Hi All, I am trying to deploy Flyte in a single-cluster deployment. In our env, we create the ALB outside of EKS. The env mandates that SSL needs to be terminated at the pod. If I add a config map with the certificate and keys, can I use the SSL options in ServerSecurityConfig to run flyte binary pods with SSL? Has anyone tried it?
Yee
03/11/2024, 9:53 PM
you should be able to. we typically don’t do that but the code is in place. the one thing to note is that if you’re doing termination in flyte itself, the grpc port and the http port are shared
Yee
03/11/2024, 9:53 PM
only in the case when you’re serving insecure are the http and grpc ports different
peeyush jain
03/12/2024, 10:43 PM
@Yee. Thanks I tried giving configuration as below. I am using 1.10.1 version
configuration:
  server:
    security:
      ssl:
        certificateFile: "/ssl/cert.pem"
        keyFile: "/ssl/key.pem"
It didn’t work. I still see http and grpc services running on port 8088 and 8089 respectively. Should I expect only one service?
Can you share an example of how I can configure Flyte pods to use a certificate?
@Yee yes I tried. I looked at the code for flyte-admin. I used the below
admin:
  {{- if .Values.configuration.auth.enabled }}
  clientId: {{ .Values.configuration.auth.internal.clientId }}
  {{- if .Values.configuration.auth.internal.audience }}
  audience: {{ .Values.configuration.auth.internal.audience }}
  {{- end }}
  {{- end }}
  endpoint: localhost:8089
  insecure: true
server:
  security:
    secure: true
    ssl:
      certificateFile: "/ssl/cert.pem"
      keyFile: "/ssl/key.pem"
With above pod fails to come up with error “failed to get future value for catchup due to async future was cancelled”.
If I remove “secure: true” then pod comes up but services are running on port 8088 and 8089 with no ssl conf.
Yee
03/13/2024, 8:09 PM
is there an error you can share?
Yee
03/13/2024, 8:09 PM
cc @David Espejo (he/him) who’s probably tried to set up ssl more recently than me.
peeyush jain
03/13/2024, 8:16 PM
below is the error message. I am using flyte binary v1.10.1
{"json":{"src":"scheduler_executor.go:87"}, "level":"error", "msg":"failed to get future value for catchup due to async future was cancelled", "ts":"2024-03-13T19:24:36Z"}
{"json":{"src":"scheduler_executor.go:88"}, "level":"info", "msg":"Flyte native scheduler shutdown", "ts":"2024-03-13T19:24:36Z"}
Yee
03/13/2024, 8:28 PM
can you change the admin block to insecure: false?