Secrets Manager and secrets specification for tasks

[kumare3]

Signed-off-by: Ketan Umare [email protected]

TL;DR

[wip]Pending adding secrets to flyteidl tasktemplate
This enables every python task or a python plugin to request for secrets and the secrets are retrieved in a standardized way during the execution using the flytekit context's new SecretsManager.

SecretsManager will resolve the secrets by first looking at Env Var and then at the configured secrets directory.
Rules:

• the env var should be uppercased and should be prefixed with the configured prefix. Default will be FSEC{secret_key}
• If env var is not found, then Secretsmanager will look for a file under {default_dir}/{prefix}{secret_key}
  default_dir is set to /etc/secrets (can be overriden using an env var)
  prefix is set to ""

Type

• Bug Fix
• Feature
• Plugin

Are all requirements met?

• Code completed
• Smoke tested
• Unit tests added
• Code documentation added
• Any pending items have an associated Issue

Tracking Issue

flyteorg/flyte#796
flyteorg/flyte#800

[codecov]

Codecov Report

Merging #406 (93afa0e) into master (c7ff1e8) will increase coverage by 0.09%.
The diff coverage is 94.95%.

@@            Coverage Diff             @@
##           master     #406      +/-   ##
==========================================
+ Coverage   83.98%   84.07%   +0.09%     
==========================================
  Files         337      340       +3     
  Lines       24955    25166     +211     
  Branches     2028     2048      +20     
==========================================
+ Hits        20959    21159     +200     
- Misses       3441     3449       +8     
- Partials      555      558       +3     

Impacted Files	Coverage Δ
flytekit/common/translator.py	90.08% <ø> (ø)
flytekit/models/security.py	86.84% <86.84%> (ø)
tests/flytekit/unit/core/test_type_hints.py	95.54% <93.75%> (-0.06%)	⬇️
flytekit/__init__.py	100.00% <100.00%> (ø)
flytekit/common/tasks/sdk_runnable.py	84.21% <100.00%> (+2.23%)	⬆️
flytekit/common/tasks/task.py	62.89% <100.00%> (ø)
flytekit/configuration/secrets.py	100.00% <100.00%> (ø)
flytekit/core/base_task.py	84.92% <100.00%> (+0.38%)	⬆️
flytekit/core/python_auto_container.py	82.14% <100.00%> (+1.19%)	⬆️
flytekit/core/task.py	87.80% <100.00%> (+0.30%)	⬆️
... and 8 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c7ff1e8...93afa0e. Read the comment docs.

[wild-endeavor]

I feel like the user interface for secrets will evolve as people start using it (and maybe possibly as we add an authz layer). Not sure how exactly though.

[wild-endeavor]

Should this be Secret("my_secret")

[kumare3]

aah yes it should be, and thus in this case maybe i should do a check on this

[kumare3]

done

[cosmicBboy]

why are we removing task_type_version?

[kumare3]

not removing, i am keeping it so that, if something is declared in the base, it does not need to repeated at every class layer - **kwargs should take care of it?

[cosmicBboy]

maybe a strip() here in case of newlines??

[kumare3]

will do

[kumare3]

done

[cosmicBboy]

just a question: is this way of using multi-line strings as in-line comments a convention, or important for sphinx docs?

[kumare3]

Thats what I understand, that sphinx will convert this to a doc-string on the constant

[EngHabu]

This needs to be updated right? it will be <DEFAULT_DIR>/Group/<PREFIX>Key

[EngHabu]

path.join?

[kumare3]

for /etc/secrets you mean?

[EngHabu]

Should this be ANY?

[kumare3]

ANY what? - for MountType?

[EngHabu]

Suggested change

	"secrets", "default_dir", default=os.path.join("etc", "secrets")
	"secrets", "default_dir", default=os.path.join(os.path.sep, "etc", "secrets")