Hello 🙂, first things first: Thanks for all your work! Flyte is such a great tool! ❤️ Right now we try to establish Flyte in our company, however before we use it in production there are some obstacles to be removed. So my first question: How can I inject secret strings into the backend configuration e.g. S3/MinIO secret keys (We installed our Flyte backend with Helm and I provide a values.conf)

provider: s3
    providerConfig:
      s3:
        disableSSL: true
        v2Signing: true
        endpoint: <http://XXXXXXXXXX:9000>
        authType: accesskey
        accessKey: XXXXX <<<<-------
        secretKey: XXXXXXXXXXXXXXX <<<<---

Of course I cant write it into the config file directly. Is there a straightforward way I dont see here? Like Env Vars? Thanks in advance!

Hi Carsten and welcome to the Flyte community! Your question looks similar to what was discussed on this thread: https://flyte-org.slack.com/archives/CP2HDHKE1/p1678478308746599 Please let us know if it helps

you copied that from here right? https://github.com/flyteorg/flyte/blob/bf6d6350c43c73939d4dab718b34e51c8ec2859e/charts/flyte-sandbox/values.yaml#L23-L30

@Yee / @David Espejo (he/him) they want to use kubernetes secrets or the equivalent for their backend secrets

Hi @David Espejo (he/him) I am not addressing the Task, but rather the step before i.e. the backend start. In my case I do a

helm install flyte-backend \
    flyteorg/flyte-binary \
    --namespace flyte \
    --values flyte/values.yaml

The

values.yaml

file contains every configuration detail, unfortunately the S3 Keys as plain text. Hi @Yee My

values.yaml

looks very similar, its not exactly the sandbox, but its basically the same. Imagine I do a

git push

into our repo everyone could see the secrets as plain text, big No No!. So I need a way to set some values during runtime. My first idea were environment variables (did not work)

accessKey: ${S3_ACCESS_KEY}

My second approach was a helm interpolation

accessKey: {{ .Values.accessKey }}

Unfortunately this also did not work because the values.yaml is not interpolatable. Hi @Ketan (kumare3) Is that possible to inject k8s secrets in the values.yaml?

I think it is

so @Carsten Klaus a couple things. unf. that usage patter is not supported by the helm chart as it stands today. however you can definitely change the helm chart to mount a secret volume from k8s, and use that instead. but keep in mind that those two settings in particular were put there mainly to support the case where we use minio as the stand-in for s3. Most installations of flyte should rely on the role that the platform runs as to control s3 access. would you be able to use that instead? to get the database password out of there will require modifying the helm chart though.

Hi @Yee, thanks for the detailed explanation. We are working in a on-prem / Azure environment, so the role does not help here. I would like to modify the helm chart. I installed with

helm repo list

(flyteorg https://flyteorg.github.io/flyte) Which of the following charts (folders) was installed here? https://github.com/flyteorg/flyte/tree/master/charts

In this case, it would be https://github.com/flyteorg/flyte/tree/master/charts/flyte-binary You can also confirm with

helm list --namespace <your-namespace>

this particular setting is tricky because it needs to be propagated to the flyte control plane AND all task pods in the data plane

@Carsten Klaus here an example using Kustomize as post-renderer injecting -among other things- a secret https://github.com/thomastaylor312/advanced-helm-demos/tree/master/post-render