Closed marti-jorda-roca closed 5 days ago
Motivation: Why do you think this is important?

To deploy Flyte to AWS we need to pass a database password. The default method is to write the password in plain text or as env variables in the chart values yaml.

To pass the password in a more secure and easy way in AWS, it would be really nice to allow the use of AWS Secrets Manager secrets in Amazon Elastic Kubernetes Service.

Goal: What should the final outcome look like, ideally?

Integrate AWS Secrets Manager in the flyte-core chart, for example:

```yaml
databaseSecret:
  name: db-pass
  volume:
    - name: db-pass
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: aws-db-secrets-spc
  volumeMount:
    - name: db-pass
      mountPath: "/etc/db"   # mountPath must be absolute for Kubernetes to accept it
      readOnly: true
  secretManifest:
    apiVersion: secrets-store.csi.x-k8s.io/v1
    kind: SecretProviderClass
    metadata:
      name: aws-db-secrets-spc
    spec:
      provider: aws
      parameters:
        objects: |
          - objectName: "{{ .Values.userSettings.db_secret }}"
            objectType: "secretsmanager"
            jmesPath:
              - path: password
                objectAlias: dbpassword
```

This would work, but currently the _helpers.tpl overrides the helm template with a volumes value that is not the one required for AWS to work.

Describe alternatives you've considered

If we define an additional volume in datacatalog, for example:

```yaml
datacatalog:
  # mount another db secret to activate secret-store-csi to create db-pass k8s secret.
  # https://archive.eksworkshop.com/beginner/194_secrets_manager/sync_native_secrets_env/
  additionalVolumes:
    - name: aws-secret
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: aws-db-secrets-spc
  additionalVolumeMounts:
    - name: aws-secret
      mountPath: "/mnt/aws-secrets"
      readOnly: true
```

And we define our databaseSecret as follows:

```yaml
databaseSecret:
  name: db-pass
  secretManifest:
    apiVersion: secrets-store.csi.x-k8s.io/v1
    kind: SecretProviderClass
    metadata:
      name: aws-db-secrets-spc
    spec:
      provider: aws
      parameters:
        objects: |
          - objectName: "{{ .Values.userSettings.db_secret }}"
            objectType: "secretsmanager"
            jmesPath:
              - path: password
                objectAlias: dbpassword
      # Create k8s secret. It requires a volume mount first in the pod and then sync.
      secretObjects:
        - secretName: db-pass
          type: Opaque
          data:
            - objectName: dbpassword
              key: dbpassword
```

It works, but it is a little bit hacky.

Propose: Link/Inline OR Additional context

https://docs.aws.amazon.com/secretsmanager/latest/userguide/integrating_csi_driver.html
https://archive.eksworkshop.com/beginner/194_secrets_manager/sync_native_secrets_env/
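The wiring above only syncs a Kubernetes Secret when several names line up: the CSI volume must reference the SecretProviderClass, every secretObjects entry must name a file the AWS provider actually exposes (an objectName or jmesPath objectAlias), the mount must be absolute, and the password must not sit as a literal anywhere in the values. The following added example (not code from this issue, the flyte-core chart, or the Secrets Store CSI project) checks those links over a values structure mirroring the proposal; the values are a constructed inline dict rather than parsed YAML so it runs without PyYAML, and the check_values / with_override helper names are my own.

```python
import copy
import re

# Constructed sample values mirroring the issue's databaseSecret proposal.
SAMPLE_VALUES = {
    "databaseSecret": {
        "name": "db-pass",
        "volume": [{
            "name": "db-pass",
            "csi": {
                "driver": "secrets-store.csi.k8s.io",
                "readOnly": True,
                "volumeAttributes": {"secretProviderClass": "aws-db-secrets-spc"},
            },
        }],
        "volumeMount": [{"name": "db-pass", "mountPath": "/etc/db", "readOnly": True}],
        "secretManifest": {
            "apiVersion": "secrets-store.csi.x-k8s.io/v1",
            "kind": "SecretProviderClass",
            "metadata": {"name": "aws-db-secrets-spc"},
            "spec": {
                "provider": "aws",
                "parameters": {
                    "objects": (
                        '- objectName: "{{ .Values.userSettings.db_secret }}"\n'
                        '  objectType: "secretsmanager"\n'
                        "  jmesPath:\n"
                        "    - path: password\n"
                        "      objectAlias: dbpassword\n"
                    )
                },
                "secretObjects": [{
                    "secretName": "db-pass",
                    "type": "Opaque",
                    "data": [{"objectName": "dbpassword", "key": "dbpassword"}],
                }],
            },
        },
    }
}

_NAME_RE = re.compile(r'\s*-?\s*object(?:Name|Alias):\s*"?([^"]+?)"?\s*$')
_TEMPLATE_RE = re.compile(r"^\s*\{\{.*\}\}\s*$")


def exposed_names(manifest):
    """File names the AWS provider writes into the mount: each objectName/objectAlias
    listed in the 'objects' block (which is a YAML string inside the manifest)."""
    names = set()
    for line in manifest["spec"]["parameters"]["objects"].splitlines():
        m = _NAME_RE.match(line)
        if m:
            names.add(m.group(1))
    return names


def literal_passwords(node, path=""):
    """Paths of keys containing 'password' whose value is a literal (not a Helm template)."""
    found = []
    if isinstance(node, dict):
        for key, val in node.items():
            sub = f"{path}.{key}" if path else key
            if "password" in key.lower() and isinstance(val, str) and val and not _TEMPLATE_RE.match(val):
                found.append(sub)
            found.extend(literal_passwords(val, sub))
    elif isinstance(node, list):
        for i, val in enumerate(node):
            found.extend(literal_passwords(val, f"{path}[{i}]"))
    return found


def check_values(values):
    """Return a list of problems; an empty list means the CSI wiring is consistent."""
    problems = []
    db = values["databaseSecret"]
    manifest = db["secretManifest"]
    spc_name = manifest["metadata"]["name"]
    exposed = exposed_names(manifest)
    volume_names = {v["name"] for v in db.get("volume", [])}
    for vol in db.get("volume", []):
        csi = vol.get("csi", {})
        if csi.get("driver") != "secrets-store.csi.k8s.io":
            problems.append(f"volume {vol['name']}: not a Secrets Store CSI volume")
        ref = csi.get("volumeAttributes", {}).get("secretProviderClass")
        if ref != spc_name:
            problems.append(f"volume {vol['name']}: secretProviderClass {ref!r} != {spc_name!r}")
        if not csi.get("readOnly", False):
            problems.append(f"volume {vol['name']}: CSI volume should be readOnly")
    for mnt in db.get("volumeMount", []):
        if mnt["name"] not in volume_names:
            problems.append(f"volumeMount {mnt['name']}: no matching volume")
        if not mnt["mountPath"].startswith("/"):
            problems.append(f"volumeMount {mnt['name']}: mountPath must be absolute")
    for so in manifest["spec"].get("secretObjects", []):
        if so["secretName"] != db["name"]:
            problems.append(f"secretObjects {so['secretName']}: does not match databaseSecret.name")
        for item in so["data"]:
            if item["objectName"] not in exposed:
                problems.append(f"secretObjects {so['secretName']}: {item['objectName']!r} not exposed by the provider")
    for path in literal_passwords(values):
        problems.append(f"{path}: password stored as a plaintext literal in values")
    return problems


def with_override(values, path, new_value):
    """Deep-copy values and replace the leaf reached by the key/index tuple 'path'."""
    out = copy.deepcopy(values)
    node = out
    for step in path[:-1]:
        node = node[step]
    node[path[-1]] = new_value
    return out


if __name__ == "__main__":
    for problem in check_values(SAMPLE_VALUES) or ["ok: wiring is consistent"]:
        print(problem)
```

Run it against a rendered values file by replacing SAMPLE_VALUES with the loaded document; the plaintext check is the one that catches the default "write the password in the values yaml" setup the issue is trying to get away from.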
Thank you for opening your first issue here! 🛠