DSM System Namespace


Overview

The dsm-system namespace is designated for storing and managing system-wide secrets and configurations in DSM. It is intended to centralize system resources, ensuring they are secure and easily accessible for administrative tasks. DSM Admins have the ability to create, update, and read resources in this namespace, while DSM Users can only read specific resources.

Capabilities

DSM Admins

  • Create, update, and read:

    • ConfigMaps

    • Secrets

    • BackupLocations

    • DirectoryServices

    • ImageRegistry

    • MetricsTarget

    • SupportBundle

DSM Users

  • Read-only access to:

    • BackupLocations

    • DirectoryServices

    • ConfigMaps

Note: DSM Users cannot read Secrets.

Key Actions for DSM Admins

  • ConfigMaps and Secrets:

    • Create or update trust bundles.

    • Manage system-wide backup locations.

    • Configure the system-wide LDAP directory service.

  • User Access:

    • Allow users to read backup locations, directory services, and ConfigMaps.

    • Restrict users from reading Secrets.

Pre-defined Well-Known Resources

  1. ConfigMap trusted-root-ca

    • Contains the list of trusted root CAs used by DSM as a trust bundle.

  2. Directory Service ldap-default

    • The directory service used by DSM Appliance and Database clusters for authentication.

  3. ConfigMap vcenter-ca

    • Contains the server issuer CA of the vCenter server connected to DSM.

  4. BackupLocation default-provider-log-repo

    • An S3-compatible object store for saving log bundles generated on the Provider VM.

  5. BackupLocation default-provider-backup-repo

    • An S3-compatible object store for periodically backing up the Provider VM database.

  6. ConfigMap advanced-system-config

    • Contains advanced system-wide configuration options that apply to the entire DSM system. These settings are managed by DSM Admins and affect system behavior across all data services and clusters. Changing default values must be done with caution. Supported keys:

      • default-namespace-allowed-for-new-data-service-instance (boolean, default: "false"): When "true", allows Postgres and MySQL clusters to be created in the legacy “default” namespace. When "false" or not set, clusters must be created in dsm-managed namespaces.

      • postgrescluster-allow-non-ssl-system-users (boolean, default: "false"): When "true", allows non-SSL connections for system users (admin user, monitoring user) in Postgres clusters. This overrides the default SSL enforcement for system users introduced in DSM release >= 9.0.2. Applies to new clusters immediately; existing clusters will pick up the change on next update.
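
As an added example (not part of the DSM documentation or product code), the following Python script audits an exported advanced-system-config ConfigMap against the supported keys above and reports any setting that deviates from its documented default, such as non-SSL connections being allowed for system users. It assumes the ConfigMap has been exported as JSON in the standard Kubernetes ConfigMap layout; the function name, the sample manifest and the key example-unknown-key are constructed for illustration.

```python
import json

# Supported keys and documented defaults, taken from the page.
SUPPORTED = {
    "default-namespace-allowed-for-new-data-service-instance": "false",
    "postgrescluster-allow-non-ssl-system-users": "false",
}

def audit_advanced_system_config(manifest):
    """Return findings for a ConfigMap manifest; an empty list means defaults only."""
    meta = manifest.get("metadata") or {}
    if manifest.get("kind") != "ConfigMap" or meta.get("name") != "advanced-system-config":
        return ["not the advanced-system-config ConfigMap"]
    findings = []
    if meta.get("namespace") != "dsm-system":
        findings.append(f"unexpected namespace: {meta.get('namespace')!r}")
    for key, value in sorted((manifest.get("data") or {}).items()):
        if key not in SUPPORTED:
            findings.append(f"unsupported key: {key}")
        elif value not in ("true", "false"):
            # Assumption: only the quoted forms shown on the page are treated as valid.
            findings.append(f"{key}: unexpected value {value!r}")
        elif value != SUPPORTED[key]:
            findings.append(f"{key}: set to {value!r}, default is {SUPPORTED[key]!r}")
    return findings

# Constructed sample export (JSON form of a ConfigMap); "example-unknown-key" is a placeholder.
SAMPLE = json.loads("""
{
  "apiVersion": "v1",
  "kind": "ConfigMap",
  "metadata": {"name": "advanced-system-config", "namespace": "dsm-system"},
  "data": {
    "default-namespace-allowed-for-new-data-service-instance": "false",
    "postgrescluster-allow-non-ssl-system-users": "true",
    "example-unknown-key": "true"
  }
}
""")

if __name__ == "__main__":
    for finding in audit_advanced_system_config(SAMPLE):
        print("FINDING:", finding)
```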

By managing these resources, DSM Admins ensure that the DSM environment remains secure and properly configured, while allowing DSM Users appropriate access to necessary configurations and services.