Platform configuration
Platform configuration is a key-value store in the Core API database (PlatformConfigurations). It holds deployment-wide settings so values can be changed without rebuilding images and restored after disaster recovery.
This page documents operator and platform keys. The full legacy public_api_v1.* catalog (connection strings, Mailjet, Cosmos, and similar) is internal-only: see the engineering catalog in the monorepo at docs/src/content/_internal/platform-configuration-keys.md. Machine-readable inventory: docs/platform-config-keys.json (regenerate with node docs/scripts/extract-platform-config-keys.mjs).
Where keys are managed
| Surface | Use |
|---|---|
| Cluster Manager | Configuration → Manage Settings for operators |
| v2 API | Authenticated GET/POST/PUT under /api/v2/config (dashboard roles) |
| In-cluster services | Core API GET/POST/PUT/DELETE under /api/config (privileged callers) |
HEAT Auth loads the public_api_v1 prefix from Core API at startup. Python runners read runner_config via GET /api/config/runner_config (nested JSON). The scheduler reads GET /api/config/system and GET /api/config/scheduler.
Access and redaction
- External integrators may read
public_api_v1.*andfrontend.facadeonly. - Keys whose names contain
connectionstringorsecretreturn**REDACTED**unless the caller has Privileged or System context. - Creating or updating
system.*keys requires Privileged or System context.
Prefix guide
| Prefix | Audience | Purpose |
|---|---|---|
system.* | Operator / platform | Core API auth, retention, statics rotation, project worker image |
runner_config.* | Operator | Default object store and S3 gzip behaviour for runners |
frontend.* | Operator | Cluster Manager login integration |
report.* | Operator | Legacy facade report definitions |
monitoring.Grafana.* | Operator | Embedded Grafana URLs in Cluster Manager |
scheduler.* | Operator | Scheduler poll intervals and runner pod limits (optional) |
qa.* | Operator (non-prod) | Cypress QA user reset |
public_api_v1.* | Integrator (legacy) | v1 cloud settings bundle (internal catalog) |
system.*
| Key | Purpose | Affects | Limitations | Default |
|---|---|---|---|---|
system.core.auth_mode | Core API authentication mode: Local, ClusterOnly, or Strict. | Every Core API request via CoreAuthMiddleware. | ClusterOnly requires ingress to set X-HEAT-Request-Source: external for outside traffic. | Local (seeded at setup) |
system.core.internal_request_privilege | Privilege for in-cluster requests without the external header. | Internal service access to platform-only resources. | Use System only for trusted services (for example v2 API aggregating statics). Default Privileged. | Privileged |
system.retention.tick_minutes | Minutes between session output retention archive sweeps. | Session retention background job. | Integer 1-1440; invalid values fall back to ~5 minutes. | ~5 |
system.statics.global_singleton_session_rotate_hour_utc | UTC hour (0-23) to rotate global singleton static backing sessions. | Statics (for example Resource Monitor). | Unset: no platform-wide rotation hour. | (none) |
system.ProjectWorkerContainerImage | Container image for project-worker (JetStream ingest). | Scheduler provisioning of per-project workers. | Must exist in cluster registry; privileged key. | heatglobal.azurecr.io/heat-project-worker:latest |
runner_config.*
Read as nested JSON from GET /api/config/runner_config (for example default_store under the runner_config object).
| Key | Purpose | Affects | Limitations | Default |
|---|---|---|---|---|
runner_config.default_store | Default data source name when nodes omit dataSourceName. | Python runners, system-utils dimension nodes, uploads. | Must match a registered data source (usually HEAT Managed Object Store). | HEAT Managed Object Store |
runner_config.gzip_node_outputs | When literal true, eligible JSON S3 node outputs may be stored gzip-compressed. | system-utils S3 writers, node output download path. | Empty means off. | (empty, off) |
frontend.*
| Key | Purpose | Affects | Limitations | Default |
|---|---|---|---|---|
frontend.facade | When true, Cluster Manager login uses HEAT Auth. | Cluster Manager /login flow. | Required for HEAT Auth login; setup forces true. | true |
report.*
Legacy v1 facade reports only. Authoring detail: monorepo docs/src/content/_internal/facade/Report.md.
| Key | Purpose | Affects | Limitations | Default |
|---|---|---|---|---|
report.Settings.Reports | JSON array of available report definitions. | Legacy report UI and /v1/Report routing. | Each entry needs matching report.Configurations.{key}.* keys. | Seeded session-list entry |
report.Settings.Default | Default report key when none is requested. | Legacy report export. | Must exist in report.Settings.Reports. | session-list |
report.Configurations.sessionList.Columns.Date | Column spec for session date. | Session list report | Legacy only | JSON column |
report.Configurations.sessionList.Columns.Account | Column spec for account name. | Session list report | Legacy only | JSON column |
report.Configurations.sessionList.Columns.DimensionName | Column spec for dimension name. | Session list report | Legacy only | JSON column |
report.Configurations.sessionList.FileName | Export filename prefix. | Session list CSV/export | Legacy only | Session_List |
report.Configurations.{configurationKey}.* | Pattern: per-report blocks (columns, FileName, and similar). | Custom legacy reports | Add keys for each configurationKey in report.Settings.Reports | (operator-defined) |
monitoring.Grafana.*
Operator-added keys for on-prem Grafana. Example dashboard names: CoreApi, HeatAuth, HeatScheduler, LegacyRunner, V1ExternalApi.
| Key | Purpose | Affects | Limitations |
|---|---|---|---|
monitoring.Grafana.BaseUrl | Grafana base URL for embeds. | Cluster Manager monitoring pages | Must match live Grafana ingress |
monitoring.Grafana.Dashboards.{name} | Pattern: public dashboard path per service. | Embedded panels in Cluster Manager | One key per dashboard |
scheduler.*
Optional keys returned as nested JSON from GET /api/config/scheduler. If missing, the scheduler uses built-in defaults (poll_interval_ms and config_update_interval_ms typically 10000).
| Key | Purpose | Affects | Limitations |
|---|---|---|---|
scheduler.poll_interval_ms | Task polling interval (ms). | Runner task claiming | String numeric value |
scheduler.config_update_interval_ms | Config reload interval (ms). | Scheduler control loop | String numeric value |
scheduler.limits.{runnerName}.* | Pattern: min/max pods per runner type. | Kubernetes runner deployments | Must match SchedulerConfig shape |
system.ProjectWorkerContainerImage is exposed to the scheduler via GET /api/config/system as ProjectWorkerContainerImage (not under the scheduler. prefix).
qa.*
Non-production Cypress environments only. See monorepo tests/qa-environments.md.
| Key | Purpose | Affects | Limitations |
|---|---|---|---|
qa.enabled | Enables QA user reset endpoint. | HEAT Auth QaController | Never true in production |
qa.lastResetUtc | Last successful reset timestamp (ISO). | Written by reset endpoint | Runtime-written |
qa.users.admin | Current QA admin external user GUID. | Cypress admin login | Runtime-written |
qa.users.instructor | Current QA instructor GUID. | Cypress | Runtime-written |
qa.users.trainee | Current QA trainee GUID. | Cypress | Runtime-written |
qa.users.developer | Current QA developer GUID. | Cypress | Runtime-written |
Feature toggles (legacy bundle)
The Next dashboard feature flag API reads FeatureToggleSettings.FeatureToggles from the nested public_api_v1 configuration (comma-separated names). That key lives in the public_api_v1.* internal catalog, not in the operator table above.
Related
- Session retention
- Statics
- Grafana on-prem
- Runners and Core Utils
- HEAT.Common client (
GetPlatformConfigurationByPrefixAsyncfor integrators)