Consolidate selfhosted auth config: globals, scopes, Entra ID support (FAB-178)

charts/controlplane/templates/authz/configmap.yaml

@@ -1,4 +1,4 @@
-{{- if eq ((index .Values "services" "authorizer" "configMap" "authorizer" "type") | default "") "UserClouds" -}}
+{{- if or (eq ((index .Values "services" "authorizer" "configMap" "authorizer" "type") | default "") "Union") (eq ((index .Values "services" "authorizer" "configMap" "authorizer" "type") | default "") "UserClouds") -}}
 apiVersion: v1
 kind: ConfigMap
 metadata:

charts/controlplane/templates/authz/deployment.yaml

@@ -1,4 +1,4 @@
-{{- if eq ((index .Values "services" "authorizer" "configMap" "authorizer" "type") | default "") "UserClouds" -}}
+{{- if or (eq ((index .Values "services" "authorizer" "configMap" "authorizer" "type") | default "") "Union") (eq ((index .Values "services" "authorizer" "configMap" "authorizer" "type") | default "") "UserClouds") -}}
 apiVersion: apps/v1
 kind: Deployment
 metadata:

charts/controlplane/templates/authz/hpa.yaml

@@ -1,4 +1,4 @@
-{{- if and (eq ((index .Values "services" "authorizer" "configMap" "authorizer" "type") | default "") "UserClouds") .Values.union.authz.autoscaling.enabled }}
+{{- if and (or (eq ((index .Values "services" "authorizer" "configMap" "authorizer" "type") | default "") "Union") (eq ((index .Values "services" "authorizer" "configMap" "authorizer" "type") | default "") "UserClouds")) .Values.union.authz.autoscaling.enabled }}
 apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:

charts/controlplane/templates/authz/networkpolicy.yaml

@@ -1,4 +1,4 @@
-{{- if and (eq ((index .Values "services" "authorizer" "configMap" "authorizer" "type") | default "") "UserClouds") .Values.union.authz.networkPolicy.enabled }}
+{{- if and (or (eq ((index .Values "services" "authorizer" "configMap" "authorizer" "type") | default "") "Union") (eq ((index .Values "services" "authorizer" "configMap" "authorizer" "type") | default "") "UserClouds")) .Values.union.authz.networkPolicy.enabled }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:

charts/controlplane/templates/authz/pdb.yaml

@@ -1,4 +1,4 @@
-{{- if and (eq ((index .Values "services" "authorizer" "configMap" "authorizer" "type") | default "") "UserClouds") .Values.union.authz.pdb.enabled }}
+{{- if and (or (eq ((index .Values "services" "authorizer" "configMap" "authorizer" "type") | default "") "Union") (eq ((index .Values "services" "authorizer" "configMap" "authorizer" "type") | default "") "UserClouds")) .Values.union.authz.pdb.enabled }}
 apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:

charts/controlplane/templates/authz/rbac.yaml

@@ -1,4 +1,4 @@
-{{- if and (eq ((index .Values "services" "authorizer" "configMap" "authorizer" "type") | default "") "UserClouds") .Values.union.authz.serviceAccount.create -}}
+{{- if and (or (eq ((index .Values "services" "authorizer" "configMap" "authorizer" "type") | default "") "Union") (eq ((index .Values "services" "authorizer" "configMap" "authorizer" "type") | default "") "UserClouds")) .Values.union.authz.serviceAccount.create -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:

charts/controlplane/templates/authz/service.yaml

@@ -1,4 +1,4 @@
-{{- if eq ((index .Values "services" "authorizer" "configMap" "authorizer" "type") | default "") "UserClouds" -}}
+{{- if or (eq ((index .Values "services" "authorizer" "configMap" "authorizer" "type") | default "") "Union") (eq ((index .Values "services" "authorizer" "configMap" "authorizer" "type") | default "") "UserClouds") -}}
 apiVersion: v1
 kind: Service
 metadata:

charts/controlplane/templates/authz/serviceaccount.yaml

@@ -1,4 +1,4 @@
-{{- if and (eq ((index .Values "services" "authorizer" "configMap" "authorizer" "type") | default "") "UserClouds") .Values.union.authz.serviceAccount.create -}}
+{{- if and (or (eq ((index .Values "services" "authorizer" "configMap" "authorizer" "type") | default "") "Union") (eq ((index .Values "services" "authorizer" "configMap" "authorizer" "type") | default "") "UserClouds")) .Values.union.authz.serviceAccount.create -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:

charts/controlplane/values.aws.selfhosted-intracluster.yaml

@@ -108,20 +108,12 @@ global:
   DATAPLANE_ENDPOINT: ""
 
   # --- Authentication Configuration ---
-  # Set all values below to enable OIDC authentication.
-  # Supports any OAuth2/OIDC provider (Okta, Azure AD, Auth0, Keycloak, etc.)
-  #
-  # OIDC issuer URL
-  # Example: "https://dev-123456.okta.com/oauth2/default"
-  OIDC_BASE_URL: ""
-  # Flyteadmin OIDC client ID for browser login flow
-  # Example: "0oa1abc2def3ghi4j5k6"
-  OIDC_CLIENT_ID: ""
-  # CLI client ID for flytectl / uctl (public OAuth app, PKCE flow)
-  # Example: "0oa7mno8pqr9stu0v1w2"
-  CLI_CLIENT_ID: ""
-  # INTERNAL_CLIENT_ID and AUTH_TOKEN_URL are defined in the base values.yaml.
-  # Set them in your environment-specific overlay (Terraform-generated values).
+  # All OIDC/OAuth2 globals are defined in the base values.yaml with documentation.
+  # Set them in your environment-specific values overlay generated by Terraform.
+  # INTERNAL_CLIENT_ID and AUTH_TOKEN_URL are also in the base values.yaml.
+  # Set them in your environment-specific values overlay.
+  # INTERNAL_CLIENT_ID: OAuth2 client ID for service-to-service calls (client_credentials).
+  # AUTH_TOKEN_URL: Token endpoint for service-to-service authentication.
 
 # ----------------------------------------------------------------------------
 # SECTION 2: Image Tag Overrides
@@ -267,36 +259,8 @@ flyte:
           # Subject to removal in the future
           singleTenantOrgID: '{{ .Values.global.UNION_ORG }}'
 
-      # --- OIDC Authentication ---
-      # To enable authentication, set server.security.useAuth: true
-      # and configure the auth globals in Section 1 above.
-      # server:
-      #   security:
-      #     useAuth: true
-      auth:
-        httpAuthorizationHeader: "flyte-authorization"
-        grpcAuthorizationHeader: "flyte-authorization"
-        authorizedUris:
-          - "http://flyteadmin:80"
-          - 'http://flyteadmin.{{ .Release.Namespace }}.svc.cluster.local:80'
-        appAuth:
-          authServerType: "External"
-          externalAuthServer:
-            baseUrl: '{{ .Values.global.OIDC_BASE_URL }}'
-          thirdPartyConfig:
-            flyteClient:
-              clientId: '{{ .Values.global.CLI_CLIENT_ID }}'
-              redirectUri: "http://localhost:53593/callback"
-              scopes: ["all"]
-        userAuth:
-          openId:
-            baseUrl: '{{ .Values.global.OIDC_BASE_URL }}'
-            clientId: '{{ .Values.global.OIDC_CLIENT_ID }}'
-            scopes: ["profile", "openid", "offline_access"]
-          cookieSetting:
-            sameSitePolicy: "LaxMode"
-            domain: ""
-          idpQueryParameter: "idp"
+      # adminServer.auth is now fully configured in the base values.yaml
+      # using globals. No overlay-specific auth config needed.
 
   # Enable scheduler auth secret mount so flyte-secret-auth is mounted at /etc/secrets/.
   # Set clientSecret: null so the subchart does NOT create the secret — it must be
@@ -364,10 +328,22 @@ ingress:
         - "{{ .Values.global.CONTROLPLANE_INTRA_CLUSTER_HOST }}"
       secretName: "{{ .Values.global.TLS_SECRET_NAME }}"
 
+  # --- Ingress Annotations (shared across all ingress objects) ---
+  annotations:
+    # Allow the nginx controller's internal DNS to match ingress rules so that
+    # intra-cluster traffic (DP → CP via nginx service DNS) is routed through
+    # the same auth subrequest as external traffic. Without this, the :authority
+    # header won't match the ingress host and auth is bypassed.
+    nginx.ingress.kubernetes.io/server-alias: "{{ .Values.global.CONTROLPLANE_INTRA_CLUSTER_HOST }}"
+
   # --- Protected Ingress Auth Annotations ---
   # These configure nginx to validate requests via flyteadmin's /me endpoint
   # and redirect unauthenticated users to /login for the OIDC flow.
   # Active when OIDC authentication is enabled (server.security.useAuth: true).
+  #
+  # All protected endpoints use "https://$host/me" so the auth subrequest goes
+  # through nginx itself. This ensures verifyClaims runs on the access token,
+  # which resolves identitytype for all callers (browser, CLI, service-to-service).
   protectedIngressAnnotations:
     nginx.ingress.kubernetes.io/auth-url: "https://$host/me"
     nginx.ingress.kubernetes.io/auth-signin: "https://$host/login?redirect_url=$escaped_request_uri"
@@ -482,23 +458,6 @@ services:
         # Connect to dataplane ingress controller
         secureTunnelTenantURLPattern: '{{ .Values.global.DATAPLANE_ENDPOINT }}'
 
-  # Executions service configuration
-  executions:
-    configMap:
-      executions:
-        app:
-          adminClient:
-            connection:
-              # Flyteadmin endpoint for executions service
-              endpoint: '{{ .Values.global.FLYTEADMIN_ENDPOINT }}'
-              insecure: true
-              # --- Auth fields (active when OIDC is enabled) ---
-              authorizationHeader: "flyte-authorization"
-              clientId: '{{ .Values.global.INTERNAL_CLIENT_ID }}'
-              clientSecretLocation: "/etc/secrets/union/client_secret"
-              tokenUrl: '{{ .Values.global.AUTH_TOKEN_URL }}'
-              scopes: ["all"]
-
 # ----------------------------------------------------------------------------
 # Monitoring Configuration (AWS/EKS specific)
 # ----------------------------------------------------------------------------

charts/controlplane/values.gcp.selfhosted-intracluster.yaml

@@ -116,20 +116,10 @@ global:
   IMAGE_REPOSITORY_PREFIX: "registry.unionai.cloud/controlplane"
 
   # --- Authentication Configuration ---
-  # Set all values below to enable OIDC authentication.
-  # Supports any OAuth2/OIDC-compliant identity provider.
-  #
-  # OIDC issuer URL
-  # Example: "https://login.example.com/oauth2/default"
-  OIDC_BASE_URL: ""
-  # Flyteadmin OIDC client ID for browser login flow
-  # Example: "0oa1abc2def3ghi4j5k6"
-  OIDC_CLIENT_ID: ""
-  # CLI client ID for flytectl / uctl (public OAuth app, PKCE flow)
-  # Example: "0oa7mno8pqr9stu0v1w2"
-  CLI_CLIENT_ID: ""
-  # INTERNAL_CLIENT_ID and AUTH_TOKEN_URL are defined in the base values.yaml.
-  # Set them in your environment-specific overlay (Terraform-generated values).
+  # All OIDC/OAuth2 globals are defined in the base values.yaml with documentation.
+  # Set them in your environment-specific values overlay generated by Terraform.
+  # INTERNAL_CLIENT_ID and AUTH_TOKEN_URL are also in the base values.yaml.
+  # AUTH_TOKEN_URL: Token endpoint for service-to-service authentication.
 
 # ----------------------------------------------------------------------------
 # SECTION 2: Image Tag Overrides
@@ -297,36 +287,8 @@ flyte:
           # Subject to removal in the future
           singleTenantOrgID: '{{ .Values.global.UNION_ORG }}'
 
-      # --- OIDC Authentication ---
-      # To enable authentication, set server.security.useAuth: true
-      # and configure the auth globals in Section 1 above.
-      # server:
-      #   security:
-      #     useAuth: true
-      auth:
-        httpAuthorizationHeader: "flyte-authorization"
-        grpcAuthorizationHeader: "flyte-authorization"
-        authorizedUris:
-          - "http://flyteadmin:80"
-          - 'http://flyteadmin.{{ .Release.Namespace }}.svc.cluster.local:80'
-        appAuth:
-          authServerType: "External"
-          externalAuthServer:
-            baseUrl: '{{ .Values.global.OIDC_BASE_URL }}'
-          thirdPartyConfig:
-            flyteClient:
-              clientId: '{{ .Values.global.CLI_CLIENT_ID }}'
-              redirectUri: "http://localhost:53593/callback"
-              scopes: ["all"]
-        userAuth:
-          openId:
-            baseUrl: '{{ .Values.global.OIDC_BASE_URL }}'
-            clientId: '{{ .Values.global.OIDC_CLIENT_ID }}'
-            scopes: ["profile", "openid", "offline_access"]
-          cookieSetting:
-            sameSitePolicy: "LaxMode"
-            domain: ""
-          idpQueryParameter: "idp"
+      # adminServer.auth is now fully configured in the base values.yaml
+      # using globals. No overlay-specific auth config needed.
 
   # Enable scheduler auth secret mount so flyte-secret-auth is mounted at /etc/secrets/.
   # Set clientSecret: "placeholder" so the subchart renders the secret — it must be
@@ -394,7 +356,14 @@ ingress:
         - "{{ .Values.global.CONTROLPLANE_INTRA_CLUSTER_HOST }}"
       secretName: "{{ .Values.global.TLS_SECRET_NAME }}"
 
-  # Protected ingress auth annotations are now defined in the base values.yaml.
+  # --- Ingress Annotations (shared across all ingress objects) ---
+  annotations:
+    # Allow the nginx controller's internal DNS to match ingress rules so that
+    # intra-cluster traffic (DP → CP via nginx service DNS) is routed through
+    # the same auth subrequest as external traffic.
+    nginx.ingress.kubernetes.io/server-alias: "{{ .Values.global.CONTROLPLANE_INTRA_CLUSTER_HOST }}"
+
+  # Protected ingress auth annotations are defined in the base values.yaml.
   # Override here only if you need to customize auth behavior for this deployment mode.
 
 # ----------------------------------------------------------------------------
@@ -496,23 +465,6 @@ services:
         # Connect to dataplane ingress controller
         secureTunnelTenantURLPattern: '{{ .Values.global.DATAPLANE_ENDPOINT }}'
 
-  # Executions service configuration
-  executions:
-    configMap:
-      executions:
-        app:
-          adminClient:
-            connection:
-              # Flyteadmin endpoint for executions service
-              endpoint: '{{ .Values.global.FLYTEADMIN_ENDPOINT }}'
-              insecure: true
-              # --- Auth fields (active when OIDC is enabled) ---
-              authorizationHeader: "flyte-authorization"
-              clientId: '{{ .Values.global.INTERNAL_CLIENT_ID }}'
-              clientSecretLocation: "/etc/secrets/union/client_secret"
-              tokenUrl: '{{ .Values.global.AUTH_TOKEN_URL }}'
-              scopes: ["all"]
-
 # ----------------------------------------------------------------------------
 # SECTION 9: ScyllaDB Configuration
 # ----------------------------------------------------------------------------