https://flyte.org logo
Join Slack
Powered by
is there any way to enable SSL on the grpc endedpo...
# flyte-support
h
is there any way to enable SSL on the grpc endedpoints? I am looking at IaP, but I am wondering if its really necessary to run an entire service mesh and proxys to handle ssl instead of just having flyte admin handle ssl https://github.com/flyteorg/flytekit/tree/master/plugins/flytekit-identity-aware-proxy#configuring-your-flyte-deployment-to-use-iap
t
cc @average-finland-92144
a
I think this question is already covered here: https://flyte-org.slack.com/archives/C05A0JA1CCD/p1707431070174989
👍 1
h
actually there is a bit more to this: So the admin grpc client allows for settings custom ca certificate: https://github.com/flyteorg/flyte/blob/55a67f23f5d8e44bc7d70f738b0fafe954e0bf94/flyteidl/clients/go/admin/client.go#L138 but the admin http client does not: https://github.com/flyteorg/flyte/blob/55a67f23f5d8e44bc7d70f738b0fafe954e0bf94/flyteidl/clients/go/admin/auth_interceptor.go#L103 I think there is a way around this be mounting the custom CA cert, and installing the CA in the docker container os. If it was possible to get this in code, and in the admin config map, this wouldn't be require and IaP would work with SSL withouth a proxy
I think this is a pretty easy change: https://github.com/flyteorg/flyte/blob/55a67f23f5d8e44bc7d70f738b0fafe954e0bf94/flyteidl/clients/go/admin/auth_interceptor.go#L105 The transport just needs a list of RootCA's
Copy code
config := &tls.Config{
		InsecureSkipVerify: *insecure,
		RootCAs:            rootCAs,
}
tr := &http.Transport{TLSClientConfig: config}
a
this wouldn't be require and IaP would work with SSL withouth a proxy
that'd be great. Would you like to contribute?
h
yeah sure. I was planning on testing this this week. i can just create a pr
gratitude thank you 1
🙌🏽 1
9 Views
Open in Slack
PreviousNext
Powered by