Recommended best practice for injecting credentials from AWS Secret Manager for Pinot Controller and Server helm charts #16914

@satnash

I am maintaining separate helm charts for all Pinot components. Most properties such as downloading certs from cert manager and adding cert to the trust store in the pinot container, I have been able to do.

Where I am getting tripped up is to load Pinot admin or other user credentials from AWS Secrets Manager. This is my flow:

  1. Helm install Pinot Controller as statefulset.
  2. Init container loads the certs and admin password from secrets manager
  3. Able to modify/overwrite cacerts but not able to inject the environment to admin password. Mainly due to all files in the container being owned by root. I could have a template for the configMap to overcome this, but that seems a bit wieldy.

I have seen references to "PINOT_CONTROLLER_ACCESS_CONTROL_PRINCIPALS_ADMIN_PASSWORD" which may be able to replace the latter of the two below. Am I on the right track?

controller.admin.access.control.principals=admin
controller.admin.access.control.principals.admin.password=

If not, what is the recommended best practice or guidance on how Pinot containers now and in the future plan to allow credentials configuration?
