Add identity injection and header forwarding for selfhosted deployments #263
Draft
This was referenced Mar 3, 2026
Add `namespace_mapping.template` to aws and fully-selfhosted test values to verify the canonical value cascades correctly to all service configmaps (clusterresourcesync, executor, propeller, operator). Azure test values already set per-service overrides (`config.namespace_config`, `config.operator.org`), which confirms backward compat (overrides take precedence over the top-level value).

towards RUN-102

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Adds commented-out identity injection config that maps OAuth/OIDC claims to pod annotations and environment variables. Uses YAML anchors to define the mapping once and reference it for both flyteadmin and executions configmaps. Includes a new selfhosted-intracluster test with generated golden file so reviewers can inspect the rendered configmap output.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add comments explaining that identity injection reads from the access token, not the ID token. Many IdPs (e.g. Okta) require explicit authorization server configuration to include claims like preferred_username in access tokens.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The V2 UI authenticates via cookies (credentials: 'include'), not Authorization headers. Nginx validates auth by calling /me, which returns X-User-Subject in response headers, but auth-response-headers only forwarded Set-Cookie — identity headers were silently dropped. This caused ResolveCallerSubject to return empty, resulting in "Unknown Owner" for all V2 UI-initiated runs (FAB-92).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary

Adds identity injection configuration and auth header forwarding for self-hosted deployments.

- `_identityInjectionYAML` anchor with default claim-to-annotation/env-var mappings for both AWS and GCP selfhosted values
- Identity headers (`X-User-Subject`, `X-User-Claim-Identitytype`, `X-User-Claim-Preferred-Username`) forwarded from the `/me` auth subrequest to upstream services via the `auth-response-headers` annotation

Identity injection mappings (commented out, opt-in)

- `preferred_username` → `union.ai/created-by` annotation
- `email` → `union.ai/user-email` annotation
- `sub` → `UNION_USER_SUBJECT` env var
- `preferred_username` → `UNION_USER_EMAIL` env var

Related PRs

Test plan

- `helm template` renders correctly
- `X-User-*` headers are forwarded through nginx to upstream services

🤖 Generated with Claude Code
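The header-forwarding change that the FAB-92 commit and the Summary describe, shown as an added example that is not part of this PR or the project's Helm chart: two ingress-nginx `Ingress` objects, one with the `auth-response-headers` setting that only copied `Set-Cookie` from the `/me` auth subrequest (so the identity headers never reached the upstream), and one listing the `X-User-*` headers so they are forwarded. The hostname, service name and port, resource names and the `/me` auth URL are assumed placeholders; the annotation keys are the standard ingress-nginx ones.

```yaml
# Added example (not from the PR or the project's chart). Host, service name,
# port, resource names and the /me auth URL below are assumed placeholders.
#
# BEFORE: nginx authenticates each request with a subrequest to /me (auth-url),
# but only Set-Cookie is copied from the /me response onto the proxied request.
# The X-User-Subject and X-User-Claim-* headers that /me returns are dropped,
# so the upstream cannot resolve the caller's subject.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: union-v2-ui-before                       # placeholder name
  annotations:
    nginx.ingress.kubernetes.io/auth-url: "https://auth.example.internal/me"   # placeholder
    nginx.ingress.kubernetes.io/auth-response-headers: "Set-Cookie"
spec:
  ingressClassName: nginx
  rules:
    - host: union.example.internal               # placeholder host
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: union-v2-ui                # placeholder service
                port:
                  number: 80
---
# AFTER: the identity headers returned by /me are listed alongside Set-Cookie.
# ingress-nginx captures each listed header from the auth subrequest response
# and sets it on the proxied request, so the upstream receives the subject
# that nginx just verified instead of an empty value.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: union-v2-ui-after                        # placeholder name
  annotations:
    nginx.ingress.kubernetes.io/auth-url: "https://auth.example.internal/me"   # placeholder
    nginx.ingress.kubernetes.io/auth-response-headers: "Set-Cookie,X-User-Subject,X-User-Claim-Identitytype,X-User-Claim-Preferred-Username"
spec:
  ingressClassName: nginx
  rules:
    - host: union.example.internal               # placeholder host
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: union-v2-ui                # placeholder service
                port:
                  number: 80
```

One way to confirm the second form took effect: the `nginx.conf` rendered inside the ingress controller pod gains an `auth_request_set` / `proxy_set_header` pair for every header named in the annotation, and a request sent through the ingress should arrive at the upstream with `X-User-Subject` populated. Because ingress-nginx sets these headers from the `/me` response on every proxied request, a value the client supplies in `X-User-Subject` is overwritten on that path; the upstream should still treat the headers as trustworthy only for traffic that arrived via the ingress, not for direct in-cluster callers.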