Hey guys Trying to set up auth with the flyte binary and hav Flyte #ask-the-community

Hey guys, Trying to set up auth with the flyte-bi...

Ed Fincham

02/20/2023, 4:00 PM

Hey guys, Trying to set up auth with the flyte-binary and having some issues with the secrets. What I have so far in my values:

Copy code

auth:
    enabled: true
    oidc:
      baseUrl: "<azureAD oidc application>"
      clientId: "<oidc id>"
      clientSecret: <base64 encoded oicd secret>
    internal:
      clientSecret: <base64 encoded secret>
      clientSecretHash: "<bcrypt hash of above>"

I guess that may not be terribly informative? Point being, I'm quite confident that the

oidc.baseUrl

and

oidc.clientID

are correct. However, when I install the chart, the

gen-admin-auth-secret

container errors out with:

Copy code

* error decoding 'appAuth.selfAuthServer.staticClients[flytepropeller].client_secret': illegal base64 data at input byte 0

Couple of questions: • Which client secret is this? • I've tried base64 encoding locally with python and here • Is it possible to store these values in a k8s secret? • Is this really all the auth setup needed? I'm migrating from a pre-binary setup to the binary and there's a lot of complexity in the former chart which is not present in the latter Any pointers would be much appreciated ☺️

Ketan (kumare3)

02/20/2023, 4:17 PM

Cc @Panos Strouth it seems similar to your problem

Ketan (kumare3)

02/20/2023, 4:17 PM

Cc @Eduardo Apolinario (eapolinario) / @Yee can we solve this one

Ketan (kumare3)

02/20/2023, 4:18 PM

Also I do have a new version of auth - can you test this https://github.com/flyteorg/flytekit/pull/1458

Yee

02/20/2023, 4:26 PM

so some background… even though it’s a single executable they’re still different pieces of code at least for now, so the engine (propeller) still needs to auth to the control plane (admin) if you have auth turned on. the way we did this is with the client credentials flow (effectively a username and password). those are these two lines here. the username is constant so there’s no need to configure that. the plaintext is used by propeller as the password, and admin checks the hash. the way to compute the hash is with bcrypt.

Copy code

$ python -c 'import bcrypt; import base64; print(base64.b64encode(bcrypt.hashpw("some-secret".encode("utf-8"), bcrypt.gensalt(6))))'
b'JDJiJDA2JHIud1JYLi9WSWJxQnZOMWZ1MWJqNHV5bGVuUERNbTNwcGZza1ZBMEJaZG05bkFOMEhJWDJT'

Yee

02/20/2023, 4:27 PM

@Peeter Piegaze could you help us get this added to the auth docs?

Yee

02/20/2023, 4:27 PM

keep in mind the hash will change every time you run that command

Yee

02/20/2023, 4:32 PM

regarding the other questions, it is possible to store these in a k8s secret and the plaintext one is already but the hash is not. you can do that but you’ll have to update the helm chart to mount/read from the secret.

Yee

02/20/2023, 4:33 PM

yes, it should be all the auth setup that’s necessary… we are running the flyte-binary chart internally with google idp

Ed Fincham

02/20/2023, 5:07 PM

Ahh thank you @Yee - looks like I missed the

.encode("utf-8")

in my python. And thank you for the explanation, which makes it much clearer what's going on! Kudos to all the flyte team for being so fantastically responsive and helpful - hugely appreciate your support 🙂

David Espejo (he/him)

02/20/2023, 8:02 PM

@Yee / @Peeter Piegaze there's a PR that adds this (and other) instructions to auth docs: https://github.com/flyteorg/flyte/pull/3062

181 Views

Open in Slack

Previous Next