[Docs] The GCP deployment docs should fix/remove the instructions to use the GCP Ingress controller

[fg91]

Description

The SSL Certificate section in the GCP deployment guide documents both the use of a GKE ManagedCertificate in combination with the GKE ingress controller as well as the use of cert manager with the nginx ingress controller.

However, when using the GCP ingress, the flyteadmin backend will always be shown as unhealthy (even though it isn't) as the GKE ingress controller cannot interpret probes of type exec.command which flyteadmin uses and which are recommended for gRPC services. Instead, the GKE ingress would need to either get a path + port where the app returns 200 if it is healthy or it needs to be given a TCP port where it will try to open a socket. (The way the GKE ingress checks for health can be customized with a so-called backend config. (In the Flyte Slack, users have reported that they used this mechanism to fix the broken health check.)

The documentation should either provide instructions for using the GKE ingress controller that work out of the box or remove references to it and instead only recommend the nginx ingress controller.

Are you sure this issue hasn't been raised already?

• Yes

Have you read the Code of Conduct?

• Yes

[jeevb]

Flyteadmin does have an HTTP health check that should work: https://github.com/flyteorg/flyteadmin/blob/3379031b05bec09df6b7bb1bd99d499cf900b268/pkg/server/service.go#L175

Unfortunately, it currently doesn't check for much: https://github.com/flyteorg/flyteadmin/blob/3379031b05bec09df6b7bb1bd99d499cf900b268/pkg/server/service.go#L158.

But this should work well with the existing GCP LB health checks, in theory, and we can continue to make it better.

[davidmirror-ops]

Also @fg91 while it's true, the latest version of docs doesn't include those sections, and currently the idea is to update only latest docs

Having said so, there's work in progress to publish a reference implementation for GCP, and we'll incorporate feedback there

[fg91]

Having said so, there's work in progress to publish a reference implementation for GCP, and we'll incorporate feedback there

It would be really great if the reference implementation would use GCP Identity Aware Proxy instead of letting Flyte serve the login screen.

[fg91]

the latest version of docs doesn't include those sections, and currently the idea is to update only latest docs

Ah interesting, I wasn't aware that this guide is not part of the latest docs anymore.

[davidmirror-ops]

The manual instructions were removed from latest and there's currently an effort in progress to consolidate the build process for the documentation site, also exploring how to avoid older docs versions to be indexed.

In terms of the content of that section, the practical experience shows that probably flyteadmin is not prepared yet to meet the requirements from the GKE Ingress Controller for HTTP/2.

The ideal approach on GCP would be to use the work you did to enable IAP support and add it to the docs.

That effort will be tracked here