I’m also trying to get flyte setup on GCP. My comp...
# flyte-on-gcpa
adorable-australia-90343
07/31/2023, 5:41 PMI’m also trying to get flyte setup on GCP. My company has a strict requirement to use IAP everywhere. We’ve been able to get authentication to work on the console but I can’t get access via the flytectl to work. Any tips here? recent thread https://flyte-org.slack.com/archives/CP2HDHKE1/p1690818970921269
c
cool-lifeguard-49380
07/31/2023, 6:21 PMHey,
I’m working on an RFC to propose changes to flytectl and flytekit to make IAP work. We also plan to upstream a reference deployment with IAP on GCP. Will be 2 weeks until the rfc though, currently on a holiday
a
adorable-australia-90343
07/31/2023, 6:29 PMCan I ask anyone else for help in the interim?
c
cool-lifeguard-49380
08/15/2023, 5:06 PMCreated a tracking issue
https://github.com/flyteorg/flyte/issues/3965
🙌 1
cool-lifeguard-49380
08/15/2023, 5:06 PMAnd opened the first 3 PRs (not yet polished):
• https://github.com/flyteorg/flytekit/pull/1795
• https://github.com/flyteorg/flytekit/pull/1787
• https://github.com/flyteorg/flyte/pull/3964
cool-lifeguard-49380
08/15/2023, 5:07 PM1 PR missing that documents how to configure the helm chart. Will work on that one next.
cool-lifeguard-49380
08/15/2023, 5:07 PM@full-ram-17934
🙏 1
g
gifted-train-81198
09/11/2023, 12:11 PMHi @cool-lifeguard-49380, I have pulled your changes installed
flytekitidentity_aware_proxy Copy code
admin:
authType: pkce
insecure: false
endpoint: dns:///<url>.com
proxyCommand: [ "sh","-c","curl --silent --data client_id=<hash>.<http://apps.googleusercontent.com|apps.googleusercontent.com> --data client_secret=<hash> --data refresh_token=<token> --data grant_type=refresh_token <https://oauth2.googleapis.com/token> | gcloud auth print-identity-token" ] Copy code
_InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
status = StatusCode.UNAUTHENTICATED
details = "Invalid IAP credentials: empty token"
debug_error_string = "UNKNOWN:Error received from peer ipv4:34.98.102.88:443 {created_time:"2023-09-07T19:15:56.354327+05:30", grpc_status:16,
grpc_message:"Invalid IAP credentials: empty token"}"
>gifted-train-81198
09/11/2023, 12:11 PMThe client_id and secret are of a desktop_app client created in gcp credentials
c
cool-lifeguard-49380
09/11/2023, 12:13 PM"Invalid IAP credentials: empty token"cool-lifeguard-49380
09/11/2023, 12:13 PMIn which order did you install flytekit and the plugin?
g
gifted-train-81198
09/11/2023, 12:13 PMYes
c
cool-lifeguard-49380
09/11/2023, 12:14 PMIt matters because the plugin depends on flytekit and I was in a situation where I thought I had installed flytekit from local dir but actually the plugin uninstalled it again and installed from pypi.
cool-lifeguard-49380
09/11/2023, 12:14 PMSo the proxy-auth header logic wasn’t actually there.
g
gifted-train-81198
09/11/2023, 12:14 PMI installed flytekit first and then plugin
c
cool-lifeguard-49380
09/11/2023, 12:14 PMPls try the other way round, I think i ran into exactly this before
g
gifted-train-81198
09/11/2023, 12:15 PMooh okay let me try
gifted-train-81198
09/11/2023, 12:37 PMStill same 😞 , is my configuration looks fine. Anything else i need for this follow to be tirggered?
gifted-train-81198
09/11/2023, 12:39 PMcode I am trying to run
Copy code
from flytekit.remote import FlyteRemote
from flytekit.configuration import Config
# FlyteRemote object is the main entrypoint to API
remote = FlyteRemote(config=Config.auto())
# Fetch launch plan
flyte_lp = remote.fetch_launch_plan(
project="moj-ml-workflows-flyte-example",
domain="development",
name="hello_world_ui_initiatable_lp",
version="f2534dc8747d2f604736ab1a93f6891c4bee7bab",
)
print(flyte_lp)gifted-train-81198
09/11/2023, 12:39 PMI can see your changes in the flytekit package installed in my venv
c
cool-lifeguard-49380
09/11/2023, 1:09 PMCould you pls put a breakpoint in the external command authenticator here (just in my branch) to make sure the external command is acutally run and that a correct token is obtained?
cool-lifeguard-49380
09/11/2023, 1:10 PMString should start with “eY…”
g
gifted-train-81198
09/11/2023, 1:30 PM(Pdb) p output
Copy code
CompletedProcess(args=['sh', '-c', 'curl --silent --data client_id=... --data client_secret=... --data refresh_token=... --data grant_type=refresh_token <https://oauth2.googleapis.com/token> | gcloud auth print-identity-token'], returncode=0, stdout='eyJhbGciOiJ...\n', stderr='')c
cool-lifeguard-49380
09/11/2023, 1:45 PM Copy code
decode_jwt() {
jq -R 'split(".") | select(length > 0) | .[0],.[1] | @base64d | fromjson' <<< "$1"
}cool-lifeguard-49380
09/11/2023, 1:46 PMCan you pls check:
1. That the audience is the webapp client id
2. That the email is set in the token
cool-lifeguard-49380
09/11/2023, 1:46 PMAlso, can you please check that the respective email has “IAP secured webapp user” permissions?
cool-lifeguard-49380
09/11/2023, 1:47 PMAlso which time zone are you in? Happy to jump on a call to debug (before wednesday I have little time though :/)
g
gifted-train-81198
09/11/2023, 1:48 PMI am working in IST but no such constrain I can manage
gifted-train-81198
09/11/2023, 1:48 PMlet me know when you are available?
c
cool-lifeguard-49380
09/11/2023, 2:40 PMAround noon on Wednsday your time would work for me
🙌 1
cool-lifeguard-49380
09/11/2023, 2:41 PMCan you pls check the questions above? Maybe we can solve it async even beforehand 🙂
g
gifted-train-81198
09/11/2023, 2:46 PMYeah I am looking into it
🙏 1
gifted-train-81198
09/12/2023, 6:10 AM> Can you pls check:
1. That the audience is the webapp client id
2. That the email is set in the token1. By audience client id you mean the one used on the flyte backend? thats already webapp. The one thats provided as client_id is desktop client 2. The decoded token does contain the email address, and its the same email I am able to authenticate while accessing the webapp using browser
gifted-train-81198
09/12/2023, 6:11 AMOne thing I noticed in my decoded JWT is that both the azp and aud has same value which is client_id
Can you share the
proxyCommandc
cool-lifeguard-49380
09/12/2023, 7:31 AM Copy code
admin:
endpoint: dns:///my-flyte-domain.com
insecure: false
insecureSkipVerify: true
authType: Pkce
proxyCommand: ["flyte-iap", "generate-user-id-token", "--desktop_client_id", "<fill>", "--desktop_client_secret_gcp_secret_name", "<fill>", "--webapp_client_id", "<"fill web app client id used by IAP>, "--project", "fill"]
logger:
show-source: true
level: 0
storage:
type: stow
stow:
kind: google
config:
json: ""
project_id: <fill project id>
scopes: <https://www.googleapis.com/auth/devstorage.read_write>cool-lifeguard-49380
09/12/2023, 7:31 AMThis is how my client config looks like
cool-lifeguard-49380
09/12/2023, 7:32 AMboth the azp and aud has same value which is client_idThe audience definitely should be the webapp client id used by IAP, not the desktop client id.
cool-lifeguard-49380
09/12/2023, 7:38 AMOk checked in my token. azp is the desktop client id, aud is the webapp client id.
g
gifted-train-81198
09/12/2023, 7:44 AMDo I need some additional step to install
flyte-iap Copy code
ERROR:root:Failed to generate token from command ['flyte-iap', 'generate-user-id-token', '--desktop_client_id', '978053777....<http://apps.googleusercontent.com|apps.googleusercontent.com>', '--desktop_client_secret_gcp_secret_name', 'GOCSPX-ES...UMtExBw', '--webapp_client_id', '978053777608-noce0....<http://apps.googleusercontent.com|apps.googleusercontent.com>', '--project', 'prj-...']c
cool-lifeguard-49380
09/12/2023, 7:44 AMIf you installed the flytekit-iap plugin the command should be there
cool-lifeguard-49380
09/12/2023, 7:45 AMTry running the command in your cli directly, not via the task config, to see whether it works there and how the token looks like.
cool-lifeguard-49380
09/12/2023, 7:45 AMDid you create the GCP secret with the desktop client secret? (See readme in the plugin)
g
gifted-train-81198
09/12/2023, 7:55 AMAah I completely missed this guide, sorry 😞
c
cool-lifeguard-49380
09/12/2023, 7:56 AMNo worries 🙂
g
gifted-train-81198
09/12/2023, 1:35 PMUPDATE: Some work pending on the user-id-token side to be done but able to make some progress with service account
1. Below command successfully generated token
Copy code
flyte-iap generate-service-account-id-token --webapp_client_id $AUDIENCE --service_account_key /Users/mohd.afridi/Downloads/sa.json Copy code
curl --verbose --header 'Authorization: Bearer $TOKEN' https://$DNS/api/v1/projectsgifted-train-81198
09/12/2023, 1:36 PMBut same command in config is still not working
gifted-train-81198
09/12/2023, 1:41 PMError:
Copy code
╭────────────────────────────────────────────────────────────── Traceback (most recent call last) ───────────────────────────────────────────────────────────────╮
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_interceptor.py:274 in continuation │
│ │
│ ❱ 274 │ │ │ │ response, call = self._thunk(new_method).with_call( │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_interceptor.py:301 in with_call │
│ │
│ ❱ 301 │ │ return self._with_call(request, │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_interceptor.py:287 in _with_call │
│ │
│ ❱ 287 │ │ call = self._interceptor.intercept_unary_unary(continuation, │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/flytekit/clients/grpc_utils/auth_interceptor.py:64 in intercept_unary_unary │
│ │
│ ❱ 64 │ │ │ if e.code() == grpc.StatusCode.UNAUTHENTICATED or e.code() == grpc.StatusCod │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
AttributeError: 'AuthenticationError' object has no attribute 'code'c
cool-lifeguard-49380
09/12/2023, 1:42 PMCan you pls put a breakpoint into the CommandAuthenticator to check what the result of the shell call is? 🤔
g
gifted-train-81198
09/12/2023, 2:05 PMFinally 403 error gone ...atleast progressed to a new error 🙂
Copy code
E0912 19:33:14.174233000 140704355395328 <http://hpack_parser.cc:853]|hpack_parser.cc:853]> Error parsing metadata: error=invalid value key=content-type value=text/plain; charset=utf-8
╭────────────────────────────────────────────────────────────── Traceback (most recent call last) ───────────────────────────────────────────────────────────────╮
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_interceptor.py:274 in continuation │
│ │
│ ❱ 274 │ │ │ │ response, call = self._thunk(new_method).with_call( │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_interceptor.py:301 in with_call │
│ │
│ ❱ 301 │ │ return self._with_call(request, │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_interceptor.py:290 in _with_call │
│ │
│ ❱ 290 │ │ return call.result(), call │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_channel.py:379 in result │
│ │
│ ❱ 379 │ │ raise self │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_interceptor.py:274 in continuation │
│ │
│ ❱ 274 │ │ │ │ response, call = self._thunk(new_method).with_call( │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_interceptor.py:301 in with_call │
│ │
│ ❱ 301 │ │ return self._with_call(request, │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_interceptor.py:290 in _with_call │
│ │
│ ❱ 290 │ │ return call.result(), call │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_channel.py:379 in result │
│ │
│ ❱ 379 │ │ raise self │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_interceptor.py:274 in continuation │
│ │
│ ❱ 274 │ │ │ │ response, call = self._thunk(new_method).with_call( │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_channel.py:1043 in with_call │
│ │
│ ❱ 1043 │ │ return _end_unary_response_blocking(state, call, True, None) │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_channel.py:910 in _end_unary_response_blocking │
│ │
│ ❱ 910 │ │ raise _InactiveRpcError(state) # pytype: disable=not-instantiable │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
_InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
status = StatusCode.UNIMPLEMENTED
details = "Received http2 header with status: 404"
debug_error_string = "UNKNOWN:Error received from peer ipv4:34.98.102.88:443 {grpc_message:"Received http2 header with status: 404", grpc_status:12,
created_time:"2023-09-12T19:33:15.813448+05:30"}"c
cool-lifeguard-49380
09/12/2023, 2:06 PMMaybe the routing of your ingress don’t expose some endpoints of admin? 🤔
cool-lifeguard-49380
09/12/2023, 2:06 PMYou seem to be past the iap
g
gifted-train-81198
09/12/2023, 2:08 PMyes It looks I am past IAP now, need to look into my GKE ingress now I guess
c
cool-lifeguard-49380
09/12/2023, 2:08 PMTake a look at the deployment section in my readme
👀 1
cool-lifeguard-49380
09/12/2023, 2:09 PMLet me know if any step doesn’t work in there. Tried to be detailed but maybe sth still isn’t clear
g
gifted-train-81198
09/12/2023, 2:11 PMSure, for now we configured GKE ingress manually looking at all the paths from ngnix ingress helm created. Will see if your deployment steps can help
c
cool-lifeguard-49380
09/12/2023, 4:49 PMYou can’t put flyteadmin behind GCE ingress without using TLS between load balancer and backend.
g
gifted-train-81198
09/12/2023, 4:53 PMThis works for me for the REST( tested via curl as stated here), I am still waiting for some inputs from devops team to get the exact routing and will test by adding grpc route for experimentation
👍 1
gifted-train-81198
09/21/2023, 8:06 AMAfter following the deployment doc(slightly modified in the last part as I already had the domain name and all set) and setting up istio. Now facing below error, It looks like the request has reached the server side
gifted-train-81198
09/21/2023, 8:06 AM Copy code
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_interceptor.py:274 in continuation │
│ │
│ ❱ 274 │ │ │ │ response, call = self._thunk(new_method).with_call( │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_interceptor.py:301 in with_call │
│ │
│ ❱ 301 │ │ return self._with_call(request, │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_interceptor.py:287 in _with_call │
│ │
│ ❱ 287 │ │ call = self._interceptor.intercept_unary_unary(continuation, │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/flytekit/clients/grpc_utils/auth_interceptor.py:65 in intercept_unary_unary │
│ │
│ ❱ 65 │ │ │ │ self._authenticator.refresh_credentials() │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/flytekit/clients/auth/authenticator.py:141 in refresh_credentials │
│ │
│ ❱ 141 │ │ self._initialize_auth_client() │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/flytekit/clients/auth/authenticator.py:117 in _initialize_auth_client │
│ │
│ ❱ 117 │ │ │ cfg = self._cfg_store.get_client_config() │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/flytekit/clients/auth_helper.py:39 in get_client_config │
│ │
│ ❱ 39 │ │ public_client_config = metadata_service.GetPublicClientConfig(PublicClientAuthCo │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_interceptor.py:247 in __call__ │
│ │
│ ❱ 247 │ │ response, ignored_call = self._with_call(request, │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_interceptor.py:290 in _with_call │
│ │
│ ❱ 290 │ │ return call.result(), call │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_channel.py:379 in result │
│ │
│ ❱ 379 │ │ raise self │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_interceptor.py:274 in continuation │
│ │
│ ❱ 274 │ │ │ │ response, call = self._thunk(new_method).with_call( │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_channel.py:1043 in with_call │
│ │
│ ❱ 1043 │ │ return _end_unary_response_blocking(state, call, True, None) │
│ │
│ /Users/mohd.afridi/tutorials/flyte-wf/IAP/venv/lib/python3.8/site-packages/grpc/_channel.py:910 in _end_unary_response_blocking │
│ │
│ ❱ 910 │ │ raise _InactiveRpcError(state) # pytype: disable=not-instantiable │
╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
_InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
status = StatusCode.UNIMPLEMENTED
details = "unknown service flyteidl.service.AuthMetadataService"
debug_error_string = "UNKNOWN:Error received from peer ipv4:34.98.102.88:443 {grpc_message:"unknown service flyteidl.service.AuthMetadataService",
grpc_status:12, created_time:"2023-09-21T13:23:14.795652+05:30"}"gifted-train-81198
09/21/2023, 8:07 AM@cool-lifeguard-49380 ^^
c
cool-lifeguard-49380
09/21/2023, 8:34 AMTo me it looks like the request reached the istio ingress but that the forwarding from there to flyteadmin isn’t working as it should.
cool-lifeguard-49380
09/21/2023, 8:34 AMCan you please paste the state of your virtual service?
g
gifted-train-81198
09/21/2023, 8:34 AMgifted-train-81198
09/21/2023, 8:35 AM Copy code
Name: flyte-virtualservice
Namespace: flyte
Labels: <none>
Annotations: <none>
API Version: <http://networking.istio.io/v1beta1|networking.istio.io/v1beta1>
Kind: VirtualService
Metadata:
Creation Timestamp: 2023-09-21T06:25:01Z
Generation: 2
Managed Fields:
API Version: <http://networking.istio.io/v1beta1|networking.istio.io/v1beta1>
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:annotations:
.:
f:<http://kubectl.kubernetes.io/last-applied-configuration|kubectl.kubernetes.io/last-applied-configuration>:
f:spec:
.:
f:gateways:
f:hosts:
f:http:
Manager: kubectl-client-side-apply
Operation: Update
Time: 2023-09-21T08:00:48Z
Resource Version: 287301262
UID: eb6ea899-f990-4f23-88f4-8e0687fc1d5e
Spec:
Gateways:
istio-system/default-gateway
Hosts:
<http://flyte-moj-ml-workflows.sharechat.com|flyte-moj-ml-workflows.sharechat.com>
Http:
Match:
Uri:
Prefix: /console
Name: console-routes
Route:
Destination:
Host: flyteconsole
Port:
Number: 80
Match:
Uri:
Prefix: /api
Uri:
Prefix: /healthcheck
Uri:
Prefix: /v1/*
Uri:
Prefix: /.well-known
Uri:
Prefix: /login
Uri:
Prefix: /logout
Uri:
Prefix: /callback
Uri:
Prefix: /me
Uri:
Prefix: /config
Uri:
Prefix: /oauth2
Name: admin-routes
Route:
Destination:
Host: flyteadmin
Port:
Number: 80
Match:
Uri:
Prefix: /flyteidl.service.SignalService
Uri:
Prefix: /flyteidl.service.AdminService
Uri:
Prefix: /flyteidl.service.DataProxyService
Uri:
Prefix: /flyteidl.service.AuthMetadataService
Uri:
Prefix: /flyteidl.service.AuthMetadataService/*
Uri:
Prefix: /flyteidl.service.IdentityService
Uri:
Prefix: /grpc.health.v1.Health
Name: admin-grpc-routes
Route:
Destination:
Host: flyteadmin
Port:
Number: 81gifted-train-81198
09/21/2023, 8:36 AMI added
flyteidl.service.AuthMetadataService/*c
cool-lifeguard-49380
09/21/2023, 8:36 AM Copy code
spec:
rules:
- http:
paths:
- backend:
service:
name: istio-ingress
port:
number: 443
path: /
pathType: Prefixg
gifted-train-81198
09/21/2023, 8:38 AMThis backend service we created from console and loadbalancer rules are created from console in my case
gifted-train-81198
09/21/2023, 8:39 AMWould you like to have a quick look?
c
cool-lifeguard-49380
09/21/2023, 8:39 AMThere are two points where the traffic could fail:
•
flyteidl.service.AuthMetadataServicecool-lifeguard-49380
09/21/2023, 8:39 AMCan you check in cloud logging please? Write “http_loadbalancer”
cool-lifeguard-49380
09/21/2023, 8:40 AMYou can see all requests there
cool-lifeguard-49380
09/21/2023, 8:40 AMMaybe this gives us a hint
g
gifted-train-81198
09/21/2023, 8:40 AMLet me check
gifted-train-81198
09/21/2023, 9:40 AMcloud logging isn't capturing request logs in my case, may b i need to enable it somewhere
gifted-train-81198
09/21/2023, 9:40 AMmeanwhile snapshot of load-balancer montioring
c
cool-lifeguard-49380
09/21/2023, 9:41 AMresource.type=“http_load_balancer”This is the query I use
cool-lifeguard-49380
09/21/2023, 9:41 AMSomething I could imagine is also that only exact matches but not prefix are routed?
cool-lifeguard-49380
09/21/2023, 9:45 AMMine looks like this
g
gifted-train-81198
09/21/2023, 9:45 AMOkay let me make it / only
gifted-train-81198
09/21/2023, 9:49 AMatleast for the REST call as used in below code...its working fine. Will update path to
/👍 1
c
cool-lifeguard-49380
09/21/2023, 11:49 AMIf TLS is not working correctly between lb and backend, the load balancer will not deliver any grpc traffic to the istio ingress. In the lp logs, in this case, I see something like “Failed to deliver to backend”.
g
gifted-train-81198
10/05/2023, 12:02 PMHi @cool-lifeguard-49380, I see that the changes for IAP are out in
Version: 1.10.0b0gifted-train-81198
10/05/2023, 12:03 PMI started getting below error
Copy code
_InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
status = StatusCode.UNKNOWN
details = "Stream removed"
debug_error_string = "UNKNOWN:Error received from peer {created_time:"2023-10-05T17:15:29.44161+05:30", grpc_status:2,
grpc_message:"Stream removed"}"gifted-train-81198
10/05/2023, 12:03 PMWhile same thing is working with your PR changes being installed locally
gifted-train-81198
10/06/2023, 11:59 AMEnabled logging on LB it seems the request is succeeding well, after first 401 all are 200 on LB side but failing on client side, while with your PR changes the single 200 after first 401 result in success on client side
gifted-train-81198
10/06/2023, 12:01 PM@cool-lifeguard-49380 ^
c
cool-lifeguard-49380
10/06/2023, 12:10 PMHey 🙂
I will test with the beta release later today
cool-lifeguard-49380
10/06/2023, 12:10 PMTil then, can you please sanity check that
pip show flytekitcool-lifeguard-49380
10/06/2023, 12:11 PMThe iap plugin simply requires flytekit as there is no released version with the new logic yet.
g
gifted-train-81198
10/06/2023, 12:11 PM Copy code
(venv) mohd.afridi@MTPL-5642 moj-ml-workflows % pip show flytekit
Name: flytekit
Version: 1.10.0b0
Summary: Flyte SDK for Python
Home-page: <https://github.com/flyteorg/flytekit>
Author: Nonec
cool-lifeguard-49380
10/06/2023, 12:11 PMSo maybe when installing the iap plugin after the flytekit beta, it installed the latest release again?
cool-lifeguard-49380
10/06/2023, 12:11 PMOk 👍
cool-lifeguard-49380
10/06/2023, 12:11 PM“Stream removed” definitely means that no valid
"proxy-authorization"cool-lifeguard-49380
10/06/2023, 12:12 PMCan you pls also test whether the proxy command in the flyte config works when executed manually in the cli?
g
gifted-train-81198
10/06/2023, 12:13 PMI am using service account one, its working file when run in terminal to generate token
Copy code
flyte-iap generate-service-account-id-token --webapp_client_id .....gifted-train-81198
10/06/2023, 12:14 PMsame config is used in an environment where flytekit is installed using the PR, its working fine as well
c
cool-lifeguard-49380
10/06/2023, 12:18 PMOk I will try to later test the beta 👍
cool-lifeguard-49380
10/06/2023, 12:18 PMCan’t tell what could be the reason but I need to investigate this
cool-lifeguard-49380
10/06/2023, 12:18 PMWhich commit are you using from my PR?
g
gifted-train-81198
10/06/2023, 12:19 PMflytekit % git log -n 1
commit a713c56f10d36d99d900c671dc094acb84cf80a8 (HEAD -> fg91/feat/proxy-authentication, origin/fg91/feat/proxy-authentication)
Author: Fabio Grätz <fabiogratz@googlemail.com>
Date: Sun Sep 10 110331 2023 +0200
Document usage of generate-service-account-id-token subcommand
gifted-train-81198
10/06/2023, 12:32 PMFound the issue, the order still matters 🥲..
below is working
Copy code
pip install flytekitplugins-identity-aware-proxy==v1.10.0b0
pip install flytekit==v1.10.0b0gifted-train-81198
10/06/2023, 12:33 PMpreviously I was setting up like below and it wasn't working though it was showing correct version
Copy code
pip install flytekit==v1.10.0b0
pip install flytekitplugins-identity-aware-proxy==v1.10.0b0c
cool-lifeguard-49380
10/06/2023, 1:24 PMI can confirm that the order matters and that it doesn’t work if first installing the plugin then flytekit even though
pip show flytekitcool-lifeguard-49380
10/06/2023, 1:31 PMcool-lifeguard-49380
10/06/2023, 1:32 PMThat reminds me we need to pin flytekit>=1.10 here which will be the first release to contain the changes to auth helpers.
cool-lifeguard-49380
10/06/2023, 1:32 PMWonder whether there is a chicken-egg problem though where CI will fail before this version actually exists 🤔
👀 1
cool-lifeguard-49380
10/06/2023, 1:54 PMNo chicken egg problem.
g
gifted-train-81198
10/06/2023, 3:07 PMThanks for the changes
👍 1
gifted-train-81198
10/06/2023, 3:08 PMIs there any guide to pull your changes for flytectl using proxycommand-> https://github.com/flyteorg/flyteidl/pull/437 in my local setup ?
c
cool-lifeguard-49380
10/06/2023, 9:44 PMCheckout the flytectl repo, checkout the flyteidl repo, in the
go.modreplace <http://github.com/flyteorg/flyteidl|github.com/flyteorg/flyteidl> => ../<path to flyteidl>go mod tidymake compile🙏 1
g
gifted-train-81198
10/25/2023, 9:30 AM@cool-lifeguard-49380 did you get a chance to try your IAP changes published in
v1.10.0 Copy code
_InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
status = StatusCode.UNKNOWN
details = "Stream removed"
debug_error_string = "UNKNOWN:Error received from peer {grpc_message:"Stream removed", grpc_status:2,
created_time:"2023-10-25T14:59:04.485449+05:30"}"
>c
cool-lifeguard-49380
10/26/2023, 4:20 PMHey @gifted-train-81198,
got back from a holiday today, I will test this tomorrow and get back to you 🙂
🙌 1
g
gifted-train-81198
10/30/2023, 8:44 AM@cool-lifeguard-49380 , were you able to give it a try ?
16 Views