diff --git a/rsts/deployment/configuration/auth_setup.rst b/rsts/deployment/configuration/auth_setup.rst index 5089510998..828b6ee9cb 100644 --- a/rsts/deployment/configuration/auth_setup.rst +++ b/rsts/deployment/configuration/auth_setup.rst 
@@ -126,81 +126,129 @@ Flyte supports connecting with external OIdC providers. Here are some examples f Apply Configuration ^^^^^^^^^^^^^^^^^^^ +.. tabs:: + + .. group-tab:: Helm (``flyte-binary`` chart) + + Edit your Helm values files and add the following :: + + auth: + enabled: true + oidc: + baseUrl: https://your.domain.com/oauth2/default + clientId: youroidcclientidfromIdP + clientSecret: yourIdPprovidedsecret + internal: + clientSecret: 'mypassword' + clientSecretHash: + authorizedUris: + - https://your.domain.com + + The ``mypassword`` is the password that Flyte will use to talk to itself. That is, even though Flyte is running as just one executable here, the data plane component of it is still treated as a separate entity and communication to the control plane portion is done over localhost authenticated with client credentials. The hash can be generated by running. + + .. prompt:: bash + + pip install bcrypt && python -c 'import bcrypt; import base64; print(base64.b64encode(bcrypt.hashpw("mypassword".encode("utf-8"), bcrypt.gensalt(6))))' + + Note that this configuration uses the internal authorization server. See the other tab for additional information on how to configure an external server (like Okta). -Store the `client_secret` in a k8s secret as follows: + .. group-tab:: Helm (``flyte`` & ``flyte-core`` charts) -.. prompt:: bash $ + #. Store the `client_secret` in a k8s secret as follows: - kubectl edit secret -n flyte flyte-admin-secrets + .. prompt:: bash $ -Add a new key under `stringData`: + kubectl edit secret -n flyte flyte-admin-secrets -.. code-block:: yaml + Add a new key under `stringData`: - stringData: - oidc_client_secret: - data: - ... + .. code-block:: yaml -Save and close your editor. + stringData: + oidc_client_secret: + data: + ... + + Save and close your editor. + + #. Edit FlyteAdmin config to add `client_id` and configure auth as follows: + + .. 
prompt:: bash $ + + kubectl edit configmap -n flyte flyte-admin-base-config + + Follow the inline comments to make the necessary changes: + + .. code-block:: yaml + + server: + ... + security: + secure: false + # 1. Enable Auth by turning useAuth to true + useAuth: true + ... + auth: + userAuth: + openId: + # 2. Put the URL of the OpenID Connect provider. + # baseUrl: https:///auth/realms/ # Uncomment for Keycloak and update with your installation host and realm name + # baseUrl: https://accounts.google.com # Uncomment for Google + baseUrl: https://dev-14186422.okta.com/oauth2/default # Okta with a custom Authorization Server + scopes: + - profile + - openid + # - offline_access # Uncomment if OIdC supports issuing refresh tokens. + # 3. Replace with the client ID created for Flyte. + clientId: 0oakkheteNjCMERst5d6 + authorizedUris: + # 4. Update with a public domain name (for non-sandbox deployments). + # - https://example.foobar.com + # Or uncomment this line for sandbox deployment + # - http://localhost:30081 + - http://flyteadmin:80 + - http://flyteadmin.flyte.svc.cluster.local:80 -Edit FlyteAdmin config to add `client_id` and configure auth as follows: + Save and exit your editor. -.. prompt:: bash $ + #. Replace the default `clientSecret` for `flytepropeller` using an encoded/hashed secret of your choice: - kubectl edit configmap -n flyte flyte-admin-base-config + .. prompt:: bash -Follow the inline comments to make the necessary changes: + pip install bcrypt && python -c 'import bcrypt; import base64; print(base64.b64encode(bcrypt.hashpw("mypassword".encode("utf-8"), bcrypt.gensalt(6))))' -.. code-block:: yaml + #. In the `values.yaml` file for the `flyte-core` release, find the following section and insert the encoded/hashed secret generated in the previous step: - server: - ... - security: - secure: false - # 1. Enable Auth by turning useAuth to true - useAuth: true - ... - auth: - userAuth: - openId: - # 2. Put the URL of the OpenID Connect provider. 
- # baseUrl: https:///auth/realms/ # Uncomment for Keycloak and update with your installation host and realm name - # baseUrl: https://accounts.google.com # Uncomment for Google - baseUrl: https://dev-14186422.okta.com/oauth2/default # Okta with a custom Authorization Server - scopes: - - profile - - openid - # - offline_access # Uncomment if OIdC supports issuing refresh tokens. - # 3. Replace with the client ID created for Flyte. - clientId: 0oakkheteNjCMERst5d6 - authorizedUris: - # 4. Update with a public domain name (for non-sandbox deployments). - # - https://example.foobar.com - # Or uncomment this line for sandbox deployment - # - http://localhost:30081 - - http://flyteadmin:80 - - http://flyteadmin.flyte.svc.cluster.local:80 + .. code-block:: yaml + + client_secret: + #. While in the same file, find the following section and replace `foobar` with the non-hashed/non-encoded version of the secret you used in step #3: -Save and exit your editor. + .. code-block:: yaml + + secrets: + adminOauthClientCredentials: + enabled: true + clientSecret: foobar + clientId: flytepropeller -Restart `flyteadmin` for the changes to take effect: + #. Restart `flyteadmin` for the changes to take effect: -.. prompt:: bash $ + .. prompt:: bash $ - kubectl rollout restart deployment/flyteadmin -n flyte + kubectl rollout restart deployment/flyteadmin -n flyte -Restart `flytepropeller` to start using authenticated requests: + #. Restart `flytepropeller` to start using authenticated requests: -.. prompt:: bash $ + .. prompt:: bash $ - kubectl rollout restart deployment/flytepropeller -n flyte + kubectl rollout restart deployment/flytepropeller -n flyte -Restart ``flytescheduler``` to start using authenticated requests: + #. Restart ``flytescheduler``` to start using authenticated requests: -.. prompt:: bash $ + .. prompt:: bash $ - kubectl rollout restart deployment/flytescheduler -n flyte + kubectl rollout restart deployment/flytescheduler -n flyte .. note::
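Review bot: the hash-generation one-liner used in both tabs prints a Python 3 bytes object, so the operator sees `b'JDJiJDA2...'` and, copying it verbatim into the config, ends up with a value (including the `b'` prefix and quotes) that will never match the client secret; decode before printing, e.g. `print(base64.b64encode(bcrypt.hashpw("mypassword".encode("utf-8"), bcrypt.gensalt(6))).decode("utf-8"))`. Related documentation gap: neither tab says where the output goes, and the two keys that are meant to receive it, `clientSecretHash:` in the ``flyte-binary`` values and `client_secret:` in the ``flyte-core`` values, are shown empty with no instruction to paste the hash there; add a sentence (or a placeholder such as `<paste hash here>`) so the step is actionable. Worth a sentence as well that `clientSecret: 'mypassword'` and `clientSecret: foobar` place the plaintext propeller client secret in a Helm values file, which is commonly committed to version control; the ``flyte-core`` step 1 already shows the k8s-secret pattern for `oidc_client_secret`, so point readers at the same approach here rather than inline plaintext. Style: the second bcrypt prompt uses `.. prompt:: bash` while every other prompt in the hunk uses `.. prompt:: bash $`, and the stray third backtick in ``flytescheduler``` is carried over from the removed line; fix both since the lines are being rewritten anyway.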