feat(identity): add identity service to selfhosted controlplane chart#346
Open
feat(identity): add identity service to selfhosted controlplane chart#346
Conversation
Contributor
Current Aviator status
This pull request is currently open (not queued). How to mergeTo merge this PR, comment
See the real-time status of this PR on the
Aviator webapp.
Use the Aviator Chrome Extension
to see the status of your PR within GitHub.
|
There was a problem hiding this comment.
Pull request overview
Adds an identity service to the selfhosted controlplane Helm chart so selfhosted deployments can enable the User Management page (defaulting to a no-op provider).
Changes:
- Adds
services.identitydefaults/config to the controlplane chart values. - Updates generated Helm snapshot manifests to include identity resources (PDB, ServiceAccount, ConfigMap, Service, Deployment, HPA) across multiple test fixtures.
Reviewed changes
Copilot reviewed 1 out of 5 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| charts/controlplane/values.yaml | Introduces services.identity configuration (provider defaults + adminClient wiring). |
| tests/generated/controlplane.userclouds.yaml | Updates rendered manifests snapshot to include identity resources. |
| tests/generated/controlplane.external-authz.yaml | Updates rendered manifests snapshot to include identity resources. |
| tests/generated/controlplane.aws.yaml | Updates rendered manifests snapshot to include identity resources. |
| tests/generated/controlplane.aws.billing-enable.yaml | Updates rendered manifests snapshot to include identity resources. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
jmonty42
added a commit
that referenced
this pull request
Apr 20, 2026
- Add service override to suppress dangling connect port (83) that would have targeted a non-existent named container port - Fix azure clientSecretName example: remove erroneous union/ prefix (K8s secret keys cannot contain slashes) - Remove FLYTEADMIN_ENDPOINT reference from base values; endpoint is environment-specific and should be set via overlay values Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
4 tasks
…ues file Documents how to configure the identity service with provider: azure when using Entra ID, using outputs from the authn/entraid Terraform module. Includes an extraObjectsOverrides ExternalSecret example to merge the Graph API client secret from GCP Secret Manager into the shared K8s secret. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add service override to suppress dangling connect port (83) that would have targeted a non-existent named container port - Fix azure clientSecretName example: remove erroneous union/ prefix (K8s secret keys cannot contain slashes) - Remove FLYTEADMIN_ENDPOINT reference from base values; endpoint is environment-specific and should be set via overlay values Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
jmonty42
force-pushed
the
monty/identity-service-selfhosted
branch
from
40867ce to
321b997
Compare
The identity service registers both gRPC and Connect hooks. Both defaulted to port 8080 causing a bind conflict on startup. Add sharedService.connectPort: 8081 to move the Connect server to 8081. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The upstream flyte-core chart doesn't render the `private` config section into a separate YAML file. This adds a new ConfigMap template that renders `.Values.flyte.configmap.adminServer.private` into `private.yaml` and mounts it at `/etc/flyte/config/private.yaml` via additionalVolumeMounts. This enables flyteadmin-private config like `logoutUrl` and `supportsTokenRevocation` to be read from Helm values rather than requiring changes to the flyte-core subchart. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Mount private-config to /etc/flyte/private/ instead of attempting a subPath mount into /etc/flyte/config/ which conflicts with the existing clusters-config-volume projected mount. Update configPath to /etc/flyte/*/*.yaml to include both config directories. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Overview
Adds the `identity` service to the selfhosted controlplane Helm chart, enabling the User Management page for selfhosted deployments.
The service defaults to `provider: noop` (returns empty results, no external system required). To enable Azure/Entra ID user management, set `provider: azure` and configure the `azure` block with tenant ID, client ID, and a secret reference.
The client secret is read from the mounted K8s secret (`KUBERNETES_SECRET_NAME`) at runtime via `clientSecretName` — never stored in config.
Linked cloud PR: unionai/cloud#15155 (Azure/Entra ID identity provider backend)
What Mike's refactor (#348–353) covered vs. what this PR still adds
Mike's stack added the organizations service (distinct from identity), ingress identity header forwarding, OIDC globals consolidation, and shrank overlays to cloud-specific-only config. The identity service is not included in that stack — this PR remains the sole source of it.
One rebase decision: the
executions:GCP overlay block that was in an earlier version of this PR was dropped. Mike's #352 established that overlays should contain only cloud-specific items (IAM, storage, region); the basevalues.yamldefault (flyteadmin.{{ .Release.Namespace }}.svc.cluster.local:81) is correct for GCP intra-cluster.Customer-Facing Change Log
Selfhosted deployments now include the identity service, enabling the User Management page. Default provider is
noop(no impact on existing deployments). Azure/Entra ID provider can be enabled viaservices.identity.configMap.identity.app.identityProviderConfig.Test Plan (required)
make generate-expected && make testpasses (snapshots regenerated on top of Add selfhosted authorizer defaults and dashboard fixes #348–353)monty-selfhostedstaging withprovider: azureand verify User Management page lists Entra ID usersRollout Plan (required)
Chart change only — no infrastructure changes. Existing selfhosted deployments get the identity service pod on next ArgoCD sync. The
noopdefault means no behavior change untilprovideris explicitly set.Rollback Plan (required)
Set
services.identity.disabled: truein values overlay to skip the identity service deployment.Issue
ref unionai/cloud#15155
Stack
main