Add new settings including SSO, advanced db volumes, and DNS / host o…
…verrides

Updates for dev tools and mysql
vanpelt authored Nov 7, 2022
2 parents c855622 + 24795d4 commit 596be1b
Showing 11 changed files with 145 additions and 21 deletions.
22 changes: 9 additions & 13 deletions .github/workflows/lint-test.yaml
@@ -13,9 +13,9 @@ jobs:
fetch-depth: 0

- name: Set up Helm
uses: azure/setup-helm@v1
uses: azure/setup-helm@v3.4
with:
version: v3.8.1
version: v3.9.0

# Python is required because `ct lint` runs Yamale (https://github.com/23andMe/Yamale) and
# yamllint (https://github.com/adrienverge/yamllint) which require Python
@@ -25,9 +25,9 @@ jobs:
python-version: "3.10"

- name: Set up chart-testing
uses: helm/chart-testing-action@v2.2.1
uses: helm/chart-testing-action@v2.3.1
with:
version: v3.5.1
version: v3.7.1

- name: Run chart-testing (list-changed)
id: list-changed
@@ -37,20 +37,16 @@ jobs:
echo "::set-output name=changed::true"
fi
- name: Temporary yaml patching (can be removed when --helm-extra-set-args is added post v3.5.1)
env:
LICENSE: ${{ secrets.LICENSE }}
run: |
echo "license: $LICENSE" >> charts/wandb/ci/basic-values.yaml
- name: Run chart-testing (lint)
run: ct lint --config ct.yaml

- name: Create kind cluster
uses: helm/kind-action@v1.2.0
uses: helm/kind-action@v1.4.0
with:
version: v0.14.0
version: v0.16.0
if: steps.list-changed.outputs.changed == 'true'

- name: Run chart-testing (install)
run: ct install --config ct.yaml
env:
LICENSE: ${{ secrets.LICENSE }}
run: ct install --config ct.yaml --helm-extra-set-args --set=license=$LICENSE
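Review bot: The install step expands the license secret unquoted onto the command line (`--helm-extra-set-args --set=license=$LICENSE`), so a value containing whitespace or glob characters is word-split by the shell, and Helm's `--set` parser treats commas in the value as syntax. Quoting the whole extra-args string, `run: ct install --config ct.yaml --helm-extra-set-args "--set-string=license=${LICENSE}"`, keeps it a single argument; if the license format can contain commas it needs escaping or a values file instead. The bumped actions are referenced by mutable tags (`azure/setup-helm@v3.4`, `helm/chart-testing-action@v2.3.1`, `helm/kind-action@v1.4.0`), and chart-testing-action installs the `ct` binary that is later handed `secrets.LICENSE`; pinning each action to a full commit SHA stops a retagged release from running next to that secret.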
4 changes: 2 additions & 2 deletions charts/wandb/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
name: wandb
description: A Helm chart for deploying W&B to Kubernetes
type: application
version: 0.1.3
appVersion: "0.11.0"
version: 0.2.0
appVersion: "0.22.0"
icon: https://wandb.ai/logo.svg
maintainers:
- name: wandb
1 change: 1 addition & 0 deletions charts/wandb/ci/basic-values.yaml
@@ -1,3 +1,4 @@
enableAdminApi: true
resources:
requests:
cpu: 100m
20 changes: 20 additions & 0 deletions charts/wandb/templates/_helpers.tpl
@@ -68,3 +68,23 @@ Create the name of the service account to use
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}

{{/*
MySQL version guess
*/}}
{{- define "wandb.mysqlVersion" -}}
{{- if or (eq .Values.mysql.image.tag "latest") (hasPrefix "8" .Values.mysql.image.tag) }}
{{- default "8" .Values.mysql.version }}
{{- else }}
{{- default "5" .Values.mysql.version }}
{{- end }}
{{- end }}

{{/*
SQL configuration helpers, MySQL 8 needs session variable permissions
*/}}
{{- define "wandb.extraMysqlGrants" -}}
{{- if eq (include "wandb.mysqlVersion" .) "8" }}
{{- printf "SESSION_VARIABLES_ADMIN," -}}
{{- end }}
{{- end }}
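Review bot: `wandb.extraMysqlGrants` compares the rendered version with exactly `"8"`, so an operator who sets `mysql.version` to `"8.0"` silently gets neither the `SESSION_VARIABLES_ADMIN` grant nor the MySQL 8 block in mysql.yaml that uses the same comparison; `{{- if hasPrefix "8" (include "wandb.mysqlVersion" .) }}` accepts both spellings. In `wandb.mysqlVersion`, both `eq` and `hasPrefix` expect a string, so an unquoted `tag: 8.0` (a float after YAML parsing) makes the template fail to render; wrapping the value as `(toString .Values.mysql.image.tag)` avoids that. The `MySQL version guess` comment could also say that `mysql.version` overrides the guess and that any tag other than `latest` or one starting with `8` is treated as MySQL 5.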
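--- a/charts/wandb/templates/configmap.yaml
+++ b/charts/wandb/templates/configmap.yaml
@@ -0,0 +1,15 @@
+{{- if .Values.customCACerts }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+name: {{ include "wandb.fullname" . }}-ca-certs
+labels:
+{{- include "wandb.labels" . | nindent 4 }}
+data:
+{{- range $index, $pem := .Values.customCACerts }}
+customCA{{$index}}.crt: |-
+{{- range splitList "\n" $pem }}
+{{ . }}
+{{- end }}
+{{- end }}
+{{- end }}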
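Review bot: Running pods will not pick up later edits to this ConfigMap, because deployment.yaml in this commit mounts each key with `subPath`, so removing or replacing a CA only takes effect after a restart. A pod-template annotation such as `checksum/ca-certs: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}`, modelled on the `checksum/config` annotation in mysql.yaml, would force the rollout. Nothing here checks that an entry of `customCACerts` is non-empty PEM before it becomes a trusted root file. A comment above `data:` saying that every entry is added to the container's trust store would help whoever reviews values changes. The inner `splitList "\n"` loop could probably be replaced with `{{- $pem | trim | nindent 4 }}`, though this rendering has lost indentation, so the width needs checking against the file.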
46 changes: 44 additions & 2 deletions charts/wandb/templates/deployment.yaml
@@ -65,11 +65,32 @@ spec:
secretKeyRef:
name: {{ include "wandb.fullname" . }}-secrets
key: LICENSE
{{- if .Values.sso.enabled }}
- name: OIDC_ISSUER
value: {{ .Values.sso.issuer }}
- name: OIDC_AUTH_METHOD
value: {{ default "implicit" .Values.sso.method }}
- name: OIDC_CLIENT_ID
value: {{ .Values.sso.clientId }}
{{- if .Values.sso.clientSecret }}
- name: OIDC_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: {{ include "wandb.fullname" . }}-secrets
key: CLIENT_SECRET
{{- end }}
- name: GORILLA_DISABLE_SSO_PROVISIONING
value: "{{ not .Values.sso.autoProvision }}"
{{- end}}
{{- if .Values.enableAdminApi }}
- name: GLOBAL_ADMIN_API_KEY
valueFrom:
secretKeyRef:
name: {{ include "wandb.fullname" . }}-secrets
key: ADMIN_API_KEY
- name: GORILLA_INSECURE_ALLOW_API_KEY_ADMIN_ACCESS
value: "true"
{{- end }}
- name: WANDB_HELM_CHART
value: {{ include "wandb.fullname" . }}:{{ .Chart.Version }}
{{- if .Values.smtpServer }}
@@ -79,6 +100,10 @@ spec:
name: {{ include "wandb.fullname" . }}-secrets
key: SMTP_SERVER
{{- end }}
{{- if .Values.extraCors }}
- name: GORILLA_CORS_ORIGINS
value: {{ .Values.extraCors }}
{{- end }}
{{- if .Values.bucket }}
- name: BUCKET
valueFrom:
@@ -120,13 +145,25 @@ spec:
path: /ready
port: http
failureThreshold: 120
{{- if not .Values.bucket }}
volumeMounts:
{{- if not .Values.bucket }}
- name: wandb-data
mountPath: /vol
{{- if .Values.subPath }}
subPath: {{ .Values.subPath }}
{{- end }}
{{- end }}
{{- range $index, $v := .Values.customCACerts }}
- name: wandb-ca-certs
mountPath: /usr/local/share/ca-certificates/customCA{{$index}}.crt
subPath: customCA{{$index}}.crt
{{- end }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
hostAliases:
{{- with .Values.hostAliases }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
@@ -139,12 +176,17 @@ spec:
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if or (not .Values.bucket) .Values.existingClaim }}
volumes:
{{- if or (not .Values.bucket) .Values.existingClaim }}
- name: wandb-data
persistentVolumeClaim:
claimName: {{ .Values.existingClaim | default (include "wandb.volumeClaim" .) }}
{{- end }}
{{- if .Values.customCACerts }}
- name: wandb-ca-certs
configMap:
name: {{ include "wandb.fullname" . }}-ca-certs
{{- end }}
---
{{- if and (not .Values.bucket) (not .Values.existingClaim) }}
kind: PersistentVolumeClaim
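Review bot: The new SSO and CORS env entries render their values unquoted and unchecked (`value: {{ .Values.sso.issuer }}`, `{{ .Values.sso.clientId }}`, `{{ .Values.extraCors }}`), so with `sso.enabled: true` and the empty defaults from values.yaml the pod starts with an empty `OIDC_ISSUER` instead of failing at render time, and an all-digit client ID is emitted as a number, which is not a valid env value. Suggested form: `value: {{ required "sso.issuer is required when sso.enabled is true" .Values.sso.issuer | quote }}`, the same for `sso.clientId`, and `value: {{ .Values.extraCors | quote }}`. `hostAliases:` is now emitted even when the list is empty; moving the key inside the `with` block, as `nodeSelector` does just below, avoids a bare null key. `GORILLA_INSECURE_ALLOW_API_KEY_ADMIN_ACCESS` deserves a one-line comment on what it relaxes, since `enableAdminApi` alone switches it on.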
4 changes: 4 additions & 0 deletions charts/wandb/templates/ingress.yaml
@@ -22,6 +22,10 @@ metadata:
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
# When we're hosting the bucket we override the default 50m post limit
{{- if not .Values.bucket }}
nginx.ingress.kubernetes.io/proxy-body-size: "0"
{{- end }}
spec:
{{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
ingressClassName: {{ .Values.ingress.className }}
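Review bot: `nginx.ingress.kubernetes.io/proxy-body-size: "0"` removes the request-body limit for every path on this ingress whenever `bucket` is unset, leaving upload size bounded only by the backing storage. A configurable ceiling, e.g. `nginx.ingress.kubernetes.io/proxy-body-size: {{ .Values.ingress.proxyBodySize | default "0" | quote }}` (`ingress.proxyBodySize` being a new values key), lets operators keep a limit. The added lines sit after the `{{- end }}` that closes the user-annotations block. If that block is a `with` that also emits the `annotations:` key (its opening is above the hunk, so this is inferred), the new annotation is rendered without an `annotations:` parent when `ingress.annotations` is empty.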
27 changes: 25 additions & 2 deletions charts/wandb/templates/mysql.yaml
@@ -18,6 +18,7 @@ spec:
{{- toYaml . | nindent 8 }}
{{- end }}
# TODO: ideally only create the checksum when the DB password is rotated
# TODO: add the config map to this calculation / put it in a helper
checksum/config: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
labels:
{{- include "wandb.selectorLabels" . | nindent 8 }}
@@ -74,6 +75,8 @@ spec:
value: {{ default "wandb_local" .Values.mysql.user | quote }}
- name: MYSQL_DATABASE
value: {{ default "wandb_local" .Values.mysql.database | quote }}
- name: MYSQL
value: "mysql://$(MYSQL_USER):$(MYSQL_PASSWORD)@localhost/$(MYSQL_DATABASE)"
{{- if .Values.mysql.command }}
command: {{ .Values.mysql.command }}
{{- else }}
@@ -103,6 +106,11 @@ spec:
{{- end }}
- name: mysql-initdb
mountPath: /docker-entrypoint-initdb.d
- name: mysql-initdb
mountPath: /etc/mysql/
{{- if .Values.mysql.persistence.extraVolumeMounts }}
{{ toYaml .Values.mysql.persistence.extraVolumeMounts | nindent 8 }}
{{- end }}
volumes:
- name: mysql-initdb
configMap:
@@ -114,15 +122,30 @@ spec:
{{- else }}
emptyDir: {}
{{- end }}
{{- if .Values.mysql.persistence.extraVolumes }}
{{ toYaml .Values.mysql.persistence.extraVolumes | nindent 6 }}
{{- end }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: mysql-initdb-config
data:
# We need RELOAD for making backups
my.cnf: |
[mysqld]
binlog_format = 'ROW'
innodb_online_alter_log_max_size = 268435456
sync_binlog = 1
innodb_flush_log_at_trx_commit = 1
binlog_row_image = 'MINIMAL'
local-infile = 1
{{- if eq (include "wandb.mysqlVersion" .) "8" }}
sort_buffer_size = 33554432
{{- end }}
# TODO wire through user settings
# We need RELOAD, SELECT, and LOCK TABLES for making backups
initdb.sql: |
GRANT RELOAD ON *.* TO `wandb_local`@`%`;
GRANT {{ include "wandb.extraMysqlGrants" . }}RELOAD,SELECT,LOCK TABLES ON *.* TO `{{ default "wandb_local" .Values.mysql.user }}`@`%`;
---
{{- if and .Values.mysql.persistence.enabled (not .Values.mysql.persistence.existingClaim) }}
kind: PersistentVolumeClaim
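Review bot: The rewritten grant in `initdb.sql` gives the application account `SELECT` and `LOCK TABLES` on `*.*` from any host, which includes read access to the `mysql` system schema, while the comment only justifies backups. `RELOAD` and `SESSION_VARIABLES_ADMIN` are global privileges and have to stay on `*.*`, but the other two could be scoped to the application database if backups only cover it, as a second statement: ``GRANT SELECT, LOCK TABLES ON `{{ default "wandb_local" .Values.mysql.database }}`.* TO `{{ default "wandb_local" .Values.mysql.user }}`@`%`;``. `local-infile = 1` in the new `my.cnf` enables `LOAD DATA LOCAL` on the server and has no comment saying which feature needs it. The `mysql-initdb` ConfigMap is now also mounted over `/etc/mysql/`, which hides whatever the image ships in that directory and places `initdb.sql` beside `my.cnf`; a separate ConfigMap or a `subPath` mount for `my.cnf` would keep the two apart.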
3 changes: 3 additions & 0 deletions charts/wandb/templates/secrets.yaml
@@ -24,4 +24,7 @@ data:
{{- end }}
{{- if .Values.bucket }}
BUCKET: {{ .Values.bucket | b64enc }}
{{- end}}
{{- if .Values.sso.clientSecret }}
CLIENT_SECRET: {{ .Values.clientSecret | b64enc }}
{{- end}}
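Review bot: The new `CLIENT_SECRET` entry is guarded by `.Values.sso.clientSecret` but encodes `.Values.clientSecret`, a key that the values.yaml changes in this commit do not define, so setting an SSO client secret either fails to render (`b64enc` on a missing value) or stores an empty secret. The line should read `CLIENT_SECRET: {{ .Values.sso.clientSecret | b64enc }}`. The opening of the `data:` map is above the hunk.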
3 changes: 2 additions & 1 deletion charts/wandb/templates/tests/test-connection.yaml
@@ -18,8 +18,9 @@ spec:
secretKeyRef:
name: {{ include "wandb.fullname" . }}-secrets
key: ADMIN_API_KEY
# wandb verify is terribly flaky, there's a PR up to fix it until then we try 3 times
command:
- sh
- -c
- "pip install protobuf==3.20.1 wandb && wandb verify"
- "pip install wandb && (wandb verify || (sleep 10 && wandb verify) || (sleep 10 && wandb verify))"
restartPolicy: Never
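Review bot: `pip install wandb` now pulls whatever versions PyPI serves at test time, in a pod spec whose env (just above the command) references `ADMIN_API_KEY`, and the previous `protobuf==3.20.1` pin is gone. Pinning the client, `pip install wandb==<PINNED_VERSION>` (placeholder), ideally from a hash-checked requirements file with `--require-hashes`, keeps the test reproducible and limits what code runs next to the admin key. The three-attempt retry could be written as a small loop so the attempt count and sleep are visible in one place. The pod spec starts above the hunk.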
21 changes: 20 additions & 1 deletion charts/wandb/values.yaml
@@ -7,6 +7,8 @@ image:

# Required for production environments
license:
# If set to true we'll provision an admin user and allow admin api access
enableAdminApi: false
# If using S3 be sure the pod has valid IAM creds, if using minio
# you can include the creds in the bucket url, i.e.
# !!! Be sure to use the externally accessible host / ingress,
@@ -32,6 +34,12 @@ imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""

# dns hostAliases, generally only used in development
hostAliases: []
# Custom CA's to make SSL verification work for self signed certs
# You'll likely want to use `--set-file customCACerts={/path/to/rootCA.crt}`
customCACerts: []

serviceAccount:
create: true
annotations: {}
@@ -54,6 +62,17 @@ service:
type: ClusterIP
port: 8080

sso:
enabled: false
# Automatically provision a user if SSO auth succeeds
autoProvision: true
issuer:
# Can be implicit or pkce
method: implicit
clientId:
# Optional, only if your IDP requires it
clientSecret:

ingress:
enabled: false
className: ""
@@ -94,7 +113,7 @@ mysql:
image:
pullPolicy: IfNotPresent
repository: mysql/mysql-server
tag: latest
tag: "8.0"
resources:
requests:
cpu: 1000m
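Review bot: The new `sso` block defaults `method` to `implicit`, the OIDC flow that returns tokens in the browser redirect and that current OAuth security guidance advises against. Since the comment says `pkce` is also accepted, `method: pkce` would be the safer default, provided the server's pkce path works with the IdPs you target; deployment.yaml's `default "implicit"` would need the same change. `autoProvision: true` means any identity the IdP authenticates gets an account, and the comment could say so outright so that operators on a shared IdP tenant turn it off. `enableAdminApi` was inserted directly under the bare `license:` key, which reads as if it belonged to `license`; a blank line before its comment would separate them.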
