Channels
pacc-may-31-2023
prefect-ai
pacc-clearcover-june-12-2023
marvin-in-the-wild
data-ecosystem
geo-israel
geo-japan
prefect-cloud
ppcc-may-16-2023
prefect-azure
prefect-docker
prefect-recipes
gratitude
geo-nyc
geo-bay-area
geo-boston
geo-london
geo-dc
geo-chicago
geo-berlin
geo-texas
geo-seattle
geo-colorado
prefect-community
data-tricks-and-tips
prefect-aws
prefect-gcp
introductions
find-a-prefect-job
prefect-dbt
random
events
ask-marvin
show-us-what-you-got
prefect-getting-started
prefect-integrations
prefect-contributors
best-practices-coordination-plane
announcements
prefect-server
prefect-ui
prefect-kubernetes
Title
m
Mark Li
02/21/2023, 10:23 PMHello All,
Have Prefect Orion deployed (version 2.6.4-python3.10).
When looking at the Settings section, I noticed the PREFECT_ORION_DATABASE_CONNECTION_URL was not obfuscated. Is there any way to obfuscate that? Or another way to handle the admin/password other than passing it in via the connection string for Helm?
✅ 1
z
Zanie
02/21/2023, 10:38 PMWe template the setting
PREFECT_ORION_DATABASE_PASSWORDSo you can use `${PREFECT_ORION_DATABASE_PASSWORD} `in the connection URL and set the password separately and it’ll be obfuscated
🙌 1
m
Mark Li
02/23/2023, 3:36 AMThanks Zanie. I’ll give that a try.
Do I set the password in the password setting within the values.yaml file (after specifying ${PREFECT_ORION_DATABASE_PASSWORD})
Would that be enough to have Prefect aware of where to replace it?
Reading the comments in values.yaml file, I don’t know how I would set the password to pass to the connection string (as it’s using an existing secret (connection string). The password in the values.yaml file seems t o be fore creating a custom user.
z
Zanie
02/23/2023, 3:21 PMAh I see you’re using the Helm chart
You’d need to set the database password setting in the server environment variables, I think. I’m not sure if the Helm chart supports this yet. cc @Jamie Zieziula
j
Jamie Zieziula
02/23/2023, 3:32 PMHi Mark - you will need to set the password here
Alternatively, you can create your own secret, and pass it here
m
Mark Li
02/24/2023, 3:56 PM@Jamie Zieziula I have a secret created and passed to the existingsecrets. The secret has the password inside the connection string - My issue with going that route is that the connection string is not obfuscated and the password is exposed when accessing the settings in the Prefect Orion UI.
Double checking - Since I have no need to create the user and intend to authenticate through the connection string, I’m assuming I don’t need to specify the password value in the helm chart since that’s for creating a new user?
@Jamie Zieziula - Bump for clarifying my question. If unclear, please let me know! 🙂
Essentially, I have an AKS secret that’s my connection string (with admin user:password) that’s passed to the Helm Chart to connect Prefect to my external Postgres. When going to the Prefect Orion UI - The connection string (and the password) is exposed on the Settings section of the Prefect Orion UI.
What approach can I do via Helm to obfuscate the password on the UI side?
Following up on this:
I’ve tried passing in the PREFECT_ORION_DATABASE_PASSWORD as an environment variable directly defined in the Helm Chart and using ${PREFECT_ORION_DATABASE_PASSWORD} inside our connection string to pass the password into the connection string. The connection string is not obfuscated and still displays the credentials in the connection URL - expected as much since it’s just displaying the connection string that it used to connect with.
z
Zanie
02/28/2023, 3:25 PMThese are both obfuscated in my UI
What version are you using..?
m
Mark Li
02/28/2023, 3:37 PMversion 2.6.4-python3.10)
z
Zanie
02/28/2023, 3:51 PMPlease use a more recent version
m
Mark Li
02/28/2023, 4:16 PMAlright, We’ll migrate to a later version and get back to you on it.
Updated to 2.8.3 - obfuscation is working as expected.
z
Zanie
02/28/2023, 9:15 PMWonderful!