Skip to content

[Core feature] control ENV var name for injected secrets #3053

New issue
New issue
Closed
flyteorg/flyteidl
#423
Closed
[Core feature] control ENV var name for injected secrets#3053
flyteorg/flyteidl
#423
Labels
backloggedFor internal use. Reserved for contributor team workflow.enhancementNew feature or request
@flixr

Description

@flixr
flixr
opened on Nov 5, 2022

Motivation: Why do you think this is important?

Split out from flyteorg/flytekit#1307:

I need to inject k8s secrets as env vars into my raw ContainerTasks (and actually for PythonTasks as well).
As an example I want to inject AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
Essentially I want to do what k8s already nicely provides:
https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#define-a-container-environment-variable-with-data-from-a-single-secret

Using flyte secrets there is no way to control the ENV var name, something like e.g.
Secret(group="minio-write-creds", key="AWS_ACCESS_KEY_ID", mount_requirement=Secret.MountType.ENV_VAR)
will inject the secret as _FSEC_MINIO_WRITE_CREDS_AWS_ACCESS_KEY_ID and this is currently hardcoded in flytepropeller.
This seems sensible iff you need to get the secret in Python code via flytekit context/secret manager, but not for raw containers.
Even for a Python task it would often be easier to just control the env var name (as e.g. in the case of the S3 credentials that boto3 would automatically pick up then).

Goal: What should the final outcome look like, ideally?

Maybe something like

Secret(group="minio-write-creds", key="access_key", mount_requirement=Secret.MountType.ENV_VAR, name="AWS_ACCESS_KEY_ID")

To decouple group/key name from env var name, just like k8s itself.
If name is not given it could still work by naming as prefix + group + key.

Describe alternatives you've considered

Working around this by wrapping my container task in a shell script that pull out the secret from the env var (or file) and populate the correct env var for the actual process.
But this is super cumbersome and actually requires the wrapper script to know about the group name (so k8s secret name), which makes it super awkward to change credentials by just using a different secret.

Same goes for secrets injected as file...

Propose: Link/Inline OR Additional context

No response

Are you sure this issue hasn't been raised already?

  • Yes

Have you read the Code of Conduct?

  • Yes

Metadata

Metadata

Assignees

No one assigned

    Labels

    backloggedFor internal use. Reserved for contributor team workflow.enhancementNew feature or request

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions