Hello! I am using Flyte-binary chate with GKE and ...
# flyte-supportc
creamy-greece-49911
08/01/2023, 4:03 PMHello! I am using Flyte-binary chate with GKE and I am trying to activate auth. Populated the values in chart but receving the following error in logs:
Copy code
2023-07-30 12:52:23.957 PDT time="2023-07-30T19:52:23Z" level=info msg="Using config file: [/etc/flyte/config.d/000-core.yaml /etc/flyte/config.d/001-plugins.yaml /etc/flyte/config.d/002-database.yaml /etc/flyte/config.d/003-storage.yaml /etc/flyte/config.d/004 auth.yaml /etc/flyte/config.d/012-database-secrets.yaml /etc/flyte/config.d/014-auth-secrets.yaml]"
2023-07-30 12:52:24.411 PDT Error:
2023-07-30 12:52:24.411 PDT 1 error(s) decoding:
2023-07-30 12:52:24.411 PDT {}
2023-07-30 12:52:24.411 PDT * error decoding 'appAuth.selfAuthServer.staticClients[flytepropeller].client_secret': illegal base64 data at input byte 0
2023-07-30 12:52:24.415 PDT Usage:
2023-07-30 12:52:24.415 PDT flyte secret init [flags]
2023-07-30 12:52:24.415 PDT {}
2023-07-30 12:52:24.415 PDT Flags:
2023-07-30 12:52:24.415 PDT -h, --help help for init
2023-07-30 12:52:24.415 PDT -p, --localPath string Specifies where the secrets should be written.creamy-greece-49911
08/01/2023, 8:05 PM@thankful-minister-83577 any suggestions?
t
tall-lock-23197
08/02/2023, 5:28 AM
@creamy-greece-49911, you need to compute the hash with bcrypt.
https://discuss.flyte.org/t/9524105/hey-guys-trying-to-set-up-auth-with-the-flyte-binary-and-hav#82192706-ae7e-486b-b686-c0fb494ec465
c
creamy-greece-49911
08/02/2023, 5:35 AMIs this for all internal clientsecret entries or just the hashed one?
creamy-greece-49911
08/02/2023, 5:36 AM Copy code
# auth Specify configuration for Flyte authentication
auth:
# enabled Enable Flyte authentication
enabled: false
# enableAuthServer Enable built-in authentication server
enableAuthServer: true
# oidc OIDC configuration for Flyte authentication
oidc:
# baseUrl URL for OIDC provider
baseUrl: ""
# clientId Flyte application client ID
clientId: ""
# clientSecret Flyte application client secret
clientSecret: ""
# internal Configuration for internal authentication
# The settings for internal still need to be defined if you wish to use an external auth server
# These credentials are used during communication beteween the FlyteAdmin and Propeller microservices
internal:
# clientId Client ID for internal authentication - set to flytepropeller or external auth server
clientId: flytepropeller
# clientSecret Client secret for internal authentication
clientSecret: ""
# clientSecretHash Bcrypt hash of clientSecret
clientSecretHash: ""
# Uncomment next line if needed - set this field if your external Auth server (ex. Auth0) requires an audience parameter
# audience: ""
# flyteClient Configuration for Flyte client authentication
flyteClient:
# clientId Client ID for Flyte client authentication
clientId: flytectl
# redirectUri Redirect URI for Flyte client authentication
redirectUri: <http://localhost:53593/callback>
# scopes Scopes for Flyte client authentication
scopes:
- all
# audience Audience for Flyte client authentication
audience: ""
# authorizedUris Set of URIs that clients are allowed to visit the service on
authorizedUris: []
# clientSecretExternalSecretRef Specify an existing, external Secret containing values for `client_secret` and `oidc_client_secret`.
# If set, a Secret will not be generated by this chart for client secrets.
clientSecretsExternalSecretRef: ""creamy-greece-49911
08/02/2023, 5:37 AMSo ClientSecretHash is the hashed version of the clientsecret?
t
tall-lock-23197
08/02/2023, 6:15 AM
Yes! Please replace the value you generate with bcrypt in
clientSecretHashc
creamy-greece-49911
08/02/2023, 3:29 PMI did that and still getting the same error! do I have to hash any other variable?
creamy-greece-49911
08/02/2023, 3:29 PMfor example
configuration.auth.internal.clientSecrett
tall-lock-23197
08/02/2023, 4:42 PM
Can you give it a shot?
c
creamy-greece-49911
08/02/2023, 4:44 PMI did! I added the hashed secret in
clientSecretHashinternal.clientSecretcreamy-greece-49911
08/02/2023, 4:44 PMI also tried
internal.clientSecrett
tall-lock-23197
08/02/2023, 4:45 PM
Hey @average-finland-92144, any idea what might be the issue here?
a
average-finland-92144
08/02/2023, 4:55 PM@creamy-greece-49911 are you planning on using Flyte's internal auth server? if so, you just need to hash the secret for
flytepropellerc
creamy-greece-49911
08/02/2023, 5:02 PMonly if I need it
creamy-greece-49911
08/02/2023, 5:04 PMIf I am using external auth do we still need internal enabled? I think the values file say we need both.
a
average-finland-92144
08/02/2023, 5:10 PMYes, even using the external auth server, you still need the internal secret. Find here the relevant section: https://docs.flyte.org/en/latest/deployment/configuration/auth_setup.html#apply-external-auth-server-configuration
👍 1
c
creamy-greece-49911
08/02/2023, 7:12 PM@average-finland-92144 how do I change the callback uri from http://flyte-flyte-binary:8088/callback to my domain ?
creamy-greece-49911
08/02/2023, 7:13 PMis it being picked up from
configuration.auth.authorizedUrisa
average-finland-92144
08/02/2023, 7:14 PMyou need to specify your domain under
authorizedUris👍 1
c
creamy-greece-49911
08/02/2023, 11:15 PMOk! This worked. Now im trying to get flytecli to communicate with cluster. Why am I getting Not Found 404? Should I add
/console Copy code
cat ./flyteconfig.yaml
admin:
endpoint: dns:///<PUBLIC_ACCESSABLE_DOMAIN>
insecure: false
insecureSkipVerify: true
authType: ClientSecret
clientId: flytepropeller
clientSecretEnvVar: FLYTE_CLIENTSECRET
$ flytectl --config=flyteconfig.yaml version
{"json":{},"level":"warning","msg":"using insecureSkipVerify. Server's certificate chain and host name wont be verified. Caution : shouldn't be used for production usecases","ts":"2023-08-02T23:12:21Z"}
{
"App": "flytectl",
"Build": "145bc5c",
"Version": "0.6.45",
"BuildTime": "2023-08-02 23:12:21.162374874 +0000 UTC m=+0.037043299"
}
$ flytectl register files --config=flyteconfig.yaml --project=flytesnacks --domain=development --archive flyte-package.tgz --version=v1
{"json":{},"level":"warning","msg":"using insecureSkipVerify. Server's certificate chain and host name wont be verified. Caution : shouldn't be used for production usecases","ts":"2023-08-02T23:12:26Z"}
--------------------------------------------------------------------------------------------------------------------- -------- ---------------------------------------------------
| NAME | STATUS | ADDITIONAL INFO |
--------------------------------------------------------------------------------------------------------------------- -------- ---------------------------------------------------
| /tmp/register3175681439/0_example_project.house_price_prediction.house_price_predictor.generate_and_split_data_1.pb | Failed | Error registering file due to rpc error: code = |
| | | Unimplemented desc = unexpected HTTP status code |
| | | received from server: 404 (Not Found); transport: |
| | | received unexpected content-type "text/plain; |
| | | charset=utf-8" |
--------------------------------------------------------------------------------------------------------------------- -------- ---------------------------------------------------
1 rows
Error: rpc error: code = Unimplemented desc = unexpected HTTP status code received from server: 404 (Not Found); transport: received unexpected content-type "text/plain; charset=utf-8"
{"json":{},"level":"error","msg":"rpc error: code = Unimplemented desc = unexpected HTTP status code received from server: 404 (Not Found); transport: received unexpected content-type \"text/plain; charset=utf-8\"","ts":"2023-08-02T23:12:26Z"}t
thankful-minister-83577
08/03/2023, 12:59 AM
check your flyte/admin logs. i think maybe the data proxy service isn’t running correctly. best first check something simpler like flytectl get projects, see if that’s working
thankful-minister-83577
08/03/2023, 1:00 AM
flytectl register files needs an additional endpoint to upload the local code to a signed url.
7 Views