feat(flyte-binary): add optional JWT and auth-discovery ingresses (#7546)

Signed-off-by: Kevin Su <pingsutw@apache.org>
Signed-off-by: Kevin Su <pingsutw@gmail.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

Author: pingsutw

charts/flyte-binary/README.md

@@ -150,6 +150,10 @@ Chart for basic single Flyte executable deployment
 | flyte-core-components.secret.kubernetes.timeout | string | `"30s"` |  |
 | flyteconnector.enabled | bool | `false` |  |
 | fullnameOverride | string | `""` |  |
+| ingress.apiJwtIngress.annotations | object | `{}` |  |
+| ingress.apiJwtIngress.enabled | bool | `false` |  |
+| ingress.apiJwtIngress.ingressClassName | string | `""` |  |
+| ingress.apiJwtIngress.tls | list | `[]` |  |
 | ingress.commonAnnotations | object | `{}` |  |
 | ingress.create | bool | `false` |  |
 | ingress.host | string | `""` |  |
@@ -161,6 +165,10 @@ Chart for basic single Flyte executable deployment
 | ingress.ingressClassName | string | `""` |  |
 | ingress.labels | object | `{}` |  |
 | ingress.tls | list | `[]` |  |
+| ingress.wellknownIngress.annotations | object | `{}` |  |
+| ingress.wellknownIngress.enabled | bool | `false` |  |
+| ingress.wellknownIngress.ingressClassName | string | `""` |  |
+| ingress.wellknownIngress.tls | list | `[]` |  |
 | nameOverride | string | `""` |  |
 | rbac.annotations | object | `{}` |  |
 | rbac.create | bool | `true` |  |

charts/flyte-binary/templates/_helpers.tpl

@@ -193,6 +193,22 @@ Get the Flyte API paths for ingress.
 - /flyteidl2.app.AppService/*
 - /flyteidl2.trigger.TriggerService
 - /flyteidl2.trigger.TriggerService/*
+- /flyteidl2.auth.IdentityService
+- /flyteidl2.auth.IdentityService/*
+- /flyteidl2.settings.SettingsService
+- /flyteidl2.settings.SettingsService/*
+{{- end -}}
+
+{{/*
+Get the Flyte auth-discovery paths for ingress. These are unauthenticated:
+clients must reach them before they hold a token (OAuth server metadata and the
+auth metadata service). IdentityService and SettingsService require auth and live
+in apiPaths instead.
+*/}}
+{{- define "flyte-binary.ingress.wellknownPaths" -}}
+- /.well-known/oauth-authorization-server
+- /flyteidl2.auth.AuthMetadataService
+- /flyteidl2.auth.AuthMetadataService/*
 {{- end -}}
 
 {{/*

charts/flyte-binary/templates/ingress/api-jwt.yaml

@@ -0,0 +1,58 @@
+{{- if and .Values.ingress.create .Values.ingress.apiJwtIngress.enabled }}
+{{- $paths := (include "flyte-binary.ingress.apiPaths" .) | fromYamlArray }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "flyte-binary.fullname" . }}-api-jwt
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "flyte-binary.labels" . | nindent 4 }}
+    {{- if .Values.commonLabels }}
+    {{- tpl ( .Values.commonLabels | toYaml ) . | nindent 4 }}
+    {{- end }}
+    {{- if .Values.ingress.labels }}
+    {{- tpl ( .Values.ingress.labels | toYaml ) . | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- if .Values.commonAnnotations }}
+    {{- tpl ( .Values.commonAnnotations | toYaml ) . | nindent 4 }}
+    {{- end }}
+    {{- if .Values.ingress.commonAnnotations }}
+    {{- tpl ( .Values.ingress.commonAnnotations | toYaml ) . | nindent 4 }}
+    {{- end }}
+    {{- if .Values.ingress.apiJwtIngress.annotations }}
+    {{- tpl ( .Values.ingress.apiJwtIngress.annotations | toYaml ) . | nindent 4 }}
+    {{- end }}
+spec:
+  {{- if .Values.ingress.apiJwtIngress.ingressClassName }}
+  ingressClassName: {{ .Values.ingress.apiJwtIngress.ingressClassName | quote }}
+  {{- else if .Values.ingress.ingressClassName }}
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
+  {{- end }}
+  {{- if .Values.ingress.apiJwtIngress.tls }}
+  tls: {{- tpl ( .Values.ingress.apiJwtIngress.tls | toYaml ) . | nindent 2 }}
+  {{- else if .Values.ingress.tls }}
+  tls: {{- tpl ( .Values.ingress.tls | toYaml ) . | nindent 2 }}
+  {{- end }}
+  rules:
+  - http:
+      paths:
+      {{- range $path := $paths }}
+        - path: {{ $path }}
+          {{- if semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion }}
+          pathType: ImplementationSpecific
+          {{- end }}
+          backend:
+            {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+            service:
+              name: {{ include "flyte-binary.service.http.name" $ }}
+              port:
+                number: {{ include "flyte-binary.service.http.port" $ }}
+            {{- else }}
+            serviceName: {{ include "flyte-binary.service.http.name" $ }}
+            servicePort: {{ include "flyte-binary.service.http.port" $ }}
+            {{- end }}
+      {{- end }}
+    {{- if .Values.ingress.host }}
+    host: {{ tpl .Values.ingress.host . | quote }}
+    {{- end }}
+{{- end }}

charts/flyte-binary/templates/ingress/wellknown.yaml

@@ -0,0 +1,58 @@
+{{- if and .Values.ingress.create .Values.ingress.wellknownIngress.enabled }}
+{{- $paths := (include "flyte-binary.ingress.wellknownPaths" .) | fromYamlArray }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "flyte-binary.fullname" . }}-wellknown
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "flyte-binary.labels" . | nindent 4 }}
+    {{- if .Values.commonLabels }}
+    {{- tpl ( .Values.commonLabels | toYaml ) . | nindent 4 }}
+    {{- end }}
+    {{- if .Values.ingress.labels }}
+    {{- tpl ( .Values.ingress.labels | toYaml ) . | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- if .Values.commonAnnotations }}
+    {{- tpl ( .Values.commonAnnotations | toYaml ) . | nindent 4 }}
+    {{- end }}
+    {{- if .Values.ingress.commonAnnotations }}
+    {{- tpl ( .Values.ingress.commonAnnotations | toYaml ) . | nindent 4 }}
+    {{- end }}
+    {{- if .Values.ingress.wellknownIngress.annotations }}
+    {{- tpl ( .Values.ingress.wellknownIngress.annotations | toYaml ) . | nindent 4 }}
+    {{- end }}
+spec:
+  {{- if .Values.ingress.wellknownIngress.ingressClassName }}
+  ingressClassName: {{ .Values.ingress.wellknownIngress.ingressClassName | quote }}
+  {{- else if .Values.ingress.ingressClassName }}
+  ingressClassName: {{ .Values.ingress.ingressClassName | quote }}
+  {{- end }}
+  {{- if .Values.ingress.wellknownIngress.tls }}
+  tls: {{- tpl ( .Values.ingress.wellknownIngress.tls | toYaml ) . | nindent 2 }}
+  {{- else if .Values.ingress.tls }}
+  tls: {{- tpl ( .Values.ingress.tls | toYaml ) . | nindent 2 }}
+  {{- end }}
+  rules:
+  - http:
+      paths:
+      {{- range $path := $paths }}
+        - path: {{ $path }}
+          {{- if semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion }}
+          pathType: ImplementationSpecific
+          {{- end }}
+          backend:
+            {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+            service:
+              name: {{ include "flyte-binary.service.http.name" $ }}
+              port:
+                number: {{ include "flyte-binary.service.http.port" $ }}
+            {{- else }}
+            serviceName: {{ include "flyte-binary.service.http.name" $ }}
+            servicePort: {{ include "flyte-binary.service.http.port" $ }}
+            {{- end }}
+      {{- end }}
+    {{- if .Values.ingress.host }}
+    host: {{ tpl .Values.ingress.host . | quote }}
+    {{- end }}
+{{- end }}

charts/flyte-binary/values.yaml

@@ -401,6 +401,36 @@ ingress:
   httpExtraPaths:
     prepend: []
     append: []
+  # apiJwtIngress Optional separate ingress that JWT-validates the flyteidl2 API
+  # paths for requests carrying an `Authorization: Bearer` token (SDK/machine
+  # clients). Needed on controllers like AWS ALB where a single ingress cannot
+  # combine cookie-OIDC (browser) and JWT (token) auth. It renders the shared API
+  # paths backed by the http service; supply the controller/JWT config (e.g. ALB
+  # cert-arn, jwt-validation, the `Authorization: Bearer*` match condition, and a
+  # group.order lower than the http ingress (but higher than the wellknown ingress)) via `annotations`.
+  apiJwtIngress:
+    # enabled Create the JWT (Bearer) API ingress
+    enabled: false
+    # annotations Annotations for the JWT API ingress (controller/JWT config)
+    annotations: {}
+    # ingressClassName Ingress class for the JWT API ingress. Overrides `ingressClassName`
+    ingressClassName: ""
+    # tls Add TLS configuration to the JWT API ingress. Overrides `tls`
+    tls: []
+  # wellknownIngress Optional separate ingress for the unauthenticated
+  # auth-discovery endpoints (`/.well-known/oauth-authorization-server`,
+  # AuthMetadataService) — clients must reach these before they hold a token. Give it the highest controller precedence
+  # (e.g. ALB group.order lower than the JWT/http ingresses) so these paths bypass
+  # auth. Supply controller config via `annotations`.
+  wellknownIngress:
+    # enabled Create the unauthenticated auth-discovery ingress
+    enabled: false
+    # annotations Annotations for the auth-discovery ingress (controller config)
+    annotations: {}
+    # ingressClassName Ingress class for the auth-discovery ingress. Overrides `ingressClassName`
+    ingressClassName: ""
+    # tls Add TLS configuration to the auth-discovery ingress. Overrides `tls`
+    tls: []
 
 # rbac Configure Kubernetes RBAC for Flyte
 rbac: