From 23b36608fc1de985486cbe717453034fe7c75bd0 Mon Sep 17 00:00:00 2001
From: ddl-ebrown
Date: Tue, 5 Mar 2024 22:47:58 -0800
Subject: [PATCH] Flyte-core flyteadmin / datacatalog expose ports

- Flyteadmin setting for the grpc port is nested and grpcPort should not be used. Address incorrect config / documentation
- Both flyteadmin and datacatalog have configurable ports to use for HTTP and GRPC, but the k8s spec for the containers doesn't expose matching ports. Fix that!

Signed-off-by: ddl-ebrown
---
 charts/flyte-core/README.md | 2 +-
 .../templates/admin/deployment.yaml | 4 +-
 .../templates/datacatalog/deployment.yaml | 4 +-
 charts/flyte-core/values-eks.yaml | 5 +-
 charts/flyte-core/values-gcp.yaml | 3 +-
 ...loak-idp-flyteclients-without-browser.yaml | 11 +-
 charts/flyte-core/values.yaml | 3 +-
 charts/flyte/README.md | 6 +-
 charts/flyte/values.yaml | 3 +-
 .../flyte_aws_scheduler_helm_generated.yaml | 7 +-
 .../flyte_helm_controlplane_generated.yaml | 9 +-
 deployment/eks/flyte_helm_generated.yaml | 9 +-
 .../flyte_helm_controlplane_generated.yaml | 9 +-
 deployment/gcp/flyte_helm_generated.yaml | 9 +-
 deployment/sandbox/flyte_helm_generated.yaml | 9 +-
 deployment/test/flyte_generated.yaml | 3 +-
 .../manifests/complete-agent.yaml | 4 +-
 .../sandbox-bundled/manifests/complete.yaml | 4 +-
 docker/sandbox-bundled/manifests/dev.yaml | 4 +-
 docs/deployment/configuration/auth_setup.rst | 231 +++++++++---------
 flyteadmin/flyteadmin_config.yaml | 3 +-
 .../script/integration/k8s/integration.yaml | 3 +-
 22 files changed, 180 insertions(+), 165 deletions(-)

diff --git a/charts/flyte-core/README.md b/charts/flyte-core/README.md
index 5a18f902cba..f7fca986ddf 100644
--- a/charts/flyte-core/README.md
+++ b/charts/flyte-core/README.md
@@ -87,7 +87,7 @@ helm install gateway bitnami/contour -n flyte
 | common.ingress.tls | object | `{"enabled":false}` | - Ingress hostname host: |
 | common.ingress.webpackHMR | bool | `false` | - Enable or disable HMR route to flyteconsole. This is useful only for frontend development. |
 | configmap.admin | object | `{"admin":{"clientId":"{{ .Values.secrets.adminOauthClientCredentials.clientId }}","clientSecretLocation":"/etc/secrets/client_secret","endpoint":"flyteadmin:81","insecure":true},"event":{"capacity":1000,"rate":500,"type":"admin"}}` | Admin Client configuration [structure](https://pkg.go.dev/github.com/flyteorg/flytepropeller/pkg/controller/nodes/subworkflow/launchplan#AdminConfig) |
-| configmap.adminServer | object | `{"auth":{"appAuth":{"thirdPartyConfig":{"flyteClient":{"clientId":"flytectl","redirectUri":"http://localhost:53593/callback","scopes":["offline","all"]}}},"authorizedUris":["https://localhost:30081","http://flyteadmin:80","http://flyteadmin.flyte.svc.cluster.local:80"],"userAuth":{"openId":{"baseUrl":"https://accounts.google.com","clientId":"657465813211-6eog7ek7li5k7i7fvgv2921075063hpe.apps.googleusercontent.com","scopes":["profile","openid"]}}},"flyteadmin":{"eventVersion":2,"metadataStoragePrefix":["metadata","admin"],"metricsScope":"flyte:","profilerPort":10254,"roleNameKey":"iam.amazonaws.com/role","testing":{"host":"http://flyteadmin"}},"server":{"grpcPort":8089,"httpPort":8088,"security":{"allowCors":true,"allowedHeaders":["Content-Type","flyte-authorization"],"allowedOrigins":["*"],"secure":false,"useAuth":false}}}` | FlyteAdmin server configuration |
+| configmap.adminServer | object | 
`{"auth":{"appAuth":{"thirdPartyConfig":{"flyteClient":{"clientId":"flytectl","redirectUri":"http://localhost:53593/callback","scopes":["offline","all"]}}},"authorizedUris":["https://localhost:30081","http://flyteadmin:80","http://flyteadmin.flyte.svc.cluster.local:80"],"userAuth":{"openId":{"baseUrl":"https://accounts.google.com","clientId":"657465813211-6eog7ek7li5k7i7fvgv2921075063hpe.apps.googleusercontent.com","scopes":["profile","openid"]}}},"flyteadmin":{"eventVersion":2,"metadataStoragePrefix":["metadata","admin"],"metricsScope":"flyte:","profilerPort":10254,"roleNameKey":"iam.amazonaws.com/role","testing":{"host":"http://flyteadmin"}},"server":{"grpc":{"port":8089},"httpPort":8088,"security":{"allowCors":true,"allowedHeaders":["Content-Type","flyte-authorization"],"allowedOrigins":["*"],"secure":false,"useAuth":false}}}` | FlyteAdmin server configuration |
 | configmap.adminServer.auth | object | `{"appAuth":{"thirdPartyConfig":{"flyteClient":{"clientId":"flytectl","redirectUri":"http://localhost:53593/callback","scopes":["offline","all"]}}},"authorizedUris":["https://localhost:30081","http://flyteadmin:80","http://flyteadmin.flyte.svc.cluster.local:80"],"userAuth":{"openId":{"baseUrl":"https://accounts.google.com","clientId":"657465813211-6eog7ek7li5k7i7fvgv2921075063hpe.apps.googleusercontent.com","scopes":["profile","openid"]}}}` | Authentication configuration |
 | configmap.adminServer.server.security.secure | bool | `false` | Controls whether to serve requests over SSL/TLS. |
 | configmap.adminServer.server.security.useAuth | bool | `false` | Controls whether to enforce authentication. Follow the guide in https://docs.flyte.org/ on how to setup authentication. |
diff --git a/charts/flyte-core/templates/admin/deployment.yaml b/charts/flyte-core/templates/admin/deployment.yaml
index dc61d29c28e..23ea9966dfc 100755
--- a/charts/flyte-core/templates/admin/deployment.yaml
+++ b/charts/flyte-core/templates/admin/deployment.yaml
@@ -151,8 +151,8 @@ spec:
 imagePullPolicy: "{{ .Values.flyteadmin.image.pullPolicy }}"
 name: flyteadmin
 ports:
- - containerPort: 8088
- - containerPort: 8089
+ - containerPort: {{ .Values.configmap.adminServer.server.httpPort }}
+ - containerPort: {{ .Values.configmap.adminServer.server.grpc.port }}
 - containerPort: {{ .Values.configmap.adminServer.flyteadmin.profilerPort }}
 readinessProbe:
 exec:
diff --git a/charts/flyte-core/templates/datacatalog/deployment.yaml b/charts/flyte-core/templates/datacatalog/deployment.yaml
index 94e096466d9..c58452f4ce9 100644
--- a/charts/flyte-core/templates/datacatalog/deployment.yaml
+++ b/charts/flyte-core/templates/datacatalog/deployment.yaml
@@ -66,8 +66,8 @@ spec:
 imagePullPolicy: "{{ .Values.datacatalog.image.pullPolicy }}"
 name: datacatalog
 ports:
- - containerPort: 8088
- - containerPort: 8089
+ - containerPort: {{ .Values.configmap.datacatalogServer.application.httpPort }}
+ - containerPort: {{ .Values.configmap.datacatalogServer.application.grpcPort }}
 - containerPort: {{ index .Values.configmap.datacatalogServer.datacatalog "profiler-port" }}
 securityContext:
 allowPrivilegeEscalation: false
diff --git a/charts/flyte-core/values-eks.yaml b/charts/flyte-core/values-eks.yaml
index 1dbaded1c7e..3b7cbac830d 100644
--- a/charts/flyte-core/values-eks.yaml
+++ b/charts/flyte-core/values-eks.yaml
@@ -147,7 +147,7 @@ common:
 kubernetes.io/ingress.class: alb
 alb.ingress.kubernetes.io/tags: service_instance=production
 alb.ingress.kubernetes.io/scheme: internet-facing
- alb.ingress.kubernetes.io/target-type: ip
+ alb.ingress.kubernetes.io/target-type: ip
 # -- This is the certificate arn of the cert imported in AWS certificate manager.
 alb.ingress.kubernetes.io/certificate-arn: "{{ .Values.userSettings.certificateArn }}"
 alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
@@ -216,7 +216,8 @@ configmap:
 adminServer:
 server:
 httpPort: 8088
- grpcPort: 8089
+ grpc:
+ port: 8089
 security:
 secure: false
 useAuth: false
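Review bot: The two added containerPort entries are unnamed, so the Service and probes that front flyteadmin can only reference them by number and nothing catches the Deployment and Service drifting apart if one of them is later changed; naming them (`name: http`, `name: grpc`) lets `targetPort` refer to the name and makes `kubectl describe` readable. The datacatalog hunk (`@@ -66,8 +66,8 @@`) has the same shape and would take the same names. containerPort is informational in Kubernetes and does not gate traffic, so the ports that actually matter for reachability are the Service `targetPort`s, which are not in this diff; it is worth confirming they read the same `configmap.*` keys rather than keeping the old literals 8088/8089. If an override ever nulls `server.grpc`, the template renders `containerPort:` with no value and the apply fails with an opaque error; wrapping it as `{{ required "configmap.adminServer.server.grpc.port must be set" .Values.configmap.adminServer.server.grpc.port }}` turns that into a chart-level message.
```yaml
        ports:
        - name: http
          containerPort: {{ .Values.configmap.adminServer.server.httpPort }}
        - name: grpc
          containerPort: {{ .Values.configmap.adminServer.server.grpc.port }}
        # … unchanged: profiler port, readinessProbe …
```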
diff --git a/charts/flyte-core/values-gcp.yaml b/charts/flyte-core/values-gcp.yaml
index 181772c0c6e..4c91115c8dc 100644
--- a/charts/flyte-core/values-gcp.yaml
+++ b/charts/flyte-core/values-gcp.yaml
@@ -232,7 +232,8 @@ configmap:
 adminServer:
 server:
 httpPort: 8088
- grpcPort: 8089
+ grpc:
+ port: 8089
 security:
 secure: false
 useAuth: false
diff --git a/charts/flyte-core/values-keycloak-idp-flyteclients-without-browser.yaml b/charts/flyte-core/values-keycloak-idp-flyteclients-without-browser.yaml
index edfd9478bcd..5b12b7b3f9a 100644
--- a/charts/flyte-core/values-keycloak-idp-flyteclients-without-browser.yaml
+++ b/charts/flyte-core/values-keycloak-idp-flyteclients-without-browser.yaml
@@ -81,7 +81,7 @@ flyteadmin:
 - configMap:
 name: sslcerts # name of the ca-certificates.crt configmap in the cluster
 name: sslcerts
- additionalVolumeMounts:
+ additionalVolumeMounts:
 - mountPath: /etc/ssl/certs/ # where to mount the above certificate
 name: sslcerts
 # -- Appends extra command line arguments to the serve command
@@ -459,11 +459,11 @@ configmap:
 console:
 BASE_URL: /console
 CONFIG_DIR: /etc/flyte/config
-
+
 logger:
 show-source: true
 level: 6
-
+
 # -- Domains configuration for Flyte projects. This enables the specified number of domains across all projects in Flyte.
 domain:
 domains:
@@ -485,7 +485,8 @@ configmap:
 # Refer to the [server config](https://pkg.go.dev/github.com/lyft/flyteadmin@v0.3.37/pkg/config#ServerConfig).
 server:
 httpPort: 8088
- grpcPort: 8089
+ grpc:
+ port: 8089
 security:
 # -- Controls whether to serve requests over SSL/TLS.
 secure: false
@@ -552,7 +553,7 @@ configmap:
- profile - openid - offline_access - clientId: + clientId: # -- Datacatalog server config datacatalogServer:
@@ -626,7 +626,8 @@ configmap:
 # Refer to the [server config](https://pkg.go.dev/github.com/lyft/flyteadmin@v0.3.37/pkg/config#ServerConfig).
 server:
 httpPort: 8088
- grpcPort: 8089
+ grpc:
+ port: 8089
 security:
 # -- Controls whether to serve requests over SSL/TLS.
 secure: false
diff --git a/charts/flyte/README.md b/charts/flyte/README.md
index 5ead2db7308..7f9b1a197e6 100644
--- a/charts/flyte/README.md
+++ b/charts/flyte/README.md
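Review bot: The new `grpc:` / `port:` pair in values.yaml has no `# --` helm-docs comment, while the neighbouring `secure` key does, so the regenerated README will show the nested key without saying why the flat one went away. Because the adminServer block is rendered into the configmap as free-form YAML, a stale `grpcPort` in an operator's override is accepted silently and, per the commit message, not read by flyteadmin, which means an operator can believe they moved the gRPC listener while the container keeps listening on the default and the Deployment now advertises `grpc.port`; a one-line comment is the cheapest guard against that key being reintroduced: `# -- gRPC listen port. flyteadmin reads the nested grpc.port key; the flat grpcPort key is not used.` The same rename in values-eks.yaml, values-gcp.yaml and the keycloak example values would read better with the same comment, but values.yaml is the helm-docs source and is the one that matters.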
@@ -71,7 +71,7 @@ helm upgrade -f values-sandbox.yaml flyte . | contour.tolerations | list | `[]` | tolerations for Contour deployment | | daskoperator | object | `{"enabled":false}` | Optional: Dask Plugin using the Dask Operator | | daskoperator.enabled | bool | `false` | - enable or disable the dask operator deployment installation | -| flyte | object | `{"cluster_resource_manager":{"config":{"cluster_resources":{"customData":[{"production":[{"projectQuotaCpu":{"value":"5"}},{"projectQuotaMemory":{"value":"4000Mi"}}]},{"staging":[{"projectQuotaCpu":{"value":"2"}},{"projectQuotaMemory":{"value":"3000Mi"}}]},{"development":[{"projectQuotaCpu":{"value":"4"}},{"projectQuotaMemory":{"value":"3000Mi"}}]}],"refresh":"5m","refreshInterval":"5m","standaloneDeployment":false,"templatePath":"/etc/flyte/clusterresource/templates"}},"enabled":true,"service_account_name":"flyteadmin","templates":[{"key":"aa_namespace","value":"apiVersion: v1\nkind: Namespace\nmetadata:\n name: {{ namespace }}\nspec:\n finalizers:\n - kubernetes\n"},{"key":"ab_project_resource_quota","value":"apiVersion: v1\nkind: ResourceQuota\nmetadata:\n name: project-quota\n namespace: {{ namespace }}\nspec:\n hard:\n limits.cpu: {{ projectQuotaCpu }}\n limits.memory: {{ projectQuotaMemory 
}}\n"}]},"common":{"databaseSecret":{"name":"","secretManifest":{}},"flyteNamespaceTemplate":{"enabled":false},"ingress":{"albSSLRedirect":false,"annotations":{"nginx.ingress.kubernetes.io/app-root":"/console"},"enabled":true,"host":"","separateGrpcIngress":false,"separateGrpcIngressAnnotations":{"nginx.ingress.kubernetes.io/backend-protocol":"GRPC"},"tls":{"enabled":false},"webpackHMR":true}},"configmap":{"adminServer":{"auth":{"appAuth":{"thirdPartyConfig":{"flyteClient":{"clientId":"flytectl","redirectUri":"http://localhost:53593/callback","scopes":["offline","all"]}}},"authorizedUris":["https://localhost:30081","http://flyteadmin:80","http://flyteadmin.flyte.svc.cluster.local:80"],"userAuth":{"openId":{"baseUrl":"https://accounts.google.com","clientId":"657465813211-6eog7ek7li5k7i7fvgv2921075063hpe.apps.googleusercontent.com","scopes":["profile","openid"]}}},"flyteadmin":{"eventVersion":2,"metadataStoragePrefix":["metadata","admin"],"metricsScope":"flyte:","profilerPort":10254,"roleNameKey":"iam.amazonaws.com/role","testing":{"host":"http://flyteadmin"}},"server":{"grpcPort":8089,"httpPort":8088,"security":{"allowCors":true,"allowedHeaders":["Content-Type","flyte-authorization"],"allowedOrigins":["*"],"secure":false,"useAuth":false}}},"catalog":{"catalog-cache":{"endpoint":"datacatalog:89","insecure":true,"type":"datacatalog"}},"console":{"BASE_URL":"/console","CONFIG_DIR":"/etc/flyte/config"},"copilot":{"plugins":{"k8s":{"co-pilot":{"image":"cr.flyte.org/flyteorg/flytecopilot:v1.11.0","name":"flyte-copilot-","start-timeout":"30s"}}}},"core":{"propeller":{"downstream-eval-duration":"30s","enable-admin-launcher":true,"leader-election":{"enabled":true,"lease-duration":"15s","lock-config-map":{"name":"propeller-leader","namespace":"flyte"},"renew-deadline":"10s","retry-period":"2s"},"limit-namespace":"all","max-workflow-retries":30,"metadata-prefix":"metadata/propeller","metrics-prefix":"flyte","prof-port":10254,"queue":{"batch-size":-1,"batching-interval":"2s","qu
eue":{"base-delay":"5s","capacity":1000,"max-delay":"120s","rate":100,"type":"maxof"},"sub-queue":{"capacity":100,"rate":10,"type":"bucket"},"type":"batch"},"rawoutput-prefix":"s3://my-s3-bucket/","workers":4,"workflow-reeval-duration":"30s"},"webhook":{"certDir":"/etc/webhook/certs","serviceName":"flyte-pod-webhook"}},"datacatalogServer":{"application":{"grpcPort":8089,"grpcServerReflection":true,"httpPort":8080},"datacatalog":{"metrics-scope":"datacatalog","profiler-port":10254,"storage-prefix":"metadata/datacatalog"}},"domain":{"domains":[{"id":"development","name":"development"},{"id":"staging","name":"staging"},{"id":"production","name":"production"}]},"enabled_plugins":{"tasks":{"task-plugins":{"default-for-task-types":{"bigquery_query_job_task":"agent-service","container":"container","container_array":"k8s-array","sidecar":"sidecar"},"enabled-plugins":["container","sidecar","k8s-array","agent-service"]}}},"k8s":{"plugins":{"k8s":{"default-cpus":"100m","default-env-vars":[{"FLYTE_AWS_ENDPOINT":"http://minio.flyte:9000"},{"FLYTE_AWS_ACCESS_KEY_ID":"minio"},{"FLYTE_AWS_SECRET_ACCESS_KEY":"miniostorage"}],"default-memory":"200Mi"}}},"logger":{"logger":{"level":5,"show-source":true}},"remoteData":{"remoteData":{"region":"us-east-1","scheme":"local","signedUrls":{"durationMinutes":3}}},"resource_manager":{"propeller":{"resourcemanager":{"redis":null,"type":"noop"}}},"task_logs":{"plugins":{"logs":{"cloudwatch-enabled":false,"kubernetes-enabled":true,"kubernetes-template-uri":"http://localhost:30082/#/log/{{ \"{{\" }} .namespace {{ \"}}\" }}/{{ \"{{\" }} .podName {{ \"}}\" }}/pod?namespace={{ \"{{\" }} .namespace {{ \"}}\" 
}}"}}},"task_resource_defaults":{"task_resources":{"defaults":{"cpu":"100m","memory":"200Mi","storage":"5Mi"},"limits":{"cpu":2,"gpu":1,"memory":"1Gi","storage":"20Mi"}}}},"datacatalog":{"affinity":{},"configPath":"/etc/datacatalog/config/*.yaml","image":{"pullPolicy":"IfNotPresent","repository":"cr.flyte.org/flyteorg/datacatalog","tag":"v1.11.0"},"nodeSelector":{},"podAnnotations":{},"replicaCount":1,"resources":{"limits":{"cpu":"500m","ephemeral-storage":"100Mi","memory":"500Mi"},"requests":{"cpu":"10m","ephemeral-storage":"50Mi","memory":"50Mi"}},"service":{"annotations":{"projectcontour.io/upstream-protocol.h2c":"grpc"},"type":"NodePort"},"serviceAccount":{"annotations":{},"create":true,"imagePullSecrets":[]},"tolerations":[]},"db":{"admin":{"database":{"dbname":"flyteadmin","host":"postgres","port":5432,"username":"postgres"}},"datacatalog":{"database":{"dbname":"datacatalog","host":"postgres","port":5432,"username":"postgres"}}},"deployRedoc":true,"flyteadmin":{"additionalVolumeMounts":[],"additionalVolumes":[],"affinity":{},"configPath":"/etc/flyte/config/*.yaml","env":[],"image":{"pullPolicy":"IfNotPresent","repository":"cr.flyte.org/flyteorg/flyteadmin","tag":"v1.11.0"},"initialProjects":["flytesnacks","flytetester","flyteexamples"],"nodeSelector":{},"podAnnotations":{},"replicaCount":1,"resources":{"limits":{"cpu":"250m","ephemeral-storage":"100Mi","memory":"500Mi"},"requests":{"cpu":"10m","ephemeral-storage":"50Mi","memory":"50Mi"}},"secrets":{},"service":{"annotations":{"projectcontour.io/upstream-protocol.h2c":"grpc"},"loadBalancerSourceRanges":[],"type":"ClusterIP"},"serviceAccount":{"annotations":{},"create":true,"imagePullSecrets":[]},"tolerations":[]},"flyteconsole":{"affinity":{},"ga":{"enabled":true,"tracking_id":"G-0QW4DJWJ20"},"image":{"pullPolicy":"IfNotPresent","repository":"cr.flyte.org/flyteorg/flyteconsole","tag":"v1.10.3"},"nodeSelector":{},"podAnnotations":{},"replicaCount":1,"resources":{"limits":{"cpu":"500m","memory":"275Mi"},"requests
":{"cpu":"10m","memory":"250Mi"}},"service":{"annotations":{},"type":"ClusterIP"},"tolerations":[]},"flytepropeller":{"affinity":{},"cacheSizeMbs":0,"configPath":"/etc/flyte/config/*.yaml","image":{"pullPolicy":"IfNotPresent","repository":"cr.flyte.org/flyteorg/flytepropeller","tag":"v1.11.0"},"manager":false,"nodeSelector":{},"podAnnotations":{},"replicaCount":1,"resources":{"limits":{"cpu":"200m","ephemeral-storage":"100Mi","memory":"200Mi"},"requests":{"cpu":"10m","ephemeral-storage":"50Mi","memory":"50Mi"}},"serviceAccount":{"annotations":{},"create":true,"imagePullSecrets":[]},"tolerations":[]},"flytescheduler":{"affinity":{},"configPath":"/etc/flyte/config/*.yaml","image":{"pullPolicy":"IfNotPresent","repository":"cr.flyte.org/flyteorg/flytescheduler","tag":"v1.11.0"},"nodeSelector":{},"podAnnotations":{},"resources":{"limits":{"cpu":"250m","ephemeral-storage":"100Mi","memory":"500Mi"},"requests":{"cpu":"10m","ephemeral-storage":"50Mi","memory":"50Mi"}},"secrets":{},"serviceAccount":{"annotations":{},"create":true,"imagePullSecrets":[]},"tolerations":[]},"storage":{"bucketName":"my-s3-bucket","custom":{},"gcs":null,"s3":{"region":"us-east-1"},"type":"sandbox"},"webhook":{"enabled":true,"service":{"annotations":{"projectcontour.io/upstream-protocol.h2c":"grpc"},"type":"ClusterIP"},"serviceAccount":{"annotations":{},"create":true,"imagePullSecrets":[]}},"workflow_notifications":{"config":{},"enabled":false},"workflow_scheduler":{"enabled":true,"type":"native"}}` | ------------------------------------------------------------------- Core System settings This section consists of Core components of Flyte and their deployment settings. 
This includes FlyteAdmin service, Datacatalog, FlytePropeller and Flyteconsole | +| flyte | object | `{"cluster_resource_manager":{"config":{"cluster_resources":{"customData":[{"production":[{"projectQuotaCpu":{"value":"5"}},{"projectQuotaMemory":{"value":"4000Mi"}}]},{"staging":[{"projectQuotaCpu":{"value":"2"}},{"projectQuotaMemory":{"value":"3000Mi"}}]},{"development":[{"projectQuotaCpu":{"value":"4"}},{"projectQuotaMemory":{"value":"3000Mi"}}]}],"refresh":"5m","refreshInterval":"5m","standaloneDeployment":false,"templatePath":"/etc/flyte/clusterresource/templates"}},"enabled":true,"service_account_name":"flyteadmin","templates":[{"key":"aa_namespace","value":"apiVersion: v1\nkind: Namespace\nmetadata:\n name: {{ namespace }}\nspec:\n finalizers:\n - kubernetes\n"},{"key":"ab_project_resource_quota","value":"apiVersion: v1\nkind: ResourceQuota\nmetadata:\n name: project-quota\n namespace: {{ namespace }}\nspec:\n hard:\n limits.cpu: {{ projectQuotaCpu }}\n limits.memory: {{ projectQuotaMemory 
}}\n"}]},"common":{"databaseSecret":{"name":"","secretManifest":{}},"flyteNamespaceTemplate":{"enabled":false},"ingress":{"albSSLRedirect":false,"annotations":{"nginx.ingress.kubernetes.io/app-root":"/console"},"enabled":true,"host":"","separateGrpcIngress":false,"separateGrpcIngressAnnotations":{"nginx.ingress.kubernetes.io/backend-protocol":"GRPC"},"tls":{"enabled":false},"webpackHMR":true}},"configmap":{"adminServer":{"auth":{"appAuth":{"thirdPartyConfig":{"flyteClient":{"clientId":"flytectl","redirectUri":"http://localhost:53593/callback","scopes":["offline","all"]}}},"authorizedUris":["https://localhost:30081","http://flyteadmin:80","http://flyteadmin.flyte.svc.cluster.local:80"],"userAuth":{"openId":{"baseUrl":"https://accounts.google.com","clientId":"657465813211-6eog7ek7li5k7i7fvgv2921075063hpe.apps.googleusercontent.com","scopes":["profile","openid"]}}},"flyteadmin":{"eventVersion":2,"metadataStoragePrefix":["metadata","admin"],"metricsScope":"flyte:","profilerPort":10254,"roleNameKey":"iam.amazonaws.com/role","testing":{"host":"http://flyteadmin"}},"server":{"grpc":{"port":8089},"httpPort":8088,"security":{"allowCors":true,"allowedHeaders":["Content-Type","flyte-authorization"],"allowedOrigins":["*"],"secure":false,"useAuth":false}}},"catalog":{"catalog-cache":{"endpoint":"datacatalog:89","insecure":true,"type":"datacatalog"}},"console":{"BASE_URL":"/console","CONFIG_DIR":"/etc/flyte/config"},"copilot":{"plugins":{"k8s":{"co-pilot":{"image":"cr.flyte.org/flyteorg/flytecopilot:v1.11.0","name":"flyte-copilot-","start-timeout":"30s"}}}},"core":{"propeller":{"downstream-eval-duration":"30s","enable-admin-launcher":true,"leader-election":{"enabled":true,"lease-duration":"15s","lock-config-map":{"name":"propeller-leader","namespace":"flyte"},"renew-deadline":"10s","retry-period":"2s"},"limit-namespace":"all","max-workflow-retries":30,"metadata-prefix":"metadata/propeller","metrics-prefix":"flyte","prof-port":10254,"queue":{"batch-size":-1,"batching-interval":"2s
","queue":{"base-delay":"5s","capacity":1000,"max-delay":"120s","rate":100,"type":"maxof"},"sub-queue":{"capacity":100,"rate":10,"type":"bucket"},"type":"batch"},"rawoutput-prefix":"s3://my-s3-bucket/","workers":4,"workflow-reeval-duration":"30s"},"webhook":{"certDir":"/etc/webhook/certs","serviceName":"flyte-pod-webhook"}},"datacatalogServer":{"application":{"grpcPort":8089,"grpcServerReflection":true,"httpPort":8080},"datacatalog":{"metrics-scope":"datacatalog","profiler-port":10254,"storage-prefix":"metadata/datacatalog"}},"domain":{"domains":[{"id":"development","name":"development"},{"id":"staging","name":"staging"},{"id":"production","name":"production"}]},"enabled_plugins":{"tasks":{"task-plugins":{"default-for-task-types":{"bigquery_query_job_task":"agent-service","container":"container","container_array":"k8s-array","sidecar":"sidecar"},"enabled-plugins":["container","sidecar","k8s-array","agent-service"]}}},"k8s":{"plugins":{"k8s":{"default-cpus":"100m","default-env-vars":[{"FLYTE_AWS_ENDPOINT":"http://minio.flyte:9000"},{"FLYTE_AWS_ACCESS_KEY_ID":"minio"},{"FLYTE_AWS_SECRET_ACCESS_KEY":"miniostorage"}],"default-memory":"200Mi"}}},"logger":{"logger":{"level":5,"show-source":true}},"remoteData":{"remoteData":{"region":"us-east-1","scheme":"local","signedUrls":{"durationMinutes":3}}},"resource_manager":{"propeller":{"resourcemanager":{"redis":null,"type":"noop"}}},"task_logs":{"plugins":{"logs":{"cloudwatch-enabled":false,"kubernetes-enabled":true,"kubernetes-template-uri":"http://localhost:30082/#/log/{{ \"{{\" }} .namespace {{ \"}}\" }}/{{ \"{{\" }} .podName {{ \"}}\" }}/pod?namespace={{ \"{{\" }} .namespace {{ \"}}\" 
}}"}}},"task_resource_defaults":{"task_resources":{"defaults":{"cpu":"100m","memory":"200Mi","storage":"5Mi"},"limits":{"cpu":2,"gpu":1,"memory":"1Gi","storage":"20Mi"}}}},"datacatalog":{"affinity":{},"configPath":"/etc/datacatalog/config/*.yaml","image":{"pullPolicy":"IfNotPresent","repository":"cr.flyte.org/flyteorg/datacatalog","tag":"v1.11.0"},"nodeSelector":{},"podAnnotations":{},"replicaCount":1,"resources":{"limits":{"cpu":"500m","ephemeral-storage":"100Mi","memory":"500Mi"},"requests":{"cpu":"10m","ephemeral-storage":"50Mi","memory":"50Mi"}},"service":{"annotations":{"projectcontour.io/upstream-protocol.h2c":"grpc"},"type":"NodePort"},"serviceAccount":{"annotations":{},"create":true,"imagePullSecrets":[]},"tolerations":[]},"db":{"admin":{"database":{"dbname":"flyteadmin","host":"postgres","port":5432,"username":"postgres"}},"datacatalog":{"database":{"dbname":"datacatalog","host":"postgres","port":5432,"username":"postgres"}}},"deployRedoc":true,"flyteadmin":{"additionalVolumeMounts":[],"additionalVolumes":[],"affinity":{},"configPath":"/etc/flyte/config/*.yaml","env":[],"image":{"pullPolicy":"IfNotPresent","repository":"cr.flyte.org/flyteorg/flyteadmin","tag":"v1.11.0"},"initialProjects":["flytesnacks","flytetester","flyteexamples"],"nodeSelector":{},"podAnnotations":{},"replicaCount":1,"resources":{"limits":{"cpu":"250m","ephemeral-storage":"100Mi","memory":"500Mi"},"requests":{"cpu":"10m","ephemeral-storage":"50Mi","memory":"50Mi"}},"secrets":{},"service":{"annotations":{"projectcontour.io/upstream-protocol.h2c":"grpc"},"loadBalancerSourceRanges":[],"type":"ClusterIP"},"serviceAccount":{"annotations":{},"create":true,"imagePullSecrets":[]},"tolerations":[]},"flyteconsole":{"affinity":{},"ga":{"enabled":true,"tracking_id":"G-0QW4DJWJ20"},"image":{"pullPolicy":"IfNotPresent","repository":"cr.flyte.org/flyteorg/flyteconsole","tag":"v1.10.3"},"nodeSelector":{},"podAnnotations":{},"replicaCount":1,"resources":{"limits":{"cpu":"500m","memory":"275Mi"},"requests
":{"cpu":"10m","memory":"250Mi"}},"service":{"annotations":{},"type":"ClusterIP"},"tolerations":[]},"flytepropeller":{"affinity":{},"cacheSizeMbs":0,"configPath":"/etc/flyte/config/*.yaml","image":{"pullPolicy":"IfNotPresent","repository":"cr.flyte.org/flyteorg/flytepropeller","tag":"v1.11.0"},"manager":false,"nodeSelector":{},"podAnnotations":{},"replicaCount":1,"resources":{"limits":{"cpu":"200m","ephemeral-storage":"100Mi","memory":"200Mi"},"requests":{"cpu":"10m","ephemeral-storage":"50Mi","memory":"50Mi"}},"serviceAccount":{"annotations":{},"create":true,"imagePullSecrets":[]},"tolerations":[]},"flytescheduler":{"affinity":{},"configPath":"/etc/flyte/config/*.yaml","image":{"pullPolicy":"IfNotPresent","repository":"cr.flyte.org/flyteorg/flytescheduler","tag":"v1.11.0"},"nodeSelector":{},"podAnnotations":{},"resources":{"limits":{"cpu":"250m","ephemeral-storage":"100Mi","memory":"500Mi"},"requests":{"cpu":"10m","ephemeral-storage":"50Mi","memory":"50Mi"}},"secrets":{},"serviceAccount":{"annotations":{},"create":true,"imagePullSecrets":[]},"tolerations":[]},"storage":{"bucketName":"my-s3-bucket","custom":{},"gcs":null,"s3":{"region":"us-east-1"},"type":"sandbox"},"webhook":{"enabled":true,"service":{"annotations":{"projectcontour.io/upstream-protocol.h2c":"grpc"},"type":"ClusterIP"},"serviceAccount":{"annotations":{},"create":true,"imagePullSecrets":[]}},"workflow_notifications":{"config":{},"enabled":false},"workflow_scheduler":{"enabled":true,"type":"native"}}` | ------------------------------------------------------------------- Core System settings This section consists of Core components of Flyte and their deployment settings. 
This includes FlyteAdmin service, Datacatalog, FlytePropeller and Flyteconsole | | flyte.cluster_resource_manager | object | `{"config":{"cluster_resources":{"customData":[{"production":[{"projectQuotaCpu":{"value":"5"}},{"projectQuotaMemory":{"value":"4000Mi"}}]},{"staging":[{"projectQuotaCpu":{"value":"2"}},{"projectQuotaMemory":{"value":"3000Mi"}}]},{"development":[{"projectQuotaCpu":{"value":"4"}},{"projectQuotaMemory":{"value":"3000Mi"}}]}],"refresh":"5m","refreshInterval":"5m","standaloneDeployment":false,"templatePath":"/etc/flyte/clusterresource/templates"}},"enabled":true,"service_account_name":"flyteadmin","templates":[{"key":"aa_namespace","value":"apiVersion: v1\nkind: Namespace\nmetadata:\n name: {{ namespace }}\nspec:\n finalizers:\n - kubernetes\n"},{"key":"ab_project_resource_quota","value":"apiVersion: v1\nkind: ResourceQuota\nmetadata:\n name: project-quota\n namespace: {{ namespace }}\nspec:\n hard:\n limits.cpu: {{ projectQuotaCpu }}\n limits.memory: {{ projectQuotaMemory }}\n"}]}` | Configuration for the Cluster resource manager component. This is an optional component, that enables automatic cluster configuration. This is useful to set default quotas, manage namespaces etc that map to a project/domain | | flyte.cluster_resource_manager.config.cluster_resources | object | `{"customData":[{"production":[{"projectQuotaCpu":{"value":"5"}},{"projectQuotaMemory":{"value":"4000Mi"}}]},{"staging":[{"projectQuotaCpu":{"value":"2"}},{"projectQuotaMemory":{"value":"3000Mi"}}]},{"development":[{"projectQuotaCpu":{"value":"4"}},{"projectQuotaMemory":{"value":"3000Mi"}}]}],"refresh":"5m","refreshInterval":"5m","standaloneDeployment":false,"templatePath":"/etc/flyte/clusterresource/templates"}` | ClusterResource parameters Refer to the [structure](https://pkg.go.dev/github.com/lyft/flyteadmin@v0.3.37/pkg/runtime/interfaces#ClusterResourceConfig) to customize. 
| | flyte.cluster_resource_manager.config.cluster_resources.standaloneDeployment | bool | `false` | Starts the cluster resource manager in standalone mode with requisite auth credentials to call flyteadmin service endpoints | 
@@ -91,8 +91,8 @@ helm upgrade -f values-sandbox.yaml flyte . | flyte.common.ingress.separateGrpcIngressAnnotations | object | `{"nginx.ingress.kubernetes.io/backend-protocol":"GRPC"}` | - Extra Ingress annotations applied only to the GRPC ingress. Only makes sense if `separateGrpcIngress` is enabled. | | flyte.common.ingress.tls | object | `{"enabled":false}` | - TLS Settings | | flyte.common.ingress.webpackHMR | bool | `true` | - Enable or disable HMR route to flyteconsole. This is useful only for frontend development. | -| flyte.configmap | object | `{"adminServer":{"auth":{"appAuth":{"thirdPartyConfig":{"flyteClient":{"clientId":"flytectl","redirectUri":"http://localhost:53593/callback","scopes":["offline","all"]}}},"authorizedUris":["https://localhost:30081","http://flyteadmin:80","http://flyteadmin.flyte.svc.cluster.local:80"],"userAuth":{"openId":{"baseUrl":"https://accounts.google.com","clientId":"657465813211-6eog7ek7li5k7i7fvgv2921075063hpe.apps.googleusercontent.com","scopes":["profile","openid"]}}},"flyteadmin":{"eventVersion":2,"metadataStoragePrefix":["metadata","admin"],"metricsScope":"flyte:","profilerPort":10254,"roleNameKey":"iam.amazonaws.com/role","testing":{"host":"http://flyteadmin"}},"server":{"grpcPort":8089,"httpPort":8088,"security":{"allowCors":true,"allowedHeaders":["Content-Type","flyte-authorization"],"allowedOrigins":["*"],"secure":false,"useAuth":false}}},"catalog":{"catalog-cache":{"endpoint":"datacatalog:89","insecure":true,"type":"datacatalog"}},"console":{"BASE_URL":"/console","CONFIG_DIR":"/etc/flyte/config"},"copilot":{"plugins":{"k8s":{"co-pilot":{"image":"cr.flyte.org/flyteorg/flytecopilot:v1.11.0","name":"flyte-copilot-","start-timeout":"30s"}}}},"core":{"propeller":{"downstream-eval-duration":"30s","enable-admin-launcher":true,"leader-election":{"enabled":true,"lease-duration":"15s","lock-config-map":{"name":"propeller-leader","namespace":"flyte"},"renew-deadline":"10s","retry-period":"2s"},"limit-namespace":"all","max-workf
low-retries":30,"metadata-prefix":"metadata/propeller","metrics-prefix":"flyte","prof-port":10254,"queue":{"batch-size":-1,"batching-interval":"2s","queue":{"base-delay":"5s","capacity":1000,"max-delay":"120s","rate":100,"type":"maxof"},"sub-queue":{"capacity":100,"rate":10,"type":"bucket"},"type":"batch"},"rawoutput-prefix":"s3://my-s3-bucket/","workers":4,"workflow-reeval-duration":"30s"},"webhook":{"certDir":"/etc/webhook/certs","serviceName":"flyte-pod-webhook"}},"datacatalogServer":{"application":{"grpcPort":8089,"grpcServerReflection":true,"httpPort":8080},"datacatalog":{"metrics-scope":"datacatalog","profiler-port":10254,"storage-prefix":"metadata/datacatalog"}},"domain":{"domains":[{"id":"development","name":"development"},{"id":"staging","name":"staging"},{"id":"production","name":"production"}]},"enabled_plugins":{"tasks":{"task-plugins":{"default-for-task-types":{"bigquery_query_job_task":"agent-service","container":"container","container_array":"k8s-array","sidecar":"sidecar"},"enabled-plugins":["container","sidecar","k8s-array","agent-service"]}}},"k8s":{"plugins":{"k8s":{"default-cpus":"100m","default-env-vars":[{"FLYTE_AWS_ENDPOINT":"http://minio.flyte:9000"},{"FLYTE_AWS_ACCESS_KEY_ID":"minio"},{"FLYTE_AWS_SECRET_ACCESS_KEY":"miniostorage"}],"default-memory":"200Mi"}}},"logger":{"logger":{"level":5,"show-source":true}},"remoteData":{"remoteData":{"region":"us-east-1","scheme":"local","signedUrls":{"durationMinutes":3}}},"resource_manager":{"propeller":{"resourcemanager":{"redis":null,"type":"noop"}}},"task_logs":{"plugins":{"logs":{"cloudwatch-enabled":false,"kubernetes-enabled":true,"kubernetes-template-uri":"http://localhost:30082/#/log/{{ \"{{\" }} .namespace {{ \"}}\" }}/{{ \"{{\" }} .podName {{ \"}}\" }}/pod?namespace={{ \"{{\" }} .namespace {{ \"}}\" }}"}}},"task_resource_defaults":{"task_resources":{"defaults":{"cpu":"100m","memory":"200Mi","storage":"5Mi"},"limits":{"cpu":2,"gpu":1,"memory":"1Gi","storage":"20Mi"}}}}` | 
----------------------------------------------------------------- CONFIGMAPS SETTINGS | -| flyte.configmap.adminServer | object | `{"auth":{"appAuth":{"thirdPartyConfig":{"flyteClient":{"clientId":"flytectl","redirectUri":"http://localhost:53593/callback","scopes":["offline","all"]}}},"authorizedUris":["https://localhost:30081","http://flyteadmin:80","http://flyteadmin.flyte.svc.cluster.local:80"],"userAuth":{"openId":{"baseUrl":"https://accounts.google.com","clientId":"657465813211-6eog7ek7li5k7i7fvgv2921075063hpe.apps.googleusercontent.com","scopes":["profile","openid"]}}},"flyteadmin":{"eventVersion":2,"metadataStoragePrefix":["metadata","admin"],"metricsScope":"flyte:","profilerPort":10254,"roleNameKey":"iam.amazonaws.com/role","testing":{"host":"http://flyteadmin"}},"server":{"grpcPort":8089,"httpPort":8088,"security":{"allowCors":true,"allowedHeaders":["Content-Type","flyte-authorization"],"allowedOrigins":["*"],"secure":false,"useAuth":false}}}` | FlyteAdmin server configuration | +| flyte.configmap | object | 
`{"adminServer":{"auth":{"appAuth":{"thirdPartyConfig":{"flyteClient":{"clientId":"flytectl","redirectUri":"http://localhost:53593/callback","scopes":["offline","all"]}}},"authorizedUris":["https://localhost:30081","http://flyteadmin:80","http://flyteadmin.flyte.svc.cluster.local:80"],"userAuth":{"openId":{"baseUrl":"https://accounts.google.com","clientId":"657465813211-6eog7ek7li5k7i7fvgv2921075063hpe.apps.googleusercontent.com","scopes":["profile","openid"]}}},"flyteadmin":{"eventVersion":2,"metadataStoragePrefix":["metadata","admin"],"metricsScope":"flyte:","profilerPort":10254,"roleNameKey":"iam.amazonaws.com/role","testing":{"host":"http://flyteadmin"}},"server":{"grpc":{"port":8089},"httpPort":8088,"security":{"allowCors":true,"allowedHeaders":["Content-Type","flyte-authorization"],"allowedOrigins":["*"],"secure":false,"useAuth":false}}},"catalog":{"catalog-cache":{"endpoint":"datacatalog:89","insecure":true,"type":"datacatalog"}},"console":{"BASE_URL":"/console","CONFIG_DIR":"/etc/flyte/config"},"copilot":{"plugins":{"k8s":{"co-pilot":{"image":"cr.flyte.org/flyteorg/flytecopilot:v1.11.0","name":"flyte-copilot-","start-timeout":"30s"}}}},"core":{"propeller":{"downstream-eval-duration":"30s","enable-admin-launcher":true,"leader-election":{"enabled":true,"lease-duration":"15s","lock-config-map":{"name":"propeller-leader","namespace":"flyte"},"renew-deadline":"10s","retry-period":"2s"},"limit-namespace":"all","max-workflow-retries":30,"metadata-prefix":"metadata/propeller","metrics-prefix":"flyte","prof-port":10254,"queue":{"batch-size":-1,"batching-interval":"2s","queue":{"base-delay":"5s","capacity":1000,"max-delay":"120s","rate":100,"type":"maxof"},"sub-queue":{"capacity":100,"rate":10,"type":"bucket"},"type":"batch"},"rawoutput-prefix":"s3://my-s3-bucket/","workers":4,"workflow-reeval-duration":"30s"},"webhook":{"certDir":"/etc/webhook/certs","serviceName":"flyte-pod-webhook"}},"datacatalogServer":{"application":{"grpcPort":8089,"grpcServerReflection":true,"h
ttpPort":8080},"datacatalog":{"metrics-scope":"datacatalog","profiler-port":10254,"storage-prefix":"metadata/datacatalog"}},"domain":{"domains":[{"id":"development","name":"development"},{"id":"staging","name":"staging"},{"id":"production","name":"production"}]},"enabled_plugins":{"tasks":{"task-plugins":{"default-for-task-types":{"bigquery_query_job_task":"agent-service","container":"container","container_array":"k8s-array","sidecar":"sidecar"},"enabled-plugins":["container","sidecar","k8s-array","agent-service"]}}},"k8s":{"plugins":{"k8s":{"default-cpus":"100m","default-env-vars":[{"FLYTE_AWS_ENDPOINT":"http://minio.flyte:9000"},{"FLYTE_AWS_ACCESS_KEY_ID":"minio"},{"FLYTE_AWS_SECRET_ACCESS_KEY":"miniostorage"}],"default-memory":"200Mi"}}},"logger":{"logger":{"level":5,"show-source":true}},"remoteData":{"remoteData":{"region":"us-east-1","scheme":"local","signedUrls":{"durationMinutes":3}}},"resource_manager":{"propeller":{"resourcemanager":{"redis":null,"type":"noop"}}},"task_logs":{"plugins":{"logs":{"cloudwatch-enabled":false,"kubernetes-enabled":true,"kubernetes-template-uri":"http://localhost:30082/#/log/{{ \"{{\" }} .namespace {{ \"}}\" }}/{{ \"{{\" }} .podName {{ \"}}\" }}/pod?namespace={{ \"{{\" }} .namespace {{ \"}}\" }}"}}},"task_resource_defaults":{"task_resources":{"defaults":{"cpu":"100m","memory":"200Mi","storage":"5Mi"},"limits":{"cpu":2,"gpu":1,"memory":"1Gi","storage":"20Mi"}}}}` | ----------------------------------------------------------------- CONFIGMAPS SETTINGS | +| flyte.configmap.adminServer | object | 
`{"auth":{"appAuth":{"thirdPartyConfig":{"flyteClient":{"clientId":"flytectl","redirectUri":"http://localhost:53593/callback","scopes":["offline","all"]}}},"authorizedUris":["https://localhost:30081","http://flyteadmin:80","http://flyteadmin.flyte.svc.cluster.local:80"],"userAuth":{"openId":{"baseUrl":"https://accounts.google.com","clientId":"657465813211-6eog7ek7li5k7i7fvgv2921075063hpe.apps.googleusercontent.com","scopes":["profile","openid"]}}},"flyteadmin":{"eventVersion":2,"metadataStoragePrefix":["metadata","admin"],"metricsScope":"flyte:","profilerPort":10254,"roleNameKey":"iam.amazonaws.com/role","testing":{"host":"http://flyteadmin"}},"server":{"grpc":{"port":8089},"httpPort":8088,"security":{"allowCors":true,"allowedHeaders":["Content-Type","flyte-authorization"],"allowedOrigins":["*"],"secure":false,"useAuth":false}}}` | FlyteAdmin server configuration | | flyte.configmap.adminServer.auth | object | `{"appAuth":{"thirdPartyConfig":{"flyteClient":{"clientId":"flytectl","redirectUri":"http://localhost:53593/callback","scopes":["offline","all"]}}},"authorizedUris":["https://localhost:30081","http://flyteadmin:80","http://flyteadmin.flyte.svc.cluster.local:80"],"userAuth":{"openId":{"baseUrl":"https://accounts.google.com","clientId":"657465813211-6eog7ek7li5k7i7fvgv2921075063hpe.apps.googleusercontent.com","scopes":["profile","openid"]}}}` | Authentication configuration | | flyte.configmap.adminServer.server.security.secure | bool | `false` | Controls whether to serve requests over SSL/TLS. | | flyte.configmap.adminServer.server.security.useAuth | bool | `false` | Controls whether to enforce authentication. Follow the guide in https://docs.flyte.org/ on how to setup authentication. | diff --git a/charts/flyte/values.yaml b/charts/flyte/values.yaml index f0d2f7c75a5..ba43f8ada9c 100755 --- a/charts/flyte/values.yaml +++ b/charts/flyte/values.yaml 
@@ -378,7 +378,8 @@ flyte:
 # Refer to the [server config](https://pkg.go.dev/github.com/lyft/flyteadmin@v0.3.37/pkg/config#ServerConfig).
 server:
 httpPort: 8088
- grpcPort: 8089
+ grpc:
+ port: 8089
 security:
 # -- Controls whether to serve requests over SSL/TLS.
 secure: false
diff --git a/deployment/eks/flyte_aws_scheduler_helm_generated.yaml b/deployment/eks/flyte_aws_scheduler_helm_generated.yaml
index a5b9e0081fc..4f1cf51ae29 100644
--- a/deployment/eks/flyte_aws_scheduler_helm_generated.yaml
+++ b/deployment/eks/flyte_aws_scheduler_helm_generated.yaml
@@ -162,7 +162,8 @@ data:
 testing:
 host: http://flyteadmin
 server:
- grpcPort: 8089
+ grpc:
+ port: 8089
 httpPort: 8088
 security:
 allowCors: true
@@ -848,7 +849,7 @@ spec:
 template:
 metadata:
 annotations:
- configChecksum: "2b5c85969f2bd85bb51a084f9fd72c20c3aca94be99e53cb4c4e9f78e77ebc5"
+ configChecksum: "d50d9b515795be1f4937c58f37335ec9bd505ba4c51f96caf8491fa323abb56"
 labels:
 app.kubernetes.io/name: flyteadmin
 app.kubernetes.io/instance: flyte
@@ -1209,7 +1210,7 @@ spec:
 imagePullPolicy: "IfNotPresent"
 name: datacatalog
 ports:
- - containerPort: 8088
+ - containerPort: 8080
 - containerPort: 8089
 - containerPort: 10254
 securityContext:
diff --git a/deployment/eks/flyte_helm_controlplane_generated.yaml b/deployment/eks/flyte_helm_controlplane_generated.yaml
index 9e813c42753..75480a04b4f 100644
--- a/deployment/eks/flyte_helm_controlplane_generated.yaml
+++ b/deployment/eks/flyte_helm_controlplane_generated.yaml
@@ -143,7 +143,8 @@ data:
 testing:
 host: http://flyteadmin
 server:
- grpcPort: 8089
+ grpc:
+ port: 8089
 httpPort: 8088
 security:
 allowCors: true
@@ -553,7 +554,7 @@ spec:
 template:
 metadata:
 annotations:
- configChecksum: "053b20ebc40227f6ed8ddc61f5997ee7997c604158f773779f20ec61af11a2f"
+ configChecksum: "b6087931f4457971d5fcd17d64491188322ffc2f86e31f943b142c76edb9e67"
 labels:
 app.kubernetes.io/name: flyteadmin
 app.kubernetes.io/instance: flyte
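Review bot: The rename from `grpcPort` to the nested `grpc.port` silently breaks anyone who overrides `flyte.configmap.adminServer.server.grpcPort` in their own values file: the stale flat key will presumably still be merged into the rendered ConfigMap, flyteadmin (per the commit message) ignores it, and the listener falls back to the new key's default with no error. The hunk adds no comment marking the new key as the replacement, and the kept `# Refer to the [server config](...flyteadmin@v0.3.37...)` link likely predates the nested layout, so readers following it will still see the old key. I would add above `grpc:` a comment such as `# -- gRPC listener settings. flyteadmin does not read the flat grpcPort key; set grpc.port instead.`, refresh the reference link, and call out the migration in the chart README or changelog.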
@@ -914,7 +915,7 @@ spec:
 imagePullPolicy: "IfNotPresent"
 name: datacatalog
 ports:
- - containerPort: 8088
+ - containerPort: 8080
 - containerPort: 8089
 - containerPort: 10254
 securityContext:
@@ -973,7 +974,7 @@ spec:
 template:
 metadata:
 annotations:
- configChecksum: "053b20ebc40227f6ed8ddc61f5997ee7997c604158f773779f20ec61af11a2f"
+ configChecksum: "b6087931f4457971d5fcd17d64491188322ffc2f86e31f943b142c76edb9e67"
 labels:
 app.kubernetes.io/name: flytescheduler
 app.kubernetes.io/instance: flyte
diff --git a/deployment/eks/flyte_helm_generated.yaml b/deployment/eks/flyte_helm_generated.yaml
index bb0b5e966c3..7b98854b841 100644
--- a/deployment/eks/flyte_helm_generated.yaml
+++ b/deployment/eks/flyte_helm_generated.yaml
@@ -174,7 +174,8 @@ data:
 testing:
 host: http://flyteadmin
 server:
- grpcPort: 8089
+ grpc:
+ port: 8089
 httpPort: 8088
 security:
 allowCors: true
@@ -879,7 +880,7 @@ spec:
 template:
 metadata:
 annotations:
- configChecksum: "053b20ebc40227f6ed8ddc61f5997ee7997c604158f773779f20ec61af11a2f"
+ configChecksum: "b6087931f4457971d5fcd17d64491188322ffc2f86e31f943b142c76edb9e67"
 labels:
 app.kubernetes.io/name: flyteadmin
 app.kubernetes.io/instance: flyte
@@ -1240,7 +1241,7 @@ spec:
 imagePullPolicy: "IfNotPresent"
 name: datacatalog
 ports:
- - containerPort: 8088
+ - containerPort: 8080
 - containerPort: 8089
 - containerPort: 10254
 securityContext:
@@ -1299,7 +1300,7 @@ spec:
 template:
 metadata:
 annotations:
- configChecksum: "053b20ebc40227f6ed8ddc61f5997ee7997c604158f773779f20ec61af11a2f"
+ configChecksum: "b6087931f4457971d5fcd17d64491188322ffc2f86e31f943b142c76edb9e67"
 labels:
 app.kubernetes.io/name: flytescheduler
 app.kubernetes.io/instance: flyte
diff --git a/deployment/gcp/flyte_helm_controlplane_generated.yaml b/deployment/gcp/flyte_helm_controlplane_generated.yaml
index 281fcf87a1e..5b46b86f1d2 100644
--- a/deployment/gcp/flyte_helm_controlplane_generated.yaml
+++ b/deployment/gcp/flyte_helm_controlplane_generated.yaml
@@ -143,7 +143,8 @@ data:
 testing:
 host: http://flyteadmin
 server:
- grpcPort: 8089
+ grpc:
+ port: 8089
 httpPort: 8088
 security:
 allowCors: true
@@ -568,7 +569,7 @@ spec:
 template:
 metadata:
 annotations:
- configChecksum: "2e169a911a8234dd42d06ca0887279093f4ed36033d0543749ce126b26b50f3"
+ configChecksum: "b35a14d8bfd46ac863acf50bc4f338954b2f1315b66dc1fc17123885cc4dc37"
 labels:
 app.kubernetes.io/name: flyteadmin
 app.kubernetes.io/instance: flyte
@@ -929,7 +930,7 @@ spec:
 imagePullPolicy: "IfNotPresent"
 name: datacatalog
 ports:
- - containerPort: 8088
+ - containerPort: 8080
 - containerPort: 8089
 - containerPort: 10254
 securityContext:
@@ -988,7 +989,7 @@ spec:
 template:
 metadata:
 annotations:
- configChecksum: "2e169a911a8234dd42d06ca0887279093f4ed36033d0543749ce126b26b50f3"
+ configChecksum: "b35a14d8bfd46ac863acf50bc4f338954b2f1315b66dc1fc17123885cc4dc37"
 labels:
 app.kubernetes.io/name: flytescheduler
 app.kubernetes.io/instance: flyte
diff --git a/deployment/gcp/flyte_helm_generated.yaml b/deployment/gcp/flyte_helm_generated.yaml
index 165712c85d3..9db833e79c8 100644
--- a/deployment/gcp/flyte_helm_generated.yaml
+++ b/deployment/gcp/flyte_helm_generated.yaml
@@ -174,7 +174,8 @@ data:
 testing:
 host: http://flyteadmin
 server:
- grpcPort: 8089
+ grpc:
+ port: 8089
 httpPort: 8088
 security:
 allowCors: true
@@ -902,7 +903,7 @@ spec:
 template:
 metadata:
 annotations:
- configChecksum: "2e169a911a8234dd42d06ca0887279093f4ed36033d0543749ce126b26b50f3"
+ configChecksum: "b35a14d8bfd46ac863acf50bc4f338954b2f1315b66dc1fc17123885cc4dc37"
 labels:
 app.kubernetes.io/name: flyteadmin
 app.kubernetes.io/instance: flyte
@@ -1263,7 +1264,7 @@ spec:
 imagePullPolicy: "IfNotPresent"
 name: datacatalog
 ports:
- - containerPort: 8088
+ - containerPort: 8080
 - containerPort: 8089
 - containerPort: 10254
 securityContext:
@@ -1322,7 +1323,7 @@ spec:
 template:
 metadata:
 annotations:
- configChecksum: "2e169a911a8234dd42d06ca0887279093f4ed36033d0543749ce126b26b50f3"
+ configChecksum: "b35a14d8bfd46ac863acf50bc4f338954b2f1315b66dc1fc17123885cc4dc37"
 labels:
 app.kubernetes.io/name: flytescheduler
 app.kubernetes.io/instance: flyte
diff --git a/deployment/sandbox/flyte_helm_generated.yaml b/deployment/sandbox/flyte_helm_generated.yaml
index 9d032a0735c..83802613ce6 100644
--- a/deployment/sandbox/flyte_helm_generated.yaml
+++ b/deployment/sandbox/flyte_helm_generated.yaml
@@ -294,7 +294,8 @@ data:
 testing:
 host: http://flyteadmin
 server:
- grpcPort: 8089
+ grpc:
+ port: 8089
 httpPort: 8088
 security:
 allowCors: true
@@ -6684,7 +6685,7 @@ spec:
 template:
 metadata:
 annotations:
- configChecksum: "8702cc3d688d44938e6974b267f70fb01ce7fec4780de86b8f2e65f9446c711"
+ configChecksum: "88625d852360c42642190e21751f32f7dd9501ce3d479fa68b86478995ff689"
 labels:
 app.kubernetes.io/name: flyteadmin
 app.kubernetes.io/instance: flyte
@@ -7026,7 +7027,7 @@ spec:
 imagePullPolicy: "IfNotPresent"
 name: datacatalog
 ports:
- - containerPort: 8088
+ - containerPort: 8080
 - containerPort: 8089
 - containerPort: 10254
 securityContext:
@@ -7075,7 +7076,7 @@ spec:
 template:
 metadata:
 annotations:
- configChecksum: "8702cc3d688d44938e6974b267f70fb01ce7fec4780de86b8f2e65f9446c711"
+ configChecksum: "88625d852360c42642190e21751f32f7dd9501ce3d479fa68b86478995ff689"
 labels:
 app.kubernetes.io/name: flytescheduler
 app.kubernetes.io/instance: flyte
diff --git a/deployment/test/flyte_generated.yaml b/deployment/test/flyte_generated.yaml
index ea1954bee08..80a3227e714 100644
--- a/deployment/test/flyte_generated.yaml
+++ b/deployment/test/flyte_generated.yaml
@@ -293,7 +293,8 @@ data:
 server.yaml: |
 server:
 httpPort: 8088
- grpcPort: 8089
+ grpc:
+ port: 8089
 security:
 # Controls whether to serve requests over SSL/TLS.
 secure: false
diff --git a/docker/sandbox-bundled/manifests/complete-agent.yaml b/docker/sandbox-bundled/manifests/complete-agent.yaml
index 50a2722e8ad..5cfb9465bf5 100644
--- a/docker/sandbox-bundled/manifests/complete-agent.yaml
+++ b/docker/sandbox-bundled/manifests/complete-agent.yaml
@@ -816,7 +816,7 @@ type: Opaque
 ---
 apiVersion: v1
 data:
- haSharedSecret: VTg5RFBvY205cXRtcEVFbw==
+ haSharedSecret: UVdwd2pjbGhhdUVjcm5Waw==
 proxyPassword: ""
 proxyUsername: ""
 kind: Secret
@@ -1412,7 +1412,7 @@ spec:
 metadata:
 annotations:
 checksum/config: 8f50e768255a87f078ba8b9879a0c174c3e045ffb46ac8723d2eedbe293c8d81
- checksum/secret: b8339a7b42c1e04b994b517d4ddd749074787df4a0eaef9e1aa2181988aea2d7
+ checksum/secret: 9b76b6baf665b7778b4ed245f64d2d397dc704c9a3b85bfde6ff65713f3066eb
 labels:
 app: docker-registry
 release: flyte-sandbox
diff --git a/docker/sandbox-bundled/manifests/complete.yaml b/docker/sandbox-bundled/manifests/complete.yaml
index 73f262a6843..9da71116f3a 100644
--- a/docker/sandbox-bundled/manifests/complete.yaml
+++ b/docker/sandbox-bundled/manifests/complete.yaml
@@ -796,7 +796,7 @@ type: Opaque
 ---
 apiVersion: v1
 data:
- haSharedSecret: ZTNEUmhqY1VsWDBXNFowTg==
+ haSharedSecret: dUR1bU00cVhZYUZFUU5nZQ==
 proxyPassword: ""
 proxyUsername: ""
 kind: Secret
@@ -1360,7 +1360,7 @@ spec:
 metadata:
 annotations:
 checksum/config: 8f50e768255a87f078ba8b9879a0c174c3e045ffb46ac8723d2eedbe293c8d81
- checksum/secret: cedf489b22e27428631c5c365e58bfd51cf8465bf04d07a74462677278017b80
+ checksum/secret: 690884baadf059587650497fe86564eab0c131a5eeb63a3e55c2a07952bdb4d6
 labels:
 app: docker-registry
 release: flyte-sandbox
diff --git a/docker/sandbox-bundled/manifests/dev.yaml b/docker/sandbox-bundled/manifests/dev.yaml
index ae3bcbf29af..dd5f8c6e99a 100644
--- a/docker/sandbox-bundled/manifests/dev.yaml
+++ b/docker/sandbox-bundled/manifests/dev.yaml
@@ -499,7 +499,7 @@ metadata:
 ---
 apiVersion: v1
 data:
- haSharedSecret: bkV2U2JzN0o2TXNVcHJTMg==
+ haSharedSecret: ejRCeG1leFNTNHJpamI3bg==
 proxyPassword: ""
 proxyUsername: ""
 kind: Secret
@@ -934,7 +934,7 @@ spec:
 metadata:
 annotations:
 checksum/config: 8f50e768255a87f078ba8b9879a0c174c3e045ffb46ac8723d2eedbe293c8d81
- checksum/secret: 2f2e4b3f4abc8a670a75900bd0c7987fb3afa6b2a287fdf7292fbeb755c00c12
+ checksum/secret: dcdedcdcbb00ba7addda5141fd8bb937f1c40a8b45ef98681c35f52b2be4c01e
 labels:
 app: docker-registry
 release: flyte-sandbox
diff --git a/docs/deployment/configuration/auth_setup.rst b/docs/deployment/configuration/auth_setup.rst
index 2887e830ede..1131c30e98c 100644
--- a/docs/deployment/configuration/auth_setup.rst
+++ b/docs/deployment/configuration/auth_setup.rst
@@ -26,9 +26,9 @@ Using an implementation of the `Open ID Connect (OIDC) specification `__, the authorization server's role is to issue *access tokens to the client after successfully authenticating the resource owner and obtaining authorization*. In this context, the *resource owner* is the end user of Flyte; and the *client* is the tool or component that intends to interact with ``flyteadmin`` : ``flytepropeller``, ``flyteconsole`` or any of the CLI tools. There are two supported options to use an authorization server in Flyte: - - * **Internal authorization server**: It comes pre-installed with Flyte and it is a suitable choice for quick start and testing purposes. - * **External (custom) authorization server**: This a service provided by one of the supported IdPs and is the recommended option if your organization needs to retain control over scope definitions and grants, token expiration policies and other advanced security controls. + + * **Internal authorization server**: It comes pre-installed with Flyte and it is a suitable choice for quick start and testing purposes. + * **External (custom) authorization server**: This a service provided by one of the supported IdPs and is the recommended option if your organization needs to retain control over scope definitions and grants, token expiration policies and other advanced security controls. .. note:: @@ -64,7 +64,7 @@ Flyte supports OAuth2 and OpenId Connect to secure the various connections: * :ref:`OpenID Connect `: used to secure user's authentication to ``flyteadmin`` through the UI. * :ref:`OAuth2 `: used to secure connections from clients (i.e. ``pyflyte``, ``flytectl`` and - ``flytepropeller``) to the ``flyteadmin`` service. + ``flytepropeller``) to the ``flyteadmin`` service. Support for these protocols varies per IdP. Checkout the following table to understand the available support level for your IdP: 
@@ -82,46 +82,46 @@ Identity Management layer : OIDC =================================== In this section, you can find canonical examples of how to set up OIDC on some of the supported IdPs; enabling users to authenticate in the -browser. +browser. .. tabs:: .. group-tab:: Google - + - Create an OAuth2 Client Credential following the `official documentation `__ and take note of the ``client_id`` and ``client_secret`` - - In the **Authorized redirect URIs** field, add ``http://localhost:30081/callback`` for **sandbox** deployments, or ``https:///callback`` for other methods of deployment. - - + - In the **Authorized redirect URIs** field, add ``http://localhost:30081/callback`` for **sandbox** deployments, or ``https:///callback`` for other methods of deployment. + + .. group-tab:: Okta - - + + 1. If you don't already have an Okta account, sign up for one `here `__. 2. Create an app integration, with `OIDC - OpenID Connect` as the sign-on method and `Web Application` as the app type. - 3. Add sign-in redirect URIs: - - - ``http://localhost:30081/callback`` for sandbox or ``https:///callback`` for other Flyte deployment types. - + 3. Add sign-in redirect URIs: + + - ``http://localhost:30081/callback`` for sandbox or ``https:///callback`` for other Flyte deployment types. + 4. *Optional* - Add logout redirect URIs: - - - ``http://localhost:30081/logout`` for sandbox, ``https:///callback`` for other Flyte deployment types). - + + - ``http://localhost:30081/logout`` for sandbox, ``https:///callback`` for other Flyte deployment types). + 5. Take note of the Client ID and Client Secret - + .. group-tab:: Keycloak - + 1. If you don't have a Keycloak installation, you can use `this `__ which provides a quick way to deploy Keycloak cluster on AWS. 2. Create a realm using the `admin console `__ 3. Create an OIDC client with client secret and note them down. Use the following `instructions `__ 4. 
Add Login redirect URIs: - + - ``http://localhost:30081/callback`` for sandbox or ``https:///callback`` for other Flyte deployment types. - + .. group-tab:: Microsoft Entra ID (Azure AD) - + 1. From the Azure homepage go to **Azure Active Directory** 2. From the **Ovierview** page, take note of the **Tenant ID** 3. Go to **App registrations** @@ -129,20 +129,20 @@ browser. 5. Give it a descriptive name 6. For the **Supported account types** select the option that matches your organization's security policy 7. In the **Redirect URI** section select: - + - **Web** platform - Add ``http://localhost:30081/callback`` for sandbox or ``https:///callback`` for other Flyte deployment types - + 9. Click on **Register** 10. Once created, click on the registered app and go to the **Certificates and secrets** section 11. Go to **Client secrets** and create a **New client secret** 12. Enter a description and an expiration policy 13. Take note of the secret **Value** as it will be used in the Helm chart - + For further reference, check out the official `Azure AD Docs `__ on how to configure the IdP for OpenIDConnect. - + .. note:: - + Make sure the app is registered without `additional claims `__. The OpenIDConnect authentication will not work otherwise, please refer to this `GitHub Issue `__ and `Azure AD Docs `__ for more information. @@ -158,13 +158,13 @@ Apply OIDC Configuration 1. Generate a random password to be used internally by ``flytepropeller`` 2. Use the following command to generate a bcrypt hash for that password: - + .. prompt:: bash $ pip install bcrypt && python -c 'import bcrypt; import base64; print(base64.b64encode(bcrypt.hashpw("".encode("utf-8"), bcrypt.gensalt(6))))' 3. Go to your values file and locate the ``auth`` section and replace values accordingly: - + .. code-block:: yaml auth: 
@@ -191,13 +191,13 @@ Apply OIDC Configuration 5. Upgrade your Helm release with the new values: .. prompt:: bash $ - - helm upgrade flyteorg/flyte-binary -n --values .yaml + + helm upgrade flyteorg/flyte-binary -n --values .yaml Where: - + * ```` is the name of your Helm release, typically ``flyte-backend``. You can find it using ``helm ls -n `` - + 6. Verify that your Flyte deployment now requires successful login to your IdP to access the UI (``https:///console``) @@ -208,18 +208,18 @@ Apply OIDC Configuration admin: ... authType: Pkce #change from the default `clientCred` to enable client auth without using shared secrets - ... + ... .. group-tab:: flyte-core 1. Generate a random password to be used internally by flytepropeller 2. Use the following command to generate a bcrypt hash for that password: - + .. prompt:: bash $ - + pip install bcrypt && python -c 'import bcrypt; import base64; print(base64.b64encode(bcrypt.hashpw("".encode("utf-8"), bcrypt.gensalt(6))))' - + Take note of the output (only the contents inside `''`) 3. Store the ``client_secret`` provided by your IdP in a Kubernetes secret as follows: @@ -252,7 +252,8 @@ Apply OIDC Configuration adminServer: server: httpPort: 8088 - grpcPort: 8089 + grpc: + port: 8089 security: secure: false useAuth: true @@ -277,7 +278,7 @@ Apply OIDC Configuration id: flyte-cli redirect_uris: - http://localhost:53593/callback - - http://localhost:12345/callback + - http://localhost:12345/callback grant_types: - refresh_token - authorization_code @@ -308,7 +309,7 @@ Apply OIDC Configuration flytepropeller: id: flytepropeller # Use the bcrypt hash generated for your random password - client_secret: "" + client_secret: "" redirect_uris: - http://localhost:3846/callback grant_types: @@ -321,7 +322,7 @@ Apply OIDC Configuration - offline - access_token public: false - + authorizedUris: # Use the public URL of flyteadmin (a DNS record pointing to your Ingress resource) - https:// 
@@ -340,21 +341,21 @@ Apply OIDC Configuration - openid 7. Additionally, outside the ``configmap`` section, add the following block and replace the necessary information: - + .. code-block:: yaml - + secrets: adminOauthClientCredentials: # -- If enabled is true, helm will create and manage `flyte-secret-auth` and populate it with `clientSecret`. # If enabled is false, it's up to the user to create `flyte-secret-auth` enabled: true - # Use the non-encoded version of the random password - clientSecret: "" + # Use the non-encoded version of the random password + clientSecret: "" clientId: flytepropeller .. note:: - For `multi-cluster deployments `__, + For `multi-cluster deployments `__, you must add this Secret definition block to the `values-dataplane.yaml` file. If you are not running `flytepropeller` in the control plane cluster, you do not need to create this secret there. @@ -366,7 +367,7 @@ Apply OIDC Configuration helm upgrade flyteorg/flyte-binary -n --values .yaml - 10. Verify that the `flytepropeller`, `flytescheduler` and `flyteadmin` Pods are restarted and running: + 10. Verify that the `flytepropeller`, `flytescheduler` and `flyteadmin` Pods are restarted and running: .. prompt:: bash $ @@ -379,7 +380,7 @@ Apply OIDC Configuration admin: ... authType: Pkce #change from the default `clientCred` to enable client auth without using shared secrets - ... + ... .. note:: 
@@ -393,7 +394,7 @@ Custom Authorization Server *************************** -As mentioned previously, Flyte ships with an internal authorization server; hence setting up an external Authorization Server is optional and dependent on your organization's security requirements. +As mentioned previously, Flyte ships with an internal authorization server; hence setting up an external Authorization Server is optional and dependent on your organization's security requirements. In this section, you will find instructions on how to setup an OAuth2 Authorization Server in the different IdPs supported by Flyte: 
@@ -407,25 +408,25 @@ In this section, you will find instructions on how to setup an OAuth2 Authorizat .. tabs:: .. group-tab:: Okta - + Okta's custom authorization servers are available through an add-on license. The free developer accounts do include access, which you can use to test before rolling out the configuration more broadly. - + 1. From the left-hand menu, go to **Security** > **API** - 2. Click on **Add Authorization Server**. + 2. Click on **Add Authorization Server**. 3. Assign an informative name and set the audience to the public URL of FlyteAdmin (e.g. https://example.foobar.com). - + .. note:: - + The audience must exactly match one of the URIs in the ``authorizedUris`` section above - - 4. Note down the **Issuer URI**; this will be used for all the ``baseUrl`` settings in the Flyte config. - 5. Go to **Scopes** and click **Add Scope**. - 6. Set the name to ``all`` (required) and check ``Required`` under the **User consent** option. - 7. Uncheck the **Block services from requesting this scope** option and save your changes. + + 4. Note down the **Issuer URI**; this will be used for all the ``baseUrl`` settings in the Flyte config. + 5. Go to **Scopes** and click **Add Scope**. + 6. Set the name to ``all`` (required) and check ``Required`` under the **User consent** option. + 7. Uncheck the **Block services from requesting this scope** option and save your changes. 8. Add another scope, named ``offline``. Check both the **Required** and **Include in public metadata** options. - 9. Uncheck the **Block services from requesting this scope** option. - 10. Click **Save**. - 11. Go to **Access Policies**, click **Add New Access Policy**. Enter a name and description and enable **Assign to** - ``All clients``. + 9. Uncheck the **Block services from requesting this scope** option. + 10. Click **Save**. + 11. Go to **Access Policies**, click **Add New Access Policy**. Enter a name and description and enable **Assign to** - ``All clients``. 12. 
Add a rule to the policy with the default settings (you can fine-tune these later). 13. Navigate back to the **Applications** section. 14. Create an integration for ``flytectl``; it should be created with the **OIDC - OpenID Connect** sign-on method, and the **Native Application** type. @@ -437,12 +438,12 @@ In this section, you will find instructions on how to setup an OAuth2 Authorizat 20. This app does not need a specific redirect URI; nor does it need to be assigned to any users. 21. Note down the **Client ID** and **Client secret**; you will need these later. 22. Take note of the **Issuer URI** for your Authorization Server. It will be used as the baseURL parameter in the Helm chart - + You should have three integrations total - one for the web interface (``flyteconsole``), one for ``flytectl``, and one for ``flytepropeller``. - + .. group-tab:: Keycloak - - + + 1. If you don't have a Keycloak installation, you can use `this `__ which provides quick way to deploy Keycloak cluster on AWS. 2. Create a realm in keycloak installation using its `admin console `__ 3. Under `Client Scopes`, click `Add Create` inside the admin console. @@ -452,7 +453,7 @@ In this section, you will find instructions on how to setup an OAuth2 Authorizat 7. Take note of the client ID and client Secrets provided. .. group-tab:: Azure AD - + 1. Navigate to tab **Overview**, obtain ```` and ```` 2. Navigate to tab **Authentication**, click ``+Add a platform`` 3. Add **Web** for flyteconsole and flytepropeller, **Mobile and desktop applications** for flytectl. @@ -473,10 +474,10 @@ Follow the steps in this section to configure `flyteadmin` to use an external au .. tabs:: .. group-tab:: flyte-binary - + 1. Go to the values YAML file you used to install Flyte using a Helm chart 2. Find the ``auth`` section and follow the inline comments to insert your configuration: - + .. code-block:: yaml auth: 
@@ -485,7 +486,7 @@ Follow the steps in this section to configure `flyteadmin` to use an external au # baseUrl: https:///auth/realms/ # Uncomment for Keycloak and update with your installation host and realm name # baseUrl: https://login.microsoftonline.com//oauth2/v2.0/authorize # Uncomment for Azure AD # For Okta, use the Issuer URI of the custom auth server: - baseUrl: https://dev-.okta.com/oauth2/ + baseUrl: https://dev-.okta.com/oauth2/ # Use the client ID and secret generated by your IdP for the first OIDC registration in the "Identity Management layer : OIDC" section of this guide clientId: clientSecret: @@ -498,11 +499,11 @@ Follow the steps in this section to configure `flyteadmin` to use an external au clientSecretHash: <-flytepropeller-secret-bcrypt-hash> authorizedUris: # Use here the exact same value used for 'audience' when the Authorization server was configured - - https:// - - + - https:// + + 3. Find the ``inline`` section of the values file and add the following content, replacing where needed: - + .. code-block:: yaml inline: @@ -513,8 +514,8 @@ Follow the steps in this section to configure `flyteadmin` to use an external au # baseUrl: https:///auth/realms/ # Uncomment for Keycloak and update with your installation host and realm name # baseUrl: https://login.microsoftonline.com//oauth2/v2.0/authorize # Uncomment for Azure AD # For Okta, use the Issuer URI of the custom auth server: - baseUrl: https://dev-.okta.com/oauth2/ - metadataUrl: .well-known/oauth-authorization-server + baseUrl: https://dev-.okta.com/oauth2/ + metadataUrl: .well-known/oauth-authorization-server thirdPartyConfig: flyteClient: # Use the clientID generated by your IdP for the `flytectl` app registration 
@@ -527,16 +528,16 @@ Follow the steps in this section to configure `flyteadmin` to use an external au openId: # baseUrl: https:///auth/realms/ # Uncomment for Keycloak and update with your installation host and realm name # baseUrl: https://login.microsoftonline.com//oauth2/v2.0/authorize # Uncomment for Azure AD - # For Okta, use the Issuer URI of the custom auth server: + # For Okta, use the Issuer URI of the custom auth server: baseUrl: https://dev-.okta.com/oauth2/ - scopes: - - profile - - openid - # - offline_access # Uncomment if your IdP supports issuing refresh tokens (optional) - # Use the client ID and secret generated by your IdP for the first OIDC registration in the "Identity Management layer : OIDC" section of this guide + scopes: + - profile + - openid + # - offline_access # Uncomment if your IdP supports issuing refresh tokens (optional) + # Use the client ID and secret generated by your IdP for the first OIDC registration in the "Identity Management layer : OIDC" section of this guide clientId: - - + + 4. Save your changes 5. Upgrade your Helm release with the new configuration: @@ -544,18 +545,18 @@ Follow the steps in this section to configure `flyteadmin` to use an external au helm upgrade flyteorg/flyte-core -n --values .yaml - + .. group-tab:: flyte-core - + 1. Find the ``auth`` section in your Helm values file, and replace the necessary data: - .. note:: + .. note:: If you were previously using the internal auth server, make sure to delete all the ``selfAuthServer`` section from your values file .. code-block:: yaml - + configmap: auth: appAuth: 
@@ -566,9 +567,9 @@ Follow the steps in this section to configure `flyteadmin` to use an external au externalAuthServer: # baseUrl: https:///auth/realms/ # Uncomment for Keycloak and update with your installation host and realm name # baseUrl: https://login.microsoftonline.com//oauth2/v2.0/authorize # Uncomment for Azure AD - # For Okta, use the Issuer URI of the custom auth server: + # For Okta, use the Issuer URI of the custom auth server: baseUrl: https://dev-.okta.com/oauth2/ - + metadataUrl: .well-known/openid-configuration thirdPartyConfig: @@ -586,15 +587,15 @@ Follow the steps in this section to configure `flyteadmin` to use an external au openId: # baseUrl: https:///auth/realms/ # Uncomment for Keycloak and update with your installation host and realm name # baseUrl: https://login.microsoftonline.com//oauth2/v2.0/authorize # Uncomment for Azure AD - # For Okta, use the Issuer URI of the custom auth server: + # For Okta, use the Issuer URI of the custom auth server: baseUrl: https://dev-.okta.com/oauth2/ scopes: - profile - openid # - offline_access # Uncomment if OIdC supports issuing refresh tokens. clientId: - - + + secrets: adminOauthClientCredentials: enabled: true # see the section "Disable Helm secret management" if you require to do so @@ -602,7 +603,7 @@ Follow the steps in this section to configure `flyteadmin` to use an external au clientSecret: # Replace with the client_id provided by provided by your IdP for flytepropeller. clientId: - + 2. Save your changes 3. Upgrade your Helm release with the new configuration: @@ -675,7 +676,7 @@ Alternatively, you can instruct Helm not to create and manage the secret for ``f adminOauthClientCredentials: enabled: false #set to false # Replace with the client_id provided by provided by your IdP for flytepropeller. - clientId: + clientId: 2. Create a secret declaratively: 
@@ -701,75 +702,75 @@ If your organization does any automated registration, then you'll need to authen .. tabs:: .. group-tab:: flytectl - + Flytectl's `config.yaml `_ can be configured to use either PKCE (`Proof key for code exchange `_) or Client Credentials (`Client Credentials `_) flows. - + 1. Update ``config.yaml`` as follows: - + .. code-block:: yaml - + admin: # Update with the Flyte's ingress endpoint (e.g. flyteIngressIP for sandbox or example.foobar.com) # You must keep the 3 forward-slashes after dns: endpoint: dns:/// - + # Update auth type to `Pkce` or `ClientSecret` authType: Pkce - + # Set to the clientId (will be used for both Pkce and ClientSecret flows) # Leave empty to use the value discovered through flyteAdmin's Auth discovery endpoint. clientId: - + # Set to the location where the client secret is mounted. # Only needed/used for `ClientSecret` flow. clientSecretLocation: - + # If required, set the scopes needed here. Otherwise, flytectl will discover scopes required for OpenID # Connect through flyteAdmin's Auth discovery endpoint. # scopes: [ "scope1", "scope2" ] - + To read further about the available config options, please `visit here `_ - + .. group-tab:: Flytekit / pyflyte - + Flytekit configuration variables are automatically designed to look up values from relevant environment variables. .. important:: However, to aid with continuous integration use-cases, Flytekit configuration can also reference other environment variables. - + For instance, if your CI system is not capable of setting custom environment variables like ``FLYTE_CREDENTIALS_CLIENT_SECRET`` but does set the necessary settings under a different variable, you may use ``export FLYTE_CREDENTIALS_CLIENT_SECRET_FROM_ENV_VAR=OTHER_ENV_VARIABLE`` to redirect the lookup. 
A ``FLYTE_CREDENTIALS_CLIENT_SECRET_FROM_FILE`` redirect is available as well, where the value should be the full path to the file containing the value for the configuration setting, in this case, the client secret. We found this redirect behavior necessary when setting up registration within our own CI pipelines. - + The following is a listing of the Flytekit configuration values we set in CI, along with a brief explanation. - + .. code-block:: bash - + # When using OAuth2 service auth, this is the username and password. export FLYTE_CREDENTIALS_CLIENT_ID= export FLYTE_CREDENTIALS_CLIENT_SECRET= - + # This tells the SDK to use basic authentication. If not set, Flytekit will assume you want to use the # standard OAuth based three-legged flow. export FLYTE_CREDENTIALS_AUTH_MODE=basic - + # This value should be set to conform to this # `header config `_ # on the Admin side. export FLYTE_CREDENTIALS_AUTHORIZATION_METADATA_KEY=
- + # When using basic authentication, you'll need to specify a scope to the IDP (instead of ``openid``, which is # only for OAuth). Set that here. export FLYTE_CREDENTIALS_OAUTH_SCOPES= - + # Set this to force Flytekit to use authentication, even if not required by Admin. This is useful as you're # rolling out the requirement. export FLYTE_PLATFORM_AUTH=True
diff --git a/flyteadmin/flyteadmin_config.yaml b/flyteadmin/flyteadmin_config.yaml
index 443814572bd..693e290b2a2 100644
--- a/flyteadmin/flyteadmin_config.yaml
+++ b/flyteadmin/flyteadmin_config.yaml
@@ -4,7 +4,8 @@
 # https://github.com/lyft/flyte/blob/b47565c9998cde32b0b5f995981e3f3c990fa7cd/artifacts/flyteadmin.yaml#L72
 server:
 httpPort: 8088
- grpcPort: 8089
+ grpc:
+ port: 8089
 grpcServerReflection: true
 kube-config: /Users/ytong/.flyte/sandbox/kubeconfig
 security:
diff --git a/flyteadmin/script/integration/k8s/integration.yaml b/flyteadmin/script/integration/k8s/integration.yaml
index 4fae0bab27d..0d03baa901b 100644
--- a/flyteadmin/script/integration/k8s/integration.yaml
+++ b/flyteadmin/script/integration/k8s/integration.yaml
@@ -245,7 +245,8 @@ data:
 development.integration: |-
 server:
 httpPort: 8088
- grpcPort: 8089
+ grpc:
+ port: 8089
 kube-config: "$HOME/.kube/config"
 grpcServerReflection: true
 security:
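Review bot: Nothing in the new `grpc:` block records that the flat `grpcPort` key is no longer read, so a deployment that still carries `grpcPort: 8089` from an older config would presumably keep whatever default port the server falls back to rather than fail loudly, and the container port the chart now exposes could then no longer match the actual listener. A one-line comment above the block, `# gRPC listener is configured under server.grpc.port; the legacy flat grpcPort key is not honored`, makes the migration visible to anyone merging configs by hand. The same applies to the `development.integration` hunk in flyteadmin/script/integration/k8s/integration.yaml, which makes the identical change.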