Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix: Set flyteadmin gRPC port to 80 in ingress if using TLS between load balancer and backend #3964

Merged

Conversation

fg91
Copy link
Member

@fg91 fg91 commented Aug 15, 2023

Describe your changes

Flyte can be configured to use TLS between the ingress (or rather load balancer) and the flyteadmin backend.

This is required for instance in GKE clusters when using the GCE ingress controller (instead of nginx) since gRPC requires http2 and http2 between GCE load balancers and backends in GKE clusters requires TLS (source):

Note: To ensure the load balancer can make a correct HTTP2 request to your backend, your backend must be configured with SSL.

Whether flyteadmin uses TLS (and with which certificate) is controlled in the helm values file via:

configmap:
  adminServer:
    security:
      secure: true
      ssl:
        certificateFile: "/etc/tls/cert.pem"
        keyFile: "/etc/tls/key.pem"

(The certificate and key needs to be mounted into flyteadmin e.g. via a secret. Can be self-signed.)

However, in case TLS is enabled, flyteadmin doesn't seve the http server on port 80 and the gRPC server on port 81 but actually a single http(s) server that wraps both of them on port 80!


Details:

In flyteadmin's main serve entrypoint there is a decision gate whether serverConfig.Security.Secure.

  • If no, we go into serveGatewayInsecure
    • In this case, the gRPC server is started in a go-routine here while the separate http server is started afterwards here.
  • If, however, serverConfig.Security.Secure is true, we instead go into serveGatewaySecure

In the second case, all requests for flyteadmin, including gRPC, have to be sent to port 80.


This is not accounted for in the ingress template of the helm chart. Activating TLS for flyteadmin, thus, breaks the deployment.

This PR fixes this.

Check all the applicable boxes

  • I updated the documentation accordingly.
  • All new and existing tests passed.
  • All commits are signed-off.

@fg91 fg91 self-assigned this Aug 15, 2023
@fg91 fg91 added the bug Something isn't working label Aug 15, 2023
@fg91 fg91 requested a review from jeevb August 17, 2023 19:07
@fg91
Copy link
Member Author

fg91 commented Sep 10, 2023

Not needed anymore for #3965 as the recommended deployment with IAP now uses this reference architecture using an istio ingress behind the GCP load balancer.
Still a bug though.

@davidmirror-ops
Copy link
Contributor

@fg91 I haven't reproduce the behavior you describe but the code is clear. I'd say that even if not needed for GKE Ingress controller, it's still a bug.

Thanks

@davidmirror-ops
Copy link
Contributor

@fg91 could you make helm and push again please?

Fabio Grätz added 2 commits November 2, 2023 23:23
Signed-off-by: Fabio Grätz <[email protected]>
@fg91 fg91 force-pushed the fg91/fix/helm-chart-wrong-admin-port branch from 64068eb to bb5196c Compare November 2, 2023 22:28
@fg91
Copy link
Member Author

fg91 commented Nov 2, 2023

@fg91 I haven't reproduce the behavior you describe but the code is clear. I'd say that even if not needed for GKE Ingress controller, it's still a bug.

I wonder whether somebody actually lets flyteadmin handle TLS itself instead of doing this at the ingress. I only tried this because the GCE ingress requires TLS betwenn ingress and backend when http2 is used which in turn is required by grpc.

That being said, when I couldn't reach flyteadmin anymore after having turned on TLS in the flyteadmin config, I would have never guessed that the port changed (not documented) and only realised this happens when stepping through flyteadmin with a debugger. Which was definitely not the first thing I tried 😄
So in case somebody else does in fact need this, let's finish this PR ..

@fg91 could you make helm and push again please?

Done

Copy link
Contributor

@davidmirror-ops davidmirror-ops left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you

@davidmirror-ops davidmirror-ops merged commit 6425a2a into flyteorg:master Nov 3, 2023
14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants