Implement ability to specify additional/override annotations when using Vault Secret Manager #556
Conversation
pradithya
force-pushed
the
vault_extra_annotations
branch
from
0ebca7f
to
2a1ecb3
Compare
pkg/webhook/config/config.go
Outdated
| KVVersion KVVersion `json:"kvVersion" pflag:"-,The KV Engine Version. Defaults to 2. Use 1 for unversioned secrets. Refer to - https://www.vaultproject.io/docs/secrets/kv#kv-secrets-engine."` | ||
| Role string `json:"role" pflag:",Specifies the vault role to use"` | ||
| KVVersion KVVersion `json:"kvVersion" pflag:"-,The KV Engine Version. Defaults to 2. Use 1 for unversioned secrets. Refer to - https://www.vaultproject.io/docs/secrets/kv#kv-secrets-engine."` | ||
| ExtraAnnotations map[string]string `json:"extraAnnotations" pflag:"-,Additional annotation to be added to the pod. Useful to further customize Vault integration (https://developer.hashicorp.com/vault/docs/platform/k8s/injector/annotations)"` |
There was a problem hiding this comment.
Is the term extraAnnotations more descriptive than annotations? I think as long as we are explicit in the docs about which annotations Flyte automatically injects we can simplify this terminology.
There was a problem hiding this comment.
Make sense, I think annotations is the better term since it not only allows Flyte administrator to add extra annotations but also overrides the default annotation created by Flyte.
| { | ||
| name: "KVv3 Secret - with extra annotations", | ||
| args: args{ | ||
| cfg: config.VaultSecretManagerConfig{Role: "flyte", KVVersion: config.KVVersion2, ExtraAnnotations: map[string]string{ |
There was a problem hiding this comment.
Can you add some more examples here to cover the various override scenarios?
There was a problem hiding this comment.
Added cases where users provide their annotation via pod template annotations and system override annotation.
There was a problem hiding this comment.
This is great! I think the only point of contention is ensuring users understand the default vault-specific annotations that Flyte sets so they don't assume this extraAnnotations argument needs to contain something already being set. Does it make sense to update these docs as part of this change as well?
…secret manager Signed-off-by: Pradithya Aria <pradithya.pura@go-jek.com>
Signed-off-by: Jeev B <jeevb@users.noreply.github.com> Signed-off-by: Pradithya Aria <pradithya.pura@go-jek.com>
…rg#554) Signed-off-by: Jeev B <jeevb@users.noreply.github.com> Signed-off-by: Pradithya Aria <pradithya.pura@go-jek.com>
* removed barrier logic Signed-off-by: Daniel Rammer <daniel@union.ai> * deprecated TransitionTypeBarrier Signed-off-by: Daniel Rammer <daniel@union.ai> * removed barrier tests Signed-off-by: Daniel Rammer <daniel@union.ai> * bumping flyteplugins Signed-off-by: Daniel Rammer <daniel@union.ai> --------- Signed-off-by: Daniel Rammer <daniel@union.ai> Signed-off-by: Pradithya Aria <pradithya.pura@go-jek.com>
…org#553) * Check for TerminateExecution error and eat Precondition status Signed-off-by: Haytham Abuelfutuh <haytham@afutuh.com> * lint Signed-off-by: Haytham Abuelfutuh <haytham@afutuh.com> --------- Signed-off-by: Haytham Abuelfutuh <haytham@afutuh.com> Signed-off-by: Pradithya Aria <pradithya.pura@go-jek.com>
Signed-off-by: Pradithya Aria <pradithya.pura@go-jek.com>
pradithya
force-pushed
the
vault_extra_annotations
branch
from
d86aca6
to
87c1702
Compare
…t_extra_annotations
Yes, will add a follow-up PR to update the Vault-related user guide once the PR is merged. |
pradithya
changed the title
Signed-off-by: Pradithya Aria <pradithya.pura@go-jek.com>
pradithya
force-pushed
the
vault_extra_annotations
branch
from
56e2a38
to
dcf3113
Compare
|
Discovered this now when making some updates to my original contribution. I love this feature and its great to know that someone out there is also using flyte with vault :) One thing: I will rename the tests - you introduced a bunch of new ones named KVv3, KVv4 and so on. This was meant to represent the vault kv secret backend version to be tested. To my knowledge there are only 2. |
|
Tbh @bimtauer i atleast know 3/4 companies that use vault |
…ng Vault Secret Manager (flyteorg#556) * Implement ability to specify additional annotations when using Vault secret manager Signed-off-by: Pradithya Aria <pradithya.pura@go-jek.com> * Infer GOOS and GOARCH from environment (flyteorg#552) Signed-off-by: Jeev B <jeevb@users.noreply.github.com> Signed-off-by: Pradithya Aria <pradithya.pura@go-jek.com> * fix makefile to read variables from environment and overrides (flyteorg#554) Signed-off-by: Jeev B <jeevb@users.noreply.github.com> Signed-off-by: Pradithya Aria <pradithya.pura@go-jek.com> * Remove BarrierTick (flyteorg#545) * removed barrier logic Signed-off-by: Daniel Rammer <daniel@union.ai> * deprecated TransitionTypeBarrier Signed-off-by: Daniel Rammer <daniel@union.ai> * removed barrier tests Signed-off-by: Daniel Rammer <daniel@union.ai> * bumping flyteplugins Signed-off-by: Daniel Rammer <daniel@union.ai> --------- Signed-off-by: Daniel Rammer <daniel@union.ai> Signed-off-by: Pradithya Aria <pradithya.pura@go-jek.com> * Check for TerminateExecution error and eat Precondition status (flyteorg#553) * Check for TerminateExecution error and eat Precondition status Signed-off-by: Haytham Abuelfutuh <haytham@afutuh.com> * lint Signed-off-by: Haytham Abuelfutuh <haytham@afutuh.com> --------- Signed-off-by: Haytham Abuelfutuh <haytham@afutuh.com> Signed-off-by: Pradithya Aria <pradithya.pura@go-jek.com> * Rename to annotation Signed-off-by: Pradithya Aria <pradithya.pura@go-jek.com> * Inline merging annotations Signed-off-by: Pradithya Aria <pradithya.pura@go-jek.com> --------- Signed-off-by: Pradithya Aria <pradithya.pura@go-jek.com> Signed-off-by: Jeev B <jeevb@users.noreply.github.com> Signed-off-by: Daniel Rammer <daniel@union.ai> Signed-off-by: Haytham Abuelfutuh <haytham@afutuh.com> Co-authored-by: Jeev B <jeevb@users.noreply.github.com> Co-authored-by: Dan Rammer <daniel@union.ai> Co-authored-by: Haytham Abuelfutuh <haytham@afutuh.com>
TL;DR
Add
annotationsconfiguration to the Vault Secret Manager to provide better flexibility when integrating with Vault.Type
Are all requirements met?
Complete description
When the Vault secret manager is enabled, flyte-pod-webhook is responsible for adding vault-specific annotation to the task pod that requests secret variables. These annotations are used to configure the Vault Agent behavior when retrieving and populating the secret from Vault. As of now, the annotation provided by
flyte-pod-webhookis limited to the one implemented invault_secret_manager.go.This PR allows Flyte administrator to add additional or override default annotations providing better flexibility to customize Vault agent behavior. For example, the following configuration will set the Vault agent authentication type to use GCP and to immediately exit if the authentication failed.
Tracking Issue
NA
Follow-up issue
NA