Replace flyte-core subchart with direct templates (FAB-277)#354
Pull request overview
Replaces the flyte-core subchart’s flyteadmin/flyteconsole rendering with first-party templates in the controlplane chart, gated by flyte.useDirectTemplates (default on), while keeping the subchart as a legacy fallback.
Changes:
- Added direct-rendered templates for flyteadmin and flyteconsole (configmaps, deployments, services, RBAC, HPA, secrets).
- Consolidated/expanded Flyte helper templates into `templates/_flyte-core.tpl` and updated `values.yaml` defaults to disable subchart components.
- Updated generated manifest snapshots to reflect the new template sources and label ordering/changes.
Reviewed changes
Copilot reviewed 14 out of 19 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| tests/generated/controlplane.userclouds.yaml | Snapshot updated for flyteadmin/flyteconsole resources now sourced from direct templates + label changes/reordering. |
| tests/generated/controlplane.external-authz.yaml | Snapshot updated for direct-template rendering and label changes/reordering. |
| tests/generated/controlplane.aws.yaml | Snapshot updated for direct-template rendering and label changes/reordering. |
| tests/generated/controlplane.aws.billing-enable.yaml | Snapshot updated for direct-template rendering and label changes/reordering. |
| charts/controlplane/values.yaml | Introduces flyte.useDirectTemplates defaulting to true and disables subchart components by default. |
| charts/controlplane/values.gcp.selfhosted-intracluster.yaml | Expands/rewrites the GCP intra-cluster overlay and updates Flyte-related overrides. |
| charts/controlplane/values.aws.selfhosted-intracluster.yaml | Expands/rewrites the AWS intra-cluster overlay and updates Flyte-related overrides. |
| charts/controlplane/templates/flyteconsole/service.yaml | New flyteconsole Service rendered directly when useDirectTemplates is enabled. |
| charts/controlplane/templates/flyteconsole/deployment.yaml | New flyteconsole Deployment rendered directly when useDirectTemplates is enabled. |
| charts/controlplane/templates/flyteconsole/configmap.yaml | New flyteconsole ConfigMap rendered directly when useDirectTemplates is enabled. |
| charts/controlplane/templates/flyteadmin/service.yaml | New flyteadmin Service rendered directly when useDirectTemplates is enabled. |
| charts/controlplane/templates/flyteadmin/secret.yaml | New flyteadmin Secret (admin secrets) rendered directly when useDirectTemplates is enabled. |
| charts/controlplane/templates/flyteadmin/secret-auth.yaml | New OIDC client secret Secret rendered directly when useDirectTemplates is enabled. |
| charts/controlplane/templates/flyteadmin/rbac.yaml | New flyteadmin ServiceAccount + RBAC rendered directly when useDirectTemplates is enabled. |
| charts/controlplane/templates/flyteadmin/hpa.yaml | New flyteadmin HPA rendered directly when autoscaling is enabled. |
| charts/controlplane/templates/flyteadmin/deployment.yaml | New flyteadmin Deployment rendered directly when useDirectTemplates is enabled. |
| charts/controlplane/templates/flyteadmin/configmap.yaml | New flyteadmin config ConfigMaps rendered directly when useDirectTemplates is enabled. |
| charts/controlplane/templates/_flyte-core.tpl | Promotes flyte-core helpers to canonical helpers used by direct templates (labels/storage/databaseSecret/etc). |
| port: 80 | ||
| protocol: TCP | ||
| {{- if .Values.flyte.flyteconsole.service.appProtocols.enabled }} | ||
| appProtocol: TCP |
When service.appProtocols.enabled is true, the Service ports set appProtocol: TCP. appProtocol is meant to declare the application protocol (e.g. http, https, grpc) and should not duplicate the transport protocol: TCP. Consider using the appropriate appProtocol value(s) for these ports, or make it configurable via values (similar to console.service.appProtocol).
| appProtocol: TCP | |
| appProtocol: http |
| appProtocol: TCP | ||
| {{- end }} | ||
| targetPort: 8088 | ||
| - name: grpc | ||
| port: 81 | ||
| protocol: TCP | ||
| # intentionally set to TCP instead of grpc | ||
| {{- if .Values.flyte.flyteadmin.service.appProtocols.enabled }} | ||
| appProtocol: TCP | ||
| {{- end }} | ||
| targetPort: 8089 | ||
| - name: redoc | ||
| protocol: TCP | ||
| {{- if .Values.flyte.flyteadmin.service.appProtocols.enabled }} | ||
| appProtocol: TCP | ||
| {{- end }} | ||
| port: 87 | ||
| targetPort: 8087 | ||
| - name: http-metrics | ||
| protocol: TCP | ||
| {{- if .Values.flyte.flyteadmin.service.appProtocols.enabled }} | ||
| appProtocol: TCP |
When service.appProtocols.enabled is true, the Service ports set appProtocol: TCP. appProtocol should describe the application protocol (e.g. http, grpc, kubernetes.io/h2c) rather than repeating the transport protocol. Consider using the correct values per port (http/grpc) or making the appProtocol values configurable.
| appProtocol: TCP | |
| {{- end }} | |
| targetPort: 8088 | |
| - name: grpc | |
| port: 81 | |
| protocol: TCP | |
| # intentionally set to TCP instead of grpc | |
| {{- if .Values.flyte.flyteadmin.service.appProtocols.enabled }} | |
| appProtocol: TCP | |
| {{- end }} | |
| targetPort: 8089 | |
| - name: redoc | |
| protocol: TCP | |
| {{- if .Values.flyte.flyteadmin.service.appProtocols.enabled }} | |
| appProtocol: TCP | |
| {{- end }} | |
| port: 87 | |
| targetPort: 8087 | |
| - name: http-metrics | |
| protocol: TCP | |
| {{- if .Values.flyte.flyteadmin.service.appProtocols.enabled }} | |
| appProtocol: TCP | |
| appProtocol: http | |
| {{- end }} | |
| targetPort: 8088 | |
| - name: grpc | |
| port: 81 | |
| protocol: TCP | |
| {{- if .Values.flyte.flyteadmin.service.appProtocols.enabled }} | |
| appProtocol: grpc | |
| {{- end }} | |
| targetPort: 8089 | |
| - name: redoc | |
| protocol: TCP | |
| {{- if .Values.flyte.flyteadmin.service.appProtocols.enabled }} | |
| appProtocol: http | |
| {{- end }} | |
| port: 87 | |
| targetPort: 8087 | |
| - name: http-metrics | |
| protocol: TCP | |
| {{- if .Values.flyte.flyteadmin.service.appProtocols.enabled }} | |
| appProtocol: http |
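Review bot: the `# intentionally set to TCP instead of grpc` comment on the grpc port (8089) records a deliberate choice but not its reason, and the suggested replacement deletes that comment while switching the port to `appProtocol: grpc`. Before accepting the change, state in the template why TCP was chosen, or expose the value per port in values.yaml with the current TCP as the default, since appProtocol is the hint that ingress controllers and service meshes read to decide how to handle the port.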
| # Set clientSecret: "placeholder" so the subchart renders the secret — it must be | ||
| # overwritten externally (e.g. via ExternalSecrets) with the real credential. | ||
| secrets: | ||
| adminOauthClientCredentials: | ||
| enabled: true |
This overlay sets flyte.secrets.adminOauthClientCredentials.enabled: true. With flyte.useDirectTemplates: true (default in the chart) the controlplane direct template also renders the flyte-secret-auth Secret when clientSecret is non-empty, so enabling the subchart secret here is likely to produce duplicate Secret manifests with the same name. Prefer leaving enabled: false (as in base values.yaml) and only setting clientSecret (or explicitly set flyte.useDirectTemplates: false if you want legacy subchart rendering).
| # Set clientSecret: "placeholder" so the subchart renders the secret — it must be | |
| # overwritten externally (e.g. via ExternalSecrets) with the real credential. | |
| secrets: | |
| adminOauthClientCredentials: | |
| enabled: true | |
| # Leave the legacy subchart secret renderer disabled to avoid duplicate Secret | |
| # manifests when direct templates are enabled. Keep clientSecret non-empty so | |
| # the direct template renders the secret, then overwrite it externally | |
| # (e.g. via ExternalSecrets) with the real credential. | |
| secrets: | |
| adminOauthClientCredentials: | |
| enabled: false |
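Review bot: both the original comment (`clientSecret: "placeholder"`) and the rewritten one ("Keep clientSecret non-empty so the direct template renders the secret") leave a known placeholder value as the content of flyte-secret-auth until an external process overwrites it, and nothing in these lines makes the deploy fail if that overwrite never happens. The other overlay in this PR takes the opposite approach (`clientSecret: null`, Secret provisioned externally); consider using that here as well, or say in the comment which controller owns the Secret so that Helm and ExternalSecrets are not both writing the same object.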
| # Enable scheduler auth secret mount so flyte-secret-auth is mounted at /etc/secrets/. | ||
| # Set clientSecret: null so the subchart does NOT create the secret — it must be | ||
| # provisioned externally (e.g. via ExternalSecrets from Secrets Manager). | ||
| secrets: | ||
| adminOauthClientCredentials: | ||
| enabled: true |
This overlay sets flyte.secrets.adminOauthClientCredentials.enabled: true. With flyte.useDirectTemplates: true (default), the controlplane direct templates will also render the flyte-secret-auth Secret when clientSecret is non-empty, which can result in duplicate Secret manifests with the same name. Prefer leaving enabled: false and only setting clientSecret, or set flyte.useDirectTemplates: false if the intent is to rely on the flyte-core subchart for this Secret.
| # Enable scheduler auth secret mount so flyte-secret-auth is mounted at /etc/secrets/. | |
| # Set clientSecret: null so the subchart does NOT create the secret — it must be | |
| # provisioned externally (e.g. via ExternalSecrets from Secrets Manager). | |
| secrets: | |
| adminOauthClientCredentials: | |
| enabled: true | |
| # Configure scheduler auth secret mount so flyte-secret-auth is mounted at /etc/secrets/. | |
| # With direct templates enabled, keep subchart secret rendering disabled to avoid | |
| # generating duplicate flyte-secret-auth Secret manifests. | |
| secrets: | |
| adminOauthClientCredentials: | |
| enabled: false |
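Review bot: the replacement comment drops the `clientSecret: null` instruction and the sentence saying the Secret must be provisioned externally, so with `enabled: false` the comment no longer says where flyte-secret-auth comes from, even though its first line still describes it as mounted at /etc/secrets/. Keep the external-provisioning sentence (ExternalSecrets from Secrets Manager) next to the new wording so that a missing Secret is caught in review rather than at pod start.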
| # When true, flyteadmin and flyteconsole are rendered by controlplane templates | ||
| # (templates/flyteadmin/, templates/flyteconsole/) instead of the flyte-core subchart. | ||
| # Set to false + re-enable flyteadmin.enabled/flyteconsole.enabled for legacy behavior. | ||
| # Requires `helm upgrade --force` when switching (label changes on immutable selectors). |
The comment says switching flyte.useDirectTemplates “requires helm upgrade --force (label changes on immutable selectors)”. In the rendered manifests shown in snapshots, the selector labels for flyteadmin/flyteconsole appear unchanged (still name+instance), and the label changes are on resource metadata/pod labels, which are mutable. Suggest clarifying when --force is actually required (or removing the claim if no immutable fields change) to avoid unnecessary forced upgrades.
| # Requires `helm upgrade --force` when switching (label changes on immutable selectors). | |
| # Switching modes may require `helm upgrade --force` only if the rendered manifests | |
| # change immutable fields (for example, selectors). Check the rendered diff first. |
| {{- end }} | ||
| {{- with .Values.flyte.flyteadmin.service.loadBalancerSourceRanges }} | ||
| loadBalancerSourceRanges: | ||
| {{ . }} |
loadBalancerSourceRanges is rendered via {{ . }}. If the value is the usual YAML list (e.g. ["10.0.0.0/8"]), this will stringify instead of emitting a proper sequence, producing invalid Service YAML. Render it with toYaml/tpl + proper indentation (similar to other list-valued fields).
| {{ . }} | |
| {{ tpl (toYaml .) $ | nindent 4 }} |
| command: ["/bin/sh", "-c"] | ||
| args: | ||
| [ | ||
| "flyteadmin --config={{ .Values.flyte.flyteadmin.configPath }} secrets init --localPath /etc/scratch/secrets && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --name flyte-admin-secrets --fromPath /etc/scratch/secrets", |
In the generate-secrets initContainer, the first command uses .Values.flyte.flyteadmin.configPath, but the second flyteadmin ... secrets create command is hardcoded to /etc/flyte/config/*.yaml. If configPath is customized, these two commands will run with different configs. Use the same configurable configPath for both commands (or consistently use the mounted config path).
| "flyteadmin --config={{ .Values.flyte.flyteadmin.configPath }} secrets init --localPath /etc/scratch/secrets && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --name flyte-admin-secrets --fromPath /etc/scratch/secrets", | |
| "flyteadmin --config={{ .Values.flyte.flyteadmin.configPath }} secrets init --localPath /etc/scratch/secrets && flyteadmin --config={{ .Values.flyte.flyteadmin.configPath }} secrets create --name flyte-admin-secrets --fromPath /etc/scratch/secrets", |
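Review bot: in both the original and the suggested args line, `.Values.flyte.flyteadmin.configPath` is interpolated unquoted into a string executed by `/bin/sh -c`, so the value goes through shell word splitting and glob expansion (the hardcoded `/etc/flyte/config/*.yaml` depended on that glob). Document next to configPath in values.yaml that it is shell-interpreted, and either constrain it to a path pattern or pass the two flyteadmin invocations without a shell, so that a values override cannot change the command line that generates flyte-admin-secrets.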
## Overview

Adds authorizer configuration defaults for selfhosted deployments and fixes dashboard panel issues.

- **defaultIdentityToSubject**: Config for non-Okta IdPs (FAB-189) that don't include `identitytype` claim natively. When enabled, subjects without identitytype are treated as users.
- **UserClouds client defaults**: Pre-configured connection settings in the controlplane values so terraform doesn't need deep-merge overrides.
- **Dashboard fixes**: Authorizer Mode panel value mappings for case sensitivity, metric name mismatches.

## Migration Notes

No migration required. Additive defaults only — existing deployments are not affected.

## Test Plan

- [x] `helm template` renders correctly
- [x] Verified on identity-testing environment

ref FAB-189
ref FAB-178

🤖 Generated with [Claude Code](https://claude.com/claude-code)

- `main`
- **Add selfhosted authorizer defaults and dashboard fixes** :point\_left:
- \#349
- \#350
- \#351
- \#352
- \#353
- \#354

## Overview

Adds OIDC/OAuth2 globals to support identity providers beyond Okta (Entra ID, Keycloak, Authentik).

**New globals** (all empty by default — Okta behavior unchanged):

- `OIDC_METADATA_URL` — metadata discovery endpoint (Okta: `.well-known/oauth-authorization-server`, Entra: `.well-known/openid-configuration`)
- `OIDC_APP_SCOPE` — resource scope for CLI/SDK and task pods (Entra: `api://my-app/.default`)
- `OIDC_APP_AUDIENCE` — audience parameter for PKCE flows (Entra: `api://my-app`)
- `OIDC_S2S_SCOPE` — service-to-service scope (Entra: `api://my-app/.default`)
- Dataplane S2S scope support via `OIDC_S2S_SCOPE`

Includes inline documentation with Okta/Entra ID examples, OAuth app flow references, and test fixture for non-Okta configuration.

## Migration Notes

No migration required. All new globals default to empty which preserves existing Okta behavior. Non-Okta IdPs can now be configured without terraform deep-merge overrides.

## Test Plan

- [x] Added `tests/values/controlplane.custom-oidc.yaml` test fixture
- [x] `helm template` renders correctly with both empty and non-empty globals
- [x] Verified on identity-testing environment with Entra ID

ref FAB-178

🤖 Generated with [Claude Code](https://claude.com/claude-code)

- `main`
- **Add OIDC globals for multi-IdP support (Okta, Entra ID, Keycloak)** :point\_left:
- \#350
- \#351
- \#352
- \#353
- \#354
…350)

## Summary

- **server-alias annotation**: Allows DP→CP intra-cluster traffic through nginx ingress by matching the internal service DNS name
- **gRPC configuration-snippet**: Forwards identity headers (X-User-Subject, X-User-Claim-Identitytype) from auth subrequest to gRPC backends. Required for BYOC since Oct 2024, now ported to selfhosted chart.
- **Organizations service**: New controlplane service for settings/org APIs. Required by CreateRun since #15107.
- **Fix organizations connectPort** in configmap

Stacked on #349 → #348 → main

## Migration Notes

**New behavior:** Intra-cluster DP→CP gRPC traffic now goes through nginx auth subrequests (via server-alias). This ensures consistent identity resolution for all callers. Previously, intra-cluster traffic could bypass auth if the `:authority` header didn't match the ingress host.

**Action required:** None for new deployments. Existing deployments will get the server-alias annotation on next helm upgrade.

## Risk Assessment

**Medium** — Changes ingress behavior. Test: DP→CP traffic, browser login.

## Test Plan

- [ ] Verify DP→CP gRPC traffic still works through ingress
- [ ] Verify browser login flow unchanged
- [ ] Verify organizations service endpoints respond
- [ ] `helm template` produces expected manifests

ref FAB-178, FAB-195

🤖 Generated with [Claude Code](https://claude.com/claude-code)

- `main`
- **Add selfhosted ingress identity forwarding and organizations service** :point\_left:
- \#351
- \#352
- \#353
- \#354

## Summary

- Move all OIDC/OAuth2 auth configuration into a documented `flyte.configmap.adminServer.auth` block in base values.yaml with inline Okta/Entra ID examples
- Move `adminClient.connection` to base (was duplicated in AWS/GCP overlays)
- Wire `OIDC_S2S_SCOPE` for CP S2S auth (Entra requires `/.default`, Okta uses `all`)
- Add `OIDC_BROWSER_SCOPE` for Entra browser auth (AADSTS90009 fix)
- Deprecate scattered auth globals: `OIDC_BASE_URL`, `OIDC_CLIENT_ID`, `CLI_CLIENT_ID`
- Authz templates accept both `"Union"` and `"UserClouds"` type

Stacked on #350 → #349 → #348 → main

## Migration Notes

**Auth config location changed:** All auth config now lives in `flyte.configmap.adminServer.auth` in base values.yaml. Cloud overlays no longer set auth values — terraform authn modules output complete `app_auth`/`user_auth` blocks.

**Deprecated globals:** `OIDC_BASE_URL`, `OIDC_CLIENT_ID`, `CLI_CLIENT_ID` still work but are deprecated. New deployments should use the auth block directly.

**New globals:** `OIDC_S2S_SCOPE` (default: `all`), `OIDC_BROWSER_SCOPE`, `INTERNAL_SUBJECT_ID` (default: `INTERNAL_CLIENT_ID`).

**UserClouds → Union:** Authz templates accept `type: "Union"` alongside `"UserClouds"`. Both are equivalent; `"Union"` preferred for new deployments.

## Risk Assessment

**Medium** — Restructures auth config. Verified by `compare_manifests.py` producing zero structural diffs against baseline.

## Test Plan

- [ ] `helm template` with Okta defaults produces identical auth config
- [ ] `helm template` with Entra overrides produces correct scopes/audiences
- [ ] Verify deprecated globals still work for backward compatibility
- [ ] `compare_manifests.py` zero diffs against baseline

ref FAB-178, FAB-195

🤖 Generated with [Claude Code](https://claude.com/claude-code)

- `main`
- **Consolidate auth config into base values.yaml** :point\_left:
- \#352
- \#353
- \#354
## Summary

- Move cloud-agnostic config from AWS/GCP overlays into base values.yaml
- **AWS overlay**: \~400 → 102 lines
- **GCP overlay**: 504 → 105 lines
- Base chart is now self-contained for selfhosted deployments
- Overlays reduced to only cloud-specific items: IAM, storage, region, scylla provisioner

Stacked on #351 → #350 → #349 → #348 → main

### What moved to base

- Namespace-derived FQDNs (`admin.endpoint`, `rootTenantURLPattern`)
- Ingress configuration (server-alias, protectedIngress annotations)
- ingress-nginx (enabled, ClusterIP, fullnameOverride)
- Monitoring (kube\* disabled, serviceMonitor enabled)
- Image repos (default: `registry.unionai.cloud/controlplane`)
- Secrets (union-operator, union-secrets)
- ScyllaDB generic config
- envoy-gateway defaults

### What stays in overlays (\~100 lines each)

- Cloud region, DB, storage bucket, IAM identifiers
- `flyte.storage` (type:s3/gcs, region/projectId)
- IAM annotations (IRSA / Workload Identity)
- scylla storageClass provisioner
- dataproxy endpoint, artifacts stow config

## Migration Notes

**Base chart is now self-contained:** New selfhosted deployments only need cloud-specific overlay values (IAM, storage, DB).

**Image repository default:** Base defaults to `registry.unionai.cloud/controlplane`. Internal deployments using ECR must set `IMAGE_REPOSITORY_PREFIX` via terraform.

**Namespace-derived FQDNs:** Services use `{{ .Release.Namespace }}` instead of hardcoded values. Resolves identically in standard deployments.

## Risk Assessment

**Higher** — Touches most of values.yaml. Verified by `compare_manifests.py` producing zero structural diffs against baseline from `mike/overlay-consolidated-backup-2026-04-20`.

## Test Plan

- [ ] `helm template` with AWS overlay produces identical manifests to baseline
- [ ] `helm template` with GCP overlay produces identical manifests to baseline
- [ ] `compare_manifests.py` zero diffs against baseline
- [ ] Deploy to identity-testing environment and verify all services healthy

ref FAB-178, FAB-195, FAB-276

🤖 Generated with [Claude Code](https://claude.com/claude-code)

- `main`
- **Move generic selfhosted config from overlays to base values.yaml** :point\_left:
- \#353
- \#354
## Summary

- Overhaul authorizer row in union-controlplane-overview dashboard for standardized `BackendMetrics`
- Fix metric name mismatches, query bugs, and Authorizer Mode value mappings
- Add `identity_type` breakdown (User/App/External/Unknown) to auth panels
- Add proper units (ops, ms, percentunit), thresholds, and zero-state handling
- Fix legendFormat double-escaping
- Remove "(V1 + V2)" labels from row titles
- Regenerate test snapshots

Stacked on #352 → #351 → #350 → #349 → #348 → main

## Migration Notes

**Dashboard auto-updates:** Deployed via ConfigMap sidecar — updates on next helm upgrade.

**New metrics required:** Panels reference `authz_backend_*` metrics from standardized `BackendMetrics`. Emitted by cloud v2026.4.x+. Older versions show "No data" for backend panels.

## Risk Assessment

**Low** — Dashboard JSON only + generated test snapshots.

## Test Plan

- [ ] Dashboard loads in Grafana without errors
- [ ] Panels show data with cloud v2026.4.x+
- [ ] Zero-state panels show "0" instead of "No data"
- [ ] `make generate-expected` matches committed snapshots

ref FAB-178

🤖 Generated with [Claude Code](https://claude.com/claude-code)

- `main`
- **Update authorizer dashboard: standardized backend metrics** :point\_left:
- \#354
Add dedicated templates for flyteadmin and flyteconsole that render identically to the flyte-core subchart output. The subchart is now suppressed by default via `flyte.useDirectTemplates: true`.

New templates:
- templates/flyteadmin/ — configmap, deployment, hpa, rbac, secret, service, secret-auth (7 files)
- templates/flyteconsole/ — configmap, deployment, service (3 files)

Absorbed subchart helpers into _flyte-core.tpl:
- storage.base, storage (S3/GCS/sandbox/custom)
- databaseSecret.volume, databaseSecret.volumeMount
- flyteadmin.podLabels, flyteconsole.* helpers
- flyte.chart (now uses controlplane chart identity)

Values changes:
- flyte.useDirectTemplates: true (default on, opt-out with false)
- flyte.flyteadmin.enabled: false (subchart suppressed)
- flyte.flyteconsole.enabled: false (subchart suppressed)
- flyte.secrets.adminOauthClientCredentials.enabled: false

**Breaking change — requires `helm upgrade --force`:**
Labels on flyteadmin/flyteconsole resources change:
- `helm.sh/chart` changes from `flyte-core-v1.16.1` to `controlplane-<version>`
- `app.kubernetes.io/managed-by: Helm` is now included (was commented out)

Selector labels (`app.kubernetes.io/name`, `app.kubernetes.io/instance`) are unchanged, so pod scheduling is not affected.

**Legacy subchart behavior:**
Set `flyte.useDirectTemplates: false` and re-enable `flyte.flyteadmin.enabled: true`, `flyte.flyteconsole.enabled: true`, `flyte.secrets.adminOauthClientCredentials.enabled: true`.

ref FAB-277

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
## Summary

- `flyte-core` v1.16.1 subchart with equivalent direct templates in `templates/flyteadmin/` and `templates/flyteconsole/`
- `_flyte-core.tpl`
- `flyte.useDirectTemplates: true` (default on, opt-out with `false`)

Stacked on #353 → #352 → #351 → #350 → #349 → #348 → main

## Why

The `flyte-core` subchart ships ~40 templates but only ~10 render. It creates coupling problems: values scoped under `.Values.flyte.*`, helper collisions, can't modify templates without forking. Direct templates give us full control.

## What Changed

New files (10):

- `templates/flyteadmin/` — configmap, deployment, hpa, rbac, secret, service, secret-auth
- `templates/flyteconsole/` — configmap, deployment, service

Modified:

- `_flyte-core.tpl` — canonical helpers (storage, databaseSecret, labels for flyteadmin/flyteconsole/cacheservice)
- `values.yaml` — `flyte.useDirectTemplates: true`, subchart components disabled

## Migration Notes

Breaking change — requires `helm upgrade --force`:

Labels on flyteadmin/flyteconsole resources change:

- `helm.sh/chart` → `controlplane-<version>` (was `flyte-core-v1.16.1`)
- `app.kubernetes.io/managed-by: Helm` now included (was commented out)

Selector labels unchanged — no pod scheduling impact.

Legacy fallback: Set `flyte.useDirectTemplates: false` + re-enable subchart flags.

## Verification

Structured YAML comparison of every rendered resource confirms zero functional diff after normalizing expected label changes and configChecksum. Test snapshots updated (3380+/3380- = reordering + labels only).

## Risk Assessment

Medium — Labels change requires `--force` upgrade. Functionally identical output verified by automated comparison.

## Test Plan

- `helm template` with AWS overlay — all resources match
- `helm template` with GCP overlay — renders cleanly
- `make generate-expected` — snapshots updated
- `make test` — passes
- `helm upgrade --force`

ref FAB-277
🤖 Generated with Claude Code
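
A pre-upgrade check for two points raised in this review, the duplicate `flyte-secret-auth` Secret and whether `helm upgrade --force` is actually warranted, written as an added example (it is not the project's `compare_manifests.py` or any code from this PR). It assumes two `helm template` renders as input; the sample manifests, the `union` namespace, the `cp` instance name and the `controlplane-0.0.0` version are constructed.

```ruby
require 'yaml'

# Constructed sample renders, not the chart's real output. BEFORE stands in for the
# subchart render; the namespace, instance name and chart version are made up.
BEFORE = <<~YAML
  apiVersion: apps/v1
  kind: Deployment
  metadata:
    name: flyteadmin
    namespace: union
    labels: {app.kubernetes.io/name: flyteadmin, helm.sh/chart: flyte-core-v1.16.1}
  spec:
    selector:
      matchLabels: {app.kubernetes.io/name: flyteadmin, app.kubernetes.io/instance: cp}
  ---
  apiVersion: v1
  kind: Secret
  metadata: {name: flyte-secret-auth, namespace: union}
YAML

# AFTER: direct-template labels, plus the Secret rendered twice, as happens when
# both the direct template and the subchart secret renderer are enabled.
AFTER = BEFORE.sub('helm.sh/chart: flyte-core-v1.16.1',
                   'helm.sh/chart: controlplane-0.0.0, app.kubernetes.io/managed-by: Helm') +
        "---\n" + BEFORE.split("---\n").last

# Kinds whose spec.selector cannot be changed in place (apps/v1).
IMMUTABLE_SELECTOR_KINDS = %w[Deployment StatefulSet DaemonSet].freeze

# Parse a multi-document render with safe_load, skipping empty documents.
def load_manifests(text)
  text.split(/^---\s*$/).map { |chunk| YAML.safe_load(chunk) }
      .select { |doc| doc.is_a?(Hash) && doc['kind'] }
end

# kind/namespace/name identifies one object within a render.
def resource_key(doc)
  meta = doc['metadata'] || {}
  [doc['kind'], meta['namespace'].to_s, meta['name']].join('/')
end

# Objects rendered more than once under the same identity.
def duplicate_resources(docs)
  docs.map { |d| resource_key(d) }.tally.select { |_, n| n > 1 }.keys.sort
end

# Workloads whose immutable selector differs between renders: the case for --force.
def immutable_selector_changes(before_docs, after_docs)
  old = before_docs.to_h { |d| [resource_key(d), d] }
  after_docs.select do |doc|
    prev = old[resource_key(doc)]
    prev && IMMUTABLE_SELECTOR_KINDS.include?(doc['kind']) &&
      prev.dig('spec', 'selector') != doc.dig('spec', 'selector')
  end.map { |d| resource_key(d) }
end

# Metadata label keys that changed per object; these are mutable and patch in place.
def changed_label_keys(before_docs, after_docs)
  old = before_docs.to_h { |d| [resource_key(d), d] }
  after_docs.each_with_object({}) do |doc, out|
    next unless (prev = old[resource_key(doc)])
    a = prev.dig('metadata', 'labels') || {}
    b = doc.dig('metadata', 'labels') || {}
    keys = (a.keys | b.keys).reject { |k| a[k] == b[k] }.sort
    out[resource_key(doc)] = keys unless keys.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  before, after = load_manifests(BEFORE), load_manifests(AFTER)
  puts "duplicate objects:        #{duplicate_resources(after)}"
  puts "immutable selector diffs: #{immutable_selector_changes(before, after)}"
  puts "label-only changes:       #{changed_label_keys(before, after)}"
end
```
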