Is there anything else I need to do to pull privat...
# flyte-deployment
g
Is there anything else I need to do to pull private images with flyte-binary besides specifying serviceAccount.imagePullSecrets[0].name? Here's what I see when describing the service account (it would show "not found" if the secret didn't exist):
kubectl describe sa flyte-flyte-binary -n flyte
Name:                flyte-flyte-binary
Namespace:           flyte
Labels:              app.kubernetes.io/instance=flyte
                     app.kubernetes.io/managed-by=Helm
                     app.kubernetes.io/name=flyte-binary
                     app.kubernetes.io/version=1.16.0
                     argocd.argoproj.io/instance=flyte
                     helm.sh/chart=flyte-binary-v1.8.1
Annotations:         <none>
Image pull secrets:  ecr-image-pull-secret
s
Isn't this config working for you?
g
The task pods get created in the flyte-development namespace and the ecr-image-pull-secret only exists in the Flyte namespace. I was hoping you did some magic for me to enable the task pods to use the service account in Flyte namespace to read secrets. But it doesn't look like that actually works.
So it looks like I will have to:
1. Create all the secrets I need (ECR image pull and other task secrets) in flyte-development
2. Update the default service account in the development namespace to have access to those secrets
I don't love this solution since it means if the people using Flyte ever want to create a project that is not called "flyte" I will need to update all my Terraform templates to populate secrets for them.
s
Um, that's how it should be done for the time being. cc @jeev @Eduardo Apolinario (eapolinario)
j
@Gopal Vashishtha: is this running outside of AWS? could you configure nodes with the necessary permissions to pull from ECR?
there is also a way to use cluster-resource-templates to propagate the secrets to new projects
g
It's running in Azure! I'm not familiar with cluster-resource-templates. Can you elaborate?
j
notice how namespaces are created by default when you create a new project. the namespace is basically specified as a cluster-resource-template. See here for the default template shipped with flyte-binary: https://github.com/flyteorg/flyte/tree/master/charts/flyte-binary/defaults/cluster-resource-templates
you can also pass in template variables from your flyte config.
Also does azure not have a container registry?
g
Azure does have a container registry. I still don't understand how the cluster resource template relates to this problem, can you elaborate? By the way I'm not blocked here, I just created the secrets in both namespaces
j
cluster resource templates can be set up so that flyte’s internal controller can automatically bootstrap the secret in the new project namespace when a new project is created in Flyte
g
Do you have examples of using the cluster resource template in this way?
j
i don’t have one but i can create one on monday