# ask-the-community
e
Hi, I'm running Flyte on a single cluster deployment (GCP), using helm (https://flyteorg.github.io/flyte v1.3.0) and trying to set up auth using OpenId Connect. I've followed the instructions here: https://docs.flyte.org/en/v1.0.0/deployment/cluster_config/auth_setup.html#openid-connect and managed to set up user authentication with browser and flytectl (i.e. I'm able to log in and list projects). However I'm unable to start workflows; I see errors in `flytescheduler` and `flytepropeller` logs. Logs from `flytescheduler`:
```
flytescheduler-check panic: rpc error: code = Unauthenticated desc = transport: per-RPC creds failed due to error: oauth2: cannot fetch token: 401 Unauthorized
flytescheduler-check Response: {"error":"invalid_client","error_description":"Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)."}
flytescheduler-check
flytescheduler-check goroutine 1 [running]:
flytescheduler-check main.main()
flytescheduler-check     /go/src/github.com/flyteorg/flyteadmin/cmd/scheduler/main.go:12 +0x85
```
My current setup is:
```yaml
configmap:
  adminServer:
    auth:
      authorizedUris:
        - <internal domain>
        - https://localhost:30081
        - http://flyteadmin:80
        - http://flyteadmin.flyte.svc.cluster.local:80
      userAuth:
        openId:
          baseUrl: https://accounts.google.com
          clientId: <id>.apps.googleusercontent.com
          scopes:
            - profile
            - openid
    server:
      httpPort: 8088
      grpcPort: 8089
      security:
        secure: false
        useAuth: true
        allowCors: true
        allowedOrigins:
          # Accepting all domains for Sandbox installation
          - "*"
        allowedHeaders:
          - "Content-Type"
```
I've tried adding `appAuth` (same level as `userAuth`) but can't seem to figure out a proper configuration. Any help on what to do next would be much appreciated.
f
Take a look at this thread. My debugging process to get it to work 🙂 (I tagged you in the thread since when I click on this link, it doesn't bring me to the thread even though the link was created with `Copy link` on the first message 🤔)
Assuming you use Google as auth provider.
d
Thanks @Fabio Grätz! @Ena Škopelja Please let us know any further questions you may have in this regard.
e
Thanks @Fabio Grätz that's exactly what I needed!
a
@Fabio Grätz Could you tag me as well? I’m not able to click through to the thread
d
@Alex Papanicolaou that thread is lost on Slack due to the 90 days limit for non-pro accounts. But gladly it is captured on discuss: https://discuss.flyte.org/t/3156427/Hey-everyone-slightly-smiling-face-I-m-currently-deploying-a
a
awesome. Thanks!
After reading that thread, the docs in this PR helped a ton. https://github.com/flyteorg/flyte/pull/3363 They're technically not correct because you don't need to do that encoding stuff. The `client_secret` is put into this K8s secret:
```yaml
{{- if .Values.secrets.adminOauthClientCredentials.enabled }}
apiVersion: v1
kind: Secret
metadata:
  name: flyte-secret-auth
  namespace: {{ template "flyte.namespace" . }}
type: Opaque
stringData:
  {{- with .Values.secrets.adminOauthClientCredentials.clientSecret }}
  client_secret: {{  tpl (toYaml .) $ }}
  {{- end }}
{{- end }}
```
I spoke too soon. The contents in this message were critical to making this work and were not in that PR. I have another thread that covers a lot of deployment stuff. We'll definitely get our repo showing deployment steps put onto github.
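Two points in this thread fit together: the scheduler's `invalid_client` error from the token endpoint, and the note that the `client_secret` under `stringData` must not be pre-encoded. The script below is an added example, not Flyte's or the Helm chart's own code. It resolves the value a pod actually receives from a rendered `flyte-secret-auth` Secret (`stringData` is stored verbatim by the API server, `data` is base64 per the Kubernetes API), flags a value that looks like it was base64-encoded a second time, and runs both variants through a constructed stand-in for an OAuth2 token endpoint's client-authentication step (the endpoint model, the registered-client table and the `EXAMPLE-ID` client id are assumptions for illustration; real providers differ in detail).

```python
"""Added example: resolve a Kubernetes Secret's effective value and show why a
pre-encoded client_secret is rejected with invalid_client (not Flyte's code)."""
import base64
import binascii
import hmac
from typing import Dict, Optional, Tuple

SECRET_VALUE = "s3cr3t-from-identity-provider"          # constructed sample
CLIENT_ID = "EXAMPLE-ID.apps.googleusercontent.com"    # placeholder client id

# Constructed stand-ins for a rendered manifest, already parsed from YAML.
# A real one would come from `helm template` or `kubectl get secret -o json`.
RENDERED_SECRET_OK = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "flyte-secret-auth", "namespace": "flyte"},
    "type": "Opaque",
    "stringData": {"client_secret": SECRET_VALUE},
}
# Operator base64-encoded the value before placing it under stringData:
# the API server encodes it again, so the pod reads the base64 text itself.
RENDERED_SECRET_DOUBLE = {
    **RENDERED_SECRET_OK,
    "stringData": {"client_secret": base64.b64encode(SECRET_VALUE.encode()).decode()},
}
# Same secret expressed with `data`, where base64 IS required by the API.
RENDERED_SECRET_DATA = {
    **{k: v for k, v in RENDERED_SECRET_OK.items() if k != "stringData"},
    "data": {"client_secret": base64.b64encode(SECRET_VALUE.encode()).decode()},
}


def effective_secret(manifest: Dict, key: str) -> Optional[str]:
    """Return the text a mounted pod will see for `key`.

    `data` values are base64 by definition and are decoded here; `stringData`
    values are written verbatim (the API server base64-encodes them itself).
    """
    if key in manifest.get("stringData", {}):
        return manifest["stringData"][key]
    if key in manifest.get("data", {}):
        return base64.b64decode(manifest["data"][key]).decode()
    return None


def looks_double_encoded(value: str) -> bool:
    """Heuristic: value is canonical base64 whose payload is printable ASCII."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    if not raw or base64.b64encode(raw).decode() != value:
        return False
    return all(32 <= b < 127 for b in raw)


# Constructed model of a token endpoint's client-authentication step.
REGISTERED_CLIENTS = {CLIENT_ID: SECRET_VALUE}


def token_endpoint(client_id: str, client_secret: str,
                   grant_type: str = "client_credentials") -> Tuple[int, Dict]:
    """Return (HTTP status, JSON body) the way a provider would answer."""
    expected = REGISTERED_CLIENTS.get(client_id)
    # Constant-time comparison so a wrong secret leaks nothing via timing.
    if expected is None or not hmac.compare_digest(expected.encode(),
                                                   client_secret.encode()):
        return 401, {"error": "invalid_client",
                     "error_description": "Client authentication failed"}
    if grant_type != "client_credentials":
        return 400, {"error": "unsupported_grant_type"}
    return 200, {"access_token": "constructed-opaque-token", "token_type": "Bearer"}


def fetch_token_like_scheduler(manifest: Dict, client_id: str) -> Tuple[int, Dict]:
    """Mimic the scheduler: read client_secret from the Secret, call the endpoint."""
    secret = effective_secret(manifest, "client_secret") or ""
    return token_endpoint(client_id, secret)


if __name__ == "__main__":
    for name, manifest in [("stringData", RENDERED_SECRET_OK),
                           ("stringData pre-encoded", RENDERED_SECRET_DOUBLE),
                           ("data", RENDERED_SECRET_DATA)]:
        value = effective_secret(manifest, "client_secret")
        status, body = fetch_token_like_scheduler(manifest, CLIENT_ID)
        print(f"{name:24s} double-encoded={looks_double_encoded(value)!s:5} "
              f"-> {status} {body.get('error', 'ok')}")
```

The `looks_double_encoded` check is only a heuristic (a genuine secret could happen to be valid base64), so treat a hit as a prompt to inspect the value rather than as proof; the decisive test is whether the token endpoint accepts the credentials the pod actually reads.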
d
@Alex Papanicolaou thanks for confirming! any chance you could contribute your findings to #3363 to make it more accurate?
a
Sure!