# prefect-kubernetes
c
Hello everyone! Have any of you already managed to use Kubernetes Secrets in your prefect pod? After a discussion with Marvin, it's not really clear how to achieve it. He mentioned adding the following into the deployment prefect.yaml file
```yaml
job_variables:
  image: myDockerImage
  envFrom:
    - secretRef:
        name: my-secret
```
But then explained that the `job_variables` field is used to set variables that are used in the job template, not environment variables in the running container. And said that I could update the prefect_job_template.yaml like that
```yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ job_name }}
  namespace: {{ namespace }}
spec:
  template:
    spec:
      containers:
      - name: flow
        image: {{ image }}
        envFrom:
        - secretRef:
            name: my-secret
        command: ["prefect", "execute", "flow-run"]
        args: ["--flow-run-id", "{{ flow_run_id }}"]
      restartPolicy: Never
```
But it seems that it is only compatible with Kubernetes agents and not Kubernetes Work Pool? And the agents don't seem to be recommended in the documentation. How do you manage that? It seems to be a simple use case to get access to the K8 secrets, so I think I must be missing something. In our case, we used to do things differently in prefect v1, and set up env in the KubernetesRun
```python
# Prefect 1.x run configuration (image, env and options are defined elsewhere)
from prefect.run_configs import KubernetesRun

run_config = KubernetesRun(
    image=image,
    env=env,
    image_pull_secrets=["gitlab-registry-credentials"],
    job_template_path="./prefect_k8s_job_template.yaml",
    **options,
)
```
but we can't do that anymore with prefect.deployments.run_deployment
k
To add the `envFrom` portion of the job manifest to your work pool, you can go to the three dots->Edit->Advanced. You can either hardcode the secretRef there, or make it a variable that can be overridden in your deployments.
c
@Kevin Grismore aaah ok cool I found it in the UI, thank you! It worked like a charm 🙂
k
🎉
n
Hi, I'm having a similar issue. I found the advanced base job template and tried to hard-code a k8s secret in it. Here's my current implementation:
```json
"job_manifest": {
      "kind": "Job",
      "spec": {
        "template": {
          "spec": {
            "containers": [
              {
                "env": [
                  {
                    "name": "SECRET_KEY",
                    "valueFrom": {
                      "secretKeyRef": {
                        "key": "key",
                        "name": "secret-key"
                      }
                    }
                  }
                ],
                "args": "{{ command }}",
                "name": "prefect-job",
                "image": "{{ image }}",
                "imagePullPolicy": "{{ image_pull_policy }}"
              }
            ],....
```
However, my jobs error out when they can't find that variable. Am I doing something wrong?
c
Here's how I did it, if it helps.
```json
"job_manifest": {
      "kind": "Job",
      "spec": {
        "template": {
          "spec": {
            "containers": [
              {
                "env": "{{ env }}",
                "args": "{{ command }}",
                "name": "prefect-job",
                "image": "{{ image }}",
                "envFrom": [
                  {
                    "secretRef": {
                      "name": "production-secret"
                    }
                  }
                ],
                "imagePullPolicy": "{{ image_pull_policy }}"
              }
            ],
```
n
Great, thank you @Clément Frison. I will give this a try.