Question
Due to security requirements, I have to pass the credentials to Ververica Platform via mounted files (e.g., when retrieving credentials from Hashicorp Vault) rather than the Kubernetes Secrets or plaintext in `values.yaml`. How do I achieve that? Is there any way to load credentials from mounted files in the Ververica Platform pod?
Answer
Note: This section applies to the Ververica Platform 2.5 or later.
Scope
This article describes the ways to provide the following credentials via mounted files. The credentials are categorized into two groups as they need to be treated differently:
Common Credentials
- vvp.persistence.datasource.password
- vvp.auth.bootstrapToken.token
- vvp.auth.oidc.registration.clientId
- vvp.auth.oidc.registration.clientSecret
Blob Storage Credentials
- blobStorageCredentials.s3.accessKeyId
- blobStorageCredentials.s3.secretAccessKey
Note: to integrate Hashicorp Vault with Ververica Platform and load credentials in the Flink jobs running on Ververica Platform, please refer to this link.
Prepare the files with credentials
Common Credentials (single file)
$ cat ./creds-vault.yaml
spring:
  datasource:
    password: admin123
vvp:
  auth:
    oidc:
      registration:
        client-id: victor-test
        client-secret: 7wjuJmRNQEC903WuncsdKsrbo8ND528q
    bootstrapToken:
      token: My_Bstoken
Blob Storage Credentials (two files)
$ cat ./s3.accessKeyId
admin
$ cat ./s3.secretAccessKey
password
Mount the credentials files into the Ververica Platform containers
How the credentials are retrieved and mounted into the Ververica Platform pod depends on where they are stored (for example, a Vault Agent sidecar or an init container). Whatever mechanism you use, mount them as follows:
Common Credentials
Mount the creds-vault.yaml into the `appmanager` container and the `gateway` container in the Ververica Platform pod under the path `/conf/common-creds/`.
Important: the mounted path and file name can be changed, but the mount path must not be an existing Ververica Platform directory.
Blob Storage Credentials
Mount the two files (s3.accessKeyId and s3.secretAccessKey) into the `appmanager` container and the `gateway` container in the Ververica Platform pod under the path `/conf/blob-creds/`.
Important: the mounted directory can be changed, but the two filenames must be exactly the same as the ones used here.
Configure the mounted paths
Common Credentials
Add the path of `creds-vault.yaml` to the `spring.config.additional-location` environment variable in `values.yaml`. The default location `file:/vvp/etc/` must remain in the list:
env:
  - name: "spring.config.additional-location"
    value: "file:/conf/common-creds/creds-vault.yaml,file:/vvp/etc/"
Important: remember to keep the last `/` in `file:/vvp/etc/`, as it has to be a directory.
Blob Storage Credentials
Set the environment variable `vvp.blob-storage.credentials-dir` to the mounted directory in `values.yaml`:
env:
  - name: "vvp.blob-storage.credentials-dir"
    value: "/conf/blob-creds/"
Now you can set up Ververica Platform with `values.yaml` as usual; the platform reads these credentials from the mounted files instead of from `values.yaml` or Kubernetes Secrets.
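The two "Important" notes above (the trailing `/` on `file:/vvp/etc/`, and the fixed file names in the blob-credentials directory) are easy to get wrong and only surface as a startup failure. The following pre-flight check is an added example, not part of the Ververica Platform chart or its documentation: it validates an `additional-location` value and a credentials directory against those rules, and builds a constructed sample layout in a temporary directory so it can be tried offline. The function names and the sample values are ours; the paths and file names are the ones used in this article.

```shell
#!/bin/sh
# Pre-flight check for the mounted-credentials setup (added example, not Ververica code).
# Run it inside the appmanager or gateway container (e.g. via "kubectl exec") against the
# real mount points, or locally against the constructed sample created below.

# check_additional_location VALUE
# Succeeds when the spring.config.additional-location value lists a credentials YAML file
# and still contains the default "file:/vvp/etc/" entry with its trailing slash.
check_additional_location() {
    _have_default=1
    _have_creds=1
    _old_ifs=$IFS
    IFS=,
    for _entry in $1; do
        case $_entry in
            file:/vvp/etc/) _have_default=0 ;;
            file:/vvp/etc)
                echo "ERROR: file:/vvp/etc needs a trailing '/' (it must be a directory)" >&2 ;;
            file:*.yaml|file:*.yml) _have_creds=0 ;;
        esac
    done
    IFS=$_old_ifs
    if [ "$_have_default" -ne 0 ]; then
        echo "ERROR: default location file:/vvp/etc/ is missing from the list" >&2
        return 1
    fi
    if [ "$_have_creds" -ne 0 ]; then
        echo "ERROR: no credentials YAML file is listed" >&2
        return 1
    fi
    return 0
}

# check_blob_dir DIR
# Succeeds when DIR holds both expected file names, each readable and non-empty.
# A file readable by "others" is reported as a warning only: the mode is decided by the
# volume type and the container user, so it is a review point rather than a hard failure.
check_blob_dir() {
    _dir=${1%/}
    _ok=0
    for _name in s3.accessKeyId s3.secretAccessKey; do
        _f=$_dir/$_name
        if [ ! -f "$_f" ]; then
            echo "ERROR: $_f is missing (the two file names are fixed and case-sensitive)" >&2
            _ok=1
        elif [ ! -r "$_f" ]; then
            echo "ERROR: $_f is not readable by $(id -un)" >&2
            _ok=1
        elif [ ! -s "$_f" ]; then
            echo "ERROR: $_f is empty" >&2
            _ok=1
        else
            # -L follows the symlinks that Kubernetes volumes use for mounted files.
            case $(ls -ldL "$_f" | cut -c8-10) in
                ---) ;;
                *) echo "WARN: $_f is readable by other users" >&2 ;;
            esac
        fi
    done
    return $_ok
}

# make_sample_layout
# Creates a constructed copy of the blob-credentials directory (values as in this article)
# in a temporary location and prints its path, so the checks can be exercised offline.
make_sample_layout() {
    _tmp=$(mktemp -d)
    printf 'admin\n' > "$_tmp/s3.accessKeyId"
    printf 'password\n' > "$_tmp/s3.secretAccessKey"
    chmod 600 "$_tmp"/s3.*
    echo "$_tmp"
}

# Stand-alone run: the env value from this article plus the constructed sample directory.
_sample=$(make_sample_layout)
check_additional_location "file:/conf/common-creds/creds-vault.yaml,file:/vvp/etc/" \
    && check_blob_dir "$_sample" \
    && echo "OK: credential layout matches the configuration in this article"
rm -rf "$_sample"
```

Inside the pod, replace the sample directory with the real mount point, for example `check_blob_dir /conf/blob-creds/`, and pass the exact `value` string from `values.yaml` to `check_additional_location`.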