https://flyte.org logo
Powered by
s

Shahwar Saleem

10/13/2022, 3:11 PM
Another Auth Related question. I would like to have following setup: 1. Flyte Console uses Pkce which can be configured using 
userAuth
in config. 2. Flyte CTL uses Device Authentication Flow which should be configured as 
thirdPartyConfig.flyteClient
3. Flytepropeller and Flyte Scheduler internally use Client Credential flow which are also required to be configured via 
thirdPartyConfig.flyteClient
My question is that with Auth enabled, how is this possible to have all of above configured simultaneously? I have 3 clientIds one corresponding to each of above cases. Is it possible for have multiple `flyteClient`s configured using 
thirdPartyConfig
?
s

Shivay Lamba

10/13/2022, 3:37 PM
@Yee could you take a look here
y

Yee

10/13/2022, 5:58 PM
i don’t think flyte console should use pkce
flyteconsole should use the normal 3-legged oauth2 flow with auth0 as the idp.
2. flytectl should use pkce which I think has just been renamed DeviceFlow. this is just a flytectl config change. (assuming your admin and flytectl have been updated)
3. this is normal. you can have multiple yes. but this is the other thing that you’re working on right? testing to make sure the new audience works with auth0
s

Shahwar Saleem

10/13/2022, 6:43 PM
Yes, How can we have multiple? Do you have an example for adding flytectl, propeller, scheduler at the same time? That would be really handy.
g

Geoff Salmon

10/14/2022, 2:03 PM
In the flyte-core chart values.yaml, I think the 3 clientIds go under the keys 1. 
configmap.adminServer.auth.userAuth.openId.clientId
2. 
configmap.adminServer.auth.appAuth.thirdPartyConfig.flyteCilent.clientId
3. 
secrets.adminOauthClientCredentials.clientId
I'm pretty sure propeller and scheduler are using that 3rd key for their clientId and not the 
thirdPartConfig.flyteClient
one.
s

Shahwar Saleem

10/14/2022, 2:06 PM
Oh, I didn't know that. Maybe latest changes for Audience related to ClientCredentials need to happen in 3.
g

Geoff Salmon

10/14/2022, 2:22 PM
Checked some more and yeah that seems right. Ultimately the relevant config is reaching the propeller and flytescheduler pods via 
admin.yaml
in their config maps here and here which is set from 
configmap.admin
in the values.yaml. This chunk of config should set the audience, I think https://github.com/flyteorg/flyte/blob/master/charts/flyte-core/values.yaml#L553-L562
Copy code
# -- Admin Client configuration [structure](<https://pkg.go.dev/github.com/flyteorg/flytepropeller/pkg/controller/nodes/subworkflow/launchplan#AdminConfig>)
  admin:
    event:
      type: admin
      rate: 500
      capacity: 1000
    admin:
      endpoint: flyteadmin:81
      insecure: true
      clientId: "{{ .Values.secrets.adminOauthClientCredentials.clientId }}"
      clientSecretLocation: /etc/secrets/client_secret
s

Shahwar Saleem

10/14/2022, 2:23 PM
Thanks. I will try these config changes today. Hopefully this solves our problem.
2 Views
Powered by