Skip to content

Commit

Permalink
Merge remote-tracking branch 'origin/sebastian/prod-2981-set-up-catal…
Browse files Browse the repository at this point in the history
…og-pipeline' into sebastian/prod-2981-set-up-catalog-pipeline
  • Loading branch information
maciaszczykm committed Dec 17, 2024
2 parents bc0799d + 2eaf0f7 commit 981db6b
Show file tree
Hide file tree
Showing 20 changed files with 538 additions and 3 deletions.
4 changes: 2 additions & 2 deletions catalogs/data/airbyte/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ This is a baseline, prod ready airbyte installation using Plural. It includes a
* RDS/Google Cloud Sql, Azure Flexible Server to handle postgres. This gives you a robust RDBMS service to hold airbyte's core transactional data.
* Plural OIDC to handle authentication to Airbyte. Airbyte does not support this natively, and so we use oauth-proxy as a middleware to handle authentication.

In addtion, there are a few common customizations you might want to do.
In addition, there are a few common customizations you might want to do.

## Configure Basic Auth

Expand Down Expand Up @@ -80,4 +80,4 @@ when building your application.

## Contributing

If there are any features or documentation you'd like to add to this setup, please feel free to contribute back at https://github.com/pluralsh/scaffolds
If there are any features or documentation you'd like to add to this setup, please feel free to contribute back at https://github.com/pluralsh/scaffolds
1 change: 1 addition & 0 deletions catalogs/data/airbyte/airbyte-servicedeployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ spec:
cluster: {{ context.cluster }}
hostname: {{ context.hostname }}
bucket: {{ context.bucket }}
region: {{ context.region }}
clusterRef:
kind: Cluster
name: {{ context.cluster }}
Expand Down
2 changes: 1 addition & 1 deletion catalogs/data/airbyte/helm/airbyte.yaml.liquid
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ global:
type: S3
storageSecretName: airbyte-airbyte-secrets
s3:
region: us-east-2
region: {{ configuration.region }}
authenticationType: credentials
accessKeyId: {{ imports[imports_airbyte_key].access_key_id }}
accessKeyIdSecretKey: AWS_ACCESS_KEY_ID
Expand Down
7 changes: 7 additions & 0 deletions catalogs/data/mlflow/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
# Mlflow

This is a baseline, prod-ready Mlflow installation using Plural.

## Contributing

If there are any features or documentation you'd like to add to this setup, please feel free to contribute back at https://github.com/pluralsh/scaffolds.
43 changes: 43 additions & 0 deletions catalogs/data/mlflow/helm/mlflow.yaml.liquid
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
{% raw %}
{% assign imports_mlflow_key = 'mlflow-' | append: configuration.cluster %}
tracking:
enabled: true
podAnnotations:
security.plural.sh/oauth-env-secret: mlflow-proxy-config
podLabels:
security.plural.sh/inject-oauth-sidecar: "true"
auth:
enabled: false
service:
type: ClusterIP
externalDatabase:
dialectDriver: "postgresql"
host: {{ imports[imports_mlflow_key].postgres_host }}
port: '5432'
user: 'mlflow'
database: 'mlflow'
authDatabase: 'mlflow_auth'
password: {{ imports[imports_airbyte_key].postgres_password }}
externalS3:
host: {{ configuration.region }}.amazonaws.com
port: 443
useCredentialsInSecret: true
accessKeyID: {{imports[imports_airbyte_key].access_key_id}}
accessKeySecret: {{imports[imports_airbyte_key].secret_access_key}}
existingSecret: ~
existingSecretAccessKeyIDKey: AWS_ACCESS_KEY_ID
existingSecretKeySecretKey: AWS_SECRET_ACCESS_KEY
protocol: "https"
bucket: {{ configuration.bucket }}
serveArtifacts: true
postgresql:
enabled: false
minio:
enabled: false
{% endraw %}
28 changes: 28 additions & 0 deletions catalogs/data/mlflow/helm/oauth-proxy-config.yaml.liquid
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
{% raw %}
{% assign imports_mlflow_key = 'mlflow-' | append: configuration.cluster %}
service:
name: mlflow-oauth2-proxy
selector:
app.kubernetes.io/instance: mlflow
app.kubernetes.io/name: webapp
secret:
clientID: {{ imports[imports_mlflow_key].oidc_client_id }}
clientSecret: {{ imports[imports_mlflow_key].oidc_client_secret }}
cookieSecret: {{ imports[imports_mlflow_key].oidc_cookie_secret }}
issuer: https://oidc.plural.sh/
upstream: http://localhost:8080
name: mlflow-proxy-config
env:
OAUTH2_PROXY_UPSTREAM_TIMEOUT: '120s'
{% if configuration["basicAuth"] %}
{% assign basicAuth = configuration["basicAuth"] | from_json %}
users:
{% for user in basicAuth %}
{{ user[0] }}: {{ user[1] }}
{% endfor %}
{% endif %}
{% endraw %}
20 changes: 20 additions & 0 deletions catalogs/data/mlflow/mlflow-raw-servicedeployment.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
apiVersion: deployments.plural.sh/v1alpha1
kind: ServiceDeployment
metadata:
name: mlflow-raw-{{ context.cluster }}
namespace: apps
spec:
namespace: mlflow
git:
folder: services/apps/mlflow
ref: main
repositoryRef:
kind: GitRepository
name: infra
namespace: infra
configuration:
hostname: {{ context.hostname }}
clusterRef:
kind: Cluster
name: {{ context.cluster }}
namespace: infra
35 changes: 35 additions & 0 deletions catalogs/data/mlflow/mlflow-servicedeployment.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
apiVersion: deployments.plural.sh/v1alpha1
kind: ServiceDeployment
metadata:
name: mlflow-{{ context.cluster }}
namespace: apps
spec:
namespace: mflow
git:
folder: helm/mlflow/{{ context.cluster }}
ref: main
repositoryRef:
kind: GitRepository
name: infra
namespace: infra
helm:
version: "2.x.x"
chart: mlflow
release: mlflow
ignoreHooks: false
url: https://charts.bitnami.com/bitnami
valuesFiles:
- mlflow.yaml.liquid
imports:
- stackRef:
name: mlflow-{{ context.cluster }}
namespace: apps
configuration:
cluster: {{ context.cluster }}
hostname: {{ context.hostname }}
bucket: {{ context.bucket }}
region: {{ context.region }}
clusterRef:
kind: Cluster
name: {{ context.cluster }}
namespace: infra
22 changes: 22 additions & 0 deletions catalogs/data/mlflow/mlflow-stack.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
apiVersion: deployments.plural.sh/v1alpha1
kind: InfrastructureStack
metadata:
name: mlflow-{{ context.cluster }}
namespace: apps
spec:
detach: false
type: TERRAFORM
approval: true
manageState: true
actor: [email protected]
git:
ref: main
folder: terraform/apps/mlflow/{{ context.cluster }}
repositoryRef:
name: infra
namespace: infra
configuration:
version: '1.8'
clusterRef:
name: {{ context.cluster }}
namespace: infra
31 changes: 31 additions & 0 deletions catalogs/data/mlflow/oauth-proxy-config-servicedeployment.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
apiVersion: deployments.plural.sh/v1alpha1
kind: ServiceDeployment
metadata:
name: mlflow-oauth-proxy-config-{{ context.cluster }}
namespace: apps
spec:
namespace: mlflow
git:
folder: helm/mlflow/{{ context.cluster }}
ref: main
repositoryRef:
kind: GitRepository
name: infra
namespace: infra
helm:
version: "x.x.x"
chart: oidc-config
url: https://pluralsh.github.io/module-library
valuesFiles:
- oauth-proxy-config.yaml.liquid
imports:
- stackRef:
name: mlflow-{{ context.cluster }}
namespace: apps
configuration:
cluster: {{ context.cluster }}
hostname: {{ context.hostname }}
clusterRef:
kind: Cluster
name: {{ context.cluster }}
namespace: infra
33 changes: 33 additions & 0 deletions catalogs/data/mlflow/services/oauth-proxy-ingress.yaml.liquid
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
{% raw %}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: mlflow-webapp-proxy
namespace: mlflow
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
kubernetes.io/tls-acme: "true"
# Extend timeout to allow long running queries.
nginx.ingress.kubernetes.io/proxy-connect-timeout: "300"
nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/use-regex: "true"
spec:
ingressClassName: nginx
rules:
- host: {{ configuration.hostname }}
http:
paths:
- backend:
service:
name: mlflow-oauth2-proxy
port:
number: 80
path: /.*
pathType: ImplementationSpecific
tls:
- hosts:
- {{ configuration.hostname }}
secretName: mlflow-tls
{% endraw %}
37 changes: 37 additions & 0 deletions catalogs/data/mlflow/terraform/aws/iam.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@

resource "aws_iam_policy" "mlflow" {
name_prefix = "mlflow"
description = "policy for the plural admin mlflow"
policy = data.aws_iam_policy_document.mlflow.json
}

resource "aws_iam_user" "mlflow" {
name = "${data.plural_cluster.cluster.name}-mlflow"

depends_on = [ data.plural_cluster.cluster ]
}

resource "aws_iam_access_key" "mlflow" {
user = aws_iam_user.mlflow.name
}

data "aws_iam_policy_document" "mlflow" {
statement {
sid = "admin"
effect = "Allow"
actions = ["s3:*"]

resources = [
"arn:aws:s3:::${var.mlflow_bucket}",
"arn:aws:s3:::${var.mlflow_bucket}/*",
]
}
}

resource "aws_iam_policy_attachment" "mlflow-user" {
name = "${data.plural_cluster.cluster.name}-mlflow-policy"
users = [aws_iam_user.mlflow.name]
policy_arn = aws_iam_policy.mlflow.arn

depends_on = [ data.plural_cluster.cluster ]
}
15 changes: 15 additions & 0 deletions catalogs/data/mlflow/terraform/aws/oidc.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
resource "random_password" "oidc_cookie" {
length = 24
min_lower = 1
min_numeric = 1
min_upper = 1
special = false
}

resource "plural_oidc_provider" "mlflow" {
name = "mlflow-{{ context.cluster }}"
auth_method = "BASIC"
type = "PLURAL"
description = "OIDC provider for mlflow deployed to the {{ context.cluster }} cluster"
redirect_uris = ["https://{{ context.hostname }}/oauth2/callback"]
}
32 changes: 32 additions & 0 deletions catalogs/data/mlflow/terraform/aws/outputs.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
output "access_key_id" {
value = aws_iam_access_key.mlflow.id
}

output "secret_access_key" {
value = aws_iam_access_key.mlflow.secret
sensitive = true
}

output "postgres_host" {
value = try(module.db.db_instance_address, "")
}

output "postgres_password" {
value = random_password.password.result
sensitive = true
}

output "oidc_cookie_secret" {
value = random_password.oidc_cookie.result
sensitive = true
}

output "oidc_client_id" {
value = plural_oidc_provider.mlflow.client_id
sensitive = true
}

output "oidc_client_secret" {
value = plural_oidc_provider.mlflow.client_secret
sensitive = true
}
3 changes: 3 additions & 0 deletions catalogs/data/mlflow/terraform/aws/plural.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
data "plural_cluster" "cluster" {
handle = var.cluster_name
}
Loading

0 comments on commit 981db6b

Please sign in to comment.