How to verify that the grpc service of flyteadmin works as expected (#…

…5958) * add tls config setting related information to troubleshoot doc Signed-off-by: Alex Wu <[email protected]> * fix some information in the doc Signed-off-by: Alex Wu <[email protected]> * fix code block error Signed-off-by: Alex Wu <[email protected]> * minor fix to make the information more clear Signed-off-by: Alex Wu <[email protected]> * highlight the config.yaml Signed-off-by: Alex Wu <[email protected]> --------- Signed-off-by: Alex Wu <[email protected]>
flyteorg · Nov 20, 2024 · ff31a5b · ff31a5b
1 parent bee83e5
commit ff31a5b
Showing 1 changed file with 31 additions and 0 deletions.
diff --git a/docs/community/troubleshoot.rst b/docs/community/troubleshoot.rst
@@ -176,3 +176,34 @@ Please add ``spark`` to the list of `enabled-plugins` in the config yaml file. F
       default-for-task-types:
         - container: container
         - container_array: K8S-ARRAY
+
+``authentication handshake failed: x509: "Kubernetes Ingress Controller Fake Certificate" certificate is not trusted"`` when deploying flyte-core to your own kubernetes cluster
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This issue is caused by TLS being disabled in your Kubernetes cluster. You can resolve the problem by following these steps:
+
+- Enable ``tls`` in the ``values.yaml`` ingress configuration of flyte-core in order to expose gRPC service at 443 port:
+
+.. code-block:: yaml
+
+  ingress:
+    host: <http://example.com|example.com>
+    separateGrpcIngress: true
+    separateGrpcIngressAnnotations:
+      <http://ingress.kubernetes.io/backend-protocol|ingress.kubernetes.io/backend-protocol>: "grpc"
+    annotations:
+      <http://ingress.kubernetes.io/app-root|ingress.kubernetes.io/app-root>: "/console"
+      <http://ingress.kubernetes.io/default-backend-redirect|ingress.kubernetes.io/default-backend-redirect>: "/console"
+      <http://kubernetes.io/ingress.class|kubernetes.io/ingress.class>: haproxy
+    tls:
+      enabled: true # enable tls
+
+- Disable ``insecure`` in your ``flytectl`` client ``config.yaml``:
+
+.. code-block:: yaml
+
+  admin:
+  endpoint: dns:///example.com
+  authType: Pkce
+  insecure: false # disable insecure in flytectl
+  insecureSkipVerify: true