7:07 p.m.
I'm trying to adopt the opendatahub/kubeflow operator with kustomize to
provisioning components like Hive/Trino, but one common requirement for
running production system is credential management.
what's the general suggestion on managing credentials required by
opendatahub? k8s secrets?
For example:
https://github.com/opendatahub-io/odh-manifests/blob/master/trino/base/aw...
I'd prefer not to manage credential in code via kustomize. It's ok by
using environment variable plus kustomize secret generator, but it
won't work if it's the operator pull then provisioning the opendatahub
via kfctl/kustomize.
8:01 a.m.
Hello,
You can control the secret name used in Trino deployment with the parameter
"s3_credentials_secret".
https://github.com/AICoE/idh-manifests/tree/production/trino#s3_credentia...
You don't need to make kfctl/kustomize to control the credentials
deployment, but you must specify the secret name that contains the right
credentials in the parameters, otherwise Trino will use the default
"aws_secret" secret that contains only hard-coded "changeme" values,
which
you don't want to use in a real environment. Unfortunately, that was the
only method to parameterize the credentials in Trino and Data Catalog.
Let me know if you have any other questions.
On Tue, May 4, 2021 at 9:49 AM Ke Zhu <kzhu(a)us.ibm.com> wrote:
I'm trying to adopt the opendatahub/kubeflow operator with
kustomize to
provisioning components like Hive/Trino, but one common requirement for
running production system is credential management.
what's the general suggestion on managing credentials required by
opendatahub? k8s secrets?
For example:
https://github.com/opendatahub-io/odh-manifests/blob/master/trino/base/aw...
I'd prefer not to manage credential in code via kustomize. It's ok by
using environment variable plus kustomize secret generator, but it
won't work if it's the operator pull then provisioning the opendatahub
via kfctl/kustomize.
_______________________________________________
Users mailing list -- users(a)lists.opendatahub.io
To unsubscribe send an email to users-leave(a)lists.opendatahub.io
--
Ricardo Martinelli De Oliveira
Senior Software Engineer, AI CoE
Red Hat Brazil <https://www.redhat.com/>
Av. Brigadeiro Faria Lima, 3900
8th floor
rmartine(a)redhat.com T: +551135426125
M: +5511970696531
@redhatjobs <https://twitter.com/redhatjobs> redhatjobs
<https://www.facebook.com/redhatjobs> @redhatjobs
<https://instagram.com/redhatjobs>
<https://www.redhat.com/>
9:40 a.m.
Thanks for the answer!
If the suggestion is using k8s secret, it's fine, which means an admin
will need to provide required credentials via k8s manually or via
kustomize out of the ODH operator.
What do you think about Hashicorp vault + its K8s Auth method? which
provides much better experience for managing secrets.
On Tue, 2021-05-04 at 10:01 -0300, Ricardo Martinelli de Oliveira
wrote:
Hello, You can control the secret name used in Trino deployment
with
the parameter "s3_credentials_secret". https://github.com/AICoE/idh-
manifests/tree/production/trino#s3_credentials_secret You don't need
to
make kfctl/kustomize
Hello,
You can control the secret name used in Trino deployment with the
parameter
"s3_credentials_secret". https://github.com/AICoE/idh-manifests/tree/production/trino#s3_credentials_secret
You don't need to make kfctl/kustomize to control the credentials
deployment, but you must specify the secret name that contains the
right credentials in the parameters, otherwise Trino will use the
default "aws_secret" secret that contains only hard-coded "changeme"
values, which you don't want to use in a real environment.
Unfortunately, that was the only method to parameterize the
credentials in Trino and Data Catalog.
Let me know if you have any other questions.
On Tue, May 4, 2021 at 9:49 AM Ke Zhu <kzhu(a)us.ibm.com> wrote:
> I'm trying to adopt the opendatahub/kubeflow operator with
> kustomize
> to
> provisioning components like Hive/Trino, but one common requirement
> for
> running production system is credential management.
>
> what's the general suggestion on managing credentials required by
> opendatahub? k8s secrets?
>
> For example:
>
https://github.com/opendatahub-io/odh-manifests/blob/master/trino/base/aw...
>
> I'd prefer not to manage credential in code via kustomize. It's ok
> by
> using environment variable plus kustomize secret generator, but it
> won't work if it's the operator pull then provisioning the
> opendatahub
> via kfctl/kustomize.
> _______________________________________________
> Users mailing list -- users(a)lists.opendatahub.io
> To unsubscribe send an email to users-leave(a)lists.opendatahub.io
9:51 a.m.
Just FYI I created an issue so we can start this discussion with the
community. Feel free to move that discussion to there or keep it here,
while we update the issue.
https://github.com/opendatahub-io/odh-manifests/issues/420
On Tue, May 4, 2021 at 11:40 AM Ke Zhu <kzhu(a)us.ibm.com> wrote:
Thanks for the answer!
If the suggestion is using k8s secret, it's fine, which means an admin
will need to provide required credentials via k8s manually or via
kustomize out of the ODH operator.
What do you think about Hashicorp vault + its K8s Auth method? which
provides much better experience for managing secrets.
On Tue, 2021-05-04 at 10:01 -0300, Ricardo Martinelli de Oliveira
wrote:
> Hello, You can control the secret name used in Trino deployment with
> the parameter "s3_credentials_secret". https://github.com/AICoE/idh-
> manifests/tree/production/trino#s3_credentials_secret You don't need
> to
> make kfctl/kustomize
>
>
> Hello,
>
> You can control the secret name used in Trino deployment with the
> parameter
> "s3_credentials_secret".
https://github.com/AICoE/idh-manifests/tree/production/trino#s3_credentia...
>
> You don't need to make kfctl/kustomize to control the credentials
> deployment, but you must specify the secret name that contains the
> right credentials in the parameters, otherwise Trino will use the
> default "aws_secret" secret that contains only hard-coded
"changeme"
> values, which you don't want to use in a real environment.
> Unfortunately, that was the only method to parameterize the
> credentials in Trino and Data Catalog.
>
> Let me know if you have any other questions.
>
> On Tue, May 4, 2021 at 9:49 AM Ke Zhu <kzhu(a)us.ibm.com> wrote:
> > I'm trying to adopt the opendatahub/kubeflow operator with
> > kustomize
> > to
> > provisioning components like Hive/Trino, but one common requirement
> > for
> > running production system is credential management.
> >
> > what's the general suggestion on managing credentials required by
> > opendatahub? k8s secrets?
> >
> > For example:
> >
https://github.com/opendatahub-io/odh-manifests/blob/master/trino/base/aw...
> >
> > I'd prefer not to manage credential in code via kustomize. It's ok
> > by
> > using environment variable plus kustomize secret generator, but it
> > won't work if it's the operator pull then provisioning the
> > opendatahub
> > via kfctl/kustomize.
> > _______________________________________________
> > Users mailing list -- users(a)lists.opendatahub.io
> > To unsubscribe send an email to users-leave(a)lists.opendatahub.io
>
>
--
Ricardo Martinelli De Oliveira
Senior Software Engineer, AI CoE
Red Hat Brazil <https://www.redhat.com/>
Av. Brigadeiro Faria Lima, 3900
8th floor
rmartine(a)redhat.com T: +551135426125
M: +5511970696531
@redhatjobs <https://twitter.com/redhatjobs> redhatjobs
<https://www.facebook.com/redhatjobs> @redhatjobs
<https://instagram.com/redhatjobs>
<https://www.redhat.com/>
9:54 a.m.
(I am not familiar with Hashicorp vault + k8s auth), but another possible
avenue is using KSOP[1] to encrypt and store secrets in Git, and then
ArgoCD[2] to deploy the secrets. Then, you can just have the ODH-managed
applications refer to the secret in question.
[1] https://github.com/viaduct-ai/kustomize-sops
[2] https://github.com/argoproj/argo-cd
On Tue, May 4, 2021 at 10:53 AM Ricardo Martinelli de Oliveira <
rmartine(a)redhat.com> wrote:
Just FYI I created an issue so we can start this discussion with the
community. Feel free to move that discussion to there or keep it here,
while we update the issue.
https://github.com/opendatahub-io/odh-manifests/issues/420
On Tue, May 4, 2021 at 11:40 AM Ke Zhu <kzhu(a)us.ibm.com> wrote:
> Thanks for the answer!
>
> If the suggestion is using k8s secret, it's fine, which means an admin
> will need to provide required credentials via k8s manually or via
> kustomize out of the ODH operator.
>
> What do you think about Hashicorp vault + its K8s Auth method? which
> provides much better experience for managing secrets.
>
> On Tue, 2021-05-04 at 10:01 -0300, Ricardo Martinelli de Oliveira
> wrote:
> > Hello, You can control the secret name used in Trino deployment with
> > the parameter "s3_credentials_secret". https://github.com/AICoE/idh-
> > manifests/tree/production/trino#s3_credentials_secret You don't need
> > to
> > make kfctl/kustomize
> >
> >
> > Hello,
> >
> > You can control the secret name used in Trino deployment with the
> > parameter
> > "s3_credentials_secret".
> https://github.com/AICoE/idh-manifests/tree/production/trino#s3_credentia...
> >
> > You don't need to make kfctl/kustomize to control the credentials
> > deployment, but you must specify the secret name that contains the
> > right credentials in the parameters, otherwise Trino will use the
> > default "aws_secret" secret that contains only hard-coded
"changeme"
> > values, which you don't want to use in a real environment.
> > Unfortunately, that was the only method to parameterize the
> > credentials in Trino and Data Catalog.
> >
> > Let me know if you have any other questions.
> >
> > On Tue, May 4, 2021 at 9:49 AM Ke Zhu <kzhu(a)us.ibm.com> wrote:
> > > I'm trying to adopt the opendatahub/kubeflow operator with
> > > kustomize
> > > to
> > > provisioning components like Hive/Trino, but one common requirement
> > > for
> > > running production system is credential management.
> > >
> > > what's the general suggestion on managing credentials required by
> > > opendatahub? k8s secrets?
> > >
> > > For example:
> > >
>
https://github.com/opendatahub-io/odh-manifests/blob/master/trino/base/aw...
> > >
> > > I'd prefer not to manage credential in code via kustomize. It's ok
> > > by
> > > using environment variable plus kustomize secret generator, but it
> > > won't work if it's the operator pull then provisioning the
> > > opendatahub
> > > via kfctl/kustomize.
> > > _______________________________________________
> > > Users mailing list -- users(a)lists.opendatahub.io
> > > To unsubscribe send an email to users-leave(a)lists.opendatahub.io
> >
> >
>
>
--
Ricardo Martinelli De Oliveira
Senior Software Engineer, AI CoE
Red Hat Brazil <https://www.redhat.com/>
Av. Brigadeiro Faria Lima, 3900
8th floor
rmartine(a)redhat.com T: +551135426125
M: +5511970696531
@redhatjobs <https://twitter.com/redhatjobs> redhatjobs
<https://www.facebook.com/redhatjobs> @redhatjobs
<https://instagram.com/redhatjobs>
<https://www.redhat.com/>
_______________________________________________
Users mailing list -- users(a)lists.opendatahub.io
To unsubscribe send an email to users-leave(a)lists.opendatahub.io
--
Anish Asthana
He/Him/His
Senior Software Engineer - AI Services
Red Hat <https://www.redhat.com>
300 A Street
Boston, MA-02210
aasthana(a)redhat.com
<https://www.redhat.com>
1081
days inactive
1081
days old
4 comments
3 participants
participants (3)
-
Anish Asthana -
Ke Zhu -
Ricardo Martinelli de Oliveira