uctl get clusterconfig

Retrieves cluster config

Synopsis

To fetch default cluster config template:

$ uctl get clusterconfig --configID default

To fetch cluster config template:

$ uctl get clusterconfig --clusterName mycluster123

To fetch cluster config template and save to file:

$ uctl get clusterconfig --clusterName mycluster123 --outputFile spec.yaml

To fetch compiled cluster config:

$ uctl get clusterconfig --clusterName mycluster123 --compiled

Options

Option	Type	Description
`--clusterName`	string	Fetch config of cluster with given name
`--compiled`		fetch compiled config for given cluster
`--configID`	string	Fetch cluster config with given id
`-h`, `--help`	help for clusterconfig
`--outputFile`	string	optional output file

Options inherited from parent commands

Option	Type	Description
`--admin.audience`	string	Audience to use when initiating OAuth2 authorization requests.
`--admin.authType`	string	Type of OAuth2 flow used for communicating with admin.ClientSecret, Pkce, ExternalCommand are valid values (default “ClientSecret”)
`--admin.authorizationHeader`	string	Custom metadata header to pass JWT
`--admin.authorizationServerUrl`	string	This is the URL to your IdP’s authorization server. It’ll default to Endpoint
`--admin.caCertFilePath`	string	Use specified certificate file to verify the admin server peer.
`--admin.clientId`	string	Client ID (default “flytepropeller”)
`--admin.clientSecretEnvVar`	string	Environment variable containing the client secret
`--admin.clientSecretLocation`	string	File containing the client secret (default “/etc/secrets/client_secret”)
`--admin.command`	strings	Command for external authentication token generation
`--admin.defaultOrg`	string	OPTIONAL: Default org to use to support non-org based cli’s.'.
`--admin.defaultServiceConfig`	string
`--admin.deviceFlowConfig.pollInterval`	string	amount of time the device flow would poll the token endpoint if auth server doesn’t return a polling interval. Okta and google IDP do return an interval’ (default “5s”)
`--admin.deviceFlowConfig.refreshTime`	string	grace period from the token expiry after which it would refresh the token. (default “5m0s”)
`--admin.deviceFlowConfig.timeout`	string	amount of time the device flow should complete or else it will be cancelled. (default “10m0s”)
`--admin.endpoint`	string	For admin types, specify where the uri of the service is located.
`--admin.httpProxyURL`	string	OPTIONAL: HTTP Proxy to be used for OAuth requests.
`--admin.insecure`		Use insecure connection.
`--admin.insecureSkipVerify`		InsecureSkipVerify controls whether a client verifies the server’s certificate chain and host name.Caution: shouldn’t be use for production usecases'
`--admin.maxBackoffDelay`	string	Max delay for grpc backoff (default “8s”)
`--admin.maxMessageSizeBytes`	int	The max size in bytes for incoming gRPC messages
`--admin.maxRetries`	int	Max number of gRPC retries (default 4)
`--admin.perRetryTimeout`	string	gRPC per retry timeout (default “15s”)
`--admin.pkceConfig.refreshTime`	string	grace period from the token expiry after which it would refresh the token. (default “5m0s”)
`--admin.pkceConfig.timeout`	string	Amount of time the browser session would be active for authentication from client app. (default “2m0s”)
`--admin.proxyCommand`	strings	Command for external proxy-authorization token generation
`--admin.scopes`	strings	List of scopes to request
`--admin.tokenRefreshWindow`	string	Max duration between token refresh attempt and token expiry. (default “0s”)
`--admin.tokenUrl`	string	OPTIONAL: Your IdP’s token endpoint. It’ll be discovered from flyte admin’s OAuth Metadata endpoint if not provided.
`--admin.useAudienceFromAdmin`		Use Audience configured from admins public endpoint config.
`--admin.useAuth`		Deprecated: Auth will be enabled/disabled based on admin’s dynamically discovered information.
`--auth.appAuth.externalAuthServer.allowedAudience`	strings	Optional: A list of allowed audiences. If not provided, the audience is expected to be the public Uri of the service.
`--auth.appAuth.externalAuthServer.baseUrl`	string	This should be the base url of the authorization server that you are trying to hit. With Okta for instance, it will look something like https://company.okta.com/oauth2/abcdef123456789/
`--auth.appAuth.externalAuthServer.httpProxyURL`	string	OPTIONAL: HTTP Proxy to be used for OAuth requests.
`--auth.appAuth.externalAuthServer.metadataUrl`	string	Optional: If the server doesn’t support /.well-known/oauth-authorization-server, you can set a custom metadata url here.'
`--auth.appAuth.externalAuthServer.retryAttempts`	int	Optional: The number of attempted retries on a transient failure to get the OAuth metadata (default 5)
`--auth.appAuth.externalAuthServer.retryDelay`	string	Optional, Duration to wait between retries (default “1s”)
`--auth.appAuth.selfAuthServer.accessTokenLifespan`	string	Defines the lifespan of issued access tokens. (default “30m0s”)
`--auth.appAuth.selfAuthServer.authorizationCodeLifespan`	string	Defines the lifespan of issued access tokens. (default “5m0s”)
`--auth.appAuth.selfAuthServer.claimSymmetricEncryptionKeySecretName`	string	OPTIONAL: Secret name to use to encrypt claims in authcode token. (default “claim_symmetric_key”)
`--auth.appAuth.selfAuthServer.issuer`	string	Defines the issuer to use when issuing and validating tokens. The default value is https://{requestUri.HostAndPort}/
`--auth.appAuth.selfAuthServer.oldTokenSigningRSAKeySecretName`	string	OPTIONAL: Secret name to use to retrieve Old RSA Signing Key. This can be useful during key rotation to continue to accept older tokens. (default “token_rsa_key_old.pem”)
`--auth.appAuth.selfAuthServer.refreshTokenLifespan`	string	Defines the lifespan of issued access tokens. (default “1h0m0s”)
`--auth.appAuth.selfAuthServer.tokenSigningRSAKeySecretName`	string	OPTIONAL: Secret name to use to retrieve RSA Signing Key. (default “token_rsa_key.pem”)
`--auth.appAuth.thirdPartyConfig.flyteClient.audience`	string	Audience to use when initiating OAuth2 authorization requests.
`--auth.appAuth.thirdPartyConfig.flyteClient.clientId`	string	public identifier for the app which handles authorization for a Flyte deployment (default “uctl”)
`--auth.appAuth.thirdPartyConfig.flyteClient.redirectUri`	string	This is the callback uri registered with the app which handles authorization for a Flyte deployment (default “http://localhost:53593/callback”)
`--auth.appAuth.thirdPartyConfig.flyteClient.scopes`	strings	Recommended scopes for the client to request. (default [all,offline])
`--auth.disableForGrpc`		Disables auth enforcement on Grpc Endpoints.
`--auth.disableForHttp`		Disables auth enforcement on HTTP Endpoints.
`--auth.grpcAuthorizationHeader`	string	(default “flyte-authorization”)
`--auth.httpAuthorizationHeader`	string	(default “flyte-authorization”)
`--auth.httpProxyURL`	string	OPTIONAL: HTTP Proxy to be used for OAuth requests.
`--auth.tokenEndpointProxyPath`	string	The path used to proxy calls to the TokenURL
`--auth.userAuth.cookieBlockKeySecretName`	string	OPTIONAL: Secret name to use for cookie block key. (default “cookie_block_key”)
`--auth.userAuth.cookieHashKeySecretName`	string	OPTIONAL: Secret name to use for cookie hash key. (default “cookie_hash_key”)
`--auth.userAuth.cookieSetting.domain`	string	OPTIONAL: Allows you to set the domain attribute on the auth cookies.
`--auth.userAuth.cookieSetting.sameSitePolicy`	string	OPTIONAL: Allows you to declare if your cookie should be restricted to a first-party or same-site context.Wrapper around http.SameSite. (default “DefaultMode”)
`--auth.userAuth.httpProxyURL`	string	OPTIONAL: HTTP Proxy to be used for OAuth requests.
`--auth.userAuth.idpQueryParameter`	string	idp query parameter used for selecting a particular IDP for doing user authentication. Eg: for Okta passing idp={IDP-ID} forces the authentication to happen with IDP-ID
`--auth.userAuth.openId.baseUrl`	string
`--auth.userAuth.openId.clientId`	string
`--auth.userAuth.openId.clientSecretFile`	string
`--auth.userAuth.openId.clientSecretName`	string	(default “oidc_client_secret”)
`--auth.userAuth.openId.scopes`	strings	(default [openid,profile])
`--auth.userAuth.redirectUrl`	string	(default “/console”)
`--authorizer.internalCommunicationConfig.enabled`		Enables authorization decisions for internal communication. (default true)
`--authorizer.internalCommunicationConfig.ingressIdentity`	string	IngressIdentity used in the cluster. Needed to exclude the communication coming from ingress. (default “ingress-nginx.ingress-nginx.serviceaccount.identity.linkerd.cluster.local”)
`--authorizer.internalCommunicationConfig.tenantUrlPatternIdentity`	string	UrlPatternIdentity of the internal tenant service endpoint identities. (default “{{ service }}.{{ org }}.serviceaccount.identity.linkerd.cluster.local”)
`--authorizer.internalCommunicationConfig.urlPatternIdentity`	string	UrlPatternIdentity of the internal service endpoint identities. (default “{{ service }}-helmchart.{{ service }}.serviceaccount.identity.linkerd.cluster.local”)
`--authorizer.mode`	string	(default “Active”)
`--authorizer.organizationConfig.PolicyConfig.adminPolicyDescription`	string	description for the boilerplate admin policy (default “Contributor permissions and full admin permissions to manage users and view usage dashboards”)
`--authorizer.organizationConfig.PolicyConfig.contributorPolicyDescription`	string	description for the boilerplate contributor policy (default “Viewer permissions and permissions to create workflows, tasks, launch plans, and executions”)
`--authorizer.organizationConfig.PolicyConfig.defaultUserPolicyRoleType`	string	name of the role type to determine which default policy new users added to the organization should be assigned (default “Viewer”)
`--authorizer.organizationConfig.PolicyConfig.serverlessContributorPolicyDescription`	string	description for the boilerplate serverless contributor policy (default “Viewer permissions and permissions to create workflows, tasks, launch plans, and executions”)
`--authorizer.organizationConfig.PolicyConfig.serverlessViewerPolicyDescription`	string	description for the boilerplate serverless viewer policy (default “Permissions to view Flyte entities”)
`--authorizer.organizationConfig.PolicyConfig.viewerPolicyDescription`	string	description for the boilerplate viewer policy (default “Permissions to view Flyte entities”)
`--authorizer.organizationConfig.defaultPolicyCacheDuration`	string	Cache entry duration for the store of the default policy per organization (default “10m0s”)
`--authorizer.syncRuleRefreshInterval`	string	(default “1m0s”)
`--authorizer.type`	string	(default “UserClouds”)
`--authorizer.userCloudsClient.cache.redis.ttl.edgeTypes`	string	Specifies how long edge types remain in the cache.. (default “30m0s”)
`--authorizer.userCloudsClient.cache.redis.ttl.edges`	string	Specifies how long edges remain in the cache. (default “30m0s”)
`--authorizer.userCloudsClient.cache.redis.ttl.objectTypes`	string	Specifies how long object types remain in the cache. (default “30m0s”)
`--authorizer.userCloudsClient.cache.redis.ttl.objects`	string	Specifies how long objects remain in the cache. (default “30m0s”)
`--authorizer.userCloudsClient.cache.type`	string	Cache type to use. (default “none”)
`--authorizer.userCloudsClient.clientID`	string	UserClouds client id
`--authorizer.userCloudsClient.clientSecretName`	string	UserCloud client secret name to read from the secret manager. (default “userclouds-client-secret”)
`--authorizer.userCloudsClient.enableLogging`		Enable userclouds client’s internal logging. Calls to post logs take 250-350 ms and will impact p99 latency, enable with caution.
`--authorizer.userCloudsClient.tenantID`	string	UserClouds tenant id. Should be a UUID.
`--authorizer.userCloudsClient.tenantUrl`	string	Something like https://{yourtenant}.tenant.userclouds.com
`--config`	string	config file (default is /Users/andrew/.union/config.yaml)
`--connection.environment`	string
`--connection.region`	string
`--connection.rootTenantURLPattern`	string	Pattern for tenant url. (default “dns:///{{ organization }}.cloud-staging.union.ai”)
`--console.endpoint`	string	Endpoint of console, if different than flyte admin
`--database.connMaxLifeTime`	string	sets the maximum amount of time a connection may be reused (default “1h0m0s”)
`--database.enableForeignKeyConstraintWhenMigrating`		Whether to enable gorm foreign keys when migrating the db
`--database.maxIdleConnections`	int	maxIdleConnections sets the maximum number of connections in the idle connection pool. (default 10)
`--database.maxOpenConnections`	int	maxOpenConnections sets the maximum number of open connections to the database. (default 100)
`--database.postgres.dbname`	string	The database name (default “postgres”)
`--database.postgres.debug`
`--database.postgres.host`	string	The host name of the database server (default “localhost”)
`--database.postgres.options`	string	See http://gorm.io/docs/connecting_to_the_database.html for available options passed, in addition to the above. (default “sslmode=disable”)
`--database.postgres.password`	string	The database password. (default “postgres”)
`--database.postgres.passwordPath`	string	Points to the file containing the database password.
`--database.postgres.port`	int	The port name of the database server (default 30001)
`--database.postgres.readReplicaHost`	string	The host name of the read replica database server (default “localhost”)
`--database.postgres.username`	string	The database user who is connecting to the server. (default “postgres”)
`--database.sqlite.file`	string	The path to the file (existing or new) where the DB should be created / stored. If existing, then this will be re-used, else a new will be created
`--db.connectionPool.maxConnectionLifetime`	string	(default “0s”)
`--db.connectionPool.maxIdleConnections`	int
`--db.connectionPool.maxOpenConnections`	int
`--db.dbname`	string	(default “postgres”)
`--db.debug`
`--db.host`	string	(default “postgres”)
`--db.log_level`	int	(default 4)
`--db.options`	string	(default “sslmode=disable”)
`--db.password`	string
`--db.passwordPath`	string
`--db.port`	int	(default 5432)
`--db.username`	string	(default “postgres”)
`-d`, `--domain`	string	Specifies the Flyte project’s domain.
`--files.archive`		Pass in archive file either an http link or local path.
`--files.assumableIamRole`	string	Custom assumable iam auth role to register launch plans with.
`--files.continueOnError`		Continue on error when registering files.
`--files.destinationDirectory`	string	Location of source code in container.
`--files.dryRun`		Execute command without making any modifications.
`--files.enableSchedule`		Enable the schedule if the files contain schedulable launchplan.
`--files.force`		Force use of version number on entities registered with flyte.
`--files.k8ServiceAccount`	string	Deprecated. Please use `--K8sServiceAccount`
`--files.k8sServiceAccount`	string	Custom kubernetes service account auth role to register launch plans with.
`--files.outputLocationPrefix`	string	Custom output location prefix for offloaded types (files/schemas).
`--files.sourceUploadPath`	string	Deprecated: Update flyte admin to avoid having to configure storage access from uctl.
`--files.version`	string	Version of the entity to be registered with flyte which are un-versioned after serialization.
`--logger.formatter.type`	string	Sets logging format type. (default “json”)
`--logger.level`	int	Sets the minimum logging level. (default 3)
`--logger.mute`		Mutes all logs regardless of severity. Intended for benchmarks/tests only.
`--logger.show-source`		Includes source code location in logs.
`--org`	string	Organization to work on. If not set, default to user’s org.
`--otel.file.filename`	string	Filename to store exported telemetry traces (default “/tmp/trace.txt”)
`--otel.jaeger.endpoint`	string	Endpoint for the jaeger telemetry trace ingestor (default “http://localhost:14268/api/traces”)
`--otel.otlpgrpc.endpoint`	string	Endpoint for the OTLP telemetry trace collector (default “http://localhost:4317”)
`--otel.otlphttp.endpoint`	string	Endpoint for the OTLP telemetry trace collector (default “http://localhost:4318/v1/traces”)
`--otel.sampler.parentSampler`	string	Sets the parent sampler to use for the tracer (default “always”)
`--otel.type`	string	Sets the type of exporter to configure [noop/file/jaeger/otlpgrpc/otlphttp]. (default “noop”)
`-o`, `--output`	string	Specifies the output type - supported formats [TABLE JSON YAML DOT DOTURL]. NOTE: dot, doturl are only supported for Workflow (default “table”)
`--plugins.catalogcache.reader.maxItems`	int	Maximum number of entries to keep in the index. (default 10000)
`--plugins.catalogcache.reader.maxRetries`	int	Maximum number of retries per item. (default 3)
`--plugins.catalogcache.reader.workers`	int	Number of concurrent workers to start processing the queue. (default 10)
`--plugins.catalogcache.writer.maxItems`	int	Maximum number of entries to keep in the index. (default 10000)
`--plugins.catalogcache.writer.maxRetries`	int	Maximum number of retries per item. (default 3)
`--plugins.catalogcache.writer.workers`	int	Number of concurrent workers to start processing the queue. (default 10)
`-p`, `--project`	string	Specifies the Flyte project.
`--rediscache.passwordSecretName`	string	Name of secret with Redis password.
`--rediscache.primaryEndpoint`	string	Primary endpoint for the redis cache that can be used for both reads and writes.
`--rediscache.replicaEndpoint`	string	Replica endpoint for the redis cache that can be used for reads.
`--secrets.env-prefix`	string	Prefix for environment variables (default “FLYTE_SECRET_”)
`--secrets.secrets-prefix`	string	Prefix where to look for secrets file (default “/etc/secrets”)
`--secrets.type`	string	Sets the type of storage to configure [local]. (default “local”)
`--server.dataProxy.download.maxExpiresIn`	string	Maximum allowed expiration duration. (default “1h0m0s”)
`--server.dataProxy.upload.defaultFileNameLength`	int	Default length for the generated file name if not provided in the request. (default 20)
`--server.dataProxy.upload.maxExpiresIn`	string	Maximum allowed expiration duration. (default “1h0m0s”)
`--server.dataProxy.upload.maxSize`	string	Maximum allowed upload size. (default “6Mi”)
`--server.dataProxy.upload.storagePrefix`	string	Storage prefix to use for all upload requests.
`--server.grpc.enableGrpcLatencyMetrics`		Enable grpc latency metrics. Note Histograms metrics can be expensive on Prometheus servers.
`--server.grpc.maxMessageSizeBytes`	int	The max size in bytes for incoming gRPC messages
`--server.grpc.port`	int	On which grpc port to serve admin (default 8089)
`--server.grpc.serverReflection`		Enable GRPC Server Reflection (default true)
`--server.grpcPort`	int	deprecated
`--server.grpcServerReflection`		deprecated
`--server.httpPort`	int	On which http port to serve admin (default 8088)
`--server.kube-config`	string	Path to kubernetes client config file, default is empty, useful for incluster config.
`--server.kubeClientConfig.burst`	int	Max burst rate for throttle. 0 defaults to 10 (default 25)
`--server.kubeClientConfig.qps`	int32	Max QPS to the master for requests to KubeAPI. 0 defaults to 5. (default 100)
`--server.kubeClientConfig.timeout`	string	Max duration allowed for every request to KubeAPI before giving up. 0 implies no timeout. (default “30s”)
`--server.master`	string	The address of the Kubernetes API server.
`--server.readHeaderTimeoutSeconds`	int	The amount of time allowed to read request headers. (default 32)
`--server.security.allowCors`		(default true)
`--server.security.allowedHeaders`	strings	(default [Content-Type,flyte-authorization])
`--server.security.allowedOrigins`	strings	(default [*])
`--server.security.auditAccess`
`--server.security.secure`
`--server.security.ssl.certificateFile`	string
`--server.security.ssl.keyFile`	string
`--server.security.useAuth`
`--server.thirdPartyConfig.flyteClient.audience`	string	Audience to use when initiating OAuth2 authorization requests.
`--server.thirdPartyConfig.flyteClient.clientId`	string	public identifier for the app which handles authorization for a Flyte deployment
`--server.thirdPartyConfig.flyteClient.redirectUri`	string	This is the callback uri registered with the app which handles authorization for a Flyte deployment
`--server.thirdPartyConfig.flyteClient.scopes`	strings	Recommended scopes for the client to request.
`--server.watchService.maxActiveClusterConnections`	int	(default 5)
`--server.watchService.maxPageSize`	int	(default 50000)
`--server.watchService.nonTerminalStatusUpdatesInterval`	string	(default “1m0s”)
`--server.watchService.pollInterval`	string	(default “1s”)
`--sharedservice.connectPort`	string	On which connect port to serve admin (default “8080”)
`--sharedservice.grpc.grpcMaxResponseStatusBytes`	int32	specifies the maximum (uncompressed) size of header list that the client is prepared to accept on grpc calls (default 32000)
`--sharedservice.grpc.maxConcurrentStreams`	int	Limit on the number of concurrent streams to each ServerTransport. (default 100)
`--sharedservice.grpc.maxMessageSizeBytes`	int	Limit on the size of message that can be received on the server. (default 10485760)
`--sharedservice.grpcServerReflection`		Enable GRPC Server Reflection (default true)
`--sharedservice.httpPort`	string	On which http port to serve admin (default “8089”)
`--sharedservice.kubeConfig`	string	Path to kubernetes client config file.
`--sharedservice.master`	string	The address of the Kubernetes API server.
`--sharedservice.metrics.enableClientGrpcHistograms`		Enable client grpc histograms (default true)
`--sharedservice.metrics.enableGrpcHistograms`		Enable grpc histograms (default true)
`--sharedservice.metrics.scope`	string	Scope to emit metrics under (default “service:”)
`--sharedservice.port`	string	On which grpc port to serve admin (default “8080”)
`--sharedservice.profiler.enabled`		Enable Profiler on server
`--sharedservice.profilerPort`	string	Profile port to start listen for pprof and metric handlers on. (default “10254”)
`--sharedservice.security.allowCors`
`--sharedservice.security.allowLocalhostAccess`		Whether to permit localhost unauthenticated access to the server
`--sharedservice.security.allowedHeaders`	strings
`--sharedservice.security.allowedOrigins`	strings
`--sharedservice.security.auditAccess`
`--sharedservice.security.orgOverride`	string	Override org in identity context if localhost access enabled
`--sharedservice.security.secure`
`--sharedservice.security.ssl.certificateAuthorityFile`	string
`--sharedservice.security.ssl.certificateFile`	string
`--sharedservice.security.ssl.keyFile`	string
`--sharedservice.security.useAuth`
`--sharedservice.sync.syncInterval`	string	Time interval to sync (default “5m0s”)
`--storage.cache.max_size_mbs`	int	Maximum size of the cache where the Blob store data is cached in-memory. If not specified or set to 0, cache is not used
`--storage.cache.target_gc_percent`	int	Sets the garbage collection target percentage.
`--storage.connection.access-key`	string	Access key to use. Only required when authtype is set to accesskey.
`--storage.connection.auth-type`	string	Auth Type to use [iam, accesskey]. (default “iam”)
`--storage.connection.disable-ssl`		Disables SSL connection. Should only be used for development.
`--storage.connection.endpoint`	string	URL for storage client to connect to.
`--storage.connection.region`	string	Region to connect to. (default “us-east-1”)
`--storage.connection.secret-key`	string	Secret to use when accesskey is set.
`--storage.container`	string	Initial container (in s3 a bucket) to create -if it doesn’t exist-.'
`--storage.defaultHttpClient.timeout`	string	Sets time out on the http client. (default “0s”)
`--storage.enable-multicontainer`		If this is true, then the container argument is overlooked and redundant. This config will automatically open new connections to new containers/buckets as they are encountered
`--storage.limits.maxDownloadMBs`	int	Maximum allowed download size (in MBs) per call. (default 2)
`--storage.stow.config`	stringToString	Configuration for stow backend. Refer to github/flyteorg/stow (default [])
`--storage.stow.kind`	string	Kind of Stow backend to use. Refer to github/flyteorg/stow
`--storage.type`	string	Sets the type of storage to configure [s3/minio/local/mem/stow]. (default “s3”)
`--union.auth.authorizationMetadataKey`	string	Authorization Header to use when passing Access Tokens to the server (default “flyte-authorization”)
`--union.auth.clientId`	string	Client ID
`--union.auth.clientSecretEnvVar`	string	Environment variable containing the client secret
`--union.auth.clientSecretLocation`	string	File containing the client secret
`--union.auth.deviceFlow.pollInterval`	string	amount of time the device flow would poll the token endpoint if auth server doesn’t return a polling interval. Okta and google IDP do return an interval’ (default “5s”)
`--union.auth.deviceFlow.refreshTime`	string	grace period from the token expiry after which it would refresh the token. (default “5m0s”)
`--union.auth.deviceFlow.timeout`	string	amount of time the device flow should complete or else it will be cancelled. (default “10m0s”)
`--union.auth.enable`		Whether to enable an authenticated conenction when communicating with admin. (default true)
`--union.auth.externalAuth.command`	strings	Command for external authentication token generation
`--union.auth.pkce.refreshTime`	string	grace period from the token expiry after which it would refresh the token. (default “5m0s”)
`--union.auth.pkce.timeout`	string	Amount of time the browser session would be active for authentication from client app. (default “15s”)
`--union.auth.scopes`	strings	List of scopes to request
`--union.auth.tokenRefreshWindow`	string	Max duration between token refresh attempt and token expiry. (default “1h0m0s”)
`--union.auth.tokenUrl`	string	OPTIONAL: Your IdP’s token endpoint. It’ll be discovered from flyte admin’s OAuth Metadata endpoint if not provided.
`--union.auth.type`	string	Type of OAuth2 flow used for communicating with admin. (default “Pkce”)
`--union.cache.maxItemsCount`	int	Maximum number of items to keep in the cache before evicting. (default 1000)
`--union.connection.host`	string	Host to connect to (default “dns:///utt-mgdp-stg-us-east-2.cloud-staging.union.ai”)
`--union.connection.insecure`		Whether to connect over insecure channel
`--union.connection.insecureSkipVerify`		InsecureSkipVerify controls whether a client verifies the server’s certificate chain and host name.Caution: shouldn’t be use for production usecases'
`--union.connection.keepAliveConfig.permitWithoutStream`		If true, client sends keepalive pings even with no active RPCs.
`--union.connection.keepAliveConfig.time`	string	After a duration of this time if the client doesn’t see any activity it pings the server to see if the transport is still alive. (default “20s”)
`--union.connection.keepAliveConfig.timeout`	string	After having pinged for keepalive check, the client waits for a duration of Timeout and if no activity is seen even after that the connection is closed. (default “2m0s”)
`--union.connection.maxBackoffDelay`	string	Max delay for grpc backoff (default “8s”)
`--union.connection.maxRecvMsgSize`	int	Maximum size of a message in bytes of a gRPC message (default 10485760)
`--union.connection.maxRetries`	int	Max number of gRPC retries (default 4)
`--union.connection.minConnectTimeout`	string	Minimum timeout for establishing a connection (default “20s”)
`--union.connection.perRetryTimeout`	string	gRPC per retry timeout (default “15s”)
`--union.connection.serviceConfig`	string	Defines gRPC experimental JSON Service Config (default “{“loadBalancingConfig”: [{“round_robin”:{}}]}”)
`--union.connection.trustedIdentityClaims.enabled`		Enables passing of trusted claims while making inter service calls
`--union.connection.trustedIdentityClaims.externalIdentityClaim`	string	External identity claim of the service which is authorized to make internal service call. These are verified against userclouds actions
`--union.connection.trustedIdentityClaims.externalIdentityTypeClaim`	string	External identity type claim of app or user to use for the current service identity. It should be an ‘app’ for inter service communication
`--union.internalConnectionConfig.-`	stringToString	(default [])
`--union.internalConnectionConfig.enabled`		Enables internal service to service communication instead of going through ingress.
`--union.internalConnectionConfig.urlPattern`	string	UrlPattern of the internal service endpoints. (default “{{ service }}-helmchart.{{ service }}.svc.cluster.local:80”)
`--webhook.awsSecretManager.sidecarImage`	string	Specifies the sidecar docker image to use (default “docker.io/amazon/aws-secrets-manager-secret-sidecar:v0.1.4”)
`--webhook.certDir`	string	Certificate directory to use to write generated certs. Defaults to /etc/webhook/certs/ (default “/etc/webhook/certs”)
`--webhook.embeddedSecretManagerConfig.awsConfig.region`	string	AWS region
`--webhook.embeddedSecretManagerConfig.fileMountInitContainer.image`	string	Specifies init container image to use for mounting secrets as files. (default “busybox:1.28”)
`--webhook.embeddedSecretManagerConfig.gcpConfig.project`	string	GCP project to be used for secret manager
`--webhook.embeddedSecretManagerConfig.type`	string	(default “AWS”)
`--webhook.gcpSecretManager.sidecarImage`	string	Specifies the sidecar docker image to use (default “gcr.io/google.com/cloudsdktool/cloud-sdk:alpine”)
`--webhook.listenPort`	int	The port to use to listen to webhook calls. Defaults to 9443 (default 9443)
`--webhook.localCert`		write certs locally. Defaults to false
`--webhook.metrics-prefix`	string	An optional prefix for all published metrics. (default “flyte:”)
`--webhook.secretName`	string	Secret name to write generated certs to. (default “flyte-pod-webhook”)
`--webhook.serviceName`	string	The name of the webhook service. (default “flyte-pod-webhook”)
`--webhook.servicePort`	int32	The port on the service that hosting webhook. (default 443)
`--webhook.vaultSecretManager.role`	string	Specifies the vault role to use (default “flyte”)