<@U04SE163WC8> Question regarding values file and...
# ask-ai
m
@kapa.ai Question regarding values file and EKS deploy. How do I configure authentication? When I leave everything as default and set up an Ingress I’m just printed for my email, that’s it
k
To configure authentication for your Airbyte deployment on EKS, you need to modify your `values.yaml` file and set up an Ingress.

1. Configure Authentication in `values.yaml` file: You need to add instance admin details and SSO auth details to your `values.yaml` file, under `global`. Here is an example of how to do it:

```yaml
auth:
  instanceAdmin:
    firstName: ## First name of admin user.
    lastName: ## Last name of admin user.
  identityProvider:
    type: oidc
    secretName: airbyte-config-secrets ## Name of your Kubernetes secret.
    oidc:
      domain: ## e.g. company.example
      app-name: ## e.g. airbyte
      clientIdSecretKey: client-id
      clientSecretSecretKey: client-secret
```

You can find more details on how to collect this information for various IDPs, such as Okta and Azure Entra ID, in the [SSO auth details guide](https://docs.airbyte.com/access-management/sso#set-up) ([source](https://docs.airbyte.com/enterprise-setup/implementation-guide#step-2-configure-your-deployment)).

2. Configure Ingress: You need to upgrade your ingress to include the new `/auth` path. Here is an example of how to do it:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: # ingress name, example: enterprise-demo
  annotations:
    ingress.kubernetes.io/ssl-redirect: "false"
spec:
  ingressClassName: nginx
  rules:
    - host: # host, example: enterprise-demo.airbyte.com
      http:
        paths:
          - backend:
              service:
                # format is ${RELEASE_NAME}-airbyte-webapp-svc
                name: airbyte-enterprise-airbyte-webapp-svc
                port:
                  number: 80 # service port, example: 8080
            path: /
            pathType: Prefix
          - backend:
              service:
                # format is ${RELEASE_NAME}-airbyte-keycloak-svc
                name: airbyte-enterprise-airbyte-keycloak-svc
                port:
                  number: 8180
            path: /auth
            pathType: Prefix
          - backend:
              service:
                # format is ${RELEASE_NAME}-airbyte-server-svc
                name: airbyte-enterprise-airbyte-server-svc
                port:
                  number: 8001
            path: /api/public
            pathType: Prefix
```

This configuration will ensure that the authentication path is included in your ingress ([source](https://docs.airbyte.com/enterprise-setup/upgrading-from-community#step-3-deploy-self-managed-enterprise)). After these configurations, when you log in, you should expect all connections, sources, and destinations to be present, and configured as prior.
m
@kapa.ai But can I simply do password and username ? How if so
k
A message from kapa.ai
m
@kapa.ai Isn’t it just the following block in the values.yaml auth; instanceAdmin:
k
Yes, you're correct. For setting up an instance admin with a username and password, you would need to add the following block to your `values.yaml` file:

```yaml
auth:
  instanceAdmin:
    firstName: ## First name of admin user.
    lastName: ## Last name of admin user.
```

In this block, `firstName` and `lastName` are placeholders for the admin user's first and last names. However, please note that this is part of the SSO (Single Sign-On) configuration and it's not the same as a simple username and password authentication. The `firstName` and `lastName` fields here are used to set up the instance admin details for SSO authentication ([source](https://docs.airbyte.com/enterprise-setup/implementation-guide#step-2-configure-your-deployment)). For instance admin email and password, you would need to add them to your Kubernetes secret. Here is an example:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: airbyte-config-secrets
type: Opaque
stringData:
  # Instance Admin
  instance-admin-email: ## e.g. [email protected]
  instance-admin-password: ## e.g. password
```

In this block, `instance-admin-email` and `instance-admin-password` are placeholders for the admin user's email and password ([source](https://docs.airbyte.com/enterprise-setup/implementation-guide#creating-a-kubernetes-secret)).
m
@kapa.ai Will configuring the email work on OSS?
k
No, configuring the email for instance admin as part of the SSO (Single Sign-On) setup is not available for the open-source version of Airbyte. The SSO setup is part of the enterprise features of Airbyte and is not included in the open-source version ([source](https://docs.airbyte.com/enterprise-setup/implementation-guide#step-2-configure-your-deployment)). For the open-source version of Airbyte, you can use Basic HTTP authentication which involves a username and password. This is typically done when setting up a source connector ([source](https://docs.airbyte.com/connector-development/connector-builder-ui/authentication#basic-http)).
m
@kapa.ai it says just an email required, no password. So this is my only option?
k
Yes, in some cases, only an email (or username) is required for authentication, and no password is needed. This is often the case with certain APIs, like the [Chargebee API](https://apidocs.chargebee.com/docs/api/auth?prod_cat_ver=2), where you simply leave the password input empty ([source](https://docs.airbyte.com/connector-development/connector-builder-ui/authentication#basic-http)). However, please note that the exact method of authentication can vary depending on the specific source connector you are using in Airbyte. It's always recommended to refer to the documentation of the specific source connector for the most accurate information on how to configure authentication.
m
@kapa.ai No, this is not about connections. This is for Airbyte itself.
k
I see, you're referring to the authentication for accessing the Airbyte application itself. In the open-source version of Airbyte, there is no built-in user authentication for accessing the Airbyte UI. Once you've deployed Airbyte, anyone who can access the URL can use it. If you need to secure access to your Airbyte instance, you would have to manage that at the network level. For example, you could restrict access to certain IP addresses, set up a VPN, or put Airbyte behind a proxy that handles authentication. The enterprise version of Airbyte, however, does support user authentication. It allows you to log in to the platform using your email, Google account, or GitHub account ([source](https://docs.airbyte.com/operating-airbyte/security#authentication)). If you're using the enterprise version, you can set the instance admin email in the `values.yaml` file as part of the SSO setup:

```yaml
auth:
  instanceAdmin:
    firstName: ## First name of admin user.
    lastName: ## Last name of admin user.
```

And add the instance admin email to your Kubernetes secret:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: airbyte-config-secrets
type: Opaque
stringData:
  # Instance Admin
  instance-admin-email: ## e.g. [email protected]
  instance-admin-password: ## e.g. password
```

([source](https://docs.airbyte.com/enterprise-setup/implementation-guide#creating-a-kubernetes-secret)). But again, these features are not available in the open-source version of Airbyte.
j
Heads-up, this is an area Kapa struggles with. When deploying using docker compose or abctl, there's basic auth by default (achieved by it deploying a simple nginx reverse proxy in front of the Airbyte deployment). In Helm/Kubernetes deployments, they assume you probably either have one set up or want to use another more secure option (and don't want to double-proxy everything). For example, I use Google Cloud Identity-Aware Proxy on the GCP side, which lets us auth users with their Google accounts and the API with service account-based tokens. Works great for us, and effectively sits between the Load Balancer and the cluster. I believe you can do something similar on AWS using the Systems Session Manager. (Unfortunately I'm not as familiar with doing this on the AWS stack.) The other option is just to run your own nginx instance, either on EKS or EC2, and only allow Airbyte to connect through that. You can see a sample config on their security page: https://docs.airbyte.com/operating-airbyte/security#network-security
m
I see. Thanks a lot Justin!
b
FYI, we are bringing an authentication solution into the product that should land sometime soon. At that time you will not need the nginx reverse proxy to provide basic auth. There will at that time be configuration in the values.yaml file to specify the username/password.
m
Oh, this is excellent! Appreciate the info 🙏