Another Auth Related question I would like to have following Flyte #flyte-deployment

Another Auth Related question. I would like to hav...

Shahwar Saleem

10/13/2022, 3:11 PM

Another Auth Related question. I would like to have following setup: 1. Flyte Console uses Pkce which can be configured using

userAuth

in config. 2. Flyte CTL uses Device Authentication Flow which should be configured as

thirdPartyConfig.flyteClient

3. Flytepropeller and Flyte Scheduler internally use Client Credential flow which are also required to be configured via

thirdPartyConfig.flyteClient

My question is that with Auth enabled, how is this possible to have all of above configured simultaneously? I have 3 clientIds one corresponding to each of above cases. Is it possible for have multiple `flyteClient`s configured using

thirdPartyConfig

Shivay Lamba

10/13/2022, 3:37 PM

@Yee could you take a look here

Yee

10/13/2022, 5:58 PM

i don’t think flyte console should use pkce

Yee

10/13/2022, 5:58 PM

flyteconsole should use the normal 3-legged oauth2 flow with auth0 as the idp.

Yee

10/13/2022, 6:01 PM

2. flytectl should use pkce which I think has just been renamed DeviceFlow. this is just a flytectl config change. (assuming your admin and flytectl have been updated)

Yee

10/13/2022, 6:02 PM

3. this is normal. you can have multiple yes. but this is the other thing that you’re working on right? testing to make sure the new audience works with auth0

Shahwar Saleem

10/13/2022, 6:43 PM

Yes, How can we have multiple? Do you have an example for adding flytectl, propeller, scheduler at the same time? That would be really handy.

Geoff Salmon

10/14/2022, 2:03 PM

In the flyte-core chart values.yaml, I think the 3 clientIds go under the keys 1.

configmap.adminServer.auth.userAuth.openId.clientId

configmap.adminServer.auth.appAuth.thirdPartyConfig.flyteCilent.clientId

secrets.adminOauthClientCredentials.clientId

I'm pretty sure propeller and scheduler are using that 3rd key for their clientId and not the

thirdPartConfig.flyteClient

one.

Shahwar Saleem

10/14/2022, 2:06 PM

Oh, I didn't know that. Maybe latest changes for Audience related to ClientCredentials need to happen in 3.

Geoff Salmon

10/14/2022, 2:22 PM

Checked some more and yeah that seems right. Ultimately the relevant config is reaching the propeller and flytescheduler pods via

admin.yaml

in their config maps here and here which is set from

configmap.admin

in the values.yaml. This chunk of config should set the audience, I think https://github.com/flyteorg/flyte/blob/master/charts/flyte-core/values.yaml#L553-L562

Copy code

# -- Admin Client configuration [structure](<https://pkg.go.dev/github.com/flyteorg/flytepropeller/pkg/controller/nodes/subworkflow/launchplan#AdminConfig>)
  admin:
    event:
      type: admin
      rate: 500
      capacity: 1000
    admin:
      endpoint: flyteadmin:81
      insecure: true
      clientId: "{{ .Values.secrets.adminOauthClientCredentials.clientId }}"
      clientSecretLocation: /etc/secrets/client_secret

Shahwar Saleem

10/14/2022, 2:23 PM

Thanks. I will try these config changes today. Hopefully this solves our problem.

162 Views

Open in Slack

Previous Next