https://flyte.org logo
#flyte-deployment
Title
# flyte-deployment
a

Alex Beach

02/29/2024, 11:52 PM
what is the recommended way to authorize the github actions? I am using oidc auth with gcp. I would like to setup github actions to trigger registration of workflows
is it possible to do something like this? Can i define extra static clients this way?
Copy code
staticClients:
  github:
    id: github
    client_secret: ${clientSecretHash}
    redirect_uris:
      - <http://localhost:3846/callback>
    grant_types:
      - refresh_token
      - client_credentials
    response_types:
      - token
    scopes:
      - all
      - offline
      - access_token
    public: false
I have not found much documentation on the ClientSecret flow. and the sections in the docs about CI/CD integration omit how to setup ci/cd credentials
a

Andrew

03/01/2024, 11:38 PM
I'd also be interested in learning about this, I'm trying to authorize in gitlab ci/cd
a

Alex Beach

03/01/2024, 11:54 PM
if you setup your flyte-core helm chart, with the auth descried in the docs, the following should work. You just need a file that is just the password you created for flytepropeller. So i think its just a matter of adding another staticClient like i described above for github
Copy code
admin:
  # For GRPC endpoints you might want to use dns:///flyte.myexample.com
  endpoint: dns:///flyte.yoursite.dev
  authType: ClientSecret
  clientId: flytepropeller
  clientSecretLocation: /path/to/secret
a

Andrew

03/02/2024, 2:12 AM
I thought I had tried it exactly like that, but maybe I had something wrong, I’ll have to try again
d

David Espejo (he/him)

03/05/2024, 3:15 PM
@Alex Beach so did the above config work for you?
a

Alex Beach

03/11/2024, 11:39 PM
yeah this config worked
@Andrew if you follow https://docs.flyte.org/en/latest/deployment/configuration/auth_setup.html under flye-core, to generate the bcrypt hash, you can add it to values.yaml for your deployment:
Copy code
selfAuthServer:
  staticClients:
    ........ other clients .......
    github:
      id: github
      client_secret: ${githubClientSecretHash}
      redirect_uris:
        - <http://localhost:3846/callback>
      grant_types:
        - refresh_token
        - client_credentials
      response_types:
        - token
      scopes:
        - all
        - offline
        - access_token
      public: false
a

Andrew

03/12/2024, 2:41 PM
Where does
githubClientSecretHash
(as in, is it stored somewhere, or are you putting the actual value in your values file?) come from in this case? and is the
github
key important? Or is is just for naming, so I could use
gitlab
?
I use terraform/sops to store that hash in source control
githubClientSecretHash is a bcrypt hash of the password that is used by the
config.yaml
Copy code
pip install bcrypt && python -c 'import bcrypt; import base64; print(base64.b64encode(bcrypt.hashpw("<your-random-password>".encode("utf-8"), bcrypt.gensalt(6))))'
a

Andrew

03/12/2024, 5:49 PM
Awesome, thank you!
Hey @Alex Beach , sorry I'm just barely getting back to trying to get this figured out, wondering if I could get your input. I'm currently getting this error:
Underlying Exception: Status Code (401) received from IDP: {"error":"invalid_client","error_description":"Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)."}
Here is the config.yaml that I have setup for gitlab to use (I did test that its reading this file by changing the endpoint, and it did change)
Copy code
admin:
  endpoint: dns:///example.com
  authType: ClientSecret
  #clientId: flytepropeller
  clientId: <id>.<http://apps.googleusercontent.com|apps.googleusercontent.com>
  clientSecretLocation: path/to/.flyte/client_secret
I tried both client ids, with no luck. And the client_secret file is just one line with the password that I set when setting up the app in GCP. Does that seem right? I wasn't sure where
github
came into play in your example, etc.
d

David Espejo (he/him)

04/10/2024, 3:59 PM
@Andrew have you tried the clientId without the
apps.google...
? I haven't used a clientId with that structure yet so not sure if it breaks something
a

Andrew

04/10/2024, 4:04 PM
Looks like that got the same error, after taking that part off
Currently getting this error now:
Copy code
RPC Failed, with Status: StatusCode.UNIMPLEMENTED
	details: unknown service flyteidl.service.AuthMetadataService
Maybe I have some issue with actually connecting to the cluster. I'm trying to go back through the auth docs to see if something is setup weird
5 Views