https://prefect.io logo
Title
m

Mark Li

02/21/2023, 10:23 PM
Hello All, Have Prefect Orion deployed (version 2.6.4-python3.10). When looking at the Settings section, I noticed the PREFECT_ORION_DATABASE_CONNECTION_URL was not obfuscated. Is there any way to obfuscate that? Or another way to handle the admin/password other than passing it in via the connection string for Helm?
1
z

Zanie

02/21/2023, 10:38 PM
We template the setting
PREFECT_ORION_DATABASE_PASSWORD
into the connection URL
So you can use `${PREFECT_ORION_DATABASE_PASSWORD} `in the connection URL and set the password separately and it’ll be obfuscated
🙌 1
m

Mark Li

02/23/2023, 3:36 AM
Thanks Zanie. I’ll give that a try.
Do I set the password in the password setting within the values.yaml file (after specifying ${PREFECT_ORION_DATABASE_PASSWORD}) Would that be enough to have Prefect aware of where to replace it?
Reading the comments in values.yaml file, I don’t know how I would set the password to pass to the connection string (as it’s using an existing secret (connection string). The password in the values.yaml file seems t o be fore creating a custom user.
z

Zanie

02/23/2023, 3:21 PM
Ah I see you’re using the Helm chart
You’d need to set the database password setting in the server environment variables, I think. I’m not sure if the Helm chart supports this yet. cc @Jamie Zieziula
j

Jamie Zieziula

02/23/2023, 3:32 PM
Hi Mark - you will need to set the password here
Alternatively, you can create your own secret, and pass it here
m

Mark Li

02/24/2023, 3:56 PM
@Jamie Zieziula I have a secret created and passed to the existingsecrets. The secret has the password inside the connection string - My issue with going that route is that the connection string is not obfuscated and the password is exposed when accessing the settings in the Prefect Orion UI.
Double checking - Since I have no need to create the user and intend to authenticate through the connection string, I’m assuming I don’t need to specify the password value in the helm chart since that’s for creating a new user?
@Jamie Zieziula - Bump for clarifying my question. If unclear, please let me know! 🙂 Essentially, I have an AKS secret that’s my connection string (with admin user:password) that’s passed to the Helm Chart to connect Prefect to my external Postgres. When going to the Prefect Orion UI - The connection string (and the password) is exposed on the Settings section of the Prefect Orion UI. What approach can I do via Helm to obfuscate the password on the UI side?
Following up on this: I’ve tried passing in the PREFECT_ORION_DATABASE_PASSWORD as an environment variable directly defined in the Helm Chart and using ${PREFECT_ORION_DATABASE_PASSWORD} inside our connection string to pass the password into the connection string. The connection string is not obfuscated and still displays the credentials in the connection URL - expected as much since it’s just displaying the connection string that it used to connect with.
z

Zanie

02/28/2023, 3:25 PM
These are both obfuscated in my UI
What version are you using..?
m

Mark Li

02/28/2023, 3:37 PM
version 2.6.4-python3.10)
Please use a more recent version
m

Mark Li

02/28/2023, 4:16 PM
Alright, We’ll migrate to a later version and get back to you on it.
Updated to 2.8.3 - obfuscation is working as expected.
z

Zanie

02/28/2023, 9:15 PM
Wonderful!