# flyte-deployment
a
I'm having issues with enabling Auth with GCP. I have set
useAuth: true
per docs for flyte-core, but the UI does not prompt for a login. https://docs.flyte.org/en/latest/deployment/configuration/auth_setup.html
is there a way to validate the config for the admin?
d
I'm assuming you have completed all the steps to enable auth? Just setting this flag is not enough. What's your IdP?
a
GCP
Yeah, I have the OIDC setup with baseUrl; I set up everything in the docs.
d
Great. Can you share the configmap (anonymized version)? Like
kubectl describe cm flyteadmin-base-config -n <flyte-namespace>
a
Name:         flyte-admin-base-config
Namespace:    flyte
Labels:       app.kubernetes.io/instance=flyte-core
              app.kubernetes.io/managed-by=Helm
              app.kubernetes.io/name=flyteadmin
              helm.sh/chart=flyte-core-v1.10.6
Annotations:  meta.helm.sh/release-name: flyte-core
              meta.helm.sh/release-namespace: flyte

Data
====
db.yaml:
----
database:
  dbname: flyteadmin
  host: '10.207.0.5'
  passwordPath: /etc/db/pass.txt
  port: 5432
  username: flyteadmin

domain.yaml:
----
domains:
- id: development
  name: development
- id: staging
  name: staging
- id: production
  name: production

remoteData.yaml:
----
remoteData:
  scheme: gcs
  signedUrls:
    durationMinutes: 3

server.yaml:
----
auth:
  appAuth:
    selfAuthServer:
      staticClients:
        flyte-cli:
          grant_types:
          - refresh_token
          - authorization_code
          id: flyte-cli
          public: true
          redirect_uris:
          - http://localhost:53593/callback
          - http://localhost:12345/callback
          response_types:
          - code
          - token
          scopes:
          - all
          - offline
          - access_token
        flytectl:
          grant_types:
          - refresh_token
          - authorization_code
          id: flytectl
          public: true
          redirect_uris:
          - http://localhost:53593/callback
          - http://localhost:12345/callback
          response_types:
          - code
          - token
          scopes:
          - all
          - offline
          - access_token
        flytepropeller:
          client_secret: xxxxxxxxxxxxxxxxxxxxxxxxxx
          grant_types:
          - refresh_token
          - client_credentials
          id: flytepropeller
          public: false
          redirect_uris:
          - http://localhost:3846/callback
          response_types:
          - token
          scopes:
          - all
          - offline
          - access_token
    thirdPartyConfig:
      flyteClient:
        clientId: flytectl
        redirectUri: http://localhost:53593/callback
        scopes:
        - offline
        - all
  authorizedUris:
  - https://flyte.mydomain.com
  - http://flyteadmin:80
  - http://flyteadmin.flyte.svc.cluster.local:80
  userAuth:
    openId:
      baseUrl: https://accounts.google.com
      clientId: xxxxxxxxx-xxxxxxxxxxx.apps.googleusercontent.com
      scopes:
      - profile
      - openid
flyteadmin:
  eventVersion: 2
  metadataStoragePrefix:
  - metadata
  - admin
  metricsScope: 'flyte:'
  profilerPort: 10254
  roleNameKey: iam.amazonaws.com/role
  testing:
    host: http://flyteadmin
security:
  allowCors: true
  allowedHeaders:
  - Content-Type
  allowedOrigins:
  - '*'
  secure: false
  useAuth: true
server:
  grpcPort: 8089
  httpPort: 8088
  security:
    allowCors: true
    allowedHeaders:
    - Content-Type
    - flyte-authorization
    allowedOrigins:
    - '*'
    secure: false
    useAuth: false

storage.yaml:
----
storage:
  type: stow
  stow:
    kind: google
    config:
      json: ""
      project_id: nonprod-workspace
      scopes: https://www.googleapis.com/auth/cloud-platform
  container: "flyte-gcp-data-177403122955"
  enable-multicontainer: false
  limits:
    maxDownloadMBs: 10

task_resource_defaults.yaml:
----
task_resources:
  defaults:
    cpu: 1000m
    memory: 1000Mi
    storage: 1000Mi
  limits:
    cpu: 2
    gpu: 1
    memory: 1Gi
    storage: 2000Mi

cluster_resources.yaml:
----
cluster_resources:
  customData:
  - production:
    - projectQuotaCpu:
        value: "5"
    - projectQuotaMemory:
        value: 4000Mi
    - gsa:
        value: 'flyte-gcp-flyteworkers@nonprod-workspace.iam.gserviceaccount.com'
  - staging:
    - projectQuotaCpu:
        value: "2"
    - projectQuotaMemory:
        value: 3000Mi
    - gsa:
        value: 'flyte-gcp-flyteworkers@nonprod-workspace.iam.gserviceaccount.com'
  - development:
    - projectQuotaCpu:
        value: "2"
    - projectQuotaMemory:
        value: 3000Mi
    - gsa:
        value: 'flyte-gcp-flyteworkers@nonprod-workspace.iam.gserviceaccount.com'
  refreshInterval: 5m
  standaloneDeployment: false
  templatePath: /etc/flyte/clusterresource/templates


BinaryData
====

Events:  <none>
Is security supposed to be nested under server?
configmap:
  adminServer:
    server:
      httpPort: 8088
      grpcPort: 8089
      security:
        secure: false
        useAuth: true
        allowCors: true
        allowedOrigins:
It should be:
configmap:
  adminServer:
    server:
      httpPort: 8088
      grpcPort: 8089
      security:
        secure: false
        useAuth: false
        allowCors: true
        allowedOrigins:
          # Accepting all domains for Sandbox installation
          - "*"
        allowedHeaders:
          - "Content-Type"
not:
configmap:
  adminServer:
    server:
      httpPort: 8088
      grpcPort: 8089
    security:
      secure: false
      useAuth: false
      allowCors: true
      allowedOrigins:
        # Accepting all domains for Sandbox installation
        - "*"
      allowedHeaders:
        - "Content-Type"
That fixed it!
d
@Alex Beach you're right! (source: https://docs.flyte.org/en/latest/deployment/configuration/generated/flyteadmin_config.html#security-config-serversecurityoptions) Would you mind creating an Issue, or even better a PR?
a
sure