add kubernetes secrets provider and API to read secrets #885
Pull Request Overview
This PR adds Kubernetes as a secrets provider along with a new host function for reading secrets, and updates several runtime and SDK components to support context-driven secret retrieval. Key changes include:
- Introducing the Kubernetes secrets provider and updating its API to require context.
- Adding new command line options and configuration in the runtime.
- Providing examples and updating dependencies for both AssemblyScript and Go SDKs.
Reviewed Changes
Copilot reviewed 35 out of 35 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| sdk/assemblyscript/src/assembly/index.ts | Exports the new secrets module. |
| sdk/assemblyscript/examples/* | New examples for using secrets in AssemblyScript. |
| runtime/secrets/* | Adds Kubernetes secrets provider and updates context usage. |
| runtime/hostfunctions/secrets.go | Registers the secrets host function. |
| runtime/app/config.go | Adds new flags for Kubernetes secret configuration. |
| runtime/db/inferencehistory.go | Updates secret usage to include context and remove legacy fallback. |
| runtime/go.mod & go.work | Updates dependencies and adds secrets example. |
Comments suppressed due to low confidence (1)
runtime/hostfunctions/secrets.go:19
- The constant 'module_name' does not follow Go naming conventions. Consider renaming it to 'moduleName' for consistency.
```go
const module_name = "modus_secrets"
```
I've updated this PR with a few implementation improvements and a full AssemblyScript example to mirror the Go example. The main change is that in user code we will need to limit the available secrets to a subset that have been deliberately marked as exposed to the app. In other words, "app secrets" are a subset of modus secrets. They are to be prefixed with For example, if a secret is established as Note that secret keys are case sensitive for now. We can revisit that later if needed.
Description
This PR introduces Kubernetes as a provider for secrets. It also adds a new host function to read secrets from Kubernetes, implements the necessary runtime support for secrets management, and provides SDK support for both AssemblyScript and Go.
New Command Line Arguments:
- `--useKubernetesSecret`: Enable Kubernetes secrets for reading secrets.
- `--kubernetesSecretName`: Specify the Kubernetes secret to read from (format: `namespace/name`). This secret contains a list of key-value pairs.

The Kubernetes client we use has a client cache built-in, thanks to controller-runtime, so each get() does not go over the network to the Kubernetes API server. This saves us from having to implement our own polling loop as well.
Context:
Today, we are using `envFrom` to define all of the Secret's data as environment variables to the container. If there are updates to the Secret, the pod needs to restart before they can read the newly written value. With this PR, we don't need to wait for the pod to restart before it can read the newly written value.
Example:
I have added a new example, `secrets`, for Go, with a README to show how to set it up for running locally.
Out of scope:
Host function for writing secrets.
Checklist
All PRs should check the following boxes:
- Conventional Commits syntax, leading with `fix:`, `feat:`, `chore:`, `ci:`, etc.
- the contributing guide.

If the PR includes a code change, then also check the following boxes. (If not, then delete the next section.)
- `CHANGELOG.md` file.
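The read path described in this PR (a context-driven lookup against the cached client, limited to the "app secrets" subset from the follow-up comment, with case-sensitive keys), as an added illustration that is not the project's own code. The cached controller-runtime client is replaced by an in-memory map constructed for the example, and `APP_` is a placeholder since the PR's real prefix is not reproduced on this page.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
)

// appSecretPrefix marks the keys deliberately exposed to the app. The PR's
// actual prefix is not shown on this page; this value is a placeholder.
const appSecretPrefix = "APP_"

// secretSource stands in for the cached controller-runtime client: a map from
// "namespace/name" to the Secret's key/value data (constructed for this example).
type secretSource map[string]map[string][]byte

// parseSecretRef validates the --kubernetesSecretName "namespace/name" format.
func parseSecretRef(ref string) (string, string, error) {
	ns, name, ok := strings.Cut(ref, "/")
	if !ok || ns == "" || name == "" || strings.Contains(name, "/") {
		return "", "", fmt.Errorf("secret ref %q must be namespace/name", ref)
	}
	return ns, name, nil
}

// GetAppSecret models the host function's read path: context-driven, looked
// up on every call (no pod restart needed to observe an updated value), and
// restricted to prefixed keys. Keys are case sensitive.
func GetAppSecret(ctx context.Context, src secretSource, ref, key string) (string, error) {
	if err := ctx.Err(); err != nil { // cancelled or past its deadline
		return "", err
	}
	if _, _, err := parseSecretRef(ref); err != nil {
		return "", err
	}
	if !strings.HasPrefix(key, appSecretPrefix) {
		return "", errors.New("secret key is not exposed to the app")
	}
	data, ok := src[ref]
	if !ok {
		return "", fmt.Errorf("secret %q not found", ref)
	}
	v, ok := data[key]
	if !ok {
		return "", fmt.Errorf("key %q not found in secret %q", key, ref)
	}
	return string(v), nil
}
```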