From 99552560d535dbef9e34773470685a7dac403352 Mon Sep 17 00:00:00 2001
From: Yini <131146298+yini7777@users.noreply.github.com>
Date: Thu, 11 Apr 2024 23:22:36 +0200
Subject: [PATCH] Fix mounting secrets (#5063)
Signed-off-by: yini.gao@schibsted.com
---
 charts/flyte-core/README.md | 2 +-
 charts/flyte-core/templates/common/secret-auth.yaml | 2 +-
 ...ues-keycloak-idp-flyteclients-without-browser.yaml | 7 +++++--
 charts/flyte-core/values.yaml | 7 +++++--
 docker/sandbox-bundled/manifests/complete-agent.yaml | 4 ++--
 docker/sandbox-bundled/manifests/complete.yaml | 4 ++--
 docker/sandbox-bundled/manifests/dev.yaml | 4 ++--
 docs/deployment/configuration/auth_setup.rst | 11 ++++++++---
 8 files changed, 26 insertions(+), 15 deletions(-)
diff --git a/charts/flyte-core/README.md b/charts/flyte-core/README.md
index 00fd69f368..55d327a25f 100644
--- a/charts/flyte-core/README.md
+++ b/charts/flyte-core/README.md
@@ -273,7 +273,7 @@ helm install gateway bitnami/contour -n flyte | flytescheduler.tolerations | list | `[]` | tolerations for Flytescheduler deployment | | secrets.adminOauthClientCredentials.clientId | string | `"flytepropeller"` | | | secrets.adminOauthClientCredentials.clientSecret | string | `"foobar"` | | -| secrets.adminOauthClientCredentials.enabled | bool | `true` | If enabled is true, helm will create and manage `flyte-secret-auth` and populate it with `clientSecret`. If enabled is false, it's up to the user to create `flyte-secret-auth` as described in https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#oauth2-authorization-server | +| secrets.adminOauthClientCredentials.enabled | bool | `true` | | | sparkoperator | object | `{"enabled":false,"plugin_config":{"plugins":{"spark":{"spark-config-default":[{"spark.hadoop.fs.s3a.aws.credentials.provider":"com.amazonaws.auth.DefaultAWSCredentialsProviderChain"},{"spark.hadoop.mapreduce.fileoutputcommitter.algorithm.version":"2"},{"spark.kubernetes.allocation.batch.size":"50"},{"spark.hadoop.fs.s3a.acl.default":"BucketOwnerFullControl"},{"spark.hadoop.fs.s3n.impl":"org.apache.hadoop.fs.s3a.S3AFileSystem"},{"spark.hadoop.fs.AbstractFileSystem.s3n.impl":"org.apache.hadoop.fs.s3a.S3A"},{"spark.hadoop.fs.s3.impl":"org.apache.hadoop.fs.s3a.S3AFileSystem"},{"spark.hadoop.fs.AbstractFileSystem.s3.impl":"org.apache.hadoop.fs.s3a.S3A"},{"spark.hadoop.fs.s3a.impl":"org.apache.hadoop.fs.s3a.S3AFileSystem"},{"spark.hadoop.fs.AbstractFileSystem.s3a.impl":"org.apache.hadoop.fs.s3a.S3A"},{"spark.hadoop.fs.s3a.multipart.threshold":"536870912"},{"spark.blacklist.enabled":"true"},{"spark.blacklist.timeout":"5m"},{"spark.task.maxfailures":"8"}]}}}}` | Optional: Spark Plugin using the Spark Operator | | sparkoperator.enabled | bool | `false` | - enable or disable Sparkoperator deployment installation | | sparkoperator.plugin_config | object | 
`{"plugins":{"spark":{"spark-config-default":[{"spark.hadoop.fs.s3a.aws.credentials.provider":"com.amazonaws.auth.DefaultAWSCredentialsProviderChain"},{"spark.hadoop.mapreduce.fileoutputcommitter.algorithm.version":"2"},{"spark.kubernetes.allocation.batch.size":"50"},{"spark.hadoop.fs.s3a.acl.default":"BucketOwnerFullControl"},{"spark.hadoop.fs.s3n.impl":"org.apache.hadoop.fs.s3a.S3AFileSystem"},{"spark.hadoop.fs.AbstractFileSystem.s3n.impl":"org.apache.hadoop.fs.s3a.S3A"},{"spark.hadoop.fs.s3.impl":"org.apache.hadoop.fs.s3a.S3AFileSystem"},{"spark.hadoop.fs.AbstractFileSystem.s3.impl":"org.apache.hadoop.fs.s3a.S3A"},{"spark.hadoop.fs.s3a.impl":"org.apache.hadoop.fs.s3a.S3AFileSystem"},{"spark.hadoop.fs.AbstractFileSystem.s3a.impl":"org.apache.hadoop.fs.s3a.S3A"},{"spark.hadoop.fs.s3a.multipart.threshold":"536870912"},{"spark.blacklist.enabled":"true"},{"spark.blacklist.timeout":"5m"},{"spark.task.maxfailures":"8"}]}}}` | Spark plugin configuration |
diff --git a/charts/flyte-core/templates/common/secret-auth.yaml b/charts/flyte-core/templates/common/secret-auth.yaml
index 50290357d8..d13247bd9a 100644
--- a/charts/flyte-core/templates/common/secret-auth.yaml
+++ b/charts/flyte-core/templates/common/secret-auth.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.secrets.adminOauthClientCredentials.enabled }}
+{{- if and (.Values.secrets.adminOauthClientCredentials.enabled) (not (empty .Values.secrets.adminOauthClientCredentials.clientSecret)) }}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/charts/flyte-core/values-keycloak-idp-flyteclients-without-browser.yaml b/charts/flyte-core/values-keycloak-idp-flyteclients-without-browser.yaml
index 5b12b7b3f9..22624d8775 100644
--- a/charts/flyte-core/values-keycloak-idp-flyteclients-without-browser.yaml
+++ b/charts/flyte-core/values-keycloak-idp-flyteclients-without-browser.yaml
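Review bot: The new `{{- if and ... (not (empty ...clientSecret)) }}` guard treats `""` exactly like `null`, so `enabled: true` with `clientSecret: ""` (the value the auth_setup.rst example in this same patch ships) now silently renders no Secret, while the values comments only describe the `null` case; if the propeller mount really is unconditional on `enabled`, as the comment "helm will mount `flyte-secret-auth`" suggests, the result is presumably a pod waiting on a missing Secret with nothing in the chart output explaining why, so the condition deserves a one-line comment such as `# Render the Secret only when a non-empty clientSecret is supplied; null or "" means the operator provides flyte-secret-auth themselves`. The combination the values comments call unsupported (`enabled: false` together with a non-empty `clientSecret`) is documented but not enforced; a render-time check `{{- if and (not .Values.secrets.adminOauthClientCredentials.enabled) (not (empty .Values.secrets.adminOauthClientCredentials.clientSecret)) }}` / `{{- fail "secrets.adminOauthClientCredentials.clientSecret is set but enabled is false" }}` / `{{- end }}` would reject it instead of leaving a credential in values that nothing consumes. The Secret body and the closing `{{- end }}` of this template are outside the hunk.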
@@ -298,9 +298,12 @@ deployRedoc: false
 secrets:
   adminOauthClientCredentials:
-    # -- If enabled is true, helm will create and manage `flyte-secret-auth` and populate it with `clientSecret`.
-    # If enabled is false, it's up to the user to create `flyte-secret-auth` as described in
+    # If enabled is true, and `clientSecret` is specified, helm will create and mount `flyte-secret-auth`.
+    # If enabled is true, and `clientSecret` is null, it's up to the user to create `flyte-secret-auth` as described in
     # https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#oauth2-authorization-server
+    # and helm will mount `flyte-secret-auth`.
+    # If enabled is false, auth is not turned on.
+    # Note: Unsupported combination: enabled.false and clientSecret.someValue
     enabled: true
     clientSecret: "<>" # put the secret for the confidential client flytepropeller defined in the IDP
     clientId: "flytepropeller" #use this client id and secret in the flytectl config with ClientSecret option
diff --git a/charts/flyte-core/values.yaml b/charts/flyte-core/values.yaml
index 8b1e4b89d6..f3580786a6 100755
--- a/charts/flyte-core/values.yaml
+++ b/charts/flyte-core/values.yaml
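Review bot: Dropping the `# --` prefix from the first comment line under `adminOauthClientCredentials` removes the helm-docs description marker, which is why the README hunk in this same patch now shows an empty description cell for `secrets.adminOauthClientCredentials.enabled`; keep the marker on the first line, `# -- If enabled is true, and \`clientSecret\` is specified, helm will create and mount \`flyte-secret-auth\`.`, so the generated README keeps the text. The same applies to the values.yaml hunk and to the copy of these comments in auth_setup.rst. The comment describes only `clientSecret` being `null`, but the new test in secret-auth.yaml uses `empty`, which also matches `""`, so the wording should be "null or empty". Note also that the `"<>"` placeholder on the `clientSecret:` line is non-empty and therefore passes the new guard, so an operator who installs this values file unedited gets a `flyte-secret-auth` Secret whose credential is the literal string `<>`; a comment saying the placeholder must be replaced before install, or a `null` default, would avoid that. The sentence "If enabled is false, auth is not turned on" is not established by anything in this patch (the only consumer of `enabled` shown is the Secret template), so it should be checked against the templates that read it.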
@@ -430,9 +430,12 @@ deployRedoc: false
 secrets:
   adminOauthClientCredentials:
-    # -- If enabled is true, helm will create and manage `flyte-secret-auth` and populate it with `clientSecret`.
-    # If enabled is false, it's up to the user to create `flyte-secret-auth` as described in
+    # If enabled is true, and `clientSecret` is specified, helm will create and mount `flyte-secret-auth`.
+    # If enabled is true, and `clientSecret` is null, it's up to the user to create `flyte-secret-auth` as described in
     # https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#oauth2-authorization-server
+    # and helm will mount `flyte-secret-auth`.
+    # If enabled is false, auth is not turned on.
+    # Note: Unsupported combination: enabled.false and clientSecret.someValue
     enabled: true
     clientSecret: foobar
     clientId: flytepropeller
diff --git a/docker/sandbox-bundled/manifests/complete-agent.yaml b/docker/sandbox-bundled/manifests/complete-agent.yaml
index 2db8226933..4b31375fc3 100644
--- a/docker/sandbox-bundled/manifests/complete-agent.yaml
+++ b/docker/sandbox-bundled/manifests/complete-agent.yaml
@@ -816,7 +816,7 @@ type: Opaque
 ---
 apiVersion: v1
 data:
-  haSharedSecret: WEJxZGNCTWJiNFUwZEd1bQ==
+  haSharedSecret: WlVScnNIb3I2RFM4UFhrcA==
   proxyPassword: ""
   proxyUsername: ""
 kind: Secret
@@ -1412,7 +1412,7 @@ spec:
     metadata:
       annotations:
         checksum/config: 8f50e768255a87f078ba8b9879a0c174c3e045ffb46ac8723d2eedbe293c8d81
-        checksum/secret: 45571013e2bcbc17744162363ccc7fc5c99072b2553a3fe29f41660a07e2e864
+        checksum/secret: a041f8b1e9c41f465e4f113957cc10f1b48b2e259a5d193657571ae597305e2c
       labels:
         app: docker-registry
         release: flyte-sandbox
diff --git a/docker/sandbox-bundled/manifests/complete.yaml b/docker/sandbox-bundled/manifests/complete.yaml
index 98b5aa3657..4f5f878a00 100644
--- a/docker/sandbox-bundled/manifests/complete.yaml
+++ b/docker/sandbox-bundled/manifests/complete.yaml
@@ -796,7 +796,7 @@ type: Opaque
 ---
 apiVersion: v1
 data:
-  haSharedSecret: a1Zqcm1HUlcxZUN4SExqSw==
+  haSharedSecret: VU5MNDc1MDZUU05OWmZOYw==
   proxyPassword: ""
   proxyUsername: ""
 kind: Secret
@@ -1360,7 +1360,7 @@ spec:
     metadata:
       annotations:
         checksum/config: 8f50e768255a87f078ba8b9879a0c174c3e045ffb46ac8723d2eedbe293c8d81
-        checksum/secret: bf4abdac7aaf5a74cf2f12f7511d4af46e5c2b8228637c5eb29f9ed5399e4942
+        checksum/secret: 0c9fcdc5ba4f5091dbd31e0a907c4748391313df162b5e1d3ace3084b62cdd40
       labels:
         app: docker-registry
         release: flyte-sandbox
diff --git a/docker/sandbox-bundled/manifests/dev.yaml b/docker/sandbox-bundled/manifests/dev.yaml
index 49c259b0d9..43144186ce 100644
--- a/docker/sandbox-bundled/manifests/dev.yaml
+++ b/docker/sandbox-bundled/manifests/dev.yaml
@@ -499,7 +499,7 @@ metadata:
 ---
 apiVersion: v1
 data:
-  haSharedSecret: dkdTTTV4ZkNpc2pneXZBRQ==
+  haSharedSecret: RXhwTzhZT25HZzJjdUllSQ==
   proxyPassword: ""
   proxyUsername: ""
 kind: Secret
@@ -934,7 +934,7 @@ spec:
     metadata:
       annotations:
         checksum/config: 8f50e768255a87f078ba8b9879a0c174c3e045ffb46ac8723d2eedbe293c8d81
-        checksum/secret: 40299f1a8b9fffd1ef10051c289e1d654de7f755fff5f44cde65a9cf96bcd543
+        checksum/secret: 6f8a6d8c2b4e54840abf28822833192923adeb062f926c962e8e0785b96877d5
       labels:
         app: docker-registry
         release: flyte-sandbox
diff --git a/docs/deployment/configuration/auth_setup.rst b/docs/deployment/configuration/auth_setup.rst
index d9a7f2c7eb..bb73bef8e3 100644
--- a/docs/deployment/configuration/auth_setup.rst
+++ b/docs/deployment/configuration/auth_setup.rst
@@ -346,8 +346,12 @@ Apply OIDC Configuration secrets: adminOauthClientCredentials: - # -- If enabled is true, helm will create and manage `flyte-secret-auth` and populate it with `clientSecret`. - # If enabled is false, it's up to the user to create `flyte-secret-auth` + # If enabled is true, and `clientSecret` is specified, helm will create and mount `flyte-secret-auth`. + # If enabled is true, and `clientSecret` is null, it's up to the user to create `flyte-secret-auth` as described in + # https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#oauth2-authorization-server + # and helm will mount `flyte-secret-auth`. + # If enabled is false, auth is not turned on. + # Note: Unsupported combination: enabled.false and clientSecret.someValue enabled: true # Use the non-encoded version of the random password clientSecret: "" @@ -677,7 +681,8 @@ Alternatively, you can instruct Helm not to create and manage the secret for ``f secrets: adminOauthClientCredentials: - enabled: false #set to false + enabled: true # enable mounting the flyte-secret-auth secret to the flytepropeller. + clientSecret: null # disable Helm from creating the flyte-secret-auth secret. # Replace with the client_id provided by provided by your IdP for flytepropeller. clientId: