Dear flyte team we are about to POC an on premise full no sa

Question

Dear flyte team we are about to POC an on premise full no sandbox installation in a local kubernetes cluster However in the documentation we cant find the sequence of which helm values yamls are supposed to be used when the target is not AWS and not GCP It would be very helpful to have a section for non cloud installation setup without sandbox 1 Can someone post an easy installation script for minikube or bare metal kubernetes without external iDP provider 2 Is there a build in user management where we can create users 3 is there a default user and password Some blogs are mentioning foobar 4 it would be great to have 1 installation yaml for keycloak and the setup values documented which needs to be changed to get it running Thank you in advance

Felix Ruess · Answer

< sapcode> I don t have an easy installation script but I just also installed Flyte on my local k3s cluster for testing I installed via helm and provided my custom override values to configure it You ll have to take care of some dependencies yourself first though or use the flyte deps chart In my case I already had a load balancer ingress traefik and persistent storage setup in my cluster as well as a separate minio cluster for object storage So I just needed to adapt the postgres manifests from flyte deps to use a persistentVolumeClaim And I skipped auth for this test phase

sapcode · Answer

Are all components working without authorization setup What happens if you click the login button in the flyte console UI

Felix Ruess · Answer

yes works with auth disabled login page is not found then but you don t need it with auth disabled

Felix Ruess · Answer

If you don t already have an ingress and object store setup you can pretty much go with the sandbox deployment If you want to use existing storage and ingress here is basically what I used after taking care of dependencies ```helm repo add flyteorg <https helm flyte org> helm repo update helm install flyte flyteorg flyte core n flyte f values k3s yaml```

Felix Ruess · Answer

there are a few more things you might need to take care of for GPU viewing logs etc

Felix Ruess · Answer

ah and I forgot to remove `default pod template name flyte nvidia template ` from these example values that is my custom pod template which sets the nvidia runtime

sapcode · Answer

Thank you for all the information i will try this out Just to clarify with auth disabled there is no user and the flyte console runs in admin mode Also where did you find the values k3s yaml

sapcode · Answer

For the auth setup We found the following information from Sören Brunk 10 19 2022 12 29 PM I found the relevant section to overwrite the default flyteadmin auth server config via helm configmap adminServer server httpPort 8088 grpcPort 8089 dataProxy upload storagePrefix upload security secure false useAuth true allowCors true allowedOrigins Accepting all domains for Sandbox installation allowedHeaders Content Type auth appAuth authServerType Self selfAuthServer accessTokenLifespan 30m0s authorizationCodeLifespan 5m0s claimSymmetricEncryptionKeySecretName claim symmetric key issuer oldTokenSigningRSAKeySecretName token rsa key old pem refreshTokenLifespan 1h0m0s staticClients flyte cli audience null grant types refresh token authorization code id flyte cli public true redirect uris lt gt lt gt response types code token scopes all offline access token flytectl audience null grant types refresh token authorization code id flytectl public true redirect uris lt gt lt gt response types code token scopes all offline access token flytepropeller audience null client secret lt your client secret hashed and base64 encoded gt grant types refresh token client credentials id flytepropeller public false redirect uris lt gt response types token scopes all offline access token flyterpropeller client secret is the relevant change Unfortunately it requires the secret as a base64 encoded hash I ll try to find how we did that hashing I think I had to run it through bcrypt pip install bcrypt python gt gt gt import bcrypt gt gt gt bcrypt hashpw b foobar bcrypt gensalt prefix=b 2a The resulting hash should look something like this b $2a$12$d3mGDJwq9F5TiQA1YYm0TOVzvEvcBX5VEw2AW0gqrn7Mvh2InuiCS then base64 encode it and use that as client secret in the config I hope I remember it correctly I should have documented the steps properly Perhaps someone from the flyte team familiar with the internal auth server can verify if this is the right way or not Here we need the matching secret still in cleartext i e secrets adminOauthClientCredentials enabled true clientSecret foobar clientId flytepropeller

sapcode · Answer

python c import bcrypt import base64 print base64 b64encode bcrypt hashpw mypassword encode utf 8 bcrypt gensalt 6

sapcode · Answer

Check the sections selfAuthServer and allowedOrigins = appAuth thirdPartyConfig flyteClient clientId flytectl redirectUri lt gt scopes offline all selfAuthServer staticClients flyte cli id flyte cli redirect uris lt gt lt gt grant types refresh token authorization code response types code token scopes all offline access token public true flytectl id flytectl redirect uris lt gt lt gt grant types refresh token authorization code response types code token scopes all offline access token public true flytepropeller id flytepropeller client secret JDJhJDA2JGd3N0pNUno1OXpCSzFk43DJkYlUxTHV2MGxRMlFWHNlTkczcElyU3V1TzhZai95ODJsQ2dh redirect uris lt gt grant types refresh token client credentials response types token scopes all offline access token

Felix Ruess · Answer

I just put the values k3s yaml together myself from looking at the main helm chart values sandbox values and by finding out what I still needed to change to get it to work with my existing external s3 minio storage especially the config core propeller rawoutput prefix took me a while to find

Felix Ruess · Answer

If you also have traefik running as ingress I can also share my ingress config for that

Felix Ruess · Answer

and task resource limits I just adjusted to my workload