# flyte-deployment

Shahwar Saleem

10/13/2022, 3:11 PM
Another auth-related question. I would like to have the following setup:
1. Flyte Console uses PKCE, which can be configured using `userAuth` in config.
2. Flyte CTL uses Device Authentication Flow, which should be configured as `thirdPartyConfig.flyteClient`.
3. Flytepropeller and Flyte Scheduler internally use Client Credential flow, which are also required to be configured via `thirdPartyConfig.flyteClient`.
My question is that with Auth enabled, how is it possible to have all of the above configured simultaneously? I have 3 clientIds, one corresponding to each of the above cases. Is it possible to have multiple `flyteClient`s configured using `thirdPartyConfig`?

Shivay Lamba

10/13/2022, 3:37 PM
@Yee could you take a look here

Yee

10/13/2022, 5:58 PM
I don't think flyte console should use PKCE.
1. flyteconsole should use the normal 3-legged OAuth2 flow with Auth0 as the IdP.
2. flytectl should use PKCE, which I think has just been renamed DeviceFlow. This is just a flytectl config change (assuming your admin and flytectl have been updated).
3. This is normal. You can have multiple, yes. But this is the other thing that you're working on, right? Testing to make sure the new audience works with Auth0.

Shahwar Saleem

10/13/2022, 6:43 PM
Yes. How can we have multiple? Do you have an example for adding flytectl, propeller and scheduler at the same time? That would be really handy.

Geoff Salmon

10/14/2022, 2:03 PM
In the flyte-core chart values.yaml, I think the 3 clientIds go under the keys:
1. `configmap.adminServer.auth.userAuth.openId.clientId`
2. `configmap.adminServer.auth.appAuth.thirdPartyConfig.flyteClient.clientId`
3. `secrets.adminOauthClientCredentials.clientId`
I'm pretty sure propeller and scheduler are using that 3rd key for their clientId and not the `thirdPartyConfig.flyteClient` one.

Shahwar Saleem

10/14/2022, 2:06 PM
Oh, I didn't know that. Maybe the latest changes for Audience related to ClientCredentials need to happen in 3.

Geoff Salmon

10/14/2022, 2:22 PM
Checked some more and yeah, that seems right. Ultimately the relevant config is reaching the propeller and flytescheduler pods via `admin.yaml` in their config maps here and here, which is set from `configmap.admin` in the values.yaml. This chunk of config should set the audience, I think: https://github.com/flyteorg/flyte/blob/master/charts/flyte-core/values.yaml#L553-L562

```yaml
# -- Admin Client configuration [structure](https://pkg.go.dev/github.com/flyteorg/flytepropeller/pkg/controller/nodes/subworkflow/launchplan#AdminConfig)
admin:
  event:
    type: admin
    rate: 500
    capacity: 1000
  admin:
    endpoint: flyteadmin:81
    insecure: true
    # clientId/clientSecretLocation are the client-credentials identity propeller and
    # scheduler present to flyteadmin; the secret is mounted from secrets.adminOauthClientCredentials
    clientId: "{{ .Values.secrets.adminOauthClientCredentials.clientId }}"
    clientSecretLocation: /etc/secrets/client_secret
```

Shahwar Saleem

10/14/2022, 2:23 PM
Thanks. I will try these config changes today. Hopefully this solves our problem.