From f3e3388681e985d96095611a45428b6587df2a20 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=B6ren=20Brunk?= Date: Fri, 7 May 2021 11:19:00 +0200 Subject: [PATCH] Add Auth support to Helm chart MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Move grpc routes into template function Based on - 840f250d Add Auth Ingress endpoints (#982) - 1ede3750 Authentication Config Examples (#970) - 77941a32 explicitly grant flyteworkflow finalizer permissions to flytepropeller (#930) Signed-off-by: Sören Brunk --- helm/templates/admin/deployment.yaml | 143 +++++++++++++---------- helm/templates/common/ingress.yaml | 102 +++++++--------- helm/templates/propeller/deployment.yaml | 9 +- helm/templates/propeller/rbac.yaml | 6 + helm/values-gcp.yaml | 20 ++++ helm/values.yaml | 46 +++++++- 6 files changed, 200 insertions(+), 126 deletions(-) diff --git a/helm/templates/admin/deployment.yaml b/helm/templates/admin/deployment.yaml index d088d44c6e..da644f9731 100644 --- a/helm/templates/admin/deployment.yaml +++ b/helm/templates/admin/deployment.yaml 
@@ -18,57 +18,73 @@ spec: labels: {{ include "flyteadmin.labels" . | nindent 8 }} spec: initContainers: - {{- if .Values.postgres.enabled }} - - name: check-db-ready - image: postgres:10.16-alpine - command: - - sh - - -c - - until pg_isready -h postgres -p 5432; do echo waiting for database; sleep 2; done; - {{- end }} - - command: - - flyteadmin - - --config - - {{ .Values.flyteadmin.configPath }} - - migrate - - run - image: "{{ .Values.flyteadmin.image.repository }}:{{ .Values.flyteadmin.image.tag }}" - imagePullPolicy: "{{ .Values.flyteadmin.image.pullPolicy }}" - name: run-migrations - volumeMounts: {{- include "databaseSecret.volumeMount" . | nindent 8 }} - - mountPath: /etc/flyte/config - name: config-volume - - command: - - flyteadmin - - --config - - {{ .Values.flyteadmin.configPath }} - - migrate - - seed-projects - - flytesnacks - - flytetester - - flyteexamples - image: "{{ .Values.flyteadmin.image.repository }}:{{ .Values.flyteadmin.image.tag }}" - imagePullPolicy: "{{ .Values.flyteadmin.image.pullPolicy }}" - name: seed-projects - volumeMounts: {{- include "databaseSecret.volumeMount" . | nindent 8 }} - - mountPath: /etc/flyte/config - name: config-volume - {{- if .Values.cluster_resource_manager.enabled }} - - command: - - flyteadmin - - --config - - {{ .Values.flyteadmin.configPath }} - - clusterresource - - sync - image: "{{ .Values.flyteadmin.image.repository }}:{{ .Values.flyteadmin.image.tag }}" - imagePullPolicy: "{{ .Values.flyteadmin.image.pullPolicy }}" - name: sync-cluster-resources - volumeMounts: {{- include "databaseSecret.volumeMount" . 
| nindent 8 }} - - mountPath: /etc/flyte/clusterresource/templates - name: resource-templates - - mountPath: /etc/flyte/config - name: config-volume - {{- end }} + {{- if .Values.postgres.enabled }} + - name: check-db-ready + image: postgres:10.16-alpine + command: + - sh + - -c + - until pg_isready -h postgres -p 5432; do echo waiting for database; sleep 2; done; + {{- end }} + - command: + - flyteadmin + - --config + - {{ .Values.flyteadmin.configPath }} + - migrate + - run + image: "{{ .Values.flyteadmin.image.repository }}:{{ .Values.flyteadmin.image.tag }}" + imagePullPolicy: "{{ .Values.flyteadmin.image.pullPolicy }}" + name: run-migrations + volumeMounts: {{- include "databaseSecret.volumeMount" . | nindent 8 }} + - mountPath: /etc/flyte/config + name: config-volume + - command: + - flyteadmin + - --config + - {{ .Values.flyteadmin.configPath }} + - migrate + - seed-projects + - flytesnacks + - flytetester + - flyteexamples + image: "{{ .Values.flyteadmin.image.repository }}:{{ .Values.flyteadmin.image.tag }}" + imagePullPolicy: "{{ .Values.flyteadmin.image.pullPolicy }}" + name: seed-projects + volumeMounts: {{- include "databaseSecret.volumeMount" . | nindent 8 }} + - mountPath: /etc/flyte/config + name: config-volume + {{- if .Values.cluster_resource_manager.enabled }} + - command: + - flyteadmin + - --config + - {{ .Values.flyteadmin.configPath }} + - clusterresource + - sync + image: "{{ .Values.flyteadmin.image.repository }}:{{ .Values.flyteadmin.image.tag }}" + imagePullPolicy: "{{ .Values.flyteadmin.image.pullPolicy }}" + name: sync-cluster-resources + volumeMounts: {{- include "databaseSecret.volumeMount" . 
| nindent 8 }} + - mountPath: /etc/flyte/clusterresource/templates + name: resource-templates + - mountPath: /etc/flyte/config + name: config-volume + {{- end }} + - name: generate-secrets + image: "{{ .Values.flyteadmin.image.repository }}:{{ .Values.flyteadmin.image.tag }}" + imagePullPolicy: "{{ .Values.flyteadmin.image.pullPolicy }}" + command: ["/bin/sh", "-c"] + args: + [ + "flyteadmin --config={{ .Values.flyteadmin.configPath }} secrets init --localPath /etc/secrets/auth && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --fromPath /etc/secrets/auth", + ] + volumeMounts: + - name: config-volume + mountPath: /etc/flyte/config + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace containers: - command: - flyteadmin @@ -90,6 +106,8 @@ spec: name: shared-data - mountPath: /etc/flyte/config name: config-volume + - name: auth + mountPath: /etc/secrets/ - command: - sh - -c @@ -112,16 +130,19 @@ spec: memory: 200Mi serviceAccountName: {{ template "flyteadmin.name" . }} volumes: {{- include "databaseSecret.volume" . | nindent 6 }} - - emptyDir: {} - name: shared-data - - configMap: - name: flyte-admin-config - name: config-volume - {{- if .Values.cluster_resource_manager.enabled }} - - configMap: - name: clusterresource-template - name: resource-templates - {{- end }} + - emptyDir: {} + name: shared-data + - configMap: + name: flyte-admin-config + name: config-volume + {{- if .Values.cluster_resource_manager.enabled }} + - configMap: + name: clusterresource-template + name: resource-templates + {{- end }} + - name: auth + secret: + secretName: flyte-admin-auth {{- with .Values.flyteadmin.nodeSelector }} nodeSelector: {{ toYaml . | nindent 8 }} {{- end }} diff --git a/helm/templates/common/ingress.yaml b/helm/templates/common/ingress.yaml index 3fdaa05ca6..7b70e4c5d5 100644 --- a/helm/templates/common/ingress.yaml +++ b/helm/templates/common/ingress.yaml 
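Review bot: The second `flyteadmin` invocation in the `generate-secrets` init container uses `--config=/etc/flyte/config/*.yaml` while the first call, and every other init container in this hunk, uses `{{ .Values.flyteadmin.configPath }}`; the glob is expanded by `/bin/sh -c` and turns into several positional arguments as soon as the config map holds more than one file. Use `--config={{ .Values.flyteadmin.configPath }}` in both places. Note also that `secrets create` writes a Secret into `$POD_NAMESPACE` through the API server, which needs create/update on secrets for the flyteadmin service account; this patch changes RBAC only for propeller, so confirm the existing flyteadmin role already grants it.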
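Review bot: The new `auth` volume references Secret `flyte-admin-auth` without `optional: true`, yet the only thing in this patch that creates that Secret is the `generate-secrets` init container of the same Deployment; kubelet sets up Secret volumes before any init container runs, so unless the Secret is created elsewhere (not visible in this patch) the pod stays in ContainerCreating and the init container never gets to create it. Either add `optional: true` under `secret:` so the volume mounts empty and is populated once the Secret exists, or create the Secret from a separate template and document that dependency next to the volume.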
@@ -1,3 +1,36 @@ +{{- define "grpcRoutes" -}} +# NOTE: Port 81 in flyteadmin is the GRPC server port for FlyteAdmin. +- path: /flyteidl.service.AdminService + pathType: ImplementationSpecific + backend: + serviceName: flyteadmin + servicePort: 81 +- path: /flyteidl.service.AdminService/* + pathType: ImplementationSpecific + backend: + serviceName: flyteadmin + servicePort: 81 +- path: /flyteidl.service.AuthMetadataService + pathType: ImplementationSpecific + backend: + serviceName: flyteadmin + servicePort: 81 +- path: /flyteidl.service.AuthMetadataService/* + pathType: ImplementationSpecific + backend: + serviceName: flyteadmin + servicePort: 81 +- path: /flyteidl.service.IdentityService + pathType: ImplementationSpecific + backend: + serviceName: flyteadmin + servicePort: 81 +- path: /flyteidl.service.IdentityService/* + pathType: ImplementationSpecific + backend: + serviceName: flyteadmin + servicePort: 81 +{{- end }} {{- if .Values.common.ingress.enabled }} apiVersion: networking.k8s.io/v1beta1 kind: Ingress @@ -69,6 +102,11 @@ spec: backend: serviceName: flyteadmin servicePort: 80 + - path: /.well-known + pathType: ImplementationSpecific + backend: + serviceName: flyteadmin + servicePort: 80 - path: /.well-known/* pathType: ImplementationSpecific backend: 
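Review bot: The new named template is called `grpcRoutes` with no chart prefix, while the helpers this patch already includes (`flyteadmin.labels`, `databaseSecret.volumeMount`, `flytepropeller.labels`) are namespaced; Helm named templates are global across a release, subcharts included, so a bare name like this silently overrides or is overridden by any other chart that defines the same one. Rename it, e.g. `{{- define "flyte.grpcRoutes" -}}`, and update the two `include` calls in this file. The `# NOTE:` comment inside the define could also say why every service appears twice, with and without the `/*` suffix, since that is not obvious to a reader.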
@@ -120,37 +158,7 @@ spec: serviceName: flyteadmin servicePort: 80 {{- if not .Values.common.ingress.separateGrpcIngress }} - # NOTE: Port 81 in flyteadmin is the GRPC server port for FlyteAdmin. - - path: /flyteidl.service.AdminService - pathType: ImplementationSpecific - backend: - serviceName: flyteadmin - servicePort: 81 - - path: /flyteidl.service.AdminService/* - pathType: ImplementationSpecific - backend: - serviceName: flyteadmin - servicePort: 81 - - path: /flyteidl.service.AuthMetadataService - pathType: ImplementationSpecific - backend: - serviceName: flyteadmin - servicePort: 81 - - path: /flyteidl.service.AuthMetadataService/* - pathType: ImplementationSpecific - backend: - serviceName: flyteadmin - servicePort: 81 - - path: /flyteidl.service.IdentityService - pathType: ImplementationSpecific - backend: - serviceName: flyteadmin - servicePort: 81 - - path: /flyteidl.service.IdentityService/* - pathType: ImplementationSpecific - backend: - serviceName: flyteadmin - servicePort: 81 + {{- include "grpcRoutes" . | nindent 10 -}} {{- end }} {{- with .Values.common.ingress.host }} host: {{ . }} 
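Review bot: `{{- include "grpcRoutes" . | nindent 10 -}}` right-trims the newline after the included block; it works here only because the next line is the `{{- end }}` template action (and `{{- with ... }}` in the following hunk at `@@ -190`), but any plain YAML line added after it later would be glued onto the last `servicePort: 81`. Drop the trailing `-` and write `{{- include "grpcRoutes" . | nindent 10 }}`; the same applies to the include in the next hunk of this file.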
@@ -190,37 +198,7 @@ spec: path: /* pathType: ImplementationSpecific {{- end }} - # NOTE: Port 81 in flyteadmin is the GRPC server port for FlyteAdmin. - - path: /flyteidl.service.AdminService - pathType: ImplementationSpecific - backend: - serviceName: flyteadmin - servicePort: 81 - - path: /flyteidl.service.AdminService/* - pathType: ImplementationSpecific - backend: - serviceName: flyteadmin - servicePort: 81 - - path: /flyteidl.service.AuthMetadataService - pathType: ImplementationSpecific - backend: - serviceName: flyteadmin - servicePort: 81 - - path: /flyteidl.service.AuthMetadataService/* - pathType: ImplementationSpecific - backend: - serviceName: flyteadmin - servicePort: 81 - - path: /flyteidl.service.IdentityService - pathType: ImplementationSpecific - backend: - serviceName: flyteadmin - servicePort: 81 - - path: /flyteidl.service.IdentityService/* - pathType: ImplementationSpecific - backend: - serviceName: flyteadmin - servicePort: 81 + {{- include "grpcRoutes" . | nindent 10 -}} {{- with .Values.common.ingress.host }} host: {{ . }} {{- end }} diff --git a/helm/templates/propeller/deployment.yaml b/helm/templates/propeller/deployment.yaml index fc11b1eb3d..7b5ae7e63a 100644 --- a/helm/templates/propeller/deployment.yaml +++ b/helm/templates/propeller/deployment.yaml @@ -37,13 +37,18 @@ spec: - containerPort: 10254 resources: {{ toYaml .Values.flytepropeller.resources | nindent 10 }} volumeMounts: - - mountPath: /etc/flyte/config - name: config-volume + - name: config-volume + mountPath: /etc/flyte/config + - name: auth + mountPath: /etc/secrets/ serviceAccountName: {{ template "flytepropeller.name" . }} volumes: - configMap: name: flyte-propeller-config name: config-volume + - name: auth + secret: + secretName: flyte-propeller-auth {{- with .Values.flytepropeller.nodeSelector }} nodeSelector: {{ toYaml . | nindent 8 }} {{- end }} diff --git a/helm/templates/propeller/rbac.yaml b/helm/templates/propeller/rbac.yaml index 003704cf3b..bddb8b5688 100644 
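Review bot: The `auth` volume is built from Secret `flyte-propeller-auth`, but nothing in this patch creates that Secret (flyteadmin at least gets a `generate-secrets` init container; propeller gets none) and the volume is not `optional`, so propeller will not start — even with `useAuth: false` in values.yaml — until an operator hand-creates a Secret in the release namespace holding a `client_secret` key, which is the path values.yaml now sets as `clientSecretLocation`. Either gate the volume and mount on the auth setting, add `optional: true` under `secret:`, or ship a Secret template that creates it. Whichever way, a values comment should state where `flyte-propeller-auth` comes from.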
--- a/helm/templates/propeller/rbac.yaml +++ b/helm/templates/propeller/rbac.yaml @@ -18,6 +18,7 @@ metadata: name: {{ template "flytepropeller.name" . }} labels: {{ include "flytepropeller.labels" . | nindent 4 }} rules: +# Allow RO access to PODS - apiGroups: - "" resources: @@ -26,6 +27,7 @@ rules: - get - list - watch +# Allow Event recording access - apiGroups: - "" resources: @@ -35,6 +37,7 @@ rules: - update - delete - patch +# Allow Access All plugin objects - apiGroups: - '*' resources: @@ -47,6 +50,7 @@ rules: - update - delete - patch +# Allow Access to CRD - apiGroups: - apiextensions.k8s.io resources: @@ -58,10 +62,12 @@ rules: - create - delete - update +# Allow Access to all resources under flyte.lyft.com - apiGroups: - flyte.lyft.com resources: - flyteworkflows + - flyteworkflows/finalizers verbs: - get - list diff --git a/helm/values-gcp.yaml b/helm/values-gcp.yaml index cbe96ceee7..8f9a0069f8 100644 --- a/helm/values-gcp.yaml +++ b/helm/values-gcp.yaml @@ -6,11 +6,31 @@ common: databaseSecret: {} ingress: +# ----------------------------------------------------- +# Core dependencies that should be configured for Flyte to work on any platform +# Specifically 2 - Storage (s3, gcs etc), Production RDBMS - Aurora, CloudSQL etc +# ------------------------------------------------------ +# +# STORAGE SETTINGS +# + +storage: + # -- Sets the storage type. Supported values are sandbox, s3, gcs and custom. + type: gcs + # -- bucketName defines the storage bucket flyte will use. Required for all types except for sandbox. + bucketName: + gcs: + projectId: + # # CONFIGMAPS # configmap: + remoteData: + remoteData: + scheme: "gcp" + tasks: max-plugin-phase-versions: 1000000 task-plugins: diff --git a/helm/values.yaml b/helm/values.yaml index 8cfb7e8d40..998e420fe4 100644 --- a/helm/values.yaml +++ b/helm/values.yaml 
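Review bot: The new `flyteworkflows/finalizers` entry inherits every verb of the rule's `verbs` list (the list continues outside the hunk), while the permission that actually needs the subresource is `update`, required by the OwnerReferencesPermissionEnforcement admission plugin when propeller sets or removes its finalizer; a comment saying so would help the next reader, e.g. `# finalizers subresource: needed for update when OwnerReferencesPermissionEnforcement is enabled`. `# Allow Access All plugin objects` labels the rule with `apiGroups: '*'`, and since that rule also carries update/delete/patch the comment should say which plugin objects it is meant for and that it is a wildcard grant, so a reader does not mistake it for a read-only rule.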
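Review bot: `bucketName:` and `projectId:` are added as bare keys, which YAML reads as null; in a Helm values overlay a null does not mean "required", it removes the key from the merged values, so `.Values.storage.bucketName` is absent rather than empty for any template that looks it up. Write them as `bucketName: ""` / `projectId: ""` with a `# -- required` comment, or leave them out of the overlay and document that they must be passed with `--set`. The `# --` helm-docs style used for `type` and `bucketName` should also be carried to `projectId` and the new `remoteData` block.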
@@ -427,9 +427,17 @@ configmap: httpPort: 8088 grpcPort: 8089 security: + # -- Controls whether to serve requests over SSL/TLS. secure: false + # -- Controls whether to enforce authentication. Follow the guide in https://docs.flyte.org/ on how to setup authentication. useAuth: false allowCors: true + allowedOrigins: + # Accepting all domains for Sandbox installation + - "*" + allowedHeaders: + - "Content-Type" + - "flyte-authorization" # Refer to the full [structure](https://pkg.go.dev/github.com/lyft/flyteadmin@v0.3.37/pkg/runtime/interfaces#ApplicationConfig) for documentation. flyteadmin: roleNameKey: "iam.amazonaws.com/role" @@ -441,7 +449,34 @@ configmap: eventVersion: 1 testing: host: http://flyteadmin - + # -- Authentication configuration + auth: + authorizedUris: + # This should point at your public http Uri. + - https://localhost:30081 + # This will be used by internal services in the same namespace as flyteadmin + - http://flyteadmin:80 + # This will be used by internal services in the same cluster but different namespaces + - http://flyteadmin.flyte.svc.cluster.local:80 + + # Controls app authentication config + appAuth: + thirdPartyConfig: + flyteClient: + clientId: flytectl + redirectUri: https://localhost:53593/callback + scopes: + - offline + - all + # Controls user authentication + userAuth: + openId: + baseUrl: https://accounts.google.com + scopes: + - profile + - openid + clientId: 657465813211-6eog7ek7li5k7i7fvgv2921075063hpe.apps.googleusercontent.com + # -- Datacatalog server config datacatalogServer: datacatalog: @@ -477,6 +512,8 @@ configmap: admin: endpoint: flyteadmin:81 insecure: true + clientId: flytepropeller + clientSecretLocation: /etc/secrets/client_secret # -- Catalog Client configuration [structure](https://pkg.go.dev/github.com/flyteorg/flytepropeller/pkg/controller/nodes/task/catalog#Config) # Additional advanced Catalog configuration [here](https://pkg.go.dev/github.com/lyft/flyteplugins/go/tasks/pluginmachinery/catalog#Config) 
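Review bot: `allowedOrigins` defaults to `"*"` in the chart's base values, next to `allowCors: true`, and the comment scopes that to the sandbox; values.yaml is inherited by every install, so an auth-enabled deployment that does not override it will answer cross-origin requests carrying the new `flyte-authorization` header from any origin. Either move the wildcard into a sandbox overlay and default the base to the ingress host, or change the comment to `# Accepting all domains; override with your console origin when useAuth is true`.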
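Review bot: The defaults under `auth` embed environment-specific identity values: `authorizedUris` includes `http://flyteadmin.flyte.svc.cluster.local:80`, which is only right when the release namespace is `flyte`, and `userAuth.openId` points at `https://accounts.google.com` with a concrete `clientId`, so an install that sets `useAuth: true` without overriding them authenticates against that provider registration rather than its own. Mark each with a comment such as `# -- Override: must match your release namespace` / `# -- Override: register your own OIDC client`, and consider leaving `clientId` empty so the chart fails loudly instead of silently using the sample value. The localhost `authorizedUris` and `redirectUri` entries belong in a sandbox overlay rather than the base values.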
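Review bot: `clientSecretLocation: /etc/secrets/client_secret` is added next to `insecure: true` for the same `flyteadmin:81` endpoint, so the client secret propeller reads from the mounted `flyte-propeller-auth` Secret is sent over a plaintext gRPC connection inside the cluster. That is a common in-cluster trade-off, but it should be stated: `# NOTE: with insecure: true the client secret travels in cleartext to flyteadmin:81; enable TLS on the admin endpoint before exposing it beyond the cluster`. The mounted Secret must carry a `client_secret` key for this path to resolve.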
@@ -567,6 +604,13 @@ configmap: show-source: true level: 4 + remoteData: + remoteData: + region: "us-east-1" + scheme: "local" + signedUrls: + durationMinutes: 3 + # -- Resource manager configuration resource_manager: # -- resource manager configuration
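Review bot: The new `remoteData` block is the only top-level entry in this hunk without a `# --` helm-docs comment, while its neighbour `resource_manager` has one; add `# -- Remote data (signed URL) configuration` above it and a comment on `signedUrls.durationMinutes`, e.g. `# -- Lifetime of signed URLs handed out to clients; keep short`. The same block is added in values-gcp.yaml with `scheme: "gcp"` and would benefit from the same comment. The doubled `remoteData:` / `remoteData:` nesting presumably mirrors the section name the admin config expects, but it deserves a one-line comment so it is not "fixed" later.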