Merged
46 changes: 25 additions & 21 deletions charts/controlplane/dashboards/union-controlplane-overview.json
Expand Up @@ -2299,12 +2299,12 @@
"type": "timeseries",
"targets": [
{
"expr": "histogram_quantile(0.95, sum by (le) (rate(cluster:svc:update_status:success_ms_count{namespace=\"$namespace\"}[$__rate_interval]))) / 1000",
"expr": "cluster:svc:update_status:success_ms{namespace=\"$namespace\", quantile=\"0.95\"} / 1000",
"legendFormat": "UpdateStatus p95",
"refId": "A"
},
{
"expr": "histogram_quantile(0.95, sum by (le) (rate(cluster:svc:heartbeat:success_ms_count{namespace=\"$namespace\"}[$__rate_interval]))) / 1000",
"expr": "cluster:svc:heartbeat:success_ms{namespace=\"$namespace\", quantile=\"0.95\"} / 1000",
"legendFormat": "Heartbeat p95",
"refId": "B"
}
Expand Down Expand Up @@ -2581,17 +2581,17 @@
"type": "timeseries",
"targets": [
{
"expr": "rate(flyte:cacheservice:cache:cache_hit{namespace=\"$namespace\"}[$__rate_interval])",
"expr": "rate(flyte:cacheservice:cache:cache_hit_unlabeled{namespace=\"$namespace\"}[$__rate_interval])",
"legendFormat": "Hits",
"refId": "A"
},
{
"expr": "rate(flyte:cacheservice:cache:not_found{namespace=\"$namespace\"}[$__rate_interval])",
"expr": "rate(flyte:cacheservice:cache:not_found_unlabeled{namespace=\"$namespace\"}[$__rate_interval])",
"legendFormat": "Misses",
"refId": "B"
},
{
"expr": "rate(flyte:cacheservice:cache:get_failure{namespace=\"$namespace\"}[$__rate_interval])",
"expr": "rate(flyte:cacheservice:cache:get_failure_unlabeled{namespace=\"$namespace\"}[$__rate_interval])",
"legendFormat": "Get failures",
"refId": "C"
}
Expand Down Expand Up @@ -2628,17 +2628,17 @@
"type": "timeseries",
"targets": [
{
"expr": "rate(flyte:cacheservice:cache:reservation_contention{namespace=\"$namespace\"}[$__rate_interval])",
"expr": "rate(flyte:cacheservice:cache:reservation_contention_unlabeled{namespace=\"$namespace\"}[$__rate_interval])",
"legendFormat": "Contention",
"refId": "A"
},
{
"expr": "rate(flyte:cacheservice:cache:get_reservation_success{namespace=\"$namespace\"}[$__rate_interval])",
"expr": "rate(flyte:cacheservice:cache:get_reservation_success_unlabeled{namespace=\"$namespace\"}[$__rate_interval])",
"legendFormat": "Reservation acquired",
"refId": "B"
},
{
"expr": "rate(flyte:cacheservice:cache:release_reservation_success{namespace=\"$namespace\"}[$__rate_interval])",
"expr": "rate(flyte:cacheservice:cache:release_reservation_success_unlabeled{namespace=\"$namespace\"}[$__rate_interval])",
"legendFormat": "Reservation released",
"refId": "C"
}
Expand Down Expand Up @@ -2689,12 +2689,12 @@
"type": "timeseries",
"targets": [
{
"expr": "rate(authorizer:authz_allowed{namespace=\"$namespace\"}[$__rate_interval])",
"expr": "rate(authorizer:authorizer:cloudauthorizer:connect:authz_allowed{namespace=\"$namespace\"}[$__rate_interval])",
"legendFormat": "Allowed",
"refId": "A"
},
{
"expr": "rate(authorizer:authz_denied{namespace=\"$namespace\"}[$__rate_interval])",
"expr": "rate(authorizer:authorizer:cloudauthorizer:connect:authz_denied{namespace=\"$namespace\"}[$__rate_interval])",
"legendFormat": "Denied",
"refId": "B"
}
Expand Down Expand Up @@ -2731,17 +2731,17 @@
"type": "timeseries",
"targets": [
{
"expr": "authorizer:authorize_duration{namespace=\"$namespace\", quantile=\"0.5\"}",
"expr": "authorizer:authorizer:cloudauthorizer:connect:authorize_duration_ms{namespace=\"$namespace\", quantile=\"0.5\"}",
"legendFormat": "p50",
"refId": "A"
},
{
"expr": "authorizer:authorize_duration{namespace=\"$namespace\", quantile=\"0.9\"}",
"expr": "authorizer:authorizer:cloudauthorizer:connect:authorize_duration_ms{namespace=\"$namespace\", quantile=\"0.9\"}",
"legendFormat": "p90",
"refId": "B"
},
{
"expr": "authorizer:authorize_duration{namespace=\"$namespace\", quantile=\"0.99\"}",
"expr": "authorizer:authorizer:cloudauthorizer:connect:authorize_duration_ms{namespace=\"$namespace\", quantile=\"0.99\"}",
"legendFormat": "p99",
"refId": "C"
}
Expand Down Expand Up @@ -2778,7 +2778,7 @@
"type": "timeseries",
"targets": [
{
"expr": "rate(authorizer:authz_denied{namespace=\"$namespace\"}[$__rate_interval]) / (rate(authorizer:authz_allowed{namespace=\"$namespace\"}[$__rate_interval]) + rate(authorizer:authz_denied{namespace=\"$namespace\"}[$__rate_interval]))",
"expr": "rate(authorizer:authorizer:cloudauthorizer:connect:authz_denied{namespace=\"$namespace\"}[$__rate_interval]) / (rate(authorizer:authorizer:cloudauthorizer:connect:authz_allowed{namespace=\"$namespace\"}[$__rate_interval]) + rate(authorizer:authorizer:cloudauthorizer:connect:authz_denied{namespace=\"$namespace\"}[$__rate_interval]))",
"legendFormat": "Deny %",
"refId": "A"
}
Expand Down Expand Up @@ -2807,10 +2807,14 @@
{
"type": "value",
"options": {
"noop": { "text": "Noop", "index": 0 },
"userclouds": { "text": "UserClouds", "index": 1 },
"external": { "text": "External", "index": 2 },
"authorizer": { "text": "Authorizer", "index": 3 }
"Noop": { "text": "Noop", "index": 0 },
"noop": { "text": "Noop", "index": 1 },
"UserClouds": { "text": "UserClouds", "index": 2 },
"userclouds": { "text": "UserClouds", "index": 3 },
"External": { "text": "External", "index": 4 },
"external": { "text": "External", "index": 5 },
"Authorizer": { "text": "Authorizer", "index": 6 },
"authorizer": { "text": "Authorizer", "index": 7 }
}
}
]
Expand Down Expand Up @@ -3366,17 +3370,17 @@
"type": "timeseries",
"targets": [
{
"expr": "usage:messages:processing_time{namespace=\"$namespace\", quantile=\"0.5\"}",
"expr": "usage:messages:processing_time_ms{namespace=\"$namespace\", quantile=\"0.5\"}",
"legendFormat": "p50",
"refId": "A"
},
{
"expr": "usage:messages:processing_time{namespace=\"$namespace\", quantile=\"0.9\"}",
"expr": "usage:messages:processing_time_ms{namespace=\"$namespace\", quantile=\"0.9\"}",
"legendFormat": "p90",
"refId": "B"
},
{
"expr": "usage:messages:processing_time{namespace=\"$namespace\", quantile=\"0.99\"}",
"expr": "usage:messages:processing_time_ms{namespace=\"$namespace\", quantile=\"0.99\"}",
"legendFormat": "p99",
"refId": "C"
}
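Review bot: The Allowed/Denied, authorize-duration and Deny % targets now name only the `authorizer:authorizer:cloudauthorizer:connect:` scope, so a deployment whose authorizer emits under a different scope would render these panels empty, and on an authorization panel "no data" reads the same as "no denials". Whether the Noop or External authorizer types emit these series is not visible on this page, so it is worth confirming against a running instance of each type. I would add a description to the authorizer panels, whose definitions begin outside the hunks shown, such as `"description": "Counts decisions from the cloud authorizer only; an empty panel does not mean zero denials."`. Separately, the Deny % expression yields a 0–1 ratio that is undefined when both rates are zero, so check that the panel unit (not shown here) is a percent-of-unit type and that the no-traffic case is displayed as intended.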
38 changes: 26 additions & 12 deletions charts/controlplane/values.yaml
Expand Up @@ -412,20 +412,9 @@ services:
#
# Supported types:
# - "Noop" — no enforcement (default)
# - "UserClouds" — Union Cloud's authorization backend
# - "UserClouds" — Union RBAC (just set type, defaults are pre-configured)
# - "External" — customer-provided gRPC authorization server (selfhosted)
#
# --- Union Cloud (UserClouds) ---
# For Union Cloud deployments, set type to "UserClouds":
# authorizer:
# type: "UserClouds"
# userCloudsClient:
# tenantUrl: 'http://{{ .Release.Name }}-union-authz.{{ .Release.Namespace }}.svc.cluster.local:8080'
# tenantID: '623771e7-ddd6-4575-bedb-7c970ec75b87'
# clientID: '{{ .Values.union.authz.clientID }}'
# clientSecretName: 'union/client_secret'
# enableLogging: true
#
# --- External Authorization (selfhosted) ---
# For selfhosted deployments with a customer-provided authz server:
# authorizer:
Expand Down Expand Up @@ -467,6 +456,31 @@ services:
forwardHeaders:
- authorization
- flyte-authorization
# --- UserClouds client defaults (pre-configured) ---
# These defaults are used when type is set to "UserClouds" (Union RBAC).
# They are ignored when type is "Noop" or "External".
# To enable Union RBAC, just change type to "UserClouds" — no other
# configuration is needed. Override individual fields only if your
# deployment uses non-standard naming or secrets.
userCloudsClient:
tenantUrl: 'http://{{ .Release.Name }}-union-authz.{{ .Release.Namespace }}.svc.cluster.local:8080'
tenantID: '623771e7-ddd6-4575-bedb-7c970ec75b87'
clientID: '{{ .Values.union.authz.clientID }}'
clientSecretName: 'union/client_secret'
enableLogging: true
internalCommunicationConfig:
enabled: false
bootstrap:
organization: ""
domains:
- development
- staging
- production
projects: []
serviceAccounts: []
adminUsers: []
retryInterval: 5s
maxRetries: 30
Comment on lines +459 to +483

Copilot AI Apr 20, 2026


The PR description mentions adding a defaultIdentityToSubject authorizer config default for non-Okta IdPs, but that setting doesn’t appear to be introduced anywhere in the chart/values changes in this PR. Either add the corresponding value + wiring, or update the PR description/migration notes to avoid implying this behavior exists.

sharedService:
connectPort: 8081
metrics:
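Review bot: The new `userCloudsClient.tenantUrl` default is a plain `http://` URL on port 8080 and sits next to `clientSecretName`, so switching `type` to "UserClouds" as the comment invites would presumably send the client credential to the authz service without transport encryption unless something outside this chart (a service mesh or network policy) provides it. The comment block says no other configuration is needed; I would qualify it with a line such as `# NOTE: tenantUrl defaults to in-cluster HTTP; confirm traffic to the authz service is protected before enabling.` It is also worth documenting what `enableLogging: true` records, since it now applies to every install that switches type, and whether the empty `bootstrap.adminUsers: []` and `organization: ""` defaults leave a freshly enabled RBAC deployment without an administrator. The `services:` block begins and continues outside the hunks shown.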
65 changes: 44 additions & 21 deletions tests/generated/controlplane.aws.billing-enable.yaml
Expand Up @@ -682,12 +682,31 @@ data:
grpcConfig:
host: dns:///authorizer.union.svc.cluster.local:80
insecure: true
bootstrap:
adminUsers: []
domains:
- development
- staging
- production
maxRetries: 30
organization: ""
projects: []
retryInterval: 5s
serviceAccounts: []
externalClient:
forwardHeaders:
- authorization
- flyte-authorization
internalCommunicationConfig:
enabled: false
type: Noop
useExternalIdentity: 'false'
userCloudsClient:
clientID: 'union-authz-client'
clientSecretName: union/client_secret
enableLogging: true
tenantID: 623771e7-ddd6-4575-bedb-7c970ec75b87
tenantUrl: http://release-name-union-authz.union.svc.cluster.local:8080
cache:
identity:
enabled: false
Expand Down Expand Up @@ -3576,12 +3595,12 @@ data:
"type": "timeseries",
"targets": [
{
"expr": "histogram_quantile(0.95, sum by (le) (rate(cluster:svc:update_status:success_ms_count{namespace=\"$namespace\"}[$__rate_interval]))) / 1000",
"expr": "cluster:svc:update_status:success_ms{namespace=\"$namespace\", quantile=\"0.95\"} / 1000",
"legendFormat": "UpdateStatus p95",
"refId": "A"
},
{
"expr": "histogram_quantile(0.95, sum by (le) (rate(cluster:svc:heartbeat:success_ms_count{namespace=\"$namespace\"}[$__rate_interval]))) / 1000",
"expr": "cluster:svc:heartbeat:success_ms{namespace=\"$namespace\", quantile=\"0.95\"} / 1000",
"legendFormat": "Heartbeat p95",
"refId": "B"
}
Expand Down Expand Up @@ -3858,17 +3877,17 @@ data:
"type": "timeseries",
"targets": [
{
"expr": "rate(flyte:cacheservice:cache:cache_hit{namespace=\"$namespace\"}[$__rate_interval])",
"expr": "rate(flyte:cacheservice:cache:cache_hit_unlabeled{namespace=\"$namespace\"}[$__rate_interval])",
"legendFormat": "Hits",
"refId": "A"
},
{
"expr": "rate(flyte:cacheservice:cache:not_found{namespace=\"$namespace\"}[$__rate_interval])",
"expr": "rate(flyte:cacheservice:cache:not_found_unlabeled{namespace=\"$namespace\"}[$__rate_interval])",
"legendFormat": "Misses",
"refId": "B"
},
{
"expr": "rate(flyte:cacheservice:cache:get_failure{namespace=\"$namespace\"}[$__rate_interval])",
"expr": "rate(flyte:cacheservice:cache:get_failure_unlabeled{namespace=\"$namespace\"}[$__rate_interval])",
"legendFormat": "Get failures",
"refId": "C"
}
Expand Down Expand Up @@ -3905,17 +3924,17 @@ data:
"type": "timeseries",
"targets": [
{
"expr": "rate(flyte:cacheservice:cache:reservation_contention{namespace=\"$namespace\"}[$__rate_interval])",
"expr": "rate(flyte:cacheservice:cache:reservation_contention_unlabeled{namespace=\"$namespace\"}[$__rate_interval])",
"legendFormat": "Contention",
"refId": "A"
},
{
"expr": "rate(flyte:cacheservice:cache:get_reservation_success{namespace=\"$namespace\"}[$__rate_interval])",
"expr": "rate(flyte:cacheservice:cache:get_reservation_success_unlabeled{namespace=\"$namespace\"}[$__rate_interval])",
"legendFormat": "Reservation acquired",
"refId": "B"
},
{
"expr": "rate(flyte:cacheservice:cache:release_reservation_success{namespace=\"$namespace\"}[$__rate_interval])",
"expr": "rate(flyte:cacheservice:cache:release_reservation_success_unlabeled{namespace=\"$namespace\"}[$__rate_interval])",
"legendFormat": "Reservation released",
"refId": "C"
}
Expand Down Expand Up @@ -3966,12 +3985,12 @@ data:
"type": "timeseries",
"targets": [
{
"expr": "rate(authorizer:authz_allowed{namespace=\"$namespace\"}[$__rate_interval])",
"expr": "rate(authorizer:authorizer:cloudauthorizer:connect:authz_allowed{namespace=\"$namespace\"}[$__rate_interval])",
"legendFormat": "Allowed",
"refId": "A"
},
{
"expr": "rate(authorizer:authz_denied{namespace=\"$namespace\"}[$__rate_interval])",
"expr": "rate(authorizer:authorizer:cloudauthorizer:connect:authz_denied{namespace=\"$namespace\"}[$__rate_interval])",
"legendFormat": "Denied",
"refId": "B"
}
Expand Down Expand Up @@ -4008,17 +4027,17 @@ data:
"type": "timeseries",
"targets": [
{
"expr": "authorizer:authorize_duration{namespace=\"$namespace\", quantile=\"0.5\"}",
"expr": "authorizer:authorizer:cloudauthorizer:connect:authorize_duration_ms{namespace=\"$namespace\", quantile=\"0.5\"}",
"legendFormat": "p50",
"refId": "A"
},
{
"expr": "authorizer:authorize_duration{namespace=\"$namespace\", quantile=\"0.9\"}",
"expr": "authorizer:authorizer:cloudauthorizer:connect:authorize_duration_ms{namespace=\"$namespace\", quantile=\"0.9\"}",
"legendFormat": "p90",
"refId": "B"
},
{
"expr": "authorizer:authorize_duration{namespace=\"$namespace\", quantile=\"0.99\"}",
"expr": "authorizer:authorizer:cloudauthorizer:connect:authorize_duration_ms{namespace=\"$namespace\", quantile=\"0.99\"}",
"legendFormat": "p99",
"refId": "C"
}
Expand Down Expand Up @@ -4055,7 +4074,7 @@ data:
"type": "timeseries",
"targets": [
{
"expr": "rate(authorizer:authz_denied{namespace=\"$namespace\"}[$__rate_interval]) / (rate(authorizer:authz_allowed{namespace=\"$namespace\"}[$__rate_interval]) + rate(authorizer:authz_denied{namespace=\"$namespace\"}[$__rate_interval]))",
"expr": "rate(authorizer:authorizer:cloudauthorizer:connect:authz_denied{namespace=\"$namespace\"}[$__rate_interval]) / (rate(authorizer:authorizer:cloudauthorizer:connect:authz_allowed{namespace=\"$namespace\"}[$__rate_interval]) + rate(authorizer:authorizer:cloudauthorizer:connect:authz_denied{namespace=\"$namespace\"}[$__rate_interval]))",
"legendFormat": "Deny %",
"refId": "A"
}
Expand Down Expand Up @@ -4084,10 +4103,14 @@ data:
{
"type": "value",
"options": {
"noop": { "text": "Noop", "index": 0 },
"userclouds": { "text": "UserClouds", "index": 1 },
"external": { "text": "External", "index": 2 },
"authorizer": { "text": "Authorizer", "index": 3 }
"Noop": { "text": "Noop", "index": 0 },
"noop": { "text": "Noop", "index": 1 },
"UserClouds": { "text": "UserClouds", "index": 2 },
"userclouds": { "text": "UserClouds", "index": 3 },
"External": { "text": "External", "index": 4 },
"external": { "text": "External", "index": 5 },
"Authorizer": { "text": "Authorizer", "index": 6 },
"authorizer": { "text": "Authorizer", "index": 7 }
}
}
]
Expand Down Expand Up @@ -4643,17 +4666,17 @@ data:
"type": "timeseries",
"targets": [
{
"expr": "usage:messages:processing_time{namespace=\"$namespace\", quantile=\"0.5\"}",
"expr": "usage:messages:processing_time_ms{namespace=\"$namespace\", quantile=\"0.5\"}",
"legendFormat": "p50",
"refId": "A"
},
{
"expr": "usage:messages:processing_time{namespace=\"$namespace\", quantile=\"0.9\"}",
"expr": "usage:messages:processing_time_ms{namespace=\"$namespace\", quantile=\"0.9\"}",
"legendFormat": "p90",
"refId": "B"
},
{
"expr": "usage:messages:processing_time{namespace=\"$namespace\", quantile=\"0.99\"}",
"expr": "usage:messages:processing_time_ms{namespace=\"$namespace\", quantile=\"0.99\"}",
"legendFormat": "p99",
"refId": "C"
}