Hey guys, Trying to set up auth with the flyte-binary and having some issues with the secrets. What...

silly-refrigerator-21057

02/20/2023, 4:00 PM

Hey guys, Trying to set up auth with the flyte-binary and having some issues with the secrets. What I have so far in my values:

Copy code

auth:
    enabled: true
    oidc:
      baseUrl: "<azureAD oidc application>"
      clientId: "<oidc id>"
      clientSecret: <base64 encoded oicd secret>
    internal:
      clientSecret: <base64 encoded secret>
      clientSecretHash: "<bcrypt hash of above>"

I guess that may not be terribly informative? Point being, I'm quite confident that the

oidc.baseUrl

and

oidc.clientID

are correct. However, when I install the chart, the

gen-admin-auth-secret

container errors out with:

Copy code

* error decoding 'appAuth.selfAuthServer.staticClients[flytepropeller].client_secret': illegal base64 data at input byte 0

Couple of questions: • Which client secret is this? • I've tried base64 encoding locally with python and here • Is it possible to store these values in a k8s secret? • Is this really all the auth setup needed? I'm migrating from a pre-binary setup to the binary and there's a lot of complexity in the former chart which is not present in the latter Any pointers would be much appreciated ☺️

freezing-airport-6809

02/20/2023, 4:17 PM

Cc @gray-oil-67360 it seems similar to your problem

👍 1

freezing-airport-6809

02/20/2023, 4:17 PM

Cc @high-accountant-32689 / @thankful-minister-83577 can we solve this one

freezing-airport-6809

02/20/2023, 4:18 PM

Also I do have a new version of auth - can you test this https://github.com/flyteorg/flytekit/pull/1458

thankful-minister-83577

02/20/2023, 4:26 PM

so some background… even though it’s a single executable they’re still different pieces of code at least for now, so the engine (propeller) still needs to auth to the control plane (admin) if you have auth turned on. the way we did this is with the client credentials flow (effectively a username and password). those are these two lines here. the username is constant so there’s no need to configure that. the plaintext is used by propeller as the password, and admin checks the hash. the way to compute the hash is with bcrypt.

Copy code

$ python -c 'import bcrypt; import base64; print(base64.b64encode(bcrypt.hashpw("some-secret".encode("utf-8"), bcrypt.gensalt(6))))'
b'JDJiJDA2JHIud1JYLi9WSWJxQnZOMWZ1MWJqNHV5bGVuUERNbTNwcGZza1ZBMEJaZG05bkFOMEhJWDJT'

thankful-minister-83577

02/20/2023, 4:27 PM

@powerful-gold-59386 could you help us get this added to the auth docs?

thankful-minister-83577

02/20/2023, 4:27 PM

keep in mind the hash will change every time you run that command

thankful-minister-83577

02/20/2023, 4:32 PM

regarding the other questions, it is possible to store these in a k8s secret and the plaintext one is already but the hash is not. you can do that but you’ll have to update the helm chart to mount/read from the secret.

thankful-minister-83577

02/20/2023, 4:33 PM

yes, it should be all the auth setup that’s necessary… we are running the flyte-binary chart internally with google idp

silly-refrigerator-21057

02/20/2023, 5:07 PM

Ahh thank you @thankful-minister-83577 - looks like I missed the

.encode("utf-8")

in my python. And thank you for the explanation, which makes it much clearer what's going on! Kudos to all the flyte team for being so fantastically responsive and helpful - hugely appreciate your support 🙂

🔥 4

🙇 4

average-finland-92144

02/20/2023, 8:02 PM

@thankful-minister-83577 / @powerful-gold-59386 there's a PR that adds this (and other) instructions to auth docs: https://github.com/flyteorg/flyte/pull/3062

187 Views

Open in Slack

Previous Next

Flyte

Flyte enables production-grade orchestration for machine learning workflows and data processing created to accelerate local workflows to production.