Ed Fincham

02/20/2023, 4:00 PM
Hey guys, Trying to set up auth with the flyte-binary and having some issues with the secrets. What I have so far in my values:
    enabled: true
      baseUrl: "<azureAD oidc application>"
      clientId: "<oidc id>"
      clientSecret: <base64 encoded oicd secret>
      clientSecret: <base64 encoded secret>
      clientSecretHash: "<bcrypt hash of above>"
I guess that may not be terribly informative? Point being, I'm quite confident that the
are correct. However, when I install the chart, the
container errors out with:
* error decoding 'appAuth.selfAuthServer.staticClients[flytepropeller].client_secret': illegal base64 data at input byte 0
Couple of questions: • Which client secret is this? • I've tried base64 encoding locally with python and here • Is it possible to store these values in a k8s secret? • Is this really all the auth setup needed? I'm migrating from a pre-binary setup to the binary and there's a lot of complexity in the former chart which is not present in the latter Any pointers would be much appreciated ☺️

Ketan (kumare3)

02/20/2023, 4:17 PM
Cc @Panos Strouth it seems similar to your problem
Cc @Eduardo Apolinario (eapolinario) / @Yee can we solve this one
Also I do have a new version of auth - can you test this


02/20/2023, 4:26 PM
so some background… even though it’s a single executable they’re still different pieces of code at least for now, so the engine (propeller) still needs to auth to the control plane (admin) if you have auth turned on. the way we did this is with the client credentials flow (effectively a username and password). those are these two lines here. the username is constant so there’s no need to configure that. the plaintext is used by propeller as the password, and admin checks the hash. the way to compute the hash is with bcrypt.
$ python -c 'import bcrypt; import base64; print(base64.b64encode(bcrypt.hashpw("some-secret".encode("utf-8"), bcrypt.gensalt(6))))'
@Peeter Piegaze could you help us get this added to the auth docs?
keep in mind the hash will change every time you run that command
regarding the other questions, it is possible to store these in a k8s secret and the plaintext one is already but the hash is not. you can do that but you’ll have to update the helm chart to mount/read from the secret.
yes, it should be all the auth setup that’s necessary… we are running the flyte-binary chart internally with google idp

Ed Fincham

02/20/2023, 5:07 PM
Ahh thank you @Yee - looks like I missed the
in my python. And thank you for the explanation, which makes it much clearer what's going on! Kudos to all the flyte team for being so fantastically responsive and helpful - hugely appreciate your support 🙂

David Espejo (he/him)

02/20/2023, 8:02 PM
@Yee / @Peeter Piegaze there's a PR that adds this (and other) instructions to auth docs: