Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add env_name to Secrets #6160

Merged
merged 3 commits into from
Jan 15, 2025
Merged

Add env_name to Secrets #6160

merged 3 commits into from
Jan 15, 2025

Conversation

thomasjpfan
Copy link
Member

@thomasjpfan thomasjpfan commented Jan 10, 2025
edited by flyte-bot
Loading

Tracking issue

Related to #6141 (comment)

Why are the changes needed?

This PR adds an env_name to the Secrets IDL, which has the follow behavior:

  1. If mount_requirement is ENV_VAR, then we set an environment variable named env_name to the value of the secret.
  2. If mount_requirement is FILE, then we set an environment variable named env_name to the path of the mounted secret.

What changes were proposed in this pull request?

This PR adds env_name to the Secrets IDL. This makes it easy to configure a secret in a Flyte task. For example, one can easily set a hugging face secret:

@task(secret_requests=[Secret(..., env_name="HF_TOKEN", mount_requirement=Secret.MountType.ENV_VAR)
def hello():
    ...

Or for secrets that require a file:

@task(secret_requests=[Secret(..., env_name="HF_TOKEN_PATH", mount_requirement=Secret.MountType.FILE)
def hello():
    ...

How was this patch tested?

I ran the following to try the two different modes:

from flytekit import task, Secret, ImageSpec
from typing import Optional
import os

image = ImageSpec(
    apt_packages=["git"],
    packages=[
        "git+https://github.com/thomasjpfan/flytekit.git@615499eae5539036abf70d960beb93621f7f9a29",
    ],
    registry="localhost:30000",
    commands=[
        "uv pip install git+https://github.com/thomasjpfan/flyte.git@ef360e831f26471160c2b76a5e9635e77caab2ae#subdirectory=flyteidl"
    ],
)


@task(
    container_image=image,
    secret_requests=[
        Secret(
            key="token",
            group="my-fun-group",
            mount_requirement=Secret.MountType.ENV_VAR,
            env_name="HELLO_WORLD",
        )
    ],
)
def get_secret_env_var() -> Optional[str]:
    return os.getenv("HELLO_WORLD")


@task(
    container_image=image,
    secret_requests=[
        Secret(
            key="token",
            group="my-fun-group",
            mount_requirement=Secret.MountType.FILE,
            env_name="HELLO_WORLD",
        )
    ],
)
def get_secret_file() -> str:
    with open(os.getenv("HELLO_WORLD"), "r") as f:
        return f.read()

Summary by Bito

This PR implements custom environment variable naming for Flyte secrets by adding an env_name field to the Secret message type. The enhancement supports both ENV_VAR and FILE mount types, allowing users to specify custom environment variable names for secret values and file paths. The implementation includes protobuf definition updates and generated code across multiple languages (Go, TypeScript, JavaScript, Python, Rust).

Unit tests added: True

Estimated effort to review (1-5, lower is better): 3

@thomasjpfan
Generate idl
dd7a215 
Signed-off-by: Thomas J. Fan <[email protected]>
@thomasjpfan
Add env_name to Secrets
ef360e8 
Signed-off-by: Thomas J. Fan <[email protected]>
@thomasjpfan thomasjpfan added the added Merged changes that add new functionality label Jan 10, 2025
@flyte-bot
Copy link
Collaborator

flyte-bot commented Jan 10, 2025
edited
Loading

Code Review Agent Run #40b3bc

Actionable Suggestions - 2
  • flytepropeller/pkg/webhook/k8s_secrets.go - 1
    • Consider extracting duplicate env var logic · Line 90-96
  • flytepropeller/pkg/webhook/utils.go - 1
Review Details
  • Files reviewed - 11 · Commit Range: dd7a215..ef360e8
    • flyteidl/gen/pb-es/flyteidl/core/security_pb.ts
    • flyteidl/gen/pb-go/flyteidl/core/security.pb.go
    • flyteidl/gen/pb-js/flyteidl.d.ts
    • flyteidl/gen/pb-js/flyteidl.js
    • flyteidl/gen/pb_python/flyteidl/core/security_pb2.py
    • flyteidl/gen/pb_python/flyteidl/core/security_pb2.pyi
    • flyteidl/gen/pb_rust/flyteidl.core.rs
    • flyteidl/protos/flyteidl/core/security.proto
    • flytepropeller/pkg/webhook/k8s_secrets.go
    • flytepropeller/pkg/webhook/k8s_secrets_test.go
    • flytepropeller/pkg/webhook/utils.go
  • Files skipped - 4
    • flyteidl/clients/go/assets/admin.swagger.json - Reason: Filter setting
    • flyteidl/gen/pb-go/gateway/flyteidl/service/admin.swagger.json - Reason: Filter setting
    • flyteidl/gen/pb-go/gateway/flyteidl/service/agent.swagger.json - Reason: Filter setting
    • flyteidl/gen/pb-go/gateway/flyteidl/service/external_plugin_service.swagger.json - Reason: Filter setting
  • Tools
    • Golangci-lint (Linter) - ✖︎ Failed
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful

AI Code Review powered by Bito Logo

@thomasjpfan thomasjpfan mentioned this pull request Jan 10, 2025
Open
@flyte-bot
Copy link
Collaborator

Changelist by Bito

This pull request implements the following key changes.

Key Change Files Impacted
Feature Improvement - Add env_name field to Secret IDL

security.proto - Added env_name field to Secret message with documentation

security.pb.go - Generated Go code for env_name field in Secret struct

security_pb.ts - Generated TypeScript code for env_name field

flyteidl.d.ts - Added TypeScript definitions for env_name field

flyteidl.js - Generated JavaScript code for env_name field

security_pb2.py - Generated Python code for env_name field

security_pb2.pyi - Added Python type hints for env_name field

flyteidl.core.rs - Generated Rust code for env_name field
Other Improvements - Implement env_name support in K8s Secret Injector

k8s_secrets.go - Added logic to handle custom environment variable names for secrets
Feature Improvement - Add env_name field to Secret IDL

security.proto - Added env_name field to Secret message with documentation

security.pb.go - Generated Go code for env_name field in Secret struct

security_pb.ts - Generated TypeScript code for env_name field

flyteidl.d.ts - Added TypeScript definitions for env_name field

flyteidl.js - Generated JavaScript code for env_name field

security_pb2.py - Generated Python code for env_name field

security_pb2.pyi - Added Python type hints for env_name field

flyteidl.core.rs - Generated Rust code for env_name field
Testing - Add tests for custom environment variable support

k8s_secrets_test.go - Added test cases for custom environment variable names in both ENV_VAR and FILE mount types

utils.go - Added utility function to create environment variables with custom names for secrets

flyte-bot
flyte-bot reviewed Jan 10, 2025
View reviewed changes
flytepropeller/pkg/webhook/k8s_secrets.go
Comment on lines +90 to +96
if secret.GetEnvName() != "" {
extraEnvVar := *envVar.DeepCopy()
extraEnvVar.Name = secret.GetEnvName()

p.Spec.InitContainers = AppendEnvVars(p.Spec.InitContainers, extraEnvVar)
p.Spec.Containers = AppendEnvVars(p.Spec.Containers, extraEnvVar)
}
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider extracting duplicate env var logic

Consider extracting the duplicate environment variable injection logic into a helper function. The same pattern of copying and injecting environment variables appears in multiple places. A similar issue was also found in flytepropeller/pkg/webhook/k8s_secrets.go (line 79-82).

Code suggestion
Check the AI-generated fix before applying
Suggested change
if secret.GetEnvName() != "" {
extraEnvVar := *envVar.DeepCopy()
extraEnvVar.Name = secret.GetEnvName()
p.Spec.InitContainers = AppendEnvVars(p.Spec.InitContainers, extraEnvVar)
p.Spec.Containers = AppendEnvVars(p.Spec.Containers, extraEnvVar)
}
if secret.GetEnvName() != "" {
injectEnvVarToContainers(p, envVar, secret.GetEnvName())
}

Code Review Run #40b3bc

Is this a valid issue, or was it incorrectly flagged by the Agent?

  • it was incorrectly flagged

flyte-bot
flyte-bot reviewed Jan 10, 2025
View reviewed changes
flytepropeller/pkg/webhook/utils.go
func CreateVolumeMountEnvVarForSecretWithEnvName(secret *core.Secret) corev1.EnvVar {
return corev1.EnvVar{
Name: secret.GetEnvName(),
Value: filepath.Join(filepath.Join(K8sSecretPathPrefix...), strings.ToLower(secret.GetGroup()), strings.ToLower(secret.GetKey())),
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider path.Join for URL paths

Consider using path.Join() instead of filepath.Join() for URL-like paths. The filepath.Join() uses OS-specific path separators which may cause issues if the path is used in URLs or container environments.

Code suggestion
Check the AI-generated fix before applying
Suggested change
Value: filepath.Join(filepath.Join(K8sSecretPathPrefix...), strings.ToLower(secret.GetGroup()), strings.ToLower(secret.GetKey())),
Value: path.Join(path.Join(K8sSecretPathPrefix...), strings.ToLower(secret.GetGroup()), strings.ToLower(secret.GetKey())),

Code Review Run #40b3bc

Is this a valid issue, or was it incorrectly flagged by the Agent?

  • it was incorrectly flagged

@codecov Codecov
Copy link

codecov bot commented Jan 10, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 78.26087% with 5 lines in your changes missing coverage. Please review.

Project coverage is 37.03%. Comparing base (b010747) to head (05d128f).
Report is 7 commits behind head on master.

Files with missing lines Patch % Lines
flyteidl/gen/pb-go/flyteidl/core/security.pb.go 0.00% 5 Missing ⚠️
Additional details and impacted files 
@@           Coverage Diff           @@
##           master    #6160   +/-   ##
=======================================
  Coverage   37.02%   37.03%           
=======================================
  Files        1317     1317           
  Lines      132523   132557   +34     
=======================================
+ Hits        49066    49086   +20     
- Misses      79211    79225   +14     
  Partials     4246     4246
Flag Coverage Δ
unittests-datacatalog 51.58% <ø> (ø)
unittests-flyteadmin 54.25% <ø> (ø)
unittests-flytecopilot 30.99% <ø> (ø)
unittests-flytectl 62.29% <ø> (ø)
unittests-flyteidl 7.23% <0.00%> (-0.01%) ⬇️
unittests-flyteplugins 53.85% <ø> (ø)
unittests-flytepropeller 42.67% <100.00%> (+0.03%) ⬆️
unittests-flytestdlib 55.11% <ø> (-0.07%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@thomasjpfan
Uses +optional
05d128f 
Signed-off-by: Thomas J. Fan <[email protected]>
@flyte-bot
Copy link
Collaborator

flyte-bot commented Jan 11, 2025
edited
Loading

Code Review Agent Run Status

  • Limitations and other issues: ❌ Failure - We encountered technical difficulties while attempting to generate code feedback. Please try again or contact [email protected].

@thomasjpfan thomasjpfan merged commit 91d0383 into flyteorg:master Jan 15, 2025
53 checks passed
@thomasjpfan thomasjpfan mentioned this pull request Jan 16, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@flyte-bot flyte-bot flyte-bot left review comments

@pingsutw pingsutw pingsutw approved these changes

Assignees
No one assigned
Labels
added Merged changes that add new functionality
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@thomasjpfan @flyte-bot @pingsutw