Migrating Your Authentication Config#
Flyte previously shipped with only a barebones OIDC setup, and relied on an external authorization server. This migration guide helps you move to Admin’s own authorization server.
Using Okta as an example, you would have previously seen something like the following:
Okta Config changes#
An Application (OpenID Connect Web) for FlyteAdmin itself (e.g. 0oal5rch46pVhCGF45d6).
An Application (OpenID Native app) for Flyte-cli/FlyteCTL (e.g. 0oal62nxuD6OSFSRq5d6). These two applications would be assigned to the relevant users.
An Application (Web) for FlytePropeller (e.g. 0abc5rch46pVhCGF9876). This application would either use the default Authorization server, or you would create a new one.
Admin Config Changes#
server: # ... other settings security: secure: false useAuth: true allowCors: true allowedOrigins: - "*" allowedHeaders: - "Content-Type" oauth: baseUrl: https://dev-62129345.okta.com/oauth2/default/ scopes: - profile - openid - email claims: iss: https://dev-62129345.okta.com/oauth2/default aud: 0oal5rch46pVhCGF45d6 clientId: 0oal5rch46pVhCGF45d6 clientSecretFile: "/Users/ytong/etc/secrets/oauth/secret" authorizeUrl: "https://dev-62129345.okta.com/oauth2/default/v1/authorize" tokenUrl: "https://dev-62129345.okta.com/oauth2/default/v1/token" callbackUrl: "http://localhost:8088/callback" cookieHashKeyFile: "/Users/ytong/etc/secrets/hashkey/hashkey" cookieBlockKeyFile: "/Users/ytong/etc/secrets/blockkey/blockkey" redirectUrl: "/api/v1/projects" thirdPartyConfig: flyteClient: clientId: 0oal62nxuD6OSFSRq5d6 redirectUri: http://localhost:12345/callback
After version 0.13.0 of the platform, you can still use the IdP as the Authorization Server if you wish. That configuration would now become:
server: # ... other settings security: secure: false useAuth: true allowCors: true allowedOrigins: - "*" allowedHeaders: - "Content-Type" auth: authorizedUris: # This should point at your public http Uri. - https://flyte.mycompany.com # This will be used by internal services in the same namespace as flyteadmin - http://flyteadmin:80 # This will be used by internal services in the same cluster but different namespaces - http://flyteadmin.flyte.svc.cluster.local:80 userAuth: openId: # Put the URL of the OpenID Connect provider. baseUrl: https://dev-62129345.okta.com/oauth2/default # Okta with a custom Authorization Server scopes: - profile - openid - offline_access # Uncomment if OIdC supports issuing refresh tokens. # Replace with the client id created for Flyte. clientId: 0oal5rch46pVhCGF45d6 appAuth: # External delegates app auth responsibilities to an external authorization server, Internal means FlyteAdmin does it itself authServerType: External thirdPartyConfig: flyteClient: clientId: 0oal62nxuD6OSFSRq5d6 redirectUri: http://localhost:12345/callback scopes: - all - offline
The original oauth section has been moved two levels higher into its own section and renamed auth but enabling/disabling of authentication remains in the old location.
Secrets by default will now be looked up in /etc/secrets. Use the following command to generate them:
flyteadmin secrets init -p /etc/secrets
This will generate the new cookie hash/block keys, as well as other secrets Admin needs to run the Authorization server.
The clientSecretFile has been moved to /etc/secrets/oidc_client_secret so move that there.
claims has been removed, just delete that.
authorizeUrl and tokenUrl are no longer necessary.
The baseUrl for the external Authorization Server is now in the appAuth section.
The thirdPartyConfig has been moved to appAuth as well.
redirectUrl has been defaulted to /console. If that’s the value you want, then you no longer need this setting.
Propeller Config Changes#
You might have a configuration section that looks like this:
admin: endpoint: dns:///mycompany.domain.com useAuth: true clientId: flytepropeller clientSecretLocation: /etc/secrets/client_secret tokenUrl: https://demo.nuclyde.io/oauth2/token scopes: - all
This can now be simplified to:
admin: endpoint: dns:///mycompany.domain.com # If you are using the built-in authorization server, you can delete the following two lines: clientId: flytepropeller clientSecretLocation: /etc/secrets/client_secret
useAuth is deprecated and will be removed in a future version. Auth requirement will be discovered through an anonymous admin discovery call.
tokenUrl and scopes will also be discovered through a metadata call.
clientId and clientSecretLocation have defaults that work out of the box with the built-in authorization server (e.g. if you setup Google OpenID Connect).
Flyte-cli Config Changes#
You need these two configs set:
FLYTE_PLATFORM_HTTP_URL=http://localhost:8088 FLYTE_CREDENTIALS_CLIENT_ID=0oal62nxuD6OSFSRq5d6 flyte-cli ...
FLYTE_PLATFORM_HTTP_URL is used because flyte-cli uses only gRPC to communicate with Admin. It needs to know the HTTP port (which Admin hosts on a different port because of limitations of the grpc-gateway library). flyte-cli uses this setting to talk to /.well-known/oauth-authorization-server to retrieve information regarding the auth endpoints . Previously this redirected to the Okta Authorization Server’s metadata endpoint. With this change, Admin now hosts its own (even if still using the external Authorization Service).