Thread
#flyte-deployment
Fredrick
2 months ago
Hello, is there a config to specify per project/domain secrets to be read by the tasks/workflows in that project/domain using flytekit.Secret?
Haytham Abuelfutuh
2 months ago
    as in, limit the secrets a project/domain is allowed to read?
Fredrick
2 months ago
Yes. Currently the only way to inject secrets is via default-env-vars-from-env-map-string-string afaiu, which will be available to all tasks irrespective of which project/domain they belong to.
Haytham Abuelfutuh
2 months ago
That’s usually done on the secret manager side. What secret manager are you using? K8s secrets, AWS Secret Manager, Vault? Briefly,
• K8s Secrets: you can create the secrets a project/domain is allowed to read within the namespace created for the project/domain. If an exec ran in a different project/domain, it’ll fail to mount the secret and you will get a runtime error.
• AWS Secret Manager: you can configure IAM access
    so yeah, I would not do that… You can start mounting secrets per namespace
Fredrick
2 months ago
@Haytham Abuelfutuh thank you for the clarification. Where do I specify the secrets to be mounted for a task using the k8s secret manager?
Ketan (kumare3)
2 months ago
Rupsha Chaudhuri
2 months ago
I already have this ^ in the code. I think there was some discussion around whether all pods end up getting access to whatever secrets they want irrespective of project or domain, and, if we can configure based on namespace, how to set that up in k8s secrets.
Fredrick
2 months ago
Can flyte tasks read any secret in the namespace they run in (assuming the serviceaccount it runs with has a role to get secrets)? Or can we specify which secrets a workflow's task can access in the launch plan?
Ketan (kumare3)
2 months ago
Interesting - no, currently it's all tied to the service account only.
    Would love to hear this idea - maybe an issue
    Is this even possible? To restrict
Fredrick
2 months ago
Reviving this. How do we make secrets available to be read by tasks when using the k8s secret manager? The doc says the below. Where do I specify the secrets to be mounted/injected?
"K8s secrets can be mounted as either files or injected as environment variables into the task pod, so if you need to make larger files available to the task, then this might be the better option."
We have tried using the below. But this is not injecting the secret:
from flytekit import task, Secret
@task(secret_requests=[Secret(group=SECRET_GROUP, key=SECRET_NAME)])
Haytham Abuelfutuh
2 months ago
Hey @Fredrick, apologies for the delayed responses. I'm out of office and @Ketan (kumare3) or @Yee will follow up with you... This is correct. To double check, SECRET_GROUP represents the name of a secret object that exists in the same namespace as the execution? To troubleshoot:
• Check the task pod to see if volumes were mounted for the secret. If yes, then it's likely a mismatch between the name of the secret and the name used to request the secret within the flyte task.
• Check the task pod annotations. There should be annotations added (I forgot the name, but something that has flyte and secret in the name). If they are not there, please check propeller logs around the time of task launch.
• If annotations are there, please check the pod webhook is running and check its logs.
Yee
2 months ago
@Fredrick can you paste the pod spec for the task? (Feel free to redact as necessary.)
Also, can you confirm that the secret does exist in K8s, in the namespace that the task is running in?
Lastly, can you get the logs for the webhook? Again, feel free to redact as necessary. This is the pod running in the flyte namespace that has a name like flyte-pod-webhook-574bc96747-xsd7w.