Kubernetes Secrets

Okera is a Kubernetes-based application. It lets you leverage standard Kubernetes capabilities, such as Secrets, to make sensitive values available to Okera (e.g., credentials for JDBC-based data connections).

The instructions on this page show you how to add these secrets when deploying Okera on Kubernetes, but if you have pre-existing mechanisms or standard practices, you can keep using them as well.

Note: If available, Okera recommends using your cloud provider's normal secrets management capabilities, such as AWS Secrets Manager.

Add Custom Secrets

To add custom secrets to Kubernetes, create a Secret object and mount it into the Deployment and DaemonSet objects that require it.

Okera recommends that you read the Kubernetes Secrets documentation.

Create a Secret object

You can create a Secret using a variety of methods, including using the kubectl CLI:

kubectl create secret generic dev-db-secret --from-literal=some_username=myusername --from-literal=some_password='mypassword'

Mount the Secret

Once the Secret is created, mount it into all the pods that need to access it. In these steps, we mount these values as files, which means they leverage Kubernetes volumes.

In each Deployment or DaemonSet to which you want to add the secret, edit the YAML configuration:

  1. In the volumeMounts section add:

    - mountPath: /etc/my-secrets
      name: my-secrets
      readOnly: true
    
  2. In the volumes section add:

    - name: my-secrets
      secret:
        defaultMode: 420  # decimal 420 = octal 0644
        secretName: dev-db-secret
    

Note: The name in the volumeMounts section must match the name in the volumes section. In addition, the secretName must match the name of your Secret object.
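
A check for the two matching rules in the note above, as an added example (not Okera's code): it reads the JSON form of a Deployment or DaemonSet, as printed by `kubectl get ... -o json`, and reports mounts with no matching volume, secretName values that are not existing Secrets, and secret mounts that are not readOnly. The sample manifest, the function name and the set of existing Secret names are constructed for illustration.

```python
import json

# Constructed sample: trimmed shape of `kubectl get deployment <name> -o json`.
# It contains two deliberate typos: mount "my-secret" and secretName "dev-db-secrets".
SAMPLE = json.loads("""
{"kind": "Deployment", "metadata": {"name": "example"},
 "spec": {"template": {"spec": {
   "containers": [{"name": "app", "volumeMounts": [
     {"name": "my-secrets", "mountPath": "/etc/my-secrets", "readOnly": true},
     {"name": "my-secret", "mountPath": "/etc/other", "readOnly": true}]}],
   "volumes": [{"name": "my-secrets", "secret":
     {"secretName": "dev-db-secrets", "defaultMode": 420}}]
 }}}}
""")


def check_secret_mounts(workload, existing_secrets):
    """Return a list of problems with the secret volumes of a workload.

    existing_secrets: names of the Secret objects in the workload's namespace
    (assumption: collected separately, e.g. from `kubectl get secrets`).
    """
    pod = workload["spec"]["template"]["spec"]
    volumes = {v["name"]: v for v in pod.get("volumes", [])}
    problems = []
    for vol in volumes.values():
        secret = vol.get("secret")
        if secret and secret["secretName"] not in existing_secrets:
            problems.append(f"volume {vol['name']!r}: secretName "
                            f"{secret['secretName']!r} is not an existing Secret")
    for c in pod.get("containers", []):
        for m in c.get("volumeMounts", []):
            vol = volumes.get(m["name"])
            if vol is None:
                problems.append(f"container {c['name']!r}: mount {m['name']!r} "
                                "has no matching entry in volumes")
            elif "secret" in vol and not m.get("readOnly", False):
                problems.append(f"container {c['name']!r}: secret mount "
                                f"{m['name']!r} is not readOnly")
    return problems


if __name__ == "__main__":
    for problem in check_secret_mounts(SAMPLE, {"dev-db-secret"}):
        print(problem)
```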

Example: Credentials for JDBC Data Connection

In this example, we store credentials for Azure Synapse as Kubernetes Secrets.

  1. Create Synapse credentials:

    $ kubectl create secret generic synapse-creds \
    --from-literal=synapse_username=myuser@synapse-foo \
    --from-literal=synapse_password='abc123'
    
  2. Edit cerebro-planner and cerebro-worker to mount the secret.

    Add to volumeMounts:

    - mountPath: /etc/synapse-creds
      name: synapse-creds
      readOnly: true
    

    Add to volumes:

    - name: synapse-creds
      secret:
        defaultMode: 420
        secretName: synapse-creds
    

    For cerebro-planner:

    $ kubectl edit deployment cerebro-planner
    

    For cerebro-worker:

    $ kubectl edit daemonset cerebro-worker
    
  3. Use the credentials in a connection.

    CREATE DATACONNECTION synapse CXNPROPERTIES (
      'connection_type' = 'JDBC',
      'driver' = 'sqlserver',
      'host' = 'synapse-foo.sql.azuresynapse.net',
      'port' = '1433',
      'user' = 'file:///etc/synapse-creds/synapse_username',
      'password' = 'file:///etc/synapse-creds/synapse_password',
      'jdbc.db.name' = 'mydefaultdb',
      'jdbc.schema.name' = 'mydefaultschema'
    );