# ask-the-community
Hi Everyone, I am trying to enable authentication and authorization in Flyte, with external authentication by Microsoft Azure. I am following this Flyte documentation: https://docs.flyte.org/en/latest/deployment/configuration/auth_setup.html. I am using Flyte on top of Kubernetes (single-node cluster), where MinIO and Postgres are already configured for the flyte namespace. Previously an error came up about the securecookie being too long, so I followed this patch version of Flyte: https://github.com/flyteorg/flyte/pull/4863. I use this repo's flyte-binary to deploy our flyte-binary pod on our cluster. But now it is giving me the following error in the flyte-binary pod logs: I am using Helm to deploy flyte-binary. I am also adding the values.yaml file. Please let me know if there is any configuration error, or anything I can do to solve this error. I have to solve it as soon as possible.
values.yaml
# configuration Specify configuration for Flyte
configuration:
  # database Specify configuration for Flyte's database connection
  database:
    username: <username>
    password: <password>
    host: postgres.flyte.svc.cluster.local
    port: 5432
    dbname: flyteadmin
    options: sslmode=disable
  # storage Specify configuration for object store
  storage:
    type: minio
    metadataContainer: "flyte-bucket"
    userDataContainer: "flyte-bucket"
    provider: s3
    providerConfig:
      # s3 Provider configuration for S3 object store
      s3:
        region: "us-east-1"
        disableSSL: true
        secure: false
        v2Signing: false
        endpoint: "http://minio.flyte.svc.cluster.local:9200"
        authType: "accesskey"
        accessKey: <accesskey>
        secretKey: <secret-key>
      
  # logging Specify configuration for logs emitted by Flyte
  logging:
    # level Set the log level
    level: 6

  # auth Specify configuration for Flyte authentication
  auth:
    enabled: true
    oidc:
      baseUrl: https://login.microsoftonline.com/<tenant-id>/v2.0
      clientId: <client-id>
      clientSecret: <client-secret>

    internal:
      clientSecret: <client-secret>
      clientSecretHash: <client-secret-hash>
    authorizedUris:
    - https://mlflyte.accounts.intern
  
  inline:
    auth:
      appAuth:
        authServerType: External
        externalAuthServer:
          baseUrl: https://login.microsoftonline.com/<tenant-id>/v2.0/
          metadataUrl: .well-known/openid-configuration
          AllowedAudience:
            - api://<client-id>
        thirdPartyConfig:
          flyteClient:
            clientId: <client-id>
            redirectUri: http://localhost:53593/callback
              scopes:
                - profile
                - openid
                - email
                - offline_access
      userAuth:
        openId:
          baseUrl: https://login.microsoftonline.com/<tenant-id>/v2.0
          scopes:
            - profile
            - openid
            - email
            - offline_access
          clientId: <client-id>

    # plugins, task_resources and storage are top-level Flyte config sections,
    # so they belong directly under inline, not nested under auth
    plugins:
      k8s:
        inject-finalizer: true
        default-env-vars:
          - FLYTE_AWS_ENDPOINT: "http://minio.flyte.svc.cluster.local:9200"
          - FLYTE_AWS_ACCESS_KEY_ID: <access-key>
          - FLYTE_AWS_SECRET_ACCESS_KEY: <secret-key> # Use the same value as the MINIO_ROOT_PASSWORD
    task_resources:
      defaults:
        cpu: 100m
        memory: 500Mi # change default requested resources and limits to fit your needs
      limits:
        memory: 5Gi
    storage:
      cache:
        max_size_mbs: 100
        target_gc_percent: 100

# deployment Configure Flyte deployment specification
deployment:
  # image Configure image to use for Flyte
  image:
    repository: <repo-link>/flyte-binary # FLYTE_IMAGE
    tag: native # v1.10.6 # FLYTE_TAG
    pullPolicy: IfNotPresent
  # extraEnvVars Array with extra environment variables to add to Flyte
  extraEnvVars:
    - name: HTTP_PROXY
      value: <PROXY-VALUE>
    - name: HTTPS_PROXY
      value: <PROXY-VALUE>
    - name: http_proxy
      value: <PROXY-VALUE>
    - name: https_proxy
      value: <PROXY-VALUE>
    - name: no_proxy
      value: <PROXY-VALUE>
    - name: NO_PROXY
      value: <PROXY-VALUE>
    - name: GODEBUG
      value: "tlsmaxrsasize=16384"
  # extraEnvVarsConfigMap: environment-values
  
# ingress Configure ingress for Flyte
ingress:
  create: true
  host: mlflyte.accounts.intern
  commonAnnotations:
    kubernetes.io/ingress.class: nginx
    ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/proxy-buffer-size: "32k"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/affinity: "cookie"
    nginx.ingress.kubernetes.io/session-cookie-name: "flyte_idt"
  # httpAnnotations Add annotations to http ingress resource
  httpAnnotations:
    nginx.ingress.kubernetes.io/app-root: /console
  # grpcAnnotations Add annotations to grpc ingress resource
  grpcAnnotations:
    nginx.ingress.kubernetes.io/backend-protocol: GRPC
  # ingressClassName Ingress class to use with all ingress resources
  ingressClassName: nginx
  # httpIngressClassName Ingress class to use with all http ingress resource. Overrides `ingressClassName`
  httpIngressClassName: ""
  # grpcIngressClassName Ingress class to use with all grpc ingress resource. Overrides `ingressClassName`
  grpcIngressClassName: ""
  # tls Add TLS configuration to all ingress resources
  tls:
    - hosts:
        - mlflyte.accounts.intern
      secretName: mlflyte
  # httpTls Add TLS configuration to http ingress resource. Overrides `tls`
  httpTls: []
  # grpcTls Add TLS configuration to grpc ingress resource. Overrides `tls`
  grpcTls: []
  # httpExtraPaths Add extra paths to http ingress rule
  httpExtraPaths:
    prepend: []
    append: []
  # grpcExtraPaths Add extra paths to grpc ingress rule
  grpcExtraPaths:
    prepend: []
    append: []


# serviceAccount Configure Flyte ServiceAccount
serviceAccount:
  # create Create ServiceAccount for Flyte
  create: true
  # name Name of service account
  name: ""
  # labels Add labels to ServiceAccount
  labels: {}
  # annotations Add annotations to ServiceAccount
  annotations: {}
  # imagePullSecrets Secrets to use for fetching images from private registries
  # imagePullSecrets: [{ name: developerkey }]
  imagePullSecrets: [{ name: <pull-image-secret> }]
cc @David Espejo (he/him)
@Yubo Wang I feel like I've seen this come up twice now. Any ideas?
have you run into this before when testing?
not really, let me take a look
looks like that is an issue with the id token, which my code change does not really alter. @Devendra Johari can you send the id token you are getting?
Hi @Yubo Wang, sorry for the late reply. There was something wrong with my configuration; that's why it was not working before. Although sometimes, if it finds an existing cookie, it throws an error too. But now authorization works fine for Flyte Console. Thanks for the help.
what was wrong out of curiosity? (might help someone else in the future who finds this thread)
@Yee so do you think we should think about merging my PR? Though it is not a perfect solution, it seems to solve most use cases.
cc @Eduardo Apolinario (eapolinario) I'm in favor of it as long as it's opt-in. I would want someone who knows something about security to take a look also.
If we're just splitting up a long encrypted message into two messages, I can't possibly see how that can be misused.
yeah, it is encrypted already