[RND-676] Kubernetes Configuration for Meadowlark #337
Conversation
| name: app-secret | ||
| type: Opaque | ||
| data: | ||
| postgres-password: dG9wc2VjdXJl |
There was a problem hiding this comment.
Is there an alternative to having a hard-coded secret here? Does this file truly belong in source control?
There was a problem hiding this comment.
This is the equivalent of what we currently do in Docker Compose when setting the postgres password in the .env file, this is a minimal security configuration and will not actually be a secret, just a base64 encrypted script (in fact some blogs mention that the name secret is misleading)
https://kubernetes.io/docs/concepts/configuration/secret/ shows a warning about "thinking" that the secrets are actually a security measure.
I think that for the purpose of the demo we could keep the file, but add a notice in the readme to use a different security method for passwords
k8s/meadowlark-api-deployment.yaml
Outdated
| - name: AUTHORIZATION_STORE_PLUGIN | ||
| value: '@edfi/meadowlark-postgresql-backend' | ||
| - name: DOCUMENT_STORE_PLUGIN | ||
| value: '@edfi/meadowlark-postgresql-backend' |
There was a problem hiding this comment.
Would it make sense to standardize on ' or " rather than having both?
Do these value strings actually need to be delimited with one or the other? For example, docker compose doesn't need " around string values for the most part (maybe some exceptions though).
There was a problem hiding this comment.
That's true, this was done automatically from kompose, but according to the YAML specification can be done with double, single or no quotes. Some of the exceptions is true or false as strings to avoid converting to boolean and strings starting with a reserved character (like @)
|
Tested out on Ubuntu with minikube, works great! |
Add a set of configuration files to run Meadowlark in a Kubernetes cluster
Description