
Kubernetes Secrets

ODAS is a Kubernetes-based application, and allows you to leverage standard Kubernetes capabilities, such as Secrets, in order to make sensitive values available to ODAS (e.g. credentials for JDBC-based data connections).

The instructions in this document are meant to show how to add these secrets when deploying ODAS on Kubernetes, but if you have pre-existing mechanisms or standard practices, you can keep using them as well.

Note

If available, Okera recommends leveraging your cloud provider's normal secrets management capabilities, such as AWS Secrets Manager.

Adding Custom Secrets

In order to add a custom secret to Kubernetes, you will need to create the Secret object and mount it to the Deployment and DaemonSet objects that need it.

It is recommended you also read the Kubernetes documentation about Secrets.

Creating a Secret object

You can create a secret using a variety of methods, including using the kubectl CLI:

kubectl create secret generic dev-db-secret --from-literal=some_username=myusername --from-literal=some_password='mypassword'

Mounting the Secret

Once the secret is created, it needs to be mounted into all the pods that need to be able to access it. We will be mounting these values as files, which means they will leverage Kubernetes volumes.

In each Deployment or DaemonSet to which you want to add the secret, edit the YAML configuration:

  1. In the volumeMounts section add:

    - mountPath: /etc/my-secrets
      name: my-secrets
      readOnly: true
    
  2. In the volumes section add:

    - name: my-secrets
      secret:
        defaultMode: 420
        secretName: dev-db-secret
    

Note that the name in the volumeMounts section needs to match the name in the volumes section, and that the secretName needs to match the name of your Secret object.

Example: Credentials for JDBC Data Connection

In this example, we will assume we want to store credentials for Azure Synapse as Kubernetes Secrets.

  1. Create Synapse credentials:

    $ kubectl create secret generic synapse-creds \
        --from-literal=synapse_username=myuser@synapse-foo \
        --from-literal=synapse_password='abc123'
    
  2. Edit cerebro-planner and cerebro-worker to mount the secret:

    Add to volumeMounts:

    - mountPath: /etc/synapse-creds
      name: synapse-creds
      readOnly: true
    

    Add to volumes:

    - name: synapse-creds
      secret:
        defaultMode: 420
        secretName: synapse-creds
    

    For cerebro-planner

    $ kubectl edit deployment cerebro-planner
    

    For cerebro-worker

    $ kubectl edit daemonset cerebro-worker
    
  3. Use the credentials in a connection:

    CREATE DATACONNECTION synapse CXNPROPERTIES (
      'connection_type' = 'JDBC',
      'driver' = 'sqlserver',
      'host' = 'synapse-foo.sql.azuresynapse.net',
      'port'= '1433',
      'user'= 'file:///etc/synapse-creds/synapse_username',
      'password' = 'file:///etc/synapse-creds/synapse_password',
      'defaultdb' = 'mydefaultdb',
      'default_schema' = 'mydefaultschema'
    );
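
A check that ties the three steps together, added here as an example (it is not Okera's code): given the pod spec of cerebro-planner or cerebro-worker as JSON, it confirms that every file:// URI used in CXNPROPERTIES resolves to a key of the mounted Secret. The manifest below is constructed, the container name planner is a placeholder, and the check assumes the volume uses neither items nor subPath.

```python
import posixpath
from urllib.parse import urlparse

# Constructed sample: the parts of `kubectl get deployment cerebro-planner -o json`
# that matter here. The container name "planner" is a placeholder.
PLANNER = {"spec": {"template": {"spec": {
    "containers": [{
        "name": "planner",
        "volumeMounts": [{"mountPath": "/etc/synapse-creds",
                          "name": "synapse-creds", "readOnly": True}],
    }],
    "volumes": [{"name": "synapse-creds",
                 "secret": {"defaultMode": 420, "secretName": "synapse-creds"}}],
}}}}
# Keys given to `kubectl create secret` and URIs used in CREATE DATACONNECTION.
KEYS = ["synapse_username", "synapse_password"]
URIS = ["file:///etc/synapse-creds/synapse_username",
        "file:///etc/synapse-creds/synapse_password"]

def secret_files(workload, secret_name, secret_keys):
    """Map each container to the file paths where the Secret's keys appear.

    Assumes the volume does not use `items` and the mount does not use `subPath`.
    """
    pod = workload["spec"]["template"]["spec"]
    # Volumes whose secretName matches the Secret object we expect.
    volumes = {v["name"] for v in pod.get("volumes", [])
               if v.get("secret", {}).get("secretName") == secret_name}
    files = {}
    for container in pod.get("containers", []):
        paths = set()
        for mount in container.get("volumeMounts", []):
            if mount["name"] in volumes:  # volumeMounts name must match volumes name
                paths |= {posixpath.join(mount["mountPath"], k) for k in secret_keys}
        files[container["name"]] = paths
    return files

def check_connection(workload, secret_name, secret_keys, uris):
    """Return one message per file:// URI that no mounted Secret key backs."""
    problems = []
    for name, paths in secret_files(workload, secret_name, secret_keys).items():
        for uri in uris:
            if urlparse(uri).path not in paths:
                problems.append(f"{name}: {uri} is not a mounted key of {secret_name}")
    return problems

if __name__ == "__main__":
    print(check_connection(PLANNER, "synapse-creds", KEYS, URIS) or "ok")
```

To run it against a live workload, load the output of `kubectl get deployment cerebro-planner -o json` with `json.load` and pass it in place of `PLANNER`.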