Replace init secrets init container with helm #5557
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #5557 +/- ##
==========================================
- Coverage 60.98% 60.97% -0.02%
==========================================
Files 796 796
Lines 51647 51647
==========================================
- Hits 31498 31492 -6
- Misses 17249 17255 +6
Partials 2900 2900
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
ddl-ebrown
force-pushed
the
replace-init-secrets-initContainer-with-helm
branch
2 times, most recently
from
873cbab
to
fc035cc
Compare
script/generate_helm.sh
Outdated
| @@ -56,7 +56,8 @@ ${GOPATH:-~/go}/bin/helm-docs -c ${DIR}/../charts/ | |||
|
|
|||
| # This section is used by GitHub workflow to ensure that the generation step was run | |||
| if [ -n "$DELTA_CHECK" ]; then | |||
| DIRTY=$(git status --porcelain) | |||
| # find only deleted or removed lines, not replaced values | |||
| DIRTY=$(git diff --word-diff | grep '^[{\[]') | |||
There was a problem hiding this comment.
The CI check needs to be updated to understand that some values may change when regenerating Helm charts
An alternative approach would be to add values.yaml entries and plumb them through -- but that feels a bit overkill
There was a problem hiding this comment.
cc @eapolinario please take a look
ddl-ebrown
force-pushed
the
replace-init-secrets-initContainer-with-helm
branch
from
fc035cc
to
4a95b31
Compare
- A separate container instance that requires Kubernetes API access is unnecessary when Helm is able to generate the same secret values in the client before submitting resources to Kubernetes. The declarative approach here is identical to what the code does in https://github.com/flyteorg/flyte/blob/master/flyteadmin/auth/init_secrets.go#L80-L151 - The lookup function is used so that on upgrades, the secret is not regenerated -- the existing values in the cluster are used. - Note that Helm always creates secret resources before deployment resources, so the secret values are guaranteed to be available before flyteadmin starts - Update helm chart regenerate check so that it only fails if the diff has new or removed lines Signed-off-by: ddl-ebrown <[email protected]>
- When setting up integrations with an IdP like Keycloak, the oidc_client_secret must also be set in flyte-admin-secrets. Formalize that and make it more discoverable Signed-off-by: ddl-ebrown <[email protected]>
ddl-ebrown
force-pushed
the
replace-init-secrets-initContainer-with-helm
branch
from
4a95b31
to
b3e424e
Compare
There was a problem hiding this comment.
Also reproduced this and works as expected. Thank you!
@ddl-ebrown do you think you could PR the cleanup tasks you mention in the description? I think it makes sense:
It may be useful to deprecate / remove the code previously used to generate secrets if it's not otherwise needed (not sure what the standalone binary chart does for init)
The ClusterRole should be updated to remove the ability to write / delete secrets - as it stands, https://github.com/flyteorg/flyte/blob/master/charts/flyte-core/values.yaml#L71-L94 is extremely permissive and a bit of a security liability (why does flyteadmin need access to all secrets in the cluster?). Using Helm to init the secret allows for restricting the service account more appropriately
Happy to remove any dead code used to generate these values -- that should be easy. I'd like someone on your side to confirm the |
Yep, the changes to the ClusterRole should be a separate PR, as the removal of the unused code. |
Ok, so then to get this one merged we just need to get the CI check green |
Tracking issue
Why are the changes needed?
Removes deployment complexity
A couple of other things to call out here:
flyteadminneed access to all secrets in the cluster?). Using Helm to init the secret allows for restricting the service account more appropriatelyWhat changes were proposed in this pull request?
Remove core flyteadmin init-secret initContainer
A separate container instance that requires Kubernetes API access is
unnecessary when Helm is able to generate the same secret values in
the client before submitting resources to Kubernetes.
The declarative approach here is identical to what the code does in
https://github.com/flyteorg/flyte/blob/master/flyteadmin/auth/init_secrets.go#L80-L151
The lookup function is used so that on upgrades, the secret is not
regenerated -- the existing values in the cluster are used.
Note that Helm always creates secret resources before deployment
resources, so the secret values are guaranteed to be available before
flyteadmin starts
Formalize oidc_client_secret in flyte-admin-secrets
When setting up integrations with an IdP like Keycloak, the
oidc_client_secret must also be set in flyte-admin-secrets.
Formalize that and make it more discoverable
How was this patch tested?
Setup process
Screenshots
Check all the applicable boxes
Related PRs
Docs link