Blob Storage

Provide Credentials Using Mounted Files

Instead of embedding blob storage credentials directly in your Helm values.yaml, you can provide them as files mounted into the Ververica Platform container. Ververica Platform reads the credential files from a configured directory at startup and distributes the values to services that require them.

This approach keeps credentials out of your Helm values, which might be stored in version control or visible to operators who have access to the Helm release.

How It Works

Each credential is stored in a separate file. Ververica Platform discovers credentials by scanning the configured directory and reading every file whose name matches the pattern <provider>.<key>. Each file must contain exactly one value: the raw credential string with no additional formatting.

Example: S3 Credentials

Create one file per credential in your credentials directory:

TEXT
s3.accessKeyId

The file name determines which provider and key the value is assigned to. The file content is the credential value.

Configuration

Mount your credentials directory into the Ververica Platform pod and set the path in your values.yaml:

YAML
global:
  blobStorage:
    credentialsDir: /conf/blob-creds

Replace /conf/blob-creds with the path where your credentials files are mounted inside the container.
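
A pre-flight check for the credentials directory described above, as an added example rather than Ververica's own tooling: it verifies the <provider>.<key> file names and that each file holds a single raw value, and it never prints the values. The alphanumeric name pattern, the treatment of CR/LF as additional formatting, and the permission policy are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight check for a credentials directory such as
# /conf/blob-creds. Findings name the file only; values are never printed.
# Assumptions (not from the product docs): <provider> and <key> are
# alphanumeric, and a CR or LF inside a file counts as extra formatting.

# check_creds_dir DIR: one finding per line on stdout; returns 0 when clean.
check_creds_dir() {
  dir=$1; rc=0; seen=0
  [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    name=${f##*/}; seen=$((seen + 1))
    # Name must be exactly <provider>.<key>: two non-empty parts, one dot.
    case $name in
      *[!A-Za-z0-9.]* | *.*.* | .* | *. ) ok=no ;;
      *.*) ok=yes ;;
      *) ok=no ;;
    esac
    if [ "$ok" = no ]; then
      echo "$name: name does not match <provider>.<key>"; rc=1; continue
    fi
    total=$(wc -c < "$f")
    clean=$(tr -d '\r\n' < "$f" | wc -c)
    if [ "$total" -eq 0 ]; then
      echo "$name: file is empty"; rc=1
    elif [ "$total" -ne "$clean" ]; then
      # Typical cause: written with echo, which appends a newline.
      echo "$name: contains a line break"; rc=1
    fi
    # Stricter than the docs require: no group/other read access.
    if [ -n "$(find -L "$f" -prune \( -perm -040 -o -perm -004 \))" ]; then
      echo "$name: readable by group or other"; rc=1
    fi
  done
  [ "$seen" -gt 0 ] || { echo "$dir: no credential files found"; rc=1; }
  return "$rc"
}
```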

Provide Credentials Using Kubernetes Secrets

Instead of mounting credential files, you can store blob storage credentials in a Kubernetes Secret and reference the Secret by name in your values.yaml. Ververica Platform reads the credentials from the Secret at startup and distributes them to services that require them.

This approach integrates with Kubernetes-native secret management and is compatible with tools like Sealed Secrets, External Secrets Operator, or Vault agent injection.

Create the Secret

Create a Kubernetes Secret with one key per credential. Key names must follow the <provider>.<key> pattern, using the same convention as mounted credential files.

For S3 credentials:

BASH
kubectl create secret generic blob-storage-credentials \
  --from-literal=s3.accessKeyId=AKIAEXAMPLEACCESSKEYID \
  --from-literal=s3.secretAccessKey=wJalrXUtnFEMIEXAMPLEKEYsecretkey \
  --namespace vvp-system

Reference the Secret in Your Values

Set the secret name in your values.yaml:

YAML
global:
  blobStorage:
    credentialsSecret: blob-storage-credentials

In the kubectl command and values.yaml above, replace blob-storage-credentials with the name of your Secret and vvp-system with the namespace where Ververica Platform is installed.

Update Blob Storage Configuration After Installation

You can change blob storage configuration after the initial Helm installation without performing a full reinstall. Run helm upgrade with your updated values.yaml:

BASH
helm upgrade --install <RELEASE_NAME> \
  oci://registry.ververica.cloud/platform-charts/ververica-platform \
  --version <VERSION> \
  --namespace vvp-system \
  --values values.yaml

Replace <RELEASE_NAME> with your Helm release name and <VERSION> with the installed platform version.

Provide License Using a Kubernetes Secret

Instead of embedding your Ververica Platform license directly in values.yaml, you can supply it as a Kubernetes Secret mounted into the platform pods. This keeps the license out of Helm configuration files, which may be stored in version control or exposed through CI/CD pipelines.

Create the Secret

Create a Kubernetes Secret containing your license file:

BASH
kubectl create secret generic vvp-license \
  --from-file=license.yaml=/path/to/your/license.yaml \
  --namespace vvp-system

Reference the Secret in Your Values

Set the secret name in your values.yaml:

YAML
global:
  license:
    existingSecret: vvp-license

In the kubectl command and values.yaml above, replace vvp-license with the name of your Secret and vvp-system with the namespace where Ververica Platform is installed.
