9:54 a.m.
(I am not familiar with Hashicorp vault + k8s auth), but another possible
avenue is using KSOP[1] to encrypt and store secrets in Git, and then
ArgoCD[2] to deploy the secrets. Then, you can just have the ODH-managed
applications refer to the secret in question.
[1] https://github.com/viaduct-ai/kustomize-sops
[2] https://github.com/argoproj/argo-cd
On Tue, May 4, 2021 at 10:53 AM Ricardo Martinelli de Oliveira <
rmartine(a)redhat.com> wrote:
Just FYI I created an issue so we can start this discussion with the
community. Feel free to move that discussion to there or keep it here,
while we update the issue.
https://github.com/opendatahub-io/odh-manifests/issues/420
On Tue, May 4, 2021 at 11:40 AM Ke Zhu <kzhu(a)us.ibm.com> wrote:
> Thanks for the answer!
>
> If the suggestion is using k8s secret, it's fine, which means an admin
> will need to provide required credentials via k8s manually or via
> kustomize out of the ODH operator.
>
> What do you think about Hashicorp vault + its K8s Auth method? which
> provides much better experience for managing secrets.
>
> On Tue, 2021-05-04 at 10:01 -0300, Ricardo Martinelli de Oliveira
> wrote:
> > Hello, You can control the secret name used in Trino deployment with
> > the parameter "s3_credentials_secret". https://github.com/AICoE/idh-
> > manifests/tree/production/trino#s3_credentials_secret You don't need
> > to
> > make kfctl/kustomize
> >
> >
> > Hello,
> >
> > You can control the secret name used in Trino deployment with the
> > parameter
> > "s3_credentials_secret".
> https://github.com/AICoE/idh-manifests/tree/production/trino#s3_credentia...
> >
> > You don't need to make kfctl/kustomize to control the credentials
> > deployment, but you must specify the secret name that contains the
> > right credentials in the parameters, otherwise Trino will use the
> > default "aws_secret" secret that contains only hard-coded
"changeme"
> > values, which you don't want to use in a real environment.
> > Unfortunately, that was the only method to parameterize the
> > credentials in Trino and Data Catalog.
> >
> > Let me know if you have any other questions.
> >
> > On Tue, May 4, 2021 at 9:49 AM Ke Zhu <kzhu(a)us.ibm.com> wrote:
> > > I'm trying to adopt the opendatahub/kubeflow operator with
> > > kustomize
> > > to
> > > provisioning components like Hive/Trino, but one common requirement
> > > for
> > > running production system is credential management.
> > >
> > > what's the general suggestion on managing credentials required by
> > > opendatahub? k8s secrets?
> > >
> > > For example:
> > >
>
https://github.com/opendatahub-io/odh-manifests/blob/master/trino/base/aw...
> > >
> > > I'd prefer not to manage credential in code via kustomize. It's ok
> > > by
> > > using environment variable plus kustomize secret generator, but it
> > > won't work if it's the operator pull then provisioning the
> > > opendatahub
> > > via kfctl/kustomize.
> > > _______________________________________________
> > > Users mailing list -- users(a)lists.opendatahub.io
> > > To unsubscribe send an email to users-leave(a)lists.opendatahub.io
> >
> >
>
>
--
Ricardo Martinelli De Oliveira
Senior Software Engineer, AI CoE
Red Hat Brazil <https://www.redhat.com/>
Av. Brigadeiro Faria Lima, 3900
8th floor
rmartine(a)redhat.com T: +551135426125
M: +5511970696531
@redhatjobs <https://twitter.com/redhatjobs> redhatjobs
<https://www.facebook.com/redhatjobs> @redhatjobs
<https://instagram.com/redhatjobs>
<https://www.redhat.com/>
_______________________________________________
Users mailing list -- users(a)lists.opendatahub.io
To unsubscribe send an email to users-leave(a)lists.opendatahub.io
--
Anish Asthana
He/Him/His
Senior Software Engineer - AI Services
Red Hat <https://www.redhat.com>
300 A Street
Boston, MA-02210
aasthana(a)redhat.com
<https://www.redhat.com>