From 3619926b548f32fd46658e8eca9e52d442001100 Mon Sep 17 00:00:00 2001
From: "yini.gao@schibsted.com"
Date: Fri, 15 Mar 2024 13:28:50 +0100
Subject: [PATCH 1/6] add 'create' key for adminOauthClientCredentials
Signed-off-by: yini.gao@schibsted.com
Signed-off-by: Yini
---
 charts/flyte-core/templates/common/secret-auth.yaml | 2 +-
 charts/flyte-core/values.yaml | 7 +++++--
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/charts/flyte-core/templates/common/secret-auth.yaml b/charts/flyte-core/templates/common/secret-auth.yaml
index 50290357d8e..3fa7a257b2d 100644
--- a/charts/flyte-core/templates/common/secret-auth.yaml
+++ b/charts/flyte-core/templates/common/secret-auth.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.secrets.adminOauthClientCredentials.enabled }}
+{{- if .Values.secrets.adminOauthClientCredentials.create }}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/charts/flyte-core/values.yaml b/charts/flyte-core/values.yaml
index 0319b3bacae..fb40a402b59 100755
--- a/charts/flyte-core/values.yaml
+++ b/charts/flyte-core/values.yaml
@@ -430,10 +430,13 @@ deployRedoc: false
 secrets:
 adminOauthClientCredentials:
- # -- If enabled is true, helm will create and manage `flyte-secret-auth` and populate it with `clientSecret`.
- # If enabled is false, it's up to the user to create `flyte-secret-auth` as described in
+ # -- If enabled is true, helm will populate `flyte-secret-auth` with `clientSecret`.
+ # If enabled is false, helm will not populate `flyte-secret-auth`.
+ # If create is true, helm will create the `flyte-secret-auth`.
+ # If create is false, it's up to the user to create `flyte-secret-auth` as described in
 # https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#oauth2-authorization-server
 enabled: true
+ create: true
 clientSecret: foobar
 clientId: flytepropeller
From 1de6d0dd035fdebb20040d81460b7b1d7a2fd6d1 Mon Sep 17 00:00:00 2001
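Review bot: Gating the Secret on `.Values.secrets.adminOauthClientCredentials.create` means an existing override of `enabled: false` no longer suppresses it, because the same patch defaults `create` to `true` in values.yaml. On upgrade such an installation renders a `flyte-secret-auth` Secret carrying the chart's placeholder `clientSecret: foobar`, and where the operator created that Secret by hand, as the removed comment instructed, Helm will presumably refuse the release because the object is not owned by it. Keeping the opt-out working for those users needs only `{{- if and .Values.secrets.adminOauthClientCredentials.enabled .Values.secrets.adminOauthClientCredentials.create }}`; otherwise the change should be called out as breaking in the chart notes. The rest of the Secret manifest is outside the hunk.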
From: "yini.gao@schibsted.com"
Date: Fri, 15 Mar 2024 13:55:09 +0100
Subject: [PATCH 2/6] Update README.md
Signed-off-by: yini.gao@schibsted.com
Signed-off-by: Yini
---
 charts/flyte-core/README.md | 3 ++-
 ...keycloak-idp-flyteclients-without-browser.yaml | 7 +++++--
 charts/flyte-core/values.yaml | 4 ++--
 docs/deployment/configuration/auth_setup.rst | 15 +++++++++++----
 4 files changed, 20 insertions(+), 9 deletions(-)
diff --git a/charts/flyte-core/README.md b/charts/flyte-core/README.md
index 5a18f902cba..da38e5ac87b 100644
--- a/charts/flyte-core/README.md
+++ b/charts/flyte-core/README.md
@@ -273,7 +273,8 @@ helm install gateway bitnami/contour -n flyte
 | flytescheduler.tolerations | list | `[]` | tolerations for Flytescheduler deployment |
 | secrets.adminOauthClientCredentials.clientId | string | `"flytepropeller"` | |
 | secrets.adminOauthClientCredentials.clientSecret | string | `"foobar"` | |
-| secrets.adminOauthClientCredentials.enabled | bool | `true` | If enabled is true, helm will create and manage `flyte-secret-auth` and populate it with `clientSecret`. If enabled is false, it's up to the user to create `flyte-secret-auth` as described in https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#oauth2-authorization-server |
+| secrets.adminOauthClientCredentials.enabled | bool | `true` | If enabled is true, helm will mount `flyte-secret-auth`. If enabled is false, helm will not mount `flyte-secret-auth` |
+ | secrets.adminOauthClientCredentials.create | bool | `true` | If create is true, helm will create the `flyte-secret-auth`. If create is false, it's up to the user to create `flyte-secret-auth` as described in https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#oauth2-authorization-server |
 | sparkoperator | object | 
`{"enabled":false,"plugin_config":{"plugins":{"spark":{"spark-config-default":[{"spark.hadoop.fs.s3a.aws.credentials.provider":"com.amazonaws.auth.DefaultAWSCredentialsProviderChain"},{"spark.hadoop.mapreduce.fileoutputcommitter.algorithm.version":"2"},{"spark.kubernetes.allocation.batch.size":"50"},{"spark.hadoop.fs.s3a.acl.default":"BucketOwnerFullControl"},{"spark.hadoop.fs.s3n.impl":"org.apache.hadoop.fs.s3a.S3AFileSystem"},{"spark.hadoop.fs.AbstractFileSystem.s3n.impl":"org.apache.hadoop.fs.s3a.S3A"},{"spark.hadoop.fs.s3.impl":"org.apache.hadoop.fs.s3a.S3AFileSystem"},{"spark.hadoop.fs.AbstractFileSystem.s3.impl":"org.apache.hadoop.fs.s3a.S3A"},{"spark.hadoop.fs.s3a.impl":"org.apache.hadoop.fs.s3a.S3AFileSystem"},{"spark.hadoop.fs.AbstractFileSystem.s3a.impl":"org.apache.hadoop.fs.s3a.S3A"},{"spark.hadoop.fs.s3a.multipart.threshold":"536870912"},{"spark.blacklist.enabled":"true"},{"spark.blacklist.timeout":"5m"},{"spark.task.maxfailures":"8"}]}}}}` | Optional: Spark Plugin using the Spark Operator |
 | sparkoperator.enabled | bool | `false` | - enable or disable Sparkoperator deployment installation |
 | sparkoperator.plugin_config | object | 
`{"plugins":{"spark":{"spark-config-default":[{"spark.hadoop.fs.s3a.aws.credentials.provider":"com.amazonaws.auth.DefaultAWSCredentialsProviderChain"},{"spark.hadoop.mapreduce.fileoutputcommitter.algorithm.version":"2"},{"spark.kubernetes.allocation.batch.size":"50"},{"spark.hadoop.fs.s3a.acl.default":"BucketOwnerFullControl"},{"spark.hadoop.fs.s3n.impl":"org.apache.hadoop.fs.s3a.S3AFileSystem"},{"spark.hadoop.fs.AbstractFileSystem.s3n.impl":"org.apache.hadoop.fs.s3a.S3A"},{"spark.hadoop.fs.s3.impl":"org.apache.hadoop.fs.s3a.S3AFileSystem"},{"spark.hadoop.fs.AbstractFileSystem.s3.impl":"org.apache.hadoop.fs.s3a.S3A"},{"spark.hadoop.fs.s3a.impl":"org.apache.hadoop.fs.s3a.S3AFileSystem"},{"spark.hadoop.fs.AbstractFileSystem.s3a.impl":"org.apache.hadoop.fs.s3a.S3A"},{"spark.hadoop.fs.s3a.multipart.threshold":"536870912"},{"spark.blacklist.enabled":"true"},{"spark.blacklist.timeout":"5m"},{"spark.task.maxfailures":"8"}]}}}` | Spark plugin configuration |
diff --git a/charts/flyte-core/values-keycloak-idp-flyteclients-without-browser.yaml b/charts/flyte-core/values-keycloak-idp-flyteclients-without-browser.yaml
index edfd9478bcd..b1361492987 100644
--- a/charts/flyte-core/values-keycloak-idp-flyteclients-without-browser.yaml
+++ b/charts/flyte-core/values-keycloak-idp-flyteclients-without-browser.yaml
@@ -298,10 +298,13 @@ deployRedoc: false
 secrets:
 adminOauthClientCredentials:
- # -- If enabled is true, helm will create and manage `flyte-secret-auth` and populate it with `clientSecret`.
- # If enabled is false, it's up to the user to create `flyte-secret-auth` as described in
+ # If enabled is true, helm will mount `flyte-secret-auth`.
+ # If enabled is false, helm will not mount `flyte-secret-auth`.
+ # If create is true, helm will create the `flyte-secret-auth`.
+ # If create is false, it's up to the user to create `flyte-secret-auth` as described in
 # https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#oauth2-authorization-server
 enabled: true
+ create: true
 clientSecret: "<>" # put the secret for the confidential client flytepropeller defined in the IDP
 clientId: "flytepropeller" #use this client id and secret in the flytectl config with ClientSecret option
diff --git a/charts/flyte-core/values.yaml b/charts/flyte-core/values.yaml
index fb40a402b59..a368305fcb4 100755
--- a/charts/flyte-core/values.yaml
+++ b/charts/flyte-core/values.yaml
@@ -430,8 +430,8 @@ deployRedoc: false
 secrets:
 adminOauthClientCredentials:
- # -- If enabled is true, helm will populate `flyte-secret-auth` with `clientSecret`.
- # If enabled is false, helm will not populate `flyte-secret-auth`.
+ # If enabled is true, helm will mount `flyte-secret-auth`.
+ # If enabled is false, helm will not mount `flyte-secret-auth`.
 # If create is true, helm will create the `flyte-secret-auth`.
 # If create is false, it's up to the user to create `flyte-secret-auth` as described in
 # https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#oauth2-authorization-server
diff --git a/docs/deployment/configuration/auth_setup.rst b/docs/deployment/configuration/auth_setup.rst
index 2887e830ede..89cb61dba0a 100644
--- a/docs/deployment/configuration/auth_setup.rst
+++ b/docs/deployment/configuration/auth_setup.rst
@@ -345,9 +345,13 @@ Apply OIDC Configuration
 secrets:
 adminOauthClientCredentials:
- # -- If enabled is true, helm will create and manage `flyte-secret-auth` and populate it with `clientSecret`.
- # If enabled is false, it's up to the user to create `flyte-secret-auth`
+ # If enabled is true, helm will mount `flyte-secret-auth`.
+ # If enabled is false, helm will not mount `flyte-secret-auth`.
+ # If create is true, helm will create the `flyte-secret-auth`.
+ # If create is false, it's up to the user to create `flyte-secret-auth` as described in
+ # https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#oauth2-authorization-server
 enabled: true
+ create: true
 # Use the non-encoded version of the random password
 clientSecret: ""
 clientId: flytepropeller
@@ -597,7 +601,8 @@ Follow the steps in this section to configure `flyteadmin` to use an external au
 secrets:
 adminOauthClientCredentials:
- enabled: true # see the section "Disable Helm secret management" if you require to do so
+ enabled: true
+ create: true # see the section "Disable Helm secret management" if you require to do so
 # Replace with the client_secret provided by your IdP for flytepropeller.
 clientSecret:
 # Replace with the client_id provided by provided by your IdP for flytepropeller.
@@ -617,6 +622,7 @@ Follow the steps in this section to configure `flyteadmin` to use an external au
 secrets:
 adminOauthClientCredentials:
 enabled: true
+ create: true
 clientSecret:
 clientId:
 ---
@@ -673,7 +679,8 @@ Alternatively, you can instruct Helm not to create and manage the secret for ``f
 secrets:
 adminOauthClientCredentials:
- enabled: false #set to false
+ enabled: true # mount the flyte-secret-auth secret to the flytepropeller.
+ create: false # set to false
 # Replace with the client_id provided by provided by your IdP for flytepropeller.
 clientId:
From 0d499fda81ce3d2cc7ca7876e3ce0ea1cccdb6d3 Mon Sep 17 00:00:00 2001
From: Yini
Date: Mon, 18 Mar 2024 11:20:19 +0100
Subject: [PATCH 3/6] update README
Signed-off-by: Yini
---
 charts/flyte-core/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/flyte-core/README.md b/charts/flyte-core/README.md
index da38e5ac87b..96b527a367a 100644
--- a/charts/flyte-core/README.md
+++ b/charts/flyte-core/README.md
@@ -274,7 +274,7 @@ helm install gateway bitnami/contour -n flyte
 | secrets.adminOauthClientCredentials.clientId | string | `"flytepropeller"` | |
 | secrets.adminOauthClientCredentials.clientSecret | string | `"foobar"` | |
 | secrets.adminOauthClientCredentials.enabled | bool | `true` | If enabled is true, helm will mount `flyte-secret-auth`. If enabled is false, helm will not mount `flyte-secret-auth` |
- | secrets.adminOauthClientCredentials.create | bool | `true` | If create is true, helm will create the `flyte-secret-auth`. If create is false, it's up to the user to create `flyte-secret-auth` as described in https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#oauth2-authorization-server |
+| secrets.adminOauthClientCredentials.create | bool | `true` | If create is true, helm will create the `flyte-secret-auth`. If create is false, it's up to the user to create `flyte-secret-auth` as described in https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#oauth2-authorization-server |
 | sparkoperator | object | 
`{"enabled":false,"plugin_config":{"plugins":{"spark":{"spark-config-default":[{"spark.hadoop.fs.s3a.aws.credentials.provider":"com.amazonaws.auth.DefaultAWSCredentialsProviderChain"},{"spark.hadoop.mapreduce.fileoutputcommitter.algorithm.version":"2"},{"spark.kubernetes.allocation.batch.size":"50"},{"spark.hadoop.fs.s3a.acl.default":"BucketOwnerFullControl"},{"spark.hadoop.fs.s3n.impl":"org.apache.hadoop.fs.s3a.S3AFileSystem"},{"spark.hadoop.fs.AbstractFileSystem.s3n.impl":"org.apache.hadoop.fs.s3a.S3A"},{"spark.hadoop.fs.s3.impl":"org.apache.hadoop.fs.s3a.S3AFileSystem"},{"spark.hadoop.fs.AbstractFileSystem.s3.impl":"org.apache.hadoop.fs.s3a.S3A"},{"spark.hadoop.fs.s3a.impl":"org.apache.hadoop.fs.s3a.S3AFileSystem"},{"spark.hadoop.fs.AbstractFileSystem.s3a.impl":"org.apache.hadoop.fs.s3a.S3A"},{"spark.hadoop.fs.s3a.multipart.threshold":"536870912"},{"spark.blacklist.enabled":"true"},{"spark.blacklist.timeout":"5m"},{"spark.task.maxfailures":"8"}]}}}}` | Optional: Spark Plugin using the Spark Operator |
 | sparkoperator.enabled | bool | `false` | - enable or disable Sparkoperator deployment installation |
 | sparkoperator.plugin_config | object | 
`{"plugins":{"spark":{"spark-config-default":[{"spark.hadoop.fs.s3a.aws.credentials.provider":"com.amazonaws.auth.DefaultAWSCredentialsProviderChain"},{"spark.hadoop.mapreduce.fileoutputcommitter.algorithm.version":"2"},{"spark.kubernetes.allocation.batch.size":"50"},{"spark.hadoop.fs.s3a.acl.default":"BucketOwnerFullControl"},{"spark.hadoop.fs.s3n.impl":"org.apache.hadoop.fs.s3a.S3AFileSystem"},{"spark.hadoop.fs.AbstractFileSystem.s3n.impl":"org.apache.hadoop.fs.s3a.S3A"},{"spark.hadoop.fs.s3.impl":"org.apache.hadoop.fs.s3a.S3AFileSystem"},{"spark.hadoop.fs.AbstractFileSystem.s3.impl":"org.apache.hadoop.fs.s3a.S3A"},{"spark.hadoop.fs.s3a.impl":"org.apache.hadoop.fs.s3a.S3AFileSystem"},{"spark.hadoop.fs.AbstractFileSystem.s3a.impl":"org.apache.hadoop.fs.s3a.S3A"},{"spark.hadoop.fs.s3a.multipart.threshold":"536870912"},{"spark.blacklist.enabled":"true"},{"spark.blacklist.timeout":"5m"},{"spark.task.maxfailures":"8"}]}}}` | Spark plugin configuration |
From 40aa00f826fec52dbcd28f39889c868fa571f377 Mon Sep 17 00:00:00 2001
From: Yini
Date: Mon, 18 Mar 2024 18:03:46 +0100
Subject: [PATCH 4/6] rename 'enabled' to 'mount'
Signed-off-by: Yini
---
 charts/flyte-core/README.md | 2 +-
 .../templates/clusterresourcesync/deployment.yaml | 4 ++--
 .../templates/flytescheduler/deployment.yaml | 6 +++---
 .../flyte-core/templates/propeller/deployment.yaml | 4 ++--
 charts/flyte-core/templates/propeller/manager.yaml | 4 ++--
 ...es-keycloak-idp-flyteclients-without-browser.yaml | 6 +++---
 charts/flyte-core/values.yaml | 6 +++---
 docs/deployment/configuration/auth_setup.rst | 12 ++++++------
 8 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/charts/flyte-core/README.md b/charts/flyte-core/README.md
index 96b527a367a..a99aed01b03 100644
--- a/charts/flyte-core/README.md
+++ b/charts/flyte-core/README.md
@@ -273,7 +273,7 @@ helm install gateway bitnami/contour -n flyte
 | flytescheduler.tolerations | list | `[]` | tolerations for Flytescheduler deployment |
 | secrets.adminOauthClientCredentials.clientId | string | `"flytepropeller"` | |
 | secrets.adminOauthClientCredentials.clientSecret | string | `"foobar"` | |
-| secrets.adminOauthClientCredentials.enabled | bool | `true` | If enabled is true, helm will mount `flyte-secret-auth`. If enabled is false, helm will not mount `flyte-secret-auth` |
+| secrets.adminOauthClientCredentials.mount | bool | `true` | If mount is true, helm will mount `flyte-secret-auth`. If mount is false, helm will not mount `flyte-secret-auth` |
 | secrets.adminOauthClientCredentials.create | bool | `true` | If create is true, helm will create the `flyte-secret-auth`. If create is false, it's up to the user to create `flyte-secret-auth` as described in https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#oauth2-authorization-server |
 | sparkoperator | object | `{"enabled":false,"plugin_config":{"plugins":{"spark":{"spark-config-default":[{"spark.hadoop.fs.s3a.aws.credentials.provider":"com.amazonaws.auth.DefaultAWSCredentialsProviderChain"},{"spark.hadoop.mapreduce.fileoutputcommitter.algorithm.version":"2"},{"spark.kubernetes.allocation.batch.size":"50"},{"spark.hadoop.fs.s3a.acl.default":"BucketOwnerFullControl"},{"spark.hadoop.fs.s3n.impl":"org.apache.hadoop.fs.s3a.S3AFileSystem"},{"spark.hadoop.fs.AbstractFileSystem.s3n.impl":"org.apache.hadoop.fs.s3a.S3A"},{"spark.hadoop.fs.s3.impl":"org.apache.hadoop.fs.s3a.S3AFileSystem"},{"spark.hadoop.fs.AbstractFileSystem.s3.impl":"org.apache.hadoop.fs.s3a.S3A"},{"spark.hadoop.fs.s3a.impl":"org.apache.hadoop.fs.s3a.S3AFileSystem"},{"spark.hadoop.fs.AbstractFileSystem.s3a.impl":"org.apache.hadoop.fs.s3a.S3A"},{"spark.hadoop.fs.s3a.multipart.threshold":"536870912"},{"spark.blacklist.enabled":"true"},{"spark.blacklist.timeout":"5m"},{"spark.task.maxfailures":"8"}]}}}}` | Optional: 
Spark Plugin using the Spark Operator |
 | sparkoperator.enabled | bool | `false` | - enable or disable Sparkoperator deployment installation |
diff --git a/charts/flyte-core/templates/clusterresourcesync/deployment.yaml b/charts/flyte-core/templates/clusterresourcesync/deployment.yaml
index a2fb5d04ae0..531b89f6998 100644
--- a/charts/flyte-core/templates/clusterresourcesync/deployment.yaml
+++ b/charts/flyte-core/templates/clusterresourcesync/deployment.yaml
@@ -42,7 +42,7 @@ spec:
 {{- if not .Values.cluster_resource_manager.config.cluster_resources.standaloneDeployment }}
 {{- include "databaseSecret.volumeMount" . | nindent 10 }}
 {{- else }}
- {{- if .Values.secrets.adminOauthClientCredentials.enabled }}
+ {{- if .Values.secrets.adminOauthClientCredentials.mount }}
 - name: auth
 mountPath: /etc/secrets/
 {{- end }}
@@ -69,7 +69,7 @@ spec:
 secretName: cluster-credentials
 {{- end }}
 {{- if .Values.cluster_resource_manager.config.cluster_resources.standaloneDeployment }}
- {{- if .Values.secrets.adminOauthClientCredentials.enabled }}
+ {{- if .Values.secrets.adminOauthClientCredentials.mount }}
 - name: auth
 secret:
 secretName: flyte-secret-auth
diff --git a/charts/flyte-core/templates/flytescheduler/deployment.yaml b/charts/flyte-core/templates/flytescheduler/deployment.yaml
index 14db8c48a79..96feae2841f 100755
--- a/charts/flyte-core/templates/flytescheduler/deployment.yaml
+++ b/charts/flyte-core/templates/flytescheduler/deployment.yaml
@@ -48,7 +48,7 @@ spec:
 volumeMounts:
 {{- include "databaseSecret.volumeMount" . | nindent 8 }}
 - mountPath: /etc/flyte/config
 name: config-volume
- {{- if .Values.secrets.adminOauthClientCredentials.enabled }}
+ {{- if .Values.secrets.adminOauthClientCredentials.mount }}
 - name: auth
 mountPath: /etc/secrets/
 {{- end }}
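Review bot: The rename from `enabled` to `mount` in the clusterresourcesync hunk at `@@ -42` (and likewise at `@@ -69`, and in the flytescheduler/deployment.yaml, propeller/deployment.yaml and propeller/manager.yaml hunks) ships with no compatibility check, and Helm silently ignores values keys the chart no longer reads. An existing override of `enabled: false` is therefore dropped on upgrade and both `mount` and `create` fall back to their `true` defaults, so the chart starts creating and mounting `flyte-secret-auth` exactly where the operator had opted out. A guard in one shared template makes the break loud instead: `{{- if hasKey .Values.secrets.adminOauthClientCredentials "enabled" }}{{- fail "secrets.adminOauthClientCredentials.enabled was renamed: set mount and create instead" }}{{- end }}`; a `values.schema.json` that rejects unknown keys under `adminOauthClientCredentials` would achieve the same. The enclosing volumeMounts and volumes blocks start and end outside these hunks.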
@@ -78,7 +78,7 @@ spec:
 volumeMounts:
 {{- include "databaseSecret.volumeMount" . | nindent 8 }}
 - mountPath: /etc/flyte/config
 name: config-volume
- {{- if .Values.secrets.adminOauthClientCredentials.enabled }}
+ {{- if .Values.secrets.adminOauthClientCredentials.mount }}
 - name: auth
 mountPath: /etc/secrets/
 {{- end }}
@@ -95,7 +95,7 @@ spec:
 - configMap:
 name: flyte-scheduler-config
 name: config-volume
- {{- if .Values.secrets.adminOauthClientCredentials.enabled }}
+ {{- if .Values.secrets.adminOauthClientCredentials.mount }}
 - name: auth
 secret:
 secretName: flyte-secret-auth
diff --git a/charts/flyte-core/templates/propeller/deployment.yaml b/charts/flyte-core/templates/propeller/deployment.yaml
index 5fd09e5d5da..21ecb056901 100644
--- a/charts/flyte-core/templates/propeller/deployment.yaml
+++ b/charts/flyte-core/templates/propeller/deployment.yaml
@@ -82,7 +82,7 @@ spec:
 volumeMounts:
 - name: config-volume
 mountPath: /etc/flyte/config
- {{- if .Values.secrets.adminOauthClientCredentials.enabled }}
+ {{- if .Values.secrets.adminOauthClientCredentials.mount }}
 - name: auth
 mountPath: /etc/secrets/
 {{- end }}
@@ -100,7 +100,7 @@ spec:
 - configMap:
 name: flyte-propeller-config
 name: config-volume
- {{- if .Values.secrets.adminOauthClientCredentials.enabled }}
+ {{- if .Values.secrets.adminOauthClientCredentials.mount }}
 - name: auth
 secret:
 secretName: flyte-secret-auth
diff --git a/charts/flyte-core/templates/propeller/manager.yaml b/charts/flyte-core/templates/propeller/manager.yaml
index 21eb894ba84..1bbb436e877 100644
--- a/charts/flyte-core/templates/propeller/manager.yaml
+++ b/charts/flyte-core/templates/propeller/manager.yaml
@@ -43,7 +43,7 @@ template:
 volumeMounts:
 - name: config-volume
 mountPath: /etc/flyte/config
- {{- if .Values.secrets.adminOauthClientCredentials.enabled }}
+ {{- if .Values.secrets.adminOauthClientCredentials.mount }}
 - name: auth
 mountPath: /etc/secrets/
 {{- end }}
@@ -55,7 +55,7 @@ template:
 - configMap:
 name: flyte-propeller-config
 name: config-volume
- {{- if .Values.secrets.adminOauthClientCredentials.enabled }}
+ {{- if .Values.secrets.adminOauthClientCredentials.mount }}
 - name: auth
 secret:
 secretName: flyte-secret-auth
diff --git a/charts/flyte-core/values-keycloak-idp-flyteclients-without-browser.yaml b/charts/flyte-core/values-keycloak-idp-flyteclients-without-browser.yaml
index b1361492987..2b55bb83f56 100644
--- a/charts/flyte-core/values-keycloak-idp-flyteclients-without-browser.yaml
+++ b/charts/flyte-core/values-keycloak-idp-flyteclients-without-browser.yaml
@@ -298,12 +298,12 @@ deployRedoc: false
 secrets:
 adminOauthClientCredentials:
- # If enabled is true, helm will mount `flyte-secret-auth`.
- # If enabled is false, helm will not mount `flyte-secret-auth`.
+ # If mount is true, helm will mount `flyte-secret-auth`.
+ # If mount is false, helm will not mount `flyte-secret-auth`.
 # If create is true, helm will create the `flyte-secret-auth`.
 # If create is false, it's up to the user to create `flyte-secret-auth` as described in
 # https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#oauth2-authorization-server
- enabled: true
+ mount: true
 create: true
 clientSecret: "<>" # put the secret for the confidential client flytepropeller defined in the IDP
 clientId: "flytepropeller" #use this client id and secret in the flytectl config with ClientSecret option
diff --git a/charts/flyte-core/values.yaml b/charts/flyte-core/values.yaml
index a368305fcb4..becda27de6b 100755
--- a/charts/flyte-core/values.yaml
+++ b/charts/flyte-core/values.yaml
@@ -430,12 +430,12 @@ deployRedoc: false
 secrets:
 adminOauthClientCredentials:
- # If enabled is true, helm will mount `flyte-secret-auth`.
- # If enabled is false, helm will not mount `flyte-secret-auth`.
+ # If mount is true, helm will mount `flyte-secret-auth`.
+ # If mount is false, helm will not mount `flyte-secret-auth`.
 # If create is true, helm will create the `flyte-secret-auth`.
 # If create is false, it's up to the user to create `flyte-secret-auth` as described in
 # https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#oauth2-authorization-server
- enabled: true
+ mount: true
 create: true
 clientSecret: foobar
 clientId: flytepropeller
diff --git a/docs/deployment/configuration/auth_setup.rst b/docs/deployment/configuration/auth_setup.rst
index 89cb61dba0a..b9f318fb778 100644
--- a/docs/deployment/configuration/auth_setup.rst
+++ b/docs/deployment/configuration/auth_setup.rst
@@ -345,12 +345,12 @@ Apply OIDC Configuration
 secrets:
 adminOauthClientCredentials:
- # If enabled is true, helm will mount `flyte-secret-auth`.
- # If enabled is false, helm will not mount `flyte-secret-auth`.
+ # If mount is true, helm will mount `flyte-secret-auth`.
+ # If mount is false, helm will not mount `flyte-secret-auth`.
 # If create is true, helm will create the `flyte-secret-auth`.
 # If create is false, it's up to the user to create `flyte-secret-auth` as described in
 # https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#oauth2-authorization-server
- enabled: true
+ mount: true
 create: true
 # Use the non-encoded version of the random password
 clientSecret: ""
@@ -601,7 +601,7 @@ Follow the steps in this section to configure `flyteadmin` to use an external au
 secrets:
 adminOauthClientCredentials:
- enabled: true
+ mount: true
 create: true # see the section "Disable Helm secret management" if you require to do so
 # Replace with the client_secret provided by your IdP for flytepropeller.
 clientSecret:
@@ -621,7 +621,7 @@ Follow the steps in this section to configure `flyteadmin` to use an external au
 secrets:
 adminOauthClientCredentials:
- enabled: true
+ mount: true
 create: true
 clientSecret:
 clientId:
@@ -679,7 +679,7 @@ Alternatively, you can instruct Helm not to create and manage the secret for ``f
 secrets:
 adminOauthClientCredentials:
- enabled: true # mount the flyte-secret-auth secret to the flytepropeller.
+ mount: true # mount the flyte-secret-auth secret to the flytepropeller.
 create: false # set to false
 # Replace with the client_id provided by provided by your IdP for flytepropeller.
 clientId:
From 0692b2eaa33e4d58329d3ab84fb612381266f93e Mon Sep 17 00:00:00 2001
From: Yini
Date: Tue, 19 Mar 2024 13:59:28 +0100
Subject: [PATCH 5/6] switch order of keys
Signed-off-by: Yini
---
 ...es-keycloak-idp-flyteclients-without-browser.yaml | 6 +++---
 charts/flyte-core/values.yaml | 6 +++---
 docs/deployment/configuration/auth_setup.rst | 12 ++++++------
 3 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/charts/flyte-core/values-keycloak-idp-flyteclients-without-browser.yaml b/charts/flyte-core/values-keycloak-idp-flyteclients-without-browser.yaml
index 2b55bb83f56..68dbeb594d4 100644
--- a/charts/flyte-core/values-keycloak-idp-flyteclients-without-browser.yaml
+++ b/charts/flyte-core/values-keycloak-idp-flyteclients-without-browser.yaml
@@ -298,13 +298,13 @@ deployRedoc: false
 secrets:
 adminOauthClientCredentials:
- # If mount is true, helm will mount `flyte-secret-auth`.
- # If mount is false, helm will not mount `flyte-secret-auth`.
 # If create is true, helm will create the `flyte-secret-auth`.
 # If create is false, it's up to the user to create `flyte-secret-auth` as described in
 # https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#oauth2-authorization-server
- mount: true
+ # If mount is true, helm will mount `flyte-secret-auth`.
+ # If mount is false, helm will not mount `flyte-secret-auth`.
 create: true
+ mount: true
 clientSecret: "<>" # put the secret for the confidential client flytepropeller defined in the IDP
 clientId: "flytepropeller" #use this client id and secret in the flytectl config with ClientSecret option
diff --git a/charts/flyte-core/values.yaml b/charts/flyte-core/values.yaml
index becda27de6b..bc4a621c31f 100755
--- a/charts/flyte-core/values.yaml
+++ b/charts/flyte-core/values.yaml
@@ -430,13 +430,13 @@ deployRedoc: false
 secrets:
 adminOauthClientCredentials:
- # If mount is true, helm will mount `flyte-secret-auth`.
- # If mount is false, helm will not mount `flyte-secret-auth`.
 # If create is true, helm will create the `flyte-secret-auth`.
 # If create is false, it's up to the user to create `flyte-secret-auth` as described in
 # https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#oauth2-authorization-server
- mount: true
+ # If mount is true, helm will mount `flyte-secret-auth`.
+ # If mount is false, helm will not mount `flyte-secret-auth`.
 create: true
+ mount: true
 clientSecret: foobar
 clientId: flytepropeller
diff --git a/docs/deployment/configuration/auth_setup.rst b/docs/deployment/configuration/auth_setup.rst
index b9f318fb778..026874650f1 100644
--- a/docs/deployment/configuration/auth_setup.rst
+++ b/docs/deployment/configuration/auth_setup.rst
@@ -345,13 +345,13 @@ Apply OIDC Configuration
 secrets:
 adminOauthClientCredentials:
- # If mount is true, helm will mount `flyte-secret-auth`.
- # If mount is false, helm will not mount `flyte-secret-auth`.
 # If create is true, helm will create the `flyte-secret-auth`.
 # If create is false, it's up to the user to create `flyte-secret-auth` as described in
 # https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#oauth2-authorization-server
- mount: true
+ # If mount is true, helm will mount `flyte-secret-auth`.
+ # If mount is false, helm will not mount `flyte-secret-auth`.
 create: true
+ mount: true
 # Use the non-encoded version of the random password
 clientSecret: ""
 clientId: flytepropeller
@@ -601,8 +601,8 @@ Follow the steps in this section to configure `flyteadmin` to use an external au
 secrets:
 adminOauthClientCredentials:
- mount: true
 create: true # see the section "Disable Helm secret management" if you require to do so
+ mount: true
 # Replace with the client_secret provided by your IdP for flytepropeller.
 clientSecret:
 # Replace with the client_id provided by provided by your IdP for flytepropeller.
@@ -621,8 +621,8 @@ Follow the steps in this section to configure `flyteadmin` to use an external au
 secrets:
 adminOauthClientCredentials:
- mount: true
 create: true
+ mount: true
 clientSecret:
 clientId:
 ---
@@ -679,8 +679,8 @@ Alternatively, you can instruct Helm not to create and manage the secret for ``f
 secrets:
 adminOauthClientCredentials:
- mount: true # mount the flyte-secret-auth secret to the flytepropeller.
 create: false # set to false
+ mount: true # mount the flyte-secret-auth secret to the flytepropeller.
 # Replace with the client_id provided by provided by your IdP for flytepropeller.
 clientId:
From 3e61e6967104e706c834230b2946748918477f2e Mon Sep 17 00:00:00 2001
From: Yini
Date: Tue, 19 Mar 2024 14:05:49 +0100
Subject: [PATCH 6/6] add comment to warn user the unsupported combo
Signed-off-by: Yini
---
 .../values-keycloak-idp-flyteclients-without-browser.yaml | 1 +
 charts/flyte-core/values.yaml | 1 +
 docs/deployment/configuration/auth_setup.rst | 1 +
 3 files changed, 3 insertions(+)
diff --git a/charts/flyte-core/values-keycloak-idp-flyteclients-without-browser.yaml b/charts/flyte-core/values-keycloak-idp-flyteclients-without-browser.yaml
index 68dbeb594d4..505ac171495 100644
--- a/charts/flyte-core/values-keycloak-idp-flyteclients-without-browser.yaml
+++ b/charts/flyte-core/values-keycloak-idp-flyteclients-without-browser.yaml
@@ -303,6 +303,7 @@ secrets:
 # https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#oauth2-authorization-server
 # If mount is true, helm will mount `flyte-secret-auth`.
 # If mount is false, helm will not mount `flyte-secret-auth`.
+ # Note: Unsupported combination: create.true and mount.false.
 create: true
 mount: true
 clientSecret: "<>" # put the secret for the confidential client flytepropeller defined in the IDP
diff --git a/charts/flyte-core/values.yaml b/charts/flyte-core/values.yaml
index bc4a621c31f..bef9995ed8f 100755
--- a/charts/flyte-core/values.yaml
+++ b/charts/flyte-core/values.yaml
@@ -435,6 +435,7 @@ secrets:
 # https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#oauth2-authorization-server
 # If mount is true, helm will mount `flyte-secret-auth`.
 # If mount is false, helm will not mount `flyte-secret-auth`.
+ # Note: Unsupported combination: create.true and mount.false.
 create: true
 mount: true
 clientSecret: foobar
diff --git a/docs/deployment/configuration/auth_setup.rst b/docs/deployment/configuration/auth_setup.rst
index 026874650f1..46e8a0df361 100644
--- a/docs/deployment/configuration/auth_setup.rst
+++ b/docs/deployment/configuration/auth_setup.rst
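Review bot: The added `# Note: Unsupported combination: create.true and mount.false.` in the keycloak values hunk at `@@ -303` (and the same line in the values.yaml hunk at `@@ -435`) documents a constraint that nothing enforces, so a release configured that way still renders and installs without complaint. If the combination is genuinely unsupported, the templates already branch on both keys and a single render-time check in `secret-auth.yaml` or a shared helper would reject it: `{{- if and .Values.secrets.adminOauthClientCredentials.create (not .Values.secrets.adminOauthClientCredentials.mount) }}{{- fail "secrets.adminOauthClientCredentials: create=true requires mount=true" }}{{- end }}`. The comment should also state what breaks in that case and use the key syntax the file itself uses, e.g. `# Note: create: true together with mount: false is not supported.`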
@@ -350,6 +350,7 @@ Apply OIDC Configuration
 # https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#oauth2-authorization-server
 # If mount is true, helm will mount `flyte-secret-auth`.
 # If mount is false, helm will not mount `flyte-secret-auth`.
+ # Note: Unsupported combination: create.true and mount.false.
 create: true
 mount: true
 # Use the non-encoded version of the random password