<@U06RKAMK0UC> I want to run machine-to-machine au...
# ask-ai
m
@ancient-wolf-19325 I want to run machine-to-machine auth with flytectl. I got error stating that dbus-launch is not available in my container. Is there any workaround to use flytectl without dbus-launch or do I have to install it inside my k8s container?
a
The Flyte documentation I have ingested does not mention how to run machine-to-machine authentication with flytectl specifically without requiring dbus-launch, nor does it provide guidance on workarounds for the dbus-launch error in containerized environments. If you can provide more details about your authentication setup (e.g., which auth flow you are using, or the specific error message), it may help in identifying a solution. If this doesn't help, please reach out to the Flyte support team for further assistance.
m
@ancient-wolf-19325 I am using default authType (which is clientSecret), and I provide Keycloak URL, client id and client secret (using env variable).
a
It seems likely that for the default `authType` of `clientSecret`, you do not need dbus-launch or a browser, as this flow is designed for machine-to-machine authentication and works by passing the client ID and client secret directly (often via environment variables or mounted files) without any interactive login or browser-based flow. The dbus-launch/browser requirement is typically associated with PKCE or device code flows, not client credentials flow. So, you should not need to install dbus-launch in your container for this use case, as long as your config and secrets are set up correctly and your Keycloak client is configured for the client credentials grant type (source, source). If you are still seeing dbus-launch errors, it may indicate that the CLI is defaulting to a different auth flow (like PKCE) due to a misconfiguration. Double-check that your config explicitly sets `authType: clientSecret` and that the client secret is provided via the correct environment variable or file. If the error persists, please share your flytectl config and the exact error message for further troubleshooting.
Sources:
- https://github.com/flyteorg/flyte/issues/4955
m
@ancient-wolf-19325 I did confirm I am using ClientSecret, but I'm still getting error: Error: exec: "dbus-launch": executable file not found in $PATH from the pod
a
It could be possible that, even with `authType: ClientSecret`, flytectl is still attempting to use a browser-based flow (which requires dbus-launch) if the configuration is incomplete or if the client secret is not being picked up correctly. This behavior is not explicitly documented in the available data sources, but similar issues have been reported where flytectl falls back to interactive authentication if the client secret is missing or misconfigured (source). Though I'm not entirely certain, it might be that you need to ensure the client secret is provided via the `clientSecretLocation` field in your config, pointing to a file inside the container, or as an environment variable that flytectl can read. If the secret is not found, flytectl may default to PKCE, triggering the dbus-launch error. Double-check your config and secret mounting, and ensure the client secret is accessible at runtime. Would you like more detail on how to structure the config or mount secrets in Kubernetes?
Sources:
- https://github.com/flyteorg/flyte/issues/4955
m
@ancient-wolf-19325 I think I'm getting somewhere. Now I have the following error: authenticated user doesn't have required scope. I've added in the config of admin the following scopes:
```yaml
scopes:
  - openid
  - profile
  - offline_access
```
Do I miss anything?
a
Yes, for Flyte with Keycloak, you must also include the custom `all` scope in addition to `offline_access`, as Flyte expects both. In Keycloak, ensure you add the `all` client scope and make it available to the relevant clients. Also, note that `offline` should be `offline_access` in Keycloak (source, source). Your scopes should look like:
```yaml
scopes:
  - openid
  - profile
  - offline_access
  - all
```
Would you like more detail on how to configure these scopes in Keycloak and Flyte?
Sources:
- https://github.com/flyteorg/flyte/issues/4955
- https://github.com/flyteorg/flyte/issues/2606
m
@ancient-wolf-19325 can I somehow combine so that all 3 domains in a single project run in the same K8s namespace? I'm using flyte-core deployment btw
a
Yes, you can configure Flyte so that all domains within a single project share the same Kubernetes namespace by customizing the namespace mapping in your Flyte deployment. Instead of the default `{project}-{domain}` pattern, set the namespace mapping template to use only the project name (e.g., `myproject`). This is done in the Flyte configuration under `namespace_mapping.template` (source). Example config:
```yaml
configuration:
  inline:
    namespace_mapping:
      template: "myproject"
```
This will direct all executions for all domains of `myproject` to the same namespace. Would you like more detail on where to place this configuration or how it interacts with cluster resource templates?
Sources:
- https://github.com/flyteorg/flyte/issues/1583
m
@ancient-wolf-19325 I couldn't find any documentation of namespace_mapping in the Flyte Helm chart. Can you point me to the code or where should I look?
a
The `namespace_mapping` configuration is not documented directly in the Flyte Helm chart, but it is supported in Flyte's core configuration. You can find examples and references in the Flyte deployment YAMLs, such as `namespace_config.yaml` in the generated Helm manifests (see flyte_helm_generated.yaml, search for `namespace_mapping`). The relevant config is typically injected via a ConfigMap and picked up by FlyteAdmin. For the code, see the FlyteAdmin config provider, which parses the `namespace_mapping` field (namespace_config_provider.go). You can set this in your Helm values by using the `inline` config block or by mounting a custom config file.
Sources:
- flyte_helm_generated.yaml
m
@ancient-wolf-19325 is there a way to not create all the namespaces in all the propeller clusters upfront? If I set up project so it only sends workflows to 1 propeller, I don't need namespace on the other propeller
a
It seems likely that Flyte's default behavior is to create a namespace for each project-domain combination in every data plane (propeller) cluster, but this is configurable. According to discussions, you can control which projects/domains are assigned to which propeller instances using sharding strategies (e.g., by project or domain) in the FlytePropeller manager config, so only the relevant propeller(s) will process workflows for a given project/domain (flytepropeller/manager/doc.go). However, the cluster resource manager (which creates namespaces) does not natively support conditional namespace creation based on sharding; it creates namespaces for all project-domain pairs by default (github issue #3df37ae2). So, while you can route workflows to a single propeller, you may still need to manually manage or prune namespaces in other clusters, as there is no built-in mechanism to avoid their creation entirely. Would you like more detail on sharding configuration or possible workarounds?
Sources:
- flytepropeller/manager/doc.go
- GitHub Issue: syncresources deployment does not handle multicluster configuration
m
@ancient-wolf-19325 question about setting up ecl (Execution cluster labels). Documentation tells me to only use 1 domain/project/value per ecl.yaml file when I apply --attrFile to execution-cluster-label command, but can I use more cluster labels in the same file and apply it at once? Give me some source of documentation for that
a
My understanding is that you cannot set multiple execution cluster labels for different project/domain/value combinations in a single ecl.yaml file when using the flytectl update execution-cluster-label --attrFile command. The documentation and code examples indicate that each ecl.yaml should contain only one mapping, and you must apply them one at a time (source, source). There is a feature request to support applying multiple configurations at once, but this is not currently supported.
Sources:
- https://github.com/flyteorg/flyte/issues/6237
- https://github.com/flyteorg/flyte/issues/4029
m
@ancient-wolf-19325 Is there any way to tell flyte binary or flyte propeller to only look for flyteWorkflow CRDs in specific namespace? I've noticed by default it looks everywhere
a
Yes, you can configure FlytePropeller (and thus flyte-binary) to watch only specific namespaces for FlyteWorkflow CRDs. This is done by setting the `namespace` or `watched_namespaces` field in the FlytePropeller configuration. By default, FlytePropeller watches all namespaces, but you can restrict it to a single namespace or a list of namespaces (source, source). Example config for a single namespace:
```yaml
propeller:
  namespace: my-namespace
```
Or for multiple namespaces:
```yaml
propeller:
  watched_namespaces:
    - my-namespace-1
    - my-namespace-2
```
Would you like more detail on where to place this configuration in your deployment?
Sources:
- https://github.com/flyteorg/flyte/issues/6533
- https://github.com/flyteorg/flyte/issues/3827
m
@ancient-wolf-19325 I grepped entire repo for watched_namespaces and didn't find anything.
a
It seems likely that the correct configuration key for restricting FlytePropeller to a specific namespace is `limit-namespace`, not `watched_namespaces`. In the FlytePropeller config, you can set:
```yaml
propeller:
  limit-namespace: "my-namespace"
```
This will cause FlytePropeller to only watch for FlyteWorkflow CRDs in the specified namespace. By default, `limit-namespace` is set to `"all"`, which means it watches all namespaces (source, source). Would you like more detail on how to use this in your deployment?
Sources:
- flytepropeller/propeller-config.yaml
- https://github.com/flyteorg/flyte/pull/5238
m
@ancient-wolf-19325 can I use that propeller: limit-namespaces in flyte-binary also? additional question: can I limit it to multiple namespaces?
a
It seems likely that you can use the `limit-namespace` configuration in both FlytePropeller and flyte-binary to restrict watching FlyteWorkflow CRDs to a specific namespace. However, as of now, only a single namespace is supported; `limit-namespace` does not accept a list of namespaces. There is an open feature request to support multiple namespaces via `limit-namespaces`, but this is not yet available (source, source). So, you can limit to one namespace, but not multiple, in current releases.
Sources:
- https://github.com/flyteorg/flyte/issues/5181
- https://github.com/flyteorg/flyte/issues/5087
m
@ancient-wolf-19325 so for binary, should it be configuration: propeller or just propeller:
a
For flyte-binary, you should place the propeller configuration under the top-level configuration block, like this:
```yaml
configuration:
  propeller:
    limit-namespace: "my-namespace"
```
This matches the structure used in the flyte-binary Helm chart and deployment manifests (source, source).
Sources:
- flyte_helm_generated.yaml
- https://github.com/flyteorg/flyte/blob/master/charts/flyte-binary/values.yaml
m
@ancient-wolf-19325 question about `namespace_mapping`: I want to set up different namespaces based on the project selected, but I do not want to use project names. I want to do something like: if project name == a: namespace = x else namespace = y. How to achieve that?
a
Flyte supports customizing the namespace mapping using a template, but it does not natively support conditional logic (like if/else) in the `namespace_mapping` configuration. The template only allows static substitution of `{{ project }}` and `{{ domain }}` (source). There is a deprecated `mapping` field that allowed explicit project-to-namespace mapping, but current documentation and code recommend using the template string only (source). So, you cannot directly express "if project == a then x else y" in the current config. You would need to use the template for static patterns, or manage custom mappings outside of Flyte (e.g., by naming your projects to match the desired namespace pattern).
Sources:
- https://github.com/flyteorg/flyte/issues/5189
m
@ancient-wolf-19325 can you give more info about this mapping field tho?
a
It seems likely that the `mapping` field in Flyte's `namespace_mapping` config was previously used to explicitly map project (and optionally domain) names to specific Kubernetes namespaces, allowing you to define custom mappings like `{ "a": "x", "b": "y" }`. However, this field is now deprecated in favor of the `template` field, which uses string substitution for `{{ project }}` and `{{ domain }}` (source, source). If you still use the `mapping` field, Flyte will log a warning and recommend switching to the template approach. The mapping field is a simple key-value map, but its use is discouraged and may be removed in future releases. Would you like more detail on how to use the template field or examples of legacy mapping usage?
Sources:
- https://github.com/flyteorg/flyte/issues/2927
- https://github.com/flyteorg/flyte/blob/master/flyteadmin/pkg/runtime/namespace_config_provider.go
m
@ancient-wolf-19325 so if I have multi-cluster setup, I have to use project name in the namespace or I have to hardcode entire namespace on all the clusters? There's no other option?
a
Yes, in a multi-cluster Flyte setup, you generally have two options for namespace mapping:
1. Use the `template` field to generate namespaces based on project and/or domain (e.g., `{{ project }}-{{ domain }}`), which ensures consistent namespace naming across clusters.
2. Hardcode the entire namespace name in the `template` (e.g., `my-custom-namespace`), but this means all projects/domains will use the same namespace unless you deploy different configs per cluster or project.
There is no built-in support for conditional or per-project mapping logic beyond these options, and the deprecated `mapping` field is not recommended for new deployments (source). Would you like more detail on best practices for multi-cluster namespace management?
Sources:
- https://github.com/flyteorg/flyte/blob/master/flyteadmin/pkg/runtime/namespace_config_provider.go
m
@ancient-wolf-19325 Given I want to use ray plugin - and I have multi-cluster setup. In which cluster do I have to install ray plugin on kubernetes, is it admin cluster or propeller cluster?
a
You must install the Ray plugin (specifically, the KubeRay operator and related CRDs) on the propeller (data plane) cluster(s), not the admin (control plane) cluster. The Ray plugin enables FlytePropeller to launch and manage Ray clusters and jobs within the Kubernetes environment where tasks are executed (source, source). The admin cluster only manages workflow metadata and does not execute tasks.
Sources:
- https://flyte.org/blog/ray-and-flyte#starCount
- https://github.com/flyteorg/flytesnacks/blob/master/examples/ray_plugin/README.md
m
@ancient-wolf-19325 so how does it work? admin is creating flyteworkflow CRD and what happens next with ray plugin
a
When you launch a workflow, FlyteAdmin (in the control plane) creates a FlyteWorkflow CRD in the Kubernetes cluster managed by FlytePropeller (the data plane). FlytePropeller detects this CRD and, for Ray tasks, uses the Ray plugin to create RayCluster and RayJob CRDs via the KubeRay operator in the same cluster. The KubeRay operator then manages the Ray cluster lifecycle and job execution. Thus, all Ray-related resources are created and managed in the propeller/data plane cluster, not the admin cluster (source, source). Would you like a step-by-step breakdown of the resource flow or a code example?
Sources:
- https://flyte.org/blog/ray-and-flyte#starCount
- https://github.com/flyteorg/flytesnacks/blob/master/examples/ray_plugin/README.md
m
@ancient-wolf-19325 how do I find out if I installed ray plugin?
a
To check if the Ray plugin is installed in your Flyte environment, verify two things:
1. The KubeRay operator and Ray CRDs (like RayCluster, RayJob) are present in your Kubernetes cluster. You can check this with:
```shell
kubectl get crds | grep ray
kubectl get pods -A | grep ray
```
2. The `flytekitplugins-ray` Python package is installed in your Flyte task image or environment:
```shell
pip show flytekitplugins-ray
```
If both are present, the Ray plugin is installed and available for use (source, source). Would you like more detail on troubleshooting or verifying plugin functionality?
Sources:
- https://github.com/flyteorg/flytesnacks/blob/master/examples/ray_plugin/README.md
- https://github.com/flyteorg/flytekit/blob/master/plugins/flytekit-ray/README.md
m
@ancient-wolf-19325 how to enable ray plugin? Is it just by installing ray CRDs? Or there is some setting for flyte propeller I need to set to enable it
a
Enabling the Ray plugin in Flyte requires two steps:
1. Install the KubeRay operator and Ray CRDs in your Kubernetes cluster, as these are needed to manage Ray clusters and jobs (source).
2. Enable the Ray plugin in FlytePropeller by adding `"ray"` to the `enabled-plugins` list in the FlytePropeller configuration. This ensures FlytePropeller recognizes and schedules Ray tasks (source).
So, both installing the CRDs/operator and updating the FlytePropeller config are required. Would you like more detail on the exact config changes or installation steps?
Sources:
- https://github.com/flyteorg/flytesnacks/blob/master/examples/ray_plugin/README.md
- https://github.com/flyteorg/flytesnacks/blob/master/docs/integrations/index.md
m
@ancient-wolf-19325 In resource manager I can set per-domain (development/production) quotas. Can I define them also per project? So specific projects have specific quotas?
a
Yes, you can define resource quotas per project in Flyte's resource manager. The configuration supports setting quotas at the project, domain, and project-domain levels, allowing specific projects to have their own CPU, memory, or other resource limits (source, source). For example, in your cluster resource manager config:
```yaml
cluster_resource_manager:
  config:
    cluster_resources:
      customData:
        - myproject:
            - projectQuotaCpu:
                value: "8"
            - projectQuotaMemory:
                value: "16Gi"
```
This sets quotas specifically for `myproject`. You can also combine this with domain-level quotas as needed.
Sources:
- https://github.com/flyteorg/flyte/blob/master/charts/flyte-core/values-sandbox.yaml
- https://github.com/flyteorg/flyte/blob/master/charts/flyte-core/values-eks.yaml
m
@ancient-wolf-19325 2 examples you have above do not include per-project settings. can you give me other reasons to believe this is true?
a
Yes, Flyte supports per-project resource quotas. This is confirmed by the structure of the `customData` field in the cluster resource manager configuration, which allows you to specify quotas for a project alone (without a domain), for a domain, or for a project-domain pair. The Flyte Helm chart and deployment manifests show that you can define entries like:
```yaml
customData:
  - myproject:
      - projectQuotaCpu:
          value: "8"
      - projectQuotaMemory:
          value: "16Gi"
  - production:
      - projectQuotaCpu:
          value: "5"
      - projectQuotaMemory:
          value: "4000Mi"
  - myproject-production:
      - projectQuotaCpu:
          value: "10"
      - projectQuotaMemory:
          value: "32Gi"
```
This structure is documented in the Flyte Helm chart README and is present in the default values files, which describe how to set quotas at different specificity levels. Would you like more detail on how Flyte resolves which quota to use when multiple levels are defined?
Sources:
- https://github.com/flyteorg/flyte/blob/master/charts/flyte/README.md
- https://github.com/flyteorg/flyte/blob/master/charts/flyte-core/values-eks.yaml