Is there anything else I need to do to pull private images w Flyte #flyte-deployment

Is there anything else I need to do to pull privat...

calm-zoo-68637

08/09/2023, 6:43 PM

Is there anything else I need to do to pull private images with flyte-binary besides specifying

serviceAccount.imagePullSecrets[0].name

? Here's what I see when describing the service account (it would show "not found" if the secret didn't exist):

Copy code

kubectl describe sa flyte-flyte-binary -n flyte
Name:                flyte-flyte-binary
Namespace:           flyte
Labels:              <http://app.kubernetes.io/instance=flyte|app.kubernetes.io/instance=flyte>
                     <http://app.kubernetes.io/managed-by=Helm|app.kubernetes.io/managed-by=Helm>
                     <http://app.kubernetes.io/name=flyte-binary|app.kubernetes.io/name=flyte-binary>
                     <http://app.kubernetes.io/version=1.16.0|app.kubernetes.io/version=1.16.0>
                     <http://argocd.argoproj.io/instance=flyte|argocd.argoproj.io/instance=flyte>
                     <http://helm.sh/chart=flyte-binary-v1.8.1|helm.sh/chart=flyte-binary-v1.8.1>
Annotations:         <none>
Image pull secrets:  ecr-image-pull-secret

tall-lock-23197

08/10/2023, 6:49 AM

Isn't this config working for you?

calm-zoo-68637

08/10/2023, 1:14 PM

The task pods get created in the flyte-development namespace and the ecr-image-pull-secret only exists in the Flyte namespace. I was hoping you did some magic for me to enable the task pods to use the service account in Flyte namespace to read secrets. But doesn’t look like that actually works

calm-zoo-68637

08/10/2023, 1:43 PM

So it looks like I will have to: 1. Create all the secrets I need (ECR image pull and other task secrets) in

flyte-development

2. Update the default service account in the development namespace to have access to those secrets I don't love this solution since it means if the people using Flyte ever want to create a project that is not called "flyte" I will need to update all my terraform templates to populate secrets for them

tall-lock-23197

08/11/2023, 5:22 AM

Um, that's how it should be done for the time being. cc @freezing-boots-56761 @high-accountant-32689

freezing-boots-56761

08/11/2023, 5:29 AM

@calm-zoo-68637: is this running outside of AWS? could you configure nodes with the necessary permissions to pull from ECR?

freezing-boots-56761

08/11/2023, 5:31 AM

there is also a way to use cluster-resource-templates to propagate the secrets to new projects

calm-zoo-68637

08/11/2023, 3:41 PM

It's running in Azure! I'm not familiar with cluster-resource-templates can you elaborate?

freezing-boots-56761

08/12/2023, 1:35 AM

notice how namespaces are created by default when you create a new project. the namespace is basically specified as a cluster-resource-template. See here for the default template shipped with flyte-binary: https://github.com/flyteorg/flyte/tree/master/charts/flyte-binary/defaults/cluster-resource-templates

freezing-boots-56761

08/12/2023, 1:36 AM

you can also pass in template variables from your flyte config.

freezing-boots-56761

08/12/2023, 1:44 AM

Also does azure not have a container registry?

calm-zoo-68637

08/13/2023, 8:58 PM

Azure does have a container registry. I still don't understand how the cluster resource template relates to this problem, can you elaborate? By the way I'm not blocked here, I just created the secrets in both namespaces

freezing-boots-56761

08/13/2023, 11:09 PM

cluster resource templates can be set up so that flyte’s internal controller can automatically bootstrap the secret in the new project namespace when a new project is created in Flyte

calm-zoo-68637

08/14/2023, 12:24 AM

Do you have examples of using the cluster resource template in this way?

freezing-boots-56761

08/14/2023, 2:50 AM

i don’t have one but i can create one on monday

85 Views

Open in Slack

Previous Next