Add support for authentication in flyte-binary chart (#3155)

Signed-off-by: Jeev B <[email protected]>

Signed-off-by: Jeev B <[email protected]>

charts/flyte-binary/README.md

@@ -16,6 +16,12 @@ Chart for basic single Flyte executable deployment
 | commonAnnotations | object | `{}` |  |
 | commonLabels | object | `{}` |  |
 | configuration.annotations | object | `{}` |  |
+| configuration.auth.enabled | bool | `false` |  |
+| configuration.auth.internal.clientSecret | string | `""` |  |
+| configuration.auth.internal.clientSecretHash | string | `""` |  |
+| configuration.auth.oidc.baseUrl | string | `""` |  |
+| configuration.auth.oidc.clientId | string | `""` |  |
+| configuration.auth.oidc.clientSecret | string | `""` |  |
 | configuration.database.dbname | string | `"flyte"` |  |
 | configuration.database.host | string | `"127.0.0.1"` |  |
 | configuration.database.options | string | `"sslmode=disable"` |  |
@@ -54,6 +60,11 @@ Chart for basic single Flyte executable deployment
 | deployment.extraPodSpec | object | `{}` |  |
 | deployment.extraVolumeMounts | list | `[]` |  |
 | deployment.extraVolumes | list | `[]` |  |
+| deployment.genAdminAuthSecret.args | list | `[]` |  |
+| deployment.genAdminAuthSecret.command | list | `[]` |  |
+| deployment.genAdminAuthSecret.image.pullPolicy | string | `"IfNotPresent"` |  |
+| deployment.genAdminAuthSecret.image.repository | string | `"cr.flyte.org/flyteorg/flyteadmin"` |  |
+| deployment.genAdminAuthSecret.image.tag | string | `"v1.1.57"` |  |
 | deployment.image.pullPolicy | string | `"IfNotPresent"` |  |
 | deployment.image.repository | string | `"ghcr.io/flyteorg/flyte-sandbox"` |  |
 | deployment.image.tag | string | `"flytebinary_1007"` |  |

charts/flyte-binary/templates/_helpers.tpl

@@ -132,6 +132,20 @@ templates: {{- toYaml .custom | nindent 2 -}}
 {{- end -}}
 {{- end -}}
 
+{{/*
+Get the Secret name for Flyte admin authentication secrets.
+*/}}
+{{- define "flyte-binary.configuration.auth.adminAuthSecretName" -}}
+{{- printf "%s-admin-auth" (include "flyte-binary.fullname" .) -}}
+{{- end -}}
+
+{{/*
+Get the Secret name for Flyte authentication client secrets.
+*/}}
+{{- define "flyte-binary.configuration.auth.clientSecretName" -}}
+{{- printf "%s-client-secrets" (include "flyte-binary.fullname" .) -}}
+{{- end -}}
+
 {{/*
 Get the Flyte cluster resource templates ConfigMap name.
 */}}

charts/flyte-binary/templates/admin-auth-secret.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.configuration.auth.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "flyte-binary.configuration.auth.adminAuthSecretName" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "flyte-binary.labels" . | nindent 4 }}
+    {{- if .Values.commonLabels }}
+    {{- include "flyte-binary.renderTemplate" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- if .Values.commonAnnotations }}
+    {{- include "flyte-binary.renderTemplate" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+    {{- end }}
+type: Opaque
+{{- end }}

charts/flyte-binary/templates/auth-client-secret.yaml

@@ -0,0 +1,19 @@
+{{- if .Values.configuration.auth.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "flyte-binary.configuration.auth.clientSecretName" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "flyte-binary.labels" . | nindent 4 }}
+    {{- if .Values.commonLabels }}
+    {{- include "flyte-binary.renderTemplate" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- if .Values.commonAnnotations }}
+    {{- include "flyte-binary.renderTemplate" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+    {{- end }}
+type: Opaque
+stringData:
+  client_secret: {{ required "Internal client secret required when authentication is enabled" .Values.configuration.auth.internal.clientSecret | quote }}
+  oidc_client_secret: {{ required "OIDC client secret required when authentication is enabled" .Values.configuration.auth.oidc.clientSecret | quote }}
+{{- end }}

charts/flyte-binary/templates/configmap.yaml

@@ -108,6 +108,82 @@ data:
     {{- end }}
       container: {{ required "Metadata container required" .metadataContainer }}
     {{- end }}
+  {{- if.Values.configuration.auth.enabled }}
+  004-auth.yaml: |
+    auth:
+      appAuth:
+        selfAuthServer:
+          staticClients:
+            flytepropeller:
+              client_secret: {{ required "Internal client secret hash required when authentication is enabled" .Values.configuration.auth.internal.clientSecretHash | quote }}
+              grant_types:
+              - refresh_token
+              - client_credentials
+              id: flytepropeller
+              response_types:
+              - token
+              scopes:
+              - all
+              - offline
+              - access_token
+            flyte-cli:
+              grant_types:
+              - refresh_token
+              - authorization_code
+              id: flyte-cli
+              public: true
+              redirect_uris:
+              - http://localhost:53593/callback
+              - http://localhost:12345/callback
+              response_types:
+              - code
+              - token
+              scopes:
+              - all
+              - offline
+              - access_token
+            flytectl:
+              grant_types:
+              - refresh_token
+              - authorization_code
+              id: flytectl
+              public: true
+              redirect_uris:
+              - http://localhost:53593/callback
+              - http://localhost:12345/callback
+              response_types:
+              - code
+              - token
+              scopes:
+              - all
+              - offline
+              - access_token
+        thirdPartyConfig:
+          flyteClient:
+            clientId: flytectl
+            redirectUri: http://localhost:53593/callback
+            scopes:
+            - offline
+            - all
+      authorizedUris:
+      {{- if .Values.ingress.host }}
+      - https://{{ include "flyte-binary.renderTemplate" ( dict "value" .Values.ingress.host "context" $ ) }}
+      {{- end }}
+      - http://{{ include "flyte-binary.fullname" . }}:{{ include "flyte-binary.service.httpPort" . }}
+      - http://{{ include "flyte-binary.fullname" . }}.{{ .Release.Namespace }}:{{ include "flyte-binary.service.httpPort" . }}
+      - http://{{ include "flyte-binary.fullname" . }}.{{ .Release.Namespace }}.svc:{{ include "flyte-binary.service.httpPort" . }}
+      - http://{{ include "flyte-binary.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ include "flyte-binary.service.httpPort" . }}
+      userAuth:
+        openId:
+          baseUrl: {{ required "OIDC base URL required when authentication is enabled" .Values.configuration.auth.oidc.baseUrl | quote }}
+          clientId: {{ required "OIDC client ID required when authentication is enabled" .Values.configuration.auth.oidc.clientId | quote }}
+          scopes:
+          - profile
+          - openid
+    server:
+      security:
+        useAuth: true
+  {{- end }}
   {{- if .Values.configuration.inline }}
   010-inline-config.yaml: |
     {{- include "flyte-binary.renderTemplate" ( dict "value" .Values.configuration.inline "context" $ ) | nindent 4 }}

charts/flyte-binary/templates/deployment.yaml

@@ -42,6 +42,10 @@ spec:
         {{- if and .Values.configuration.database.password (not .Values.configuration.externalConfigMap) }}
         checksum/db-password-secret: {{ include (print $.Template.BasePath "/db-password-secret.yaml") . | sha256sum }}
         {{- end }}
+        {{- if .Values.configuration.auth.enabled }}
+        checksum/admin-auth-secret: {{ include (print $.Template.BasePath "/admin-auth-secret.yaml") . | sha256sum }}
+        checksum/auth-client-secret: {{ include (print $.Template.BasePath "/auth-client-secret.yaml") . | sha256sum }}
+        {{- end }}
         {{- if .Values.commonAnnotations }}
         {{- include "flyte-binary.renderTemplate" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 8 }}
         {{- end }}
@@ -91,6 +95,43 @@ spec:
           resources: {{- toYaml .Values.deployment.resources | nindent 12 }}
           {{- end }}
         {{- end }}
+        {{- if .Values.configuration.auth.enabled }}
+        - name: gen-admin-auth-secret
+          {{- with .Values.deployment.genAdminAuthSecret.image }}
+          image: {{ printf "%s:%s" .repository .tag | quote }}
+          imagePullPolicy: {{ .pullPolicy | quote }}
+          {{- end }}
+          command:
+            {{- if .Values.deployment.genAdminAuthSecret.command }}
+            {{- include "flyte-binary.renderTemplate" (dict "value" .Values.deployment.genAdminAuthSecret.command "context" $) | nindent 12 }}
+            {{- else }}
+            - sh
+            - -ec
+            {{- end }}
+          args:
+            {{- if .Values.deployment.genAdminAuthSecret.args }}
+            {{- include "flyte-binary.renderTemplate" (dict "value" .Values.deployment.genAdminAuthSecret.args "context" $) | nindent 12 }}
+            {{- else }}
+            - |
+              flyteadmin --config=/etc/flyte/config.d/*.yaml \
+                secrets init --localPath /tmp/admin-auth-secret
+              flyteadmin --config=/etc/flyte/config.d/*.yaml \
+                secrets create \
+                --name {{ include "flyte-binary.configuration.auth.adminAuthSecretName" . }} \
+                --fromPath /tmp/admin-auth-secret
+            {{- end }}
+          env:
+            - name: POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          volumeMounts:
+            - name: config
+              mountPath: /etc/flyte/config.d
+          {{- if .Values.deployment.resources }}
+          resources: {{- toYaml .Values.deployment.resources | nindent 12 }}
+          {{- end }}
+        {{- end }}
         {{- if .Values.deployment.initContainers }}
         {{- include "flyte-binary.renderTemplate" ( dict "value" .Values.deployment.initContainers "context" $ ) | nindent 8 }}
         {{- end }}
@@ -168,6 +209,10 @@ spec:
           lifecycle: {{- include "flyte-binary.renderTemplate" (dict "value" .Values.deployment.lifecycleHooks "context" $) | nindent 12 }}
           {{- end }}
           volumeMounts:
+            {{- if .Values.configuration.auth.enabled }}
+            - name: auth
+              mountPath: /etc/secrets
+            {{- end }}
             - name: cluster-resource-templates
               mountPath: /etc/flyte/cluster-resource-templates
             - name: config
@@ -186,6 +231,15 @@ spec:
         {{- include "flyte-binary.renderTemplate" ( dict "value" .Values.deployment.sidecars "context" $ ) | nindent 8 }}
         {{- end }}
       volumes:
+        {{- if .Values.configuration.auth.enabled }}
+        - name: auth
+          projected:
+            sources:
+            - secret:
+                name: {{ include "flyte-binary.configuration.auth.adminAuthSecretName" . }}
+            - secret:
+                name: {{ include "flyte-binary.configuration.auth.clientSecretName" . }}
+        {{- end }}
         - name: cluster-resource-templates
           configMap:
             name: {{ include "flyte-binary.clusterResourceTemplates.configMapName" . }}

charts/flyte-binary/values.yaml

@@ -73,6 +73,24 @@ configuration:
         enabled: false
         templateUri: ""
       custom: []
+  # auth Specify configuration for Flyte authentication
+  auth:
+    # enabled Enable Flyte authentication
+    enabled: false
+    # oidc OIDC configuration for Flyte authentication
+    oidc:
+      # baseUrl URL for OIDC provider
+      baseUrl: ""
+      # clientId Flyte application client ID
+      clientId: ""
+      # clientSecret Flyte application client secret
+      clientSecret: ""
+    # internal Configuration for internal authentication
+    internal:
+      # clientSecret Client secret for internal authentication
+      clientSecret: ""
+      # clientSecretHash Bcrypt hash of of clientSecret
+      clientSecretHash: ""
   # externalConfigMap Specify an existing, external ConfigMap to use as configuration for Flyte
   # If set, this no ConfigMap generated by this chart
   externalConfigMap: ""
@@ -156,6 +174,20 @@ deployment:
     command: []
     # args Override default init container args
     args: []
+  # genAdminAuthSecret Configure init container to generate secrets for internal use
+  genAdminAuthSecret:
+    # image Configure image to use for gen-admin-auth-secret init container
+    image:
+      # repository Init container image repository
+      repository: cr.flyte.org/flyteorg/flyteadmin
+      # tag Init container image tag
+      tag: v1.1.57
+      # pullPolicy Init container image pull policy
+      pullPolicy: IfNotPresent
+    # command Override default init container command
+    command: []
+    # args Override default init container args
+    args: []
   # labels Add labels to Flyte deployment
   labels: {}
   # annotations Add annotations to Flyte deployment

charts/flyte-sandbox/Chart.lock

@@ -15,4 +15,4 @@ dependencies:
   repository: https://charts.bitnami.com/bitnami
   version: 12.1.0
 digest: sha256:ce2d6bd1488364f3ca98cc306554e479f1190ac828925af78a468a52f752449c
-generated: "2022-12-14T12:10:02.400116-08:00"
+generated: "2022-12-14T20:07:29.49547-08:00"

docker/sandbox-bundled/manifests/compiled.yaml

@@ -698,7 +698,7 @@ type: Opaque
 ---
 apiVersion: v1
 data:
-  haSharedSecret: TmlVTUpabjh5RGI5c3E3Mg==
+  haSharedSecret: ZzBxYVNHclBTTWtBWnFHNw==
   proxyPassword: ""
   proxyUsername: ""
 kind: Secret
@@ -1000,7 +1000,7 @@ spec:
     metadata:
       annotations:
         checksum/config: 044987b193c168f87ad6b75510b710dae15de36461cb822559e13e6f3bf1789a
-        checksum/secret: 5bd04f7a79cf46595637b045ca93a072b7add79ded27415becc6db6b01cdcc42
+        checksum/secret: 72a6bbe72d54584038d8aa7f79754ee807898053f9564c2beeede9fab93b7c25
       labels:
         app: docker-registry
         release: sandbox