I have deployed flyte on k8s using the flyte-binary helm chart. I set create=true for ingress in val...

gorgeous-beach-23305

05/17/2023, 7:33 PM

I have deployed flyte on k8s using the flyte-binary helm chart. I set create=true for ingress in values.yaml and it created the dns records and 2 ingresses, one for http and one for grpc.

Copy code

NAME                        CLASS    HOSTS                                       ADDRESS                                                                            PORTS   AGE
orchestrator-grpc   <none>   <http://orchestrator.playground.cloud.abc.com|orchestrator.playground.cloud.abc.com>   <http://b37bbe12aafaf42a7b06f611f91b07bd-7362ba7e14b8b74e.elb.eu-central-1.amazonaws.com|b37bbe12aafaf42a7b06f611f91b07bd-7362ba7e14b8b74e.elb.eu-central-1.amazonaws.com>   80      3h41m
orchestrator-http   <none>   <http://orchestrator.playground.cloud.abc.com|orchestrator.playground.cloud.abc.com>   <http://b37bbe12aafaf42a7b06f611f91b07bd-7362ba7e14b8b74e.elb.eu-central-1.amazonaws.com|b37bbe12aafaf42a7b06f611f91b07bd-7362ba7e14b8b74e.elb.eu-central-1.amazonaws.com>   80      3h41m

1. When I list the ingresses, I get this. As you can see the hostnames for both the ingresses are same. Is this expected? I am told that this could be a problem. Also, is there anything needed to be done for the webhook service? like setting up an ingress or anything to handle https traffic? 2. We are using nginx ingress controller and cert-manager to provision certificates in k8s. To set up nginx to use the certificate provided by cert-manager, 2 things are required - a) annotation specifying the cert-manager / issuer -

<http://cert-manager.io/cluster-issuer|cert-manager.io/cluster-issuer>: "abc-issuer"

and b) in the ingress spec, a tls section needs to be added like so -

Copy code

tls:
  - hosts:
    - <http://echo1.example.com|echo1.example.com>
    - <http://echo2.example.com|echo2.example.com>
    secretName: echo-tls

As shown here in the cert-manager docs. However, the flyte-binary ingress template does not have these elements to be overridden from values.yaml. I tried adding the spec section in values.yaml, but this does not work.

Copy code

spec:
    tls:
      hosts:
        - "${app_name}.${env}.<http://cloud.abc.com|cloud.abc.com>"
      secretName: "${app_name}.${env}.<http://cloud.abc.com|cloud.abc.com>"

At this point, with the dns configured, the UI works, but without setting up SSL, grpc will not work, so we are not able to register workflow. Please let me know if anyone has faced this issue and found a resolution. Thanks!

average-finland-92144

05/17/2023, 7:58 PM

HI @gorgeous-beach-23305 1. Yes, it's expected. If you

describe

each one of the Ingress resources you'll see that, despite using the same host name, the controller will route traffic to the corresponding service depending on the path (multiplexor pattern). I don't think there's anything you need to do for the

webhook

service

average-finland-92144

05/17/2023, 7:59 PM

2. In

values.yaml

under

commonAnnotations

you can add the required annotations for, in this case, Ingress resource:

Copy code

commonAnnotations:
  ingress:
    <http://cert-manager.io/cluster-issuer|cert-manager.io/cluster-issuer>: nameOfClusterIssuer

...

average-finland-92144

05/17/2023, 8:13 PM

regarding the `tls`section, I'm looking at what can be done besides patching the deployed Ingress

average-finland-92144

05/17/2023, 8:15 PM

definitely would be a great addition to Flyte the Hard Way (currently uses only ACM/Route53)

gorgeous-beach-23305

05/17/2023, 8:40 PM

@average-finland-92144 Yes please! That will be helpful. There is a root commonAnnotations and there is an ingress.commonAnnotations. I have added the

<http://cert-manager.io/cluster-issuer|cert-manager.io/cluster-issuer>: nameOfClusterIssuer

in the latter and it did not work. That is why I am thinking it might need the

tls

section because it said so in the cert-manager docs. Should it be added in the root commonAnnotations as you have shown above?

average-finland-92144

05/17/2023, 9:12 PM

I don't think so. Whatever you put as annotation there will be merged with the base config as an annotation, not a new

spec

section

gorgeous-beach-23305

05/18/2023, 5:21 AM

Hi @average-finland-92144 / @freezing-boots-56761, any ideas on how to inject the tls section?

freezing-boots-56761

05/18/2023, 5:34 AM

The cleanest way will be to extend the helm chart with support for specifying the tls block

freezing-boots-56761

05/18/2023, 1:16 PM

@gorgeous-beach-23305 spent a bit more time reading through the thread. are you terminating SSL at the nginx ingress controller instead of ELB?

freezing-boots-56761

05/18/2023, 1:17 PM

if terminating at ELB, you shouldn’t need cert-manager or the TLS block on the ingress object.

freezing-boots-56761

05/18/2023, 1:19 PM

Also, for my own clarity, is the nginx ingress controller just for Flyte, or are there other applications served through the same controller?

gorgeous-beach-23305

05/18/2023, 1:48 PM

We are terminating SSL at nginx ingress controller and the controller serves other applications as well.

👍 1

freezing-boots-56761

05/18/2023, 1:58 PM

Ok then we should add a TLS block to the helm chart ingress template. Would you be open to creating a PR with the change? :)

gorgeous-beach-23305

05/18/2023, 2:41 PM

Sure 🙂 I just did that on our side to get it working!

🙏 1

shy-family-76866

05/31/2023, 1:47 PM

@gorgeous-beach-23305 @freezing-boots-56761 This is a great discussion and I am running into the same issue. Would either of you be able to point me to where this is being worked on or where there is a working version? Also, happy to contribute but still learning Flyte's project structure. 😅

freezing-boots-56761

05/31/2023, 1:51 PM

@shy-family-76866 i haven’t seen a PR for a TLS block in the ingress object. @gorgeous-beach-23305?

164 Views

Open in Slack

Previous Next

Flyte

Flyte enables production-grade orchestration for machine learning workflows and data processing created to accelerate local workflows to production.