uctl create
Used for creating various Union/Flyte resources, including apps, cluster pools and cluster configs.
Synopsis
Create a Flyte resource. For example, to create a project from a YAML definition:

```
$ uctl create project --file project.yaml
```

Options
| Option | Type | Description | 
|---|---|---|
| -h, --help | | help for create |
Options inherited from parent commands
| Option | Type | Description | 
|---|---|---|
| --admin.audience | string | Audience to use when initiating OAuth2 authorization requests. | 
| --admin.authType | string | Type of OAuth2 flow used for communicating with admin. ClientSecret, Pkce and ExternalCommand are valid values. (default “ClientSecret”) | 
| --admin.authorizationHeader | string | Custom metadata header to pass JWT | 
| --admin.authorizationServerUrl | string | This is the URL to your IdP’s authorization server. It’ll default to Endpoint | 
| --admin.caCertFilePath | string | Use specified certificate file to verify the admin server peer. | 
| --admin.clientId | string | Client ID (default “flytepropeller”) | 
| --admin.clientSecretEnvVar | string | Environment variable containing the client secret | 
| --admin.clientSecretLocation | string | File containing the client secret (default “/etc/secrets/client_secret”) | 
| --admin.command | strings | Command for external authentication token generation | 
| --admin.defaultOrg | string | OPTIONAL: Default org to use to support non-org based CLIs. | 
| --admin.defaultServiceConfig | string | |
| --admin.deviceFlowConfig.pollInterval | string | Interval at which the device flow polls the token endpoint if the auth server doesn’t return a polling interval. Okta and Google IdPs do return an interval. (default “5s”) | 
| --admin.deviceFlowConfig.refreshTime | string | Grace period before token expiry after which the token is refreshed. (default “5m0s”) | 
| --admin.deviceFlowConfig.timeout | string | Amount of time within which the device flow must complete, or else it is cancelled. (default “10m0s”) | 
| --admin.endpoint | string | For admin types, specify where the uri of the service is located. | 
| --admin.httpProxyURL | string | OPTIONAL: HTTP Proxy to be used for OAuth requests. | 
| --admin.insecure | | Use insecure connection. |
| --admin.insecureSkipVerify | | InsecureSkipVerify controls whether a client verifies the server’s certificate chain and host name. Caution: shouldn’t be used for production use cases. |
| --admin.maxBackoffDelay | string | Max delay for grpc backoff (default “8s”) | 
| --admin.maxMessageSizeBytes | int | The max size in bytes for incoming gRPC messages | 
| --admin.maxRetries | int | Max number of gRPC retries (default 4) | 
| --admin.perRetryTimeout | string | gRPC per retry timeout (default “15s”) | 
| --admin.pkceConfig.refreshTime | string | grace period from the token expiry after which it would refresh the token. (default “5m0s”) | 
| --admin.pkceConfig.timeout | string | Amount of time the browser session would be active for authentication from client app. (default “2m0s”) | 
| --admin.proxyCommand | strings | Command for external proxy-authorization token generation | 
| --admin.scopes | strings | List of scopes to request | 
| --admin.tokenRefreshWindow | string | Max duration between token refresh attempt and token expiry. (default “0s”) | 
| --admin.tokenUrl | string | OPTIONAL: Your IdP’s token endpoint. It’ll be discovered from flyte admin’s OAuth Metadata endpoint if not provided. | 
| --admin.useAudienceFromAdmin | | Use Audience configured from admin’s public endpoint config. |
| --admin.useAuth | | Deprecated: Auth will be enabled/disabled based on admin’s dynamically discovered information. |
| --auth.appAuth.externalAuthServer.allowedAudience | strings | Optional: A list of allowed audiences. If not provided, the audience is expected to be the public Uri of the service. | 
| --auth.appAuth.externalAuthServer.baseUrl | string | This should be the base url of the authorization server that you are trying to hit. With Okta for instance, it will look something like https://company.okta.com/oauth2/abcdef123456789/ | 
| --auth.appAuth.externalAuthServer.httpProxyURL | string | OPTIONAL: HTTP Proxy to be used for OAuth requests. | 
| --auth.appAuth.externalAuthServer.metadataUrl | string | Optional: If the server doesn’t support /.well-known/oauth-authorization-server, you can set a custom metadata url here. | 
| --auth.appAuth.externalAuthServer.retryAttempts | int | Optional: The number of attempted retries on a transient failure to get the OAuth metadata (default 5) | 
| --auth.appAuth.externalAuthServer.retryDelay | string | Optional, Duration to wait between retries (default “1s”) | 
| --auth.appAuth.selfAuthServer.accessTokenLifespan | string | Defines the lifespan of issued access tokens. (default “30m0s”) | 
| --auth.appAuth.selfAuthServer.authorizationCodeLifespan | string | Defines the lifespan of issued access tokens. (default “5m0s”) | 
| --auth.appAuth.selfAuthServer.claimSymmetricEncryptionKeySecretName | string | OPTIONAL: Secret name to use to encrypt claims in authcode token. (default “claim_symmetric_key”) | 
| --auth.appAuth.selfAuthServer.issuer | string | Defines the issuer to use when issuing and validating tokens. The default value is https://{requestUri.HostAndPort}/ | 
| --auth.appAuth.selfAuthServer.oldTokenSigningRSAKeySecretName | string | OPTIONAL: Secret name to use to retrieve Old RSA Signing Key. This can be useful during key rotation to continue to accept older tokens. (default “token_rsa_key_old.pem”) | 
| --auth.appAuth.selfAuthServer.refreshTokenLifespan | string | Defines the lifespan of issued access tokens. (default “1h0m0s”) | 
| --auth.appAuth.selfAuthServer.tokenSigningRSAKeySecretName | string | OPTIONAL: Secret name to use to retrieve RSA Signing Key. (default “token_rsa_key.pem”) | 
| --auth.appAuth.thirdPartyConfig.flyteClient.audience | string | Audience to use when initiating OAuth2 authorization requests. | 
| --auth.appAuth.thirdPartyConfig.flyteClient.clientId | string | public identifier for the app which handles authorization for a Flyte deployment (default “uctl”) | 
| --auth.appAuth.thirdPartyConfig.flyteClient.redirectUri | string | This is the callback uri registered with the app which handles authorization for a Flyte deployment (default “http://localhost:53593/callback”) | 
| --auth.appAuth.thirdPartyConfig.flyteClient.scopes | strings | Recommended scopes for the client to request. (default [all,offline]) | 
| --auth.disableForGrpc | | Disables auth enforcement on gRPC endpoints. |
| --auth.disableForHttp | | Disables auth enforcement on HTTP endpoints. |
| --auth.grpcAuthorizationHeader | string | (default “flyte-authorization”) | 
| --auth.httpAuthorizationHeader | string | (default “flyte-authorization”) | 
| --auth.httpProxyURL | string | OPTIONAL: HTTP Proxy to be used for OAuth requests. | 
| --auth.tokenEndpointProxyPath | string | The path used to proxy calls to the TokenURL | 
| --auth.userAuth.cookieBlockKeySecretName | string | OPTIONAL: Secret name to use for cookie block key. (default “cookie_block_key”) | 
| --auth.userAuth.cookieHashKeySecretName | string | OPTIONAL: Secret name to use for cookie hash key. (default “cookie_hash_key”) | 
| --auth.userAuth.cookieSetting.domain | string | OPTIONAL: Allows you to set the domain attribute on the auth cookies. | 
| --auth.userAuth.cookieSetting.sameSitePolicy | string | OPTIONAL: Allows you to declare if your cookie should be restricted to a first-party or same-site context.Wrapper around http.SameSite. (default “DefaultMode”) | 
| --auth.userAuth.httpProxyURL | string | OPTIONAL: HTTP Proxy to be used for OAuth requests. | 
| --auth.userAuth.idpQueryParameter | string | idp query parameter used for selecting a particular IDP for doing user authentication. Eg: for Okta passing idp={IDP-ID} forces the authentication to happen with IDP-ID | 
| --auth.userAuth.openId.baseUrl | string | |
| --auth.userAuth.openId.clientId | string | |
| --auth.userAuth.openId.clientSecretFile | string | |
| --auth.userAuth.openId.clientSecretName | string | (default “oidc_client_secret”) | 
| --auth.userAuth.openId.scopes | strings | (default [openid,profile]) | 
| --auth.userAuth.redirectUrl | string | (default “/console”) | 
| --authorizer.internalCommunicationConfig.enabled | | Enables authorization decisions for internal communication. (default true) |
| --authorizer.internalCommunicationConfig.ingressIdentity | string | IngressIdentity used in the cluster. Needed to exclude the communication coming from ingress. (default “ingress-nginx.ingress-nginx.serviceaccount.identity.linkerd.cluster.local”) | 
| --authorizer.internalCommunicationConfig.tenantUrlPatternIdentity | string | UrlPatternIdentity of the internal tenant service endpoint identities. (default “{{ service }}.{{ org }}.serviceaccount.identity.linkerd.cluster.local”) | 
| --authorizer.internalCommunicationConfig.urlPatternIdentity | string | UrlPatternIdentity of the internal service endpoint identities. (default “{{ service }}-helmchart.{{ service }}.serviceaccount.identity.linkerd.cluster.local”) | 
| --authorizer.mode | string | (default “Active”) | 
| --authorizer.organizationConfig.PolicyConfig.adminPolicyDescription | string | description for the boilerplate admin policy (default “Contributor permissions and full admin permissions to manage users and view usage dashboards”) | 
| --authorizer.organizationConfig.PolicyConfig.contributorPolicyDescription | string | description for the boilerplate contributor policy (default “Viewer permissions and permissions to create workflows, tasks, launch plans, and executions”) | 
| --authorizer.organizationConfig.PolicyConfig.defaultUserPolicyRoleType | string | name of the role type to determine which default policy new users added to the organization should be assigned (default “Viewer”) | 
| --authorizer.organizationConfig.PolicyConfig.serverlessContributorPolicyDescription | string | description for the boilerplate serverless contributor policy (default “Viewer permissions and permissions to create workflows, tasks, launch plans, and executions”) | 
| --authorizer.organizationConfig.PolicyConfig.serverlessViewerPolicyDescription | string | description for the boilerplate serverless viewer policy (default “Permissions to view Flyte entities”) | 
| --authorizer.organizationConfig.PolicyConfig.viewerPolicyDescription | string | description for the boilerplate viewer policy (default “Permissions to view Flyte entities”) | 
| --authorizer.organizationConfig.defaultPolicyCacheDuration | string | Cache entry duration for the store of the default policy per organization (default “10m0s”) | 
| --authorizer.syncRuleRefreshInterval | string | (default “1m0s”) | 
| --authorizer.type | string | (default “UserClouds”) | 
| --authorizer.userCloudsClient.cache.redis.ttl.edgeTypes | string | Specifies how long edge types remain in the cache. (default “30m0s”) | 
| --authorizer.userCloudsClient.cache.redis.ttl.edges | string | Specifies how long edges remain in the cache. (default “30m0s”) | 
| --authorizer.userCloudsClient.cache.redis.ttl.objectTypes | string | Specifies how long object types remain in the cache. (default “30m0s”) | 
| --authorizer.userCloudsClient.cache.redis.ttl.objects | string | Specifies how long objects remain in the cache. (default “30m0s”) | 
| --authorizer.userCloudsClient.cache.type | string | Cache type to use. (default “none”) | 
| --authorizer.userCloudsClient.clientID | string | UserClouds client id | 
| --authorizer.userCloudsClient.clientSecretName | string | UserCloud client secret name to read from the secret manager. (default “userclouds-client-secret”) | 
| --authorizer.userCloudsClient.enableLogging | | Enable userclouds client’s internal logging. Calls to post logs take 250-350 ms and will impact p99 latency; enable with caution. |
| --authorizer.userCloudsClient.tenantID | string | UserClouds tenant id. Should be a UUID. | 
| --authorizer.userCloudsClient.tenantUrl | string | Something like https://{yourtenant}.tenant.userclouds.com | 
| --config | string | config file (default is /Users/andrew/.union/config.yaml) | 
| --connection.environment | string | |
| --connection.region | string | |
| --connection.rootTenantURLPattern | string | Pattern for tenant url. (default “dns:///{{ organization }}.cloud-staging.union.ai”) | 
| --console.endpoint | string | Endpoint of console, if different than flyte admin | 
| --database.connMaxLifeTime | string | sets the maximum amount of time a connection may be reused (default “1h0m0s”) | 
| --database.enableForeignKeyConstraintWhenMigrating | | Whether to enable gorm foreign keys when migrating the db |
| --database.maxIdleConnections | int | maxIdleConnections sets the maximum number of connections in the idle connection pool. (default 10) | 
| --database.maxOpenConnections | int | maxOpenConnections sets the maximum number of open connections to the database. (default 100) | 
| --database.postgres.dbname | string | The database name (default “postgres”) | 
| --database.postgres.debug | | |
| --database.postgres.host | string | The host name of the database server (default “localhost”) | 
| --database.postgres.options | string | See http://gorm.io/docs/connecting_to_the_database.html for available options passed, in addition to the above. (default “sslmode=disable”) | 
| --database.postgres.password | string | The database password. (default “postgres”) | 
| --database.postgres.passwordPath | string | Points to the file containing the database password. | 
| --database.postgres.port | int | The port name of the database server (default 30001) | 
| --database.postgres.readReplicaHost | string | The host name of the read replica database server (default “localhost”) | 
| --database.postgres.username | string | The database user who is connecting to the server. (default “postgres”) | 
| --database.sqlite.file | string | The path to the file (existing or new) where the DB should be created / stored. If existing, then this will be re-used, else a new will be created | 
| --db.connectionPool.maxConnectionLifetime | string | (default “0s”) | 
| --db.connectionPool.maxIdleConnections | int | |
| --db.connectionPool.maxOpenConnections | int | |
| --db.dbname | string | (default “postgres”) | 
| --db.debug | | |
| --db.host | string | (default “postgres”) | 
| --db.log_level | int | (default 4) | 
| --db.options | string | (default “sslmode=disable”) | 
| --db.password | string | |
| --db.passwordPath | string | |
| --db.port | int | (default 5432) | 
| --db.username | string | (default “postgres”) | 
| -d,--domain | string | Specifies the Flyte project’s domain. | 
| --files.archive | | Pass in archive file, either an http link or a local path. |
| --files.assumableIamRole | string | Custom assumable iam auth role to register launch plans with. | 
| --files.continueOnError | | Continue on error when registering files. |
| --files.destinationDirectory | string | Location of source code in container. | 
| --files.dryRun | | Execute command without making any modifications. |
| --files.enableSchedule | | Enable the schedule if the files contain a schedulable launch plan. |
| --files.force | | Force use of version number on entities registered with flyte. |
| --files.k8ServiceAccount | string | Deprecated. Please use --K8sServiceAccount | 
| --files.k8sServiceAccount | string | Custom kubernetes service account auth role to register launch plans with. | 
| --files.outputLocationPrefix | string | Custom output location prefix for offloaded types (files/schemas). | 
| --files.sourceUploadPath | string | Deprecated: Update flyte admin to avoid having to configure storage access from uctl. | 
| --files.version | string | Version of the entity to be registered with flyte which are un-versioned after serialization. | 
| --logger.formatter.type | string | Sets logging format type. (default “json”) | 
| --logger.level | int | Sets the minimum logging level. (default 3) | 
| --logger.mute | | Mutes all logs regardless of severity. Intended for benchmarks/tests only. |
| --logger.show-source | | Includes source code location in logs. |
| --org | string | Organization to work on. If not set, default to user’s org. | 
| --otel.file.filename | string | Filename to store exported telemetry traces (default “/tmp/trace.txt”) | 
| --otel.jaeger.endpoint | string | Endpoint for the jaeger telemetry trace ingestor (default “http://localhost:14268/api/traces”) | 
| --otel.otlpgrpc.endpoint | string | Endpoint for the OTLP telemetry trace collector (default “http://localhost:4317”) | 
| --otel.otlphttp.endpoint | string | Endpoint for the OTLP telemetry trace collector (default “http://localhost:4318/v1/traces”) | 
| --otel.sampler.parentSampler | string | Sets the parent sampler to use for the tracer (default “always”) | 
| --otel.type | string | Sets the type of exporter to configure [noop/file/jaeger/otlpgrpc/otlphttp]. (default “noop”) | 
| -o,--output | string | Specifies the output type - supported formats [TABLE JSON YAML DOT DOTURL]. NOTE: dot, doturl are only supported for Workflow (default “table”) | 
| --plugins.catalogcache.reader.maxItems | int | Maximum number of entries to keep in the index. (default 10000) | 
| --plugins.catalogcache.reader.maxRetries | int | Maximum number of retries per item. (default 3) | 
| --plugins.catalogcache.reader.workers | int | Number of concurrent workers to start processing the queue. (default 10) | 
| --plugins.catalogcache.writer.maxItems | int | Maximum number of entries to keep in the index. (default 10000) | 
| --plugins.catalogcache.writer.maxRetries | int | Maximum number of retries per item. (default 3) | 
| --plugins.catalogcache.writer.workers | int | Number of concurrent workers to start processing the queue. (default 10) | 
| -p,--project | string | Specifies the Flyte project. | 
| --rediscache.passwordSecretName | string | Name of secret with Redis password. | 
| --rediscache.primaryEndpoint | string | Primary endpoint for the redis cache that can be used for both reads and writes. | 
| --rediscache.replicaEndpoint | string | Replica endpoint for the redis cache that can be used for reads. | 
| --secrets.env-prefix | string | Prefix for environment variables (default “FLYTE_SECRET_”) | 
| --secrets.secrets-prefix | string | Prefix where to look for secrets file (default “/etc/secrets”) | 
| --secrets.type | string | Sets the type of storage to configure [local]. (default “local”) | 
| --server.dataProxy.download.maxExpiresIn | string | Maximum allowed expiration duration. (default “1h0m0s”) | 
| --server.dataProxy.upload.defaultFileNameLength | int | Default length for the generated file name if not provided in the request. (default 20) | 
| --server.dataProxy.upload.maxExpiresIn | string | Maximum allowed expiration duration. (default “1h0m0s”) | 
| --server.dataProxy.upload.maxSize | string | Maximum allowed upload size. (default “6Mi”) | 
| --server.dataProxy.upload.storagePrefix | string | Storage prefix to use for all upload requests. | 
| --server.grpc.enableGrpcLatencyMetrics | | Enable grpc latency metrics. Note: histogram metrics can be expensive on Prometheus servers. |
| --server.grpc.maxMessageSizeBytes | int | The max size in bytes for incoming gRPC messages | 
| --server.grpc.port | int | On which grpc port to serve admin (default 8089) | 
| --server.grpc.serverReflection | | Enable gRPC Server Reflection (default true) |
| --server.grpcPort | int | deprecated | 
| --server.grpcServerReflection | | deprecated |
| --server.httpPort | int | On which http port to serve admin (default 8088) | 
| --server.kube-config | string | Path to kubernetes client config file, default is empty, useful for incluster config. | 
| --server.kubeClientConfig.burst | int | Max burst rate for throttle. 0 defaults to 10 (default 25) | 
| --server.kubeClientConfig.qps | int32 | Max QPS to the master for requests to KubeAPI. 0 defaults to 5. (default 100) | 
| --server.kubeClientConfig.timeout | string | Max duration allowed for every request to KubeAPI before giving up. 0 implies no timeout. (default “30s”) | 
| --server.master | string | The address of the Kubernetes API server. | 
| --server.readHeaderTimeoutSeconds | int | The amount of time allowed to read request headers. (default 32) | 
| --server.security.allowCors | | (default true) |
| --server.security.allowedHeaders | strings | (default [Content-Type,flyte-authorization]) | 
| --server.security.allowedOrigins | strings | (default [*]) | 
| --server.security.auditAccess | | |
| --server.security.secure | | |
| --server.security.ssl.certificateFile | string | |
| --server.security.ssl.keyFile | string | |
| --server.security.useAuth | | |
| --server.thirdPartyConfig.flyteClient.audience | string | Audience to use when initiating OAuth2 authorization requests. | 
| --server.thirdPartyConfig.flyteClient.clientId | string | public identifier for the app which handles authorization for a Flyte deployment | 
| --server.thirdPartyConfig.flyteClient.redirectUri | string | This is the callback uri registered with the app which handles authorization for a Flyte deployment | 
| --server.thirdPartyConfig.flyteClient.scopes | strings | Recommended scopes for the client to request. | 
| --server.watchService.maxActiveClusterConnections | int | (default 5) | 
| --server.watchService.maxPageSize | int | (default 50000) | 
| --server.watchService.nonTerminalStatusUpdatesInterval | string | (default “1m0s”) | 
| --server.watchService.pollInterval | string | (default “1s”) | 
| --sharedservice.connectPort | string | On which connect port to serve admin (default “8080”) | 
| --sharedservice.grpc.grpcMaxResponseStatusBytes | int32 | specifies the maximum (uncompressed) size of header list that the client is prepared to accept on grpc calls (default 32000) | 
| --sharedservice.grpc.maxConcurrentStreams | int | Limit on the number of concurrent streams to each ServerTransport. (default 100) | 
| --sharedservice.grpc.maxMessageSizeBytes | int | Limit on the size of message that can be received on the server. (default 10485760) | 
| --sharedservice.grpcServerReflection | | Enable gRPC Server Reflection (default true) |
| --sharedservice.httpPort | string | On which http port to serve admin (default “8089”) | 
| --sharedservice.kubeConfig | string | Path to kubernetes client config file. | 
| --sharedservice.master | string | The address of the Kubernetes API server. | 
| --sharedservice.metrics.enableClientGrpcHistograms | | Enable client grpc histograms (default true) |
| --sharedservice.metrics.enableGrpcHistograms | | Enable grpc histograms (default true) |
| --sharedservice.metrics.scope | string | Scope to emit metrics under (default “service:”) | 
| --sharedservice.port | string | On which grpc port to serve admin (default “8080”) | 
| --sharedservice.profiler.enabled | | Enable Profiler on server |
| --sharedservice.profilerPort | string | Profile port to start listening for pprof and metric handlers on. (default “10254”) | 
| --sharedservice.security.allowCors | | |
| --sharedservice.security.allowLocalhostAccess | | Whether to permit localhost unauthenticated access to the server |
| --sharedservice.security.allowedHeaders | strings | |
| --sharedservice.security.allowedOrigins | strings | |
| --sharedservice.security.auditAccess | | |
| --sharedservice.security.orgOverride | string | Override org in identity context if localhost access enabled | 
| --sharedservice.security.secure | | |
| --sharedservice.security.ssl.certificateAuthorityFile | string | |
| --sharedservice.security.ssl.certificateFile | string | |
| --sharedservice.security.ssl.keyFile | string | |
| --sharedservice.security.useAuth | | |
| --sharedservice.sync.syncInterval | string | Time interval to sync (default “5m0s”) | 
| --storage.cache.max_size_mbs | int | Maximum size of the cache where the Blob store data is cached in-memory. If not specified or set to 0, cache is not used | 
| --storage.cache.target_gc_percent | int | Sets the garbage collection target percentage. | 
| --storage.connection.access-key | string | Access key to use. Only required when authtype is set to accesskey. | 
| --storage.connection.auth-type | string | Auth Type to use [iam, accesskey]. (default “iam”) | 
| --storage.connection.disable-ssl | | Disables SSL connection. Should only be used for development. |
| --storage.connection.endpoint | string | URL for storage client to connect to. | 
| --storage.connection.region | string | Region to connect to. (default “us-east-1”) | 
| --storage.connection.secret-key | string | Secret to use when accesskey is set. | 
| --storage.container | string | Initial container (in s3, a bucket) to create if it doesn’t exist. | 
| --storage.defaultHttpClient.timeout | string | Sets time out on the http client. (default “0s”) | 
| --storage.enable-multicontainer | | If this is true, then the container argument is overlooked and redundant. This config will automatically open new connections to new containers/buckets as they are encountered. |
| --storage.limits.maxDownloadMBs | int | Maximum allowed download size (in MBs) per call. (default 2) | 
| --storage.stow.config | stringToString | Configuration for stow backend. Refer to github/flyteorg/stow (default []) | 
| --storage.stow.kind | string | Kind of Stow backend to use. Refer to github/flyteorg/stow | 
| --storage.type | string | Sets the type of storage to configure [s3/minio/local/mem/stow]. (default “s3”) | 
| --union.auth.authorizationMetadataKey | string | Authorization Header to use when passing Access Tokens to the server (default “flyte-authorization”) | 
| --union.auth.clientId | string | Client ID | 
| --union.auth.clientSecretEnvVar | string | Environment variable containing the client secret | 
| --union.auth.clientSecretLocation | string | File containing the client secret | 
| --union.auth.deviceFlow.pollInterval | string | Interval at which the device flow polls the token endpoint if the auth server doesn’t return a polling interval. Okta and Google IdPs do return an interval. (default “5s”) | 
| --union.auth.deviceFlow.refreshTime | string | Grace period before token expiry after which the token is refreshed. (default “5m0s”) | 
| --union.auth.deviceFlow.timeout | string | Amount of time within which the device flow must complete, or else it is cancelled. (default “10m0s”) | 
| --union.auth.enable | | Whether to enable an authenticated connection when communicating with admin. (default true) |
| --union.auth.externalAuth.command | strings | Command for external authentication token generation | 
| --union.auth.pkce.refreshTime | string | grace period from the token expiry after which it would refresh the token. (default “5m0s”) | 
| --union.auth.pkce.timeout | string | Amount of time the browser session would be active for authentication from client app. (default “15s”) | 
| --union.auth.scopes | strings | List of scopes to request | 
| --union.auth.tokenRefreshWindow | string | Max duration between token refresh attempt and token expiry. (default “1h0m0s”) | 
| --union.auth.tokenUrl | string | OPTIONAL: Your IdP’s token endpoint. It’ll be discovered from flyte admin’s OAuth Metadata endpoint if not provided. | 
| --union.auth.type | string | Type of OAuth2 flow used for communicating with admin. (default “Pkce”) | 
| --union.cache.maxItemsCount | int | Maximum number of items to keep in the cache before evicting. (default 1000) | 
| --union.connection.host | string | Host to connect to (default “dns:///utt-mgdp-stg-us-east-2.cloud-staging.union.ai”) | 
| --union.connection.insecure | | Whether to connect over an insecure channel |
| --union.connection.insecureSkipVerify | | InsecureSkipVerify controls whether a client verifies the server’s certificate chain and host name. Caution: shouldn’t be used for production use cases. |
| --union.connection.keepAliveConfig.permitWithoutStream | | If true, client sends keepalive pings even with no active RPCs. |
| --union.connection.keepAliveConfig.time | string | After a duration of this time if the client doesn’t see any activity it pings the server to see if the transport is still alive. (default “20s”) | 
| --union.connection.keepAliveConfig.timeout | string | After having pinged for keepalive check, the client waits for a duration of Timeout and if no activity is seen even after that the connection is closed. (default “2m0s”) | 
| --union.connection.maxBackoffDelay | string | Max delay for grpc backoff (default “8s”) | 
| --union.connection.maxRecvMsgSize | int | Maximum size of a message in bytes of a gRPC message (default 10485760) | 
| --union.connection.maxRetries | int | Max number of gRPC retries (default 4) | 
| --union.connection.minConnectTimeout | string | Minimum timeout for establishing a connection (default “20s”) | 
| --union.connection.perRetryTimeout | string | gRPC per retry timeout (default “15s”) | 
| --union.connection.serviceConfig | string | Defines gRPC experimental JSON Service Config (default `{"loadBalancingConfig": [{"round_robin":{}}]}`) | 
| --union.connection.trustedIdentityClaims.enabled | | Enables passing of trusted claims while making inter-service calls |
| --union.connection.trustedIdentityClaims.externalIdentityClaim | string | External identity claim of the service which is authorized to make internal service call. These are verified against userclouds actions | 
| --union.connection.trustedIdentityClaims.externalIdentityTypeClaim | string | External identity type claim of app or user to use for the current service identity. It should be an ‘app’ for inter service communication | 
| --union.internalConnectionConfig.- | stringToString | (default []) | 
| --union.internalConnectionConfig.enabled | | Enables internal service-to-service communication instead of going through ingress. |
| --union.internalConnectionConfig.urlPattern | string | UrlPattern of the internal service endpoints. (default “{{ service }}-helmchart.{{ service }}.svc.cluster.local:80”) | 
| --webhook.awsSecretManager.sidecarImage | string | Specifies the sidecar docker image to use (default “docker.io/amazon/aws-secrets-manager-secret-sidecar:v0.1.4”) | 
| --webhook.certDir | string | Certificate directory to use to write generated certs. Defaults to /etc/webhook/certs/ (default “/etc/webhook/certs”) | 
| --webhook.embeddedSecretManagerConfig.awsConfig.region | string | AWS region | 
| --webhook.embeddedSecretManagerConfig.fileMountInitContainer.image | string | Specifies init container image to use for mounting secrets as files. (default “busybox:1.28”) | 
| --webhook.embeddedSecretManagerConfig.gcpConfig.project | string | GCP project to be used for secret manager | 
| --webhook.embeddedSecretManagerConfig.type | string | (default “AWS”) | 
| --webhook.gcpSecretManager.sidecarImage | string | Specifies the sidecar docker image to use (default “gcr.io/google.com/cloudsdktool/cloud-sdk:alpine”) | 
| --webhook.listenPort | int | The port to use to listen to webhook calls. Defaults to 9443 (default 9443) | 
| --webhook.localCert | | Write certs locally. Defaults to false |
| --webhook.metrics-prefix | string | An optional prefix for all published metrics. (default “flyte:”) | 
| --webhook.secretName | string | Secret name to write generated certs to. (default “flyte-pod-webhook”) | 
| --webhook.serviceName | string | The name of the webhook service. (default “flyte-pod-webhook”) | 
| --webhook.servicePort | int32 | The port on the service that hosting webhook. (default 443) | 
| --webhook.vaultSecretManager.role | string | Specifies the vault role to use (default “flyte”) |