Single Cluster Production-grade Cloud Deployment
The following guide assumes you’ve successfully set up a Single Cluster Simple Cloud Deployment.
This guide describes additional setup steps to productionize your Flyte deployment. While not strictly required, we recommend that you incorporate these changes.
Ingress/DNS
Assuming your cluster has an existing Ingress controller, Flyte will be accessible without port forwarding. The base chart installed in the previous guide already contains the ingress rules, but they are not enabled by default.
To turn on ingress, update your values.yaml file to include the following block.

For an NGINX ingress:

ingress:
  create: true
  commonAnnotations:
    kubernetes.io/ingress.class: nginx
  httpAnnotations:
    nginx.ingress.kubernetes.io/app-root: /console
  grpcAnnotations:
    nginx.ingress.kubernetes.io/backend-protocol: GRPC
  host: <your-Flyte-URL> # change for the URL you'll use to connect to Flyte

For an ALB ingress:

ingress:
  create: true
  commonAnnotations:
    alb.ingress.kubernetes.io/certificate-arn: '<your-SSL-certificate-ARN>'
    alb.ingress.kubernetes.io/group.name: flyte
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/ssl-redirect: '443'
    alb.ingress.kubernetes.io/target-type: ip
    kubernetes.io/ingress.class: alb
  httpAnnotations:
    alb.ingress.kubernetes.io/actions.app-root: '{"Type": "redirect", "RedirectConfig": {"Path": "/console", "StatusCode": "HTTP_302"}}'
  grpcAnnotations:
    alb.ingress.kubernetes.io/backend-protocol-version: GRPC
  host: <your-URL> # use a DNS CNAME pointing to your ALB

For an NGINX ingress with cert-manager and a separate gRPC ingress:

annotations:
  kubernetes.io/ingress.class: nginx
  nginx.ingress.kubernetes.io/ssl-redirect: "true"
  cert-manager.io/issuer: "letsencrypt-production"
# --- separateGrpcIngress puts GRPC routes into a separate ingress if true. Required for certain ingress controllers like nginx.
separateGrpcIngress: true
# --- Extra Ingress annotations applied only to the GRPC ingress. Only makes sense if `separateGrpcIngress` is enabled.
separateGrpcIngressAnnotations:
  nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
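A pre-deployment check for the ALB values above, as an added example that is not part of the Flyte documentation or charts. The `audit_ingress` helper and the sample dictionary are hypothetical; the dictionary mirrors the page's ALB block as it would look after parsing values.yaml, and the listen-ports fallback assumes the AWS Load Balancer Controller's documented default.

```python
import json

ALB = "alb.ingress.kubernetes.io/"

# Constructed sample: the page's ALB block as a parsed values.yaml would look,
# with the template placeholders still in place.
ALB_VALUES = {"ingress": {
    "create": True,
    "commonAnnotations": {
        ALB + "certificate-arn": "<your-SSL-certificate-ARN>",
        ALB + "listen-ports": '[{"HTTP": 80}, {"HTTPS":443}]',
        ALB + "scheme": "internet-facing",
        ALB + "ssl-redirect": "443",
        "kubernetes.io/ingress.class": "alb",
    },
    "host": "<your-URL>",
}}


def audit_ingress(values):
    """Return findings for an `ingress:` values block (hypothetical helper)."""
    ing = values.get("ingress", {})
    if not ing.get("create"):
        return []  # ingress rules are not rendered, nothing to check
    ann = ing.get("commonAnnotations", {})
    findings = []
    # Template placeholders such as <your-URL> must be replaced before deploying.
    for key, val in [("host", ing.get("host", ""))] + sorted(ann.items()):
        if isinstance(val, str) and val.startswith("<") and val.endswith(">"):
            findings.append(f"placeholder left in {key.split('/')[-1]}")
    if ann.get("kubernetes.io/ingress.class") != "alb":
        return findings
    cert = ann.get(ALB + "certificate-arn")
    # Without listen-ports the controller serves HTTPS only if a certificate is set.
    default_ports = '[{"HTTPS": 443}]' if cert else '[{"HTTP": 80}]'
    ports = json.loads(ann.get(ALB + "listen-ports", default_ports))
    has_http = any("HTTP" in p for p in ports)    # dict key test, not substring
    has_https = any("HTTPS" in p for p in ports)
    if has_https and not cert:
        findings.append("HTTPS listener without certificate-arn")
    if has_http and not (has_https and ann.get(ALB + "ssl-redirect")):
        findings.append("plain HTTP listener without ssl-redirect")
    if ann.get(ALB + "scheme") == "internet-facing":
        findings.append("internet-facing: set up authentication before exposing")
    return findings


if __name__ == "__main__":
    for finding in audit_ingress(ALB_VALUES):
        print(finding)
```

In practice the dictionary would come from loading values.yaml with a YAML parser instead of being written inline.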
Authentication
Authentication comes with Flyte in the form of OAuth 2.0. Please see the authentication guide for instructions.
Note: Authorization is not supported out-of-the-box in Flyte. This is due to the wide variety of authorization requirements that different organizations use.
Upgrade Path
To upgrade, simply helm upgrade your relevant chart.
One thing to keep in mind during upgrades is that Flyte is released regularly using semantic versioning. Since Flyte 1.0.0 will be with us for a while, you should expect large changes in minor version bumps, with backwards compatibility being maintained, for the most part.
If you’re using the multi-cluster deployment model for Flyte, components should be upgraded together.