breezy-furniture-27916
06/26/2023, 1:53 AM
tall-lock-23197
average-finland-92144
06/26/2023, 11:17 AM
breezy-furniture-27916
06/27/2023, 1:10 AM
```
auth:
  # enabled Enable Flyte authentication
  enabled: true
  # enableAuthServer Enable built-in authentication server
  enableAuthServer: true
  # oidc OIDC configuration for Flyte authentication
  oidc:
    # baseUrl URL for OIDC provider
    baseUrl: "http://10.24.50.130:31157/auth/realms/flyte"
    # clientId Flyte application client ID
    clientId: "flyte"
    # clientSecret Flyte application client secret
    clientSecret: "3v0q10VDcMU9gCYWAaEnZZ7AHiEAz2RO"
  # internal Configuration for internal authentication
  # The settings for internal still need to be defined if you wish to use an external auth server
  # These credentials are used during communication between the FlyteAdmin and Propeller microservices
  internal:
    # clientId Client ID for internal authentication - set to flytepropeller or external auth server
    clientId: flytepropeller
    # clientSecret Client secret for internal authentication
    clientSecret: "3v0q10VDcMU9gCYWAaEnZZ7AHiEAz2RO"
    # clientSecretHash Bcrypt hash of clientSecret
    clientSecretHash: "M3YwcTEwVkRjTVU5Z0NZV0FhRW5aWjdBSGlFQXoyUk8K"
    # Uncomment next line if needed - set this field if your external Auth server (ex. Auth0) requires an audience parameter
    # audience: ""
  # flyteClient Configuration for Flyte client authentication
  flyteClient:
    # clientId Client ID for Flyte client authentication
    clientId: flytectl
    # redirectUri Redirect URI for Flyte client authentication
    redirectUri: http://localhost:53593/callback
    # scopes Scopes for Flyte client authentication
    scopes:
      - all
    # audience Audience for Flyte client authentication
    audience: ""
  # authorizedUris Set of URIs that clients are allowed to visit the service on
  authorizedUris: []
```
breezy-furniture-27916
06/27/2023, 1:12 AM
average-finland-92144
06/27/2023, 6:51 PM
clientSecretHash. It's usually generated by using:
```
pip install bcrypt && python -c 'import bcrypt; import base64; print(base64.b64encode(bcrypt.hashpw("<your-client-secret>".encode("utf-8"), bcrypt.gensalt(6))))'
```
When I tried with your clientSecret, it produced a different output than what you have in the values file (not sure if this is only dummy data)
2. Add the `authorizedUris` value to be an exact match of your Flyte ingress-backed URL, which should also be the same as your configured login redirect URI configured at Keycloak, without /callback
3. In the `flyteClient` section under `scopes` add `- offline`
breezy-furniture-27916
06/28/2023, 1:54 AM
```
auth:
  appAuth:
    selfAuthServer:
      staticClients:
        flytepropeller:
          client_secret: "JDJiJDA2JFdrSEo1UzZ5Rkcud1ZjakNqZHcyTC5Uc1Q3RGs2Q3hhMGNhOGd1YldtdmlQRnZ2ZlRmTE1D"
          grant_types:
          - refresh_token
          - client_credentials
          id: flytepropeller
          response_types:
          - token
          scopes:
          - all
          - offline
          - access_token
        flyte-cli:
          grant_types:
          - refresh_token
          - authorization_code
          id: flyte-cli
          public: true
          redirect_uris:
          - http://localhost:53593/callback
          - http://localhost:12345/callback
          response_types:
          - code
          - token
          scopes:
          - all
          - offline
          - access_token
        flytectl:
          grant_types:
          - refresh_token
          - authorization_code
          id: flytectl
          public: true
          redirect_uris:
          - http://localhost:53593/callback
          - http://localhost:12345/callback
          response_types:
          - code
          - token
          scopes:
          - all
          - offline
          - access_token
    thirdPartyConfig:
      flyteClient:
        audience: ""
        clientId: flytectl
        redirectUri: http://localhost:53593/callback
        scopes:
        - all
        - offline
  authorizedUris:
  - http://flyte.nginx.k8s:30699
  - http://flyte-flyte-binary:8088
  - http://flyte-flyte-binary.flyte:8088
  - http://flyte-flyte-binary.flyte.svc:8088
  - http://flyte-flyte-binary.flyte.svc.cluster.local:8088
  userAuth:
    openId:
      baseUrl: "http://10.24.50.130:31157/realms/flyte"
      clientId: "flyte"
      scopes:
      - profile
      - openid
server:
  security:
    useAuth: true
```
breezy-furniture-27916
06/28/2023, 2:19 AM
average-finland-92144
06/28/2023, 11:48 AM
authorizedUris field
I'm using the domain name without ports
```
authorizedUris:
- https://flyte-the-hard-way.uniondemo.run
- http://flyte-backend-flyte-binary:8088
- http://flyte-backend-flyte-binary.flyte:8088
- http://flyte-backend-flyte-binary.flyte.svc:8088
- http://flyte-backend-flyte-binary.flyte.svc.cluster.local:8088
```
average-finland-92144
06/28/2023, 11:51 AM
```
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
```
breezy-furniture-27916
06/29/2023, 1:11 AM