quaint-byte-23550
09/28/2022, 9:09 PM
UNKNOWN state. I was wondering what could be the possible cause for this?
Do we need to inform any service other than Flyte Admin about the Auth? For example, Flyte Propeller?
CC: @icy-agent-73298
thankful-minister-83577
thankful-minister-83577
thankful-minister-83577
thankful-minister-83577
quaint-byte-23550
09/28/2022, 9:15 PM
thankful-minister-83577
freezing-airport-6809
freezing-airport-6809
freezing-airport-6809
quaint-byte-23550
09/29/2022, 2:20 PM
freezing-airport-6809
freezing-airport-6809
quaint-byte-23550
10/05/2022, 6:27 PM
rpc error: code = Unauthenticated desc = transport: per-RPC creds failed due to error: oauth2: cannot fetch token: 403 Forbidden\nResponse: {\"error\":\"access_denied\",\"error_description\":\"No audience parameter was provided, and no default audience has been configured\"
So just like @icy-agent-73298 helped with Audience being set within FlyteAdmin in the image:
    repository: ghcr.io/flyteorg/flyteadmin
    tag: v1.1.37-deviceauth
We need Audience variations of these images for scheduler and propeller.
Please correct me if I am wrong.
CC: @thankful-minister-83577 @nutritious-london-39005 @icy-agent-73298
thankful-minister-83577
thankful-minister-83577
quaint-byte-23550
10/05/2022, 6:32 PM
can you try with flytectl?
I just confirmed with my team that our Auth0 server does require an Audience even from clientSecret flow. So, I believe to make this work with the Auth server we do need Audience properly set.
thankful-minister-83577
thankful-minister-83577
thankful-minister-83577
thankful-dress-89577
10/06/2022, 4:16 PM
quaint-byte-23550
10/06/2022, 4:18 PM
thankful-dress-89577
10/06/2022, 5:21 PM
high-park-82026
high-park-82026
high-park-82026
thankful-dress-89577
10/06/2022, 5:29 PM
thankful-dress-89577
10/06/2022, 5:30 PM
high-park-82026
thankful-dress-89577
10/06/2022, 5:31 PM
high-park-82026
thankful-minister-83577
quaint-byte-23550
10/06/2022, 5:55 PM
propeller, scheduler, and flytectl.
thankful-minister-83577
thankful-minister-83577
quaint-byte-23550
10/12/2022, 6:40 PM
flyteadmin and flyteidl for providing Audience.
I was successfully able to create flytescheduler and propeller images.
After I supply the audience value, propeller is created fine. But scheduler is continuously in PodInitialization, and I am unable to debug it further.
I have supplied the values to audience in my config maps like:
    admin.yaml: |
      admin:
        clientId: <clientId>
        clientSecretLocation: /etc/secrets/client_secret
        audience: <audience_value>
        endpoint: flyteadmin:81
        insecure: true
CC: @thankful-minister-83577 please let me know what I could be doing wrong
thankful-minister-83577
quaint-byte-23550
10/12/2022, 6:44 PM
flytescheduler-check is in CrashLoopBackOff state:
    terminated
    Reason: Error - exit code: 2
    Started at: 2022-10-12T14:39:43-04:00
    Finished at: 2022-10-12T14:39:44-04:00
thankful-minister-83577
thankful-minister-83577
quaint-byte-23550
10/12/2022, 6:44 PM
Audience error anymore.
thankful-minister-83577
thankful-minister-83577
thankful-minister-83577
quaint-byte-23550
10/12/2022, 6:46 PM
thankful-minister-83577
thankful-minister-83577
quaint-byte-23550
10/12/2022, 6:49 PM
token_source_provider file to return EndPointParams. Which are then going to be used to return Audience parameter.
thankful-minister-83577
thankful-minister-83577
thankful-minister-83577
thankful-minister-83577
quaint-byte-23550
10/12/2022, 6:51 PM
    audienceValue := cfg.Audience
    if len(audienceValue) == 0 {
        audienceValue = clientMetadata.Audience
    }
    tokenProvider, err = NewClientCredentialsTokenSourceProvider(ctx, cfg, scopes, tokenURL, audienceValue)
thankful-minister-83577
quaint-byte-23550
10/12/2022, 6:52 PM
EndPointParams to be passed.
quaint-byte-23550
10/12/2022, 6:52 PM
thankful-minister-83577
thankful-minister-83577
quaint-byte-23550
10/12/2022, 6:53 PM
flyteadmin
flytepropeller
flytescheduler
thankful-minister-83577
quaint-byte-23550
10/12/2022, 6:55 PM
thankful-minister-83577
quaint-byte-23550
10/12/2022, 6:57 PM
No audience parameter was provided, and no default audience has been configured
thankful-minister-83577
quaint-byte-23550
10/12/2022, 6:58 PM
thankful-minister-83577
quaint-byte-23550
10/12/2022, 7:12 PM
thankful-minister-83577
thankful-minister-83577
quaint-byte-23550
10/12/2022, 7:20 PM
thankful-minister-83577
quaint-byte-23550
10/12/2022, 7:20 PM
quaint-byte-23550
10/12/2022, 7:21 PM
thankful-minister-83577
thankful-minister-83577
thankful-minister-83577
quaint-byte-23550
10/20/2022, 5:41 PM
freezing-airport-6809
quaint-byte-23550
10/20/2022, 9:43 PM
freezing-airport-6809
freezing-airport-6809
mammoth-church-8767
12/18/2022, 5:38 PM
freezing-airport-6809
freezing-airport-6809
mammoth-church-8767
12/20/2022, 2:44 PM
No audience parameter was provided, and no default audience has been configured
and this on the admin side:
{"json":{"src":"cookie.go:88"},"level":"debug","msg":"Existing [flyte_idt] cookie found","ts":"2022-12-20T14:30:01Z"}
{"json":{"src":"cookie.go:88"},"level":"debug","msg":"Existing [flyte_at] cookie found","ts":"2022-12-20T14:30:01Z"}
{"json":{"src":"cookie.go:88"},"level":"debug","msg":"Existing [flyte_rt] cookie found","ts":"2022-12-20T14:30:01Z"}
{"json":{"src":"cookie.go:88"},"level":"debug","msg":"Existing [flyte_user_info] cookie found","ts":"2022-12-20T14:30:01Z"}
{"json":{"src":"handlers.go:235"},"level":"debug","msg":"Running authentication gRPC interceptor","ts":"2022-12-20T14:30:01Z"}
{"json":{"src":"token.go:83"},"level":"debug","msg":"Could not retrieve bearer token from metadata rpc error: code = Unauthenticated desc = Request unauthenticated with Bearer","ts":"2022-12-20T14:30:01Z"}
{"json":{"src":"handlers.go:245"},"level":"info","msg":"Failed to parse Access Token from context. Will attempt to find IDToken. Error: [JWT_VERIFICATION_FAILED] Could not retrieve bearer token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with Bearer","ts":"2022-12-20T14:30:01Z"}
I’m using the v1.2.1 images and added the audience conf as below
    thirdPartyConfig:
      flyteClient:
        clientId: clientId
        redirectUri: https://xxxx.auth0.com/callback
        scopes:
          - offline
          - all
        audience: https://xxxx.auth0.com/api/v2/
And the audience is correctly returned by the admin endpoint /config/v1/flyte_client
I’m not sure what I’m doing wrong there
freezing-airport-6809
icy-agent-73298
12/20/2022, 4:26 PM
mammoth-church-8767
12/20/2022, 4:34 PM
icy-agent-73298
12/20/2022, 5:44 PM
mammoth-church-8767
12/23/2022, 3:05 PM
Error: unknown command "RedisClient" for "mockery"
Error: unknown command "HandlerFactory" for "mockery"
I’m not a go dev, so it surely is an issue on my setup 😅
freezing-airport-6809
icy-agent-73298
12/23/2022, 8:11 PM
go get github.com/flyteorg/flyteidl
github.com/flyteorg/flyteidl@956c7a259b50a6607aa82a9d3cc0bcbe51919f84
which uses the commit from the PR
• go mod tidy
• make docker_build. This will build the propeller image with the idl changes
• Push the built image to your local image repo and use the same in your flyte deployment. With the change you can now configure flytepropeller to send the audience field when having flyteadmin relay auth with auth0 provider. In your propeller config map you should be able to add the audience key and value https://github.com/flyteorg/flyteidl/pull/329/files#diff-91f1e2cdbc64e0a780abe3c3eddfeb4bc61a1e099e7393a1331ff7f27be30c5cR56 in the admin section
mammoth-church-8767
01/03/2023, 2:41 PM
icy-agent-73298
01/03/2023, 5:47 PM
mammoth-church-8767
01/03/2023, 7:32 PM
icy-agent-73298
01/03/2023, 9:03 PM
freezing-airport-6809
icy-agent-73298
01/04/2023, 3:46 AM