Pod Mutating Webhook & Secret Annotation Injector

[EngHabu]

Signed-off-by: Haytham Abuelfutuh [email protected]

TL;DR

Add a Pod Mutating WebHook cmd for flytepropeller. The current setup only implements a secrets injector that can either inject secrets available to FlytePropeller or k8s secrets.

Type

• Bug Fix
• Feature
• Plugin

Are all requirements met?

• Code completed
• Smoke tested
• Unit tests added
• Code documentation added
• Any pending items have an associated Issue

Complete description

• flytepropeller webhook init-certs command issues a CA/Cert/PrivateKey and store them into a secret given a secret name
• flytepropeller webhook creates a MutatingWebhookConfigration object in etcd., a webhook server and registers it with API Server. From there:
  1. It starts listening to Pods labeled with inject-flyte-secrets: true.
  2. Parses out annotations on the pod to know which secrets to inject
  3. Lookups the env (envVars and mounted files) for the secret, if found it'll inject it directly into the pod
  4. Adds k8s EnvFrom or VolumeMountSource to mount the right secret into the Pod
• Plugin Manager change to automatically add inject-flyte-secrets: true to CRDs if the task has secrets in its TaskTemplate.

Tracking Issue

flyteorg/flyte#800

[kumare3]

few comments

[codecov]

Codecov Report

Merging #242 (1ea6a05) into master (0d1eeab) will increase coverage by 0.77%.
The diff coverage is 73.65%.

[kumare3]

if we add multiple namespaces - how does this work?

[kumare3]

lgtm, can you update the readme for flytepropeller to add that it contains this too?