PrefectHQ · parkedwards · Jan 24, 2025 · Jan 24, 2025 · Jan 24, 2025 · Jan 24, 2025
@@ -24,6 +24,34 @@ kubectl port-forward svc/prefect-server 4200:4200
 
 Note: If you choose to make modifications to either the `server.prefectApiUrl` or `service.port`, make sure to update the other value with the updated port!
 
+### Basic Auth
+
+Prefect documentation on [basic auth](https://docs.prefect.io/v3/develop/settings-and-profiles#security-settings)
+
+Self-hosted Prefect servers can be equipped with a Basic Authentication string for an administrator/password combination.
+
+The format of the auth string is `admin:<my-password>` (no brackets).
+
+```yaml
+server:
+  basicAuth:
+    enabled: true
+    authString: "admin:pass"
+```
+
+Alternatively, you can provide an existing Kubernetes Secret containing the auth string credentials. The secret must contain a key `auth-string` with the value of the auth string.
+
+```sh
+kubectl create secret generic prefect-basic-auth --from-literal=auth-string='admin:my-password'
+```
+
+```yaml
+server:
+  basicAuth:
+    enabled: true
+    existingSecret: prefect-basic-auth
+```
+
 ## Background Services Configuration
 
 The Prefect server includes background services related to scheduling and cleanup. By default, these run in the same deployment as the web server, but they can be separated for better resource management and scalability.
@@ -202,7 +230,7 @@ the HorizontalPodAutoscaler.
 | backgroundServices.resources.limits | object | `{"cpu":"1","memory":"1Gi"}` | the requested limits for the background-services container |
 | backgroundServices.resources.requests | object | `{"cpu":"500m","memory":"512Mi"}` | the requested resources for the background-services container |
 | backgroundServices.revisionHistoryLimit | int | `10` | the number of old ReplicaSets to retain to allow rollback |
-| backgroundServices.runAsSeparateDeployment | bool | `false` | Run background services (like scheduling) in a separate deployment. |
+| backgroundServices.runAsSeparateDeployment | bool | `false` |  |
 | backgroundServices.serviceAccount.annotations | object | `{}` | additional service account annotations (evaluated as a template) |
 | backgroundServices.serviceAccount.create | bool | `true` | specifies whether a service account should be created |
 | backgroundServices.serviceAccount.name | string | `""` | the name of the service account to use. if not set and create is true, a name is generated using the common.names.fullname template with "-background-services" appended |
@@ -253,6 +281,9 @@ the HorizontalPodAutoscaler.
 | server.autoscaling.minReplicas | int | `1` | minimum number of server replicas |
 | server.autoscaling.targetCPU | int | `80` | target CPU utilization percentage |
 | server.autoscaling.targetMemory | int | `80` | target Memory utilization percentage |
+| server.basicAuth.authString | string | `"admin:pass"` | basic auth credentials in the format admin:<your-password> (no brackets) |
+| server.basicAuth.enabled | bool | `false` | enable basic auth for the server, for an administrator/password combination |
+| server.basicAuth.existingSecret | string | `""` | name of existing secret containing basic auth credentials. takes precedence over authString. must contain a key `auth-string` with the value of the auth string |
 | server.containerSecurityContext.allowPrivilegeEscalation | bool | `false` | set server containers' security context allowPrivilegeEscalation |
 | server.containerSecurityContext.capabilities | object | `{}` | set server container's security context capabilities |
 | server.containerSecurityContext.readOnlyRootFilesystem | bool | `true` | set server containers' security context readOnlyRootFilesystem |
@@ -279,6 +310,7 @@ the HorizontalPodAutoscaler.
 | server.podSecurityContext.fsGroup | int | `1001` | set server pod's security context fsGroup |
 | server.podSecurityContext.runAsNonRoot | bool | `true` | set server pod's security context runAsNonRoot |
 | server.podSecurityContext.runAsUser | int | `1001` | set server pod's security context runAsUser |
+| server.podSecurityContext.seccompProfile | object | `{"type":"RuntimeDefault"}` | set server pod's seccomp profile |
 | server.priorityClassName | string | `""` | priority class name to use for the server pods; if the priority class is empty or doesn't exist, the server pods are scheduled without a priority class |
 | server.readinessProbe.config.failureThreshold | int | `3` | The number of consecutive failures allowed before considering the probe as failed. |
 | server.readinessProbe.config.initialDelaySeconds | int | `10` | The number of seconds to wait before starting the first probe. |

@@ -23,6 +23,34 @@ kubectl port-forward svc/prefect-server 4200:4200
 
 Note: If you choose to make modifications to either the `server.prefectApiUrl` or `service.port`, make sure to update the other value with the updated port!
 
+### Basic Auth
+
+Prefect documentation on [basic auth](https://docs.prefect.io/v3/develop/settings-and-profiles#security-settings)
+
+Self-hosted Prefect servers can be equipped with a Basic Authentication string for an administrator/password combination.
+
+The format of the auth string is `admin:<my-password>` (no brackets).
+
+```yaml
+server:
+  basicAuth:
+    enabled: true
+    authString: "admin:pass"
+```
+
+Alternatively, you can provide an existing Kubernetes Secret containing the auth string credentials. The secret must contain a key `auth-string` with the value of the auth string.
+
+```sh
+kubectl create secret generic prefect-basic-auth --from-literal=auth-string='admin:my-password'
+```
+
+```yaml
+server:
+  basicAuth:
+    enabled: true
+    existingSecret: prefect-basic-auth
+```
+
 ## Background Services Configuration
 
 The Prefect server includes background services related to scheduling and cleanup. By default, these run in the same deployment as the web server, but they can be separated for better resource management and scalability.

@@ -110,6 +110,17 @@ spec:
                   name: {{ include "server.postgres-string-secret-name" . }}
                   key: connection-string
               {{- end }}
+            {{- if .Values.server.basicAuth.enabled }}
+            - name: PREFECT_SERVER_API_AUTH_STRING
+            {{- if .Values.server.basicAuth.existingSecret }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.server.basicAuth.existingSecret }}
+                  key: auth-string
+            {{- else }}
+              value: {{ .Values.server.basicAuth.authString | quote }}
+            {{- end }}
+            {{- end }}
             {{- if .Values.global.prefect.env }}
             {{- include "common.tplvalues.render" (dict "value" .Values.global.prefect.env "context" $) | nindent 12 }}
             {{- end }}

@@ -4,6 +4,43 @@ release:
   namespace: prefect
 
 tests:
+  - it: Should not set basic auth by default
+    asserts:
+      - template: server-deployment.yaml
+        notContains:
+          path: .spec.template.spec.containers[0].env
+          content:
+            name: PREFECT_SERVER_API_AUTH_STRING
+
+  - it: Should set basic auth from authString
+    set:
+      server:
+        basicAuth:
+          enabled: true
+          authString: "admin:mypassword"
+    asserts:
+      - template: server-deployment.yaml
+        equal:
+          path: .spec.template.spec.containers[0].env[?(@.name == "PREFECT_SERVER_API_AUTH_STRING")].value
+          value: "admin:mypassword"
+
+  - it: Should set basic auth from existing secret
+    set:
+      server:
+        basicAuth:
+          enabled: true
+          existingSecret: "my-auth-secret"
+    asserts:
+      - template: server-deployment.yaml
+        contains:
+          path: .spec.template.spec.containers[0].env
+          content:
+            name: PREFECT_SERVER_API_AUTH_STRING
+            valueFrom:
+              secretKeyRef:
+                name: my-auth-secret
+                key: auth-string
+
   - it: Should set the correct image and tag
     asserts:
       - template: server-deployment.yaml

@@ -93,6 +93,28 @@
       "description": "server configuration",
       "additionalProperties": false,
       "properties": {
+        "basicAuth": {
+          "type": "object",
+          "title": "Basic Auth",
+          "description": "basic auth configuration",
+          "properties": {
+            "enabled": {
+              "type": "boolean",
+              "title": "Enabled",
+              "description": "enable basic auth for the server, for an administrator/password combination"
+            },
+            "authString": {
+              "type": "string",
+              "title": "Auth String",
+              "description": "basic auth credentials in the format admin:<your-password> (no brackets)"
+            },
+            "existingSecret": {
+              "type": "string",
+              "title": "Existing Secret",
+              "description": "name of existing secret containing basic auth credentials. takes precedence over authString. must contain a key `auth-string` with the value of the auth string"
+            }
+          }
+        },
         "image": {
           "type": "object",
           "title": "Image",

@@ -46,6 +46,15 @@ global:
 
 ## Server Deployment Configuration
 server:
+  # ref: https://docs.prefect.io/v3/develop/settings-and-profiles#security-settings
+  basicAuth:
+    # -- enable basic auth for the server, for an administrator/password combination
+    enabled: false
+    # -- basic auth credentials in the format admin:<your-password> (no brackets)
+    authString: "admin:pass"
+    # -- name of existing secret containing basic auth credentials. takes precedence over authString. must contain a key `auth-string` with the value of the auth string
+    existingSecret: ""
+
   # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass
   # -- priority class name to use for the server pods; if the priority class is empty or doesn't exist, the server pods are scheduled without a priority class
   priorityClassName: ""

@@ -173,7 +173,35 @@ Workers each have a type corresponding to the execution environment to which the
 
     You should see the Prefect worker pod running
 
-## FAQ
+## Additional Worker Configurations
+
+### Basic Auth
+
+Prefect documentation on [basic auth](https://docs.prefect.io/v3/develop/settings-and-profiles#security-settings)
+
+Self-hosted Prefect servers can be equipped with a Basic Authentication string for an administrator/password combination. Assuming you are running a self-hosted server with basic auth enabled, you can authenticate your worker with the same credentials.
+
+The format of the auth string is `admin:<my-password>` (no brackets).
+
+```yaml
+worker:
+  basicAuth:
+    enabled: true
+    authString: "admin:pass"
+```
+
+Alternatively, you can provide an existing Kubernetes Secret containing the auth string credentials. The secret must contain a key `auth-string` with the value of the auth string.
+
+```sh
+kubectl create secret generic prefect-basic-auth --from-literal=auth-string='admin:my-password'
+```
+
+```yaml
+worker:
+  basicAuth:
+    enabled: true
+    existingSecret: prefect-basic-auth
+```
 
 ### Deploying multiple workers to a single namespace
 
@@ -283,6 +311,9 @@ worker:
 | worker.autoscaling.minReplicas | int | `1` | minimum number of replicas to scale down to |
 | worker.autoscaling.targetCPUUtilizationPercentage | int | `80` | target CPU utilization percentage for scaling the worker |
 | worker.autoscaling.targetMemoryUtilizationPercentage | int | `80` | target memory utilization percentage for scaling the worker |
+| worker.basicAuth.authString | string | `"admin:pass"` | basic auth credentials in the format admin:<your-password> (no brackets) |
+| worker.basicAuth.enabled | bool | `false` | enable basic auth for the worker, for an administrator/password combination. must be enabled on the server as well |
+| worker.basicAuth.existingSecret | string | `""` | name of existing secret containing basic auth credentials. takes precedence over authString. must contain a key `auth-string` with the value of the auth string |
 | worker.cloudApiConfig.accountId | string | `""` | prefect account ID |
 | worker.cloudApiConfig.apiKeySecret.key | string | `"key"` | prefect API secret key |
 | worker.cloudApiConfig.apiKeySecret.name | string | `"prefect-api-key"` | prefect API secret name |
@@ -339,6 +370,7 @@ worker:
 | worker.podSecurityContext.fsGroup | int | `1001` | set worker pod's security context fsGroup |
 | worker.podSecurityContext.runAsNonRoot | bool | `true` | set worker pod's security context runAsNonRoot |
 | worker.podSecurityContext.runAsUser | int | `1001` | set worker pod's security context runAsUser |
+| worker.podSecurityContext.seccompProfile | object | `{"type":"RuntimeDefault"}` | set worker pod's seccomp profile |
 | worker.priorityClassName | string | `""` | priority class name to use for the worker pods; if the priority class is empty or doesn't exist, the worker pods are scheduled without a priority class |
 | worker.replicaCount | int | `1` | number of worker replicas to deploy |
 | worker.resources.limits | object | `{"cpu":"1000m","memory":"1Gi"}` | the requested limits for the worker container |

@@ -173,7 +173,35 @@ Workers each have a type corresponding to the execution environment to which the
 
     You should see the Prefect worker pod running
 
-## FAQ
+## Additional Worker Configurations
+
+### Basic Auth
+
+Prefect documentation on [basic auth](https://docs.prefect.io/v3/develop/settings-and-profiles#security-settings)
+
+Self-hosted Prefect servers can be equipped with a Basic Authentication string for an administrator/password combination. Assuming you are running a self-hosted server with basic auth enabled, you can authenticate your worker with the same credentials.
+
+The format of the auth string is `admin:<my-password>` (no brackets).
+
+```yaml
+worker:
+  basicAuth:
+    enabled: true
+    authString: "admin:pass"
+```
+
+Alternatively, you can provide an existing Kubernetes Secret containing the auth string credentials. The secret must contain a key `auth-string` with the value of the auth string.
+
+```sh
+kubectl create secret generic prefect-basic-auth --from-literal=auth-string='admin:my-password'
+```
+
+```yaml
+worker:
+  basicAuth:
+    enabled: true
+    existingSecret: prefect-basic-auth
+```
 
 ### Deploying multiple workers to a single namespace
 

@@ -201,6 +201,17 @@ spec:
             {{- end }}
             - name: PREFECT_DEBUG_MODE
               value: {{ .Values.worker.image.debug | quote }}
+            {{- if .Values.worker.basicAuth.enabled }}
+            - name: PREFECT_API_AUTH_STRING
+            {{- if .Values.worker.basicAuth.existingSecret }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.worker.basicAuth.existingSecret }}
+                  key: auth-string
+            {{- else }}
+              value: {{ .Values.worker.basicAuth.authString | quote }}
+            {{- end }}
+            {{- end }}
             {{- if .Values.worker.extraEnvVars }}
             {{- include "common.tplvalues.render" (dict "value" .Values.worker.extraEnvVars "context" $) | nindent 12 }}
             {{- end }}

@@ -8,6 +8,43 @@ values:
   - ./required_values.yaml
 
 tests:
+  - it: Should not set basic auth by default
+    asserts:
+      - template: deployment.yaml
+        notContains:
+          path: .spec.template.spec.containers[0].env
+          content:
+            name: PREFECT_API_AUTH_STRING
+
+  - it: Should set basic auth from authString
+    set:
+      worker:
+        basicAuth:
+          enabled: true
+          authString: "admin:mypassword"
+    asserts:
+      - template: deployment.yaml
+        equal:
+          path: .spec.template.spec.containers[0].env[?(@.name == "PREFECT_API_AUTH_STRING")].value
+          value: "admin:mypassword"
+
+  - it: Should set basic auth from existing secret
+    set:
+      worker:
+        basicAuth:
+          enabled: true
+          existingSecret: "my-auth-secret"
+    asserts:
+      - template: deployment.yaml
+        contains:
+          path: .spec.template.spec.containers[0].env
+          content:
+            name: PREFECT_API_AUTH_STRING
+            valueFrom:
+              secretKeyRef:
+                name: my-auth-secret
+                key: auth-string
+
   - it: Should set extra init containers
     set:
       worker:

@@ -67,6 +67,28 @@
             }
           }
         },
+        "basicAuth": {
+          "type": "object",
+          "title": "Basic Auth",
+          "description": "basic auth configuration",
+          "properties": {
+            "enabled": {
+              "type": "boolean",
+              "title": "Enabled",
+              "description": "enable basic auth for the worker, for an administrator/password combination. must be enabled on the server as well"
+            },
+            "authString": {
+              "type": "string",
+              "title": "Auth String",
+              "description": "basic auth credentials in the format admin:<your-password> (no brackets)"
+            },
+            "existingSecret": {
+              "type": "string",
+              "title": "Existing Secret",
+              "description": "name of existing secret containing basic auth credentials. takes precedence over authString. must contain a key `auth-string` with the value of the auth string"
+            }
+          }
+        },
         "clusterUid": {
           "type": "string",
           "title": "Cluster UID",