# ask-the-community

Alex Beach

02/08/2024, 10:00 PM
Is there any way to enable SSL on the gRPC endpoints? I am looking at IaP, but I am wondering if it's really necessary to run an entire service mesh and proxies to handle SSL instead of just having flyte admin handle SSL: https://github.com/flyteorg/flytekit/tree/master/plugins/flytekit-identity-aware-proxy#configuring-your-flyte-deployment-to-use-iap

Samhita Alla

02/12/2024, 4:31 PM
cc @David Espejo (he/him)

David Espejo (he/him)

02/12/2024, 4:32 PM
I think this question is already covered here: https://flyte-org.slack.com/archives/C05A0JA1CCD/p1707431070174989

Alex Beach

02/12/2024, 5:28 PM
Actually there is a bit more to this. The admin gRPC client allows for setting a custom CA certificate: https://github.com/flyteorg/flyte/blob/55a67f23f5d8e44bc7d70f738b0fafe954e0bf94/flyteidl/clients/go/admin/client.go#L138 but the admin HTTP client does not: https://github.com/flyteorg/flyte/blob/55a67f23f5d8e44bc7d70f738b0fafe954e0bf94/flyteidl/clients/go/admin/auth_interceptor.go#L103 I think there is a way around this by mounting the custom CA cert and installing the CA in the Docker container OS. If it was possible to get this in code, and in the admin config map, this wouldn't be required and IaP would work with SSL without a proxy.
I think this is a pretty easy change: https://github.com/flyteorg/flyte/blob/55a67f23f5d8e44bc7d70f738b0fafe954e0bf94/flyteidl/clients/go/admin/auth_interceptor.go#L105 The transport just needs a list of RootCAs.
```go
config := &tls.Config{
	InsecureSkipVerify: *insecure,
	RootCAs:            rootCAs,
}
tr := &http.Transport{TLSClientConfig: config}
```

David Espejo (he/him)

02/12/2024, 5:49 PM
> this wouldn't be required and IaP would work with SSL without a proxy

That'd be great. Would you like to contribute?

Alex Beach

02/12/2024, 6:44 PM
Yeah sure. I was planning on testing this this week. I can just create a PR.