uctl get clusterconfig
Retrieves cluster config
Synopsis
To fetch default cluster config template:
$ uctl get clusterconfig --configID default
To fetch cluster config template:
$ uctl get clusterconfig --clusterName mycluster123
To fetch cluster config template and save to file:
$ uctl get clusterconfig --clusterName mycluster123 --outputFile spec.yaml
To fetch compiled cluster config:
$ uctl get clusterconfig --clusterName mycluster123 --compiled
Options
Option | Type | Description |
---|---|---|
--clusterName | string | Fetch config of cluster with given name |
--compiled | | fetch compiled config for given cluster |
--configID | string | Fetch cluster config with given id |
-h, --help | | help for clusterconfig |
--outputFile | string | optional output file |
Options inherited from parent commands
Option | Type | Description |
---|---|---|
--admin.audience | string | Audience to use when initiating OAuth2 authorization requests. |
--admin.authType | string | Type of OAuth2 flow used for communicating with admin. ClientSecret, Pkce, ExternalCommand are valid values (default “ClientSecret”) |
--admin.authorizationHeader | string | Custom metadata header to pass JWT |
--admin.authorizationServerUrl | string | This is the URL to your IdP’s authorization server. It’ll default to Endpoint |
--admin.caCertFilePath | string | Use specified certificate file to verify the admin server peer. |
--admin.clientId | string | Client ID (default “flytepropeller”) |
--admin.clientSecretEnvVar | string | Environment variable containing the client secret |
--admin.clientSecretLocation | string | File containing the client secret (default “/etc/secrets/client_secret”) |
--admin.command | strings | Command for external authentication token generation |
--admin.defaultOrg | string | OPTIONAL: Default org to use to support non-org based CLIs. |
--admin.defaultServiceConfig | string | |
--admin.deviceFlowConfig.pollInterval | string | amount of time the device flow would poll the token endpoint if auth server doesn’t return a polling interval. Okta and Google IDP do return an interval. (default “5s”) |
--admin.deviceFlowConfig.refreshTime | string | grace period from the token expiry after which it would refresh the token. (default “5m0s”) |
--admin.deviceFlowConfig.timeout | string | amount of time the device flow should complete or else it will be cancelled. (default “10m0s”) |
--admin.endpoint | string | For admin types, specify where the uri of the service is located. |
--admin.httpProxyURL | string | OPTIONAL: HTTP Proxy to be used for OAuth requests. |
--admin.insecure | | Use insecure connection. |
--admin.insecureSkipVerify | | InsecureSkipVerify controls whether a client verifies the server’s certificate chain and host name. Caution: shouldn’t be used for production use cases. |
--admin.maxBackoffDelay | string | Max delay for grpc backoff (default “8s”) |
--admin.maxMessageSizeBytes | int | The max size in bytes for incoming gRPC messages |
--admin.maxRetries | int | Max number of gRPC retries (default 4) |
--admin.perRetryTimeout | string | gRPC per retry timeout (default “15s”) |
--admin.pkceConfig.refreshTime | string | grace period from the token expiry after which it would refresh the token. (default “5m0s”) |
--admin.pkceConfig.timeout | string | Amount of time the browser session would be active for authentication from client app. (default “2m0s”) |
--admin.proxyCommand | strings | Command for external proxy-authorization token generation |
--admin.scopes | strings | List of scopes to request |
--admin.tokenRefreshWindow | string | Max duration between token refresh attempt and token expiry. (default “0s”) |
--admin.tokenUrl | string | OPTIONAL: Your IdP’s token endpoint. It’ll be discovered from flyte admin’s OAuth Metadata endpoint if not provided. |
--admin.useAudienceFromAdmin | | Use Audience configured from admins public endpoint config. |
--admin.useAuth | | Deprecated: Auth will be enabled/disabled based on admin’s dynamically discovered information. |
--auth.appAuth.externalAuthServer.allowedAudience | strings | Optional: A list of allowed audiences. If not provided, the audience is expected to be the public Uri of the service. |
--auth.appAuth.externalAuthServer.baseUrl | string | This should be the base url of the authorization server that you are trying to hit. With Okta for instance, it will look something like https://company.okta.com/oauth2/abcdef123456789/ |
--auth.appAuth.externalAuthServer.httpProxyURL | string | OPTIONAL: HTTP Proxy to be used for OAuth requests. |
--auth.appAuth.externalAuthServer.metadataUrl | string | Optional: If the server doesn’t support /.well-known/oauth-authorization-server, you can set a custom metadata url here. |
--auth.appAuth.externalAuthServer.retryAttempts | int | Optional: The number of attempted retries on a transient failure to get the OAuth metadata (default 5) |
--auth.appAuth.externalAuthServer.retryDelay | string | Optional, Duration to wait between retries (default “1s”) |
--auth.appAuth.selfAuthServer.accessTokenLifespan | string | Defines the lifespan of issued access tokens. (default “30m0s”) |
--auth.appAuth.selfAuthServer.authorizationCodeLifespan | string | Defines the lifespan of issued access tokens. (default “5m0s”) |
--auth.appAuth.selfAuthServer.claimSymmetricEncryptionKeySecretName | string | OPTIONAL: Secret name to use to encrypt claims in authcode token. (default “claim_symmetric_key”) |
--auth.appAuth.selfAuthServer.issuer | string | Defines the issuer to use when issuing and validating tokens. The default value is https://{requestUri.HostAndPort}/ |
--auth.appAuth.selfAuthServer.oldTokenSigningRSAKeySecretName | string | OPTIONAL: Secret name to use to retrieve Old RSA Signing Key. This can be useful during key rotation to continue to accept older tokens. (default “token_rsa_key_old.pem”) |
--auth.appAuth.selfAuthServer.refreshTokenLifespan | string | Defines the lifespan of issued access tokens. (default “1h0m0s”) |
--auth.appAuth.selfAuthServer.tokenSigningRSAKeySecretName | string | OPTIONAL: Secret name to use to retrieve RSA Signing Key. (default “token_rsa_key.pem”) |
--auth.appAuth.thirdPartyConfig.flyteClient.audience | string | Audience to use when initiating OAuth2 authorization requests. |
--auth.appAuth.thirdPartyConfig.flyteClient.clientId | string | public identifier for the app which handles authorization for a Flyte deployment (default “uctl”) |
--auth.appAuth.thirdPartyConfig.flyteClient.redirectUri | string | This is the callback uri registered with the app which handles authorization for a Flyte deployment (default “http://localhost:53593/callback”) |
--auth.appAuth.thirdPartyConfig.flyteClient.scopes | strings | Recommended scopes for the client to request. (default [all,offline]) |
--auth.disableForGrpc | | Disables auth enforcement on Grpc Endpoints. |
--auth.disableForHttp | | Disables auth enforcement on HTTP Endpoints. |
--auth.grpcAuthorizationHeader | string | (default “flyte-authorization”) |
--auth.httpAuthorizationHeader | string | (default “flyte-authorization”) |
--auth.httpProxyURL | string | OPTIONAL: HTTP Proxy to be used for OAuth requests. |
--auth.tokenEndpointProxyPath | string | The path used to proxy calls to the TokenURL |
--auth.userAuth.cookieBlockKeySecretName | string | OPTIONAL: Secret name to use for cookie block key. (default “cookie_block_key”) |
--auth.userAuth.cookieHashKeySecretName | string | OPTIONAL: Secret name to use for cookie hash key. (default “cookie_hash_key”) |
--auth.userAuth.cookieSetting.domain | string | OPTIONAL: Allows you to set the domain attribute on the auth cookies. |
--auth.userAuth.cookieSetting.sameSitePolicy | string | OPTIONAL: Allows you to declare if your cookie should be restricted to a first-party or same-site context. Wrapper around http.SameSite. (default “DefaultMode”) |
--auth.userAuth.httpProxyURL | string | OPTIONAL: HTTP Proxy to be used for OAuth requests. |
--auth.userAuth.idpQueryParameter | string | idp query parameter used for selecting a particular IDP for doing user authentication. Eg: for Okta passing idp={IDP-ID} forces the authentication to happen with IDP-ID |
--auth.userAuth.openId.baseUrl | string | |
--auth.userAuth.openId.clientId | string | |
--auth.userAuth.openId.clientSecretFile | string | |
--auth.userAuth.openId.clientSecretName | string | (default “oidc_client_secret”) |
--auth.userAuth.openId.scopes | strings | (default [openid,profile]) |
--auth.userAuth.redirectUrl | string | (default “/console”) |
--authorizer.internalCommunicationConfig.enabled | | Enables authorization decisions for internal communication. (default true) |
--authorizer.internalCommunicationConfig.ingressIdentity | string | IngressIdentity used in the cluster. Needed to exclude the communication coming from ingress. (default “ingress-nginx.ingress-nginx.serviceaccount.identity.linkerd.cluster.local”) |
--authorizer.internalCommunicationConfig.tenantUrlPatternIdentity | string | UrlPatternIdentity of the internal tenant service endpoint identities. (default “{{ service }}.{{ org }}.serviceaccount.identity.linkerd.cluster.local”) |
--authorizer.internalCommunicationConfig.urlPatternIdentity | string | UrlPatternIdentity of the internal service endpoint identities. (default “{{ service }}-helmchart.{{ service }}.serviceaccount.identity.linkerd.cluster.local”) |
--authorizer.mode | string | (default “Active”) |
--authorizer.organizationConfig.PolicyConfig.adminPolicyDescription | string | description for the boilerplate admin policy (default “Contributor permissions and full admin permissions to manage users and view usage dashboards”) |
--authorizer.organizationConfig.PolicyConfig.contributorPolicyDescription | string | description for the boilerplate contributor policy (default “Viewer permissions and permissions to create workflows, tasks, launch plans, and executions”) |
--authorizer.organizationConfig.PolicyConfig.defaultUserPolicyRoleType | string | name of the role type to determine which default policy new users added to the organization should be assigned (default “Viewer”) |
--authorizer.organizationConfig.PolicyConfig.serverlessContributorPolicyDescription | string | description for the boilerplate serverless contributor policy (default “Viewer permissions and permissions to create workflows, tasks, launch plans, and executions”) |
--authorizer.organizationConfig.PolicyConfig.serverlessViewerPolicyDescription | string | description for the boilerplate serverless viewer policy (default “Permissions to view Flyte entities”) |
--authorizer.organizationConfig.PolicyConfig.viewerPolicyDescription | string | description for the boilerplate viewer policy (default “Permissions to view Flyte entities”) |
--authorizer.organizationConfig.defaultPolicyCacheDuration | string | Cache entry duration for the store of the default policy per organization (default “10m0s”) |
--authorizer.syncRuleRefreshInterval | string | (default “1m0s”) |
--authorizer.type | string | (default “UserClouds”) |
--authorizer.userCloudsClient.cache.redis.ttl.edgeTypes | string | Specifies how long edge types remain in the cache. (default “30m0s”) |
--authorizer.userCloudsClient.cache.redis.ttl.edges | string | Specifies how long edges remain in the cache. (default “30m0s”) |
--authorizer.userCloudsClient.cache.redis.ttl.objectTypes | string | Specifies how long object types remain in the cache. (default “30m0s”) |
--authorizer.userCloudsClient.cache.redis.ttl.objects | string | Specifies how long objects remain in the cache. (default “30m0s”) |
--authorizer.userCloudsClient.cache.type | string | Cache type to use. (default “none”) |
--authorizer.userCloudsClient.clientID | string | UserClouds client id |
--authorizer.userCloudsClient.clientSecretName | string | UserCloud client secret name to read from the secret manager. (default “userclouds-client-secret”) |
--authorizer.userCloudsClient.enableLogging | | Enable userclouds client’s internal logging. Calls to post logs take 250-350 ms and will impact p99 latency, enable with caution. |
--authorizer.userCloudsClient.tenantID | string | UserClouds tenant id. Should be a UUID. |
--authorizer.userCloudsClient.tenantUrl | string | Something like https://{yourtenant}.tenant.userclouds.com |
--config | string | config file (default is /Users/andrew/.union/config.yaml) |
--connection.environment | string | |
--connection.region | string | |
--connection.rootTenantURLPattern | string | Pattern for tenant url. (default “dns:///{{ organization }}.cloud-staging.union.ai”) |
--console.endpoint | string | Endpoint of console, if different than flyte admin |
--database.connMaxLifeTime | string | sets the maximum amount of time a connection may be reused (default “1h0m0s”) |
--database.enableForeignKeyConstraintWhenMigrating | | Whether to enable gorm foreign keys when migrating the db |
--database.maxIdleConnections | int | maxIdleConnections sets the maximum number of connections in the idle connection pool. (default 10) |
--database.maxOpenConnections | int | maxOpenConnections sets the maximum number of open connections to the database. (default 100) |
--database.postgres.dbname | string | The database name (default “postgres”) |
--database.postgres.debug | | |
--database.postgres.host | string | The host name of the database server (default “localhost”) |
--database.postgres.options | string | See http://gorm.io/docs/connecting_to_the_database.html for available options passed, in addition to the above. (default “sslmode=disable”) |
--database.postgres.password | string | The database password. (default “postgres”) |
--database.postgres.passwordPath | string | Points to the file containing the database password. |
--database.postgres.port | int | The port name of the database server (default 30001) |
--database.postgres.readReplicaHost | string | The host name of the read replica database server (default “localhost”) |
--database.postgres.username | string | The database user who is connecting to the server. (default “postgres”) |
--database.sqlite.file | string | The path to the file (existing or new) where the DB should be created / stored. If existing, then this will be re-used, else a new one will be created |
--db.connectionPool.maxConnectionLifetime | string | (default “0s”) |
--db.connectionPool.maxIdleConnections | int | |
--db.connectionPool.maxOpenConnections | int | |
--db.dbname | string | (default “postgres”) |
--db.debug | | |
--db.host | string | (default “postgres”) |
--db.log_level | int | (default 4) |
--db.options | string | (default “sslmode=disable”) |
--db.password | string | |
--db.passwordPath | string | |
--db.port | int | (default 5432) |
--db.username | string | (default “postgres”) |
-d, --domain | string | Specifies the Flyte project’s domain. |
--files.archive | | Pass in archive file either an http link or local path. |
--files.assumableIamRole | string | Custom assumable iam auth role to register launch plans with. |
--files.continueOnError | | Continue on error when registering files. |
--files.destinationDirectory | string | Location of source code in container. |
--files.dryRun | | Execute command without making any modifications. |
--files.enableSchedule | | Enable the schedule if the files contain schedulable launchplan. |
--files.force | | Force use of version number on entities registered with flyte. |
--files.k8ServiceAccount | string | Deprecated. Please use --K8sServiceAccount |
--files.k8sServiceAccount | string | Custom kubernetes service account auth role to register launch plans with. |
--files.outputLocationPrefix | string | Custom output location prefix for offloaded types (files/schemas). |
--files.sourceUploadPath | string | Deprecated: Update flyte admin to avoid having to configure storage access from uctl. |
--files.version | string | Version of the entity to be registered with flyte which are un-versioned after serialization. |
--logger.formatter.type | string | Sets logging format type. (default “json”) |
--logger.level | int | Sets the minimum logging level. (default 3) |
--logger.mute | | Mutes all logs regardless of severity. Intended for benchmarks/tests only. |
--logger.show-source | | Includes source code location in logs. |
--org | string | Organization to work on. If not set, default to user’s org. |
--otel.file.filename | string | Filename to store exported telemetry traces (default “/tmp/trace.txt”) |
--otel.jaeger.endpoint | string | Endpoint for the jaeger telemetry trace ingestor (default “http://localhost:14268/api/traces”) |
--otel.otlpgrpc.endpoint | string | Endpoint for the OTLP telemetry trace collector (default “http://localhost:4317”) |
--otel.otlphttp.endpoint | string | Endpoint for the OTLP telemetry trace collector (default “http://localhost:4318/v1/traces”) |
--otel.sampler.parentSampler | string | Sets the parent sampler to use for the tracer (default “always”) |
--otel.type | string | Sets the type of exporter to configure [noop/file/jaeger/otlpgrpc/otlphttp]. (default “noop”) |
-o, --output | string | Specifies the output type - supported formats [TABLE JSON YAML DOT DOTURL]. NOTE: dot, doturl are only supported for Workflow (default “table”) |
--plugins.catalogcache.reader.maxItems | int | Maximum number of entries to keep in the index. (default 10000) |
--plugins.catalogcache.reader.maxRetries | int | Maximum number of retries per item. (default 3) |
--plugins.catalogcache.reader.workers | int | Number of concurrent workers to start processing the queue. (default 10) |
--plugins.catalogcache.writer.maxItems | int | Maximum number of entries to keep in the index. (default 10000) |
--plugins.catalogcache.writer.maxRetries | int | Maximum number of retries per item. (default 3) |
--plugins.catalogcache.writer.workers | int | Number of concurrent workers to start processing the queue. (default 10) |
-p, --project | string | Specifies the Flyte project. |
--rediscache.passwordSecretName | string | Name of secret with Redis password. |
--rediscache.primaryEndpoint | string | Primary endpoint for the redis cache that can be used for both reads and writes. |
--rediscache.replicaEndpoint | string | Replica endpoint for the redis cache that can be used for reads. |
--secrets.env-prefix | string | Prefix for environment variables (default “FLYTE_SECRET_”) |
--secrets.secrets-prefix | string | Prefix where to look for secrets file (default “/etc/secrets”) |
--secrets.type | string | Sets the type of storage to configure [local]. (default “local”) |
--server.dataProxy.download.maxExpiresIn | string | Maximum allowed expiration duration. (default “1h0m0s”) |
--server.dataProxy.upload.defaultFileNameLength | int | Default length for the generated file name if not provided in the request. (default 20) |
--server.dataProxy.upload.maxExpiresIn | string | Maximum allowed expiration duration. (default “1h0m0s”) |
--server.dataProxy.upload.maxSize | string | Maximum allowed upload size. (default “6Mi”) |
--server.dataProxy.upload.storagePrefix | string | Storage prefix to use for all upload requests. |
--server.grpc.enableGrpcLatencyMetrics | | Enable grpc latency metrics. Note: histogram metrics can be expensive on Prometheus servers. |
--server.grpc.maxMessageSizeBytes | int | The max size in bytes for incoming gRPC messages |
--server.grpc.port | int | On which grpc port to serve admin (default 8089) |
--server.grpc.serverReflection | | Enable GRPC Server Reflection (default true) |
--server.grpcPort | int | deprecated |
--server.grpcServerReflection | | deprecated |
--server.httpPort | int | On which http port to serve admin (default 8088) |
--server.kube-config | string | Path to kubernetes client config file, default is empty, useful for in-cluster config. |
--server.kubeClientConfig.burst | int | Max burst rate for throttle. 0 defaults to 10 (default 25) |
--server.kubeClientConfig.qps | int32 | Max QPS to the master for requests to KubeAPI. 0 defaults to 5. (default 100) |
--server.kubeClientConfig.timeout | string | Max duration allowed for every request to KubeAPI before giving up. 0 implies no timeout. (default “30s”) |
--server.master | string | The address of the Kubernetes API server. |
--server.readHeaderTimeoutSeconds | int | The amount of time allowed to read request headers. (default 32) |
--server.security.allowCors | | (default true) |
--server.security.allowedHeaders | strings | (default [Content-Type,flyte-authorization]) |
--server.security.allowedOrigins | strings | (default [*]) |
--server.security.auditAccess | | |
--server.security.secure | | |
--server.security.ssl.certificateFile | string | |
--server.security.ssl.keyFile | string | |
--server.security.useAuth | | |
--server.thirdPartyConfig.flyteClient.audience | string | Audience to use when initiating OAuth2 authorization requests. |
--server.thirdPartyConfig.flyteClient.clientId | string | public identifier for the app which handles authorization for a Flyte deployment |
--server.thirdPartyConfig.flyteClient.redirectUri | string | This is the callback uri registered with the app which handles authorization for a Flyte deployment |
--server.thirdPartyConfig.flyteClient.scopes | strings | Recommended scopes for the client to request. |
--server.watchService.maxActiveClusterConnections | int | (default 5) |
--server.watchService.maxPageSize | int | (default 50000) |
--server.watchService.nonTerminalStatusUpdatesInterval | string | (default “1m0s”) |
--server.watchService.pollInterval | string | (default “1s”) |
--sharedservice.connectPort | string | On which connect port to serve admin (default “8080”) |
--sharedservice.grpc.grpcMaxResponseStatusBytes | int32 | specifies the maximum (uncompressed) size of header list that the client is prepared to accept on grpc calls (default 32000) |
--sharedservice.grpc.maxConcurrentStreams | int | Limit on the number of concurrent streams to each ServerTransport. (default 100) |
--sharedservice.grpc.maxMessageSizeBytes | int | Limit on the size of message that can be received on the server. (default 10485760) |
--sharedservice.grpcServerReflection | | Enable GRPC Server Reflection (default true) |
--sharedservice.httpPort | string | On which http port to serve admin (default “8089”) |
--sharedservice.kubeConfig | string | Path to kubernetes client config file. |
--sharedservice.master | string | The address of the Kubernetes API server. |
--sharedservice.metrics.enableClientGrpcHistograms | | Enable client grpc histograms (default true) |
--sharedservice.metrics.enableGrpcHistograms | | Enable grpc histograms (default true) |
--sharedservice.metrics.scope | string | Scope to emit metrics under (default “service:”) |
--sharedservice.port | string | On which grpc port to serve admin (default “8080”) |
--sharedservice.profiler.enabled | | Enable Profiler on server |
--sharedservice.profilerPort | string | Profile port to start listen for pprof and metric handlers on. (default “10254”) |
--sharedservice.security.allowCors | | |
--sharedservice.security.allowLocalhostAccess | | Whether to permit localhost unauthenticated access to the server |
--sharedservice.security.allowedHeaders | strings | |
--sharedservice.security.allowedOrigins | strings | |
--sharedservice.security.auditAccess | | |
--sharedservice.security.orgOverride | string | Override org in identity context if localhost access enabled |
--sharedservice.security.secure | | |
--sharedservice.security.ssl.certificateAuthorityFile | string | |
--sharedservice.security.ssl.certificateFile | string | |
--sharedservice.security.ssl.keyFile | string | |
--sharedservice.security.useAuth | | |
--sharedservice.sync.syncInterval | string | Time interval to sync (default “5m0s”) |
--storage.cache.max_size_mbs | int | Maximum size of the cache where the Blob store data is cached in-memory. If not specified or set to 0, cache is not used |
--storage.cache.target_gc_percent | int | Sets the garbage collection target percentage. |
--storage.connection.access-key | string | Access key to use. Only required when authtype is set to accesskey. |
--storage.connection.auth-type | string | Auth Type to use [iam, accesskey]. (default “iam”) |
--storage.connection.disable-ssl | | Disables SSL connection. Should only be used for development. |
--storage.connection.endpoint | string | URL for storage client to connect to. |
--storage.connection.region | string | Region to connect to. (default “us-east-1”) |
--storage.connection.secret-key | string | Secret to use when accesskey is set. |
--storage.container | string | Initial container (in s3 a bucket) to create if it doesn’t exist. |
--storage.defaultHttpClient.timeout | string | Sets time out on the http client. (default “0s”) |
--storage.enable-multicontainer | | If this is true, then the container argument is overlooked and redundant. This config will automatically open new connections to new containers/buckets as they are encountered |
--storage.limits.maxDownloadMBs | int | Maximum allowed download size (in MBs) per call. (default 2) |
--storage.stow.config | stringToString | Configuration for stow backend. Refer to github/flyteorg/stow (default []) |
--storage.stow.kind | string | Kind of Stow backend to use. Refer to github/flyteorg/stow |
--storage.type | string | Sets the type of storage to configure [s3/minio/local/mem/stow]. (default “s3”) |
--union.auth.authorizationMetadataKey | string | Authorization Header to use when passing Access Tokens to the server (default “flyte-authorization”) |
--union.auth.clientId | string | Client ID |
--union.auth.clientSecretEnvVar | string | Environment variable containing the client secret |
--union.auth.clientSecretLocation | string | File containing the client secret |
--union.auth.deviceFlow.pollInterval | string | amount of time the device flow would poll the token endpoint if auth server doesn’t return a polling interval. Okta and Google IDP do return an interval. (default “5s”) |
--union.auth.deviceFlow.refreshTime | string | grace period from the token expiry after which it would refresh the token. (default “5m0s”) |
--union.auth.deviceFlow.timeout | string | amount of time the device flow should complete or else it will be cancelled. (default “10m0s”) |
--union.auth.enable | | Whether to enable an authenticated connection when communicating with admin. (default true) |
--union.auth.externalAuth.command | strings | Command for external authentication token generation |
--union.auth.pkce.refreshTime | string | grace period from the token expiry after which it would refresh the token. (default “5m0s”) |
--union.auth.pkce.timeout | string | Amount of time the browser session would be active for authentication from client app. (default “15s”) |
--union.auth.scopes | strings | List of scopes to request |
--union.auth.tokenRefreshWindow | string | Max duration between token refresh attempt and token expiry. (default “1h0m0s”) |
--union.auth.tokenUrl | string | OPTIONAL: Your IdP’s token endpoint. It’ll be discovered from flyte admin’s OAuth Metadata endpoint if not provided. |
--union.auth.type | string | Type of OAuth2 flow used for communicating with admin. (default “Pkce”) |
--union.cache.maxItemsCount | int | Maximum number of items to keep in the cache before evicting. (default 1000) |
--union.connection.host | string | Host to connect to (default “dns:///utt-mgdp-stg-us-east-2.cloud-staging.union.ai”) |
--union.connection.insecure | | Whether to connect over insecure channel |
--union.connection.insecureSkipVerify | | InsecureSkipVerify controls whether a client verifies the server’s certificate chain and host name. Caution: shouldn’t be used for production use cases. |
--union.connection.keepAliveConfig.permitWithoutStream | | If true, client sends keepalive pings even with no active RPCs. |
--union.connection.keepAliveConfig.time | string | After a duration of this time if the client doesn’t see any activity it pings the server to see if the transport is still alive. (default “20s”) |
--union.connection.keepAliveConfig.timeout | string | After having pinged for keepalive check, the client waits for a duration of Timeout and if no activity is seen even after that the connection is closed. (default “2m0s”) |
--union.connection.maxBackoffDelay | string | Max delay for grpc backoff (default “8s”) |
--union.connection.maxRecvMsgSize | int | Maximum size of a message in bytes of a gRPC message (default 10485760) |
--union.connection.maxRetries | int | Max number of gRPC retries (default 4) |
--union.connection.minConnectTimeout | string | Minimum timeout for establishing a connection (default “20s”) |
--union.connection.perRetryTimeout | string | gRPC per retry timeout (default “15s”) |
--union.connection.serviceConfig | string | Defines gRPC experimental JSON Service Config (default “{"loadBalancingConfig": [{"round_robin":{}}]}”) |
--union.connection.trustedIdentityClaims.enabled | | Enables passing of trusted claims while making inter service calls |
--union.connection.trustedIdentityClaims.externalIdentityClaim | string | External identity claim of the service which is authorized to make internal service call. These are verified against userclouds actions |
--union.connection.trustedIdentityClaims.externalIdentityTypeClaim | string | External identity type claim of app or user to use for the current service identity. It should be an ‘app’ for inter service communication |
--union.internalConnectionConfig.- | stringToString | (default []) |
--union.internalConnectionConfig.enabled | | Enables internal service to service communication instead of going through ingress. |
--union.internalConnectionConfig.urlPattern | string | UrlPattern of the internal service endpoints. (default “{{ service }}-helmchart.{{ service }}.svc.cluster.local:80”) |
--webhook.awsSecretManager.sidecarImage | string | Specifies the sidecar docker image to use (default “docker.io/amazon/aws-secrets-manager-secret-sidecar:v0.1.4”) |
--webhook.certDir | string | Certificate directory to use to write generated certs. Defaults to /etc/webhook/certs/ (default “/etc/webhook/certs”) |
--webhook.embeddedSecretManagerConfig.awsConfig.region | string | AWS region |
--webhook.embeddedSecretManagerConfig.fileMountInitContainer.image | string | Specifies init container image to use for mounting secrets as files. (default “busybox:1.28”) |
--webhook.embeddedSecretManagerConfig.gcpConfig.project | string | GCP project to be used for secret manager |
--webhook.embeddedSecretManagerConfig.type | string | (default “AWS”) |
--webhook.gcpSecretManager.sidecarImage | string | Specifies the sidecar docker image to use (default “gcr.io/google.com/cloudsdktool/cloud-sdk:alpine”) |
--webhook.listenPort | int | The port to use to listen to webhook calls. Defaults to 9443 (default 9443) |
--webhook.localCert | | write certs locally. Defaults to false |
--webhook.metrics-prefix | string | An optional prefix for all published metrics. (default “flyte:”) |
--webhook.secretName | string | Secret name to write generated certs to. (default “flyte-pod-webhook”) |
--webhook.serviceName | string | The name of the webhook service. (default “flyte-pod-webhook”) |
--webhook.servicePort | int32 | The port on the service that is hosting the webhook. (default 443) |
--webhook.vaultSecretManager.role | string | Specifies the vault role to use (default “flyte”) |