Add Auth support to Helm chart
- Move grpc routes into template function

Based on
- 840f250 Add Auth Ingress endpoints (#982)
- 1ede375 Authentication Config Examples (#970)
- 77941a3 explicitly grant flyteworkflow finalizer permissions to flytepropeller (#930)

Signed-off-by: Sören Brunk <soeren@brunk.io>
sbrunk committed May 7, 2021
1 parent 648c2cc commit f3e3388
Showing 6 changed files with 200 additions and 126 deletions.
143 changes: 82 additions & 61 deletions helm/templates/admin/deployment.yaml
Expand Up @@ -18,57 +18,73 @@ spec:
labels: {{ include "flyteadmin.labels" . | nindent 8 }}
spec:
initContainers:
{{- if .Values.postgres.enabled }}
- name: check-db-ready
image: postgres:10.16-alpine
command:
- sh
- -c
- until pg_isready -h postgres -p 5432; do echo waiting for database; sleep 2; done;
{{- end }}
- command:
- flyteadmin
- --config
- {{ .Values.flyteadmin.configPath }}
- migrate
- run
image: "{{ .Values.flyteadmin.image.repository }}:{{ .Values.flyteadmin.image.tag }}"
imagePullPolicy: "{{ .Values.flyteadmin.image.pullPolicy }}"
name: run-migrations
volumeMounts: {{- include "databaseSecret.volumeMount" . | nindent 8 }}
- mountPath: /etc/flyte/config
name: config-volume
- command:
- flyteadmin
- --config
- {{ .Values.flyteadmin.configPath }}
- migrate
- seed-projects
- flytesnacks
- flytetester
- flyteexamples
image: "{{ .Values.flyteadmin.image.repository }}:{{ .Values.flyteadmin.image.tag }}"
imagePullPolicy: "{{ .Values.flyteadmin.image.pullPolicy }}"
name: seed-projects
volumeMounts: {{- include "databaseSecret.volumeMount" . | nindent 8 }}
- mountPath: /etc/flyte/config
name: config-volume
{{- if .Values.cluster_resource_manager.enabled }}
- command:
- flyteadmin
- --config
- {{ .Values.flyteadmin.configPath }}
- clusterresource
- sync
image: "{{ .Values.flyteadmin.image.repository }}:{{ .Values.flyteadmin.image.tag }}"
imagePullPolicy: "{{ .Values.flyteadmin.image.pullPolicy }}"
name: sync-cluster-resources
volumeMounts: {{- include "databaseSecret.volumeMount" . | nindent 8 }}
- mountPath: /etc/flyte/clusterresource/templates
name: resource-templates
- mountPath: /etc/flyte/config
name: config-volume
{{- end }}
{{- if .Values.postgres.enabled }}
- name: check-db-ready
image: postgres:10.16-alpine
command:
- sh
- -c
- until pg_isready -h postgres -p 5432; do echo waiting for database; sleep 2; done;
{{- end }}
- command:
- flyteadmin
- --config
- {{ .Values.flyteadmin.configPath }}
- migrate
- run
image: "{{ .Values.flyteadmin.image.repository }}:{{ .Values.flyteadmin.image.tag }}"
imagePullPolicy: "{{ .Values.flyteadmin.image.pullPolicy }}"
name: run-migrations
volumeMounts: {{- include "databaseSecret.volumeMount" . | nindent 8 }}
- mountPath: /etc/flyte/config
name: config-volume
- command:
- flyteadmin
- --config
- {{ .Values.flyteadmin.configPath }}
- migrate
- seed-projects
- flytesnacks
- flytetester
- flyteexamples
image: "{{ .Values.flyteadmin.image.repository }}:{{ .Values.flyteadmin.image.tag }}"
imagePullPolicy: "{{ .Values.flyteadmin.image.pullPolicy }}"
name: seed-projects
volumeMounts: {{- include "databaseSecret.volumeMount" . | nindent 8 }}
- mountPath: /etc/flyte/config
name: config-volume
{{- if .Values.cluster_resource_manager.enabled }}
- command:
- flyteadmin
- --config
- {{ .Values.flyteadmin.configPath }}
- clusterresource
- sync
image: "{{ .Values.flyteadmin.image.repository }}:{{ .Values.flyteadmin.image.tag }}"
imagePullPolicy: "{{ .Values.flyteadmin.image.pullPolicy }}"
name: sync-cluster-resources
volumeMounts: {{- include "databaseSecret.volumeMount" . | nindent 8 }}
- mountPath: /etc/flyte/clusterresource/templates
name: resource-templates
- mountPath: /etc/flyte/config
name: config-volume
{{- end }}
- name: generate-secrets
image: "{{ .Values.flyteadmin.image.repository }}:{{ .Values.flyteadmin.image.tag }}"
imagePullPolicy: "{{ .Values.flyteadmin.image.pullPolicy }}"
command: ["/bin/sh", "-c"]
args:
[
"flyteadmin --config={{ .Values.flyteadmin.configPath }} secrets init --localPath /etc/secrets/auth && flyteadmin --config=/etc/flyte/config/*.yaml secrets create --fromPath /etc/secrets/auth",
]
volumeMounts:
- name: config-volume
mountPath: /etc/flyte/config
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
containers:
- command:
- flyteadmin
Expand All @@ -90,6 +106,8 @@ spec:
name: shared-data
- mountPath: /etc/flyte/config
name: config-volume
- name: auth
mountPath: /etc/secrets/
- command:
- sh
- -c
Expand All @@ -112,16 +130,19 @@ spec:
memory: 200Mi
serviceAccountName: {{ template "flyteadmin.name" . }}
volumes: {{- include "databaseSecret.volume" . | nindent 6 }}
- emptyDir: {}
name: shared-data
- configMap:
name: flyte-admin-config
name: config-volume
{{- if .Values.cluster_resource_manager.enabled }}
- configMap:
name: clusterresource-template
name: resource-templates
{{- end }}
- emptyDir: {}
name: shared-data
- configMap:
name: flyte-admin-config
name: config-volume
{{- if .Values.cluster_resource_manager.enabled }}
- configMap:
name: clusterresource-template
name: resource-templates
{{- end }}
- name: auth
secret:
secretName: flyte-admin-auth
{{- with .Values.flyteadmin.nodeSelector }}
nodeSelector: {{ toYaml . | nindent 8 }}
{{- end }}
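Review bot: The `auth` volume added at the end of this section references `flyte-admin-auth` without `optional: true`, yet that Secret is what the new `generate-secrets` init container writes; volumes are mounted before any init container starts, so unless the chart pre-creates the Secret somewhere not shown here, the pod sits in ContainerCreating on a missing-secret mount and the init container never runs. Declaring the volume as `secret:` / `secretName: flyte-admin-auth` / `optional: true` lets the pod start and pick up the keys once they exist. `secrets create` also writes a Secret into `POD_NAMESPACE`, which needs `create`/`update` on `secrets` for the flyteadmin ServiceAccount; the admin RBAC is not touched by this commit, so confirm it is granted. Finally, the init container's second command passes `--config=/etc/flyte/config/*.yaml` while the first uses `{{ .Values.flyteadmin.configPath }}`; using the value in both avoids relying on shell globbing and on the two paths resolving to the same files.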
102 changes: 40 additions & 62 deletions helm/templates/common/ingress.yaml
@@ -1,3 +1,36 @@
{{- define "grpcRoutes" -}}
# NOTE: Port 81 in flyteadmin is the GRPC server port for FlyteAdmin.
- path: /flyteidl.service.AdminService
pathType: ImplementationSpecific
backend:
serviceName: flyteadmin
servicePort: 81
- path: /flyteidl.service.AdminService/*
pathType: ImplementationSpecific
backend:
serviceName: flyteadmin
servicePort: 81
- path: /flyteidl.service.AuthMetadataService
pathType: ImplementationSpecific
backend:
serviceName: flyteadmin
servicePort: 81
- path: /flyteidl.service.AuthMetadataService/*
pathType: ImplementationSpecific
backend:
serviceName: flyteadmin
servicePort: 81
- path: /flyteidl.service.IdentityService
pathType: ImplementationSpecific
backend:
serviceName: flyteadmin
servicePort: 81
- path: /flyteidl.service.IdentityService/*
pathType: ImplementationSpecific
backend:
serviceName: flyteadmin
servicePort: 81
{{- end }}
{{- if .Values.common.ingress.enabled }}
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
Expand Down Expand Up @@ -69,6 +102,11 @@ spec:
backend:
serviceName: flyteadmin
servicePort: 80
- path: /.well-known
pathType: ImplementationSpecific
backend:
serviceName: flyteadmin
servicePort: 80
- path: /.well-known/*
pathType: ImplementationSpecific
backend:
Expand Down Expand Up @@ -120,37 +158,7 @@ spec:
serviceName: flyteadmin
servicePort: 80
{{- if not .Values.common.ingress.separateGrpcIngress }}
# NOTE: Port 81 in flyteadmin is the GRPC server port for FlyteAdmin.
- path: /flyteidl.service.AdminService
pathType: ImplementationSpecific
backend:
serviceName: flyteadmin
servicePort: 81
- path: /flyteidl.service.AdminService/*
pathType: ImplementationSpecific
backend:
serviceName: flyteadmin
servicePort: 81
- path: /flyteidl.service.AuthMetadataService
pathType: ImplementationSpecific
backend:
serviceName: flyteadmin
servicePort: 81
- path: /flyteidl.service.AuthMetadataService/*
pathType: ImplementationSpecific
backend:
serviceName: flyteadmin
servicePort: 81
- path: /flyteidl.service.IdentityService
pathType: ImplementationSpecific
backend:
serviceName: flyteadmin
servicePort: 81
- path: /flyteidl.service.IdentityService/*
pathType: ImplementationSpecific
backend:
serviceName: flyteadmin
servicePort: 81
{{- include "grpcRoutes" . | nindent 10 -}}
{{- end }}
{{- with .Values.common.ingress.host }}
host: {{ . }}
Expand Down Expand Up @@ -190,37 +198,7 @@ spec:
path: /*
pathType: ImplementationSpecific
{{- end }}
# NOTE: Port 81 in flyteadmin is the GRPC server port for FlyteAdmin.
- path: /flyteidl.service.AdminService
pathType: ImplementationSpecific
backend:
serviceName: flyteadmin
servicePort: 81
- path: /flyteidl.service.AdminService/*
pathType: ImplementationSpecific
backend:
serviceName: flyteadmin
servicePort: 81
- path: /flyteidl.service.AuthMetadataService
pathType: ImplementationSpecific
backend:
serviceName: flyteadmin
servicePort: 81
- path: /flyteidl.service.AuthMetadataService/*
pathType: ImplementationSpecific
backend:
serviceName: flyteadmin
servicePort: 81
- path: /flyteidl.service.IdentityService
pathType: ImplementationSpecific
backend:
serviceName: flyteadmin
servicePort: 81
- path: /flyteidl.service.IdentityService/*
pathType: ImplementationSpecific
backend:
serviceName: flyteadmin
servicePort: 81
{{- include "grpcRoutes" . | nindent 10 -}}
{{- with .Values.common.ingress.host }}
host: {{ . }}
{{- end }}
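Review bot: The named template at the top of the file is defined as bare `grpcRoutes` with no chart prefix; Helm named templates are global across a release, so a parent or subchart that defines the same name silently replaces this one and the gRPC routes would render from someone else's definition. Prefix it the way the chart's other helpers already are (`flyteadmin.labels`, `flytepropeller.name`), e.g. `{{- define "flyte.grpcRoutes" -}}` and `{{- include "flyte.grpcRoutes" . | nindent 10 -}}` at both call sites. A one-line comment above the define stating that it must be included under a `paths:` list at the same depth at both call sites (the `nindent 10` is hard-coded) would also spare the next person who adds a third ingress rule.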
9 changes: 7 additions & 2 deletions helm/templates/propeller/deployment.yaml
Expand Up @@ -37,13 +37,18 @@ spec:
- containerPort: 10254
resources: {{ toYaml .Values.flytepropeller.resources | nindent 10 }}
volumeMounts:
- mountPath: /etc/flyte/config
name: config-volume
- name: config-volume
mountPath: /etc/flyte/config
- name: auth
mountPath: /etc/secrets/
serviceAccountName: {{ template "flytepropeller.name" . }}
volumes:
- configMap:
name: flyte-propeller-config
name: config-volume
- name: auth
secret:
secretName: flyte-propeller-auth
{{- with .Values.flytepropeller.nodeSelector }}
nodeSelector: {{ toYaml . | nindent 8 }}
{{- end }}
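Review bot: The new `auth` volume mounts Secret `flyte-propeller-auth` without `optional: true`, and nothing in the files rendered here creates that Secret — there is no `generate-secrets` init container on the propeller side and no Secret template in this commit. If it is not created elsewhere in the chart, the pod blocks in ContainerCreating on a missing-secret mount rather than failing with a clear message. Either add `optional: true` under `secret:` so propeller can start without auth material, or document in `values.yaml` that the operator must pre-create `flyte-propeller-auth` with the client credentials before installing. The mount at `/etc/secrets/` would also benefit from a comment naming which file(s) propeller expects there, since the key names are not visible in this commit.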
6 changes: 6 additions & 0 deletions helm/templates/propeller/rbac.yaml
Expand Up @@ -18,6 +18,7 @@ metadata:
name: {{ template "flytepropeller.name" . }}
labels: {{ include "flytepropeller.labels" . | nindent 4 }}
rules:
# Allow RO access to PODS
- apiGroups:
- ""
resources:
Expand All @@ -26,6 +27,7 @@ rules:
- get
- list
- watch
# Allow Event recording access
- apiGroups:
- ""
resources:
Expand All @@ -35,6 +37,7 @@ rules:
- update
- delete
- patch
# Allow Access All plugin objects
- apiGroups:
- '*'
resources:
Expand All @@ -47,6 +50,7 @@ rules:
- update
- delete
- patch
# Allow Access to CRD
- apiGroups:
- apiextensions.k8s.io
resources:
Expand All @@ -58,10 +62,12 @@ rules:
- create
- delete
- update
# Allow Access to all resources under flyte.lyft.com
- apiGroups:
- flyte.lyft.com
resources:
- flyteworkflows
- flyteworkflows/finalizers
verbs:
- get
- list
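Review bot: The added comment `# Allow Access to all resources under flyte.lyft.com` overstates the rule beneath it, which lists only `flyteworkflows` and `flyteworkflows/finalizers`; someone auditing this role will read broader access than is actually granted. Change it to `# Allow access to FlyteWorkflow objects and their finalizers`. The comment `# Allow Access All plugin objects` sits on a rule with `apiGroups: '*'` and write verbs (its resource list is collapsed here); if the resources are also a wildcard, say so explicitly, e.g. `# Allow full access to plugin objects in every API group (wildcard — scope down once the plugin set is known)`, because a bare "plugin objects" label hides how broad the grant is.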
20 changes: 20 additions & 0 deletions helm/values-gcp.yaml
Expand Up @@ -6,11 +6,31 @@ common:
databaseSecret: {}
ingress:

# -----------------------------------------------------
# Core dependencies that should be configured for Flyte to work on any platform
# Specifically 2 - Storage (s3, gcs etc), Production RDBMS - Aurora, CloudSQL etc
# ------------------------------------------------------
#
# STORAGE SETTINGS
#

storage:
# -- Sets the storage type. Supported values are sandbox, s3, gcs and custom.
type: gcs
# -- bucketName defines the storage bucket flyte will use. Required for all types except for sandbox.
bucketName: <BUCKET_NAME>
gcs:
projectId: <GOOGLE_PROJECT_ID>

#
# CONFIGMAPS
#

configmap:
remoteData:
remoteData:
scheme: "gcp"

tasks:
max-plugin-phase-versions: 1000000
task-plugins:
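Review bot: The placeholders `<BUCKET_NAME>` and `<GOOGLE_PROJECT_ID>` are valid plain YAML strings, so `helm install -f values-gcp.yaml` without overrides renders a release that points at a bucket literally named `<BUCKET_NAME>` instead of failing, and nothing in this file signals that the values are mandatory. Add a comment above each, e.g. `# -- REQUIRED: replace with your bucket name; the chart does not validate this placeholder`, or have the storage template guard them with `required` (outside this diff). The nested `remoteData:` / `remoteData:` under `configmap:` reads like a duplicated key; if the outer one is the ConfigMap entry name and the inner the config section, a short comment saying so would stop the next reader from "fixing" it.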