Remove core flyteadmin init-secret initContainer
 - A separate container instance that requires Kubernetes API access is
   unnecessary when Helm is able to generate the same secret values in
   the client before submitting resources to Kubernetes.

   The declarative approach here is identical to what the code does in
   https://github.com/flyteorg/flyte/blob/master/flyteadmin/auth/init_secrets.go#L80-L151

 - The lookup function is used so that on upgrades, the secret is not
   regenerated -- the existing values in the cluster are used.

 - Note that Helm always creates secret resources before deployment
   resources, so the secret values are guaranteed to be available before
   flyteadmin starts

 - Update helm chart regenerate check so that it only fails if the diff
   has new or removed lines

Signed-off-by: ddl-ebrown <[email protected]>
ddl-ebrown committed Jul 12, 2024
1 parent 81afb76 commit 56f1cf5
Showing 9 changed files with 55 additions and 158 deletions.
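--- a/charts/flyte-core/templates/admin/deployment.yaml
+++ b/charts/flyte-core/templates/admin/deployment.yaml
@@ -107,31 +107,6 @@ spec:
 {{- end }}
 {{- end }}
 {{- end }}
-- name: generate-secrets
-image: "{{ .Values.flyteadmin.image.repository }}:{{ .Values.flyteadmin.image.tag }}"
-imagePullPolicy: "{{ .Values.flyteadmin.image.pullPolicy }}"
-command: ["/bin/sh", "-c"]
-args:
-[
-"flyteadmin --config={{ .Values.flyteadmin.configPath }} secrets init --localPath /etc/scratch/secrets && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --name flyte-admin-secrets --fromPath /etc/scratch/secrets",
-]
-securityContext:
-allowPrivilegeEscalation: false
-capabilities:
-drop: ["ALL"]
-volumeMounts:
-- mountPath: /etc/flyte/config
-name: base-config-volume
-- mountPath: /etc/scratch
-name: scratch
-env:
-- name: POD_NAMESPACE
-valueFrom:
-fieldRef:
-fieldPath: metadata.namespace
-{{- with .Values.flyteadmin.env -}}
-{{- tpl (toYaml .) $ | nindent 12 }}
-{{- end }}
 containers:
 - command:
 - flyteadmin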
17 changes: 17 additions & 0 deletions charts/flyte-core/templates/admin/secret.yaml
@@ -1,11 +1,28 @@
{{- if .Values.flyteadmin.enabled }}
{{- $secret := (lookup "v1" "Secret" (include "flyte.namespace" .) "flyte-admin-secrets") -}}
apiVersion: v1
kind: Secret
metadata:
name: flyte-admin-secrets
namespace: {{ template "flyte.namespace" . }}
type: Opaque
data:
{{- if $secret }}
token_rsa_key.pem: |
{{ index $secret.data "token_rsa_key.pem" }}
cookie_hash_key: {{ index $secret.data "cookie_hash_key" }}
cookie_block_key: {{ index $secret.data "cookie_block_key" }}
claim_symmetric_key: {{ index $secret.data "claim_symmetric_key" }}
{{- else }}
token_rsa_key.pem: |
{{ genPrivateKey "rsa" | b64enc }}
{{- end }}
stringData:
{{- if not $secret }}
cookie_hash_key: {{ randAlphaNum 64 | b64enc | quote }}
cookie_block_key: {{ randAlphaNum 32 | b64enc | quote }}
claim_symmetric_key: {{ randAlphaNum 32 | b64enc | quote }}
{{- end }}
{{- with .Values.flyteadmin.secrets -}}
{{ tpl (toYaml .) $ | nindent 2 }}
{{- end }}
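Review bot: `lookup` returns an empty map whenever the chart is rendered without a live cluster (`helm template`, `--dry-run`, and typically GitOps tools that render client-side), so `$secret` is empty and the `else` branch mints a new RSA key and new cookie/claim keys on every render. The generated manifests under `deployment/eks/` in this same commit show the effect: they now carry a concrete `token_rsa_key.pem` and cookie keys, which become shared, publicly readable key material for anyone who applies those files as-is. I would add a comment above the lookup, `{{- /* lookup is empty under helm template/--dry-run: the keys below are regenerated on each render and must not be committed or reused */ -}}`, and have the regenerate step replace these values with placeholders. On the upgrade path, an existing Secret that lacks one of the four keys renders that key as empty; guarding each read, e.g. `{{ index $secret.data "cookie_hash_key" | required "flyte-admin-secrets is missing cookie_hash_key" }}`, would fail the upgrade instead of silently blanking the key.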
28 changes: 6 additions & 22 deletions deployment/eks/flyte_aws_scheduler_helm_generated.yaml
@@ -56,7 +56,13 @@ metadata:
name: flyte-admin-secrets
namespace: flyte
type: Opaque
data:
token_rsa_key.pem: |
LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS1FJQkFBS0NBZ0VBdmFyejEwYzBvbW14OUdNUUVlZDh6ZzN6cUFmWGZDLzM5MFV3YUFFSENJd21zYlhTCk5rV2dUNGZyUzdOS3JML2syS2FCVjVVaC9neUF2cWFQTnlUczBVak9xL1ZieG45ZUlUVG50bE9lQ0VZWE9pZ2gKWWQ2a2FPbVlXakNicWdTMC93QlhHMjlkVHlycWxtZFFOWFlZZVJOOU80cEhPNGIzb3R0Rm1SWEVOenBBTEM1Vwo2c1NyNmpJRENXSzA2c3NmM1B4WEc1TEJaQ1hDaFpiQXNZZFNGUVlnc3ByZ0hXWTRzbEZIUmlDbm5BdWxyMEJxCjlkdVMxM0NJWkp3TE5aK1JDS2RRM0JKQ3pxZ1lnNDcwTXpXTXlUMnp4SkpFR1pLaGhYeEFuV1VZVmMzYkZHckoKNWl4cVZvWjZQM2QvUkZBeXIwc0k2UjZ3N1ZnUzlpQktabkpNV3FzMGdHRlpQRkdiVS9lcm9va0JKN2toakdFWApUbjF6eWZJMHlLSGwwNDZ4VmZ3Y1J0cUJvTVh3aWpmcFFjNDlManNJTzVuaVdxTm5rQ3pLanJJNHhBNElUNkhECi9YOFlVRnphbTZnY0NJdk4vaHZkZXdka3U4SndoOGI5Y0hDd2U0cHB0ZVZvTnVxdjV0SHBhOE9EZityZlR1MUwKYWM1QXRzVUR5TGRrSXNWL2pkaUlBKzlGTTJWN211YVVTVEM0bEVOS0xwQm1yZHFuUm5oVFFKSlNCZGVGMzhEWApqZFlOWUs5K0RKK25ReEdjVVA0c3Y2anorUVUvTkI4RTRMMFM4aVRIemZ0MkpOQTBFZmh5WWh4OVJXbHNzQ0RRCnJlc011ZVFkbVBubWJWcFBUMi80YjhVOVEyN1NIQ3krbmxsODdnb0NzWVY0Q1ZYeGFUU0RYQU5HZFdzQ0F3RUEKQVFLQ0FnRUFqZ1VoR3hUZGE3TzdKYVM3MXJ4QWJzWnhxV05kemtiWTVSV3czbC9PbFc3a1ZuTXdHYVZmR2M1TAp1TjVpenlITlNSQzhqd2xEYjhpSzZyY3JTLzVoT1lETUNHVHJ1S0dNcVU3RkpuaE1RQ1BEcHE5Lzk1blFBQ0xTCkNzNlU4T1VmWmtZcDg0Z2JGWG1zT0x6WmlYNkphcmZXTVN3a2xJVkdqbktrRmJIL3Y5N2xTRy9XYzJxYTAvMW8KMnJGSGlQeGFPbzNVNS9lbXljZWdkWWxoZGswK2dER2JjRUdhQ1VtT3NLODlzRndwUlNaUGhQKzJWNngzc3N3Mwp4U1kzR29zRi9iWFRUVVo3TWVVYW5nQUFDUXhUQkNrb244dHFKTC93SkZUYXlVQjJ6V0VjWjVoaTMvQm9HNndNCmc5T0Z2M0JSMDRKYkJMd1BmVmxTc1d1U2FrMnhyM1NWTmV4RjQwdkVURVZpMHJ0OE5aQzFDU1kwTkIxbDdzUnEKVW5hQmFsSldkalA1NkJQYTQ2SHNLQUF1aWVXRUw4K1Q3MUZkR1pUV012Mk13enpOT2tmYmNSczNtZ2wvdlRpOApkUmlFNWExYnpoUlRiOW1Bd09UNE56SFdsSHlWaENpSXFjM2J2WE5Id0FRN0M1OStjZjFCWW5leittM1RYQjVmCk8vNFpPWWFUNkkvN2wvMGREZ1pDOHlOYU1VMGhTUzVwbXFoYkhxWHdiejhncUt4dUQ4czFkdjBQWW1LQ3VPTkgKTmdpbWJxWUZNVGFzT2NvWHc0M0V2WjkwKzNONXQ4b1g1OWhnQm51WFNQaVVwSTVQM3hBbTZkV01yWFpIZkNySQpET2txQW1hVGUxMHN0VTB1bjJWeXJJVFZTaGhiT1Z1QlN5V2FyYVdBbU4xVTc3ZnF3dmtDZ2dFQkFOV2M3QUtxCkIyVUNJRGYyRHc5dGZjdVNRWjFIRndMVm05T1d4a3Vsc0Ywd1ZI
ank5SGlBaHB6SjMwc3pRK2I4ZkNWVFk5MFAKYXZlRHdqMnA4QitESkxVSXBWdGg4ZTB0VVVBaUF3S3FyaGV2RnJSTytKOEVDcVB3WVY0MUZNVGNVMmJXSXRqOQpSM1NxeitFVTJDdXVWbS9iaC9UL3FxMEtnMk9nQWJtUjJNM3ZkeEYzcWFJeVlnRkU2KzN3dkltQmhXNWJkZWNCCmdzd3RiZThyQVVDelZjb2l1Z3V4bEpiUVhXakticjZGRVRyUSszUmxDemg3SUVTNUVvaFVQK2orKzJYNHFHWE8KTVc2OTZDMmdBTTQ1Y0MxQkl1YUdlZEpzbXRmUXQrbFVlWWl5a043d05ET2orYWhacTVIaU96SXpRTndIb2kxcQphVFhxN3hoRmpSQ2cvdVVDZ2dFQkFPTk5xcDNjSHFVNXRiMmQ3RUJjTXdvV09ub2dGK3QvT244KysyWks1b1RlClF5bVcvTVJ0cE5aMlFuRkZKZ2tHZXdkZDhzbzVPZFVudmg1SnI4RUd1ZkVwVDNWNGVjc2kxbllIR29HU21vb2wKL2J5U0lsVHRONzVERW1SNWpYckZUUWxic1BBRk1TK3o0ODBseitGQW5ReE1ZK0lUVjc3dllQc3RRQkhjNllGNApRTWgrRU5DUGh5L3RORFJqc1lIeThRNXFxT1dnNmswV0tmQ1JsdTJNaUVpcDI5OW0zSytnY2xNUFBINlZCZ1YrCnd3MndEMjE4TnB2RDhvQmlwTjBneTZ3QkpqMk5OSkRMU0JES1dkSHBialJwdVg2Tm05Q3hRdGFyMnppTDF6ZTYKNncvTVM1c0NtRlZkendaZU5mL1pCZUFyZ21qZUhEMkU5RlAwLzViYkRnOENnZ0VBRUFiTytrQXhmOVdSLzBEWgp6bW1EbDZOb2d0bFRrNlhkSkJuYTFOQWdsRTFNK1NvWlIzVTFKRXhORVlKT0pPVnFsdzVUbnNGS1lEbWxlQ1RvCjNDUmx1Nk5qYktERG11emNmTGhRaTRHc3dDQWx6dTloM2VSYXZBUUwraHAzYlhHdVhEZlNzMzhGUG02V1hDZkoKTkRYSFRHc25IeTJUYTVvdlUya3MxL1JtVk1VVHBON2FmazNUWm83Nk9JYm9UbFRHWXdvL3BVNUt0dkR0bjVVVgphZnBLaEhqb2hub1RVT0ZmTUw2SFlvbnZTZjlsN2t5cWM5bGhDV2J0U2djd0tGWUJISngwWGZjRFpIQ2hHOU0yClhFS1k5UHcvRnhhZHl6alV3VDVxbmZuMWlGa0ZYNFNjRmdmR2NtZ1A1RWtaOGVGQWk0R1RIRjh3ZDVnaHlpdGwKc3dxeE5RS0NBUUVBb1pRbE04QTB2S2tRYXpFbXJ2MmJmcEVja3BIYnp4a0xBVWRKT0ljSDVPMkdlcnNOQmFrWApZeWgveExzdDlYNTQyRnpOYVRsU3hoWlJUSUIvQWswQXd0RGwzaEI5SzR5aFBSZUJuUmdVNlIxbWlMU3MyUWdqCjl3a0F1eEc1STh1N0htcmlsVXhya1loajZBSDRDeHgrUnk3S1Zmd0FCUWR2UGo0RmJHMUlSRE95Z1pNejZyNE0Ka0dJakdSYkJLU29FZDRZVWQ5OXlqc2V4bW9RejhMdFVhYXJ0VkpwdlNCMWJCM1l1UDZFNXZaQkZvYVpFNFVSSwpJV0lpTVdkdDRJOGVtUy9iK2ljMWRiUTdqMHY0bTRJL1I5emI4bjFCaFJGcy9PTC9tK3UwV3JaeHdESXVrSXRBCnRIWlI0eW4zWXQ3b0VWbDhnNFZZTjljYVE5QkdHL3V0dXdLQ0FRQjJsYTJZcENqTGhrKy9HLzJudXNFVk5HcGkKY1NiNXBmcXg3Q1N3WnhFeElPb21Ld0lJL1Z1REJqVVRkd1hqcVEwZVJqN3pncVBtQnZNenlFMkszbzdMVjluWAplbUpzd212WGloZnRWMVcyZVhKNHU1UTFyVW1kckFZK09BdUdyMHNXalpx
MEV5YXRaN0RwaTVKY1M5UGR1bWtoCmZTN1VBMHNXdDI2d0pWcGZkT1F1T1F6dWFna3U3UVU3bVE4cGV0VDBzVmJKa2RjemJvRFdIR3F1VDJaV3VRSGEKT0dCSjZzSG5iWlF5VkVVOGtoT3VFV0xrakFVMnNIQ0hWQ1gvK0NPdExlR0lDaTc3bTdGVHVVaWdrd2lhalVrZgo5L0RrZ3N6dlNLb1l0cjFxbjFTVE1vendPYUpFR2Q4azZYVjVWS3ZjZkpQRFlYRy94SEdZcWU5WGl4Q3gKLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K
stringData:
cookie_hash_key: "QkszemVLWGdFU3h5UlhVS0JuU0oyWUNHcUNUdnhwQ2w2RTJsQktaR3gwcFg3MldNMGY0eFE0Z2VWS0t0bHp2QQ=="
cookie_block_key: "TVhSV3dVZjZlYkduQWtWWlFVZENkcE13bWpqYnk3NE8="
claim_symmetric_key: "RkptQ1dJODJvTGk0NGphb1ZSVWRpb1RZbEFaWHBIZTQ="
---
# Source: flyte-core/templates/common/secret-auth.yaml
apiVersion: v1
@@ -931,28 +937,6 @@ spec:
name: clusters-config-volume
- mountPath: /etc/secrets/
name: admin-secrets
- name: generate-secrets
image: "cr.flyte.org/flyteorg/flyteadmin:v1.13.0"
imagePullPolicy: "IfNotPresent"
command: ["/bin/sh", "-c"]
args:
[
"flyteadmin --config=/etc/flyte/config/*.yaml secrets init --localPath /etc/scratch/secrets && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --name flyte-admin-secrets --fromPath /etc/scratch/secrets",
]
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
volumeMounts:
- mountPath: /etc/flyte/config
name: base-config-volume
- mountPath: /etc/scratch
name: scratch
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
containers:
- command:
- flyteadmin
28 changes: 6 additions & 22 deletions deployment/eks/flyte_helm_controlplane_generated.yaml
@@ -46,7 +46,13 @@ metadata:
name: flyte-admin-secrets
namespace: flyte
type: Opaque
data:
token_rsa_key.pem: |
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
stringData:
cookie_hash_key: "VlY3UEcxNFY2SFFLeUpucUdxSnRSNFJUbnpyOVNnaXZjOEZnMHF4NU4zaDFBaDhPT3FhMU9BaHREU05UWExhRw=="
cookie_block_key: "WXk3WDFQb2w2MFhTRjdCa3ZsTDNqVlNjTDBmOFN3aVY="
claim_symmetric_key: "cEVhdGFUNzRMOVFlZnBScVlDOVJ6SVBoZXE4dEpPRDg="
---
# Source: flyte-core/templates/common/secret-auth.yaml
apiVersion: v1
@@ -636,28 +642,6 @@ spec:
name: clusters-config-volume
- mountPath: /etc/secrets/
name: admin-secrets
- name: generate-secrets
image: "cr.flyte.org/flyteorg/flyteadmin:v1.13.0"
imagePullPolicy: "IfNotPresent"
command: ["/bin/sh", "-c"]
args:
[
"flyteadmin --config=/etc/flyte/config/*.yaml secrets init --localPath /etc/scratch/secrets && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --name flyte-admin-secrets --fromPath /etc/scratch/secrets",
]
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
volumeMounts:
- mountPath: /etc/flyte/config
name: base-config-volume
- mountPath: /etc/scratch
name: scratch
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
containers:
- command:
- flyteadmin
28 changes: 6 additions & 22 deletions deployment/eks/flyte_helm_generated.yaml
@@ -68,7 +68,13 @@ metadata:
name: flyte-admin-secrets
namespace: flyte
type: Opaque
data:
token_rsa_key.pem: |
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
stringData:
cookie_hash_key: "SmVNNUxQb0NmbG40VDFnTlF2TmtuRTBMNHJHNG9qRG5UNmQ5aGRqdGRoZ05GWE5uZUViS2trVm5IT2k3OGRRNA=="
cookie_block_key: "bnB5NlBudHFleHB1WUx2SWRDd1RYR09IY1BpaUxVZUo="
claim_symmetric_key: "WUlJN0NyRmhaaFpGQVVUZXc3bnRSTTJoS1hnTVMzMUU="
---
# Source: flyte-core/templates/common/secret-auth.yaml
apiVersion: v1
@@ -962,28 +968,6 @@ spec:
name: clusters-config-volume
- mountPath: /etc/secrets/
name: admin-secrets
- name: generate-secrets
image: "cr.flyte.org/flyteorg/flyteadmin:v1.13.0"
imagePullPolicy: "IfNotPresent"
command: ["/bin/sh", "-c"]
args:
[
"flyteadmin --config=/etc/flyte/config/*.yaml secrets init --localPath /etc/scratch/secrets && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --name flyte-admin-secrets --fromPath /etc/scratch/secrets",
]
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
volumeMounts:
- mountPath: /etc/flyte/config
name: base-config-volume
- mountPath: /etc/scratch
name: scratch
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
containers:
- command:
- flyteadmin