Hi all! Not sure if this is the best place to ask but: I vaguely remember there being a talk recently going a little deeper on Flyte OAuth integration. Was that talk recorded?

David gave a nice auth overview at a recent community meeting!

there is some exploratory work on IAP integration happening. @cool-lifeguard-49380: cc a GCP reference implementation is also being planned.

Thanks Jeev. I would definitely be interested in hearing more about any learnings from that work exploring IAP integration.

let us know if you have any questions @full-ram-17934

Hey :) we now have a GKE-based deployment with GCE ingress (not nginx), gcp managed certificates, and identity aware proxy working in a sandbox. It does require some small changes and I will make an RFC proposing them (either this week or after my holiday in 2 weeks). We would also contribute those things if the RFC is accepted.

yes please! are there any TF files you could open source as well?

One question I have (and sorry if this is in the docs, I did not find anything when searching): assuming I have oauth fully configured, what can flyteadmin do with this identity information? E.g., can you restrict the ability to view certain projects based on identity? Or, more interestingly to me, is it possible to configure flyteadmin so that user identity is recorded (e.g., using existing k8s label support) on entities, like workflow executions, created by that identity?

Hi @full-ram-17934

can you restrict the ability to view certain projects based on identity?

This is more on the RBAC side, not currently supported in OSS Flyte but in the managed version

is it possible to configure flyteadmin so that user identity is recorded (e.g., using existing k8s label support) on entities, like workflow executions, created by that identity?

Not sure of this one. cc @thankful-minister-83577

i believe it should, it should take some part of the token and write it into the principal field.

any pointers to how to extend that middleware?

unf. not, that bit is not well documented. but maybe follow this hook and trace through how it’s used?

For context: Our goal is, after wiring up auth, to gain better visibility into the principals responsible for different workflow executions using k8s labels. Trying to find the best way to wire all of that up, since it involves this auth layer but also some specific action by the k8s executor (propagating principal information to a label). All of this is to say, I wonder if the auth middleware is sufficient or if we'd also need to extend flyteadmin elsewhere.

will need to extend flyte additionally.

Anyway @cool-lifeguard-49380 you could share how you got grpc service to work? I.e. expose it on GCP gke for flytecli endpoint to hit it successfully?

Hey Haytham, is your goal to expose the grpc endpoint with auth through any ingress or are your security guys requiring you to explicitly use GCP identity aware proxy? If there is no requirement to use IAP (which requires the GCE ingress class), I would recommend you use nginx ingress with cert manager. GCE ingress with IAP is definitely more involved to get to work. Some companies require IAP though. I’ll be back from my holiday next week and will start to upstream the stuff we did to make IAP work. If you don’t have a requirement to use IAP, this doesn’t affect you though, you can use the normal recommended nginx way.