[Workflows] Auth secret token mounting for Workflows #9151
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ns from the ServerSideLauncher to mlrun/auth/utils so it can be accessed without launcher (such as KFP). Launcher function has been refactored to only handle run/remoteRuntime objects before passing the required info to the new core logic functions. Nuclio endpoint has been updated accordingly.
…cret and use it during create_pipeline CRUD to extract the secret name to mount. Secret name is passed into pipeline adapter where it is mounted to the argo pods
liranbg
requested changes
Jan 4, 2026
Member
liranbg
left a comment
liranbg
left a comment
There was a problem hiding this comment.
well done, naming and some suggestions that improves readability
server/py/services/api/launcher.py
Outdated
|
|
||
| # TODO In ML-11600, implement token name resolution and validation + tests | ||
| def enrich_and_validate_auth_token_name( | ||
| def enrich_and_validate_auth_token_name_on_object( |
Member
There was a problem hiding this comment.
Suggested change
| def enrich_and_validate_auth_token_name_on_object( | |
| def enrich_and_validate_auth_token_name( |
Member
There was a problem hiding this comment.
I think this is pretty obvious from the parameters that you apply it on the given object
server/py/services/api/launcher.py
Outdated
| # Resolve token name and raise error only if token is explicitly provided by the user | ||
| # in ML-11600, we will implement a proper resolution logic that checks all secret tokens | ||
| # of the user and finds a valid one if no token name is provided | ||
| raise_error_on_failure = bool(provided_token_name) |
Member
There was a problem hiding this comment.
| content_type: str, | ||
| env_var_names: list[str], | ||
| secrets_store: "SecretsStore", | ||
| secret_name: typing.Optional[str] = None, |
Member
There was a problem hiding this comment.
Suggested change
| secret_name: typing.Optional[str] = None, | |
| auth_secret_name: typing.Optional[str] = None, |
and change callees + others to reflect this is not an arbitrary secret but auth one
…the raise_error_on_failure resolution inside enrich_and_validate_auth_token_name function
liranbg
approved these changes
Jan 4, 2026
|
|
||
|
|
||
| def replace_kfp_plaintext_secret_env_vars_with_secret_refs( | ||
| def process_kfp_workflow_secret_references( |
Member
There was a problem hiding this comment.
you need to bump patch version for pipeline adapter (under pyproject.toml).
liranbg
requested changes
Jan 4, 2026
mlrun/auth/utils.py
Outdated
Comment on lines
320
to
338
| def enrich_and_validate_auth_token_name(token_name: typing.Optional[str]): | ||
| if mlrun.mlconf.is_iguazio_v4_mode(): | ||
| # Resolve token name and raise error only if token is explicitly provided by the user | ||
| raise_error_on_failure = bool(token_name) | ||
|
|
||
| # If token name not provided, use default | ||
| token_name = ( | ||
| token_name or mlrun.common.constants.MLRUN_RUNTIME_AUTH_DEFAULT_TOKEN_NAME | ||
| ) | ||
| validate_token_name(token_name, raise_error_on_failure=raise_error_on_failure) | ||
| return token_name | ||
|
|
||
|
|
||
| # TODO implement validation in ML-11600 | ||
| def validate_token_name( | ||
| token_name: str, | ||
| raise_error_on_failure: bool = True, | ||
| ): | ||
| pass |
Member
There was a problem hiding this comment.
revisiting this agan, you dont do any enrichment nor validation here at this point (leaving some todos for validation) but honestly, I think it is better off KISSing it at this phase and remove this completely. moving the part of
token_name or mlrun.common.constants.MLRUN_RUNTIME_AUTH_DEFAULT_TOKEN_NAME
)
to its callees
…fix related tests
liranbg
approved these changes
Jan 5, 2026
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
📝 Description
Add support for IG4 authentication on workflows by mounting the secret on the argo pods.
This PR moves the core logic of
enrich_and_validate_auth_token_nameout of the launcher to a more common place so it can be used by workflows since they don't go through launcher/runtime handler.🛠️ Changes Made
enrich_and_validate_auth_token_namecore logic from launcher tomlrun.auth.utilsresolve_auth_token_secret_namefor pipelines that gets token name and then extract secret name.replace_kfp_plaintext_secret_env_vars_with_secret_refstoprocess_kfp_workflow_secret_referencesto pass theauth_secret_nameparam so that it gets mounted to the argo pods during_enrich_kfp_workflow_yaml_credentials✅ Checklist
🧪 Testing
Unit tests
test_resolve_auth_secret_nametest_enrich_and_validate_auth_token_name🔗 References
🚨 Breaking Changes?
🔍️ Additional Notes