Secure Handling of Superset Credentials in UMT’s EKS Deployment

[paulpascal]

Description

We are currently developing a new feature in the User Management Tool (UMT) that integrates with Superset (Issue #191). The integration involves enabling the Superset REST API and authenticating using an admin account to obtain tokens for creating users, roles, filters, etc. A draft pull request is available for review: PR #245.

Challenge

We need a secure and scalable method to manage Superset credentials in our EKS-based deployment. Specifically, we aim to avoid exposing these credentials in:

• Source code
• values.yaml files in Helm
• Any version-controlled repository files

Current Approaches Considered

1. Environment Variables (values.yaml)
2. Kubernetes Secrets
3. AWS Secrets Manager

Desired Solution Criteria

• Retrieve credentials from a secure storage service.
• Simplify the process of updating secrets without modifying Helm charts, possibly through kubectl or other means.

[paulpascal]

Thanks @Hareet , for today's great and insightful call - Here are some keynotes I have kept to document this issue:

We explored various approaches to securely manage Superset credentials in our EKS deployment:

1. Using values.yaml:

• Overview: During Helm installation, values provided in values.yaml are mapped to templates and used in the deployment.
• Consideration: To avoid hardcoding credentials in the values.yaml file within the repository, we can make use GitHub environment variables to inject credentials during the deployment process.

2. Kubernetes Secrets:

• Overview: Kubernetes Secrets can securely store sensitive information.
• Consideration: Similar to the values.yaml approach, we can manage secrets using GitHub environment variables as well to inject them during deployment.

3. AWS Secrets Manager:

• Overview: A sophisticated service for managing secrets with features like automatic rotation.
• Consideration: To maintain flexibility and avoid tight coupling to a specific cloud provider, we might prefer the above approaches rather.

Additional Options Discussed:

• SOPS (Secrets OPerationS): A tool to encrypt secrets and add a decryption step during deployment, allowing encrypted secrets to be stored safely in version control.
• Helm-Secrets Plugin: An advanced tool that integrates with SOPS to manage secrets within Helm charts. It supports cloud integration for future scalability.

For immediate implementation, using GitHub environment variables to manage secrets is a straightforward approach.
For a more sophisticated and flexible solution, especially as our infrastructure evolves, adopting tools like Helm-Secrets or SOPS is recommended.

cc: @alexosugo @mrjones-plip @inromualdo @freddieptf @kennsippell

[paulpascal]

Progress in this PR.

• Using sops encrypt secrets
• Decrypt the secrets
• Combine the decrypted secrets with the values during helm upgrade

cc: @Hareet