added bcrypt

Signed-off-by: Yee Hing Tong <[email protected]>
flyteorg · Jul 10, 2023 · 1a1d6cc · 1a1d6cc
1 parent 393e37a
commit 1a1d6cc
Showing 1 changed file with 100 additions and 52 deletions.
diff --git a/rsts/deployment/configuration/auth_setup.rst b/rsts/deployment/configuration/auth_setup.rst
@@ -126,81 +126,129 @@ Flyte supports connecting with external OIdC providers. Here are some examples f
 
 Apply Configuration
 ^^^^^^^^^^^^^^^^^^^
+.. tabs::
+
+   .. group-tab:: Helm (``flyte-binary`` chart)
+
+        Edit your Helm values files and add the following ::
+
+          auth:
+            enabled: true
+            oidc:
+              baseUrl: https://your.domain.com/oauth2/default
+              clientId: youroidcclientidfromIdP
+              clientSecret: yourIdPprovidedsecret
+            internal:
+              clientSecret: 'mypassword'
+              clientSecretHash: <hash of 'mypassword'>
+            authorizedUris:
+              - https://your.domain.com
+
+        The ``mypassword`` is the password that Flyte will use to talk to itself. That is, even though Flyte is running as just one executable here, the data plane component of it is still treated as a separate entity and communication to the control plane portion is done over localhost authenticated with client credentials. The hash can be generated by running.
+
+           .. prompt:: bash
+
+              pip install bcrypt && python -c 'import bcrypt; import base64; print(base64.b64encode(bcrypt.hashpw("mypassword".encode("utf-8"), bcrypt.gensalt(6))))'
+
+        Note that this configuration uses the internal authorization server. See the other tab for additional information on how to configure an external server (like Okta).
 
-Store the `client_secret` in a k8s secret as follows:
+   .. group-tab:: Helm (``flyte`` & ``flyte-core`` charts)
 
-.. prompt:: bash $
+        #. Store the `client_secret` in a k8s secret as follows:
 
-  kubectl edit secret -n flyte flyte-admin-secrets
+            .. prompt:: bash $
 
-Add a new key under `stringData`:
+              kubectl edit secret -n flyte flyte-admin-secrets
 
-.. code-block:: yaml
+            Add a new key under `stringData`:
 
-  stringData:
-    oidc_client_secret: <client_secret from the previous step>
-  data:
-    ...
+            .. code-block:: yaml
 
-Save and close your editor.
+              stringData:
+                oidc_client_secret: <client_secret from the previous step>
+              data:
+                ...
+
+            Save and close your editor.
+
+        #. Edit FlyteAdmin config to add `client_id` and configure auth as follows:
+
+            .. prompt:: bash $
+
+               kubectl edit configmap -n flyte flyte-admin-base-config
+
+            Follow the inline comments to make the necessary changes:
+
+            .. code-block:: yaml
+
+               server:
+                 ...
+                 security:
+                   secure: false
+                   # 1. Enable Auth by turning useAuth to true
+                   useAuth: true
+                   ...
+               auth:
+                 userAuth:
+                   openId:
+                     # 2. Put the URL of the OpenID Connect provider.
+                     #    baseUrl: https://<keycloak-url>/auth/realms/<keycloak-realm> # Uncomment for Keycloak and update with your installation host and realm name
+                     #    baseUrl: https://accounts.google.com # Uncomment for Google
+                     baseUrl: https://dev-14186422.okta.com/oauth2/default # Okta with a custom Authorization Server
+                     scopes:
+                       - profile
+                       - openid
+                       # - offline_access # Uncomment if OIdC supports issuing refresh tokens.
+                     # 3. Replace with the client ID created for Flyte.
+                     clientId: 0oakkheteNjCMERst5d6
+                 authorizedUris:
+                   # 4. Update with a public domain name (for non-sandbox deployments).
+                   # - https://example.foobar.com
+                   # Or uncomment this line for sandbox deployment
+                   # - http://localhost:30081
+                   - http://flyteadmin:80
+                   - http://flyteadmin.flyte.svc.cluster.local:80
 
-Edit FlyteAdmin config to add `client_id` and configure auth as follows:
+            Save and exit your editor.
 
-.. prompt:: bash $
+        #. Replace the default `clientSecret` for `flytepropeller` using an encoded/hashed secret of your choice:
 
-   kubectl edit configmap -n flyte flyte-admin-base-config
+           .. prompt:: bash
 
-Follow the inline comments to make the necessary changes:
+              pip install bcrypt && python -c 'import bcrypt; import base64; print(base64.b64encode(bcrypt.hashpw("mypassword".encode("utf-8"), bcrypt.gensalt(6))))'
 
-.. code-block:: yaml
+        #. In the `values.yaml` file for the `flyte-core` release, find the following section and insert the encoded/hashed secret generated in the previous step:
 
-   server:
-     ...
-     security:
-       secure: false
-       # 1. Enable Auth by turning useAuth to true
-       useAuth: true
-       ...
-   auth:
-     userAuth:
-       openId:
-         # 2. Put the URL of the OpenID Connect provider.
-         #    baseUrl: https://<keycloak-url>/auth/realms/<keycloak-realm> # Uncomment for Keycloak and update with your installation host and realm name
-         #    baseUrl: https://accounts.google.com # Uncomment for Google
-         baseUrl: https://dev-14186422.okta.com/oauth2/default # Okta with a custom Authorization Server
-         scopes:
-           - profile
-           - openid
-           # - offline_access # Uncomment if OIdC supports issuing refresh tokens.
-         # 3. Replace with the client ID created for Flyte.
-         clientId: 0oakkheteNjCMERst5d6
-     authorizedUris:
-       # 4. Update with a public domain name (for non-sandbox deployments).
-       # - https://example.foobar.com
-       # Or uncomment this line for sandbox deployment
-       # - http://localhost:30081
-       - http://flyteadmin:80
-       - http://flyteadmin.flyte.svc.cluster.local:80
+           .. code-block:: yaml
+              
+              client_secret: <your client secret hashed and base64 encoded>
+        #. While in the same file, find the following section and replace `foobar` with the non-hashed/non-encoded version of the secret you used in step #3:
 
-Save and exit your editor.
+           .. code-block:: yaml
+           
+              secrets:
+               adminOauthClientCredentials:
+                enabled: true
+                clientSecret: foobar
+                clientId: flytepropeller
 
-Restart `flyteadmin` for the changes to take effect:
+        #. Restart `flyteadmin` for the changes to take effect:
 
-.. prompt:: bash $
+           .. prompt:: bash $
 
-   kubectl rollout restart deployment/flyteadmin -n flyte
+              kubectl rollout restart deployment/flyteadmin -n flyte
 
-Restart `flytepropeller` to start using authenticated requests:
+        #. Restart `flytepropeller` to start using authenticated requests:
 
-.. prompt:: bash $
+           .. prompt:: bash $
 
-   kubectl rollout restart deployment/flytepropeller -n flyte
+              kubectl rollout restart deployment/flytepropeller -n flyte
 
-Restart ``flytescheduler``` to start using authenticated requests:
+        #. Restart ``flytescheduler``` to start using authenticated requests:
 
-.. prompt:: bash $
+           .. prompt:: bash $
 
-   kubectl rollout restart deployment/flytescheduler -n flyte
+              kubectl rollout restart deployment/flytescheduler -n flyte
 
 .. note::