Cody Scandore
06/01/2023, 11:27 PM
<https://xxxx-apps.com/console>
I am following the guide here for adding Azure OpenID auth, but it does not look like I have the same secrets, nor configmap, available.
Ketan (kumare3)
Byron Hsu
06/02/2023, 12:12 AM
clientSecretLocation is in use for us. I think only clientID matters.
Cody Scandore
06/02/2023, 4:36 PM
NAME STATUS AGE
default Active 38d
flyte Active 38d
flytesnacks-development Active 36d
flytesnacks-production Active 36d
flytesnacks-staging Active 36d
kube-node-lease Active 38d
kube-public Active 38d
kube-system Active 38d
And the flyte ns has the following resources.
NAME READY STATUS RESTARTS AGE
pod/flyte-backend-flyte-binary-5f5465b4f7-7hmt7 1/1 Running 0 22d
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/flyte-backend-flyte-binary-grpc ClusterIP 10.100.27.200 <none> 8089/TCP 22d
service/flyte-backend-flyte-binary-http ClusterIP 10.100.55.136 <none> 8088/TCP 22d
service/flyte-backend-flyte-binary-webhook ClusterIP 10.100.41.202 <none> 443/TCP 22d
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/flyte-backend-flyte-binary 1/1 1 1 22d
NAME DESIRED CURRENT READY AGE
replicaset.apps/flyte-backend-flyte-binary-5f5465b4f7 1 1 1 22d
The flyte ns has the following configmaps
NAME DATA AGE
flyte-backend-flyte-binary-cluster-resource-templates 1 22d
flyte-backend-flyte-binary-config 5 22d
kube-root-ca.crt 1 38d
propeller-leader 0 37d
I don't see the flyte-admin-base-config listed here:
kubectl edit configmap -n flyte flyte-admin-base-config
David Espejo (he/him)
06/02/2023, 5:15 PM
flyte-core chart.
For flyte-binary the CM is flyte-backend-flyte-binary-config, and I don't think you need to edit the secret or the CM any more.
To confirm please run
kubectl describe cm flyte-backend-flyte-binary-config -n flyte
Cody Scandore
06/02/2023, 5:41 PM
Name:        flyte-backend-flyte-binary-config
Namespace:   flyte
Labels:      app.kubernetes.io/instance=flyte-backend
             app.kubernetes.io/managed-by=Helm
             app.kubernetes.io/name=flyte-binary
             app.kubernetes.io/version=1.16.0
             helm.sh/chart=flyte-binary-v1.5.0
Annotations: meta.helm.sh/release-name: flyte-backend
             meta.helm.sh/release-namespace: flyte
Data
====
000-core.yaml:
----
admin:
  endpoint: localhost:8089
  insecure: true
catalog-cache:
  endpoint: localhost:8081
  insecure: true
  type: datacatalog
cluster_resources:
  standaloneDeployment: false
  templatePath: /etc/flyte/cluster-resource-templates
logger:
  show-source: true
  level: 5
propeller:
  create-flyteworkflow-crd: true
webhook:
  certDir: /var/run/flyte/certs
  localCert: true
  secretName: flyte-backend-flyte-binary-webhook-secret
  serviceName: flyte-backend-flyte-binary-webhook
  servicePort: 443
001-plugins.yaml:
----
tasks:
  task-plugins:
    enabled-plugins:
      - container
      - sidecar
      - K8S-ARRAY
    default-for-task-types:
      - container: container
      - container_array: K8S-ARRAY
plugins:
  logs:
    kubernetes-enabled: false
    cloudwatch-enabled: false
    stackdriver-enabled: false
  k8s:
    co-pilot:
      image: "cr.flyte.org/flyteorg/flytecopilot-release:v1.5.0"
  k8s-array:
    logs:
      config:
        kubernetes-enabled: false
        cloudwatch-enabled: false
        stackdriver-enabled: false
002-database.yaml:
----
database:
  postgres:
    username: xxxxx
    passwordPath: /var/run/secrets/flyte/db-pass
    host: xxxxxxxxxrds.amazonaws.com
    port: 5432
    dbname: xxxxxx
    options: "sslmode=disable"
003-storage.yaml:
----
propeller:
  rawoutput-prefix: s3://xxxx-flyte-userdata/data
storage:
  type: stow
  stow:
    kind: s3
    config:
      region: us-west-2
      disable_ssl: false
      v2_signing: false
      auth_type: iam
  container: xxxxx-flyte-metadata
010-inline-config.yaml:
----
cluster_resources:
  customData: null
plugins:
  k8s:
    default-env-vars:
      - AWS_METADATA_SERVICE_TIMEOUT: 5
      - AWS_METADATA_SERVICE_NUM_ATTEMPTS: 20
    inject-finalizer: true
storage:
  cache:
    max_size_mbs: 10
    target_gc_percent: 100
task_resources:
  defaults:
    cpu: 100m
    memory: 100Mi
    storage: 100Mi
  limits:
    memory: 2Gi
tasks:
  task-plugins:
    default-for-task-types:
      - container: container
      - container_array: K8S-ARRAY
    enabled-plugins:
      - container
      - sidecar
      - K8S-ARRAY
BinaryData
====
Events: <none>
David Espejo (he/him)
06/02/2023, 5:50 PM
004-auth.yaml section?
Did you have a chance to enable auth in the Helm values file?
Cody Scandore
06/02/2023, 6:06 PM
Error: INSTALLATION FAILED: execution error at (flyte-binary/templates/deployment.yaml:37:35): Internal client secret hash required when built-in authentication server is enabled
From the Hard Way guide, it looks like this is required:
auth:
  enabled: false
  oidc:
    baseUrl: https://signin.hosted.unionai.cloud/oauth2/default
    clientId: <IDP_CLIENT_ID>
    clientSecret: <IDP_CLIENT_SECRET>
  internal:
    clientSecret: <CC_PASSWD>
    clientSecretHash: <HASHED_CC_PASSWD>
  authorizedUris:
    - https://flyte.company.com
I can fill out the oidc section with my Azure app information, but what is the internal section referencing? Are those k8s cluster secrets?
oidc.clientSecret refers to the Secret ID, while the internal.clientSecret refers to the Value field. Base64 encode the password to produce the internal.clientSecretHash.
David Espejo (he/him)
06/02/2023, 8:29 PM
internal is there if you're going to use the authorization server that ships with flyteadmin (hence 'internal') as opposed to your IdP's authorization server.
Cody Scandore
06/02/2023, 8:30 PM
helm install ..
06/02/2023, 8:43 PM
auth parameters:
`enabled`: true
`baseUrl`: you should obtain this from Azure AD (probably @Byron Hsu knows how?)
`clientId`: from Azure AD's registered app
`clientSecret`: generate it in Azure AD
for `internal`:
`clientId`: flytepropeller
`clientSecret`: <generate a random password and add it here>
`clientSecretHash`: use the following command to produce the hash:
pip install bcrypt && python -c 'import bcrypt; import base64; print(base64.b64encode(bcrypt.hashpw("<your_client-secret>".encode("utf-8"), bcrypt.gensalt(6))))'
I'm working on reproducing this in my environment and adding docs.
`authorizedUris` would be the FQDN for your Ingress.