flyteorg / flyte

Scalable and flexible workflow orchestration platform that seamlessly unifies data, ML and analytics stacks.
https://flyte.org
Apache License 2.0

[Core feature] Enable AWS Secrets in kubernetes #4336

Closed marti-jorda-roca closed 5 days ago

marti-jorda-roca commented 10 months ago

Motivation: Why do you think this is important?

To deploy flyte to AWS we need to pass a database password. The default method is to write the password in plain text or as env variables in the chart values yaml.

To pass the password in a more secure and easy way in AWS, it would be really nice to allow the use of AWS Secrets Manager secrets in Amazon Elastic Kubernetes Service.

Goal: What should the final outcome look like, ideally?

Integrate AWS Secret Manager in flyte-core chart, for example:

  databaseSecret:
    name: db-pass
    volume:
      - name: db-pass
        csi:
          driver: secrets-store.csi.k8s.io
          readOnly: true
          volumeAttributes:
            secretProviderClass: aws-db-secrets-spc

    volumeMount:
      - name: db-pass
        mountPath: "/etc/db"  # mountPath must be an absolute path
        readOnly: true
    secretManifest:
      apiVersion: secrets-store.csi.x-k8s.io/v1
      kind: SecretProviderClass
      metadata:
        name: aws-db-secrets-spc
      spec:
        provider: aws
        parameters:
          objects: |
            - objectName: "{{ .Values.userSettings.db_secret }}"
              objectType: "secretsmanager"
              jmesPath: 
                  - path: password
                    objectAlias: dbpassword

This would work, but currently the _helpers.tpl overrides the helm template with a volumes value that is not the one required for AWS to work.

Describe alternatives you've considered

If we define an additional volume in datacatalog, for example:

datacatalog:
  # mount another db secret to activate secret-store-csi to create db-pass k8s secret.
  # https://archive.eksworkshop.com/beginner/194_secrets_manager/sync_native_secrets_env/
  additionalVolumes:
    - name: aws-secret
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: aws-db-secrets-spc

  additionalVolumeMounts:
    - name: aws-secret
      mountPath: "/mnt/aws-secrets"
      readOnly: true

And we define our databaseSecret as follows:

  databaseSecret:
    name: db-pass
    secretManifest:
      apiVersion: secrets-store.csi.x-k8s.io/v1
      kind: SecretProviderClass
      metadata:
        name: aws-db-secrets-spc
      spec:
        provider: aws
        parameters:
          objects: |
            - objectName: "{{ .Values.userSettings.db_secret }}"
              objectType: "secretsmanager"
              jmesPath: 
                  - path: password
                    objectAlias: dbpassword
        # Create k8s secret. It requires volume mount first in the pod and then sync.
        secretObjects:
          - secretName: db-pass
            type: Opaque
            data:
              - objectName: dbpassword
                key: dbpassword

It works, but it is a little bit hacky.

Propose: Link/Inline OR Additional context

https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating_csi_driver.html
https://archive.eksworkshop.com/beginner/194_secrets_manager/sync_native_secrets_env/

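To make the two-step sync in the alternative above concrete (the CSI mount applies the jmesPath entries to the Secrets Manager object, then secretObjects copies the aliased file into a Kubernetes Secret), here is an added Python simulation that is not part of the issue or the Flyte chart. The Secrets Manager object name `flyte/db` and its JSON value are constructed, and jmesPath handling is reduced to dotted keys.

```python
"""Simulate the Secrets Store CSI driver + AWS provider on the issue's
SecretProviderClass: mount files via jmesPath, then sync per secretObjects."""
import json
# Constructed stand-in for Secrets Manager; "flyte/db" replaces the chart's
# {{ .Values.userSettings.db_secret }} and the JSON value is made up.
FAKE_SECRETS_MANAGER = {"flyte/db": json.dumps(
    {"username": "flyte", "password": "s3cr3t-example"})}

# The issue's spec.parameters.objects and spec.secretObjects as Python dicts.
SPC_OBJECTS = [{"objectName": "flyte/db", "objectType": "secretsmanager",
                "jmesPath": [{"path": "password", "objectAlias": "dbpassword"}]}]
SECRET_OBJECTS = [{"secretName": "db-pass", "type": "Opaque",
                   "data": [{"objectName": "dbpassword", "key": "dbpassword"}]}]

def jmes_lookup(doc, path):
    """Minimal JMESPath: dotted identifier path only (e.g. 'db.password')."""
    for part in path.split("."):
        if not isinstance(doc, dict) or part not in doc:
            raise KeyError(f"jmesPath {path!r} not found in secret JSON")
        doc = doc[part]
    return doc

def mount_files(objects, store):
    """Return {filename: content} as the CSI volume would be populated."""
    files = {}
    for obj in objects:
        raw = store[obj["objectName"]]
        if "jmesPath" not in obj:  # no extraction: whole value under name/alias
            files[obj.get("objectAlias", obj["objectName"])] = raw
            continue
        doc = json.loads(raw)  # jmesPath requires the secret value to be JSON
        for entry in obj["jmesPath"]:
            files[entry["objectAlias"]] = str(jmes_lookup(doc, entry["path"]))
    return files

def sync_k8s_secrets(secret_objects, files):
    """Build the Secret(s) from mounted files; an unknown objectName aborts the sync."""
    secrets = {}
    for so in secret_objects:
        data = {}
        for item in so["data"]:
            if item["objectName"] not in files:
                raise ValueError(f"{item['objectName']!r} is not a mounted file")
            data[item["key"]] = files[item["objectName"]]
        secrets[so["secretName"]] = {"type": so["type"], "data": data}
    return secrets

def simulate(objects=SPC_OBJECTS, secret_objects=SECRET_OBJECTS, store=FAKE_SECRETS_MANAGER):
    files = mount_files(objects, store)
    return files, sync_k8s_secrets(secret_objects, files)
```

The second step only succeeds when `data[].objectName` in secretObjects matches an objectAlias (or objectName) produced by the mount, which is the pairing the configs above rely on.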
welcome[bot] commented 10 months ago

Thank you for opening your first issue here! 🛠

kumare3 commented 5 days ago

supported