ODAS is a Kubernetes-based application, and allows you to leverage standard Kubernetes capabilities, such as Secrets, in order to make sensitive values available to ODAS (e.g. credentials for JDBC-based data connections).
The instructions in this document are meant to show how to add these secrets when deploying ODAS on Kubernetes, but if you have pre-existing mechanisms or standard practices, you can keep using them as well.
If available, Okera recommends leveraging your cloud provider's normal secrets management capabilities, such as AWS Secrets Manager.
Adding Custom Secrets
In order to add a custom secret to Kubernetes, you will need to create the Secrets object and mount it to the DaemonSet objects that need it.
It is recommended you also read the Kubernetes documentation about Secrets.
You can create a secret using a variety of methods, including using the
kubectl create secret generic dev-db-secret --from-literal=some_username=myusername --from-literal=some_password='mypassword'
Once the secret is created, it needs to be mounted into all the pods that need to be able to access it. We will be mounting these values as files, which means they will leverage Kubernetes volumes.
DaemonSet that you want to add the secret, edit the YAML configuration:
- mountPath: /etc/my-secrets
  name: my-secrets
  readOnly: true

- name: my-secrets
  secret:
    defaultMode: 420
    secretName: dev-db-secret
Note that the name in the volumeMounts section needs to match the name in the volumes section, and that the secretName needs to match the name of your
Example: Credentials for JDBC Data Connection
In this example, we will assume we want to store credentials for Azure Synapse as Kubernetes Secrets.
Create Synapse credentials:
$ kubectl create secret generic synapse-creds \
    --from-literal=synapse_username=myuser@synapse-foo \
    --from-literal=synapse_password='abc123'
cerebro-worker to mount the secret:
- mountPath: /etc/synapse-creds
  name: synapse-creds
  readOnly: true

- name: synapse-creds
  secret:
    defaultMode: 420
    secretName: synapse-creds
$ kubectl edit deployment cerebro-planner
$ kubectl edit daemonset cerebro-worker
Use the credentials in a connection:
CREATE DATACONNECTION synapse CXNPROPERTIES (
  'connection_type' = 'JDBC',
  'driver' = 'sqlserver',
  'host' = 'synapse-foo.sql.azuresynapse.net',
  'port' = '1433',
  'user' = 'file:///etc/synapse-creds/synapse_username',
  'password' = 'file:///etc/synapse-creds/synapse_password',
  'jdbc.db.name' = 'mydefaultdb',
  'jdbc.schema.name' = 'mydefaultschema'
);
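The name-matching rule for volumeMounts, volumes and secretName, and the file:// paths used in the connection above, can be cross-checked before a rollout. The following is an added example, not Okera's code: the function name and the dictionary layout are hypothetical, and it relies on Kubernetes exposing each secret key as a file named after the key under the mountPath.

```python
"""Cross-check a pod spec's secret mounts against file:// connection properties."""
import posixpath
from urllib.parse import urlparse

# Constructed sample data mirroring the Synapse example; names here are hypothetical.
SECRET = {"name": "synapse-creds", "keys": {"synapse_username", "synapse_password"}}
CONTAINER = {"volumeMounts": [
    {"mountPath": "/etc/synapse-creds", "name": "synapse-creds", "readOnly": True}]}
VOLUMES = [{"name": "synapse-creds",
            "secret": {"defaultMode": 420, "secretName": "synapse-creds"}}]
CXN_PROPERTIES = {
    "user": "file:///etc/synapse-creds/synapse_username",
    "password": "file:///etc/synapse-creds/synapse_password",
}


def check_secret_wiring(secret, container, volumes, props):
    """Return a list of problems; an empty list means the wiring is consistent."""
    problems = []
    vols = {v["name"]: v for v in volumes}
    mounted = {}  # mountPath -> secretName, for mounts backed by a secret volume
    for m in container.get("volumeMounts", []):
        vol = vols.get(m["name"])
        if vol is None:
            problems.append(f"volumeMount {m['name']!r} has no matching volume")
            continue
        if "secret" not in vol:
            continue
        if not m.get("readOnly"):
            problems.append(f"secret mount {m['mountPath']} is not readOnly")
        mounted[m["mountPath"].rstrip("/")] = vol["secret"]["secretName"]
    for prop, value in props.items():
        url = urlparse(value)
        if url.scheme != "file":
            continue  # literal value, not a file reference
        directory, key = posixpath.split(url.path)
        secret_name = mounted.get(directory)
        if secret_name is None:
            problems.append(f"{prop}: {directory} is not a mounted secret path")
        elif secret_name != secret["name"]:
            problems.append(f"{prop}: volume uses secretName {secret_name!r}, "
                            f"not {secret['name']!r}")
        elif key not in secret["keys"]:
            problems.append(f"{prop}: key {key!r} is not in secret {secret_name!r}")
    return problems


if __name__ == "__main__":
    print(check_secret_wiring(SECRET, CONTAINER, VOLUMES, CXN_PROPERTIES) or "OK")
```

An empty result means every file:// property resolves to a key of the expected secret through a read-only mount.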