Hi everyone I need a little help! I am using Flyte...
# ask-the-community
d
Hi everyone, I need a little help! I am using the latest Flyte version, which is v1.11.1, and I am using my values.yaml file to deploy the flyte-binary pod. I am using external authentication with Azure AD. In this version flyteconsole sends requests to localhost:30080 instead of the host I set up in the ingress. I don't know why it is happening only in this version. When I try the same with v1.11.0 it works fine: the login request is sent to the host I mentioned in the values.yaml file. Can anyone explain what changed in the new version of flyte-binary, and how I can correct that? Meanwhile, flytectl works fine in both versions (I am talking about authentication here).
Also, I have to use the latest version, as it includes the merged split-cookies patch, which was done by @Yubo Wang.
k
You mean v1.11.1b1? We don’t have v1.11.1 yet. https://github.com/flyteorg/flyte/releases/tag/v1.11.1-b1
d
Yeah, v1.11.1-b1, sorry for that.
Actually, I dug a little deeper into that. Currently what is happening is that the Dockerfile I am using to build flyte-binary, inside the latest flyteorg repo, pulls the latest flyteconsole version, which I guess was released a few weeks ago. When I try to use that binary with the latest flyteconsole image to deploy on a k3s cluster, it creates the problem I described above. And when I changed the flyteconsole version to v1.10 (any previous version) in the Dockerfile and then built, the problem didn't occur.
d
@Devendra Johari thanks for digging deeper. @Kevin Su could it be related to this recent change? https://github.com/flyteorg/flyteconsole/pull/853/files It defaults the admin API URL to localhost:30080
k
might be related.
d
@Devendra Johari I'll try to reproduce this behavior to see if it's a bug or something else. Are you using the selfAuthServer or purely externalAuth? Could you share the -anonymized- config you're using? (If it's external, it'd also be an interesting learning, as, just following the docs, I haven't been able to make it work with Entra ID.)
d
Yeah sure, here is the values.yaml file that I used for the flyte-binary Helm chart:
deployment:
  image:
    repository: <private-registry-url>/flyte-binary
    tag: <image_tag>
  extraEnvVars:
    - name: HTTP_PROXY
      value: "<PROXY_VALUE>"
    - name: HTTPS_PROXY
      value: "<PROXY_VALUE>"
    - name: http_proxy
      value: "<PROXY_VALUE>"
    - name: https_proxy
      value: "<PROXY_VALUE>"
    - name: no_proxy
      value: "<PROXY_VALUE>"
    - name: NO_PROXY
      value: "<PROXY_VALUE>"
    - name: GODEBUG
      value: "<PROXY_VALUE>"

configuration:
  database:
    username: <username>
    host: postgres.flyte.svc.cluster.local
    dbname: <db_name> 
  storage:
    type: minio
    metadataContainer: flyte-bucket #This is the default bucket created with Minio. Controlled by the MINIO_DEFAULT_BUCKETS env var in the local-flyte-resources.yaml manifest
    userDataContainer: flyte-bucket
    provider: s3
    providerConfig:
      s3:
        authType: "accesskey"
        endpoint: "http://minio.flyte.svc.cluster.local:9000"
        accessKey: "<access_key>"
        secretKey: "<secret_key>" #If you need to change this parameters, refer to the local-flyte-resources.yaml manifest and adjust the MINIO_ROOT_PASSWORD env var
        disableSSL: "true"
        secure: "false"
        v2Signing: "true"

  logging:
    level: 6
  
  auth:
    enabled: true
    enableAuthServer: true
    oidc:
      baseUrl: https://login.microsoftonline.com/<tenant_id>/v2.0
      clientId: <client_id>
      clientSecret: <client_secret>
    internal:
      clientId: <client_id>
      clientSecret: '<client_secret>'
      clientSecretHash: <client_secret_hash>
    authorizedUris:
    - https://<ingress_host_url>
  inlineSecretRef: flyte-binary-inline-config-secret-postgres  
  inline:
    auth:
      appAuth:
        authServerType: External
        externalAuthServer:
          baseUrl: https://login.microsoftonline.com/<tenant_id>/v2.0
          metadataUrl: .well-known/openid-configuration
          AllowedAudience:
            - api://<client_id>
        thirdPartyConfig:
          flyteClient:
            # Use the clientID generated by your IdP for the `flytectl` app registration
            clientId: <client_id>
            redirectUri: http://localhost:53593/callback
            scopes:
            - api://<client_id>/Custom.Scope
      userAuth:
        openId:
          baseUrl: https://login.microsoftonline.com/<tenant_id>/v2.0
          scopes:
          - profile
          - openid
        # - offline_access # Uncomment if your IdP supports issuing refresh tokens (optional)
        # Use the client ID and secret generated by your IdP for the first OIDC registration in the "Identity Management layer : OIDC" section of this guide
          clientId: <client_id>
    plugins:
      k8s:
        inject-finalizer: true
        default-env-vars:
          - FLYTE_AWS_ENDPOINT: "http://minio.flyte.svc.cluster.local:9000"
          - FLYTE_AWS_ACCESS_KEY_ID: "<access_key>"
          - FLYTE_AWS_SECRET_ACCESS_KEY: "<secret_key>" #Use the same value as the MINIO_ROOT_PASSWORD

    task_resources:
      defaults: 
        cpu: 100m
        memory: 500Mi #change default requested resources and limits to fit your needs
      limits:
        memory: 2Gi

serviceAccount:
  create: true
  name: "flyte-service-account"
  imagePullSecrets:
    - name: flyte-binary-gdmlops-mlrobot-key


ingress:
 create: true
 ingressClassName: nginx
 commonAnnotations:
    ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/proxy-buffer-size: "32k"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/affinity: "cookie"
    
 httpAnnotations:
    nginx.ingress.kubernetes.io/app-root: /console
 grpcAnnotations:
    nginx.ingress.kubernetes.io/backend-protocol: GRPC
 host: <host_name>
 tls:
    - hosts:
      -  <host_name>
      secretName: mlflyte
I am also a little unsure about the internal section, which is present under the auth section. I don't know what to put inside clientId, as I have no separate clientId for flytepropeller in my Azure tenant.