Thread
#flyte-deployment
    Justin Tyberg

    Justin Tyberg

    2 weeks ago
    I’m looking for an example of programmatically invoking
    flytectl register
    from a CI workflow, with Flyte auth enabled. We’re on GCP/GKE. Ideally, I’d like to register files from a pod running on the GKE cluster. I think this would use the OAuth2 flow that flyte components use? Alternatively, we could run
    flytectl register
    from the CI runner, as this doc implies. I’d love to find an example of doing this.
    our flyteadmin config
    adminServer:
        server:
          httpPort: 8088
          grpcPort: 8089
          security:
            useAuth: true
        auth:
          appAuth:
            thirdPartyConfig:
              flyteClient:
                clientId: flytectl
                redirectUri: <http://localhost:53593/callback>
                scopes:
                  - offline
                  - all
          authorizedUris:
            - https://{{ .Values.userSettings.hostName }}:443
            - <http://flyteadmin:80>
            - <http://flyteadmin.flyte.svc.cluster.local:80>
          userAuth:
            openId:
              baseUrl: <https://accounts.google.com>
              clientId: "{{ .Values.userSettings.oauthClientId }}"
              scopes:
                - profile
                - openid
    Yee

    Yee

    2 weeks ago
    flytectl is also capable of using the client credentials (username/password) flow.
    let me dig up some docs in a bit.
    so flyte ships by default with a client credentials application already, one that hits the Admin’s own authorization server. you can hit this by using
    flytectl --admin.authType ClientSecret --config ~/.flyte/dev-uniondemo.yaml --admin.clientId flytepropeller --admin.clientSecretLocation /tmp/p get workflow -p flytesnacks -d development
    where
    foobar
    is in
    /tmp/p
    This isn’t really recommended though. It’s complicated to specify the client structure in yaml, and also you have a password effectively in cleartext stored in config (hashed), and you have to hash it in a special way (not sure will need to ask around more). Assuming you have an IDP hooked up, what you should do is just create a client credentials application (like in okta), and just call flytectl the same way.
    Justin Tyberg

    Justin Tyberg

    2 weeks ago
    i was just looking at the helm values to see how flytepropeller authenticates, here and here.
    Yee

    Yee

    2 weeks ago
    yeah… should probably change/disable that for real deployments
    Justin Tyberg

    Justin Tyberg

    2 weeks ago
    we do have GCP client credentials application, and we use it for user auth flow
    Yee

    Yee

    2 weeks ago
    is it not working?
    Justin Tyberg

    Justin Tyberg

    2 weeks ago
    it works fine for users, with a browser
    Yee

    Yee

    2 weeks ago
    hmm really? the browser solution should not be client credentials though
    it should auth through your IDP
    Justin Tyberg

    Justin Tyberg

    2 weeks ago
    but i haven’t figured out how to automate it without a browser, using client credentials instead of pkce
    user = browser + pkce
    app/ci/automation - i am looking for the right commands to use client credentials flow
    Yee

    Yee

    2 weeks ago
    i don’t even know if this is possible with google.
    we use okta internally to create these credentials.
    Justin Tyberg

    Justin Tyberg

    2 weeks ago
    yeah, that’s what i was gleaning from this doc
    Google IdP does not offer an OAuth2 Authorization Server that could be used to protect external services (For example Flyte). In this case, Google offers a separate Cloud Product called Google Cloud Identity. Configuration for Cloud Identity is not included in this guide. If unavailable, setup can stop here and FlyteAdmin BuiltIn OAuth2 Authorization Server can be used instead.
    Yee

    Yee

    2 weeks ago
    ah yes, that was written by us?
    Justin Tyberg

    Justin Tyberg

    2 weeks ago
    your doc, yup
    which is why i started looking into how flytepropeller does auth