boundless-pizza-95864
02/16/2022, 2:34 PMvalues-gcp.yaml
. All components are running and I can access flyteconsole already via GKE ingress. No auth enabled yet.
But accessing flyteadmin from the outside fails with a 502
with a failed_to_pick_backend
message in the logs. Accessing flyteadmin via portforwarding works fine though. Has anyone seen s.th. like this?
@freezing-boots-56761 @gifted-raincoat-59712 could this be related to health check/firewall config you were talking about?
What's weird is that serving flyteconsole works but access to flyteadmin fails.gifted-raincoat-59712
02/16/2022, 2:36 PMBut accessing flyteadmin from the outsidedo you mean using
flytectl
?boundless-pizza-95864
02/16/2022, 2:37 PMgifted-raincoat-59712
02/16/2022, 2:45 PMgifted-raincoat-59712
02/16/2022, 2:48 PMgifted-raincoat-59712
02/16/2022, 2:49 PMboundless-pizza-95864
02/16/2022, 2:49 PMboundless-pizza-95864
02/16/2022, 2:50 PMboundless-pizza-95864
02/16/2022, 2:51 PMboundless-pizza-95864
02/16/2022, 2:52 PMboundless-pizza-95864
02/16/2022, 2:54 PMgifted-raincoat-59712
02/16/2022, 2:56 PM/healthcheck
and get OK 200, but it’s an empty response?gifted-raincoat-59712
02/16/2022, 2:57 PMgifted-raincoat-59712
02/16/2022, 2:57 PMgifted-raincoat-59712
02/16/2022, 2:58 PM/
as the health check pathgifted-raincoat-59712
02/16/2022, 2:58 PMgifted-raincoat-59712
02/16/2022, 2:59 PMapiVersion: <http://cloud.google.com/v1|cloud.google.com/v1>
kind: BackendConfig
metadata:
name: bec-flyteadmin
namespace: flyte
spec:
healthCheck:
type: HTTP
requestPath: /healthcheck
iap:
enabled: true
oauthclientCredentials:
secretName: oauth-secret
gifted-raincoat-59712
02/16/2022, 2:59 PMgifted-raincoat-59712
02/16/2022, 3:00 PMflyteadmin:80
is healthy, but the grpc service flyteadmin:81
is notgifted-raincoat-59712
02/16/2022, 3:04 PMgifted-raincoat-59712
02/16/2022, 3:06 PMflyteadmin:
deployRedoc: false
replicaCount: 1
serviceAccount:
# -- If the service account is created by you, make this false, else a new service account will be created and the flyteadmin role will be added
# you can change the name of this role
create: false
service:
annotations:
# Required for the ingress to properly route grpc traffic to grpc port
<http://cloud.google.com/app-protocols|cloud.google.com/app-protocols>: '{"grpc":"HTTP2"}'
<http://beta.cloud.google.com/backend-config|beta.cloud.google.com/backend-config>: '{"ports": {
"80":"bec-flyteadmin",
"81":"bec-flyteadmin-grpc",
"87":"bec-default"
}}'
<http://cloud.google.com/neg|cloud.google.com/neg>: '{"ingress": true}'
type: ClusterIP
gifted-raincoat-59712
02/16/2022, 3:08 PM/api/v1/projects
{
"projects": [
{
"id": "flytedefault",
"name": "flytedefault",
"domains": [
{
"id": "dev",
"name": "dev"
}
],
"description": "flytedefault description"
}
]
}
boundless-pizza-95864
02/16/2022, 3:09 PMgifted-raincoat-59712
02/16/2022, 3:09 PMgifted-raincoat-59712
02/16/2022, 3:09 PMboundless-pizza-95864
02/16/2022, 3:11 PMboundless-pizza-95864
02/16/2022, 3:12 PMgifted-raincoat-59712
02/16/2022, 3:12 PMgifted-raincoat-59712
02/16/2022, 3:12 PMgifted-raincoat-59712
02/16/2022, 3:13 PMgifted-raincoat-59712
02/16/2022, 3:16 PMboundless-pizza-95864
02/16/2022, 3:21 PMgifted-raincoat-59712
02/16/2022, 3:21 PM/api/v1/projects
should work too - from the browserboundless-pizza-95864
02/16/2022, 3:21 PMgifted-raincoat-59712
02/16/2022, 3:22 PMflytectl
uses flyteadmin:81
, no workie for megifted-raincoat-59712
02/16/2022, 3:41 PM• For backend services that use the gRPC protocol, use only gRPC or TCP health checks. Do not use HTTP(S) or HTTP/2 health checks.GKE ingress: you can only use HTTP, HTTPS, or HTTP/2 for health checks
`PROTOCOL`: Specify a protocol used by probe systems for health checking. Theonly supports creating health checks using the HTTP, HTTPS, or HTTP2 protocols.BackendConfig