powerful-river-97803
06/07/2023, 11:25 AM
configuration:
  database:
    host: postgresql.mlops.svc.cluster.local
    dbname: flyteadmindb
    username: flyteuser
    password: "..."
    options: sslmode=disable
  storage:
    type: minio
    metadataContainer: "flyte-container"
    userDataContainer: "flyte-container"
    provider: s3
    providerConfig:
      # s3 Provider configuration for S3 object store
      s3:
        # disableSSL Switch to disable SSL for communicating with S3-compatible service
        disableSSL: true
        # v2Signing Flag to sign requests with v2 signature
        # Useful for s3-compatible blob stores (e.g. minio)
        v2Signing: false
        # endpoint URL of S3-compatible service
        endpoint: http://mls3api.corp.intern:9000/
        # authType Type of authentication to use for connecting to S3-compatible service (Supported values: iam, accesskey)
        authType: accesskey
        # accessKey Access key for authenticating with S3-compatible service
        accessKey: "..."
        # secretKey Secret key for authenticating with S3-compatible service
        secretKey: "..."
  logging:
    level: 5
  auth:
    enabled: true
    oidc:
      baseUrl: "https://login.microsoftonline.com/tenant_id/v2.0"
      clientId: "..."
      clientSecret: "..."
      scopes:
        - openid
        - email
        - profile
    internal:
      clientSecret: "..."
      clientSecretHash: ".."
    flyteClient:
      # clientId Client ID for Flyte client authentication
      clientId: "..."
      # redirectUri Redirect URI for Flyte client authentication
      redirectUri: "http://localhost:53593/callback"
      # scopes Scopes for Flyte client authentication
      scopes:
        - all
    authorizedUris:
      - https://login.microsoftonline.com/tenant_id/oauth2/v2.0
      - https://mlflyte.corp.intern
  inline:
    plugins:
      k8s:
        inject-finalizer: true
        default-env-vars:
          - AWS_METADATA_SERVICE_TIMEOUT: 5
          - AWS_METADATA_SERVICE_NUM_ATTEMPTS: 20
    storage:
      cache:
        max_size_mbs: 100
        target_gc_percent: 100
serviceAccount:
  create: true
  annotations: {}
ingress:
  create: true
  commonAnnotations:
    kubernetes.io/ingress.class: nginx
  httpAnnotations:
    nginx.ingress.kubernetes.io/app-root: /console
  grpcAnnotations:
    nginx.ingress.kubernetes.io/backend-protocol: GRPC
deployment:
  extraEnvVars:
    - name: HTTP_PROXY
      value: "..."
    - name: HTTPS_PROXY
      value: "..."
    - name: NO_PROXY
      value: "..."
    - name: no_proxy
      value: "..."
faint-activity-87590
06/07/2023, 12:03 PM
authorizedUris should be the domain record where you are running Flyte, e.g. https://flyte.somedomain.com
faint-activity-87590
06/07/2023, 12:04 PM
https://login.microsoftonline.com/tenant_id/oauth2/v2.0
powerful-river-97803
06/07/2023, 6:56 PM
per-RPC creds failed due to error: failed to get token: Post \"https://mlflyte.accounts.intern/oauth2/token\": x509: certificate signed by unknown authority]. If it's an unauthenticated error, we will attempt to establish an authenticated context."
I'd prefer to use AzureAD as an external authorization service like it's described here. But I don't understand how to apply this configuration in flyte-binary.
faint-activity-87590
06/07/2023, 7:04 PM
faint-activity-87590
06/07/2023, 7:05 PM
powerful-river-97803
06/07/2023, 8:17 PM
https://mlflyte.corp.intern/. The redirect URLs are https://mlflyte.corp.intern/callback and http://localhost:53593/callback
faint-activity-87590
06/07/2023, 8:37 PM
powerful-river-97803
06/09/2023, 6:19 AM