Hello, I need to create secrets and access them in...
# ask-the-community
f
Hello, I need to create secrets and access them in flyte. I am following Creating Secrets with a Secrets Manager https://docs.flyte.org/projects/cookbook/en/latest/auto/core/containerization/use_secrets.html My question is how to create secrets for different environments? Currently we have development and beta, and soon will have production envs. Thanks!
k
what do you mean by different environments? different project and domain?
f
So you are running this in k8s, right? There development and beta are separate namespaces, so you can create different secrets for each namespace...
If you don't need to access your secrets programmatically (i.e. you just rely on some env vars being present), you can also just inject those secrets via pod templates and you don't even need to handle it in flytekit python separately...
That is assuming they are the same for all tasks then...
f
@Kevin Su, yes, domain.
@Felix Ruess, I don’t need to access my secrets programmatically. All I need is env vars available for Flyte tasks. And they should be the same for all tasks. How can I inject secrets via pod templates? Note that I don’t want the credentials stored as plain text in pod templates code. We use CI/CD so I think pod templates will be stored in git repo.
f
So this is similar to my use case then... The pod template is a k8s feature and you need to apply it there... You can create the secrets and pod templates (with same name) per namespace (which is <projectname>-<domain>). You can then tell flyte to use the pod template: https://docs.flyte.org/en/latest/deployment/configuration/general.html#using-default-k8s-podtemplates
As an example, this is the pod template I use (which will inject my secrets as env vars and one as file):
```yaml
apiVersion: v1
kind: PodTemplate
metadata:
  name: flyte-template
template:
  spec:
    runtimeClassName: nvidia
    containers:
      - name: primary
        image: docker.io/rwgrim/docker-noop
        imagePullPolicy: Always
        terminationMessagePath: "/dev/foo"
        envFrom:
          - secretRef:
              name: minio-rc-applied-ai
        volumeMounts:
          - name: rc-license
            mountPath: "/etc/roboception"
            readOnly: true
        lifecycle:
          postStart:
            exec:
              command:
                - /bin/sh
                - -c
                - ln -fs /etc/roboception/rc.license /etc/
      - name: default
        image: docker.io/rwgrim/docker-noop
        terminationMessagePath: "/dev/foo"
    volumes:
      - name: rc-license
        secret:
          secretName: rc-license
    hostNetwork: false
```
so if you just need to inject env vars from secrets, use the `envFrom`, you can leave out the volume stuff..
f
@Felix Ruess, that’s what I am looking for. Thanks a lot, and have a great weekend!
f
glad I could help 🙂
f
@Felix Ruess, In fact, we are using helm-charts/flyte-core/flyte-values.yml.tpl to deploy to k8s.
```yaml
  # -- Kubernetes specific Flyte configuration
  k8s:
    plugins:
      # -- Configuration section for all K8s specific plugins [Configuration structure](https://pkg.go.dev/github.com/lyft/flyteplugins/go/tasks/pluginmachinery/flytek8s/config)
      k8s:
        default-env-vars:
         - AWS_S3_SECRET: VALUE
```
Do you know the equivalent syntax for pod template below in Helm Charts?
```yaml
env:
    - name: BACKEND_USERNAME
      valueFrom:
        secretKeyRef:
          name: backend-user
          key: backend-username
```
f
I just use the flyte-values to set the FLYTE_AW_S3_x env vars that flyte itself needs, the standard AWS_S3_x env vars I inject via secrets and pod template per namespace.... I don't think the helm chart right now supports deploying pod templates as well.. Also if you need AWS_S3_x env vars for your user code that differ from the creds for the flyte bucket, this was just recently fixed with https://github.com/flyteorg/flytekit/pull/1523
f
@Felix Ruess, Thanks for the detailed sharing. However, my use case is different: My Flyte tasks are using Feathr services via Feathr client. And Feathr client will need to access AWS S3 and the only way for Feathr client to obtain AWS S3 credentials is through env vars like this (Flyte client code):
```python
access_key = self.envutils.get_environment_variable('S3_ACCESS_KEY')
secret_key = self.envutils.get_environment_variable('S3_SECRET_KEY')
```
So the env vars have to be 'S3_SECRET_KEY', etc. literally.
f
even better.... then it should work out of the box with released flyte versions...
you "just" need to inject that secret via env vars
f
Inject via `kubectl create secret generic user-info --from-literal=user_secret=mysecret`?
f
essentially, yes... So you create the secret (per namespace) with whatever name you like, and then add a pod template that injects that secret to every pod in that namespace
nothing flyte specific really (except telling flyte which pod template to use)
f
Great. What’s the syntax to create secrets per domain? kubectl create secret production?
instead of kubectl create secret generic ?
y
just use the `-n` arg
f
kubectl create secret generic -n production?
y
is that the namespace that you’re running in?
the namespace that flyte sends workflows to can be configured
so where it goes depends on how you’ve configured it
f
basically most kubectl commands take a namespace argument as @Yee said and the namespace is <projectname>-<domain>
f
image.png
This is what I see.
f
you can list namespaces in k8s with `kubectl get ns`
so it would be `flytesnacks-development` or `flytesnacks-beta`
f
If I want the same secrets applied to multiple projects in the same domain, do I have to create separate secrets for each project-domain?
f
yes, in k8s secrets are only "visible" in the same namespace
f
or run kubectl command multiple times?
f
so if you want the same secret in all flyte domains of the same project, you need to create the secret in every project-domain combination (as these are separate k8s namespaces)
f
Got it, thanks a lot!