# flyte-deployment
a
What is the recommended way to authorize GitHub Actions? I am using OIDC auth with GCP. I would like to set up GitHub Actions to trigger registration of workflows.
Is it possible to do something like this? Can I define extra static clients this way?
```yaml
staticClients:
  github:
    id: github
    client_secret: ${clientSecretHash}
    redirect_uris:
      - http://localhost:3846/callback
    grant_types:
      - refresh_token
      - client_credentials
    response_types:
      - token
    scopes:
      - all
      - offline
      - access_token
    public: false
```
I have not found much documentation on the ClientSecret flow, and the sections in the docs about CI/CD integration omit how to set up CI/CD credentials.
a
I'd also be interested in learning about this; I'm trying to authorize in GitLab CI/CD.
a
If you set up your flyte-core Helm chart with the auth described in the docs, the following should work. You just need a file that contains only the password you created for flytepropeller. So I think it's just a matter of adding another staticClient like I described above for GitHub.
```yaml
admin:
  # For GRPC endpoints you might want to use dns:///flyte.myexample.com
  endpoint: dns:///flyte.yoursite.dev
  authType: ClientSecret
  clientId: flytepropeller
  clientSecretLocation: /path/to/secret
```
a
I thought I had tried it exactly like that, but maybe I had something wrong. I'll have to try again.
d
@Alex Beach so did the above config work for you?
a
Yeah, this config worked.
@Andrew if you follow https://docs.flyte.org/en/latest/deployment/configuration/auth_setup.html under flyte-core to generate the bcrypt hash, you can add it to values.yaml for your deployment:
```yaml
selfAuthServer:
  staticClients:
    ........ other clients .......
    github:
      id: github
      client_secret: ${githubClientSecretHash}
      redirect_uris:
        - http://localhost:3846/callback
      grant_types:
        - refresh_token
        - client_credentials
      response_types:
        - token
      scopes:
        - all
        - offline
        - access_token
      public: false
```
a
Where does `githubClientSecretHash` come from in this case (as in, is it stored somewhere, or are you putting the actual value in your values file)? And is the `github` key important? Or is it just for naming, so I could use `gitlab`?
I use Terraform/sops to store that hash in source control.
githubClientSecretHash is a bcrypt hash of the password that is used by the `config.yaml`:
```shell
# Generates the base64-encoded bcrypt hash that goes into values.yaml;
# .decode() prints the plain string instead of a b'...' bytes literal
pip install bcrypt && python -c 'import bcrypt; import base64; print(base64.b64encode(bcrypt.hashpw("<your-random-password>".encode("utf-8"), bcrypt.gensalt(6))).decode("utf-8"))'
```
a
Awesome, thank you!
Hey @Alex Beach, sorry, I'm just barely getting back to trying to get this figured out, wondering if I could get your input. I'm currently getting this error:
```text
Underlying Exception: Status Code (401) received from IDP: {"error":"invalid_client","error_description":"Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)."}
```
Here is the config.yaml that I have set up for GitLab to use (I did test that it's reading this file by changing the endpoint, and it did change):
```yaml
admin:
  endpoint: dns:///example.com
  authType: ClientSecret
  #clientId: flytepropeller
  clientId: <id>.apps.googleusercontent.com
  clientSecretLocation: path/to/.flyte/client_secret
```
I tried both client IDs, with no luck. And the client_secret file is just one line with the password that I set when setting up the app in GCP. Does that seem right? I wasn't sure where `github` came into play in your example, etc.
d
@Andrew have you tried the clientId without the `apps.google...`? I haven't used a clientId with that structure yet, so not sure if it breaks something.
a
Looks like that got the same error after taking that part off.
Currently getting this error now:
```text
RPC Failed, with Status: StatusCode.UNIMPLEMENTED
	details: unknown service flyteidl.service.AuthMetadataService
```
Maybe I have some issue with actually connecting to the cluster. I'm trying to go back through the auth docs to see if something is set up weird.