Configure Kubernetes Secrets

Okera is a Kubernetes-based application. Okera can be configured using standard Kubernetes constructs, such as Secrets, to make sensitive values available to Okera (e.g., credentials for JDBC-based data connections).

This page explains how to add Secrets when deploying Okera on Kubernetes, but if you have pre-existing mechanisms or standard practices, you can keep using them as well.

Note: If available, Okera recommends using your cloud provider's normal secrets management capabilities, such as AWS Secrets Manager.

To add custom Secrets to Kubernetes, create a Secret object and mount it to the Deployment and DaemonSet objects that require it. Okera recommends that you read the Kubernetes Secrets documentation.

Create a Secret Object

You can use a variety of methods to create a Secret object, including using the kubectl CLI:

kubectl create secret generic dev-db-secret --from-literal=some_username=myusername --from-literal=some_password='mypassword'

Mount the Secret

Once the Secret is created, mount it into all the pods that need to access it. In these steps, we mount these values as files, which means they leverage Kubernetes volumes.

In each Deployment or DaemonSet to which you want to add the secret, edit the YAML configuration:

  1. In the volumeMounts section add:

    - mountPath: /etc/my-secrets
      name: my-secrets
      readOnly: true
    
  2. In the volumes section add:

    - name: my-secrets
      secret:
        defaultMode: 420
        secretName: dev-db-secret
    

Note: The name in the volumeMounts section must match the name in the volumes section. In addition, the secretName must match the name of your Secret object.
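
The matching rules in the note above can be checked mechanically before a rollout. The following Python sketch is an added example, not Okera's code; it assumes the workload is available as JSON (for example from `kubectl get deployment <name> -o json`), and the helper names `check_secret_mounts` and `mode_octal` and the sample manifest are constructed for illustration.

```python
import json

# Constructed sample: trimmed shape of `kubectl get deployment <name> -o json`.
SAMPLE = json.loads("""
{"kind": "Deployment", "metadata": {"name": "example"},
 "spec": {"template": {"spec": {
   "containers": [{"name": "app", "volumeMounts": [
     {"mountPath": "/etc/my-secrets", "name": "my-secrets", "readOnly": true}]}],
   "volumes": [{"name": "my-secrets",
                "secret": {"defaultMode": 420, "secretName": "dev-db-secret"}}]}}}}
""")

def mode_octal(mode):
    """Render a decimal defaultMode (JSON has no octal literals) as octal, e.g. 420 -> 0644."""
    return format(mode, "04o")

def check_secret_mounts(workload, known_secrets):
    """Return findings for Secret volumes in a Deployment or DaemonSet (hypothetical helper)."""
    pod = workload["spec"]["template"]["spec"]
    volumes = {v["name"]: v for v in pod.get("volumes", [])}
    secret_vols = {n: v["secret"] for n, v in volumes.items() if "secret" in v}
    findings, mounted = [], set()
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        for m in c.get("volumeMounts", []):
            mounted.add(m["name"])
            if m["name"] not in volumes:
                findings.append(f"{c['name']}: volumeMount '{m['name']}' has no matching volume")
            elif m["name"] in secret_vols and not m.get("readOnly", False):
                findings.append(f"{c['name']}: secret mount '{m['name']}' is not readOnly")
    for name, sec in secret_vols.items():
        if name not in mounted:
            findings.append(f"volume '{name}' is defined but never mounted")
        if sec.get("secretName") not in known_secrets:
            findings.append(f"volume '{name}': no Secret named '{sec.get('secretName')}'")
        mode = sec.get("defaultMode", 0o644)  # Kubernetes default when unset
        if not 0 <= mode <= 0o777:
            # e.g. 644 written as decimal is 0o1204, outside the allowed range
            findings.append(f"volume '{name}': defaultMode {mode} is outside 0..0777 octal")
    return findings

if __name__ == "__main__":
    print(mode_octal(420))                                # the page's defaultMode
    print(check_secret_mounts(SAMPLE, {"dev-db-secret"}))  # consistent manifest
```

The `defaultMode: 420` used on this page is the decimal form of octal 0644; pass the names of the Secrets that exist in the namespace as `known_secrets`.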

Example: Credentials for a JDBC Data Connection

In this example, we store credentials for Azure Synapse as Kubernetes Secrets.

  1. Create Synapse credentials:

    $ kubectl create secret generic synapse-creds \
        --from-literal=synapse_username=myuser@synapse-foo \
        --from-literal=synapse_password='abc123'
    
  2. Edit cerebro-planner and cerebro-worker to mount the secret.

    Add to volumeMounts:

    - mountPath: /etc/synapse-creds
      name: synapse-creds
      readOnly: true
    

    Add to volumes:

    - name: synapse-creds
      secret:
        defaultMode: 420
        secretName: synapse-creds
    

    For cerebro-planner:

    $ kubectl edit deployment cerebro-planner
    

    For cerebro-worker:

    $ kubectl edit daemonset cerebro-worker
    
  3. Use the credentials in a connection.

    CREATE DATACONNECTION synapse CXNPROPERTIES (
      'connection_type' = 'JDBC',
      'driver' = 'sqlserver',
      'host' = 'synapse-foo.sql.azuresynapse.net',
      'port'= '1433',
      'user'= 'file:///etc/synapse-creds/synapse_username',
      'password' = 'file:///etc/synapse-creds/synapse_password',
      'jdbc.db.name' = 'mydefaultdb',
      'jdbc.schema.name' = 'mydefaultschema'
    );