delightful-lion-57360
10/17/2022, 10:30 PM
panic: rpc error: code = Unauthenticated desc = transport: per-RPC creds failed due to error: oauth2: cannot fetch token: 400 Bad Request
Response: {"errorCode":"invalid_client","errorSummary":"Invalid value for 'client_id' parameter.","errorLink":"invalid_client","errorId":"oae4BTFncguRFCNZUfFEpIFhA","errorCauses":[]}
goroutine 1 [running]:
main.main()
/go/src/github.com/flyteorg/flyteadmin/cmd/scheduler/main.go:12 +0x85
This is my sample configmap for this.
configmap:
  auth:
    appAuth:
      authServerType: External
      externalAuthServer:
        baseUrl: https://www.oktadev.com/oauth2/default
      thirdPartyConfig:
        flyteClient:
          clientId: "a1b2c3xxxxyz9N3"
          redirectUri: https://flytedev.myapp.com/callback
          scopes:
            - offline
            - all
    userAuth:
      openId:
        baseUrl: https://www.oktadev.com/oauth2/default
        scopes:
          - profile
          - openid
        clientId: "a1b2c3xxxxyz9N3"
    authorizedUris:
      - https://flytedev.myapp.com
      - http://flyteadmin:80
      - http://flyteadmin.flyte.svc.cluster.local:80
wonderful-afternoon-77766
10/17/2022, 11:16 PM
delightful-lion-57360
10/18/2022, 1:31 AM
tall-lock-23197
icy-agent-73298
10/18/2022, 5:52 AM
You should have three integrations total - one for the web interface, one for Flytectl, and one for Flytepropeller.
Flytepropeller currently shares the secrets with flytescheduler (and cluster-resource manager).
Configuration under appAuth controls propeller, scheduler, flytectl.
thirdPartyConfig controls specifically flytectl config.
This is the section which loads the flyte-secret-auth which gets mounted on both scheduler and propeller for doing auth with flyteadmin pod:
https://github.com/flyteorg/flyte/blob/master/charts/flyte-core/values.yaml#L290-L297
I think you have misconfigured clientId here or you have not created this clientId in your auth provider. This particular clientId needs to use clientsecret auth flow.
delightful-lion-57360
10/18/2022, 11:03 PM
delightful-lion-57360
10/19/2022, 3:21 AM
panic: rpc error: code = Unauthenticated desc = transport: per-RPC creds failed due to error: oauth2: cannot fetch token: 400 Bad Request
Response: {"error":"unauthorized_client","error_description":"The client is not authorized to use the provided grant type. Configured grant types: [authorization_code]."}
goroutine 1 [running]:
main.main()
/go/src/github.com/flyteorg/flyteadmin/cmd/scheduler/main.go:12 +0x85
icy-agent-73298
10/19/2022, 3:36 AM
kubectl get configmap -n flyte flytescheduler -o yaml
and check the admin section. This should be the third one, shared amongst propeller and scheduler. You need 3 clientIds. Two of them are configured in the admin config and the third one is used directly in client configs of the respective apps (propeller and scheduler).
icy-agent-73298
10/19/2022, 3:37 AM
delightful-lion-57360
10/19/2022, 3:44 AM
icy-agent-73298
10/19/2022, 4:13 AM
delightful-lion-57360
10/27/2022, 12:42 AM
auth:
  appAuth:
    authServerType: External
    externalAuthServer:
      baseUrl: <BASE_URL FROM POINT 1-6> #####POINT 1-6
    thirdPartyConfig:
      flyteClient:
        clientId: <CLIENT_ID FROM POINT 7-10> #####POINT 7-10
        redirectUri: <REDIRECT_URI FROM POINT 7-10> #####POINT 7-10
        scopes:
          - offline
          - all
  userAuth:
    openId:
      baseUrl: <BASE_URL FROM POINT 1-6> #####POINT 1-6
      scopes:
        - profile
        - openid
      clientId: <CLIENT_ID FROM POINT 11-14> #####POINT 11-14
• I have verified that flyte-secret-auth is created with the credentials from point 11-14 and it is shared between sched&propeller by setting the values in adminOauthClientCredentials (here)
Please tell me if my understanding is correct?
As per your message, which are the three client IDs, as I could see only two from the points?
icy-agent-73298
10/27/2022, 6:44 AM
delightful-lion-57360
10/31/2022, 1:53 AM
delightful-lion-57360
11/01/2022, 6:34 AM
delightful-lion-57360
11/02/2022, 12:43 PM
icy-agent-73298
11/02/2022, 12:45 PM
icy-agent-73298
11/02/2022, 12:47 PM
delightful-lion-57360
11/02/2022, 12:48 PM
delightful-lion-57360
11/03/2022, 1:21 AM
delightful-lion-57360
11/04/2022, 2:09 AM
icy-agent-73298
11/04/2022, 2:41 AM
delightful-lion-57360
11/04/2022, 1:47 PM
icy-agent-73298
11/04/2022, 1:48 PM
delightful-lion-57360
11/04/2022, 2:05 PM
delightful-lion-57360
11/04/2022, 2:52 PM
icy-agent-73298
11/04/2022, 2:54 PM
delightful-lion-57360
11/04/2022, 3:21 PM
delightful-lion-57360
11/21/2022, 12:02 AM
panic: rpc error: code = Unauthenticated desc = transport: per-RPC creds failed due to error: oauth2: cannot fetch token: 400 Bad Request
Response: {"error":"unauthorized_client","error_description":"The client is not authorized to use the provided grant type. Configured grant types: [authorization_code]."}
icy-agent-73298
11/21/2022, 6:05 PM
delightful-lion-57360
11/21/2022, 8:35 PM
panic: rpc error: code = Unauthenticated desc = token parse error [JWT_VERIFICATION_FAILED] Could not retrieve id token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken
icy-agent-73298
11/22/2022, 5:21 AM
icy-agent-73298
11/22/2022, 5:24 AM
delightful-lion-57360
11/22/2022, 3:01 PM
]$ kubectl logs flyteadmin-f884d7f97-b99mb -n flyte
time="2022-11-20T23:58:22Z" level=info msg="Using config file: [/etc/flyte/config/cluster_resources.yaml /etc/flyte/config/clusters.yaml /etc/flyte/config/db.yaml /etc/flyte/config/domain.yaml /etc/flyte/config/remoteData.yaml /etc/flyte/config/server.yaml /etc/flyte/config/storage.yaml /etc/flyte/config/task_resource_defaults.yaml]"
{"json":{},"level":"warning","msg":"stow configuration section missing, defaulting to legacy s3/minio connection config","ts":"2022-11-20T23:58:23Z"}
icy-agent-73298
11/22/2022, 3:03 PM
delightful-lion-57360
11/22/2022, 3:06 PM
delightful-lion-57360
11/22/2022, 3:07 PM
delightful-lion-57360
11/22/2022, 5:00 PM
delightful-lion-57360
11/22/2022, 5:00 PM
delightful-lion-57360
11/22/2022, 9:36 PM
admin:
  endpoint: dns:///flyte.dev.xxx.xxx.com
  authType: ClientSecret
  clientId: <id>
  clientSecretLocation: /home/kkanagar/.flyte/client_secret
  insecure: false
  scopes: [ "all" ]
The workflow is registered in Flyte and I am able to see the workflow in the console, but the status is showing UNKNOWN.
delightful-lion-57360
11/22/2022, 9:36 PM
{"json":{"exec_id":"fb21c31a2c48148b4b51","src":"execution_manager.go:381"},"level":"warning","msg":"Failed to fetch override values when assigning task resource default values for [resource_type:WORKFLOW project:\"examples\" domain:\"hbomax\" name:\"flyte.workflows.hi_world.my_wf\" version:\"3PMLBzY2tBl5bHSxXauKHQ==\" ]: Resource [{Project:examples Domain:hbomax Workflow:flyte.workflows.hi_world.my_wf LaunchPlan: ResourceType:TASK_RESOURCE}] not found","ts":"2022-11-22T21:27:44Z"}
{"json":{"exec_id":"fb21c31a2c48148b4b51","src":"execution_manager.go:385"},"level":"debug","msg":"Assigning task requested resources for [resource_type:WORKFLOW project:\"examples\" domain:\"hbomax\" name:\"flyte.workflows.hi_world.my_wf\" version:\"3PMLBzY2tBl5bHSxXauKHQ==\" ]","ts":"2022-11-22T21:27:44Z"}
{"json":{"src":"queues.go:43"},"level":"debug","msg":"refreshing execution queues","ts":"2022-11-22T21:27:44Z"}
{"json":{"exec_id":"fb21c31a2c48148b4b51","src":"queues.go:73"},"level":"warning","msg":"Failed to fetch override values when assigning execution queue for [{ResourceType:WORKFLOW Project:examples Domain:hbomax Name:flyte.workflows.hi_world.my_wf Version:3PMLBzY2tBl5bHSxXauKHQ== XXX_NoUnkeyedLiteral:{} XXX_unrecognized:[] XXX_sizecache:0}] with err: Resource [{Project:examples Domain:hbomax Workflow:flyte.workflows.hi_world.my_wf LaunchPlan: ResourceType:EXECUTION_QUEUE}] not found","ts":"2022-11-22T21:27:44Z"}
{"json":{"exec_id":"fb21c31a2c48148b4b51","src":"queues.go:109"},"level":"info","msg":"found no matching queue for [{ResourceType:WORKFLOW Project:examples Domain:hbomax Name:flyte.workflows.hi_world.my_wf Version:3PMLBzY2tBl5bHSxXauKHQ== XXX_NoUnkeyedLiteral:{} XXX_unrecognized:[] XXX_sizecache:0}]","ts":"2022-11-22T21:27:44Z"}
{"json":{"exec_id":"fb21c31a2c48148b4b51","src":"execution_manager.go:529"},"level":"info","msg":"getting the workflow execution config from application configuration","ts":"2022-11-22T21:27:44Z"}
{"json":{"src":"handlers.go:209"},"level":"debug","msg":"Found existing metadata Bearer eyJraWQiOiJPcTYzbzFRWUlDaDJVTExmTFM4bDRyRlRRbFQzcTRxNGljcW0xZVVDS1JFIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULi1jdUwwMGl4eWRLNVFNZzNqSWJwbGZOakdRd2g0aGJtUTF1bzVEY1RaLWMiLCJpc3MiOiJodHRwczovL3R3ZGV2Lm9rdGFwcmV2aWV3LmNvbS9vYXV0aDIvZGVmYXVsdCIsImF1ZCI6ImFwaTovL2RlZmF1bHQiLCJpYXQiOjE2NjkxNTI0NjMsImV4cCI6MTY2OTE1NjA2MywiY2lkIjoiMG9hMWY0djhvZGs5OE5peFUwaDgiLCJzY3AiOlsiYWxsIl0sInN1YiI6IjBvYTFmNHY4b2RrOThOaXhVMGg4In0.Lw6aEcITlfkkul3zTbkeM0N27s3dmIA8JcDrheQ1iruBNsIVLzoIB_L7ezeSlzK0yDlh43RUbX1gGEQc_ELOuveeCv1iU-GOR5UoiaacdF4t5c7aOm5SGX5Hchmdh-MIe4dAsiUOIN1nABNrN8E44I9FsEB0HxWd-JsQx7W7-vs_KSf8aB0orooupN9xFEOlPImMyjNZpdFBzbTmRAVgxpmbaPk4-4nUy4CjejVFi1jUsD_t4Q-84fuhctzm0XdSUUnPGgUnFOId95nH_N3VGLRyhQd_a9Z2nskwLCA-_Er_gupQJfksFEC-kZbr9Yql0Z4ITauL5zE0OpKiH18RHQ","ts":"2022-11-22T21:27:44Z"}
{"json":{"src":"handlers.go:237"},"level":"debug","msg":"Running authentication gRPC interceptor","ts":"2022-11-22T21:27:44Z"}
{"json":{"src":"handlers.go:193"},"level":"debug","msg":"gRPC server info in logging interceptor [0oa1f4v8odk98NixU0h8]method [/flyteidl.service.AdminService/GetExecution]\n","ts":"2022-11-22T21:27:44Z"}
{"json":{"src":"handlers.go:237"},"level":"debug","msg":"Running authentication gRPC interceptor","ts":"2022-11-22T21:27:49Z"}
{"json":{"src":"token.go:84"},"level":"debug","msg":"Could not retrieve bearer token from metadata rpc error: code = Unauthenticated desc = Request unauthenticated with Bearer","ts":"2022-11-22T21:27:49Z"}
{"json":{"src":"handlers.go:247"},"level":"info","msg":"Failed to parse Access Token from context. Will attempt to find IDToken. Error: [JWT_VERIFICATION_FAILED] Could not retrieve bearer token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with Bearer","ts":"2022-11-22T21:27:49Z"}
{"json":{"src":"token.go:104"},"level":"debug","msg":"Could not retrieve id token from metadata rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken","ts":"2022-11-22T21:27:49Z"}
{"json":{"src":"handlers.go:237"},"level":"debug","msg":"Running authentication gRPC interceptor","ts":"2022-11-22T21:27:49Z"}
{"json":{"src":"token.go:84"},"level":"debug","msg":"Could not retrieve bearer token from metadata rpc error: code = Unauthenticated desc = Request unauthenticated with Bearer","ts":"2022-11-22T21:27:49Z"}
{"json":{"src":"handlers.go:247"},"level":"info","msg":"Failed to parse Access Token from context. Will attempt to find IDToken. Error: [JWT_VERIFICATION_FAILED] Could not retrieve bearer token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with Bearer","ts":"2022-11-22T21:27:49Z"}
{"json":{"src":"token.go:104"},"level":"debug","msg":"Could not retrieve id token from metadata rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken","ts":"2022-11-22T21:27:49Z"}
{"json":{"src":"handlers.go:237"},"level":"debug","msg":"Running authentication gRPC interceptor","ts":"2022-11-22T21:27:59Z"}
{"json":{"src":"token.go:84"},"level":"debug","msg":"Could not retrieve bearer token from metadata rpc error: code = Unauthenticated desc = Request unauthenticated with Bearer","ts":"2022-11-22T21:27:59Z"}
icy-agent-73298
11/23/2022, 6:16 AM
all
not provided in the propeller config map.
If you have configured the scopes in the admin configmap then we don’t have to explicitly set it.
thirdPartyConfig:
  flyteClient:
    clientId: <flytectl-client-id>
    redirectUri: http://localhost:53593/callback
    scopes:
      - all
icy-agent-73298
11/23/2022, 6:21 AM
delightful-lion-57360
11/23/2022, 5:03 PM
E1123 17:01:25.016586 1 workers.go:102] error syncing 'examples-hbomax/f91bb33abf49a4eada70': Workflow[] failed. ErrorRecordingError: failed to publish event, caused by: EventSinkError: Error sending event, caused by [rpc error: code = Unauthenticated desc = token parse error [JWT_VERIFICATION_FAILED] Could not retrieve id token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken]
E1123 17:01:25.017858 1 workers.go:102] error syncing 'examples-hbomax/f8ef2c9513b334b17b45': Workflow[] failed. ErrorRecordingError: failed to publish event, caused by: EventSinkError: Error sending event, caused by [rpc error: code = Unauthenticated desc = token parse error [JWT_VERIFICATION_FAILED] Could not retrieve id token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken]
delightful-lion-57360
11/23/2022, 5:08 PM
delightful-lion-57360
11/23/2022, 9:00 PM
abundant-hamburger-66584
01/04/2023, 5:42 PM