elegant-toddler-67101
05/29/2023, 8:07 AM
flytectl
I deployed Flyte with Helm on GKE cluster using OIDC and OAuth2 with Okta.
The ingress is flyte.my.domain exposed by GKE ingress controller.
The console works perfectly.
This is what the config.yaml looks like:
admin:
  endpoint: dns:///flyte.my.domain
  authType: Pkce
  insecure: false
I keep getting this error:
PermissionDenied desc = unexpected HTTP status code received from server: 403 (Forbidden); malformed header: missing HTTP content-type
Am I missing something?
Would appreciate your help!
Thanks
thankful-minister-83577
thankful-minister-83577
elegant-toddler-67101
05/30/2023, 7:18 AM
flyte-admin-base-config configmap):
server.yaml: |
  auth:
    appAuth:
      authServerType: External
      externalAuthServer:
        allowedAudience: https://flyte.my.domain
        baseUrl: https://xxx.okta.com/oauth2/xxx
        metadataUrl: .well-known/oauth-authorization-server
      thirdPartyConfig:
        flyteClient:
          clientId: xxx
          redirectUri: http://localhost:53593/callback
          scopes:
          - offline
          - all
    authorizedUris:
    - https://flyte.my.domain
    - http://flyteadmin:80
    - http://flyteadmin.flyte.svc.cluster.local:80
    userAuth:
      openId:
        baseUrl: https://xxx.okta.com/oauth2/xxx
        clientId: xxx
        scopes:
        - profile
        - openid
        - offline_access
elegant-toddler-67101
05/30/2023, 7:21 AM
allowedAudience and metadataUrl to my auth configuration although it wasn’t specified in Flyte documentation. Otherwise I got JWT authentication errors in the admin and the scheduler was failing (CrashLoopBackOff status)…
thankful-minister-83577
thankful-minister-83577
thankful-minister-83577
thankful-minister-83577
thankful-minister-83577
elegant-toddler-67101
05/30/2023, 3:17 PM
elegant-toddler-67101
05/30/2023, 3:18 PM
➜ ~ flytectl get project
{"json":{"src":"viper.go:398"},"level":"debug","msg":"Config section [storage] updated. No update handler registered.","ts":"2023-05-30T18:17:39+03:00"}
{"json":{"src":"viper.go:398"},"level":"debug","msg":"Config section [root] updated. No update handler registered.","ts":"2023-05-30T18:17:39+03:00"}
{"json":{"src":"viper.go:400"},"level":"debug","msg":"Config section [admin] updated. Firing updated event.","ts":"2023-05-30T18:17:39+03:00"}
{"json":{"src":"client.go:63"},"level":"info","msg":"Initialized Admin client","ts":"2023-05-30T18:17:39+03:00"}
{"json":{"src":"auth_interceptor.go:67"},"level":"debug","msg":"Request failed due to [rpc error: code = PermissionDenied desc = unexpected HTTP status code received from server: 403 (Forbidden); malformed header: missing HTTP content-type]. If it's an unauthenticated error, we will attempt to establish an authenticated context.","ts":"2023-05-30T18:17:41+03:00"}
Error: rpc error: code = PermissionDenied desc = unexpected HTTP status code received from server: 403 (Forbidden); malformed header: missing HTTP content-type
{"json":{"src":"main.go:13"},"level":"error","msg":"rpc error: code = PermissionDenied desc = unexpected HTTP status code received from server: 403 (Forbidden); malformed header: missing HTTP content-type","ts":"2023-05-30T18:17:41+03:00"}
thankful-minister-83577
elegant-toddler-67101
05/30/2023, 3:21 PM
{"json":{"src":"handlers.go:248"},"level":"info","msg":"Failed to parse Access Token from context. Will attempt to find IDToken. Error: [JWT_VERIFICATION_FAILED] Could not retrieve bearer token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with Bearer","ts":"2023-05-30T15:19:39Z"}
{"json":{"src":"handlers.go:194"},"level":"debug","msg":"gRPC server info in logging interceptor [00uw6098hCJ7P4hXU5d6]method [/flyteidl.service.AdminService/ListProjects]\n","ts":"2023-05-30T15:19:40Z"}
{"json":{"src":"handlers.go:194"},"level":"debug","msg":"gRPC server info in logging interceptor [00uw6098hCJ7P4hXU5d6]method [/flyteidl.service.IdentityService/UserInfo]\n","ts":"2023-05-30T15:19:40Z"}
{"json":{"src":"handlers.go:194"},"level":"debug","msg":"gRPC server info in logging interceptor [00uw6098hCJ7P4hXU5d6]method [/flyteidl.service.AdminService/GetVersion]\n","ts":"2023-05-30T15:19:40Z"}
2023/05/30 15:19:40 /go/pkg/mod/gorm.io/gorm@v1.24.1-0.20221019064659-5dd2bb482755/callbacks.go:134
[44.060ms] [rows:5] SELECT * FROM "projects" WHERE state != 1 ORDER BY identifier asc
thankful-minister-83577
thankful-minister-83577
thankful-minister-83577
pip install --no-deps -U --force-reinstall "https://github.com/flyteorg/flytekit/archive/<sha>.zip#egg=flytekit"
thankful-minister-83577
$ FLYTE_SDK_LOGGING_LEVEL=10 python
from flyteidl.admin.project_pb2 import ProjectListRequest
from flytekit.remote.remote import FlyteRemote
from flytekit.configuration import Config
rr = FlyteRemote(Config.auto())
rr.client.list_projects(ProjectListRequest())
elegant-toddler-67101
05/30/2023, 5:53 PM
elegant-toddler-67101
05/30/2023, 5:53 PM
_InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
status = StatusCode.PERMISSION_DENIED
details = "Received http2 header with status: 403"
debug_error_string = "UNKNOWN:Error received from peer {grpc_message:"Received http2 header with status: 403", grpc_status:7,
created_time:"2023-05-30T20:53:33.194957+03:00"}"
elegant-toddler-67101
05/30/2023, 5:57 PM
thankful-minister-83577
thankful-minister-83577
thankful-minister-83577
thankful-minister-83577
thankful-minister-83577
elegant-toddler-67101
05/30/2023, 8:11 PM
elegant-toddler-67101
06/01/2023, 4:29 PM
thankful-minister-83577