tillrohrmann commented on a change in pull request #12899:
URL: https://github.com/apache/flink/pull/12899#discussion_r476217310
##########
File path: docs/ops/deployment/native_kubernetes.md
##########
@@ -211,6 +211,77 @@ $ ./bin/flink run-application -p 8 -t
kubernetes-application \
local:///opt/flink/usrlib/my-flink-job.jar
{% endhighlight %}
+## Using Secrets
+
+[Kubernetes
Secrets](https://kubernetes.io/docs/concepts/configuration/secret/) is an
object that contains a small amount of sensitive data such as a password, a
token, or a key.
+Such information might otherwise be put in a Pod specification or in an image.
Flink on Kubernetes can use Secrets in two ways:
+
+- Using Secrets as files from a pod;
+
+- Using Secrets as environment variables;
+
+### Using Secrets as files from a pod
+
+Here is an example of a Pod that mounts a Secret in a volume:
+
+{% highlight yaml %}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: foo
+spec:
+ containers:
+ - name: foo
+ image: foo
+ volumeMounts:
+ - name: foo
+ mountPath: "/opt/foo"
+ volumes:
+ - name: foo
+ secret:
+ secretName: foo
+{% endhighlight %}
+
+By applying this yaml, each key in foo Secrets becomes the filename under
`/opt/foo` path. Flink on Kubernetes can enable this feature by the following
command:
+
+{% highlight bash %}
+$ ./bin/kubernetes-session.sh \
+ -Dkubernetes.cluster-id=<ClusterId> \
+ -Dkubernetes.container.image=<CustomImageName> \
+ -Dkubernetes.secrets=foo:/opt/foo
+{% endhighlight %}
+
Review comment:
A link for more details to
https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod
could be helpful.
##########
File path: docs/ops/deployment/native_kubernetes.md
##########
@@ -211,6 +211,77 @@ $ ./bin/flink run-application -p 8 -t
kubernetes-application \
local:///opt/flink/usrlib/my-flink-job.jar
{% endhighlight %}
+## Using Secrets
+
+[Kubernetes
Secrets](https://kubernetes.io/docs/concepts/configuration/secret/) is an
object that contains a small amount of sensitive data such as a password, a
token, or a key.
+Such information might otherwise be put in a Pod specification or in an image.
Flink on Kubernetes can use Secrets in two ways:
+
+- Using Secrets as files from a pod;
+
+- Using Secrets as environment variables;
+
+### Using Secrets as files from a pod
+
+Here is an example of a Pod that mounts a Secret in a volume:
+
+{% highlight yaml %}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: foo
+spec:
+ containers:
+ - name: foo
+ image: foo
+ volumeMounts:
+ - name: foo
+ mountPath: "/opt/foo"
+ volumes:
+ - name: foo
+ secret:
+ secretName: foo
+{% endhighlight %}
+
+By applying this yaml, each key in foo Secrets becomes the filename under
`/opt/foo` path. Flink on Kubernetes can enable this feature by the following
command:
+
+{% highlight bash %}
+$ ./bin/kubernetes-session.sh \
+ -Dkubernetes.cluster-id=<ClusterId> \
+ -Dkubernetes.container.image=<CustomImageName> \
+ -Dkubernetes.secrets=foo:/opt/foo
+{% endhighlight %}
+
+### Using Secrets as environment variables
+
+Here is an example of a Pod that uses secrets from environment variables:
+
+{% highlight yaml %}
+apiVersion: v1
+kind: Pod
+metadata:
+ name: foo
+spec:
+ containers:
+ - name: foo
+ image: foo
+ env:
+ - name: FOO_ENV
+ valueFrom:
+ secretKeyRef:
+ name: foo_secret
+ key: foo_key
+{% endhighlight %}
+
+By applying this yaml, an environment variable named `FOO_ENV` is added into
`foo` container, and `FOO_ENV` consumes the value of `foo_key` which is defined
in Secrets `foo_secret`.
+Flink on Kubernetes can enable this feature by the following command:
+
+{% highlight bash %}
+$ ./bin/kubernetes-session.sh \
+ -Dkubernetes.cluster-id=<ClusterId> \
+ -Dkubernetes.container.image=<CustomImageName> \
+ -Dkubernetes.env.secretKeyRef=env:FOO_ENV,secret:foo_secret,key:foo_key
+{% endhighlight %}
+
Review comment:
Same for the env configuration variant:
https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
