Add default TypeAuthorizer routing for controlplane services#291
8181474 to 8882661
charts/controlplane/values.yaml
| # enforcement). To enable external authorization, configure TypeExternal on | ||
| # the authorizer service: | ||
| # | ||
| # services.authorizer.configMap.authorizer: |
Why can't we move this comment directly to where authorizer needs to be configured?
Good call — moved the TypeExternal config example to services.authorizer.configMap.authorizer where users actually configure it. The configMap.authorizer comment now just points to that section. See d6df680.
d360c78 to 95b786c
All non-authorizer services now route Authorize() calls to the in-cluster authorizer service by default. The authorizer service itself defaults to Noop (no enforcement). To enable external authorization, override the authorizer service config with TypeExternal pointing to a customer's gRPC authorization server. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Relocates the external authorization configuration comment from configMap.authorizer (where non-authorizer services are configured) to services.authorizer.configMap.authorizer (where users actually configure the authorizer service). Addresses PR review feedback. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The external authorization client now uses apimachinery/grpc.Config (grpcConfig) instead of flat endpoint/timeout/plaintextGrpc fields. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
95b786c to df456a7
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Picks up #293 (consolidated ingress auth annotations) which fixes ListRuns 400 on selfhosted — nginx was missing the /me auth subrequest annotations on the gRPC ingress, so browser requests had no identity headers. Conflict resolution: kept TypeAuthorizer routing (our branch) over UserClouds (main), updated authorizerEndpoint to use dns:/// scheme. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
All non-authorizer services now default to TypeAuthorizer, routing authorization calls through the in-cluster authorizer service via nginx. The authorizer service itself defaults to Noop. Documents how to configure the authorizer backend for:
- Union Cloud (UserClouds) — with full config example
- Selfhosted (External) — customer-provided gRPC authz server
Also documents UserClouds override patterns for flyteadmin and cacheservice configs.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
| # userCloudsClient: | ||
| # tenantUrl: 'http://{{ .Release.Name }}-union-authz.{{ .Release.Namespace }}.svc.cluster.local:8080' | ||
| # tenantID: '623771e7-ddd6-4575-bedb-7c970ec75b87' | ||
| # clientID: '{{ .Values.union.authz.clientID }}' |
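Review bot: `tenantID: '623771e7-ddd6-4575-bedb-7c970ec75b87'` is a hard-coded literal in this example while `clientID` is templated from `.Values.union.authz.clientID`; template the tenant ID from values the same way so the commented example does not carry an environment-specific identifier. The `tenantUrl` is also plain `http://` to the in-cluster union-authz service, which is consistent with the plaintext in-cluster gRPC used elsewhere in this PR, but the comment should say that this is intentional for in-cluster traffic only.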
Can we not use the existing internal service to service OAuth App?
| # For Union Cloud deployments, set type to "UserClouds": | ||
| # authorizer: | ||
| # type: "UserClouds" | ||
| # userCloudsClient: |
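Review bot: the comment tells operators to set `type: "UserClouds"` but does not mention that, once templates/authz are gated on that value (as a later commit in this PR does), the same setting also deploys the union-authz (userclouds-lite) pods; add a sentence here so the side effect is discoverable from values.yaml rather than only from the templates.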
It would probably make sense and be less confusing for customers to just uncomment config that they should never worry about. It's gated on type: UserClouds
Change authorizerEndpoint from nginx ingress controller to the authorizer service directly. The nginx path applies /me auth subrequests to all protected-grpc routes including internal AuthorizerService calls, causing 401s on service-to-service Authorize() calls that don't carry browser cookies. Direct routing bypasses this — internal services talk to the authorizer over plain gRPC without nginx auth interference. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Migrate from bare `authorizerEndpoint` string to structured `authorizerClient` with `grpcConfig` (host, insecure, etc.) and `forwardHeaders`. This matches the ExternalClient config pattern and allows transport settings to be configured via values. Sets `insecure: true` for direct plaintext gRPC to the authorizer service, and explicitly lists forwarded metadata headers. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Remove the `global.AUTHZ_TYPE` variable and all derived logic:
- Remove the forced Noop override in _helpers.tpl that stomped on any authorizer type set via values overlays
- Replace AUTHZ_TYPE guards in templates/authz/* with union.authz.enabled (controls UserClouds sidecar pods only)
- Remove AUTHZ_TYPE from global defaults
Authorization mode is now configured solely through services.authorizer.configMap.authorizer.type and the corresponding client config (authorizerClient, externalClient, userCloudsClient). No global flag needed.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace union.authz.enabled with a check on services.authorizer.configMap.authorizer.type == "UserClouds". The union-authz (userclouds-lite) pods now auto-deploy when the authorizer backend is set to UserClouds — no separate enable flag. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
a120b88 to f16f8f6
Summary
- Non-authorizer services default to `TypeAuthorizer`, routing Authorize() calls to the in-cluster authorizer service
- The authorizer service itself defaults to `TypeNoop` (no enforcement)
- `TypeExternal` for customer-provided authorization servers
- `fullnameOverride | default "authorizer"` for robustness

This moves generic authorization routing config that was previously injected by Terraform overlays into the helm chart defaults. A follow-up cloud PR will remove the redundant Terraform overrides.
Test plan
- `helm template` renders correct authorizer config in all service ConfigMaps
- Authorizer service has `type: Noop` (not routing to itself)

🤖 Generated with Claude Code
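A check for the invariants this test plan describes (callers route to the in-cluster authorizer, the authorizer itself stays Noop rather than routing to itself, plaintext gRPC only for in-cluster hops), as an added example that is not part of the PR or the chart. The type strings "Authorizer" and "External", the key layout of the client blocks, and the sample rendering are assumptions taken from the commit messages above, not confirmed chart output.

```python
"""Lint the authorizer block of rendered controlplane ConfigMaps.
Added example, not chart code. Assumed (unconfirmed here): type strings
"Authorizer"/"Noop"/"External"/"UserClouds" and the client blocks named below.
"""

# Client block and keys each authorizer type needs to be usable.
REQUIRED_CLIENT = {
    "Authorizer": ("authorizerClient", ("grpcConfig", "forwardHeaders")),
    "External": ("externalClient", ("grpcConfig",)),
    "UserClouds": ("userCloudsClient", ("tenantUrl", "tenantID", "clientID")),
}


def lint_authorizer(services):
    """services: service name -> its ConfigMap 'authorizer' block. Returns findings."""
    findings = []
    for name, authz in services.items():
        typ = authz.get("type")
        if name == "authorizer" and typ == "Authorizer":
            findings.append(f"{name}: type Authorizer routes the authorizer to itself")
        if typ == "Noop":
            if name != "authorizer":  # enforcement silently off on a caller
                findings.append(f"{name}: Noop disables enforcement on a non-authorizer service")
            continue
        if typ not in REQUIRED_CLIENT:
            findings.append(f"{name}: missing or unknown authorizer type {typ!r}")
            continue
        block, keys = REQUIRED_CLIENT[typ]
        client = authz.get(block) or {}
        for key in keys:
            if key not in client:
                findings.append(f"{name}: {block}.{key} is required for type {typ}")
        if "grpcConfig" in keys:
            grpc = client.get("grpcConfig") or {}
            host = grpc.get("host", "")
            if not host.startswith("dns:///"):
                findings.append(f"{name}: {block}.grpcConfig.host should use the dns:/// scheme")
            # Heuristic: plaintext gRPC is tolerable only for in-cluster hops.
            if grpc.get("insecure") and ".svc.cluster.local" not in host:
                findings.append(f"{name}: insecure=true to an out-of-cluster host {host}")
    return findings


# Constructed sample rendering (namespace, port and header list are made up).
SAMPLE = {
    "flyteadmin": {"type": "Authorizer", "authorizerClient": {"forwardHeaders": ["authorization"],
        "grpcConfig": {"host": "dns:///authorizer.flyte.svc.cluster.local:8089", "insecure": True}}},
    "authorizer": {"type": "Noop"},
    "cacheservice": {"type": "External",
        "externalClient": {"grpcConfig": {"host": "authz.example.com:443", "insecure": True}}},
}
```

Run `lint_authorizer` over the `authorizer` blocks parsed out of `helm template` output; an empty list means the rendering satisfies the checks above.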