uctl update workflow-execution-config
Updates matchable resources of workflow execution config
Synopsis
Updates the workflow execution config for the given project and domain combination, or additionally for a workflow name.
Updating the workflow execution config is only available from a generated file. See the get section for generating this file. The update completely overwrites any existing custom execution config for the project, domain, and workflow combination. If an execution config is already set, it is preferable to run get first to generate a config file and then update that file with the new values. Refer to the get workflow-execution-config section for how to generate this file. The command takes the workflow execution config from the config file wec.yaml. Example content of wec.yaml:
```yaml
domain: development
project: flytesnacks
max_parallelism: 5
security_context:
  run_as:
    k8s_service_account: demo
```
```
flytectl update workflow-execution-config --attrFile wec.yaml
```
Update the workflow execution config for a project, domain, and workflow combination. This takes precedence over any other execution config defined at the project-domain level. For the workflow ‘core.control_flow.merge_sort.merge_sort’ in the flytesnacks project, development domain, it is:
```yaml
domain: development
project: flytesnacks
workflow: core.control_flow.merge_sort.merge_sort
max_parallelism: 5
security_context:
  run_as:
    k8s_service_account: mergesortsa
```
```
flytectl update workflow-execution-config --attrFile wec.yaml
```
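A pre-apply check for the overwrite behaviour described above, as an added example that is not part of the uctl documentation or code: it compares the file generated by get with the file about to be passed to --attrFile and reports every setting the overwrite would drop, add or change, marking changes to the run_as service account and to the targeted project, domain or workflow. The `flatten` and `review` functions and the `PROPOSED` sample are assumptions made for this illustration, and `flatten` handles only the nested `key: value` subset shown on this page.

```python
SA_KEY = "security_context.run_as.k8s_service_account"
SCOPE_KEYS = ("project", "domain", "workflow")


def flatten(text):
    """Flatten nested 'key: value' mappings into {'a.b.c': 'value'}.

    Covers only the indentation-based mapping subset used by wec.yaml
    (no lists, anchors or multi-line scalars); use a YAML library otherwise.
    """
    out, stack = {}, []  # stack holds (indent, key) for each open parent
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key.strip()])
        if value.strip():
            out[path] = value.strip()
        else:
            stack.append((indent, key.strip()))
    return out


def review(current_text, proposed_text):
    """Return (kind, key, old, new) tuples for everything the update alters."""
    cur, new = flatten(current_text), flatten(proposed_text)
    findings = []
    # A different project/domain/workflow means a different resource is written.
    for k in SCOPE_KEYS:
        if cur.get(k) != new.get(k):
            findings.append(("scope", k, cur.get(k), new.get(k)))
    for k in sorted(set(cur) | set(new)):
        if k in SCOPE_KEYS or cur.get(k) == new.get(k):
            continue
        kind = "dropped" if k not in new else "added" if k not in cur else "changed"
        if k == SA_KEY:
            kind = "identity-" + kind  # the account executions run as
        findings.append((kind, k, cur.get(k), new.get(k)))
    return findings


# File as generated by get: the page's project/domain example.
CURRENT = """\
domain: development
project: flytesnacks
max_parallelism: 5
security_context:
  run_as:
    k8s_service_account: demo
"""
# Constructed sample: written from scratch to raise max_parallelism,
# which silently omits the existing security_context.
PROPOSED = """\
domain: development
project: flytesnacks
max_parallelism: 10
"""
# The page's workflow-level example.
WORKFLOW_LEVEL = """\
domain: development
project: flytesnacks
workflow: core.control_flow.merge_sort.merge_sort
max_parallelism: 5
security_context:
  run_as:
    k8s_service_account: mergesortsa
"""

if __name__ == "__main__":
    for name, doc in (("PROPOSED", PROPOSED), ("WORKFLOW_LEVEL", WORKFLOW_LEVEL)):
        for kind, key, old, new in review(CURRENT, doc):
            print(f"{name}: {kind:17} {key}: {old!r} -> {new!r}")
```

An `identity-dropped` finding means the overwritten config no longer sets a run_as service account at that level, which is the case the get-then-edit advice above is meant to prevent.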
Usage
```
uctl update workflow-execution-config [flags]
```
Options

| Option | Type | Description |
|---|---|---|
| | string | attribute file name to be used for updating attribute for the resource type. |
| | | execute command without making any modifications. |
| | | do not ask for an acknowledgement during updates. |
| | | help for workflow-execution-config |
Options inherited from parent commands

| Option | Type | Description |
|---|---|---|
| | string | Audience to use when initiating OAuth2 authorization requests. |
| | string | Type of OAuth2 flow used for communicating with admin. ClientSecret, Pkce, ExternalCommand are valid values (default “ClientSecret”) |
| | string | Custom metadata header to pass JWT |
| | string | This is the URL to your IdP’s authorization server. It’ll default to Endpoint |
| | string | Use specified certificate file to verify the admin server peer. |
| | string | Client ID (default “flytepropeller”) |
| | string | Environment variable containing the client secret |
| | string | File containing the client secret (default “/etc/secrets/client_secret”) |
| | strings | Command for external authentication token generation |
| | string | OPTIONAL: Default org to use to support non-org based cli’s. |
| | string | |
| | string | amount of time the device flow would poll the token endpoint if auth server doesn’t return a polling interval. Okta and google IDP do return an interval (default “5s”) |
| | string | grace period from the token expiry after which it would refresh the token. (default “5m0s”) |
| | string | amount of time the device flow should complete or else it will be cancelled. (default “10m0s”) |
| | string | For admin types, specify where the uri of the service is located. |
| | string | OPTIONAL: HTTP Proxy to be used for OAuth requests. |
| | | Use insecure connection. |
| | | InsecureSkipVerify controls whether a client verifies the server’s certificate chain and host name. Caution: shouldn’t be used for production use cases |
| | string | Max delay for grpc backoff (default “8s”) |
| | int | The max size in bytes for incoming gRPC messages |
| | int | Max number of gRPC retries (default 4) |
| | string | gRPC per retry timeout (default “15s”) |
| | string | grace period from the token expiry after which it would refresh the token. (default “5m0s”) |
| | string | Amount of time the browser session would be active for authentication from client app. (default “2m0s”) |
| | strings | Command for external proxy-authorization token generation |
| | strings | List of scopes to request |
| | string | Max duration between token refresh attempt and token expiry. (default “0s”) |
| | string | OPTIONAL: Your IdP’s token endpoint. It’ll be discovered from flyte admin’s OAuth Metadata endpoint if not provided. |
| | | Use Audience configured from admins public endpoint config. |
| | | Deprecated: Auth will be enabled/disabled based on admin’s dynamically discovered information. |
| | strings | Optional: A list of allowed audiences. If not provided, the audience is expected to be the public Uri of the service. |
| | string | This should be the base url of the authorization server that you are trying to hit. With Okta for instance, it will look something like https://company.okta.com/oauth2/abcdef123456789/ |
| | string | OPTIONAL: HTTP Proxy to be used for OAuth requests. |
| | string | Optional: If the server doesn’t support /.well-known/oauth-authorization-server, you can set a custom metadata url here. |
| | int | Optional: The number of attempted retries on a transient failure to get the OAuth metadata (default 5) |
| | string | Optional, Duration to wait between retries (default “1s”) |
| | string | Defines the lifespan of issued access tokens. (default “30m0s”) |
| | string | Defines the lifespan of issued access tokens. (default “5m0s”) |
| | string | OPTIONAL: Secret name to use to encrypt claims in authcode token. (default “claim_symmetric_key”) |
| | string | Defines the issuer to use when issuing and validating tokens. The default value is https://<requestUri.HostAndPort>/ |
| | string | OPTIONAL: Secret name to use to retrieve Old RSA Signing Key. This can be useful during key rotation to continue to accept older tokens. (default “token_rsa_key_old.pem”) |
| | string | Defines the lifespan of issued access tokens. (default “1h0m0s”) |
| | string | OPTIONAL: Secret name to use to retrieve RSA Signing Key. (default “token_rsa_key.pem”) |
| | string | Audience to use when initiating OAuth2 authorization requests. |
| | string | public identifier for the app which handles authorization for a Flyte deployment (default “flytectl”) |
| | string | This is the callback uri registered with the app which handles authorization for a Flyte deployment (default “http://localhost:53593/callback”) |
| | strings | Recommended scopes for the client to request. (default [all,offline]) |
| | | Disables auth enforcement on Grpc Endpoints. |
| | | Disables auth enforcement on HTTP Endpoints. |
| | string | (default “flyte-authorization”) |
| | string | (default “flyte-authorization”) |
| | string | OPTIONAL: HTTP Proxy to be used for OAuth requests. |
| | string | The path used to proxy calls to the TokenURL |
| | string | OPTIONAL: Secret name to use for cookie block key. (default “cookie_block_key”) |
| | string | OPTIONAL: Secret name to use for cookie hash key. (default “cookie_hash_key”) |
| | string | OPTIONAL: Allows you to set the domain attribute on the auth cookies. |
| | string | OPTIONAL: Allows you to declare if your cookie should be restricted to a first-party or same-site context. Wrapper around http.SameSite. (default “DefaultMode”) |
| | string | OPTIONAL: HTTP Proxy to be used for OAuth requests. |
| | string | idp query parameter used for selecting a particular IDP for doing user authentication. Eg: for Okta passing idp= |
| | string | |
| | string | |
| | string | |
| | string | (default “oidc_client_secret”) |
| | strings | (default [openid,profile]) |
| | string | (default “/console”) |
| | | Enables authorization decisions for internal communication. (default true) |
| | string | IngressIdentity used in the cluster. Needed to exclude the communication coming from ingress. (default “ingress-nginx.ingress-nginx.serviceaccount.identity.linkerd.cluster.local”) |
| | string | UrlPatternIdentity of the internal tenant service endpoint identities. (default “{{ service }}.{{ org }}.serviceaccount.identity.linkerd.cluster.local”) |
| | string | UrlPatternIdentity of the internal service endpoint identities. (default “{{ service }}-helmchart.{{ service }}.serviceaccount.identity.linkerd.cluster.local”) |
| | string | (default “Active”) |
| | string | description for the boilerplate admin policy (default “Contributor permissions and full admin permissions to manage users and view usage dashboards”) |
| | string | description for the boilerplate contributor policy (default “Viewer permissions and permissions to create workflows, tasks, launch plans, and executions”) |
| | string | name of the role type to determine which default policy new users added to the organization should be assigned (default “Viewer”) |
| | string | description for the boilerplate serverless contributor policy (default “Viewer permissions and permissions to create workflows, tasks, launch plans, and executions”) |
| | string | description for the boilerplate serverless viewer policy (default “Permissions to view Flyte entities”) |
| | string | description for the boilerplate viewer policy (default “Permissions to view Flyte entities”) |
| | string | Cache entry duration for the store of the default policy per organization (default “10m0s”) |
| | string | (default “1m0s”) |
| | string | (default “UserClouds”) |
| | string | Specifies how long edge types remain in the cache. (default “30m0s”) |
| | string | Specifies how long edges remain in the cache. (default “30m0s”) |
| | string | Specifies how long object types remain in the cache. (default “30m0s”) |
| | string | Specifies how long objects remain in the cache. (default “30m0s”) |
| | string | Cache type to use. (default “none”) |
| | string | UserClouds client id |
| | string | UserCloud client secret name to read from the secret manager. (default “userclouds-client-secret”) |
| | | Enable userclouds client’s internal logging. Calls to post logs take 250-350 ms and will impact p99 latency, enable with caution. |
| | string | UserClouds tenant id. Should be a UUID. |
| | string | Something like https:// |
| | string | config file (default is /Users/andrew/.union/config.yaml) |
| | string | |
| | string | |
| | string | Pattern for tenant url. (default “dns:///{{ organization }}.cloud-staging.union.ai”) |
| | string | Endpoint of console, if different than flyte admin |
| | string | sets the maximum amount of time a connection may be reused (default “1h0m0s”) |
| | | Whether to enable gorm foreign keys when migrating the db |
| | int | maxIdleConnections sets the maximum number of connections in the idle connection pool. (default 10) |
| | int | maxOpenConnections sets the maximum number of open connections to the database. (default 100) |
| | string | The database name (default “postgres”) |
| | | |
| | string | The host name of the database server (default “localhost”) |
| | string | See http://gorm.io/docs/connecting_to_the_database.html for available options passed, in addition to the above. (default “sslmode=disable”) |
| | string | The database password. (default “postgres”) |
| | string | Points to the file containing the database password. |
| | int | The port name of the database server (default 30001) |
| | string | The host name of the read replica database server (default “localhost”) |
| | string | The database user who is connecting to the server. (default “postgres”) |
| | string | The path to the file (existing or new) where the DB should be created / stored. If existing, then this will be re-used, else a new will be created |
| | string | (default “0s”) |
| | int | |
| | int | |
| | string | (default “postgres”) |
| | | |
| | string | (default “postgres”) |
| | int | (default 4) |
| | string | (default “sslmode=disable”) |
| | string | |
| | string | |
| | int | (default 5432) |
| | string | (default “postgres”) |
| | string | Specifies the Flyte project’s domain. |
| | | Pass in archive file either an http link or local path. |
| | string | Custom assumable iam auth role to register launch plans with. |
| | | Continue on error when registering files. |
| | string | Location of source code in container. |
| | | Execute command without making any modifications. |
| | | Enable the schedule if the files contain schedulable launchplan. |
| | | Force use of version number on entities registered with flyte. |
| | string | Deprecated. Please use --K8sServiceAccount |
| | string | Custom kubernetes service account auth role to register launch plans with. |
| | string | Custom output location prefix for offloaded types (files/schemas). |
| | string | Deprecated: Update flyte admin to avoid having to configure storage access from flytectl. |
| | string | Version of the entity to be registered with flyte which are un-versioned after serialization. |
| | string | Sets logging format type. (default “json”) |
| | int | Sets the minimum logging level. (default 3) |
| | | Mutes all logs regardless of severity. Intended for benchmarks/tests only. |
| | | Includes source code location in logs. |
| | string | Organization to work on. If not set, default to user’s org. |
| | string | Filename to store exported telemetry traces (default “/tmp/trace.txt”) |
| | string | Endpoint for the jaeger telemetry trace ingestor (default “http://localhost:14268/api/traces”) |
| | string | Endpoint for the OTLP telemetry trace collector (default “http://localhost:4317”) |
| | string | Endpoint for the OTLP telemetry trace collector (default “http://localhost:4318/v1/traces”) |
| | string | Sets the parent sampler to use for the tracer (default “always”) |
| | string | Sets the type of exporter to configure [noop/file/jaeger/otlpgrpc/otlphttp]. (default “noop”) |
| | string | Specifies the output type - supported formats [TABLE JSON YAML DOT DOTURL]. NOTE: dot, doturl are only supported for Workflow (default “table”) |
| | int | Maximum number of entries to keep in the index. (default 10000) |
| | int | Maximum number of retries per item. (default 3) |
| | int | Number of concurrent workers to start processing the queue. (default 10) |
| | int | Maximum number of entries to keep in the index. (default 10000) |
| | int | Maximum number of retries per item. (default 3) |
| | int | Number of concurrent workers to start processing the queue. (default 10) |
| | string | Specifies the Flyte project. |
| | string | Name of secret with Redis password. |
| | string | Primary endpoint for the redis cache that can be used for both reads and writes. |
| | string | Replica endpoint for the redis cache that can be used for reads. |
| | string | Prefix for environment variables (default “FLYTE_SECRET_”) |
| | string | Prefix where to look for secrets file (default “/etc/secrets”) |
| | string | Sets the type of storage to configure [local]. (default “local”) |
| | string | Maximum allowed expiration duration. (default “1h0m0s”) |
| | int | Default length for the generated file name if not provided in the request. (default 20) |
| | string | Maximum allowed expiration duration. (default “1h0m0s”) |
| | string | Maximum allowed upload size. (default “6Mi”) |
| | string | Storage prefix to use for all upload requests. |
| | | Enable grpc latency metrics. Note Histograms metrics can be expensive on Prometheus servers. |
| | int | The max size in bytes for incoming gRPC messages |
| | int | On which grpc port to serve admin (default 8089) |
| | | Enable GRPC Server Reflection (default true) |
| | int | deprecated |
| | | deprecated |
| | int | On which http port to serve admin (default 8088) |
| | string | Path to kubernetes client config file, default is empty, useful for incluster config. |
| | int | Max burst rate for throttle. 0 defaults to 10 (default 25) |
| | int32 | Max QPS to the master for requests to KubeAPI. 0 defaults to 5. (default 100) |
| | string | Max duration allowed for every request to KubeAPI before giving up. 0 implies no timeout. (default “30s”) |
| | string | The address of the Kubernetes API server. |
| | int | The amount of time allowed to read request headers. (default 32) |
| | | (default true) |
| | strings | (default [Content-Type,flyte-authorization]) |
| | strings | (default [*]) |
| | | |
| | | |
| | string | |
| | string | |
| | | |
| | string | Audience to use when initiating OAuth2 authorization requests. |
| | string | public identifier for the app which handles authorization for a Flyte deployment |
| | string | This is the callback uri registered with the app which handles authorization for a Flyte deployment |
| | strings | Recommended scopes for the client to request. |
| | int | (default 5) |
| | int | (default 50000) |
| | string | (default “1m0s”) |
| | string | (default “1s”) |
| | string | On which connect port to serve admin (default “8080”) |
| | int32 | specifies the maximum (uncompressed) size of header list that the client is prepared to accept on grpc calls (default 32000) |
| | int | Limit on the number of concurrent streams to each ServerTransport. (default 100) |
| | int | Limit on the size of message that can be received on the server. (default 10485760) |
| | | Enable GRPC Server Reflection (default true) |
| | string | On which http port to serve admin (default “8089”) |
| | string | Path to kubernetes client config file. |
| | string | The address of the Kubernetes API server. |
| | | Enable client grpc histograms (default true) |
| | | Enable grpc histograms (default true) |
| | string | Scope to emit metrics under (default “service:”) |
| | string | On which grpc port to serve admin (default “8080”) |
| | | Enable Profiler on server |
| | string | Profile port to start listen for pprof and metric handlers on. (default “10254”) |
| | | |
| | | Whether to permit localhost unauthenticated access to the server |
| | strings | |
| | strings | |
| | | |
| | string | Override org in identity context if localhost access enabled |
| | | |
| | string | |
| | string | |
| | string | |
| | | |
| | string | Time interval to sync (default “5m0s”) |
| | int | Maximum size of the cache where the Blob store data is cached in-memory. If not specified or set to 0, cache is not used |
| | int | Sets the garbage collection target percentage. |
| | string | Access key to use. Only required when authtype is set to accesskey. |
| | string | Auth Type to use [iam, accesskey]. (default “iam”) |
| | | Disables SSL connection. Should only be used for development. |
| | string | URL for storage client to connect to. |
| | string | Region to connect to. (default “us-east-1”) |
| | string | Secret to use when accesskey is set. |
| | string | Initial container (in s3 a bucket) to create -if it doesn’t exist-. |
| | string | Sets time out on the http client. (default “0s”) |
| | | If this is true, then the container argument is overlooked and redundant. This config will automatically open new connections to new containers/buckets as they are encountered |
| | int | Maximum allowed download size (in MBs) per call. (default 2) |
| | stringToString | Configuration for stow backend. Refer to github/flyteorg/stow (default []) |
| | string | Kind of Stow backend to use. Refer to github/flyteorg/stow |
| | string | Sets the type of storage to configure [s3/minio/local/mem/stow]. (default “s3”) |
| | string | Authorization Header to use when passing Access Tokens to the server (default “flyte-authorization”) |
| | string | Client ID |
| | string | Environment variable containing the client secret |
| | string | File containing the client secret |
| | string | amount of time the device flow would poll the token endpoint if auth server doesn’t return a polling interval. Okta and google IDP do return an interval (default “5s”) |
| | string | grace period from the token expiry after which it would refresh the token. (default “5m0s”) |
| | string | amount of time the device flow should complete or else it will be cancelled. (default “10m0s”) |
| | | Whether to enable an authenticated connection when communicating with admin. (default true) |
| | strings | Command for external authentication token generation |
| | string | grace period from the token expiry after which it would refresh the token. (default “5m0s”) |
| | string | Amount of time the browser session would be active for authentication from client app. (default “15s”) |
| | strings | List of scopes to request |
| | string | Max duration between token refresh attempt and token expiry. (default “1h0m0s”) |
| | string | OPTIONAL: Your IdP’s token endpoint. It’ll be discovered from flyte admin’s OAuth Metadata endpoint if not provided. |
| | string | Type of OAuth2 flow used for communicating with admin. (default “Pkce”) |
| | int | Maximum number of items to keep in the cache before evicting. (default 1000) |
| | string | Host to connect to (default “dns:///utt-mgdp-stg-us-east-2.cloud-staging.union.ai”) |
| | | Whether to connect over insecure channel |
| | | InsecureSkipVerify controls whether a client verifies the server’s certificate chain and host name. Caution: shouldn’t be used for production use cases |
| | | If true, client sends keepalive pings even with no active RPCs. |
| | string | After a duration of this time if the client doesn’t see any activity it pings the server to see if the transport is still alive. (default “20s”) |
| | string | After having pinged for keepalive check, the client waits for a duration of Timeout and if no activity is seen even after that the connection is closed. (default “2m0s”) |
| | string | Max delay for grpc backoff (default “8s”) |
| | int | Maximum size of a message in bytes of a gRPC message (default 10485760) |
| | int | Max number of gRPC retries (default 4) |
| | string | Minimum timeout for establishing a connection (default “20s”) |
| | string | gRPC per retry timeout (default “15s”) |
| | string | Defines gRPC experimental JSON Service Config (default “{“loadBalancingConfig”: [{“round_robin”:{}}]}”) |
| | | Enables passing of trusted claims while making inter service calls |
| | string | External identity claim of the service which is authorized to make internal service call. These are verified against userclouds actions |
| | string | External identity type claim of app or user to use for the current service identity. It should be an ‘app’ for inter service communication |
| | stringToString | (default []) |
| | | Enables internal service to service communication instead of going through ingress. |
| | string | UrlPattern of the internal service endpoints. (default “{{ service }}-helmchart.{{ service }}.svc.cluster.local:80”) |
| | string | Specifies the sidecar docker image to use (default “docker.io/amazon/aws-secrets-manager-secret-sidecar:v0.1.4”) |
| | string | Certificate directory to use to write generated certs. Defaults to /etc/webhook/certs/ (default “/etc/webhook/certs”) |
| | string | AWS region |
| | string | Specifies init container image to use for mounting secrets as files. (default “busybox:1.28”) |
| | string | GCP project to be used for secret manager |
| | string | (default “AWS”) |
| | string | Specifies the sidecar docker image to use (default “gcr.io/google.com/cloudsdktool/cloud-sdk:alpine”) |
| | int | The port to use to listen to webhook calls. Defaults to 9443 (default 9443) |
| | | write certs locally. Defaults to false |
| | string | An optional prefix for all published metrics. (default “flyte:”) |
| | string | Secret name to write generated certs to. (default “flyte-pod-webhook”) |
| | string | The name of the webhook service. (default “flyte-pod-webhook”) |
| | int32 | The port on the service that hosting webhook. (default 443) |
| | string | Specifies the vault role to use (default “flyte”) |