
Secrets

Learn how to create and manage Kubernetes secrets.

April 4, 2024

HPE ML Data Management uses Kubernetes’ Secrets to store and manage sensitive data, such as passwords, OAuth tokens, or ssh keys. You can use any of Kubernetes’ types of Secrets that match your use case. Namely, generic (or Opaque), tls, or docker-registry.

About Secrets #

When you install or upgrade a cluster, you can provide values for the configuration fields in your Helm Chart values.yaml file. However, some of those values are sensitive and should not be stored in your values.yaml file.

HPE ML Data Management provides a way to inject those values at the time of the deployment or upgrade. We call those values platform secrets.

HPE ML Data Management Platform Secrets Map #

The Helm chart exposes each platform secret through two attributes. If you set the chart's Secret NAME attribute (for example pachd.enterpriseLicenseKeySecretName) to the name of a Kubernetes Secret you created beforehand, HPE ML Data Management reads the value from that Secret. If no Secret NAME is provided, it falls back to the chart's RAW attribute (for example pachd.enterpriseLicenseKey) and populates its own platform Secret from that plain-text value at installation or upgrade time. Secrets that are not marked as required are generated automatically by the platform if you provide neither. Values passed through a RAW attribute sit unencrypted in your values.yaml and in the Helm release history, so prefer the Secret NAME attribute for anything sensitive.

| Required | Secret KEY Name : Platform Secret | Helm Chart's Secret NAME Attribute | Helm Chart's RAW Attribute |
|---|---|---|---|
| Yes | enterprise-license-key : pachyderm-license | pachd.enterpriseLicenseKeySecretName | pachd.enterpriseLicenseKey |
| Yes | upstream-idps : pachyderm-identity | oidc.upstreamIDPsSecretName | oidc.upstreamIDPs |
| No | rootToken : pachyderm-auth | pachd.rootTokenSecretName | pachd.rootToken |
| No | auth-config : pachyderm-auth | pachd.oauthClientSecretSecretName | pachd.oauthClientSecret |
| No | cluster-role-bindings : pachyderm-auth | Use plain text in your values.yaml | pachd.pachAuthClusterRoleBindings |
| No | postgresql-password : postgres | global.postgresql.postgresqlExistingSecretName | global.postgresql.postgresqlPassword |
| No | OAUTH_CLIENT_SECRET : pachyderm-console-secret | console.config.oauthClientSecretSecretName | console.config.oauthClientSecret |
| No | N/A; passed into the deployment manifest as plaintext | pachd.enterpriseServerTokenSecretName | pachd.enterpriseServerToken |
| No | enterprise-secret : pachyderm-enterprise | pachd.enterpriseSecretSecretName | pachd.enterpriseSecret |

Create A Secret #

The creation of a Secret in HPE ML Data Management requires a JSON configuration file.

A good way to create this file is:

  1. Generate it with a client-side dry run: kubectl create secret ... --dry-run=client --output=json > myfirstsecret.json. Nothing is sent to the cluster; the command only renders the manifest.
  2. Then create the secret from that file with pachctl create secret -f myfirstsecret.json.
⚠️ Kubernetes Secrets are, by default, stored unencrypted: the values under the data field are only base64-encoded strings, and base64 is an encoding, not encryption, so anyone who can read the Secret object can recover the values. When you use kubectl create secret, the encoding is done for you. If you write the JSON file by hand, either base64-encode every value in data yourself (without a trailing newline) or put plain-text values under stringData instead, which Kubernetes encodes on your behalf, as the generic example below does.

Generate Your Secret Config File #

Let’s first generate your secret configuration file using the kubectl command. For example:

  • for a generic authentication secret:
    kubectl create secret generic mysecretname --from-literal=username=<myusername> --from-literal=password=<mypassword> --dry-run=client  --output=json > myfirstsecret.json
  • for a tls secret:
    kubectl create secret tls mysecretname --cert=<Path to your certificate> --key=<Path to the matching private key> --dry-run=client  --output=json > myfirstsecret.json
  • for a docker registry secret:
    kubectl create secret docker-registry mysecretname --dry-run=client --docker-server=<DOCKER_REGISTRY_SERVER> --docker-username=<DOCKER_USER> --docker-password=<DOCKER_PASSWORD> --output=json > myfirstsecret.json
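The following script is an added example, not code from the original page or from the HPE ML Data Management project. It builds the same Opaque Secret manifest by hand that kubectl create secret generic --dry-run=client --output=json renders, performing the base64 encoding the warning above calls for, and then decodes a key back out to prove the encoding round-trips. The secret name clearml and the key/value pairs are constructed sample data; the only tools assumed are POSIX sh plus base64 and sed from coreutils, and no cluster access is needed.

```shell
#!/bin/sh
# Added example: build an Opaque Kubernetes Secret manifest by hand, the way
# `kubectl create secret generic NAME --from-literal=KEY=VALUE --dry-run=client -o json`
# renders it, then decode a key back out to prove the encoding round-trips.
# Assumes only POSIX sh plus coreutils `base64` and `sed`; no cluster access.

# b64: base64-encode stdin as a single line. `tr` strips the 76-column
# wrapping GNU base64 inserts; callers must feed it with printf, not echo,
# so no trailing newline is encoded into the value.
b64() {
  base64 | tr -d '\n'
}

# secret_json NAME KEY=VALUE [KEY=VALUE ...]
# Prints the Secret manifest. Values live under "data", so each one is
# base64-encoded. Only the first "=" splits key from value, so values that
# themselves contain "=" are kept intact.
secret_json() {
  _name=$1
  shift
  printf '{\n  "apiVersion": "v1",\n  "kind": "Secret",\n'
  printf '  "metadata": { "name": "%s" },\n  "type": "Opaque",\n  "data": {\n' "$_name"
  _first=1
  for _kv in "$@"; do
    _key=${_kv%%=*}
    _value=${_kv#*=}
    [ -n "$_first" ] || printf ',\n'
    _first=""
    printf '    "%s": "%s"' "$_key" "$(printf '%s' "$_value" | b64)"
  done
  printf '\n  }\n}\n'
}

# secret_value MANIFEST KEY
# Extracts KEY from a manifest produced by secret_json and decodes it.
# The four-space anchor matches only entries under "data", so a key named
# "name" or "type" cannot collide with the metadata lines.
secret_value() {
  printf '%s\n' "$1" | sed -n 's/^    "'"$2"'": "\([^"]*\)",*$/\1/p' | base64 -d
}

# Example: constructed ClearML-style credentials. Redirect the output to a
# file and hand it to `pachctl create secret -f`.
secret_json clearml access=AKIAEXAMPLE 'secret=p@ss w0rd=with=equals'
```

The encoding goes through printf rather than echo on purpose: echo admin | base64 yields YWRtaW4K, the value plus a trailing newline, which is the most common cause of a Secret that looks valid but whose password is rejected. If you take the kubectl route instead, prefer --from-file=password=./password.txt over --from-literal=password=... so the value does not land in your shell history.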

Generic Secret Example #

{
   "apiVersion": "v1",
   "kind": "Secret",
   "metadata": {
      "name": "clearml"
   },
   "type": "Opaque",
   "stringData": {
      "access": "<CLEARML_API_ACCESS_KEY>",
      "secret": "<CLEARML_API_SECRET_KEY>"
   }
}

Find more detailed information on the creation of Secrets in Kubernetes documentation.

Create your Secret in HPE ML Data Management #

Next, run the following to actually create the secret in the HPE ML Data Management Kubernetes cluster:

pachctl create secret -f myfirstsecret.json 

You can run pachctl list secret to verify that your secret has been properly created. You should see an output that looks like the following:

NAME         TYPE                           CREATED
mysecretname kubernetes.io/dockerconfigjson 11 seconds ago
ℹ️ Use pachctl delete secret to delete a secret given its name, and pachctl inspect secret to display the details of a secret given its name.

You can now edit your pipeline specification file as follows.

Reference a Secret in a Pipeline Spec #

Now that your secret is created on HPE ML Data Management cluster, you will need to notify your pipeline by updating your pipeline specification file. In HPE ML Data Management, a Secret can be used in three different ways:

  1. As a container environment variable:

    In this case, in HPE ML Data Management’s pipeline specification file, you reference the Kubernetes Secret by its:

    • name,
    • the key within the Secret whose value you want,
    • and, in envVar, the name of the environment variable that value should be bound to.

    This makes for easy access to your Secret’s data in your pipeline’s code. For example, this is useful for passing the password to a third-party system to your pipeline’s code.

    "transform": {
       "image": "string",
       "cmd": [ string ],
       ...
       "secrets": [ {
          "name": "string",
          "envVar": "string",
          "key": "string"
       }]
    }

    Example #

    Example of a pipeline specification file assigning a Secret’s values to environment variables.

    Look at the pipeline specification in this example and see how we used the "envVar" to pass CLEARML API credentials to the pipeline code.

    {
       "pipeline": {
          "name": "mnist"
       },
       "description": "MNIST example logging to ClearML",
       "input": {
          "pfs": {
             "repo": "data",
             "branch": "master",
             "glob": "/*"
          }
       },
       "transform": {
          "cmd": [
             "/bin/sh"
          ],
          "stdin": [
             "python pytorch_mnist.py --lr 0.2 --save-location /pfs/out"
          ],
          "image": "pachyderm/clearml_mnist:dev0.11",
          "secrets": [
             {
             "name": "clearml",
             "envVar": "CLEARML_API_ACCESS_KEY",
             "key": "access"
             },
             {
             "name": "clearml",
             "envVar": "CLEARML_API_SECRET_KEY",
             "key": "secret"
             }
          ]
       }
    }
  2. As a file in a volume mounted on a container:

    In this case, in HPE ML Data Management’s pipeline specification file, you need to reference Kubernetes’ Secret by its:

    • name
    • and specify the mount point (mount_path) to the secret (ex: "/var/my-app-secret").

    HPE ML Data Management mounts all of the keys in the secret with file names corresponding to the keys. This is useful for secure configuration files.

    "transform": {
       "image": "string",
       "cmd": [ string ],
       ...
       "secrets": [ {
          "name": "string",
          "mount_path": "string"
       }]
    }
  3. When pulling images:

    Image pull Secrets are a different kind of secret used to store access credentials to your private image registry.

    You reference Image Pull Secrets (or Docker Registry Secrets) by setting the imagePullSecrets field of your pipeline specification file to the secret’s name you created (ex: "mysecretname").

    "transform": {
       "image": "string",
       "cmd": [ string ],
       ...
       "imagePullSecrets": [ string ]
    }
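Consuming the secret from inside the pipeline container, as an added example that is not part of the original page or of the HPE ML Data Management project: the script below reads a value delivered either of the first two ways above, as an environment variable (envVar) or as a file under mount_path (one file per key), fails closed when the value is missing, and logs only a fingerprint rather than the secret itself. The variable name CLEARML_API_SECRET_KEY is the one from the page's pipeline spec; the mount path /var/clearml is a hypothetical mount_path setting, and the sample secret in the usage comment is constructed.

```shell
#!/bin/sh
# Added example: how the pipeline's own code can consume a Secret delivered
# either as an environment variable ("envVar") or as a file under
# "mount_path" (one file per key). Fails closed when the value is missing
# and writes only a fingerprint to the logs, never the secret itself.
# CLEARML_API_SECRET_KEY comes from the page's pipeline spec; the mount
# path /var/clearml is a hypothetical "mount_path" setting.

# read_secret ENV_NAME FILE_PATH
# Prints the secret value: the environment variable if set and non-empty,
# otherwise the contents of the mounted file. Returns 1 if neither exists.
# ENV_NAME must be a plain identifier, as it is expanded through eval.
read_secret() {
  eval "_env_val=\${$1:-}"
  if [ -n "$_env_val" ]; then
    printf '%s' "$_env_val"
  elif [ -s "$2" ]; then
    cat "$2"
  else
    echo "secret not found in \$$1 or $2" >&2
    return 1
  fi
}

# _sha256: use coreutils sha256sum where present, otherwise Perl's shasum.
_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum
  else
    shasum -a 256
  fi
}

# secret_fingerprint ENV_NAME FILE_PATH
# Prints the first 12 hex characters of SHA-256 over the value, a token that
# is safe to write to pipeline logs to confirm which credential the job used.
# The value is captured first so a missing secret propagates as a failure
# instead of silently hashing an empty string. Note that $(...) strips a
# trailing newline, so a file value ending in "\n" hashes the same as the
# equivalent environment variable.
secret_fingerprint() {
  _val=$(read_secret "$1" "$2") || return 1
  printf '%s' "$_val" | _sha256 | cut -c1-12
}

# Example usage inside the container; the secret itself never reaches stdout.
# fp=$(secret_fingerprint CLEARML_API_SECRET_KEY /var/clearml/secret) || exit 1
# echo "using ClearML credential $fp"
```

Because a mounted key is just a file, the same function also covers the "secure configuration file" case: point FILE_PATH at mount_path/<key> and leave ENV_NAME unset.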