Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Add option to provide Prefect API key to created jobs as a Kubernetes secret #99

Merged
merged 4 commits into from
Nov 8, 2023
Merged

Add option to provide Prefect API key to created jobs as a Kubernetes secret #99

merged 4 commits into from
Nov 8, 2023

Conversation

desertaxle
Copy link
Member

@desertaxle desertaxle commented Nov 6, 2023
edited
Loading

Adds an option to have a worker store its Prefect API key as a Kubernetes secret and provide the secret to created jobs. Prevents the exposure of a worker's Prefect API key by inspecting the manifests of the jobs it creates. The worker will clean up any created secrets upon shutdown.

This feature is opt-in because it requires the worker to have the necessary permissions to create secrets. Once it is battle-tested, this feature will be updates to be the default.

Closes PrefectHQ/prefect#10716

Example

To activate, set the PREFECT_KUBERNETES_WORKER_STORE_PREFECT_API_IN_SECRET environment variable:

$ export PREFECT_KUBERNETES_WORKER_STORE_PREFECT_API_IN_SECRET="true"

After running a job, you'll see a new secret created:

$ kubectl get secrets
kubernetesworker-c7d5551b-e0b9-49b1-a592-65c7-api-key   Opaque   1      96s

If you inspect the job, you'll see the same secret used:

$ kubectl get job papaya-lion-cwl2j -o yaml
apiVersion: batch/v1
kind: Job
spec:
  template:
    spec:
      containers:
      - args:
        - prefect
        - flow-run
        - execute
        env:
        - name: PREFECT_API_URL
          value: https://api.prefect.cloud/api/accounts/a0f10033-f08a-42f8-9b8d-b7a7d4b4b3c1/workspaces/e4b1c666-a4ab-42c7-8172-48d43966e691
        - name: PREFECT_API_KEY
          valueFrom:
            secretKeyRef:
              key: value
              name: kubernetesworker-c7d5551b-e0b9-49b1-a592-65c7-api-key

After shutting down the worker, the created secret should be gone:

$ kubectl get secrets 
No resources found in default namespace.

Screenshots

Checklist

  • References any related issue by including "Closes #" or "Closes ".
    • If no issue exists and your change is not a small fix, please create an issue first.
  • Includes tests or only affects documentation.
  • Passes pre-commit checks.
    • Run pre-commit install && pre-commit run --all locally for formatting and linting.
  • Includes screenshots of documentation updates.
    • Run mkdocs serve view documentation locally.
  • Summarizes PR's changes in CHANGELOG.md

@desertaxle desertaxle marked this pull request as ready for review November 7, 2023 04:59
@desertaxle desertaxle requested a review from a team as a code owner November 7, 2023 04:59
chrisguidry
chrisguidry approved these changes Nov 8, 2023
View reviewed changes
Copy link
Contributor

@chrisguidry chrisguidry left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's slick!

@desertaxle desertaxle merged commit baeb9b4 into main Nov 8, 2023
6 checks passed
@taylor-curran
Copy link

Comment from user -- medium priority:

PrefectHQ/prefect#10716 (comment)

@urimandujano urimandujano deleted the secret-api-key branch November 8, 2023 17:36
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@urimandujano urimandujano urimandujano approved these changes

@chrisguidry chrisguidry chrisguidry approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

PREFECT_API_KEY not secured in k8s flow run containers
4 participants
@desertaxle @taylor-curran @chrisguidry @urimandujano