Add identity injection and header forwarding for selfhosted deployments#250
Closed
mhotan wants to merge 3 commits into mike/selfhosted-auth from
Conversation
This was referenced Feb 22, 2026
28ee7df to 0fa2cc2
b3c9d83 to ee5c015
f0d9c7a to af9a340
Adds commented-out identity injection config that maps OAuth/OIDC claims to pod annotations and environment variables. Uses YAML anchors to define the mapping once and reference it for both flyteadmin and executions configmaps. Includes a new selfhosted-intracluster test with generated golden file so reviewers can inspect the rendered configmap output. Co-Authored-By: Claude Opus 4.6 <[email protected]>
Add comments explaining that identity injection reads from the access token, not the ID token. Many IdPs (e.g. Okta) require explicit authorization server configuration to include claims like preferred_username in access tokens. Co-Authored-By: Claude Opus 4.6 <[email protected]>
The V2 UI authenticates via cookies (credentials: 'include'), not Authorization headers. Nginx validates auth by calling /me, which returns X-User-Subject in response headers, but auth-response-headers only forwarded Set-Cookie — identity headers were silently dropped. This caused ResolveCallerSubject to return empty, resulting in "Unknown Owner" for all V2 UI-initiated runs (FAB-92). Co-Authored-By: Claude Opus 4.6 <[email protected]>
04fb019 to e454af1
af9a340 to 6355b74
Summary
Adds identity injection configuration and auth header forwarding for self-hosted deployments.
- _identityInjection YAML anchor with default claim-to-annotation/env-var mappings for both AWS and GCP selfhosted values
- Identity headers (X-User-Subject, X-User-Claim-Identitytype, X-User-Claim-Preferred-Username) from the /me auth subrequest forwarded to upstream services via the auth-response-headers annotation
Identity injection mappings (commented out, opt-in)
- preferred_username → union.ai/created-by annotation
- email → union.ai/user-email annotation
- sub → UNION_USER_SUBJECT env var
- preferred_username → UNION_USER_EMAIL env var
Related PRs
Test plan
- helm template renders correctly
- X-User-* headers are forwarded through nginx to upstream services
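The two failure modes this PR documents (a claim that is present in the ID token but absent from the access token, and an identity header that the /me subrequest returns but nginx never copies to the upstream request) can both be checked offline before rolling the values out. The script below is an added example, not code from this PR or from the Flyte/Union project: the claim mappings and header names are those listed in the summary; jwt_payload, missing_claims, render_injection, forwarded_headers, make_token and the resolve_caller_subject stand-in are hypothetical helpers; the tokens and the /me response are constructed; and forwarded_headers only models the documented behaviour of the ingress-nginx auth-response-headers annotation (listed headers from the auth subrequest response are copied onto the upstream request, everything else is dropped).

```python
import base64
import json

# Claim-to-target mappings from the PR summary (pod annotations and env vars).
CLAIM_TO_ANNOTATION = {
    "preferred_username": "union.ai/created-by",
    "email": "union.ai/user-email",
}
CLAIM_TO_ENV = {
    "sub": "UNION_USER_SUBJECT",
    "preferred_username": "UNION_USER_EMAIL",
}

# Headers the /me subrequest returns and that must reach upstream services.
IDENTITY_HEADERS = [
    "X-User-Subject",
    "X-User-Claim-Identitytype",
    "X-User-Claim-Preferred-Username",
]


def jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT without verifying it.
    Inspection only: the token must come from a verified source before
    any claim in it is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def missing_claims(access_token: str) -> list:
    """Mapped claims that the ACCESS token (not the ID token) does not carry.
    Anything listed here renders as an absent annotation/env var."""
    claims = jwt_payload(access_token)
    wanted = sorted(set(CLAIM_TO_ANNOTATION) | set(CLAIM_TO_ENV))
    return [c for c in wanted if c not in claims]


def render_injection(access_token: str) -> tuple:
    """Apply the mappings; missing claims are skipped rather than injected empty."""
    claims = jwt_payload(access_token)
    annotations = {a: claims[c] for c, a in CLAIM_TO_ANNOTATION.items() if c in claims}
    env = {e: claims[c] for c, e in CLAIM_TO_ENV.items() if c in claims}
    return annotations, env


def forwarded_headers(auth_response_headers: str, me_response: dict) -> dict:
    """Model of ingress-nginx auth-response-headers: only the comma-separated
    header names listed in the annotation are copied from the auth subrequest
    response to the upstream request (case-insensitive match)."""
    allowed = {h.strip().lower() for h in auth_response_headers.split(",") if h.strip()}
    return {k: v for k, v in me_response.items() if k.lower() in allowed}


def resolve_caller_subject(upstream_headers: dict) -> str:
    """Hypothetical stand-in for ResolveCallerSubject: "" means Unknown Owner."""
    for k, v in upstream_headers.items():
        if k.lower() == "x-user-subject":
            return v
    return ""


def make_token(payload: dict) -> str:
    """Constructed, unsigned demo token (alg none, empty signature segment)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(payload)}."


# Constructed sample tokens: the ID token carries the profile claims, the
# access token from an unconfigured authorization server carries only sub.
ID_TOKEN = make_token({"sub": "00u1abc", "preferred_username": "alice@example.com",
                       "email": "alice@example.com"})
ACCESS_TOKEN_DEFAULT = make_token({"sub": "00u1abc", "scp": ["openid"]})
ACCESS_TOKEN_CONFIGURED = make_token({"sub": "00u1abc", "preferred_username": "alice@example.com",
                                      "email": "alice@example.com"})

# Constructed /me response as nginx's auth subrequest would see it.
ME_RESPONSE = {
    "Set-Cookie": "session=...; HttpOnly; Secure",
    "X-User-Subject": "00u1abc",
    "X-User-Claim-Identitytype": "user",
    "X-User-Claim-Preferred-Username": "alice@example.com",
}
AUTH_RESPONSE_HEADERS_BEFORE = "Set-Cookie"
AUTH_RESPONSE_HEADERS_AFTER = "Set-Cookie, " + ", ".join(IDENTITY_HEADERS)

if __name__ == "__main__":
    print("missing from default access token:", missing_claims(ACCESS_TOKEN_DEFAULT))
    print("rendered from configured token:", render_injection(ACCESS_TOKEN_CONFIGURED))
    for label, ann in (("before", AUTH_RESPONSE_HEADERS_BEFORE), ("after", AUTH_RESPONSE_HEADERS_AFTER)):
        subject = resolve_caller_subject(forwarded_headers(ann, ME_RESPONSE))
        print(f"caller subject {label} fix: {subject!r}")
```

Run it against a real access token captured from your IdP (paste the token in place of ACCESS_TOKEN_DEFAULT) to see which mapped claims will silently not be injected; if preferred_username is listed, the authorization server needs to be configured to add it to access tokens, as the second commit message notes. The before/after annotation strings show why only Set-Cookie in auth-response-headers yields an empty subject and therefore "Unknown Owner".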