How to set up application-specific resource access in Ververica Platform

Question

In Ververica Platform, how can I set up resource access, e.g. to S3, that is specific to my applications and not visible to others?

Answer

Note: This section applies to Ververica Platform 2.0 - 2.8 Enterprise Edition.

You can make use of Ververica Platform namespaces in combination with Kubernetes Secrets or Ververica Platform Secret Values attached to that namespace. Since deployments only have access to secrets in their own namespace, you can isolate a set of applications from all others by putting them into a separate namespace and then configuring access credentials and resource access within that namespace.

The remainder of this article gives step-by-step instructions on how to create the proposed setup, both in Ververica Platform's Web UI and via its REST API.

Tip: The REST interface can be used via the Swagger web client available at https://VERVERICA_PLATFORM_URL/swagger. You can post application/yaml (or JSON, if you prefer) to the appropriate endpoints given below.

Namespace Setup

Create a separate namespace for each set of applications that you want to isolate from one another and configure namespace access by assigning roles to users and groups. Also make sure to create a Deployment Target that maps deployments of this namespace to a valid Kubernetes Namespace.

Web UI


REST Interface

POST /namespaces/v1/namespaces/
{
  "name": "namespaces/my-namespace",
  "roleBindings": [{
    "role": "owner",
    "members": ["system:authenticated"]
  }]
}

Secrets

In the second step, we will create a secret tied to the namespace that you configured. There are two ways of using secrets with Ververica Platform: relying on Kubernetes Secrets (preferred) or using Ververica Platform Secret Values.

Kubernetes Secrets

Assuming you are using a Kubernetes namespace application1, you can create a Kubernetes secret in that namespace that contains your secret value, for example like this:

kubectl --namespace application1 create secret generic my-secret \
  --from-literal=key1=supersecret --from-literal=key2=topsecret

Then, make sure you have a Deployment Target for the Ververica Platform namespace that points to the Kubernetes namespace application1 (only namespace owners can create these). You can now create deployments that either mount the Kubernetes secret as a volume or make it available as an environment variable (or set this configuration as a Deployment Default for all new deployments in that Ververica Platform namespace):

spec:
  template:
    spec:
      kubernetes:
        pods:
          volumeMounts:
            - name: my-secret
              volume:
                name: my-secret
                secret:
                  secretName: my-secret
              volumeMount:
                name: my-secret
                mountPath: /var/run/secrets/my-secret
                readOnly: true
          envVars:
            - name: MY_SECRET_KEY1
              valueFrom:
                secretKeyRef:
                  name: my-secret
                  key: key1

Ververica Platform Secret Values

Create a secret value in the namespace it should be valid for. You can then use it in the Jar URI or the Flink configuration of any deployment in this namespace by referencing it in the form ${SECRET_VALUE_NAME}.

Web UI


REST Interface

POST /api/v1/namespaces/my-namespace/secret-values
kind: SecretValue
metadata:
  name: SECRET_VALUE_NAME
  namespace: my-namespace
  ...
spec:
  kind: PLAIN
  value: secret
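As an added example (not code from this article or from Ververica), the following Python script assembles the two REST payloads shown above and checks, before a deployment is submitted, that every ${NAME} placeholder in its Jar URI and Flink configuration is backed by a secret value defined in the same namespace. The endpoint paths are the ones given in this article; the S3 configuration keys, bucket name and all values are constructed sample data.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Matches ${SECRET_VALUE_NAME} references as used in Jar URIs and Flink config.
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def namespace_payload(name: str, owners: List[str]) -> Tuple[str, dict]:
    """Endpoint and body for creating a namespace, as shown in this article."""
    body = {"name": f"namespaces/{name}",
            "roleBindings": [{"role": "owner", "members": owners}]}
    return "/namespaces/v1/namespaces/", body


def secret_value_payload(namespace: str, name: str, value: str) -> Tuple[str, dict]:
    """Endpoint and body for a PLAIN secret value scoped to one namespace."""
    body = {"kind": "SecretValue",
            "metadata": {"name": name, "namespace": namespace},
            "spec": {"kind": "PLAIN", "value": value}}
    return f"/api/v1/namespaces/{namespace}/secret-values", body


def referenced_secret_values(jar_uri: str, flink_config: Dict[str, str]) -> Set[str]:
    """Every ${NAME} placeholder used by the deployment's Jar URI or Flink config."""
    names = set(PLACEHOLDER.findall(jar_uri))
    for value in flink_config.values():
        names.update(PLACEHOLDER.findall(value))
    return names


def unresolved_references(jar_uri: str, flink_config: Dict[str, str],
                          defined_in_namespace: Iterable[str]) -> List[str]:
    """Placeholders with no secret value in this namespace. A deployment can only
    resolve secret values from its own namespace, so these would stay unsubstituted
    (a reference to another namespace's secret value cannot work by design)."""
    return sorted(referenced_secret_values(jar_uri, flink_config) - set(defined_in_namespace))


if __name__ == "__main__":
    # Constructed sample: an S3-backed job whose credentials come from secret values.
    flink_config = {"s3.access-key": "${S3_ACCESS_KEY}", "s3.secret-key": "${S3_SECRET_KEY}"}
    jar_uri = "s3://${APP1_BUCKET}/job.jar"
    print(namespace_payload("my-namespace", ["system:authenticated"]))
    print(secret_value_payload("my-namespace", "S3_ACCESS_KEY", "<placeholder>"))
    # Only two of the three placeholders are defined in the namespace, so one is reported.
    print(unresolved_references(jar_uri, flink_config, ["S3_ACCESS_KEY", "APP1_BUCKET"]))
    # prints ['S3_SECRET_KEY']
```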
