(I am not familiar with Hashicorp vault + k8s auth), but another possible
avenue is using KSOP to encrypt and store secrets in Git, and then
ArgoCD to deploy the secrets. Then, you can just have the ODH-managed
applications refer to the secret in question.
On Tue, May 4, 2021 at 10:53 AM Ricardo Martinelli de Oliveira <
Just FYI I created an issue so we can start this discussion with the
community. Feel free to move that discussion to there or keep it here,
while we update the issue.
On Tue, May 4, 2021 at 11:40 AM Ke Zhu <kzhu(a)us.ibm.com> wrote:
> Thanks for the answer!
> If the suggestion is using k8s secret, it's fine, which means an admin
> will need to provide required credentials via k8s manually or via
> kustomize out of the ODH operator.
> What do you think about Hashicorp vault + its K8s Auth method? which
> provides much better experience for managing secrets.
> On Tue, 2021-05-04 at 10:01 -0300, Ricardo Martinelli de Oliveira
> > Hello, You can control the secret name used in Trino deployment with
> > the parameter "s3_credentials_secret". https://github.com/AICoE/idh-
> > manifests/tree/production/trino#s3_credentials_secret You don't need
> > to
> > make kfctl/kustomize
> > Hello,
> > You can control the secret name used in Trino deployment with the
> > parameter
> > "s3_credentials_secret".
> > You don't need to make kfctl/kustomize to control the credentials
> > deployment, but you must specify the secret name that contains the
> > right credentials in the parameters, otherwise Trino will use the
> > default "aws_secret" secret that contains only hard-coded
> > values, which you don't want to use in a real environment.
> > Unfortunately, that was the only method to parameterize the
> > credentials in Trino and Data Catalog.
> > Let me know if you have any other questions.
> > On Tue, May 4, 2021 at 9:49 AM Ke Zhu <kzhu(a)us.ibm.com> wrote:
> > > I'm trying to adopt the opendatahub/kubeflow operator with
> > > kustomize
> > > to
> > > provisioning components like Hive/Trino, but one common requirement
> > > for
> > > running production system is credential management.
> > >
> > > what's the general suggestion on managing credentials required by
> > > opendatahub? k8s secrets?
> > >
> > > For example:
> > >
> > >
> > > I'd prefer not to manage credential in code via kustomize. It's ok
> > > by
> > > using environment variable plus kustomize secret generator, but it
> > > won't work if it's the operator pull then provisioning the
> > > opendatahub
> > > via kfctl/kustomize.
> > > _______________________________________________
> > > Users mailing list -- users(a)lists.opendatahub.io
> > > To unsubscribe send an email to users-leave(a)lists.opendatahub.io
Ricardo Martinelli De Oliveira
Senior Software Engineer, AI CoE
Red Hat Brazil <https://www.redhat.com/>
Av. Brigadeiro Faria Lima, 3900
rmartine(a)redhat.com T: +551135426125
Users mailing list -- users(a)lists.opendatahub.io
To unsubscribe send an email to users-leave(a)lists.opendatahub.io
Senior Software Engineer - AI Services
Red Hat <