https://outerbounds.com/ logo
Join Slack
Powered by
Second conda question: I am distributing internal ...
# dev-metaflow
e
Second conda question: I am distributing internal libraries as conda packages, through an internal conda channel. This channel is protected using BasicHTTPAuth, so it takes credentials to pull a package. What I found on the doc is the ability to use the conda syntax 
channel::package
to specify a channel, however it implies this info is written in plain text in the workflow file. In my case it would be 
<https://login:password@private_channel::package|https://login:password@private_channel::package>
, which would require exposing secrets, which you can understand is a problem to me. Is there a way to leverage a secret there? Or do you know is it is possible to make a custom value for the 
CONDA_CHANNELS
env var available to conda/mamba when creating the environment? This env var has the highest priority to specify channels in the conda ecosystem, so if I can have it be a secret and be available at the right time, there's a chance it could work.
โœ… 1
d
(itโ€™s an env-var but you can set it however you want. still leaks a bit but maybe not as much)
a
@elegant-lamp-40213 correct - you can just set CONDA_CHANNELS env var outside of metaflow and metaflow will automatically respect it
๐Ÿ‘ 1
Fetching the credentials from a secret manager behind the scenes is on our TODO list. What secret manager are you using today?
One mechanism would be to create a script that sets the right auth values to the CONDA_CHANNELS env var from your secret manager and then invokes python flow.py run
e
I am using Bitnami's SealedSecret in my K8s cluster. So it is treated like standard kubernetes secrets and managed by a controller at the cluster level.
It seems like 
CONDA_SRCS_AUTH_INFO
managed as a secret could be a nice solution.
a
We donโ€™t pull down packages from the conda channel inside the kubernetes pod when you are running a step with @kubernetes
If you are running metaflow from within a kubernetes pod, then just setting CONDA_CHANNELS to the right value (referencing the secret) should work out of the box
e
Ok, I believe I tested that. I will test again, then. Thank you for pointing the direction ๐Ÿ™‚
I just realize there is no Conda package to distribute 
metaflow-netflixext
. If I create one on conda-forge, who from the Metaflow team would like to be referenced as a recipe maintainer?
d
You can put me.
Or better: metaflow-dev@netflix.com. Thanks!!
e
I can only add maintainers through a GitHub handle, emails can't be used in this case.
d
Ah. Ok so me. Romain-Intel is my handle.
๐Ÿ‘ 1
e
Fyi @dry-beach-38304, 
metaflow-netflixext
is now available through conda-forge. This package is created from the sources published with the Pypi package, so nothing to change on your release process. One of the conda-forge bots will detect new versions released and open a PR to reflect changes on the conda recipe. I also enabled an automerge feature, so in case where the new recipe successfully builds on the new version branch, the PR would be merged by the bot. This may fail if dependencies need to be updated.
Take home message: the package is available on the conda ecosystem https://anaconda.org/conda-forge/metaflow-netflixext And upon new release on Pypi, there's a chance the new version would rollout to conda-forge automatically.
โค๏ธ 1
d
Thank you!!
5 Views
Open in Slack
PreviousNext
Powered by