Hello All, I am trying to use flyteremote to conn...
# ask-the-community
s
Hello All, I am trying to use flyteremote to connect to a flyte cluster. I am able to run `flytectl get projects` from my terminal without any error. However, when I run the flyteremote as given in the example page https://docs.flyte.org/projects/cookbook/en/stable/auto/remote_access/remote_workflow.html, I get an SSL verify error:
```
E0123 142454.984053964 2564353 ssl_transport_security.cc:1501] Handshake failed with fatal error SSL_ERROR_SSL: error1000007dSSL routinesOPENSSL internalCERTIFICATE_VERIFY_FAILED.
{"asctime": "2023-01-23 142454,985", "name": "flytekit.cli", "levelname": "ERROR", "message": "Non-auth RPC error <_InactiveRpcError of RPC that terminated with:\n\tstatus = StatusCode.UNAVAILABLE\n\tdetails = \"failed to connect to all addresses; last error: UNKNOWN: ipv410.183.180.0443: Ssl handshake failed: SSL_ERROR_SSL: error1000007dSSL routinesOPENSSL internalCERTIFICATE_VERIFY_FAILED\"\n\tdebug_error_string = \"UNKNOWN:failed to connect to all addresses; last error: UNKNOWN: ipv410.183.180.0443: Ssl handshake failed: SSL_ERROR_SSL: error1000007dSSL routinesOPENSSL internalCERTIFICATE_VERIFY_FAILED {grpc_status:14, created_time:\"2023-01-23T142454.98558765+02:00\"}\"\n>, sleeping 200ms and retrying"}
```
Kindly help #announcements #flytekit
s
Can you add `insecureSkipVerify: true` to your flyte config.yaml file?
s
I still get the same error.
```yaml
admin:
  endpoint: dns:///<>
  insecure: false
  insecureSkipVerify: true
  authType: ClientSecret
  #command:
  # Set to the clientId (will be used for both Pkce and ClientSecret flows)
  # Leave empty to use the value discovered through flyteAdmin's Auth discovery endpoint.
  clientId: flytepropeller
  # Set to the location where the client secret is mounted.
  # Only needed/used for `ClientSecret` flow.
  clientSecretLocation: /home/<>/.flyte/clientsecret
  scopes: access_token
```
This is how it looks like
s
@Yee, what could be the issue?
k
@Sujith Samuel are you saying flytectl works?
d
Hi @Sujith Samuel, is this a sandbox environment? I've seen that same error in the past when the `KUBECONFIG` and `FLYTE_CONFIG` env vars are not exported
s
@Ketan (kumare3) flytectl works and @David Espejo this is from a container environment which is connected to flyte via the .flyte folder in which the clientsecret and flyte_config file are present. Even from a VM external to the cluster with the same .flyte folder, I am able to work with flytectl, but when I try the remote workflow execution using python, it fails asking for SSL verification
Could you please let me know which env vars need to be exported so that I can try the same
d
well, this is for sandbox
```
export KUBECONFIG=$KUBECONFIG:$HOME/.kube/config:$HOME/.flyte/k3s/k3s.yaml
export FLYTECTL_CONFIG=$HOME/.flyte/config-sandbox.yaml
```
s
Same error still
Can you please let me know how to specify the ca certificate location while running the flytekit.remote functionality
k
hmm let me look at the code. this is odd
this is all grpc
the thing is do not have such a setup
happy to hop on a call and work with you?
s
Now i get this error after including the grpc creds grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with: status = StatusCode.UNAUTHENTICATED details = "token parse error [JWT_VERIFICATION_FAILED] Could not retrieve id token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken" debug_error_string = "UNKNOWN:Error received from peer ipv410.183.180.0443 {grpc_message:"token parse error [JWT_VERIFICATION_FAILED] Could not retrieve id token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken", grpc_status:16, created_time:"2023-01-23T194356.291277168+02:00"}"
k
hmm something is odd
s
I was able to cross this by enabling the redirect URL in keycloak. However, now the browser is opening in the unix terminal and asking me to enter the user and password. How can I enable this to work without this? `flytectl get projects` does not need me to enter user id and password.
d
@Sujith Samuel current instructions to set up Keycloak as an OIDC provider are available here including configuration that has to be updated on Flyte for auth to work. We can schedule a call to help you with the setup, just give us a couple of options when you're available
k
@Sujith Samuel it should not be needed as you are using clientId and secret
sorry for the trouble, let's chat?
s
I am fine to set up sometime with someone from your team to show this situation. Some of the use cases that I am catering to require engineers to run the same workflow multiple times with different input params.
Please help
Can you please send me the format of the config file to be used for flytekit. Is the format different for flytekit vs flytectl??
s
No it isn't. It's the same for both of them. I'm guessing you've looked at the other possible solutions suggested on Slack by the community. Let's wait for Ketan to respond.
k
I think it’s something to do with self signed and Grpc. I think the new python Grpc channel allows something
Let me take a look into golang and python and see if we can reconcile
s
Trying to import flyteremote, I get the below error from flytekit.remote import FlyteRemote File "/home/samuel/.local/lib/python3.8/site-packages/flytekit/__init__.py", line 262, in <module> load_implicit_plugins() File "/home/samuel/.local/lib/python3.8/site-packages/flytekit/__init__.py", line 256, in load_implicit_plugins discovered_plugins = entry_points(group="flytekit.plugins") TypeError: entry_points() got an unexpected keyword argument 'group'
k
what, it seems you are on some older version of python?
is it?
s
which version is required for this to work?
s
You'll need Python 3.7 at a minimum. Can you also re-install flytekit?
s
I am using 3.8
And the below is the error that I am not getting
{"asctime": "2023-01-25 185604,531", "name": "flytekit.remote", "levelname": "WARNING", "message": "This feature is still in beta. Its interface and UX is subject to change."} {"asctime": "2023-01-25 185604,761", "name": "flytekit.cli", "levelname": "ERROR", "message": "Unauthenticated RPC error <_InactiveRpcError of RPC that terminated with:\n\tstatus = StatusCode.UNAUTHENTICATED\n\tdetails = \"token parse error [JWT_VERIFICATION_FAILED] Could not retrieve id token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken\"\n\tdebug_error_string = \"UNKNOWN:Error received from peer ipv487.254.212.1208080 {created_time:\"2023-01-25T185604.760958564+00:00\", grpc_status:16, grpc_message:\"token parse error [JWT_VERIFICATION_FAILED] Could not retrieve id token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken\"}\"\n>, refreshing credentials and retrying\n"} E0125 185607.795258038 29608 thread_pool.cc:254] Waiting for thread pool to idle before forking E0125 185610.795462808 29608 thread_pool.cc:254] Waiting for thread pool to idle before forking E0125 185613.795641791 29608 thread_pool.cc:254] Waiting for thread pool to idle before forking E0125 185616.795816215 29608 thread_pool.cc:254] Waiting for thread pool to idle before forking
same flytectl doesn't give any issue
I am using clientsecret
k
@Sujith Samuel did the “entry_points” error go away?
I think definitely need to jump on a call to discuss this
i am really confused
s
Yes, i cleaned up my VM and reinstalled from a clean ubuntu image and then now this error
k
ohh this seems to be forking issue
so you always get a failure before retrying to get creds
this again seems to be some python issue
are you using a virtualenv
s
i am running this from a k8s container
k
it seems like the version of grpc
i have seen this too
s
on a direct unix box, i get the below error raise NoKeyringError(msg) keyring.errors.NoKeyringError: No recommended backend was available. Install a recommended 3rd party backend package; or, install the keyrings.alt package if you want to use the non-recommended backends. See https://pypi.org/project/keyring for details.
{"asctime": "2023-01-25 210923,351", "name": "flytekit.remote", "levelname": "WARNING", "message": "This feature is still in beta. Its interface and UX is subject to change."} {"asctime": "2023-01-25 210924,059", "name": "flytekit.cli", "levelname": "ERROR", "message": "Unauthenticated RPC error <_InactiveRpcError of RPC that terminated with:\n\tstatus = StatusCode.UNAUTHENTICATED\n\tdetails = \"token parse error [JWT_VERIFICATION_FAILED] Could not retrieve id token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken\"\n\tdebug_error_string = \"UNKNOWN:Error received from peer ipv410.183.180.0443 {grpc_message:\"token parse error [JWT_VERIFICATION_FAILED] Could not retrieve id token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken\", grpc_status:16, created_time:\"2023-01-25T210924.058945058+02:00\"}\"\n>, refreshing credentials and retrying\n"} Traceback (most recent call last): File "/home/samuel/.local/lib/python3.8/site-packages/flytekit/clients/raw.py", line 150, in handler return fn(*args, **kwargs) File "/home/samuel/.local/lib/python3.8/site-packages/flytekit/clients/raw.py", line 448, in list_workflows_paginated return self._stub.ListWorkflows(resource_list_request, metadata=self._metadata) File "/home/samuel/.local/lib/python3.8/site-packages/grpc/_channel.py", line 946, in call return _end_unary_response_blocking(state, call, False, None) File "/home/samuel/.local/lib/python3.8/site-packages/grpc/_channel.py", line 849, in _end_unary_response_blocking raise _InactiveRpcError(state) grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with: status = StatusCode.UNAUTHENTICATED details = "token parse error [JWT_VERIFICATION_FAILED] Could not retrieve id token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken" debug_error_string = "UNKNOWN:Error received from peer 
ipv410.183.180.0443 {grpc_message:"token parse error [JWT_VERIFICATION_FAILED] Could not retrieve id token from metadata, caused by: rpc error: code = Unauthenticated desc = Request unauthenticated with IDToken", grpc_status:16, created_time:"2023-01-25T210924.058945058+02:00"}"
During handling of the above exception, another exception occurred: Traceback (most recent call last): File "mul_wf.py", line 15, in <module> workflow = remote.fetch_workflow(name="w2.my_workflow.w2_workflow") File "/home/samuel/.local/lib/python3.8/site-packages/flytekit/remote/remote.py", line 392, in fetch_workflow workflow_id = _get_entity_identifier( File "/home/samuel/.local/lib/python3.8/site-packages/flytekit/remote/remote.py", line 108, in _get_entity_identifier version if version is not None else _get_latest_version(list_entities_method, project, domain, name), File "/home/samuel/.local/lib/python3.8/site-packages/flytekit/remote/remote.py", line 84, in _get_latest_version entity_list, _ = list_entities_method( File "/home/samuel/.local/lib/python3.8/site-packages/flytekit/clients/friendly.py", line 276, in list_workflows_paginated wf_list = super(SynchronousFlyteClient, self).list_workflows_paginated( File "/home/samuel/.local/lib/python3.8/site-packages/flytekit/clients/raw.py", line 159, in handler refresh_handler_fn(args[0]) File "/home/samuel/.local/lib/python3.8/site-packages/flytekit/clients/raw.py", line 44, in _refresh_credentials_standard client = _credentials_access.get_client( File "/home/samuel/.local/lib/python3.8/site-packages/flytekit/clis/auth/credentials.py", line 20, in get_client _authorization_client = AuthorizationClient( File "/home/samuel/.local/lib/python3.8/site-packages/flytekit/clis/auth/auth.py", line 178, in init self._refresh_token = _keyring.get_password(_keyring_service_name, _keyring_refresh_token_storage_key) File "/home/samuel/.local/lib/python3.8/site-packages/keyring/core.py", line 55, in get_password return get_keyring().get_password(service_name, username) File "/home/samuel/.local/lib/python3.8/site-packages/keyring/backends/fail.py", line 25, in get_password raise NoKeyringError(msg) keyring.errors.NoKeyringError: No recommended backend was available. 
Install a recommended 3rd party backend package; or, install the keyrings.alt package if you want to use the non-recommended backends. See https://pypi.org/project/keyring for details. samuel@nmlprs-dev-vm:~/install/flytenmlp$
If I install the keyrings.alt package, it will try to open a browser on my UNIX machine and ask to enter the user and pass. But I was of the opinion that clientsecret means I don't need all that
k
Yes you are right
@Eduardo Apolinario (eapolinario) can you help here
Also maybe we should move to the new auth flow I have built elsewhere
s
Hello @Ketan (kumare3) Is there any go client to interact with flyte so that workflows can be submitted remotely. If so I can use that in my own microservice???
This issue is still not resolved
k
Ohh yes it is possible
But I need to figure why your python client is not working
s
Any examples of the usage of go client???
We can set up a call to show you the python client.
It would be great to have an example of the usage of this flyteidl client used with the oauth flow.
k
Yea flytectl is an example
And propeller
It should be easy tbh
s
I guessed you will say that... I am looking at that code only but it's kind of huge....
s
Looks like the auth will be taken care automatically by the keyring software once I have the config file in place. All i need to do is to declare the client with the correct config file and then use the admin service workflow functionalities...???
Is that right??
k
Yes
But this is the same with python
s
Exactly, but when I do the same with python, it's just giving me all these errors. It could be an issue with my environment. Let me try this go thing and if that works then it's just one common microservice for my users
k
Ya but please help us fix the python client
I have a python client now that is just like that golang one
s
Sure... We can have a call next week if that is fine with you
k
I can open a pr with that if you want
And we can try it
Absolutely
Anything to get this right and get you unblocked
s
Sure, please do the pr and I can test it in my system
k
I will do
s
I actually am having one more situation. My flyte workflow execution happens on different resource systems based on the decorators that the user is specifying in his code. e.g. if he says gpu then the execution goes to an external system. In that external system, what I am doing is that I am running the flyte container with pyflyte-execute and its parameters as the arguments
If I delete this workflow from the UI, the workflow on cluster is deleted but since the external system gets no indication, the job continues running
k
Because you actually launch the workflow from python right
This needs a backend plugin
s
Yes right... a backend plugin. That is on our agenda but we are stretching right now. We will be doing this backend plugin thing...
k
But we are making it easier to write backend plugins soon - https://hackmd.io/@pingsutw/B1a_Bnfqi
s
Awesome.
k
Kevin has a prototype - but he had a baby, so out for a few weeks
s
No worries, it will take sometime for us also to move ahead on this. Might be later sometime in February
so the propeller will send message to this backend and then my backend will send signal to the external resource
k
Ya I think flytekit can also capture the kill signal
You are right the python plugin is like the backend go plugin
s
Cool. Let's talk about this next month then. I have to look at this go client now. Hopefully I can finish this one this week. Let's see
Ok. Thanks a lot for your support and please keep up the good work.
k
Thank you for your support Sujith
s
Would it work if I create flyteworkflows based on the user input to my microservices. Once the workflow is created, then the propeller will automatically take it up and work right???
k
You have to launch an execution
s
generally the controllers would pick up the CRD and then all would be taken care by the CRD processing logic I thought
k
hmm the CRD is only created when an execution is created
this way we do not pollute the cluster, the workflows remain dormant in Flyteadmin and are activated and only remain in k8s for that period
s
Can we please have a call this week to show this flyteremote issue. This is becoming a blocker now to almost all our researchers who want to do multiple parallel workflows
k
Absolutely
When can we get on a call
s
Anytime. Monday or Tuesday this week night or morning. Anytime is we can fix it up prior.
k
Let me dm you
I also am about to create a branch with the new Grpc auth system
s
I can try the branch once it’s available or in beta test if you want me to.
k
It’s almost there do not have self signed certs
Will post something today