Configure Kubernetes Secrets
Okera is a Kubernetes-based application. Okera can be configured using standard Kubernetes constructs, such as Secrets, to make sensitive values available to Okera (e.g., credentials for JDBC-based data connections).
This page explains how to add Secrets when deploying Okera on Kubernetes, but if you have pre-existing mechanisms or standard practices, you can keep using them as well.
Note: If available, Okera recommends using your cloud provider's normal secrets management capabilities, such as AWS Secrets Manager.
To add custom Secrets to Kubernetes, create a Secret object and mount it to the Deployment and DaemonSet objects that require it. Okera recommends that you read the Kubernetes Secrets documentation.
Create a Secret Object
You can use a variety of methods to create a Secret object, including using the kubectl CLI:

    kubectl create secret generic dev-db-secret \
        --from-literal=some_username=myusername \
        --from-literal=some_password='mypassword'
Mount the Secret
Once the Secret is created, mount it into all the pods that need to access it. In these steps, we mount these values as files, which means they leverage Kubernetes volumes.

In each Deployment or DaemonSet to which you want to add the secret, edit the yaml configuration:

- In the volumeMounts section add:

      - mountPath: /etc/my-secrets
        name: my-secrets
        readOnly: true

- In the volumes section add:

      - name: my-secrets
        secret:
          defaultMode: 420
          secretName: dev-db-secret

Note: The name in the volumeMounts section must match the name in the volumes section. In addition, the secretName must match the name of your Secret object.
Example: Credentials for a JDBC Data Connection
In this example, we store credentials for Azure Synapse as Kubernetes Secrets.
- Create Synapse credentials:

      $ kubectl create secret generic synapse-creds \
          --from-literal=synapse_username=myuser@synapse-foo \
          --from-literal=synapse_password='abc123'

- Edit cerebro-planner and cerebro-worker to mount the secret.

  Add to volumeMounts:

      - mountPath: /etc/synapse-creds
        name: synapse-creds
        readOnly: true

  Add to volumes:

      - name: synapse-creds
        secret:
          defaultMode: 420
          secretName: synapse-creds

  For cerebro-planner:

      $ kubectl edit deployment cerebro-planner

  For cerebro-worker:

      $ kubectl edit daemonset cerebro-worker

- Use the credentials in a connection.

      CREATE DATACONNECTION synapse CXNPROPERTIES (
        'connection_type' = 'JDBC',
        'driver' = 'sqlserver',
        'host' = 'synapse-foo.sql.azuresynapse.net',
        'port' = '1433',
        'user' = 'file:///etc/synapse-creds/synapse_username',
        'password' = 'file:///etc/synapse-creds/synapse_password',
        'jdbc.db.name' = 'mydefaultdb',
        'jdbc.schema.name' = 'mydefaultschema'
      );
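The connection only works if four names line up: the Secret's name, the volume's secretName, the volumeMounts name, and the file:// paths built from the mount path and the Secret's keys. The following check is an added example, not Okera code; it runs over a constructed, trimmed copy of what `kubectl get daemonset cerebro-worker -o json` would return, and the function name, container name and sample dict are assumptions made for illustration.

```python
from urllib.parse import urlparse

# Constructed sample: the pod-template part of a workload's JSON, as a Python dict.
# The container name "worker" is hypothetical.
WORKLOAD = {"spec": {"template": {"spec": {
    "containers": [{
        "name": "worker",
        "volumeMounts": [{"mountPath": "/etc/synapse-creds",
                          "name": "synapse-creds", "readOnly": True}],
    }],
    "volumes": [{"name": "synapse-creds",
                 "secret": {"defaultMode": 420,  # decimal 420 == octal 0644
                            "secretName": "synapse-creds"}}],
}}}}


def check_secret_wiring(workload, secret_name, secret_keys, file_uris):
    """Return a list of problems in the chain Secret -> volume -> mount -> file:// URI."""
    problems = []
    pod = workload["spec"]["template"]["spec"]
    # Volumes backed by the expected Secret (secretName must match the Secret object).
    vols = {v["name"] for v in pod.get("volumes", [])
            if v.get("secret", {}).get("secretName") == secret_name}
    if not vols:
        return [f"no volume references secretName {secret_name!r}"]
    mount_paths = set()
    for c in pod.get("containers", []):
        for m in c.get("volumeMounts", []):
            if m["name"] not in vols:
                continue
            if not m.get("readOnly", False):
                problems.append(f"{c['name']}: mount {m['mountPath']} is not readOnly")
            mount_paths.add(m["mountPath"].rstrip("/"))
    if not mount_paths:
        problems.append("volume is defined but no volumeMounts entry uses its name")
    # Each key of the Secret appears as one file under the mount path.
    expected = {f"{p}/{k}" for p in mount_paths for k in secret_keys}
    for uri in file_uris:
        parsed = urlparse(uri)
        if parsed.scheme != "file" or parsed.path not in expected:
            problems.append(f"{uri} does not resolve to a mounted Secret key")
    return problems


if __name__ == "__main__":
    uris = ["file:///etc/synapse-creds/synapse_username",
            "file:///etc/synapse-creds/synapse_password"]
    print(check_secret_wiring(WORKLOAD, "synapse-creds",
                              ["synapse_username", "synapse_password"], uris) or "wiring OK")
```

An empty list means every file:// reference in the connection points at a key that the pod actually mounts read-only.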