quaint-byte-23550
08/16/2022, 7:30 PM
quaint-byte-23550
08/16/2022, 7:30 PM
/etc/resolver/company_vpn_resolver and paste it as the first nameserver in /etc/resolve.conf. Building the flytectl binary ourselves on MacOS (not cross-compiling) should allow it to use the system name resolver. Have people in flyte used flytectl and auth on MacOS? Hoping to learn more about their experiences.
quaint-byte-23550
08/16/2022, 7:34 PM
flytectl in a container has two problems: attempting to open a browser and storing the secret locally.
• Browser Problem: flytectl in a container tries to open a browser with xdg-open. This fails. Ideally flytectl would have an option to only print the URI and not try to open it. Is it worthwhile to create a GitHub issue for flytectl to output a URL for authentication instead of trying to open the URL? flytectl running in containers would really benefit from this by mounting a browser port onto the container and opening the URL by just copying and pasting the URL.
• Storing Local Secret: The secret produced during authentication needs to be stored somewhere. flytectl stores the key using GitHub - zalando/go-keyring: Cross-platform keyring interface for Go, which on Linux relies on dbus and GNOME keyring. I'm unsure if we should install GNOME keyring itself in the container or if we can implement the parts of the Secret Service API that flytectl needs in a Python program and store the secret only in memory, not in a file.
quaint-byte-23550
08/16/2022, 7:36 PM
freezing-airport-6809
Browser Problem: flytectl in a container tries to open a browser with xdg-open. This fails. Ideally flytectl would have an option to only print the URI and not try to open it. Is it worthwhile to create a GitHub issue for flytectl to output a URL for authentication instead of trying to open the URL? flytectl running in containers would really benefit from this by mounting a browser port onto the container and opening the URL by just copying and pasting the URL
@quaint-byte-23550 we recommend you use the client secrets flow instead of browser based authentication
freezing-airport-6809
Have people in flyte used flytectl and auth on MacOS?
We use this all the time, in fact just used it. It works fine.
freezing-airport-6809
icy-agent-73298
08/17/2022, 5:52 AM
quaint-byte-23550
08/17/2022, 2:43 PM
quaint-byte-23550
08/17/2022, 2:47 PM
curl -s https://raw.githubusercontent.com/lyft/flytectl/master/install.sh |bash
For problem 1: When we install the flytectl binary as mentioned, and a flyte dev deployment is running inside our VPN on AWS EKS, flytectl is not able to resolve the IP addresses of the flyte dev deployment inside the VPN. flytectl does not use MacOS's system name resolver, so it does not send the DNS request for the flyte deployment URL through our VPN.
icy-agent-73298
08/17/2022, 2:48 PM
quaint-byte-23550
08/17/2022, 2:51 PM
You can use client_secret method of auth to not use the default method which uses browser based authentication
While this suggestion can be useful for machine-to-machine communication, such as a CI/CD workflow authenticating itself, generating a client secret for every user of our flyte deployment and distributing those secrets to each client is not recommended according to our company. We were hoping to see if these issues with PKCE could be resolved. Instead of opening a link in a browser, is it easier to make a change that spits out a URL for the user to open however they please? Curious, how is flytectl auth tested within a container?
quaint-byte-23550
08/17/2022, 2:52 PM
Could you try this one as well curl -s https://raw.githubusercontent.com/flyteorg/flytectl/master/install.sh |bash
I think I tried this one already like I said above, did you mean something else? 😛
icy-agent-73298
08/17/2022, 2:53 PM
icy-agent-73298
08/17/2022, 2:54 PM
quaint-byte-23550
08/17/2022, 2:55 PM
icy-agent-73298
08/17/2022, 2:56 PM
icy-agent-73298
08/17/2022, 2:58 PM
quaint-byte-23550
08/17/2022, 2:59 PM
thankful-dress-89577
08/17/2022, 3:01 PM
GODEBUG=netdns=2 flytectl get projects
...
go package net: built with netgo build tag; using Go's DNS resolver
...
I believe the binary needs to be compiled on a Mac to allow it to use the system's DNS resolver.
thankful-dress-89577
08/17/2022, 3:01 PM
icy-agent-73298
08/17/2022, 3:05 PM
thankful-dress-89577
08/17/2022, 3:07 PM
icy-agent-73298
08/17/2022, 3:11 PM
freezing-airport-6809
thankful-dress-89577
08/17/2022, 3:50 PM
icy-agent-73298
08/17/2022, 4:00 PM
• Problem 2
◦ part 1: Browser issue: You can use the client_secret method of auth to not use the default method which uses browser based authentication. We use the following way in our CI by reusing the flytepropeller secret https://github.com/flyteorg/flytetools/blob/master/functional-tests/config.yaml
▪︎ Also after this change you can pass the secret as an env variable https://github.com/flyteorg/flyteidl/pull/312. Latest flytectl has this option.
◦ part 2: Local secret: zalando keyring is used more as a token cache and not for secret storage, and hence if you don't have GNOME keyring installed then it would just bypass the cache layer and always fetch the token by reauthenticating with the client_secret. Client_secret is stored in your filesystem, e.g. in the functional test example it's stored in /home/runner/secret_location or an ENV variable.
thankful-dress-89577
08/17/2022, 4:04 PM
icy-agent-73298
08/18/2022, 6:27 AM
quaint-byte-23550
08/18/2022, 2:51 PM
quaint-byte-23550
08/18/2022, 3:28 PM
thankful-dress-89577
08/18/2022, 8:29 PM
thankful-dress-89577
08/18/2022, 8:32 PM
icy-agent-73298
08/19/2022, 5:16 AM
thankful-dress-89577
08/19/2022, 1:42 PM
icy-agent-73298
08/23/2022, 4:51 PM
icy-agent-73298
08/24/2022, 3:26 PM
quaint-byte-23550
08/24/2022, 3:31 PM