docs: Add comprehensive example for configuration via standard Druid environment variables (Secret Injection) #246

Merged
AdheipSingh merged 1 commit into datainfrahq:master from renatocron:master
Nov 28, 2025

@renatocron
Contributor

Description

The current documentation for securing configuration (like metadata store connection strings) primarily uses the inline JSON format (`{"type": "environment", "variable": "VAR"}`) within `runtime.properties`.

This approach presents two main limitations:

  1. Scope Restriction: The inline JSON substitution feature appears limited to specific password fields within Druid, leading to configuration failures when applied to other critical properties (like connection URIs).
  2. Redundancy: It forces the user to manually configure both the environment variable in the Pod spec and the inline JSON substitution logic in the `.properties` files.

This PR introduces and documents the recommended alternative leveraging the default behavior of the official Druid Docker entrypoint: any environment variable prefixed with `druid_` is automatically converted into the corresponding Druid property (`druid_storage_type` becomes `druid.storage.type`).

This standardized approach offers superior security and flexibility by allowing operators to:

  • Securely inject any sensitive or environment-specific configuration (like database credentials, deep storage keys, or full connection strings) directly from Kubernetes Secrets via `valueFrom`.
  • Completely remove sensitive data from static configuration files (`runtime.properties`), adhering to secrets management best practices.

Changes:

  1. Added a new section in `docs/examples.md`: Configuration via Environment Variables (Recommended for sensitive data), detailing the use of `druid_` prefixed environment variables mapped from Kubernetes Secrets.
  2. Updated `examples/tiny-cluster.yaml` and `examples/tiny-cluster-hpa.yaml` to demonstrate the new approach by moving metadata storage configuration from `runtime.properties` to environment variables.
  3. Retained the original JSON-based password documentation for backward reference, but explicitly noted the new method for broader configuration management.
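
As an added illustration that is not part of this PR or the project's code: a shell sketch of the `druid_` prefix mapping the description relies on, together with a check for sensitive keys still left in `runtime.properties`. The function names, the list of key suffixes and all sample values are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the Druid entrypoint's code. Sample values are constructed.

# Model of the mapping described above: each druid_-prefixed environment
# variable becomes a property line, with underscores in the name turned
# into dots. Assumes single-line values.
druid_env_to_properties() {
  env | grep '^druid_' | LC_ALL=C sort | while IFS= read -r line; do
    name=${line%%=*}   # text before the first '='
    value=${line#*=}   # everything after it, so '=' inside a JDBC URI survives
    printf '%s=%s\n' "$(printf '%s' "$name" | tr '_' '.')" "$value"
  done
}

# List keys in a runtime.properties file that still hold a sensitive value
# inline. The key suffixes are an assumption for this example; the
# {"type": "environment", ...} form is skipped because it holds no literal secret.
inline_secret_keys() {
  grep -E '^[[:space:]]*druid\.[A-Za-z0-9_.]*(password|connectURI|secretKey)[[:space:]]*=' "$1" \
    | grep -v '=[[:space:]]*{' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*=.*$//'
}

# Constructed demo: variables as a container would receive them from
# secretKeyRef entries. Runs in a subshell so nothing leaks into the caller.
demo() (
  export druid_metadata_storage_type='postgresql'
  export druid_metadata_storage_connector_connectURI='jdbc:postgresql://db.example.internal:5432/druid?sslmode=require'
  export druid_metadata_storage_connector_password='constructed-placeholder'
  druid_env_to_properties
)
demo
```

Running `inline_secret_keys` against each node's `runtime.properties` before applying a cluster spec shows which settings have not yet been moved to Secret-backed environment variables.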

…ables

Adds a section on configuring Druid using environment variables, recommended for sensitive data. Includes an example of secure injection of Druid secrets and properties via Kubernetes Secrets. Removes sensitive settings from `runtime.properties` and replaces them with environment variables in the cluster examples.

This improves security and flexibility, allowing configurations to be easily changed between environments without modifying configuration files.
@AdheipSingh merged commit a9042ea into datainfrahq:master on Nov 28, 2025
1 check passed