feat: Upgrade retool, fix dagster oidc setup (#891)

michaeljguarino · web-flow · commit 42c4ab1fd933 · 2023-12-18T16:28:05.000-05:00
* Upgrade retool, fix dagster oidc setup

We need to get retool onto latest, and realized dagster isn't using the current reusable oidc config (which makes basic auth nontrivial to configure), so fixing that as well.

* add basic auth docs
diff --git a/dagster/helm/dagster/Chart.lock b/dagster/helm/dagster/Chart.lock
@@ -2,6 +2,9 @@ dependencies:
 - name: postgres
   repository: https://pluralsh.github.io/module-library
   version: 0.1.16
+- name: oidc-config
+  repository: https://pluralsh.github.io/module-library
+  version: 0.1.6
 - name: dagster
   repository: https://dagster-io.github.io/helm
   version: 1.5.4
@@ -11,5 +14,5 @@ dependencies:
 - name: test-base
   repository: https://pluralsh.github.io/module-library
   version: 0.1.10
-digest: sha256:429db54a06ff1d43d546fb5b8da1534e7f06f12a0e408a83e146222eb2585cbb
-generated: "2023-10-20T10:53:15.243597+02:00"
+digest: sha256:711eb99a3aa598dc5755698003710c6e4f175f99cfbf68589e27fbb19ef1a6b0
+generated: "2023-12-18T10:52:48.079022-05:00"
diff --git a/dagster/helm/dagster/Chart.yaml b/dagster/helm/dagster/Chart.yaml
@@ -2,12 +2,16 @@ apiVersion: v2
 name: dagster
 description: A Helm chart for Kubernetes
 type: application
-version: 0.1.46
+version: 0.1.47
 appVersion: 1.5.4
 dependencies:
 - name: postgres
   version: 0.1.16
   repository: https://pluralsh.github.io/module-library
+- name: oidc-config
+  version: 0.1.6
+  repository: https://pluralsh.github.io/module-library
+  condition: oidc-config.enabled
 - name: dagster
   version: 1.5.4
   repository: https://dagster-io.github.io/helm
diff --git a/dagster/helm/dagster/charts/oidc-config-0.1.6.tgz b/dagster/helm/dagster/charts/oidc-config-0.1.6.tgz
diff --git a/dagster/helm/dagster/templates/oidc.yaml b/dagster/helm/dagster/templates/oidc.yaml
diff --git a/dagster/helm/dagster/values.yaml b/dagster/helm/dagster/values.yaml
@@ -1,6 +1,18 @@
 global:
   serviceAccountName: dagster
 
+oidc-config:
+  enabled: false
+  service:
+    name: dagster-oauth2-proxy
+    selector:
+      app.kubernetes.io/instance: dagster
+      component: dagster-webserver
+  secret:
+    env:
+      OAUTH2_PROXY_UPSTREAM_TIMEOUT: '120s'
+
+
 postgres:
   team: plural
   user: dagster
diff --git a/dagster/helm/dagster/values.yaml.tpl b/dagster/helm/dagster/values.yaml.tpl
@@ -12,13 +12,19 @@ postgres:
   password: {{ $postgresPwd }}
 
 {{ if .OIDC }}
-oidcProxy:
+{{ $prevSecret := dedupe . "dagster.oidcProxy.cookieSecret" (randAlphaNum 32) }}
+oidc-config:
   enabled: true
-  upstream: http://localhost:80
-  issuer: {{ .OIDC.Configuration.Issuer }}
-  clientID: {{ .OIDC.ClientId }}
-  clientSecret: {{ .OIDC.ClientSecret }}
-  cookieSecret: {{ dedupe . "dagster.oidcProxy.cookieSecret" (randAlphaNum 32) }}
+  secret:
+    name: dagster-proxy-config
+    issuer: {{ .OIDC.Configuration.Issuer }}
+    clientID: {{ .OIDC.ClientId }}
+    clientSecret: {{ .OIDC.ClientSecret }}
+    cookieSecret: {{ dedupe . "dagster.oidc-config.secret.cookieSecret" $prevSecret }}
+  {{ if .Values.users }}
+  users:
+  {{ toYaml .Values.users | nindent 4 }}
+  {{ end }}
 {{ end }}
 
 dagster:
diff --git a/dagster/plural/docs/basic-auth.md b/dagster/plural/docs/basic-auth.md
@@ -0,0 +1,30 @@
+## Configuring Basic Auth
+
+Dagster's api and web interface is not authenticated by default.  We provide an oauth proxy by default to grant some security to your dagster install, but in order to integrate with tools like airflow, you'll likely want a means to authenticate with static creds.  That's where basic auth can be very useful.  The process is very simple.
+
+### modify context.yaml
+
+in the `context.yaml` file at the root of your repo, simply add:
+
+```yaml
+configuration:
+  dagster:
+    users:
+      <name>: <password>
+      <name2>: <password2>
+```
+you can use `plural crypto random` to generate a high-entropy password if that is helpful as well.
+
+### redeploy
+
+Simply run `plural build --only dagster && plural deploy --commit "enabling basic auth"` to wire in the credentials to our oauth proxy.  Occasionally you need to restart the web pods to get it to take, you can find them with:
+
+```sh
+kubectl get pods -n dagster | grep dagster-webserver
+```
+
+then delete them (allowing k8s to restart) with:
+
+```sh
+kubectl delete pod <name> -n dagster
+```
diff --git a/retool/helm/retool/Chart.lock b/retool/helm/retool/Chart.lock
@@ -4,6 +4,6 @@ dependencies:
   version: 0.1.5
 - name: retool
   repository: https://charts.retool.com
-  version: 6.0.2
-digest: sha256:64e43f4c30b1d885101d9c50fe2f314e54f86d33e555ba6df3d9b90dda8784d4
-generated: "2023-09-26T12:08:59.73891-04:00"
+  version: 6.0.11
+digest: sha256:c182bac59d78a9f260acb187063a7ffbfff0b887fc81a383959c88b22a03e337
+generated: "2023-12-18T10:33:05.569756-05:00"
diff --git a/retool/helm/retool/Chart.yaml b/retool/helm/retool/Chart.yaml
@@ -2,12 +2,12 @@ apiVersion: v2
 name: retool
 description: helm chart for retool
 type: application
-version: 0.1.7
-appVersion: "v3.12.2"
+version: 0.1.8
+appVersion: "v3.24.1"
 dependencies:
 - name: postgres
   version: 0.1.5
   repository: https://pluralsh.github.io/module-library
 - name: retool
-  version: 6.0.2
+  version: 6.0.11
   repository: https://charts.retool.com
diff --git a/retool/helm/retool/charts/retool-6.0.11.tgz b/retool/helm/retool/charts/retool-6.0.11.tgz
diff --git a/retool/helm/retool/charts/retool-6.0.2.tgz b/retool/helm/retool/charts/retool-6.0.2.tgz
diff --git a/retool/helm/retool/values.yaml b/retool/helm/retool/values.yaml
@@ -19,7 +19,7 @@ retool:
 
   image:
     repository: tryretool/backend
-    tag: 3.12.2
+    tag: 3.24.1
   
   workflows:
     temporal:
