https://flyte.org logo
Join Slack
Powered by
Hello all, I've deployed a flyte cluster in AWS EK...
# flyte-deployment
c
Hello all, I've deployed a flyte cluster in AWS EKS following the current documentation with some help from David's "Flyte the hard way.." guide. The cluster is behind an AWS load balancer and secure domain, i.e., available at 
<https://xxxx-apps.com/console>
I am following the guide here for adding Azure openID auth, but it does not look like I have the same secrets, nor configmap available.
k
the azure ad guide was added by @Byron Hsu
b
hi what issue you met?
hmm i am not sure 
clientSecretLocation
is in use for us. I think only 
clientID
matters
c
Thanks @Byron Hsu, I think my issues may be more fundamental. My deployment has the following ns
Copy code
NAME                           STATUS   AGE
default                        Active   38d
flyte                          Active   38d
flytesnacks-development        Active   36d
flytesnacks-production         Active   36d
flytesnacks-staging            Active   36d
kube-node-lease                Active   38d
kube-public                    Active   38d
kube-system                    Active   38d
And the flyte ns has the following resources.
Copy code
NAME                                              READY   STATUS    RESTARTS   AGE
pod/flyte-backend-flyte-binary-5f5465b4f7-7hmt7   1/1     Running   0          22d

NAME                                         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
service/flyte-backend-flyte-binary-grpc      ClusterIP   10.100.27.200   <none>        8089/TCP   22d
service/flyte-backend-flyte-binary-http      ClusterIP   10.100.55.136   <none>        8088/TCP   22d
service/flyte-backend-flyte-binary-webhook   ClusterIP   10.100.41.202   <none>        443/TCP    22d

NAME                                         READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/flyte-backend-flyte-binary   1/1     1            1           22d

NAME                                                    DESIRED   CURRENT   READY   AGE
replicaset.apps/flyte-backend-flyte-binary-5f5465b4f7   1         1         1       22d
The flyte ns has the following configmaps
Copy code
NAME                                                    DATA   AGE
flyte-backend-flyte-binary-cluster-resource-templates   1      22d
flyte-backend-flyte-binary-config                       5      22d
kube-root-ca.crt                                        1      38d
propeller-leader                                        0      37d
I don't see the 
flyte-admin-base-config
listed here
Copy code
kubectl edit configmap -n flyte flyte-admin-base-config
d
@Cody Scandore yeah, we plan to extend the docs because what's written there assumes you're using the 
flyte-core
chart. For 
flyte-binary
the CM is 
flyte-backend-flyte-binary-config
and I don't think you longer need to edit the secret nor the CM any more. To confirm please run 
kubectl describe cm flyte-backend-flyte-binary-config -n flyte
c
Copy code
Name:         flyte-backend-flyte-binary-config
Namespace:    flyte
Labels:       <http://app.kubernetes.io/instance=flyte-backend|app.kubernetes.io/instance=flyte-backend>
              <http://app.kubernetes.io/managed-by=Helm|app.kubernetes.io/managed-by=Helm>
              <http://app.kubernetes.io/name=flyte-binary|app.kubernetes.io/name=flyte-binary>
              <http://app.kubernetes.io/version=1.16.0|app.kubernetes.io/version=1.16.0>
              <http://helm.sh/chart=flyte-binary-v1.5.0|helm.sh/chart=flyte-binary-v1.5.0>
Annotations:  <http://meta.helm.sh/release-name|meta.helm.sh/release-name>: flyte-backend
              <http://meta.helm.sh/release-namespace|meta.helm.sh/release-namespace>: flyte

Data
====
000-core.yaml:
----
admin:
  endpoint: localhost:8089
  insecure: true
catalog-cache:
  endpoint: localhost:8081
  insecure: true
  type: datacatalog
cluster_resources:
  standaloneDeployment: false
  templatePath: /etc/flyte/cluster-resource-templates
logger:
  show-source: true
  level: 5
propeller:
  create-flyteworkflow-crd: true
webhook:
  certDir: /var/run/flyte/certs
  localCert: true
  secretName: flyte-backend-flyte-binary-webhook-secret
  serviceName: flyte-backend-flyte-binary-webhook
  servicePort: 443

001-plugins.yaml:
----
tasks:
  task-plugins:
    enabled-plugins:
      - container
      - sidecar
      - K8S-ARRAY
    default-for-task-types:
      - container: container
      - container_array: K8S-ARRAY
plugins:
  logs:
    kubernetes-enabled: false
    cloudwatch-enabled: false
    stackdriver-enabled: false
  k8s:
    co-pilot:
      image: "<http://cr.flyte.org/flyteorg/flytecopilot-release:v1.5.0|cr.flyte.org/flyteorg/flytecopilot-release:v1.5.0>"
  k8s-array:
    logs:
      config:
        kubernetes-enabled: false
        cloudwatch-enabled: false
        stackdriver-enabled: false

002-database.yaml:
----
database:
  postgres:
    username: xxxxx
    passwordPath: /var/run/secrets/flyte/db-pass
    host: <http://xxxxxxxxxrds.amazonaws.com|xxxxxxxxxrds.amazonaws.com>
    port: 5432
    dbname: xxxxxx
    options: "sslmode=disable"

003-storage.yaml:
----
propeller:
  rawoutput-prefix: <s3://xxxx-flyte-userdata/data>
storage:
  type: stow
  stow:
    kind: s3
    config:
      region: us-west-2
      disable_ssl: false
      v2_signing: false
      auth_type: iam
  container: xxxxx-flyte-metadata

010-inline-config.yaml:
----
cluster_resources:
  customData: null
plugins:
  k8s:
    default-env-vars:
    - AWS_METADATA_SERVICE_TIMEOUT: 5
    - AWS_METADATA_SERVICE_NUM_ATTEMPTS: 20
    inject-finalizer: true
storage:
  cache:
    max_size_mbs: 10
    target_gc_percent: 100
task_resources:
  defaults:
    cpu: 100m
    memory: 100Mi
    storage: 100Mi
  limits:
    memory: 2Gi
tasks:
  task-plugins:
    default-for-task-types:
    - container: container
    - container_array: K8S-ARRAY
    enabled-plugins:
    - container
    - sidecar
    - K8S-ARRAY


BinaryData
====

Events:  <none>
d
isn't there a 
004-auth.yaml
section? Did you have a chance to enable 
auth
in the Helm values file?
c
Copy code
Error: INSTALLATION FAILED: execution error at (flyte-binary/templates/deployment.yaml:37:35): Internal client secret hash required when built-in authentication server is enabled
From The Hard Way guide.. it looks like this is required.
Copy code
auth:
    enabled: false
    oidc:
      baseUrl: <https://signin.hosted.unionai.cloud/oauth2/default>
      clientId: <IDP_CLIENT_ID>
      clientSecret: <IDP_CLIENT_SECRET>
    internal:
      clientSecret: <CC_PASSWD>
      clientSecretHash: <HASHED_CC_PASSWD>
    authorizedUris:
    - <https://flyte.company.com>
I can fill out the oidc section with my azure app information, but what is the internal section referencing? Are those k8s cluster secrets? [Resolved]. In Azure, go to the portal -> Certificates & Secrets -> Add a new secret. The 
oidc.clientSecret
refers to the 
Secret ID
while the 
internal.clientSecret
refers to the 
Value
field. Base64 encode the password to produce the 
internal.clientSecretHash
.
d
The FTHW guide doesn't include auth yet (coming soon) 
internal
is there if you're going to use the authorization server that ships with flyteadmin (hence 'internal') as opposed your IdP's authorization server
c
Okay, sorry just found the thread a few lines above. Leaving off internal produces errors on 
helm install
..
d
so, regarding the 
auth
parameters: `enabled`: 
true
`baseUrl`: you should obtain this from Azure AD (probably @Byron Hsu knows how?) `clientId`: from Azure AD's registered app `clienteSecret`: generate it in Azure AD for `internal`: `clientId`: 
flytepropeller
clientSecret: <generate a random password and add it here>
clientSecretHash
Use the following command to produce the hash:
Copy code
pip install bcrypt && python -c 'import bcrypt; import base64; print(base64.b64encode(bcrypt.hashpw("<your_client-secret>".encode("utf-8"), bcrypt.gensalt(6))))'
I'm working on reproducing this in my environment and adding docs
also 
authorizedUris
would be the FQDN for your Ingress
157 Views
Open in Slack
PreviousNext
Powered by