Add support for Kubernetes / directory with mounted file style secrets (streamlit#9078)

## Describe your changes
Add Kubernetes/directory style secret support that will allow Streamlit
secrets to be used with [Snowpark Container Services secret
format](https://docs.snowflake.com/en/developer-guide/snowpark-container-services/additional-considerations-services-jobs#using-snowflake-secrets-to-pass-credentials-to-a-container)
which is based on [Kubernetes
Secret](https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#create-a-pod-that-has-access-to-the-secret-data-through-a-volume).

In this format the secrets are expected to be placed under a directory
(such as `/.streamlit/.secrets`) in the following ways:
- user_pass_secret (folder)
   - username (file), content: myuser
   - password (file), content: mypassword
- my_plain_secret (folder)
   - regular_secret (file), content: mysecret

If there are multiple files in a folder they will be available as:
```
> st.secrets['user_pass_secret']['username']
myuser
```

If there's a single file in a folder, it will be folded into the folder
name, such as:
```
> st.secrets['my_plain_secret']
mysecret
```

Another feature added is the ability to customize the error messages by
environment, to have different messages when running inside the Snowflake
environment.

## GitHub Issue Link (if applicable)

## Testing Plan

- Explanation of why no additional tests are needed
- Unit Tests (JS and/or Python)
- E2E Tests
- Any manual testing needed?

---

**Contribution License Agreement**

By submitting this pull request you agree that all contributions to this
project are made under the Apache 2.0 license.
sfc-gh-mochen authored Aug 1, 2024
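
The directory layout described in the commit message, read by a small loader. This is an added example, not code from the commit or from Streamlit; `load_directory_secrets`, `build_sample_tree` and `demo` are hypothetical names, and it assumes dot-prefixed entries (such as the `..data` link found in Kubernetes secret volumes) should be ignored.

```python
import tempfile
from pathlib import Path


def load_directory_secrets(root):
    """Read <root>/<secret>/<key> files into a nested dict (hypothetical helper)."""
    secrets = {}
    for folder in sorted(Path(root).iterdir()):
        # Skip dot-prefixed entries and anything that is not a folder.
        if folder.name.startswith(".") or not folder.is_dir():
            continue
        values = {}
        for entry in sorted(folder.iterdir()):
            # Assumption: Kubernetes secret volumes also hold "..data" and
            # timestamped "..<date>" bookkeeping entries; they are not keys.
            if entry.name.startswith(".") or not entry.is_file():
                continue
            values[entry.name] = entry.read_text(encoding="utf-8")
        if len(values) == 1:
            # Single file: fold its content into the folder name.
            secrets[folder.name] = next(iter(values.values()))
        elif values:
            secrets[folder.name] = values
    return secrets


def build_sample_tree(root):
    """Constructed sample: the layout from the commit message."""
    layout = {
        "user_pass_secret": {"username": "myuser", "password": "mypassword"},
        "my_plain_secret": {"regular_secret": "mysecret"},
    }
    for folder, files in layout.items():
        (Path(root) / folder).mkdir()
        for name, content in files.items():
            (Path(root) / folder / name).write_text(content, encoding="utf-8")
    # Bookkeeping entry of the kind a Kubernetes volume mount adds.
    (Path(root) / "my_plain_secret" / "..data").mkdir()


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return load_directory_secrets(tmp)


if __name__ == "__main__":
    print(demo())
```

This loader returns file content verbatim, so a trailing newline in a mounted file becomes part of the secret value.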

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
1 parent 097037b commit de6b5d5
Showing 6 changed files with 445 additions and 133 deletions.
15 changes: 15 additions & 0 deletions lib/streamlit/config.py
@@ -927,6 +927,21 @@ def _browser_server_port() -> int:
""",
)

# Config Section: Secrets #

_create_section("secrets", "Secrets configuration.")

_create_option(
"secrets.files",
description="""List of locations where secrets are searched. Entries can be a path to toml file or directory path where Kubernetes style secrets will be scanned. Order is important, import is first to last, so secrets in later files will take precedence over earlier ones.""",
default_val=[
# NOTE: The order here is important! Project-level secrets should overwrite global
# secrets.
file_util.get_streamlit_file_path("secrets.toml"),
file_util.get_project_streamlit_file_path("secrets.toml"),
],
)


def get_where_defined(key: str) -> str:
"""Indicate where (e.g. in which file) this option was defined.
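Review bot: The `secrets.files` description in `_create_option` does not say how a directory entry is turned into keys, nor whether "take precedence" means replacing a whole top-level key or merging nested ones. The commit message describes a folder-per-secret layout in which a single-file folder is folded into a plain string, so `st.secrets[name]` is a string or a mapping depending on how many files are mounted; that belongs in the description, together with what happens when a listed path does not exist. The phrase "import is first to last" would also read more clearly as "entries are loaded in order, first to last".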