-
Notifications
You must be signed in to change notification settings - Fork 3.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Support Injecting Secrets into Apps Running in the Cloud
Adds a new '--secret' flag to 'lightning run app': lightning run app --cloud --secret MY_SECRET=my-secret-name app.py When the Lightning App runs in the cloud, the 'MY_SECRET' environment variable will be populated with the value of the referenced Secret. The value of the Secret is encrypted in the database, and will only be decrypted and accessible to the Flow/Work processes in the cloud.
- Loading branch information
1 parent
b84c03f
commit b2c75eb
Showing
7 changed files
with
114 additions
and
6 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
from typing import Dict, List | ||
|
||
from lightning_app.utilities.network import LightningClient | ||
from lightning_app.utilities.cloud import _get_project | ||
|
||
|
||
def _names_to_ids(secret_names: List[str]) -> Dict[str, str]: | ||
""" | ||
Returns the name/ID pair for each given Secret name. | ||
""" | ||
lightning_client = LightningClient() | ||
|
||
project = _get_project(lightning_client) | ||
secrets = lightning_client.secret_service_list_secrets(project.project_id) | ||
|
||
secret_names_to_ids: Dict[str, str] = {} | ||
for secret in secrets.secrets: | ||
if secret.name in secret_names: | ||
secret_names_to_ids[secret.name] = secret.id | ||
|
||
return secret_names_to_ids |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
import pytest | ||
from typing import Dict, List | ||
from unittest import mock | ||
from unittest.mock import MagicMock | ||
|
||
from lightning_cloud.openapi import ( | ||
V1ListMembershipsResponse, | ||
V1Membership, | ||
V1ListSecretsResponse, | ||
V1Secret, | ||
) | ||
|
||
from lightning_app.utilities.secrets import _names_to_ids | ||
|
||
|
||
@pytest.mark.parametrize( | ||
"secret_names, expected", | ||
[ | ||
([], {}), | ||
( | ||
["first-secret", "second-secret"], | ||
{"first-secret": "1234", "second-secret": "5678"}, | ||
), | ||
], | ||
) | ||
@mock.patch("lightning_cloud.login.Auth.authenticate", MagicMock()) | ||
@mock.patch("lightning_app.utilities.network.LightningClient.secret_service_list_secrets") | ||
@mock.patch("lightning_app.utilities.network.LightningClient.projects_service_list_memberships") | ||
def test_names_to_ids( | ||
list_memberships: MagicMock, | ||
list_secrets: MagicMock, | ||
secret_names: List[str], | ||
expected: Dict[str, str], | ||
): | ||
list_memberships.return_value = V1ListMembershipsResponse(memberships=[V1Membership(project_id="default-project")]) | ||
list_secrets.return_value = V1ListSecretsResponse( | ||
secrets=[V1Secret(name="first-secret", id="1234"), V1Secret(name="second-secret", id="5678")] | ||
) | ||
|
||
assert _names_to_ids(secret_names) == expected |