# ask-the-community

Carsten Klaus

04/25/2023, 4:35 PM
Hello 🙂, first things first: Thanks for all your work! Flyte is such a great tool! ❤️ Right now we are trying to establish Flyte in our company, however before we use it in production there are some obstacles to be removed. So my first question: How can I inject secret strings into the backend configuration, e.g. S3/MinIO secret keys? (We installed our Flyte backend with Helm and I provide a values.conf.)
    provider: s3
    providerConfig:
      s3:
        disableSSL: true
        v2Signing: true
        endpoint: http://XXXXXXXXXX:9000
        authType: accesskey
        accessKey: XXXXX  # <<<<-------
        secretKey: XXXXXXXXXXXXXXX  # <<<<---
Of course I can't write it into the config file directly. Is there a straightforward way I don't see here? Like Env Vars? Thanks in advance!

David Espejo (he/him)

04/25/2023, 4:42 PM
Hi Carsten and welcome to the Flyte community! Your question looks similar to what was discussed on this thread: https://flyte-org.slack.com/archives/CP2HDHKE1/p1678478308746599 Please let us know if it helps
could you elaborate also a bit on what you’re looking for? a way to install helm charts with secret values?

Ketan (kumare3)

04/25/2023, 11:18 PM
@Yee / @David Espejo (he/him) they want to use kubernetes secrets or the equivalent for their backend secrets

Carsten Klaus

04/26/2023, 9:07 AM
Hi @David Espejo (he/him) I am not addressing the Task, but rather the step before i.e. the backend start. In my case I do a
helm install flyte-backend \
    flyteorg/flyte-binary \
    --namespace flyte \
    --values flyte/values.yaml
The values.yaml file contains every configuration detail, unfortunately the S3 Keys as plain text.
Hi @Yee My values.yaml looks very similar, it's not exactly the sandbox, but it's basically the same. Imagine I do a git push into our repo: everyone could see the secrets as plain text, big No No! So I need a way to set some values during runtime. My first idea was environment variables (did not work)
accessKey: ${S3_ACCESS_KEY}
My second approach was a helm interpolation
accessKey: {{ .Values.accessKey }}
Unfortunately this also did not work because the values.yaml is not interpolatable.
Hi @Ketan (kumare3) Is it possible to inject k8s secrets in the values.yaml?
Any ideas so far? 😥 Is my problem even solvable?

Ketan (kumare3)

04/28/2023, 12:35 AM
I think it is
Sorry union folks have been busy with pydata
Cc @Yee do you know

Yee

04/28/2023, 1:11 AM
so @Carsten Klaus a couple things. unfortunately that usage pattern is not supported by the helm chart as it stands today. however you can definitely change the helm chart to mount a secret volume from k8s, and use that instead. but keep in mind that those two settings in particular were put there mainly to support the case where we use minio as the stand-in for s3. Most installations of flyte should rely on the role that the platform runs as to control s3 access. would you be able to use that instead? to get the database password out of there will require modifying the helm chart though.

Carsten Klaus

05/03/2023, 9:05 AM
Hi @Yee, thanks for the detailed explanation. We are working in an on-prem / Azure environment, so the role does not help here. I would like to modify the helm chart. I installed with helm repo list (flyteorg https://flyteorg.github.io/flyte). Which of the following charts (folders) was installed here? https://github.com/flyteorg/flyte/tree/master/charts

David Espejo (he/him)

05/03/2023, 10:48 AM
In this case, it would be https://github.com/flyteorg/flyte/tree/master/charts/flyte-binary You can also confirm with
helm list --namespace <your-namespace>

jeev

05/03/2023, 7:28 PM
this particular setting is tricky because it needs to be propagated to the flyte control plane AND all task pods in the data plane
we could add placeholders in the values.yaml file, and use extra volume / extra volume mount to mount overrides from a pre-created secret object. will also need another secret object that will need to be propagated to dataplane namespaces, and added to task pods' envFrom in the primary container spec via a pod template likely.
alternatively, you can consider post-rendering the rendered helm template

David Espejo (he/him)

05/04/2023, 10:41 AM
@Carsten Klaus here is an example using Kustomize as a post-renderer, injecting (among other things) a secret: https://github.com/thomastaylor312/advanced-helm-demos/tree/master/post-render