add kubernetes secrets provider and API to read secrets (#885)

Co-authored-by: Matt Johnson-Pint <mjp@hypermode.com>

Author: kevinmingtarja

.vscode/launch.json

@@ -180,6 +180,10 @@
           "label": "PostgreSQL Client Example",
           "value": "postgresql"
         },
+        {
+          "label": "Secrets Example",
+          "value": "secrets"
+        },
         {
           "label": "Simple Example",
           "value": "simple"

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 # Change Log
 
+## UNRELEASED
+
+- feat: add kubernetes secrets provider and API to read secrets [#885](https://github.com/hypermodeinc/modus/pull/885)
+
 ## 2025-06-10 - Runtime 0.18.0-alpha.6
 
 - fix: address agent lifecycle issues [#881](https://github.com/hypermodeinc/modus/pull/881)

go.work

@@ -22,5 +22,6 @@ use (
 	./sdk/go/examples/textgeneration
 	./sdk/go/examples/time
 	./sdk/go/examples/vectors
+	./sdk/go/examples/secrets
 	./sdk/go/templates/default
 )

runtime/app/config.go

@@ -18,14 +18,16 @@ import (
 )
 
 type AppConfig struct {
-	environment     string
-	port            int
-	appPath         string
-	useAwsStorage   bool
-	s3Bucket        string
-	s3Path          string
-	refreshInterval time.Duration
-	useJsonLogging  bool
+	environment          string
+	port                 int
+	appPath              string
+	useAwsStorage        bool
+	s3Bucket             string
+	s3Path               string
+	useKubernetesSecret  bool
+	kubernetesSecretName string
+	refreshInterval      time.Duration
+	useJsonLogging       bool
 }
 
 func (c *AppConfig) Environment() string {
@@ -52,6 +54,14 @@ func (c *AppConfig) S3Path() string {
 	return c.s3Path
 }
 
+func (c *AppConfig) UseKubernetesSecret() bool {
+	return c.useKubernetesSecret
+}
+
+func (c *AppConfig) KubernetesSecretName() string {
+	return c.kubernetesSecretName
+}
+
 func (c *AppConfig) RefreshInterval() time.Duration {
 	return c.refreshInterval
 }
@@ -126,6 +136,9 @@ func CreateAppConfig() *AppConfig {
 	fs.StringVar(&cfg.s3Bucket, "s3bucket", cfg.s3Bucket, "The S3 bucket to use, if using AWS storage.")
 	fs.StringVar(&cfg.s3Path, "s3path", cfg.s3Path, "The path within the S3 bucket to use, if using AWS storage.")
 
+	fs.BoolVar(&cfg.useKubernetesSecret, "useKubernetesSecret", cfg.useKubernetesSecret, "Use Kubernetes secrets for reading secrets.")
+	fs.StringVar(&cfg.kubernetesSecretName, "kubernetesSecretName", cfg.kubernetesSecretName, "The Kubernetes secret to read from, if using Kubernetes secrets.")
+
 	fs.DurationVar(&cfg.refreshInterval, "refresh", cfg.refreshInterval, "The refresh interval to reload any changes.")
 	fs.BoolVar(&cfg.useJsonLogging, "jsonlogs", cfg.useJsonLogging, "Use JSON format for logging.")
 

runtime/db/inferencehistory.go

@@ -76,18 +76,11 @@ type inferenceHistory struct {
 func (w *runtimePostgresWriter) GetPool(ctx context.Context) (*pgxpool.Pool, error) {
 	var initErr error
 	w.once.Do(func() {
-		var connStr string
-		var err error
-		if secrets.HasSecret("MODUS_DB") {
-			connStr, err = secrets.GetSecretValue("MODUS_DB")
-		} else if secrets.HasSecret("HYPERMODE_METADATA_DB") {
-			// fallback to old secret name
-			// TODO: remove this after the transition is complete
-			connStr, err = secrets.GetSecretValue("HYPERMODE_METADATA_DB")
-		} else {
+		if !secrets.HasSecret(ctx, "MODUS_DB") {
 			return
 		}
 
+		connStr, err := secrets.GetSecretValue(ctx, "MODUS_DB")
 		if err != nil {
 			initErr = err
 			return

runtime/go.mod

@@ -52,6 +52,10 @@ require (
 	golang.org/x/sys v0.33.0
 	google.golang.org/grpc v1.73.0
 	google.golang.org/protobuf v1.36.6
+	k8s.io/api v0.33.1
+	k8s.io/apimachinery v0.33.1
+	k8s.io/client-go v0.33.1
+	sigs.k8s.io/controller-runtime v0.21.0
 )
 
 require (
@@ -120,13 +124,19 @@ require (
 	github.com/eapache/go-resiliency v1.7.0 // indirect
 	github.com/eapache/go-xerial-snappy v0.0.0-20230731223053-c322873962e3 // indirect
 	github.com/eapache/queue v1.1.0 // indirect
+	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
+	github.com/evanphx/json-patch/v5 v5.9.11 // indirect
 	github.com/felixge/fgprof v0.9.5 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/flowchartsman/retry v1.2.0 // indirect
 	github.com/fsnotify/fsnotify v1.8.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.8.0 // indirect
 	github.com/go-jose/go-jose/v4 v4.0.5 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-openapi/jsonpointer v0.21.1 // indirect
+	github.com/go-openapi/jsonreference v0.21.0 // indirect
+	github.com/go-openapi/swag v0.23.1 // indirect
 	github.com/go-sourcemap/sourcemap v2.1.3+incompatible // indirect
 	github.com/gobwas/httphead v0.1.0 // indirect
 	github.com/gobwas/pool v0.2.1 // indirect
@@ -140,6 +150,8 @@ require (
 	github.com/google/btree v1.1.3 // indirect
 	github.com/google/codesearch v1.2.0 // indirect
 	github.com/google/flatbuffers v25.2.10+incompatible // indirect
+	github.com/google/gnostic-models v0.6.9 // indirect
+	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/pprof v0.0.0-20250128161936-077ca0a936bf // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
@@ -170,6 +182,7 @@ require (
 	github.com/jcmturner/gokrb5/v8 v8.4.4 // indirect
 	github.com/jcmturner/rpc/v2 v2.0.3 // indirect
 	github.com/jensneuse/byte-template v0.0.0-20231025215717-69252eb3ed56 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kingledion/go-tools v0.6.0 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
@@ -178,6 +191,7 @@ require (
 	github.com/lestrrat-go/httpcc v1.0.1 // indirect
 	github.com/lestrrat-go/httprc/v3 v3.0.0 // indirect
 	github.com/lestrrat-go/option v1.0.1 // indirect
+	github.com/mailru/easyjson v0.9.0 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/miekg/dns v1.1.66 // indirect
@@ -237,6 +251,7 @@ require (
 	github.com/wundergraph/astjson v0.0.0-20250106123708-be463c97e083 // indirect
 	github.com/wundergraph/cosmo/composition-go v0.0.0-20241020204711-78f240a77c99 // indirect
 	github.com/wundergraph/cosmo/router v0.0.0-20240729154441-b20b00e892c6 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xdg/scram v1.0.5 // indirect
 	github.com/xdg/stringprep v1.0.3 // indirect
 	github.com/zeebo/xxh3 v1.0.2 // indirect
@@ -254,17 +269,29 @@ require (
 	golang.org/x/crypto v0.39.0 // indirect
 	golang.org/x/mod v0.25.0 // indirect
 	golang.org/x/net v0.41.0 // indirect
+	golang.org/x/oauth2 v0.30.0 // indirect
 	golang.org/x/sync v0.15.0 // indirect
 	golang.org/x/term v0.32.0 // indirect
 	golang.org/x/text v0.26.0 // indirect
 	golang.org/x/time v0.12.0 // indirect
 	golang.org/x/tools v0.34.0 // indirect
+	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	google.golang.org/api v0.219.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250324211829-b45e905df463 // indirect
 	gopkg.in/DataDog/dd-trace-go.v1 v1.71.0 // indirect
 	gopkg.in/cenkalti/backoff.v1 v1.1.0 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
+	k8s.io/apiextensions-apiserver v0.33.0 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
+	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 // indirect
 	rogchap.com/v8go v0.9.0 // indirect
+	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.7.0 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
 )