flyteorg · muskan-creates352 · Mar 13, 2026 · Mar 10, 2026 · Mar 10, 2026 · Mar 12, 2026
diff --git a/README.md b/README.md
@@ -4,8 +4,7 @@
 > - **Use Flyte locally?** Head to **[flyte-sdk](https://github.com/flyteorg/flyte-sdk)** — the new Python SDK for Flyte 2.
 > - **Want to contribute to the distributed backend?** See the **[`v2` branch](https://github.com/flyteorg/flyte/tree/v2)** of this repo.
 >
-> **The README below is for Flyte 1.x.**
-
+> Note: The README below is for Flyte 1.x.
 ---
 
 <p align="center">

diff --git a/charts/flyteconnector/README.md b/charts/flyteconnector/README.md
@@ -26,10 +26,13 @@ A Helm chart for Flyte connector
 | podAnnotations | object | `{}` | Annotations for flyteconnector pods |
 | podEnv | object | `{}` | Additional flyteconnector pod container environment variables |
 | podLabels | object | `{}` | Labels for flyteconnector pods |
-| podSecurityContext | object | `{}` | Security context for pod |
+| podSecurityContext | object | `{}` |  |
 | ports.containerPort | int | `8000` |  |
 | ports.name | string | `"connector-grpc"` |  |
 | priorityClassName | string | `""` | Sets priorityClassName for datacatalog pod(s). |
+| rbac | object | `{"enabled":false,"rules":[{"apiGroups":[""],"resources":["secrets"],"verbs":["get"]}]}` | RBAC configuration for flyteconnector Enable to allow the connector to read secrets across namespaces (required for per-project Databricks token authentication) |
+| rbac.enabled | bool | `false` | Should RBAC resources (ClusterRole/ClusterRoleBinding) be created for flyteconnector |
+| rbac.rules | list | `[{"apiGroups":[""],"resources":["secrets"],"verbs":["get"]}]` | Rules for the ClusterRole created for flyteconnector |
 | readinessProbe | object | `{"grpc":{"port":8000},"initialDelaySeconds":1,"periodSeconds":3}` | https://kubernetes.io/blog/2022/05/13/grpc-probes-now-in-beta/#trying-the-feature-out |
 | replicaCount | int | `1` | Replicas count for flyteconnector deployment |
 | resources | object | `{"limits":{"cpu":"500m","ephemeral-storage":"200Mi","memory":"300Mi"},"requests":{"cpu":"500m","ephemeral-storage":"200Mi","memory":"200Mi"}}` | Default resources requests and limits for flyteconnector deployment |

diff --git a/charts/flyteconnector/templates/connector/rbac.yaml b/charts/flyteconnector/templates/connector/rbac.yaml
@@ -0,0 +1,31 @@
+{{- if .Values.rbac.enabled }}
+{{- if $.Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+{{- end }}
+kind: ClusterRole
+metadata:
+  name: {{ template "flyte.namespace" . -}}-{{- template "flyteconnector.name" . }}
+  labels: {{ include "flyteconnector.labels" . | nindent 4 }}
+rules:
+  {{- toYaml .Values.rbac.rules | nindent 2 }}
+---
+{{- if $.Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+{{- end }}
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "flyte.namespace" . -}}-{{- template "flyteconnector.name" . }}
+  labels: {{ include "flyteconnector.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "flyte.namespace" . -}}-{{- template "flyteconnector.name" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "flyteconnector.name" . }}
+  namespace: {{ template "flyte.namespace" . }}
+{{- end }}
diff --git a/charts/flyteconnector/values.yaml b/charts/flyteconnector/values.yaml
@@ -55,6 +55,20 @@ serviceAccount:
   # -- ImagePullSecrets to automatically assign to the service account
   imagePullSecrets: []
 # -- Security context for pod
+# -- RBAC configuration for flyteconnector
+# Enable to allow the connector to read secrets across namespaces
+# (required for per-project Databricks token authentication)
+rbac:
+  # -- Should RBAC resources (ClusterRole/ClusterRoleBinding) be created for flyteconnector
+  enabled: false
+  # -- Rules for the ClusterRole created for flyteconnector
+  rules:
+    - apiGroups:
+        - ""
+      resources:
+        - secrets
+      verbs:
+        - get
 podSecurityContext: {}
 # -- Readiness probe for flyteconnector. Use readinessProbe: {} if connector doesn't implement grpc-health-checking service.
 # -- https://kubernetes.io/blog/2022/05/13/grpc-probes-now-in-beta/#trying-the-feature-out

diff --git a/docker/sandbox-bundled/manifests/complete-connector.yaml b/docker/sandbox-bundled/manifests/complete-connector.yaml
@@ -818,7 +818,7 @@ type: Opaque
 ---
 apiVersion: v1
 data:
-  haSharedSecret: QVFvWkR6MTFBeWVRWkIzMQ==
+  haSharedSecret: ZFpmeWZLVmZ6ZzhMV0psSQ==
   proxyPassword: ""
   proxyUsername: ""
 kind: Secret
@@ -1411,7 +1411,7 @@ spec:
     metadata:
       annotations:
         checksum/config: 8f50e768255a87f078ba8b9879a0c174c3e045ffb46ac8723d2eedbe293c8d81
-        checksum/secret: 3dc01bc4d059fe7cfd6ca3f7490d845687c83fed34a3c25125c98f061e144773
+        checksum/secret: 71159d2415422039ebe465274c540ff4c8c0182c7015bd85bb09cc081783a878
       labels:
         app: docker-registry
         release: flyte-sandbox

diff --git a/docker/sandbox-bundled/manifests/complete.yaml b/docker/sandbox-bundled/manifests/complete.yaml
@@ -799,7 +799,7 @@ type: Opaque
 ---
 apiVersion: v1
 data:
-  haSharedSecret: aERjSWllc0lpaXU3TW1ydQ==
+  haSharedSecret: b1lSRHRpdENtdGowWk1ZZw==
   proxyPassword: ""
   proxyUsername: ""
 kind: Secret
@@ -1359,7 +1359,7 @@ spec:
     metadata:
       annotations:
         checksum/config: 8f50e768255a87f078ba8b9879a0c174c3e045ffb46ac8723d2eedbe293c8d81
-        checksum/secret: c66800633a13747d593cc75f8d34685d393e3ea37247bd50543e62b4e6f4ec30
+        checksum/secret: 8394060dce1922bee28083015f7ba9ec188e2486c8600677a029263d32497a78
       labels:
         app: docker-registry
         release: flyte-sandbox

diff --git a/docker/sandbox-bundled/manifests/dev.yaml b/docker/sandbox-bundled/manifests/dev.yaml
@@ -495,7 +495,7 @@ metadata:
 ---
 apiVersion: v1
 data:
-  haSharedSecret: VFBweDNCTHNtelB4UTBKbQ==
+  haSharedSecret: RkhkcWpPZ21BS1NVNzNYaw==
   proxyPassword: ""
   proxyUsername: ""
 kind: Secret
@@ -926,7 +926,7 @@ spec:
     metadata:
       annotations:
         checksum/config: 8f50e768255a87f078ba8b9879a0c174c3e045ffb46ac8723d2eedbe293c8d81
-        checksum/secret: 095e3fa8df1438e232b708217c8a96adaac9b96414ec6237c31585298db31825
+        checksum/secret: 303a3c79c8841470d592eb349e62fbe5dcce82820f87a3d37d18693159a41799
       labels:
         app: docker-registry
         release: flyte-sandbox

@@ -112,3 +112,15 @@ such as workflow executions. The default values are enough to let you connect an
 
 Now that you have the sandbox cluster running, you can now go to the :ref:`User Guide <cookbook:userguide>` or
 :ref:`Tutorials <cookbook:tutorials>` to run tasks and workflows written in ``flytekit``, the Python SDK for Flyte.
+
+
+Stopping the Sandbox
+====================
+
+After finishing your testing or development work, you can stop the Flyte sandbox by running:
+
+.. prompt:: bash $
+
+   flytectl demo stop
+
+This command stops the running sandbox container on your local machine.
diff --git a/flyteadmin/auth/cookie_manager_test.go b/flyteadmin/auth/cookie_manager_test.go
@@ -315,6 +315,7 @@ func TestExtractAccessTokenFromCookies(t *testing.T) {
 		t.Logf("Cookie 1 raw decoded (first 50 bytes): %s", string(decoded[:50]))
 	}
 	s := securecookie.New(hashKey, blockKey)
+	s.MaxAge(0) // Disable timestamp validation so hardcoded cookies don't expire
 	var firstHalf string
 	err = s.Decode("flyte_at_1", cookieValue1, &firstHalf)
 	if err != nil {
@@ -323,6 +324,7 @@ func TestExtractAccessTokenFromCookies(t *testing.T) {
 		err2 := s2.Decode("flyte_at_1", cookieValue1, &firstHalf)
 		t.Logf("Error with validation enabled: %v", err2)
 	}
+
 	require.NoError(t, err)
 	t.Logf("First half of access token: %s", firstHalf)
 

diff --git a/flyteidl/clients/go/assets/admin.swagger.json b/flyteidl/clients/go/assets/admin.swagger.json
diff --git a/flyteidl/gen/pb-es/flyteidl/core/workflow_pb.ts b/flyteidl/gen/pb-es/flyteidl/core/workflow_pb.ts