[V2] Add AuthMetadataService + wire external OAuth2 auth into runs service

charts/flyte-binary/templates/_helpers.tpl

@@ -113,6 +113,35 @@ templates: {{- toYaml .custom | nindent 2 -}}
 {{- end -}}
 {{- end -}}
 
+{{/*
+Selector labels for Console
+*/}}
+{{ define "flyte-binary.consoleSelectorLabels" -}}
+{{ include "flyte-binary.selectorLabels" . }}
+app.kubernetes.io/component: console
+{{- end }}
+
+{{/*
+Get the Secret name for Run service authentication secrets. When a user
+supplies `configuration.auth.runServiceAuthSecretRef`, that existing Secret is
+referenced directly (no template is rendered); otherwise a new Secret named
+`<fullname>-admin-auth` is used.
+*/}}
+{{ define "flyte-binary.configuration.auth.runServiceAuthSecretName" -}}
+{{- if .Values.configuration.auth.runServiceAuthSecretRef -}}
+{{ tpl .Values.configuration.auth.runServiceAuthSecretRef . }}
+{{- else -}}
+{{ printf "%s-admin-auth" (include "flyte-binary.fullname" .) }}
+{{- end -}}
+{{ end -}}
+
+{{/*
+Get the Secret name for Flyte authentication client secrets.
+*/}}
+{{ define "flyte-binary.configuration.auth.clientSecretName" -}}
+{{ printf "%s-client-secrets" (include "flyte-binary.fullname" .) }}
+{{ end -}}
+
 {{/*
 Get the Flyte cluster resource templates ConfigMap name.
 */}}
@@ -131,14 +160,14 @@ Get the Flyte HTTP service name
 Get the Flyte service HTTP port.
 */}}
 {{- define "flyte-binary.service.http.port" -}}
-{{- default 8090 .Values.service.ports.http -}}
+{{- default 8080 .Values.service.ports.http -}}
 {{- end -}}
 
 {{/*
 Get the Flyte gRPC service name
 */}}
 {{- define "flyte-binary.service.grpc.name" -}}
-{{- printf "%s-http" (include "flyte-binary.fullname" .) -}}
+{{- printf "%s-grpc" (include "flyte-binary.fullname" .) -}}
 {{- end -}}
 
 {{/*
@@ -149,7 +178,11 @@ Get the Flyte service gRPC port.
 {{- end -}}
 
 {{/*
-Get the Flyte API paths for ingress.
+Get the Flyte API paths for ingress. Services whose names start with
+"Internal" (e.g. InternalRunService) plus ActionsService are intended for
+intra-cluster traffic from task pods only; they are deliberately NOT exposed
+via the external ALB ingress here. The Go auth middleware allowlists them so
+cluster-internal ClusterIP calls reach them without credentials.
 */}}
 {{- define "flyte-binary.ingress.grpcPaths" -}}
 - /flyteidl2.workflow.RunService
@@ -158,12 +191,20 @@ Get the Flyte API paths for ingress.
 - /flyteidl2.task.TaskService/*
 - /flyteidl2.workflow.TranslatorService
 - /flyteidl2.workflow.TranslatorService/*
-- /flyteidl2.actions.ActionsService
-- /flyteidl2.actions.ActionsService/*
 - /flyteidl2.dataproxy.DataProxyService
 - /flyteidl2.dataproxy.DataProxyService/*
 - /flyteidl2.secret.SecretService
 - /flyteidl2.secret.SecretService/*
+- /flyteidl2.project.ProjectService
+- /flyteidl2.project.ProjectService/*
+- /flyteidl2.app.AppService
+- /flyteidl2.app.AppService/*
+- /flyteidl2.trigger.TriggerService
+- /flyteidl2.trigger.TriggerService/*
+- /flyteidl2.auth.AuthMetadataService
+- /flyteidl2.auth.AuthMetadataService/*
+- /flyteidl2.auth.IdentityService
+- /flyteidl2.auth.IdentityService/*
 {{- end -}}
 
 {{/*

charts/flyte-binary/templates/clusterrole.yaml

@@ -19,6 +19,15 @@ metadata:
     {{- tpl ( .Values.rbac.annotations | toYaml ) . | nindent 4 }}
     {{- end }}
 rules:
+  - apiGroups:
+    - ""
+    resources:
+    - namespaces
+    verbs:
+    - create
+    - get
+    - list
+    - watch
   - apiGroups:
     - ""
     resources:
@@ -33,17 +42,23 @@ rules:
     - watch
   - apiGroups:
     - ""
+    - events.k8s.io
     resources:
     - events
     verbs:
     - create
     - delete
+    - get
+    - list
     - patch
     - update
+    - watch
   - apiGroups:
     - flyte.org
     resources:
     - taskactions
+    - taskactions/status
+    - taskactions/finalizers
     verbs:
     - create
     - delete
@@ -69,8 +84,12 @@ rules:
     - secrets
     verbs:
     - create
+    - delete
     - get
+    - list
+    - patch
     - update
+    - watch
   {{- if .Values.rbac.extraRules }}
   {{- toYaml .Values.rbac.extraRules | nindent 2 }}
   {{- end }}

charts/flyte-binary/templates/config-secret.yaml

@@ -4,19 +4,19 @@ kind: Secret
 metadata:
   name: {{ include "flyte-binary.configuration.configSecretName" . }}
   namespace: {{ .Release.Namespace | quote }}
-  labels: {{- include "flyte-binary.labels" . | nindent 4 }}
+  labels: {{ include "flyte-binary.labels" . | nindent 4 }}
     {{- if .Values.commonLabels }}
-    {{- tpl ( .Values.commonLabels | toYaml ) . | nindent 4 }}
+    {{ tpl ( .Values.commonLabels | toYaml ) . | nindent 4 }}
     {{- end }}
     {{- if .Values.configuration.labels }}
-    {{- tpl ( .Values.configuration.labels | toYaml ) . | nindent 4 }}
+    {{ tpl ( .Values.configuration.labels | toYaml ) . | nindent 4 }}
     {{- end }}
   annotations:
     {{- if .Values.commonAnnotations }}
-    {{- tpl ( .Values.commonAnnotations | toYaml ) . | nindent 4 }}
+    {{ tpl ( .Values.commonAnnotations | toYaml ) . | nindent 4 }}
     {{- end }}
     {{- if .Values.configuration.annotations }}
-    {{- tpl ( .Values.configuration.annotations | toYaml ) . | nindent 4 }}
+    {{ tpl ( .Values.configuration.annotations | toYaml ) . | nindent 4 }}
     {{- end }}
 type: Opaque
 stringData:
@@ -25,6 +25,10 @@ stringData:
     database:
       postgres:
         password: {{ .Values.configuration.database.password | quote }}
+    runs:
+      database:
+        postgres:
+          password: {{ .Values.configuration.database.password | quote }}
   {{- end }}
   {{- if eq "s3" .Values.configuration.storage.provider }}
   {{- if eq "accesskey" .Values.configuration.storage.providerConfig.s3.authType }}
@@ -44,7 +48,7 @@ stringData:
       appAuth:
         selfAuthServer:
           staticClients:
-            flytepropeller:
+            executor:
               client_secret: {{ .Values.configuration.auth.internal.clientSecretHash | quote }}
   {{- end }}
   {{- end }}

charts/flyte-binary/templates/configmap.yaml

@@ -105,6 +105,54 @@ data:
         {{- end }}
       container: {{ required "Metadata container required" .metadataContainer }}
     {{- end }}
+  {{- if .Values.configuration.auth.enabled }}
+  004-auth.yaml: |
+    auth:
+      appAuth:
+        {{- if .Values.configuration.auth.enableAuthServer }}
+        authServerType: Self
+        {{- else }}
+        authServerType: External
+        {{- end }}
+        {{- with .Values.configuration.auth.externalAuthServer }}
+        externalAuthServer:
+          baseUrl: {{ tpl (default "" .baseUrl) $ | quote }}
+          {{- if .metadataUrl }}
+          metadataUrl: {{ .metadataUrl | quote }}
+          {{- end }}
+          allowedAudience:
+            {{- range .allowedAudience }}
+            - {{ tpl . $ | quote }}
+            {{- end }}
+        {{- end }}
+        {{- with .Values.configuration.auth.flyteClient }}
+        thirdPartyConfig:
+          flyteClient:
+            clientId: {{ .clientId | quote }}
+            redirectUri: {{ .redirectUri | quote }}
+            {{- if .audience }}
+            audience: {{ .audience | quote }}
+            {{- end }}
+            scopes:
+              {{- range .scopes }}
+              - {{ . | quote }}
+              {{- end }}
+        {{- end }}
+      authorizedUris:
+        {{- range .Values.configuration.auth.authorizedUris }}
+        - {{ tpl . $ | quote }}
+        {{- end }}
+      userAuth:
+        openId:
+          baseUrl: {{ .Values.configuration.auth.oidc.baseUrl | quote }}
+          clientId: {{ .Values.configuration.auth.oidc.clientId | quote }}
+          scopes:
+            - openid
+            - profile
+    runs:
+      security:
+        useAuth: true
+  {{- end }}
   {{- if .Values.configuration.inline }}
   100-inline-config.yaml: |
     {{- tpl ( .Values.configuration.inline | toYaml ) . | nindent 4 }}

charts/flyte-binary/templates/console/deployment.yaml

@@ -0,0 +1,46 @@
+{{- if .Values.console.enabled }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "flyte-binary.fullname" . }}-console
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{ include "flyte-binary.labels" . | nindent 4 }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels: {{ include "flyte-binary.consoleSelectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels: {{ include "flyte-binary.consoleSelectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.console.imagePullSecrets }}
+      imagePullSecrets:
+        {{ toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.deployment.extraPodSpec.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: console
+          {{- with .Values.console.image }}
+          image: {{ printf "%s:%s" .repository .tag | quote }}
+          imagePullPolicy: {{ .pullPolicy | quote }}
+          {{- end }}
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+          readinessProbe:
+            httpGet:
+              path: /v2
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: /v2
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 30
+{{- end }}

charts/flyte-binary/templates/console/service.yaml

@@ -0,0 +1,20 @@
+{{- if .Values.console.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "flyte-binary.fullname" . }}-console
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{ include "flyte-binary.labels" . | nindent 4 }}
+  {{- with .Values.console.service.annotations }}
+  annotations:
+    {{ toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  type: {{ .Values.console.service.type | default "ClusterIP" }}
+  ports:
+    - name: http
+      port: {{ .Values.console.service.port | default 80 }}
+      targetPort: http
+      protocol: TCP
+  selector: {{ include "flyte-binary.consoleSelectorLabels" . | nindent 4 }}
+{{- end }}