From b0275ac7697b9fbfdd299c8954458d41097f9cfd Mon Sep 17 00:00:00 2001
From: "Yuan (Bob) Gong"
Date: Fri, 10 Jul 2020 23:57:50 +0800
Subject: [PATCH] refactor: pipelines profile controller should get minio access keys from the secret (#1372)
* refactor: pipelines profile controller should get minio access keys from the secret
* do not print secrets in log
---
 .../deployment.yaml | 11 +++++++
 .../pipelines-profile-controller/sync.py | 31 +++++++++++--------
 2 files changed, 29 insertions(+), 13 deletions(-)
diff --git a/pipeline/installs/multi-user/pipelines-profile-controller/deployment.yaml b/pipeline/installs/multi-user/pipelines-profile-controller/deployment.yaml
index 0ccf450289..4481e8e191 100644
--- a/pipeline/installs/multi-user/pipelines-profile-controller/deployment.yaml
+++ b/pipeline/installs/multi-user/pipelines-profile-controller/deployment.yaml
@@ -16,6 +16,17 @@ spec:
 envFrom:
 - configMapRef:
 name: profile-controller-env
+ env:
+ - name: MINIO_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: mlpipeline-minio-artifact
+ key: accesskey
+ - name: MINIO_SECRET_KEY
+ valueFrom:
+ secretKeyRef:
+ name: mlpipeline-minio-artifact
+ key: secretkey
 volumeMounts:
 - name: hooks
 mountPath: /hooks
diff --git a/pipeline/installs/multi-user/pipelines-profile-controller/sync.py b/pipeline/installs/multi-user/pipelines-profile-controller/sync.py
index 8604ef4ef6..c25ba9e5b5 100644
--- a/pipeline/installs/multi-user/pipelines-profile-controller/sync.py
+++ b/pipeline/installs/multi-user/pipelines-profile-controller/sync.py
@@ -15,9 +15,12 @@
 from http.server import BaseHTTPRequestHandler, HTTPServer
 import json
 import os
+import base64
 kfp_version = os.environ["KFP_VERSION"]
 disable_istio_sidecar = os.environ.get("DISABLE_ISTIO_SIDECAR") == "true"
+mlpipeline_minio_access_key = os.environ.get("MINIO_ACCESS_KEY")
+mlpipeline_minio_secret_key = os.environ.get("MINIO_SECRET_KEY")
 class Controller(BaseHTTPRequestHandler):
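Review bot: The `env` entries added to deployment.yaml depend on a Secret named `mlpipeline-minio-artifact` existing in the controller's own namespace, and nothing next to the reference says so. A comment above `env:` would document the prerequisite, for example `# Requires Secret mlpipeline-minio-artifact (keys: accesskey, secretkey) in this namespace; sync.py copies both values into each namespace it syncs.` Since the sync.py change in this commit writes the same two values into a Secret in every synced namespace, read access to Secrets in any one of those namespaces exposes the credential shared by all of them, which is worth stating where the reference is made. The container spec begins above the hunk.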
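Review bot: `os.environ.get("MINIO_ACCESS_KEY")` and `os.environ.get("MINIO_SECRET_KEY")` in the sync.py module header return `None` when the variable is absent, so a misconfigured process starts normally and the problem only surfaces later, when `sync` tries to base64-encode the value. `KFP_VERSION` a few lines above is read with `os.environ[...]` and fails at startup; the same form fits the credentials: `mlpipeline_minio_access_key = os.environ["MINIO_ACCESS_KEY"]` and `mlpipeline_minio_secret_key = os.environ["MINIO_SECRET_KEY"]`. With the `secretKeyRef` entries in deployment.yaml the variables should be set in that deployment, so this mainly guards other ways of running the script.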
@@ -49,18 +52,6 @@ def sync(self, parent, children):
 # parent is a namespace
 namespace = parent.get("metadata", {}).get("name")
 desired_resources = [
- {
- "apiVersion": "v1",
- "kind": "Secret",
- "metadata": {
- "name": "mlpipeline-minio-artifact",
- "namespace": namespace,
- },
- "data": {
- "accesskey": "bWluaW8=", # base64 for minio
- "secretkey": "bWluaW8xMjM=", # base64 for minio123
- },
- },
 {
 "apiVersion": "v1",
 "kind": "ConfigMap",
@@ -255,7 +246,21 @@ def sync(self, parent, children):
 }
 },
 ]
- print('Received request', parent, desired_resources)
+ print('Received request:', parent)
+ print('Desired resources except secrets:', desired_resources)
+ # Moved after the print argument because this is sensitive data.
+ desired_resources.append({
+ "apiVersion": "v1",
+ "kind": "Secret",
+ "metadata": {
+ "name": "mlpipeline-minio-artifact",
+ "namespace": namespace,
+ },
+ "data": {
+ "accesskey": base64.b64encode(mlpipeline_minio_access_key),
+ "secretkey": base64.b64encode(mlpipeline_minio_secret_key),
+ },
+ })
 return {"status": desired_status, "children": desired_resources}
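Review bot: `base64.b64encode(mlpipeline_minio_access_key)` in the appended Secret receives a `str`, because the value comes from `os.environ`. On Python 3, which the `http.server` import implies, `b64encode` accepts only bytes-like input and raises `TypeError`; the `secretkey` line has the same problem. The call also returns `bytes`, which would not serialize if the returned dict is later passed to `json.dumps` (that code is outside the hunk). Encoding before and decoding after fixes both: `"accesskey": base64.b64encode(mlpipeline_minio_access_key.encode("utf-8")).decode("utf-8"),` and the same for `secretkey`. The body of `sync` starts above this hunk.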