I’m also trying to get flyte setup on GCP. My comp...
# flyte-on-gcpc
Chris Green
07/31/2023, 5:41 PMI’m also trying to get flyte setup on GCP. My company has a strict requirement to use IAP everywhere. We’ve been able to get authentication to work on the console but I can’t get access via the flytectl to work. Any tips here? recent thread https://flyte-org.slack.com/archives/CP2HDHKE1/p1690818970921269
f
Fabio Grätz
07/31/2023, 6:21 PMHey,
I’m working on an RFC to propose changes to flytectl and flytekit to make IAP work. We also plan to upstream a reference deployment with IAP on GCP. Will be 2 weeks until the rfc though, currently on a holiday
c
Chris Green
07/31/2023, 6:29 PMCan I ask anyone else for help in the interim?
f
Fabio Grätz
08/15/2023, 5:06 PMCreated a tracking issue
https://github.com/flyteorg/flyte/issues/3965
Fabio Grätz
08/15/2023, 5:06 PMAnd opened the first 3 PRs (not yet polished):
• https://github.com/flyteorg/flytekit/pull/1795
• https://github.com/flyteorg/flytekit/pull/1787
• https://github.com/flyteorg/flyte/pull/3964
Fabio Grätz
08/15/2023, 5:07 PM1 PR missing that documents how to configure the helm chart. Will work on that one next.
Fabio Grätz
08/15/2023, 5:07 PM@Matthew Corley
m
Mohd Shahid Khan Afridi
09/11/2023, 12:11 PMHi @Fabio Grätz, I have pulled your changes installed
flytekitidentity_aware_proxy Copy code
admin:
authType: pkce
insecure: false
endpoint: dns:///<url>.com
proxyCommand: [ "sh","-c","curl --silent --data client_id=<hash>.<http://apps.googleusercontent.com|apps.googleusercontent.com> --data client_secret=<hash> --data refresh_token=<token> --data grant_type=refresh_token <https://oauth2.googleapis.com/token> | gcloud auth print-identity-token" ] Copy code
_InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
status = StatusCode.UNAUTHENTICATED
details = "Invalid IAP credentials: empty token"
debug_error_string = "UNKNOWN:Error received from peer ipv4:34.98.102.88:443 {created_time:"2023-09-07T19:15:56.354327+05:30", grpc_status:16,
grpc_message:"Invalid IAP credentials: empty token"}"
>Mohd Shahid Khan Afridi
09/11/2023, 12:11 PMThe client_id and secret are of a desktop_app client created in gcp credentials
f
Fabio Grätz
09/11/2023, 12:13 PM"Invalid IAP credentials: empty token"Fabio Grätz
09/11/2023, 12:13 PMIn which order did you install flytekit and the plugin?
m
Mohd Shahid Khan Afridi
09/11/2023, 12:13 PMYes
f
Fabio Grätz
09/11/2023, 12:14 PMIt matters because the plugin depends on flytekit and I was in a situation where I thought I had installed flytekit from local dir but actually the plugin uninstalled it again and installed from pypi.
Fabio Grätz
09/11/2023, 12:14 PMSo the proxy-auth header logic wasn’t actually there.
m
Mohd Shahid Khan Afridi
09/11/2023, 12:14 PMI installed flytekit first and then plugin
f
Fabio Grätz
09/11/2023, 12:14 PMPls try the other way round, I think i ran into exactly this before
m
Mohd Shahid Khan Afridi
09/11/2023, 12:15 PMooh okay let me try
Mohd Shahid Khan Afridi
09/11/2023, 12:37 PMStill same 😞 , is my configuration looks fine. Anything else i need for this follow to be tirggered?
Mohd Shahid Khan Afridi
09/11/2023, 12:39 PMcode I am trying to run
Copy code
from flytekit.remote import FlyteRemote
from flytekit.configuration import Config
# FlyteRemote object is the main entrypoint to API
remote = FlyteRemote(config=Config.auto())
# Fetch launch plan
flyte_lp = remote.fetch_launch_plan(
project="moj-ml-workflows-flyte-example",
domain="development",
name="hello_world_ui_initiatable_lp",
version="f2534dc8747d2f604736ab1a93f6891c4bee7bab",
)
print(flyte_lp)Mohd Shahid Khan Afridi
09/11/2023, 12:39 PMI can see your changes in the flytekit package installed in my venv
f
Fabio Grätz
09/11/2023, 1:09 PMCould you pls put a breakpoint in the external command authenticator here (just in my branch) to make sure the external command is acutally run and that a correct token is obtained?
Fabio Grätz
09/11/2023, 1:10 PMString should start with “eY…”
m
Mohd Shahid Khan Afridi
09/11/2023, 1:30 PM(Pdb) p output
Copy code
CompletedProcess(args=['sh', '-c', 'curl --silent --data client_id=... --data client_secret=... --data refresh_token=... --data grant_type=refresh_token <https://oauth2.googleapis.com/token> | gcloud auth print-identity-token'], returncode=0, stdout='eyJhbGciOiJ...\n', stderr='')f
Fabio Grätz
09/11/2023, 1:45 PM Copy code
decode_jwt() {
jq -R 'split(".") | select(length > 0) | .[0],.[1] | @base64d | fromjson' <<< "$1"
}Fabio Grätz
09/11/2023, 1:46 PMCan you pls check:
1. That the audience is the webapp client id
2. That the email is set in the token
Fabio Grätz
09/11/2023, 1:46 PMAlso, can you please check that the respective email has “IAP secured webapp user” permissions?
Fabio Grätz
09/11/2023, 1:47 PMAlso which time zone are you in? Happy to jump on a call to debug (before wednesday I have little time though :/)
m
Mohd Shahid Khan Afridi
09/11/2023, 1:48 PMI am working in IST but no such constrain I can manage
Mohd Shahid Khan Afridi
09/11/2023, 1:48 PMlet me know when you are available?
f
Fabio Grätz
09/11/2023, 2:40 PMAround noon on Wednsday your time would work for me
Fabio Grätz
09/11/2023, 2:41 PMCan you pls check the questions above? Maybe we can solve it async even beforehand 🙂
m
Mohd Shahid Khan Afridi
09/11/2023, 2:46 PMYeah I am looking into it
Mohd Shahid Khan Afridi
09/12/2023, 6:10 AM> Can you pls check:
1. That the audience is the webapp client id
2. That the email is set in the token1. By audience client id you mean the one used on the flyte backend? thats already webapp. The one thats provided as client_id is desktop client 2. The decoded token does contain the email address, and its the same email I am able to authenticate while accessing the webapp using browser
Mohd Shahid Khan Afridi
09/12/2023, 6:11 AMOne thing I noticed in my decoded JWT is that both the azp and aud has same value which is client_id
Can you share the
proxyCommandf
Fabio Grätz
09/12/2023, 7:31 AM Copy code
admin:
endpoint: dns:///my-flyte-domain.com
insecure: false
insecureSkipVerify: true
authType: Pkce
proxyCommand: ["flyte-iap", "generate-user-id-token", "--desktop_client_id", "<fill>", "--desktop_client_secret_gcp_secret_name", "<fill>", "--webapp_client_id", "<"fill web app client id used by IAP>, "--project", "fill"]
logger:
show-source: true
level: 0
storage:
type: stow
stow:
kind: google
config:
json: ""
project_id: <fill project id>
scopes: <https://www.googleapis.com/auth/devstorage.read_write>Fabio Grätz
09/12/2023, 7:31 AMThis is how my client config looks like
Fabio Grätz
09/12/2023, 7:32 AMboth the azp and aud has same value which is client_idThe audience definitely should be the webapp client id used by IAP, not the desktop client id.
Fabio Grätz
09/12/2023, 7:38 AMOk checked in my token. azp is the desktop client id, aud is the webapp client id.
m
Mohd Shahid Khan Afridi
09/12/2023, 7:44 AMDo I need some additional step to install
flyte-iap Copy code
ERROR:root:Failed to generate token from command ['flyte-iap', 'generate-user-id-token', '--desktop_client_id', '978053777....<http://apps.googleusercontent.com|apps.googleusercontent.com>', '--desktop_client_secret_gcp_secret_name', 'GOCSPX-ES...UMtExBw', '--webapp_client_id', '978053777608-noce0....<http://apps.googleusercontent.com|apps.googleusercontent.com>', '--project', 'prj-...']f
Fabio Grätz
09/12/2023, 7:44 AMIf you installed the flytekit-iap plugin the command should be there
Fabio Grätz
09/12/2023, 7:45 AMTry running the command in your cli directly, not via the task config, to see whether it works there and how the token looks like.
Fabio Grätz
09/12/2023, 7:45 AMDid you create the GCP secret with the desktop client secret? (See readme in the plugin)
m
Mohd Shahid Khan Afridi
09/12/2023, 7:55 AMAah I completely missed this guide, sorry 😞
f
Fabio Grätz
09/12/2023, 7:56 AMNo worries 🙂
m
Mohd Shahid Khan Afridi
09/12/2023, 1:35 PMUPDATE: Some work pending on the user-id-token side to be done but able to make some progress with service account
1. Below command successfully generated token
Copy code
flyte-iap generate-service-account-id-token --webapp_client_id $AUDIENCE --service_account_key /Users/mohd.afridi/Downloads/sa.json Copy code
curl --verbose --header 'Authorization: Bearer $TOKEN' https://$DNS/api/v1/projectsMohd Shahid Khan Afridi
09/12/2023, 1:36 PMBut same command in config is still not working
Mohd Shahid Khan Afridi
09/12/2023, 1:41 PMError:
Copy code
╭────────────────────────────────────────────────────────────── Traceback (most recent call last) ───────────────────────────────────────────────────────────────╮
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_interceptor.py:274 in continuation │
│ │
│ ❱ 274 │ │ │ │ response, call = self._thunk(new_method).with_call( │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_interceptor.py:301 in with_call │
│ │
│ ❱ 301 │ │ return self._with_call(request, │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_interceptor.py:287 in _with_call │
│ │
│ ❱ 287 │ │ call = self._interceptor.intercept_unary_unary(continuation, │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/flytekit/clients/grpc_utils/auth_interceptor.py:64 in intercept_unary_unary │
│ │
│ ❱ 64 │ │ │ if e.code() == grpc.StatusCode.UNAUTHENTICATED or e.code() == grpc.StatusCod │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
AttributeError: 'AuthenticationError' object has no attribute 'code'f
Fabio Grätz
09/12/2023, 1:42 PMCan you pls put a breakpoint into the CommandAuthenticator to check what the result of the shell call is? 🤔
m
Mohd Shahid Khan Afridi
09/12/2023, 2:05 PMFinally 403 error gone ...atleast progressed to a new error 🙂
Copy code
E0912 19:33:14.174233000 140704355395328 <http://hpack_parser.cc:853]|hpack_parser.cc:853]> Error parsing metadata: error=invalid value key=content-type value=text/plain; charset=utf-8
╭────────────────────────────────────────────────────────────── Traceback (most recent call last) ───────────────────────────────────────────────────────────────╮
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_interceptor.py:274 in continuation │
│ │
│ ❱ 274 │ │ │ │ response, call = self._thunk(new_method).with_call( │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_interceptor.py:301 in with_call │
│ │
│ ❱ 301 │ │ return self._with_call(request, │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_interceptor.py:290 in _with_call │
│ │
│ ❱ 290 │ │ return call.result(), call │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_channel.py:379 in result │
│ │
│ ❱ 379 │ │ raise self │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_interceptor.py:274 in continuation │
│ │
│ ❱ 274 │ │ │ │ response, call = self._thunk(new_method).with_call( │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_interceptor.py:301 in with_call │
│ │
│ ❱ 301 │ │ return self._with_call(request, │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_interceptor.py:290 in _with_call │
│ │
│ ❱ 290 │ │ return call.result(), call │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_channel.py:379 in result │
│ │
│ ❱ 379 │ │ raise self │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_interceptor.py:274 in continuation │
│ │
│ ❱ 274 │ │ │ │ response, call = self._thunk(new_method).with_call( │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_channel.py:1043 in with_call │
│ │
│ ❱ 1043 │ │ return _end_unary_response_blocking(state, call, True, None) │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_channel.py:910 in _end_unary_response_blocking │
│ │
│ ❱ 910 │ │ raise _InactiveRpcError(state) # pytype: disable=not-instantiable │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
_InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
status = StatusCode.UNIMPLEMENTED
details = "Received http2 header with status: 404"
debug_error_string = "UNKNOWN:Error received from peer ipv4:34.98.102.88:443 {grpc_message:"Received http2 header with status: 404", grpc_status:12,
created_time:"2023-09-12T19:33:15.813448+05:30"}"f
Fabio Grätz
09/12/2023, 2:06 PMMaybe the routing of your ingress don’t expose some endpoints of admin? 🤔
Fabio Grätz
09/12/2023, 2:06 PMYou seem to be past the iap
m
Mohd Shahid Khan Afridi
09/12/2023, 2:08 PMyes It looks I am past IAP now, need to look into my GKE ingress now I guess
f
Fabio Grätz
09/12/2023, 2:08 PMTake a look at the deployment section in my readme
Fabio Grätz
09/12/2023, 2:09 PMLet me know if any step doesn’t work in there. Tried to be detailed but maybe sth still isn’t clear
m
Mohd Shahid Khan Afridi
09/12/2023, 2:11 PMSure, for now we configured GKE ingress manually looking at all the paths from ngnix ingress helm created. Will see if your deployment steps can help
f
Fabio Grätz
09/12/2023, 4:49 PMYou can’t put flyteadmin behind GCE ingress without using TLS between load balancer and backend.
m
Mohd Shahid Khan Afridi
09/12/2023, 4:53 PMThis works for me for the REST( tested via curl as stated here), I am still waiting for some inputs from devops team to get the exact routing and will test by adding grpc route for experimentation
Mohd Shahid Khan Afridi
09/21/2023, 8:06 AMAfter following the deployment doc(slightly modified in the last part as I already had the domain name and all set) and setting up istio. Now facing below error, It looks like the request has reached the server side
Mohd Shahid Khan Afridi
09/21/2023, 8:06 AM Copy code
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_interceptor.py:274 in continuation │
│ │
│ ❱ 274 │ │ │ │ response, call = self._thunk(new_method).with_call( │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_interceptor.py:301 in with_call │
│ │
│ ❱ 301 │ │ return self._with_call(request, │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_interceptor.py:287 in _with_call │
│ │
│ ❱ 287 │ │ call = self._interceptor.intercept_unary_unary(continuation, │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/flytekit/clients/grpc_utils/auth_interceptor.py:65 in intercept_unary_unary │
│ │
│ ❱ 65 │ │ │ │ self._authenticator.refresh_credentials() │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/flytekit/clients/auth/authenticator.py:141 in refresh_credentials │
│ │
│ ❱ 141 │ │ self._initialize_auth_client() │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/flytekit/clients/auth/authenticator.py:117 in _initialize_auth_client │
│ │
│ ❱ 117 │ │ │ cfg = self._cfg_store.get_client_config() │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/flytekit/clients/auth_helper.py:39 in get_client_config │
│ │
│ ❱ 39 │ │ public_client_config = metadata_service.GetPublicClientConfig(PublicClientAuthCo │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_interceptor.py:247 in __call__ │
│ │
│ ❱ 247 │ │ response, ignored_call = self._with_call(request, │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_interceptor.py:290 in _with_call │
│ │
│ ❱ 290 │ │ return call.result(), call │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_channel.py:379 in result │
│ │
│ ❱ 379 │ │ raise self │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_interceptor.py:274 in continuation │
│ │
│ ❱ 274 │ │ │ │ response, call = self._thunk(new_method).with_call( │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_channel.py:1043 in with_call │
│ │
│ ❱ 1043 │ │ return _end_unary_response_blocking(state, call, True, None) │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_channel.py:910 in _end_unary_response_blocking │
│ │
│ ❱ 910 │ │ raise _InactiveRpcError(state) # pytype: disable=not-instantiable │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
_InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
status = StatusCode.UNIMPLEMENTED
details = "unknown service flyteidl.service.AuthMetadataService"
debug_error_string = "UNKNOWN:Error received from peer ipv4:34.98.102.88:443 {grpc_message:"unknown service flyteidl.service.AuthMetadataService",
grpc_status:12, created_time:"2023-09-21T13:23:14.795652+05:30"}"Mohd Shahid Khan Afridi
09/21/2023, 8:07 AM@Fabio Grätz ^^
f
Fabio Grätz
09/21/2023, 8:34 AMTo me it looks like the request reached the istio ingress but that the forwarding from there to flyteadmin isn’t working as it should.
Fabio Grätz
09/21/2023, 8:34 AMCan you please paste the state of your virtual service?
m
Mohd Shahid Khan Afridi
09/21/2023, 8:34 AMimage.png
Mohd Shahid Khan Afridi
09/21/2023, 8:35 AM Copy code
Name: flyte-virtualservice
Namespace: flyte
Labels: <none>
Annotations: <none>
API Version: <http://networking.istio.io/v1beta1|networking.istio.io/v1beta1>
Kind: VirtualService
Metadata:
Creation Timestamp: 2023-09-21T06:25:01Z
Generation: 2
Managed Fields:
API Version: <http://networking.istio.io/v1beta1|networking.istio.io/v1beta1>
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:annotations:
.:
f:<http://kubectl.kubernetes.io/last-applied-configuration|kubectl.kubernetes.io/last-applied-configuration>:
f:spec:
.:
f:gateways:
f:hosts:
f:http:
Manager: kubectl-client-side-apply
Operation: Update
Time: 2023-09-21T08:00:48Z
Resource Version: 287301262
UID: eb6ea899-f990-4f23-88f4-8e0687fc1d5e
Spec:
Gateways:
istio-system/default-gateway
Hosts:
<http://flyte-moj-ml-workflows.sharechat.com|flyte-moj-ml-workflows.sharechat.com>
Http:
Match:
Uri:
Prefix: /console
Name: console-routes
Route:
Destination:
Host: flyteconsole
Port:
Number: 80
Match:
Uri:
Prefix: /api
Uri:
Prefix: /healthcheck
Uri:
Prefix: /v1/*
Uri:
Prefix: /.well-known
Uri:
Prefix: /login
Uri:
Prefix: /logout
Uri:
Prefix: /callback
Uri:
Prefix: /me
Uri:
Prefix: /config
Uri:
Prefix: /oauth2
Name: admin-routes
Route:
Destination:
Host: flyteadmin
Port:
Number: 80
Match:
Uri:
Prefix: /flyteidl.service.SignalService
Uri:
Prefix: /flyteidl.service.AdminService
Uri:
Prefix: /flyteidl.service.DataProxyService
Uri:
Prefix: /flyteidl.service.AuthMetadataService
Uri:
Prefix: /flyteidl.service.AuthMetadataService/*
Uri:
Prefix: /flyteidl.service.IdentityService
Uri:
Prefix: /grpc.health.v1.Health
Name: admin-grpc-routes
Route:
Destination:
Host: flyteadmin
Port:
Number: 81Mohd Shahid Khan Afridi
09/21/2023, 8:36 AMI added
flyteidl.service.AuthMetadataService/*f
Fabio Grätz
09/21/2023, 8:36 AM Copy code
spec:
rules:
- http:
paths:
- backend:
service:
name: istio-ingress
port:
number: 443
path: /
pathType: Prefixm
Mohd Shahid Khan Afridi
09/21/2023, 8:38 AMThis backend service we created from console and loadbalancer rules are created from console in my case
Mohd Shahid Khan Afridi
09/21/2023, 8:39 AMWould you like to have a quick look?
f
Fabio Grätz
09/21/2023, 8:39 AMThere are two points where the traffic could fail:
•
flyteidl.service.AuthMetadataServiceFabio Grätz
09/21/2023, 8:39 AMCan you check in cloud logging please? Write “http_loadbalancer”
Fabio Grätz
09/21/2023, 8:40 AMYou can see all requests there
Fabio Grätz
09/21/2023, 8:40 AMMaybe this gives us a hint
m
Mohd Shahid Khan Afridi
09/21/2023, 8:40 AMLet me check
Mohd Shahid Khan Afridi
09/21/2023, 9:40 AMcloud logging isn't capturing request logs in my case, may b i need to enable it somewhere
Mohd Shahid Khan Afridi
09/21/2023, 9:40 AMmeanwhile snapshot of load-balancer montioring
f
Fabio Grätz
09/21/2023, 9:41 AMresource.type=“http_load_balancer”This is the query I use
Fabio Grätz
09/21/2023, 9:41 AMSomething I could imagine is also that only exact matches but not prefix are routed?
Fabio Grätz
09/21/2023, 9:45 AMMine looks like this
m
Mohd Shahid Khan Afridi
09/21/2023, 9:45 AMOkay let me make it / only
Mohd Shahid Khan Afridi
09/21/2023, 9:49 AMatleast for the REST call as used in below code...its working fine. Will update path to
/f
Fabio Grätz
09/21/2023, 11:49 AMIf TLS is not working correctly between lb and backend, the load balancer will not deliver any grpc traffic to the istio ingress. In the lp logs, in this case, I see something like “Failed to deliver to backend”.
m
Mohd Shahid Khan Afridi
10/05/2023, 12:02 PMHi @Fabio Grätz, I see that the changes for IAP are out in
Version: 1.10.0b0Mohd Shahid Khan Afridi
10/05/2023, 12:03 PMI started getting below error
Copy code
_InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
status = StatusCode.UNKNOWN
details = "Stream removed"
debug_error_string = "UNKNOWN:Error received from peer {created_time:"2023-10-05T17:15:29.44161+05:30", grpc_status:2,
grpc_message:"Stream removed"}"Mohd Shahid Khan Afridi
10/05/2023, 12:03 PMWhile same thing is working with your PR changes being installed locally
Mohd Shahid Khan Afridi
10/06/2023, 11:59 AMEnabled logging on LB it seems the request is succeeding well, after first 401 all are 200 on LB side but failing on client side, while with your PR changes the single 200 after first 401 result in success on client side
Mohd Shahid Khan Afridi
10/06/2023, 12:01 PM@Fabio Grätz ^
f
Fabio Grätz
10/06/2023, 12:10 PMHey 🙂
I will test with the beta release later today
Fabio Grätz
10/06/2023, 12:10 PMTil then, can you please sanity check that
pip show flytekitFabio Grätz
10/06/2023, 12:11 PMThe iap plugin simply requires flytekit as there is no released version with the new logic yet.
m
Mohd Shahid Khan Afridi
10/06/2023, 12:11 PM Copy code
(venv) mohd.afridi@MTPL-5642 moj-ml-workflows % pip show flytekit
Name: flytekit
Version: 1.10.0b0
Summary: Flyte SDK for Python
Home-page: <https://github.com/flyteorg/flytekit>
Author: Nonef
Fabio Grätz
10/06/2023, 12:11 PMSo maybe when installing the iap plugin after the flytekit beta, it installed the latest release again?
Fabio Grätz
10/06/2023, 12:11 PMOk 👍
Fabio Grätz
10/06/2023, 12:11 PM“Stream removed” definitely means that no valid
"proxy-authorization"Fabio Grätz
10/06/2023, 12:12 PMCan you pls also test whether the proxy command in the flyte config works when executed manually in the cli?
m
Mohd Shahid Khan Afridi
10/06/2023, 12:13 PMI am using service account one, its working file when run in terminal to generate token
Copy code
flyte-iap generate-service-account-id-token --webapp_client_id .....Mohd Shahid Khan Afridi
10/06/2023, 12:14 PMsame config is used in an environment where flytekit is installed using the PR, its working fine as well
f
Fabio Grätz
10/06/2023, 12:18 PMOk I will try to later test the beta 👍
Fabio Grätz
10/06/2023, 12:18 PMCan’t tell what could be the reason but I need to investigate this
Fabio Grätz
10/06/2023, 12:18 PMWhich commit are you using from my PR?
m
Mohd Shahid Khan Afridi
10/06/2023, 12:19 PMflytekit % git log -n 1
commit a713c56f10d36d99d900c671dc094acb84cf80a8 (HEAD -> fg91/feat/proxy-authentication, origin/fg91/feat/proxy-authentication)
Author: Fabio Grätz <fabiogratz@googlemail.com>
Date: Sun Sep 10 110331 2023 +0200
Document usage of generate-service-account-id-token subcommand
Mohd Shahid Khan Afridi
10/06/2023, 12:32 PMFound the issue, the order still matters 🥲..
below is working
Copy code
pip install flytekitplugins-identity-aware-proxy==v1.10.0b0
pip install flytekit==v1.10.0b0Mohd Shahid Khan Afridi
10/06/2023, 12:33 PMpreviously I was setting up like below and it wasn't working though it was showing correct version
Copy code
pip install flytekit==v1.10.0b0
pip install flytekitplugins-identity-aware-proxy==v1.10.0b0f
Fabio Grätz
10/06/2023, 1:24 PMI can confirm that the order matters and that it doesn’t work if first installing the plugin then flytekit even though
pip show flytekitFabio Grätz
10/06/2023, 1:31 PMFabio Grätz
10/06/2023, 1:32 PMThat reminds me we need to pin flytekit>=1.10 here which will be the first release to contain the changes to auth helpers.
Fabio Grätz
10/06/2023, 1:32 PMWonder whether there is a chicken-egg problem though where CI will fail before this version actually exists 🤔
Fabio Grätz
10/06/2023, 1:54 PMNo chicken egg problem.
m
Mohd Shahid Khan Afridi
10/06/2023, 3:07 PMThanks for the changes
Mohd Shahid Khan Afridi
10/06/2023, 3:08 PMIs there any guide to pull your changes for flytectl using proxycommand-> https://github.com/flyteorg/flyteidl/pull/437 in my local setup ?
f
Fabio Grätz
10/06/2023, 9:44 PMCheckout the flytectl repo, checkout the flyteidl repo, in the
go.modreplace <http://github.com/flyteorg/flyteidl|github.com/flyteorg/flyteidl> => ../<path to flyteidl>go mod tidymake compilem
Mohd Shahid Khan Afridi
10/25/2023, 9:30 AM@Fabio Grätz did you get a chance to try your IAP changes published in
v1.10.0 Copy code
_InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
status = StatusCode.UNKNOWN
details = "Stream removed"
debug_error_string = "UNKNOWN:Error received from peer {grpc_message:"Stream removed", grpc_status:2,
created_time:"2023-10-25T14:59:04.485449+05:30"}"
>f
Fabio Grätz
10/26/2023, 4:20 PMHey @Mohd Shahid Khan Afridi,
got back from a holiday today, I will test this tomorrow and get back to you 🙂
m
Mohd Shahid Khan Afridi
10/30/2023, 8:44 AM@Fabio Grätz , were you able to give it a try ?
12 Views