From 4efaa7b406736a96b54398605dfd146e0d17b199 Mon Sep 17 00:00:00 2001 From: Haytham Abuelfutuh Date: Sun, 11 Apr 2021 06:59:14 -0700 Subject: [PATCH] Simplify authentication setup docs Signed-off-by: Haytham Abuelfutuh --- deployment/eks/flyte_generated.yaml | 83 +++++++- deployment/gcp/flyte_generated.yaml | 83 +++++++- deployment/sandbox/flyte_generated.yaml | 93 ++++++++- deployment/test/flyte_generated.yaml | 81 +++++++- .../base/admindeployment/auth_secret.yaml | 6 + .../base/admindeployment/deployment.yaml | 182 ++++++++++-------- .../base/admindeployment/kustomization.yaml | 1 + .../headless/config/admin/server.yaml | 24 ++- kustomize/overlays/sandbox/kustomization.yaml | 2 +- rsts/howto/authentication/index.rst | 102 ++++------ 10 files changed, 494 insertions(+), 163 deletions(-) create mode 100644 kustomize/base/admindeployment/auth_secret.yaml diff --git a/deployment/eks/flyte_generated.yaml b/deployment/eks/flyte_generated.yaml index de4d19286b..6d34a7ba16 100644 --- a/deployment/eks/flyte_generated.yaml +++ b/deployment/eks/flyte_generated.yaml @@ -8157,13 +8157,35 @@ data: grpcPort: 8089 security: secure: false - useAuth: false + useAuth: true allowCors: true allowedOrigins: # Accepting all domains for Sandbox installation - "*" allowedHeaders: - "Content-Type" + secrets: + secrets-prefix: /etc/secrets/auth/ + auth: + disableForGrpc: true + httpPublicUri: http://localhost:30081/ + appAuth: + thirdPartyConfig: + flyteClient: + clientId: flytectl + redirectUri: https://localhost:53593/callback + scopes: + - offline + - all + userAuth: + openId: + baseUrl: https://accounts.google.com + scopes: + - profile + - openid + clientId: 657465813211-6eog7ek7li5k7i7fvgv2921075063hpe.apps.googleusercontent.com + callbackUrl: "http://localhost:30081/callback" + redirectUrl: "/api/v1/projects" flyteadmin: roleNameKey: "iam.amazonaws.com/role" profilerPort: 10254 
@@ -8207,7 +8229,7 @@ data: gpu: 1 kind: ConfigMap metadata: - name: flyte-admin-config-t2f9g68k65 + name: flyte-admin-config-7g4m67fbc4 namespace: flyte --- apiVersion: v1 @@ -8392,6 +8414,13 @@ metadata: type: Opaque --- apiVersion: v1 +kind: Secret +metadata: + name: flyte-admin-auth + namespace: flyte +type: Opaque +--- +apiVersion: v1 kind: Service metadata: annotations: @@ -8733,6 +8762,8 @@ spec: name: config-volume - mountPath: /etc/db name: db-pass + - mountPath: /etc/secrets/auth + name: auth - command: - sh - -c @@ -8801,12 +8832,51 @@ spec: name: config-volume - mountPath: /etc/db name: db-pass + - args: + - --localPath + - /etc/secrets/auth-new + command: + - flyteadmin + - --config + - /etc/flyte/config/*.yaml + - secrets + - init + image: ghcr.io/flyteorg/flyteadmin:v0.4.7 + imagePullPolicy: IfNotPresent + name: generate-secrets + volumeMounts: + - mountPath: /etc/flyte/config + name: config-volume + - mountPath: /etc/secrets/auth-new + name: new-auth-secrets + - args: + - --fromPath + - /etc/secrets/auth-new + command: + - flyteadmin + - --config + - /etc/flyte/config/*.yaml + - secrets + - create + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: ghcr.io/flyteorg/flyteadmin:v0.4.7 + imagePullPolicy: IfNotPresent + name: save-secrets + volumeMounts: + - mountPath: /etc/flyte/config + name: config-volume + - mountPath: /etc/secrets/auth-new + name: new-auth-secrets serviceAccountName: flyteadmin volumes: - emptyDir: {} name: shared-data - configMap: - name: flyte-admin-config-t2f9g68k65 + name: flyte-admin-config-7g4m67fbc4 name: config-volume - configMap: name: clusterresource-template-tkdkkt4cb5 @@ -8814,6 +8884,11 @@ spec: - name: db-pass secret: secretName: db-pass-bthd2588cc + - name: auth + secret: + secretName: flyte-admin-auth + - emptyDir: {} + name: new-auth-secrets --- apiVersion: apps/v1 kind: Deployment 
@@ -9086,7 +9161,7 @@ spec: name: clusterresource-template-tkdkkt4cb5 name: resource-templates - configMap: - name: flyte-admin-config-t2f9g68k65 + name: flyte-admin-config-7g4m67fbc4 name: config-volume - name: db-pass secret: diff --git a/deployment/gcp/flyte_generated.yaml b/deployment/gcp/flyte_generated.yaml index 4e7ce1c0c5..e0cf7c0129 100644 --- a/deployment/gcp/flyte_generated.yaml +++ b/deployment/gcp/flyte_generated.yaml @@ -8148,13 +8148,35 @@ data: grpcPort: 8089 security: secure: false - useAuth: false + useAuth: true allowCors: true allowedOrigins: # Accepting all domains for Sandbox installation - "*" allowedHeaders: - "Content-Type" + secrets: + secrets-prefix: /etc/secrets/auth/ + auth: + disableForGrpc: true + httpPublicUri: http://localhost:30081/ + appAuth: + thirdPartyConfig: + flyteClient: + clientId: flytectl + redirectUri: https://localhost:53593/callback + scopes: + - offline + - all + userAuth: + openId: + baseUrl: https://accounts.google.com + scopes: + - profile + - openid + clientId: 657465813211-6eog7ek7li5k7i7fvgv2921075063hpe.apps.googleusercontent.com + callbackUrl: "http://localhost:30081/callback" + redirectUrl: "/api/v1/projects" flyteadmin: roleNameKey: "iam.amazonaws.com/role" profilerPort: 10254 @@ -8198,7 +8220,7 @@ data: gpu: 1 kind: ConfigMap metadata: - name: flyte-admin-config-7k2dmcb4tg + name: flyte-admin-config-27ggcgm724 namespace: flyte --- apiVersion: v1 @@ -8379,6 +8401,13 @@ metadata: type: Opaque --- apiVersion: v1 +kind: Secret +metadata: + name: flyte-admin-auth + namespace: flyte +type: Opaque +--- +apiVersion: v1 kind: Service metadata: name: cloudsqlproxy @@ -8765,6 +8794,8 @@ spec: name: config-volume - mountPath: /etc/db name: db-pass + - mountPath: /etc/secrets/auth + name: auth - command: - sh - -c 
@@ -8833,12 +8864,51 @@ spec: name: config-volume - mountPath: /etc/db name: db-pass + - args: + - --localPath + - /etc/secrets/auth-new + command: + - flyteadmin + - --config + - /etc/flyte/config/*.yaml + - secrets + - init + image: ghcr.io/flyteorg/flyteadmin:v0.4.7 + imagePullPolicy: IfNotPresent + name: generate-secrets + volumeMounts: + - mountPath: /etc/flyte/config + name: config-volume + - mountPath: /etc/secrets/auth-new + name: new-auth-secrets + - args: + - --fromPath + - /etc/secrets/auth-new + command: + - flyteadmin + - --config + - /etc/flyte/config/*.yaml + - secrets + - create + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: ghcr.io/flyteorg/flyteadmin:v0.4.7 + imagePullPolicy: IfNotPresent + name: save-secrets + volumeMounts: + - mountPath: /etc/flyte/config + name: config-volume + - mountPath: /etc/secrets/auth-new + name: new-auth-secrets serviceAccountName: flyteadmin volumes: - emptyDir: {} name: shared-data - configMap: - name: flyte-admin-config-7k2dmcb4tg + name: flyte-admin-config-27ggcgm724 name: config-volume - configMap: name: clusterresource-template-tkdkkt4cb5 @@ -8846,6 +8916,11 @@ spec: - name: db-pass secret: secretName: db-pass-bthd2588cc + - name: auth + secret: + secretName: flyte-admin-auth + - emptyDir: {} + name: new-auth-secrets --- apiVersion: apps/v1 kind: Deployment @@ -9118,7 +9193,7 @@ spec: name: clusterresource-template-tkdkkt4cb5 name: resource-templates - configMap: - name: flyte-admin-config-7k2dmcb4tg + name: flyte-admin-config-27ggcgm724 name: config-volume - name: db-pass secret: diff --git a/deployment/sandbox/flyte_generated.yaml b/deployment/sandbox/flyte_generated.yaml index 8073b2a3f5..327c9b05f3 100644 --- a/deployment/sandbox/flyte_generated.yaml +++ b/deployment/sandbox/flyte_generated.yaml 
@@ -2164,13 +2164,35 @@ data: grpcPort: 8089 security: secure: false - useAuth: false + useAuth: true allowCors: true allowedOrigins: # Accepting all domains for Sandbox installation - "*" allowedHeaders: - "Content-Type" + secrets: + secrets-prefix: /etc/secrets/auth/ + auth: + disableForGrpc: true + httpPublicUri: http://localhost:30081/ + appAuth: + thirdPartyConfig: + flyteClient: + clientId: flytectl + redirectUri: https://localhost:53593/callback + scopes: + - offline + - all + userAuth: + openId: + baseUrl: https://accounts.google.com + scopes: + - profile + - openid + clientId: 657465813211-6eog7ek7li5k7i7fvgv2921075063hpe.apps.googleusercontent.com + callbackUrl: "http://localhost:30081/callback" + redirectUrl: "/api/v1/projects" flyteadmin: roleNameKey: "iam.amazonaws.com/role" profilerPort: 10254 @@ -2206,7 +2228,7 @@ data: gpu: 1 kind: ConfigMap metadata: - name: flyte-admin-config-5b5g7785h8 + name: flyte-admin-config-tkg6c6ft28 namespace: flyte --- apiVersion: v1 @@ -2467,6 +2489,13 @@ metadata: type: Opaque --- apiVersion: v1 +kind: Secret +metadata: + name: flyte-admin-auth + namespace: flyte +type: Opaque +--- +apiVersion: v1 data: password: bXl1c2Vy user_secret: bXlzZWNyZXQ= @@ -2851,7 +2880,7 @@ spec: - --config - /etc/flyte/config/*.yaml - serve - image: ghcr.io/flyteorg/flyteadmin:v0.4.7 + image: ghcr.io/flyteorg/flyteadmin:ee6db644c1ad1495ccd3b2b6fac059133cfb4293-2 imagePullPolicy: IfNotPresent name: flyteadmin ports: @@ -2869,6 +2898,8 @@ spec: name: config-volume - mountPath: /etc/db name: db-pass + - mountPath: /etc/secrets/auth + name: auth - command: - sh - -c @@ -2902,7 +2933,7 @@ spec: - /etc/flyte/config/*.yaml - migrate - run - image: ghcr.io/flyteorg/flyteadmin:v0.4.7 + image: ghcr.io/flyteorg/flyteadmin:ee6db644c1ad1495ccd3b2b6fac059133cfb4293-2 imagePullPolicy: IfNotPresent name: run-migrations volumeMounts: 
@@ -2918,7 +2949,7 @@ spec: - seed-projects - flytesnacks - flyteexamples - image: ghcr.io/flyteorg/flyteadmin:v0.4.7 + image: ghcr.io/flyteorg/flyteadmin:ee6db644c1ad1495ccd3b2b6fac059133cfb4293-2 imagePullPolicy: IfNotPresent name: seed-projects volumeMounts: @@ -2932,7 +2963,7 @@ spec: - /etc/flyte/config/*.yaml - clusterresource - sync - image: ghcr.io/flyteorg/flyteadmin:v0.4.7 + image: ghcr.io/flyteorg/flyteadmin:ee6db644c1ad1495ccd3b2b6fac059133cfb4293-2 imagePullPolicy: IfNotPresent name: sync-cluster-resources volumeMounts: @@ -2942,6 +2973,45 @@ spec: name: config-volume - mountPath: /etc/db name: db-pass + - args: + - --localPath + - /etc/secrets/auth-new + command: + - flyteadmin + - --config + - /etc/flyte/config/*.yaml + - secrets + - init + image: ghcr.io/flyteorg/flyteadmin:ee6db644c1ad1495ccd3b2b6fac059133cfb4293-2 + imagePullPolicy: IfNotPresent + name: generate-secrets + volumeMounts: + - mountPath: /etc/flyte/config + name: config-volume + - mountPath: /etc/secrets/auth-new + name: new-auth-secrets + - args: + - --fromPath + - /etc/secrets/auth-new + command: + - flyteadmin + - --config + - /etc/flyte/config/*.yaml + - secrets + - create + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: ghcr.io/flyteorg/flyteadmin:ee6db644c1ad1495ccd3b2b6fac059133cfb4293-2 + imagePullPolicy: IfNotPresent + name: save-secrets + volumeMounts: + - mountPath: /etc/flyte/config + name: config-volume + - mountPath: /etc/secrets/auth-new + name: new-auth-secrets serviceAccountName: flyteadmin volumes: - configMap: @@ -2950,11 +3020,16 @@ spec: - emptyDir: {} name: shared-data - configMap: - name: flyte-admin-config-5b5g7785h8 + name: flyte-admin-config-tkg6c6ft28 name: config-volume - name: db-pass secret: secretName: db-pass-9dgchhk2bm + - name: auth + secret: + secretName: flyte-admin-auth + - emptyDir: {} + name: new-auth-secrets --- apiVersion: apps/v1 kind: Deployment 
@@ -3328,7 +3403,7 @@ spec: - /etc/flyte/config/*.yaml - clusterresource - sync - image: ghcr.io/flyteorg/flyteadmin:v0.4.7 + image: ghcr.io/flyteorg/flyteadmin:ee6db644c1ad1495ccd3b2b6fac059133cfb4293-2 imagePullPolicy: IfNotPresent name: sync-cluster-resources volumeMounts: @@ -3345,7 +3420,7 @@ spec: name: clusterresource-template-dtg8ff28mt name: resource-templates - configMap: - name: flyte-admin-config-5b5g7785h8 + name: flyte-admin-config-tkg6c6ft28 name: config-volume - name: db-pass secret: diff --git a/deployment/test/flyte_generated.yaml b/deployment/test/flyte_generated.yaml index d0f417a8fa..d8fc2e281a 100644 --- a/deployment/test/flyte_generated.yaml +++ b/deployment/test/flyte_generated.yaml @@ -312,13 +312,35 @@ data: grpcPort: 8089 security: secure: false - useAuth: false + useAuth: true allowCors: true allowedOrigins: # Accepting all domains for Sandbox installation - "*" allowedHeaders: - "Content-Type" + secrets: + secrets-prefix: /etc/secrets/auth/ + auth: + disableForGrpc: true + httpPublicUri: http://localhost:30081/ + appAuth: + thirdPartyConfig: + flyteClient: + clientId: flytectl + redirectUri: https://localhost:53593/callback + scopes: + - offline + - all + userAuth: + openId: + baseUrl: https://accounts.google.com + scopes: + - profile + - openid + clientId: 657465813211-6eog7ek7li5k7i7fvgv2921075063hpe.apps.googleusercontent.com + callbackUrl: "http://localhost:30081/callback" + redirectUrl: "/api/v1/projects" flyteadmin: roleNameKey: "iam.amazonaws.com/role" profilerPort: 10254 @@ -354,7 +376,7 @@ data: gpu: 1 kind: ConfigMap metadata: - name: flyte-admin-config-k7f4k7g76c + name: flyte-admin-config-42thh57bff namespace: flyte --- apiVersion: v1 @@ -471,6 +493,13 @@ metadata: type: Opaque --- apiVersion: v1 +kind: Secret +metadata: + name: flyte-admin-auth + namespace: flyte +type: Opaque +--- +apiVersion: v1 kind: Service metadata: annotations: 
@@ -723,6 +752,8 @@ spec: name: config-volume - mountPath: /etc/db name: db-pass + - mountPath: /etc/secrets/auth + name: auth - command: - sh - -c @@ -796,6 +827,45 @@ spec: name: config-volume - mountPath: /etc/db name: db-pass + - args: + - --localPath + - /etc/secrets/auth-new + command: + - flyteadmin + - --config + - /etc/flyte/config/*.yaml + - secrets + - init + image: ghcr.io/flyteorg/flyteadmin:v0.4.7 + imagePullPolicy: IfNotPresent + name: generate-secrets + volumeMounts: + - mountPath: /etc/flyte/config + name: config-volume + - mountPath: /etc/secrets/auth-new + name: new-auth-secrets + - args: + - --fromPath + - /etc/secrets/auth-new + command: + - flyteadmin + - --config + - /etc/flyte/config/*.yaml + - secrets + - create + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: ghcr.io/flyteorg/flyteadmin:v0.4.7 + imagePullPolicy: IfNotPresent + name: save-secrets + volumeMounts: + - mountPath: /etc/flyte/config + name: config-volume + - mountPath: /etc/secrets/auth-new + name: new-auth-secrets serviceAccountName: flyteadmin volumes: - configMap: @@ -804,11 +874,16 @@ spec: - emptyDir: {} name: shared-data - configMap: - name: flyte-admin-config-k7f4k7g76c + name: flyte-admin-config-42thh57bff name: config-volume - name: db-pass secret: secretName: db-pass-9dgchhk2bm + - name: auth + secret: + secretName: flyte-admin-auth + - emptyDir: {} + name: new-auth-secrets --- apiVersion: apps/v1 kind: Deployment diff --git a/kustomize/base/admindeployment/auth_secret.yaml b/kustomize/base/admindeployment/auth_secret.yaml new file mode 100644 index 0000000000..9a1281d776 --- /dev/null +++ b/kustomize/base/admindeployment/auth_secret.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Secret +metadata: + name: flyte-admin-auth + namespace: flyte +type: Opaque diff --git a/kustomize/base/admindeployment/deployment.yaml b/kustomize/base/admindeployment/deployment.yaml index b77ea096a1..846f6f1ac5 100644 
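Review bot: `flyte-admin-auth` is committed as an empty Opaque Secret with no `data`, and the only things that ever give it content are out-of-band steps — the `kubectl edit secret` in the rst hunk that adds `oidc_client_secret`, and presumably whatever the new `save-secrets` init container writes (its target Secret name is not visible in this patch). Nothing in the manifest says so, so someone applying this base gets a pod with an empty `/etc/secrets/auth` mount and no hint why login fails. A comment above `type: Opaque` would make the contract explicit: `# Intentionally empty: the oidc_client_secret key is added out of band (see rsts/howto/authentication); never commit real values here.` Because the keys live only in the cluster, re-applying this file with replace semantics (`kubectl replace`) would wipe them, which the docs should warn about.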
--- a/kustomize/base/admindeployment/deployment.yaml +++ b/kustomize/base/admindeployment/deployment.yaml 
@@ -24,81 +24,113 @@ spec: spec: serviceAccountName: flyteadmin volumes: - - name: shared-data - emptyDir: {} - - name: config-volume - configMap: - name: flyte-admin-config - - name: resource-templates - configMap: - name: clusterresource-template - - name: db-pass - secret: - secretName: db-pass - initContainers: - - name: run-migrations - image: flyteadmin:v0.4.0 - imagePullPolicy: IfNotPresent - command: ["flyteadmin", "--config", "/etc/flyte/config/*.yaml", "migrate", "run"] - volumeMounts: - - name: config-volume - mountPath: /etc/flyte/config - - name: db-pass - mountPath: /etc/db - # Optional, These just seed the project - TODO move them to only - - name: seed-projects - image: flyteadmin:v0.4.0 - imagePullPolicy: IfNotPresent - command: ["flyteadmin", "--config", "/etc/flyte/config/*.yaml", - "migrate", "seed-projects", "flytesnacks", "flytetester", "flyteexamples"] - volumeMounts: - - name: config-volume - mountPath: /etc/flyte/config - - name: db-pass - mountPath: /etc/db - - name: sync-cluster-resources - image: flyteadmin:v0.4.0 - imagePullPolicy: IfNotPresent - command: ["flyteadmin", "--config", "/etc/flyte/config/*.yaml", "clusterresource", "sync"] - volumeMounts: - - name: resource-templates - mountPath: /etc/flyte/clusterresource/templates - - name: config-volume - mountPath: /etc/flyte/config - - name: db-pass - mountPath: /etc/db - containers: - - name: flyteadmin - image: flyteadmin:v0.4.0 - imagePullPolicy: IfNotPresent - command: ["flyteadmin", "--config", "/etc/flyte/config/*.yaml", "serve"] - ports: - - containerPort: 8088 - - containerPort: 8089 - volumeMounts: - name: shared-data - mountPath: /srv/flyte + emptyDir: { } - name: config-volume - mountPath: /etc/flyte/config + configMap: + name: flyte-admin-config + - name: resource-templates + configMap: + name: clusterresource-template - name: db-pass - mountPath: /etc/db - - name: redoc - image: docker.io/redocly/redoc - imagePullPolicy: IfNotPresent - ports: - - containerPort: 8087 - 
resources: - limits: - memory: "200Mi" - cpu: "0.1" - command: - - sh - - -c - - ln -s /usr/share/nginx/html /usr/share/nginx/html/openapi && sh /usr/local/bin/docker-run.sh - env: - - name: PAGE_TITLE - value: "Flyte Admin OpenAPI" - - name: SPEC_URL - value: "/api/v1/openapi" - - name: PORT - value: "8087" + secret: + secretName: db-pass + - name: auth + secret: + secretName: flyte-admin-auth + - name: new-auth-secrets + emptyDir: { } + initContainers: + - name: run-migrations + image: flyteadmin:v0.4.0 + imagePullPolicy: IfNotPresent + command: [ "flyteadmin", "--config", "/etc/flyte/config/*.yaml", "migrate", "run" ] + volumeMounts: + - name: config-volume + mountPath: /etc/flyte/config + - name: db-pass + mountPath: /etc/db + # Optional, These just seed the project - TODO move them to only + - name: seed-projects + image: flyteadmin:v0.4.0 + imagePullPolicy: IfNotPresent + command: [ "flyteadmin", "--config", "/etc/flyte/config/*.yaml", + "migrate", "seed-projects", "flytesnacks", "flytetester", "flyteexamples" ] + volumeMounts: + - name: config-volume + mountPath: /etc/flyte/config + - name: db-pass + mountPath: /etc/db + - name: sync-cluster-resources + image: flyteadmin:v0.4.0 + imagePullPolicy: IfNotPresent + command: [ "flyteadmin", "--config", "/etc/flyte/config/*.yaml", "clusterresource", "sync" ] + volumeMounts: + - name: resource-templates + mountPath: /etc/flyte/clusterresource/templates + - name: config-volume + mountPath: /etc/flyte/config + - name: db-pass + mountPath: /etc/db + - name: generate-secrets + image: flyteadmin:v0.4.0 + imagePullPolicy: IfNotPresent + command: [ "flyteadmin", "--config", "/etc/flyte/config/*.yaml", "secrets", "init" ] + args: [ "--localPath", "/etc/secrets/auth-new" ] + volumeMounts: + - name: config-volume + mountPath: /etc/flyte/config + - name: new-auth-secrets + mountPath: /etc/secrets/auth-new + - name: save-secrets + image: flyteadmin:v0.4.0 + imagePullPolicy: IfNotPresent + command: [ "flyteadmin", "--config", 
"/etc/flyte/config/*.yaml", "secrets", "create" ] + args: [ "--fromPath", "/etc/secrets/auth-new" ] + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + volumeMounts: + - name: config-volume + mountPath: /etc/flyte/config + - name: new-auth-secrets + mountPath: /etc/secrets/auth-new + containers: + - name: flyteadmin + image: flyteadmin:v0.4.0 + imagePullPolicy: IfNotPresent + command: [ "flyteadmin", "--config", "/etc/flyte/config/*.yaml", "serve" ] + ports: + - containerPort: 8088 + - containerPort: 8089 + volumeMounts: + - name: shared-data + mountPath: /srv/flyte + - name: config-volume + mountPath: /etc/flyte/config + - name: db-pass + mountPath: /etc/db + - name: auth + mountPath: /etc/secrets/auth + - name: redoc + image: docker.io/redocly/redoc + imagePullPolicy: IfNotPresent + ports: + - containerPort: 8087 + resources: + limits: + memory: "200Mi" + cpu: "0.1" + command: + - sh + - -c + - ln -s /usr/share/nginx/html /usr/share/nginx/html/openapi && sh /usr/local/bin/docker-run.sh + env: + - name: PAGE_TITLE + value: "Flyte Admin OpenAPI" + - name: SPEC_URL + value: "/api/v1/openapi" + - name: PORT + value: "8087" diff --git a/kustomize/base/admindeployment/kustomization.yaml b/kustomize/base/admindeployment/kustomization.yaml index a944d005ca..5c3fedd15b 100644 --- a/kustomize/base/admindeployment/kustomization.yaml +++ b/kustomize/base/admindeployment/kustomization.yaml @@ -1,3 +1,4 @@ resources: +- auth_secret.yaml - deployment.yaml - service.yaml diff --git a/kustomize/base/single_cluster/headless/config/admin/server.yaml b/kustomize/base/single_cluster/headless/config/admin/server.yaml index 253bf8c776..3607631073 100644 --- a/kustomize/base/single_cluster/headless/config/admin/server.yaml +++ b/kustomize/base/single_cluster/headless/config/admin/server.yaml 
@@ -3,13 +3,35 @@ server: grpcPort: 8089 security: secure: false - useAuth: false + useAuth: true allowCors: true allowedOrigins: # Accepting all domains for Sandbox installation - "*" allowedHeaders: - "Content-Type" +secrets: + secrets-prefix: /etc/secrets/auth/ +auth: + disableForGrpc: true + httpPublicUri: http://localhost:30081/ + appAuth: + thirdPartyConfig: + flyteClient: + clientId: flytectl + redirectUri: https://localhost:53593/callback + scopes: + - offline + - all + userAuth: + openId: + baseUrl: https://accounts.google.com + scopes: + - profile + - openid + clientId: 657465813211-6eog7ek7li5k7i7fvgv2921075063hpe.apps.googleusercontent.com + callbackUrl: "http://localhost:30081/callback" + redirectUrl: "/api/v1/projects" flyteadmin: roleNameKey: "iam.amazonaws.com/role" profilerPort: 10254 diff --git a/kustomize/overlays/sandbox/kustomization.yaml b/kustomize/overlays/sandbox/kustomization.yaml index bb1e00f598..bdc0e1e899 100644 --- a/kustomize/overlays/sandbox/kustomization.yaml +++ b/kustomize/overlays/sandbox/kustomization.yaml @@ -25,7 +25,7 @@ resources: images: # FlyteAdmin - name: flyteadmin # match images with this name - newTag: v0.4.7 # FLYTEADMIN_TAG override the tag + newTag: ee6db644c1ad1495ccd3b2b6fac059133cfb4293-2 # FLYTEADMIN_TAG override the tag newName: ghcr.io/flyteorg/flyteadmin # override the name # FlyteConsole - name: flyteconsole # match images with this name diff --git a/rsts/howto/authentication/index.rst b/rsts/howto/authentication/index.rst index 9ff67eee9e..fd04277add 100644 --- a/rsts/howto/authentication/index.rst +++ b/rsts/howto/authentication/index.rst 
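Review bot: `useAuth: true` is paired here with `disableForGrpc: true`, `secure: false`, `allowedOrigins: "*"` and plain-`http://localhost:30081` values for `httpPublicUri` and `callbackUrl`, so this base enables cookie-based login on the HTTP port only while the gRPC port (8089) stays unauthenticated and the OAuth callback travels over cleartext; fine for a sandbox, but this is the shared single-cluster base and the diffstat shows the same values landing in the eks and gcp generated manifests. A comment should state the intent so overlays override it, e.g. `# Sandbox defaults: gRPC auth is off and the callback is plain HTTP. Production overlays must set disableForGrpc: false and https values for httpPublicUri/callbackUrl.` The committed Google `clientId` appears to be one specific project's OAuth client; the docs ask users to replace it, but a `# replace with your own OAuth client id` note beside it would stop copies shipping with someone else's client. The `openId` block carries no client secret, so the secret is presumably read from `secrets-prefix`; if the expected filename is fixed (the docs use `oidc_client_secret`), naming it in a comment here would save a round trip through the docs.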
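Review bot: The sandbox overlay pins flyteadmin to `ee6db644c1ad1495ccd3b2b6fac059133cfb4293-2`, a commit-build tag rather than a release, while the eks, gcp and test generated manifests in this same patch stay on `v0.4.7` yet gain the identical `secrets init` / `secrets create` init containers. If the `secrets` subcommand only exists in the newer build — which a sandbox-only bump suggests — those other deployments will crash-loop in `generate-secrets`; either bump them as well or cut a release and pin every overlay to it. For the admin server image a digest pin (`newTag` plus `digest: sha256:…`, which kustomize's `images` field supports) would also make the reference immutable rather than relying on a registry tag.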
@@ -62,92 +62,62 @@ Please refer to the `inline documentation `__ on how to configure the IdP for OpenIDConnect. + +.. note:: -Flyte Admin secures cookies using AES encryption. In order to achieve that, follow the steps below: + Make sure to create an OAuth2 Client Credential. The `client_id` and `client_secret` will be needed in the following + steps. -1. Generate secure cookie keys. Run this command to generate new keys: +2. Store the `client_secret` in a k8s secrt as follows: .. prompt:: bash - go test -v github.com/lyft/flyteadmin/pkg/auth -run TestSecureCookieLifecycle + kubectl edit secret -n flyte flyte-admin-auth -2. Create two secrets in the ``flyte`` namespace with the generated keys: +Add a new key under `data`: -.. prompt:: bash +.. code-block:: yaml - kubectl create secret generic flyteadmin-cookie-blockkey -n flyte --from-literal=blockkey= + stringData: + oidc_client_secret: from the previous step -.. prompt:: bash +Save and close your editor. - kubectl create secret generic flyteadmin-cookie-hashkey -n flyte --from-literal=hashkey= - kubectl create secret generic flytepropeller-oauth -n flyte --from-literal=secret=5aATwGcDZmFd3n0mLDbuR1uA - -3. Configure FlyteAdmin deployment to mount them to FlyteAdmin pod. - e.g. Add the following to your existing configuration - - .. code-block:: yaml - - containers: - name: flyteadmin - volumeMounts: - - mountPath: /etc/secrets/oauth - name: oauth - readOnly: true - - mountPath: /etc/secrets/hashkey - name: hashkey - readOnly: true - - mountPath: /etc/secrets/blockkey - name: blockkey - readOnly: true - volumes: - - name: oauth - secret: - defaultMode: 420 - secretName: flyteadmin-oauth-client - - name: hashkey - secret: - defaultMode: 420 - secretName: flyteadmin-cookie-hashkey - - name: blockkey - secret: - defaultMode: 420 - secretName: flyteadmin-cookie-blockkey +3. Edit FlyteAdmin config to add `client_id` as follows: -Google IdP -########## +.. prompt:: bash -1. 
Follow `Google Docs `__ on how to configure the IdP for OpenIDConnect. + kubectl deploy -n flyte flyteadmin -o yaml | grep "name: flyte-admin-config" -2. Create a secret in the ``flyte`` namespace with the value of the client password. +This will output the name of the config map where the `client_id` need to go. .. prompt:: bash - kubectl create secret generic -n flyte flyteadmin-oauth-client --from-literal=secret= + kubectl edit configmap -n flyte + +Find `client_id` and replace with the copied `client_id` + +.. code-block:: yaml + + clientId: 657465813211-6eog7ek7li5k7i7fvgv2921075063hpe.apps.googleusercontent.com -3. Configure Flyte Admin with the following configuration: +Find `useAuth` and enable Auth enforcement: .. code-block:: yaml - server: - security: - useAuth: true - oauth: - scopes: - - profile - - openid - claims: - iss: https://accounts.google.com - aud: - clientId: - clientSecretFile: "/etc/secrets/oauth/secret" - cookieHashKeyFile: "/etc/secrets/hashkey/hashkey" - cookieBlockKeyFile: "/etc/secrets/blockkey/blockkey" - authorizeUrl: "https://accounts.google.com/o/oauth2/v2/auth?access_type=offline" - tokenUrl: "https://oauth2.googleapis.com/token" - callbackUrl: "http://localhost:8088/callback" - redirectUrl: "/api/v1/projects" + useAuth: true + +Save and exit your editor. + +4. Restart `flyteadmin` for the changes to take effect: + +.. prompt:: bash + + kubectl rollout restart deployment/flyteadmin -n flyte ****** CI