For the auth setup, we found the following information from:
Sören Brunk
10/19/2022, 12:29 PM
I found the relevant section to overwrite the default flyteadmin auth server config via helm:
configmap:
  adminServer:
    server:
      httpPort: 8088
      grpcPort: 8089
      dataProxy:
        upload:
          storagePrefix: upload
      security:
        secure: false
        useAuth: true
        allowCors: true
        allowedOrigins:
          # Accepting all domains for Sandbox installation
          - '*'
        allowedHeaders:
          - Content-Type
    auth:
      appAuth:
        authServerType: Self
        selfAuthServer:
          accessTokenLifespan: 30m0s
          authorizationCodeLifespan: 5m0s
          claimSymmetricEncryptionKeySecretName: claim_symmetric_key
          issuer: ""
          oldTokenSigningRSAKeySecretName: token_rsa_key_old.pem
          refreshTokenLifespan: 1h0m0s
          staticClients:
            flyte-cli:
              audience: null
              grant_types:
                - refresh_token
                - authorization_code
              id: flyte-cli
              public: true
              redirect_uris:
                - http://localhost:53593/callback
                - http://localhost:12345/callback
              response_types:
                - code
                - token
              scopes:
                - all
                - offline
                - access_token
            flytectl:
              audience: null
              grant_types:
                - refresh_token
                - authorization_code
              id: flytectl
              public: true
              redirect_uris:
                - http://localhost:53593/callback
                - http://localhost:12345/callback
              response_types:
                - code
                - token
              scopes:
                - all
                - offline
                - access_token
            flytepropeller:
              audience: null
              client_secret: <your client secret hashed and base64 encoded>
              grant_types:
                - refresh_token
                - client_credentials
              id: flytepropeller
              public: false
              redirect_uris:
                - http://localhost:3846/callback
              response_types:
                - token
              scopes:
                - all
                - offline
                - access_token
flytepropeller.client_secret is the relevant change. Unfortunately, it requires the secret as a base64 encoded hash. I'll try to find how we did that hashing.
I think I had to run it through bcrypt:
pip install bcrypt
python
>>> import bcrypt
>>> bcrypt.hashpw(b"foobar", bcrypt.gensalt(prefix=b"2a"))
The resulting hash should look something like this: b'$2a$12$d3mGDJwq9F5TiQA1YYm0TOVzvEvcBX5VEw2AW0gqrn7Mvh2InuiCS'
Then base64 encode it and use that as client_secret in the config.
I hope I remember it correctly; I should have documented the steps properly.
Perhaps someone from the flyte team familiar with the internal auth server can verify if this is the right way or not.
Here we need the matching secret still in cleartext, i.e.
secrets:
  adminOauthClientCredentials:
    enabled: true
    clientSecret: foobar
    clientId: flytepropeller
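The following is an added example, not part of the original message and not Flyte project code: it base64-encodes a bcrypt hash as the message describes and checks that a client_secret value really decodes to a bcrypt hash rather than to cleartext or a raw hash pasted by mistake. The function names are hypothetical, the hash is the sample string quoted in the message, and the procedure is followed as described there without confirmation from flyteadmin itself.

```python
import base64
import re

# bcrypt hash string: $2a$/$2b$/$2y$, two-digit cost, 22-char salt + 31-char digest
BCRYPT_RE = re.compile(rb"^\$(2[aby])\$(\d{2})\$[./A-Za-z0-9]{53}\Z")

# Hash string quoted in the message above, used here only as sample input
SAMPLE_HASH = b"$2a$12$d3mGDJwq9F5TiQA1YYm0TOVzvEvcBX5VEw2AW0gqrn7Mvh2InuiCS"


def encode_client_secret(bcrypt_hash: bytes) -> str:
    """Base64-encode a bcrypt hash for the staticClients client_secret field."""
    if not BCRYPT_RE.match(bcrypt_hash):
        raise ValueError("input is not a bcrypt hash string")
    return base64.b64encode(bcrypt_hash).decode("ascii")


def inspect_client_secret(value: str) -> dict:
    """Decode a client_secret value and report what it actually contains."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return {"ok": False, "reason": "not valid base64"}
    m = BCRYPT_RE.match(raw)
    if not m:
        return {"ok": False, "reason": "base64 decodes, but not to a bcrypt hash"}
    return {"ok": True, "variant": m.group(1).decode(), "cost": int(m.group(2)), "hash": raw}


def matches_cleartext(value: str, cleartext: bytes):
    """Compare the hash with the cleartext clientSecret; None if bcrypt is not installed."""
    info = inspect_client_secret(value)
    if not info["ok"]:
        return False
    try:
        import bcrypt  # third-party: pip install bcrypt
    except ImportError:
        return None
    return bcrypt.checkpw(cleartext, info["hash"])


if __name__ == "__main__":
    encoded = encode_client_secret(SAMPLE_HASH)
    print(encoded)
    print(inspect_client_secret(encoded))
    print(inspect_client_secret("foobar"))  # cleartext pasted by mistake
```

Calling `matches_cleartext` with the configured client_secret and the cleartext from `secrets.adminOauthClientCredentials.clientSecret` confirms that the two halves of the config agree before deploying.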