# Vulcan Engine Stacks

Apply these Stacks after the Tenant has a Data plane and Compute.

Vulcan Stacks create the Tenant baseline for Data Product setup and validation.

{% hint style="info" %}
Treat this as the Tenant baseline. If these Stacks are not healthy, later steps such as Secrets, Depots, and sanity validation fail or stay blocked.
{% endhint %}

***

## Steps

{% stepper %}
{% step %}

### Apply Vulcan Stacks

Copy the Vulcan Stack YAML for your data source:

<details>

<summary>Vulcan Postgres Stack YAML</summary>

```yaml
name: vulcan-postgres
version: v2alpha
type: stack
tags:
  - dataos:type:resource
  - dataos:type:tenant-resource
  - dataos:resource:stack
  - dataos:tenant:ct-sandbox
description: dataos vulcan postgres stack v2alpha version 01
owner: shreyasikarwartmdcio
tenant: ct-sandbox
spec:
  name: vulcan
  flavor: postgres
  version: '1.0'
  reconciler: stackManager
  stackSpecValueSchema:
    jsonSchema: >
      {"$schema":"http://json-schema.org/draft-07/schema#","title":"Vulcan
      Config
      Schema","type":"object","properties":{"repo":{"type":"object","description":"Repository
      configuration","properties":{"url":{"type":"string","format":"uri","description":"Git
      repository URL"},"baseDir":{"type":"string","description":"Base directory
      inside the repo"},"syncFlags":{"type":"array","description":"Optional list
      of sync flags for
      clone/fetch","items":{"type":"string"}},"secret":{"type":"string","description":"Secret
      ID for repository
      authentication"}},"required":["url","baseDir"],"additionalProperties":false},"depots":{"type":"array","description":"List
      of depot
      addresses","items":{"type":"string"}},"command":{"type":"array","description":"Command
      to execute (overrides
      default)","items":{"type":"string"}},"arguments":{"type":"array","description":"Arguments
      to pass to command (overrides
      default)","items":{"type":"string"}}},"required":["repo"],"additionalProperties":false}
  workflowJobConfig:
    configFileTemplate: |
      config.yaml: |
      {{ toYaml .ApplicationSpec.StackSpec | indent 2 }}
    containerResourceTemplate: |
      initContainers:
        - name:  "{{.Name}}{{.Stamp}}-ic"
          image: docker.io/tmdcio/git-sync:latest
          imagePullPolicy: IfNotPresent
          command:
          - /git-sync
          args:
          - --repo={{ .ApplicationSpec.StackSpec.repo.url }}
          - --one-time=true
          - --root=/etc/dataos/work
          {{- if .ApplicationSpec.StackSpec.repo.syncFlags }}
          {{- range $flag := .ApplicationSpec.StackSpec.repo.syncFlags }}
          - {{ $flag | quote }}
          {{- end }}
          {{- end }}
          securityContext:
            runAsUser: 1000
            runAsGroup: 1000
            fsGroup: 1000
          volumeMounts:
          - mountPath: /etc/dataos/work
            name: workdir
          envFrom:
          - secretRef:
              name: "{{.EntityHash}}{{.NameHash}}-es"
      container:
        name: "{{.Name}}{{.Stamp}}-main"
        image: tmdcio/vulcan-postgres:0.228.1.23
        imagePullPolicy: IfNotPresent
        command:
          - /opt/venv/bin/python
          - /opt/venv/bin/entrypoint.py
        {{- if or .ApplicationSpec.StackSpec.command .ApplicationSpec.StackSpec.arguments }}
        args:
        {{- range $value := .ApplicationSpec.StackSpec.command }}
          - {{ $value | quote }}
        {{- end }}
        {{- range $value := .ApplicationSpec.StackSpec.arguments }}
          - {{ $value | quote }}
        {{- end }}
        {{- end }}
        volumeMounts:
        {{ if .HasSecretRefs }}
        - mountPath: /etc/dataos/secret
          name: dataos-secret-mount
          readOnly: true
        {{- end }}
        - name: workdir
          mountPath: /etc/dataos/work
        {{ if .ApplicationSpec.EnvironmentVars }}
        env:
          {{- range $conf, $value := .ApplicationSpec.EnvironmentVars }}
          - name: {{$conf}}
            value: {{ $value | quote }}
          {{- end }}
        {{- end}}
        envFrom:
        {{ if .EnvironmentVarsFromSecret }}
        {{- range $secName := .EnvironmentVarsFromSecret }}
        - secretRef:
            name: "{{$secName}}"
        {{- end }}
        {{- end }}
        {{- if .ApplicationSpec.Resources }}
        resources:
        {{toYaml .ApplicationSpec.Resources | indent 2 }}
        {{- end }}
  serviceConfig:
    configFileTemplate: |
      config.yaml: |
      {{ toYaml .ApplicationSpec.StackSpec | indent 2 }}
    containerResourceTemplate: |
      {{- if .ApplicationSpec.StackSpec.repo }}
      initContainers:
        - command:
          - /git-sync
          args:
          - --repo={{ .ApplicationSpec.StackSpec.repo.url }}
          - --one-time=true
          - --root=/etc/dataos/work
          {{- if .ApplicationSpec.StackSpec.repo.syncFlags }}
          {{- range $flag := .ApplicationSpec.StackSpec.repo.syncFlags }}
          - {{ $flag | quote }}
          {{- end }}
          {{- end }}
          image: docker.io/tmdcio/git-sync:latest
          imagePullPolicy: IfNotPresent
          name:  "{{.Name}}{{.Stamp}}-ic"
          securityContext:
            runAsUser: 1000
            runAsGroup: 1000
            fsGroup: 1000
          volumeMounts:
          - mountPath: /etc/dataos/work
            name: workdir
          envFrom:
          - secretRef:
              name: "{{.EntityHash}}{{.NameHash}}-es"
            {{- end }}
      securityContext:
        fsGroup: 1000
      container:
        name: "{{.Name}}{{.Stamp}}-main"
        image: tmdcio/vulcan-postgres:0.228.1.23
        imagePullPolicy: IfNotPresent
        {{- $repo := .ApplicationSpec.StackSpec.repo }}
        command:
          - /opt/venv/bin/python
          - /opt/venv/bin/entrypoint.py
        {{- if or .ApplicationSpec.StackSpec.command .ApplicationSpec.StackSpec.arguments }}
        args:
        {{- range $value := .ApplicationSpec.StackSpec.command }}
          - {{ $value | quote }}
        {{- end }}
        {{- range $value := .ApplicationSpec.StackSpec.arguments }}
          - {{ $value | quote }}
        {{- end }}
        {{- end }}
        volumeMounts:
          {{ if .HasSecretRefs }}
          - mountPath: /etc/dataos/secret
            name: dataos-secret-mount
            readOnly: true
          {{- end }}
          - name: workdir
            mountPath: /etc/dataos/work
          {{ if .HasConfigConfs }}
          - name: dataos-config-mount
            mountPath: /etc/dataos/config
            readOnly: true
          {{- end }}
        env:
          - name: POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          {{ if .ApplicationSpec.EnvironmentVars }}
          {{- range $conf, $value := .ApplicationSpec.EnvironmentVars }}
          - name: {{$conf}}
            value: {{ $value | quote }}
          {{- end }}
          {{- end }}
        envFrom:
          {{ if .EnvironmentVarsFromSecret }}
          {{- range $secName := .EnvironmentVarsFromSecret }}
          - secretRef:
              name: "{{$secName}}"
          {{- end }}
          {{- end }}
        securityContext:
          privileged: false
        {{- if .ApplicationSpec.Resources }}
        resources:
        {{toYaml .ApplicationSpec.Resources | indent 2 }}
        {{- end }}
      sidecars:
        {{- $name := .Name }}
        {{- $stamp := .Stamp }}
        {{- $type := .Type }}
        # GraphQL sidecar
        - name: "{{$name}}-sc-1"
          image: "tmdcio/vulcan-graphql:0.228.1.23"
          imagePullPolicy: IfNotPresent
          command:
            - "dumb-init"
            - "--"
          args:
            - "node"
            - "dist/main.js"
          env:
            - name: VULCAN_API_URL
              value: "http://127.0.0.1:8000"
          envFrom:
          {{ if .EnvironmentVarsFromSecret }}
          {{- range $secName := .EnvironmentVarsFromSecret }}
          - secretRef:
              name: "{{$secName}}"
          {{- end }}
          {{- end }}
          securityContext:
            privileged: false
          {{ if ne $type "workflow" }}
          volumeMounts:
            - name: workdir
              mountPath: /etc/dataos/work
            - name: dataos-secret-mount
              mountPath: /etc/dataos/secret
              readOnly: true
          {{- end }}
        # MySQL sidecar
        - name: "{{$name}}-sc-2"
          image: "tmdcio/mysql-wire:0.0.8"
          imagePullPolicy: IfNotPresent
          command:
            - "/usr/local/bin/mysql-wire"
          env:
            - name: MODE
              value: "server"
            - name: MYSQL_HOST
              value: "0.0.0.0"
            - name: MYSQL_PORT
              value: "3306"
            - name: MYSQL_DB_NAME
              value: "public"
            - name: MYSQL_ALLOW_CLEARTEXT_AUTH
              value: "true"
            - name: MYSQL_SSL_CERT_FILE
              value: /etc/dataos/certs/tls.crt
            - name: MYSQL_SSL_KEY_FILE
              value: /etc/dataos/certs/tls.key
            - name: VULCAN_API_URL
              value: "http://127.0.0.1:8000"
            - name: VULCAN_API_POLL_INITIAL_MS
              value: "10000"
            - name: VULCAN_API_POLL_MAX_MS
              value: "5000"
            - name: VULCAN_API_QUERY_TIMEOUT
              value: "300"
            - name: HTTP_HOST
              value: "0.0.0.0"
            - name: HTTP_PORT
              value: "8080"
            - name: HEIMDALL_AUTH_PATH
              value: "/api/v1/authorize"
            - name: HEIMDALL_TIMEOUT
              value: "10"
            - name: VULCAN_API_HTTP_TIMEOUT
              value: "60"
          envFrom:
          {{ if .EnvironmentVarsFromSecret }}
          {{- range $secName := .EnvironmentVarsFromSecret }}
          - secretRef:
              name: "{{$secName}}"
          {{- end }}
          {{- end }}
          securityContext:
            privileged: false
          {{ if ne $type "workflow" }}
          volumeMounts:
          - name: workdir
            mountPath: /etc/dataos/work
          {{ if .HasSecretRefs }}
          - name: dataos-secret-mount
            mountPath: /etc/dataos/secret
            readOnly: true
          {{- end }}
          - name: tls
            mountPath: /etc/dataos/certs
            readOnly: true
        {{- end }}
  secretJqFilters:
    - .repo.secret
  dataOsAddressJqFilters:
    - .depots[]
  includeAddresses:
    inProjection: true
    secretsInProjection: true
  projection:
    templateType: liquid
    secrets:
      - id: '{{stackSpec.repo.secret}}'
        contextAlias: githubSecret
    projections:
      envVars:
        - key: GITSYNC_USERNAME
          template: '{{ secrets[''githubSecret''].GITSYNC_USERNAME | base64_decode }}'
        - key: GITSYNC_PASSWORD
          template: '{{ secrets[''githubSecret''].GITSYNC_PASSWORD | base64_decode }}'
      envVarsTemplate: >
        VULCAN__TRANSPILER__BASE_URL: "https://{{ defaultProjections.dataOsFqdn
        }}/transpiler"

        VULCAN__HERA__ENABLED: true

        VULCAN__HERA__URL: "https://{{ defaultProjections.dataOsFqdn
        }}/hera/api"

        VULCAN__HERA__TOKEN: "{{ defaultProjections.dataOsRunAsApikey }}"

        VULCAN__GRAPHQL__BASE_URL: http://127.0.0.1:3000

        DATAOS_RUN_AS_APIKEY: {{ defaultProjections.dataOsRunAsApikey }}

        DATAOS_RUN_AS_USER: {{ defaultProjections.dataOsRunAsUser }}

        DEPOT_SERVICE_URL: {{ defaultProjections.depotServiceUrl }}

        HEIMDALL_URL: {{ defaultProjections.heimdallUrl }}

        SCS_SERVICE_URL: {{ defaultProjections.ecsServiceUrl }}

        SCS_SERVICE_USE_TLS_CERTS: {{ defaultProjections.ecsServiceCertsEnabled
        }}

        SCS_SERVICE_DISABLE_HOSTNAME_VERIFICATION: {{
        defaultProjections.ecsServiceHostnameVerificationDisabled }}

        DATAOS_RESOURCE_DESCRIPTION: {{ defaultProjections.dataOsDescription }}

        DATAOS_RESOURCE_TAGS: {{ defaultProjections.dataOsTags }}

        DATAOS_TENANT_ID: {{ defaultProjections.dataOsTenantId }}

        DATAOS_INSTANCE_TENANT_ID: {{ defaultProjections.dataOsInstanceTenantId
        }}

        DATAOS_RESOURCE_ID: {{ defaultProjections.dataOsResourceId }}

        DATAOS_RUN_ID: {{ defaultProjections.dataOsRunId }}

        DATAOS_TYPE: {{ defaultProjections.dataOsType }}

        DATAOS_FQDN: {{ defaultProjections.dataOsFqdn }}

        PUSHGATEWAY_URL: {{ defaultProjections.pushGatewayUrl }}

        DATAOS_WORK_DIR: /etc/dataos/work

        DATAOS_SECRET_DIR: /etc/dataos/secret

        DATAOS_CONFIG_DIR: /etc/dataos/config


        VULCAN__ANALYTICS__ENABLED: true

        VULCAN__ANALYTICS__BASE_URL: "https://{{ defaultProjections.dataOsFqdn
        }}/cloudevents/api/v1"

        VULCAN__ANALYTICS__API_KEY: {{ defaultProjections.dataOsRunAsApikey }}


        VULCAN__HEIMDALL__ENABLED: true

        VULCAN__HEIMDALL__BASE_URL: "{{ defaultProjections.heimdallUrl }}"


        DATAPRODUCT_MYSQL_HOST: {{ defaultProjections.dataOsFqdnTcp }}

        DATAPRODUCT_MYSQL_PORT: "3306"
      filesTemplate: >
        {%- for projection in projectionDepots %}

        {%- assign depot_details = depots[projection.name] %}


        {%- assign last_purpose = projection.secretPurposes.last %}


        {%- assign secret_name = projection.name %}

        {%- assign secret_name = secret_name | append: ":" %}

        {%- assign secret_name = secret_name | append: last_purpose %}

        {%- assign secrets = depotsPurposesSecrets[secret_name] %}



        {%- comment %} Postgres stack: Only handle PostgreSQL depots {%
        endcomment %}

        {%- comment %} Handle JDBC depots - map subprotocol to actual type {%
        endcomment %}

        {%- if depot_details.type == "jdbc" %}

        {%- assign actual_type = depot_details.spec.subprotocol %}

        {%- else %}

        {%- assign actual_type = depot_details.type %}

        {%- endif %}


        {%- if actual_type == "postgresql" %}

        - name: {{ projection.name }}_config.yaml
          contents: |
            connection:
              type: postgres
              host: {{ depot_details.spec.host }}
              port: {{ depot_details.spec.port | default: 5432 }}
              user: {{ secrets.username | strip | replace: '\n', '' | base64_decode }}
              password: {{ secrets.password | strip | replace: '\n', '' | base64_decode }}
              database: {{ depot_details.spec.database }}
              {%- if depot_details.spec.keepalives_idle %}
              keepalives_idle: {{ depot_details.spec.keepalives_idle }}
              {%- endif %}
              {%- if depot_details.spec.connect_timeout %}
              connect_timeout: {{ depot_details.spec.connect_timeout }}
              {%- endif %}
              {%- if depot_details.spec.sslmode %}
              sslmode: {{ depot_details.spec.sslmode }}
              {%- endif %}
              {%- if depot_details.spec.application_name %}
              application_name: {{ depot_details.spec.application_name }}
              {%- endif %}
              {%- if depot_details.spec.role %}
              role: {{ depot_details.spec.role }}
              {%- endif %}
        {%- endif %}

        {%- endfor %}
  executionModes:
    default:
      image:
        registry: docker.io
        repository: tmdcio/vulcan-postgres
        tag: 0.228.1.23
        auth:
          imagePullSecret: dcr
      ignoreArgumentsJqFilters: false
      ignoreCommandJqFilters: false
      ignoreImageJqFilter: false
  certificates:
    generate: true
stamp: '-8ikb'
generation: 1
uid: d03e674b-4b1d-4d8e-a103-c3f4ae2558b1
created: '2026-06-01T11:02:51Z'
status:
  aggregateStatus: active
  webServiceResources:
    - id: vcb9a95fd1db1e59cf967807628b9d9b61e6ad00-read-upd-del-resource
      service: heimdall
      type: access-policy
      self: /policies/vcb9a95fd1db1e59cf967807628b9d9b61e6ad00-read-upd-del-resource
      status: created
  builderState:
    stage: building
    numberOfWantedResources: '1'
    numberOfProcessedResources: '1'
    info: builder is finished with work for now
    properties:
      tmdc.io/entityFullName: '**********'
      tmdc.io/entityHash: '**********'

```

</details>

<details>

<summary>Vulcan Snowflake Stack YAML</summary>

```yaml
name: vulcan-snowflake
version: v2alpha
type: stack
tags:
  - dataos:type:resource
  - dataos:type:tenant-resource
  - dataos:resource:stack
  - dataos:tenant:ct-sandbox
description: dataos vulcan snowflake stack v1 version
owner: shreyasikarwartmdcio
tenant: ct-sandbox
spec:
  name: vulcan
  flavor: snowflake
  version: '1.0'
  reconciler: stackManager
  stackSpecValueSchema:
    jsonSchema: >
      {"$schema":"http://json-schema.org/draft-07/schema#","title":"Vulcan
      Config
      Schema","type":"object","properties":{"repo":{"type":"object","description":"Repository
      configuration","properties":{"url":{"type":"string","format":"uri","description":"Git
      repository URL"},"baseDir":{"type":"string","description":"Base directory
      inside the repo"},"syncFlags":{"type":"array","description":"Optional list
      of sync flags for
      clone/fetch","items":{"type":"string"}},"secret":{"type":"string","description":"Secret
      ID for repository
      authentication"}},"required":["url","baseDir"],"additionalProperties":false},"depots":{"type":"array","description":"List
      of depot
      addresses","items":{"type":"string"}},"command":{"type":"array","description":"Command
      to execute (overrides
      default)","items":{"type":"string"}},"arguments":{"type":"array","description":"Arguments
      to pass to command (overrides
      default)","items":{"type":"string"}}},"required":["repo"],"additionalProperties":false}
  workflowJobConfig:
    configFileTemplate: |
      config.yaml: |
      {{ toYaml .ApplicationSpec.StackSpec | indent 2 }}
    containerResourceTemplate: |
      initContainers:
        - name:  "{{.Name}}{{.Stamp}}-ic"
          image: docker.io/tmdcio/git-sync:latest
          imagePullPolicy: IfNotPresent
          command:
          - /git-sync
          args:
          - --repo={{ .ApplicationSpec.StackSpec.repo.url }}
          - --one-time=true
          - --root=/etc/dataos/work
          {{- if .ApplicationSpec.StackSpec.repo.syncFlags }}
          {{- range $flag := .ApplicationSpec.StackSpec.repo.syncFlags }}
          - {{ $flag | quote }}
          {{- end }}
          {{- end }}
          securityContext:
            runAsUser: 1000
            runAsGroup: 1000
            fsGroup: 1000
          volumeMounts:
          - mountPath: /etc/dataos/work
            name: workdir
          envFrom:
          - secretRef:
              name: "{{.EntityHash}}{{.NameHash}}-es"
      container:
        name: "{{.Name}}{{.Stamp}}-main"
        image: tmdcio/vulcan-snowflake:0.228.1.23
        imagePullPolicy: IfNotPresent
        command:
          - /opt/venv/bin/python
          - /opt/venv/bin/entrypoint.py
        {{- if or .ApplicationSpec.StackSpec.command .ApplicationSpec.StackSpec.arguments }}
        args:
        {{- range $value := .ApplicationSpec.StackSpec.command }}
          - {{ $value | quote }}
        {{- end }}
        {{- range $value := .ApplicationSpec.StackSpec.arguments }}
          - {{ $value | quote }}
        {{- end }}
        {{- end }}
        volumeMounts:
        {{ if .HasSecretRefs }}
        - name: dataos-secret-mount
          mountPath: /etc/dataos/secret
          readOnly: true
        {{- end }}
        - name: workdir
          mountPath: /etc/dataos/work
        {{ if .ApplicationSpec.EnvironmentVars }}
        env:
          {{- range $conf, $value := .ApplicationSpec.EnvironmentVars }}
          - name: {{$conf}}
            value: {{ $value | quote }}
          {{- end }}
        {{- end}}
        envFrom:
        {{ if .EnvironmentVarsFromSecret }}
        {{- range $secName := .EnvironmentVarsFromSecret }}
        - secretRef:
            name: "{{$secName}}"
        {{- end }}
        {{- end }}
        {{- if .ApplicationSpec.Resources }}
        resources:
        {{toYaml .ApplicationSpec.Resources | indent 2 }}
        {{- end }}
  serviceConfig:
    configFileTemplate: |
      config.yaml: |
      {{ toYaml .ApplicationSpec.StackSpec | indent 2 }}
    containerResourceTemplate: |
      {{- if .ApplicationSpec.StackSpec.repo }}
      initContainers:
        - command:
          - /git-sync
          args:
          - --repo={{ .ApplicationSpec.StackSpec.repo.url }}
          - --one-time=true
          - --root=/etc/dataos/work
          {{- if .ApplicationSpec.StackSpec.repo.syncFlags }}
          {{- range $flag := .ApplicationSpec.StackSpec.repo.syncFlags }}
          - {{ $flag | quote }}
          {{- end }}
          {{- end }}
          image: docker.io/tmdcio/git-sync:latest
          imagePullPolicy: IfNotPresent
          name:  "{{.Name}}{{.Stamp}}-ic"
          securityContext:
            runAsUser: 1000
            runAsGroup: 1000
            fsGroup: 1000
          volumeMounts:
          - mountPath: /etc/dataos/work
            name: workdir
          envFrom:
          - secretRef:
              name: "{{.EntityHash}}{{.NameHash}}-es"
            {{- end }}
      securityContext:
        fsGroup: 1000
      container:
        name: "{{.Name}}{{.Stamp}}-main"
        image: tmdcio/vulcan-snowflake:0.228.1.23
        imagePullPolicy: IfNotPresent
        {{- $repo := .ApplicationSpec.StackSpec.repo }}
        command:
          - /opt/venv/bin/python
          - /opt/venv/bin/entrypoint.py
        {{- if or .ApplicationSpec.StackSpec.command .ApplicationSpec.StackSpec.arguments }}
        args:
        {{- range $value := .ApplicationSpec.StackSpec.command }}
          - {{ $value | quote }}
        {{- end }}
        {{- range $value := .ApplicationSpec.StackSpec.arguments }}
          - {{ $value | quote }}
        {{- end }}
        {{- end }}
        volumeMounts:
          {{ if .HasSecretRefs }}
          - name: dataos-secret-mount
            mountPath: /etc/dataos/secret
            readOnly: true
          {{- end }}
          - name: workdir
            mountPath: /etc/dataos/work
        {{ if .HasConfigConfs }}
          - name: dataos-config-mount
            mountPath: /etc/dataos/config
            readOnly: true
        {{- end }}
        env:
          - name: POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          {{ if .ApplicationSpec.EnvironmentVars }}
          {{- range $conf, $value := .ApplicationSpec.EnvironmentVars }}
          - name: {{$conf}}
            value: {{ $value | quote }}
          {{- end }}
          {{- end }}
        envFrom:
          {{ if .EnvironmentVarsFromSecret }}
          {{- range $secName := .EnvironmentVarsFromSecret }}
          - secretRef:
              name: "{{$secName}}"
          {{- end }}
          {{- end }}
        securityContext:
          privileged: false
        {{- if .ApplicationSpec.Resources }}
        resources:
        {{toYaml .ApplicationSpec.Resources | indent 2 }}
        {{- end }}
      sidecars:
        {{- $name := .Name }}
        {{- $stamp := .Stamp }}
        {{- $type := .Type }}
        # GraphQL sidecar
        - name: "{{$name}}-sc-1"
          image: "tmdcio/vulcan-graphql:0.228.1.23"
          imagePullPolicy: IfNotPresent
          command:
            - "dumb-init"
            - "--"
          args:
            - "node"
            - "dist/main.js"
          env:
            - name: VULCAN_API_URL
              value: "http://127.0.0.1:8000"
          envFrom:
          {{ if .EnvironmentVarsFromSecret }}
          {{- range $secName := .EnvironmentVarsFromSecret }}
          - secretRef:
              name: "{{$secName}}"
          {{- end }}
          {{- end }}
          securityContext:
            privileged: false
          {{ if ne $type "workflow" }}
          volumeMounts:
            - name: workdir
              mountPath: /etc/dataos/work
            {{ if .HasSecretRefs }}
            - name: dataos-secret-mount
              mountPath: /etc/dataos/secret
              readOnly: true
            {{- end }}
          {{- end }}
        # MySQL sidecar
        - name: "{{$name}}-sc-2"
          image: "tmdcio/mysql-wire:0.0.8"
          imagePullPolicy: IfNotPresent
          command:
            - "/usr/local/bin/mysql-wire"
          env:
            - name: MODE
              value: "server"
            - name: MYSQL_HOST
              value: "0.0.0.0"
            - name: MYSQL_PORT
              value: "3306"
            - name: MYSQL_DB_NAME
              value: "public"
            - name: MYSQL_ALLOW_CLEARTEXT_AUTH
              value: "true"
            - name: MYSQL_SSL_CERT_FILE
              value: /etc/dataos/certs/tls.crt
            - name: MYSQL_SSL_KEY_FILE
              value: /etc/dataos/certs/tls.key
            - name: VULCAN_API_URL
              value: "http://127.0.0.1:8000"
            - name: VULCAN_API_POLL_INITIAL_MS
              value: "10000"
            - name: VULCAN_API_POLL_MAX_MS
              value: "5000"
            - name: VULCAN_API_QUERY_TIMEOUT
              value: "300"
            - name: HTTP_HOST
              value: "0.0.0.0"
            - name: HTTP_PORT
              value: "8080"
            - name: HEIMDALL_AUTH_PATH
              value: "/api/v1/authorize"
            - name: HEIMDALL_TIMEOUT
              value: "10"
            - name: VULCAN_API_HTTP_TIMEOUT
              value: "60"
          envFrom:
          {{ if .EnvironmentVarsFromSecret }}
          {{- range $secName := .EnvironmentVarsFromSecret }}
          - secretRef:
              name: "{{$secName}}"
          {{- end }}
          {{- end }}
          securityContext:
            privileged: false
          {{ if ne $type "workflow" }}
          volumeMounts:
          - name: workdir
            mountPath: /etc/dataos/work
          {{ if .HasSecretRefs }}
          - name: dataos-secret-mount
            mountPath: /etc/dataos/secret
            readOnly: true
          {{- end }}
          - name: tls
            mountPath: /etc/dataos/certs
            readOnly: true
        {{- end }}
  secretJqFilters:
    - .repo.secret
  dataOsAddressJqFilters:
    - .depots[]
  includeAddresses:
    inProjection: true
    secretsInProjection: true
  projection:
    templateType: liquid
    secrets:
      - id: '{{stackSpec.repo.secret}}'
        contextAlias: githubSecret
    projections:
      envVars:
        - key: GITSYNC_USERNAME
          template: '{{ secrets[''githubSecret''].GITSYNC_USERNAME | base64_decode }}'
        - key: GITSYNC_PASSWORD
          template: '{{ secrets[''githubSecret''].GITSYNC_PASSWORD | base64_decode }}'
      envVarsTemplate: >
        VULCAN__TRANSPILER__BASE_URL: "https://{{ defaultProjections.dataOsFqdn
        }}/transpiler"

        VULCAN__HERA__URL: "https://{{ defaultProjections.dataOsFqdn
        }}/hera/api"

        VULCAN__HERA__TOKEN: "{{ defaultProjections.dataOsRunAsApikey }}"

        VULCAN__HERA__ENABLED: true

        VULCAN__GRAPHQL__BASE_URL: http://127.0.0.1:3000

        DATAOS_RUN_AS_APIKEY: {{ defaultProjections.dataOsRunAsApikey }}

        DATAOS_RUN_AS_USER: {{ defaultProjections.dataOsRunAsUser }}

        DEPOT_SERVICE_URL: {{ defaultProjections.depotServiceUrl }}

        HEIMDALL_URL: {{ defaultProjections.heimdallUrl }}

        SCS_SERVICE_URL: {{ defaultProjections.ecsServiceUrl }}

        SCS_SERVICE_USE_TLS_CERTS: {{ defaultProjections.ecsServiceCertsEnabled
        }}

        SCS_SERVICE_DISABLE_HOSTNAME_VERIFICATION: {{
        defaultProjections.ecsServiceHostnameVerificationDisabled }}

        DATAOS_RESOURCE_DESCRIPTION: {{ defaultProjections.dataOsDescription }}

        DATAOS_RESOURCE_TAGS: {{ defaultProjections.dataOsTags }}

        DATAOS_TENANT_ID: {{ defaultProjections.dataOsTenantId }}

        DATAOS_INSTANCE_TENANT_ID: {{ defaultProjections.dataOsInstanceTenantId
        }}

        DATAOS_RESOURCE_ID: {{ defaultProjections.dataOsResourceId }}

        DATAOS_RUN_ID: {{ defaultProjections.dataOsRunId }}

        DATAOS_TYPE: {{ defaultProjections.dataOsType }}

        DATAOS_FQDN: {{ defaultProjections.dataOsFqdn }}

        DATAOS_WORK_DIR: /etc/dataos/work

        DATAOS_SECRET_DIR: /etc/dataos/secret

        DATAOS_CONFIG_DIR: /etc/dataos/config


        VULCAN__ANALYTICS__ENABLED: true

        VULCAN__ANALYTICS__BASE_URL: "https://{{ defaultProjections.dataOsFqdn
        }}/cloudevents/api/v1"

        VULCAN__ANALYTICS__API_KEY: {{ defaultProjections.dataOsRunAsApikey }}


        VULCAN__HEIMDALL__ENABLED: true

        VULCAN__HEIMDALL__BASE_URL: "{{ defaultProjections.heimdallUrl }}"


        DATAPRODUCT_MYSQL_HOST: {{ defaultProjections.dataOsFqdnTcp }}

        DATAPRODUCT_MYSQL_PORT: "3306"
      filesTemplate: >
        {%- for projection in projectionDepots %}

        {%- assign depot_details = depots[projection.name] %}


        {%- assign last_purpose = projection.secretPurposes.last %}


        {%- assign secret_name = projection.name %}

        {%- assign secret_name = secret_name | append: ":" %}

        {%- assign secret_name = secret_name | append: last_purpose %}

        {%- assign secrets = depotsPurposesSecrets[secret_name] %}


        {%- assign auth_mode = secrets.auth_mode | base64_decode %}


        {%- if depot_details.type == "snowflake" %}


        {%- if auth_mode == "key-pair" %}

        {%- assign private_key_file_path = projection.name | append:
        "_private_key.pem" %}

        {%- if secrets.key %}

        - name: {{ private_key_file_path }}
          contents: !!binary {{ secrets.key }}
        {%- endif %}

        {%- endif %}


        - name: {{ projection.name }}_config.yaml
          contents: |
            connection:
              type: snowflake
              account: {{ depot_details.spec.account }}
              user: {{ secrets.username | base64_decode | strip }}
              {%- if secrets.password %}
              password: {{ secrets.password | base64_decode | strip }}
              {%- endif %}
              {%- if depot_details.spec.warehouse %}
              warehouse: {{ depot_details.spec.warehouse }}
              {%- endif %}
              {%- if depot_details.spec.database %}
              database: {{ depot_details.spec.database }}
              {%- endif %}
              {%- if depot_details.spec.role %}
              role: {{ depot_details.spec.role }}
              {%- endif %}

              {%- if auth_mode == "key-pair" %}
              authenticator: snowflake_jwt
              private_key_path: /etc/dataos/secret/{{ private_key_file_path }}
              {%- endif %}
              {%- if secrets.passphrase %}
              private_key_passphrase: {{ secrets.passphrase | base64_decode | strip }}
              {%- endif %}
        {%- endif %}

        {%- endfor %}
  executionModes:
    default:
      image:
        registry: docker.io
        repository: tmdcio/vulcan-snowflake
        tag: 0.228.1.23
        auth:
          imagePullSecret: dcr
      ignoreArgumentsJqFilters: false
      ignoreCommandJqFilters: false
      ignoreImageJqFilter: false
  certificates:
    generate: true
stamp: '-q4a9'
generation: 2
uid: df528787-acc4-43f8-9dcf-dcd3c5fe1738
created: '2026-05-27T08:31:17Z'
status:
  aggregateStatus: active
  webServiceResources:
    - id: vada62c258a9492d69e2b822281d85da7359d16c-read-upd-del-resource
      service: heimdall
      type: access-policy
      self: /policies/vada62c258a9492d69e2b822281d85da7359d16c-read-upd-del-resource
      status: created
  builderState:
    stage: building
    numberOfWantedResources: '1'
    numberOfProcessedResources: '1'
    info: builder is finished with work for now
    properties:
      tmdc.io/entityFullName: '**********'
      tmdc.io/entityHash: '**********'

```

</details>

<details>

<summary>Vulcan Spark Stack YAML</summary>

```yaml
name: vulcan-spark
version: v2alpha
type: stack
tags:
  - dataos:type:resource
  - dataos:type:tenant-resource
  - dataos:resource:stack
  - dataos:tenant:ct-sandbox
owner: shreyasikarwartmdcio
tenant: ct-sandbox
spec:
  name: vulcan
  flavor: spark
  version: '1.0'
  reconciler: stackManager
  stackSpecValueSchema:
    jsonSchema: >
      {"$schema":"http://json-schema.org/draft-07/schema#","title":"Vulcan
      Config
      Schema","type":"object","properties":{"repo":{"type":"object","description":"Repository
      configuration","properties":{"url":{"type":"string","format":"uri","description":"Git
      repository URL"},"baseDir":{"type":"string","description":"Base directory
      inside the repo"},"syncFlags":{"type":"array","description":"Optional list
      of sync flags for
      clone/fetch","items":{"type":"string"}},"secret":{"type":"string","description":"Secret
      ID for repository
      authentication"}},"required":["url","baseDir"],"additionalProperties":false},"depots":{"type":"array","description":"List
      of depot
      addresses","items":{"type":"string"}},"sparkConf":{"type":"object","description":"Additional
      Spark config key-value pairs to merge into the runtime Spark connection.
      Keys are Spark property
      names.","additionalProperties":{"type":["string","number","boolean"]}},"command":{"type":"array","description":"Command
      to execute (overrides
      default)","items":{"type":"string"}},"arguments":{"type":"array","description":"Arguments
      to pass to command (overrides
      default)","items":{"type":"string"}}},"required":["repo"],"additionalProperties":true}
  workflowJobConfig:
    configFileTemplate: |
      jobconfig.yaml: |
      {{ toYaml .ApplicationSpec.StackSpec.job | indent 2 }}
    resourceTemplateConfig:
      templateType: go-template
      resourceTemplateName: vulcan_application_cluster
  serviceConfig:
    configFileTemplate: |
      jobconfig.yaml: |
      {{ toYaml .ApplicationSpec.StackSpec.job | indent 2 }}
    resourceTemplateConfig:
      templateType: go-template
      resourceTemplateName: vulcan_application_service
  secretJqFilters:
    - .repo.secret
  dataOsAddressJqFilters:
    - .depots[]
  argumentsJqFilters:
    - .command[]
    - .arguments[]
  includeAddresses:
    inProjection: true
    secretsInProjection: true
  projection:
    templateType: liquid
    secrets:
      - id: '{{stackSpec.repo.secret}}'
        contextAlias: githubSecret
    projections:
      envVars:
        - key: GITSYNC_USERNAME
          template: '{{ secrets[''githubSecret''].GITSYNC_USERNAME | base64_decode }}'
        - key: GITSYNC_PASSWORD
          template: '{{ secrets[''githubSecret''].GITSYNC_PASSWORD | base64_decode }}'
      envVarsTemplate: >
        VULCAN__TRANSPILER__BASE_URL: "https://{{ defaultProjections.dataOsFqdn
        }}/transpiler"

        VULCAN__HERA__ENABLED: true

        VULCAN__HERA__URL: "https://{{ defaultProjections.dataOsFqdn
        }}/hera/api"

        VULCAN__HERA__TOKEN: "{{ defaultProjections.dataOsRunAsApikey }}"

        VULCAN__GRAPHQL__BASE_URL: http://127.0.0.1:3000

        DATAOS_RUN_AS_APIKEY: {{ defaultProjections.dataOsRunAsApikey }}

        DATAOS_RUN_AS_USER: {{ defaultProjections.dataOsRunAsUser }}

        DEPOT_SERVICE_URL: {{ defaultProjections.depotServiceUrl }}

        HEIMDALL_URL: {{ defaultProjections.heimdallUrl }}

        SCS_SERVICE_URL: {{ defaultProjections.ecsServiceUrl }}

        SCS_SERVICE_USE_TLS_CERTS: {{ defaultProjections.ecsServiceCertsEnabled
        }}

        SCS_SERVICE_DISABLE_HOSTNAME_VERIFICATION: {{
        defaultProjections.ecsServiceHostnameVerificationDisabled }}

        DATAOS_RESOURCE_DESCRIPTION: {{ defaultProjections.dataOsDescription }}

        DATAOS_RESOURCE_TAGS: {{ defaultProjections.dataOsTags }}

        DATAOS_TENANT_ID: {{ defaultProjections.dataOsTenantId }}

        DATAOS_INSTANCE_TENANT_ID: {{ defaultProjections.dataOsInstanceTenantId
        }}

        DATAOS_RESOURCE_ID: {{ defaultProjections.dataOsResourceId }}

        DATAOS_RUN_ID: {{ defaultProjections.dataOsRunId }}

        DATAOS_TYPE: {{ defaultProjections.dataOsType }}

        DATAOS_FQDN: {{ defaultProjections.dataOsFqdn }}

        PUSHGATEWAY_URL: {{ defaultProjections.pushGatewayUrl }}

        DATAOS_WORK_DIR: /etc/dataos/work

        DATAOS_SECRET_DIR: /etc/dataos/secret

        DATAOS_CONFIG_DIR: /etc/dataos/config


        SPARK_CONF_DIR: /etc/dataos/secret

        VULCAN__CACHE_DIR: /tmp/vulcan-cache


        VULCAN__ANALYTICS__ENABLED: true

        VULCAN__ANALYTICS__BASE_URL: "https://{{ defaultProjections.dataOsFqdn
        }}/cloudevents/api/v1"

        VULCAN__ANALYTICS__API_KEY: {{ defaultProjections.dataOsRunAsApikey }}


        VULCAN__HEIMDALL__ENABLED: true

        VULCAN__HEIMDALL__BASE_URL: "{{ defaultProjections.heimdallUrl }}"


        DATAPRODUCT_MYSQL_HOST: {{ defaultProjections.dataOsFqdnTcp }}

        DATAPRODUCT_MYSQL_PORT: "3306"
      filesTemplate: >
        {%- for projection in projectionDepots %}

        {%- assign raw_depot = depots[projection.name] %}

        {%- assign depot_details = raw_depot %}

        {%- if raw_depot.depot %}

        {%- assign depot_details = raw_depot.depot %}

        {%- elsif raw_depot.spec and raw_depot.spec.type and raw_depot.spec.spec
        %}

        {%- assign depot_details = raw_depot.spec %}

        {%- endif %}

        {%- assign depot_type = depot_details.type %}

        {%- if depot_type != "lakehouse" %}{% continue %}{% endif %}


        {%- assign catalog_name = projection.name %}

        {%- assign secret_name = projection.name | append: ":" | append:
        projection.secretPurposes.last %}

        {%- assign secrets_object = depotsPurposesSecrets[secret_name] -%}

        {%- assign aws_access_key = secrets_object.aws_access_key -%}

        {%- assign aws_secret_key = secrets_object.aws_secret_key -%}

        {%- assign gcp_json_key = secrets_object.gcp_json_key -%}

        {%- assign az_account_name = secrets_object.az_account_name -%}

        {%- assign az_account_key = secrets_object.az_account_key -%}

        {%- assign depot_spec = depot_details.spec %}

        {%- assign storage_type = depot_spec.storageType %}

        {%- assign metastore_url = depot_spec.metastoreUrl %}

        {%- assign metastore_relative_path = depot_spec.metastoreRelativePath %}

        {%- assign apikey = defaultProjections.dataOsRunAsApikey %}

        {%- assign catalog_uri = metastore_url | append: metastore_relative_path
        %}



        - name: {{ catalog_name }}_config.yaml
          contents: |
            connection:
              type: spark
              config:
                spark.sql.extensions: "org.apache.iceberg.spark.extensions.IcebergSparkSessionExtensions"
                spark.kubernetes.driverEnv.SPARK_HOME: /opt/spark
                spark.kubernetes.executorEnv.SPARK_HOME: /opt/spark
                spark.driver.extraClassPath: "/etc/dataos/work/{{ stackSpec.repo.baseDir }}/dependencies/java/*"
                spark.metrics.namespace: vulcan
                spark.sql.defaultCatalog: {{ catalog_name }}
                spark.sql.catalog.{{ catalog_name }}: "org.apache.iceberg.spark.SparkCatalog"
                spark.sql.catalog.{{ catalog_name }}.type: "rest"
                spark.sql.catalog.{{ catalog_name }}.uri: "{{ catalog_uri }}"
                spark.sql.catalog.{{ catalog_name }}.header.apikey: "{{ apikey }}"
                {%- if storage_type == "s3" %}
                spark.sql.catalog.{{ catalog_name }}.warehouse: "s3://{{ depot_spec.s3.bucket }}/{{ depot_spec.s3.relativePath }}"
                spark.sql.catalog.{{ catalog_name }}.io-impl: "org.apache.iceberg.aws.s3.S3FileIO"
                spark.sql.catalog.{{ catalog_name }}.s3.path-style-access: "true"
                spark.sql.catalog.{{ catalog_name }}.s3.access-key-id: "{{ aws_access_key | base64_decode }}"
                spark.sql.catalog.{{ catalog_name }}.s3.secret-access-key: "{{ aws_secret_key | base64_decode }}"
                {%- if depot_spec.s3.region %}
                spark.sql.catalog.{{ catalog_name }}.client.region: "{{ depot_spec.s3.region }}"
                {%- endif %}
                {%- elsif storage_type == "gcs" %}
                spark.sql.catalog.{{ catalog_name }}.warehouse: "gs://{{ depot_spec.gcs.bucket }}/{{ depot_spec.gcs.relativePath }}"
                spark.sql.catalog.{{ catalog_name }}.io-impl: "org.apache.iceberg.gcp.gcs.GCSFileIO"
                {%- if gcp_json_key %}
                spark.sql.catalog.{{ catalog_name }}.gcs.credentials: "/etc/dataos/secret/{{ catalog_name }}_gcp_keyfile.json"
                {%- endif %}
                {%- elsif storage_type == "abfss" %}
                spark.sql.catalog.{{ catalog_name }}.warehouse: "abfss://{{ depot_spec.abfss.container }}@{{ depot_spec.abfss.account }}.{{ depot_spec.abfss.endpointSuffix }}/{{ depot_spec.abfss.relativePath }}"
                spark.sql.catalog.{{ catalog_name }}.io-impl: "org.apache.iceberg.azure.adlsv2.ADLSFileIO"
                spark.sql.catalog.{{ catalog_name }}.adls.account: "{{ az_account_name }}"
                spark.sql.catalog.{{ catalog_name }}.adls.shared-key: "{{ az_account_key }}"
                {%- endif %}
                {%- if stackSpec.sparkConf %}
                {%- for pair in stackSpec.sparkConf %}
                {{ pair[0] }}: {{ pair[1] | json }}
                {%- endfor %}
                {%- endif %}
        {%- if storage_type == "gcs" and secrets.gcp_json_key %}

        - name: {{ catalog_name }}_gcp_keyfile.json
          contents: !!binary {{ secrets.gcp_json_key }}
        {%- endif %}

        {%- endfor %}
  executionModes:
    default:
      image:
        registry: docker.io
        repository: tmdcio/vulcan-spark
        tag: 0.228.1.23
        auth:
          imagePullSecret: dcr
      params:
        applicationType: Python
        mainApplicationFile: local:///opt/venv/bin/entrypoint.py
      sideCars:
        - image: tmdcio/vulcan-graphql:0.228.1.23
          command:
            - dumb-init
            - '--'
          arguments:
            - node
            - dist/main.js
          envs:
            VULCAN_API_URL: '**********'
        - image: tmdcio/mysql-wire:0.0.8
          command:
            - /bin/sh
            - '-c'
          arguments:
            - sleep 150; exec /usr/local/bin/mysql-wire
          envs:
            HEIMDALL_AUTH_PATH: '**********'
            HEIMDALL_TIMEOUT: '**********'
            HTTP_HOST: '**********'
            HTTP_PORT: '**********'
            MODE: '**********'
            MYSQL_ALLOW_CLEARTEXT_AUTH: '**********'
            MYSQL_DB_NAME: '**********'
            MYSQL_HOST: '**********'
            MYSQL_PORT: '**********'
            MYSQL_SSL_CERT_FILE: '**********'
            MYSQL_SSL_KEY_FILE: '**********'
            VULCAN_API_HTTP_TIMEOUT: '**********'
            VULCAN_API_POLL_INITIAL_MS: '**********'
            VULCAN_API_POLL_MAX_MS: '**********'
            VULCAN_API_QUERY_TIMEOUT: '**********'
            VULCAN_API_URL: '**********'
      ignoreArgumentsJqFilters: false
      ignoreCommandJqFilters: false
      ignoreImageJqFilter: false
  certificates:
    generate: true
stamp: '-f5is'
generation: 3
uid: 903ca990-73e7-49a0-8dec-83078ee43d2a
created: '2026-05-19T12:33:56Z'
status:
  aggregateStatus: active
  webServiceResources:
    - id: ff04a114af5e1e274dfe93376e84093b2d39268b-read-upd-del-resource
      service: heimdall
      type: access-policy
      self: /policies/ff04a114af5e1e274dfe93376e84093b2d39268b-read-upd-del-resource
      status: created
  builderState:
    stage: building
    numberOfWantedResources: '1'
    numberOfProcessedResources: '1'
    info: builder is finished with work for now
    properties:
      tmdc.io/entityFullName: '**********'
      tmdc.io/entityHash: '**********'

```

</details>

<details>

<summary>Vulcan Trino Stack YAML</summary>

```yaml
name: vulcan-trino
version: v2alpha
type: stack
tags:
  - dataos:type:resource
  - dataos:type:tenant-resource
  - dataos:resource:stack
  - dataos:tenant:ct-sandbox
description: dataos vulcan trino stack v1 version
owner: shreyasikarwartmdcio
tenant: ct-sandbox
spec:
  name: vulcan
  flavor: trino
  version: '1.0'
  reconciler: stackManager
  stackSpecValueSchema:
    jsonSchema: >
      {"$schema":"http://json-schema.org/draft-07/schema#","title":"Vulcan
      Config
      Schema","type":"object","properties":{"repo":{"type":"object","description":"Repository
      configuration","properties":{"url":{"type":"string","format":"uri","description":"Git
      repository URL"},"baseDir":{"type":"string","description":"Base directory
      inside the repo"},"syncFlags":{"type":"array","description":"Optional list
      of sync flags for
      clone/fetch","items":{"type":"string"}},"secret":{"type":"string","description":"Secret
      ID for repository
      authentication"}},"required":["url","baseDir"],"additionalProperties":false},"depots":{"type":"array","description":"List
      of depot
      addresses","items":{"type":"string"}},"command":{"type":"array","description":"Command
      to execute (overrides
      default)","items":{"type":"string"}},"arguments":{"type":"array","description":"Arguments
      to pass to command (overrides
      default)","items":{"type":"string"}}},"required":["repo"],"additionalProperties":false}
  workflowJobConfig:
    configFileTemplate: |
      config.yaml: |
      {{ toYaml .ApplicationSpec.StackSpec | indent 2 }}
    containerResourceTemplate: |
      initContainers:
        - name:  "{{.Name}}{{.Stamp}}-ic"
          image: docker.io/tmdcio/git-sync:latest
          imagePullPolicy: IfNotPresent
          command:
          - /git-sync
          args:
          - --repo={{ .ApplicationSpec.StackSpec.repo.url }}
          - --one-time=true
          - --root=/etc/dataos/work
          {{- if .ApplicationSpec.StackSpec.repo.syncFlags }}
          {{- range $flag := .ApplicationSpec.StackSpec.repo.syncFlags }}
          - {{ $flag | quote }}
          {{- end }}
          {{- end }}
          securityContext:
            runAsUser: 1000
            runAsGroup: 1000
            fsGroup: 1000
          volumeMounts:
          - mountPath: /etc/dataos/work
            name: workdir
          envFrom:
          - secretRef:
              name: "{{.EntityHash}}{{.NameHash}}-es"
      container:
        name: "{{.Name}}{{.Stamp}}-main"
        image: tmdcio/vulcan-trino:0.228.1.23
        imagePullPolicy: IfNotPresent
        command:
          - /opt/venv/bin/python
          - /opt/venv/bin/entrypoint.py
        {{- if or .ApplicationSpec.StackSpec.command .ApplicationSpec.StackSpec.arguments }}
        args:
        {{- range $value := .ApplicationSpec.StackSpec.command }}
          - {{ $value | quote }}
        {{- end }}
        {{- range $value := .ApplicationSpec.StackSpec.arguments }}
          - {{ $value | quote }}
        {{- end }}
        {{- end }}
        volumeMounts:
        {{ if .HasSecretRefs }}
        - name: dataos-secret-mount
          mountPath: /etc/dataos/secret
          readOnly: true
        {{- end }}
        - name: workdir
          mountPath: /etc/dataos/work
        {{ if .ApplicationSpec.EnvironmentVars }}
        env:
          {{- range $conf, $value := .ApplicationSpec.EnvironmentVars }}
          - name: {{$conf}}
            value: {{ $value | quote }}
          {{- end }}
        {{- end}}
        envFrom:
        {{ if .EnvironmentVarsFromSecret }}
        {{- range $secName := .EnvironmentVarsFromSecret }}
        - secretRef:
            name: "{{$secName}}"
        {{- end }}
        {{- end }}
        {{- if .ApplicationSpec.Resources }}
        resources:
        {{toYaml .ApplicationSpec.Resources | indent 2 }}
        {{- end }}
  serviceConfig:
    configFileTemplate: |
      config.yaml: |
      {{ toYaml .ApplicationSpec.StackSpec | indent 2 }}
    containerResourceTemplate: |
      {{- if .ApplicationSpec.StackSpec.repo }}
      initContainers:
        - command:
          - /git-sync
          args:
          - --repo={{ .ApplicationSpec.StackSpec.repo.url }}
          - --one-time=true
          - --root=/etc/dataos/work
          {{- if .ApplicationSpec.StackSpec.repo.syncFlags }}
          {{- range $flag := .ApplicationSpec.StackSpec.repo.syncFlags }}
          - {{ $flag | quote }}
          {{- end }}
          {{- end }}
          image: docker.io/tmdcio/git-sync:latest
          imagePullPolicy: IfNotPresent
          name:  "{{.Name}}{{.Stamp}}-ic"
          securityContext:
            runAsUser: 1000
            runAsGroup: 1000
            fsGroup: 1000
          volumeMounts:
          - mountPath: /etc/dataos/work
            name: workdir
          envFrom:
          - secretRef:
              name: "{{.EntityHash}}{{.NameHash}}-es"
            {{- end }}
      securityContext:
        fsGroup: 1000
      container:
        name: "{{.Name}}{{.Stamp}}-main"
        image: tmdcio/vulcan-trino:0.228.1.23
        imagePullPolicy: IfNotPresent
        {{- $repo := .ApplicationSpec.StackSpec.repo }}
        command:
          - /opt/venv/bin/python
          - /opt/venv/bin/entrypoint.py
        {{- if or .ApplicationSpec.StackSpec.command .ApplicationSpec.StackSpec.arguments }}
        args:
        {{- range $value := .ApplicationSpec.StackSpec.command }}
          - {{ $value | quote }}
        {{- end }}
        {{- range $value := .ApplicationSpec.StackSpec.arguments }}
          - {{ $value | quote }}
        {{- end }}
        {{- end }}
        volumeMounts:
          {{ if .HasSecretRefs }}
          - name: dataos-secret-mount
            mountPath: /etc/dataos/secret
            readOnly: true
          {{- end }}
          - name: workdir
            mountPath: /etc/dataos/work
        {{ if .HasConfigConfs }}
          - name: dataos-config-mount
            mountPath: /etc/dataos/config
            readOnly: true
        {{- end }}
        env:
          - name: POD_NAME
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
          {{ if .ApplicationSpec.EnvironmentVars }}
          {{- range $conf, $value := .ApplicationSpec.EnvironmentVars }}
          - name: {{$conf}}
            value: {{ $value | quote }}
          {{- end }}
          {{- end }}
        envFrom:
          {{ if .EnvironmentVarsFromSecret }}
          {{- range $secName := .EnvironmentVarsFromSecret }}
          - secretRef:
              name: "{{$secName}}"
          {{- end }}
          {{- end }}
        securityContext:
          privileged: false
        {{- if .ApplicationSpec.Resources }}
        resources:
        {{toYaml .ApplicationSpec.Resources | indent 2 }}
        {{- end }}
      sidecars:
        {{- $name := .Name }}
        {{- $stamp := .Stamp }}
        {{- $type := .Type }}
        # GraphQL sidecar
        - name: "{{$name}}-sc-1"
          image: "tmdcio/vulcan-graphql:0.228.1.23"
          imagePullPolicy: IfNotPresent
          command:
            - "dumb-init"
            - "--"
          args:
            - "node"
            - "dist/main.js"
          env:
            - name: VULCAN_API_URL
              value: "http://127.0.0.1:8000"
          envFrom:
          {{ if .EnvironmentVarsFromSecret }}
          {{- range $secName := .EnvironmentVarsFromSecret }}
          - secretRef:
              name: "{{$secName}}"
          {{- end }}
          {{- end }}
          securityContext:
            privileged: false
          {{ if ne $type "workflow" }}
          volumeMounts:
            - name: workdir
              mountPath: /etc/dataos/work
            {{ if .HasSecretRefs }}
            - name: dataos-secret-mount
              mountPath: /etc/dataos/secret
              readOnly: true
            {{- end }}
          {{- end }}
        # MySQL sidecar
        - name: "{{$name}}-sc-2"
          image: "tmdcio/mysql-wire:0.0.8"
          imagePullPolicy: IfNotPresent
          command:
            - "/usr/local/bin/mysql-wire"
          env:
            - name: MODE
              value: "server"
            - name: MYSQL_HOST
              value: "0.0.0.0"
            - name: MYSQL_PORT
              value: "3306"
            - name: MYSQL_DB_NAME
              value: "public"
            - name: MYSQL_ALLOW_CLEARTEXT_AUTH
              value: "true"
            - name: MYSQL_SSL_CERT_FILE
              value: /etc/dataos/certs/tls.crt
            - name: MYSQL_SSL_KEY_FILE
              value: /etc/dataos/certs/tls.key
            - name: VULCAN_API_URL
              value: "http://127.0.0.1:8000"
            - name: VULCAN_API_POLL_INITIAL_MS
              value: "10000"
            - name: VULCAN_API_POLL_MAX_MS
              value: "5000"
            - name: VULCAN_API_QUERY_TIMEOUT
              value: "300"
            - name: HTTP_HOST
              value: "0.0.0.0"
            - name: HTTP_PORT
              value: "8080"
            - name: HEIMDALL_AUTH_PATH
              value: "/api/v1/authorize"
            - name: HEIMDALL_TIMEOUT
              value: "10"
            - name: VULCAN_API_HTTP_TIMEOUT
              value: "60"
          envFrom:
          {{ if .EnvironmentVarsFromSecret }}
          {{- range $secName := .EnvironmentVarsFromSecret }}
          - secretRef:
              name: "{{$secName}}"
          {{- end }}
          {{- end }}
          securityContext:
            privileged: false
          {{ if ne $type "workflow" }}
          volumeMounts:
          - name: workdir
            mountPath: /etc/dataos/work
          {{ if .HasSecretRefs }}
          - name: dataos-secret-mount
            mountPath: /etc/dataos/secret
            readOnly: true
          {{- end }}
          - name: tls
            mountPath: /etc/dataos/certs
            readOnly: true
        {{- end }}
  secretJqFilters:
    - .repo.secret
  dataOsAddressJqFilters:
    - .depots[]
  includeAddresses:
    inProjection: true
    secretsInProjection: true
  projection:
    templateType: liquid
    secrets:
      - id: '{{stackSpec.repo.secret}}'
        contextAlias: githubSecret
    projections:
      envVars:
        - key: GITSYNC_USERNAME
          template: '{{ secrets[''githubSecret''].GITSYNC_USERNAME | base64_decode }}'
        - key: GITSYNC_PASSWORD
          template: '{{ secrets[''githubSecret''].GITSYNC_PASSWORD | base64_decode }}'
      envVarsTemplate: >
        VULCAN__TRANSPILER__BASE_URL: "https://{{ defaultProjections.dataOsFqdn
        }}/transpiler"

        VULCAN__HERA__URL: "https://{{ defaultProjections.dataOsFqdn
        }}/hera/api"

        VULCAN__HERA__TOKEN: "{{ defaultProjections.dataOsRunAsApikey }}"

        VULCAN__HERA__ENABLED: true

        VULCAN__GRAPHQL__BASE_URL: http://127.0.0.1:3000

        DATAOS_RUN_AS_APIKEY: {{ defaultProjections.dataOsRunAsApikey }}

        DATAOS_RUN_AS_USER: {{ defaultProjections.dataOsRunAsUser }}

        DEPOT_SERVICE_URL: {{ defaultProjections.depotServiceUrl }}

        HEIMDALL_URL: {{ defaultProjections.heimdallUrl }}

        SCS_SERVICE_URL: {{ defaultProjections.ecsServiceUrl }}

        SCS_SERVICE_USE_TLS_CERTS: {{ defaultProjections.ecsServiceCertsEnabled
        }}

        SCS_SERVICE_DISABLE_HOSTNAME_VERIFICATION: {{
        defaultProjections.ecsServiceHostnameVerificationDisabled }}

        DATAOS_RESOURCE_DESCRIPTION: {{ defaultProjections.dataOsDescription }}

        DATAOS_RESOURCE_TAGS: {{ defaultProjections.dataOsTags }}

        DATAOS_TENANT_ID: {{ defaultProjections.dataOsTenantId }}

        DATAOS_INSTANCE_TENANT_ID: {{ defaultProjections.dataOsInstanceTenantId
        }}

        DATAOS_RESOURCE_ID: {{ defaultProjections.dataOsResourceId }}

        DATAOS_TYPE: {{ defaultProjections.dataOsType }}

        DATAOS_FQDN: {{ defaultProjections.dataOsFqdn }}

        PUSHGATEWAY_URL: {{ defaultProjections.pushGatewayUrl }}

        DATAOS_RUN_ID: {{ defaultProjections.dataOsRunId }}

        DATAOS_WORK_DIR: /etc/dataos/work

        DATAOS_SECRET_DIR: /etc/dataos/secret

        DATAOS_CONFIG_DIR: /etc/dataos/config


        VULCAN__ANALYTICS__ENABLED: true

        VULCAN__ANALYTICS__BASE_URL: "https://{{ defaultProjections.dataOsFqdn
        }}/cloudevents/api/v1"

        VULCAN__ANALYTICS__API_KEY: {{ defaultProjections.dataOsRunAsApikey }}


        VULCAN__HEIMDALL__ENABLED: true

        VULCAN__HEIMDALL__BASE_URL: "{{ defaultProjections.heimdallUrl }}"


        DATAPRODUCT_MYSQL_HOST: {{ defaultProjections.dataOsFqdnTcp }}

        DATAPRODUCT_MYSQL_PORT: "3306"
  executionModes:
    default:
      image:
        registry: docker.io
        repository: tmdcio/vulcan-trino
        tag: 0.228.1.23
        auth:
          imagePullSecret: dcr
      ignoreArgumentsJqFilters: false
      ignoreCommandJqFilters: false
      ignoreImageJqFilter: false
  certificates:
    generate: true
stamp: '-1nh6'
generation: 3
uid: 28049279-cdf9-44a0-9b6f-812dab91e57a
created: '2026-05-20T10:10:01Z'
status:
  aggregateStatus: active
  webServiceResources:
    - id: v3fdd9385a8a824b29148f0981ce8ca6ea1d6fb7-read-upd-del-resource
      service: heimdall
      type: access-policy
      self: /policies/v3fdd9385a8a824b29148f0981ce8ca6ea1d6fb7-read-upd-del-resource
      status: created
  builderState:
    stage: building
    numberOfWantedResources: '1'
    numberOfProcessedResources: '1'
    info: builder is finished with work for now
    properties:
      tmdc.io/entityFullName: '**********'
      tmdc.io/entityHash: '**********'

```

</details>
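
Before applying a copied manifest, it can be checked for floating image tags and for drift between the image pinned under `executionModes` and the image hard-coded in the container templates. This is an added example, not part of the DataOS tooling: the sample text is a constructed excerpt modelled on the Trino manifest above, and the function names are hypothetical.

```python
import re

# Constructed excerpt modelled on the Trino Stack manifest (not the full file).
SAMPLE_MANIFEST = """\
spec:
  workflowJobConfig:
    containerResourceTemplate: |
      initContainers:
        - name:  "{{.Name}}{{.Stamp}}-ic"
          image: docker.io/tmdcio/git-sync:latest
          imagePullPolicy: IfNotPresent
      container:
        name: "{{.Name}}{{.Stamp}}-main"
        image: tmdcio/vulcan-trino:0.228.1.23
      sidecars:
        - name: "{{$name}}-sc-2"
          image: "tmdcio/mysql-wire:0.0.8"
  executionModes:
    default:
      image:
        registry: docker.io
        repository: tmdcio/vulcan-trino
        tag: 0.228.1.23
        auth:
          imagePullSecret: dcr
"""

# `image: <value>` with a scalar value; the bare `image:` mapping key is skipped.
IMAGE_LINE = re.compile(r"^\s*(?:-\s+)?image:\s*(\S.*?)\s*$")
# The repository/tag pair as laid out under executionModes in the manifests.
MODE_IMAGE = re.compile(r"repository:\s*(\S+)\s*\n\s*tag:\s*(\S+)")


def inline_images(manifest):
    """Return (line_number, reference) for every scalar `image:` value."""
    found = []
    for number, line in enumerate(manifest.splitlines(), start=1):
        match = IMAGE_LINE.match(line)
        if match:
            found.append((number, match.group(1).strip("'\"")))
    return found


def split_ref(ref):
    """Split a reference into (repository, tag); tag is None when absent."""
    name = ref.split("@", 1)[0]
    head, _, last = name.rpartition("/")
    repo_part, sep, tag = last.partition(":")
    repository = f"{head}/{repo_part}" if head else repo_part
    # Treat docker.io/<repo> and <repo> as the same repository.
    if repository.startswith("docker.io/"):
        repository = repository[len("docker.io/"):]
    return repository, (tag if sep else None)


def pin_state(ref):
    """Classify a reference as templated, digest, tag or floating."""
    if "{{" in ref:
        return "templated"
    if "@sha256:" in ref:
        return "digest"
    _, tag = split_ref(ref)
    return "floating" if tag in (None, "latest") else "tag"


def review(manifest):
    """Collect floating image references and executionModes tag drift."""
    images = inline_images(manifest)
    floating = [(n, ref) for n, ref in images if pin_state(ref) == "floating"]
    drift = []
    for repo, tag in MODE_IMAGE.findall(manifest):
        repo, tag = repo.strip("'\""), tag.strip("'\"")
        for n, ref in images:
            ref_repo, ref_tag = split_ref(ref)
            if ref_repo == repo and pin_state(ref) == "tag" and ref_tag != tag:
                drift.append((n, ref, tag))
    return {"floating": floating, "drift": drift}


if __name__ == "__main__":
    result = review(SAMPLE_MANIFEST)
    for number, ref in result["floating"]:
        print(f"line {number}: floating image reference {ref}")
    for number, ref, tag in result["drift"]:
        print(f"line {number}: {ref} differs from executionModes tag {tag}")
```

To check a real file, pass its text to `review()`; the line numbers in the result refer to lines of that file.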

Run the following commands:

```bash
dataos-ctl resource apply -f installs/instance-platform-shell/artifacts/vulcan-postgres-stack.yaml --disable-interpolation
dataos-ctl resource apply -f installs/instance-platform-shell/artifacts/vulcan-snowflake-stack.yaml --disable-interpolation
```

{% hint style="info" %}
Use `--disable-interpolation` so Instance placeholders are not expanded at apply time.
{% endhint %}
{% endstep %}

{% step %}

### Get Vulcan Stack info

Check the Stack versions after the apply:

```bash
dataos-ctl develop stack version get
```

Confirm the Vulcan Stack entries are healthy before you continue.
{% endstep %}
{% endstepper %}

## Troubleshooting

<details>

<summary>Vulcan Stack apply fails</summary>

* Use `--disable-interpolation` on Stack apply commands.
* Confirm the Tenant Data plane and Compute are attached.
* Re-run `dataos-ctl develop stack version get` and inspect status.

</details>

<details>

<summary>Stack status does not turn healthy</summary>

* Confirm the install artifact path is correct.
* Check Tenant permissions for Stack apply operations.
* Re-apply the manifest after resolving the failure.

</details>

***

{% hint style="success" %}
Continue with Validate tenant readiness after Vulcan Stack(s) are healthy.
{% endhint %}

