https://flyte.org logo
#ask-the-community
Title
# ask-the-community
f

Frank Shen

03/10/2023, 7:58 PM
Hello, I need to create secrets and access them in flyte. I am following Creating Secrets with a Secrets Manager https://docs.flyte.org/projects/cookbook/en/latest/auto/core/containerization/use_secrets.html My question is how to create secrets for different environments? Current we have development and beta, and soon will have production envs. Thanks!
k

Kevin Su

03/10/2023, 8:07 PM
what do you mean by different environments? different project and domain?
f

Felix Ruess

03/10/2023, 8:07 PM
So you are running this in k8s, right? There development and beta are separate namespaces, so you can create different secrets for each namespace...
If you don't need to access your secrets programmatically (i.e. you just rely on some env vars being present), you can also just inject those secrets via pod templates and you don't even need to handle it in flytekit python separately...
That is assuming they are the same for all tasks then...
f

Frank Shen

03/10/2023, 8:22 PM
@Kevin Su, yes, domain.
@Felix Ruess, I don’t need to access my secrets programmatically. All I need is env vars available for Flyte tasks. And they should be the same for all tasks. How can I inject secrets via pod templates? Note that I don’t want the credentials stored as plain text in pod templates code. We use CI/CD so I think pod templates will be stored in git repo.
f

Felix Ruess

03/10/2023, 8:30 PM
So this is similar to my usecase then... The pod template is a k8s feature and you need to apply it there... You can create the secrets and pod templates (with same name) per namespace (which is <projectname>-<domain>). You can then tell flyte to use the pod template: https://docs.flyte.org/en/latest/deployment/configuration/general.html#using-default-k8s-podtemplates
As an example, this is the pod template I use (which will injects my secrets as env vars and one as file):
Copy code
apiVersion: v1
kind: PodTemplate
metadata:
  name: flyte-template
template:
  spec:
    runtimeClassName: nvidia
    containers:
      - name: primary
        image: <http://docker.io/rwgrim/docker-noop|docker.io/rwgrim/docker-noop>
        imagePullPolicy: Always
        terminationMessagePath: "/dev/foo"
        envFrom:
          - secretRef:
              name: minio-rc-applied-ai
        volumeMounts:
          - name: rc-license
            mountPath: "/etc/roboception"
            readOnly: true
        lifecycle:
          postStart:
            exec:
              command:
                - /bin/sh
                - -c
                - ln -fs /etc/roboception/rc.license /etc/
      - name: default
        image: <http://docker.io/rwgrim/docker-noop|docker.io/rwgrim/docker-noop>
        terminationMessagePath: "/dev/foo"
    volumes:
      - name: rc-license
        secret:
          secretName: rc-license
    hostNetwork: false
so if you just need to inject env vars from secrets, use the
envFrom
, you can leave out the volume stuff..
f

Frank Shen

03/10/2023, 8:42 PM
@Felix Ruess, that’s what I am looking for. Thanks a lot, and have a great weekend!
f

Felix Ruess

03/10/2023, 8:43 PM
glad I could help 🙂
f

Frank Shen

03/10/2023, 8:51 PM
@Felix Ruess, In fact, we are using helm-charts/flyte-core/flyte-values.yml.tpl to deploy to k8s.
Copy code
# -- Kubernetes specific Flyte configuration
  k8s:
    plugins:
      # -- Configuration section for all K8s specific plugins [Configuration structure](<https://pkg.go.dev/github.com/lyft/flyteplugins/go/tasks/pluginmachinery/flytek8s/config>)
      k8s:
        default-env-vars:
         - AWS_S3_SECRET: VALUE
Do you know the equivalent syntax for pod template below in Helm Charts?
Copy code
env:
  
    - name: BACKEND_USERNAME
  
      valueFrom:
  
        secretKeyRef:
  
          name: backend-user
  
          key: backend-username
f

Felix Ruess

03/10/2023, 8:57 PM
I just use the flyte-values to set the FLYTE_AW_S3_x env vars that flyte itself needs, the standard AWS_S3_x env vars I inject via secrets and pod template per namespace.... I don't think the helm chart right now supports deploying pod templates as well.. Also if you need AWS_S3_x env vars for your user code that differ from the creds for the flyte bucket, this was just recently fixed with https://github.com/flyteorg/flytekit/pull/1523
f

Frank Shen

03/10/2023, 9:55 PM
@Felix Ruess, Thanks for the detailed sharing. However, my use case is different: My Flyte tasks are using Feathr services via Feathr client. And Feathr client will need to access AWS S3 and the only way for Feathr client to obtain AWS S3 credentials is through env vars like this (Flyte client code): access_key = self.envutils.get_environment_variable(‘S3_ACCESS_KEY’) secret_key = self.envutils.get_environment_variable(‘S3_SECRET_KEY’)
So the env vars has to be ‘S3_SECRET_KEY’, etc. literally.
f

Felix Ruess

03/10/2023, 9:58 PM
even better.... then it should work out of the box with released flyte versions...
you "just" need to inject that secret via env vars
f

Frank Shen

03/10/2023, 10:00 PM
Inject via
Copy code
kubectl create secret generic user-info --from-literal=user_secret=mysecret
?
f

Felix Ruess

03/10/2023, 10:04 PM
essentially, yes... So you create the secret (per namespace) with whatever name you like, and then a add a pod template that injects that secret to every pod in that namespace
nothing flyte specific really (except telling flyte which pod template to use)
f

Frank Shen

03/10/2023, 10:06 PM
Great. What’s the syntax to create secrets per domain? kubectl create secret production?
instead of kubectl create secret generic ?
y

Yee

03/10/2023, 10:06 PM
just use the
-n
arg
f

Frank Shen

03/10/2023, 10:06 PM
kubectl create secret generic -n production?
y

Yee

03/10/2023, 10:07 PM
is that the namespace that you’re running in?
the namespace that flyte sends workflows to can be configured
so where it goes depends on how you’ve configured it
f

Felix Ruess

03/10/2023, 10:08 PM
basically most kubectl commands take a namespace argument as @Yee said and the namespace is <projectname>-<domain>
f

Frank Shen

03/10/2023, 10:08 PM
image.png
This is what I see.
f

Felix Ruess

03/10/2023, 10:08 PM
you can list namespaces in k8s with
kubectl get ns
so it would be
flytesnacks-development
or
flytesnacks-beta
f

Frank Shen

03/10/2023, 10:12 PM
If I want the same secrets applied to multiple projects in the same domain, do I have to create separate secrets for each project-domain?
f

Felix Ruess

03/10/2023, 10:12 PM
yes, in k8s secrets are only "visible" in the same namespace
f

Frank Shen

03/10/2023, 10:13 PM
or run kubectl command multiple times?
f

Felix Ruess

03/10/2023, 10:14 PM
so if you want the same secret in all flyte domains of the same project, you need to create the secret in every project-domain combination (as these are separate k8s namespaces)
f

Frank Shen

03/10/2023, 10:17 PM
Got it, thanks a lot!
89 Views