https://flyte.org logo
#flyte-deployment
Title
# flyte-deployment
a

Alex Beach

01/24/2024, 1:07 AM
I'm having issues with enabling Auth with GCP. I have set
Copy code
useAuth: true
per docs for flyte-core, but the UI does not prompt for a login. https://docs.flyte.org/en/latest/deployment/configuration/auth_setup.html
is there a way to validate the config for the admin?
d

David Espejo (he/him)

01/24/2024, 3:21 PM
I'm assuming you have completed all the steps to enable auth? Just setting this flag is not enough What's your IdP?
a

Alex Beach

01/24/2024, 5:24 PM
GCP
yeah i have the oidc setup, with baseurl, i setup everythign in the docs
d

David Espejo (he/him)

01/24/2024, 5:57 PM
great. can you share the -anonymized version- configmap? like
kubectl describe cm flyteadmin-base-config -n <>flyte-namespace
a

Alex Beach

01/24/2024, 9:21 PM
Copy code
Name:         flyte-admin-base-config
Namespace:    flyte
Labels:       <http://app.kubernetes.io/instance=flyte-core|app.kubernetes.io/instance=flyte-core>
              <http://app.kubernetes.io/managed-by=Helm|app.kubernetes.io/managed-by=Helm>
              <http://app.kubernetes.io/name=flyteadmin|app.kubernetes.io/name=flyteadmin>
              <http://helm.sh/chart=flyte-core-v1.10.6|helm.sh/chart=flyte-core-v1.10.6>
Annotations:  <http://meta.helm.sh/release-name|meta.helm.sh/release-name>: flyte-core
              <http://meta.helm.sh/release-namespace|meta.helm.sh/release-namespace>: flyte

Data
====
db.yaml:
----
database:
  dbname: flyteadmin
  host: '10.207.0.5'
  passwordPath: /etc/db/pass.txt
  port: 5432
  username: flyteadmin

domain.yaml:
----
domains:
- id: development
  name: development
- id: staging
  name: staging
- id: production
  name: production

remoteData.yaml:
----
remoteData:
  scheme: gcs
  signedUrls:
    durationMinutes: 3

server.yaml:
----
auth:
  appAuth:
    selfAuthServer:
      staticClients:
        flyte-cli:
          grant_types:
          - refresh_token
          - authorization_code
          id: flyte-cli
          public: true
          redirect_uris:
          - <http://localhost:53593/callback>
          - <http://localhost:12345/callback>
          response_types:
          - code
          - token
          scopes:
          - all
          - offline
          - access_token
        flytectl:
          grant_types:
          - refresh_token
          - authorization_code
          id: flytectl
          public: true
          redirect_uris:
          - <http://localhost:53593/callback>
          - <http://localhost:12345/callback>
          response_types:
          - code
          - token
          scopes:
          - all
          - offline
          - access_token
        flytepropeller:
          client_secret: xxxxxxxxxxxxxxxxxxxxxxxxxx
          grant_types:
          - refresh_token
          - client_credentials
          id: flytepropeller
          public: false
          redirect_uris:
          - <http://localhost:3846/callback>
          response_types:
          - token
          scopes:
          - all
          - offline
          - access_token
    thirdPartyConfig:
      flyteClient:
        clientId: flytectl
        redirectUri: <http://localhost:53593/callback>
        scopes:
        - offline
        - all
  authorizedUris:
  - <https://flyte.mydomain.com>
  - <http://flyteadmin:80>
  - <http://flyteadmin.flyte.svc.cluster.local:80>
  userAuth:
    openId:
      baseUrl: <https://accounts.google.com>
      clientId: <http://xxxxxxxxx-xxxxxxxxxxx.apps.googleusercontent.com|xxxxxxxxx-xxxxxxxxxxx.apps.googleusercontent.com>
      scopes:
      - profile
      - openid
flyteadmin:
  eventVersion: 2
  metadataStoragePrefix:
  - metadata
  - admin
  metricsScope: 'flyte:'
  profilerPort: 10254
  roleNameKey: <http://iam.amazonaws.com/role|iam.amazonaws.com/role>
  testing:
    host: <http://flyteadmin>
security:
  allowCors: true
  allowedHeaders:
  - Content-Type
  allowedOrigins:
  - '*'
  secure: false
  useAuth: true
server:
  grpcPort: 8089
  httpPort: 8088
  security:
    allowCors: true
    allowedHeaders:
    - Content-Type
    - flyte-authorization
    allowedOrigins:
    - '*'
    secure: false
    useAuth: false

storage.yaml:
----
storage:
  type: stow
  stow:
    kind: google
    config:
      json: ""
      project_id: nonprod-workspace
      scopes: <https://www.googleapis.com/auth/cloud-platform>
  container: "flyte-gcp-data-177403122955"
  enable-multicontainer: false
  limits:
    maxDownloadMBs: 10

task_resource_defaults.yaml:
----
task_resources:
  defaults:
    cpu: 1000m
    memory: 1000Mi
    storage: 1000Mi
  limits:
    cpu: 2
    gpu: 1
    memory: 1Gi
    storage: 2000Mi

cluster_resources.yaml:
----
cluster_resources:
  customData:
  - production:
    - projectQuotaCpu:
        value: "5"
    - projectQuotaMemory:
        value: 4000Mi
    - gsa:
        value: '<mailto:flyte-gcp-flyteworkers@nonprod-workspace.iam.gserviceaccount.com|flyte-gcp-flyteworkers@nonprod-workspace.iam.gserviceaccount.com>'
  - staging:
    - projectQuotaCpu:
        value: "2"
    - projectQuotaMemory:
        value: 3000Mi
    - gsa:
        value: '<mailto:flyte-gcp-flyteworkers@nonprod-workspace.iam.gserviceaccount.com|flyte-gcp-flyteworkers@nonprod-workspace.iam.gserviceaccount.com>'
  - development:
    - projectQuotaCpu:
        value: "2"
    - projectQuotaMemory:
        value: 3000Mi
    - gsa:
        value: '<mailto:flyte-gcp-flyteworkers@nonprod-workspace.iam.gserviceaccount.com|flyte-gcp-flyteworkers@nonprod-workspace.iam.gserviceaccount.com>'
  refreshInterval: 5m
  standaloneDeployment: false
  templatePath: /etc/flyte/clusterresource/templates


BinaryData
====

Events:  <none>
is security supposed to be nested under server?
Copy code
configmap:
  adminServer:
    server:
      httpPort: 8088
      grpcPort: 8089
      security:
        secure: false
        useAuth: true
        allowCors: true
        allowedOrigins:
it should be:
Copy code
configmap:
  adminServer:
    server:
      httpPort: 8088
      grpcPort: 8089
      security:
        secure: false
        useAuth: false
        allowCors: true
        allowedOrigins:
          # Accepting all domains for Sandbox installation
          - "*"
        allowedHeaders:
          - "Content-Type"
not
Copy code
configmap:
  adminServer:
    server:
      httpPort: 8088
      grpcPort: 8089
    security:
      secure: false
      useAuth: false
      allowCors: true
      allowedOrigins:
        # Accepting all domains for Sandbox installation
        - "*"
      allowedHeaders:
        - "Content-Type"
that fixed it!
d

David Espejo (he/him)

01/24/2024, 9:59 PM
@Alex Beach you're right! (source https://docs.flyte.org/en/latest/deployment/configuration/generated/flyteadmin_config.html#security-config-serversecurityoptions) Would you mind creating an Issue, or even better a PR?
a

Alex Beach

01/24/2024, 10:08 PM
sure
4 Views