Sujith Samuel
08/05/2022, 5:25 AM
flyte-secret-auth and populate it with clientSecret.
# If enabled is false, it's up to the user to create flyte-secret-auth as described in
# https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#oauth2-authorization-server
enabled: true
clientSecret: "CO2n3hovN0J78FqxxOVtjOtkHH5fPL9C"
clientId: "flytepropeller"
# -- FlyteAdmin server configuration
adminServer:
  # Refer to the server config.
  server:
    httpPort: 8088
    grpcPort: 8089
    security:
      # -- Controls whether to serve requests over SSL/TLS.
      secure: false
      # -- Controls whether to enforce authentication. Follow the guide in https://docs.flyte.org/ on how to setup authentication.
      useAuth: true
      allowCors: true
      allowedOrigins:
        # Accepting all domains for Sandbox installation
        - "*"
      allowedHeaders:
        - "Content-Type"
        - "flyte-authorization"
  # Refer to the full structure for documentation.
  flyteadmin:
    roleNameKey: "iam.amazonaws.com/role"
    profilerPort: 10254
    metricsScope: "flyte:"
    metadataStoragePrefix:
      - "metadata"
      - "admin"
    eventVersion: 2
    testing:
      host: http://flyteadmin
  # -- Authentication configuration
  auth:
    authorizedUris:
      # This should point at your public http Uri.
      - https://flytedeployment url
      # This will be used by internal services in the same namespace as flyteadmin
      - http://flyteadmin:80
      # This will be used by internal services in the same cluster but different namespaces
      - http://flyteadmin.nmlp.svc.cluster.local:80
    # Controls app authentication config
    appAuth:
      thirdPartyConfig:
        flyteClient:
          clientId: flytectl
          redirectUri: https://<flyte deployment url>/callback
          scopes:
            - offline
            - all
    # Controls user authentication
    userAuth:
      openId:
        baseUrl: https://<keycloak production realm>/realms/nsdmlp
        scopes:
          - profile
          - openid
        clientId: flytepropeller
I have also edited the flyte-admin-secrets to have the correct client secret
apiVersion: v1
data:
  claim_symmetric_key: cWlBYzlYWHdLN3lnaksrWUJGdStFUlRYK0RDdlk4SjVjZFJtaXBTcDBhdw==
  cookie_block_key: ejZPdkhrZ1crWXdib21JZHdVZ05IOGJESVp0OE5KWnNZT285KzIyRVM1dw==
  cookie_hash_key: Q093TUY2RTdOMW5MeFZ4Rnk1dGNzZGN5NU5aeTNWN2JTMXRPTjBLUGhQQ2JWZ3hGby9XQkVRdi84Yjk4ZEIyeEV3Zm5KYURDVzFkSjBuSGZrbS8zYVE=
  oidc_client_secret: CO2n3hovN0J78FqxxOVtjOtkHH5fPL9C
With all the above settings, when I try to log in to the Flyte console via the ingress, it gives me the below message in the flyteadmin pod logs
{"json":{},"level":"error","msg":"Failed to retrieve tokens from request, redirecting to login handler. Error: [EMPTY_OAUTH_TOKEN] Failure to retrieve cookie [flyte_idt], caused by: http: named cookie not present","ts":"2022-08-04T183411Z"}
{"json":{},"level":"error","msg":"Error when exchanging code oauth2: cannot fetch token: 401 Unauthorized\nResponse: {"error":"unauthorized_client","error_description":"Invalid client secret"}","ts":"2022-08-04T183412Z"}
Logs from 8/5/2022, 120239 AM
And Chrome errors out with a 403 access denied page.
I have tried the secret and id with and without quotes (just in case Helm was acting crazy), but it still gives the same error.
Please assist.
Thanks,
Sujith
Ketan (kumare3)
Sujith Samuel
08/05/2022, 8:03 AM
Sören Brunk
08/05/2022, 11:49 AM
nsdaiml in your case. That's the one to put into userAuth:
userAuth:
  openId:
    baseUrl: https://<keycloak-domain>/auth/realms/<realm>
    clientId: nsdaiml
flyte-admin-secrets as described here: https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#apply-configuration
Sujith Samuel
08/05/2022, 1:09 PM
Sören Brunk
08/05/2022, 1:13 PM
Sujith Samuel
08/05/2022, 1:17 PM
Sören Brunk
08/05/2022, 1:19 PM
Sujith Samuel
08/05/2022, 1:27 PM
Sören Brunk
08/05/2022, 1:30 PM
kubectl get secrets/flyte-admin-secrets --template='{{.data.oidc_client_secret | base64decode}}'
do you get the right keycloak secret of your client back?
Sujith Samuel
08/05/2022, 1:37 PM
Sören Brunk
08/05/2022, 1:41 PM
stringData as described in the docs?
Like this:
stringData:
  oidc_client_secret: <client_secret from the previous step>
data:
  ...
Sujith Samuel
08/05/2022, 1:50 PM
Sören Brunk
08/05/2022, 2:05 PM
Sujith Samuel
08/05/2022, 2:26 PM
Sören Brunk
08/05/2022, 2:36 PM
FLYTEPROPELLER_CLIENT_ID=$(kcadm create clients -i -r ${REALM} \
-s clientId="flytepropeller" \
-s redirectUris="[\"https://<flyte-domain>/*\"]" \
-s webOrigins="[\"+\"]" \
-s serviceAccountsEnabled="true" \
-s defaultClientScopes="[\"all\", \"offline\"]" \
-s publicClient="false")
echo creating flytepropeller audience mapper
kcadm create clients/${FLYTEPROPELLER_CLIENT_ID}/protocol-mappers/models -r ${REALM} \
-s name=audience-mapper \
-s protocol=openid-connect \
-s protocolMapper=oidc-audience-mapper \
-s config.\"included.custom.audience\"="https://<flyte-domain>" \
-s config.\"access.token.claim\"="true" \
-s config.\"id.token.claim\"="false"
echo creating flytepropeller scp mapper
kcadm create clients/${FLYTEPROPELLER_CLIENT_ID}/protocol-mappers/models -r ${REALM} \
-b '{"name":"scp-claim-mapper","protocol":"openid-connect","protocolMapper":"oidc-hardcoded-claim-mapper","consentRequired":false,"config":{"claim.value":"[\"all\"]","userinfo.token.claim":"false","id.token.claim":"false","access.token.claim":"true","claim.name":"scp","jsonType.label":"JSON","access.tokenResponse.claim":"false"}}'
Sujith Samuel
08/05/2022, 6:11 PM
Pkce or ClientSecret
authType: ClientSecret
# Set to the clientId (will be used for both Pkce and ClientSecret flows)
# Leave empty to use the value discovered through flyteAdmin's Auth discovery endpoint.
clientId: nsdmlclient
# Set to the location where the client secret is mounted.
# Only needed/used for ClientSecret flow.
clientSecretLocation: /home/samuel/install/flyte/clientsecret
I am getting the below error while running the flytectl version command
samuel@samuel-vm-001:~/.flyte$ flytectl version
{"json":{"src":"viper.go:398"},"level":"debug","msg":"Config section [storage] updated. No update handler registered.","ts":"2022-08-05T210624+03:00"}
{"json":{"src":"client.go:183"},"level":"error","msg":"failed to initialize token source provider. Err: rpc error: code = Unknown desc = : HTTP status code 0; transport: missing content-type field","ts":"2022-08-05T210624+03:00"}
{"json":{"src":"client.go:188"},"level":"warning","msg":"Starting an unauthenticated client because: can't create authenticated channel without a TokenSourceProvider","ts":"2022-08-05T210624+03:00"}
{"json":{"src":"client.go:64"},"level":"info","msg":"Initialized Admin client","ts":"2022-08-05T210624+03:00"}
{
  "App": "flytectl",
  "Build": "2b13e14",
  "Version": "0.6.5",
  "BuildTime": "2022-08-05 210624.178889411 +0300 EEST m=+0.022552240"
}
{"json":{"src":"version.go:103"},"level":"debug","msg":"Failed to get version of control plane rpc error: code = Unknown desc = : HTTP status code 0; transport: missing content-type field: \n","ts":"2022-08-05T210624+03:00"}
{"json":{"src":"version.go:81"},"level":"debug","msg":"rpc error: code = Unknown desc = : HTTP status code 0; transport: missing content-type field","ts":"2022-08-05T210624+03:00"}
Sören Brunk
08/05/2022, 7:53 PM
admin:
  endpoint: dns:///<flyte-uri>
  authType: Pkce
logger:
  show-source: true
  level: 3
flytectl is configured as a public client in Keycloak. flytectl will use the browser for oauth.
Ketan (kumare3)
Sujith Samuel
08/06/2022, 7:44 PM
Ketan (kumare3)
Sujith Samuel
08/08/2022, 5:20 AM
Sören Brunk
08/08/2022, 7:13 AM
Is there any way to use flytectl inside a container with keycloak enabled ?
@Sujith Samuel we actually had a similar setup. For that case we had an additional keycloak client flytectl-internal which was a confidential client with Service Accounts Enabled (aka client credentials grant in oauth terms). I'm trying to find the corresponding flytectl config.
Sujith Samuel
08/08/2022, 7:14 AM
Sören Brunk
08/08/2022, 7:45 AM
Sujith Samuel
08/08/2022, 8:08 AM
--admin.command strings Command for external authentication token generation
Ketan (kumare3)
Babis Kiosidis
08/08/2022, 1:43 PM
cat ~/.flyte/config.yaml
admin:
  endpoint: myflyteadmin.host:443
  insecure: false
  authType: ExternalCommand
  command: [gcloud,auth,print-identity-token]
Prafulla Mahindrakar
08/08/2022, 1:45 PM
admin:
  # For GRPC endpoints you might want to use dns:///flyte.myexample.com
  endpoint: dns:///flyte.org
  # Change insecure flag to ensure that you use the right setting for your environment
  insecure: false
  clientId: *********
  authType: ClientSecret
  clientSecretLocation: /home/runner/secret_location
logger:
  # Logger settings to control logger output. Useful to debug logger:
  show-source: true
  level: 4
where /home/runner/secret_location contains the client_secret
Sujith Samuel
08/08/2022, 1:47 PM
Prafulla Mahindrakar
08/08/2022, 1:48 PM
Sujith Samuel
08/08/2022, 1:50 PM
Prafulla Mahindrakar
08/08/2022, 1:50 PM
Sujith Samuel
08/08/2022, 1:52 PM
Prafulla Mahindrakar
08/08/2022, 2:00 PM
Sujith Samuel
08/08/2022, 2:00 PM
Prafulla Mahindrakar
08/08/2022, 2:00 PM
Sujith Samuel
08/08/2022, 2:02 PM
Prafulla Mahindrakar
08/08/2022, 2:05 PM
Sujith Samuel
08/08/2022, 2:07 PM
Prafulla Mahindrakar
08/08/2022, 2:09 PM
Sujith Samuel
08/08/2022, 2:12 PM
Prafulla Mahindrakar
08/08/2022, 2:15 PM
Sujith Samuel
08/08/2022, 2:20 PM
Prafulla Mahindrakar
08/08/2022, 2:21 PM
Sujith Samuel
08/08/2022, 2:40 PM
Prafulla Mahindrakar
08/08/2022, 2:42 PM
Sujith Samuel
08/08/2022, 2:44 PM
Prafulla Mahindrakar
08/08/2022, 2:44 PM
Sujith Samuel
08/08/2022, 2:46 PM
Ketan (kumare3)
Sujith Samuel
08/09/2022, 3:13 AM
Ketan (kumare3)
Sujith Samuel
08/09/2022, 5:56 AM