This section shows you how to securely pass sensitive data to the Collibra DQ Helm Chart through Kubernetes or Microsoft Azure Key Vault (AKV) Secrets. Passing sensitive data, such as PostgreSQL Metastore credentials and the license key, through Kubernetes or AKV Secrets helps mitigate potential security risks to your organization by preventing the exposure of such values in the Helm Chart.
Passing Kubernetes Secrets to the values.yaml file in the Collibra DQ Helm Chart
Note You can use the same Secret to pass additional sensitive data to your Collibra Data Quality & Observability deployment.
- Create a Kubernetes Secret containing the sensitive data, as shown in the example below.
- Pass the Secret to values.yaml file in your Collibra DQ Helm Chart, as shown in the example below.
- If you are updating an existing deployment of Collibra DQ, restart the DQ web and agent pods to complete the updates.
---
apiVersion: v1
kind: Secret
metadata:
name: kubernetes-secret-name
type: Opaque
data:
username: Cg==
password: Cg==
global:
configMap:
data:
metastore_secret_name: "kubernetes-secret-name"
metastore_secret_key_map:
username: SPRING_DATASOURCE_USERNAME
password: SPRING_DATASOURCE_PASSWORD
# Add more key maps to pass additional sensitive data to the DQ web and agent pods.Passing Azure Key Vault secrets to the values.yaml file in the Collibra DQ Helm Chart
Note You can use the same secrets to pass additional sensitive data to your Collibra Data Quality & Observability deployment.
Prerequisites
- You have an Azure Key Vault secret containing sensitive secret objects.
- Your Azure Secret Storage CSI driver is installed on the Azure Kubernetes Service.
- You have grant access to the Azure Key Vault through Managed Identity.
- The base UBI 9 Micro image is available in the same container repository as where the Collibra DQ container images are stored.
Note You can pull this image from the same GCR credentials used for Collibra DQ containers.
- Create an Azure Key Vault secret containing the sensitive data, as shown in the screenshot below.
- Pass the following information to values.yaml file in your Collibra DQ Helm Chart, as shown in the example below.
- Azure Cloud details, including:
- Tenant ID
- Azure-managed identity ID given the grant access on the AKV
- Resource Group
- Subscription ID
- Secrets from the AKV
- Azure Cloud details, including:
- If you are updating an existing deployment of Collibra DQ, restart the DQ web and agent pods to complete the updates.
global:
configMap:
data:
metastore_secret_name: "kubernetes-secret-name"
metastore_secret_key_map:
username: SPRING_DATASOURCE_USERNAME
password: SPRING_DATASOURCE_PASSWORD
# Optionally add more key maps to pass additional sensitive data to the DQ web and agent pods.
vault:
enabled: true
provider: "akv" # akv is the Azure Key Vault
vault_name: "cdq-azure-secret" # Azure Vault storage name to create a K8s object of SecretProviderClass. Make sure to set global.configMap.data.metastore_secret_name to secretName value for the sync.
vault_object_map: # Map Azure Vault object names with the K8s Secret object key names, Azure Vault object name as the key, and the K8s Secret object key as the value.
username: username # The value should have a corresponding key entry at global.configMap.data.metastore_secret_key_map
password: password # The value should have a corresponding key entry at global.configMap.data.metastore_secret_key_map
tenant_id: ""
identity_id: "" # Azure managed identity id
resource_group: ""
subscription_id: ""
image:
name: ubi9-micro
version: latest
pullPolicy: IfNotPresent