@channel Is it possible to utilize kubernetes secr...
# ask-community
d
@channel Is it possible to utilize kubernetes secrets in Prefect blocks, or somehow utilize kubernetes secrets with prefect-workers in kubernetes? Please let me know. Thanks
n
can you be more specific about what you want to use k8s secrets for as it relates to workers?
typically worker config is associated with job-level infra config, not cluster level
d
instead of using AWS secrets we would like to deploy kubernetes secrets with prefect-workers
n
> deploy kubernetes secrets with prefect-workers

hmm i am not so sure what you mean by this - this is not a pattern I'm familiar with. at a high level, can you explain what you're trying to do?
d
in short, is there a way that a flow can refer to kubernetes secrets instead of getting values from aws secrets?
n
it's possible, although not supported first class, because kubernetes secrets are often used for cluster level config in my experience, whereas the secrets you'd reference in a `prefect.yaml` would be for jobs that run on that cluster. can you explain why you need to reference k8s secrets in a `prefect.yaml`?
d
@Norman Blakely ^^
n
Hey @Nate I can answer the questions you have. So we currently use AWS Secrets Manager to store and encrypt our secrets. Our flows are developed to make an API call out to the Secrets Manager API to pull secrets during flow execution. We wanted to streamline the process by using External-Secrets Operator to sync the secrets to the kubernetes cluster.
This will decrease the amount of privileges that we have to assign to the prefect workers and lessens the amount of API calls to AWS during the execution.
So referencing a namespaced secret in kubernetes for flows made sense in my head, but I can't find anywhere in the documentation that allows flows to do this sort of referencing.
n
gotcha, so it seems there's a couple ways to go about this. if you're comfortable storing secrets in prefect, you can just create secret blocks for each secret and then just `.load` / reference them as needed. for reference, you can refer to a secret in a `prefect.yaml` like this
```yaml
pull:
    - prefect.deployments.steps.git_clone:
        repository: https://bitbucket.org/org/repo.git
        access_token: "{{ prefect.blocks.secret.bitbucket-token }}"
```
or load one in a flow like this
```python
from prefect import flow
from prefect.blocks.system import Secret

@flow
def foo():
    assert Secret.load("my-secret-name").get() == "very-secret-value"
```
i'd note that in general we recommend passing the name of secret blocks to flows instead of their values

otherwise, the interesting thing about our steps like `prefect.deployments.steps.git_clone` is that they're just fully qualified function names, so if you can write a python function that fetches from your desired secret location, you could save them as env vars on the runtime machine and load them inside the flow
n
Thanks for the info. One of these I thought of but I wanted confirmation from the experts first 😃 Thanks again
n
👍