From 25158b0cae66e6d1ff726b83f0e10ea88290daec Mon Sep 17 00:00:00 2001 From: ddl-ebrown Date: Thu, 11 Jul 2024 20:38:55 -0700 Subject: [PATCH 1/2] Remove core flyteadmin init-secret initContainer - A separate container instance that requires Kubernetes API access is unnecessary when Helm is able to generate the same secret values in the client before submitting resources to Kubernetes. The declarative approach here is identical to what the code does in https://github.com/flyteorg/flyte/blob/master/flyteadmin/auth/init_secrets.go#L80-L151 - The lookup function is used so that on upgrades, the secret is not regenerated -- the existing values in the cluster are used. - Note that Helm always creates secret resources before deployment resources, so the secret values are guaranteed to be available before flyteadmin starts - Update helm chart regenerate check so that it only fails if the diff has new or removed lines Signed-off-by: ddl-ebrown --- .../templates/admin/deployment.yaml | 25 ----------------- charts/flyte-core/templates/admin/secret.yaml | 17 +++++++++++ .../flyte_aws_scheduler_helm_generated.yaml | 28 ++++--------------- .../flyte_helm_controlplane_generated.yaml | 28 ++++--------------- deployment/eks/flyte_helm_generated.yaml | 28 ++++--------------- .../flyte_helm_controlplane_generated.yaml | 28 ++++--------------- deployment/gcp/flyte_helm_generated.yaml | 28 ++++--------------- deployment/sandbox/flyte_helm_generated.yaml | 28 ++++--------------- script/generate_helm.sh | 3 +- 9 files changed, 55 insertions(+), 158 deletions(-) diff --git a/charts/flyte-core/templates/admin/deployment.yaml b/charts/flyte-core/templates/admin/deployment.yaml index 23ea9966df..512fb80de8 100755 --- a/charts/flyte-core/templates/admin/deployment.yaml +++ b/charts/flyte-core/templates/admin/deployment.yaml @@ -107,31 +107,6 @@ spec: {{- end }} {{- end }} {{- end }} - - name: generate-secrets - image: "{{ .Values.flyteadmin.image.repository }}:{{ .Values.flyteadmin.image.tag }}" - imagePullPolicy: "{{ .Values.flyteadmin.image.pullPolicy }}" - command: ["/bin/sh", "-c"] - args: - [ - "flyteadmin --config={{ .Values.flyteadmin.configPath }} secrets init --localPath /etc/scratch/secrets && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --name flyte-admin-secrets --fromPath /etc/scratch/secrets", - ] - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - volumeMounts: - - mountPath: /etc/flyte/config - name: base-config-volume - - mountPath: /etc/scratch - name: scratch - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - {{- with .Values.flyteadmin.env -}} - {{- tpl (toYaml .) $ | nindent 12 }} - {{- end }} containers: - command: - flyteadmin diff --git a/charts/flyte-core/templates/admin/secret.yaml b/charts/flyte-core/templates/admin/secret.yaml index 3d1cd1ec80..cfb140f90a 100644 --- a/charts/flyte-core/templates/admin/secret.yaml +++ b/charts/flyte-core/templates/admin/secret.yaml @@ -1,11 +1,28 @@ {{- if .Values.flyteadmin.enabled }} +{{- $secret := (lookup "v1" "Secret" (include "flyte.namespace" .) "flyte-admin-secrets") -}} apiVersion: v1 kind: Secret metadata: name: flyte-admin-secrets namespace: {{ template "flyte.namespace" . }} type: Opaque +data: +{{- if $secret }} + token_rsa_key.pem: | + {{ index $secret.data "token_rsa_key.pem" }} + cookie_hash_key: {{ index $secret.data "cookie_hash_key" }} + cookie_block_key: {{ index $secret.data "cookie_block_key" }} + claim_symmetric_key: {{ index $secret.data "claim_symmetric_key" }} +{{- else }} + token_rsa_key.pem: | + {{ genPrivateKey "rsa" | b64enc }} +{{- end }} stringData: +{{- if not $secret }} + cookie_hash_key: {{ trimSuffix "==" (randBytes 64) | quote }} + cookie_block_key: {{ trimSuffix "=" (randBytes 32) | quote }} + claim_symmetric_key: {{ trimSuffix "=" (randBytes 32) | quote }} +{{- end }} {{- with .Values.flyteadmin.secrets -}} {{ tpl (toYaml .) $ | nindent 2 }} {{- end }} diff --git a/deployment/eks/flyte_aws_scheduler_helm_generated.yaml b/deployment/eks/flyte_aws_scheduler_helm_generated.yaml index 0ce940cfa9..fe9e371bb1 100644 --- a/deployment/eks/flyte_aws_scheduler_helm_generated.yaml +++ b/deployment/eks/flyte_aws_scheduler_helm_generated.yaml @@ -56,7 +56,13 @@ metadata: name: flyte-admin-secrets namespace: flyte type: Opaque +data: + token_rsa_key.pem: | + LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS0FJQkFBS0NBZ0VBb0MzaFU0eml4QjNVbG9hY0FNaVYvME9OejdTVjVlbzBoVGw4OVluYmpvL2RqVWZECmpJbENZTUhxd2RKTHo2SXRsaUh6MmZCY3pwQndST1ovSVpvenhBbkZINWNoRkRMQjVydnJDeHBRQzJMZzRFRTYKQlpPenZYa1A2cVo2YnpMZmwxQ2tKWVN0cHAzcjlJMXBhVEtTYWQyRGxuUkl2ZzhxUUJWcHRpcmlLSHFvVzNMZgo1ZVBSZy91M0VaMTY5ekdoWisraFpGM1JTSFJEOEZKN0dqZXJtMjJyNkFGRzlWM2dSOTN4aVY5ZHJoR3BCNUpQCjBzQzcyOUtuT3U0OXByL0daKzhVZnlJY2JFaXhWUWFFUWNvZ2V2RDRnWmRoY0xRQmEyVlp0WXZ2Y1RDcFJvbisKMDFvbGhnQ04xU0lZK1cxK1ZuMlJ4emRWUjh2TEpTWm1aY1FvQmNleXpwbmtOditwbTV5WjRIOUcvT0V1Mm1GbQp2ZTRsVTJJZFJtWEZJV2FOUFQ1T0J2anpaVUlteXNZdlBmdXJwQXoxUms5aERKR2FKeURXQ05wdFB3Q1RyV3J0CmpDUFVDbUt3MUhWOGJhWFBOOFVUNWtWV1F3ODdOOExpVi9Rd0ZxZURHYlIyZTQ2M01YNFE4MkoxRGhnTkZwZ1cKTFlKWjhiSlU2VWRLZ1lZZFl1S095WjlybDd2UGpuT3NvSVRocmJ4YnlkbTE2U3FKTisrbmx3WWowT0hYa1E2OQprUHNKcWVPcTVZUzBVeG5McUp3Y0dMcHFabEpBTlhMUk5JR2FEM1pjLzdzZFhtWUlBY3pCeTlTcDE3cmdLUWZrCjY0LzFLWkJuV3pZR2lWYTNCSmlYOXBRYmdDY1ZEMTVuNmZPWlFYL2xEVWVJQ1M2VnFjVEhEcVBjMk1NQ0F3RUEKQVFLQ0FnQnJycXhlV01aU0JhUFhGZU5tZTNLclNxVFpUNU8rSHZiejRUUHFkYVVPY0JVSFY0bFV2eW5LbGxMVgp2aVNORDRBS0FBVkpMRmVYM200N1E2R1AyM1NWZytQcld0UTRHZTlVeUZ3NCtKVjdNaHZ2WnFvMCtaako5Y3NICmVxZXdmY2ptbHFYak94RHFoQndPS2NzRmw2UHFXNnFNeU52bU9aZXp3VEZ4Nzk1ZVRDZEdZekcyQUxQblFKOVAKemtqT1NhVXlsRnd4ZHdpczVzeU5rVVdFMkl3YlQxMVQrUmZVK0NsQTV5bnJxaHIyWEpUL3JCTFJvaFFvc2JNTwo0UDY5VFF0Njc3VWR5cmJFN1JHYUVXbDBPUWdnM2tLU0RFekxVWmZxdFJYY0FKa1Z4UnJuZXZtKzZFbDFqb1hMCkZNTXBXN3lsTklGK0plckUrM0kwSlY2Tlo1Tm5UeE1VUHR4T1Mrdkh1REdlOXJETVZtbnRWdXhiSmFBaEt3RjMKcXUrVWpETmtPbmdSd0h2TjJKUjB3YTFtMmFHajBaYUhRWXpCOC91QlpCTXhSalRDSjN2SnNNZ1VRYVduQ2hKQgp3bWh4STZpbVhDNUtFNGJRUFhjRkMxYlRuRUdKbzZDMy80T0dmTzJxSWFoL28zWG5PdFNlREU3YWNpTmE0ZXE4CkZSMzZ2UGU0UDJqMnBnZDNCSHdKYVN6R0pxQlRIRkV0YnMyU015R1BUV3FPS0pBejhFaElTNVNMWC9SV1RpK00KUlZVMzJtdTBpd0lvb21sNE9CSjlyaDZJc3Y4TzBicWNMM2FvWWZlcXJHd2o1ZXd6TkFhbjdrUGE4RVFFZ2w5LwpGRXRZTFNucU1TUTVOd0dObGI3MWU4aFNjOHZabmpaT1VJUllLMWFjWG15U1lYQXNBUUtDQVFFQXlKQ0ZiVzBWCllrSklOL1BpbVJ1dXBER3pXZ3I5UGkzL1NEM3ZjeFJnS3lUMmVpdXdZOEdNOEtHV2NZcjhlWlRERGpxR1A0MncKcTFHWGhZZEZzdllQcDJ5Z2Vma1p1bXRsUTlRcEdSMmFTamtVRDNoM21vQjFCamFhZTFnY1Q4cWJnRU9EaGxvNwp2aHNpdUREclphYUdHcVV0TyswVENseEczQnBMNXNDeFVMVnFaNWNwK0lzYUxVVnorbFZlRHFUWWEwQy9rZytHCnlNU2pqREVBdVNOZmVLYTUyamphUi8wZ1RsRjdoREV3cEZXUkFjUk54NXV5VWdXdG5sSDF0cUF3M2RrVXh6amoKZGlWZzVIWWRyWkVRaFFHQlIwS0h6NzIwbDdvd25LNUdMdCt4cnFRYWo2Y2FMeUN6dXR2QnB0SExla2VKZFZYUQpKTERUY2h4RXNoYlR3d0tDQVFFQXpIUEp4Y1JZcjRneE1VeUF4Z1BlazRHS2RCWXdUcitvdXdTTDJ6VnNkVEw2CjFjWHRKMGtTMUFManpzRXdjVVZYMENaNzZtSHR5UzBGMFlFOGZqUnhkWDhobWFLN3V3TWtqdnhsVkJ0UFdvMnQKNC9LM2FvZmdIYTgrUTRJYXRxVjZrTVB3M3BFcktXSENxTGJacllyU3I0aS9YaWQxMzhTYUlVZW5VRitEZUNlZQpLcWlvaGtwMDZUbFdkMllwWmhUa3JSV2pTRjFYR0FLeERVNDl4dHVmNTJUZ1Z4QWFRUVpqYmEvLzlIRGg5dEZWCnhYYnRlS1Y2eUJKVnQzRjFQWDNDQU9BbmpsZkkvZkpLUExUSGRvYXIvaHpmNW1kcTM3UkFOYWJxM3RNVkdUV3QKeThJNVVNenNpMXBLWm9uREdtbHFVYlhZcVZzaTh1b2dZTGtmNGNxWEFRS0NBUUVBai82U2pQbWdQS2R4eWhvagpPZUdTQlBoWjErL0QyWHlVcDMwd0NPTThHRDIxYUFrdDNyRDdTMWYzOXhUZUp6d1N2b2h1RWZyY09HT2Y4WklwCkRFOTA5Yk1iay9hdjdoTms1TW5ScCtLRS8zenpWaGdiWnFXTFh5YWN5cWw3eWgyZ2Z2bjUxOSs0dk1nbXFTOFcKRWlqNFp2RG9CUG8walYrcTBDTmhFdzZOUDNEQU1CZHJYcklmM1JqY0o0SmF3UkRCQUYvQUtsRlRaNWttQW1TOApMQytsUDY0VUNRU0FVdWI4NXIzQmZDc0V6VGRSb0g4YmlJL1QrdWR3dXhZRTMxVXJRRnUyZTBId3JNWXhSbFUzCkFZSUE1ajBxWDhyNFRzSFlnb1orbUQ3V3pKaDFyUGpNeVE0ajBtb2NINi9lM0xJSzhJT2p3TVlYWmdBK0R0TVUKenZkc21RS0NBUUJyelhIS3Nha0JoUkpMS0VlT0lXUXU2dE1TT3REbDlQRUhDM0tpOXh4ay82aDdKNDNRZFJ0VQpadUd2bHZYd0E5dzFpTlUxMU1VSW1wREMweDRPZmFDRmo2OHJ6ejZsY1JiSnZoTy9zVmE2TEpKUDZ4OERNUG5mCkxSUHJqS0tCUStmSWhVaHdVcU1yZ3J5ZE1TeTk4TUQraFdCQ1NSUkNGT3dnT0NQa29UZzFGczZ6TjVNRW5DWGgKQTdhdjVsSlYzUlptblU0blRmQXFYT0QyWHhiN3o3b1V6SC90NkRPdnJhcW5uM0dhZGhydmhabHdNVEV0dUROeApZeG1IVEcvQktKb3UxQUtIYjRvdlBKNGdQRUlnSVFwM1JzcFlOcGVIdFFkV1F0ajgvTmZYSHhLd3FZeUhLa1pmCmhCQk8yTHpqSkVwSEkxZEdsU05zYWo4QVFSeXFkYVFCQW9JQkFIN21lNE4xU0owbzcwWnVwellPR0M0aGcvdU0KeTJLM2dkK1hRSGs5TEhzdUVhYmFwZFlCM0MxV08rcHZyYWhXbCtqU3ZLcTR2ekljMlFXZkRqOUhYT0ZWK1dISQoyNnVzdkRqTnFMclRzVW9PNGtjVXlTN2U3SUZTVWUvQ2N4Ly9ZYm4xbjgrL1pGR09YZ0tVeUNmNHZpaWxiSkh4Cm9xdWdiVXUwMDdIVU9ZOFNxaDZNK09GWDFHb2pGM050MWVPOTVidHlROGhNNHJWd0d5cFZEdUovU1FMcFIwYzEKNmhXRnFzb0Q2aVpqcmV6ZUgvbzVOLzBEenJuUjJ3MGw1ODNkVUNqZmNPdERXNkJTbHNaWEdVOVpxUU1aN2JlYgpwU2I1NXZ0cDVvQnBQYmhYVEZTdnlnNk82ZWdUa0dicVpqM3oweXVWSXByWHpXR0hzZjRXVTFhN1lVaz0KLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K stringData: + cookie_hash_key: "MuJrZ6SO749aiiuCUHTt0soA9wTTc1hyL8joh+UWZ9AqwxJ0GH5fjwDM0EF5umqLUg81nl3MGqD108vZPad4eA" + cookie_block_key: "4lcZsm7g6hAac3c2O8i5QV04jewLPDUT+QfwdGkfONI" + claim_symmetric_key: "seUw6e6wnsbCuAaW1L2U/iLItvtIWxlNAUQ3r9Gozj8" --- # Source: flyte-core/templates/common/secret-auth.yaml apiVersion: v1 @@ -931,28 +937,6 @@ spec: name: clusters-config-volume - mountPath: /etc/secrets/ name: admin-secrets - - name: generate-secrets - image: "cr.flyte.org/flyteorg/flyteadmin:v1.13.0" - imagePullPolicy: "IfNotPresent" - command: ["/bin/sh", "-c"] - args: - [ - "flyteadmin --config=/etc/flyte/config/*.yaml secrets init --localPath /etc/scratch/secrets && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --name flyte-admin-secrets --fromPath /etc/scratch/secrets", - ] - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - volumeMounts: - - mountPath: /etc/flyte/config - name: base-config-volume - - mountPath: /etc/scratch - name: scratch - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace containers: - command: - flyteadmin diff --git a/deployment/eks/flyte_helm_controlplane_generated.yaml b/deployment/eks/flyte_helm_controlplane_generated.yaml index d9ebf1d7bd..e861b390f2 100644 --- a/deployment/eks/flyte_helm_controlplane_generated.yaml +++ b/deployment/eks/flyte_helm_controlplane_generated.yaml @@ -46,7 +46,13 @@ metadata: name: flyte-admin-secrets namespace: flyte type: Opaque +data: + token_rsa_key.pem: | + LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS0FJQkFBS0NBZ0VBdzJ5a3pFUm9ieEROM2JndjVHdEdDaDBFT0MraG5ESFM1WUZiUlBma1hBdmZyNFR4ClBoU1hwM0hubytEWm9GaXJtcWNSRE9iS0FlOXhOVncycDN2Y3V0SnEzdlRTT2F5UDdrZXBEckk5ZW9XYXY2R08Kbm5Lc3lKU3VuSUt2Kyt2WVlxZFAvUE9tZVBkKzB4MU56RTEzYTViZFdlMjhhMWgvdytmTmViWnJ0bFIvMlFDYwp6ZHQ5TGtUdUQzOXdieXhvNy8wTzNnRVJ2aWc3WXhUSmhOVWFLVWo3ME1UTTNSeCtzTGdQcXV5SGFZd1JUaHFXCm04SmlaU1ZXTCtFYm9CbGQ0aVNHOVRVeWVRVTQ5M2RBRjN4cWc5UFNkU0N1NXdHWUpVTzdTY1FnRnJkRm43YysKVkFBM0p4a3hkRjIrSWg0L3pBdzhWSGV3dFdlUC9qcksyTWxqanBLNmprTE5VbHgycFh4N3RpaDlxQ2dwNVJXTgoyVGZ5Y2htL2l5ZWFuYThVd3lWeHVyNHI4OHk0UEFQUUoyek5KQlgyWDRjd21va1RReFRpRzRjMWlKZEJtb2tzClFWaGhiTnMyTmlCcHpjd2pISjZ3T1RWSitReCs1U3V3Z2o3UzhiUG5hTnlOdm9DZUIvUDhWUTZIZHF4eEFlMG0KSXh1K3NjQzBBT0dYVWZXN2xoaitQaTRuTC85MmR2M09ScjgrOWtNWTFiL1dkSlRGTkFhUkJvUU5JbnZ4UDdZSgpkeWtnS3NtWHp1bGhMWHpyQXRkT3dEVE81NUVwTFRQeFVJNHZidklRdFY5SkhJbG5uc3BCTHJLalpzYW94c1dmCjRrNFpwdVhJVzBQTEw2NklRVUF5N2FOYkc0c2o5SzNKYk82dnhQeHk5ZGJnblEyVDIzYjJGR2NubUtFQ0F3RUEKQVFLQ0FnQUZnR2gvUzZtNC9yc2M4OU45VmJ2S0N4a1VUOXIzMzdzMU5OZ1I3L3lnenNERVd6VERiNmI1VXM2WApvWHZlOU1BWUFYNE1ZKzdwOFFpNTNOZTVEVmFnZDg0RWF0WUVRNlJscStUSmdpRVM4dkh4VlNZRHRlekJWTlk1Cmw4QkdrbFFzS3RPb3BsOVlabmRPa0RPaGZjalA0Wlpuc3Jhc092aVYxay9Gam1vbjN1Y2VmOUxxUkxTWWVkNU4KMTJPZDdaMGlySGdmcmQ0SEFYRHlrQ0pBT0JPZGQrMkc2aE51WWgvNjc2T1pSMEZrcWtuT2JoY3hXVjZWeEdCUgp4citWV1VGNFhWampURlVZYlJvMmRVZjdvVWdLWUFzN3V1alJuZ3pmZDdHdEdQVmlUbFNLYzRrd3FqVGpSK1ZKCmhsNFU3YzhUK29BMFRJNVAvUk5qcjlvSUVsdFlHb1FuellnUUI2a0kzTS80SmowcVpBQWVmcyswM3pLWmpxREgKVEthamlwc3p0YWhVYjdsZEtHN3lrNzluMjhDOW5PQjBYbS9RNlA2dGZQZ1lDamdlb2dNSm51RzVWd2VRNHhaWgpxWjlSdTB2UlUxblQ1bG9Fb0N5K3JoYS9kVDc0YitETzU2c1JiNWQ1YkJMaWliWXZPdDFyM25Kei9HVEhlUThJCnc2dllHcjVITzQ5eVZvSEx0SXNUcklOTEdrZEphaXd3YUh6QlBlUmlUdzg4ZTh3V1N0aWppUFpRTU0zN3FBSU4KaWpiV2l0SGxzS25uNU00YkM4dTR4OGw5ZkJyRkVpcjEwQWYwUk5nRHM0b0tSS2FIWFlqWjR1eGJMcDhqdXVOWAplaWlPWW94akFVOTZkNlpERGkwUjlFOGZPMFhXVUE1bkIrZG5ERkkyc2NoZFExSGhwUUtDQVFFQXlJeExXMDRvCkN3aS9WNzZObVQ5ampsSDhodjJIZjZhTTdFUTdqdy9ESGlkK3A3c04yc2dzejJqZUk5aXpES1lZUU4xV3lJL1MKUFJZV0VXWldzT250MlF3cjluOENLSnZ1SGI0aDFmQVhiOHNJSjBSbUdQUnJlWWhwbXo5bmpVVjNNQW1Fb2wxZgpaQUh4d0E2TmhHK1RZZ0Z0ZDZ5N2NiNkc4bEFpNHI1YTZqM1d2SkRiRUFJMFNwWjFHdjZKVkRHNW1ZdG1ZZW8xClFlUFFTbk12cTk3QWpmMWxXeUoySy8wcktWOUdnQVl0eXZlQWNpTFZvNzF3MUNKdmJ2Si81NitaZGdFcTI0OEcKUXhackdiWmRKSmJXa3RrbktKK0IwcElQWWg4ZVFPZG9xWU4vb2RHbTBSU3VnNkw1UTYzTXBpbUZvVVlRZ1ZLMQpCSTFVdFJGU0tkcVh1d0tDQVFFQStYV3MwUW1RTTVhZXRPMVBxTHJyZjR4Ymw5VUx6UzdLZ1dHRFNwSlIzQ3F4CkJBVjVaenV4cGt3SkFBVmlkRlBRRlRGSUs0WVg5NjhoSVR3VWNDYVQ3UU9yb3JsdEplN2E2NlFaU2pOUXRUVngKcjNUUEQ5dVhpWjFzVXcydVUva3g5OVNnQ0lUYm51bGUxV1VwUngwcktIMWFlbXkzNG9HQS9wc2RsZDJUTXg4ZQovQW5HdjhZTDVNWnlWVW1lWlpZWElwbTBHRDc3WWpINk9JQ3g3bkQ0dzREcGlObk5GQ1ZMRytQMHZhcEN3cTNzClV6Q09lWHJ2NGo2VU5pNDdJV1pIYU9pTjJJbWUxZ2JCSkNqaXFocjl6d3ZJdHpFMEZhUFpSNUlua3VsQWpaVm0KT09KWkhuei9OdkNwRk1PVTJjb255R252YTdIWnBLdWtDTzFhNlhsRlV3S0NBUUFCY29uRXNlNjJEYTBiM0FNMwpuTzZDQTNONElmSk5hSTFSMHpnKzB4Vk1iV3FMbVYwRFBEaWVrcG92MWd1TXh0SWIvYnozbTVvZjJMMzJDREFOCi9OSTdvOHZaYnBjOFpjdTFLVDhqUlNWV0tEZjUySk9JRUpPS0FBTUxITTBKaHZ2U08rOWFJS1JrbTJMOFNONmEKbXhlTU9JaHF1Yk5zb2J4bG1WQjNKSHFSZ0RyQmg2WWRHbmI0SnRmWGh3akVzOHNzSVladXBIc1g2NllBTTQ2ZgpoZThMMTAxWStBbTBUWkozTFBuY1NLOGg3T0ZmY1lMck9KM00yaWJGdlRoUkdzSlh5TEJmZjB2RFJqRWxzVnhBCnZGbjJHMTBkL1BDNTdWWHhGbHBvaTRNRTNpOFlvdU82VkpUaDNGWkNOOG5uVlJ0aXk1ZW81MGpwTEgvMUFwZisKTjFhckFvSUJBQTByalVnci9SVDhLcnphbW80SjhFejNtQTVZRFJ0MEVQVHJ0UWJHMnRPSTNYZWM0bC8wNHRnbwp3NERneCtYa1Z1UUhpZ3ZpTkhtN0lVQ2o3MkJNYVJybVNyVjRuSzZZQWE3WEp3Nm56dWNDUDFKSUZIWjkzVzVDCmhXbU5HMXNMbVB2QW1nSlpJVTh1ZXZkQk5BQ3hKWW9wdEJFcWxEcTlJNVpOa2k1TFdHNG1nbmhEKzk0OEVueXQKalhPN1EwV1J1djcwcG5GeFFjeFpYeUNFaXVCUHpwSmp4L0NWcnlJVkpmWCsvdmpVZUZuVzNOYzNoUTRjMDNWYQpZSERMMkF0WFh3WEc0VlpCVGNWMjdkTis1UmlkL0RCbUt0NmhGbUxlRjZhVHJNc3d6VnVzTzQxZFJkODZNaTh3ClhYemZKb2lwQjVpcEh4N01jUFVrcXJCZDk2TEQ2RWtDZ2dFQkFMUUZJSllVWFRPb05EYXFiQ2pkQlZIK3Vxd2oKaDVtRjNWTll0K1NjZmc2N3NuMkw0a0ZnOUdsaTFTek14aHFvcUk1S3l3TGNlN09vbllOdzc2czlkWitGSGw4dApDZE5vcEE0dE9SS0JGK3JZM01BS2J0NE51cE5sb011SFJDWG96WEJNYzFyMXRzaTFUYlJ4UTNQNkJVbGlOZUdoClJqK1M5S2t3cEtNWDZETFJHODUwK2MzZ3h4T1lWQW8wWStSb0EyekpvNGVJU1ZUcHNveVJqYituMXNsRUR6emoKajR6NWFrK0ZBYkwwaFIxai9lZmF2WEc1SzFjbGxJWmQrVW5Bc3pKVjJmQkJZVmtXZ3RVdjVPY2VFN0l1b29MbQpoWXpibDRkb1dOdWoxVXVMNmlKYW5GZ0Y2SzRMZm9PWFdZd3cxejh3bm44TW44YlpCQ2pLTUQ4dkxEVT0KLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K stringData: + cookie_hash_key: "1F+qN7eZFwjiFNDsHXCakfzy4/48fQsRgrsRb/afdkNEG6JtQHPH/Z+I7KIa6NC09fX3G2rEIv60Ilalj30MrQ" + cookie_block_key: "FYhmYGHm+19l0TKL6iimMoGRuqElhy6XWkBU9IARdI8" + claim_symmetric_key: "6uOdTrZ70G3osUcym8w2koLkwI+peRgwX0O/V9oSawU" --- # Source: flyte-core/templates/common/secret-auth.yaml apiVersion: v1 @@ -636,28 +642,6 @@ spec: name: clusters-config-volume - mountPath: /etc/secrets/ name: admin-secrets - - name: generate-secrets - image: "cr.flyte.org/flyteorg/flyteadmin:v1.13.0" - imagePullPolicy: "IfNotPresent" - command: ["/bin/sh", "-c"] - args: - [ - "flyteadmin --config=/etc/flyte/config/*.yaml secrets init --localPath /etc/scratch/secrets && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --name flyte-admin-secrets --fromPath /etc/scratch/secrets", - ] - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - volumeMounts: - - mountPath: /etc/flyte/config - name: base-config-volume - - mountPath: /etc/scratch - name: scratch - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace containers: - command: - flyteadmin diff --git a/deployment/eks/flyte_helm_generated.yaml b/deployment/eks/flyte_helm_generated.yaml index 5fc562963e..06689b8b0e 100644 --- a/deployment/eks/flyte_helm_generated.yaml +++ b/deployment/eks/flyte_helm_generated.yaml @@ -68,7 +68,13 @@ metadata: name: flyte-admin-secrets namespace: flyte type: Opaque +data: + token_rsa_key.pem: | + LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS0FJQkFBS0NBZ0VBMzhWc0hFMzlNVGs5b3BVV2ZZa21KMHYzSlpBdUt5ZjhYem5QUVN4bVozNU9HVHRYCmVUZ1lIdmhvd3d3RXRBTzh2WDhyVkN5VlVFS0J3ei94UFdBcGNiWEhaaXdXWDVPWDE5ZC8xK1VRQm9ER3VFRU0Kbzc0SjBpUENuQWdVV0htOVhKZzFuclA1Qms3STRPNmVXZi9TZGFHTmgyVWJFMmd1WWMwWjlGNzJHelMwbkRSUwpvemMxUUFuT25CWVBkZ1FhNE0wMWE2VnA3WUEzdW43cTV2SGlPVTBMbGVOZnNOeXREZzAxWkE1SE9Hc09ob0MxCk5NV2NGaUtPbkdnWHhrMVg3dE5DVFV3eTZFcDZ0b3lQbHp5ZE1IMHVEcVpqZVgvaDRmV3ZnWjJrTjZWSkVrVmoKWmZpV0VWZDZMN3VEOExKaFpGaEUxdGFBSkxPWWM3QVd6QU1lV21hSFVLVlRMa1RNL3dkU0ZLaENsdE5OZWhJawpRMGdZcHk1aEhaSXloVVVTUE0xWUVkS2VtRmFqTVVITjc2dnM0ck9IV1lJUldCQkh3a3BRbWN3R0RHUFZpaFFzCkcvVExXaTZuc2d0SklHb05mVjUrcGRMbGhPQVBVeDRkM2R4NGYzK0Nxa0g2Z0tBeENuKzFnNXJPcHp2RG50MlAKME00Qks4YXMvU0U4NGR6aTcxUXZNNVNMU3g2YjhlS1JyUFlMUHpEWDJLNU9DMEJvZ1VHREpOVlJwaG1sYVFueAorUkppSy9xb0tzcDV3bExtd1E1U3N3VzVmTUdnc0RRbGpWaEdTaHVpamNaWHRHRDJhNjU1Q2RDamhQRnZXcUZBCkZHcE1DZjdlUFV5ZDF3bWdlaUlndVNqc1RaV3hiRHBEeGEyc2xQVDhpYTJ6TDRaRmVZb08xQ3ZwaHVNQ0F3RUEKQVFLQ0FnRUExNGRjdU9wNUt6Y1o0WVc5c3M0dG5IM3pudzkvR0h3Yi9WQStDbVVNZ1RSTFhzd2tWWklzMFcrcgozK21zZ2dKemdRV0NvMEdKMDFNcmp2Y0FrWUFVaXZ4dUFVQUhrS2tsQUhVRkl0bnpGSUJtWnNQb3U3SG4zYW9wCjRJVjdxemdlcHBmSVZZSzlJVkV5OUV1QTQraWVPa1NQZjlCblFzcittWjZtR0JSNjhQdFQxbndpK0NmTnQwOTYKM0NYM1lGRlYzaDVwRExTM0VWV0UxN0UwNlpvaXJkUkNpMjBFRnVLR0lGbWlpaXVpZDNuTjlNajFQODN4cC9SQwo3ZXpvc1V4L25IMkloOUVUMjE4WlVNaVQ2VFF0cHExN2RnclhGd2lRZFVaaGMvTjFYMDlvMFJ0YVFMWXRQS2pICi9EK2RObkZwa3UvZDVodVdNME4wWEVGSHc5cGhHUjVGdnd2enpTWHZ1Vi9CdE9SazNOOGpldTlWWE53N2JUMGoKWE5JaWhTNjFuLzNHL200YkhxWElycEhiMzdqUEtwRUtoaEZZM01WdHNyM1ZXNndhbVRsN2dHU3RxVDFjVSsxbgptY3JoY21la1l0d1doeW8wTlI5bGJIakk5NlZDb01kNWdVSzFHcGtSbzZ5TWpld25PVG1SaFlVOFhjcEZyYnZPCktScUFlQTBrblZJa1ZIbnBiY3h5TW5WYzVJR2crMkpRR3E1Yi9nMjdsbVRjUU0zVGJSTXh0TlFOU2tGVnV3Y2EKZXRDSjg1akhtSi9aTUlZbjlPL1BuK0hocXppLzM3L0RZaFZTQnRDK0YrRSs1RWFrbjZzUlNWdVhKSjBvcmVTTgphcndkemxqaDlNKzM2YkpWRjkrdVd6ZWRJMmpRTVpSdzBSMllPWDllMThnTW1sVHdNZGtDZ2dFQkFPOGZKUnViCmt2N2YzdERMS2owTDZ5RlVsMldNQmdEYk13V240Zzd4dmJLbDVoV2R1RzM1QlQxOEZOREI1VnJkUU5tbUwvOXMKTTZESDdZcjVoTGNRdHZNNjJWT2pYT1BIMFdZM0JWbXZvOXN6dTR5cXpSQjI5WFdXam9aazYwZFBPWHN5ei9XbwpUd0d3SVNBWDhjVU1kTmwvU0E3MjUvL1RjUjBDOEk3ZFNJTzRsV0pJSVBSOWwveG1BdHlETzZRb05RV2RPVjZKCnF4eHo5a2Z6V0g4UGJHMlFoTUFKbk1WZlRZdTBPbHRlaXppRTlzRU0yU1p2dXZHaWhOM3Z2dkpkZ3BOejJCekUKclZ6V1hnQU5ORjJyZDMrQzB3SkREaEREVE5LQ3d3ZVB6WjZkNHNEVUYxR3JCZHA2RmRDSWlkRUNyNEZpZEI0bgpVRGgxTUp1OWZDK2xiUjBDZ2dFQkFPK1E1aDZ6Q0F4N3o5UmVuLytrL2s2bllWbk9tb0pzQUhCb1RzWlFpOTV5CkdsbE5VNCtTb3RXU3l4T1RrQ1ROazl2SC96TDFGK3M2bkJ6OHJYQ1d3SnVxM2w1Uy9HcEFGMG52d0VyWndoVVYKTmJTcm9YQkJubnZsZGtBVFhuR2I1RmlWNmZHVWhvckw2NlhkZi9TRS95V0dDZjNLMzd3S1NxRXVNQzFSZ085eApLT2ZxU0VKYW1rc3pURVozTXR1Y3VGYWVHd1ptSnBXNVFncXBWRkwyOGpUWEszMUZZY3NvN3RybitiL2s4Rjd4CjJ0R0NlT2JzUFQyaURWNDV6d1ZjcGpKVllscWZ2OHNGNmFtVFk4WHpVWUxPdHl4VHdKNzhFamU4YTcrbUNhN1IKYmsrRFFVbnVaMWwzd0sxaWtSVDZGdkYzQzcyU1cxVktiQVFoa1VhOGcvOENnZ0VBZTZOZzdudHNiL2lWSHVSTgpmSzhTN25Mc3JRYlBlOVhhOWN1dWFRZTVqQXVYZ2duQStLdlBkOUVXZWpJblF1b3Z3OW5YNjN1bzNqTkJzWi8rCmJTRnBWeTVRZkp4MVJSbG1QakdveEl5NmJuYTdQS3A3eVUyWThTbmRtOFBHbTJKdFdEUVhydTlObXBQVkxPRDAKazJ3elp0b1hDaFhFTTFUQ29idUpZblVzTDE5YmJpdlpUbEU2S3JrY05hUnRUQjIxL0tja3FLc0tISFloRzJiSgpsVGtHV1VobU8xMDlBQmljNGVWWVh6SHRUbFlCdUNQS2k4TXRxQTdlSUZyOEloa1RrT1pQRWVEbnVwN2tqNlpFCk0wS2JVUVQxMGErV01EaXJHaFdlZmVSdTd0cTRDZmdmN293OVJJL25nNkYxa09xUWtKZTFibm5wVXFmVmNGRnoKU3JlQVNRS0NBUUJEcE0xbGM3WGRHSVNwZVlLQ0E4dU8xL0pFRW5OTVNrU2hlTUp0ZXNiVHE3Skc3dStlUlpCVwo3OWtKa1F3TmFFTE10eDhXKzEraW11MER2bEVXem1wYVNoZjUyRUxQbVlNNTdFbUdtUkFWTmVUeE85a2N3bHFHCnIxY0JacmF2SzQ2QmVPc1N2SlowMEhtY1h2dkhSbHBvOVAwVFBWcUpWUHFYb2x3V0g4SmhXYmxzS3BuMnFuQ1EKdFU1ZlF6OElCYXVEUWFkdDJpQWcvS3RxS1QvWElVVm9xQ3p1ZFUzVXVKMGhFSWxUcHNnOGR0d0xkbVMvQjR1UApRSmUzdUdqOUlaa0g4MVlQTXJaTUZFSlRFSHdHbzlxckxjVkk3ZWtndXhwRnhKMUVBeFVPMkxIbUg3Q3F1SGRVCkt0MHIxLzRSUjBCOU05a0wwU3lhMjZXK1VPQWRjaE52QW9JQkFHcGQ1WVZBKzUxV0xBaXFUNUtmNkFIcks0V0wKS2JQRmVHYXF3d3k2ckFOaXBWczdhVUhwTmx0QVFxakU4ZC9oQkZRQnZmMEpUVmxLeGV2UE5YSDFlYUlrQzJZSwpjL09JanhGSGpYdXd5OGxiNFRKN1JXQ3MwR1grTFRoWEFISmR4cVQ3WEJwSDFBZlQ0Z1F4cElEZldieitrdDlHCk90MTlISVgxc1BRZWlkaGVPOXVtRkFPNjRaMVBwVmZYZStVMlpXL3gvNmtldzJWWklSeXd2elFjM1o0REZZZHoKMUtQa0VZNE1UM1N2OUxXVGI1V2RjejZ5ZUhEZ1VZQjdFdTJUcU1CQyswRzBkbDJRVFBaUUlTZlhtdlZCUm5sNgpLN283SWIxQ0RXdmt1M1d4RTdPUXdESXFBQUcvMG1heXRrR0xCYjl3QlUyZmREOUdwcmpUUjFzci9QTT0KLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K stringData: + cookie_hash_key: "4EfCL3f4u3SEl7fGNd0hUqnfASxC6W1oFOQH7njT8NSFhZQV78Y4H/xRxa/ttF9QfTd/Th79s3W+w+ATo5IAlA" + cookie_block_key: "FivnWNlPDsZ988UdMuUoS7SEghTA91QYfYHi7npCCP8" + claim_symmetric_key: "qGeM76T9DLdOoFhoefC7sy9rzvm/EehF8bj2BDNvTU8" --- # Source: flyte-core/templates/common/secret-auth.yaml apiVersion: v1 @@ -962,28 +968,6 @@ spec: name: clusters-config-volume - mountPath: /etc/secrets/ name: admin-secrets - - name: generate-secrets - image: "cr.flyte.org/flyteorg/flyteadmin:v1.13.0" - imagePullPolicy: "IfNotPresent" - command: ["/bin/sh", "-c"] - args: - [ - "flyteadmin --config=/etc/flyte/config/*.yaml secrets init --localPath /etc/scratch/secrets && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --name flyte-admin-secrets --fromPath /etc/scratch/secrets", - ] - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - volumeMounts: - - mountPath: /etc/flyte/config - name: base-config-volume - - mountPath: /etc/scratch - name: scratch - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace containers: - command: - flyteadmin diff --git a/deployment/gcp/flyte_helm_controlplane_generated.yaml b/deployment/gcp/flyte_helm_controlplane_generated.yaml index e83e4ebe24..1dbe7761a0 100644 --- a/deployment/gcp/flyte_helm_controlplane_generated.yaml +++ b/deployment/gcp/flyte_helm_controlplane_generated.yaml @@ -46,7 +46,13 @@ metadata: name: flyte-admin-secrets namespace: flyte type: Opaque +data: + token_rsa_key.pem: | + LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS1FJQkFBS0NBZ0VBb01oR05BalNNcDZBdmNOOEdNS1Bjb05nS0dYeFl1eVNRUUNqNkIrdFVyNk0rTmtHCllETmRoYU93aXZ6b2Evc2k3QVdmTC9MYmRzVjdNaTlVbkQySlJxNzR2U2VLeFlwZzBZblh5b0tjQVd4QXpSVjgKL3U5Y1V6czd2cXZIUFpoa2s2TUdvZWYvNi8zd01Fb2p0WWZRbWF2bkV2SDZqMnpXRGMrTzFCRk9DMStBUXlJVwpsMzBxWUlwTU9HVVlHeXN4b1VOTEZhdVhzeHAwdEJEeWpZc0xGMU5zZzJSdUJ0bWlLcDJpaTlmbkxBc0FHN2FlCklRNnppamdkQTRkK0V1RmZvS0xVZnI4YlQrbks1Y1Zaa3RvZ0pEYnlDeHZ5YnRwemtLOHNHNFd0aWNHWjZlMkcKTmxYamRZMk9zVkRCSWpjWTNFNVRzTEI4cmcyU0JjcGo0amJXR2N0MTd1aElLb3VtbTFIK3pjRm92VlloTjMyeAo4dnBacmg0c0t3NDlNakowMGVUY2hxVFBQY1NsdzdJWWY1b1EvYzJrNnp3WkV5bXVybzNiTnFudFhpeEtqVTFtCmU4M3ZDQzlPUyt3ekhZQVRHQytNczRtRE50TWlLV2pYd1pLZm0zWEI1UlQ4OEl2S2tnL3o2RXNjcENyRk9WT0oKbUVLMVRNQVUxenR1NG5TeEVWVXNYOGp4K2FXdlhrN2YwMG1ZK09TNXA3YmpDTnNnZWRJbm9RMFE5a1JoS0U1dwpHWjU3dUFmdGVQOXpndnNiRnNDNTRCWkt3RXM3aVhzQXVQcjg1c1FUQVA5eW9SOEhEcmhMaGtzY1Fna2FuUzdnCmhqcFZpc0dMMEFJTGhnc2t2NThUcGd0RUdObnAzUy9qR1o4a1M0SFJtV0pYVGZSc2p5UXFSeGhGRkRrQ0F3RUEKQVFLQ0FnRUFtQW5xd1FmYVpUMlhkbHJsL2EvMTRBNjFubDRRTGtDUmFPQ0hIbGplR0pIU1V2cysyVGVaWjJkTAo2WktRNHBOZ0NacWpWcjhyb3h2SmpNSlBHMVBoZlRLMlNvQ2E3SVFYVys0aVhnQzJMMjVEdE90dUFORXVHQks2ClEyckRCTThYeExoejdDU3IwR2lZZWNHU0ZQWXlYeTY4V3lEeGxERVNGWXRCZis1QlErWHlMd21NSFlLaDBSclcKU3JubVdzSzBzczhrc0lCTCtuUzVDUkhCbS9GdzhvVFQ1MGZQOTdCVGRrTU1VM3M5d2x0QXBmUkJnZmNaOWtscgp2a3VnLzQrWlV4akhJbmZyQnQySkhWQktqT0N4WmkyREl0Z3huM3Y1cmtiSHlkcldLSjhud1pyM3dHZmxxT0xNCm5ZWkVxK3M0R2hRRGRlRGVkZVNsUWM2S04zOHRZMFZKMHRIYmJ4T1pvTEdnNFdQVnlObWc4MW9HYVlMNUx4RXoKR25RVzZrTUlNTlRhNEw0MjVEM1hlN1hERlhySWlnbmlqbXlVNGs5NzZSdkdNVFA2Qnk4TW1vbEtrbHYyRWQ0OApuU2EwWE1kRy94RkZvN21IY09iTFV6UUJTQVUwbmNWOUp2WXFYWGdCdXRubzdCR2U4RW9ZbHFaNGpGVTFzZjRGCmJ1TWFMVUtjQ2RrWXhaVzErdUdINEdzTGZBUWhwSGpjSjJ2OGtCOExqRHlTOS9xcjhOTzNrZGM3SjRXdExjNlQKM2hkQlNjalkwUTdtNE9KWkNLY1dScksrdDNpR0VmazFGQlA2UVNGZ1ZQcEhuZ3VDdTdVYlQyZGlTa05WWE1nTgoyWGZkRXprYXZsaFg3S2ZnRStBc3lxR29NMFM3OGFXSUJacW9LdkhwL1FYc3JsWGlrWVVDZ2dFQkFNN21INllpCjhZU0dnT09PZEZRM3QvRHZCY2VPK2xkZnNLbXB2Mkk4REFpVnpIM0dFWTNBbG5QK1F2TUhYQWtab0lIRDBETFIKVXdtMTdvdUFMM2NVWlpGb045RW9QUy9iVVZjUUF6Q1BTanZUNmRXbmF1OHE4R1BIcW9HS09IU3V1c3F2QW8vdgowNlp3Nll3Q2xBcS9qMFJLYWNUTGJLVzJ5b1ZWZ1lsSU9CU0p1LzRkSU9MekhmSXB4NWo3Ump5SjJ2cmFUTzNNClZUNEhrUlBlTlhrYWxJUUtodU9FbjRtQUpvZEQybVJ5VEdaNTdSbzZXMVVZV1I4QTJWQUF3YWxNb0dTZkVZM2gKUldlWlBiVWJNZzl1QkpDenFOd3lEcFRSb1Z3YzdzSzE4RUFCajBQalNvTEoyVm54T0p4YnRkYXJLU0VyQ3B2TQo0TGFRWGovQ3pEdnFvUDhDZ2dFQkFNYndaWEN3eUgzUVRHcmpXeEJDYStORkZhV09jZXFPakFabzRwNU9IUDlaCnhQSHNDaDh2SU5kUkFFT2NFZmNoUVlUWmFyY2MxZkpSR3ljMXFTU2RxZ0x4Mi90QytkRDRvUXVIbXRITXV4dGEKUFo4cG9lSENDUGVjdG9QNnFybytySFJBK3ByMHBzOTM2SzlxbjI4M0tDZHF1Zkx2Y3FiMEdCT1pCcHJUL21PcQo4YUkyblNRdTBKRUo1VE5sWmswZ0lpVkZjRTU2TjQ3amUrUXFhWE83Nkdub1NpTmRsNVMzclJqNHg3Q3l3N0YvCldBNnJjRDZCaUlFQ3ZzVTI1NzZ2dzhhR2NMV2hVTEp0d3VRSUZ0cENrS0lFSGpYN1ZNbTdXTlBxK05YcjZPdnUKcU0xNHF2SHVOS1NjOUt2VzZhZkV2VVBsczNlSUFPb1ZRQnMrQW1wd0VzY0NnZ0VBTmV2VG84REhvUHBNN1FGYgpYL2VGZ00xS2ZFL08vcVo1ckQ0Skd0ajdhZUZnZ2diMDNEU3RBVjNxcE52dUtKRDlPOVNFbGpubm9rZy8reXRWCk0zdWxYTmdFZEFaQXJCQkVpcVFwc0tZbmVxQW4rUDdBNThRUkVuQWZCOU8yRXZMV3k2d0F4dktCL29hKzF6WjAKenJoTjVrWmVlbU5wMVdabU1ZbXZVTS81amFDMzFlcFJmOVJNb2FneDFMVG9BUzhNV3dRNXVGL2dkMklSZFZRYwpLNHU1MlEvRlI5WnduYTFBWFZCWndvUG5WVzNCVld5UUVRVmZkSzBMOWNXOHN4cTlVbndDWHkrdW51bFpJN0lLCndlcXlWZVA4eGlabGxuTnIwazNZQy9iT3ZsK3BycysxdzVCSGpTRkkxN2N2Rk50V3hNWXE1Wi9ua0t6ZlkwNnAKVzVReWtRS0NBUUVBaU5YVmtGdW9yQkZZWHJVZmIrR2YvK1VHN0tjNzU5QkF0Qy8wb0ZxdVMxMWR2K0ZSWFAyMwpveUtPQWZNWjBGaEpqcTFWWDdvdjFzcSsySXRxV2tzd0kzSmtrMEVRUUJLa0F5QTA5MVhRNVJGL0RUay9wZDhtCjk5b05HRjZVakNLTDBETFpyVGZXZlNISEpORTc5TzJGYXdkWCs2ZUR2eDVxYVNCNmtJaDhrK1dDNnNhUjg4OVgKbWt1cUlWMy9yZEVLYTRTRnFSVWJuZWNPMG5QeHNLOXhQMWVObHlITEgzbnZVQnZlanNXSElWR3NLZnIxNjZpQgpVZXVuZUZNNXQ4bUI2YzJUUFB0R1hGUnZGeFlSVWZNek5KMk1naWpydXc1b0hPdWtXTkE1bC83Q2tRSU00dmVyCnNnWmJyTTdZVEpOZ2M1Rk5qa3c0Qk1xMUc0ZmRkWVM5QlFLQ0FRQXZNVWFBbGdQQVQydmJLck43RWlldzg4Sm8KOUpBRWNVaGYxL0lMcTBzQmg0UC9FVytqZHQ1YXZyZlFzdnFiNExTY1lMUFphV0ZWVWFJcEJ4aE5nRFM0UkV4Ngp4ci9FSWptZm9lOU5rVlJPWjJYYlN3enFNY0psLzNIejZkdnNxWW1GcDNneWw0SzRDakFWdDFyZU1STXJ3dUJKCjBEWWRSQWJtalI3TjRlOEwvSGxSRTROek9KYks1Q1Badi81S1gveGdid0txRDZjY3A3V2RFaXZ2S29kVTlwbWUKNG54VlAzWGtQTzltWWdOUDd5dWhYY21QNC91K2UzaEFUb2QrWTg0VmlhMVRUbGgyeTRuQ2M1TWxHWlhMK3BDSgowTEYvUGxWdUZJOG03RE92Y2ZzY3U0Z3FUZDZCL3NzQkpiMEYwMktnTkhaM2NkREZHRVNzZ0sxcmEwMWkKLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K stringData: + cookie_hash_key: "224C3Ib4Ot7syRdB4Sow85SP+0qFy4ajoblBfrg2jZ6ZbGNWjN4qovT5ISlAUbVH4Jjcjc5QmTH3JgRLRRVZqA" + cookie_block_key: "8y9sMLhYYEBE8x3kNIm4u0NSM38pXjwBKYOhRywl9Fg" + claim_symmetric_key: "OSQU5zyXmgCd8tNCreYxec0w5Y2H8Lfyt+7jSlkG9HE" --- # Source: flyte-core/templates/common/secret-auth.yaml apiVersion: v1 @@ -651,28 +657,6 @@ spec: name: clusters-config-volume - mountPath: /etc/secrets/ name: admin-secrets - - name: generate-secrets - image: "cr.flyte.org/flyteorg/flyteadmin:v1.13.0" - imagePullPolicy: "IfNotPresent" - command: ["/bin/sh", "-c"] - args: - [ - "flyteadmin --config=/etc/flyte/config/*.yaml secrets init --localPath /etc/scratch/secrets && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --name flyte-admin-secrets --fromPath /etc/scratch/secrets", - ] - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - volumeMounts: - - mountPath: /etc/flyte/config - name: base-config-volume - - mountPath: /etc/scratch - name: scratch - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace containers: - command: - flyteadmin diff --git a/deployment/gcp/flyte_helm_generated.yaml b/deployment/gcp/flyte_helm_generated.yaml index 4e3fe06e38..cfbc5d7e14 100644 --- a/deployment/gcp/flyte_helm_generated.yaml +++ b/deployment/gcp/flyte_helm_generated.yaml @@ -68,7 +68,13 @@ metadata: name: flyte-admin-secrets namespace: flyte type: Opaque +data: + token_rsa_key.pem: | + LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKSndJQkFBS0NBZ0VBc2tuR1pTU0M3dGgyQzgzWlV4bTBwTUFtSVljK3N5eWZhNWdyUUNmWHlwdENoN3ZlCmVWemdaWlM1U09OVHFYcEtwU2NvckJyalpXYy8zZmZ5dDRBZ21KNDJqTEMyMVc4cmhCWlE2akpqNU5ic2x5UGkKbVJPdmIyMDlORFNqbHEwMTJXOUNVNVBUK2lQZDNHL2ZnNnRZb3QvVU1DbkJZa0NkY2VCNGgzRHVxM1BEUlh2ZApzVzB1cGEvRVFFOXhha3NJbWg3TDBiWk85U2JZM2pyR2trSGR5VzBVVlZ2S3VHUVNKeUdEME5ZSzk2WEVlMnVWCkQ4SXFUN1ozeVZLMHZwR1dOS01IcGR1a3JReSsyaVk0VFBNdXlVYjFNVllqWStvbGhseno0ZU9GOU5odG14Q1QKM0EwOVRLaExaR3FNYUtLdVVHemNHbEJZVmtlYUtDL29za1QvU3RSUXBzN3l0V0RhWE4wTFl3T2pjcnNKMlJiVwo3VGVpYnFjK2ZyLytHVnQwbzRlK0pTNE40TVFwZXp1UWFpS3FYNXZydjFTTTQ4ak9HODJUUEJVVm9PU2VYeFM2CmFJSERRMy8rcDNnSGxIbmlQeHlLT2tZdXovTE5jRk5MOTJGMnk4UXQ0ZmQxZHNhTFBLY3IwMjhTZnA2QThjS3cKc3U4blErM2Z4VUcyamlxaDc0cWZ3WXBnMWtwMDlWTWh3Mm1OL00wMDZlNXZIMHplc09SYW1FckRjUnYwc3lpdwp2M3hETWVlL3FzZERJUzB2Z0s3ajBlNko2bDNNNXVvSlloVzQ3bnBYZ3VvRkpqMk9jZi9LcmJvcTNDVFJZcStqClBwcmpKR3phbW90WUJVOEFiWHY4VjBBSk5BN0JpMkluQm5mcnRhS21HdnY0elM3L01tL3NDdE16aTBrQ0F3RUEKQVFLQ0FnQjR4cGxyY3V4dnVKdGZLN2VKSCtUTHBvOHVMMXcrTElCaWR0YjF3d2ZmN0lXSlJhOVVMNktqcmJoRwp0Qmk4dW1kT3NkUlBvbmRnL2l5NXhYbmE3U1VudmlYZDhPZ3FkZ0RZbmZWNmNXQlNhWFlrZk43SUxCbXdOaVE3CjlWek1lZEg4MWUzc2lEd1ZPNjdUNGNWY2dQcXVlMHBXeGpLR3lKYmZ5ZHhjaEJocWRTVlhNSzNodjhEVjVOZmgKYU8rL3ZjeTUreHEvbWV5ckRnSGpxWlZUQnVPanpBejJOaFNDRE9odk1ia0dBN215UWMxMGZsQ2dPRHhKZTZaeAo3MkVacDY1RlFodXdNN2ErczkrbUVEWWJpckdyRURLUmxYU3IvcllrNjFzYkx2SlVCemxZemtZYno2d3kvZDcwCnkya0tpUW5rMlpuUkNaU04vanRqOWZDQXMxVHN6cWFzMmpKdzllRXlsNGNFQzRBZEdjT2YvSWZaOHFyNlAybUMKLy93SzN0YTd3WmU4dWN5ZzB5VmhpSko0WDdvc2xKbnM2Y0EzRHA5Ukl6Zkt0WktJYm9xYjhmbUNkYkhNZEplZwpjaTJQVXo3cFBUZ2QyUGJLVWdvOWdHQjNCWGFnbmdHQUpvdmMxVFhuMVVHMllVbEd2L2JhcUs1SUYvS1FtVVg1CjI3L2llUFVXWHpsVmhQQmhHelNURUZqR3libDFFTm1HYU1MNURJZDB2NTQvQS9senBHM242OVc3aTUrbjYwOXYKTnVJNGE2VFNqRWtXM2tMUjB6aXpvRXNIaENTN0c2cXFVOTAyN2xxNlJMMk9LdWdTaVp5TjJzSnYxOUJnWDZrYgpNcUVDUHJuMVY4TWRqMEtZNlAzY3dSVW5CQkVVWEFRR1J0Qms5UERjQnliQ3pNYXF3UUtDQVFFQTB5VFRLZEd2CjlidFNDRldsNHhBZ2JkcDhBUHFaQTAwK1RJZzJYUkhXUUF4a1B4T0trMlJjOGdZL3hHenVhRmxjUXBqdDQvanoKZ1d2UUc0WmZXdTJQYm5OUWdieTQrSk94L2R3blU4S1lvR2cxVXVqRjVQYXNYTzRNYmU3QkVTQXpkSkowYVU3Qgo0Z2xaV1dGbkVsWW11aXNSRWZsTzZDQ25CRFRxbVBPcnJrbmxZVGNuUWs0cldZenM1TFJVMkkzMm1qZ2QvTjcxCmcwd2JMQnozTlYvRlFVclgvVWFiRVdJRTF0bXlRdWZwZ2hTSlh0UXF3QlhFLzZhRTZYUlBtczdRWWY4REpQQ00KTmdZc1lkcTRGTE43MUptc2kxWVhXcHZMbEhHT29SVWp3ZUMzbFJZV3lsc1BVM0NxWjJXZjhZdmJMOE83cWNGOQo0WUk3ZU5tcE4ySzZ2UUtDQVFFQTJDb1RuMm0wUytiVWNHblZlREx6clc2QmdSMVA3RCsxdjlTODV5TkhjeU5FCmVMeXlXalhaNXJqYUdKNGRmbmlGbXRaTncwS0plL1Z6NGlpbEJGbVQxN2RaREZRS0FJQVRqeExuREVVbzNqY1oKczZvem9UTEUyaVJuWFJ0alFiU1lzdzFEMm0xemMxdG93M3UwUFM5QTcxbng4aG5DVS9Td0xFK1JPNkZKLzBtSgpIRWxHb2x5c0J3b0tlcFZ1alU3cCtpbkJRRktYaU1HekZrS1NzMytKUk1iOFFnNFh4UjF5cU5VR3dnWTBEemxVCmlTQmJhbzA5aHp6SkpOTk5rK3ByOWZJQ1daOWtQbmJEREZubmI0RUlQYTJ4V1NSV0NZczZCN1ZhUk5ZOVBKb3YKb1QxMEZyNUQyVlNzcklIc3RmcjJ4RFd4aURJMnRTSGwzN0RUMmx3aGZRS0NBUUFJd2JnNFBjZ01hdTVtQmhkUgpLWFFPMmtiV1M0NVpBclVZdTNWMXVxMm1EbDJCK0MrQkdXSjVieVRwNHBLb3BUd2NUdmRld3c1bVNiQmgwOXJVCmpKR3NSUUFMd1dYeWVUMmloNlRoNW1vcURPaFpQZW9uS3N2UE50Z3hIdnZHMkEwS1FxQ3RWV1RaR1FZcG5NNkgKaGljcEJXdzUwSnNqS1dlRDF5WDduZTk2MVBtOFpHc3Vac3VKZFR6RjUyeTFabjNadTRZUzNMUlY4NndVMGthMgpZZmh1VXNwT2FNVTVuVlVTREFsR21ST29IMjNyRHVXTy9kZ2p1aVk5QUdQa3licit0WExONzJRQlFaUkpvcWFMCnhUM1hmV0FZajBOOHNJVnE3S0s3cjRMQ0lhMjdjeVVTMDEvNVYrelpTTyt2TnR1cVNYWFkvbnRZQk95dWdHaHkKTVpnSkFvSUJBRmdRN0dXcDN2WjlXRmRrQnNBdG9mRXFjRUIxL0xXM1R3aVVWMUdqb2R4YXBlNjZrYjhHNlh1QwpHL2lqa2tpUU9YNVhpTjdnSUxzTHlPWit3SndCRXFaejRDZVJwWEdHdkhFeHRrZmRkVVR6RmRtSW9mZ3VndHlNCnNEL1NoS0drUGdIVWlheFhvdzJBVkRJd0Y4SkZtaUxwZGhTNFFkK0tkS3ZZenNhSWMyazZRRTN4M0lFUldGU1YKMXFjU2NqUEh6ck5JaDU3NUJ4dUVMcjRHNlZXUHhCRHRNS0NJdFU1dExPVnp4SWtQbGU0TjRVN3NpOUhoTVF3RAp5NzdoQjE0WHgxd3YrSjBpdnVoajRoc0tGYXZyMmJ1bkkvVzVSQVFuWU1EN05ZZU44T3pidEVQd2tYY2lsT25hCkFXOVdqMldrbFJ4aTg2MFZLQXlyZnNlZmR2QWpVTkVDZ2dFQU9RSllqSzIxMXhFOUVUZlI5V1BnQ1JZVE01L2gKY1l2bnRNa0R4UjJqWTdJYWVUc3VGOGRMUTdyZmdtbXVqUXJ2cHhxb1NpK2FDRnJPbmJiRElhVjFPWnhZMERCNwoyNmtmN1hxbUpwZjZrbW5veWc2UjZZOU1yR0xNOTBDdXhnTUVPMVZlaExXNTFTWjQ1TVRRL3JsOG02NFZGL1IwCnFtd0hid1BDQ1JVeUVCUnJkc1BETDVUbldERmxTZHp2cTcxT2tPZEZTSm5MT1lqUHVXcHdrdlBacGxMbjEydWoKMk84OVFHTXk0QWZyUmlpR2pUSlVkd3Z3SFQrOWVxZFBEVlBidVN0NVpFYzM4QkdMZm93TkMzZ1FEaE9YcDVkagp4RG5MeFU1dG1uOHllNEpqb3Y5U2IzUE5zanI3R1psUXh5ejBZNzgwZllGZE05a3IrTElHZUF0TVFRPT0KLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K stringData: + cookie_hash_key: "uc95qZyRRLaA/uAO1RuEX7NqDD8Mw2JWnF/VpFuujFth+mmbvmloe6cS1AqL1fVhHsgmDf39qAJ/wRK3u9hp0A" + cookie_block_key: "vqdfBTFgSZWohVAfCICTEvOlnO0zt1oykTvqLq+Jwig" + claim_symmetric_key: "R1Tre/w/OacURlkTJZ48bWyMqlMfEtlhRV9/h9CJ1Q8" --- # Source: flyte-core/templates/common/secret-auth.yaml apiVersion: v1 @@ -985,28 +991,6 @@ spec: name: clusters-config-volume - mountPath: /etc/secrets/ name: admin-secrets - - name: generate-secrets - image: "cr.flyte.org/flyteorg/flyteadmin:v1.13.0" - imagePullPolicy: "IfNotPresent" - command: ["/bin/sh", "-c"] - args: - [ - "flyteadmin --config=/etc/flyte/config/*.yaml secrets init --localPath /etc/scratch/secrets && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --name flyte-admin-secrets --fromPath /etc/scratch/secrets", - ] - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - volumeMounts: - - mountPath: /etc/flyte/config - name: base-config-volume - - mountPath: /etc/scratch - name: scratch - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace containers: - command: - flyteadmin diff --git a/deployment/sandbox/flyte_helm_generated.yaml b/deployment/sandbox/flyte_helm_generated.yaml index f53025f850..6659d87162 100644 --- a/deployment/sandbox/flyte_helm_generated.yaml +++ b/deployment/sandbox/flyte_helm_generated.yaml @@ -116,7 +116,13 @@ metadata: name: flyte-admin-secrets namespace: flyte type: Opaque +data: + token_rsa_key.pem: | + LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS2dJQkFBS0NBZ0VBMVpWRjFOdUFHNmZRYXZ3ZHRwMzB3NGlQYzZ3bHB3ZXJ0M1R4RlhTT1FDWnRLSG13CjZWZUljM25WcHRBYUVnUm1CVTh4bkE3bE15WVd6RFVQeEVqbXNVR01sUVpPT1pnZ0d0Ty96WlFpZkhQYmhvUEsKOTMxSVQxanEvUkRqT2hQelV2YkdvenNFdzVGSkdEeTNpQ1ZlODd4SzhqYmRJQVpaYkNLeWx4ZHkrNjNSaTFlcAowdWVRZVZ0aWh5d2dzcGxRaEk4a0ZZd0c2N1ZDS25kcVJIMlFTUXNzaWpsVCtML2RDNk13UXUrdFlSa1YwZ09qClRwalphTDNZRFp6TU9UdmUzQlBFWHlNci9MZ0RDaHpsbVVicSt3aHozRW9WRzdLUjhzZ1Z5aExNVEtzNTZtTmwKTXl5T3pyQXBzaCtZTGxHNEplZngzczM3eVp5WklDUjdqTlZvRktaZDYrSC9Nc0wyaDdpclJzUUc5U1JEaFJVRAoxWHE5UksrdkhoSnJONDY3VC80TW9iL0RtZ1J3MXRDUG9qcjZQRkZvaW92OGswaUs3Wnl2cVlQd2VGSG1oVXliCnhvQzIyWVZTelFYcFk3aGk2TEVKRkdTMEZGdFVPbDZoNk51MEM5ekFBNndFOU1PanF6TjRLazBWNzdncElVMTkKZW9Lc28ySWdFcXVaSzZSZEIzVU5wT1EwL3F6MTBJaGNsd1ZTWVd1MVpPSW52TkxVT2sva1FrTmVMbW1tdUc4MgoyQWRUNVUzc0VzUnkya3hMYnlPMzlmek43UHFwak5VSkQ3VUpGQ0kybUxLbkFzWHJBQ2o1QnRCdEp6TWxzSVpFCnpDVmY2RFc4VCtMNzBrMWVRcUYzVXorL283cDhnWHdaWUZNUUkwbU83WWh1UVVQa2MwS2JPc3BVQmM4Q0F3RUEKQVFLQ0FnRUFxMDdJTE50Rm5HajBOT3MwbGVXSmpVKzU1NGhheHViVEp4bG55TktzeWUxSVBsK2tzdlBmWU9lRwpvdjVrK3JDR2Q1bTJhN3BTd2J5NktsNGc0RW1zcHQyeGVWSU9hZ21ITHAxS1NRU1l5SU5RdjBwMEFCOS9ZUTByCnBZRG5FQTB5YkFlOCtPMThlN1BMRWVLWlBsempGTkdndHpla0VteWxTcU5sNU9RTStLckkyRitldWFlNzdHcU0KMDJoa2JYdWs1ajI5TG44YWlmSGZPUnFBcEtDbG1zQ1luK0V0WmVYVjBPQzU4K1l6aFI3T3JwejJYak1ncGU4bgpISHY0SGF2VXEyWTdhaWRXdjZPRDVKZWEzRjdTV0RqR1hSa2FaeFhLRkJYQnpFdFppK0VHV2VZUkpJT0hvMllPCmUyejE3YWpqNzV0akYxYlZyamFwWnV0OElWQ0Y0aHI2UG51aGdoODhKWkIvajZEM05MeEE5bWpjSUpUNXcyekkKV0FqaGduZEYrZHgxSXRBODZTODBuVkJNU1dSeHpsMHBxOWRUQVlSR21LVGhlNCtVOFBTTkpKclpZWWtzaEpjTQo2Tm9jZW1PVndPaUYzSXRueXF4U0lGUkZHT1B5WWQyQ0Y0TDZaUk5PTXJ3Q3NhbDFFbW10ZEYvRGJvYjlSdWdOCmpDTDdURmZlZnMwR0lDcTA3YTY0WlJsbDMrT1p4ckt6OUV3MEIxamRpdlo4LzlyalhOcjFCV0FSMmFpVWFFN2IKRExlNE1YZms1MDEwZHdBYXF3NjR0RzlYUVRhTC9ING5XYXFjcnJNVlNjMmJXQ2lnaEl0Y1B6VUhscGhidE9nZgpSaGRhUVlHOWdOcGRJTGwxTmdrVm90RHJjL2dRZm5objN5Snh6b3FadE8vKzVyM0VrMmtDZ2dFQkFPUVRxSWQxCmJsQ2ZLbi83ZWxFdW94UzFtM3BWZ3ZCck9oZzk5N1J4cXkwNXVLalQrWEhqWmNUR1J5WWtxME80clVaNjJ4NGkKbnB4cTdIOTJwb1BOeWRxdTZ6RnE3RHRxa2ZNc0xkZXBIQWZkNlhzWk1Jd3A5WGkzOUFMMXdaSjRaUE8zdUpmeApMS0s1RzFjYUoyS1NLb1RsY00rUkVMLzljTElOYTdnMG5mS1cyZ1FTZzczUnloTUlHWTBTT2Q3OTArOXlUQlluCjFwNlpnYWxiTEY5eWlmNVNMYWQ4ak40a1hlK1hZMHNDbTJob3F2MTl0Q3ViUGVRdlBMTXlCUnpmRm9oT01XaXkKeWIzaC8raHhsVlRjQmJwejJxanRNSVZ4WVhiRjZmQS9MZm04dStIQXZWMWFQMnUyRTZSY2g5aHNxU0RubDVzVQpVY2xJYVZ3UXZubE1wT01DZ2dFQkFPKzdXeEVza1h5TmZMcHRXL2w4ZkVJcW9ZMFNNOUJnUlNEVWtmb2hCUEtZCmpHV3pzMk1KdVp1VTcyWWNaQnVDTTRyUmx0dnliZGh3SktzN0tZU3dab3V1WHF6NWF5ZkFITlVjOXZtV28rR2gKS0oyT1JHODRmZExWQk04RktPU2IrdFZiYm9Oc21UNjRaaXZVNFFZZGYyRERHUEl2Vm1QS1RRc2lCcjFIUDRjTQppdzdTd0FQeC9lZjk4K2lIMzJLZjM0VmJPNzZQcmFXNVlXSEltdmZQSkxGZm5ZQXFHcVJxUG5YOUFWR01JdHRyCmJvUDZzd1EwYlRvS2RaTGlBRnozWERrT1FwWm9zTytXUm5EN1NUeGVVSTFKWnR1U0NydWJmbUo4ckNKSEYyMlcKd0N4d2pWbFhIcTYxaWpMdlhBWkNTNTY2b2lzQXdnMlBnQkVUNWdLbTJ5VUNnZ0VBVUhsdk9YeUIxQWlWSWx0RgpLV2ZmT3V0cFZKemZlcDBhL25xKzcvZzdnZFdnQmxIazdmNWlaaS9mNHVHRlhIdkpCOWxKZnpTUDZuai93V25JCkR6R0pTNVAwZ0pkTml4bHJMZllrcHJlUW9HWDRmK3EvYW5WVG02aXNmRzdpUWlBZzNxMndnRXdraDdYd282Y2kKeG5EMGQ3Zk5PaS9oVFJ6THFzZDVmcUZ5S2FwNGVuOWQ1SmdsU05uT3lpdm9KM3BBVVhodXlGSitNNi9PUkVkYgpQTUpaVmxjQXJOd1JpRUFrdE9raHE5SGJxOWRpbmRiQXY3SWpBR1I2Y20vdnhlUWhPeTc3MkFsZGpaWTBpWHVxClNTcnBDb1RlWGtSeW5tTUhGTFY0ZWNDUkpGRW5xZHdyOU1obklFWTZZQUFXSHBNWWlmZXRVcGEwMU9TcjZFUXcKTVBTT0tRS0NBUUVBcVpHSWRMbGxud2dsTldpdEtlZFhyU1dpWjdwOFUrUUVnWmhhT09hcUxUNmg4RDRQb1BuOApBNFJ4WVhTcmlwbXFBNE1FaGtjUVU0dmZKQThRNnY0clNwbm45Y25tZFpONTBYUlBiWE9VTDhCaWppOVhVS1JRCnU1UlpkbVZiNjNnNUVEbEFEazMraDFLL1VqbWRnVW5VRTRsc1Y4SU1CVUhQQlJUb1YzSFNDYUJocS9aK1Ewd2sKSUxpTWtlbXBwSVVaQWFicXQzdkJnL3VBV2o0ZS96SFI3blNIWDJSb3UrczZpeEtPb0RQVFpBaTFmejBRNnVSNgpiaGQvMm9scFlGakhMc1JiYlRCWUZ0L2dxNEhTNTVSK3ZiRXh4QldrNmRhdXF0TXNub0pTbS8ySnFPVmoxZEc5CnJpNVN0bnlBUngwVmlBelRNRCsxQXdxQnQ1S3ZteWlTMFFLQ0FRRUFtTkkzSWlJa2dZem81aEpZNTZySERnSGcKdURXZ0lHbVNsd2dPRUI0UWJkWXBLMVQ0cXBWUzl4dFJkYWJBbmNQOVVxakFlekRMLzViaGtObExMTHhOM3V4bwowelpPa2JRd0FhYVJiaER4Qm9rUzJRc1JYeXFvbU56K3dYQ0k0MnJ6eTQvTE1Sd3NGdFRwdnptN0gyR1BRUzVkCndsSlhkZFduR3gxYnRNanJ1bFdJa1hGRWMxZ1JyMEdSaG1qT0J2d3VCTlJuK2tDSDFRSGRicHRGU1NkWXNJTkoKS2gyaGtjMUFSYjh3VERDcVlxejBqajl6SXBtZDg1T21JL21CUlFJeTNxYU5pRmhTSTY3M1l4SWZ6MlBZTTVtcApCS29QUjZtYVBZOTk3TFNMSVJibWZpbEFCNFNuSDZRT01BUm84bGlqMmh3SklCWmJ4dXlQWFR0RkVqTEZVUT09Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg== stringData: + cookie_hash_key: "PJ9zto3iT6VOnUl7n0wC1U4GgSv7+Tf/YL5ceObYL4aQJMH+woZqTicYGeTb2B1wowmCl+BG9eW4oA7kD9wDIQ" + cookie_block_key: "jexJFHkPp9jgn0xoI4mpO/k7/9dyzR7415Dl75uebW0" + claim_symmetric_key: "4x8n7MqI+FPPOcN+DnremPA/l6ZAs8tL0Z2P18yijfk" --- # Source: flyte/charts/flyte/templates/common/secret-auth.yaml apiVersion: v1 @@ -6766,28 +6772,6 @@ spec: name: clusters-config-volume - mountPath: /etc/secrets/ name: admin-secrets - - name: generate-secrets - image: "cr.flyte.org/flyteorg/flyteadmin:v1.13.0" - imagePullPolicy: "IfNotPresent" - command: ["/bin/sh", "-c"] - args: - [ - "flyteadmin --config=/etc/flyte/config/*.yaml secrets init --localPath /etc/scratch/secrets && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --name flyte-admin-secrets --fromPath /etc/scratch/secrets", - ] - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: ["ALL"] - volumeMounts: - - mountPath: /etc/flyte/config - name: base-config-volume - - mountPath: /etc/scratch - name: scratch - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace containers: - command: - flyteadmin diff --git a/script/generate_helm.sh b/script/generate_helm.sh index 1c836b9002..89b2ee7371 100755 --- a/script/generate_helm.sh +++ b/script/generate_helm.sh @@ -56,7 +56,8 @@ ${GOPATH:-~/go}/bin/helm-docs -c ${DIR}/../charts/ # This section is used by GitHub workflow to ensure that the generation step was run if [ -n "$DELTA_CHECK" ]; then - DIRTY=$(git status --porcelain) + # find only deleted or removed lines, not replaced values + DIRTY=$(git diff --word-diff | grep "^[{\[]") if [ -n "$DIRTY" ]; then echo "FAILED: helm code updated without committing generated code." echo "Ensure make helm has run and all changes are committed." From b3e424ebf1707a06a24875572caffbf631ab35fa Mon Sep 17 00:00:00 2001 From: ddl-ebrown Date: Thu, 11 Jul 2024 20:51:17 -0700 Subject: [PATCH 2/2] Formalize oidc_client_secret in flyte-admin-secrets - When setting up integrations with an IdP like Keycloak, the oidc_client_secret must also be set in flyte-admin-secrets. Formalize that and make it more discoverable Signed-off-by: ddl-ebrown --- charts/flyte-core/templates/admin/secret.yaml | 4 ++++ deployment/eks/flyte_aws_scheduler_helm_generated.yaml | 1 + deployment/eks/flyte_helm_controlplane_generated.yaml | 1 + deployment/eks/flyte_helm_generated.yaml | 1 + deployment/gcp/flyte_helm_controlplane_generated.yaml | 1 + deployment/gcp/flyte_helm_generated.yaml | 1 + deployment/sandbox/flyte_helm_generated.yaml | 1 + 7 files changed, 10 insertions(+) diff --git a/charts/flyte-core/templates/admin/secret.yaml b/charts/flyte-core/templates/admin/secret.yaml index cfb140f90a..e6609b7cde 100644 --- a/charts/flyte-core/templates/admin/secret.yaml +++ b/charts/flyte-core/templates/admin/secret.yaml @@ -13,6 +13,7 @@ data: cookie_hash_key: {{ index $secret.data "cookie_hash_key" }} cookie_block_key: {{ index $secret.data "cookie_block_key" }} claim_symmetric_key: {{ index $secret.data "claim_symmetric_key" }} + oidc_client_secret: {{ index $secret.data "oidc_client_secret" }} {{- else }} token_rsa_key.pem: | {{ genPrivateKey "rsa" | b64enc }} @@ -22,6 +23,9 @@ stringData: cookie_hash_key: {{ trimSuffix "==" (randBytes 64) | quote }} cookie_block_key: {{ trimSuffix "=" (randBytes 32) | quote }} claim_symmetric_key: {{ trimSuffix "=" (randBytes 32) | quote }} +{{- if .Values.secrets.adminOauthClientCredentials.enabled }} + oidc_client_secret: {{ .Values.secrets.adminOauthClientCredentials.clientSecret | quote }} +{{- end }} {{- end }} {{- with .Values.flyteadmin.secrets -}} {{ tpl (toYaml .) $ | nindent 2 }} diff --git a/deployment/eks/flyte_aws_scheduler_helm_generated.yaml b/deployment/eks/flyte_aws_scheduler_helm_generated.yaml index fe9e371bb1..b52e30dbcd 100644 --- a/deployment/eks/flyte_aws_scheduler_helm_generated.yaml +++ b/deployment/eks/flyte_aws_scheduler_helm_generated.yaml @@ -63,6 +63,7 @@ stringData: cookie_hash_key: "MuJrZ6SO749aiiuCUHTt0soA9wTTc1hyL8joh+UWZ9AqwxJ0GH5fjwDM0EF5umqLUg81nl3MGqD108vZPad4eA" cookie_block_key: "4lcZsm7g6hAac3c2O8i5QV04jewLPDUT+QfwdGkfONI" claim_symmetric_key: "seUw6e6wnsbCuAaW1L2U/iLItvtIWxlNAUQ3r9Gozj8" + oidc_client_secret: "foobar" --- # Source: flyte-core/templates/common/secret-auth.yaml apiVersion: v1 diff --git a/deployment/eks/flyte_helm_controlplane_generated.yaml b/deployment/eks/flyte_helm_controlplane_generated.yaml index e861b390f2..983a0204a2 100644 --- a/deployment/eks/flyte_helm_controlplane_generated.yaml +++ b/deployment/eks/flyte_helm_controlplane_generated.yaml @@ -53,6 +53,7 @@ stringData: cookie_hash_key: "1F+qN7eZFwjiFNDsHXCakfzy4/48fQsRgrsRb/afdkNEG6JtQHPH/Z+I7KIa6NC09fX3G2rEIv60Ilalj30MrQ" cookie_block_key: "FYhmYGHm+19l0TKL6iimMoGRuqElhy6XWkBU9IARdI8" claim_symmetric_key: "6uOdTrZ70G3osUcym8w2koLkwI+peRgwX0O/V9oSawU" + oidc_client_secret: "foobar" --- # Source: flyte-core/templates/common/secret-auth.yaml apiVersion: v1 diff --git a/deployment/eks/flyte_helm_generated.yaml b/deployment/eks/flyte_helm_generated.yaml index 06689b8b0e..a01d5ce0a5 100644 --- a/deployment/eks/flyte_helm_generated.yaml +++ b/deployment/eks/flyte_helm_generated.yaml @@ -75,6 +75,7 @@ stringData: cookie_hash_key: "4EfCL3f4u3SEl7fGNd0hUqnfASxC6W1oFOQH7njT8NSFhZQV78Y4H/xRxa/ttF9QfTd/Th79s3W+w+ATo5IAlA" cookie_block_key: "FivnWNlPDsZ988UdMuUoS7SEghTA91QYfYHi7npCCP8" claim_symmetric_key: "qGeM76T9DLdOoFhoefC7sy9rzvm/EehF8bj2BDNvTU8" + oidc_client_secret: "foobar" --- # Source: flyte-core/templates/common/secret-auth.yaml apiVersion: v1 diff --git a/deployment/gcp/flyte_helm_controlplane_generated.yaml b/deployment/gcp/flyte_helm_controlplane_generated.yaml index 1dbe7761a0..acb8700013 100644 --- a/deployment/gcp/flyte_helm_controlplane_generated.yaml +++ b/deployment/gcp/flyte_helm_controlplane_generated.yaml @@ -53,6 +53,7 @@ stringData: cookie_hash_key: "224C3Ib4Ot7syRdB4Sow85SP+0qFy4ajoblBfrg2jZ6ZbGNWjN4qovT5ISlAUbVH4Jjcjc5QmTH3JgRLRRVZqA" cookie_block_key: "8y9sMLhYYEBE8x3kNIm4u0NSM38pXjwBKYOhRywl9Fg" claim_symmetric_key: "OSQU5zyXmgCd8tNCreYxec0w5Y2H8Lfyt+7jSlkG9HE" + oidc_client_secret: "foobar" --- # Source: flyte-core/templates/common/secret-auth.yaml apiVersion: v1 diff --git a/deployment/gcp/flyte_helm_generated.yaml b/deployment/gcp/flyte_helm_generated.yaml index cfbc5d7e14..3e0fb4648c 100644 --- a/deployment/gcp/flyte_helm_generated.yaml +++ b/deployment/gcp/flyte_helm_generated.yaml @@ -75,6 +75,7 @@ stringData: cookie_hash_key: "uc95qZyRRLaA/uAO1RuEX7NqDD8Mw2JWnF/VpFuujFth+mmbvmloe6cS1AqL1fVhHsgmDf39qAJ/wRK3u9hp0A" cookie_block_key: "vqdfBTFgSZWohVAfCICTEvOlnO0zt1oykTvqLq+Jwig" claim_symmetric_key: "R1Tre/w/OacURlkTJZ48bWyMqlMfEtlhRV9/h9CJ1Q8" + oidc_client_secret: "foobar" --- # Source: flyte-core/templates/common/secret-auth.yaml apiVersion: v1 diff --git a/deployment/sandbox/flyte_helm_generated.yaml b/deployment/sandbox/flyte_helm_generated.yaml index 6659d87162..4987a458b3 100644 --- a/deployment/sandbox/flyte_helm_generated.yaml +++ b/deployment/sandbox/flyte_helm_generated.yaml @@ -123,6 +123,7 @@ stringData: cookie_hash_key: "PJ9zto3iT6VOnUl7n0wC1U4GgSv7+Tf/YL5ceObYL4aQJMH+woZqTicYGeTb2B1wowmCl+BG9eW4oA7kD9wDIQ" cookie_block_key: "jexJFHkPp9jgn0xoI4mpO/k7/9dyzR7415Dl75uebW0" claim_symmetric_key: "4x8n7MqI+FPPOcN+DnremPA/l6ZAs8tL0Z2P18yijfk" + oidc_client_secret: "foobar" --- # Source: flyte/charts/flyte/templates/common/secret-auth.yaml apiVersion: v1