Hi All, i am trying to deploy flyte in single clus...
# flyte-supportb
bright-cartoon-85041
03/11/2024, 3:21 PMHi All, i am trying to deploy flyte in single cluster deployment. In our env, we create ALB outside of EKS. The env mandates ssl needs to be terminated at pod. If i add config map with certificate and keys. Can i use ssl options in ServerSecurityConfig to run flyte binary pods with ssl? has anyone tried it?
t
thankful-minister-83577
03/11/2024, 9:53 PM
you should be able to. we typically don’t do that but the code is in place. the one thing to note is that if you’re doing termination in flyte itself, the grpc port and the http port are shared
thankful-minister-83577
03/11/2024, 9:53 PM
only in the case when you’re serving insecure are the http and grpc ports different
b
bright-cartoon-85041
03/12/2024, 10:43 PM@thankful-minister-83577. Thanks I tried giving configuration as below. I am using 1.10.1 version
configuration:
server:
security:
ssl:
certificateFile: “/ssl/cert.pem”
keyFile: “/ssl/key.pem”
It didn’t work. I still see http and gprc services running on port 8088 and 8089 respectively. Should I expect only one service ?
Can you share an example how I can confifuge Flyte pods to use certificate?
t
thankful-minister-83577
03/13/2024, 6:35 PM
and you configured insecure to false? https://github.com/flyteorg/flyte/blob/44914b138002a54770ee61fc202ee518e2960f39/charts/flyte-binary/templates/configmap.yaml#L31
b
bright-cartoon-85041
03/13/2024, 8:08 PM@thankful-minister-83577 yes i tried. I looked at the code for flyte-admin. I used below
admin:
{{- if .Values.configuration.auth.enabled }}
clientId: {{ .Values.configuration.auth.internal.clientId }}
{{- if .Values.configuration.auth.internal.audience }}
audience: {{ .Values.configuration.auth.internal.audience }}
{{- end }}
{{- end }}
endpoint: localhost:8089
insecure: true
server:
security:
secure: true
ssl:
certificateFile: “/ssl/cert.pem”
keyFile: “/ssl/key.pem”
With above pod fails to come up with error “failed to get future value for catchup due to async future was cancelled”.
If I remove “secure: true” then pod comes up but services are running on port 8088 and 8089 with no ssl conf.
t
thankful-minister-83577
03/13/2024, 8:09 PM
is there an error you can share?
thankful-minister-83577
03/13/2024, 8:09 PM
cc @average-finland-92144 who’s probably tried to set up ssl more recently than me.
b
bright-cartoon-85041
03/13/2024, 8:16 PMbelow is the error message. I am using flyte binary v1.10.1
{“json”{“src””scheduler_executor.go”:87}, “level”:”error”, “msg”:”failed to get future value for catchup due to async future was cancelled”, “ts””2024 03 13T1924:36Z”}
{“json”{“src””scheduler_executor.go”:88}, “level”:”info”, “msg”:”Flyte native scheduler shutdown”, “ts””2024 03 13T1924:36Z”}
t
thankful-minister-83577
03/13/2024, 8:28 PM
can you change the admin block to insecure: false?
b
bright-cartoon-85041
03/13/2024, 8:30 PMtried again. failed with same error
19 Views