[Feat] add user annotations to k8s objects

charts/flyte-core/README.md

@@ -103,7 +103,7 @@ helm install gateway bitnami/contour -n flyte
 | common.ingress.tls | object | `{"enabled":false}` | - Ingress hostname host: |
 | common.ingress.webpackHMR | bool | `false` | - Enable or disable HMR route to flyteconsole. This is useful only for frontend development. |
 | configmap.admin | object | `{"admin":{"clientId":"{{ .Values.secrets.adminOauthClientCredentials.clientId }}","clientSecretLocation":"/etc/secrets/client_secret","endpoint":"flyteadmin:81","insecure":true},"event":{"capacity":1000,"rate":500,"type":"admin"}}` | Admin Client configuration [structure](https://pkg.go.dev/github.com/flyteorg/flytepropeller/pkg/controller/nodes/subworkflow/launchplan#AdminConfig) |
-| configmap.adminServer | object | `{"auth":{"appAuth":{"thirdPartyConfig":{"flyteClient":{"clientId":"flytectl","redirectUri":"http://localhost:53593/callback","scopes":["offline","all"]}}},"authorizedUris":["https://localhost:30081","http://flyteadmin:80","http://flyteadmin.flyte.svc.cluster.local:80"],"userAuth":{"openId":{"baseUrl":"https://accounts.google.com","clientId":"657465813211-6eog7ek7li5k7i7fvgv2921075063hpe.apps.googleusercontent.com","scopes":["profile","openid"]}}},"flyteadmin":{"eventVersion":2,"metadataStoragePrefix":["metadata","admin"],"metricsScope":"flyte:","profilerPort":10254,"roleNameKey":"iam.amazonaws.com/role","testing":{"host":"http://flyteadmin"}},"server":{"grpc":{"port":8089},"httpPort":8088,"security":{"allowCors":true,"allowedHeaders":["Content-Type","flyte-authorization"],"allowedOrigins":["*"],"secure":false,"useAuth":false}}}` | FlyteAdmin server configuration |
+| configmap.adminServer | object | `{"auth":{"appAuth":{"thirdPartyConfig":{"flyteClient":{"clientId":"flytectl","redirectUri":"http://localhost:53593/callback","scopes":["offline","all"]}}},"authorizedUris":["https://localhost:30081","http://flyteadmin:80","http://flyteadmin.flyte.svc.cluster.local:80"],"userAuth":{"openId":{"baseUrl":"https://accounts.google.com","clientId":"657465813211-6eog7ek7li5k7i7fvgv2921075063hpe.apps.googleusercontent.com","scopes":["profile","openid"]}}},"flyteadmin":{"eventVersion":2,"injectUserAnnotations":false,"metadataStoragePrefix":["metadata","admin"],"metricsScope":"flyte:","profilerPort":10254,"roleNameKey":"iam.amazonaws.com/role","testing":{"host":"http://flyteadmin"},"userAnnotationPrefix":"flyte.ai"},"server":{"grpc":{"port":8089},"httpPort":8088,"security":{"allowCors":true,"allowedHeaders":["Content-Type","flyte-authorization"],"allowedOrigins":["*"],"secure":false,"useAuth":false}}}` | FlyteAdmin server configuration |
 | configmap.adminServer.auth | object | `{"appAuth":{"thirdPartyConfig":{"flyteClient":{"clientId":"flytectl","redirectUri":"http://localhost:53593/callback","scopes":["offline","all"]}}},"authorizedUris":["https://localhost:30081","http://flyteadmin:80","http://flyteadmin.flyte.svc.cluster.local:80"],"userAuth":{"openId":{"baseUrl":"https://accounts.google.com","clientId":"657465813211-6eog7ek7li5k7i7fvgv2921075063hpe.apps.googleusercontent.com","scopes":["profile","openid"]}}}` | Authentication configuration |
 | configmap.adminServer.server.security.secure | bool | `false` | Controls whether to serve requests over SSL/TLS. |
 | configmap.adminServer.server.security.useAuth | bool | `false` | Controls whether to enforce authentication. Follow the guide in https://docs.flyte.org/ on how to setup authentication. |

charts/flyte-core/values.yaml

@@ -975,6 +975,8 @@ configmap:
         - "metadata"
         - "admin"
       eventVersion: 2
+      injectUserAnnotations: false
+      userAnnotationPrefix: "flyte.ai"
       testing:
         host: http://flyteadmin
 

deployment/eks/flyte_aws_scheduler_helm_generated.yaml

@@ -166,6 +166,7 @@ data:
           - openid
     flyteadmin:
       eventVersion: 2
+      injectUserAnnotations: false
       metadataStoragePrefix:
       - metadata
       - admin
@@ -174,6 +175,7 @@ data:
       roleNameKey: iam.amazonaws.com/role
       testing:
         host: http://flyteadmin
+      userAnnotationPrefix: flyte.ai
     server:
       grpc:
         port: 8089
@@ -886,7 +888,7 @@ spec:
   template:
     metadata:
       annotations:
-        configChecksum: "6fd4bb5460f260b492db7ddd34b6011581292e88b28c2e4514b7da75673cd4d"
+        configChecksum: "71783b5be9ab6a2bbb2fa40b936c74b39c6dcf60d70979daede4d9449ce944d"
       labels: 
         app.kubernetes.io/name: flyteadmin
         app.kubernetes.io/instance: flyte

deployment/eks/flyte_helm_controlplane_generated.yaml

@@ -147,6 +147,7 @@ data:
           - openid
     flyteadmin:
       eventVersion: 2
+      injectUserAnnotations: false
       metadataStoragePrefix:
       - metadata
       - admin
@@ -155,6 +156,7 @@ data:
       roleNameKey: iam.amazonaws.com/role
       testing:
         host: http://flyteadmin
+      userAnnotationPrefix: flyte.ai
     server:
       grpc:
         port: 8089
@@ -583,7 +585,7 @@ spec:
   template:
     metadata:
       annotations:
-        configChecksum: "b1a6f6afb902bd1384515a97c5bad38985c0799ca8173efb0e664bda8eb9ca1"
+        configChecksum: "92eb8185e329f235bc30c58f192a9ab6a2840f64a379ef53fe2571bc468ab22"
       labels: 
         app.kubernetes.io/name: flyteadmin
         app.kubernetes.io/instance: flyte
@@ -1009,7 +1011,7 @@ spec:
   template:
     metadata:
       annotations:
-        configChecksum: "b1a6f6afb902bd1384515a97c5bad38985c0799ca8173efb0e664bda8eb9ca1"
+        configChecksum: "92eb8185e329f235bc30c58f192a9ab6a2840f64a379ef53fe2571bc468ab22"
       labels: 
         app.kubernetes.io/name: flytescheduler
         app.kubernetes.io/instance: flyte

deployment/eks/flyte_helm_generated.yaml

@@ -178,6 +178,7 @@ data:
           - openid
     flyteadmin:
       eventVersion: 2
+      injectUserAnnotations: false
       metadataStoragePrefix:
       - metadata
       - admin
@@ -186,6 +187,7 @@ data:
       roleNameKey: iam.amazonaws.com/role
       testing:
         host: http://flyteadmin
+      userAnnotationPrefix: flyte.ai
     server:
       grpc:
         port: 8089
@@ -917,7 +919,7 @@ spec:
   template:
     metadata:
       annotations:
-        configChecksum: "b1a6f6afb902bd1384515a97c5bad38985c0799ca8173efb0e664bda8eb9ca1"
+        configChecksum: "92eb8185e329f235bc30c58f192a9ab6a2840f64a379ef53fe2571bc468ab22"
       labels: 
         app.kubernetes.io/name: flyteadmin
         app.kubernetes.io/instance: flyte
@@ -1343,7 +1345,7 @@ spec:
   template:
     metadata:
       annotations:
-        configChecksum: "b1a6f6afb902bd1384515a97c5bad38985c0799ca8173efb0e664bda8eb9ca1"
+        configChecksum: "92eb8185e329f235bc30c58f192a9ab6a2840f64a379ef53fe2571bc468ab22"
       labels: 
         app.kubernetes.io/name: flytescheduler
         app.kubernetes.io/instance: flyte

deployment/gcp/flyte_helm_controlplane_generated.yaml

@@ -147,6 +147,7 @@ data:
           - openid
     flyteadmin:
       eventVersion: 2
+      injectUserAnnotations: false
       metadataStoragePrefix:
       - metadata
       - admin
@@ -155,6 +156,7 @@ data:
       roleNameKey: iam.amazonaws.com/role
       testing:
         host: http://flyteadmin
+      userAnnotationPrefix: flyte.ai
     server:
       grpc:
         port: 8089
@@ -600,7 +602,7 @@ spec:
   template:
     metadata:
       annotations:
-        configChecksum: "e952d320a403549f597a6e5c264a4284fb2ae2e33b57c54e70975bf4f0f4f9a"
+        configChecksum: "20b338538d7cb4f2b765e3d06619b7ecb2cfc5730dd8ae986568c6e3ef303a1"
       labels: 
         app.kubernetes.io/name: flyteadmin
         app.kubernetes.io/instance: flyte
@@ -1026,7 +1028,7 @@ spec:
   template:
     metadata:
       annotations:
-        configChecksum: "e952d320a403549f597a6e5c264a4284fb2ae2e33b57c54e70975bf4f0f4f9a"
+        configChecksum: "20b338538d7cb4f2b765e3d06619b7ecb2cfc5730dd8ae986568c6e3ef303a1"
       labels: 
         app.kubernetes.io/name: flytescheduler
         app.kubernetes.io/instance: flyte

deployment/gcp/flyte_helm_generated.yaml

@@ -178,6 +178,7 @@ data:
           - openid
     flyteadmin:
       eventVersion: 2
+      injectUserAnnotations: false
       metadataStoragePrefix:
       - metadata
       - admin
@@ -186,6 +187,7 @@ data:
       roleNameKey: iam.amazonaws.com/role
       testing:
         host: http://flyteadmin
+      userAnnotationPrefix: flyte.ai
     server:
       grpc:
         port: 8089
@@ -942,7 +944,7 @@ spec:
   template:
     metadata:
       annotations:
-        configChecksum: "e952d320a403549f597a6e5c264a4284fb2ae2e33b57c54e70975bf4f0f4f9a"
+        configChecksum: "20b338538d7cb4f2b765e3d06619b7ecb2cfc5730dd8ae986568c6e3ef303a1"
       labels: 
         app.kubernetes.io/name: flyteadmin
         app.kubernetes.io/instance: flyte
@@ -1368,7 +1370,7 @@ spec:
   template:
     metadata:
       annotations:
-        configChecksum: "e952d320a403549f597a6e5c264a4284fb2ae2e33b57c54e70975bf4f0f4f9a"
+        configChecksum: "20b338538d7cb4f2b765e3d06619b7ecb2cfc5730dd8ae986568c6e3ef303a1"
       labels: 
         app.kubernetes.io/name: flytescheduler
         app.kubernetes.io/instance: flyte

deployment/sandbox/flyte_helm_generated.yaml

@@ -298,6 +298,7 @@ data:
           - openid
     flyteadmin:
       eventVersion: 2
+      injectUserAnnotations: false
       metadataStoragePrefix:
       - metadata
       - admin
@@ -306,6 +307,7 @@ data:
       roleNameKey: iam.amazonaws.com/role
       testing:
         host: http://flyteadmin
+      userAnnotationPrefix: flyte.ai
     server:
       grpc:
         port: 8089
@@ -710,6 +712,7 @@ data:
   resource_manager.yaml: | 
     propeller:
       resourcemanager:
+        redis: null
         type: noop
   storage.yaml: | 
     storage:
@@ -6730,7 +6733,7 @@ spec:
   template:
     metadata:
       annotations:
-        configChecksum: "29b249082ba3f15e213daf85d53d386f968925a8aeab291c585078d59680378"
+        configChecksum: "fe83495c82ad870691613547d3dcb8acaaec70e61a501843703aba7462d0afe"
       labels: 
         app.kubernetes.io/name: flyteadmin
         app.kubernetes.io/instance: flyte
@@ -7127,7 +7130,7 @@ spec:
   template:
     metadata:
       annotations:
-        configChecksum: "29b249082ba3f15e213daf85d53d386f968925a8aeab291c585078d59680378"
+        configChecksum: "fe83495c82ad870691613547d3dcb8acaaec70e61a501843703aba7462d0afe"
       labels: 
         app.kubernetes.io/name: flytescheduler
         app.kubernetes.io/instance: flyte
@@ -7222,7 +7225,7 @@ spec:
   template:
     metadata:
       annotations:
-        configChecksum: "671959f1f31dcfd1a93c1a484be7c7264f05b66de43df1a770f331d389787a4"
+        configChecksum: "ea603a73ffb9754ac5c6d9bab9a8e868050e0e7b118399be9c8b1cd4ce86cf1"
         prometheus.io/path: "/metrics"
         prometheus.io/port: "10254"
       labels: 
@@ -7300,7 +7303,7 @@ spec:
         app.kubernetes.io/name: flyte-pod-webhook
         app.kubernetes.io/version: v1.16.0
       annotations:
-        configChecksum: "671959f1f31dcfd1a93c1a484be7c7264f05b66de43df1a770f331d389787a4"
+        configChecksum: "ea603a73ffb9754ac5c6d9bab9a8e868050e0e7b118399be9c8b1cd4ce86cf1"
         prometheus.io/path: "/metrics"
         prometheus.io/port: "10254"
     spec:

docker/sandbox-bundled/manifests/complete-connector.yaml

@@ -822,7 +822,7 @@ type: Opaque
 ---
 apiVersion: v1
 data:
-  haSharedSecret: NUFZSjlMb000dURTeFRHcA==
+  haSharedSecret: NjlZbm9Bdmdjc2RIOVV6RA==
   proxyPassword: ""
   proxyUsername: ""
 kind: Secret
@@ -1419,7 +1419,7 @@ spec:
     metadata:
       annotations:
         checksum/config: 8f50e768255a87f078ba8b9879a0c174c3e045ffb46ac8723d2eedbe293c8d81
-        checksum/secret: 70ab3a722bbba034ed7344ef07a16053252026dfe34e71c2448c980ff47a6181
+        checksum/secret: bcb59e2e39c2a39cd92acf4a6d1e1798831a8acbe0239e2ca35a09ad73aeccbd
       labels:
         app: docker-registry
         release: flyte-sandbox

docker/sandbox-bundled/manifests/complete.yaml

@@ -803,7 +803,7 @@ type: Opaque
 ---
 apiVersion: v1
 data:
-  haSharedSecret: UUltSk9iWTdxVzlNTGZPaQ==
+  haSharedSecret: c1JIT3FrYjd5VzEwZm5Kag==
   proxyPassword: ""
   proxyUsername: ""
 kind: Secret
@@ -1367,7 +1367,7 @@ spec:
     metadata:
       annotations:
         checksum/config: 8f50e768255a87f078ba8b9879a0c174c3e045ffb46ac8723d2eedbe293c8d81
-        checksum/secret: 809f2778eadd51c6c0289457a88bedac6de365127677a48c24dba5611799c3b2
+        checksum/secret: 76562a1293dc5289634fb1e2c6f8ff003a927fb6a82c4a0d952f3dd5869b9f87
       labels:
         app: docker-registry
         release: flyte-sandbox

docker/sandbox-bundled/manifests/dev.yaml

@@ -499,7 +499,7 @@ metadata:
 ---
 apiVersion: v1
 data:
-  haSharedSecret: aHlIMkgzdHluSUU0T2t2bA==
+  haSharedSecret: a0R1QmhNY0V2b3k5UUtzNA==
   proxyPassword: ""
   proxyUsername: ""
 kind: Secret
@@ -934,7 +934,7 @@ spec:
     metadata:
       annotations:
         checksum/config: 8f50e768255a87f078ba8b9879a0c174c3e045ffb46ac8723d2eedbe293c8d81
-        checksum/secret: 5f9abc8cd74e0ef31cadbf5c8d52979e5fa091a0361f51dd898422abaeca6ed6
+        checksum/secret: 300c4e683a97067435b018fa67798a7f44bae98404bd2538f816d97519ff0505
       labels:
         app: docker-registry
         release: flyte-sandbox

flyteadmin/flyteadmin_config.yaml

@@ -61,6 +61,8 @@ flyteadmin:
     - "metadata"
     - "admin"
   useOffloadedWorkflowClosure: false
+  injectUserAnnotations: false
+  userAnnotationPrefix: "flyte.ai"
 database:
   postgres:
     port: 30001

flyteadmin/pkg/manager/impl/execution_manager.go

@@ -590,6 +590,8 @@ func (m *ExecutionManager) launchSingleTaskExecution(
 		annotations = executionConfig.GetAnnotations().GetValues()
 	}
 
+	annotations = m.addUserAnnotations(ctx, annotations)
+
 	var rawOutputDataConfig *admin.RawOutputDataConfig
 	if executionConfig.GetRawOutputDataConfig() != nil {
 		rawOutputDataConfig = executionConfig.GetRawOutputDataConfig()
@@ -1025,6 +1027,9 @@ func (m *ExecutionManager) launchExecution(
 	if err != nil {
 		return nil, nil, nil, err
 	}
+
+	annotations = m.addUserAnnotations(ctx, annotations)
+
 	var rawOutputDataConfig *admin.RawOutputDataConfig
 	if executionConfig.GetRawOutputDataConfig() != nil {
 		rawOutputDataConfig = executionConfig.GetRawOutputDataConfig()
@@ -2050,6 +2055,41 @@ func (m *ExecutionManager) addProjectLabels(ctx context.Context, projectName str
 	return initialLabels, nil
 }
 
+// addUserAnnotations automatically injects user identity information as annotations when enabled in config.
+// This allows tracking which user submitted each workflow execution and enables user-based authorization.
+func (m *ExecutionManager) addUserAnnotations(ctx context.Context, initialAnnotations map[string]string) map[string]string {
+	// Check if user annotation injection is enabled
+	if !m.config.ApplicationConfiguration().GetTopLevelConfig().GetInjectUserAnnotations() {
+		return initialAnnotations
+	}
+
+	// Get user identity from authentication context
+	identityContext := auth.IdentityContextFromContext(ctx)
+	var principal string
+	if identityContext.UserInfo() != nil {
+		principal = identityContext.UserInfo().GetEmail()
+	}
+
+	if principal == "" {
+		// If no email is available, skip annotation injection
+		logger.Debugf(ctx, "No user email found in context, skipping user annotation injection")
+		return initialAnnotations
+	}
+
+	if initialAnnotations == nil {
+		initialAnnotations = make(map[string]string)
+	}
+
+	prefix := m.config.ApplicationConfiguration().GetTopLevelConfig().GetUserAnnotationPrefix()
+	userKey := prefix + "/user"
+	if _, exists := initialAnnotations[userKey]; !exists {
+		initialAnnotations[userKey] = principal
+		logger.Debugf(ctx, "Injected user annotation %s=%s", userKey, principal)
+	}
+
+	return initialAnnotations
+}
+
 func addStateFilter(filters []common.InlineFilter) ([]common.InlineFilter, error) {
 	var stateFilterExists bool
 	for _, inlineFilter := range filters {