Upstream revert revert auth token fix #5407

Merged (15 commits), May 31, 2024. Changes shown from 13 commits.
33 changes: 33 additions & 0 deletions .github/workflows/flytectl-install.yml
@@ -0,0 +1,33 @@
name: Flytectl-specific checks

concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true

on:
pull_request:
paths:
- flytectl/**
push:
branches:
- master

jobs:
install-script:
name: Install script
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
version:
- v0.8.20
- latest
# Test the case where no version is specified
- " "
steps:
- uses: actions/checkout@v4
- run: |
chmod +x ./flytectl/install.sh
./flytectl/install.sh ${{ matrix.version }}
./bin/flytectl version
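Review bot: the last step only prints `./bin/flytectl version`, so a regression where `install.sh` ignores the requested `matrix.version` (installing `latest` when `v0.8.20` was asked for) would still pass; for the pinned matrix entry, compare the printed version against `matrix.version` and fail the job on mismatch. Since this workflow runs on every PR touching `flytectl/**`, also consider pinning `actions/checkout@v4` to a full commit SHA instead of a mutable tag.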

7 changes: 5 additions & 2 deletions charts/flyte-core/README.md
Expand Up @@ -195,8 +195,11 @@ helm install gateway bitnami/contour -n flyte
| flyteadmin.serviceMonitor.scrapeTimeout | string | `"30s"` | Sets the timeout after which request to scrape metrics will time out |
| flyteadmin.tolerations | list | `[]` | tolerations for Flyteadmin deployment |
| flyteagent.enabled | bool | `false` | |
| flyteagent.plugin_config.plugins.agentService.defaultAgent.endpoint | string | `"dns:///flyteagent.flyte.svc.cluster.local:8000"` | |
| flyteagent.plugin_config.plugins.agentService.defaultAgent.insecure | bool | `true` | |
| flyteagent.plugin_config.plugins.agent-service | object | `{"defaultAgent":{"endpoint":"dns:///flyteagent.flyte.svc.cluster.local:8000","insecure":true},"supportedTaskTypes":["sensor"]}` | Agent service configuration for propeller. |
| flyteagent.plugin_config.plugins.agent-service.defaultAgent | object | `{"endpoint":"dns:///flyteagent.flyte.svc.cluster.local:8000","insecure":true}` | The default agent service to use for plugin tasks. |
| flyteagent.plugin_config.plugins.agent-service.defaultAgent.endpoint | string | `"dns:///flyteagent.flyte.svc.cluster.local:8000"` | The agent service endpoint propeller should connect to. |
| flyteagent.plugin_config.plugins.agent-service.defaultAgent.insecure | bool | `true` | Whether the connection from propeller to the agent service should use TLS. |
| flyteagent.plugin_config.plugins.agent-service.supportedTaskTypes | list | `["sensor"]` | The task types supported by the default agent. |
| flyteagent.podLabels | object | `{}` | Labels for flyteagent pods |
| flyteconsole.affinity | object | `{}` | affinity for Flyteconsole deployment |
| flyteconsole.enabled | bool | `true` | |
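Review bot: the description for `flyteagent.plugin_config.plugins.agent-service.defaultAgent.insecure` reads as inverted: the default is `true` and the text says the connection "should use TLS", while `insecure: true` on a gRPC client means TLS is not used. Reword to something like "Whether to connect to the agent service without TLS (true = plaintext)", so an operator reading the table does not assume the default propeller-to-agent connection is encrypted.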
11 changes: 10 additions & 1 deletion charts/flyte-core/values.yaml
Expand Up @@ -279,10 +279,19 @@ flyteagent:
enabled: false
plugin_config:
plugins:
agentService:
# -- Agent service configuration for propeller.
agent-service:
# -- The default agent service to use for plugin tasks.
defaultAgent:
# -- The agent service endpoint propeller should connect to.
endpoint: "dns:///flyteagent.flyte.svc.cluster.local:8000"
# -- Whether the connection from propeller to the agent service should use TLS.
insecure: true
# -- The task types supported by the default agent.
supportedTaskTypes:
- sensor
# -- Uncomment to enable task type that uses Flyte Agent
# - bigquery_query_job_task
# -- Labels for flyteagent pods
podLabels: {}
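Review bot: the `# -- Whether the connection from propeller to the agent service should use TLS.` comment above `insecure: true` has the same inverted wording as the README table, and the table entries match these `# --` comments word for word, so fix it here as well. Separately, renaming the key from `agentService` to `agent-service` is a breaking change for anyone overriding the old key in their own values file: Helm will keep their `agentService` block without complaint and the new `agent-service` defaults (including `insecure: true` and `supportedTaskTypes: [sensor]`) will apply instead, so this deserves an upgrade note.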

62 changes: 26 additions & 36 deletions docs/deployment/configuration/auth_setup.rst
Expand Up @@ -172,7 +172,7 @@ Apply OIDC Configuration
oidc:
# baseUrl: https://accounts.google.com # Uncomment for Google
# baseUrl: https://<keycloak-url>/auth/realms/<keycloak-realm> # Uncomment for Keycloak and update with your installation host and realm name
# baseUrl: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize # Uncomment for Azure AD
# baseUrl: https://login.microsoftonline.com/<tenant-id>/v2.0 # Uncomment for Azure AD
# For Okta use the Issuer URI from Okta's default auth server
baseUrl: https://dev-<org-id>.okta.com/oauth2/default
# Replace with the client ID and secret created for Flyte in your IdP
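Review bot: the corrected Azure AD value `https://login.microsoftonline.com/<tenant-id>/v2.0` is the issuer, which is what `baseUrl` needs for discovery; the old value pointed at the `/oauth2/v2.0/authorize` endpoint, which is only one of the endpoints discovery returns. The same comment line is repeated in four more places in this file (all corrected in this PR), which is how the wrong URL was replicated in the first place; consider keeping one example block per IdP and referring to it, or at least adding a one-line note that `baseUrl` must be the issuer URI and not an authorize endpoint.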
Expand Down Expand Up @@ -488,7 +488,7 @@ Follow the steps in this section to configure `flyteadmin` to use an external au
enabled: true
oidc:
# baseUrl: https://<keycloak-url>/auth/realms/<keycloak-realm> # Uncomment for Keycloak and update with your installation host and realm name
# baseUrl: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize # Uncomment for Azure AD
# baseUrl: https://login.microsoftonline.com/<tenant-id>/v2.0 # Uncomment for Azure AD
# For Okta, use the Issuer URI of the custom auth server:
baseUrl: https://dev-<org-id>.okta.com/oauth2/<auth-server-id>
# Use the client ID and secret generated by your IdP for the first OIDC registration in the "Identity Management layer : OIDC" section of this guide
Expand Down Expand Up @@ -516,7 +516,7 @@ Follow the steps in this section to configure `flyteadmin` to use an external au
authServerType: External
externalAuthServer:
# baseUrl: https://<keycloak-url>/auth/realms/<keycloak-realm> # Uncomment for Keycloak and update with your installation host and realm name
# baseUrl: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize # Uncomment for Azure AD
# baseUrl: https://login.microsoftonline.com/<tenant-id>/v2.0 # Uncomment for Azure AD
# For Okta, use the Issuer URI of the custom auth server:
baseUrl: https://dev-<org-id>.okta.com/oauth2/<auth-server-id>
metadataUrl: .well-known/oauth-authorization-server
Expand All @@ -531,8 +531,8 @@ Follow the steps in this section to configure `flyteadmin` to use an external au
userAuth:
openId:
# baseUrl: https://<keycloak-url>/auth/realms/<keycloak-realm> # Uncomment for Keycloak and update with your installation host and realm name
# baseUrl: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize # Uncomment for Azure AD
# For Okta, use the Issuer URI of the custom auth server:
# baseUrl: https://login.microsoftonline.com/<tenant-id>/v2.0 # Uncomment for Azure AD
# For Okta, use the Issuer URI of the custom auth server:
baseUrl: https://dev-<org-id>.okta.com/oauth2/<auth-server-id>
scopes:
- profile
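Review bot: in this hunk the `# For Okta, use the Issuer URI of the custom auth server:` line is shown as removed and re-added with identical text, which points to an indentation or trailing-whitespace change rather than a content change; confirm the comment still lines up with the surrounding `openId:` keys, since misaligned lines in a YAML example tend to be copied verbatim into real configs.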
Expand Down Expand Up @@ -568,39 +568,29 @@ Follow the steps in this section to configure `flyteadmin` to use an external au

authServerType: External

# 2. Optional: Set external auth server baseUrl if different from OpenId baseUrl.
externalAuthServer:
# baseUrl: https://<keycloak-url>/auth/realms/<keycloak-realm> # Uncomment for Keycloak and update with your installation host and realm name
# baseUrl: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize # Uncomment for Azure AD
# For Okta, use the Issuer URI of the custom auth server:
baseUrl: https://dev-<org-id>.okta.com/oauth2/<auth-server-id>

metadataUrl: .well-known/openid-configuration

thirdPartyConfig:
flyteClient:
# 3. Replace with a new Native/Public Client ID provisioned in the custom authorization server.
clientId: flytectl
# This should not change
redirectUri: http://localhost:53593/callback
# 4. "all" is a required scope and must be configured in the custom authorization server.
scopes:
- offline
- all

userAuth:
openId:
# baseUrl: https://<keycloak-url>/auth/realms/<keycloak-realm> # Uncomment for Keycloak and update with your installation host and realm name
# baseUrl: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize # Uncomment for Azure AD
# For Okta, use the Issuer URI of the custom auth server:
baseUrl: https://dev-<org-id>.okta.com/oauth2/<auth-server-id>
scopes:
- profile
- openid
# - offline_access # Uncomment if OIdC supports issuing refresh tokens.
clientId: <client id>
# 2. Optional: Set external auth server baseUrl if different from OpenId baseUrl.
externalAuthServer:
# baseUrl: https://<keycloak-url>/auth/realms/<keycloak-realm> # Uncomment for Keycloak and update with your installation host and realm name
# baseUrl: https://login.microsoftonline.com/<tenant-id>/v2.0 # Uncomment for Azure AD
# For Okta, use the Issuer URI of the custom auth server:
baseUrl: https://dev-<org-id>.okta.com/oauth2/<auth-server-id>

metadataUrl: .well-known/openid-configuration


userAuth:
openId:
# baseUrl: https://<keycloak-url>/auth/realms/<keycloak-realm> # Uncomment for Keycloak and update with your installation host and realm name
# baseUrl: https://login.microsoftonline.com/<tenant-id>/v2.0 # Uncomment for Azure AD
# For Okta, use the Issuer URI of the custom auth server:
baseUrl: https://dev-<org-id>.okta.com/oauth2/<auth-server-id>
scopes:
- profile
- openid
# - offline_access # Uncomment if OIdC supports issuing refresh tokens.
clientId: <client id>


secrets:
adminOauthClientCredentials:
enabled: true # see the section "Disable Helm secret management" if you require to do so
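Review bot: this hunk drops the whole `thirdPartyConfig.flyteClient` block together with the numbered comments `# 3. Replace with a new Native/Public Client ID...` and `# 4. "all" is a required scope...`, so `# 2. Optional:` is now the last step and the reader is no longer told where the public client ID (`flytectl`), the fixed `redirectUri: http://localhost:53593/callback` and the required `all` scope are configured. If that configuration now lives elsewhere or is supplied by the custom auth server, say so in the prose above this example; otherwise the requirement from the old comment that `all` must be configured in the custom authorization server is silently lost and CLI logins will fail with no pointer to the cause.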
4 changes: 2 additions & 2 deletions docs/deployment/plugins/k8s/index.rst
Expand Up @@ -17,11 +17,11 @@ Select the integration you need and follow the steps to install the correspondin

.. group-tab:: PyTorch/TensorFlow/MPI

1. Install the `Kubeflow training-operator <https://github.com/kubeflow/training-operator?tab=readme-ov-file#kubeflow-training-operator>`__:
1. Install the `Kubeflow training-operator <https://github.com/kubeflow/training-operator?tab=readme-ov-file#stable-release>`__ (Please install the stable release):

.. code-block:: bash

kubectl apply -k "github.com/kubeflow/training-operator/manifests/overlays/standalone"
kubectl apply -k "github.com/kubeflow/training-operator/manifests/overlays/standalone?ref=v1.7.0"

**Optional: Using a gang scheduler**
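Review bot: pinning the manifests to `?ref=v1.7.0` instead of the branch head is the right direction, but a git tag is mutable; if the goal is reproducible installs, pin to the commit SHA the tag resolves to, and state the version in the prose so the link text and the command cannot drift apart. Minor: "(Please install the stable release)" reads as an instruction inside a link caption; "the stable release (v1.7.0 at the time of writing)" is clearer.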

9 changes: 4 additions & 5 deletions docs/flyte_agents/developing_agents.md
Expand Up @@ -140,14 +140,13 @@ You can test your agent in a {ref}`local Python environment <testing_agents_loca
The following is a sample Dockerfile for building an image for a Flyte agent:

```Dockerfile
FROM python:3.9-slim-buster
FROM python:3.10-slim-bookworm

MAINTAINER Flyte Team <[email protected]>
LABEL org.opencontainers.image.source=https://github.com/flyteorg/flytekit

WORKDIR /root
ENV PYTHONPATH /root

# additional dependencies for running in k8s
RUN pip install prometheus-client grpcio-health-checking
# flytekit will autoload the agent if package is installed.
RUN pip install flytekitplugins-bigquery
CMD pyflyte serve agent --port 8000
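Review bot: removing `RUN pip install prometheus-client grpcio-health-checking` relies on flytekit pulling both in transitively; the removed comment says they are needed for running in k8s, so if the agent is deployed with gRPC health probes, confirm `grpcio-health-checking` is a declared dependency of the installed packages before dropping it. Two further points in this sample Dockerfile: the remaining `pip install flytekitplugins-bigquery` is unpinned, so the image is not reproducible, and the container runs as root (`WORKDIR /root`, no `USER` directive); pinned versions plus a non-root `USER` would make the sample worth copying as-is.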
Expand Down Expand Up @@ -193,7 +192,7 @@ By running agents independently, you can thoroughly test and validate your agent
controlled environment before deploying them to the production cluster.

By default, all agent requests will be sent to the default agent service. However,
you can route particular task requests to designated agent services by adjusting the FlytePropeller configuration.
you can route particular task requests to designated agent services by adjusting the FlytePropeller configuration.

```yaml
plugins:
8 changes: 4 additions & 4 deletions flytectl/cmd/core/cmd.go
Expand Up @@ -73,10 +73,10 @@ func generateCommandFunc(cmdEntry CommandEntry) func(cmd *cobra.Command, args []
cmdCtx := NewCommandContextNoClient(cmd.OutOrStdout())
if !cmdEntry.DisableFlyteClient {
clientSet, err := admin.ClientSetBuilder().WithConfig(admin.GetConfig(ctx)).
WithTokenCache(pkce.TokenCacheKeyringProvider{
ServiceUser: fmt.Sprintf("%s:%s", adminCfg.Endpoint.String(), pkce.KeyRingServiceUser),
ServiceName: pkce.KeyRingServiceName,
}).Build(ctx)
WithTokenCache(pkce.NewTokenCacheKeyringProvider(
pkce.KeyRingServiceName,
fmt.Sprintf("%s:%s", adminCfg.Endpoint.String(), pkce.KeyRingServiceUser),
)).Build(ctx)
if err != nil {
return err
}
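Review bot: `pkce.NewTokenCacheKeyringProvider` takes two positional strings, and the call passes `pkce.KeyRingServiceName` first and the `endpoint:KeyRingServiceUser` value second, the opposite order from the fields in the removed struct literal (`ServiceUser` then `ServiceName`). If the constructor's parameter order is the other way round the code still compiles, but tokens would be stored under a keyring entry with service and user swapped: the cache would miss on every run, and the cached token would no longer be scoped to the admin endpoint. Please double-check the constructor signature and consider a short comment naming the two arguments at the call site.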