.
OAUTH_GET_EMAIL_PATH no N/A no In the JSON response body for the data subject oauth authentication, what is the path to the email? e.g. profile.email.
OAUTH_EMAIL_IS_VERIFIED_PATH no no no JSON path to the is_verified field on the Oauth profile.
OAUTH_EMAIL_IS_VERIFIED no N/A no Whether all OAuth emails are already verified by default, attested by the organization.
DATA_SUBJECT_SESSION_EXPIRY_TIME no '5 days' no The length in time that the session JWT will last
EMPLOYEE_SESSION_EXPIRY_TIME no '3 hour' no The length in time that the session JWT will last
SOMBRA_TLS_KEY yes, if you want encrypted traffic b/w Sombra and the load balancer. N/A no The TLS private key for this server, base64-encoded in PEM format.
SOMBRA_TLS_KEY_PASSPHRASE yes, if you want encrypted traffic b/w Sombra and the load balancer. N/A yes when generating your TLS cert, you may have been prompted to add a passphrase to your private key. If you did, you can add the passphrase here to let Sombra access it.
SOMBRA_TLS_CERT yes, if you want encrypted traffic b/w Sombra and the load balancer. N/A yes The TLS certificate for this server, base64-encoded in PEM format.
TRUSTED_CLIENT_CA_CERT_ENCODED no N/A yes The public CA cert from a client who is connecting to the internal Sombra over mutual TLS. If set, Sombra will enforce that all incoming requests to non-health routes have a client cert.
EXTERNAL_PORT_HTTPS no 5041 no Port for the external HTTPS server (faces inside firewall).
EXTERNAL_PORT_HTTP no 5042 no Port for the external HTTP server (faces inside firewall)
INTERNAL_PORT_HTTPS no 5040 no Port for the internal HTTPS server (faces inside firewall)
INTERNAL_PORT_HTTP no 5039 no Port for the internal HTTP server (faces inside firewall)
LLM_CLASSIFIER_URL no N/A no The LLM classifier service endpoint.
SOMBRA_IS_BEHIND_PROXY no false no Whether Sombra is behind a proxy.
ODBC_POOL_CACHE_SIZE no no Max size of LRU cache to store the connection pool per database.
ODBC_CONNECTION_MAX_POOL_SIZE no 100 no The maximum number of open Connections the Pool will create
ODBC_CONNECTION_INITIAL_POOL_SIZE no Set a relevant value, to enable connection pooling, based on the number of odbc based Integrations you planning to connect 10 The initial number of Connections created in the Pool
ODBC_CONNECTION_POOL_SIZE_INCREMENT no 10 no How many additional Connections to create when all of the Pool's connections are taken
ODBC_CONNECTION_POOL_SIZE_SHRINK no true no Whether or not the number of Connections should shrink to initialSize as they free up
REUSE_ODBC_CONNECTIONS no false no Whether or not to reuse an existing Connection instead of creating a new one
ODBC_LOGIN_TIMEOUT_IN_SECONDS no 10 no The number of seconds to wait for a login request to complete before returning to the application
ODBC_CONNECTION_TIMEOUT_IN_SECONDS no 0 no The number of seconds to wait for a request on the connection to complete before returning to the application
ODBC_QUERY_TIMEOUT_IN_SECONDS no 60 no How long to wait for each ODBC query to execute before returning to the application
ODBC_POOL_CACHE_TTL_MS no 3600000 no How long the connection pool per database should be cached in milliseconds
MONGODB_SERVER_SELECTION_TIMEOUT_IN_MS no 30000 no How long to wait to connect to MongoDB
MONGODB_CONNECT_TIMEOUT_IN_MS no 30000 no How long to wait for each ongoing connection
KMS_PROVIDER no local no The key management provider. Follow this guide for setup.
AWS_REGION yes, when you are using AWS as KMS_PROVIDER. N/A no The AWS Region where the KMS is hosted
AWS_KMS_KEY_ARN yes, when you are using AWS as KMS_PROVIDER. N/A yes The Amazon Resource Name for the Amazon KMS.
AWS_ACCESS_KEY_ID yes, when you are using AWS as KMS_PROVIDER. N/A yes The AWS access key ID, used to access the Amazon KMS.
AWS_SECRET_ACCESS_KEY yes, when you are using AWS as KMS_PROVIDER. N/A yes The AWS secret access key, used to access the Amazon KMS.
LOG_HTTP_TRANSPORT_URL yes if your want to forward Sombra logs to transcend N/A no The Transcend Collector's HTTPS ingress endpoint.
LOG_HTTP_TRANSPORT_BATCH_INTERVAL_MS no 5000 no The maximum time to wait between batches of logs sent to the Collector.
LOG_HTTP_TRANSPORT_BATCH_COUNT no 10 no The maximum number of log lines to send in a single batched request.
DD_SERVICE_NAME yes if your want to forward Sombra logs to transcend customer_hosted_sombra no The name for your Sombra.
AWS_ACCESS_KEY_ID yes if you want to utilize any of the AWS integrations N/A no The AWS access key ID of the IAM user with the STS:AssumeRole
AWS_SECRET_ACCESS_KEY yes if you want to utilize any of the AWS integrations N/A no The AWS secret access key of the IAM user with the STS:AssumeRole

Configuring the LLM Classifier

Variables Required default secret Description
LLM_SERVER_PORT no 6081 no Port on which server listen to.
LLM_SERVER_CONCURRENCY no (cpu count) * 2 no The number of worker processes for handling requests.
LLM_SERVER_TIMEOUT no 120 no Workers silent for more than this many seconds are killed and restarted.
LLM_SERVER_BACKLOG no 500 no The maximum number of pending connections.
LLM_SERVER_WORKER_CONNECTIONS no 1000 no The maximum number of simultaneous clients.

Configuring Pathfinder

Variables Required default secret Description
AUTHENTICATION_KEY_HASH Required if REQUIRE_AUTHENTICATION is true N/A yes Hash to check Bearer tokens against when services are authenticating to the server. See section on Generating Keys below.
REQUIRE_AUTHENTICATION no N/A yes Whether to require services to authenticate to Pathfinder. May not be necessary if all services using Pathfinder are on the same network.
OPEN_AI_API_KEY yes N/A yes API key for OpenAI, obtained from https://platform.openai.com/account/api-keys.
PORT no 3030 no The internal port to run Pathfinder on.

Generating AUTHENTICATION_KEY_HASH & AUTHENTICATION_KEY for Pathfinder

Run the following to generate keys for Pathfinder

INTERNAL_KEY_BIN=$(openssl rand 32)
AUTHENTICATION_KEY=$(echo -n "$INTERNAL_KEY_BIN" | base64)
AUTHENTICATION_KEY_HASH=$(echo -n "$INTERNAL_KEY_BIN" | openssl dgst -binary -sha256 | openssl base64)
Cyan='\033[0;36m' # Cyan color
NC='\033[0m' # No Color
echo "\n- Set in Pathfinder environment:\n  AUTHENTICATION_KEY_HASH: $Cyan$AUTHENTICATION_KEY_HASH$NC"
echo "\n- Clients should pass this Bearer token in the HTTP authorization headers:\n  PATHFINDER_BEARER_TOKEN: $Cyan$AUTHENTICATION_KEY$NC\n\n  - For example:\n    { authorization: Bearer $AUTHENTICATION_KEY }"

Configure a service to use Pathfinder

For any call to OpenAI, configure your service to use Pathfinder instead by using <your.pathfinder.domain>/api/open-ai instead of the OpenAI base host. Individual endpoints can be appended to this base. For example, https://api.openai.com/v1/chat/completions becomes <your.pathfinder.domain>/api/open-ai/v1/chat/completions.

If you set REQUIRE_AUTHENTICATION to true in your env file, you will also need to add an Authentication header to any API calls to Pathfinder. For example,

{
  headers: {
    // AUTHENTICATION_KEY is the key output in the Generating Keys section above
    Authentication: 'Bearer <AUTHENTICATION_KEY>';
  }
}