quaint-byte-23550
08/02/2022, 4:59 PM
flytectl get project
Error: rpc error: code = Unavailable desc = connection error: desc = "transport: authentication handshake failed: x509: certificate signed by unknown authority"
quaint-byte-23550
08/02/2022, 5:00 PM
tall-lock-23197
icy-agent-73298
08/03/2022, 5:51 AM
insecureSkipVerify flag
https://github.com/flyteorg/flyteidl/blob/7b1fd01ff429d28755765204f00dea57598d8851/clients/go/admin/config.go#L41
But it's not recommended for prod use cases and should be used only for testing.
icy-agent-73298
08/03/2022, 5:52 AM
icy-agent-73298
08/03/2022, 5:58 AM
--admin.insecureSkipVerify true
more flags are available through help
https://docs.flyte.org/projects/flytectl/en/latest/gen/flytectl.html
quaint-byte-23550
08/03/2022, 2:44 PM
icy-agent-73298
08/03/2022, 4:24 PM
quaint-byte-23550
08/04/2022, 5:21 PM
root@0d4683ee86d5:/# flytectl get project
Error: rpc error: code = Unauthenticated desc = token parse error [JWT_VERIFICATION_FAILED] Could not retrieve id token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken
quaint-byte-23550
08/04/2022, 5:22 PM
Pkce is used within Flyte to talk to FlyteCTL?
I talked to a person who handles Auth within my company, they have never seen Pkce on a Command Line. Could you please advise on this?
icy-agent-73298
08/05/2022, 5:57 AM
admin:
  # For GRPC endpoints you might want to use dns:///flyte.myexample.com
  endpoint: dns:///flyte.org
  # Change insecure flag to ensure that you use the right setting for your environment
  insecure: false
  clientId: *********
  authType: ClientSecret
  clientSecretLocation: /home/runner/secret_location
logger:
  # Logger settings to control logger output. Useful to debug logger:
  show-source: true
  level: 1
quaint-byte-23550
08/31/2022, 5:52 PM
metadataUrl to be .well-known/openid-configuration. This is a suffix to baseURL internally.
◦ Needed to add new clientId which was provided by Auth Server App.
◦ Needed to change the flyteadmin image to a new one corresponding to DeviceFlow changes: ghcr.io/flyteorg/flyteadmin:v1.1.37-deviceauth. This change needs to happen in flyteadmin deployment across all occurrences of the flyteadmin image.
◦ Needed to change FlyteCTL config to something like this:
admin:
  endpoint: <URL>
  authType: DeviceFlow
  insecure: false
  caCertFilePath: <certfilepath>
  deviceFlowConfig:
    deviceFlowTimeout: 200s
logger:
  show-source: true
  level: 20
After authenticating, I am getting an error which does signify there is an issue with JWT response.
Apparently, for our use case an audience needs to be specified while requesting auth from Auth0 server. Currently, flyteadmin is not using audience field and due to missing Audience, Auth Server is not able to complete the Device Authentication flow, because the token after authorization is a default one, which Auth server is not accepting.
A few things:
• We would need full Auth support including Audience field to fully utilize Authentication with Flytectl.
• The team is now outside POC and implementing a full Flyte Deployment which will need full Authentication capability for Flyteconsole as well as FlyteCTL.
CC: @thankful-dress-89577 @nutritious-london-39005 @high-park-82026
quaint-byte-23550
08/31/2022, 5:54 PM
high-park-82026
icy-agent-73298
09/01/2022, 7:04 AM
// EndpointParams specifies additional parameters for requests to the token endpoint.
EndpointParams url.Values
https://github.com/golang/oauth2/blob/master/clientcredentials/clientcredentials.go#L44
which gets used here
https://github.com/golang/oauth2/blob/master/clientcredentials/clientcredentials.go#L97
Sample test with aud https://github.com/golang/oauth2/blob/master/clientcredentials/clientcredentials_test.go#L25
But none of this config is passed from flyteadmin, which is why I am uncertain that adding the aud field is going to solve the device flow issue.
Wanted to test this with a custom build and verify before making a configurable change. Let me know what you all think.
quaint-byte-23550
09/02/2022, 3:03 PM
icy-agent-73298
09/02/2022, 6:38 PM
go mod edit -replace github.com/flyteorg/flyteidl=github.com/flyteorg/flyteidl@4b475700a8df0e7736fed995ee84a4cc22e453fd
go mod tidy
And then run using the audience by passing the right aud field for your app
flytectl get projects --logger.level=6 --admin.authType DeviceFlow --admin.deviceFlowConfig.audience <aud>
Ref used on how to pass aud: https://auth0.com/docs/secure/tokens/access-tokens/get-access-tokens