secret

package
v2.0.21 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 10, 2026 License: Apache-2.0, Apache-2.0 Imports: 54 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	// AWSSecretArnEnvVar defines the environment variable name to use to specify to the sidecar container which secret
	// to pull.
	AWSSecretArnEnvVar = "SECRET_ARN"

	// AWSSecretFilenameEnvVar defines the environment variable name to use to specify to the sidecar container where
	// to store the secret.
	AWSSecretFilenameEnvVar = "SECRET_FILENAME"

	// AWSSecretsVolumeName defines the static name of the volume used for mounting/sharing secrets between init-container
	// sidecar and the rest of the containers in the pod.
	AWSSecretsVolumeName = "aws-secret-vol" // #nosec

	// AWS SideCar Docker Container expects the mount to always be under /tmp
	AWSInitContainerMountPath = "/tmp"

	// AWSSecretMountPath defines the default mount path for secrets
	AWSSecretMountPath = "/etc/flyte/secrets" // #nosec G101
)
View Source 
const (
	AzureSecretsVolumeName = "azure-secret-vol" // #nosec G101

	AzureSecretMountPath = "/etc/flyte/secrets" // #nosec G101
)
View Source 
const (
	// Static name of the volume used for mounting secrets with file mount requirement.
	EmbeddedSecretsFileMountVolumeName = "embedded-secret-vol" // #nosec G101
	EmbeddedSecretsFileMountPath       = "/etc/flyte/secrets"  // #nosec G101

	// Name of the environment variable in the init container used for mounting secrets as files.
	// This environment variable is used to pass secret names and values to the init container.
	// The init container then reads its value and writes secrets to files.
	// Format of this environment variable's value:
	// 		secret_name1=base64_encoded_secret_value1
	// 		secret_name2=base64_encoded_secret_value2
	//		...
	EmbeddedSecretsFileMountInitContainerEnvVariableName = "SECRETS" // #nosec G101

	ProjectLabel      = "project"
	DomainLabel       = "domain"
	OrganizationLabel = "organization"
	EmptySecretScope  = ""

	// All of the namespace, group and key cannot contain '/' so it is safe to use '/' as a delimiter.
	NamespaceGroupKeyDelimiter = "/"

	SecretNotFoundErrorFormat                                   = "secret %v not found in the secret manager"                                // #nosec G101
	SecretReadFailureErrorFormat                                = "secret %v failed to be read from secret manager"                          // #nosec G101
	SecretNilErrorFormat                                        = "secret %v read as empty from the secret manager"                          // #nosec G101
	SecretRequirementsErrorFormat                               = "secret read requirements not met due to empty %v field in the pod labels" // #nosec G101
	SecretSecretNotFoundAcrossAllScopes                         = "secret not found across all scopes"                                       // #nosec G101
	ErrCodeSecretRequirementsError       stdlibErrors.ErrorCode = "SecretRequirementsError"                                                  // #nosec G101
	ErrCodeSecretNotFound                stdlibErrors.ErrorCode = "SecretNotFound"                                                           // #nosec G101
	ErrCodeSecretNotFoundAcrossAllScopes stdlibErrors.ErrorCode = "SecretNotFoundAcrossAllScopes"                                            // #nosec G101
	ErrCodeSecretReadFailure             stdlibErrors.ErrorCode = "SecretReadFailure"                                                        // #nosec G101
	ErrCodeSecretNil                     stdlibErrors.ErrorCode = "SecretNil"                                                                // #nosec G101
)
View Source 
const (
	// GCPSecretsVolumeName defines the static name of the volume used for mounting/sharing secrets between init-container
	// sidecar and the rest of the containers in the pod.
	GCPSecretsVolumeName = "gcp-secret-vol" // #nosec G101

	GCPSecretMountPath = "/etc/flyte/secrets" // #nosec G101
)
View Source 
const (
	SecretPathDefaultDirEnvVar = "FLYTE_SECRETS_DEFAULT_DIR" // #nosec
	SecretPathFilePrefixEnvVar = "FLYTE_SECRETS_FILE_PREFIX" // #nosec
	SecretEnvVarPrefix         = "FLYTE_SECRETS_ENV_PREFIX"  // #nosec
	SecretsID                  = "secrets"
)
View Source 
const (
	AWSSecretLatestVersion = "AWSCURRENT"
)
View Source 
const (
	EmptyString = ""
)
View Source 
const (
	EnvVarGroupKeySeparator = "_"
)
View Source 
const (
	GCPSecretNameFormat = "projects/%s/secrets/%s/versions/latest" // #nosec G101
)
View Source 
const (
	// NotFoundAcrossAllScopesMsg is the error message prefix returned when a secret is not found across all scopes,
	// and is used to match on errors.
	NotFoundAcrossAllScopesMsg = "none of the secret managers injected secret"
)

Variables

View Source 
var (
	ImagePullLabels = map[string]string{
		// contains filtered or unexported fields
	}
)
View Source 
var (
	K8sSecretPathPrefix = []string{string(os.PathSeparator), "etc", "flyte", "secrets"}
)
View Source 
var (
	VaultSecretPathPrefix = []string{string(os.PathSeparator), "etc", "flyte", "secrets"}
)

Functions

func AppendEnvVars 

func AppendEnvVars(containers []corev1.Container, envVars ...corev1.EnvVar) []corev1.Container

func AppendVolume 

func AppendVolume(volumes []corev1.Volume, volume corev1.Volume) []corev1.Volume

func AppendVolumeMounts 

func AppendVolumeMounts(containers []corev1.Container, mount corev1.VolumeMount) []corev1.Container

func BinaryToAzureSecret 

func BinaryToAzureSecret(value []byte) (string, error)

Encodes a binary value to appropriate Json format for Azure Key Vault storage

func CreateEnvVarForSecret 

func CreateEnvVarForSecret(secret *core.Secret, envVarPrefix string) corev1.EnvVar

func CreateVaultAnnotationsForSecret 

func CreateVaultAnnotationsForSecret(secret *core.Secret, kvversion config.KVVersion) map[string]string

func CreateVolumeForSecret 

func CreateVolumeForSecret(secret *core.Secret) corev1.Volume

func CreateVolumeMountEnvVarForSecretWithEnvName 

func CreateVolumeMountEnvVarForSecretWithEnvName(secret *core.Secret) corev1.EnvVar

func CreateVolumeMountForSecret 

func CreateVolumeMountForSecret(volumeName string, secret *core.Secret) corev1.VolumeMount

func DecodeAzureSecretName 

func DecodeAzureSecretName(encodedSecretName string) (string, error)

Azure Key Vault specific decoding for secret names. Reverses EncodeAzureSecretName.

func EncodeAzureSecretName 

func EncodeAzureSecretName(secretName string) (string, error)

Azure Key Vault specific encoding for secret names. Union introduces __ to deliminate contextual information into the secret.

This codec unwraps the Union specific Key encoding and re-encodes it to a format that is compatible with Azure Key Vault. The encoding scheme is versioned and is as follows: - Uses 0 as an escape character - Uses 1 to escape hyphens - Uses 2 to escape underscores - Uses base32 encoding for the name component

Ref: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.KeyVault.SecretName/

func EncodeK8sSecretName 

func EncodeK8sSecretName(secretName string) string

A Kubernetes Secret object's name must be a valid DNS subdomain, which prohibits the use of "_". However, Union uses "__" to delimit contextual information. There are no restrictions on key names within a Kubernetes Secret object, so we can store the original secret name as a key inside the Secret. To ensure the Kubernetes Secret name complies with DNS subdomain rules, we can use a hash of the original secret name. Since this is just for avoid Kubernetes naming restrictions and not for security, we can use a simple hash function like MD5.

func EncodeSecretName 

func EncodeSecretName(org, domain, project, name string) string

func EncodeSecretNamePrefix 

func EncodeSecretNamePrefix(org, domain, project string) string

EncodeSecretNamePrefix creates a prefix to search for in the secrets manager

func GetSecretID 

func GetSecretID(secretKey string, labels map[string]string) (string, error)

func StringToAzureSecret 

func StringToAzureSecret(value string) (string, error)

Encodes a string value to appropriate Json format for Azure Key Vault storage

func ToImagePullK8sLabels 

func ToImagePullK8sLabels(components SecretNameComponents) map[string]string

ToImagePullK8sLabels generates a map of labels that can be used to identify the image pull Kubernetes secret. These labels are intended to supplement the hashed secret name and provide additional metadata.

func ToImagePullK8sName 

func ToImagePullK8sName(components SecretNameComponents) string

ToImagePullK8sName generates a Kubernetes secret name based on the provided secret name components. The name includes a consistent hash of the components to ensure uniqueness, be Kubernetes compliant, and avoid collisions.

Types

type AWSSecretFetcher 

type AWSSecretFetcher struct {
	// contains filtered or unexported fields
}

func (AWSSecretFetcher) GetSecretValue 

func (a AWSSecretFetcher) GetSecretValue(ctx context.Context, secretID string) (*SecretValue, error)

type AWSSecretManagerClient 

type AWSSecretManagerClient interface {
	GetSecretValue(context.Context, *secretsmanager.GetSecretValueInput, ...func(*secretsmanager.Options)) (*secretsmanager.GetSecretValueOutput, error)
}

AWSSecretManagerClient AWS Secret Manager API interface used in the webhook for looking up the secret to mount on the user pod.

type AWSSecretManagerInjector 

type AWSSecretManagerInjector struct {
	// contains filtered or unexported fields
}

AWSSecretManagerInjector allows injecting of secrets from AWS Secret Manager as files. It uses AWS-provided SideCar as an init-container to download the secret and save it to a local volume shared with all other containers in the pod. It supports multiple secrets to be mounted but that will result into adding an init container for each secret. The role/serviceaccount used to run the Pod must have permissions to pull the secret from AWS Secret Manager. Otherwise, the Pod will fail with an init-error. Files will be mounted on /etc/flyte/secrets/<SecretGroup>/<SecretKey>

func NewAWSSecretManagerInjector 

func NewAWSSecretManagerInjector(cfg config.AWSSecretManagerConfig) AWSSecretManagerInjector

NewAWSSecretManagerInjector creates a SecretInjector that's able to mount secrets from AWS Secret Manager.

func (AWSSecretManagerInjector) Inject 

func (i AWSSecretManagerInjector) Inject(ctx context.Context, secret *core.Secret, p *corev1.Pod) (newP *corev1.Pod, injected bool, err error)

func (AWSSecretManagerInjector) Type 

func (i AWSSecretManagerInjector) Type() config.SecretManagerType

type AzureError 

type AzureError struct {
	Code    string `json:"code"`
	Message string `json:"message"`
}

type AzureErrorResponse 

type AzureErrorResponse struct {
	Error AzureError `json:"error"`
}

The AzureErrorResponse object represents an error response from Azure Key Vault API.

Ref: https://learn.microsoft.com/en-us/azure/key-vault/general/authentication-requests-and-responses

type AzureKeyVaultClient 

type AzureKeyVaultClient interface {
	GetSecret(ctx context.Context, name string, version string, options *azsecrets.GetSecretOptions) (azsecrets.GetSecretResponse, error)
}

AzureKeyVaultClient Azure Key Vault API interface used in the webhook for looking up the secret to mount on the user pod.

type AzureSecretFetcher 

type AzureSecretFetcher struct {
	// contains filtered or unexported fields
}

func (AzureSecretFetcher) GetSecretValue 

func (a AzureSecretFetcher) GetSecretValue(ctx context.Context, secretID string) (*SecretValue, error)

type AzureSecretManagerInjector 

type AzureSecretManagerInjector struct {
	// contains filtered or unexported fields
}

AzureSecretManagerInjector allows injecting of secrets from Azure Key Vault as files. It uses a Azure az-cli SDK SideCar as an init-container to download the secret and save it to a local volume shared with all other containers in the pod. It supports multiple secrets to be mounted but that will result into adding an init container for each secret. The Azure user-assigned managed identity associated with the Pod via Workload Identity Federation, must have permissions to pull the secret from Azure Key Vault.

Files will be mounted on - /etc/flyte/secrets/<SecretGroup>/<SecretGroupVersion> when GroupVersion is set - /etc/flyte/secrets/<SecretGroup> when GroupVersion is not set, retrieving the latest version.

func NewAzureSecretManagerInjector 

func NewAzureSecretManagerInjector(cfg config.AzureSecretManagerConfig) AzureSecretManagerInjector

func (AzureSecretManagerInjector) Inject 

func (a AzureSecretManagerInjector) Inject(ctx context.Context, secret *core.Secret, p *corev1.Pod) (newP *corev1.Pod, injected bool, err error)

func (AzureSecretManagerInjector) Type 

func (a AzureSecretManagerInjector) Type() config.SecretManagerType

type EmbeddedSecretManagerInjector 

type EmbeddedSecretManagerInjector struct {
	// contains filtered or unexported fields
}

AWSSecretManagerInjector allows injecting of secrets from AWS Secret Manager as environment variable. It uses AWS-provided SideCar as an init-container to download the secret and save it to a local volume shared with all other containers in the pod. It supports multiple secrets to be mounted but that will result into adding an init container for each secret. The role/serviceaccount used to run the Pod must have permissions to pull the secret from AWS Secret Manager. Otherwise, the Pod will fail with an init-error. Files will be mounted on /etc/flyte/secrets/<SecretGroup>/<SecretKey>

func (*EmbeddedSecretManagerInjector) Inject 

func (i *EmbeddedSecretManagerInjector) Inject(
	ctx context.Context,
	secret *core.Secret,
	pod *corev1.Pod,
) (*corev1.Pod, bool, error)

func (*EmbeddedSecretManagerInjector) Type 

func (i *EmbeddedSecretManagerInjector) Type() config.SecretManagerType

type GCPSecretFetcher 

type GCPSecretFetcher struct {
	// contains filtered or unexported fields
}

func (GCPSecretFetcher) GetSecretValue 

func (g GCPSecretFetcher) GetSecretValue(ctx context.Context, secretID string) (*SecretValue, error)

type GCPSecretManagerClient 

type GCPSecretManagerClient interface {
	AccessSecretVersion(ctx context.Context, req *secretmanagerpb.AccessSecretVersionRequest, opts ...gax.CallOption) (*secretmanagerpb.AccessSecretVersionResponse, error)
}

GCPSecretManagerClient GCP Secret Manager API interface used in the webhook for looking up the secret to mount on the user pod.

type GCPSecretManagerInjector 

type GCPSecretManagerInjector struct {
	// contains filtered or unexported fields
}

GCPSecretManagerInjector allows injecting of secrets from GCP Secret Manager as files. It uses a Google Cloud SDK SideCar as an init-container to download the secret and save it to a local volume shared with all other containers in the pod. It supports multiple secrets to be mounted but that will result into adding an init container for each secret. The Google serviceaccount (GSA) associated with the Pod, either via Workload Identity (recommended) or the underlying node's serviceacccount, must have permissions to pull the secret from GCP Secret Manager. Currently, the secret must also exist in the same project. Otherwise, the Pod will fail with an init-error. Files will be mounted on /etc/flyte/secrets/<SecretGroup>/<SecretGroupVersion>

func NewGCPSecretManagerInjector 

func NewGCPSecretManagerInjector(cfg config.GCPSecretManagerConfig) GCPSecretManagerInjector

NewGCPSecretManagerInjector creates a SecretInjector that's able to mount secrets from GCP Secret Manager.

func (GCPSecretManagerInjector) Inject 

func (i GCPSecretManagerInjector) Inject(ctx context.Context, secret *core.Secret, p *corev1.Pod) (newP *corev1.Pod, injected bool, err error)

func (GCPSecretManagerInjector) Type 

func (i GCPSecretManagerInjector) Type() config.SecretManagerType

type GlobalSecretProvider 

type GlobalSecretProvider interface {
	GetForSecret(ctx context.Context, secret *coreIdl.Secret) (string, error)
}

type GlobalSecrets 

type GlobalSecrets struct {
	// contains filtered or unexported fields
}

GlobalSecrets allows the injection of secrets from the process memory space (env vars) or mounted files into pods intercepted through this admission webhook. Secrets injected through this type will be mounted as environment variables. If a secret has a mounting requirement that does not allow Env Vars, it'll fail to inject the secret.

func NewGlobalSecrets 

func NewGlobalSecrets(provider GlobalSecretProvider, cfg *config.Config) GlobalSecrets

func (GlobalSecrets) Inject 

func (g GlobalSecrets) Inject(ctx context.Context, secret *coreIdl.Secret, p *corev1.Pod) (newP *corev1.Pod, injected bool, err error)

func (GlobalSecrets) Type 

func (g GlobalSecrets) Type() config.SecretManagerType

type K8sSecretFetcher 

type K8sSecretFetcher struct {
	// contains filtered or unexported fields
}

func (K8sSecretFetcher) GetSecretValue 

func (s K8sSecretFetcher) GetSecretValue(ctx context.Context, secretID string) (*SecretValue, error)

type K8sSecretInjector 

type K8sSecretInjector struct {
	// contains filtered or unexported fields
}

K8sSecretInjector allows injecting of secrets into pods by specifying either EnvVarSource or SecretVolumeSource in the Pod Spec. It'll, by default, mount secrets as files into pods. The current version does not allow mounting an entire secret object (with all keys inside it). It only supports mounting a single key from the referenced secret object. The secret.Group will be used to reference the k8s secret object, the Secret.Key will be used to reference a key inside and the secret.Version will be ignored. Environment variables will be named _UNION_<SecretGroup>_<SecretKey>. Files will be mounted on /etc/flyte/secrets/<SecretGroup>/<SecretKey>

func NewK8sSecretsInjector 

func NewK8sSecretsInjector(cfg *config.Config) K8sSecretInjector

func (K8sSecretInjector) Inject 

func (i K8sSecretInjector) Inject(ctx context.Context, secret *core.Secret, p *corev1.Pod) (newP *corev1.Pod, injected bool, err error)

func (K8sSecretInjector) Type 

func (i K8sSecretInjector) Type() config.SecretManagerType

type MockableControllerRuntimeClient 

type MockableControllerRuntimeClient interface {
	client.Client
}

type SecretFetcher 

type SecretFetcher interface {
	GetSecretValue(ctx context.Context, secretID string) (*SecretValue, error)
}

func NewAWSSecretFetcher 

func NewAWSSecretFetcher(cfg config.AWSConfig, client AWSSecretManagerClient) SecretFetcher

NewAWSSecretFetcher creates a secret value fetcher for AWS

func NewAzureSecretFetcher 

func NewAzureSecretFetcher(client AzureKeyVaultClient) SecretFetcher

func NewGCPSecretFetcher 

func NewGCPSecretFetcher(cfg config.GCPConfig, client GCPSecretManagerClient) SecretFetcher

NewGCPSecretFetcher creates a secret value fetcher for GCP

func NewK8sSecretFetcher 

func NewK8sSecretFetcher(secretClient v1.SecretInterface) SecretFetcher

NewK8sSecretFetcher creates a secret value fetcher for K8s

func NewSecretFetcher 

func NewSecretFetcher(ctx context.Context, cfg config.EmbeddedSecretManagerConfig) (SecretFetcher, error)

type SecretNameComponents 

type SecretNameComponents struct {
	Org     string
	Domain  string
	Project string
	Name    string // Secret name
}

func DecodeSecretName 

func DecodeSecretName(encodedSecretName string) (*SecretNameComponents, error)

func (SecretNameComponents) String 

func (s SecretNameComponents) String() string

type SecretValue 

type SecretValue struct {
	StringValue string
	BinaryValue []byte
}

func AzureToUnionSecret 

func AzureToUnionSecret(secret azsecrets.Secret) (*SecretValue, error)

type SecretsInjector 

type SecretsInjector interface {
	Type() config.SecretManagerType
	Inject(ctx context.Context, secrets *core.Secret, p *corev1.Pod) (newP *corev1.Pod, injected bool, err error)
}

func NewEmbeddedSecretManagerInjector 

func NewEmbeddedSecretManagerInjector(
	cfg config.EmbeddedSecretManagerConfig,
	secretFetchers []SecretFetcher,
	k8sClient client.Client,
	referenceNamespace string,
	secretCache goCache.CacheInterface[SecretValue],
	parentCfg *config.Config,
) SecretsInjector

type SecretsPodMutator 

type SecretsPodMutator struct {
	// contains filtered or unexported fields
}

func NewSecretsMutator 

func NewSecretsMutator(ctx context.Context, cfg *config.Config, podNamespace string, scope promutils.Scope) (*SecretsPodMutator, error)

NewSecretsMutator creates a new SecretsMutator with all available plugins.

func (SecretsPodMutator) ID 

func (s SecretsPodMutator) ID() string

func (*SecretsPodMutator) LabelSelector 

func (s *SecretsPodMutator) LabelSelector() *metav1.LabelSelector

func (*SecretsPodMutator) Mutate 

func (s *SecretsPodMutator) Mutate(ctx context.Context, pod *corev1.Pod) (newP *corev1.Pod, podChanged bool, errResponse *admission.Response)

type VaultSecretManagerInjector 

type VaultSecretManagerInjector struct {
	// contains filtered or unexported fields
}

VaultSecretManagerInjector allows injecting of secrets into pods by leveraging an existing deployment of Vault Agent Vault Agent functions as an additional webhook that is triggered through annotations and then retrieves and mounts the requested secrets from Vault. This injector parses a secret Request into vault annotations, interpreting the secret Group as the vault secret path and the secret Key as the key for which to extract a value from a Vault secret. It supports adding multiple secrets. (The common annotations will simply be overwritten if added several times) Note that you need to configure the Vault role that this injector will try to use and add Vault policies for the service account and namespaces that your workflows run under. Files will be mounted at /etc/flyte/secrets/<SecretGroup>/<SecretKey>

func NewVaultSecretManagerInjector 

func NewVaultSecretManagerInjector(cfg config.VaultSecretManagerConfig) VaultSecretManagerInjector

func (VaultSecretManagerInjector) Inject 

func (i VaultSecretManagerInjector) Inject(ctx context.Context, secret *coreIdl.Secret, p *corev1.Pod) (newP *corev1.Pod, injected bool, err error)

func (VaultSecretManagerInjector) Type 

func (i VaultSecretManagerInjector) Type() config.SecretManagerType

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.