Ariel Kaspit
05/29/2023, 8:07 AM
flytectl
I deployed Flyte with Helm on a GKE cluster using OIDC and OAuth2 with Okta.
The ingress is flyte.my.domain, exposed by the GKE ingress controller.
The console works perfectly.
This is what the config.yaml looks like:
admin:
  endpoint: dns:///flyte.my.domain
  authType: Pkce
  insecure: false
I keep getting this error:
PermissionDenied desc = unexpected HTTP status code received from server: 403 (Forbidden); malformed header: missing HTTP content-type
Am I missing something?
Would appreciate your help!
Thanks
Yee
Ariel Kaspit
05/30/2023, 7:18 AM
flyte-admin-base-config configmap):
server.yaml: |
  auth:
    appAuth:
      authServerType: External
      externalAuthServer:
        allowedAudience: https://flyte.my.domain
        baseUrl: https://xxx.okta.com/oauth2/xxx
        metadataUrl: .well-known/oauth-authorization-server
      thirdPartyConfig:
        flyteClient:
          clientId: xxx
          redirectUri: http://localhost:53593/callback
          scopes:
          - offline
          - all
    authorizedUris:
    - https://flyte.my.domain
    - http://flyteadmin:80
    - http://flyteadmin.flyte.svc.cluster.local:80
    userAuth:
      openId:
        baseUrl: https://xxx.okta.com/oauth2/xxx
        clientId: xxx
        scopes:
        - profile
        - openid
        - offline_access
Ariel Kaspit
05/30/2023, 7:21 AM
allowedAudience and metadataUrl to my auth configuration although it wasn’t specified in Flyte documentation. Otherwise I got JWT authentication errors in the admin and the scheduler was failing (CrashLoopBackOff status)…
Yee
Ariel Kaspit
05/30/2023, 3:17 PM
Ariel Kaspit
05/30/2023, 3:18 PM
➜ ~ flytectl get project
{"json":{"src":"viper.go:398"},"level":"debug","msg":"Config section [storage] updated. No update handler registered.","ts":"2023-05-30T18:17:39+03:00"}
{"json":{"src":"viper.go:398"},"level":"debug","msg":"Config section [root] updated. No update handler registered.","ts":"2023-05-30T18:17:39+03:00"}
{"json":{"src":"viper.go:400"},"level":"debug","msg":"Config section [admin] updated. Firing updated event.","ts":"2023-05-30T18:17:39+03:00"}
{"json":{"src":"client.go:63"},"level":"info","msg":"Initialized Admin client","ts":"2023-05-30T18:17:39+03:00"}
{"json":{"src":"auth_interceptor.go:67"},"level":"debug","msg":"Request failed due to [rpc error: code = PermissionDenied desc = unexpected HTTP status code received from server: 403 (Forbidden); malformed header: missing HTTP content-type]. If it's an unauthenticated error, we will attempt to establish an authenticated context.","ts":"2023-05-30T18:17:41+03:00"}
Error: rpc error: code = PermissionDenied desc = unexpected HTTP status code received from server: 403 (Forbidden); malformed header: missing HTTP content-type
{"json":{"src":"main.go:13"},"level":"error","msg":"rpc error: code = PermissionDenied desc = unexpected HTTP status code received from server: 403 (Forbidden); malformed header: missing HTTP content-type","ts":"2023-05-30T18:17:41+03:00"}
Yee
Ariel Kaspit
05/30/2023, 3:21 PM
{"json":{"src":"handlers.go:248"},"level":"info","msg":"Failed to parse Access Token from context. Will attempt to find IDToken. Error: [JWT_VERIFICATION_FAILED] Could not retrieve bearer token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with Bearer","ts":"2023-05-30T15:19:39Z"}
{"json":{"src":"handlers.go:194"},"level":"debug","msg":"gRPC server info in logging interceptor [00uw6098hCJ7P4hXU5d6]method [/flyteidl.service.AdminService/ListProjects]\n","ts":"2023-05-30T15:19:40Z"}
{"json":{"src":"handlers.go:194"},"level":"debug","msg":"gRPC server info in logging interceptor [00uw6098hCJ7P4hXU5d6]method [/flyteidl.service.IdentityService/UserInfo]\n","ts":"2023-05-30T15:19:40Z"}
{"json":{"src":"handlers.go:194"},"level":"debug","msg":"gRPC server info in logging interceptor [00uw6098hCJ7P4hXU5d6]method [/flyteidl.service.AdminService/GetVersion]\n","ts":"2023-05-30T15:19:40Z"}
2023/05/30 15:19:40 /go/pkg/mod/gorm.io/gorm@v1.24.1-0.20221019064659-5dd2bb482755/callbacks.go:134
[44.060ms] [rows:5] SELECT * FROM "projects" WHERE state != 1 ORDER BY identifier asc
Yee
pip install --no-deps -U --force-reinstall "https://github.com/flyteorg/flytekit/archive/<sha>.zip#egg=flytekit"
Yee
$ FLYTE_SDK_LOGGING_LEVEL=10 python
from flyteidl.admin.project_pb2 import ProjectListRequest
from flytekit.remote.remote import FlyteRemote
from flytekit.configuration import Config
rr = FlyteRemote(Config.auto())
rr.client.list_projects(ProjectListRequest())
Ariel Kaspit
05/30/2023, 5:53 PM
Ariel Kaspit
05/30/2023, 5:53 PM
_InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
status = StatusCode.PERMISSION_DENIED
details = "Received http2 header with status: 403"
debug_error_string = "UNKNOWN:Error received from peer {grpc_message:"Received http2 header with status: 403", grpc_status:7,
created_time:"2023-05-30T20:53:33.194957+03:00"}"
Ariel Kaspit
05/30/2023, 5:57 PM
Yee
Ariel Kaspit
05/30/2023, 8:11 PM
Ariel Kaspit
06/01/2023, 4:29 PM
Yee