Flytectl CLI
The flytectl CLI provides functionality for Union administrators to manage Union-specific entities like users, roles, and Union configuration.
It also includes much of the functionality of the
pyflyte CLI, but since it is a compiled binary (written in Go), it is faster and more efficient than the Python-based pyflyte CLI and more suitable for situations like running in a CI/CD environment where you might want to avoid the overhead of large Python dependencies.
If you are not a Union administrator, or if you will be interacting with Union in an environment where
Python is installed, you should use the
pyflyte CLI instead.
Installation
To install Homebrew curl To use Manual download To download the binary manually, see the
To install curl To use Manual download To download the binary manually, see the
To install curl To use Manual download To download the binary manually, see the
flytectl on a Mac, use
Homebrew, curl, or manually download the binary.$ brew tap flyteorg/homebrew-tap
$ brew install flytectlcurl, set BINDIR to the install location (it defaults to ./bin) and run the following command:$ curl -sL https://ctl.flyte.org/install | bashflytectl releases page.flytectl on Linux, use curl or manually download the binary.curl, set BINDIR to the install location (it defaults to ./bin) and run the following command:$ curl -sL https://ctl.flyte.org/install | bashflytectl releases page.flytectl on Windows, use curl or manually download the binary.curl, in a Linux shell (such as
WSL), set BINDIR to the install location (it defaults to ./bin) and run the following command:$ curl -sL https://ctl.flyte.org/install | bashflytectl releases page.
Configuration
To create a configuration file that contains your Union connection information, run the following command, replacing <union-host-url> with the URL of your Union instance:
$ flytectl config init --host <flyte-host-url>This will create a new configuration file at ~/.flyte/config.yaml:
admin:
endpoint: dns:///<flyte-host-url>
insecure: false
authType: PkcePKCE is the default authentication type. To specify a different authentication type in the configuration file, see Authentication.
Configuration file location hierarchy
By default, the flytectl CLI will use the configuration file at ~/.flyte/config.yaml to connect to your Union instance unless you override it. flytectl searches for configuration files in the following order:
Options
| Option | Type | Description |
|---|---|---|
--admin.audience |
string | Audience to use when initiating OAuth2 authorization requests. |
--admin.authType |
string | Type of OAuth2 flow used for communicating with admin.ClientSecret, Pkce, ExternalCommand are valid values (default “ClientSecret”) |
--admin.authorizationHeader |
string | Custom metadata header to pass JWT |
--admin.authorizationServerUrl |
string | This is the URL to your IdP’s authorization server. It’ll default to Endpoint |
--admin.caCertFilePath |
string | Use specified certificate file to verify the admin server peer. |
--admin.clientId |
string | Client ID (default “flytepropeller”) |
--admin.clientSecretEnvVar |
string | Environment variable containing the client secret |
--admin.clientSecretLocation |
string | File containing the client secret (default “/etc/secrets/client_secret”) |
--admin.command |
strings | Command for external authentication token generation |
--admin.defaultServiceConfig |
string | |
--admin.deviceFlowConfig.pollInterval |
string | amount of time the device flow would poll the token endpoint if auth server doesn’t return a polling interval. Okta and google IDP do return an interval’ (default “5s”) |
--admin.deviceFlowConfig.refreshTime |
string | grace period from the token expiry after which it would refresh the token. (default “5m0s”) |
--admin.deviceFlowConfig.timeout |
string | amount of time the device flow should complete or else it will be cancelled. (default “10m0s”) |
--admin.endpoint |
string | For admin types, specify where the uri of the service is located. |
--admin.httpProxyURL |
string | OPTIONAL: HTTP Proxy to be used for OAuth requests. |
--admin.insecure |
Use insecure connection. | |
--admin.insecureSkipVerify |
InsecureSkipVerify controls whether a client verifies the server’s certificate chain and host name. Caution : shouldn’t be use for production usecases' | |
--admin.maxBackoffDelay |
string | Max delay for grpc backoff (default “8s”) |
--admin.maxRetries |
int | Max number of gRPC retries (default 4) |
--admin.perRetryTimeout |
string | gRPC per retry timeout (default “15s”) |
--admin.pkceConfig.refreshTime |
string | grace period from the token expiry after which it would refresh the token. (default “5m0s”) |
--admin.pkceConfig.timeout |
string | Amount of time the browser session would be active for authentication from client app. (default “2m0s”) |
--admin.scopes |
strings | List of scopes to request |
--admin.tokenRefreshWindow |
string | Max duration between token refresh attempt and token expiry. (default “0s”) |
--admin.tokenUrl |
string | OPTIONAL: Your IdP’s token endpoint. It’ll be discovered from flyte admin’s OAuth Metadata endpoint if not provided. |
--admin.useAudienceFromAdmin |
Use Audience configured from admins public endpoint config. | |
--admin.useAuth |
Deprecated: Auth will be enabled/disabled based on admin’s dynamically discovered information. | |
-c, --config |
string | config file (default is $HOME/.flyte/config.yaml) |
--console.endpoint |
string | Endpoint of console, if different than flyte admin |
-d, --domain |
string | Specifies the Flyte project’s domain. |
--files.archive |
Pass in archive file either an http link or local path. | |
--files.assumableIamRole |
string | Custom assumable iam auth role to register launch plans with. |
--files.continueOnError |
Continue on error when registering files. | |
--files.destinationDirectory |
string | Location of source code in container. |
--files.dryRun |
Execute command without making any modifications. | |
--files.enableSchedule |
Enable the schedule if the files contain schedulable launchplan. | |
--files.force |
Force use of version number on entities registered with flyte. | |
--files.k8ServiceAccount |
string | Deprecated. Please use --K8sServiceAccount |
--files.k8sServiceAccount |
string | Custom kubernetes service account auth role to register launch plans with. |
--files.outputLocationPrefix |
string | Custom output location prefix for offloaded types (files/schemas). |
--files.sourceUploadPath |
string | Deprecated: Update flyte admin to avoid having to configure storage access from flytectl. |
--files.version |
string | Version of the entity to be registered with flyte which are un-versioned after serialization. |
-h, --help |
help for flytectl | |
--logger.formatter.type |
string | Sets logging format type. (default “json”) |
--logger.level |
int | Sets the minimum logging level. (default 3) |
--logger.mute |
Mutes all logs regardless of severity. Intended for benchmarks/tests only. | |
--logger.show-source |
Includes source code location in logs. | |
-o, --output |
string | Specifies the output type - supported formats [TABLE JSON YAML DOT DOTURL]. NOTE: dot, doturl are only supported for Workflow (default “TABLE”) |
-p, --project |
string | Specifies the Flyte project. |
--storage.cache.max_size_mbs |
int | Maximum size of the cache where the Blob store data is cached in-memory. If not specified or set to 0, cache is not used |
--storage.cache.target_gc_percent |
int | Sets the garbage collection target percentage. |
--storage.connection.access-key |
string | Access key to use. Only required when authtype is set to accesskey. |
--storage.connection.auth-type |
string | Auth Type to use [iam, accesskey]. (default “iam”) |
--storage.connection.disable-ssl |
Disables SSL connection. Should only be used for development. | |
--storage.connection.endpoint |
string | URL for storage client to connect to. |
--storage.connection.region |
string | Region to connect to. (default “us-east-1”) |
--storage.connection.secret-key |
string | Secret to use when accesskey is set. |
--storage.container |
string | Initial container (in s3 a bucket) to create -if it doesn’t exist-.' |
--storage.defaultHttpClient.timeout |
string | Sets time out on the http client. (default “0s”) |
--storage.enable-multicontainer |
If this is true, then the container argument is overlooked and redundant. This config will automatically open new connections to new containers/buckets as they are encountered | |
--storage.limits.maxDownloadMBs |
int | Maximum allowed download size (in MBs) per call. (default 2) |
--storage.stow.config |
stringToString | Configuration for stow backend. Refer to github/flyteorg/stow (default []) |
--storage.stow.kind |
string | Kind of Stow backend to use. Refer to github/flyteorg/stow |
--storage.type |
string | Sets the type of storage to configure [s3/minio/local/mem/stow]. (default “s3”) |
Commands
flytectl create {flytectl-create/index}creates various Flyte resources such as tasks, workflows, launch plans, executions, and projects.flytectl delete {flytectl-delete/index}terminates/deletes various Flyte resources, such as executions and resource attributes.flytectl demo {flytectl-demo/index}provides commands for starting and interacting with a standalone minimal local environment for running Flyte.flytectl get {flytectl-get/index}fetches various Flyte resources such as tasks, workflows, launch plans, executions, and projects.flytectl register {flytectl-register/index}registers tasks, workflows, and launch plans from a list of generated serialized files.flytectl update {flytectl-update/index}update Flyte resources e.g., projects.flytectl version {flytectl-version>fetchesflytectlversion.
Entities
| Entity | Commands |
|---|---|
| Cluster resource attribute | |
| Config | |
| Demo | |
| Execution | |
| Execution cluster label | |
| Execution queue attribute | |
| Files |
flytectl regiser files |
| Launch plan | |
| Plugin override | |
| Project | |
| Task | |
| Task resource attribute | |
| Workflow | |
| Workflow execution config |