Mark Waylonis
03/18/2024, 3:32 PM
panic: rpc error: code = Unauthenticated desc = token parse error [JWT_VERIFICATION_FAILED] Could not retrieve id token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken

I've triple checked the flytepropeller setup for auth with client credentials in Okta and haven't been able to resolve the issue. I figured I'd ask if anyone has any pointers for troubleshooting this. Thanks!

David Espejo (he/him)
03/18/2024, 4:04 PM

Mark Waylonis
03/18/2024, 5:35 PM
    adminOauthClientCredentials:
      enabled: true
So I don't think this change should impact my configuration (I may be misunderstanding something)? I don't have the same issue that PR links to. I've also confirmed that the flyte-secret-auth secret is created correctly with the correct flytepropeller client_secret, and it looks like the init container also has it mounted from describing the flytescheduler pod:
    Mounts:
      /etc/db from db-pass (rw)
      /etc/flyte/config from config-volume (rw)
      /etc/secrets/ from auth (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-m4qwb (ro)

David Espejo (he/him)
03/18/2024, 5:36 PM
flytescheduler Pod?

Mark Waylonis
03/18/2024, 5:41 PM

Mark Waylonis
03/18/2024, 5:42 PM

David Espejo (he/him)
03/18/2024, 5:44 PM
flytescheduler deployment?
    kubectl rollout restart deployment/flytescheduler -n <your-namespace>

Mark Waylonis
03/18/2024, 5:46 PM

Mark Waylonis
03/18/2024, 6:21 PM

David Espejo (he/him)
03/18/2024, 6:34 PM

Mark Waylonis
03/18/2024, 6:36 PM

Mark Waylonis
03/26/2024, 5:23 PM
http://flyteadmin:80. Therefore when validating the JWT audience, it expects http://flyteadmin:80 to be the audience instead of the external-facing domain name. This was easily fixed by setting the allowedAudience in the values file, which added the external-facing domain name to the expected audiences.

David Espejo (he/him)
03/26/2024, 8:16 PM
allowedAudience?

Mark Waylonis
03/26/2024, 8:42 PM

Mark Waylonis
03/26/2024, 8:44 PM
    appAuth:
      authServerType: External
      externalAuthServer:
        allowedAudience: [https://flyte.<DOMAIN>.com]

Mark Waylonis
03/26/2024, 8:54 PM

David Espejo (he/him)
03/26/2024, 8:56 PM

Mark Waylonis
03/26/2024, 9:04 PM

Mark Waylonis
03/27/2024, 12:01 AM