https://prefect.io logo
Join Slack
Powered by
How do you attach secret block in Kubernetes Job a...
# prefect-kubernetes
n
How do you attach secret block in Kubernetes Job and how it can access those secrets during runtime?
r
you have to do it as a patch document and add it to the deployment infra_overrides
n
So, you mean after deployment file is created we need to manually edit it and deploy it?
r
no - you can pass the patch into the build_from_flow
infra_overrides = dict()
customizations = []
#create patch for each secret store
for secret in secret_stores:
secretPatch = {
"op": "add",
"path": "/spec/template/spec/containers/0/envFrom/-",
"value": {
"secretRef": {
"name": secret.lower()
}
}}
customizations.append(secretPatch)
infra_overrides['customizations'] = customizations
Deployment.build_from_flow(
...
infra_overrides = infra_overrides
)
that is obviously passing all the secrets (secretRef) you can patch in a single one just the same
n
I am sorry I am new to all this. Where you put this patch.
r
See the build_from_flow
Your passing in a dictionary of infra_overrides (json patches for the job template)
n
Thank you was browsing same document 🙂 . Let me review it.
r
your just passing in a list of jsonpatches
n
But right now I am using command like this to deploy.
Copy code
prefect deployments build \                                                                                          flows/flow.py:kubernetes_flow \
    --name prefect-kubernetes-example \
    --infra-block kubernetes-job/prefect-kubernetes-poc \
     --work-queue kubernetes \
                --apply
r
yeah I use python to deploy
command line has 
--override
n
How you can deploy using plain python I thought you can do so only using that command.
r
prefect has a python api to do most things
I find it easier to template up deployments from flows using cookiecutter - easier to debug too
n
Is there any documentation or video somewhere. I only found command line way of doing it.
r
n
Thank you very much.
👍 1
It looks like multi document is not supported Getting this error
Copy code
yaml.composer.ComposerError: expected a single document in the stream
  in "common.yml", line 1, column 1
but found another document
  in "common.yml", line 19, column 1
This is my yaml
Copy code
apiVersion: batch/v1
kind: Job
metadata:
    # labels are required, even if empty
    labels: { }
spec:
    template:
        spec:
            completions: 1
            containers: # the first container is required
                -   env: [ ]  # env is required, even if empty
                    name: prefect-job
                    envFrom:
                        -   secretRef:
                                name: "bidw-access-control-service"
            parallelism: 1
            restartPolicy: Never

---
apiVersion: "<http://koudingspawn.de/v1|koudingspawn.de/v1>"
kind: Vault
metadata:
    name: bidw-access-control-service
    namespace: dev-bidw
spec:
    path: "dev/bidw-access-control-service"
    type: "KEYVALUEV2"
and this is my block.py
Copy code
from prefect.infrastructure.kubernetes import KubernetesJob, KubernetesImagePullPolicy


def create_kubernetes_job():
    block = KubernetesJob(
        image="someimage",
        namespace="dev-bidw",
        image_pull_policy=KubernetesImagePullPolicy.ALWAYS,
        finished_job_ttl=120,
        job_watch_timeout_seconds=6000,
        pod_watch_timeout_seconds=6000,
        env={"environment": "dev"},
        job=KubernetesJob.job_from_file("common.yml")
    )
    block.save("prefect-kubernetes-job-poc", overwrite=True)


if __name__ == "__main__":
    create_kubernetes_job()
Is there anyway to add this?
r
do you not just use annotations in the pod to get the secrets?
n
No I am using Vault to pull secret out. I was able to do this when deploying agent though.
But I had to manually edit yaml
r
isnt it like that? I use rancher, never touched hashicorp stuff
n
No we use this CRD https://vault.koudingspawn.de/ for Vault. Since it restarts pods if secrets get changed at Vault side.
r
so your trying to create the secret from vault into k8s
as part of this deployment
n
Yeah
r
yeah, that wont work
n
Oh 😬 . Let me see if I can make it work other way.
r
n
Looks like I found way to achieve this without multi doc support. Thank you very much for your help.
r
cool
11 Views
Open in Slack
PreviousNext
Powered by