Secure Handling of Superset Credentials in UMT’s EKS Deployment #37

Open
paulpascal opened this issue Feb 13, 2025 · 1 comment
@paulpascal
Collaborator

Description

We are currently developing a new feature in the User Management Tool (UMT) that integrates with Superset (Issue #191). The integration involves enabling the Superset REST API and authenticating using an admin account to obtain tokens for creating users, roles, filters, etc. A draft pull request is available for review: PR #245.

Challenge

We need a secure and scalable method to manage Superset credentials in our EKS-based deployment. Specifically, we aim to avoid exposing these credentials in:

  • Source code
  • values.yaml files in Helm
  • Any version-controlled repository files

Current Approaches Considered

  1. Environment Variables (values.yaml)
  2. Kubernetes Secrets
  3. AWS Secrets Manager

Desired Solution Criteria

  • Retrieve credentials from a secure storage service.
  • Simplify the process of updating secrets without modifying Helm charts, possibly through kubectl or other means.
@paulpascal paulpascal self-assigned this Feb 13, 2025
@paulpascal
Collaborator Author

Thanks @Hareet, for today's great and insightful call. Here are some key notes I have kept to document this issue:

We explored various approaches to securely manage Superset credentials in our EKS deployment:

1. Using values.yaml:

  • Overview: During Helm installation, values provided in values.yaml are mapped to templates and used in the deployment.
  • Consideration: To avoid hardcoding credentials in the values.yaml file within the repository, we can make use of GitHub environment variables to inject credentials during the deployment process.

2. Kubernetes Secrets:

  • Overview: Kubernetes Secrets can securely store sensitive information.
  • Consideration: Similar to the values.yaml approach, we can manage secrets using GitHub environment variables as well to inject them during deployment.

3. AWS Secrets Manager:

  • Overview: A sophisticated service for managing secrets with features like automatic rotation.
  • Consideration: To maintain flexibility and avoid tight coupling to a specific cloud provider, we might prefer the above approaches instead.

Additional Options Discussed:

  • SOPS (Secrets OPerationS): A tool to encrypt secrets and add a decryption step during deployment, allowing encrypted secrets to be stored safely in version control.
  • Helm-Secrets Plugin: An advanced tool that integrates with SOPS to manage secrets within Helm charts. It supports cloud integration for future scalability.

For immediate implementation, using GitHub environment variables to manage secrets is a straightforward approach.
For a more sophisticated and flexible solution, especially as our infrastructure evolves, adopting tools like Helm-Secrets or SOPS is recommended.

cc: @alexosugo @mrjones-plip @inromualdo @freddieptf @kennsippell
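As an added example (not code from this issue, from UMT or from the linked PR): a small POSIX shell helper for the "GitHub environment variables into a Kubernetes Secret" approach discussed above. It assumes the CI step exposes the credentials as SUPERSET_ADMIN_USER and SUPERSET_ADMIN_PASSWORD (assumed names) and renders the Secret manifest to stdout for kubectl, so the plaintext never lands in values.yaml or in a committed file; a second function is a CI guard that fails if the password literal does show up in a values file.

```shell
#!/bin/sh
# Render a Kubernetes Secret for the Superset admin account from environment
# variables (e.g. GitHub Actions secrets mapped to env). Variable and secret
# names are assumptions for this example, not UMT's actual configuration.
set -eu

render_superset_secret() {
  # $1 = Secret name, $2 = namespace; credentials come only from the environment
  name="${1:-superset-admin}"
  ns="${2:-umt}"
  # Fail fast if CI did not inject the credentials instead of deploying blanks
  : "${SUPERSET_ADMIN_USER:?SUPERSET_ADMIN_USER is not set}"
  : "${SUPERSET_ADMIN_PASSWORD:?SUPERSET_ADMIN_PASSWORD is not set}"
  user_b64=$(printf '%s' "$SUPERSET_ADMIN_USER" | base64 | tr -d '\n')
  pass_b64=$(printf '%s' "$SUPERSET_ADMIN_PASSWORD" | base64 | tr -d '\n')
  # Emit to stdout only; intended use: render_superset_secret | kubectl apply -f -
  # The Deployment then reads it with env[].valueFrom.secretKeyRef.
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${ns}
type: Opaque
data:
  username: ${user_b64}
  password: ${pass_b64}
EOF
}

# CI guard: returns non-zero if the plaintext password appears in a values file
# (e.g. someone pasted it into values.yaml instead of using the env var).
values_file_is_clean() {
  ! grep -qF -- "$SUPERSET_ADMIN_PASSWORD" "$1"
}
```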
