Blob Storage
Provide Credentials Using Mounted Files
Instead of embedding blob storage credentials directly in your Helm values.yaml, you can provide them as files mounted into the Ververica Platform container. Ververica Platform reads the credential files from a configured directory at startup and distributes the values to services that require them.
This approach keeps credentials out of your Helm values, which might be stored in version control or visible to operators who have access to the Helm release.
How It Works
Each credential is stored in a separate file. Ververica Platform discovers credentials by scanning the configured directory and reading every file whose name matches the pattern <provider>.<key>. Each file must contain exactly one value: the raw credential string with no additional formatting.
Example: S3 Credentials
Create one file per credential in your credentials directory:
    File name:    s3.accessKeyId
    File content: AKIAEXAMPLEACCESSKEYID

    File name:    s3.secretAccessKey
    File content: wJalrXUtnFEMIEXAMPLEKEYsecretkey
The file name determines which provider and key the value is assigned to. The file content is the credential value.
Configuration
Mount your credentials directory into the Ververica Platform pod and set the path in your values.yaml:
    global:
      blobStorage:
        credentialsDir: /conf/blob-creds
Replace /conf/blob-creds with the path where your credentials files are mounted inside the container.
File names must follow the <provider>.<key> pattern exactly. Ververica Platform silently ignores files that do not match the pattern. Incorrectly named files are not loaded and the corresponding credentials are unavailable. Verify file names if credentials are not being picked up.
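A pre-flight check for the naming and content rules above, as an added example (not part of the Ververica documentation or product). It assumes that <provider> and <key> are each non-empty and contain no dot, and that credential values contain no whitespace; the function name check_creds_dir is hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for a mounted blob storage credentials directory.
# Assumptions (not from the Ververica docs): <provider> and <key> are each a
# non-empty, dot-free segment, and credential values contain no whitespace.

check_creds_dir() {
  dir=$1
  problems=0
  for path in "$dir"/*; do
    # The glob skips dot-entries such as ..data that Kubernetes adds to
    # Secret volume mounts; -f follows the symlinks it uses for each key.
    [ -f "$path" ] || continue
    name=${path##*/}
    case $name in
      *.*.*) verdict="NAME: more than one dot, expected <provider>.<key>" ;;
      ?*.?*) verdict=OK ;;
      *)     verdict="NAME: not <provider>.<key>, will not be loaded" ;;
    esac
    if [ "$verdict" = OK ]; then
      raw=$(wc -c < "$path")
      clean=$(tr -d '[:space:]' < "$path" | wc -c)
      if [ ! -s "$path" ]; then
        verdict="EMPTY: no credential value"
      elif [ $((raw)) -ne $((clean)) ]; then
        verdict="WHITESPACE: value has spaces or a line break (trailing newline?)"
      fi
    fi
    [ "$verdict" = OK ] || problems=$((problems + 1))
    # Only names and verdicts are printed, never the credential values.
    printf '%-28s %s\n' "$name" "$verdict"
  done
  # Exit status 0 only when every file passed.
  [ "$problems" -eq 0 ]
}

# Run against a directory when one is given, e.g.: sh check-creds.sh /conf/blob-creds
if [ "$#" -gt 0 ]; then
  check_creds_dir "$1"
fi
```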
Provide Credentials Using Kubernetes Secrets
Instead of mounting credential files, you can store blob storage credentials in a Kubernetes Secret and reference the Secret by name in your values.yaml. Ververica Platform reads the credentials from the Secret at startup and distributes them to services that require them.
This approach integrates with Kubernetes-native secret management and is compatible with tools like Sealed Secrets, External Secrets Operator, or Vault agent injection.
Create the Secret
Create a Kubernetes Secret with one key per credential. Key names must follow the <provider>.<key> pattern, using the same convention as mounted credential files.
For S3 credentials:
    kubectl create secret generic blob-storage-credentials \
      --from-literal=s3.accessKeyId=AKIAEXAMPLEACCESSKEYID \
      --from-literal=s3.secretAccessKey=wJalrXUtnFEMIEXAMPLEKEYsecretkey \
      --namespace vvp-system
Reference the Secret in Your Values
Set the secret name in your values.yaml:
    global:
      blobStorage:
        credentialsSecret: blob-storage-credentials
Replace blob-storage-credentials with the name of your Secret and vvp-system with the namespace where Ververica Platform is installed.
Secret key names must follow the <provider>.<key> pattern exactly. Ververica Platform silently ignores keys that do not match the pattern. Verify key names if credentials are not being picked up.
Update Blob Storage Configuration After Installation
You can change blob storage configuration after the initial Helm installation without performing a full reinstall. Run helm upgrade with your updated values.yaml:
    helm upgrade --install <RELEASE_NAME> \
      oci://registry.ververica.cloud/platform-charts/ververica-platform \
      --version <VERSION> \
      --namespace vvp-system \
      --values values.yaml
Replace <RELEASE_NAME> with your Helm release name and <VERSION> with the installed platform version.
Updating blob storage configuration triggers a restart of the Ververica Platform pods. Running Flink jobs are not affected, but avoid making configuration changes while deployments are actively transitioning state.
Provide License Using a Kubernetes Secret
Instead of embedding your Ververica Platform license directly in values.yaml, you can supply it as a Kubernetes Secret mounted into the platform pods. This keeps the license out of Helm configuration files, which may be stored in version control or exposed through CI/CD pipelines.
Create the Secret
Create a Kubernetes Secret containing your license file:
    kubectl create secret generic vvp-license \
      --from-file=license.yaml=/path/to/your/license.yaml \
      --namespace vvp-system
Reference the Secret in Your Values
Set the secret name in your values.yaml:
    global:
      license:
        existingSecret: vvp-license
Replace vvp-license with the name of your Secret and vvp-system with the namespace where Ververica Platform is installed.