run-x / opta

The next generation of Infrastructure-as-Code. Work with high-level constructs instead of getting lost in low-level cloud configuration.
https://docs.opta.dev
Apache License 2.0

Automatic selection of a domain to create a DNS resource #642

Open anmyachev opened 2 years ago

anmyachev commented 2 years ago

What would you like to be added:

Now I have to manually fill in the <domain> field in the file flyte/opta/aws/env.yaml. However, for example, it is possible to create EC2 instances with default DNS (example: ec2-3-237-182-243.compute-1.amazonaws.com). Can this approach be reused for Opta?

Why is this needed:

Simplifying the user experience in situations where it is not needed.

Extra info (e.g. existing slack convo link):

ankurd1 commented 2 years ago

So Flyte CLI uses gRPC, which requires SSL - that's why we need a domain name. We can't provide SSL on the AWS managed domains.

Let me get the Flyte folks' opinion on this as well.

EngHabu commented 2 years ago

Hi @anmyachev. This is Haytham from the Flyte project. @legalosLOTR is right, Flyte relies on gRPC which requires SSL.

Can you elaborate more on your desired setup? Are you still installing on an EKS cluster (through Opta)? Or are you attempting to install on a single EC2 instance?

ELB will actually create a publicly accessible AWS Managed DNS for you... and traffic will be routed through the Opta-installed IngressController (nginx). I do not know enough networking to say if you can issue an SSL cert for that domain and have it used in nginx or not because I'm sure that requires DNS validation...

Or maybe what you are asking for is support for a self-signed cert? That will give you all kinds of SSL errors in browsers but may give you a path forward to unblock demo-ing/testing scenarios?

ankurd1 commented 2 years ago

From the Opta side, we will be exploring putting a self-signed cert on the ELB. This would enable Flyte to be used (but without cert verification).

anmyachev commented 2 years ago

> Hi @anmyachev. This is Haytham from the Flyte project. @legalosLOTR is right, Flyte relies on gRPC which requires SSL.
>
> Can you elaborate more on your desired setup? Are you still installing on an EKS cluster (through Opta)? Or are you attempting to install on a single EC2 instance?
>
> ELB will actually create a publicly accessible AWS Managed DNS for you... and traffic will be routed through the Opta-installed IngressController (nginx). I do not know enough networking to say if you can issue an SSL cert for that domain and have it used in nginx or not because I'm sure that requires DNS validation...
>
> Or maybe what you are asking for is support for a self-signed cert? That will give you all kinds of SSL errors in browsers but may give you a path forward to unblock demo-ing/testing scenarios?

Hi @EngHabu,

My desired setup: EKS cluster (through Opta). I am not strong in the topic of networking, but after looking at a little information, I think that yes, I mean the possibility of using a self-signed cert. This would be convenient in the case when the EKS cluster is created for a limited number of users (for example, for one company).

anmyachev commented 2 years ago

> From the Opta side, we will be exploring putting a self-signed cert on the ELB. This would enable Flyte to be used (but without cert verification).

Thanks @legalosLOTR!