Add allowedAudience to flyte-core external auth deployment documentation

[mwaylonis]

Why are the changes needed?

This adds documentation to the auth config for flyte-core deployments with Okta. In the case where flyteadmin is running in the same cluster as flytepropeller/flytescheduler, the authentication request from flytescheduler to flyteadmin is made using http://flyteadmin:80. flyteadmin uses the domain in the request to validate the audience in the JWT returned by okta (code reference). This causes a mismatch between the JWT audience and the expectedAudience when the auth request originates from flytescheduler within the same cluster. The allowedAudience setting takes precedence over the URL extracted from the request, so setting this property in the values file fixes the issue.

What changes were proposed in this pull request?

This is only a documentation change

How was this patch tested?

Tested with the latest helm chart

Check all the applicable boxes

• I updated the documentation accordingly.
• All new and existing tests passed.
• All commits are signed-off.

Docs link

Summary by Bito

This PR updates deployment documentation for flyte-core, adding specific Okta authentication configuration details. It provides guidance on setting allowedAudience parameters and modifying deployment URLs for proper token validation, addressing JWT audience mismatch issues when components are co-deployed.

Unit tests added: False

Estimated effort to review (1-5, lower is better): 1

[welcome]

Thank you for opening this pull request! 🙌

These tips will help get your PR across the finish line:

• Most of the repos have a PR template; if not, fill it out to the best of your knowledge.
• Sign off your commits (Reference: DCO Guide).

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 33.82%. Comparing base (2842e5d) to head (fbc09e3).
Report is 938 commits behind head on master.

❗ There is a different number of reports uploaded between BASE (2842e5d) and HEAD (fbc09e3). Click for more details.

HEAD has 13 uploads less than BASE

Flag	BASE (2842e5d)	HEAD (fbc09e3)
	6	0
unittests	7	0

Additional details and impacted files

@@             Coverage Diff             @@
##           master    #5124       +/-   ##
===========================================
- Coverage   59.00%   33.82%   -25.19%     
===========================================
  Files         645     1329      +684     
  Lines       55672   147814    +92142     
===========================================
+ Hits        32850    49994    +17144     
- Misses      20226    92978    +72752     
- Partials     2596     4842     +2246     

Flag	Coverage Δ
unittests	?
unittests-datacatalog	48.01% <ø> (?)
unittests-flyteadmin	50.09% <ø> (?)
unittests-flytecopilot	30.99% <ø> (?)
unittests-flytectl	58.09% <ø> (?)
unittests-flyteidl	6.78% <ø> (?)
unittests-flyteplugins	49.01% <ø> (?)
unittests-flytepropeller	36.52% <ø> (?)
unittests-flytestdlib	50.38% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[welcome]

Congrats on merging your first pull request! 🎉

[flyte-bot]

Code Review Agent Run #d75807

Actionable Suggestions - 0

Review Details

• Files reviewed - 1 · Commit Range: e31eee0..fbc09e3

  • docs/deployment/configuration/auth_setup.rst
• Files skipped - 0
• Tools

  • Golangci-lint (Linter) - ✖︎ Failed
  • Whispers (Secret Scanner) - ✔︎ Successful
  • Detect-secrets (Secret Scanner) - ✔︎ Successful

---

AI Code Review powered by

[flyte-bot]

Changelist by Bito

This pull request implements the following key changes.

Key Change	Files Impacted
Documentation - External Auth Documentation Update	- auth_setup.rst - Introduced new instructions to configure allowedAudience for external auth and provided guidance to replace the deployment URL, ensuring proper JWT token validation.