Shahwar Saleem 08/16/2022, 7:30 PM
and paste it as the first nameserver in
. Building the
binary ourselves on a MacOS (not cross-compiling) should allow it to use the system name resolver. Have people in flyte used
and auth on MacOS? Hoping to learn more about their experiences.
in a container has two problems: attempting to open a browser and storing the secret locally.
• Browser Problem: flytectl in a container tries to open a browser with xdg-open. This fails. Ideally flytectl would have an option to only print the URI and not try to open it. Is it worthwhile to create a GitHub issue for flytectl to output a URL for authentication instead of trying to open the URL? flytectl running in containers would really benefit from this by mounting a browser port onto the container and opening the URL by just copying and pasting the URL.
• Storing Local Secret: The secret produced during authentication needs to be stored somewhere.
stores the key using GitHub - zalando/go-keyring: Cross-platform keyring interface for Go, which on Linux relies on dbus and GNOME keyring. I’m unsure if we should install GNOME keyring itself in the container or if we can implement the parts of the Secret Service API that flytectl needs in a Python program and store the secret only in memory, not in a file.
@Shahwar Saleem we recommend you use the
Browser Problem: flytectl in a container tries to open a browser with xdg-open. This fails. Ideally flytectl would have an option to only print the URI and not try to open it. Is it worthwhile to create a GitHub issue for flytectl to output a URL for authentication instead of trying to open the URL? flytectl running in containers would really benefit from this by mounting a browser port onto the container and opening the URL by just copying and pasting the URL
flow instead of browser based authentication
Have people in flyte used and auth on MacOS
We use this all the time, in fact just used it. It works fine.
Prafulla Mahindrakar 08/17/2022, 5:52 AM
Shahwar Saleem 08/17/2022, 2:43 PM
Prafulla Mahindrakar 08/17/2022, 2:48 PM
Shahwar Saleem 08/17/2022, 2:51 PM
You can use client_secret method of auth to not use the default method which uses browser based authentication
While this suggestion can be useful for a machine-to-machine communication such as a CI/CD workflow to authenticate itself. Having generated a client secret for every user of our flyte deployment and distributing those secrets to each client is not recommended according to our company. We were hoping to see if these issues with PKCE could be resolved. Instead of opening a link in browser, is it easier to make a change that spits out a URL for the user to open however they please? Curious, how is flytectl auth tested within a container?
Prafulla Mahindrakar 08/17/2022, 2:53 PM
Shahwar Saleem 08/17/2022, 2:55 PM
Prafulla Mahindrakar 08/17/2022, 2:56 PM
Shahwar Saleem 08/17/2022, 2:59 PM
Andrew Achkar 08/17/2022, 3:01 PM
I believe the binary needs to be compiled on a mac to allow it to use the system’s dns resolver.
GODEBUG=netdns=2 flytectl get projects
...
go package net: built with netgo build tag; using Go's DNS resolver
...
Prafulla Mahindrakar 08/17/2022, 3:05 PM
Andrew Achkar 08/17/2022, 3:07 PM
Prafulla Mahindrakar 08/17/2022, 3:11 PM
Andrew Achkar 08/17/2022, 3:50 PM
Prafulla Mahindrakar 08/17/2022, 4:00 PM
• Problem 2
◦ part 1: Browser issue: You can use client_secret method of auth to not use the default method which uses browser based authentication. We use the following way in our CI by reusing the flytepropeller secret https://github.com/flyteorg/flytetools/blob/master/functional-tests/config.yaml
▪︎ Also after this change you can pass the secret as env variable https://github.com/flyteorg/flyteidl/pull/312. Latest flytectl has this option
◦ part 2: Local secret: zalando keyring is used more as a token cache and not for secret storage and hence if you don’t have GNOME keyring installed then it would just bypass the cache layer and always fetch the token by reauthenticating with the client_secret. Client_secret is stored in your filesystem, e.g. in the functional test example it's stored in /home/runner/secret_location or ENV variable
Andrew Achkar 08/17/2022, 4:04 PM
Prafulla Mahindrakar 08/18/2022, 6:27 AM
Shahwar Saleem 08/18/2022, 2:51 PM
Andrew Achkar 08/18/2022, 8:29 PM
Prafulla Mahindrakar 08/19/2022, 5:16 AM
Andrew Achkar 08/19/2022, 1:42 PM
Prafulla Mahindrakar 08/23/2022, 4:51 PM
Shahwar Saleem 08/24/2022, 3:31 PM