When setting up Ververica Platform Enterprise Edition, a password or a secret may need to be added to values.yaml. How can I get rid of those plain text passwords/secrets and secure them with Kubernetes secrets instead?
- vvp.auth.oidc.registration.clientSecret from your Ververica Platform authentication configuration.
- vvp.persistence.datasource.password from your Ververica Platform JDBC Persistence configuration.
- vvp.auth.bootstrapToken.token from your Ververica Platform Bootstrap Token Configuration.
Note: This article applies to Ververica Platform Enterprise Edition versions 2.1 or later.
Assuming the plaintext password/secret is top-Secret, the following steps explain how to secure the clientSecret, the data source password, and the bootstrap token by using Kubernetes secrets:
1) Encode your password/secret with base64
% echo -n top-Secret | base64
dG9wLVNlY3JldA==
2) Create the Kubernetes Secret with the encoded password/secret, and provide a name (mysecrets in the example) and keys mapping to the individual secrets (oidc, jdbc and bst in the example).
Tip: You may also separate these into individual Kubernetes secrets.
# file: mysecrets.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecrets
type: Opaque
data:
  oidc: dG9wLVNlY3JldA==
  jdbc: dG9wLVNlY3JldA==
  bst: dG9wLVNlY3JldA==
3) Create a yaml file referencing the Kubernetes secret name and keys above, and give the environment variable a name
# file: env_secret.yaml
env:
  # OIDC authentication:
  - name: vvp.auth.oidc.registration.clientSecret
    valueFrom:
      secretKeyRef:
        name: mysecrets
        key: oidc
  # JDBC persistence:
  - name: spring.datasource.password
    valueFrom:
      secretKeyRef:
        name: mysecrets
        key: jdbc
  # Bootstrap Token:
  - name: vvp.auth.bootstrapToken.token
    valueFrom:
      secretKeyRef:
        name: mysecrets
        key: bst
Note: The names of these environment variables are considered internal API and may change in the future. Make sure to check the release notes before upgrading.
4) Remove the plaintext passwords/secrets/token from your values.yaml
5) Set up (helm install) / upgrade (helm upgrade) your Ververica Platform with the created secret
# --install creates the release if it does not exist yet; otherwise it is upgraded
helm upgrade --install vvp ververica/ververica-platform \
  --version 4.2.0 \
  --values values.yaml \
  --values values-license.yaml \
  --values env_secret.yaml
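
A pre-deployment check for steps 1 to 4, as an added example that is not part of the original article or of Ververica Platform: it decodes the Secret's data values to catch a trailing newline left by echo without -n, confirms that every secretKeyRef key exists in the Secret, and flags secret-looking keys still set in values.yaml. The sample file contents and the function names are constructed for illustration, and the line-based parsing assumes flat manifests shaped like the ones in this article, with data: as the last block.

```python
import base64
import re

# Constructed inputs: "bst" was encoded with plain `echo` (trailing newline), the
# env file misspells a key, and values.yaml still holds a plaintext password.
SECRET = "kind: Secret\nmetadata:\n  name: mysecrets\ndata:\n  oidc: dG9wLVNlY3JldA==\n  bst: dG9wLVNlY3JldAo=\n"
ENV = """env:
  - name: vvp.auth.oidc.registration.clientSecret
    valueFrom:
      secretKeyRef:
        name: mysecrets
        key: oidc
  - name: spring.datasource.password
    valueFrom:
      secretKeyRef:
        name: mysecrets
        key: jdbcc
"""
VALUES = "vvp:\n  persistence:\n    datasource:\n      password: top-Secret\n"

def secret_data(manifest):
    """Decode the indented key: value lines under a top-level `data:` block."""
    parts = re.split(r"(?m)^data:[ \t]*\n", manifest, maxsplit=1)
    if len(parts) < 2:
        return {}
    pairs = re.findall(r"(?m)^[ \t]+([\w.-]+):[ \t]*(\S+)[ \t]*$", parts[1])
    return {k: base64.b64decode(v, validate=True) for k, v in pairs}

def referenced_keys(env_yaml, secret_name):
    """Keys requested through secretKeyRef (name line followed by key line)."""
    refs = re.findall(r"secretKeyRef:\s*\n\s*name:\s*(\S+)\s*\n\s*key:\s*(\S+)", env_yaml)
    return {key for name, key in refs if name == secret_name}

def audit(manifest, env_yaml, values_yaml, secret_name="mysecrets"):
    """Return a list of findings; an empty list means all three checks passed."""
    findings, data = [], secret_data(manifest)
    for key, raw in sorted(data.items()):
        if raw != raw.strip():  # typical result of `echo` without -n
            findings.append(f"Secret key {key}: value has surrounding whitespace")
    for key in sorted(referenced_keys(env_yaml, secret_name) - set(data)):
        findings.append(f"env references key {key}, not present in {secret_name}")
    for leaf in ("clientSecret", "password", "token"):  # heuristic leaf-name match
        for m in re.finditer(rf"(?m)^\s*{leaf}:[ \t]*(.*)$", values_yaml):
            if m.group(1).strip("\"' \t"):
                findings.append(f"values.yaml still sets {leaf} in plaintext")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SECRET, ENV, VALUES)))
```

The decoded values are only held in memory for the whitespace check and are never printed; base64 in the Secret manifest is an encoding, so the manifest file itself needs the same handling as the plaintext it replaces.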