DistStorage - Azure Gen2 Access Key

Hi, We are using Azure ADLS Gen 2 as a diststorage for Dremio, configured to run on AKS using Helm charts.
Is there any way to avoid exposing the access key and use k8s secrets to authenticate to the Azure storage? In the current method, we have to explicitly mention the access key in the values.yaml.

Any help please?
@balaji.ramaswamy

@ramprasd89 You should be able to do this, but it does require modifying the templates. It’s been a while since I tested this but this should still work.

  1. Create a few environmental variables first. Change these parameters as needed for your own environment:

    AKS_PERS_RESOURCE_GROUP=your_resource_group
    AKS_PERS_STORAGE_ACCOUNT_NAME=your_storage_account
    
  2. Get storage account key and store as variable:

    STORAGE_KEY_HOST=$(az storage account keys list --resource-group $AKS_PERS_RESOURCE_GROUP --account-name $AKS_PERS_STORAGE_ACCOUNT_NAME --query "[0].value" -o tsv)
    
  3. Create a K8s Secret:

    kubectl create secret generic azure-secret --from-literal=azurestorageaccountkey=$STORAGE_KEY_HOST
    
  4. Edit dremio-cloud-tools/charts/dremio_v2/templates/dremio-master.yaml
    Under line 65 env:, add the following:

         - name: STORAGE_KEY
           valueFrom:
             secretKeyRef:
               name: azure-secret
               key: azurestorageaccountkey
    
  5. Edit dremio-cloud-tools/charts/dremio_v2/templates/dremio-executor.yaml
    Under line 56 env:, add the following:

         - name: STORAGE_KEY
           valueFrom:
             secretKeyRef:
               name: azure-secret
               key: azurestorageaccountkey
    
  6. Do the above for dremio-coordinator.yaml too if you plan to launch multiple coordinators.

  7. Now modify values.yaml at dremio-cloud-tools/charts/dremio_v2/values.yaml and configure your storage account as below:

    distStorage:
      type: "azureStorage"
    #...
      azureStorage:
        accountName: "your_storage_account"
        filesystem: "your_storage_container"
        path: "/"
        credentials:
          accessKey: "${env.STORAGE_KEY}"
    

You should be set.

If you do not want to modify templates and such, another way is to put everything you need in core-site.xml and make that itself a K8s secret.

Hello,

Thanks for the quick response. I have created an env variable (AZURE_STORAGE_ACCESS_KEY) in the templates as you mentioned, and passed the Azure access key in the values.yaml as:

    accessKey: $(AZURE_STORAGE_ACCESS_KEY)

However, the dremio-master pod keeps failing while trying to recognize the access key with the error:

    Caused by: java.lang.IllegalArgumentException: Illegal base 64 character 24

Any idea??

Also, could you elaborate on the core-site.xml method you mentioned at the end?

If you’re creating an environmental variable, then you need to prefix it with env. and use double-quotes. So try:

      accessKey: "${env.AZURE_STORAGE_ACCESS_KEY}"

Re: core-site.xml. The values that you are using in values.yaml get put into core-site.xml when helm launches the pods. And that’s what Dremio uses to get the access key. You can put everything you need in this file, create a k8s secret with it, and then use that as a file in the pods such that it gets added to Dremio’s config path.
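The three `accessKey` forms seen in this thread, as an added example that is not part of the original posts: a POSIX shell lint for `values.yaml` that accepts only the `${env.NAME}` reference, flags the `$(NAME)` form behind `Illegal base 64 character 24` (0x24 is the `$` character), and rejects a hardcoded key. The function names and sample files are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): lint accessKey entries in a Helm values file.

# Classify VALUE using the three forms that appear in the thread.
classify_access_key() {
  v=$1
  v=${v#\"}; v=${v%\"}; v=${v#\'}; v=${v%\'}   # drop one layer of YAML quotes
  if [ -z "$v" ]; then
    echo empty
  elif printf '%s' "$v" | grep -Eq '^\$\{env\.[A-Za-z_][A-Za-z0-9_]*\}$'; then
    echo env-ref      # resolved from the pod environment, as in the working answer
  elif printf '%s' "$v" | grep -Eq '^\$\(.*\)$'; then
    echo unexpanded   # reaches the base64 decoder verbatim; '$' is byte 0x24
  else
    echo literal      # the key itself is stored in the file
  fi
}

# Return 0 only if every accessKey in FILE is an ${env.NAME} reference.
# Values are never echoed, so a hardcoded key does not leak into CI logs.
check_values() {
  file=$1; rc=0
  hits=$(awk '/^[ \t]*accessKey:/ {
    sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+#.*$/, ""); print NR, $0 }' "$file")
  while read -r n value; do
    [ -n "$n" ] || continue
    case $(classify_access_key "$value") in
      env-ref)    echo "$file:$n: ok, read from environment" ;;
      unexpanded) echo "$file:$n: \$(NAME) is not substituted, use \"\${env.NAME}\""; rc=1 ;;
      literal)    echo "$file:$n: access key is hardcoded"; rc=1 ;;
      empty)      echo "$file:$n: accessKey is empty"; rc=1 ;;
    esac
  done <<EOF
$hits
EOF
  return $rc
}

# Constructed sample inputs (the literal "key" is a made-up base64 string).
write_samples() {
  printf '%s\n' '    credentials:' '      accessKey: "${env.STORAGE_KEY}"' > "$1/good.yaml"
  printf '%s\n' '    credentials:' '      accessKey: $(AZURE_STORAGE_ACCESS_KEY)' > "$1/shellref.yaml"
  printf '%s\n' '    credentials:' '      accessKey: "Q09OU1RSVUNURUQtTk9ULUEtUkVBTC1LRVk="' > "$1/literal.yaml"
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
write_samples "$tmp"
for f in good shellref literal; do
  check_values "$tmp/$f.yaml" || echo "  -> rejected"
done
```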

Hello,

Thanks for your response,
It worked!!