Skip to content

[Secrets] Remove labels param when reading secret in store_secrets() [feature/ig4-authentication] #8796

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
moranbental merged 4 commits into from
Oct 30, 2025
Merged

[Secrets] Remove labels param when reading secret in store_secrets() [feature/ig4-authentication] #8796

moranbental merged 4 commits into from
Oct 30, 2025

Conversation

@elbamit
Copy link
Contributor

@elbamit elbamit commented Oct 29, 2025
edited
Loading

📝 Description

As part of #8484, read_secret() was refactored to (optionally) check for a label in the k8s secret. This is needed for IG4's secret tokens.
However, the labels parameter is not needed in store_secrets function (k8s.py).

When running a workflow, the secret is initially created in k8s with the label mlrun/username:admin (for the admin user). However, when resolving KFP secret environment variables to k8s secrets, store_secrets is called with the label mlrun/username:MLRUN_AUTH_SESSION. Using this label with read_secret results in None being returned instead of the actual secret.

🛠️ Changes Made

  • Remove label param when calling read_secret in store_secrets

✅ Checklist

  • I updated the documentation (if applicable)
  • I have tested the changes in this PR
  • I confirmed whether my changes are covered by system tests
    • If yes, I ran all relevant system tests and ensured they passed before submitting this PR
    • I updated existing system tests and/or added new ones if needed to cover my changes
  • If I introduced a deprecation:

🧪 Testing

Regression test that was failing now works when run manually

🔗 References

🚨 Breaking Changes?

  • Yes (explain below)
  • No

🔍️ Additional Notes

@elbamit elbamit changed the base branch from development to feature/ig4-authentication October 29, 2025 13:32
@elbamit elbamit marked this pull request as ready for review October 29, 2025 13:32
@elbamit elbamit requested review from a team and quaark as code owners October 29, 2025 13:32
@elbamit elbamit changed the title [Secrets] Remove labels param when reading secret in store_secrets() [Secrets] Remove labels param when reading secret in store_secrets() [feature/ig4-authentication] Oct 29, 2025
liranbg
liranbg reviewed Oct 29, 2025
View reviewed changes
server/py/services/api/tests/unit/utils/singletons/test_k8s_utils.py Outdated


# Labels param in read_secret should be used only with IG4 secrets
def test_store_secrets_does_not_pass_labels_to_read_secret(k8s_helper):
Copy link
Member

@liranbg liranbg Oct 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

move comment to test func doc so we can see it nicely on test output when it fails
"Test ensures that ..."

Yacouby
Yacouby requested changes Oct 29, 2025
View reviewed changes
Copy link
Member

@Yacouby Yacouby left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Few suggestions to improve readability.

server/py/services/api/tests/unit/utils/singletons/test_k8s_utils.py Outdated
Comment on lines 299 to 300
for call in k8s_helper.read_secret.call_args_list:
assert "labels" not in call.kwargs
Copy link
Member

@Yacouby Yacouby Oct 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can be simplified with a direct call argument assertion:

Suggested change
for call in k8s_helper.read_secret.call_args_list:
assert "labels" not in call.kwargs
k8s_helper.read_secret.assert_called_once_with(secret_name="my-secret", namespace="default")

server/py/services/api/tests/unit/utils/singletons/test_k8s_utils.py Outdated



def test_store_secrets_does_not_pass_labels_to_read_secret(k8s_helper):
Copy link
Member

@Yacouby Yacouby Oct 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

test name too long. if you write in the comment of the test what it does, then IMO it can be shortened, something like:

Suggested change
def test_store_secrets_does_not_pass_labels_to_read_secret(k8s_helper):
def test_no_labels_in_read_secret(k8s_helper):

Copy link
Member

@Yacouby Yacouby Oct 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

or test_store_secrets_ignores_labels

@elbamit elbamit requested review from a team and jillnogold as code owners October 30, 2025 08:34
@mlrun mlrun deleted a comment from review-notebook-app bot Oct 30, 2025
@moranbental moranbental merged commit 4df2c4f into mlrun:feature/ig4-authentication Oct 30, 2025
34 of 35 checks passed
@moranbental moranbental mentioned this pull request Oct 30, 2025
Merged
6 tasks
liranbg pushed a commit that referenced this pull request Nov 3, 2025
@moranbental @rokatyy @elbamit
[Authentication] Allow authentication against IG4 (#8724)
aca1350 
### 📝 Description
<!-- A short summary of what this PR does. -->
<!-- Include any relevant context or background information. -->
This PR introduces support for MLRun authentication with IG4.
It rebases the `feature/ig4-authentication` branch onto `development`

This PR includes the following PRs:

1. #8345
2. #8370
3.  #8366
4. #8388
5. #8440
6. #8408
7. #8466
8. #8471
9. #8443
10. #8484
11. #8498
12. #8574
13. #8529
14. #8584
15. #8588
16. #8589
17. #8567
18. #8623
19. #8612
20. #8514
21. #8626
22. #8632
23. #8633
24. #8667
25. #8668
26. #8674
27. #8780
28. #8754
29. #8796
30. #8811
---

### 🛠️ Changes Made
<!-- - Key changes (e.g., added feature X, refactored Y, fixed Z) -->
To enable IG4 project authorization, set the following configs in mlrun
api:

```
MLRUN_HTTPDB__AUTHENTICATION__MODE: iguazio-v4
MLRUN_HTTPDB__AUTHENTICATION__IGUAZIO__SESSION_VERIFICATION_ENDPOINT: v1/identity/self
MLRUN_IGUAZIO_API_URL: http://igz-api:8000
```

Before importing MLRun, you must set:
```
MLRUN_AUTH_WITH_OAUTH_TOKEN__ENABLED=true
MLRUN_AUTH_TOKEN_ENDPOINT="https://igz-api.<namespace>.<system-domain>/api/v1/refresh-access-token"
```

---

### ✅ Checklist
- [x] I updated the documentation (if applicable)
- [x] I have tested the changes in this PR
- [ ] If I introduced a deprecation:
  - [ ] I followed the [Deprecation Guidelines](./DEPRECATION.md)
  - [ ] I updated the relevant Jira ticket for documentation

---

### 🧪 Testing
<!-- - How it was tested (unit tests, manual, integration) -->  
<!-- - Any special cases covered. -->  
Tested on IG4 system + unit tests

---

### 🔗 References
- Ticket link: https://iguazio.atlassian.net/browse/ML-9683,
https://iguazio.atlassian.net/browse/ML-9870,
https://iguazio.atlassian.net/browse/ML-9998
- Design docs links:
https://iguazio.atlassian.net/wiki/spaces/MLRUN/pages/399179866/Support+IG4+Authentication+in+MLRun+AuthVerifier+HLD,
https://iguazio.atlassian.net/wiki/spaces/MLRUN/pages/411960071/Support+sdk-side+IG4+authentication+-+token+usage+and+management+HLD,
https://iguazio.atlassian.net/wiki/spaces/MLRUN/pages/404521061/BE+Secret+Token+Support+HLD,
- External links:
https://iguazio.atlassian.net/wiki/spaces/ARC/pages/361103361/MLRun+Secret+Tokens+in+IG4

---

### 🚨 Breaking Changes?

- [x] Yes (explain below)
- [] No

Removed unused API endpoints `- POST /api/v1/user-secrets` which was not
in used

---

### 🔍️ Additional Notes


How to enable IG4 authentication -
https://iguazio.atlassian.net/wiki/spaces/PLAT/pages/457671097/Enable+IG4+Authentication+in+MLRun

---------

Co-authored-by: Katerina Molchanova <35141662+rokatyy@users.noreply.github.com>
Co-authored-by: Amit Elbaz <66309521+elbamit@users.noreply.github.com>
@elbamit elbamit deleted the ML-11330 branch December 18, 2025 09:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@liranbg liranbg liranbg approved these changes

@Yacouby Yacouby Yacouby approved these changes

@moranbental moranbental moranbental approved these changes

@quaark quaark Awaiting requested review from quaark

@jillnogold jillnogold Awaiting requested review from jillnogold

Assignees

No one assigned

Labels

area/api area/automation area/ci area/docs area/framework area/sdk area/server area/system-tests area/tests

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@elbamit @liranbg @Yacouby @moranbental