Metaflow Support for CSI Secret Store secret driver & exit hooks.

[roofurmston]

We are using Argo Workflows extensively for all of our workflows. We are looking to rollout Metaflow, but there are several pieces of Argo functionality not currently supported by Metaflow.

These include the following:

• We use the CSI secret store driver to load secrets directly from AWS secret manager. This requires us to define volumes on a workflow-level and volume mounts on a step-level.

• We use exit hooks to (conditionally) trigger templates when a workflow exits.

An example workflow with these two use cases is given below.

apiVersion: argoproj.io/v1alpha1
kind: CronWorkflow
metadata:
  name: test-csi-secrets-cronworkflow
spec:
  schedule: "30 9 * * *"
  concurrencyPolicy: "Forbid"
  startingDeadlineSeconds: 0
  workflowSpec:
    entrypoint: test-secret-template
    serviceAccountName: example-serviceaccount
    hooks:
      exit:
        templateRef:
          name: slack-alerting-namespace-templates
          template: send-slack-message
    volumes:
    - name: secrets-store-inline
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "example-mlpipeline-secrets"
    templates:
    - name: test-secret-template
      container:
        volumeMounts:
        - name: secrets-store-inline
          mountPath: "/mnt/secrets-store"
          readOnly: true
        image: python:3.9-slim
        command: ["/bin/sh"]
        args: ["-c", "echo $SECRET_USERNAME; echo $SECRET_PASSWORD"]
        env:
        - name: SECRET_USERNAME
          valueFrom:
            secretKeyRef:
              name: testsecret
              key: username
        - name: SECRET_PASSWORD
          valueFrom:
            secretKeyRef:
              name: testsecret
              key: password

It would be great if Metaflow supported volumes, volume mounts and hooks so that these pieces of Argo functionality can be used. via Metaflow.