Add OIDC globals for multi-IdP support (Okta, Entra ID, Keycloak) #349
Changes from all commits
89d28c3
9d010ad
351da2b
f5c9149
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -116,20 +116,80 @@ global: | |
| IMAGE_REPOSITORY_PREFIX: "registry.unionai.cloud/controlplane" | ||
|
|
||
| # --- Authentication Configuration --- | ||
| # Set all values below to enable OIDC authentication. | ||
| # Supports any OAuth2/OIDC-compliant identity provider. | ||
| # Configure your OAuth2/OIDC identity provider below. | ||
| # Supports any OIDC-compliant provider (Okta, Azure AD / Entra ID, Keycloak, etc.) | ||
| # | ||
| # OIDC issuer URL | ||
| # Example: "https://login.example.com/oauth2/default" | ||
| # Required for all providers: | ||
| # OIDC_BASE_URL, OIDC_CLIENT_ID, CLI_CLIENT_ID | ||
| # INTERNAL_CLIENT_ID, AUTH_TOKEN_URL (in base values.yaml) | ||
| # | ||
| # Provider-specific (may be required depending on your IdP): | ||
| # OIDC_METADATA_URL, OIDC_ALLOWED_AUDIENCE, OIDC_APP_SCOPE, OIDC_APP_AUDIENCE | ||
| # | ||
| # See also: flyte.configmap.adminServer.auth.appAuth.identityTypeClaimsForApps | ||
| # for IdP-specific identity type claim mapping (set in values overlay, not as a global). | ||
|
|
||
| # OIDC issuer URL (authorization server base URL). | ||
| # This is the base URL for token validation, JWKS discovery, and user info. | ||
| # Okta example: "https://dev-123456.okta.com/oauth2/default" | ||
| # Entra ID example: "https://login.microsoftonline.com/{tenant-id}/v2.0" | ||
| OIDC_BASE_URL: "" | ||
| # Flyteadmin OIDC client ID for browser login flow | ||
| # Example: "0oa1abc2def3ghi4j5k6" | ||
|
|
||
| # OIDC metadata discovery endpoint (relative to OIDC_BASE_URL). | ||
| # Flyteadmin resolves this against OIDC_BASE_URL to fetch JWKS and token endpoints. | ||
| # Most providers support one or both of these endpoints: | ||
| # ".well-known/oauth-authorization-server" — RFC 8414 (Okta) | ||
| # ".well-known/openid-configuration" — OpenID Connect Discovery (Entra ID, Keycloak) | ||
| # Default: ".well-known/oauth-authorization-server" | ||
| OIDC_METADATA_URL: ".well-known/oauth-authorization-server" | ||
|
|
||
| # OAuth2 client ID for the browser/web UI login app (confidential client, | ||
| # authorization_code grant). This is the "flyteadmin" or "browser" app | ||
| # in your IdP's OAuth application configuration. | ||
| # Okta example: "0oa1abc2def3ghi4j5k6" | ||
| # Entra ID example: "f0b2667d-5e99-45f2-ae4a-2ab47cb5fa12" | ||
| OIDC_CLIENT_ID: "" | ||
| # CLI client ID for flytectl / uctl (public OAuth app, PKCE flow) | ||
| # Example: "0oa7mno8pqr9stu0v1w2" | ||
|
|
||
| # OAuth2 client ID for the CLI/SDK app (public client, PKCE flow). | ||
| # Used by flytectl, uctl, and the Flyte SDK for interactive authentication. | ||
| # Okta example: "0oa7mno8pqr9stu0v1w2" | ||
| # Entra ID example: "3df10225-18a5-4636-b1ef-582e5a8ea21c" | ||
| CLI_CLIENT_ID: "" | ||
|
|
||
| # Allowed JWT audiences for access token validation. | ||
| # Flyteadmin checks the access token "aud" claim against this list. | ||
| # When empty, defaults to ["https://{UNION_HOST}"] (the deployment domain). | ||
| # Override for IdPs that use different audience formats in access tokens. | ||
| # Okta: typically uses the auth server issuer URL (leave empty to use default). | ||
| # Entra ID example: ["api://my-app-name", "f0b2667d-5e99-45f2-ae4a-2ab47cb5fa12"] | ||
| OIDC_ALLOWED_AUDIENCE: [] | ||
|
|
||
|
|
||
| # OAuth2 resource scope for the flyteadmin app. | ||
| # When set, this scope is requested during browser login and CLI PKCE flows | ||
| # so the IdP returns access tokens scoped to your app (correct audience). | ||
| # Without this, some IdPs (notably Entra ID) return generic access tokens | ||
| # with the wrong audience, causing access token validation to fail. | ||
| # Okta: leave empty (Okta scopes are configured on the auth server). | ||
| # Entra ID example: "api://my-app-name/all" | ||
| OIDC_APP_SCOPE: "" | ||
|
|
||
| # Audience identifier for the CLI/SDK PKCE flow. | ||
| # Some IdPs require an explicit audience parameter in the authorization request. | ||
| # Okta: leave empty (derived from auth server). | ||
| # Entra ID example: "api://my-app-name" | ||
| OIDC_APP_AUDIENCE: "" | ||
|
|
||
| # OAuth2 scope for service-to-service authentication (client_credentials grant). | ||
| # Used by internal controlplane services (App 3) and dataplane operator (App 4). | ||
| # Okta: leave empty (defaults to "all", configured on the auth server). | ||
| # Entra ID example: "api://my-app-name/.default" | ||
| # Entra requires /.default suffix for client_credentials grants. | ||
| OIDC_S2S_SCOPE: "" | ||
|
|
||
| # INTERNAL_CLIENT_ID and AUTH_TOKEN_URL are defined in the base values.yaml. | ||
| # Set them in your environment-specific overlay (Terraform-generated values). | ||
| # Set them in your environment-specific values overlay. | ||
| # INTERNAL_CLIENT_ID: OAuth2 client ID for service-to-service calls (client_credentials). | ||
| # AUTH_TOKEN_URL: Token endpoint for service-to-service authentication. | ||
|
|
||
| # ---------------------------------------------------------------------------- | ||
| # SECTION 2: Image Tag Overrides | ||
|
|
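Review bot: the "Provider-specific (may be required depending on your IdP)" list near the top of this hunk names OIDC_METADATA_URL, OIDC_ALLOWED_AUDIENCE, OIDC_APP_SCOPE and OIDC_APP_AUDIENCE but omits OIDC_S2S_SCOPE, which is defined a few lines further down in the same block and drives the client_credentials scope; add it to that list so an Entra ID operator (who needs the `/.default` suffix) does not overlook it. The default for OIDC_METADATA_URL, `.well-known/oauth-authorization-server`, is the RFC 8414 path that the same comment says only Okta serves, so state explicitly that Entra ID and Keycloak deployments must override it to `.well-known/openid-configuration` or JWKS/token-endpoint discovery fails. Minor: this hunk documents the OIDC_ALLOWED_AUDIENCE default as `["https://{UNION_HOST}"]` while the flyteadmin hunk below calls it `["https://{domain}"]`; use one placeholder name in both places.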
@@ -298,30 +358,84 @@ flyte: | |
| singleTenantOrgID: '{{ .Values.global.UNION_ORG }}' | ||
|
|
||
| # --- OIDC Authentication --- | ||
| # To enable authentication, set server.security.useAuth: true | ||
| # and configure the auth globals in Section 1 above. | ||
| # Flyteadmin acts as both the OAuth2 resource server (validates access tokens) | ||
| # and the OIDC relying party (browser login flow). Configure the globals in | ||
| # Section 1 above, then enable auth: | ||
| # | ||
| # server: | ||
| # security: | ||
| # useAuth: true | ||
| # | ||
| # The sections below map to different authentication flows: | ||
| # | ||
| # auth.appAuth.externalAuthServer | ||
| # Resource server config — validates access tokens from ALL flows. | ||
| # Uses OIDC_BASE_URL for JWKS discovery and token validation. | ||
| # Uses: OAuth Apps 1-5 (all tokens are validated here). | ||
| # Flows: Browser login, CLI/SDK PKCE, service-to-service. | ||
| # | ||
| # auth.appAuth.thirdPartyConfig.flyteClient | ||
| # CLI/SDK PKCE client config — returned by GetPublicClientConfig RPC. | ||
| # The SDK/CLI uses this to initiate the PKCE authorization flow. | ||
| # Uses: OAuth App 2 (CLI — public client). | ||
| # Flow: CLI/SDK PKCE (Flow 2). | ||
| # | ||
| # auth.userAuth.openId | ||
| # Browser login config — OIDC redirect flow for web console. | ||
| # Uses: OAuth App 1 (Browser — confidential client). | ||
| # Flow: Browser login (Flow 1). | ||
| # | ||
| # Service-to-service auth (OAuth Apps 3-5) is configured separately: | ||
| # - INTERNAL_CLIENT_ID + AUTH_TOKEN_URL in globals (App 3) | ||
| # - Operator and EAGER credentials in dataplane values (Apps 4, 5) | ||
| auth: | ||
| # Custom authorization header name. All services use this instead of | ||
| # the standard "authorization" header to avoid conflicts with service | ||
| # meshes (e.g. Linkerd, Istio) that intercept the default header. | ||
| httpAuthorizationHeader: "flyte-authorization" | ||
| grpcAuthorizationHeader: "flyte-authorization" | ||
| # URIs that flyteadmin accepts as valid audiences in its own tokens. | ||
| authorizedUris: | ||
| - "http://flyteadmin:80" | ||
| - 'http://flyteadmin.{{ .Release.Namespace }}.svc.cluster.local:80' | ||
|
|
||
| # --- Resource Server (validates access tokens from all flows) --- | ||
| appAuth: | ||
| authServerType: "External" | ||
| externalAuthServer: | ||
| # OIDC issuer for JWKS discovery and token validation. | ||
| baseUrl: '{{ .Values.global.OIDC_BASE_URL }}' | ||
| # Metadata discovery endpoint (see OIDC_METADATA_URL global). | ||
| metadataUrl: '{{ .Values.global.OIDC_METADATA_URL }}' | ||
| # allowedAudience: list of accepted JWT audiences for access token validation. | ||
| # Set in your environment-specific values overlay (list type, can't use a | ||
| # single global). Default: ["https://{domain}"]. | ||
| # Override via OIDC_ALLOWED_AUDIENCE or in your values overlay. | ||
|
|
||
| # --- CLI/SDK PKCE Client (Flow 2: SDK/CLI authentication) --- | ||
| # Returned by the GetPublicClientConfig RPC. The SDK reads this to | ||
| # know which client ID, scopes, and audience to use for PKCE auth. | ||
| thirdPartyConfig: | ||
| flyteClient: | ||
| # OAuth App 2: CLI (public client, PKCE flow) | ||
| clientId: '{{ .Values.global.CLI_CLIENT_ID }}' | ||
| redirectUri: "http://localhost:53593/callback" | ||
| scopes: ["all"] | ||
| # Resource scope — determines the audience of the access token. | ||
| # See OIDC_APP_SCOPE global. | ||
| scopes: | ||
| - '{{ default "all" .Values.global.OIDC_APP_SCOPE }}' | ||
| # Audience parameter for the authorization request. | ||
| # See OIDC_APP_AUDIENCE global. | ||
| audience: '{{ default "" .Values.global.OIDC_APP_AUDIENCE }}' | ||
|
|
||
| # --- Browser Login (Flow 1: OIDC redirect for web console) --- | ||
| userAuth: | ||
| openId: | ||
| # OAuth App 1: Browser (confidential client, authorization_code grant) | ||
| baseUrl: '{{ .Values.global.OIDC_BASE_URL }}' | ||
| clientId: '{{ .Values.global.OIDC_CLIENT_ID }}' | ||
| # Scopes requested during browser OIDC login. | ||
| # For Entra ID, append OIDC_APP_SCOPE here in your values overlay. | ||
| scopes: ["profile", "openid", "offline_access"] | ||
| cookieSetting: | ||
| sameSitePolicy: "LaxMode" | ||
|
|
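Review bot: the `allowedAudience` block under `externalAuthServer` is comment-only and its two comments contradict each other: one says the list must go in the values overlay because it "can't use a single global", the next says "Override via OIDC_ALLOWED_AUDIENCE". Since OIDC_ALLOWED_AUDIENCE is declared as a YAML list global in Section 1, it can be rendered directly, for example `allowedAudience: {{- toYaml .Values.global.OIDC_ALLOWED_AUDIENCE | nindent <indent> }}` inside an `{{- if .Values.global.OIDC_ALLOWED_AUDIENCE }}` guard so the documented default still applies when the list is empty; until it is rendered, the audience check silently runs on the default and the new global is a no-op. Two smaller points: `audience: '{{ default "" .Values.global.OIDC_APP_AUDIENCE }}'` is redundant because `default ""` returns the input unchanged, and the hard-coded `scopes: ["profile", "openid", "offline_access"]` under `userAuth.openId` asks Entra ID operators to hand-append OIDC_APP_SCOPE in their overlay when the template could append it conditionally, as `thirdPartyConfig.flyteClient` already does for the PKCE flow.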
@@ -511,7 +625,8 @@ services: | |
| clientId: '{{ .Values.global.INTERNAL_CLIENT_ID }}' | ||
| clientSecretLocation: "/etc/secrets/union/client_secret" | ||
| tokenUrl: '{{ .Values.global.AUTH_TOKEN_URL }}' | ||
| scopes: ["all"] | ||
| scopes: | ||
| - '{{ default "all" .Values.global.OIDC_S2S_SCOPE }}' | ||
|
|
||
| # ---------------------------------------------------------------------------- | ||
| # SECTION 9: ScyllaDB Configuration | ||
|
|
||
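Review bot: only the controlplane `services` client_credentials block (App 3) picks up OIDC_S2S_SCOPE here, yet the global's own comment in Section 1 says it is also used by the dataplane operator (App 4), whose credentials the Section 1 comment places in the dataplane values. Either wire the same `'{{ default "all" .Values.global.OIDC_S2S_SCOPE }}'` into the operator's scopes or reword the global's comment to say App 4 is configured separately; otherwise an Entra ID deployment that sets the global still requests scope `all` for the operator, which per the Section 1 comment Entra does not accept for client_credentials grants.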
`OIDC_ALLOWED_AUDIENCE` is introduced and documented here, but it is not actually wired into the rendered flyteadmin auth config (e.g., `flyte.configmap.adminServer.auth.appAuth.externalAuthServer.allowedAudience` is never set). As a result, setting this value has no effect despite the docs implying it will be used. Either plumb this list into the flyteadmin auth config or remove the global/doc references to avoid a misleading configuration knob.
I'm assuming these changes are just setting up dependencies for the later diffs in the stack?