From ff31a5b2168cb08be7663a3e22e00dc3a7c766b5 Mon Sep 17 00:00:00 2001
From: Alex Wu <66259759+popojk@users.noreply.github.com>
Date: Wed, 20 Nov 2024 22:54:38 +0800
Subject: [PATCH] How to verify that the grpc service of flyteadmin works as
 expected (#5958)

* add tls config setting related information to troubleshoot doc

Signed-off-by: Alex Wu <c.alexwu@gmail.com>

* fix some information in the doc

Signed-off-by: Alex Wu <c.alexwu@gmail.com>

* fix code block error

Signed-off-by: Alex Wu <c.alexwu@gmail.com>

* minor fix to make the information more clear

Signed-off-by: Alex Wu <c.alexwu@gmail.com>

* highlight the config.yaml

Signed-off-by: Alex Wu <c.alexwu@gmail.com>

---------

Signed-off-by: Alex Wu <c.alexwu@gmail.com>
---
 docs/community/troubleshoot.rst | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/docs/community/troubleshoot.rst b/docs/community/troubleshoot.rst
index 692e3c2aed..2a1b620515 100644
--- a/docs/community/troubleshoot.rst
+++ b/docs/community/troubleshoot.rst
@@ -176,3 +176,34 @@ Please add ``spark`` to the list of `enabled-plugins` in the config yaml file. F
       default-for-task-types:
         - container: container
         - container_array: K8S-ARRAY
+
+``authentication handshake failed: x509: "Kubernetes Ingress Controller Fake Certificate" certificate is not trusted"`` when deploying flyte-core to your own kubernetes cluster
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This issue is caused by TLS being disabled in your Kubernetes cluster. You can resolve the problem by following these steps:
+
+- Enable ``tls`` in the ``values.yaml`` ingress configuration of flyte-core in order to expose gRPC service at 443 port:
+
+.. code-block:: yaml
+
+  ingress:
+    host: <http://example.com|example.com>
+    separateGrpcIngress: true
+    separateGrpcIngressAnnotations:
+      <http://ingress.kubernetes.io/backend-protocol|ingress.kubernetes.io/backend-protocol>: "grpc"
+    annotations:
+      <http://ingress.kubernetes.io/app-root|ingress.kubernetes.io/app-root>: "/console"
+      <http://ingress.kubernetes.io/default-backend-redirect|ingress.kubernetes.io/default-backend-redirect>: "/console"
+      <http://kubernetes.io/ingress.class|kubernetes.io/ingress.class>: haproxy
+    tls:
+      enabled: true # enable tls
+
+- Disable ``insecure`` in your ``flytectl`` client ``config.yaml``:
+
+.. code-block:: yaml
+
+  admin:
+  endpoint: dns:///example.com
+  authType: Pkce
+  insecure: false # disable insecure in flytectl
+  insecureSkipVerify: true