diff --git a/charts/flyte-binary/README.md b/charts/flyte-binary/README.md
index 0a8f1f2e1b..35c2e73780 100644
--- a/charts/flyte-binary/README.md
+++ b/charts/flyte-binary/README.md
@@ -16,6 +16,12 @@ Chart for basic single Flyte executable deployment
 | commonAnnotations | object | `{}` | |
 | commonLabels | object | `{}` | |
 | configuration.annotations | object | `{}` | |
+| configuration.auth.enabled | bool | `false` | |
+| configuration.auth.internal.clientSecret | string | `""` | |
+| configuration.auth.internal.clientSecretHash | string | `""` | |
+| configuration.auth.oidc.baseUrl | string | `""` | |
+| configuration.auth.oidc.clientId | string | `""` | |
+| configuration.auth.oidc.clientSecret | string | `""` | |
 | configuration.database.dbname | string | `"flyte"` | |
 | configuration.database.host | string | `"127.0.0.1"` | |
 | configuration.database.options | string | `"sslmode=disable"` | |
@@ -54,6 +60,11 @@ Chart for basic single Flyte executable deployment
 | deployment.extraPodSpec | object | `{}` | |
 | deployment.extraVolumeMounts | list | `[]` | |
 | deployment.extraVolumes | list | `[]` | |
+| deployment.genAdminAuthSecret.args | list | `[]` | |
+| deployment.genAdminAuthSecret.command | list | `[]` | |
+| deployment.genAdminAuthSecret.image.pullPolicy | string | `"IfNotPresent"` | |
+| deployment.genAdminAuthSecret.image.repository | string | `"cr.flyte.org/flyteorg/flyteadmin"` | |
+| deployment.genAdminAuthSecret.image.tag | string | `"v1.1.57"` | |
 | deployment.image.pullPolicy | string | `"IfNotPresent"` | |
 | deployment.image.repository | string | `"ghcr.io/flyteorg/flyte-sandbox"` | |
 | deployment.image.tag | string | `"flytebinary_1007"` | |
diff --git a/charts/flyte-binary/templates/_helpers.tpl b/charts/flyte-binary/templates/_helpers.tpl
index 4f0b160eb2..c97d89f4cf 100644
--- a/charts/flyte-binary/templates/_helpers.tpl
+++ b/charts/flyte-binary/templates/_helpers.tpl
@@ -132,6 +132,20 @@ templates:
 {{- toYaml .custom | nindent 2 -}}
 {{- end -}}
 {{- end -}}
+{{/*
+Get the Secret name for Flyte admin authentication secrets.
+*/}}
+{{- define "flyte-binary.configuration.auth.adminAuthSecretName" -}}
+{{- printf "%s-admin-auth" (include "flyte-binary.fullname" .) -}}
+{{- end -}}
+
+{{/*
+Get the Secret name for Flyte authentication client secrets.
+*/}}
+{{- define "flyte-binary.configuration.auth.clientSecretName" -}}
+{{- printf "%s-client-secrets" (include "flyte-binary.fullname" .) -}}
+{{- end -}}
+
 {{/*
 Get the Flyte cluster resource templates ConfigMap name.
 */}}
diff --git a/charts/flyte-binary/templates/admin-auth-secret.yaml b/charts/flyte-binary/templates/admin-auth-secret.yaml
new file mode 100644
index 0000000000..55cdeb4564
--- /dev/null
+++ b/charts/flyte-binary/templates/admin-auth-secret.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.configuration.auth.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "flyte-binary.configuration.auth.adminAuthSecretName" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "flyte-binary.labels" . | nindent 4 }}
+ {{- if .Values.commonLabels }}
+ {{- include "flyte-binary.renderTemplate" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ annotations:
+ {{- if .Values.commonAnnotations }}
+ {{- include "flyte-binary.renderTemplate" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+type: Opaque
+{{- end }}
diff --git a/charts/flyte-binary/templates/auth-client-secret.yaml b/charts/flyte-binary/templates/auth-client-secret.yaml
new file mode 100644
index 0000000000..d58fecc193
--- /dev/null
+++ b/charts/flyte-binary/templates/auth-client-secret.yaml
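Review bot: The Secret rendered by admin-auth-secret.yaml carries no `data`, so its contents only exist once the `gen-admin-auth-secret` init container in deployment.yaml writes them, leaving the chart's rendered state and the live object permanently different. Any tool that reconciles rendered manifests against the cluster (a GitOps controller with self-heal, or a `kubectl apply` of `helm template` output) can therefore wipe the generated signing keys without anyone changing the chart, and `helm uninstall` removes them with the release. Whether Helm's own upgrade merge preserves the out-of-band `data` depends on neither manifest mentioning that field, which appears to hold here but I have not verified. I'd state the contract in the template, above `kind: Secret`: `{{/* Placeholder only: data is populated at pod start by the gen-admin-auth-secret init container, not by Helm. */}}`, and decide explicitly whether the keys should survive reinstalls (the `helm.sh/resource-policy: keep` annotation is the usual lever).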
@@ -0,0 +1,19 @@
+{{- if .Values.configuration.auth.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "flyte-binary.configuration.auth.clientSecretName" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ labels: {{- include "flyte-binary.labels" . | nindent 4 }}
+ {{- if .Values.commonLabels }}
+ {{- include "flyte-binary.renderTemplate" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+ {{- end }}
+ annotations:
+ {{- if .Values.commonAnnotations }}
+ {{- include "flyte-binary.renderTemplate" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+ {{- end }}
+type: Opaque
+stringData:
+ client_secret: {{ required "Internal client secret required when authentication is enabled" .Values.configuration.auth.internal.clientSecret | quote }}
+ oidc_client_secret: {{ required "OIDC client secret required when authentication is enabled" .Values.configuration.auth.oidc.clientSecret | quote }}
+{{- end }}
diff --git a/charts/flyte-binary/templates/configmap.yaml b/charts/flyte-binary/templates/configmap.yaml
index fa993ff18d..77af0868a9 100644
--- a/charts/flyte-binary/templates/configmap.yaml
+++ b/charts/flyte-binary/templates/configmap.yaml
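Review bot: `stringData.client_secret` and `oidc_client_secret` are taken straight from `.Values`, so the only supported way to enable auth is to pass both plaintext credentials as chart values, which then persist in the Helm release Secret and in whatever values file drives the install. The common chart convention that avoids this is an `existingSecret`-style value that skips rendering this template and lets the projected `auth` volume in deployment.yaml reference a Secret created out of band, with the `required` guards applying only when no existing Secret is named. The two key names become file names under the `/etc/secrets` mount in the main container, so a comment above `stringData:` pinning them down would help anyone supplying their own Secret, e.g. `# Key names are the file names projected into /etc/secrets; keep them stable.`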
@@ -108,6 +108,82 @@ data:
 {{- end }}
 container: {{ required "Metadata container required" .metadataContainer }}
 {{- end }}
+ {{- if.Values.configuration.auth.enabled }}
+ 004-auth.yaml: |
+ auth:
+ appAuth:
+ selfAuthServer:
+ staticClients:
+ flytepropeller:
+ client_secret: {{ required "Internal client secret hash required when authentication is enabled" .Values.configuration.auth.internal.clientSecretHash | quote }}
+ grant_types:
+ - refresh_token
+ - client_credentials
+ id: flytepropeller
+ response_types:
+ - token
+ scopes:
+ - all
+ - offline
+ - access_token
+ flyte-cli:
+ grant_types:
+ - refresh_token
+ - authorization_code
+ id: flyte-cli
+ public: true
+ redirect_uris:
+ - http://localhost:53593/callback
+ - http://localhost:12345/callback
+ response_types:
+ - code
+ - token
+ scopes:
+ - all
+ - offline
+ - access_token
+ flytectl:
+ grant_types:
+ - refresh_token
+ - authorization_code
+ id: flytectl
+ public: true
+ redirect_uris:
+ - http://localhost:53593/callback
+ - http://localhost:12345/callback
+ response_types:
+ - code
+ - token
+ scopes:
+ - all
+ - offline
+ - access_token
+ thirdPartyConfig:
+ flyteClient:
+ clientId: flytectl
+ redirectUri: http://localhost:53593/callback
+ scopes:
+ - offline
+ - all
+ authorizedUris:
+ {{- if .Values.ingress.host }}
+ - https://{{ include "flyte-binary.renderTemplate" ( dict "value" .Values.ingress.host "context" $ ) }}
+ {{- end }}
+ - http://{{ include "flyte-binary.fullname" . }}:{{ include "flyte-binary.service.httpPort" . }}
+ - http://{{ include "flyte-binary.fullname" . }}.{{ .Release.Namespace }}:{{ include "flyte-binary.service.httpPort" . }}
+ - http://{{ include "flyte-binary.fullname" . }}.{{ .Release.Namespace }}.svc:{{ include "flyte-binary.service.httpPort" . }}
+ - http://{{ include "flyte-binary.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local:{{ include "flyte-binary.service.httpPort" . }}
+ userAuth:
+ openId:
+ baseUrl: {{ required "OIDC base URL required when authentication is enabled" .Values.configuration.auth.oidc.baseUrl | quote }}
+ clientId: {{ required "OIDC client ID required when authentication is enabled" .Values.configuration.auth.oidc.clientId | quote }}
+ scopes:
+ - profile
+ - openid
+ server:
+ security:
+ useAuth: true
+ {{- end }}
 {{- if .Values.configuration.inline }}
 010-inline-config.yaml: |
 {{- include "flyte-binary.renderTemplate" ( dict "value" .Values.configuration.inline "context" $ ) | nindent 4 }}
diff --git a/charts/flyte-binary/templates/deployment.yaml b/charts/flyte-binary/templates/deployment.yaml
index 438b5985e3..3959c8511d 100644
--- a/charts/flyte-binary/templates/deployment.yaml
+++ b/charts/flyte-binary/templates/deployment.yaml
@@ -42,6 +42,10 @@ spec:
 {{- if and .Values.configuration.database.password (not .Values.configuration.externalConfigMap) }}
 checksum/db-password-secret: {{ include (print $.Template.BasePath "/db-password-secret.yaml") . | sha256sum }}
 {{- end }}
+ {{- if .Values.configuration.auth.enabled }}
+ checksum/admin-auth-secret: {{ include (print $.Template.BasePath "/admin-auth-secret.yaml") . | sha256sum }}
+ checksum/auth-client-secret: {{ include (print $.Template.BasePath "/auth-client-secret.yaml") . | sha256sum }}
+ {{- end }}
 {{- if .Values.commonAnnotations }}
 {{- include "flyte-binary.renderTemplate" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 8 }}
 {{- end }}
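Review bot: `{{- if.Values.configuration.auth.enabled }}` at the top of the configmap hunk omits the space after `if`; Go's template lexer accepts it because `.` terminates the keyword, but it is the only such spelling on the page and reads as a typo, so change it to `{{- if .Values.configuration.auth.enabled }}`. Separately, `staticClients.flytepropeller.client_secret` takes `internal.clientSecretHash` while auth-client-secret.yaml takes `internal.clientSecret`, and nothing checks that the two belong together; a mismatch only surfaces at runtime as a failed propeller login, so a comment on that line, `# must be the bcrypt hash of configuration.auth.internal.clientSecret`, would save a debugging round. The hard-coded `http://localhost:...` redirect URIs and the plain `http://` in-cluster `authorizedUris` look like sandbox defaults; if this chart is meant for anything beyond that, they are the first values a deployer will need to override, presumably via `configuration.inline`, and that is worth saying in the chart docs.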
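Review bot: `checksum/admin-auth-secret` hashes the rendered admin-auth-secret.yaml, which contains only metadata and `type: Opaque`, so the annotation changes when labels or annotations change and never when the generated key material does. That is acceptable for a placeholder Secret, but the annotation name invites the wrong expectation that a key rotation rolls the pods; a one-line comment above it would prevent that: `# admin-auth-secret is an empty placeholder filled by the init container; this checksum tracks its metadata only.`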
@@ -91,6 +95,43 @@ spec:
 resources: {{- toYaml .Values.deployment.resources | nindent 12 }}
 {{- end }}
 {{- end }}
+ {{- if .Values.configuration.auth.enabled }}
+ - name: gen-admin-auth-secret
+ {{- with .Values.deployment.genAdminAuthSecret.image }}
+ image: {{ printf "%s:%s" .repository .tag | quote }}
+ imagePullPolicy: {{ .pullPolicy | quote }}
+ {{- end }}
+ command:
+ {{- if .Values.deployment.genAdminAuthSecret.command }}
+ {{- include "flyte-binary.renderTemplate" (dict "value" .Values.deployment.genAdminAuthSecret.command "context" $) | nindent 12 }}
+ {{- else }}
+ - sh
+ - -ec
+ {{- end }}
+ args:
+ {{- if .Values.deployment.genAdminAuthSecret.args }}
+ {{- include "flyte-binary.renderTemplate" (dict "value" .Values.deployment.genAdminAuthSecret.args "context" $) | nindent 12 }}
+ {{- else }}
+ - |
+ flyteadmin --config=/etc/flyte/config.d/*.yaml \
+ secrets init --localPath /tmp/admin-auth-secret
+ flyteadmin --config=/etc/flyte/config.d/*.yaml \
+ secrets create \
+ --name {{ include "flyte-binary.configuration.auth.adminAuthSecretName" . }} \
+ --fromPath /tmp/admin-auth-secret
+ {{- end }}
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ volumeMounts:
+ - name: config
+ mountPath: /etc/flyte/config.d
+ {{- if .Values.deployment.resources }}
+ resources: {{- toYaml .Values.deployment.resources | nindent 12 }}
+ {{- end }}
+ {{- end }}
 {{- if .Values.deployment.initContainers }}
 {{- include "flyte-binary.renderTemplate" ( dict "value" .Values.deployment.initContainers "context" $ ) | nindent 8 }}
 {{- end }}
@@ -168,6 +209,10 @@ spec:
 lifecycle: {{- include "flyte-binary.renderTemplate" (dict "value" .Values.deployment.lifecycleHooks "context" $) | nindent 12 }}
 {{- end }}
 volumeMounts:
+ {{- if .Values.configuration.auth.enabled }}
+ - name: auth
+ mountPath: /etc/secrets
+ {{- end }}
 - name: cluster-resource-templates
 mountPath: /etc/flyte/cluster-resource-templates
 - name: config
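Review bot: The default `args` run `flyteadmin ... secrets create --name ... --fromPath /tmp/admin-auth-secret` from inside the pod, which, assuming that subcommand writes a Kubernetes Secret as its name and the `POD_NAMESPACE` env var suggest, requires the Deployment's ServiceAccount to have create/update on `secrets` in the release namespace; no Role or RoleBinding change is part of this diff, so either the chart already grants that elsewhere or auth-enabled installs will fail in the init container. Write access to Secrets for the main workload's ServiceAccount is broader than this one-time generation needs, so it deserves a comment on the init container and ideally a dedicated, narrowly bound ServiceAccount. It is also not visible from the hunk what `secrets create` does when the Secret already holds keys from an earlier pod start: if it errors, every restart crash-loops the init container; if it overwrites, every restart rotates the admin signing keys and invalidates previously issued tokens. I'd pin that down next to the script with `# Restart behaviour: TODO confirm whether `secrets create` skips or overwrites an existing Secret.` Note too that the init container reuses `.Values.deployment.resources`, the main container's sizing, which is probably more than it needs.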
@@ -186,6 +231,15 @@ spec:
 {{- include "flyte-binary.renderTemplate" ( dict "value" .Values.deployment.sidecars "context" $ ) | nindent 8 }}
 {{- end }}
 volumes:
+ {{- if .Values.configuration.auth.enabled }}
+ - name: auth
+ projected:
+ sources:
+ - secret:
+ name: {{ include "flyte-binary.configuration.auth.adminAuthSecretName" . }}
+ - secret:
+ name: {{ include "flyte-binary.configuration.auth.clientSecretName" . }}
+ {{- end }}
 - name: cluster-resource-templates
 configMap:
 name: {{ include "flyte-binary.clusterResourceTemplates.configMapName" . }}
diff --git a/charts/flyte-binary/values.yaml b/charts/flyte-binary/values.yaml
index 39140a97f0..7ed6180e21 100644
--- a/charts/flyte-binary/values.yaml
+++ b/charts/flyte-binary/values.yaml
@@ -73,6 +73,24 @@ configuration:
 enabled: false
 templateUri: ""
 custom: []
+ # auth Specify configuration for Flyte authentication
+ auth:
+ # enabled Enable Flyte authentication
+ enabled: false
+ # oidc OIDC configuration for Flyte authentication
+ oidc:
+ # baseUrl URL for OIDC provider
+ baseUrl: ""
+ # clientId Flyte application client ID
+ clientId: ""
+ # clientSecret Flyte application client secret
+ clientSecret: ""
+ # internal Configuration for internal authentication
+ internal:
+ # clientSecret Client secret for internal authentication
+ clientSecret: ""
+ # clientSecretHash Bcrypt hash of of clientSecret
+ clientSecretHash: ""
 # externalConfigMap Specify an existing, external ConfigMap to use as configuration for Flyte
 # If set, this no ConfigMap generated by this chart
 externalConfigMap: ""
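Review bot: The comment on `clientSecretHash` in the values.yaml hunk reads `Bcrypt hash of of clientSecret`; drop the doubled `of`, and since this block has two keys named `clientSecret` it should say which one: `# clientSecretHash Bcrypt hash of internal.clientSecret`. `oidc.clientSecret` and `internal.clientSecret` are plaintext credentials in values.yaml that the chart renders into a Secret and Helm retains in release history, so a comment stating that, and pointing to passing them via `--set-file` or a separate values file kept out of version control, would help deployers avoid committing them. The `enabled`/`oidc`/`internal` comments are otherwise fine; the empty description column for these keys in the README hunk suggests the README generator does not pick up this comment format, which may be worth checking.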
@@ -156,6 +174,20 @@ deployment:
 command: []
 # args Override default init container args
 args: []
+ # genAdminAuthSecret Configure init container to generate secrets for internal use
+ genAdminAuthSecret:
+ # image Configure image to use for gen-admin-auth-secret init container
+ image:
+ # repository Init container image repository
+ repository: cr.flyte.org/flyteorg/flyteadmin
+ # tag Init container image tag
+ tag: v1.1.57
+ # pullPolicy Init container image pull policy
+ pullPolicy: IfNotPresent
+ # command Override default init container command
+ command: []
+ # args Override default init container args
+ args: []
 # labels Add labels to Flyte deployment
 labels: {}
 # annotations Add annotations to Flyte deployment
diff --git a/charts/flyte-sandbox/Chart.lock b/charts/flyte-sandbox/Chart.lock
index 115e6f3883..9b192cad1d 100644
--- a/charts/flyte-sandbox/Chart.lock
+++ b/charts/flyte-sandbox/Chart.lock
@@ -15,4 +15,4 @@ dependencies:
 repository: https://charts.bitnami.com/bitnami
 version: 12.1.0
 digest: sha256:ce2d6bd1488364f3ca98cc306554e479f1190ac828925af78a468a52f752449c
-generated: "2022-12-14T12:10:02.400116-08:00"
+generated: "2022-12-14T20:07:29.49547-08:00"
diff --git a/charts/flyte-sandbox/charts/flyte-binary-0.1.0.tgz b/charts/flyte-sandbox/charts/flyte-binary-0.1.0.tgz
index a3b36300ed..9e4bbebd6e 100644
Binary files a/charts/flyte-sandbox/charts/flyte-binary-0.1.0.tgz and b/charts/flyte-sandbox/charts/flyte-binary-0.1.0.tgz differ
diff --git a/docker/sandbox-bundled/manifests/compiled.yaml b/docker/sandbox-bundled/manifests/compiled.yaml
index 25723382e0..842449edad 100644
--- a/docker/sandbox-bundled/manifests/compiled.yaml
+++ b/docker/sandbox-bundled/manifests/compiled.yaml
@@ -698,7 +698,7 @@ type: Opaque
 ---
 apiVersion: v1
 data:
- haSharedSecret: TmlVTUpabjh5RGI5c3E3Mg==
+ haSharedSecret: ZzBxYVNHclBTTWtBWnFHNw==
 proxyPassword: ""
 proxyUsername: ""
 kind: Secret
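Review bot: `genAdminAuthSecret.image` pins `cr.flyte.org/flyteorg/flyteadmin:v1.1.57`, a different image and version line from the `ghcr.io/flyteorg/flyte-sandbox:flytebinary_1007` the main container uses per the README hunk, yet the Secret this init container writes is projected into that main container under `/etc/secrets` and presumably read by it; nothing on the page ties the two versions together, so bumping either can silently break key-format compatibility. I'd add above `image:` a comment such as `# Must stay compatible with deployment.image: the secrets this flyteadmin writes are consumed by the flyte binary.`, and mention in the chart docs that `tag` can be replaced by a digest for reproducible, auditable installs.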
@@ -1000,7 +1000,7 @@ spec:
 metadata:
 annotations:
 checksum/config: 044987b193c168f87ad6b75510b710dae15de36461cb822559e13e6f3bf1789a
- checksum/secret: 5bd04f7a79cf46595637b045ca93a072b7add79ded27415becc6db6b01cdcc42
+ checksum/secret: 72a6bbe72d54584038d8aa7f79754ee807898053f9564c2beeede9fab93b7c25
 labels:
 app: docker-registry
 release: sandbox