From c7d82facc9f9854480e8d7ab98e40a440ce1b485 Mon Sep 17 00:00:00 2001 From: Tim Bauer <30375389+bimtauer@users.noreply.github.com> Date: Tue, 19 Oct 2021 22:15:55 +0200 Subject: [PATCH] Update use_secrets.py (#449) Correct the secret prefix and add context for changing it. Signed-off-by: Tim Bauer --- cookbook/core/containerization/use_secrets.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cookbook/core/containerization/use_secrets.py b/cookbook/core/containerization/use_secrets.py index 28946ef8f3..70ba0685d9 100644 --- a/cookbook/core/containerization/use_secrets.py +++ b/cookbook/core/containerization/use_secrets.py 
@@ -47,7 +47,8 @@ // Paths and names Global secrets need to be made available to the Pod Webhook pod either by mounting them as volumes or as environment variables. This is a good way to make secrets discoverable by tasks in all projects and domains, but as names of the secrets need to be unique it can get a convoluted if you have a large number of secrets. Note that global secrets can only be injected into the task pod as environemnt variables (see examples below). Volumes should be mounted into the path `/etc/secrets//`. -Environment variables should be named `FLYTE_SECRET__`. +Environment variables should be named `__`. +By default FLYTE_SECRETS_ENV_PREFIX is set to "_FSEC_" (see [declaration](https://github.com/flyteorg/flytekit/blob/3b7c2639643df99d9374d8338efadfa381625b87/flytekit/configuration/secrets.py#L6)), but you can override it. When using the K8s secret manager plugin (enabled by default), the secrets need to be available in the same namespace as the task (for example `flytesnacks-development`). K8s secrets can be mounted as both files and injected as environment variables into the task pod, so if you need to make larger files available to the task, then this might be the better option. Furthermore, this method also allows you to have separate credentials for different domains but still using the same name for the secret. The `group` of the secret request corresponds to the K8s secret name, while the `name` of the request corresponds to the key of the specific entry in the secret.
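Review bot: The added sentence "By default FLYTE_SECRETS_ENV_PREFIX is set to "_FSEC_" ... but you can override it" does not say how or where the override is applied, so a reader who changes the prefix cannot tell whether the variables mounted into the Pod Webhook pod must be renamed to match. Please name the setting that overrides it and state which components have to agree on the value. The default is also copied into the prose next to a link pinned to one flytekit commit, so the text will go stale silently if the declaration changes; consider saying that the linked declaration is authoritative. Two smaller points on the same lines: wrap `FLYTE_SECRETS_ENV_PREFIX` and `_FSEC_` in backticks like the other identifiers in this paragraph, and check that the new naming pattern renders with its prefix, group and key placeholders, since as shown here it reads only `__`.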