Ashika UMAGILIYA
09/11/2023, 1:42 AM
Ketan (kumare3)
Ashika UMAGILIYA
09/11/2023, 4:45 AM
Fabio Grätz
09/11/2023, 11:08 AM
kind: ManagedCertificate but instead install cert manager which is documented right below.
Ashika UMAGILIYA
09/12/2023, 5:44 AM
Fabio Grätz
09/12/2023, 7:29 AM
Ashika UMAGILIYA
09/12/2023, 7:45 AM
Fabio Grätz
09/12/2023, 7:52 AM
Ashika UMAGILIYA
09/12/2023, 7:54 AM
Fabio Grätz
09/12/2023, 7:54 AM
~/.flyte/config.yaml
Ashika UMAGILIYA
09/12/2023, 7:55 AM
Fabio Grätz
09/12/2023, 7:56 AM
Ashika UMAGILIYA
09/12/2023, 7:57 AM
admin:
  # For GRPC endpoints you might want to use dns:///flyte.myexample.com
  endpoint: dns:///127.0.0.1:8088
  authType: Pkce
  insecure: true
logger:
  show-source: true
  level: 0
Fabio Grätz
09/12/2023, 7:59 AM
Ashika UMAGILIYA
09/12/2023, 7:59 AM
Fabio Grätz
09/12/2023, 8:00 AM
Ashika UMAGILIYA
09/12/2023, 8:00 AM
Fabio Grätz
09/12/2023, 8:01 AM
Ashika UMAGILIYA
09/12/2023, 8:03 AM
flyte-backend-flyte-binary-5876c5745b-hhtrd 1/1 Running 0 17h
Fabio Grätz
09/12/2023, 8:04 AM
Ashika UMAGILIYA
09/12/2023, 8:04 AM
Fabio Grätz
09/12/2023, 8:05 AM
Ashika UMAGILIYA
09/12/2023, 8:05 AM
Fabio Grätz
09/12/2023, 8:05 AM
Ashika UMAGILIYA
09/12/2023, 8:07 AM
Fabio Grätz
09/12/2023, 8:07 AM
Ashika UMAGILIYA
09/12/2023, 8:09 AM
Fabio Grätz
09/12/2023, 8:09 AM
Ashika UMAGILIYA
09/12/2023, 8:09 AM
Fabio Grätz
09/12/2023, 8:10 AM
Ashika UMAGILIYA
09/12/2023, 8:11 AM
Fabio Grätz
09/12/2023, 8:11 AM
"iam.serviceAccounts.signBlob" to the respective sa and it should work
Ashika UMAGILIYA
09/12/2023, 8:52 AM
Fabio Grätz
09/12/2023, 8:55 AM
kubectl -n flyte get sa
?get sa <name> -o yaml
.
Ashika UMAGILIYA
09/12/2023, 8:57 AM
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    iam.gke.io/gcp-service-account: dev01-flyte-poc-iam@fr-stg-datalake-k8s.iam.gserviceaccount.com
    meta.helm.sh/release-name: flyte-backend
    meta.helm.sh/release-namespace: flyte
  creationTimestamp: "2023-09-11T14:31:45Z"
  labels:
    app.kubernetes.io/instance: flyte-backend
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: flyte-binary
    app.kubernetes.io/version: 1.16.0
    helm.sh/chart: flyte-binary-v1.9.1
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:meta.helm.sh/release-name: {}
          f:meta.helm.sh/release-namespace: {}
        f:labels:
          .: {}
          f:app.kubernetes.io/instance: {}
          f:app.kubernetes.io/managed-by: {}
          f:app.kubernetes.io/name: {}
          f:app.kubernetes.io/version: {}
          f:helm.sh/chart: {}
    manager: helm
    operation: Update
    time: "2023-09-11T14:31:45Z"
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          f:iam.gke.io/gcp-service-account: {}
    manager: kubectl-annotate
    operation: Update
    time: "2023-09-11T14:32:02Z"
  name: dev01-flyte-gke-sa
  namespace: flyte
  resourceVersion: "227723"
  uid: f0b5b2bd-b98f-43d8-8f90-bdf0e0ecf66d
Fabio Grätz
09/12/2023, 9:02 AM
kubectl get role <name> -o yaml
Ashika UMAGILIYA
09/12/2023, 9:08 AM
Fabio Grätz
09/12/2023, 9:08 AM
Ashika UMAGILIYA
09/12/2023, 9:11 AM
Fabio Grätz
09/12/2023, 9:12 AM
Ashika UMAGILIYA
09/12/2023, 9:13 AM
Fabio Grätz
09/12/2023, 9:15 AM
kubectl get sa <service account name> -o yaml
Ashika UMAGILIYA
09/12/2023, 11:07 AM
Fabio Grätz
09/12/2023, 11:37 AM
default kubernetes service account in the respective namespace the task pod runs in is used.
Ashika UMAGILIYA
09/12/2023, 11:40 AM
gcloud iam service-accounts add-iam-policy-binding dev01-flyte-poc-iam@fr-stg-datalake-k8s.iam.gserviceaccount.com \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:fr-stg-datalake-k8s.svc.id.goog[flyte/default]"
Fabio Grätz
09/12/2023, 11:40 AM
Ashika UMAGILIYA
09/12/2023, 11:45 AM
kubectl annotate serviceaccount default \
  --namespace flyte \
  iam.gke.io/gcp-service-account=dev01-flyte-poc-iam@fr-stg-datalake-k8s.iam.gserviceaccount.com
where "dev01-flyte-poc-iam" is the GCP IAM Service account
Fabio Grätz
09/12/2023, 11:48 AM
Ashika UMAGILIYA
09/12/2023, 11:48 AM
Fabio Grätz
09/12/2023, 11:49 AM
Ashika UMAGILIYA
09/12/2023, 11:49 AM
David Espejo (he/him)
09/12/2023, 8:17 PM
Fabio Grätz
09/13/2023, 6:49 AM