Hello All,
Have Prefect Orion deployed (version 2...
# ask-communitym
Mark Li
02/21/2023, 10:23 PMHello All,
Have Prefect Orion deployed (version 2.6.4-python3.10).
When looking at the Settings section, I noticed the PREFECT_ORION_DATABASE_CONNECTION_URL was not obfuscated. Is there any way to obfuscate that? Or another way to handle the admin/password other than passing it in via the connection string for Helm?
✅ 1
z
Zanie
02/21/2023, 10:38 PM
We template the setting
PREFECT_ORION_DATABASE_PASSWORDZanie
02/21/2023, 10:39 PM
So you can use `${PREFECT_ORION_DATABASE_PASSWORD} `in the connection URL and set the password separately and it’ll be obfuscated
🙌 1
m
Mark Li
02/23/2023, 3:36 AMThanks Zanie. I’ll give that a try.
Mark Li
02/23/2023, 3:59 AMDo I set the password in the password setting within the values.yaml file (after specifying ${PREFECT_ORION_DATABASE_PASSWORD})
Would that be enough to have Prefect aware of where to replace it?
Mark Li
02/23/2023, 4:01 AMReading the comments in values.yaml file, I don’t know how I would set the password to pass to the connection string (as it’s using an existing secret (connection string). The password in the values.yaml file seems t o be fore creating a custom user.
z
Zanie
02/23/2023, 3:21 PM
Ah I see you’re using the Helm chart
Zanie
02/23/2023, 3:21 PM
You’d need to set the database password setting in the server environment variables, I think. I’m not sure if the Helm chart supports this yet. cc @Jamie Zieziula
j
Jamie Zieziula
02/23/2023, 3:32 PMHi Mark - you will need to set the password here
Jamie Zieziula
02/23/2023, 3:33 PMAlternatively, you can create your own secret, and pass it here
m
Mark Li
02/24/2023, 3:56 PM@Jamie Zieziula I have a secret created and passed to the existingsecrets. The secret has the password inside the connection string - My issue with going that route is that the connection string is not obfuscated and the password is exposed when accessing the settings in the Prefect Orion UI.
Mark Li
02/24/2023, 6:50 PMDouble checking - Since I have no need to create the user and intend to authenticate through the connection string, I’m assuming I don’t need to specify the password value in the helm chart since that’s for creating a new user?
Mark Li
02/27/2023, 3:26 PM@Jamie Zieziula - Bump for clarifying my question. If unclear, please let me know! 🙂
Essentially, I have an AKS secret that’s my connection string (with admin user:password) that’s passed to the Helm Chart to connect Prefect to my external Postgres. When going to the Prefect Orion UI - The connection string (and the password) is exposed on the Settings section of the Prefect Orion UI.
What approach can I do via Helm to obfuscate the password on the UI side?
Mark Li
02/28/2023, 2:55 PMFollowing up on this:
I’ve tried passing in the PREFECT_ORION_DATABASE_PASSWORD as an environment variable directly defined in the Helm Chart and using ${PREFECT_ORION_DATABASE_PASSWORD} inside our connection string to pass the password into the connection string. The connection string is not obfuscated and still displays the credentials in the connection URL - expected as much since it’s just displaying the connection string that it used to connect with.
z
Zanie
02/28/2023, 3:25 PM
These are both obfuscated in my UI
Zanie
02/28/2023, 3:26 PM
What version are you using..?
m
Mark Li
02/28/2023, 3:37 PMversion 2.6.4-python3.10)
z
Zanie
02/28/2023, 3:51 PM
Zanie
02/28/2023, 3:52 PM
Please use a more recent version
m
Mark Li
02/28/2023, 4:16 PMAlright, We’ll migrate to a later version and get back to you on it.
Mark Li
02/28/2023, 9:10 PMUpdated to 2.8.3 - obfuscation is working as expected.
z
Zanie
02/28/2023, 9:15 PM
Wonderful!
3 Views