Hi,
I'm running Flyte on a single cluster deployme...
# flyte-supports
salmon-stone-89503
02/20/2023, 4:21 PMHi,
I'm running Flyte on a single cluster deployment (GCP), using helm (https://flyteorg.github.io/flyte v1.3.0) and trying to set up auth using OpenId Connect. I've followed the instructions here: https://docs.flyte.org/en/v1.0.0/deployment/cluster_config/auth_setup.html#openid-connect and managed to set up user authentication with browser and flytectl (i.e. I'm able to log in and list projects). However I'm unable to start workflows; I see errors in
flyteschedulerflytepropellerflytescheduler Copy code
flytescheduler-check panic: rpc error: code = Unauthenticated desc = transport: per-RPC creds failed due to error: oauth2: cannot fetch token: 401 Unauthorized
flytescheduler-check Response: {"error":"invalid_client","error_description":"Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)."} │
flytescheduler-check
flytescheduler-check goroutine 1 [running]:
flytescheduler-check main.main()
flytescheduler-check /go/src/github.com/flyteorg/flyteadmin/cmd/scheduler/main.go:12 +0x85 Copy code
configmap:
adminServer:
auth:
authorizedUris:
- <internal domain>
- <https://localhost:30081>
- <http://flyteadmin:80>
- <http://flyteadmin.flyte.svc.cluster.local:80>
userAuth:
openId:
baseUrl: <https://accounts.google.com>
clientId: <id>.<http://apps.googleusercontent.com|apps.googleusercontent.com>
scopes:
- profile
- openid
server:
httpPort: 8088
grpcPort: 8089
security:
secure: false
useAuth: true
allowCors: true
allowedOrigins:
# Accepting all domains for Sandbox installation
- "*"
allowedHeaders:
- "Content-Type"appAuthuserAuthc
cool-lifeguard-49380
02/20/2023, 5:16 PMTake a look at this thread. My debugging process to get it to work 🙂 (I tagged you in the thread since when I click on this link, it doesn’t bring me to the thread even though the link was created with
Copy link🙏 2
cool-lifeguard-49380
02/20/2023, 5:16 PMAssuming you use Google as auth provider.
a
average-finland-92144
02/20/2023, 8:04 PMThanks @cool-lifeguard-49380!
@salmon-stone-89503 Please let us know any further question you may have in this regard
s
salmon-stone-89503
02/21/2023, 2:08 PMThanks @cool-lifeguard-49380 that's exactly what I needed!
🙂 1
h
hallowed-doctor-67759
02/28/2023, 6:47 PM@cool-lifeguard-49380 Could you tag me as well? I’m not able to click through to the thread
a
average-finland-92144
02/28/2023, 7:25 PM@hallowed-doctor-67759 that thread is lost on Slack due to the 90 days limit for non-pro accounts.
But gladly is captured on discuss:
https://discuss.flyte.org/t/3156427/Hey-everyone-slightly-smiling-face-I-m-currently-deploying-a
h
hallowed-doctor-67759
02/28/2023, 7:30 PMawesome. Thanks!
hallowed-doctor-67759
02/28/2023, 11:17 PMAfter reading that thread, the docs in this PR helped a ton.
https://github.com/flyteorg/flyte/pull/3363
They’re technically not correct because you don’t need to do that encoding stuff. The
client_secret Copy code
{{- if .Values.secrets.adminOauthClientCredentials.enabled }}
apiVersion: v1
kind: Secret
metadata:
name: flyte-secret-auth
namespace: {{ template "flyte.namespace" . }}
type: Opaque
stringData:
{{- with .Values.secrets.adminOauthClientCredentials.clientSecret }}
client_secret: {{ tpl (toYaml .) $ }}
{{- end }}
{{- end }}hallowed-doctor-67759
03/01/2023, 3:38 PMI spoke too soon. The contents in this message were critical to making this work and was not in that PR. I have another thread that covers a lot of deployment stuff. We’ll definitely get our repo showing deployment steps put onto github.
a
average-finland-92144
03/01/2023, 4:14 PM@hallowed-doctor-67759 thanks for confirming!
any chance you could contribute your findings to #3363 to make it more accurate?
h
hallowed-doctor-67759
03/01/2023, 5:19 PMSure!
157 Views