# flyte-deployment
a
TLDR; Trying to configure flytectl CLI with SSO whatever? Hello everyone! I deployed Flyte on our GKE cluster using Helm. I followed the documentation about Authenticating and the console works perfectly with our IdP (Okta) using OIDC and OAuth2. Next step is working with the CLI, but the configuration for flytectl is very confusing and I keep getting this error:
Error: rpc error: code = PermissionDenied desc = unexpected HTTP status code received from server: 403 (Forbidden); malformed header: missing HTTP content-type
Flyte’s `config.yaml`:
```yaml
admin:
  endpoint: dns:///flyte.mydomain
  authType: Pkce
  insecure: false
```
What am I missing? Thanks in advance 🙂 Ariel
k
They can simply use pkce auth, it will automatically prompt
Also if you are using Okta you can use device flow
a
Thank you @Ketan (kumare3) So using pkce auth, should I change something in Okta application configuration? This is how it is set right now
k
You always have pkce, for device flow there are some options
a
ok so I guess my config.yaml should look like that:
```yaml
admin:
  endpoint: dns:///flyte.mydomain
  authType: Pkce
  insecure: false
```
Correct? What are the next steps? Since I keep getting this error:
PermissionDenied desc = unexpected HTTP status code received from server: 403 (Forbidden); malformed header: missing HTTP content-type
@Ketan (kumare3) I added also my auth config if that’s helpful… I followed the documentation for Flyte Authentication, so we have in Okta 3 applications: Flyte (Flyteadmin), Flytectl and Flytepropeller. The auth config (from the `flyte-admin-base-config` configmap):
```yaml
server.yaml: |
    auth:
      appAuth:
        authServerType: External
        externalAuthServer:
          allowedAudience: https://flyte.my.domain
          baseUrl: https://xxx.okta.com/oauth2/xxx
          metadataUrl: .well-known/oauth-authorization-server
        thirdPartyConfig:
          flyteClient:
            clientId: xxx
            redirectUri: http://localhost:53593/callback
            scopes:
            - offline
            - all
      authorizedUris:
      - https://flyte.my.domain
      - http://flyteadmin:80
      - http://flyteadmin.flyte.svc.cluster.local:80
      userAuth:
        openId:
          baseUrl: https://xxx.okta.com/oauth2/xxx
          clientId: xxx
          scopes:
          - profile
          - openid
          - offline_access
```
By the way, I added the following specs `allowedAudience` and `metadataUrl` to my auth configuration although they weren’t specified in the Flyte documentation. Otherwise I got JWT authentication errors in the admin and the scheduler was failing (CrashLoopBackOff status)…
s
cc @David Espejo (he/him)
d
discussion moved to #flyte-on-gcp