[BUG] Necessary configuration values not exposed in Helm for working Auth0 - Flyte-Binary deployment #3660

Closed
2 tasks done
PudgyPigeon opened this issue May 10, 2023 · 0 comments
Labels
bug Something isn't working untriaged This issues has not yet been looked at by the Maintainers

PudgyPigeon commented May 10, 2023

Related issues

#3661 #3659

Describe the bug

With the current Flyte-binary Helm chart, the values.yaml file and chart templates do not allow the end-user to manually configure the settings for auth.appAuth.authServerType: External and auth.appAuth.externalAuthServer.baseUrl & metadataUrl & allowedAudience - during a helm install or helm upgrade --values values.yaml command. These settings are necessary for a working auth0 integration.

We may potentially be misguided about the procedure, but we found that we had to retrieve the configmap.yaml with kubectl; parse some fields with yq and sed; and then reapply with kubectl and then do kubectl rollout restart in order to get auth working on our EKS cluster with this flyte-binary chart.

It would be highly appreciated if these values were exposed within the helm/template/values flows for easier end-user configuration.

Expected behavior

Flyte-binary exposes these configuration values:

    appAuth:  
      authServerType: External
      externalAuthServer:
        baseUrl: AUTH0_BASE_URL
        metadataUrl: .well-known/openid-configuration
        allowedAudience: AUTH0_AUDIENCE
      thirdPartyConfig:
        flyteClient:
          clientId: AUTH0_CLIENT_ID
          redirectUri: http://localhost:53593/callback
          audience: AUTH0_AUDIENCE
          scopes:
            - read:client_grants

within values.yaml as well as the templates/configmap.yaml # 004-auth.yaml

Addendum: would also be nice to expose server.security.secure as well for easy deployments

Necessary to set these values for working auth0 deployment at the moment.

Additional context to reproduce

Apply this values.yaml block to helm deployment

    auth:
      enabled: true
      enableAuthServer: false
      internal:
        clientId: <>
        clientSecret: <>
        clientSecretHash: <>
      oidc:
        baseUrl: <>
        clientId: <>
        clientSecret: <>
      flyteClient:
        clientId: <>
        redirectUri: http://localhost:53593/callback
        scopes:
          - read:client_grants
        audience: <>
      authorizedUris:
        - authorizedURIs go here

Results in failed deployment when using Auth0

The following block is the required 004-auth.yaml to pipe into flyte-binary in order to make auth0 work.

Filling in the provided Helm values without changing the template results in failed deployment with CrashLoopBackOff due to misconfiguration.

    data: |
      auth:
        userAuth:
          openId:
            clientId: AUTH0_CLIENT_ID
            baseUrl: AUTH0_BASE_URL
            scopes:
              - profile
              - openid
              - offline_access
        appAuth:
          authServerType: External
          externalAuthServer:
            baseUrl: AUTH0_BASE_URL
            metadataUrl: .well-known/openid-configuration
            allowedAudience: AUTH0_AUDIENCE
          thirdPartyConfig:
            flyteClient:
              clientId: AUTH0_CLIENT_ID
              redirectUri: http://localhost:53593/callback
              audience: AUTH0_AUDIENCE
              scopes:
                - read:client_grants
        authorizedUris:
          - AUTH0_AUDIENCE
          - LOADBALANCER_URL
          - AUTH0_BASE_URL
          - http://LOADBALANCER_GRPC_URL.svc.aiq-index.com
          - https://LOADBALANCER_GRPC_URL.svc.aiq-index.com
          - http://flyteadmin:80
          - http://flyteadmin.flyte.svc.cluster.local:80
          - http://flyteadmin.mlops-services.svc.cluster.local:80
          - http://HELM_NAME-flyte-binary.flyte.svc.cluster.local:80
          - http://HELM_NAME-flyte-binary.flyte.svc:80
          - http://HELM_NAME-flyte-binary.flyte:80
          - http://HELM_NAME-flyte-binary:80
          - http://localhost:8089
      server:
        security:
          secure: false
          useAuth: true

Screenshots

No response

Are you sure this issue hasn't been raised already?

  • Yes

Have you read the Code of Conduct?

  • Yes
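
A pre-deploy check for the appAuth fields this issue lists, as an added example that is not part of the original issue or of the Flyte project. The function names, the dict input (assumed to be the parsed contents of the rendered 004-auth.yaml) and the audience-match rule are assumptions.

```python
# Added example (not Flyte project code): pre-deploy check of a parsed 004-auth.yaml.
# REQUIRED holds the appAuth fields this issue says Auth0 needs.
REQUIRED = (
    "auth.appAuth.authServerType",
    "auth.appAuth.externalAuthServer.baseUrl",
    "auth.appAuth.externalAuthServer.metadataUrl",
    "auth.appAuth.externalAuthServer.allowedAudience",
)
UNSET = (None, "", "<>")  # "<>" is the unfilled placeholder from the values block

def lookup(cfg, dotted):
    """Follow a dotted path through nested dicts; None if any hop is missing."""
    node = cfg
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def check_auth_config(cfg):
    """Return (errors, warnings) for a config dict, e.g. from yaml.safe_load."""
    errors = [f"unset: {p}" for p in REQUIRED if lookup(cfg, p) in UNSET]
    warnings = []
    kind = lookup(cfg, "auth.appAuth.authServerType")
    if kind not in UNSET and kind != "External":
        errors.append(f"authServerType is {kind!r}, expected 'External'")
    # Assumption: the audience the client requests must be one the server allows.
    allowed = lookup(cfg, "auth.appAuth.externalAuthServer.allowedAudience")
    wanted = lookup(cfg, "auth.appAuth.thirdPartyConfig.flyteClient.audience")
    allowed_list = allowed if isinstance(allowed, list) else [allowed]
    if allowed not in UNSET and wanted not in UNSET and wanted not in allowed_list:
        warnings.append("flyteClient.audience not in allowedAudience")
    sec = lookup(cfg, "server.security") or {}
    if sec.get("useAuth") and not sec.get("secure"):
        warnings.append("useAuth with secure: false; confirm TLS terminates upstream")
    return errors, warnings

# Constructed samples: a config lacking the external-server block, and the issue's block.
HELM_ONLY = {"auth": {"appAuth": {"thirdPartyConfig": {"flyteClient": {
    "clientId": "AUTH0_CLIENT_ID", "audience": "AUTH0_AUDIENCE"}}}}}
WORKING = {"auth": {"appAuth": {
    "authServerType": "External",
    "externalAuthServer": {"baseUrl": "AUTH0_BASE_URL",
                           "metadataUrl": ".well-known/openid-configuration",
                           "allowedAudience": "AUTH0_AUDIENCE"},
    "thirdPartyConfig": {"flyteClient": {"audience": "AUTH0_AUDIENCE"}}}},
    "server": {"security": {"secure": False, "useAuth": True}}}

if __name__ == "__main__":
    print(check_auth_config(HELM_ONLY), check_auth_config(WORKING))
```

Running it against the rendered ConfigMap before `helm upgrade` surfaces the missing external-server fields as errors instead of a CrashLoopBackOff after rollout.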