https://flyte.org logo
#flyte-deployment
Title
# flyte-deployment
a

Ariel Kaspit

05/28/2023, 9:54 AM
TLDR; Trying to configure flytectl CLI with SSO whatever? Hello everyone! I deployed Flyte on our GKE cluster using Helm. I followed the documentation about Authenticating and the console works perfectly with our IdP (Okta) using OIDC and OAuth2. Next step is working with the CLI, but the configuration for flytectl is very confusing and I keep getting this error:
Error: rpc error: code = PermissionDenied desc = unexpected HTTP status code received from server: 403 (Forbidden); malformed header: missing HTTP content-type
Flyte’s `config.yaml`:
Copy code
admin:
  endpoint: dns:///flyte.mydomain
  authType: Pkce
  insecure: false
What am I missing? Thanks in advanced 🙂 Ariel
k

Ketan (kumare3)

05/28/2023, 2:04 PM
They can simply use pkce auth, it will automatically prompt
Also if you are using Okta you can use device flow
a

Ariel Kaspit

05/28/2023, 2:59 PM
Thank you @Ketan (kumare3) So using pkce auth, should I change something in Okta application configuration? This is how it is set right now
k

Ketan (kumare3)

05/28/2023, 3:02 PM
You always have pkce, for device flow there are some options
a

Ariel Kaspit

05/28/2023, 3:15 PM
ok so I guess my config.yaml should look like that:
Copy code
admin:
  endpoint: dns:///flyte.mydomain
  authType: Pkce
  insecure: false
Correct? What’s the next steps? Since I keep getting this error:
PermissionDenied desc = unexpected HTTP status code received from server: 403 (Forbidden); malformed header: missing HTTP content-type
@Ketan (kumare3) I added also my auth config if that’s helpful… I followed the documentation for Flyte Authentication, so we have in Okta 3 applications: Flyte (Flyteadmin), Flytectl and Flytepropeller. The auth config (from
flyte-admin-base-config
configmap):
Copy code
server.yaml: |
    auth:
      appAuth:
        authServerType: External
        externalAuthServer:
          allowedAudience: <https://flyte.my.domain>
          baseUrl: <https://xxx.okta.com/oauth2/xxx>
          metadataUrl: .well-known/oauth-authorization-server
        thirdPartyConfig:
          flyteClient:
            clientId: xxx
            redirectUri: <http://localhost:53593/callback>
            scopes:
            - offline
            - all
      authorizedUris:
      - <https://flyte.my.domain>
      - <http://flyteadmin:80>
      - <http://flyteadmin.flyte.svc.cluster.local:80>
      userAuth:
        openId:
          baseUrl: <https://xxx.okta.com/oauth2/xxx>
          clientId: xxx
          scopes:
          - profile
          - openid
          - offline_access
By the way, I added these following specs
allowedAudience
and
metadataUrl
to my auth configuration although it wasn’t specified in Flyte documentation. Otherwise I got JWT authentication errors in the admin and the scheduler was failing (crashloopback status)…
s

Samhita Alla

05/30/2023, 3:59 PM
cc @David Espejo (he/him)
d

David Espejo (he/him)

05/30/2023, 5:55 PM
discussion moved to #flyte-on-gcp
89 Views