gifted-raincoat-59712
09/09/2022, 2:50 PM
flytectl register from a CI workflow, with Flyte auth enabled.
We’re on GCP/GKE.
Ideally, I’d like to register files from a pod running on the GKE cluster. I think this would use the OAuth2 flow that flyte components use?
Alternatively, we could run flytectl register from the CI runner, as this doc implies. I’d love to find an example of doing this.
gifted-raincoat-59712
09/09/2022, 2:50 PM
adminServer:
  server:
    httpPort: 8088
    grpcPort: 8089
    security:
      useAuth: true
  auth:
    appAuth:
      thirdPartyConfig:
        flyteClient:
          clientId: flytectl
          redirectUri: http://localhost:53593/callback
          scopes:
            - offline
            - all
    authorizedUris:
      - https://{{ .Values.userSettings.hostName }}:443
      - http://flyteadmin:80
      - http://flyteadmin.flyte.svc.cluster.local:80
    userAuth:
      openId:
        baseUrl: https://accounts.google.com
        clientId: "{{ .Values.userSettings.oauthClientId }}"
        scopes:
          - profile
          - openid
thankful-minister-83577
flytectl --admin.authType ClientSecret --config ~/.flyte/dev-uniondemo.yaml --admin.clientId flytepropeller --admin.clientSecretLocation /tmp/p get workflow -p flytesnacks -d development
where foobar is in /tmp/p
This isn’t really recommended though. It’s complicated to specify the client structure in yaml, and also you have a password effectively in cleartext stored in config (hashed), and you have to hash it in a special way (not sure, will need to ask around more). Assuming you have an IDP hooked up, what you should do is just create a client credentials application (like in okta), and just call flytectl the same way.
gifted-raincoat-59712
09/10/2022, 12:16 AM
Google IdP does not offer an OAuth2 Authorization Server that could be used to protect external services (for example Flyte). In this case, Google offers a separate Cloud Product called Google Cloud Identity. Configuration for Cloud Identity is not included in this guide. If unavailable, setup can stop here and FlyteAdmin BuiltIn OAuth2 Authorization Server can be used instead.