https://flyte.org logo
#flyte-deployment
Title
# flyte-deployment
f

Fredrick

07/11/2022, 7:17 PM
Hello, Is there a config to specify per project/domain secrets to be read by the tasks/workflows in that project/domain using
flytekit.Secret
?
h

Haytham Abuelfutuh

07/11/2022, 9:18 PM
as in, limit the secrets a project/domain is allowed to read?
f

Fredrick

07/11/2022, 10:50 PM
yes. currently the only way to inject secrets is via default-env-vars-from-env-map-string-string afaiu, which will be available to all tasks irrespective which project/domain they belong.
h

Haytham Abuelfutuh

07/11/2022, 11:08 PM
that’s usually done on the secret manager side. What secret manager are you using? K8s secrets, AWS Secret Manager, Vault? Briefly, • K8s Secrets, you can create the secrets a project/domain is allowed to read within the namespace created for the project/domain. If an exec ran in a different project/domain, it’ll fail to mount the secret and you will get a runtime error. • AWS Secret Manager: You can configure IAM access
so yeah, I would not do that… You can start mounting secrets per namespace
f

Fredrick

07/12/2022, 5:29 PM
@Haytham Abuelfutuh thank you for the clarification. where do i specify the secrets to be mounted for a task using k8s secret manager?
k

Ketan (kumare3)

07/14/2022, 5:15 AM
r

Rupsha Chaudhuri

07/14/2022, 5:21 AM
I already have this ^ in the code. I think there was some discussion around whether all pods end up getting access to whatever secrets they want irrespective of project or domain and if we can configure based on namespace, how to set that up in k8s secrets
f

Fredrick

07/14/2022, 6:35 AM
can flyte tasks read any secret in the namespace they run on (assuming the serviceaccount it runs with has a role to get secret) ? or can we specify which secrets that a workflow's task can access during launch plan ?
k

Ketan (kumare3)

07/14/2022, 1:52 PM
Interesting- no, currently it's all tied to the service account only
Would love to hear this idea - maybe an issue
Is this even possible? To restrict
f

Fredrick

07/26/2022, 6:51 PM
reviving this back. how do we make secrets available to be read by tasks when using
k8s secret manager
. the doc says the below. where do i specify the secrets to be mounted/injected ?
. K8s secrets can be mounted as either files or injected as environment variables into the task pod, so if you need to make larger files available to the task, then this might be the better option.
We have tried using the below. But this is not injecting the secret
Copy code
@task(secret_requests=[Secret(group=SECRET_GROUP, key=SECRET_NAME)])
h

Haytham Abuelfutuh

07/26/2022, 7:50 PM
Hey @Fredrick, apologies for the delayed responses. I'm out of office and @Ketan (kumare3) or @Yee will follow up with you... This is correct.. To double check, SECRET_GROUP represents the name of a secret object that exist in the same namespace as the execution? To troubleshoot: • Check the task pod to see if volumes were mounted for the secret, if yes, then it's likely a mismatch between the name of the secret and the name used to request the secret within the flyte task • check the task pod annotations. There should be annotations added (I forgot the name but something that has flyte and secret in the name), if they are not there, please check propeller logs around the time of task launch • if annotations are there, please check the pod webhook is running and check its logs
y

Yee

07/26/2022, 10:24 PM
@Fredrick can you paste the pod spec for the task? (feel free to redact as necessary)
also can you confirm that the secret does exist in K8s, in the namespace that the task is running in?
lastly, can you get the logs for the webhook? again feel free to redact as necessary. this is the pod running in the flyte namespace that has a name like
flyte-pod-webhook-574bc96747-xsd7w
33 Views