[BUG] flyte-secret-auth secret not mounted properly #5053

Closed
2 tasks done
yini7777 opened this issue Mar 14, 2024 · 4 comments · Fixed by #5054 or #5063
Labels: bug, enhancement

Comments

@yini7777
Contributor

yini7777 commented Mar 14, 2024

Describe the bug

When setting Values.secrets.adminOauthClientCredentials.enabled to false and managing the flyte-secret-auth with a secret manager ourselves (reference: Flyte doc on auth setup), it seems the auth is not mounted as expected due to this condition.

We propose enhancing the configuration in values.yaml by introducing an additional key to indicate whether to create flyte-secret-auth. This enhancement would enable conditional mounting of flyte-secret-auth based on its creation status.

Expected behavior

Able to mount the flyte-secret-auth secret properly when Values.secrets.adminOauthClientCredentials.enabled is false.

Are you sure this issue hasn't been raised already?

  • Yes

Have you read the Code of Conduct?

  • Yes
yini7777 added the bug and untriaged labels Mar 14, 2024

welcome bot commented Mar 14, 2024

Thank you for opening your first issue here! 🛠


dosubot bot commented Mar 14, 2024

Hey there @yini7777! Great to see you back with us, diving into the depths of Flyte's secrets management. Hope you've been well since our last chat!

Thank you for bringing this to our attention. It seems like you're encountering an issue with the flyte-secret-auth secret not being mounted as expected when Values.secrets.adminOauthClientCredentials.enabled is set to false.

I found a similar issue in the Flyte repository: [BUG] Do not mount flyte-secret-auth secret if .Values.secrets.adminOauthClientCredentials.enabled is false.. This issue was closed by a pull request: fix: mount flyte-secret-auth secret conditionally on February 20, 2024. It seems like this issue was addressed, but you're still experiencing a problem.

As for your proposal to enhance the configuration in values.yaml by introducing an additional key to indicate whether flyte-secret-auth should be created, this is indeed a feasible solution. The configuration in values.yaml can be enhanced by introducing an additional key to indicate whether flyte-secret-auth should be created. This allows for conditional mounting of flyte-secret-auth based on a new condition, rather than solely relying on Values.secrets.adminOauthClientCredentials.enabled.

Here's an example of how you could introduce a new key under secrets named createSecretAuth and use it in conjunction with the existing adminOauthClientCredentials.enabled key to control the creation of the secret:

{{- if and .Values.secrets.createSecretAuth (not .Values.secrets.adminOauthClientCredentials.enabled) }}
apiVersion: v1
kind: Secret
metadata:
  name: flyte-secret-auth
  namespace: {{ template "flyte.namespace" . }}
type: Opaque
stringData:
  {{- with .Values.secrets.adminOauthClientCredentials.clientSecret }}
  client_secret: {{  tpl (toYaml .) $ }}
  {{- end }}
{{- end }}

In this scenario, flyte-secret-auth would only be created if createSecretAuth is set to true and adminOauthClientCredentials.enabled is set to false. This approach provides more granular control over the creation of the secret and allows for more flexible configuration options in your Helm chart.

Currently, when Values.secrets.adminOauthClientCredentials.enabled is set to false, the flyte-secret-auth secret is not created. This is because the creation of the secret is conditional upon .Values.secrets.adminOauthClientCredentials.enabled being true. If this condition evaluates to false, the entire block defining the flyte-secret-auth secret is skipped.

I hope this information helps. If you have any further questions or need additional clarification, please don't hesitate to ask.


dosubot bot added the enhancement label Mar 14, 2024
@lowc1012
Contributor

Hi @yini7777, thank you for reporting this issue.
Could you please elaborate on this, such as which component the errors occur in, or provide error logs?
Thank you

eapolinario removed the untriaged label Mar 14, 2024
eapolinario self-assigned this Mar 14, 2024
@yini7777
Contributor Author

yini7777 commented Mar 15, 2024

@lowc1012 Thanks for your prompt response!
Error log looks like:

│ Error: cannot patch "flytescheduler" with kind Deployment: Deployment.apps "flytescheduler" is invalid: spec.template.spec.initContainers[0].volumeMounts[2].name: Not found: "auth"
│ 
│   with helm_release.flyte-unstable-core,
│   on flyte-unstable.tf line 1, in resource "helm_release" "flyte-unstable-core":
│    1: resource "helm_release" "flyte-unstable-core" {

Context --> We're upgrading from v1.10.6 to v1.11.0 and nothing has been changed on our end.
We set Values.secrets.adminOauthClientCredentials.enabled to false because we don't want Flyte to create the secret, as we have created it via an ExternalSecret. In this case Flyte does not mount the secret to the flytescheduler.

Solution --> Add a new value as Values.secrets.adminOauthClientCredentials.create. We will set this to false and enabled to true.
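
The error reported above is Kubernetes rejecting a pod template in which a volumeMounts entry names a volume that is not declared under spec.template.spec.volumes. The following is an added example, not code from this thread or from the Flyte chart: a check that finds such dangling mounts in rendered manifests before an upgrade is applied. It assumes the manifests have been converted to JSON; the sample Deployment, its volume names and its mount paths are constructed for illustration.

```python
import json

# Constructed, trimmed Deployment shaped like the failing flytescheduler render:
# containers mount "auth" but the pod spec declares no volume with that name.
SAMPLE_DEPLOYMENT = json.loads("""
{
  "kind": "Deployment",
  "metadata": {"name": "flytescheduler"},
  "spec": {"template": {"spec": {
    "volumes": [{"name": "config-volume"}, {"name": "db-pass"}],
    "initContainers": [{"name": "init", "volumeMounts": [
      {"name": "config-volume", "mountPath": "/etc/flyte/config"},
      {"name": "db-pass", "mountPath": "/etc/db"},
      {"name": "auth", "mountPath": "/etc/secrets"}]}],
    "containers": [{"name": "scheduler", "volumeMounts": [
      {"name": "config-volume", "mountPath": "/etc/flyte/config"},
      {"name": "auth", "mountPath": "/etc/secrets"}]}]
  }}}
}
""")


def dangling_volume_mounts(manifest):
    """Return field paths of volumeMounts whose name matches no pod volume."""
    pod = manifest.get("spec", {}).get("template", {}).get("spec", {})
    declared = {v["name"] for v in pod.get("volumes") or []}
    problems = []
    for group in ("initContainers", "containers"):
        for ci, container in enumerate(pod.get(group) or []):
            for mi, mount in enumerate(container.get("volumeMounts") or []):
                name = mount["name"]
                if name not in declared:
                    path = f"spec.template.spec.{group}[{ci}].volumeMounts[{mi}].name"
                    problems.append(f'{path}: Not found: "{name}"')
    return problems


def check_rendered(manifests):
    """Map 'Kind/name' to its problems for every workload with a dangling mount."""
    report = {}
    for m in manifests:
        found = dangling_volume_mounts(m)
        if found:
            report[f"{m.get('kind')}/{m['metadata']['name']}"] = found
    return report


if __name__ == "__main__":
    for workload, problems in check_rendered([SAMPLE_DEPLOYMENT]).items():
        for p in problems:
            print(f"{workload}: {p}")
```
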

yini7777 mentioned this issue Mar 15, 2024