Hybrid Ingestion Runner deployment

The Hybrid Runner acts as a proxy between the Collate Server and your Argo Workflows installation (the orchestration system). Communication is established via a secure WebSocket connection (TLS), initiated outbound from your cluster. Collate never stores or accesses the secrets used to connect to your data sources — those are managed by your own infrastructure and retrieved at runtime by the Runner.

Architecture Overview

[Figure: Hybrid Runner architecture diagram showing the WebSocket connection between Collate SaaS and the Hybrid Runner, and the flow from Argo Workflows through ingestion pods to Kubernetes Secrets]

The Runner retrieves connector credentials from a Secrets Store at ingestion time. By default, native Kubernetes Secrets are used — the Helm chart automatically creates the necessary RBAC permissions. You can optionally integrate with a cloud-native secrets manager (AWS Secrets Manager, GCP Secret Manager, or Azure Key Vault) depending on your environment.

Requirements

Hardware

A Kubernetes cluster with at least 2 worker nodes. Each node requires:
  • 2 x86 vCPUs
  • 8 GiB Memory
  • 64 GiB Storage

Software

  • Kubernetes 1.28 or later
  • Helm CLI and kubectl installed locally
  • Argo Workflows 3.7 (installed automatically by the Helm chart)

Secrets Store (Required)

A Secrets Store is required to use the Hybrid Runner. Connector credentials (passwords, API keys, tokens) must be stored in a secrets store — they cannot be entered as plain text in the Collate UI when using the Hybrid Runner.
The following options are supported:

| Option | Description | Best for |
| --- | --- | --- |
| Kubernetes Secrets (default) | Native k8s secrets; Helm chart installs required RBAC automatically | Most customers — no additional setup needed |
| AWS Secrets Manager | Cloud-managed secrets via IAM/IRSA | AWS EKS deployments |
| GCP Secret Manager | Cloud-managed secrets via Workload Identity | GKE deployments |
| Azure Key Vault | Cloud-managed secrets via Workload Identity | AKS deployments |

See your cloud provider’s deployment guide for provider-specific setup instructions.

Troubleshooting

Could not get the secret value / Forbidden

ERROR (metadata.utils.kubernetes_secrets_manager:159) - Could not get the secret value of <path>
Reason: Forbidden
This error means the ingestion pod’s service account does not have permission to read the secret. Common causes:
  • Using a cloud secrets manager (AWS SM, GCP SM, Azure KV) without configuring IAM/Workload Identity. Ensure the ingestion service account has the required role or policy attached.
  • The secret path does not match the configured prefix. The Runner expects secrets under secret:/collate/hybrid-ingestion-runner/<name>. Verify the secret was created at the correct path.
  • Missing secretsManager Helm value. If you intend to use a cloud secrets manager, you must explicitly set config.secretsManager in your values.yaml. Without it, the Runner falls back to Kubernetes Secrets and cannot resolve cloud SM paths.
To verify which secrets manager your Runner is using, check the pod logs:
kubectl logs -l app=hybrid-runner -n argo-workflows | grep secretsManager

Runner shows as Inactive in the Collate UI

  • Check that the authToken in values.yaml is the correct and unexpired JWT from the IngestionBot.
  • Verify outbound TLS (port 443) is allowed from your cluster to <your-instance>.getcollate.io.
  • Confirm the pod is running: kubectl get pods -n argo-workflows.
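
To check the authToken's expiry locally, without pasting it into an external decoder, the following added example (not Collate's own code) decodes the JWT payload without verifying the signature and reads the standard `exp` claim. It assumes the IngestionBot token is a compact JWT that carries `exp` when it has an expiry; `make_sample_token` is a hypothetical helper that builds a constructed, unsigned token for the demo.

```python
import base64
import json
import time


def jwt_claims(token):
    """Decode the payload of a compact JWT. The signature is NOT verified."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # base64url segments drop '=' padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError(f"payload is not base64url-encoded JSON: {exc}") from exc
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def token_status(token, now=None, warn_days=7):
    """Return 'no-expiry', 'expired', 'expiring-soon' or 'valid'."""
    exp = jwt_claims(token).get("exp")
    if exp is None:
        return "no-expiry"  # assumption: a token without 'exp' does not expire
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise ValueError("'exp' claim is not a numeric timestamp")
    now = time.time() if now is None else now
    if exp <= now:
        return "expired"
    if exp - now < warn_days * 86400:
        return "expiring-soon"
    return "valid"


def make_sample_token(claims):
    """Build a constructed, unsigned sample token (hypothetical helper)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"


if __name__ == "__main__":
    # Constructed sample; in practice pass the authToken value from values.yaml.
    sample = make_sample_token({"sub": "ingestion-bot", "exp": 1700000000})
    print(token_status(sample))
```

A result of `expired` means a new token has to be generated for the IngestionBot and set as authToken; the decoded claims say nothing about whether the signature is valid.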

ImagePullBackoff on the Runner pod

The ECR credentials cron job may not have run yet. Trigger it manually:
kubectl create job --from=cronjob/ecr-registry-helper manual -n argo-workflows