Upstream revert revert auth token fix

.github/workflows/flytectl-install.yml

@@ -0,0 +1,33 @@
+name: Flytectl-specific checks
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+on:
+  pull_request:
+    paths:
+      - flytectl/**
+  push:
+    branches:
+      - master
+
+jobs:
+  install-script:
+    name: Install script
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        version:
+          - v0.8.20
+          - latest
+          # Test the case where no version is specified
+          - " "
+    steps:
+      - uses: actions/checkout@v4
+      - run: |
+          chmod +x ./flytectl/install.sh
+          ./flytectl/install.sh ${{ matrix.version }}
+          ./bin/flytectl version
+

charts/flyte-core/README.md

@@ -195,8 +195,11 @@ helm install gateway bitnami/contour -n flyte
 | flyteadmin.serviceMonitor.scrapeTimeout | string | `"30s"` | Sets the timeout after which request to scrape metrics will time out |
 | flyteadmin.tolerations | list | `[]` | tolerations for Flyteadmin deployment |
 | flyteagent.enabled | bool | `false` |  |
-| flyteagent.plugin_config.plugins.agentService.defaultAgent.endpoint | string | `"dns:///flyteagent.flyte.svc.cluster.local:8000"` |  |
-| flyteagent.plugin_config.plugins.agentService.defaultAgent.insecure | bool | `true` |  |
+| flyteagent.plugin_config.plugins.agent-service | object | `{"defaultAgent":{"endpoint":"dns:///flyteagent.flyte.svc.cluster.local:8000","insecure":true},"supportedTaskTypes":["sensor"]}` | Agent service configuration for propeller. |
+| flyteagent.plugin_config.plugins.agent-service.defaultAgent | object | `{"endpoint":"dns:///flyteagent.flyte.svc.cluster.local:8000","insecure":true}` | The default agent service to use for plugin tasks. |
+| flyteagent.plugin_config.plugins.agent-service.defaultAgent.endpoint | string | `"dns:///flyteagent.flyte.svc.cluster.local:8000"` | The agent service endpoint propeller should connect to. |
+| flyteagent.plugin_config.plugins.agent-service.defaultAgent.insecure | bool | `true` | Whether the connection from propeller to the agent service should use TLS. |
+| flyteagent.plugin_config.plugins.agent-service.supportedTaskTypes | list | `["sensor"]` | The task types supported by the default agent. |
 | flyteagent.podLabels | object | `{}` | Labels for flyteagent pods |
 | flyteconsole.affinity | object | `{}` | affinity for Flyteconsole deployment |
 | flyteconsole.enabled | bool | `true` |  |

charts/flyte-core/values.yaml

@@ -279,10 +279,19 @@ flyteagent:
   enabled: false
   plugin_config:
     plugins:
-      agentService:
+      # -- Agent service configuration for propeller.
+      agent-service:
+        # -- The default agent service to use for plugin tasks.
         defaultAgent:
+          # -- The agent service endpoint propeller should connect to.
           endpoint: "dns:///flyteagent.flyte.svc.cluster.local:8000"
+          # -- Whether the connection from propeller to the agent service should use TLS.
           insecure: true
+        # -- The task types supported by the default agent.
+        supportedTaskTypes:
+        - sensor
+        # -- Uncomment to enable task type that uses Flyte Agent
+        # - bigquery_query_job_task
   # -- Labels for flyteagent pods
   podLabels: {}
 

docs/deployment/configuration/auth_setup.rst

@@ -172,7 +172,7 @@ Apply OIDC Configuration
           oidc:
             # baseUrl: https://accounts.google.com # Uncomment for Google
             # baseUrl: https://<keycloak-url>/auth/realms/<keycloak-realm> # Uncomment for Keycloak and update with your installation host and realm name
-            # baseUrl: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize # Uncomment for Azure AD
+            # baseUrl: https://login.microsoftonline.com/<tenant-id>/v2.0 # Uncomment for Azure AD
             # For Okta use the Issuer URI from Okta's default auth server
             baseUrl: https://dev-<org-id>.okta.com/oauth2/default
             # Replace with the client ID and secret created for Flyte in your IdP
@@ -488,7 +488,7 @@ Follow the steps in this section to configure `flyteadmin` to use an external au
            enabled: true
            oidc:
            # baseUrl: https://<keycloak-url>/auth/realms/<keycloak-realm> # Uncomment for Keycloak and update with your installation host and realm name
-           # baseUrl: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize # Uncomment for Azure AD
+           # baseUrl: https://login.microsoftonline.com/<tenant-id>/v2.0 # Uncomment for Azure AD
            # For Okta, use the Issuer URI of the custom auth server:
              baseUrl: https://dev-<org-id>.okta.com/oauth2/<auth-server-id>
            # Use the client ID and secret generated by your IdP for the first OIDC registration in the "Identity Management layer : OIDC" section of this guide
@@ -516,7 +516,7 @@ Follow the steps in this section to configure `flyteadmin` to use an external au
                authServerType: External
                externalAuthServer:
                # baseUrl: https://<keycloak-url>/auth/realms/<keycloak-realm> # Uncomment for Keycloak and update with your installation host and realm name
-               # baseUrl: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize # Uncomment for Azure AD
+               # baseUrl: https://login.microsoftonline.com/<tenant-id>/v2.0 # Uncomment for Azure AD
                # For Okta, use the Issuer URI of the custom auth server:
                  baseUrl: https://dev-<org-id>.okta.com/oauth2/<auth-server-id>
                  metadataUrl: .well-known/oauth-authorization-server
@@ -531,8 +531,8 @@ Follow the steps in this section to configure `flyteadmin` to use an external au
              userAuth:
                openId:
                # baseUrl: https://<keycloak-url>/auth/realms/<keycloak-realm> # Uncomment for Keycloak and update with your installation host and realm name
-               # baseUrl: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize # Uncomment for Azure AD
-               # For Okta, use the Issuer URI of the custom auth server:
+               # baseUrl: https://login.microsoftonline.com/<tenant-id>/v2.0 # Uncomment for Azure AD
+               # For Okta, use the Issuer URI of the custom auth server:  
                  baseUrl: https://dev-<org-id>.okta.com/oauth2/<auth-server-id>
                  scopes:
                  - profile
@@ -568,39 +568,29 @@ Follow the steps in this section to configure `flyteadmin` to use an external au
 
                  authServerType: External
 
-                 # 2. Optional: Set external auth server baseUrl if different from OpenId baseUrl.
-                 externalAuthServer:
-                 # baseUrl: https://<keycloak-url>/auth/realms/<keycloak-realm> # Uncomment for Keycloak and update with your installation host and realm name
-                 # baseUrl: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize # Uncomment for Azure AD
-                 # For Okta, use the Issuer URI of the custom auth server:
-                   baseUrl: https://dev-<org-id>.okta.com/oauth2/<auth-server-id>
-
-                   metadataUrl: .well-known/openid-configuration
-
-                 thirdPartyConfig:
-                    flyteClient:
-                       # 3. Replace with a new Native/Public Client ID provisioned in the custom authorization server.
-                       clientId: flytectl
-                       # This should not change
-                       redirectUri: http://localhost:53593/callback
-                       # 4. "all" is a required scope and must be configured in the custom authorization server.
-                       scopes:
-                       - offline
-                       - all
-
-               userAuth:
-                 openId:
-                 # baseUrl: https://<keycloak-url>/auth/realms/<keycloak-realm> # Uncomment for Keycloak and update with your installation host and realm name
-                 # baseUrl: https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize # Uncomment for Azure AD
-                 # For Okta, use the Issuer URI of the custom auth server:
-                   baseUrl: https://dev-<org-id>.okta.com/oauth2/<auth-server-id>
-                   scopes:
-                   - profile
-                   - openid
-                   # - offline_access # Uncomment if OIdC supports issuing refresh tokens.
-                   clientId: <client id>
+               # 2. Optional: Set external auth server baseUrl if different from OpenId baseUrl.
+               externalAuthServer:
+               # baseUrl: https://<keycloak-url>/auth/realms/<keycloak-realm> # Uncomment for Keycloak and update with your installation host and realm name
+               # baseUrl: https://login.microsoftonline.com/<tenant-id>/v2.0 # Uncomment for Azure AD
+               # For Okta, use the Issuer URI of the custom auth server:  
+                 baseUrl: https://dev-<org-id>.okta.com/oauth2/<auth-server-id>
+
+                 metadataUrl: .well-known/openid-configuration
 
 
+             userAuth:
+               openId:
+               # baseUrl: https://<keycloak-url>/auth/realms/<keycloak-realm> # Uncomment for Keycloak and update with your installation host and realm name
+               # baseUrl: https://login.microsoftonline.com/<tenant-id>/v2.0 # Uncomment for Azure AD
+               # For Okta, use the Issuer URI of the custom auth server:  
+                 baseUrl: https://dev-<org-id>.okta.com/oauth2/<auth-server-id>
+                 scopes:
+                 - profile
+                 - openid
+                 # - offline_access # Uncomment if OIdC supports issuing refresh tokens.
+                 clientId: <client id>
+
+
          secrets:
            adminOauthClientCredentials:
              enabled: true # see the section "Disable Helm secret management" if you require to do so

docs/deployment/plugins/k8s/index.rst

@@ -17,11 +17,11 @@ Select the integration you need and follow the steps to install the correspondin
 
   .. group-tab:: PyTorch/TensorFlow/MPI
 
-    1. Install the `Kubeflow training-operator <https://github.com/kubeflow/training-operator?tab=readme-ov-file#kubeflow-training-operator>`__:
+    1. Install the `Kubeflow training-operator <https://github.com/kubeflow/training-operator?tab=readme-ov-file#stable-release>`__ (Please install the stable release):
 
     .. code-block:: bash
 
-      kubectl apply -k "github.com/kubeflow/training-operator/manifests/overlays/standalone"
+      kubectl apply -k "github.com/kubeflow/training-operator/manifests/overlays/standalone?ref=v1.7.0"
 
     **Optional: Using a gang scheduler**
 

docs/flyte_agents/developing_agents.md

@@ -140,14 +140,13 @@ You can test your agent in a {ref}`local Python environment <testing_agents_loca
 The following is a sample Dockerfile for building an image for a Flyte agent:
 
 ```Dockerfile
-FROM python:3.9-slim-buster
+FROM python:3.10-slim-bookworm
 
 MAINTAINER Flyte Team <[email protected]>
 LABEL org.opencontainers.image.source=https://github.com/flyteorg/flytekit
 
-WORKDIR /root
-ENV PYTHONPATH /root
-
+# additional dependencies for running in k8s
+RUN pip install prometheus-client grpcio-health-checking
 # flytekit will autoload the agent if package is installed.
 RUN pip install flytekitplugins-bigquery
 CMD pyflyte serve agent --port 8000
@@ -193,7 +192,7 @@ By running agents independently, you can thoroughly test and validate your agent
 controlled environment before deploying them to the production cluster.
 
 By default, all agent requests will be sent to the default agent service. However,
-you can route particular task requests to designated agent services by adjusting the FlytePropeller configuration. 
+you can route particular task requests to designated agent services by adjusting the FlytePropeller configuration.
 
 ```yaml
  plugins:

flytectl/cmd/core/cmd.go

@@ -73,10 +73,10 @@ func generateCommandFunc(cmdEntry CommandEntry) func(cmd *cobra.Command, args []
 		cmdCtx := NewCommandContextNoClient(cmd.OutOrStdout())
 		if !cmdEntry.DisableFlyteClient {
 			clientSet, err := admin.ClientSetBuilder().WithConfig(admin.GetConfig(ctx)).
-				WithTokenCache(pkce.TokenCacheKeyringProvider{
-					ServiceUser: fmt.Sprintf("%s:%s", adminCfg.Endpoint.String(), pkce.KeyRingServiceUser),
-					ServiceName: pkce.KeyRingServiceName,
-				}).Build(ctx)
+				WithTokenCache(pkce.NewTokenCacheKeyringProvider(
+					pkce.KeyRingServiceName,
+					fmt.Sprintf("%s:%s", adminCfg.Endpoint.String(), pkce.KeyRingServiceUser),
+				)).Build(ctx)
 			if err != nil {
 				return err
 			}