When creating a Dataset in Fluid, we sometimes need to configure sensitive information in the mounts. To keep it secure, Fluid lets you supply this sensitive information through a Secret. The following example, which accesses an Aliyun OSS dataset, shows how to configure it.
$ cat << EOF >> dataset.yaml
apiVersion: data.fluid.io/v1alpha1
kind: Dataset
metadata:
  name: mydata
spec:
  mounts:
    - mountPoint: oss://<OSS_BUCKET>/<OSS_DIRECTORY>/
      name: mydata
      options:
        fs.oss.endpoint: <OSS_ENDPOINT>
      encryptOptions:
        - name: fs.oss.accessKeyId
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: fs.oss.accessKeyId
        - name: fs.oss.accessKeySecret
          valueFrom:
            secretKeyRef:
              name: mysecret
              key: fs.oss.accessKeySecret
---
apiVersion: data.fluid.io/v1alpha1
kind: AlluxioRuntime
metadata:
  name: mydata
spec:
  replicas: 1
  tieredstore:
    levels:
      - mediumtype: MEM
        path: /dev/shm
        quota: 2Gi
        high: "0.95"
        low: "0.7"
  properties:
    alluxio.user.block.size.bytes.default: 256MB
    alluxio.user.streaming.reader.chunk.size.bytes: 256MB
    alluxio.user.local.reader.chunk.size.bytes: 256MB
    alluxio.worker.network.reader.buffer.size: 256MB
    alluxio.user.streaming.data.timeout: 300sec
  fuse:
    args:
      - fuse
      - --fuse-opts=kernel_cache,ro,max_read=131072,attr_timeout=7200,entry_timeout=7200,nonempty,max_readahead=0
EOF
As you can see, in the above configuration, unlike fs.oss.endpoint, which is configured directly, fs.oss.accessKeyId and fs.oss.accessKeySecret are read from a Secret to keep them safe.
Note that if the same key is configured in both options and encryptOptions, the value in encryptOptions overrides the corresponding value in options.
In the Secret to be created, you need to specify the sensitive information that needs to be configured in the above Dataset.
$ cat << EOF > mysecret.yaml
apiVersion: v1
kind: Secret
metadata:
  name: mysecret
stringData:
  fs.oss.accessKeyId: <OSS_ACCESS_KEY_ID>
  fs.oss.accessKeySecret: <OSS_ACCESS_KEY_SECRET>
EOF
As you can see, the actual values of fs.oss.accessKeySecret and fs.oss.accessKeyId are written in the Secret, and the Dataset reads each value by looking up the Secret and key named in its configuration instead of carrying the values in its own configuration. In this way the security of the sensitive data is ensured.
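A review check for the rules described above, as an added example that is not part of Fluid or of the original page: it walks a Dataset's mounts and reports credential-like keys left in options, keys that appear in both options and encryptOptions (the plaintext copy is overridden but still present in the spec), and encryptOptions entries without a complete secretKeyRef. The SENSITIVE pattern, the finding labels, and the function name audit_dataset are assumptions made for this example; the sample Dataset is constructed.

```python
import re

# Assumption: option names matching this pattern are treated as credentials.
SENSITIVE = re.compile(r"secret|password|token|accesskey", re.IGNORECASE)

# Constructed sample: a Dataset as a dict (the shape of its JSON form), with
# one key present in both options and encryptOptions and one plaintext secret.
SAMPLE_DATASET = {
    "kind": "Dataset",
    "metadata": {"name": "mydata"},
    "spec": {"mounts": [{
        "name": "mydata",
        "mountPoint": "oss://<OSS_BUCKET>/<OSS_DIRECTORY>/",
        "options": {
            "fs.oss.endpoint": "<OSS_ENDPOINT>",
            "fs.oss.accessKeyId": "constructed-id",
            "fs.oss.accessKeySecret": "constructed-secret",
        },
        "encryptOptions": [{
            "name": "fs.oss.accessKeyId",
            "valueFrom": {"secretKeyRef": {"name": "mysecret",
                                           "key": "fs.oss.accessKeyId"}},
        }],
    }]},
}


def audit_dataset(dataset):
    """Return (mount, option, finding) tuples for one Dataset object."""
    findings = []
    for mount in dataset.get("spec", {}).get("mounts") or []:
        name = mount.get("name", "<unnamed>")
        options = mount.get("options") or {}
        encrypted = {e.get("name"): e for e in mount.get("encryptOptions") or []}
        for key in options:
            if key in encrypted:
                # encryptOptions wins, but the plaintext copy stays in the spec.
                findings.append((name, key, "shadowed-by-encryptOptions"))
            elif SENSITIVE.search(key):
                findings.append((name, key, "plaintext-credential"))
        for key, entry in encrypted.items():
            ref = (entry.get("valueFrom") or {}).get("secretKeyRef") or {}
            if not ref.get("name") or not ref.get("key"):
                findings.append((name, key, "incomplete-secretKeyRef"))
    return findings


if __name__ == "__main__":
    for finding in audit_dataset(SAMPLE_DATASET):
        print(*finding, sep="\t")
```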