Secret Values

Secret Values may be used to store sensistive information such as passwords, tokens or keys. While Secret Values are referenced by name from Deployment configurations their actual values are not exposed to users.

Secret Values are bound to a Namespace. Within each Namespace the names of the Secret Values have to be unique.

Secret Values Specification

Plain Secret Values

Plain Secret Values are persisted in plain text within the context of Application Manager. They simply provide a value containing the secret.

kind: SecretValue
metadata:
  name: SECRET_VALUE_NAME
  namespace: default
  ...
spec:
  kind: PLAIN
  value: secret

Using Secret Values

Secret Values may be referenced by name in configurations using ${SECRET_VALUE_NAME}.

Secret Values are only allowed on the following Deployment Template configuration fields:

  • Jar URI (spec.template.artifact.jarUri) if the Artifact is of kind JAR
  • Flink Configuration (spec.template.flinkConfiguration)

Note

When referencing Secret Values curly braces ${} are mandatory.

Attention

The dA distribution of Apache Flink does not include any special precautions for protecting access to secrets. Secret Values may be exposed on the Flink UI and Kubernetes ConfigMaps. Make sure to restrict access to the Kubernetes cluster and to the Flink UI.