update#323
Merged
fiedlerNr9 merged 4 commits into jan/wip-selfhosted from Apr 3, 2026
…auth (#316) These are the manual steps for enabling intra-cluster auth for scylladb in selfhosted environments.
## Summary

Move `externalClient.forwardHeaders` out of the commented External example block into explicit defaults. Customers see what headers are forwarded to their external authorization server without reading Go code. Prevents accidentally overriding defaults with a partial list when customizing.

## Test Plan

- [x] `make generate-expected` — snapshots regenerated
- [x] All test variants include explicit forwardHeaders in rendered configmaps

## Rollout Plan (required)

Safe to merge — adds explicit values that match existing Go defaults. No behavior change.

## Rollback Plan (required)

Revert PR. Go code `DefaultForwardHeaders` continues to provide the same defaults.

## Checklist

* [x] Added tests
* [ ] Ran manual integration tests
* [ ] Ran a deploy dry run
* [ ] Added logging and metrics
* [ ] Updated dashboards and alerts
* [ ] Updated documentation
…189) (#320)

## Summary

Add `useExternalIdentity` config to the authorizer section across all services. When `global.USE_EXTERNAL_IDENTITY` is `"true"`, all services construct `ExternalIdentity` for subjects without the `identitytype` JWT claim.

**Why a global?** flyteadmin and cacheservice configs render inside the flyte-core subchart scope where `.Values.services` is not accessible. Using `global.USE_EXTERNAL_IDENTITY` makes the value available across all template scopes. A future release removing the flyte-core subchart dependency will allow direct derivation from `authorizer.type`.

Verified on all 9 services: flyteadmin, cacheservice, authorizer, cluster, dataproxy, executions, queue, run-scheduler, usage.

## Customer-Facing Change Log

[selfhosted] External authorization now supports IdPs that do not provide custom JWT claims (e.g. Apple IdMS, Entra ID).

**New configuration:** Add `global.USE_EXTERNAL_IDENTITY: "true"` to your controlplane values overlay when using External authorization (`services.authorizer.configMap.authorizer.type: "External"`) with an IdP that does not include the `identitytype` custom claim in JWTs.

**No migration needed** for existing deployments. This setting only affects new selfhosted deployments enabling External authorization for the first time. Existing deployments with Okta (which provides the `identitytype` claim) are unaffected — the setting defaults to `"false"`.

## Test Plan (required)

- [x] New `controlplane.external-authz` test variant — all 9 service configmaps render `useExternalIdentity: 'true'`
- [x] Existing `controlplane.aws` test — all configmaps render `useExternalIdentity: 'false'`
- [x] `make generate-expected` — snapshots regenerated and pass
- [x] Deployed to mike staging env — external authz server receives and authorizes requests

## Rollout Plan (required)

Set `global.USE_EXTERNAL_IDENTITY: "true"` in values overlay. No behavior change unless set.

For Union-managed selfhosted environments, Terraform derives this from `authorization_mode == "External"`.

## Rollback Plan (required)

Remove global or set to `"false"`. Restores fail-fast behavior.

## Issue ref

FAB-189. Companion to cloud [#15185](unionai/cloud#15185).

## Checklist

* [x] Added tests
* [x] Ran manual integration tests
* [x] Ran a deploy dry run
* [ ] Added logging and metrics
* [ ] Updated dashboards and alerts
* [x] Updated documentation
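The subject-resolution rule in the commit above, modelled as an added example (not the chart's or the services' own code): with `useExternalIdentity` enabled, a token lacking the `identitytype` claim becomes an external identity, otherwise the request fails fast. It also includes a constructed overlay check that flags the combination the commit warns about (External authorization with the global left at its default `"false"`). The function and class names and the sample overlay are assumptions made for illustration; only the claim name, the knob and the values keys come from the commit message.

```python
# Added example: a model of the behaviour the commit message describes, not the
# project's code. Names (Subject, resolve_subject, check_overlay) are constructed.
from dataclasses import dataclass
from typing import Any, Mapping


@dataclass(frozen=True)
class Subject:
    user: str
    identity_type: str  # value of the `identitytype` claim, or "external"


class MissingIdentityClaim(Exception):
    """Raised when the JWT has no `identitytype` claim and the fallback is off."""


def resolve_subject(claims: Mapping[str, Any], use_external_identity: bool) -> Subject:
    """With useExternalIdentity on, tokens without `identitytype` become an
    ExternalIdentity; otherwise fail fast rather than guess an identity type."""
    sub = claims["sub"]
    if "identitytype" in claims:
        return Subject(sub, str(claims["identitytype"]))
    if use_external_identity:
        return Subject(sub, "external")  # ExternalIdentity in the PR's terms
    raise MissingIdentityClaim(f"token for {sub!r} lacks identitytype claim")


def check_overlay(values: Mapping[str, Any]) -> list[str]:
    """Pre-deploy sanity check over a controlplane values overlay (as a dict).
    Flags External authorization with USE_EXTERNAL_IDENTITY unset or "false":
    IdPs that do not emit `identitytype` would then be rejected fail-fast.
    Returns human-readable findings; an empty list means consistent."""
    authz_type = (values.get("services", {}).get("authorizer", {})
                  .get("configMap", {}).get("authorizer", {}).get("type"))
    flag = str(values.get("global", {}).get("USE_EXTERNAL_IDENTITY", "false"))
    findings = []
    if authz_type == "External" and flag != "true":
        findings.append("External authorizer with USE_EXTERNAL_IDENTITY unset/false: "
                        "tokens without an identitytype claim will fail fast")
    return findings


# Constructed sample overlay using the keys named in the commit message.
SAMPLE_OVERLAY = {
    "global": {"USE_EXTERNAL_IDENTITY": "true"},
    "services": {"authorizer": {"configMap": {"authorizer": {"type": "External"}}}},
}
```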
* Release 2026.4.0: Bump chart version and appVersion to 2026.4.0. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Bump appVersion to 2026.4.1. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Bump appVersion to 2026.4.2. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The base branch (jan/wip-selfhosted) of this pull request is not configured as a base branch. Please edit the base branch of this PR if you wish to merge using Aviator.

aviator-app Bot pushed a commit that referenced this pull request on Apr 10, 2026:
## Summary

This is the first iteration on deploying Envoy Gateway (EG) as a replacement for Ingress NGINX. This creates the necessary charts for adding EG and HTTP/GRPC routes. This supports running both EG and Ingress NGINX in the same cluster, using the INGRESS_PROVIDER global value. You can choose either nginx, envoy, or both.

## Included Features

### Control Plane

- Backend Traffic Policy - for defining connection timeout, TCP keep-alive, HTTP/2 support, and rate limiting for the EG proxy to the downstream GRPC service/connections.
- ClientTrafficPolicy - used to set timeout and buffer size limits.
- Gateway - configures the gateway itself. Serverless is currently still supported, but will be pulled out once we tear down serverless.
- All the routes.

### Envoy Proxy

- Patch policy - used to define the HTTP filters used for auth token interception/injection, and caching of requests to auth-proxy to avoid hitting rate limits.
- Proxy configuration itself.
- Redis configuration - used by the rate limiter.

* `jan/wip-selfhosted` - ⚠️ No PR associated with branch
  - #323 - **Adding Envoy Gateway as control plane ingress** :point_left:
davidmirror-ops pushed a commit that referenced this pull request on Apr 10, 2026.