Channels
#ask-the-community
Title
# ask-the-community
h
Haytham Amin
08/01/2023, 4:03 PMHello! I am using Flyte-binary chate with GKE and I am trying to activate auth. Populated the values in chart but receving the following error in logs:
Copy code
2023-07-30 12:52:23.957 PDT time="2023-07-30T19:52:23Z" level=info msg="Using config file: [/etc/flyte/config.d/000-core.yaml /etc/flyte/config.d/001-plugins.yaml /etc/flyte/config.d/002-database.yaml /etc/flyte/config.d/003-storage.yaml /etc/flyte/config.d/004 auth.yaml /etc/flyte/config.d/012-database-secrets.yaml /etc/flyte/config.d/014-auth-secrets.yaml]"
2023-07-30 12:52:24.411 PDT Error:
2023-07-30 12:52:24.411 PDT 1 error(s) decoding:
2023-07-30 12:52:24.411 PDT {}
2023-07-30 12:52:24.411 PDT * error decoding 'appAuth.selfAuthServer.staticClients[flytepropeller].client_secret': illegal base64 data at input byte 0
2023-07-30 12:52:24.415 PDT Usage:
2023-07-30 12:52:24.415 PDT flyte secret init [flags]
2023-07-30 12:52:24.415 PDT {}
2023-07-30 12:52:24.415 PDT Flags:
2023-07-30 12:52:24.415 PDT -h, --help help for init
2023-07-30 12:52:24.415 PDT -p, --localPath string Specifies where the secrets should be written.@Yee any suggestions?
s
Samhita Alla
08/02/2023, 5:28 AM
@Haytham Amin, you need to compute the hash with bcrypt.
https://discuss.flyte.org/t/9524105/hey-guys-trying-to-set-up-auth-with-the-flyte-binary-and-hav#82192706-ae7e-486b-b686-c0fb494ec465
h
Haytham Amin
08/02/2023, 5:35 AMIs this for all internal clientsecret entries or just the hashed one?
Copy code
# auth Specify configuration for Flyte authentication
auth:
# enabled Enable Flyte authentication
enabled: false
# enableAuthServer Enable built-in authentication server
enableAuthServer: true
# oidc OIDC configuration for Flyte authentication
oidc:
# baseUrl URL for OIDC provider
baseUrl: ""
# clientId Flyte application client ID
clientId: ""
# clientSecret Flyte application client secret
clientSecret: ""
# internal Configuration for internal authentication
# The settings for internal still need to be defined if you wish to use an external auth server
# These credentials are used during communication beteween the FlyteAdmin and Propeller microservices
internal:
# clientId Client ID for internal authentication - set to flytepropeller or external auth server
clientId: flytepropeller
# clientSecret Client secret for internal authentication
clientSecret: ""
# clientSecretHash Bcrypt hash of clientSecret
clientSecretHash: ""
# Uncomment next line if needed - set this field if your external Auth server (ex. Auth0) requires an audience parameter
# audience: ""
# flyteClient Configuration for Flyte client authentication
flyteClient:
# clientId Client ID for Flyte client authentication
clientId: flytectl
# redirectUri Redirect URI for Flyte client authentication
redirectUri: <http://localhost:53593/callback>
# scopes Scopes for Flyte client authentication
scopes:
- all
# audience Audience for Flyte client authentication
audience: ""
# authorizedUris Set of URIs that clients are allowed to visit the service on
authorizedUris: []
# clientSecretExternalSecretRef Specify an existing, external Secret containing values for `client_secret` and `oidc_client_secret`.
# If set, a Secret will not be generated by this chart for client secrets.
clientSecretsExternalSecretRef: ""So ClientSecretHash is the hashed version of the clientsecret?
s
Samhita Alla
08/02/2023, 6:15 AM
Yes! Please replace the value you generate with bcrypt in
clientSecretHashh
Haytham Amin
08/02/2023, 3:29 PMI did that and still getting the same error! do I have to hash any other variable?
for example
configuration.auth.internal.clientSecrets
Samhita Alla
08/02/2023, 4:42 PM
Can you give it a shot?
h
Haytham Amin
08/02/2023, 4:44 PMI did! I added the hashed secret in
clientSecretHashinternal.clientSecretI also tried
internal.clientSecrets
Samhita Alla
08/02/2023, 4:45 PM
Hey @David Espejo (he/him), any idea what might be the issue here?
d
David Espejo (he/him)
08/02/2023, 4:55 PM@Haytham Amin are you planning on using Flyte's internal auth server? if so, you just need to hash the secret for
flytepropellerh
Haytham Amin
08/02/2023, 5:02 PMonly if I need it
If I am using external auth do we still need internal enabled? I think the values file say we need both.
d
David Espejo (he/him)
08/02/2023, 5:10 PMYes, even using the external auth server, you still need the internal secret. Find here the relevant section: https://docs.flyte.org/en/latest/deployment/configuration/auth_setup.html#apply-external-auth-server-configuration
h
Haytham Amin
08/02/2023, 7:12 PM@David Espejo (he/him) how do I change the callback uri from http://flyte-flyte-binary:8088/callback to my domain ?
is it being picked up from
configuration.auth.authorizedUrisd
David Espejo (he/him)
08/02/2023, 7:14 PMyou need to specify your domain under
authorizedUrish
Haytham Amin
08/02/2023, 11:15 PMOk! This worked. Now im trying to get flytecli to communicate with cluster. Why am I getting Not Found 404? Should I add
/console Copy code
cat ./flyteconfig.yaml
admin:
endpoint: dns:///<PUBLIC_ACCESSABLE_DOMAIN>
insecure: false
insecureSkipVerify: true
authType: ClientSecret
clientId: flytepropeller
clientSecretEnvVar: FLYTE_CLIENTSECRET
$ flytectl --config=flyteconfig.yaml version
{"json":{},"level":"warning","msg":"using insecureSkipVerify. Server's certificate chain and host name wont be verified. Caution : shouldn't be used for production usecases","ts":"2023-08-02T23:12:21Z"}
{
"App": "flytectl",
"Build": "145bc5c",
"Version": "0.6.45",
"BuildTime": "2023-08-02 23:12:21.162374874 +0000 UTC m=+0.037043299"
}
$ flytectl register files --config=flyteconfig.yaml --project=flytesnacks --domain=development --archive flyte-package.tgz --version=v1
{"json":{},"level":"warning","msg":"using insecureSkipVerify. Server's certificate chain and host name wont be verified. Caution : shouldn't be used for production usecases","ts":"2023-08-02T23:12:26Z"}
--------------------------------------------------------------------------------------------------------------------- -------- ---------------------------------------------------
| NAME | STATUS | ADDITIONAL INFO |
--------------------------------------------------------------------------------------------------------------------- -------- ---------------------------------------------------
| /tmp/register3175681439/0_example_project.house_price_prediction.house_price_predictor.generate_and_split_data_1.pb | Failed | Error registering file due to rpc error: code = |
| | | Unimplemented desc = unexpected HTTP status code |
| | | received from server: 404 (Not Found); transport: |
| | | received unexpected content-type "text/plain; |
| | | charset=utf-8" |
--------------------------------------------------------------------------------------------------------------------- -------- ---------------------------------------------------
1 rows
Error: rpc error: code = Unimplemented desc = unexpected HTTP status code received from server: 404 (Not Found); transport: received unexpected content-type "text/plain; charset=utf-8"
{"json":{},"level":"error","msg":"rpc error: code = Unimplemented desc = unexpected HTTP status code received from server: 404 (Not Found); transport: received unexpected content-type \"text/plain; charset=utf-8\"","ts":"2023-08-02T23:12:26Z"}y
Yee
08/03/2023, 12:59 AM
check your flyte/admin logs. i think maybe the data proxy service isn’t running correctly. best first check something simpler like flytectl get projects, see if that’s working
flytectl register files needs an additional endpoint to upload the local code to a signed url.
4 Views