uctl update plugin-override#

Update matchable resources of plugin overrides

Synopsis#

Update plugin overrides for given project and domain combination or additionally with workflow name.

Updating to the plugin override is only available from a generated file. See the get section for generating this file. This will completely overwrite any existing plugins overrides on custom project, domain, and workflow combination. It is preferable to do get and generate a plugin override file if there is an existing override already set and then update it to have new values. Refer to get plugin-override section on how to generate this file It takes input for plugin overrides from the config file po.yaml, Example: content of po.yaml:

domain: development
project: flytesnacks
overrides:
   - task_type: python_task # Task type for which to apply plugin implementation overrides
     plugin_id:             # Plugin id(s) to be used in place of the default for the task type.
       - plugin_override1
       - plugin_override2
     missing_plugin_behavior: 1 # Behavior when no specified plugin_id has an associated handler. 0 : FAIL , 1: DEFAULT
flytectl update plugin-override --attrFile po.yaml

Update plugin override for project, domain, and workflow combination. This will take precedence over any other plugin overrides defined at project domain level. For workflow ‘core.control_flow.merge_sort.merge_sort’ in flytesnacks project, development domain, it is:

domain: development
project: flytesnacks
workflow: core.control_flow.merge_sort.merge_sort
overrides:
   - task_type: python_task # Task type for which to apply plugin implementation overrides
     plugin_id:             # Plugin id(s) to be used in place of the default for the task type.
       - plugin_override1
       - plugin_override2
     missing_plugin_behavior: 1 # Behavior when no specified plugin_id has an associated handler. 0 : FAIL , 1: DEFAULT
flytectl update plugin-override --attrFile po.yaml

Usage

uctl update plugin-override [flags]

Options#

Option

Type

Description

--attrFile

string

attribute file name to be used for updating attribute for the resource type.

--dryRun

execute command without making any modifications.

--force

do not ask for an acknowledgement during updates.

-h, --help

help for plugin-override

Options inherited from parent commands#

Option

Type

Description

--admin.audience

string

Audience to use when initiating OAuth2 authorization requests.

--admin.authType

string

Type of OAuth2 flow used for communicating with admin.ClientSecret, Pkce, ExternalCommand are valid values (default “ClientSecret”)

--admin.authorizationHeader

string

Custom metadata header to pass JWT

--admin.authorizationServerUrl

string

This is the URL to your IdP’s authorization server. It’ll default to Endpoint

--admin.caCertFilePath

string

Use specified certificate file to verify the admin server peer.

--admin.clientId

string

Client ID (default “flytepropeller”)

--admin.clientSecretEnvVar

string

Environment variable containing the client secret

--admin.clientSecretLocation

string

File containing the client secret (default “/etc/secrets/client_secret”)

--admin.command

strings

Command for external authentication token generation

--admin.defaultOrg

string

OPTIONAL: Default org to use to support non-org based cli’s.’.

--admin.defaultServiceConfig

string

--admin.deviceFlowConfig.pollInterval

string

amount of time the device flow would poll the token endpoint if auth server doesn’t return a polling interval. Okta and google IDP do return an interval’ (default “5s”)

--admin.deviceFlowConfig.refreshTime

string

grace period from the token expiry after which it would refresh the token. (default “5m0s”)

--admin.deviceFlowConfig.timeout

string

amount of time the device flow should complete or else it will be cancelled. (default “10m0s”)

--admin.endpoint

string

For admin types, specify where the uri of the service is located.

--admin.httpProxyURL

string

OPTIONAL: HTTP Proxy to be used for OAuth requests.

--admin.insecure

Use insecure connection.

--admin.insecureSkipVerify

InsecureSkipVerify controls whether a client verifies the server’s certificate chain and host name. Caution : shouldn’t be use for production usecases’

--admin.maxBackoffDelay

string

Max delay for grpc backoff (default “8s”)

--admin.maxMessageSizeBytes

int

The max size in bytes for incoming gRPC messages

--admin.maxRetries

int

Max number of gRPC retries (default 4)

--admin.perRetryTimeout

string

gRPC per retry timeout (default “15s”)

--admin.pkceConfig.refreshTime

string

grace period from the token expiry after which it would refresh the token. (default “5m0s”)

--admin.pkceConfig.timeout

string

Amount of time the browser session would be active for authentication from client app. (default “2m0s”)

--admin.proxyCommand

strings

Command for external proxy-authorization token generation

--admin.scopes

strings

List of scopes to request

--admin.tokenRefreshWindow

string

Max duration between token refresh attempt and token expiry. (default “0s”)

--admin.tokenUrl

string

OPTIONAL: Your IdP’s token endpoint. It’ll be discovered from flyte admin’s OAuth Metadata endpoint if not provided.

--admin.useAudienceFromAdmin

Use Audience configured from admins public endpoint config.

--admin.useAuth

Deprecated: Auth will be enabled/disabled based on admin’s dynamically discovered information.

--auth.appAuth.externalAuthServer.allowedAudience

strings

Optional: A list of allowed audiences. If not provided, the audience is expected to be the public Uri of the service.

--auth.appAuth.externalAuthServer.baseUrl

string

This should be the base url of the authorization server that you are trying to hit. With Okta for instance, it will look something like https://company.okta.com/oauth2/abcdef123456789/

--auth.appAuth.externalAuthServer.httpProxyURL

string

OPTIONAL: HTTP Proxy to be used for OAuth requests.

--auth.appAuth.externalAuthServer.metadataUrl

string

Optional: If the server doesn’t support /.well-known/oauth-authorization-server, you can set a custom metadata url here.’

--auth.appAuth.externalAuthServer.retryAttempts

int

Optional: The number of attempted retries on a transient failure to get the OAuth metadata (default 5)

--auth.appAuth.externalAuthServer.retryDelay

string

Optional, Duration to wait between retries (default “1s”)

--auth.appAuth.selfAuthServer.accessTokenLifespan

string

Defines the lifespan of issued access tokens. (default “30m0s”)

--auth.appAuth.selfAuthServer.authorizationCodeLifespan

string

Defines the lifespan of issued access tokens. (default “5m0s”)

--auth.appAuth.selfAuthServer.claimSymmetricEncryptionKeySecretName

string

OPTIONAL: Secret name to use to encrypt claims in authcode token. (default “claim_symmetric_key”)

--auth.appAuth.selfAuthServer.issuer

string

Defines the issuer to use when issuing and validating tokens. The default value is https://<requestUri.HostAndPort>/

--auth.appAuth.selfAuthServer.oldTokenSigningRSAKeySecretName

string

OPTIONAL: Secret name to use to retrieve Old RSA Signing Key. This can be useful during key rotation to continue to accept older tokens. (default “token_rsa_key_old.pem”)

--auth.appAuth.selfAuthServer.refreshTokenLifespan

string

Defines the lifespan of issued access tokens. (default “1h0m0s”)

--auth.appAuth.selfAuthServer.tokenSigningRSAKeySecretName

string

OPTIONAL: Secret name to use to retrieve RSA Signing Key. (default “token_rsa_key.pem”)

--auth.appAuth.thirdPartyConfig.flyteClient.audience

string

Audience to use when initiating OAuth2 authorization requests.

--auth.appAuth.thirdPartyConfig.flyteClient.clientId

string

public identifier for the app which handles authorization for a Flyte deployment (default “flytectl”)

--auth.appAuth.thirdPartyConfig.flyteClient.redirectUri

string

This is the callback uri registered with the app which handles authorization for a Flyte deployment (default “http://localhost:53593/callback”)

--auth.appAuth.thirdPartyConfig.flyteClient.scopes

strings

Recommended scopes for the client to request. (default [all,offline])

--auth.disableForGrpc

Disables auth enforcement on Grpc Endpoints.

--auth.disableForHttp

Disables auth enforcement on HTTP Endpoints.

--auth.grpcAuthorizationHeader

string

(default “flyte-authorization”)

--auth.httpAuthorizationHeader

string

(default “flyte-authorization”)

--auth.httpProxyURL

string

OPTIONAL: HTTP Proxy to be used for OAuth requests.

--auth.tokenEndpointProxyPath

string

The path used to proxy calls to the TokenURL

--auth.userAuth.cookieBlockKeySecretName

string

OPTIONAL: Secret name to use for cookie block key. (default “cookie_block_key”)

--auth.userAuth.cookieHashKeySecretName

string

OPTIONAL: Secret name to use for cookie hash key. (default “cookie_hash_key”)

--auth.userAuth.cookieSetting.domain

string

OPTIONAL: Allows you to set the domain attribute on the auth cookies.

--auth.userAuth.cookieSetting.sameSitePolicy

string

OPTIONAL: Allows you to declare if your cookie should be restricted to a first-party or same-site context.Wrapper around http.SameSite. (default “DefaultMode”)

--auth.userAuth.httpProxyURL

string

OPTIONAL: HTTP Proxy to be used for OAuth requests.

--auth.userAuth.idpQueryParameter

string

idp query parameter used for selecting a particular IDP for doing user authentication. Eg: for Okta passing idp= forces the authentication to happen with IDP-ID

--auth.userAuth.openId.baseUrl

string

--auth.userAuth.openId.clientId

string

--auth.userAuth.openId.clientSecretFile

string

--auth.userAuth.openId.clientSecretName

string

(default “oidc_client_secret”)

--auth.userAuth.openId.scopes

strings

(default [openid,profile])

--auth.userAuth.redirectUrl

string

(default “/console”)

--authorizer.internalCommunicationConfig.enabled

Enables authorization decisions for internal communication. (default true)

--authorizer.internalCommunicationConfig.ingressIdentity

string

IngressIdentity used in the cluster. Needed to exclude the communication coming from ingress. (default “ingress-nginx.ingress-nginx.serviceaccount.identity.linkerd.cluster.local”)

--authorizer.internalCommunicationConfig.tenantUrlPatternIdentity

string

UrlPatternIdentity of the internal tenant service endpoint identities. (default “{{ service }}.{{ org }}.serviceaccount.identity.linkerd.cluster.local”)

--authorizer.internalCommunicationConfig.urlPatternIdentity

string

UrlPatternIdentity of the internal service endpoint identities. (default “{{ service }}-helmchart.{{ service }}.serviceaccount.identity.linkerd.cluster.local”)

--authorizer.mode

string

(default “Active”)

--authorizer.organizationConfig.PolicyConfig.adminPolicyDescription

string

description for the boilerplate admin policy (default “Contributor permissions and full admin permissions to manage users and view usage dashboards”)

--authorizer.organizationConfig.PolicyConfig.contributorPolicyDescription

string

description for the boilerplate contributor policy (default “Viewer permissions and permissions to create workflows, tasks, launch plans, and executions”)

--authorizer.organizationConfig.PolicyConfig.defaultUserPolicyRoleType

string

name of the role type to determine which default policy new users added to the organization should be assigned (default “Viewer”)

--authorizer.organizationConfig.PolicyConfig.serverlessContributorPolicyDescription

string

description for the boilerplate serverless contributor policy (default “Viewer permissions and permissions to create workflows, tasks, launch plans, and executions”)

--authorizer.organizationConfig.PolicyConfig.serverlessViewerPolicyDescription

string

description for the boilerplate serverless viewer policy (default “Permissions to view Flyte entities”)

--authorizer.organizationConfig.PolicyConfig.viewerPolicyDescription

string

description for the boilerplate viewer policy (default “Permissions to view Flyte entities”)

--authorizer.organizationConfig.defaultPolicyCacheDuration

string

Cache entry duration for the store of the default policy per organization (default “10m0s”)

--authorizer.syncRuleRefreshInterval

string

(default “1m0s”)

--authorizer.type

string

(default “UserClouds”)

--authorizer.userCloudsClient.cache.redis.ttl.edgeTypes

string

Specifies how long edge types remain in the cache.. (default “30m0s”)

--authorizer.userCloudsClient.cache.redis.ttl.edges

string

Specifies how long edges remain in the cache. (default “30m0s”)

--authorizer.userCloudsClient.cache.redis.ttl.objectTypes

string

Specifies how long object types remain in the cache. (default “30m0s”)

--authorizer.userCloudsClient.cache.redis.ttl.objects

string

Specifies how long objects remain in the cache. (default “30m0s”)

--authorizer.userCloudsClient.cache.type

string

Cache type to use. (default “none”)

--authorizer.userCloudsClient.clientID

string

UserClouds client id

--authorizer.userCloudsClient.clientSecretName

string

UserCloud client secret name to read from the secret manager. (default “userclouds-client-secret”)

--authorizer.userCloudsClient.enableLogging

Enable userclouds client’s internal logging. Calls to post logs take 250-350 ms and will impact p99 latency, enable with caution.

--authorizer.userCloudsClient.tenantID

string

UserClouds tenant id. Should be a UUID.

--authorizer.userCloudsClient.tenantUrl

string

Something like https://.tenant.userclouds.com

--config

string

config file (default is /Users/andrew/.union/config.yaml)

--connection.environment

string

--connection.region

string

--connection.rootTenantURLPattern

string

Pattern for tenant url. (default “dns:///{{ organization }}.cloud-staging.union.ai”)

--console.endpoint

string

Endpoint of console, if different than flyte admin

--database.connMaxLifeTime

string

sets the maximum amount of time a connection may be reused (default “1h0m0s”)

--database.enableForeignKeyConstraintWhenMigrating

Whether to enable gorm foreign keys when migrating the db

--database.maxIdleConnections

int

maxIdleConnections sets the maximum number of connections in the idle connection pool. (default 10)

--database.maxOpenConnections

int

maxOpenConnections sets the maximum number of open connections to the database. (default 100)

--database.postgres.dbname

string

The database name (default “postgres”)

--database.postgres.debug

--database.postgres.host

string

The host name of the database server (default “localhost”)

--database.postgres.options

string

See http://gorm.io/docs/connecting_to_the_database.html for available options passed, in addition to the above. (default “sslmode=disable”)

--database.postgres.password

string

The database password. (default “postgres”)

--database.postgres.passwordPath

string

Points to the file containing the database password.

--database.postgres.port

int

The port name of the database server (default 30001)

--database.postgres.readReplicaHost

string

The host name of the read replica database server (default “localhost”)

--database.postgres.username

string

The database user who is connecting to the server. (default “postgres”)

--database.sqlite.file

string

The path to the file (existing or new) where the DB should be created / stored. If existing, then this will be re-used, else a new will be created

--db.connectionPool.maxConnectionLifetime

string

(default “0s”)

--db.connectionPool.maxIdleConnections

int

--db.connectionPool.maxOpenConnections

int

--db.dbname

string

(default “postgres”)

--db.debug

--db.host

string

(default “postgres”)

--db.log_level

int

(default 4)

--db.options

string

(default “sslmode=disable”)

--db.password

string

--db.passwordPath

string

--db.port

int

(default 5432)

--db.username

string

(default “postgres”)

-d, --domain

string

Specifies the Flyte project’s domain.

--files.archive

Pass in archive file either an http link or local path.

--files.assumableIamRole

string

Custom assumable iam auth role to register launch plans with.

--files.continueOnError

Continue on error when registering files.

--files.destinationDirectory

string

Location of source code in container.

--files.dryRun

Execute command without making any modifications.

--files.enableSchedule

Enable the schedule if the files contain schedulable launchplan.

--files.force

Force use of version number on entities registered with flyte.

--files.k8ServiceAccount

string

Deprecated. Please use –K8sServiceAccount

--files.k8sServiceAccount

string

Custom kubernetes service account auth role to register launch plans with.

--files.outputLocationPrefix

string

Custom output location prefix for offloaded types (files/schemas).

--files.sourceUploadPath

string

Deprecated: Update flyte admin to avoid having to configure storage access from flytectl.

--files.version

string

Version of the entity to be registered with flyte which are un-versioned after serialization.

--logger.formatter.type

string

Sets logging format type. (default “json”)

--logger.level

int

Sets the minimum logging level. (default 3)

--logger.mute

Mutes all logs regardless of severity. Intended for benchmarks/tests only.

--logger.show-source

Includes source code location in logs.

--org

string

Organization to work on. If not set, default to user’s org.

--otel.file.filename

string

Filename to store exported telemetry traces (default “/tmp/trace.txt”)

--otel.jaeger.endpoint

string

Endpoint for the jaeger telemetry trace ingestor (default “http://localhost:14268/api/traces”)

--otel.otlpgrpc.endpoint

string

Endpoint for the OTLP telemetry trace collector (default “http://localhost:4317”)

--otel.otlphttp.endpoint

string

Endpoint for the OTLP telemetry trace collector (default “http://localhost:4318/v1/traces”)

--otel.sampler.parentSampler

string

Sets the parent sampler to use for the tracer (default “always”)

--otel.type

string

Sets the type of exporter to configure [noop/file/jaeger/otlpgrpc/otlphttp]. (default “noop”)

-o, --output

string

Specifies the output type - supported formats [TABLE JSON YAML DOT DOTURL]. NOTE: dot, doturl are only supported for Workflow (default “table”)

--plugins.catalogcache.reader.maxItems

int

Maximum number of entries to keep in the index. (default 10000)

--plugins.catalogcache.reader.maxRetries

int

Maximum number of retries per item. (default 3)

--plugins.catalogcache.reader.workers

int

Number of concurrent workers to start processing the queue. (default 10)

--plugins.catalogcache.writer.maxItems

int

Maximum number of entries to keep in the index. (default 10000)

--plugins.catalogcache.writer.maxRetries

int

Maximum number of retries per item. (default 3)

--plugins.catalogcache.writer.workers

int

Number of concurrent workers to start processing the queue. (default 10)

-p, --project

string

Specifies the Flyte project.

--rediscache.passwordSecretName

string

Name of secret with Redis password.

--rediscache.primaryEndpoint

string

Primary endpoint for the redis cache that can be used for both reads and writes.

--rediscache.replicaEndpoint

string

Replica endpoint for the redis cache that can be used for reads.

--secrets.env-prefix

string

Prefix for environment variables (default “FLYTE_SECRET_”)

--secrets.secrets-prefix

string

Prefix where to look for secrets file (default “/etc/secrets”)

--secrets.type

string

Sets the type of storage to configure [local]. (default “local”)

--server.dataProxy.download.maxExpiresIn

string

Maximum allowed expiration duration. (default “1h0m0s”)

--server.dataProxy.upload.defaultFileNameLength

int

Default length for the generated file name if not provided in the request. (default 20)

--server.dataProxy.upload.maxExpiresIn

string

Maximum allowed expiration duration. (default “1h0m0s”)

--server.dataProxy.upload.maxSize

string

Maximum allowed upload size. (default “6Mi”)

--server.dataProxy.upload.storagePrefix

string

Storage prefix to use for all upload requests.

--server.grpc.enableGrpcLatencyMetrics

Enable grpc latency metrics. Note Histograms metrics can be expensive on Prometheus servers.

--server.grpc.maxMessageSizeBytes

int

The max size in bytes for incoming gRPC messages

--server.grpc.port

int

On which grpc port to serve admin (default 8089)

--server.grpc.serverReflection

Enable GRPC Server Reflection (default true)

--server.grpcPort

int

deprecated

--server.grpcServerReflection

deprecated

--server.httpPort

int

On which http port to serve admin (default 8088)

--server.kube-config

string

Path to kubernetes client config file, default is empty, useful for incluster config.

--server.kubeClientConfig.burst

int

Max burst rate for throttle. 0 defaults to 10 (default 25)

--server.kubeClientConfig.qps

int32

Max QPS to the master for requests to KubeAPI. 0 defaults to 5. (default 100)

--server.kubeClientConfig.timeout

string

Max duration allowed for every request to KubeAPI before giving up. 0 implies no timeout. (default “30s”)

--server.master

string

The address of the Kubernetes API server.

--server.readHeaderTimeoutSeconds

int

The amount of time allowed to read request headers. (default 32)

--server.security.allowCors

(default true)

--server.security.allowedHeaders

strings

(default [Content-Type,flyte-authorization])

--server.security.allowedOrigins

strings

(default [*])

--server.security.auditAccess

--server.security.secure

--server.security.ssl.certificateFile

string

--server.security.ssl.keyFile

string

--server.security.useAuth

--server.thirdPartyConfig.flyteClient.audience

string

Audience to use when initiating OAuth2 authorization requests.

--server.thirdPartyConfig.flyteClient.clientId

string

public identifier for the app which handles authorization for a Flyte deployment

--server.thirdPartyConfig.flyteClient.redirectUri

string

This is the callback uri registered with the app which handles authorization for a Flyte deployment

--server.thirdPartyConfig.flyteClient.scopes

strings

Recommended scopes for the client to request.

--server.watchService.maxActiveClusterConnections

int

(default 5)

--server.watchService.maxPageSize

int

(default 50000)

--server.watchService.nonTerminalStatusUpdatesInterval

string

(default “1m0s”)

--server.watchService.pollInterval

string

(default “1s”)

--sharedservice.connectPort

string

On which connect port to serve admin (default “8080”)

--sharedservice.grpc.grpcMaxResponseStatusBytes

int32

specifies the maximum (uncompressed) size of header list that the client is prepared to accept on grpc calls (default 32000)

--sharedservice.grpc.maxConcurrentStreams

int

Limit on the number of concurrent streams to each ServerTransport. (default 100)

--sharedservice.grpc.maxMessageSizeBytes

int

Limit on the size of message that can be received on the server. (default 10485760)

--sharedservice.grpcServerReflection

Enable GRPC Server Reflection (default true)

--sharedservice.httpPort

string

On which http port to serve admin (default “8089”)

--sharedservice.kubeConfig

string

Path to kubernetes client config file.

--sharedservice.master

string

The address of the Kubernetes API server.

--sharedservice.metrics.enableClientGrpcHistograms

Enable client grpc histograms (default true)

--sharedservice.metrics.enableGrpcHistograms

Enable grpc histograms (default true)

--sharedservice.metrics.scope

string

Scope to emit metrics under (default “service:”)

--sharedservice.port

string

On which grpc port to serve admin (default “8080”)

--sharedservice.profiler.enabled

Enable Profiler on server

--sharedservice.profilerPort

string

Profile port to start listen for pprof and metric handlers on. (default “10254”)

--sharedservice.security.allowCors

--sharedservice.security.allowLocalhostAccess

Whether to permit localhost unauthenticated access to the server

--sharedservice.security.allowedHeaders

strings

--sharedservice.security.allowedOrigins

strings

--sharedservice.security.auditAccess

--sharedservice.security.orgOverride

string

Override org in identity context if localhost access enabled

--sharedservice.security.secure

--sharedservice.security.ssl.certificateAuthorityFile

string

--sharedservice.security.ssl.certificateFile

string

--sharedservice.security.ssl.keyFile

string

--sharedservice.security.useAuth

--sharedservice.sync.syncInterval

string

Time interval to sync (default “5m0s”)

--storage.cache.max_size_mbs

int

Maximum size of the cache where the Blob store data is cached in-memory. If not specified or set to 0, cache is not used

--storage.cache.target_gc_percent

int

Sets the garbage collection target percentage.

--storage.connection.access-key

string

Access key to use. Only required when authtype is set to accesskey.

--storage.connection.auth-type

string

Auth Type to use [iam, accesskey]. (default “iam”)

--storage.connection.disable-ssl

Disables SSL connection. Should only be used for development.

--storage.connection.endpoint

string

URL for storage client to connect to.

--storage.connection.region

string

Region to connect to. (default “us-east-1”)

--storage.connection.secret-key

string

Secret to use when accesskey is set.

--storage.container

string

Initial container (in s3 a bucket) to create -if it doesn’t exist-.’

--storage.defaultHttpClient.timeout

string

Sets time out on the http client. (default “0s”)

--storage.enable-multicontainer

If this is true, then the container argument is overlooked and redundant. This config will automatically open new connections to new containers/buckets as they are encountered

--storage.limits.maxDownloadMBs

int

Maximum allowed download size (in MBs) per call. (default 2)

--storage.stow.config

stringToString

Configuration for stow backend. Refer to github/flyteorg/stow (default [])

--storage.stow.kind

string

Kind of Stow backend to use. Refer to github/flyteorg/stow

--storage.type

string

Sets the type of storage to configure [s3/minio/local/mem/stow]. (default “s3”)

--union.auth.authorizationMetadataKey

string

Authorization Header to use when passing Access Tokens to the server (default “flyte-authorization”)

--union.auth.clientId

string

Client ID

--union.auth.clientSecretEnvVar

string

Environment variable containing the client secret

--union.auth.clientSecretLocation

string

File containing the client secret

--union.auth.deviceFlow.pollInterval

string

amount of time the device flow would poll the token endpoint if auth server doesn’t return a polling interval. Okta and google IDP do return an interval’ (default “5s”)

--union.auth.deviceFlow.refreshTime

string

grace period from the token expiry after which it would refresh the token. (default “5m0s”)

--union.auth.deviceFlow.timeout

string

amount of time the device flow should complete or else it will be cancelled. (default “10m0s”)

--union.auth.enable

Whether to enable an authenticated conenction when communicating with admin. (default true)

--union.auth.externalAuth.command

strings

Command for external authentication token generation

--union.auth.pkce.refreshTime

string

grace period from the token expiry after which it would refresh the token. (default “5m0s”)

--union.auth.pkce.timeout

string

Amount of time the browser session would be active for authentication from client app. (default “15s”)

--union.auth.scopes

strings

List of scopes to request

--union.auth.tokenRefreshWindow

string

Max duration between token refresh attempt and token expiry. (default “1h0m0s”)

--union.auth.tokenUrl

string

OPTIONAL: Your IdP’s token endpoint. It’ll be discovered from flyte admin’s OAuth Metadata endpoint if not provided.

--union.auth.type

string

Type of OAuth2 flow used for communicating with admin. (default “Pkce”)

--union.cache.maxItemsCount

int

Maximum number of items to keep in the cache before evicting. (default 1000)

--union.connection.host

string

Host to connect to (default “dns:///utt-mgdp-stg-us-east-2.cloud-staging.union.ai”)

--union.connection.insecure

Whether to connect over insecure channel

--union.connection.insecureSkipVerify

InsecureSkipVerify controls whether a client verifies the server’s certificate chain and host name. Caution : shouldn’t be use for production usecases’

--union.connection.keepAliveConfig.permitWithoutStream

If true, client sends keepalive pings even with no active RPCs.

--union.connection.keepAliveConfig.time

string

After a duration of this time if the client doesn’t see any activity it pings the server to see if the transport is still alive. (default “20s”)

--union.connection.keepAliveConfig.timeout

string

After having pinged for keepalive check, the client waits for a duration of Timeout and if no activity is seen even after that the connection is closed. (default “2m0s”)

--union.connection.maxBackoffDelay

string

Max delay for grpc backoff (default “8s”)

--union.connection.maxRecvMsgSize

int

Maximum size of a message in bytes of a gRPC message (default 10485760)

--union.connection.maxRetries

int

Max number of gRPC retries (default 4)

--union.connection.minConnectTimeout

string

Minimum timeout for establishing a connection (default “20s”)

--union.connection.perRetryTimeout

string

gRPC per retry timeout (default “15s”)

--union.connection.serviceConfig

string

Defines gRPC experimental JSON Service Config (default “{“loadBalancingConfig”: [{“round_robin”:{}}]}”)

--union.connection.trustedIdentityClaims.enabled

Enables passing of trusted claims while making inter service calls

--union.connection.trustedIdentityClaims.externalIdentityClaim

string

External identity claim of the service which is authorized to make internal service call. These are verified against userclouds actions

--union.connection.trustedIdentityClaims.externalIdentityTypeClaim

string

External identity type claim of app or user to use for the current service identity. It should be an ‘app’ for inter service communication

--union.internalConnectionConfig.-

stringToString

(default [])

--union.internalConnectionConfig.enabled

Enables internal service to service communication instead of going through ingress.

--union.internalConnectionConfig.urlPattern

string

UrlPattern of the internal service endpoints. (default “{{ service }}-helmchart.{{ service }}.svc.cluster.local:80”)

--webhook.awsSecretManager.sidecarImage

string

Specifies the sidecar docker image to use (default “docker.io/amazon/aws-secrets-manager-secret-sidecar:v0.1.4”)

--webhook.certDir

string

Certificate directory to use to write generated certs. Defaults to /etc/webhook/certs/ (default “/etc/webhook/certs”)

--webhook.embeddedSecretManagerConfig.awsConfig.region

string

AWS region

--webhook.embeddedSecretManagerConfig.fileMountInitContainer.image

string

Specifies init container image to use for mounting secrets as files. (default “busybox:1.28”)

--webhook.embeddedSecretManagerConfig.gcpConfig.project

string

GCP project to be used for secret manager

--webhook.embeddedSecretManagerConfig.type

string

(default “AWS”)

--webhook.gcpSecretManager.sidecarImage

string

Specifies the sidecar docker image to use (default “gcr.io/google.com/cloudsdktool/cloud-sdk:alpine”)

--webhook.listenPort

int

The port to use to listen to webhook calls. Defaults to 9443 (default 9443)

--webhook.localCert

write certs locally. Defaults to false

--webhook.metrics-prefix

string

An optional prefix for all published metrics. (default “flyte:”)

--webhook.secretName

string

Secret name to write generated certs to. (default “flyte-pod-webhook”)

--webhook.serviceName

string

The name of the webhook service. (default “flyte-pod-webhook”)

--webhook.servicePort

int32

The port on the service that hosting webhook. (default 443)

--webhook.vaultSecretManager.role

string

Specifies the vault role to use (default “flyte”)