
Mounting Kubernetes Secrets as volumes in Dynamic Engine containers

Instead of exposing Secrets as environment variables, you can mount them as files in the container filesystem, so that your data integration tasks (including big data), Data Services, and Route tasks can read credentials from configuration files.

About this task

Mounting Kubernetes Secret directly into containers as files provides file-based configuration. This is useful when:

  • Your task expects configuration files (JSON, YAML, properties files)
  • You need to mount certificates or keys as files
  • You need to control file permissions and paths

Procedure

  1. Create a Kubernetes Secret resource file with your credentials.

    Example

    Create a file named external-secret-as-volume.yaml:

    cat <<EOF > external-secret-as-volume.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: external-secret-as-volume
      namespace: qlik-processing-env-$DYNAMIC_ENGINE_ENVIRONMENT_ID
    type: Opaque
    stringData:
      extra-configuration: |
        {
          "database": {
            "host": "db.example.com",
            "port": 5432
          },
          "features": {
            "enabled": true
          }
        }
      tls.crt: |
        -----BEGIN CERTIFICATE-----
        Your_certificate
        -----END CERTIFICATE-----
      tls.key: |
        -----BEGIN PRIVATE KEY-----
        Your_private_key
        -----END PRIVATE KEY-----
    EOF

    Replace $DYNAMIC_ENGINE_ENVIRONMENT_ID with your environment ID. Include all the credentials in the stringData section.

  2. Create a Helm values file that configures volume mounting.

    Example

    Create a file named secret-volume-values.yaml:

    configuration:
      # For Data Integration and Big Data Job tasks
      jobDeployment:
        additionalSpec:
          enabled: true
          volumeMounts:
            - name: tmp-extra
              mountPath: /tmp/extra
          volumes:
            - name: tmp-extra
              secret:
                secretName: external-secret-as-volume
                defaultMode: 0700
                items:
                  - key: extra-configuration
                    path: extra-configuration.json
                  - key: tls.crt
                    path: tls.crt
                  - key: tls.key
                    path: tls.key
    
      # For Data Service and Route tasks
      dataServiceRouteDeployment:
        additionalSpec:
          enabled: true
          volumeMounts:
            - name: tmp-extra
              mountPath: /tmp/extra
          volumes:
            - name: tmp-extra
              secret:
                secretName: external-secret-as-volume
                defaultMode: 0700
                items:
                  - key: extra-configuration
                    path: extra-configuration.json
                  - key: tls.crt
                    path: tls.crt
                  - key: tls.key
                    path: tls.key

    This configuration mounts the Secret at /tmp/extra. defaultMode: 0700 gives the file owner read, write, and execute permission and denies all access to group and others; each items entry maps a Secret key to a file name under the mount path.

  3. Deploy or upgrade your Dynamic Engine environment to create the required namespace.
    helm upgrade --install dynamic-engine-environment-$DYNAMIC_ENGINE_ENVIRONMENT_ID \
      oci://ghcr.io/talend/helm/dynamic-engine-environment \
      --version ${DYNAMIC_ENGINE_VERSION} \
      -f $DYNAMIC_ENGINE_ENVIRONMENT_ID-values.yaml

    Replace ${DYNAMIC_ENGINE_VERSION} with your environment's version.

    This command creates the Dynamic Engine environment and its associated namespace qlik-processing-env-$DYNAMIC_ENGINE_ENVIRONMENT_ID.

  4. Create the Secret in your Dynamic Engine environment namespace.
    kubectl apply -f external-secret-as-volume.yaml
  5. Upgrade your Dynamic Engine environment with Secret volume mounting.
    helm upgrade dynamic-engine-environment-$DYNAMIC_ENGINE_ENVIRONMENT_ID \
      oci://ghcr.io/talend/helm/dynamic-engine-environment \
      --version ${DYNAMIC_ENGINE_VERSION} \
      -f $DYNAMIC_ENGINE_ENVIRONMENT_ID-values.yaml \
      -f secret-volume-values.yaml

    Replace $DYNAMIC_ENGINE_ENVIRONMENT_ID with your environment ID and ${DYNAMIC_ENGINE_VERSION} with your environment's version.

  6. Verify the Secret files are mounted in running pods.
    kubectl get pod <pod-name> -n qlik-processing-env-$DYNAMIC_ENGINE_ENVIRONMENT_ID \
      -o jsonpath='{range .spec.containers[0].volumeMounts[*]}{.name}{": "}{.mountPath}{"\n"}{end}'

    The output lists the container's volume mounts by name and mount path; tmp-extra should appear with mountPath /tmp/extra.
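    As an added example (not part of the Dynamic Engine documentation or Helm chart), this Python preflight check cross-references the Secret manifest from step 1 against the volume specification from step 2 before you run helm upgrade: every items[].key must exist in the Secret, each volumeMount must name a declared volume, the secretName must match, and defaultMode must not grant group or other access. The manifests are constructed inline as dicts mirroring the page's YAML.

```python
import stat

# Constructed stand-ins for the two files from the procedure; in practice load
# them with yaml.safe_load(open(...)) instead of writing them inline.
SECRET = {  # mirrors external-secret-as-volume.yaml (values elided)
    "kind": "Secret",
    "metadata": {"name": "external-secret-as-volume"},
    "stringData": {"extra-configuration": "{...}", "tls.crt": "...", "tls.key": "..."},
}
VALUES = {  # mirrors the jobDeployment section of secret-volume-values.yaml
    "configuration": {"jobDeployment": {"additionalSpec": {
        "enabled": True,
        "volumeMounts": [{"name": "tmp-extra", "mountPath": "/tmp/extra"}],
        "volumes": [{"name": "tmp-extra", "secret": {
            "secretName": "external-secret-as-volume",
            "defaultMode": 0o700,  # YAML 0700 is octal, same as Python 0o700
            "items": [{"key": "extra-configuration", "path": "extra-configuration.json"},
                      {"key": "tls.crt", "path": "tls.crt"},
                      {"key": "tls.key", "path": "tls.key"}]}}],
    }}}
}


def check_deployment(spec, secret):
    """Return the problems found in one additionalSpec block (empty list = OK)."""
    problems = []
    available = set(secret.get("stringData", {})) | set(secret.get("data", {}))
    volume_names = {v["name"] for v in spec.get("volumes", [])}
    for mount in spec.get("volumeMounts", []):
        if mount["name"] not in volume_names:
            problems.append(f"mount {mount['name']} has no matching volume")
    for vol in spec.get("volumes", []):
        sec = vol.get("secret")
        if sec is None:
            continue
        if sec["secretName"] != secret["metadata"]["name"]:
            problems.append(f"volume {vol['name']} references Secret {sec['secretName']}")
        # An item key absent from the Secret makes the mount fail at pod start.
        for item in sec.get("items", []):
            if item["key"] not in available:
                problems.append(f"item key {item['key']} missing from Secret")
        mode = sec.get("defaultMode", 0o644)  # Kubernetes default when unset
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"defaultMode {mode:#o} is readable by group/others")
    return problems


def check_values(values, secret):
    """Run check_deployment over every deployment section under configuration."""
    return {name: check_deployment(d["additionalSpec"], secret)
            for name, d in values["configuration"].items()}
```

    Run the same check against the dataServiceRouteDeployment section as well; the two blocks in secret-volume-values.yaml must stay in sync because Data Service and Route tasks are deployed separately.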

Results

Your tasks in the Dynamic Engine environment now have access to configuration files mounted from the Kubernetes Secret.

When Secret values are updated, reload behavior differs by task type:

  • For Data Integration (including Big Data) Job tasks, the next task run automatically uses updated Secret values.
  • For Route and Data Services tasks, which run continuously, Secret changes are not automatically reloaded into running containers. To apply credential changes to these tasks, update the task in Talend Management Console to trigger a redeployment on your Kubernetes cluster.
