Skip to content

Add OIDC auth support and documentation migration notices#244

Merged
mhotan merged 4 commits intomainfrom
mike/selfhosted-auth
Mar 3, 2026
Merged

Add OIDC auth support and documentation migration notices#244
mhotan merged 4 commits intomainfrom
mike/selfhosted-auth

Conversation

@mhotan
Copy link
Contributor

@mhotan mhotan commented Feb 19, 2026
edited by github-actions bot
Loading

Summary

Adds OIDC authentication configuration and documentation updates for self-hosted intra-cluster deployments.

OIDC Auth

  • Configure flyteadmin OIDC auth settings (useAuth, allowedAudience, issuer, client IDs) for both AWS and GCP selfhosted-intracluster values
  • Add service-to-service auth for Union CP services (executions, cluster, identity) via sharedService.auth
  • Add protected ingress annotations for nginx auth-subrequest validation
  • Route gRPC auth-url subrequests to cluster-internal flyteadmin (avoids external DNS dependency)
  • Add Kubernetes secrets configuration for flyteadmin, flyte-scheduler, and CP services

Documentation

  • Add consolidation comments to values overlay files noting common config migration to values.yaml
  • Add deprecation notices to all 4 SELFHOSTED_INTRA_CLUSTER_*.md files pointing to unionai-docs
  • Update controlplane/README.md selfhosted section to reference docs site

Related PRs

Test plan

  • helm template with auth globals produces correct flyteadmin config
  • Verify protectedIngressAnnotationsGrpc auth-url points to cluster-internal flyteadmin
  • Deploy to mike-test and verify /login, /callback, /me endpoints work
  • Verify CLI login via uctl config init + uctl get project

@mhotan mhotan mentioned this pull request Feb 19, 2026
Closed
5 tasks
@mhotan mhotan force-pushed the mike/selfhosted-controlplane branch from adc5dca to a8ab8ef Compare February 20, 2026 00:18
@mhotan mhotan force-pushed the mike/selfhosted-auth branch from 37809c4 to 7d5bb10 Compare February 20, 2026 00:18
@mhotan mhotan force-pushed the mike/selfhosted-controlplane branch from a8ab8ef to 5826315 Compare February 20, 2026 06:06
@github-actions github-actions bot mentioned this pull request Feb 20, 2026
Merged
3 tasks
@mhotan mhotan force-pushed the mike/selfhosted-auth branch from 8739e57 to 0560ee9 Compare February 20, 2026 06:08
@mhotan mhotan force-pushed the mike/selfhosted-controlplane branch from 5826315 to a8ab8ef Compare February 21, 2026 18:38
@mhotan mhotan force-pushed the mike/selfhosted-auth branch from 0560ee9 to 5341cd7 Compare February 21, 2026 18:54
@mhotan mhotan force-pushed the mike/selfhosted-controlplane branch from a8ab8ef to 0820357 Compare February 21, 2026 18:54
@github-actions github-actions bot mentioned this pull request Feb 22, 2026
Closed
3 tasks
@mhotan mhotan force-pushed the mike/selfhosted-controlplane branch from 0820357 to f102b2b Compare February 27, 2026 02:05
@mhotan mhotan force-pushed the mike/selfhosted-auth branch 2 times, most recently from b3c9d83 to ee5c015 Compare February 28, 2026 00:56
@mhotan mhotan force-pushed the mike/selfhosted-controlplane branch from f102b2b to 59e6b8b Compare February 28, 2026 00:56
@mhotan mhotan changed the title Add OIDC auth support to selfhosted-intracluster values Add OIDC auth support and documentation migration notices Feb 28, 2026
@mhotan mhotan force-pushed the mike/selfhosted-auth branch from 04fb019 to e454af1 Compare February 28, 2026 02:20
@mhotan mhotan force-pushed the mike/selfhosted-controlplane branch from e45fc2e to e1c98e2 Compare March 3, 2026 01:24
@mhotan mhotan force-pushed the mike/selfhosted-auth branch from e454af1 to 0265d61 Compare March 3, 2026 01:24
Base automatically changed from mike/selfhosted-controlplane to main March 3, 2026 01:30
@aviator-app
Copy link
Contributor

aviator-app bot commented Mar 3, 2026
edited
Loading

Current Aviator status

Aviator will automatically update this comment as the status of the PR changes.
Comment /aviator refresh to force Aviator to re-examine your PR (or learn about other /aviator commands).

This PR was merged manually (without Aviator). Merging manually can negatively impact the performance of the queue. Consider using Aviator next time.

See the real-time status of this PR on the Aviator webapp.
Use the Aviator Chrome Extension to see the status of your PR within GitHub.

mhotan and others added 4 commits March 2, 2026 17:33
@mhotan @claude
Add OIDC auth config to selfhosted-intracluster values
74f47c2 
Enable full gRPC auth enforcement:
- configMap.union.auth.enable: true (service-to-service OAuth2)
- flyte.configmap.adminServer.auth.disableForGrpc: false
- Scheduler auth secret mount (clientSecret: "placeholder", overwritten by ExternalSecret)
- Dataplane operator/propeller/CRS auth enabled
- Protected ingress annotations for nginx auth subrequest

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@mhotan @claude
Add OIDC auth to GCP selfhosted configs and update all selfhosted docs
379e23a 
- Add full OIDC/OAuth2 auth config to GCP controlplane values
  (globals, flyteadmin OIDC, service-to-service auth, ingress
  annotations, scheduler secrets, executions auth)
- Add OAuth2 auth config to GCP dataplane values (CRS, operator,
  propeller, secrets, executor)
- Add Authentication (OIDC/OAuth2) sections to all 4 SELFHOSTED
  intra-cluster docs (AWS/GCP x controlplane/dataplane)
- Remove disableForGrpc from all values files
- Use generic OIDC/OAuth2 language throughout (no provider-specific
  references)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@mhotan @claude
Route gRPC auth-url subrequests to cluster-internal flyteadmin
42b4070 
Change protectedIngressAnnotationsGrpc auth-url from
https://$host/me to http://flyteadmin.<namespace>.svc.cluster.local/me
so the nginx auth subrequest stays within the cluster network. This
avoids potential interference from corporate proxies, VPNs, or WAFs
that may intercept outbound HTTPS requests to the external hostname.

Also enable tpl rendering for protectedIngressAnnotationsGrpc
annotations so helm template expressions resolve correctly.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@mhotan @claude
Add consolidation comments and deprecation notices
de2e96c 
Add notes to selfhosted-intracluster values overlay files indicating
that common (non-cloud-specific) configuration is being migrated to
values.yaml over time.

Add deprecation notices to SELFHOSTED_INTRA_CLUSTER docs pointing
to the new canonical docs on the Union documentation site. Update
controlplane README.md to reference the docs site.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@mhotan mhotan force-pushed the mike/selfhosted-auth branch from 0265d61 to de2e96c Compare March 3, 2026 01:34
@mhotan mhotan mentioned this pull request Mar 3, 2026
Draft
3 tasks
@mhotan mhotan merged commit a732c05 into main Mar 3, 2026
4 checks passed
@mhotan mhotan deleted the mike/selfhosted-auth branch March 3, 2026 01:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ctxswitch ctxswitch ctxswitch approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mhotan @ctxswitch