Admin secrets notes (flyteorg#577)
wild-endeavor authored Oct 31, 2020
1 parent cb77e4a commit 34c93b5
Showing 1 changed file with 21 additions and 0 deletions.
21 changes: 21 additions & 0 deletions rsts/administrator/install/configure/admin.rst
Expand Up @@ -119,3 +119,24 @@ Example config
==============

.. literalinclude:: ../../../../kustomize/overlays/sandbox/admindeployment/flyteadmin_config.yaml


FlyteAdmin Remote Cluster Access
================================

Some deployments of Flyte may choose to run the control plane separate from the data plane. Flyte Admin is designed to create kubernetes resources in one or more Flyte data plane clusters. For Admin to access remote clusters, it needs credentials to each cluster. In kubernetes, scoped service credentials are created by configuring a “Role” resource in a Kubernetes cluster. When you attach that role to a “ServiceAccount”, Kubernetes generates a bearer token that permits access. We create a flyteadmin `ServiceAccount <https://github.com/lyft/flyte/blob/c0339e7cc4550a9b7eb78d6fb4fc3884d65ea945/artifacts/base/adminserviceaccount/adminserviceaccount.yaml>`_ in each data plane cluster to generate these tokens.

When you first create the Flyte Admin ServiceAccount in a new cluster, a bearer token is generated, and will continue to allow access unless the ServiceAccount is deleted. Once we create the Flyte Admin ServiceAccount on a cluster, we should never delete it. In order to feed the credentials to Flyte Admin, you must retrieve them from your new data plane cluster, and upload them to Admin somehow (within Lyft, we use Confidant for example).

The credentials have two parts (ca cert, bearer token). Find the generated secret via ::

kubectl get secrets -n flyte | grep flyteadmin-token

Once you have the name of the secret, you can copy the ca cert to your clipboard with ::

kubectl get secret -n flyte {secret-name} -o jsonpath='{.data.ca\.crt}' | base64 -D | pbcopy

You can copy the bearer token to your clipboard with ::

kubectl get secret -n flyte {secret-name} -o jsonpath='{.data.token}’ | base64 -D | pbcopy
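Review bot: the bearer-token command in the last paragraph has a mismatched quote, `jsonpath='{.data.token}’` opens with an ASCII apostrophe and closes with a typographic one (U+2019), so a shell will treat the string as unterminated and wait for more input; it should read `-o jsonpath='{.data.token}'` to match the ca cert command above it. Both commands are also macOS-only as written: `base64 -D` is the BSD flag (GNU coreutils expects `base64 -d` or `--decode`, and `-D` fails there) and `pbcopy` does not exist on Linux, so either note the platform assumption or use the portable form and let readers choose where the output goes. Since this section is about feeding a long-lived bearer token into Admin, it is worth adding one sentence after "upload them to Admin somehow" saying the token should go straight into the secret store (Confidant in the Lyft example) rather than through a shared clipboard or a file on disk, and that the ca cert is the only one of the two values that is safe to handle in the open.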
