Fix plugin secrets in config #6249
Conversation
✅ Deploy Preview for nextflow-docs-staging ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
|
Here is how I've been testing:
However, it's not loading the It's at least loading |
|
I wonder if the issue is that I'm using the dist release instead of the standard release |
|
It turns out the issue was that I was using the single-VM CE, which doesn't support AWS secrets. It works with AWS Batch. Regarding testing, I don't think we'll need a git repo unless you want to do an e2e test with platform. I'll add a local e2e test that just tests the detection of config secrets -> config reloading. |
|
One minor issue with this double-loading approach is that you can't use secrets in a config include (#5312). On the first load, the secret will be null and the include will likely fail, which means the run will fail However, you should be able to work around this using a dynamic include: includeConfig secrets.GITHUB_TOKEN
? "https://raw.githubusercontent.com/markpanganiban/nf-test/master/ubuntu.config?token=${secrets.GITHUB_TOKEN}"
: '/dev/null'On the first load, it will access the secret, triggering a reload, but won't attempt to include the secured config. On the second load it will include the config. I will add this to the docs on config secrets |
bentsherman
force-pushed
the
fix-plugin-secrets-config
branch
from
e8f25b9 to
5d5ef8a
Compare
bentsherman
force-pushed
the
fix-plugin-secrets-config
branch
from
5d5ef8a to
f03a097
Compare
|
The e2e test that I added is failing in GitHub, but not sure why because it works for me locally |
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
bentsherman
force-pushed
the
fix-plugin-secrets-config
branch
from
dd8a536 to
3cb54c2
Compare
bentsherman
force-pushed
the
fix-plugin-secrets-config
branch
from
3cb54c2 to
2012d05
Compare
Signed-off-by: Ben Sherman <[email protected]>
bentsherman
force-pushed
the
fix-plugin-secrets-config
branch
from
2012d05 to
0ba2507
Compare
| @@ -13,6 +13,8 @@ This feature allows you to decouple the use of secrets in your pipelines from th | |||
|
|
|||
| When a pipeline is launched, Nextflow injects the secrets into the run without leaking them into temporary execution files. Secrets are provided to tasks as environment variables. | |||
|
|
|||
| Secrets can be used with the local executor and the grid executors (e.g., Slurm or Grid Engine). Secrets can be used with the AWS Batch executor when launched from [Seqera Platform](https://seqera.io/blog/pipeline-secrets-secure-handling-of-sensitive-information-in-tower/). | |||
There was a problem hiding this comment.
| Secrets can be used with the local executor and the grid executors (e.g., Slurm or Grid Engine). Secrets can be used with the AWS Batch executor when launched from [Seqera Platform](https://seqera.io/blog/pipeline-secrets-secure-handling-of-sensitive-information-in-tower/). | |
| Secrets can be used with the local executor and grid executors (e.g., Slurm or Grid Engine). Secrets can be used with the AWS Batch executor when launched from [Seqera Platform](https://seqera.io/blog/pipeline-secrets-secure-handling-of-sensitive-information-in-tower/). |
| @@ -45,9 +47,32 @@ aws { | |||
| The above snippet accesses the secrets `MY_ACCESS_KEY` and `MY_SECRET_KEY` and assigns them to the corresponding AWS config settings. | |||
|
|
|||
| :::{warning} | |||
| Secrets cannot be assigned to pipeline parameters. | |||
| Secrets should not be assigned to pipeline parameters, as they can be easily leaked by the pipeline. | |||
There was a problem hiding this comment.
| Secrets should not be assigned to pipeline parameters, as they can be easily leaked by the pipeline. | |
| Secrets should not be assigned to pipeline parameters, as they can be leaked by the pipeline. |
Highly optional suggestion
Fix #5494 #5943
This PR fixes support for plugin secrets (i.e. AWS secrets) in the config by loading the config before resolving plugins. If the config attempts to use secrets, it will be reloaded with the complete set of secrets providers.
This is possible because plugin config must be static, unlike other config which can be dynamic and reference secrets. Therefore, we can simply load the config to extract the list of plugins (and other config settings like
tower.enabledandprocess.executorwhich can trigger additional core plugins.To minimize the impact of loading the config twice, we only reload the config if we detect that secrets were used by the config on the first load. This way, the double config load should only affect users who want to use secrets in the config.
In summary: