https://flyte.org logo
Powered by
#flyte-deployment
Title
# flyte-deployment
g

Gopal Vashishtha

08/09/2023, 6:43 PM
Is there anything else I need to do to pull private images with flyte-binary besides specifying 
serviceAccount.imagePullSecrets[0].name
? Here's what I see when describing the service account (it would show "not found" if the secret didn't exist):
Copy code
kubectl describe sa flyte-flyte-binary -n flyte
Name:                flyte-flyte-binary
Namespace:           flyte
Labels:              <http://app.kubernetes.io/instance=flyte|app.kubernetes.io/instance=flyte>
                     <http://app.kubernetes.io/managed-by=Helm|app.kubernetes.io/managed-by=Helm>
                     <http://app.kubernetes.io/name=flyte-binary|app.kubernetes.io/name=flyte-binary>
                     <http://app.kubernetes.io/version=1.16.0|app.kubernetes.io/version=1.16.0>
                     <http://argocd.argoproj.io/instance=flyte|argocd.argoproj.io/instance=flyte>
                     <http://helm.sh/chart=flyte-binary-v1.8.1|helm.sh/chart=flyte-binary-v1.8.1>
Annotations:         <none>
Image pull secrets:  ecr-image-pull-secret
s

Samhita Alla

08/10/2023, 6:49 AM
Isn't this config working for you?
g

Gopal Vashishtha

08/10/2023, 1:14 PM
The task pods get created in the flyte-development namespace and the ecr-image-pull-secret only exists in the Flyte namespace. I was hoping you did some magic for me to enable the task pods to use the service account in Flyte namespace to read secrets. But doesn’t look like that actually works
So it looks like I will have to: 1. Create all the secrets I need (ECR image pull and other task secrets) in 
flyte-development
2. Update the default service account in the development namespace to have access to those secrets I don't love this solution since it means if the people using Flyte ever want to create a project that is not called "flyte" I will need to update all my terraform templates to populate secrets for them
s

Samhita Alla

08/11/2023, 5:22 AM
Um, that's how it should be done for the time being. cc @jeev @Eduardo Apolinario (eapolinario)
j

jeev

08/11/2023, 5:29 AM
@Gopal Vashishtha: is this running outside of AWS? could you configure nodes with the necessary permissions to pull from ECR?
there is also a way to use cluster-resource-templates to propagate the secrets to new projects
g

Gopal Vashishtha

08/11/2023, 3:41 PM
It's running in Azure! I'm not familiar with cluster-resource-templates can you elaborate?
j

jeev

08/12/2023, 1:35 AM
notice how namespaces are created by default when you create a new project. the namespace is basically specified as a cluster-resource-template. See here for the default template shipped with flyte-binary: https://github.com/flyteorg/flyte/tree/master/charts/flyte-binary/defaults/cluster-resource-templates
you can also pass in template variables from your flyte config.
Also does azure not have a container registry?
g

Gopal Vashishtha

08/13/2023, 8:58 PM
Azure does have a container registry. I still don't understand how the cluster resource template relates to this problem, can you elaborate? By the way I'm not blocked here, I just created the secrets in both namespaces
j

jeev

08/13/2023, 11:09 PM
cluster resource templates can be set up so that flyte’s internal controller can automatically bootstrap the secret in the new project namespace when a new project is created in Flyte
g

Gopal Vashishtha

08/14/2023, 12:24 AM
Do you have examples of using the cluster resource template in this way?
j

jeev

08/14/2023, 2:50 AM
i don’t have one but i can create one on monday
Powered by