Global Secret Providers

Global Secrets in Flyte provide a mechanism to inject credentials or configuration into task pods directly from the environment of the Flyte admission webhook. This is typically used for shared secrets that are available across the entire process space or mounted as files in the webhook's own pod.

The GlobalSecrets manager acts as the first line of resolution for any secret request. When a task pod is created, the SecretsPodMutator (found in flyteplugins/go/tasks/pluginmachinery/secret/secrets_pod_mutator.go) iterates through enabled secret managers, always placing GlobalSecrets at the beginning of the list:

// From flyteplugins/go/tasks/pluginmachinery/secret/secrets_pod_mutator.go
func NewSecretsMutator(ctx context.Context, cfg *config.Config, podNamespace string, scope promutils.Scope) (*SecretsPodMutator, error) {
	enabledSecretManagerTypes := []config.SecretManagerType{
		config.SecretManagerTypeGlobal,
	}
	// ... other managers added later
}

Secret Lookup Mechanism

The GlobalSecrets manager relies on the FileEnvSecretManager to retrieve secret values. This provider performs a two-step lookup within the webhook's process space:

  1. Environment Variables: It first looks for an environment variable named by concatenating a configured prefix, the secret group, and the secret key (all converted to uppercase).
  2. Filesystem: If not found in the environment, it looks for a file at a path constructed from a base directory, the secret group, and the secret key.

The lookup logic is implemented in flyteplugins/go/tasks/pluginmachinery/secretmanager/secrets.go:

// From flyteplugins/go/tasks/pluginmachinery/secretmanager/secrets.go
func (f FileEnvSecretManager) GetForSecret(ctx context.Context, secret *coreIdl.Secret) (string, error) {
	// ... validation ...
	envVar := fmt.Sprintf(envVarLookupFormatter, f.envPrefix, strings.ToUpper(secret.Group), strings.ToUpper(secret.Key))
	v, ok := os.LookupEnv(envVar)
	if ok {
		return v, nil
	}

	secretFile := filepath.Join(f.secretPath, filepath.Join(secret.Group, secret.Key))
	// ... read from file ...
}

Injection into Task Pods

Once a secret value is retrieved, GlobalSecrets injects it into the task pod as an environment variable. It does not support mounting secrets as files; if a secret request specifically requires MountRequirement: FILE, the injection will fail with an error.

The injected environment variable name follows the pattern: {SecretEnvVarPrefix}{GROUP}_{KEY}.

For example, if the SecretEnvVarPrefix is configured as _UNION_, a secret with group database and key password will be injected as _UNION_DATABASE_PASSWORD.

Additionally, GlobalSecrets injects a special environment variable FLYTE_SECRETS_ENV_PREFIX into the pod, which contains the prefix used for secret environment variables. This allows the Flyte SDK within the task to correctly identify and retrieve these secrets.

// From flyteplugins/go/tasks/pluginmachinery/secret/global_secrets.go
envVar := corev1.EnvVar{
	Name:  strings.ToUpper(g.cfg.SecretEnvVarPrefix + secret.Group + EnvVarGroupKeySeparator + secret.Key),
	Value: v,
}

prefixEnvVar := corev1.EnvVar{
	Name:  SecretEnvVarPrefix, // "FLYTE_SECRETS_ENV_PREFIX"
	Value: g.cfg.SecretEnvVarPrefix,
}
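The two halves described above, the env-then-file lookup in the webhook's process space and the naming of the variables injected into the task pod, as a stand-alone added example (this is not Flyte's own code; the "%s%s_%s" lookup format, the function names and the plain envVar struct in place of corev1.EnvVar are this example's assumptions):

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// envVar is a dependency-free stand-in for corev1.EnvVar (assumption).
type envVar struct{ Name, Value string }

// lookupGlobalSecret resolves a secret the way the webhook does: uppercased
// env var first, then the file <secretPath>/<group>/<key>. "%s%s_%s" is assumed.
func lookupGlobalSecret(envPrefix, secretPath, group, key string) (string, error) {
	if group == "" || key == "" {
		return "", errors.New("secret group and key must both be non-empty")
	}
	name := fmt.Sprintf("%s%s_%s", envPrefix, strings.ToUpper(group), strings.ToUpper(key))
	if v, ok := os.LookupEnv(name); ok {
		return v, nil
	}
	path := filepath.Join(secretPath, group, key)
	data, err := os.ReadFile(path)
	if err != nil {
		return "", fmt.Errorf("secret %s/%s: not in env %q and %w", group, key, name, err)
	}
	return string(data), nil // file contents are used verbatim
}

// injectGlobalSecret builds the {SecretEnvVarPrefix}{GROUP}_{KEY} variable and
// the FLYTE_SECRETS_ENV_PREFIX marker; a FILE mount requirement is rejected.
func injectGlobalSecret(secretEnvVarPrefix, group, key, value string, mountAsFile bool) ([]envVar, error) {
	if mountAsFile {
		return nil, errors.New("global secrets can only be injected as environment variables")
	}
	return []envVar{
		{Name: strings.ToUpper(secretEnvVarPrefix + group + "_" + key), Value: value},
		{Name: "FLYTE_SECRETS_ENV_PREFIX", Value: secretEnvVarPrefix},
	}, nil
}

func main() {
	// Constructed demo: the webhook process has FLYTE_SECRET_DATABASE_PASSWORD set.
	os.Setenv("FLYTE_SECRET_DATABASE_PASSWORD", "example-only")
	v, _ := lookupGlobalSecret("FLYTE_SECRET_", "/etc/secrets", "database", "password")
	vars, _ := injectGlobalSecret("_UNION_", "database", "password", v, false)
	fmt.Printf("%+v\n", vars)
}
```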

Configuration

Global secrets are configured through two main sections in the Flyte configuration: the secrets section for the lookup manager and the webhook section for the injection prefix.

Lookup Configuration (secrets section)

Defined in flyteplugins/go/tasks/pluginmachinery/secretmanager/config.go, these settings control how the webhook finds secrets in its own environment:

  • env-prefix: The prefix used to look up environment variables in the webhook process (default: FLYTE_SECRET_).
  • secrets-prefix: The base directory where the manager looks for secret files (default: /etc/secrets).

Injection Configuration (webhook section)

Defined in flyteplugins/go/tasks/pluginmachinery/secret/config/config.go, this setting controls how secrets are named when injected into the task pod:

  • secretEnvVarPrefix: The prefix for environment variables injected into the task pod (default: _UNION_).

Constraints and Requirements

When using Global Secrets, keep the following implementation details in mind:

  • Environment Variables Only: Global secrets can only be injected as environment variables. The Inject method in global_secrets.go explicitly rejects coreIdl.Secret_FILE requirements.
  • Mandatory Group and Key: Both the Group and Key fields of the secret request must be non-empty. If either is missing, the FileEnvSecretManager will return an error.
  • Case Handling: The lookup and injection logic uppercases the group and key with strings.ToUpper before building the environment variable name, but os.LookupEnv itself follows the operating system's rules. On Linux, where Flyte usually runs, environment variable names are case-sensitive, so the variable set in the webhook's environment must already use the uppercased name for the lookup to succeed.