Fix mounting secrets

charts/flyte-core/README.md

@@ -273,7 +273,7 @@ helm install gateway bitnami/contour -n flyte
 | flytescheduler.tolerations | list | `[]` | tolerations for Flytescheduler deployment |
 | secrets.adminOauthClientCredentials.clientId | string | `"flytepropeller"` |  |
 | secrets.adminOauthClientCredentials.clientSecret | string | `"foobar"` |  |
-| secrets.adminOauthClientCredentials.enabled | bool | `true` | If enabled is true, helm will create and manage `flyte-secret-auth` and populate it with `clientSecret`. If enabled is false, it's up to the user to create `flyte-secret-auth` as described in https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#oauth2-authorization-server |
+| secrets.adminOauthClientCredentials.enabled | bool | `true` |  |
 | sparkoperator | object | `{"enabled":false,"plugin_config":{"plugins":{"spark":{"spark-config-default":[{"spark.hadoop.fs.s3a.aws.credentials.provider":"com.amazonaws.auth.DefaultAWSCredentialsProviderChain"},{"spark.hadoop.mapreduce.fileoutputcommitter.algorithm.version":"2"},{"spark.kubernetes.allocation.batch.size":"50"},{"spark.hadoop.fs.s3a.acl.default":"BucketOwnerFullControl"},{"spark.hadoop.fs.s3n.impl":"org.apache.hadoop.fs.s3a.S3AFileSystem"},{"spark.hadoop.fs.AbstractFileSystem.s3n.impl":"org.apache.hadoop.fs.s3a.S3A"},{"spark.hadoop.fs.s3.impl":"org.apache.hadoop.fs.s3a.S3AFileSystem"},{"spark.hadoop.fs.AbstractFileSystem.s3.impl":"org.apache.hadoop.fs.s3a.S3A"},{"spark.hadoop.fs.s3a.impl":"org.apache.hadoop.fs.s3a.S3AFileSystem"},{"spark.hadoop.fs.AbstractFileSystem.s3a.impl":"org.apache.hadoop.fs.s3a.S3A"},{"spark.hadoop.fs.s3a.multipart.threshold":"536870912"},{"spark.blacklist.enabled":"true"},{"spark.blacklist.timeout":"5m"},{"spark.task.maxfailures":"8"}]}}}}` | Optional: Spark Plugin using the Spark Operator |
 | sparkoperator.enabled | bool | `false` | - enable or disable Sparkoperator deployment installation |
 | sparkoperator.plugin_config | object | `{"plugins":{"spark":{"spark-config-default":[{"spark.hadoop.fs.s3a.aws.credentials.provider":"com.amazonaws.auth.DefaultAWSCredentialsProviderChain"},{"spark.hadoop.mapreduce.fileoutputcommitter.algorithm.version":"2"},{"spark.kubernetes.allocation.batch.size":"50"},{"spark.hadoop.fs.s3a.acl.default":"BucketOwnerFullControl"},{"spark.hadoop.fs.s3n.impl":"org.apache.hadoop.fs.s3a.S3AFileSystem"},{"spark.hadoop.fs.AbstractFileSystem.s3n.impl":"org.apache.hadoop.fs.s3a.S3A"},{"spark.hadoop.fs.s3.impl":"org.apache.hadoop.fs.s3a.S3AFileSystem"},{"spark.hadoop.fs.AbstractFileSystem.s3.impl":"org.apache.hadoop.fs.s3a.S3A"},{"spark.hadoop.fs.s3a.impl":"org.apache.hadoop.fs.s3a.S3AFileSystem"},{"spark.hadoop.fs.AbstractFileSystem.s3a.impl":"org.apache.hadoop.fs.s3a.S3A"},{"spark.hadoop.fs.s3a.multipart.threshold":"536870912"},{"spark.blacklist.enabled":"true"},{"spark.blacklist.timeout":"5m"},{"spark.task.maxfailures":"8"}]}}}` | Spark plugin configuration |

charts/flyte-core/templates/common/secret-auth.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.secrets.adminOauthClientCredentials.enabled }}
+{{- if and (.Values.secrets.adminOauthClientCredentials.enabled) (not (empty .Values.secrets.adminOauthClientCredentials.clientSecret)) }}
 apiVersion: v1
 kind: Secret
 metadata:

charts/flyte-core/values-keycloak-idp-flyteclients-without-browser.yaml

@@ -298,9 +298,12 @@ deployRedoc: false
 
 secrets:
   adminOauthClientCredentials:
-    # -- If enabled is true, helm will create and manage `flyte-secret-auth` and populate it with `clientSecret`.
-    # If enabled is false, it's up to the user to create `flyte-secret-auth` as described in
+    # If enabled is true, and `clientSecret` is specified, helm will create and mount `flyte-secret-auth`.
+    # If enabled is true, and `clientSecret` is null, it's up to the user to create `flyte-secret-auth` as described in
     # https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#oauth2-authorization-server
+    # and helm will mount `flyte-secret-auth`.
+    # If enabled is false, auth is not turned on.
+    # Note: Unsupported combination: enabled.false and clientSecret.someValue
     enabled: true
     clientSecret: "<>" # put the secret for the confidential client flytepropeller defined in the IDP
     clientId: "flytepropeller" #use this client id and secret in the flytectl config with ClientSecret option

charts/flyte-core/values.yaml

@@ -430,9 +430,12 @@ deployRedoc: false
 
 secrets:
   adminOauthClientCredentials:
-    # -- If enabled is true, helm will create and manage `flyte-secret-auth` and populate it with `clientSecret`.
-    # If enabled is false, it's up to the user to create `flyte-secret-auth` as described in
+    # If enabled is true, and `clientSecret` is specified, helm will create and mount `flyte-secret-auth`.
+    # If enabled is true, and `clientSecret` is null, it's up to the user to create `flyte-secret-auth` as described in
     # https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#oauth2-authorization-server
+    # and helm will mount `flyte-secret-auth`.
+    # If enabled is false, auth is not turned on.
+    # Note: Unsupported combination: enabled.false and clientSecret.someValue
     enabled: true
     clientSecret: foobar
     clientId: flytepropeller

deployment/eks/flyte_aws_scheduler_helm_generated.yaml

@@ -849,7 +849,7 @@ spec:
   template:
     metadata:
       annotations:
-        configChecksum: "d50d9b515795be1f4937c58f37335ec9bd505ba4c51f96caf8491fa323abb56"
+        configChecksum: "618a516ca42e8bbe5222a76f7865a0a444b6048002d7fcc06144c9188f3fd3d"
       labels: 
         app.kubernetes.io/name: flyteadmin
         app.kubernetes.io/instance: flyte
@@ -1269,7 +1269,7 @@ spec:
   template:
     metadata:
       annotations:
-        configChecksum: "e7d99d3cce2e4e6d410d7c61f8c05bbb6b5dc901f5e9a199849438d31d5e467"
+        configChecksum: "e7a065fd96ff8a6564199b17e054fac2da37f402b421e20fbe2160fc43f11cc"
       labels: 
         app.kubernetes.io/name: flytepropeller
         app.kubernetes.io/instance: flyte
@@ -1351,7 +1351,7 @@ spec:
         app.kubernetes.io/name: flyte-pod-webhook
         app.kubernetes.io/version: v1.11.1-b1
       annotations:
-        configChecksum: "e7d99d3cce2e4e6d410d7c61f8c05bbb6b5dc901f5e9a199849438d31d5e467"
+        configChecksum: "e7a065fd96ff8a6564199b17e054fac2da37f402b421e20fbe2160fc43f11cc"
     spec:
       securityContext: 
         fsGroup: 65534

deployment/eks/flyte_helm_controlplane_generated.yaml

@@ -554,7 +554,7 @@ spec:
   template:
     metadata:
       annotations:
-        configChecksum: "b6087931f4457971d5fcd17d64491188322ffc2f86e31f943b142c76edb9e67"
+        configChecksum: "5ce6f593fb92c9a6fd183825231d187471b5f10fe948f601f6d5b56edd02b51"
       labels: 
         app.kubernetes.io/name: flyteadmin
         app.kubernetes.io/instance: flyte
@@ -974,7 +974,7 @@ spec:
   template:
     metadata:
       annotations:
-        configChecksum: "b6087931f4457971d5fcd17d64491188322ffc2f86e31f943b142c76edb9e67"
+        configChecksum: "5ce6f593fb92c9a6fd183825231d187471b5f10fe948f601f6d5b56edd02b51"
       labels: 
         app.kubernetes.io/name: flytescheduler
         app.kubernetes.io/instance: flyte

deployment/eks/flyte_helm_dataplane_generated.yaml

@@ -428,7 +428,7 @@ spec:
   template:
     metadata:
       annotations:
-        configChecksum: "e7d99d3cce2e4e6d410d7c61f8c05bbb6b5dc901f5e9a199849438d31d5e467"
+        configChecksum: "e7a065fd96ff8a6564199b17e054fac2da37f402b421e20fbe2160fc43f11cc"
       labels: 
         app.kubernetes.io/name: flytepropeller
         app.kubernetes.io/instance: flyte
@@ -510,7 +510,7 @@ spec:
         app.kubernetes.io/name: flyte-pod-webhook
         app.kubernetes.io/version: v1.11.1-b1
       annotations:
-        configChecksum: "e7d99d3cce2e4e6d410d7c61f8c05bbb6b5dc901f5e9a199849438d31d5e467"
+        configChecksum: "e7a065fd96ff8a6564199b17e054fac2da37f402b421e20fbe2160fc43f11cc"
     spec:
       securityContext: 
         fsGroup: 65534

deployment/eks/flyte_helm_generated.yaml

@@ -880,7 +880,7 @@ spec:
   template:
     metadata:
       annotations:
-        configChecksum: "b6087931f4457971d5fcd17d64491188322ffc2f86e31f943b142c76edb9e67"
+        configChecksum: "5ce6f593fb92c9a6fd183825231d187471b5f10fe948f601f6d5b56edd02b51"
       labels: 
         app.kubernetes.io/name: flyteadmin
         app.kubernetes.io/instance: flyte
@@ -1300,7 +1300,7 @@ spec:
   template:
     metadata:
       annotations:
-        configChecksum: "b6087931f4457971d5fcd17d64491188322ffc2f86e31f943b142c76edb9e67"
+        configChecksum: "5ce6f593fb92c9a6fd183825231d187471b5f10fe948f601f6d5b56edd02b51"
       labels: 
         app.kubernetes.io/name: flytescheduler
         app.kubernetes.io/instance: flyte
@@ -1399,7 +1399,7 @@ spec:
   template:
     metadata:
       annotations:
-        configChecksum: "e7d99d3cce2e4e6d410d7c61f8c05bbb6b5dc901f5e9a199849438d31d5e467"
+        configChecksum: "e7a065fd96ff8a6564199b17e054fac2da37f402b421e20fbe2160fc43f11cc"
       labels: 
         app.kubernetes.io/name: flytepropeller
         app.kubernetes.io/instance: flyte
@@ -1481,7 +1481,7 @@ spec:
         app.kubernetes.io/name: flyte-pod-webhook
         app.kubernetes.io/version: v1.11.1-b1
       annotations:
-        configChecksum: "e7d99d3cce2e4e6d410d7c61f8c05bbb6b5dc901f5e9a199849438d31d5e467"
+        configChecksum: "e7a065fd96ff8a6564199b17e054fac2da37f402b421e20fbe2160fc43f11cc"
     spec:
       securityContext: 
         fsGroup: 65534

deployment/gcp/flyte_helm_controlplane_generated.yaml

@@ -569,7 +569,7 @@ spec:
   template:
     metadata:
       annotations:
-        configChecksum: "b35a14d8bfd46ac863acf50bc4f338954b2f1315b66dc1fc17123885cc4dc37"
+        configChecksum: "0705f122f2535babec96a6083827c3e6d27e6e9b0e460b4d07292c858079ac7"
       labels: 
         app.kubernetes.io/name: flyteadmin
         app.kubernetes.io/instance: flyte
@@ -989,7 +989,7 @@ spec:
   template:
     metadata:
       annotations:
-        configChecksum: "b35a14d8bfd46ac863acf50bc4f338954b2f1315b66dc1fc17123885cc4dc37"
+        configChecksum: "0705f122f2535babec96a6083827c3e6d27e6e9b0e460b4d07292c858079ac7"
       labels: 
         app.kubernetes.io/name: flytescheduler
         app.kubernetes.io/instance: flyte

deployment/gcp/flyte_helm_dataplane_generated.yaml

@@ -436,7 +436,7 @@ spec:
   template:
     metadata:
       annotations:
-        configChecksum: "8a15e3074047b226537f0c506efa34aa2459b94274bbd3073f597126f81a59a"
+        configChecksum: "ddc04c6de49a20c7b297c49103fb428ea5c5f46124331c2546848ac1e2d4bf1"
       labels: 
         app.kubernetes.io/name: flytepropeller
         app.kubernetes.io/instance: flyte
@@ -517,7 +517,7 @@ spec:
         app.kubernetes.io/name: flyte-pod-webhook
         app.kubernetes.io/version: v1.11.1-b1
       annotations:
-        configChecksum: "8a15e3074047b226537f0c506efa34aa2459b94274bbd3073f597126f81a59a"
+        configChecksum: "ddc04c6de49a20c7b297c49103fb428ea5c5f46124331c2546848ac1e2d4bf1"
     spec:
       securityContext: 
         fsGroup: 65534

deployment/gcp/flyte_helm_generated.yaml

@@ -903,7 +903,7 @@ spec:
   template:
     metadata:
       annotations:
-        configChecksum: "b35a14d8bfd46ac863acf50bc4f338954b2f1315b66dc1fc17123885cc4dc37"
+        configChecksum: "0705f122f2535babec96a6083827c3e6d27e6e9b0e460b4d07292c858079ac7"
       labels: 
         app.kubernetes.io/name: flyteadmin
         app.kubernetes.io/instance: flyte
@@ -1323,7 +1323,7 @@ spec:
   template:
     metadata:
       annotations:
-        configChecksum: "b35a14d8bfd46ac863acf50bc4f338954b2f1315b66dc1fc17123885cc4dc37"
+        configChecksum: "0705f122f2535babec96a6083827c3e6d27e6e9b0e460b4d07292c858079ac7"
       labels: 
         app.kubernetes.io/name: flytescheduler
         app.kubernetes.io/instance: flyte
@@ -1422,7 +1422,7 @@ spec:
   template:
     metadata:
       annotations:
-        configChecksum: "8a15e3074047b226537f0c506efa34aa2459b94274bbd3073f597126f81a59a"
+        configChecksum: "ddc04c6de49a20c7b297c49103fb428ea5c5f46124331c2546848ac1e2d4bf1"
       labels: 
         app.kubernetes.io/name: flytepropeller
         app.kubernetes.io/instance: flyte
@@ -1503,7 +1503,7 @@ spec:
         app.kubernetes.io/name: flyte-pod-webhook
         app.kubernetes.io/version: v1.11.1-b1
       annotations:
-        configChecksum: "8a15e3074047b226537f0c506efa34aa2459b94274bbd3073f597126f81a59a"
+        configChecksum: "ddc04c6de49a20c7b297c49103fb428ea5c5f46124331c2546848ac1e2d4bf1"
     spec:
       securityContext: 
         fsGroup: 65534

docker/sandbox-bundled/manifests/complete-agent.yaml

@@ -816,7 +816,7 @@ type: Opaque
 ---
 apiVersion: v1
 data:
-  haSharedSecret: ZjEwSmt1RUY3aDlCdDVsRg==
+  haSharedSecret: d1lEYXc5ckRCSm1JTmFkOQ==
   proxyPassword: ""
   proxyUsername: ""
 kind: Secret
@@ -1412,7 +1412,7 @@ spec:
     metadata:
       annotations:
         checksum/config: 8f50e768255a87f078ba8b9879a0c174c3e045ffb46ac8723d2eedbe293c8d81
-        checksum/secret: d7249c11a963bd048b55d03454927119ba2f4bbf0a6328ded80c2579cf224f1d
+        checksum/secret: 9864cd5018cca419cae8935a5d7622552b3a930d4b1eae413e16e99b98fccb99
       labels:
         app: docker-registry
         release: flyte-sandbox

docker/sandbox-bundled/manifests/complete.yaml

@@ -796,7 +796,7 @@ type: Opaque
 ---
 apiVersion: v1
 data:
-  haSharedSecret: aWRqOTR0QTVZRE1CaGVRdw==
+  haSharedSecret: OHBWcEpOdXhqZHVIRFJHbQ==
   proxyPassword: ""
   proxyUsername: ""
 kind: Secret
@@ -1360,7 +1360,7 @@ spec:
     metadata:
       annotations:
         checksum/config: 8f50e768255a87f078ba8b9879a0c174c3e045ffb46ac8723d2eedbe293c8d81
-        checksum/secret: 863f8bfa183a5195d769b933f0d975109a0d5f407710e22937545b2b118e6917
+        checksum/secret: 2a295dba90805d8df9af4250a168421fa16934a6365bfd7c2a75884acd469bc1
       labels:
         app: docker-registry
         release: flyte-sandbox

docker/sandbox-bundled/manifests/dev.yaml

@@ -499,7 +499,7 @@ metadata:
 ---
 apiVersion: v1
 data:
-  haSharedSecret: Z0xGR25hRVd6TlZoOERxZA==
+  haSharedSecret: NWd2OVBoOVg5Q2xCQjRiWA==
   proxyPassword: ""
   proxyUsername: ""
 kind: Secret
@@ -934,7 +934,7 @@ spec:
     metadata:
       annotations:
         checksum/config: 8f50e768255a87f078ba8b9879a0c174c3e045ffb46ac8723d2eedbe293c8d81
-        checksum/secret: 6c870dc393e0c203d57b719e52c73856e98c35788dd05e75b2d00194cb4392f2
+        checksum/secret: 90abe8e666f3feb903aac09499eb8b9c8a4c3a5616f51345cfe635b7810a1987
       labels:
         app: docker-registry
         release: flyte-sandbox

docs/deployment/configuration/auth_setup.rst

@@ -346,8 +346,12 @@ Apply OIDC Configuration
 
          secrets:
            adminOauthClientCredentials:
-          # -- If enabled is true, helm will create and manage `flyte-secret-auth` and populate it with `clientSecret`.
-          # If enabled is false, it's up to the user to create `flyte-secret-auth`
+           # If enabled is true, and `clientSecret` is specified, helm will create and mount `flyte-secret-auth`.
+           # If enabled is true, and `clientSecret` is null, it's up to the user to create `flyte-secret-auth` as described in
+           # https://docs.flyte.org/en/latest/deployment/cluster_config/auth_setup.html#oauth2-authorization-server
+           # and helm will mount `flyte-secret-auth`.
+           # If enabled is false, auth is not turned on.
+           # Note: Unsupported combination: enabled.false and clientSecret.someValue
              enabled: true
            # Use the non-encoded version of the random password
              clientSecret: "<your-random-password>"
@@ -674,7 +678,8 @@ Alternatively, you can instruct Helm not to create and manage the secret for ``f
 
    secrets:
      adminOauthClientCredentials:
-       enabled: false #set to false
+       enabled: true # enable mounting the flyte-secret-auth secret to the flytepropeller.
+       clientSecret: null # disable Helm from creating the flyte-secret-auth secret.
        # Replace with the client_id provided by provided by your IdP for flytepropeller.
        clientId: <client_id>