Hi <@U017K8AJBAN> <@U0165SDP3BQ> <@UP4PLM3F0> are ...
# flyte-deploymentr
rough-rose-81585
02/14/2022, 7:37 PMHi @freezing-boots-56761 @boundless-pizza-95864 @better-air-29727 are any of you using Identity Aware Proxy (IAP) with GCP?
cc: @gifted-raincoat-59712
f
freezing-boots-56761
02/14/2022, 7:37 PM
we (freenome) are. everything is behind IAP
🙏 1
freezing-boots-56761
02/14/2022, 7:40 PM
notably though we dont have it correctly plugged into flyte's auth system
g
gifted-raincoat-59712
02/14/2022, 7:40 PMHi @freezing-boots-56761. I work with Nick. I’m curious about your set up.
1. Are you using Google external HTTPS load balancer as the ingress controller? Did you replace contour?
2. Do you have flyte auth disabled?
f
freezing-boots-56761
02/14/2022, 7:41 PM
we've basically disabled auth on flyte and depend on IAP to protect the frontend
👍 1
g
gifted-raincoat-59712
02/14/2022, 7:41 PMthat’s what i figured
gifted-raincoat-59712
02/14/2022, 7:41 PMare you using google’s load balancer?
f
freezing-boots-56761
02/14/2022, 7:41 PM
yes we are
👍 1
g
gifted-raincoat-59712
02/14/2022, 7:41 PMor still contour?
f
freezing-boots-56761
02/14/2022, 7:41 PM
not contour
g
gifted-raincoat-59712
02/14/2022, 7:42 PMgreat. and did you have to configure BackendConfigs for each flyte service, with health checks, etc.?
gifted-raincoat-59712
02/14/2022, 7:42 PMand change the flyte services to
NodePortgifted-raincoat-59712
02/14/2022, 7:44 PMi started down this path,
• allow GCP to spin up an external load balancer for the flyte ingress
• switched the flyte services to
NodePortf
freezing-boots-56761
02/14/2022, 7:46 PM
we define backend services via terraform that are 1:1 with k8s services
freezing-boots-56761
02/14/2022, 7:46 PM
and yes, nodeport for all "external" services
freezing-boots-56761
02/14/2022, 7:48 PM
we did have to open up firewall to allow googleHC to hit our backends
freezing-boots-56761
02/14/2022, 7:49 PM
does the k8s hc pass?
g
gifted-raincoat-59712
02/14/2022, 7:49 PMright. and did you need custom health checks for the backend configs? or was the load balancer able to figure it out?
gifted-raincoat-59712
02/14/2022, 7:50 PMwell, it passed for 2/5 services
gifted-raincoat-59712
02/14/2022, 7:52 PMi hit the brakes after running into the health check issue. i need to spin this config up again.
but it’s good to know that someone has got this working
f
freezing-boots-56761
02/14/2022, 7:52 PM
we do have a health checks defined in terraform. but this is kinda specific to how we expose our services
freezing-boots-56761
02/14/2022, 7:52 PM
we had it working before with just gke ingress, which infers from the deployment
g
gifted-raincoat-59712
02/14/2022, 7:53 PMok. maybe i don’t have enough fw ports open for all the flyte service ports
f
freezing-boots-56761
02/14/2022, 7:53 PM
if k8s hcs pass, but google's fail, it should be telling
g
gifted-raincoat-59712
02/14/2022, 7:55 PMyeah. let me keep going down this path. i was worried that if we put IAP in front of every flyte service, then somehow they would not be able to communicate.
f
freezing-boots-56761
02/14/2022, 7:55 PM
freezing-boots-56761
02/14/2022, 7:55 PM
r
rough-rose-81585
02/14/2022, 7:56 PMThanks Jeev! that’s great to hear you have it working, and I appreciate the insights. Helps to know we’re not going down the wrong path
f
freezing-boots-56761
02/14/2022, 7:58 PM
we use this now though: https://github.com/GoogleCloudPlatform/gke-autoneg-controller
but we had it working before with just gke ingress
👀 1
freezing-boots-56761
02/14/2022, 8:05 PM
i cant try to find the config
g
gifted-raincoat-59712
02/14/2022, 8:09 PMthat would be awesome
f
freezing-airport-6809
02/14/2022, 8:09 PM
cc @freezing-boots-56761 / @gifted-raincoat-59712 would either of you please summarize and add this to github discussions - might help some folks
g
gifted-raincoat-59712
02/14/2022, 8:10 PMsure. once i get it working, i’d be happy to share
❤️ 1
f
freezing-boots-56761
02/14/2022, 8:11 PM
we def dont have a "reference" setup for GKE, but i think that would be super helpful. happy to help contribute to that.
g
gifted-raincoat-59712
02/15/2022, 8:30 PMso i’ve made some progress using GCP Identity Aware Proxy for authorization to flyte.
for context…
• we’re trying to spin up multiple GKE clusters running flyte,
• we don’t want to configure OAuth for each flyte cluster (configure domains and redirect URIs, etc).
• we’d rather use GCP load balancer (in favor of contour) and push TLS termination and auth to the load balancer. the idea is just let GCP and IAP do its thing.
my set up
• no contour component
• GCP external HTTPS load balancer, created by GKE using the flyte ingress
• flyteadmin and flyteconsole services point to backend configs that enable IAP
• flyte auth disabled,
common.adminServer.server.security.useAuth: falsegifted-raincoat-59712
02/15/2022, 8:30 PMi was able to get the browser authentication working. IAP authenticates me because i’m in the google org. i can get to the flyte console.
gifted-raincoat-59712
02/15/2022, 8:35 PMhowever,
flytectl Copy code
flytectl get projects
{"json":{"src":"client.go:193"},"level":"warning","msg":"Starting an unauthenticated client because: can't create authenticated channel without a TokenSourceProvider","ts":"2022-02-15T15:24:31-05:00"}
{"json":{"src":"client.go:66"},"level":"info","msg":"Initialized Admin client","ts":"2022-02-15T15:24:31-05:00"}
Error: rpc error: code = Unavailable desc = Bad Gateway: HTTP status code 502; transport: received the unexpected content-type "text/html; charset=UTF-8"
{"json":{"src":"main.go:13"},"level":"error","msg":"rpc error: code = Unavailable desc = Bad Gateway: HTTP status code 502; transport: received the unexpected content-type \"text/html; charset=UTF-8\"","ts":"2022-02-15T15:24:31-05:00"}gifted-raincoat-59712
02/15/2022, 8:37 PMi’m looking at the flyte auth appendix now
gifted-raincoat-59712
02/15/2022, 8:37 PMto see what the load balancer is trying to hit
201 Views