mik-laj commented on issue #16684:
URL: https://github.com/apache/airflow/issues/16684#issuecomment-875180534


> using valueFrom option.

It uses the native secret backend provided by Kubernetes. Unfortunately, it is not considered to be very safe and is quite limited, e.g. it does not support dynamic secrets. Many corporate users prefer solutions that meet more stringent requirements, such as Hashicorp Vault.

Unfortunately, this is a limitation of Kubernetes, which has decided to be an all-in-one solution, and third-party solutions are supported in a rather limited way. This design problem was solved by Hashicorp Nomad, which does not provide any built-in secret manager, and if you need one, you must use another tool that turns out to be provided by the same company - Hashicorp Vault. For details, see https://learn.hashicorp.com/tutorials/nomad/vault-postgres?in=nomad/integrate-vault

The use of environment variables is also quite limiting. If the user would like to change the secret value after starting the container, the secret value will not be updated in the container. There are only third-party solutions that can then force the container to restart so that the variables can be updated.

> Environment variables are not updated after a secret update
> If a container already consumes a Secret in an environment variable, a Secret update will not be seen by the container unless it is restarted. There are third party solutions for triggering restarts when secrets change.

https://kubernetes.io/docs/concepts/configuration/secret/#environment-variables-are-not-updated-after-a-secret-update

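As an added illustration (not part of the issue thread or the Airflow chart), the two ways of consuming a Kubernetes Secret that the comment contrasts, side by side in one Pod; the Secret, Pod, image tag and key names are assumed:

```yaml
# Added example, not from the Airflow project. All names and the password value
# are constructed for illustration.
apiVersion: v1
kind: Secret
metadata:
  name: airflow-db            # assumed name
type: Opaque
stringData:
  password: "constructed-sample-password"   # constructed value
---
apiVersion: v1
kind: Pod
metadata:
  name: airflow-worker        # assumed name
spec:
  containers:
    - name: worker
      image: apache/airflow:2.1.0   # tag assumed
      env:
        # 1. valueFrom / secretKeyRef: the value is copied into the process
        #    environment when the container starts and is NOT refreshed when the
        #    Secret changes; only a container restart picks up the new value.
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: airflow-db
              key: password
      volumeMounts:
        # 2. Secret volume: the kubelet rewrites the projected file after a
        #    Secret update (subject to its sync period and cache propagation),
        #    so a process that re-reads the file sees the new value.
        #    Caveat: a volumeMount that uses subPath does NOT receive updates.
        - name: db-secret
          mountPath: /run/secrets/airflow-db
          readOnly: true
  volumes:
    - name: db-secret
      secret:
        secretName: airflow-db
```

The application still has to re-read /run/secrets/airflow-db/password itself; a mounted file only removes the restart requirement, it does not notify the process.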

