Skip to main content
Version 3.0

Security — Delta Lake

ChartVersion3.0.1TypeapplicationAppVersion4.0.1
CompatibilityKubernetes1.32+OpenShift4.19+Rancher2.10.x+
Feature SupportS3supported

The tdp-deltalake chart runs maintenance jobs (VACUUM, OPTIMIZE) against S3/MinIO storage. Bucket access credentials are provided via the Kubernetes Secret s3-credentials, which the CronJobs read using env.secretKeyRef.

Credentials and Secrets

Create the Secret in the namespace before deploying:

kubectl -n <NAMESPACE> create secret generic s3-credentials \
--from-literal=access-key="<ACCESS_KEY>" \
--from-literal=secret-key="<SECRET_KEY>"
KeyDescription
access-keyAccess key for the S3/MinIO bucket
secret-keySecret key for S3 authentication

The Secret name must be exactly s3-credentials. The chart CronJobs reference this name directly.

S3 endpoint configuration

The S3/MinIO endpoint is configured in the maintenance.spark.config block:

maintenance:
spark:
config:
"spark.hadoop.fs.s3a.endpoint": "http://<S3_ENDPOINT>:<S3_PORT>"
"spark.hadoop.fs.s3a.path.style.access": "true"

Replace <S3_ENDPOINT> with the internal S3 service address in the cluster. For the Ozone instance deployed with TDP, the default address follows the pattern:

http://<RELEASE_NAME>-s3g-rest.<NAMESPACE>.svc.cluster.local:9878

Best practices

AspectRecommendation
CredentialsDo not store access-key and secret-key in a Git repository
RotationRecreate the Secret and wait for the next CronJob execution cycle
Least privilegeConfigure credentials with access only to the buckets used by the maintenance jobs

Troubleshooting

ProblemLikely causeFix
CronJob fails with authentication errorSecret missing or keys with incorrect nameCheck Secret s3-credentials in the namespace
S3 endpoint unreachableIncorrect URL or portTest connectivity with kubectl exec inside the namespace
Permission denied on bucketCredentials without access to the configured pathReview permissions in MinIO/Ozone

For the complete list of parameters, use helm show values for the installed chart version.