From fc5cd5e166e92a2d0e8c5af81b651015c11f274a Mon Sep 17 00:00:00 2001
From: ddl-ebrown
Date: Tue, 5 Mar 2024 22:47:58 -0800
Subject: [PATCH] Flyte-core flyteadmin / datacatalog expose ports

- Flyteadmin setting for the grpc port is nested and grpcPort should not be used. Address incorrect config / documentation
- Both flyteadmin and datacatalog have configurable ports to use for HTTP and GRPC, but the k8s spec for the containers doesn't expose matching ports. Fix that!

Signed-off-by: ddl-ebrown
---
charts/flyte-core/README.md | 2 +-
.../templates/admin/deployment.yaml | 4 +-
.../templates/datacatalog/deployment.yaml | 4 +-
charts/flyte-core/values-eks.yaml | 5 +-
charts/flyte-core/values-gcp.yaml | 3 +-
...loak-idp-flyteclients-without-browser.yaml | 11 +-
charts/flyte-core/values.yaml | 3 +-
charts/flyte/README.md | 6 +-
charts/flyte/values.yaml | 3 +-
.../flyte_aws_scheduler_helm_generated.yaml | 7 +-
deployment/eks/flyte_generated.yaml | 3 +-
.../flyte_helm_controlplane_generated.yaml | 9 +-
deployment/eks/flyte_helm_generated.yaml | 9 +-
deployment/gcp/flyte_generated.yaml | 3 +-
.../flyte_helm_controlplane_generated.yaml | 9 +-
deployment/gcp/flyte_helm_generated.yaml | 9 +-
deployment/sandbox/flyte_generated.yaml | 3 +-
deployment/sandbox/flyte_helm_generated.yaml | 9 +-
deployment/test/flyte_generated.yaml | 3 +-
.../manifests/complete-agent.yaml | 4 +-
.../sandbox-bundled/manifests/complete.yaml | 4 +-
docker/sandbox-bundled/manifests/dev.yaml | 4 +-
docs/deployment/configuration/auth_setup.rst | 231 +++++++++---------
flyteadmin/flyteadmin_config.yaml | 3 +-
.../script/integration/k8s/integration.yaml | 3 +-
.../headless/config/admin/server.yaml | 3 +-
26 files changed, 188 insertions(+), 169 deletions(-)

diff --git a/charts/flyte-core/README.md b/charts/flyte-core/README.md
index 5f0e3dcbb52..c6717e29b35 100644
--- a/charts/flyte-core/README.md
+++ b/charts/flyte-core/README.md
@@ -87,7 +87,7 @@ helm install gateway bitnami/contour -n flyte
 | common.ingress.tls | object | `{"enabled":false}` | - Ingress hostname host: |
 | common.ingress.webpackHMR | bool | `false` | - Enable or disable HMR route to flyteconsole. This is useful only for frontend development. |
 | configmap.admin | object | `{"admin":{"clientId":"{{ .Values.secrets.adminOauthClientCredentials.clientId }}","clientSecretLocation":"/etc/secrets/client_secret","endpoint":"flyteadmin:81","insecure":true},"event":{"capacity":1000,"rate":500,"type":"admin"}}` | Admin Client configuration [structure](https://pkg.go.dev/github.com/flyteorg/flytepropeller/pkg/controller/nodes/subworkflow/launchplan#AdminConfig) |
-| configmap.adminServer | object | `{"auth":{"appAuth":{"thirdPartyConfig":{"flyteClient":{"clientId":"flytectl","redirectUri":"http://localhost:53593/callback","scopes":["offline","all"]}}},"authorizedUris":["https://localhost:30081","http://flyteadmin:80","http://flyteadmin.flyte.svc.cluster.local:80"],"userAuth":{"openId":{"baseUrl":"https://accounts.google.com","clientId":"657465813211-6eog7ek7li5k7i7fvgv2921075063hpe.apps.googleusercontent.com","scopes":["profile","openid"]}}},"flyteadmin":{"eventVersion":2,"metadataStoragePrefix":["metadata","admin"],"metricsScope":"flyte:","profilerPort":10254,"roleNameKey":"iam.amazonaws.com/role","testing":{"host":"http://flyteadmin"}},"server":{"grpcPort":8089,"httpPort":8088,"security":{"allowCors":true,"allowedHeaders":["Content-Type","flyte-authorization"],"allowedOrigins":["*"],"secure":false,"useAuth":false}}}` | FlyteAdmin server configuration |
+| configmap.adminServer | object | `{"auth":{"appAuth":{"thirdPartyConfig":{"flyteClient":{"clientId":"flytectl","redirectUri":"http://localhost:53593/callback","scopes":["offline","all"]}}},"authorizedUris":["https://localhost:30081","http://flyteadmin:80","http://flyteadmin.flyte.svc.cluster.local:80"],"userAuth":{"openId":{"baseUrl":"https://accounts.google.com","clientId":"657465813211-6eog7ek7li5k7i7fvgv2921075063hpe.apps.googleusercontent.com","scopes":["profile","openid"]}}},"flyteadmin":{"eventVersion":2,"metadataStoragePrefix":["metadata","admin"],"metricsScope":"flyte:","profilerPort":10254,"roleNameKey":"iam.amazonaws.com/role","testing":{"host":"http://flyteadmin"}},"server":{"grpc":{"port":8089},"httpPort":8088,"security":{"allowCors":true,"allowedHeaders":["Content-Type","flyte-authorization"],"allowedOrigins":["*"],"secure":false,"useAuth":false}}}` | FlyteAdmin server configuration |
 | configmap.adminServer.auth | object | `{"appAuth":{"thirdPartyConfig":{"flyteClient":{"clientId":"flytectl","redirectUri":"http://localhost:53593/callback","scopes":["offline","all"]}}},"authorizedUris":["https://localhost:30081","http://flyteadmin:80","http://flyteadmin.flyte.svc.cluster.local:80"],"userAuth":{"openId":{"baseUrl":"https://accounts.google.com","clientId":"657465813211-6eog7ek7li5k7i7fvgv2921075063hpe.apps.googleusercontent.com","scopes":["profile","openid"]}}}` | Authentication configuration |
 | configmap.adminServer.server.security.secure | bool | `false` | Controls whether to serve requests over SSL/TLS. |
 | configmap.adminServer.server.security.useAuth | bool | `false` | Controls whether to enforce authentication. Follow the guide in https://docs.flyte.org/ on how to setup authentication. |
diff --git a/charts/flyte-core/templates/admin/deployment.yaml b/charts/flyte-core/templates/admin/deployment.yaml
index dc61d29c28e..23ea9966dfc 100755
--- a/charts/flyte-core/templates/admin/deployment.yaml
+++ b/charts/flyte-core/templates/admin/deployment.yaml
@@ -151,8 +151,8 @@ spec:
 imagePullPolicy: "{{ .Values.flyteadmin.image.pullPolicy }}"
 name: flyteadmin
 ports:
- - containerPort: 8088
- - containerPort: 8089
+ - containerPort: {{ .Values.configmap.adminServer.server.httpPort }}
+ - containerPort: {{ .Values.configmap.adminServer.server.grpc.port }}
 - containerPort: {{ .Values.configmap.adminServer.flyteadmin.profilerPort }}
 readinessProbe:
 exec:
diff --git a/charts/flyte-core/templates/datacatalog/deployment.yaml b/charts/flyte-core/templates/datacatalog/deployment.yaml
index 94e096466d9..c58452f4ce9 100644
--- a/charts/flyte-core/templates/datacatalog/deployment.yaml
+++ b/charts/flyte-core/templates/datacatalog/deployment.yaml
@@ -66,8 +66,8 @@ spec:
 imagePullPolicy: "{{ .Values.datacatalog.image.pullPolicy }}"
 name: datacatalog
 ports:
- - containerPort: 8088
- - containerPort: 8089
+ - containerPort: {{ .Values.configmap.datacatalogServer.application.httpPort }}
+ - containerPort: {{ .Values.configmap.datacatalogServer.application.grpcPort }}
 - containerPort: {{ index .Values.configmap.datacatalogServer.datacatalog "profiler-port" }}
 securityContext:
 allowPrivilegeEscalation: false
diff --git a/charts/flyte-core/values-eks.yaml b/charts/flyte-core/values-eks.yaml
index b05cd1f61cc..db1fb5f9123 100644
--- a/charts/flyte-core/values-eks.yaml
+++ b/charts/flyte-core/values-eks.yaml
@@ -147,7 +147,7 @@ common:
 kubernetes.io/ingress.class: alb
 alb.ingress.kubernetes.io/tags: service_instance=production
 alb.ingress.kubernetes.io/scheme: internet-facing
- alb.ingress.kubernetes.io/target-type: ip
+ alb.ingress.kubernetes.io/target-type: ip
 # -- This is the certificate arn of the cert imported in AWS certificate manager.
 alb.ingress.kubernetes.io/certificate-arn: "{{ .Values.userSettings.certificateArn }}"
 alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
@@ -216,7 +216,8 @@ configmap:
 adminServer:
 server:
 httpPort: 8088
- grpcPort: 8089
+ grpc:
+ port: 8089
 security:
 secure: false
 useAuth: false
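Review bot: The new `containerPort: {{ .Values.configmap.adminServer.server.grpc.port }}` line reads the nested key this commit introduces, but an override file still carrying the flat `grpcPort` key that the commit message says "should not be used" merges cleanly with the chart defaults, so the pod keeps exposing the default 8089 and, presumably, the rendered flyteadmin config keeps ignoring the stale key without any signal to the operator. A guard at the top of the ports block would turn that silent drift into an install-time error: `{{- if .Values.configmap.adminServer.server.grpcPort }}{{ fail "configmap.adminServer.server.grpcPort is no longer read; set configmap.adminServer.server.grpc.port" }}{{- end }}`. Note also that `containerPort` is declarative only; if the flyteadmin Service template (not in this patch) still hard-codes `targetPort` 8088/8089, changing `httpPort` or `grpc.port` in values would leave the Service pointing at a port nothing listens on, so the same values should feed it. The container spec this hunk sits in starts before the hunk.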
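Review bot: In the datacatalog hunk the HTTP `containerPort` moves from the hard-coded 8088 to `configmap.datacatalogServer.application.httpPort`, and the charts/flyte README hunk later in this patch shows that default as 8080; if flyte-core's values carry the same default, this hunk changes the rendered manifest rather than merely parameterising it, which is the right outcome but deserves a sentence in the commit message. The three port entries also carry no `name:`; naming them (`name: http`, `name: grpc`, `name: profiler`) would let the Service and any probes reference ports by name instead of repeating the values lookups, including the `index ... "profiler-port"` form. The container spec starts before the hunk.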
diff --git a/charts/flyte-core/values-gcp.yaml b/charts/flyte-core/values-gcp.yaml
index 4051fb23b92..3ae72645ebc 100644
--- a/charts/flyte-core/values-gcp.yaml
+++ b/charts/flyte-core/values-gcp.yaml
@@ -232,7 +232,8 @@ configmap:
 adminServer:
 server:
 httpPort: 8088
- grpcPort: 8089
+ grpc:
+ port: 8089
 security:
 secure: false
 useAuth: false
diff --git a/charts/flyte-core/values-keycloak-idp-flyteclients-without-browser.yaml b/charts/flyte-core/values-keycloak-idp-flyteclients-without-browser.yaml
index 380db08be71..2703be69d52 100644
--- a/charts/flyte-core/values-keycloak-idp-flyteclients-without-browser.yaml
+++ b/charts/flyte-core/values-keycloak-idp-flyteclients-without-browser.yaml
@@ -81,7 +81,7 @@ flyteadmin:
 - configMap:
 name: sslcerts # name of the ca-certificates.crt configmap in the cluster
 name: sslcerts
- additionalVolumeMounts:
+ additionalVolumeMounts:
 - mountPath: /etc/ssl/certs/ # where to mount the above certificate
 name: sslcerts
 # -- Appends extra command line arguments to the serve command
@@ -459,11 +459,11 @@ configmap:
 console:
 BASE_URL: /console
 CONFIG_DIR: /etc/flyte/config
-
+
 logger:
 show-source: true
 level: 6
-
+
 # -- Domains configuration for Flyte projects. This enables the specified number of domains across all projects in Flyte.
 domain:
 domains:
@@ -485,7 +485,8 @@ configmap:
 # Refer to the [server config](https://pkg.go.dev/github.com/lyft/flyteadmin@v0.3.37/pkg/config#ServerConfig).
 server:
 httpPort: 8088
- grpcPort: 8089
+ grpc:
+ port: 8089
 security:
 # -- Controls whether to serve requests over SSL/TLS.
 secure: false
@@ -552,7 +553,7 @@ configmap:
 - profile
 - openid
 - offline_access
- clientId:
+ clientId:

 # -- Datacatalog server config
 datacatalogServer:
diff --git a/charts/flyte-core/values.yaml b/charts/flyte-core/values.yaml
index 32fb5c58278..cb8811d35b6 100755
--- a/charts/flyte-core/values.yaml
+++ b/charts/flyte-core/values.yaml
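Review bot: In the `@@ -552,7 +553,7 @@` hunk of the keycloak values file the retained `clientId:` line is a bare key, which YAML parses as null rather than an empty string, so whatever renders this block into the flyteadmin configmap will carry `clientId: null`; if it is meant as a placeholder the operator fills in, `clientId: ""` plus a `# -- ` comment saying so keeps the type stable and makes the intent visible. The trailing-whitespace cleanups in the `@@ -81` and `@@ -459` hunks are fine, and the `grpc:`/`port: 8089` rename in the `@@ -485` hunk matches values.yaml. The enclosing `configmap:` mapping starts before these hunks.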
@@ -626,7 +626,8 @@ configmap:
 # Refer to the [server config](https://pkg.go.dev/github.com/lyft/flyteadmin@v0.3.37/pkg/config#ServerConfig).
 server:
 httpPort: 8088
- grpcPort: 8089
+ grpc:
+ port: 8089
 security:
 # -- Controls whether to serve requests over SSL/TLS.
 secure: false
diff --git a/charts/flyte/README.md b/charts/flyte/README.md
index f2ac67bdc21..2b97a79adb7 100644
--- a/charts/flyte/README.md
+++ b/charts/flyte/README.md
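Review bot: The new `grpc:` block replaces a key that existing override files are likely to carry, yet it has no helm-docs comment, so the regenerated charts/flyte-core/README.md in this patch only shows the new shape buried inside the JSON blob of `configmap.adminServer`. A `# -- ` line above `grpc:` along the lines of "gRPC listener settings; the former flat `grpcPort` key is not read by flyteadmin and must be moved here" would surface the migration where operators actually look. The same applies to the matching hunks in values-eks.yaml, values-gcp.yaml and values-keycloak-idp-flyteclients-without-browser.yaml. The `# Refer to the [server config]` context line still points at the lyft/flyteadmin v0.3.37 package; since this commit touches the key that comment documents, updating the link to the current flyteorg config struct would be cheap. The enclosing `adminServer` mapping starts before the hunk.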
@@ -71,7 +71,7 @@ helm upgrade -f values-sandbox.yaml flyte . | contour.tolerations | list | `[]` | tolerations for Contour deployment | | daskoperator | object | `{"enabled":false}` | Optional: Dask Plugin using the Dask Operator | | daskoperator.enabled | bool | `false` | - enable or disable the dask operator deployment installation | -| flyte | object | `{"cluster_resource_manager":{"config":{"cluster_resources":{"customData":[{"production":[{"projectQuotaCpu":{"value":"5"}},{"projectQuotaMemory":{"value":"4000Mi"}}]},{"staging":[{"projectQuotaCpu":{"value":"2"}},{"projectQuotaMemory":{"value":"3000Mi"}}]},{"development":[{"projectQuotaCpu":{"value":"4"}},{"projectQuotaMemory":{"value":"3000Mi"}}]}],"refresh":"5m","refreshInterval":"5m","standaloneDeployment":false,"templatePath":"/etc/flyte/clusterresource/templates"}},"enabled":true,"service_account_name":"flyteadmin","templates":[{"key":"aa_namespace","value":"apiVersion: v1\nkind: Namespace\nmetadata:\n name: {{ namespace }}\nspec:\n finalizers:\n - kubernetes\n"},{"key":"ab_project_resource_quota","value":"apiVersion: v1\nkind: ResourceQuota\nmetadata:\n name: project-quota\n namespace: {{ namespace }}\nspec:\n hard:\n limits.cpu: {{ projectQuotaCpu }}\n limits.memory: {{ projectQuotaMemory 
}}\n"}]},"common":{"databaseSecret":{"name":"","secretManifest":{}},"flyteNamespaceTemplate":{"enabled":false},"ingress":{"albSSLRedirect":false,"annotations":{"nginx.ingress.kubernetes.io/app-root":"/console"},"enabled":true,"host":"","separateGrpcIngress":false,"separateGrpcIngressAnnotations":{"nginx.ingress.kubernetes.io/backend-protocol":"GRPC"},"tls":{"enabled":false},"webpackHMR":true}},"configmap":{"adminServer":{"auth":{"appAuth":{"thirdPartyConfig":{"flyteClient":{"clientId":"flytectl","redirectUri":"http://localhost:53593/callback","scopes":["offline","all"]}}},"authorizedUris":["https://localhost:30081","http://flyteadmin:80","http://flyteadmin.flyte.svc.cluster.local:80"],"userAuth":{"openId":{"baseUrl":"https://accounts.google.com","clientId":"657465813211-6eog7ek7li5k7i7fvgv2921075063hpe.apps.googleusercontent.com","scopes":["profile","openid"]}}},"flyteadmin":{"eventVersion":2,"metadataStoragePrefix":["metadata","admin"],"metricsScope":"flyte:","profilerPort":10254,"roleNameKey":"iam.amazonaws.com/role","testing":{"host":"http://flyteadmin"}},"server":{"grpcPort":8089,"httpPort":8088,"security":{"allowCors":true,"allowedHeaders":["Content-Type","flyte-authorization"],"allowedOrigins":["*"],"secure":false,"useAuth":false}}},"catalog":{"catalog-cache":{"endpoint":"datacatalog:89","insecure":true,"type":"datacatalog"}},"console":{"BASE_URL":"/console","CONFIG_DIR":"/etc/flyte/config"},"copilot":{"plugins":{"k8s":{"co-pilot":{"image":"cr.flyte.org/flyteorg/flytecopilot:v1.11.0-b1","name":"flyte-copilot-","start-timeout":"30s"}}}},"core":{"propeller":{"downstream-eval-duration":"30s","enable-admin-launcher":true,"leader-election":{"enabled":true,"lease-duration":"15s","lock-config-map":{"name":"propeller-leader","namespace":"flyte"},"renew-deadline":"10s","retry-period":"2s"},"limit-namespace":"all","max-workflow-retries":30,"metadata-prefix":"metadata/propeller","metrics-prefix":"flyte","prof-port":10254,"queue":{"batch-size":-1,"batching-interval":"2s",
"queue":{"base-delay":"5s","capacity":1000,"max-delay":"120s","rate":100,"type":"maxof"},"sub-queue":{"capacity":100,"rate":10,"type":"bucket"},"type":"batch"},"rawoutput-prefix":"s3://my-s3-bucket/","workers":4,"workflow-reeval-duration":"30s"},"webhook":{"certDir":"/etc/webhook/certs","serviceName":"flyte-pod-webhook"}},"datacatalogServer":{"application":{"grpcPort":8089,"grpcServerReflection":true,"httpPort":8080},"datacatalog":{"metrics-scope":"datacatalog","profiler-port":10254,"storage-prefix":"metadata/datacatalog"}},"domain":{"domains":[{"id":"development","name":"development"},{"id":"staging","name":"staging"},{"id":"production","name":"production"}]},"enabled_plugins":{"tasks":{"task-plugins":{"default-for-task-types":{"bigquery_query_job_task":"agent-service","container":"container","container_array":"k8s-array","sidecar":"sidecar"},"enabled-plugins":["container","sidecar","k8s-array","agent-service"]}}},"k8s":{"plugins":{"k8s":{"default-cpus":"100m","default-env-vars":[{"FLYTE_AWS_ENDPOINT":"http://minio.flyte:9000"},{"FLYTE_AWS_ACCESS_KEY_ID":"minio"},{"FLYTE_AWS_SECRET_ACCESS_KEY":"miniostorage"}],"default-memory":"200Mi"}}},"logger":{"logger":{"level":5,"show-source":true}},"remoteData":{"remoteData":{"region":"us-east-1","scheme":"local","signedUrls":{"durationMinutes":3}}},"resource_manager":{"propeller":{"resourcemanager":{"redis":null,"type":"noop"}}},"task_logs":{"plugins":{"logs":{"cloudwatch-enabled":false,"kubernetes-enabled":true,"kubernetes-template-uri":"http://localhost:30082/#/log/{{ \"{{\" }} .namespace {{ \"}}\" }}/{{ \"{{\" }} .podName {{ \"}}\" }}/pod?namespace={{ \"{{\" }} .namespace {{ \"}}\" 
}}"}}},"task_resource_defaults":{"task_resources":{"defaults":{"cpu":"100m","memory":"200Mi","storage":"5Mi"},"limits":{"cpu":2,"gpu":1,"memory":"1Gi","storage":"20Mi"}}}},"datacatalog":{"affinity":{},"configPath":"/etc/datacatalog/config/*.yaml","image":{"pullPolicy":"IfNotPresent","repository":"cr.flyte.org/flyteorg/datacatalog","tag":"v1.11.0-b1"},"nodeSelector":{},"podAnnotations":{},"replicaCount":1,"resources":{"limits":{"cpu":"500m","ephemeral-storage":"100Mi","memory":"500Mi"},"requests":{"cpu":"10m","ephemeral-storage":"50Mi","memory":"50Mi"}},"service":{"annotations":{"projectcontour.io/upstream-protocol.h2c":"grpc"},"type":"NodePort"},"serviceAccount":{"annotations":{},"create":true,"imagePullSecrets":[]},"tolerations":[]},"db":{"admin":{"database":{"dbname":"flyteadmin","host":"postgres","port":5432,"username":"postgres"}},"datacatalog":{"database":{"dbname":"datacatalog","host":"postgres","port":5432,"username":"postgres"}}},"deployRedoc":true,"flyteadmin":{"additionalVolumeMounts":[],"additionalVolumes":[],"affinity":{},"configPath":"/etc/flyte/config/*.yaml","env":[],"image":{"pullPolicy":"IfNotPresent","repository":"cr.flyte.org/flyteorg/flyteadmin","tag":"v1.11.0-b1"},"initialProjects":["flytesnacks","flytetester","flyteexamples"],"nodeSelector":{},"podAnnotations":{},"replicaCount":1,"resources":{"limits":{"cpu":"250m","ephemeral-storage":"100Mi","memory":"500Mi"},"requests":{"cpu":"10m","ephemeral-storage":"50Mi","memory":"50Mi"}},"secrets":{},"service":{"annotations":{"projectcontour.io/upstream-protocol.h2c":"grpc"},"loadBalancerSourceRanges":[],"type":"ClusterIP"},"serviceAccount":{"annotations":{},"create":true,"imagePullSecrets":[]},"tolerations":[]},"flyteconsole":{"affinity":{},"ga":{"enabled":true,"tracking_id":"G-0QW4DJWJ20"},"image":{"pullPolicy":"IfNotPresent","repository":"cr.flyte.org/flyteorg/flyteconsole","tag":"v1.11.0"},"nodeSelector":{},"podAnnotations":{},"replicaCount":1,"resources":{"limits":{"cpu":"500m","memory":"275Mi"},"re
quests":{"cpu":"10m","memory":"250Mi"}},"service":{"annotations":{},"type":"ClusterIP"},"tolerations":[]},"flytepropeller":{"affinity":{},"cacheSizeMbs":0,"configPath":"/etc/flyte/config/*.yaml","image":{"pullPolicy":"IfNotPresent","repository":"cr.flyte.org/flyteorg/flytepropeller","tag":"v1.11.0-b1"},"manager":false,"nodeSelector":{},"podAnnotations":{},"replicaCount":1,"resources":{"limits":{"cpu":"200m","ephemeral-storage":"100Mi","memory":"200Mi"},"requests":{"cpu":"10m","ephemeral-storage":"50Mi","memory":"50Mi"}},"serviceAccount":{"annotations":{},"create":true,"imagePullSecrets":[]},"tolerations":[]},"flytescheduler":{"affinity":{},"configPath":"/etc/flyte/config/*.yaml","image":{"pullPolicy":"IfNotPresent","repository":"cr.flyte.org/flyteorg/flytescheduler","tag":"v1.11.0-b1"},"nodeSelector":{},"podAnnotations":{},"resources":{"limits":{"cpu":"250m","ephemeral-storage":"100Mi","memory":"500Mi"},"requests":{"cpu":"10m","ephemeral-storage":"50Mi","memory":"50Mi"}},"secrets":{},"serviceAccount":{"annotations":{},"create":true,"imagePullSecrets":[]},"tolerations":[]},"storage":{"bucketName":"my-s3-bucket","custom":{},"gcs":null,"s3":{"region":"us-east-1"},"type":"sandbox"},"webhook":{"enabled":true,"service":{"annotations":{"projectcontour.io/upstream-protocol.h2c":"grpc"},"type":"ClusterIP"},"serviceAccount":{"annotations":{},"create":true,"imagePullSecrets":[]}},"workflow_notifications":{"config":{},"enabled":false},"workflow_scheduler":{"enabled":true,"type":"native"}}` | ------------------------------------------------------------------- Core System settings This section consists of Core components of Flyte and their deployment settings. 
This includes FlyteAdmin service, Datacatalog, FlytePropeller and Flyteconsole | +| flyte | object | `{"cluster_resource_manager":{"config":{"cluster_resources":{"customData":[{"production":[{"projectQuotaCpu":{"value":"5"}},{"projectQuotaMemory":{"value":"4000Mi"}}]},{"staging":[{"projectQuotaCpu":{"value":"2"}},{"projectQuotaMemory":{"value":"3000Mi"}}]},{"development":[{"projectQuotaCpu":{"value":"4"}},{"projectQuotaMemory":{"value":"3000Mi"}}]}],"refresh":"5m","refreshInterval":"5m","standaloneDeployment":false,"templatePath":"/etc/flyte/clusterresource/templates"}},"enabled":true,"service_account_name":"flyteadmin","templates":[{"key":"aa_namespace","value":"apiVersion: v1\nkind: Namespace\nmetadata:\n name: {{ namespace }}\nspec:\n finalizers:\n - kubernetes\n"},{"key":"ab_project_resource_quota","value":"apiVersion: v1\nkind: ResourceQuota\nmetadata:\n name: project-quota\n namespace: {{ namespace }}\nspec:\n hard:\n limits.cpu: {{ projectQuotaCpu }}\n limits.memory: {{ projectQuotaMemory 
}}\n"}]},"common":{"databaseSecret":{"name":"","secretManifest":{}},"flyteNamespaceTemplate":{"enabled":false},"ingress":{"albSSLRedirect":false,"annotations":{"nginx.ingress.kubernetes.io/app-root":"/console"},"enabled":true,"host":"","separateGrpcIngress":false,"separateGrpcIngressAnnotations":{"nginx.ingress.kubernetes.io/backend-protocol":"GRPC"},"tls":{"enabled":false},"webpackHMR":true}},"configmap":{"adminServer":{"auth":{"appAuth":{"thirdPartyConfig":{"flyteClient":{"clientId":"flytectl","redirectUri":"http://localhost:53593/callback","scopes":["offline","all"]}}},"authorizedUris":["https://localhost:30081","http://flyteadmin:80","http://flyteadmin.flyte.svc.cluster.local:80"],"userAuth":{"openId":{"baseUrl":"https://accounts.google.com","clientId":"657465813211-6eog7ek7li5k7i7fvgv2921075063hpe.apps.googleusercontent.com","scopes":["profile","openid"]}}},"flyteadmin":{"eventVersion":2,"metadataStoragePrefix":["metadata","admin"],"metricsScope":"flyte:","profilerPort":10254,"roleNameKey":"iam.amazonaws.com/role","testing":{"host":"http://flyteadmin"}},"server":{"grpc":{"port":8089},"httpPort":8088,"security":{"allowCors":true,"allowedHeaders":["Content-Type","flyte-authorization"],"allowedOrigins":["*"],"secure":false,"useAuth":false}}},"catalog":{"catalog-cache":{"endpoint":"datacatalog:89","insecure":true,"type":"datacatalog"}},"console":{"BASE_URL":"/console","CONFIG_DIR":"/etc/flyte/config"},"copilot":{"plugins":{"k8s":{"co-pilot":{"image":"cr.flyte.org/flyteorg/flytecopilot:v1.11.0-b1","name":"flyte-copilot-","start-timeout":"30s"}}}},"core":{"propeller":{"downstream-eval-duration":"30s","enable-admin-launcher":true,"leader-election":{"enabled":true,"lease-duration":"15s","lock-config-map":{"name":"propeller-leader","namespace":"flyte"},"renew-deadline":"10s","retry-period":"2s"},"limit-namespace":"all","max-workflow-retries":30,"metadata-prefix":"metadata/propeller","metrics-prefix":"flyte","prof-port":10254,"queue":{"batch-size":-1,"batching-interval":
"2s","queue":{"base-delay":"5s","capacity":1000,"max-delay":"120s","rate":100,"type":"maxof"},"sub-queue":{"capacity":100,"rate":10,"type":"bucket"},"type":"batch"},"rawoutput-prefix":"s3://my-s3-bucket/","workers":4,"workflow-reeval-duration":"30s"},"webhook":{"certDir":"/etc/webhook/certs","serviceName":"flyte-pod-webhook"}},"datacatalogServer":{"application":{"grpcPort":8089,"grpcServerReflection":true,"httpPort":8080},"datacatalog":{"metrics-scope":"datacatalog","profiler-port":10254,"storage-prefix":"metadata/datacatalog"}},"domain":{"domains":[{"id":"development","name":"development"},{"id":"staging","name":"staging"},{"id":"production","name":"production"}]},"enabled_plugins":{"tasks":{"task-plugins":{"default-for-task-types":{"bigquery_query_job_task":"agent-service","container":"container","container_array":"k8s-array","sidecar":"sidecar"},"enabled-plugins":["container","sidecar","k8s-array","agent-service"]}}},"k8s":{"plugins":{"k8s":{"default-cpus":"100m","default-env-vars":[{"FLYTE_AWS_ENDPOINT":"http://minio.flyte:9000"},{"FLYTE_AWS_ACCESS_KEY_ID":"minio"},{"FLYTE_AWS_SECRET_ACCESS_KEY":"miniostorage"}],"default-memory":"200Mi"}}},"logger":{"logger":{"level":5,"show-source":true}},"remoteData":{"remoteData":{"region":"us-east-1","scheme":"local","signedUrls":{"durationMinutes":3}}},"resource_manager":{"propeller":{"resourcemanager":{"redis":null,"type":"noop"}}},"task_logs":{"plugins":{"logs":{"cloudwatch-enabled":false,"kubernetes-enabled":true,"kubernetes-template-uri":"http://localhost:30082/#/log/{{ \"{{\" }} .namespace {{ \"}}\" }}/{{ \"{{\" }} .podName {{ \"}}\" }}/pod?namespace={{ \"{{\" }} .namespace {{ \"}}\" 
}}"}}},"task_resource_defaults":{"task_resources":{"defaults":{"cpu":"100m","memory":"200Mi","storage":"5Mi"},"limits":{"cpu":2,"gpu":1,"memory":"1Gi","storage":"20Mi"}}}},"datacatalog":{"affinity":{},"configPath":"/etc/datacatalog/config/*.yaml","image":{"pullPolicy":"IfNotPresent","repository":"cr.flyte.org/flyteorg/datacatalog","tag":"v1.11.0-b1"},"nodeSelector":{},"podAnnotations":{},"replicaCount":1,"resources":{"limits":{"cpu":"500m","ephemeral-storage":"100Mi","memory":"500Mi"},"requests":{"cpu":"10m","ephemeral-storage":"50Mi","memory":"50Mi"}},"service":{"annotations":{"projectcontour.io/upstream-protocol.h2c":"grpc"},"type":"NodePort"},"serviceAccount":{"annotations":{},"create":true,"imagePullSecrets":[]},"tolerations":[]},"db":{"admin":{"database":{"dbname":"flyteadmin","host":"postgres","port":5432,"username":"postgres"}},"datacatalog":{"database":{"dbname":"datacatalog","host":"postgres","port":5432,"username":"postgres"}}},"deployRedoc":true,"flyteadmin":{"additionalVolumeMounts":[],"additionalVolumes":[],"affinity":{},"configPath":"/etc/flyte/config/*.yaml","env":[],"image":{"pullPolicy":"IfNotPresent","repository":"cr.flyte.org/flyteorg/flyteadmin","tag":"v1.11.0-b1"},"initialProjects":["flytesnacks","flytetester","flyteexamples"],"nodeSelector":{},"podAnnotations":{},"replicaCount":1,"resources":{"limits":{"cpu":"250m","ephemeral-storage":"100Mi","memory":"500Mi"},"requests":{"cpu":"10m","ephemeral-storage":"50Mi","memory":"50Mi"}},"secrets":{},"service":{"annotations":{"projectcontour.io/upstream-protocol.h2c":"grpc"},"loadBalancerSourceRanges":[],"type":"ClusterIP"},"serviceAccount":{"annotations":{},"create":true,"imagePullSecrets":[]},"tolerations":[]},"flyteconsole":{"affinity":{},"ga":{"enabled":true,"tracking_id":"G-0QW4DJWJ20"},"image":{"pullPolicy":"IfNotPresent","repository":"cr.flyte.org/flyteorg/flyteconsole","tag":"v1.11.0"},"nodeSelector":{},"podAnnotations":{},"replicaCount":1,"resources":{"limits":{"cpu":"500m","memory":"275Mi"},"re
quests":{"cpu":"10m","memory":"250Mi"}},"service":{"annotations":{},"type":"ClusterIP"},"tolerations":[]},"flytepropeller":{"affinity":{},"cacheSizeMbs":0,"configPath":"/etc/flyte/config/*.yaml","image":{"pullPolicy":"IfNotPresent","repository":"cr.flyte.org/flyteorg/flytepropeller","tag":"v1.11.0-b1"},"manager":false,"nodeSelector":{},"podAnnotations":{},"replicaCount":1,"resources":{"limits":{"cpu":"200m","ephemeral-storage":"100Mi","memory":"200Mi"},"requests":{"cpu":"10m","ephemeral-storage":"50Mi","memory":"50Mi"}},"serviceAccount":{"annotations":{},"create":true,"imagePullSecrets":[]},"tolerations":[]},"flytescheduler":{"affinity":{},"configPath":"/etc/flyte/config/*.yaml","image":{"pullPolicy":"IfNotPresent","repository":"cr.flyte.org/flyteorg/flytescheduler","tag":"v1.11.0-b1"},"nodeSelector":{},"podAnnotations":{},"resources":{"limits":{"cpu":"250m","ephemeral-storage":"100Mi","memory":"500Mi"},"requests":{"cpu":"10m","ephemeral-storage":"50Mi","memory":"50Mi"}},"secrets":{},"serviceAccount":{"annotations":{},"create":true,"imagePullSecrets":[]},"tolerations":[]},"storage":{"bucketName":"my-s3-bucket","custom":{},"gcs":null,"s3":{"region":"us-east-1"},"type":"sandbox"},"webhook":{"enabled":true,"service":{"annotations":{"projectcontour.io/upstream-protocol.h2c":"grpc"},"type":"ClusterIP"},"serviceAccount":{"annotations":{},"create":true,"imagePullSecrets":[]}},"workflow_notifications":{"config":{},"enabled":false},"workflow_scheduler":{"enabled":true,"type":"native"}}` | ------------------------------------------------------------------- Core System settings This section consists of Core components of Flyte and their deployment settings. 
This includes FlyteAdmin service, Datacatalog, FlytePropeller and Flyteconsole | | flyte.cluster_resource_manager | object | `{"config":{"cluster_resources":{"customData":[{"production":[{"projectQuotaCpu":{"value":"5"}},{"projectQuotaMemory":{"value":"4000Mi"}}]},{"staging":[{"projectQuotaCpu":{"value":"2"}},{"projectQuotaMemory":{"value":"3000Mi"}}]},{"development":[{"projectQuotaCpu":{"value":"4"}},{"projectQuotaMemory":{"value":"3000Mi"}}]}],"refresh":"5m","refreshInterval":"5m","standaloneDeployment":false,"templatePath":"/etc/flyte/clusterresource/templates"}},"enabled":true,"service_account_name":"flyteadmin","templates":[{"key":"aa_namespace","value":"apiVersion: v1\nkind: Namespace\nmetadata:\n name: {{ namespace }}\nspec:\n finalizers:\n - kubernetes\n"},{"key":"ab_project_resource_quota","value":"apiVersion: v1\nkind: ResourceQuota\nmetadata:\n name: project-quota\n namespace: {{ namespace }}\nspec:\n hard:\n limits.cpu: {{ projectQuotaCpu }}\n limits.memory: {{ projectQuotaMemory }}\n"}]}` | Configuration for the Cluster resource manager component. This is an optional component, that enables automatic cluster configuration. This is useful to set default quotas, manage namespaces etc that map to a project/domain | | flyte.cluster_resource_manager.config.cluster_resources | object | `{"customData":[{"production":[{"projectQuotaCpu":{"value":"5"}},{"projectQuotaMemory":{"value":"4000Mi"}}]},{"staging":[{"projectQuotaCpu":{"value":"2"}},{"projectQuotaMemory":{"value":"3000Mi"}}]},{"development":[{"projectQuotaCpu":{"value":"4"}},{"projectQuotaMemory":{"value":"3000Mi"}}]}],"refresh":"5m","refreshInterval":"5m","standaloneDeployment":false,"templatePath":"/etc/flyte/clusterresource/templates"}` | ClusterResource parameters Refer to the [structure](https://pkg.go.dev/github.com/lyft/flyteadmin@v0.3.37/pkg/runtime/interfaces#ClusterResourceConfig) to customize. 
| | flyte.cluster_resource_manager.config.cluster_resources.standaloneDeployment | bool | `false` | Starts the cluster resource manager in standalone mode with requisite auth credentials to call flyteadmin service endpoints | 
@@ -91,8 +91,8 @@ helm upgrade -f values-sandbox.yaml flyte . | flyte.common.ingress.separateGrpcIngressAnnotations | object | `{"nginx.ingress.kubernetes.io/backend-protocol":"GRPC"}` | - Extra Ingress annotations applied only to the GRPC ingress. Only makes sense if `separateGrpcIngress` is enabled. | | flyte.common.ingress.tls | object | `{"enabled":false}` | - TLS Settings | | flyte.common.ingress.webpackHMR | bool | `true` | - Enable or disable HMR route to flyteconsole. This is useful only for frontend development. | -| flyte.configmap | object | `{"adminServer":{"auth":{"appAuth":{"thirdPartyConfig":{"flyteClient":{"clientId":"flytectl","redirectUri":"http://localhost:53593/callback","scopes":["offline","all"]}}},"authorizedUris":["https://localhost:30081","http://flyteadmin:80","http://flyteadmin.flyte.svc.cluster.local:80"],"userAuth":{"openId":{"baseUrl":"https://accounts.google.com","clientId":"657465813211-6eog7ek7li5k7i7fvgv2921075063hpe.apps.googleusercontent.com","scopes":["profile","openid"]}}},"flyteadmin":{"eventVersion":2,"metadataStoragePrefix":["metadata","admin"],"metricsScope":"flyte:","profilerPort":10254,"roleNameKey":"iam.amazonaws.com/role","testing":{"host":"http://flyteadmin"}},"server":{"grpcPort":8089,"httpPort":8088,"security":{"allowCors":true,"allowedHeaders":["Content-Type","flyte-authorization"],"allowedOrigins":["*"],"secure":false,"useAuth":false}}},"catalog":{"catalog-cache":{"endpoint":"datacatalog:89","insecure":true,"type":"datacatalog"}},"console":{"BASE_URL":"/console","CONFIG_DIR":"/etc/flyte/config"},"copilot":{"plugins":{"k8s":{"co-pilot":{"image":"cr.flyte.org/flyteorg/flytecopilot:v1.11.0-b1","name":"flyte-copilot-","start-timeout":"30s"}}}},"core":{"propeller":{"downstream-eval-duration":"30s","enable-admin-launcher":true,"leader-election":{"enabled":true,"lease-duration":"15s","lock-config-map":{"name":"propeller-leader","namespace":"flyte"},"renew-deadline":"10s","retry-period":"2s"},"limit-namespace":"all","max-wo
rkflow-retries":30,"metadata-prefix":"metadata/propeller","metrics-prefix":"flyte","prof-port":10254,"queue":{"batch-size":-1,"batching-interval":"2s","queue":{"base-delay":"5s","capacity":1000,"max-delay":"120s","rate":100,"type":"maxof"},"sub-queue":{"capacity":100,"rate":10,"type":"bucket"},"type":"batch"},"rawoutput-prefix":"s3://my-s3-bucket/","workers":4,"workflow-reeval-duration":"30s"},"webhook":{"certDir":"/etc/webhook/certs","serviceName":"flyte-pod-webhook"}},"datacatalogServer":{"application":{"grpcPort":8089,"grpcServerReflection":true,"httpPort":8080},"datacatalog":{"metrics-scope":"datacatalog","profiler-port":10254,"storage-prefix":"metadata/datacatalog"}},"domain":{"domains":[{"id":"development","name":"development"},{"id":"staging","name":"staging"},{"id":"production","name":"production"}]},"enabled_plugins":{"tasks":{"task-plugins":{"default-for-task-types":{"bigquery_query_job_task":"agent-service","container":"container","container_array":"k8s-array","sidecar":"sidecar"},"enabled-plugins":["container","sidecar","k8s-array","agent-service"]}}},"k8s":{"plugins":{"k8s":{"default-cpus":"100m","default-env-vars":[{"FLYTE_AWS_ENDPOINT":"http://minio.flyte:9000"},{"FLYTE_AWS_ACCESS_KEY_ID":"minio"},{"FLYTE_AWS_SECRET_ACCESS_KEY":"miniostorage"}],"default-memory":"200Mi"}}},"logger":{"logger":{"level":5,"show-source":true}},"remoteData":{"remoteData":{"region":"us-east-1","scheme":"local","signedUrls":{"durationMinutes":3}}},"resource_manager":{"propeller":{"resourcemanager":{"redis":null,"type":"noop"}}},"task_logs":{"plugins":{"logs":{"cloudwatch-enabled":false,"kubernetes-enabled":true,"kubernetes-template-uri":"http://localhost:30082/#/log/{{ \"{{\" }} .namespace {{ \"}}\" }}/{{ \"{{\" }} .podName {{ \"}}\" }}/pod?namespace={{ \"{{\" }} .namespace {{ \"}}\" }}"}}},"task_resource_defaults":{"task_resources":{"defaults":{"cpu":"100m","memory":"200Mi","storage":"5Mi"},"limits":{"cpu":2,"gpu":1,"memory":"1Gi","storage":"20Mi"}}}}` | 
----------------------------------------------------------------- CONFIGMAPS SETTINGS | -| flyte.configmap.adminServer | object | `{"auth":{"appAuth":{"thirdPartyConfig":{"flyteClient":{"clientId":"flytectl","redirectUri":"http://localhost:53593/callback","scopes":["offline","all"]}}},"authorizedUris":["https://localhost:30081","http://flyteadmin:80","http://flyteadmin.flyte.svc.cluster.local:80"],"userAuth":{"openId":{"baseUrl":"https://accounts.google.com","clientId":"657465813211-6eog7ek7li5k7i7fvgv2921075063hpe.apps.googleusercontent.com","scopes":["profile","openid"]}}},"flyteadmin":{"eventVersion":2,"metadataStoragePrefix":["metadata","admin"],"metricsScope":"flyte:","profilerPort":10254,"roleNameKey":"iam.amazonaws.com/role","testing":{"host":"http://flyteadmin"}},"server":{"grpcPort":8089,"httpPort":8088,"security":{"allowCors":true,"allowedHeaders":["Content-Type","flyte-authorization"],"allowedOrigins":["*"],"secure":false,"useAuth":false}}}` | FlyteAdmin server configuration | +| flyte.configmap | object | 
`{"adminServer":{"auth":{"appAuth":{"thirdPartyConfig":{"flyteClient":{"clientId":"flytectl","redirectUri":"http://localhost:53593/callback","scopes":["offline","all"]}}},"authorizedUris":["https://localhost:30081","http://flyteadmin:80","http://flyteadmin.flyte.svc.cluster.local:80"],"userAuth":{"openId":{"baseUrl":"https://accounts.google.com","clientId":"657465813211-6eog7ek7li5k7i7fvgv2921075063hpe.apps.googleusercontent.com","scopes":["profile","openid"]}}},"flyteadmin":{"eventVersion":2,"metadataStoragePrefix":["metadata","admin"],"metricsScope":"flyte:","profilerPort":10254,"roleNameKey":"iam.amazonaws.com/role","testing":{"host":"http://flyteadmin"}},"server":{"grpc":{"port":8089},"httpPort":8088,"security":{"allowCors":true,"allowedHeaders":["Content-Type","flyte-authorization"],"allowedOrigins":["*"],"secure":false,"useAuth":false}}},"catalog":{"catalog-cache":{"endpoint":"datacatalog:89","insecure":true,"type":"datacatalog"}},"console":{"BASE_URL":"/console","CONFIG_DIR":"/etc/flyte/config"},"copilot":{"plugins":{"k8s":{"co-pilot":{"image":"cr.flyte.org/flyteorg/flytecopilot:v1.11.0-b1","name":"flyte-copilot-","start-timeout":"30s"}}}},"core":{"propeller":{"downstream-eval-duration":"30s","enable-admin-launcher":true,"leader-election":{"enabled":true,"lease-duration":"15s","lock-config-map":{"name":"propeller-leader","namespace":"flyte"},"renew-deadline":"10s","retry-period":"2s"},"limit-namespace":"all","max-workflow-retries":30,"metadata-prefix":"metadata/propeller","metrics-prefix":"flyte","prof-port":10254,"queue":{"batch-size":-1,"batching-interval":"2s","queue":{"base-delay":"5s","capacity":1000,"max-delay":"120s","rate":100,"type":"maxof"},"sub-queue":{"capacity":100,"rate":10,"type":"bucket"},"type":"batch"},"rawoutput-prefix":"s3://my-s3-bucket/","workers":4,"workflow-reeval-duration":"30s"},"webhook":{"certDir":"/etc/webhook/certs","serviceName":"flyte-pod-webhook"}},"datacatalogServer":{"application":{"grpcPort":8089,"grpcServerReflection":true
,"httpPort":8080},"datacatalog":{"metrics-scope":"datacatalog","profiler-port":10254,"storage-prefix":"metadata/datacatalog"}},"domain":{"domains":[{"id":"development","name":"development"},{"id":"staging","name":"staging"},{"id":"production","name":"production"}]},"enabled_plugins":{"tasks":{"task-plugins":{"default-for-task-types":{"bigquery_query_job_task":"agent-service","container":"container","container_array":"k8s-array","sidecar":"sidecar"},"enabled-plugins":["container","sidecar","k8s-array","agent-service"]}}},"k8s":{"plugins":{"k8s":{"default-cpus":"100m","default-env-vars":[{"FLYTE_AWS_ENDPOINT":"http://minio.flyte:9000"},{"FLYTE_AWS_ACCESS_KEY_ID":"minio"},{"FLYTE_AWS_SECRET_ACCESS_KEY":"miniostorage"}],"default-memory":"200Mi"}}},"logger":{"logger":{"level":5,"show-source":true}},"remoteData":{"remoteData":{"region":"us-east-1","scheme":"local","signedUrls":{"durationMinutes":3}}},"resource_manager":{"propeller":{"resourcemanager":{"redis":null,"type":"noop"}}},"task_logs":{"plugins":{"logs":{"cloudwatch-enabled":false,"kubernetes-enabled":true,"kubernetes-template-uri":"http://localhost:30082/#/log/{{ \"{{\" }} .namespace {{ \"}}\" }}/{{ \"{{\" }} .podName {{ \"}}\" }}/pod?namespace={{ \"{{\" }} .namespace {{ \"}}\" }}"}}},"task_resource_defaults":{"task_resources":{"defaults":{"cpu":"100m","memory":"200Mi","storage":"5Mi"},"limits":{"cpu":2,"gpu":1,"memory":"1Gi","storage":"20Mi"}}}}` | ----------------------------------------------------------------- CONFIGMAPS SETTINGS | +| flyte.configmap.adminServer | object | 
`{"auth":{"appAuth":{"thirdPartyConfig":{"flyteClient":{"clientId":"flytectl","redirectUri":"http://localhost:53593/callback","scopes":["offline","all"]}}},"authorizedUris":["https://localhost:30081","http://flyteadmin:80","http://flyteadmin.flyte.svc.cluster.local:80"],"userAuth":{"openId":{"baseUrl":"https://accounts.google.com","clientId":"657465813211-6eog7ek7li5k7i7fvgv2921075063hpe.apps.googleusercontent.com","scopes":["profile","openid"]}}},"flyteadmin":{"eventVersion":2,"metadataStoragePrefix":["metadata","admin"],"metricsScope":"flyte:","profilerPort":10254,"roleNameKey":"iam.amazonaws.com/role","testing":{"host":"http://flyteadmin"}},"server":{"grpc":{"port":8089},"httpPort":8088,"security":{"allowCors":true,"allowedHeaders":["Content-Type","flyte-authorization"],"allowedOrigins":["*"],"secure":false,"useAuth":false}}}` | FlyteAdmin server configuration | | flyte.configmap.adminServer.auth | object | `{"appAuth":{"thirdPartyConfig":{"flyteClient":{"clientId":"flytectl","redirectUri":"http://localhost:53593/callback","scopes":["offline","all"]}}},"authorizedUris":["https://localhost:30081","http://flyteadmin:80","http://flyteadmin.flyte.svc.cluster.local:80"],"userAuth":{"openId":{"baseUrl":"https://accounts.google.com","clientId":"657465813211-6eog7ek7li5k7i7fvgv2921075063hpe.apps.googleusercontent.com","scopes":["profile","openid"]}}}` | Authentication configuration | | flyte.configmap.adminServer.server.security.secure | bool | `false` | Controls whether to serve requests over SSL/TLS. | | flyte.configmap.adminServer.server.security.useAuth | bool | `false` | Controls whether to enforce authentication. Follow the guide in https://docs.flyte.org/ on how to setup authentication. | diff --git a/charts/flyte/values.yaml b/charts/flyte/values.yaml index 50a1fc54025..5244a613013 100755 --- a/charts/flyte/values.yaml +++ b/charts/flyte/values.yaml 
@@ -378,7 +378,8 @@ flyte: # Refer to the [server config](https://pkg.go.dev/github.com/lyft/flyteadmin@v0.3.37/pkg/config#ServerConfig). server: httpPort: 8088 - grpcPort: 8089 + grpc: + port: 8089 security: # -- Controls whether to serve requests over SSL/TLS. secure: false diff --git a/deployment/eks/flyte_aws_scheduler_helm_generated.yaml b/deployment/eks/flyte_aws_scheduler_helm_generated.yaml index 83c0d249c53..37e7d8412b3 100644 --- a/deployment/eks/flyte_aws_scheduler_helm_generated.yaml +++ b/deployment/eks/flyte_aws_scheduler_helm_generated.yaml @@ -162,7 +162,8 @@ data: testing: host: http://flyteadmin server: - grpcPort: 8089 + grpc: + port: 8089 httpPort: 8088 security: allowCors: true @@ -847,7 +848,7 @@ spec: template: metadata: annotations: - configChecksum: "2b5c85969f2bd85bb51a084f9fd72c20c3aca94be99e53cb4c4e9f78e77ebc5" + configChecksum: "d50d9b515795be1f4937c58f37335ec9bd505ba4c51f96caf8491fa323abb56" labels: app.kubernetes.io/name: flyteadmin app.kubernetes.io/instance: flyte @@ -1208,7 +1209,7 @@ spec: imagePullPolicy: "IfNotPresent" name: datacatalog ports: - - containerPort: 8088 + - containerPort: 8080 - containerPort: 8089 - containerPort: 10254 securityContext: diff --git a/deployment/eks/flyte_generated.yaml b/deployment/eks/flyte_generated.yaml index b4ee31f106a..486adda58a7 100644 --- a/deployment/eks/flyte_generated.yaml +++ b/deployment/eks/flyte_generated.yaml @@ -8135,7 +8135,8 @@ data: server.yaml: | server: httpPort: 8088 - grpcPort: 8089 + grpc: + port: 8089 security: # Controls whether to serve requests over SSL/TLS. secure: false diff --git a/deployment/eks/flyte_helm_controlplane_generated.yaml b/deployment/eks/flyte_helm_controlplane_generated.yaml index b60694f9471..b8b5cd6456c 100644 --- a/deployment/eks/flyte_helm_controlplane_generated.yaml +++ b/deployment/eks/flyte_helm_controlplane_generated.yaml 
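Review bot: The `# Refer to the [server config](https://pkg.go.dev/github.com/lyft/flyteadmin@v0.3.37/pkg/config#ServerConfig)` comment kept as context directly above the new `grpc:` / `port: 8089` lines points at a pre-fork flyteadmin release that appears to predate the nested `grpc` block and still documents the flat `grpcPort` field this commit retires, so the comment now contradicts the key it sits on. Repoint it at the ServerConfig of the flyteadmin version this chart ships (the `flyteadmin/` package in this repository) and document the rename inline, e.g. `# -- gRPC listen port (server.grpc.port). The flat grpcPort key is no longer the one read for the listener; leave it unset so the ports the templates expose match what flyteadmin binds.` That the templates derive the exposed container ports from `server.grpc.port` is inferred from the commit description and the admin deployment template in the diffstat, not from lines visible here, so confirm it before settling the wording. The enclosing `server:` mapping belongs to `configmap.adminServer`, which starts and ends outside this hunk.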
@@ -143,7 +143,8 @@ data: testing: host: http://flyteadmin server: - grpcPort: 8089 + grpc: + port: 8089 httpPort: 8088 security: allowCors: true @@ -553,7 +554,7 @@ spec: template: metadata: annotations: - configChecksum: "053b20ebc40227f6ed8ddc61f5997ee7997c604158f773779f20ec61af11a2f" + configChecksum: "b6087931f4457971d5fcd17d64491188322ffc2f86e31f943b142c76edb9e67" labels: app.kubernetes.io/name: flyteadmin app.kubernetes.io/instance: flyte @@ -914,7 +915,7 @@ spec: imagePullPolicy: "IfNotPresent" name: datacatalog ports: - - containerPort: 8088 + - containerPort: 8080 - containerPort: 8089 - containerPort: 10254 securityContext: @@ -973,7 +974,7 @@ spec: template: metadata: annotations: - configChecksum: "053b20ebc40227f6ed8ddc61f5997ee7997c604158f773779f20ec61af11a2f" + configChecksum: "b6087931f4457971d5fcd17d64491188322ffc2f86e31f943b142c76edb9e67" labels: app.kubernetes.io/name: flytescheduler app.kubernetes.io/instance: flyte diff --git a/deployment/eks/flyte_helm_generated.yaml b/deployment/eks/flyte_helm_generated.yaml index 8f34f4f2361..550c3c3a8d0 100644 --- a/deployment/eks/flyte_helm_generated.yaml +++ b/deployment/eks/flyte_helm_generated.yaml @@ -174,7 +174,8 @@ data: testing: host: http://flyteadmin server: - grpcPort: 8089 + grpc: + port: 8089 httpPort: 8088 security: allowCors: true @@ -878,7 +879,7 @@ spec: template: metadata: annotations: - configChecksum: "053b20ebc40227f6ed8ddc61f5997ee7997c604158f773779f20ec61af11a2f" + configChecksum: "b6087931f4457971d5fcd17d64491188322ffc2f86e31f943b142c76edb9e67" labels: app.kubernetes.io/name: flyteadmin app.kubernetes.io/instance: flyte @@ -1239,7 +1240,7 @@ spec: imagePullPolicy: "IfNotPresent" name: datacatalog ports: - - containerPort: 8088 + - containerPort: 8080 - containerPort: 8089 - containerPort: 10254 securityContext: 
@@ -1298,7 +1299,7 @@ spec: template: metadata: annotations: - configChecksum: "053b20ebc40227f6ed8ddc61f5997ee7997c604158f773779f20ec61af11a2f" + configChecksum: "b6087931f4457971d5fcd17d64491188322ffc2f86e31f943b142c76edb9e67" labels: app.kubernetes.io/name: flytescheduler app.kubernetes.io/instance: flyte diff --git a/deployment/gcp/flyte_generated.yaml b/deployment/gcp/flyte_generated.yaml index 01d708d860b..55d37525179 100644 --- a/deployment/gcp/flyte_generated.yaml +++ b/deployment/gcp/flyte_generated.yaml @@ -8132,7 +8132,8 @@ data: server.yaml: | server: httpPort: 8088 - grpcPort: 8089 + grpc: + port: 8089 security: # Controls whether to serve requests over SSL/TLS. secure: false diff --git a/deployment/gcp/flyte_helm_controlplane_generated.yaml b/deployment/gcp/flyte_helm_controlplane_generated.yaml index 7e0b58b832b..b3b0d47c9ad 100644 --- a/deployment/gcp/flyte_helm_controlplane_generated.yaml +++ b/deployment/gcp/flyte_helm_controlplane_generated.yaml @@ -143,7 +143,8 @@ data: testing: host: http://flyteadmin server: - grpcPort: 8089 + grpc: + port: 8089 httpPort: 8088 security: allowCors: true @@ -568,7 +569,7 @@ spec: template: metadata: annotations: - configChecksum: "2e169a911a8234dd42d06ca0887279093f4ed36033d0543749ce126b26b50f3" + configChecksum: "b35a14d8bfd46ac863acf50bc4f338954b2f1315b66dc1fc17123885cc4dc37" labels: app.kubernetes.io/name: flyteadmin app.kubernetes.io/instance: flyte @@ -929,7 +930,7 @@ spec: imagePullPolicy: "IfNotPresent" name: datacatalog ports: - - containerPort: 8088 + - containerPort: 8080 - containerPort: 8089 - containerPort: 10254 securityContext: @@ -988,7 +989,7 @@ spec: template: metadata: annotations: - configChecksum: "2e169a911a8234dd42d06ca0887279093f4ed36033d0543749ce126b26b50f3" + configChecksum: "b35a14d8bfd46ac863acf50bc4f338954b2f1315b66dc1fc17123885cc4dc37" labels: app.kubernetes.io/name: flytescheduler app.kubernetes.io/instance: flyte 
diff --git a/deployment/gcp/flyte_helm_generated.yaml b/deployment/gcp/flyte_helm_generated.yaml index 5b8757459c1..263c914af9c 100644 --- a/deployment/gcp/flyte_helm_generated.yaml +++ b/deployment/gcp/flyte_helm_generated.yaml @@ -174,7 +174,8 @@ data: testing: host: http://flyteadmin server: - grpcPort: 8089 + grpc: + port: 8089 httpPort: 8088 security: allowCors: true @@ -901,7 +902,7 @@ spec: template: metadata: annotations: - configChecksum: "2e169a911a8234dd42d06ca0887279093f4ed36033d0543749ce126b26b50f3" + configChecksum: "b35a14d8bfd46ac863acf50bc4f338954b2f1315b66dc1fc17123885cc4dc37" labels: app.kubernetes.io/name: flyteadmin app.kubernetes.io/instance: flyte @@ -1262,7 +1263,7 @@ spec: imagePullPolicy: "IfNotPresent" name: datacatalog ports: - - containerPort: 8088 + - containerPort: 8080 - containerPort: 8089 - containerPort: 10254 securityContext: @@ -1321,7 +1322,7 @@ spec: template: metadata: annotations: - configChecksum: "2e169a911a8234dd42d06ca0887279093f4ed36033d0543749ce126b26b50f3" + configChecksum: "b35a14d8bfd46ac863acf50bc4f338954b2f1315b66dc1fc17123885cc4dc37" labels: app.kubernetes.io/name: flytescheduler app.kubernetes.io/instance: flyte diff --git a/deployment/sandbox/flyte_generated.yaml b/deployment/sandbox/flyte_generated.yaml index cac33303fd3..93364784fa8 100644 --- a/deployment/sandbox/flyte_generated.yaml +++ b/deployment/sandbox/flyte_generated.yaml @@ -2145,7 +2145,8 @@ data: server.yaml: | server: httpPort: 8088 - grpcPort: 8089 + grpc: + port: 8089 security: # Controls whether to serve requests over SSL/TLS. secure: false diff --git a/deployment/sandbox/flyte_helm_generated.yaml b/deployment/sandbox/flyte_helm_generated.yaml index c398c5fbf8a..8bd62869925 100644 --- a/deployment/sandbox/flyte_helm_generated.yaml +++ b/deployment/sandbox/flyte_helm_generated.yaml @@ -294,7 +294,8 @@ data: testing: host: http://flyteadmin server: - grpcPort: 8089 + grpc: + port: 8089 httpPort: 8088 security: allowCors: true 
@@ -6684,7 +6685,7 @@ spec: template: metadata: annotations: - configChecksum: "45f0232531c0d1494809cf83387a95b2fc802019ea095de7a24ccd4f8de86ec" + configChecksum: "9344efaeaf709f9a79cd4a582954516d1baa09f9d5e7130724fa8a60f7b1fac" labels: app.kubernetes.io/name: flyteadmin app.kubernetes.io/instance: flyte @@ -7026,7 +7027,7 @@ spec: imagePullPolicy: "IfNotPresent" name: datacatalog ports: - - containerPort: 8088 + - containerPort: 8080 - containerPort: 8089 - containerPort: 10254 securityContext: @@ -7075,7 +7076,7 @@ spec: template: metadata: annotations: - configChecksum: "45f0232531c0d1494809cf83387a95b2fc802019ea095de7a24ccd4f8de86ec" + configChecksum: "9344efaeaf709f9a79cd4a582954516d1baa09f9d5e7130724fa8a60f7b1fac" labels: app.kubernetes.io/name: flytescheduler app.kubernetes.io/instance: flyte diff --git a/deployment/test/flyte_generated.yaml b/deployment/test/flyte_generated.yaml index ea1954bee08..80a3227e714 100644 --- a/deployment/test/flyte_generated.yaml +++ b/deployment/test/flyte_generated.yaml @@ -293,7 +293,8 @@ data: server.yaml: | server: httpPort: 8088 - grpcPort: 8089 + grpc: + port: 8089 security: # Controls whether to serve requests over SSL/TLS. secure: false diff --git a/docker/sandbox-bundled/manifests/complete-agent.yaml b/docker/sandbox-bundled/manifests/complete-agent.yaml index bc96ffac8f0..e0b8ccf0214 100644 --- a/docker/sandbox-bundled/manifests/complete-agent.yaml +++ b/docker/sandbox-bundled/manifests/complete-agent.yaml @@ -816,7 +816,7 @@ type: Opaque --- apiVersion: v1 data: - haSharedSecret: YXFGVndTaXBySjFxWEIxNA== + haSharedSecret: U0hiQTdiMXNvVnpUNlJwQw== proxyPassword: "" proxyUsername: "" kind: Secret 
@@ -1412,7 +1412,7 @@ spec: metadata: annotations: checksum/config: 8f50e768255a87f078ba8b9879a0c174c3e045ffb46ac8723d2eedbe293c8d81 - checksum/secret: f5132fa475eb2386265cbda64d4e6d56922b771a5f7f5e6e8e4536a712663e45 + checksum/secret: 72b41c7359900ebfb3ca09949d0364d7f6aa7b3b14150b9d03a74adb3552200f labels: app: docker-registry release: flyte-sandbox diff --git a/docker/sandbox-bundled/manifests/complete.yaml b/docker/sandbox-bundled/manifests/complete.yaml index 36aca312f35..d62dd756b18 100644 --- a/docker/sandbox-bundled/manifests/complete.yaml +++ b/docker/sandbox-bundled/manifests/complete.yaml @@ -796,7 +796,7 @@ type: Opaque --- apiVersion: v1 data: - haSharedSecret: QVo4T0pQZmZLcFZmNjIyNQ== + haSharedSecret: SmlSTDRsVWlrQTZlMVBVUw== proxyPassword: "" proxyUsername: "" kind: Secret @@ -1360,7 +1360,7 @@ spec: metadata: annotations: checksum/config: 8f50e768255a87f078ba8b9879a0c174c3e045ffb46ac8723d2eedbe293c8d81 - checksum/secret: f5e2b9fbf28a7d7815a094f72366cac395bd0aacd7890faa07e80ec700770fc5 + checksum/secret: 7c2daa5afe193557c150ec77aa9c1d728d9625b3e5044c82d26815721370a263 labels: app: docker-registry release: flyte-sandbox diff --git a/docker/sandbox-bundled/manifests/dev.yaml b/docker/sandbox-bundled/manifests/dev.yaml index 80e06fc6a2c..c610a97d383 100644 --- a/docker/sandbox-bundled/manifests/dev.yaml +++ b/docker/sandbox-bundled/manifests/dev.yaml @@ -499,7 +499,7 @@ metadata: --- apiVersion: v1 data: - haSharedSecret: dktYanZDU0tsa0hTWlZmWA== + haSharedSecret: OTBxZmhLR1UzVU5NSlpCQg== proxyPassword: "" proxyUsername: "" kind: Secret @@ -934,7 +934,7 @@ spec: metadata: annotations: checksum/config: 8f50e768255a87f078ba8b9879a0c174c3e045ffb46ac8723d2eedbe293c8d81 - checksum/secret: 7956909ef2268e1aad9b4b132d938c8b1a5775321bacfaf61aea7b73cdbcc85e + checksum/secret: 07b7d83b4771bd6129922773e92b596f6a27c550da6b5f6d3284da050a15df29 labels: app: docker-registry release: flyte-sandbox 
diff --git a/docs/deployment/configuration/auth_setup.rst b/docs/deployment/configuration/auth_setup.rst index 2887e830ede..1131c30e98c 100644 --- a/docs/deployment/configuration/auth_setup.rst +++ b/docs/deployment/configuration/auth_setup.rst @@ -26,9 +26,9 @@ Using an implementation of the `Open ID Connect (OIDC) specification `__, the authorization server's role is to issue *access tokens to the client after successfully authenticating the resource owner and obtaining authorization*. In this context, the *resource owner* is the end user of Flyte; and the *client* is the tool or component that intends to interact with ``flyteadmin`` : ``flytepropeller``, ``flyteconsole`` or any of the CLI tools. There are two supported options to use an authorization server in Flyte: - - * **Internal authorization server**: It comes pre-installed with Flyte and it is a suitable choice for quick start and testing purposes. - * **External (custom) authorization server**: This a service provided by one of the supported IdPs and is the recommended option if your organization needs to retain control over scope definitions and grants, token expiration policies and other advanced security controls. + + * **Internal authorization server**: It comes pre-installed with Flyte and it is a suitable choice for quick start and testing purposes. + * **External (custom) authorization server**: This a service provided by one of the supported IdPs and is the recommended option if your organization needs to retain control over scope definitions and grants, token expiration policies and other advanced security controls. .. note:: 
@@ -64,7 +64,7 @@ Flyte supports OAuth2 and OpenId Connect to secure the various connections: * :ref:`OpenID Connect `: used to secure user's authentication to ``flyteadmin`` through the UI. * :ref:`OAuth2 `: used to secure connections from clients (i.e. ``pyflyte``, ``flytectl`` and - ``flytepropeller``) to the ``flyteadmin`` service. + ``flytepropeller``) to the ``flyteadmin`` service. Support for these protocols varies per IdP. Checkout the following table to understand the available support level for your IdP: 
@@ -82,46 +82,46 @@ Identity Management layer : OIDC =================================== In this section, you can find canonical examples of how to set up OIDC on some of the supported IdPs; enabling users to authenticate in the -browser. +browser. .. tabs:: .. group-tab:: Google - + - Create an OAuth2 Client Credential following the `official documentation `__ and take note of the ``client_id`` and ``client_secret`` - - In the **Authorized redirect URIs** field, add ``http://localhost:30081/callback`` for **sandbox** deployments, or ``https:///callback`` for other methods of deployment. - - + - In the **Authorized redirect URIs** field, add ``http://localhost:30081/callback`` for **sandbox** deployments, or ``https:///callback`` for other methods of deployment. + + .. group-tab:: Okta - - + + 1. If you don't already have an Okta account, sign up for one `here `__. 2. Create an app integration, with `OIDC - OpenID Connect` as the sign-on method and `Web Application` as the app type. - 3. Add sign-in redirect URIs: - - - ``http://localhost:30081/callback`` for sandbox or ``https:///callback`` for other Flyte deployment types. - + 3. Add sign-in redirect URIs: + + - ``http://localhost:30081/callback`` for sandbox or ``https:///callback`` for other Flyte deployment types. + 4. *Optional* - Add logout redirect URIs: - - - ``http://localhost:30081/logout`` for sandbox, ``https:///callback`` for other Flyte deployment types). - + + - ``http://localhost:30081/logout`` for sandbox, ``https:///callback`` for other Flyte deployment types). + 5. Take note of the Client ID and Client Secret - + .. group-tab:: Keycloak - + 1. If you don't have a Keycloak installation, you can use `this `__ which provides a quick way to deploy Keycloak cluster on AWS. 2. Create a realm using the `admin console `__ 3. Create an OIDC client with client secret and note them down. Use the following `instructions `__ 4. 
Add Login redirect URIs: - + - ``http://localhost:30081/callback`` for sandbox or ``https:///callback`` for other Flyte deployment types. - + .. group-tab:: Microsoft Entra ID (Azure AD) - + 1. From the Azure homepage go to **Azure Active Directory** 2. From the **Ovierview** page, take note of the **Tenant ID** 3. Go to **App registrations** @@ -129,20 +129,20 @@ browser. 5. Give it a descriptive name 6. For the **Supported account types** select the option that matches your organization's security policy 7. In the **Redirect URI** section select: - + - **Web** platform - Add ``http://localhost:30081/callback`` for sandbox or ``https:///callback`` for other Flyte deployment types - + 9. Click on **Register** 10. Once created, click on the registered app and go to the **Certificates and secrets** section 11. Go to **Client secrets** and create a **New client secret** 12. Enter a description and an expiration policy 13. Take note of the secret **Value** as it will be used in the Helm chart - + For further reference, check out the official `Azure AD Docs `__ on how to configure the IdP for OpenIDConnect. - + .. note:: - + Make sure the app is registered without `additional claims `__. The OpenIDConnect authentication will not work otherwise, please refer to this `GitHub Issue `__ and `Azure AD Docs `__ for more information. @@ -158,13 +158,13 @@ Apply OIDC Configuration 1. Generate a random password to be used internally by ``flytepropeller`` 2. Use the following command to generate a bcrypt hash for that password: - + .. prompt:: bash $ pip install bcrypt && python -c 'import bcrypt; import base64; print(base64.b64encode(bcrypt.hashpw("".encode("utf-8"), bcrypt.gensalt(6))))' 3. Go to your values file and locate the ``auth`` section and replace values accordingly: - + .. code-block:: yaml auth: 
@@ -191,13 +191,13 @@ Apply OIDC Configuration 5. Upgrade your Helm release with the new values: .. prompt:: bash $ - - helm upgrade flyteorg/flyte-binary -n --values .yaml + + helm upgrade flyteorg/flyte-binary -n --values .yaml Where: - + * ```` is the name of your Helm release, typically ``flyte-backend``. You can find it using ``helm ls -n `` - + 6. Verify that your Flyte deployment now requires successful login to your IdP to access the UI (``https:///console``) @@ -208,18 +208,18 @@ Apply OIDC Configuration admin: ... authType: Pkce #change from the default `clientCred` to enable client auth without using shared secrets - ... + ... .. group-tab:: flyte-core 1. Generate a random password to be used internally by flytepropeller 2. Use the following command to generate a bcrypt hash for that password: - + .. prompt:: bash $ - + pip install bcrypt && python -c 'import bcrypt; import base64; print(base64.b64encode(bcrypt.hashpw("".encode("utf-8"), bcrypt.gensalt(6))))' - + Take note of the output (only the contents inside `''`) 3. Store the ``client_secret`` provided by your IdP in a Kubernetes secret as follows: @@ -252,7 +252,8 @@ Apply OIDC Configuration adminServer: server: httpPort: 8088 - grpcPort: 8089 + grpc: + port: 8089 security: secure: false useAuth: true @@ -277,7 +278,7 @@ Apply OIDC Configuration id: flyte-cli redirect_uris: - http://localhost:53593/callback - - http://localhost:12345/callback + - http://localhost:12345/callback grant_types: - refresh_token - authorization_code @@ -308,7 +309,7 @@ Apply OIDC Configuration flytepropeller: id: flytepropeller # Use the bcrypt hash generated for your random password - client_secret: "" + client_secret: "" redirect_uris: - http://localhost:3846/callback grant_types: @@ -321,7 +322,7 @@ Apply OIDC Configuration - offline - access_token public: false - + authorizedUris: # Use the public URL of flyteadmin (a DNS record pointing to your Ingress resource) - https:// 
@@ -340,21 +341,21 @@ Apply OIDC Configuration - openid 7. Additionally, outside the ``configmap`` section, add the following block and replace the necessary information: - + .. code-block:: yaml - + secrets: adminOauthClientCredentials: # -- If enabled is true, helm will create and manage `flyte-secret-auth` and populate it with `clientSecret`. # If enabled is false, it's up to the user to create `flyte-secret-auth` enabled: true - # Use the non-encoded version of the random password - clientSecret: "" + # Use the non-encoded version of the random password + clientSecret: "" clientId: flytepropeller .. note:: - For `multi-cluster deployments `__, + For `multi-cluster deployments `__, you must add this Secret definition block to the `values-dataplane.yaml` file. If you are not running `flytepropeller` in the control plane cluster, you do not need to create this secret there. @@ -366,7 +367,7 @@ Apply OIDC Configuration helm upgrade flyteorg/flyte-binary -n --values .yaml - 10. Verify that the `flytepropeller`, `flytescheduler` and `flyteadmin` Pods are restarted and running: + 10. Verify that the `flytepropeller`, `flytescheduler` and `flyteadmin` Pods are restarted and running: .. prompt:: bash $ @@ -379,7 +380,7 @@ Apply OIDC Configuration admin: ... authType: Pkce #change from the default `clientCred` to enable client auth without using shared secrets - ... + ... .. note:: 
@@ -393,7 +394,7 @@ Custom Authorization Server *************************** -As mentioned previously, Flyte ships with an internal authorization server; hence setting up an external Authorization Server is optional and dependent on your organization's security requirements. +As mentioned previously, Flyte ships with an internal authorization server; hence setting up an external Authorization Server is optional and dependent on your organization's security requirements. In this section, you will find instructions on how to setup an OAuth2 Authorization Server in the different IdPs supported by Flyte: 
@@ -407,25 +408,25 @@ In this section, you will find instructions on how to setup an OAuth2 Authorizat .. tabs:: .. group-tab:: Okta - + Okta's custom authorization servers are available through an add-on license. The free developer accounts do include access, which you can use to test before rolling out the configuration more broadly. - + 1. From the left-hand menu, go to **Security** > **API** - 2. Click on **Add Authorization Server**. + 2. Click on **Add Authorization Server**. 3. Assign an informative name and set the audience to the public URL of FlyteAdmin (e.g. https://example.foobar.com). - + .. note:: - + The audience must exactly match one of the URIs in the ``authorizedUris`` section above - - 4. Note down the **Issuer URI**; this will be used for all the ``baseUrl`` settings in the Flyte config. - 5. Go to **Scopes** and click **Add Scope**. - 6. Set the name to ``all`` (required) and check ``Required`` under the **User consent** option. - 7. Uncheck the **Block services from requesting this scope** option and save your changes. + + 4. Note down the **Issuer URI**; this will be used for all the ``baseUrl`` settings in the Flyte config. + 5. Go to **Scopes** and click **Add Scope**. + 6. Set the name to ``all`` (required) and check ``Required`` under the **User consent** option. + 7. Uncheck the **Block services from requesting this scope** option and save your changes. 8. Add another scope, named ``offline``. Check both the **Required** and **Include in public metadata** options. - 9. Uncheck the **Block services from requesting this scope** option. - 10. Click **Save**. - 11. Go to **Access Policies**, click **Add New Access Policy**. Enter a name and description and enable **Assign to** - ``All clients``. + 9. Uncheck the **Block services from requesting this scope** option. + 10. Click **Save**. + 11. Go to **Access Policies**, click **Add New Access Policy**. Enter a name and description and enable **Assign to** - ``All clients``. 12. 
Add a rule to the policy with the default settings (you can fine-tune these later). 13. Navigate back to the **Applications** section. 14. Create an integration for ``flytectl``; it should be created with the **OIDC - OpenID Connect** sign-on method, and the **Native Application** type. @@ -437,12 +438,12 @@ In this section, you will find instructions on how to setup an OAuth2 Authorizat 20. This app does not need a specific redirect URI; nor does it need to be assigned to any users. 21. Note down the **Client ID** and **Client secret**; you will need these later. 22. Take note of the **Issuer URI** for your Authorization Server. It will be used as the baseURL parameter in the Helm chart - + You should have three integrations total - one for the web interface (``flyteconsole``), one for ``flytectl``, and one for ``flytepropeller``. - + .. group-tab:: Keycloak - - + + 1. If you don't have a Keycloak installation, you can use `this `__ which provides quick way to deploy Keycloak cluster on AWS. 2. Create a realm in keycloak installation using its `admin console `__ 3. Under `Client Scopes`, click `Add Create` inside the admin console. @@ -452,7 +453,7 @@ In this section, you will find instructions on how to setup an OAuth2 Authorizat 7. Take note of the client ID and client Secrets provided. .. group-tab:: Azure AD - + 1. Navigate to tab **Overview**, obtain ```` and ```` 2. Navigate to tab **Authentication**, click ``+Add a platform`` 3. Add **Web** for flyteconsole and flytepropeller, **Mobile and desktop applications** for flytectl. @@ -473,10 +474,10 @@ Follow the steps in this section to configure `flyteadmin` to use an external au .. tabs:: .. group-tab:: flyte-binary - + 1. Go to the values YAML file you used to install Flyte using a Helm chart 2. Find the ``auth`` section and follow the inline comments to insert your configuration: - + .. code-block:: yaml auth: 
@@ -485,7 +486,7 @@ Follow the steps in this section to configure `flyteadmin` to use an external au # baseUrl: https:///auth/realms/ # Uncomment for Keycloak and update with your installation host and realm name # baseUrl: https://login.microsoftonline.com//oauth2/v2.0/authorize # Uncomment for Azure AD # For Okta, use the Issuer URI of the custom auth server: - baseUrl: https://dev-.okta.com/oauth2/ + baseUrl: https://dev-.okta.com/oauth2/ # Use the client ID and secret generated by your IdP for the first OIDC registration in the "Identity Management layer : OIDC" section of this guide clientId: clientSecret: @@ -498,11 +499,11 @@ Follow the steps in this section to configure `flyteadmin` to use an external au clientSecretHash: <-flytepropeller-secret-bcrypt-hash> authorizedUris: # Use here the exact same value used for 'audience' when the Authorization server was configured - - https:// - - + - https:// + + 3. Find the ``inline`` section of the values file and add the following content, replacing where needed: - + .. code-block:: yaml inline: @@ -513,8 +514,8 @@ Follow the steps in this section to configure `flyteadmin` to use an external au # baseUrl: https:///auth/realms/ # Uncomment for Keycloak and update with your installation host and realm name # baseUrl: https://login.microsoftonline.com//oauth2/v2.0/authorize # Uncomment for Azure AD # For Okta, use the Issuer URI of the custom auth server: - baseUrl: https://dev-.okta.com/oauth2/ - metadataUrl: .well-known/oauth-authorization-server + baseUrl: https://dev-.okta.com/oauth2/ + metadataUrl: .well-known/oauth-authorization-server thirdPartyConfig: flyteClient: # Use the clientID generated by your IdP for the `flytectl` app registration 
@@ -527,16 +528,16 @@ Follow the steps in this section to configure `flyteadmin` to use an external au openId: # baseUrl: https:///auth/realms/ # Uncomment for Keycloak and update with your installation host and realm name # baseUrl: https://login.microsoftonline.com//oauth2/v2.0/authorize # Uncomment for Azure AD - # For Okta, use the Issuer URI of the custom auth server: + # For Okta, use the Issuer URI of the custom auth server: baseUrl: https://dev-.okta.com/oauth2/ - scopes: - - profile - - openid - # - offline_access # Uncomment if your IdP supports issuing refresh tokens (optional) - # Use the client ID and secret generated by your IdP for the first OIDC registration in the "Identity Management layer : OIDC" section of this guide + scopes: + - profile + - openid + # - offline_access # Uncomment if your IdP supports issuing refresh tokens (optional) + # Use the client ID and secret generated by your IdP for the first OIDC registration in the "Identity Management layer : OIDC" section of this guide clientId: - - + + 4. Save your changes 5. Upgrade your Helm release with the new configuration: @@ -544,18 +545,18 @@ Follow the steps in this section to configure `flyteadmin` to use an external au helm upgrade flyteorg/flyte-core -n --values .yaml - + .. group-tab:: flyte-core - + 1. Find the ``auth`` section in your Helm values file, and replace the necessary data: - .. note:: + .. note:: If you were previously using the internal auth server, make sure to delete all the ``selfAuthServer`` section from your values file .. code-block:: yaml - + configmap: auth: appAuth: 
@@ -566,9 +567,9 @@ Follow the steps in this section to configure `flyteadmin` to use an external au externalAuthServer: # baseUrl: https:///auth/realms/ # Uncomment for Keycloak and update with your installation host and realm name # baseUrl: https://login.microsoftonline.com//oauth2/v2.0/authorize # Uncomment for Azure AD - # For Okta, use the Issuer URI of the custom auth server: + # For Okta, use the Issuer URI of the custom auth server: baseUrl: https://dev-.okta.com/oauth2/ - + metadataUrl: .well-known/openid-configuration thirdPartyConfig: @@ -586,15 +587,15 @@ Follow the steps in this section to configure `flyteadmin` to use an external au openId: # baseUrl: https:///auth/realms/ # Uncomment for Keycloak and update with your installation host and realm name # baseUrl: https://login.microsoftonline.com//oauth2/v2.0/authorize # Uncomment for Azure AD - # For Okta, use the Issuer URI of the custom auth server: + # For Okta, use the Issuer URI of the custom auth server: baseUrl: https://dev-.okta.com/oauth2/ scopes: - profile - openid # - offline_access # Uncomment if OIdC supports issuing refresh tokens. clientId: - - + + secrets: adminOauthClientCredentials: enabled: true # see the section "Disable Helm secret management" if you require to do so @@ -602,7 +603,7 @@ Follow the steps in this section to configure `flyteadmin` to use an external au clientSecret: # Replace with the client_id provided by provided by your IdP for flytepropeller. clientId: - + 2. Save your changes 3. Upgrade your Helm release with the new configuration: @@ -675,7 +676,7 @@ Alternatively, you can instruct Helm not to create and manage the secret for ``f adminOauthClientCredentials: enabled: false #set to false # Replace with the client_id provided by provided by your IdP for flytepropeller. - clientId: + clientId: 2. Create a secret declaratively: 
@@ -701,75 +702,75 @@ If your organization does any automated registration, then you'll need to authen .. tabs:: .. group-tab:: flytectl - + Flytectl's `config.yaml `_ can be configured to use either PKCE (`Proof key for code exchange `_) or Client Credentials (`Client Credentials `_) flows. - + 1. Update ``config.yaml`` as follows: - + .. code-block:: yaml - + admin: # Update with the Flyte's ingress endpoint (e.g. flyteIngressIP for sandbox or example.foobar.com) # You must keep the 3 forward-slashes after dns: endpoint: dns:/// - + # Update auth type to `Pkce` or `ClientSecret` authType: Pkce - + # Set to the clientId (will be used for both Pkce and ClientSecret flows) # Leave empty to use the value discovered through flyteAdmin's Auth discovery endpoint. clientId: - + # Set to the location where the client secret is mounted. # Only needed/used for `ClientSecret` flow. clientSecretLocation: - + # If required, set the scopes needed here. Otherwise, flytectl will discover scopes required for OpenID # Connect through flyteAdmin's Auth discovery endpoint. # scopes: [ "scope1", "scope2" ] - + To read further about the available config options, please `visit here `_ - + .. group-tab:: Flytekit / pyflyte - + Flytekit configuration variables are automatically designed to look up values from relevant environment variables. .. important:: However, to aid with continuous integration use-cases, Flytekit configuration can also reference other environment variables. - + For instance, if your CI system is not capable of setting custom environment variables like ``FLYTE_CREDENTIALS_CLIENT_SECRET`` but does set the necessary settings under a different variable, you may use ``export FLYTE_CREDENTIALS_CLIENT_SECRET_FROM_ENV_VAR=OTHER_ENV_VARIABLE`` to redirect the lookup. 
A ``FLYTE_CREDENTIALS_CLIENT_SECRET_FROM_FILE`` redirect is available as well, where the value should be the full path to the file containing the value for the configuration setting, in this case, the client secret. We found this redirect behavior necessary when setting up registration within our own CI pipelines. - + The following is a listing of the Flytekit configuration values we set in CI, along with a brief explanation. - + .. code-block:: bash - + # When using OAuth2 service auth, this is the username and password. export FLYTE_CREDENTIALS_CLIENT_ID= export FLYTE_CREDENTIALS_CLIENT_SECRET= - + # This tells the SDK to use basic authentication. If not set, Flytekit will assume you want to use the # standard OAuth based three-legged flow. export FLYTE_CREDENTIALS_AUTH_MODE=basic - + # This value should be set to conform to this # `header config `_ # on the Admin side. export FLYTE_CREDENTIALS_AUTHORIZATION_METADATA_KEY=
- + # When using basic authentication, you'll need to specify a scope to the IDP (instead of ``openid``, which is # only for OAuth). Set that here. export FLYTE_CREDENTIALS_OAUTH_SCOPES= - + # Set this to force Flytekit to use authentication, even if not required by Admin. This is useful as you're # rolling out the requirement. export FLYTE_PLATFORM_AUTH=True
diff --git a/flyteadmin/flyteadmin_config.yaml b/flyteadmin/flyteadmin_config.yaml
index 443814572bd..693e290b2a2 100644
--- a/flyteadmin/flyteadmin_config.yaml
+++ b/flyteadmin/flyteadmin_config.yaml
@@ -4,7 +4,8 @@
 # https://github.com/lyft/flyte/blob/b47565c9998cde32b0b5f995981e3f3c990fa7cd/artifacts/flyteadmin.yaml#L72
 server:
 httpPort: 8088
- grpcPort: 8089
+ grpc:
+ port: 8089
 grpcServerReflection: true
 kube-config: /Users/ytong/.flyte/sandbox/kubeconfig
 security:
diff --git a/flyteadmin/script/integration/k8s/integration.yaml b/flyteadmin/script/integration/k8s/integration.yaml
index 4fae0bab27d..0d03baa901b 100644
--- a/flyteadmin/script/integration/k8s/integration.yaml
+++ b/flyteadmin/script/integration/k8s/integration.yaml
@@ -245,7 +245,8 @@ data:
 development.integration: |-
 server:
 httpPort: 8088
- grpcPort: 8089
+ grpc:
+ port: 8089
 kube-config: "$HOME/.kube/config"
 grpcServerReflection: true
 security:
diff --git a/kustomize/base/single_cluster/headless/config/admin/server.yaml b/kustomize/base/single_cluster/headless/config/admin/server.yaml
index e13f3ad156a..780a94bbfef 100644
--- a/kustomize/base/single_cluster/headless/config/admin/server.yaml
+++ b/kustomize/base/single_cluster/headless/config/admin/server.yaml
@@ -1,6 +1,7 @@
 server:
 httpPort: 8088
- grpcPort: 8089
+ grpc:
+ port: 8089
 security:
 # Controls whether to serve requests over SSL/TLS.
 secure: false