# flyte-deployment
s
My company has policies for domain names for certificate creation. How can I customize the "Address" generated by Flyte core? Should that go in the ingress configuration?
✅ 1
I am trying to connect to Flyte EKS Deployment and I am getting this error when trying to create a project:
```
root@60d7613e13ff:/workflows# flytectl create project --name flyte-project --id flyte-project --description "example flyte-project description" --labels app=flyte
Error: rpc error: code = Unavailable desc = connection closed
```
My flyte/config.yaml points to latest endpoint for my deployment.
k
cc @Haytham Abuelfutuh @Ketan (kumare3)
k
Yeah digging into my logs, I also have an issue with the SSL cert; I must be missing some config maybe somewhere...
@Shahwar Saleem on the office hours just now, I jumped in when you were adding logging level to your admin; where did you do that?
k
hey @Katrina P you can add a logger.yaml block to your config map like so:
```
logger.yaml: |
    logger:
      show-source: true
      level: 6  # Debug
```
🙏 1
k
Thanks!
h
@Shahwar Saleem, so this address you referenced (e.g. k8s-flyte-8699360f2e-1590325550.us-east-2.elb.amazonaws.com) is generated by the ingress controller (which ingress controller are you using)? If you want to use your own SSL certs, you need to fill in this host field https://github.com/flyteorg/flyte/blob/master/charts/flyte-core/values.yaml#L343 and set up SSL issuance to properly do that (if you use cert-manager operator, it should happen automatically)…
s
I am using a cert manager but I can try filling that host field with domain name requirements...
@Haytham Abuelfutuh I did try adding that host field. What is the difference in HOSTS and ADDRESS when we do `kubectl -n ssaleem-flyte get ingress`?
h
host is what you manually enter. Address is what the ingress controller generates… If you delete and recreate the ingress, you will get a different address every time but the host can remain the same (since it’s a user managed property)…
you are responsible for configuring DNS correctly for that host to point to that address (usually a CNAME)
s
I guessed the same. So I filled out the host field. I am trying
```
flytectl create project --name flyte-project --id flyte-project --description "example flyte-project description" --labels app=flyte
```
And getting:
```
Error: rpc error: code = Unavailable desc = name resolver error: produced zero addresses
```
My hosts in `kubectl -n ssaleem-flyte get ingress` command are:
```
flytedev.x.y.z.io
```
@Haytham Abuelfutuh After pointing out a `host` value according to what my certificate allows: I am now not even able to access console on the supposed host value. say flytedev.x.y.z.io
h
Have you configured the host to point to that load balancer in DNS records?
s
Hmm, I am not sure how to do that. Does this have to be configured in my config files?
h
nope, this is purely a domain config… who owns the flytedev.x.y.z.io domain? This is an optional step, you totally don’t have to use your own domain hence why these steps are not in the guide…
but I thought that’s what your question is about… you wanted a custom domain for flyte, right?
s
My company owns this, and certificates are issued only to those domain names. There is a format of domain names that we have to follow.
h
np… so you will need to have someone who controls DNS records to be able to add a CNAME record for that domain
and the value of the record needs to be the load balancer (The ADDRESS field from ingress)
s
I see and after doing that the certificate would be validated for flytedev.x.y.z.io?
h
Depending on how you generated the cert, if you have used cert-manager or have manually issued a cert, you will have to update the TLS section: https://github.com/flyteorg/flyte/blob/master/charts/flyte-core/values.yaml#L343-L347 (specifically the `secretName`)
if you used ALB & AWS Cert Manager, you will just have to add the cert arn annotation on the ingress object
networking/ingress is one of those things that every company does differently, unfortunately… so most of that exercise is not Flyte-specific but rather ingress controller/LB/SSL specific
s
My problem for the flytectl was solved by changing this line:
```
separateGrpcIngressAnnotations:
  alb.ingress.kubernetes.io/backend-protocol-version: HTTP2
```
To:
```
separateGrpcIngressAnnotations:
  alb.ingress.kubernetes.io/backend-protocol-version: GRPC
```
These annotations do nothing and can be removed:
```
nginx.ingress.kubernetes.io/app-root: /console
nginx.ingress.kubernetes.io/backend-protocol: GRPC
```
h
Oh, thank you @Shahwar Saleem! Do you mind upstreaming that change? Regarding:
```
nginx.ingress.kubernetes.io/app-root: /console
nginx.ingress.kubernetes.io/backend-protocol: GRPC
```
These are only respected when you deploy nginx… we tried to set the default annotations to work with either so they require less after-deployment changes. CC @Yee @Yuvraj @Brian Connolly
s
Hi @Haytham Abuelfutuh, I will do that, shortly.
k
@Shahwar Saleem thank you