Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Support loading parameter values from secrets. Fixes: #5506 #13899

Open
wants to merge 16 commits into
base: main
Choose a base branch
from
Open

feat: Support loading parameter values from secrets. Fixes: #5506 #13899

wants to merge 16 commits into from

Conversation

shuangkun
Copy link
Member

@shuangkun shuangkun commented Nov 14, 2024
edited
Loading

Fixes #5506 Reference: #11446

Unsolved issues:

Hide secret value in argo template, log, UI

Motivation

Modifications

Verification

Loccal Test and UT

@shuangkun shuangkun force-pushed the parameter/secret branch 2 times, most recently from c9383cb to 5d65f3c Compare November 14, 2024 13:47
@shuangkun shuangkun added the area/spec Changes to the workflow specification. label Nov 20, 2024
@shuangkun shuangkun added the type/security Security related label Dec 19, 2024
terrytangyuan
terrytangyuan reviewed Dec 22, 2024
View reviewed changes
Copy link
Member

@terrytangyuan terrytangyuan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you paste some example outputs and screenshots?

@shuangkun shuangkun requested a review from Joibel as a code owner January 5, 2025 04:23
shuangkun and others added 10 commits January 5, 2025 13:06
@shuangkun
feat: pass secret to workflow as input. Fixes:argoproj#5506
e51e021 
Signed-off-by: shuangkun <[email protected]>
@shuangkun
fix: test
d0b3b5e 
Signed-off-by: shuangkun <[email protected]>
@shuangkun
feat: add watch Permission for controller.
0973820 
Signed-off-by: shuangkun <[email protected]>
@shuangkun
fix: add docs
5650d8b 
Signed-off-by: shuangkun <[email protected]>
@shuangkun @umi0410
fix: change log.
a2b01a2 
Co-authored-by: shuangkun <[email protected]>
Co-authored-by: Jinsu Park <[email protected]>
Signed-off-by: shuangkun <[email protected]>
@shuangkun
fix: fetch info.
c2b56ed 
Signed-off-by: shuangkun <[email protected]>
@shuangkun
fix: secret log.
9037b90 
Signed-off-by: shuangkun <[email protected]>
@shuangkun
fix: golbal parameters.
b53ed57 
Signed-off-by: shuangkun <[email protected]>
@shuangkun
fix: allow secretKeyRef.
f2fa14f 
Signed-off-by: shuangkun <[email protected]>
@shuangkun
fix: add secret informer.
95d1338 
Signed-off-by: shuangkun <[email protected]>
@shuangkun shuangkun force-pushed the parameter/secret branch 2 times, most recently from 2496146 to 95d1338 Compare January 5, 2025 05:28
@shuangkun
fix: docs
09db0f6 
Signed-off-by: shuangkun <[email protected]>
@shuangkun
fix: docs
5e006da 
Signed-off-by: shuangkun <[email protected]>
@shuangkun
Copy link
Member Author

Can you paste some example outputs and screenshots?

Sure.

  1. deploy a secret
apiVersion: v1
kind: Secret
metadata:
  name: simple-parameters
  labels:
    # Note that this label is required for the informer to detect this Secret.
    workflows.argoproj.io/secret-type: Parameter
data:
  msg: "aGVsbG8gd29ybGQK"

opensource % echo "aGVsbG8gd29ybGQK" | base64 -d
hello world
  1. Then we can submit a workflow to reference this secret use new cli.
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  generateName: global-parameter-values-from-secret-
  labels:
    workflows.argoproj.io/test: "true"
  annotations:
    workflows.argoproj.io/description: |
      This example demonstrates loading global parameter values from a Secret.
      Note that the "simple-parameters" Secret (defined in `examples/secrets/simple-parameters-secret.yaml`) needs to be created first before submitting this workflow.
spec:
  entrypoint: print-message
  # Parameters can also be passed via secret reference.
  arguments:
    parameters:
      - name: message
        valueFrom:
          secretKeyRef:
            name: simple-parameters
            key: msg

  templates:
    - name: print-message
      container:
        image: busybox
        command: ["echo"]
        args: ["{{workflow.parameters.message}}"]

tianshuangkun@U-4YKHFNR6-2229 opensource % /Users/tianshuangkun/go/src/github.com/argoproj/argo-workflows/dist/argo submit test.yaml
Name:                global-parameter-values-from-secret-68jb8
Namespace:           argo
ServiceAccount:      unset (will run with the default ServiceAccount)
Status:              Pending
Created:             Sun Jan 05 12:31:10 +0800 (now)
Progress:
Parameters:
  1. View the results and successfully reference the secret
tianshuangkun@U-4YKHFNR6-2229 opensource % /Users/tianshuangkun/go/src/github.com/argoproj/argo-workflows/dist/argo get @latest
Name:                global-parameter-values-from-secret-rtfml
Namespace:           argo
ServiceAccount:      unset (will run with the default ServiceAccount)
Status:              Succeeded
Conditions:
 PodRunning          False
 Completed           True
Created:             Sun Jan 05 12:33:22 +0800 (26 seconds ago)
Started:             Sun Jan 05 12:33:22 +0800 (26 seconds ago)
Finished:            Sun Jan 05 12:33:30 +0800 (18 seconds ago)
Duration:            8 seconds
Progress:            1/1
ResourcesDuration:   2s*(100Mi memory),0s*(1 cpu)
Parameters:

STEP                                          TEMPLATE       PODNAME                                    DURATION  MESSAGE
 ✔ global-parameter-values-from-secret-rtfml  print-message  global-parameter-values-from-secret-rtfml  5s
tianshuangkun@U-4YKHFNR6-2229 opensource % /Users/tianshuangkun/go/src/github.com/argoproj/argo-workflows/dist/argo logs @latest
global-parameter-values-from-secret-rtfml: time="2025-01-05T04:33:26.162Z" level=info msg="capturing logs" argo=true
global-parameter-values-from-secret-rtfml: time="2025-01-05T04:33:26.163Z" level=debug msg="ignore signal child exited" argo=true
global-parameter-values-from-secret-rtfml: hello world
global-parameter-values-from-secret-rtfml:
global-parameter-values-from-secret-rtfml: time="2025-01-05T04:33:26.171Z" level=debug msg="ignore signal child exited" argo=true
global-parameter-values-from-secret-rtfml: time="2025-01-05T04:33:27.164Z" level=info msg="sub-process exited" argo=true error="<nil>"

terrytangyuan
terrytangyuan reviewed Jan 13, 2025
View reviewed changes
manifests/cluster-install/workflow-controller-rbac/workflow-controller-role.yaml Outdated
@@ -17,4 +17,5 @@ rules:
- secrets
verbs:
- get
- watch
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This introduces a new requirement. @jessesuen Would you be okay with this addition?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This would be equivalent to adding list, which is expanding the scope such that the controller see all secrets in the namespace. (Actually, I'm now wondering why list wasn't added).

Is this Role used only for the controller's namespace (e.g. argo)?

@Joibel
Copy link
Member

Joibel commented Jan 13, 2025

I am uncomfortable with this change without quite a lot more safety.

Things I dislike:

  • It has no documentation.
    • We should document you can do this, and the risks associated with allowing it
  • @shuangkun suggests it needs work on redacting, and I don't want to merge this portion without that work being done
    • I'm happy/would encourage that to be in a separate PR for readability
  • It should be possible to run the controller without the new permissions
    • this needs a test
  • The default permissions and manifests should not change to allow this

I think this is a problematic enough change that some kind of proposal should have been written prior to any implementation so we could have discussed if we even wanted to support this. I'm unsure we do as I can't think of use cases where this isn't better supported by the alternatives or workarounds.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jessesuen jessesuen jessesuen left review comments

@terrytangyuan terrytangyuan terrytangyuan left review comments

@sarabala1979 sarabala1979 Awaiting requested review from sarabala1979 sarabala1979 is a code owner

@Joibel Joibel Awaiting requested review from Joibel Joibel is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
area/spec Changes to the workflow specification. type/security Security related
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Passing k8s secret to a workflow as input
4 participants
@shuangkun @Joibel @terrytangyuan @jessesuen