is there any way to enable SSL on the grpc endedpo...
# ask-the-community
a
Is there any way to enable SSL on the gRPC endpoints? I am looking at IaP, but I am wondering if it's really necessary to run an entire service mesh and proxies to handle SSL instead of just having flyte admin handle SSL: https://github.com/flyteorg/flytekit/tree/master/plugins/flytekit-identity-aware-proxy#configuring-your-flyte-deployment-to-use-iap
s
cc @David Espejo (he/him)
d
I think this question is already covered here: https://flyte-org.slack.com/archives/C05A0JA1CCD/p1707431070174989
a
Actually, there is a bit more to this. The admin gRPC client allows for setting a custom CA certificate: https://github.com/flyteorg/flyte/blob/55a67f23f5d8e44bc7d70f738b0fafe954e0bf94/flyteidl/clients/go/admin/client.go#L138 but the admin HTTP client does not: https://github.com/flyteorg/flyte/blob/55a67f23f5d8e44bc7d70f738b0fafe954e0bf94/flyteidl/clients/go/admin/auth_interceptor.go#L103 I think there is a way around this by mounting the custom CA cert and installing the CA in the Docker container OS. If it was possible to get this in code, and in the admin config map, this wouldn't be required and IaP would work with SSL without a proxy.
I think this is a pretty easy change: https://github.com/flyteorg/flyte/blob/55a67f23f5d8e44bc7d70f738b0fafe954e0bf94/flyteidl/clients/go/admin/auth_interceptor.go#L105 The transport just needs a list of RootCAs.
```go
config := &tls.Config{
	InsecureSkipVerify: *insecure,
	RootCAs:            rootCAs,
}
tr := &http.Transport{TLSClientConfig: config}
```
d
> this wouldn't be required and IaP would work with SSL without a proxy

That'd be great. Would you like to contribute?
a
Yeah, sure. I was planning on testing this this week. I can just create a PR.