diff --git a/dagster/helm/dagster/Chart.lock b/dagster/helm/dagster/Chart.lock
index 6baa50495..7e90ccc14 100644
--- a/dagster/helm/dagster/Chart.lock
+++ b/dagster/helm/dagster/Chart.lock
@@ -2,6 +2,9 @@ dependencies:
 - name: postgres
 repository: https://pluralsh.github.io/module-library
 version: 0.1.16
+- name: oidc-config
+ repository: https://pluralsh.github.io/module-library
+ version: 0.1.6
 - name: dagster
 repository: https://dagster-io.github.io/helm
 version: 1.5.4
@@ -11,5 +14,5 @@ dependencies:
 - name: test-base
 repository: https://pluralsh.github.io/module-library
 version: 0.1.10
-digest: sha256:429db54a06ff1d43d546fb5b8da1534e7f06f12a0e408a83e146222eb2585cbb
-generated: "2023-10-20T10:53:15.243597+02:00"
+digest: sha256:711eb99a3aa598dc5755698003710c6e4f175f99cfbf68589e27fbb19ef1a6b0
+generated: "2023-12-18T10:52:48.079022-05:00"
diff --git a/dagster/helm/dagster/Chart.yaml b/dagster/helm/dagster/Chart.yaml
index cb1e2feb8..0e610526e 100644
--- a/dagster/helm/dagster/Chart.yaml
+++ b/dagster/helm/dagster/Chart.yaml
@@ -2,12 +2,16 @@ apiVersion: v2
 name: dagster
 description: A Helm chart for Kubernetes
 type: application
-version: 0.1.46
+version: 0.1.47
 appVersion: 1.5.4
 dependencies:
 - name: postgres
 version: 0.1.16
 repository: https://pluralsh.github.io/module-library
+- name: oidc-config
+ version: 0.1.6
+ repository: https://pluralsh.github.io/module-library
+ condition: oidc-config.enabled
 - name: dagster
 version: 1.5.4
 repository: https://dagster-io.github.io/helm
diff --git a/dagster/helm/dagster/charts/oidc-config-0.1.6.tgz b/dagster/helm/dagster/charts/oidc-config-0.1.6.tgz
new file mode 100644
index 000000000..6369d78af
Binary files /dev/null and b/dagster/helm/dagster/charts/oidc-config-0.1.6.tgz differ
diff --git a/dagster/helm/dagster/templates/oidc.yaml b/dagster/helm/dagster/templates/oidc.yaml
deleted file mode 100644
index b67a67b9e..000000000
--- a/dagster/helm/dagster/templates/oidc.yaml
+++ /dev/null
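Review bot: The `oidc-config` entry added to Chart.yaml has no comment saying what it replaces, and the proxy settings that were reviewable in templates/oidc.yaml now sit in a vendored `.tgz` that this diff shows only as a binary. The deleted template pinned `OAUTH2_PROXY_COOKIE_SECURE: "true"` and `OAUTH2_PROXY_COOKIE_SAMESITE: lax`, and it also set `OAUTH2_PROXY_EMAIL_DOMAINS: "*"`; whether subchart 0.1.6 keeps, tightens or loosens any of these is not visible here, so the rendered Secret should be compared with the old one before merge. Assuming the subchart does take over those two objects, I would add above the entry `# oidc-config renders the oauth2-proxy Service and Secret formerly defined in templates/oidc.yaml`.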
@@ -1,49 +0,0 @@
-{{- if .Values.oidcProxy.enabled }}
-apiVersion: v1
-kind: Service
-metadata:
- name: dagster-oauth2-proxy
- labels:
- endpoint: oauth2-proxy
- {{- include "dagster-plural.labels" . | nindent 4 }}
-spec:
- ports:
- - port: 80
- targetPort: 4180
- protocol: TCP
- name: http-oauth
- - port: 44180
- targetPort: 44180
- protocol: TCP
- name: metrics-oauth
- selector:
- {{- include "dagster.selectorLabels" . | nindent 4 }}
- component: {{ include "dagster.webserver.componentName" . }}
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: dagster-proxy-config
-type: Opaque
-stringData:
- OAUTH2_PROXY_PROVIDER: oidc
- OAUTH2_PROXY_HTTP_ADDRESS: 0.0.0.0:4180
- OAUTH2_PROXY_METRICS_ADDRESS: 0.0.0.0:44180
- OAUTH2_PROXY_COOKIE_EXPIRE: 48h
- OAUTH2_PROXY_COOKIE_REFRESH: 24h
- OAUTH2_PROXY_COOKIE_SECURE: "true"
- OAUTH2_PROXY_COOKIE_NAME: _oauth2_proxy
- OAUTH2_PROXY_COOKIE_SAMESITE: lax
- OAUTH2_PROXY_EMAIL_DOMAINS: "*"
- OAUTH2_PROXY_OIDC_ISSUER_URL: {{ .Values.oidcProxy.issuer }}
- OAUTH2_PROXY_PASS_ACCESS_TOKEN: "true"
- OAUTH2_PROXY_SCOPE: "openid profile"
- OAUTH2_PROXY_SET_AUTHORIZATION_HEADER: "true"
- OAUTH2_PROXY_SET_XAUTHREQUEST: "true"
- OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: "true"
- OAUTH2_PROXY_UPSTREAMS: {{ .Values.oidcProxy.upstream }}
- OAUTH2_PROXY_USER_ID_CLAIM: email
- OAUTH2_PROXY_CLIENT_ID: {{ .Values.oidcProxy.clientID }}
- OAUTH2_PROXY_CLIENT_SECRET: {{ .Values.oidcProxy.clientSecret }}
- OAUTH2_PROXY_COOKIE_SECRET: {{ .Values.oidcProxy.cookieSecret }}
-{{ end }}
\ No newline at end of file
diff --git a/dagster/helm/dagster/values.yaml b/dagster/helm/dagster/values.yaml
index 185958a84..f6cb71a90 100644
--- a/dagster/helm/dagster/values.yaml
+++ b/dagster/helm/dagster/values.yaml
@@ -1,6 +1,18 @@ global: serviceAccountName: dagster +oidc-config: + enabled: false + service: + name: dagster-oauth2-proxy + selector: + app.kubernetes.io/instance: dagster + component: dagster-webserver + secret: + env: + OAUTH2_PROXY_UPSTREAM_TIMEOUT: '120s' + + postgres: team: plural user: dagster diff --git a/dagster/helm/dagster/values.yaml.tpl b/dagster/helm/dagster/values.yaml.tpl index 006ef7e0c..d8da1ab14 100644 --- a/dagster/helm/dagster/values.yaml.tpl +++ b/dagster/helm/dagster/values.yaml.tpl @@ -12,13 +12,19 @@ postgres: password: {{ $postgresPwd }} {{ if .OIDC }} -oidcProxy: +{{ $prevSecret := dedupe . "dagster.oidcProxy.cookieSecret" (randAlphaNum 32) }} +oidc-config: enabled: true - upstream: http://localhost:80 - issuer: {{ .OIDC.Configuration.Issuer }} - clientID: {{ .OIDC.ClientId }} - clientSecret: {{ .OIDC.ClientSecret }} - cookieSecret: {{ dedupe . "dagster.oidcProxy.cookieSecret" (randAlphaNum 32) }} + secret: + name: dagster-proxy-config + issuer: {{ .OIDC.Configuration.Issuer }} + clientID: {{ .OIDC.ClientId }} + clientSecret: {{ .OIDC.ClientSecret }} + cookieSecret: {{ dedupe . "dagster.oidc-config.secret.cookieSecret" $prevSecret }} + {{ if .Values.users }} + users: + {{ toYaml .Values.users | nindent 4 }} + {{ end }} {{ end }} dagster: diff --git a/dagster/plural/docs/basic-auth.md b/dagster/plural/docs/basic-auth.md new file mode 100644 index 000000000..4f44699f0 --- /dev/null +++ b/dagster/plural/docs/basic-auth.md 
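Review bot: The Service selector under `oidc-config` in values.yaml is now two literal labels, `app.kubernetes.io/instance: dagster` and `component: dagster-webserver`, where the deleted template derived them from the `dagster.selectorLabels` and `dagster.webserver.componentName` helpers. If the release is installed under another name, or the upstream chart changes its component label, the proxy Service would select no pods and sign-in traffic would stop routing without any render-time error. If the helper used to emit a further label that is no longer listed, the selector may also match more pods than it did before. A comment such as `# must match the dagster-webserver pod labels; assumes release name "dagster"` would record the assumption. The nesting is read from key order, since indentation is lost on this page.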
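Review bot: In values.yaml.tpl, `clientSecret`, `cookieSecret`, `issuer` and `clientID` are emitted as plain YAML scalars, so a value that starts with a YAML indicator, contains `: ` or ` #`, or looks like a number or boolean is re-typed or truncated before it reaches the oauth2-proxy Secret. The OIDC client secret comes from the provider, and nothing in this hunk constrains its alphabet. If the template function map includes `quote` (it already exposes `randAlphaNum`), write `clientSecret: {{ .OIDC.ClientSecret | quote }}` and `cookieSecret: {{ dedupe . "dagster.oidc-config.secret.cookieSecret" $prevSecret | quote }}`. The `users:` block copies basic-auth passwords from `.Values.users` into the rendered values, so a comment there noting that the output file holds credentials would help whoever handles it next.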
@@ -0,0 +1,30 @@
+## Configuring Basic Auth
+
+Dagster's api and web interface is not authenticated by default. We provide an oauth proxy by default to grant some security to your dagster install, but in order to integrate with tools like airflow, you'll likely want a means to authenticate with static creds. That's where basic auth can be very useful. The process is very simple.
+
+### modify context.yaml
+
+in the `context.yaml` file at the root of your repo, simply add:
+
+```yaml
+configuration:
+ dagster:
+ users:
+ :
+ :
+```
+you can use `plural crypto random` to generate a high-entropy password if that is helpful as well.
+
+### redeploy
+
+Simply run `plural build --only dagster && plural deploy --commit "enabling basic auth"` to wire in the credentials to our oauth proxy. Occasionally you need to restart the web pods to get it to take, you can find them with:
+
+```sh
+kubectl get pods -n dagster | grep dagster-webserver
+```
+
+then delete them (allowing k8s to restart) with:
+
+```sh
+kubectl delete pod -n dagster
+```
\ No newline at end of file
diff --git a/retool/helm/retool/Chart.lock b/retool/helm/retool/Chart.lock
index 753933f6c..63363944f 100644
--- a/retool/helm/retool/Chart.lock
+++ b/retool/helm/retool/Chart.lock
@@ -4,6 +4,6 @@ dependencies:
 version: 0.1.5
 - name: retool
 repository: https://charts.retool.com
- version: 6.0.2
-digest: sha256:64e43f4c30b1d885101d9c50fe2f314e54f86d33e555ba6df3d9b90dda8784d4
-generated: "2023-09-26T12:08:59.73891-04:00"
+ version: 6.0.11
+digest: sha256:c182bac59d78a9f260acb187063a7ffbfff0b887fc81a383959c88b22a03e337
+generated: "2023-12-18T10:33:05.569756-05:00"
diff --git a/retool/helm/retool/Chart.yaml b/retool/helm/retool/Chart.yaml
index 92b8ffabc..e088b3b91 100644
--- a/retool/helm/retool/Chart.yaml
+++ b/retool/helm/retool/Chart.yaml
@@ -2,12 +2,12 @@ apiVersion: v2 name: retool description: helm chart for retool type: application -version: 0.1.7 -appVersion: "v3.12.2" +version: 0.1.8 +appVersion: "v3.24.1" dependencies: - name: postgres version: 0.1.5 repository: https://pluralsh.github.io/module-library - name: retool - version: 6.0.2 + version: 6.0.11 repository: https://charts.retool.com diff --git a/retool/helm/retool/charts/retool-6.0.11.tgz b/retool/helm/retool/charts/retool-6.0.11.tgz new file mode 100644 index 000000000..7c434538b Binary files /dev/null and b/retool/helm/retool/charts/retool-6.0.11.tgz differ diff --git a/retool/helm/retool/charts/retool-6.0.2.tgz b/retool/helm/retool/charts/retool-6.0.2.tgz deleted file mode 100644 index 52075a45a..000000000 Binary files a/retool/helm/retool/charts/retool-6.0.2.tgz and /dev/null differ diff --git a/retool/helm/retool/values.yaml b/retool/helm/retool/values.yaml index d031b412e..8b2ea41f1 100644 --- a/retool/helm/retool/values.yaml +++ b/retool/helm/retool/values.yaml @@ -19,7 +19,7 @@ retool: image: repository: tryretool/backend - tag: 3.12.2 + tag: 3.24.1 workflows: temporal: