kubeflow-kale / kale

Kubeflow’s superfood for Data Scientists
http://kubeflow-kale.github.io
Apache License 2.0
628 stars 129 forks

Azure KeyVault Support #98

Open Shaked opened 4 years ago

Shaked commented 4 years ago

Hey,

We have started using Kale recently, and we are very happy with it.

We are mounting all of our secrets (and some general configuration) via Azure KeyVault (AKV) in order to keep everything secure.

Currently, we have a PodDefault defined for AKV which works perfectly.

We have managed to manually integrate AKV with Kale by adding the following code to the .py file:

from kubernetes import client as k8s_client  # the snippet uses k8s_client; this import is assumed

def attachAKV(phase):
    # phase is one pipeline task (a kfp ContainerOp). The azure/kv FlexVolume
    # driver takes the object names, aliases and types as three parallel
    # ';'-separated lists; each alias becomes a file under /secrets.
    return phase.add_volume(k8s_client.V1Volume(name='akv', flex_volume=k8s_client.V1FlexVolumeSource(
        driver="azure/kv",
        secret_ref=k8s_client.V1LocalObjectReference(name="keyvaultcreds"),  # K8s Secret holding the AKV credentials
        options={
            "keyvaultname": "keyvault-name-in-azure",
            "keyvaultobjectnames": "kubeflow-config;trains-config",
            "keyvaultobjectaliases": "secrets.json;trains.conf",
            "keyvaultobjecttypes": "secret;secret",
            "tenantid": "<tenantId>"
        })
    )).add_volume_mount(k8s_client.V1VolumeMount(
        mount_path="/secrets",
        name="akv",
        read_only=True  # secrets are never written back from the pod
    ))

Then we just make count(tasks) calls to attachAKV(THE_TASK).

We are thinking of making a PR that will add official support, so that we won't need to manually add this to the .py file.

One idea was to have an external plugin that allows users to define their AKV settings (you can have different pipelines mounting different AKV settings), and then maybe add to the Kale UI an option to choose AKV settings from a list. Would that make sense?
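
The approach described in the comment above, as an added example that is not part of the issue, Kale's code, or the kubernetes-keyvault-flexvol project: a builder that produces the same azure/kv FlexVolume and read-only mount for every task, plus the check a reviewer would want before shipping a pipeline. It works on plain dicts shaped like the Kubernetes PodSpec (what V1Volume and V1VolumeMount serialize to), so it runs without the kubernetes or kfp packages; the three-task pipeline, the vault name, tenant id and object names are constructed placeholders, the option names are the ones from the snippet, and only the "secret" object type used on the page is accepted.

```python
"""Attach an Azure Key Vault (AKV) FlexVolume to every task of a pipeline.

Added example; not Kale's or the issue author's code. Works on plain dicts
shaped like the Kubernetes PodSpec, so no kubernetes/kfp install is needed.
"""
import copy

AKV_VOLUME_NAME = "akv"
AKV_MOUNT_PATH = "/secrets"
# "secret" is the only object type used on the page, so it is the only one accepted.
AKV_OBJECT_TYPES = {"secret"}
PARALLEL_OPTIONS = ("keyvaultobjectnames", "keyvaultobjectaliases", "keyvaultobjecttypes")


def build_akv_volume(keyvault_name, tenant_id, objects, creds_secret="keyvaultcreds"):
    """Return (volume, volume_mount) dicts for the azure/kv FlexVolume driver.

    `objects` is a list of (object_name, alias, object_type) triples. The driver
    wants them as three parallel ';'-separated strings; building all three from
    one list keeps them aligned, which is easy to get wrong when typed by hand.
    Each alias becomes a file name under the mount path, so it must be a plain name.
    """
    if not objects:
        raise ValueError("at least one Key Vault object is required")
    for name, alias, otype in objects:
        if any(";" in field for field in (name, alias)):
            raise ValueError("';' separates list entries and cannot appear in an entry")
        if otype not in AKV_OBJECT_TYPES:
            raise ValueError(f"unsupported Key Vault object type: {otype!r}")
        if "/" in alias or alias in ("", ".", ".."):
            raise ValueError(f"alias must be a plain file name: {alias!r}")
    volume = {
        "name": AKV_VOLUME_NAME,
        "flexVolume": {
            "driver": "azure/kv",
            "secretRef": {"name": creds_secret},  # K8s Secret with the AKV credentials
            "options": {
                "keyvaultname": keyvault_name,
                "keyvaultobjectnames": ";".join(o[0] for o in objects),
                "keyvaultobjectaliases": ";".join(o[1] for o in objects),
                "keyvaultobjecttypes": ";".join(o[2] for o in objects),
                "tenantid": tenant_id,
            },
        },
    }
    mount = {"name": AKV_VOLUME_NAME, "mountPath": AKV_MOUNT_PATH, "readOnly": True}
    return volume, mount


def attach_akv(pod_spec, volume, mount):
    """Add the volume to one task's pod spec and mount it in every container.

    Idempotent: a spec that already has a volume/mount named `akv` is left as
    is, so applying it once per task is safe even if a task was patched by hand.
    """
    volumes = pod_spec.setdefault("volumes", [])
    if not any(v["name"] == volume["name"] for v in volumes):
        volumes.append(copy.deepcopy(volume))
    for container in pod_spec.get("containers", []):
        mounts = container.setdefault("volumeMounts", [])
        if not any(m["name"] == mount["name"] for m in mounts):
            mounts.append(dict(mount))
    return pod_spec


def attach_to_all(pod_specs, keyvault_name, tenant_id, objects):
    """The count(tasks) calls from the issue, done in one place."""
    volume, mount = build_akv_volume(keyvault_name, tenant_id, objects)
    return [attach_akv(spec, volume, mount) for spec in pod_specs]


def check_akv_mounts(pod_specs):
    """Return a list of problems; empty means every task mounts AKV read-only."""
    problems = []
    for i, spec in enumerate(pod_specs):
        vols = {v["name"]: v for v in spec.get("volumes", [])}
        flex = vols.get(AKV_VOLUME_NAME, {}).get("flexVolume")
        if not flex or flex.get("driver") != "azure/kv":
            problems.append(f"task {i}: no azure/kv volume named {AKV_VOLUME_NAME!r}")
            continue
        if not flex.get("secretRef", {}).get("name"):
            problems.append(f"task {i}: flexVolume has no secretRef")
        opts = flex.get("options", {})
        counts = {k: len(opts.get(k, "").split(";")) for k in PARALLEL_OPTIONS}
        if len(set(counts.values())) != 1:
            problems.append(f"task {i}: object name/alias/type lists differ in length: {counts}")
        for j, c in enumerate(spec.get("containers", [])):
            m = next((m for m in c.get("volumeMounts", []) if m["name"] == AKV_VOLUME_NAME), None)
            if m is None:
                problems.append(f"task {i} container {j}: AKV volume not mounted")
            elif not m.get("readOnly"):
                problems.append(f"task {i} container {j}: AKV mount is writable")
    return problems


def sample_pipeline():
    """Constructed stand-in for a three-task pipeline, one container per task."""
    return [{"containers": [{"name": step, "image": "python:3.8"}]} for step in ("load", "train", "eval")]


if __name__ == "__main__":
    specs = attach_to_all(sample_pipeline(), "keyvault-name-in-azure", "<tenantId>",
                          [("kubeflow-config", "secrets.json", "secret"),
                           ("trains-config", "trains.conf", "secret")])
    print(check_akv_mounts(specs))  # []
```

With the real kubernetes client the same dicts can be passed to `V1Volume`/`V1VolumeMount` via the ContainerOp's `add_volume`/`add_volume_mount`, as in the snippet; `check_akv_mounts` is the part worth keeping in CI, since a task that is missing the mount or mounts it writable fails silently at authoring time and only shows up when the pod runs.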

StefanoFioravanzo commented 4 years ago

@Shaked This would be a very welcome contribution! We have been talking about supporting secrets already, especially with @LeonardAukea.

It would be great if we could have a general way to attach both standard K8s secrets and have handlers for other types, like AKV.

Let's focus on the backend side first and then think about how to handle this on the frontend. If you want to start by opening a PR, I will be happy to review it and provide some direction.