Merge branch 'main' into yaroslav/queue-idl

Author: iaroslav-ciupin

charts/flyte-binary/README.md

@@ -150,6 +150,10 @@ Chart for basic single Flyte executable deployment
 | flyte-core-components.secret.kubernetes.timeout | string | `"30s"` |  |
 | flyteconnector.enabled | bool | `false` |  |
 | fullnameOverride | string | `""` |  |
+| ingress.apiJwtIngress.annotations | object | `{}` |  |
+| ingress.apiJwtIngress.enabled | bool | `false` |  |
+| ingress.apiJwtIngress.ingressClassName | string | `""` |  |
+| ingress.apiJwtIngress.tls | list | `[]` |  |
 | ingress.commonAnnotations | object | `{}` |  |
 | ingress.create | bool | `false` |  |
 | ingress.host | string | `""` |  |
@@ -161,6 +165,10 @@ Chart for basic single Flyte executable deployment
 | ingress.ingressClassName | string | `""` |  |
 | ingress.labels | object | `{}` |  |
 | ingress.tls | list | `[]` |  |
+| ingress.wellknownIngress.annotations | object | `{}` |  |
+| ingress.wellknownIngress.enabled | bool | `false` |  |
+| ingress.wellknownIngress.ingressClassName | string | `""` |  |
+| ingress.wellknownIngress.tls | list | `[]` |  |
 | nameOverride | string | `""` |  |
 | rbac.annotations | object | `{}` |  |
 | rbac.create | bool | `true` |  |

charts/flyte-binary/templates/_helpers.tpl

@@ -193,6 +193,22 @@ Get the Flyte API paths for ingress.
 - /flyteidl2.app.AppService/*
 - /flyteidl2.trigger.TriggerService
 - /flyteidl2.trigger.TriggerService/*
+- /flyteidl2.auth.IdentityService
+- /flyteidl2.auth.IdentityService/*
+- /flyteidl2.settings.SettingsService
+- /flyteidl2.settings.SettingsService/*
+{{- end -}}
+
+{{/*
+Get the Flyte auth-discovery paths for ingress. These are unauthenticated:
+clients must reach them before they hold a token (OAuth server metadata and the
+auth metadata service). IdentityService and SettingsService require auth and live
+in apiPaths instead.
+*/}}
+{{- define "flyte-binary.ingress.wellknownPaths" -}}
+- /.well-known/oauth-authorization-server
+- /flyteidl2.auth.AuthMetadataService
+- /flyteidl2.auth.AuthMetadataService/*
 {{- end -}}
 
 {{/*

charts/flyte-binary/templates/clusterrole.yaml

@@ -90,6 +90,27 @@ rules:
       - patch
       - update
       - watch
+  {{- if dig "inline" "internalApps" "enabled" false (.Values.configuration | default dict) }}
+  # Knative Serving access for the data-plane app controller, added automatically
+  # when apps are enabled (configuration.inline.internalApps.enabled) so operators
+  # don't have to hand-maintain rbac.extraRules. The controller creates and watches
+  # KServices and deletes their Revisions when an app is stopped.
+  - apiGroups:
+      - serving.knative.dev
+    resources:
+      - services
+      - revisions
+      - configurations
+      - routes
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  {{- end }}
   {{- if .Values.rbac.extraRules }}
   {{- toYaml .Values.rbac.extraRules | nindent 2 }}
   {{- end }}

charts/flyte-binary/templates/ingress/api-jwt.yaml

@@ -0,0 +1,58 @@
+{{- if and .Values.ingress.create .Values.ingress.apiJwtIngress.enabled }}
+{{- $paths := (include "flyte-binary.ingress.apiPaths" .) | fromYamlArray }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "flyte-binary.fullname" . }}-api-jwt
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "flyte-binary.labels" . | nindent 4 }}
+    {{- if .Values.commonLabels }}
+    {{- tpl ( .Values.commonLabels | toYaml ) . | nindent 4 }}
+    {{- end }}
+    {{- if .Values.ingress.labels }}
+    {{- tpl ( .Values.ingress.labels | toYaml ) . | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- if .Values.commonAnnotations }}
+    {{- tpl ( .Values.commonAnnotations | toYaml ) . | nindent 4 }}
+    {{- end }}
+    {{- if .Values.ingress.commonAnnotations }}
+    {{- tpl ( .Values.ingress.commonAnnotations | toYaml ) . | nindent 4 }}
+    {{- end }}
+    {{- if .Values.ingress.apiJwtIngress.annotations }}
+    {{- tpl ( .Values.ingress.apiJwtIngress.annotations | toYaml ) . | nindent 4 }}
+    {{- end }}
+spec:
+  {{- if .Values.ingress.apiJwtIngress.ingressClassName }}
+  ingressClassName: {{ .Values.ingress.apiJwtIngress.ingressClassName | quote }}
+  {{- else if .Values.ingress.ingressClassName }}
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
+  {{- end }}
+  {{- if .Values.ingress.apiJwtIngress.tls }}
+  tls: {{- tpl ( .Values.ingress.apiJwtIngress.tls | toYaml ) . | nindent 2 }}
+  {{- else if .Values.ingress.tls }}
+  tls: {{- tpl ( .Values.ingress.tls | toYaml ) . | nindent 2 }}
+  {{- end }}
+  rules:
+  - http:
+      paths:
+      {{- range $path := $paths }}
+        - path: {{ $path }}
+          {{- if semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion }}
+          pathType: ImplementationSpecific
+          {{- end }}
+          backend:
+            {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+            service:
+              name: {{ include "flyte-binary.service.http.name" $ }}
+              port:
+                number: {{ include "flyte-binary.service.http.port" $ }}
+            {{- else }}
+            serviceName: {{ include "flyte-binary.service.http.name" $ }}
+            servicePort: {{ include "flyte-binary.service.http.port" $ }}
+            {{- end }}
+      {{- end }}
+    {{- if .Values.ingress.host }}
+    host: {{ tpl .Values.ingress.host . | quote }}
+    {{- end }}
+{{- end }}

charts/flyte-binary/templates/ingress/wellknown.yaml

@@ -0,0 +1,58 @@
+{{- if and .Values.ingress.create .Values.ingress.wellknownIngress.enabled }}
+{{- $paths := (include "flyte-binary.ingress.wellknownPaths" .) | fromYamlArray }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "flyte-binary.fullname" . }}-wellknown
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "flyte-binary.labels" . | nindent 4 }}
+    {{- if .Values.commonLabels }}
+    {{- tpl ( .Values.commonLabels | toYaml ) . | nindent 4 }}
+    {{- end }}
+    {{- if .Values.ingress.labels }}
+    {{- tpl ( .Values.ingress.labels | toYaml ) . | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- if .Values.commonAnnotations }}
+    {{- tpl ( .Values.commonAnnotations | toYaml ) . | nindent 4 }}
+    {{- end }}
+    {{- if .Values.ingress.commonAnnotations }}
+    {{- tpl ( .Values.ingress.commonAnnotations | toYaml ) . | nindent 4 }}
+    {{- end }}
+    {{- if .Values.ingress.wellknownIngress.annotations }}
+    {{- tpl ( .Values.ingress.wellknownIngress.annotations | toYaml ) . | nindent 4 }}
+    {{- end }}
+spec:
+  {{- if .Values.ingress.wellknownIngress.ingressClassName }}
+  ingressClassName: {{ .Values.ingress.wellknownIngress.ingressClassName | quote }}
+  {{- else if .Values.ingress.ingressClassName }}
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
+  {{- end }}
+  {{- if .Values.ingress.wellknownIngress.tls }}
+  tls: {{- tpl ( .Values.ingress.wellknownIngress.tls | toYaml ) . | nindent 2 }}
+  {{- else if .Values.ingress.tls }}
+  tls: {{- tpl ( .Values.ingress.tls | toYaml ) . | nindent 2 }}
+  {{- end }}
+  rules:
+  - http:
+      paths:
+      {{- range $path := $paths }}
+        - path: {{ $path }}
+          {{- if semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion }}
+          pathType: ImplementationSpecific
+          {{- end }}
+          backend:
+            {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+            service:
+              name: {{ include "flyte-binary.service.http.name" $ }}
+              port:
+                number: {{ include "flyte-binary.service.http.port" $ }}
+            {{- else }}
+            serviceName: {{ include "flyte-binary.service.http.name" $ }}
+            servicePort: {{ include "flyte-binary.service.http.port" $ }}
+            {{- end }}
+      {{- end }}
+    {{- if .Values.ingress.host }}
+    host: {{ tpl .Values.ingress.host . | quote }}
+    {{- end }}
+{{- end }}

charts/flyte-binary/values.yaml

@@ -401,6 +401,36 @@ ingress:
   httpExtraPaths:
     prepend: []
     append: []
+  # apiJwtIngress Optional separate ingress that JWT-validates the flyteidl2 API
+  # paths for requests carrying an `Authorization: Bearer` token (SDK/machine
+  # clients). Needed on controllers like AWS ALB where a single ingress cannot
+  # combine cookie-OIDC (browser) and JWT (token) auth. It renders the shared API
+  # paths backed by the http service; supply the controller/JWT config (e.g. ALB
+  # cert-arn, jwt-validation, the `Authorization: Bearer*` match condition, and a
+  # group.order lower than the http ingress (but higher than the wellknown ingress)) via `annotations`.
+  apiJwtIngress:
+    # enabled Create the JWT (Bearer) API ingress
+    enabled: false
+    # annotations Annotations for the JWT API ingress (controller/JWT config)
+    annotations: {}
+    # ingressClassName Ingress class for the JWT API ingress. Overrides `ingressClassName`
+    ingressClassName: ""
+    # tls Add TLS configuration to the JWT API ingress. Overrides `tls`
+    tls: []
+  # wellknownIngress Optional separate ingress for the unauthenticated
+  # auth-discovery endpoints (`/.well-known/oauth-authorization-server`,
+  # AuthMetadataService) — clients must reach these before they hold a token. Give it the highest controller precedence
+  # (e.g. ALB group.order lower than the JWT/http ingresses) so these paths bypass
+  # auth. Supply controller config via `annotations`.
+  wellknownIngress:
+    # enabled Create the unauthenticated auth-discovery ingress
+    enabled: false
+    # annotations Annotations for the auth-discovery ingress (controller config)
+    annotations: {}
+    # ingressClassName Ingress class for the auth-discovery ingress. Overrides `ingressClassName`
+    ingressClassName: ""
+    # tls Add TLS configuration to the auth-discovery ingress. Overrides `tls`
+    tls: []
 
 # rbac Configure Kubernetes RBAC for Flyte
 rbac:

flyteidl2/app/app_definition.proto

@@ -118,6 +118,10 @@ message Condition {
 
   // Actor is the principal that caused the condition.
   common.EnrichedIdentity actor = 5;
+
+  // Finer-grained substate qualifying deployment_status (e.g. FAILED + IMAGE_PULL_ERROR).
+  // Human-readable detail for a failure is carried in the existing `message` field.
+  Status.Substate substate = 6;
 }
 
 // Represents the status of an app.
@@ -150,6 +154,25 @@ message Status {
     DEPLOYMENT_STATUS_DEPLOYING = 10;
   }
 
+  // Finer-grained substate that qualifies a DeploymentStatus, surfaced on a Condition.
+  enum Substate {
+    SUBSTATE_UNSPECIFIED = 0;
+    // The container image is being pulled.
+    PULLING_IMAGE = 1;
+    // The container is starting up.
+    INITIALIZING = 2;
+    // The Knative admission webhook rejected the revision.
+    WEBHOOK_ERROR = 3;
+    // The container image could not be pulled.
+    IMAGE_PULL_ERROR = 4;
+    // A referenced secret could not be mounted.
+    SECRET_MOUNT_ERROR = 5;
+    // The container is repeatedly crashing on startup.
+    CRASH_LOOP = 6;
+    // The container was killed for exceeding its memory limit.
+    OOM_KILLED = 7;
+  }
+
   // Current number of replicas.
   uint32 current_replicas = 2 [(buf.validate.field).uint32.gte = 0];