How do I integrate AWS Secret Store CSI driver to be used as credential providers for metadata database?

[ketozhang]

AWS Secret Store CSI driver is consumable only by mounting the secret as a volume.

IIUC, the helm chart only supports specifying the metadata database credentials by specifying the Secret key in externalDatabase or extraEnv that makes its way to the pod'senv.valueFrom.secretKeyRef field.

Is there any way to use the CSI driver in this Helm chart?

[thesuperzapper]

@ketozhang Your two main options are:

1. Use the Secrets Store CSI Driver to create a Secret resource that you can reference with the normal externalDatabase.passwordSecret values:
   • Note, it seems like for the CSI Driver to create the secret, there has to be at least one Pod that mounts the "volume" version of the secret, and that the secret is deleted when there are no remaining pods that mount it as a volume (which seems a bit dangerous).
   • You could mount it on a custom Pod just to guarantee the secret exists, or mount it on the Airflow Pods like you would a PVC.
2. Use the very popular External Secrets Operator which is only focused on mirroring keeping Kubernetes Secret resources in sync with upstream secret managers (like AWS Secret Manager).

Note, that because we reference the secret via environment variables, if you rotate your DB's password (and the secret gets updated), the Pods will NOT be restarted automatically. To automate these restarts, you would need to use something like these tools (WARNING: these restarts WILL restart all your Airflow Workers, possibly losing work):

• Reloader
• Kyverno (NOTE: this is a much more complex solution, as it does many other things)