From a1673ae8e4a85b81537f9df594f342b0bb9bcc67 Mon Sep 17 00:00:00 2001 From: Erik Jacobs Date: Wed, 27 Sep 2023 03:19:55 -0400 Subject: [PATCH] adds a default clearml-core service account for the core components (#253) * adds a default clearml-core service account for the core components * Changed: use many sa * Fixed: sa name * Fixed: sa name * Fixed: sa name * Fixed: naming * Update README.md --------- Co-authored-by: Valeriano Manassero <14011549+valeriano-manassero@users.noreply.github.com> --- charts/clearml/Chart.yaml | 6 +++--- charts/clearml/README.md | 11 +++++++---- charts/clearml/templates/apiserver-deployment.yaml | 1 + .../clearml/templates/fileserver-deployment.yaml | 1 + charts/clearml/templates/serviceAccount.yaml | 14 ++++++++++++++ charts/clearml/templates/webserver-deployment.yaml | 1 + charts/clearml/values.yaml | 6 ++++++ 7 files changed, 33 insertions(+), 7 deletions(-) create mode 100644 charts/clearml/templates/serviceAccount.yaml diff --git a/charts/clearml/Chart.yaml b/charts/clearml/Chart.yaml index f355a31..8b11b84 100644 --- a/charts/clearml/Chart.yaml +++ b/charts/clearml/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: clearml description: MLOps platform type: application -version: "7.3.2" +version: "7.4.0" appVersion: "1.12.0" kubeVersion: ">= 1.21.0-0 < 1.29.0-0" home: https://clear.ml @@ -32,5 +32,5 @@ dependencies: condition: elasticsearch.enabled annotations: artifacthub.io/changes: | - - kind: fixed - description: missing serviceAccount for Elasticsearch + - kind: added + description: service accounts for core clearml components diff --git a/charts/clearml/README.md b/charts/clearml/README.md index acd928b..0719339 100644 --- a/charts/clearml/README.md +++ b/charts/clearml/README.md @@ -1,6 +1,6 @@ # ClearML Ecosystem for Kubernetes -![Version: 7.3.2](https://img.shields.io/badge/Version-7.3.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.12.0](https://img.shields.io/badge/AppVersion-1.12.0-informational?style=flat-square) +![Version: 7.4.0](https://img.shields.io/badge/Version-7.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.12.0](https://img.shields.io/badge/AppVersion-1.12.0-informational?style=flat-square) MLOps platform @@ -145,7 +145,7 @@ Kubernetes: `>= 1.21.0-0 < 1.29.0-0` | Key | Type | Default | Description | |-----|------|---------|-------------| -| apiserver | object | `{"additionalConfigs":{},"affinity":{},"containerSecurityContext":{},"enabled":true,"existingAdditionalConfigsConfigMap":"","existingAdditionalConfigsSecret":"","extraEnvs":[],"image":{"pullPolicy":"IfNotPresent","registry":"","repository":"allegroai/clearml","tag":"1.12.0-393"},"ingress":{"annotations":{},"enabled":false,"hostName":"api.clearml.127-0-0-1.nip.io","ingressClassName":"","path":"/","tlsSecretName":""},"initContainers":{"resources":{"limits":{"cpu":"10m","memory":"64Mi"},"requests":{"cpu":"10m","memory":"64Mi"}}},"nodeSelector":{},"podAnnotations":{},"podSecurityContext":{},"prepopulateEnabled":true,"processes":{"count":8,"maxRequests":1000,"maxRequestsJitter":300,"timeout":24000},"replicaCount":1,"resources":{"limits":{"cpu":"2000m","memory":"1Gi"},"requests":{"cpu":"100m","memory":"256Mi"}},"service":{"annotations":{},"nodePort":30008,"port":8008,"type":"NodePort"},"tolerations":[]}` | Api Server configurations | +| apiserver | object | `{"additionalConfigs":{},"affinity":{},"containerSecurityContext":{},"enabled":true,"existingAdditionalConfigsConfigMap":"","existingAdditionalConfigsSecret":"","extraEnvs":[],"image":{"pullPolicy":"IfNotPresent","registry":"","repository":"allegroai/clearml","tag":"1.12.0-393"},"ingress":{"annotations":{},"enabled":false,"hostName":"api.clearml.127-0-0-1.nip.io","ingressClassName":"","path":"/","tlsSecretName":""},"initContainers":{"resources":{"limits":{"cpu":"10m","memory":"64Mi"},"requests":{"cpu":"10m","memory":"64Mi"}}},"nodeSelector":{},"podAnnotations":{},"podSecurityContext":{},"prepopulateEnabled":true,"processes":{"count":8,"maxRequests":1000,"maxRequestsJitter":300,"timeout":24000},"replicaCount":1,"resources":{"limits":{"cpu":"2000m","memory":"1Gi"},"requests":{"cpu":"100m","memory":"256Mi"}},"service":{"annotations":{},"nodePort":30008,"port":8008,"type":"NodePort"},"serviceAccountName":"clearml","tolerations":[]}` | Api Server configurations | | apiserver.additionalConfigs | object | `{}` | files declared in this parameter will be mounted and read by apiserver (examples in values.yaml) if not overridden by existingAdditionalConfigsSecret | | apiserver.affinity | object | `{}` | Api Server affinity setup | | apiserver.containerSecurityContext | object | `{}` | Api Server containers security context | @@ -176,6 +176,7 @@ Kubernetes: `>= 1.21.0-0 < 1.29.0-0` | apiserver.service | object | `{"annotations":{},"nodePort":30008,"port":8008,"type":"NodePort"}` | Api Server internal service configuration | | apiserver.service.annotations | object | `{}` | specific annotation for Api Server service | | apiserver.service.nodePort | int | `30008` | If service.type set to NodePort, this will be set to service's nodePort field. If service.type is set to others, this field will be ignored | +| apiserver.serviceAccountName | string | `"clearml"` | The default serviceAccountName to be used | | apiserver.tolerations | list | `[]` | Api Server tolerations setup | | clearml | object | `{"apiserverKey":"GGS9F4M6XB2DXJ5AFT9F","apiserverSecret":"2oGujVFhPfaozhpuz2GzQfA5OyxmMsR3WVJpsCR5hrgHFs20PO","clientConfigurationApiUrl":"","clientConfigurationFilesUrl":"","cookieDomain":"","cookieName":"clearml-token-k8s","defaultCompany":"d1bd92a3b039400cbafc60a7a5b1e52b","existingSecret":"","fileserverKey":"XXCRJ123CEE2KSQ068WO","fileserverSecret":"YIy8EVAC7QCT4FtgitxAQGyW7xRHDZ4jpYlTE7HKiscpORl1hG","readinessprobeKey":"GK4PRTVT3706T25K6BA1","readinessprobeSecret":"ymLh1ok5k5xNUQfS944Xdx9xjf0wueokqKM2dMZfHuH9ayItG2","secureAuthTokenSecret":"ymLh1ok5k5xNUQfS944Xdx9xjf0wueokqKM2dMZfHuH9ayItG2","testUserKey":"ENP39EQM4SLACGD5FXB7","testUserSecret":"lPcm0imbcBZ8mwgO7tpadutiS3gnJD05x9j7afwXPS35IKbpiQ"}` | ClearMl generic configurations | | clearml.apiserverKey | string | `"GGS9F4M6XB2DXJ5AFT9F"` | Api Server basic auth key | @@ -200,7 +201,7 @@ Kubernetes: `>= 1.21.0-0 < 1.29.0-0` | externalServices.mongodbConnectionStringBackend | string | `"mongodb://mongodb_hostnamehostname:27017/backend"` | Existing MongoDB connection string for AUTH to use if mongodb.enabled is false (example in values.yaml) | | externalServices.redisHost | string | `"redis_hostname"` | Existing Redis Hostname to use if redis.enabled is false (example in values.yaml) | | externalServices.redisPort | int | `6379` | Existing Redis Port to use if redis.enabled is false | -| fileserver | object | `{"affinity":{},"containerSecurityContext":{},"enabled":true,"extraEnvs":[],"image":{"pullPolicy":"IfNotPresent","registry":"","repository":"allegroai/clearml","tag":"1.12.0-393"},"ingress":{"annotations":{},"enabled":false,"hostName":"files.clearml.127-0-0-1.nip.io","ingressClassName":"","path":"/","tlsSecretName":""},"initContainers":{"resources":{"limits":{"cpu":"10m","memory":"64Mi"},"requests":{"cpu":"10m","memory":"64Mi"}}},"nodeSelector":{},"podAnnotations":{},"podSecurityContext":{},"replicaCount":1,"resources":{"limits":{"cpu":"2000m","memory":"1Gi"},"requests":{"cpu":"100m","memory":"256Mi"}},"service":{"annotations":{},"nodePort":30081,"port":8081,"type":"NodePort"},"storage":{"data":{"accessMode":"ReadWriteOnce","class":"","existingPVC":"","size":"50Gi"},"enabled":true},"tolerations":[]}` | File Server configurations | +| fileserver | object | `{"affinity":{},"containerSecurityContext":{},"enabled":true,"extraEnvs":[],"image":{"pullPolicy":"IfNotPresent","registry":"","repository":"allegroai/clearml","tag":"1.12.0-393"},"ingress":{"annotations":{},"enabled":false,"hostName":"files.clearml.127-0-0-1.nip.io","ingressClassName":"","path":"/","tlsSecretName":""},"initContainers":{"resources":{"limits":{"cpu":"10m","memory":"64Mi"},"requests":{"cpu":"10m","memory":"64Mi"}}},"nodeSelector":{},"podAnnotations":{},"podSecurityContext":{},"replicaCount":1,"resources":{"limits":{"cpu":"2000m","memory":"1Gi"},"requests":{"cpu":"100m","memory":"256Mi"}},"service":{"annotations":{},"nodePort":30081,"port":8081,"type":"NodePort"},"serviceAccountName":"clearml","storage":{"data":{"accessMode":"ReadWriteOnce","class":"","existingPVC":"","size":"50Gi"},"enabled":true},"tolerations":[]}` | File Server configurations | | fileserver.affinity | object | `{}` | File Server affinity setup | | fileserver.containerSecurityContext | object | `{}` | File Server containers security context | | fileserver.enabled | bool | `true` | Enable/Disable component deployment | @@ -222,6 +223,7 @@ Kubernetes: `>= 1.21.0-0 < 1.29.0-0` | fileserver.service | object | `{"annotations":{},"nodePort":30081,"port":8081,"type":"NodePort"}` | File Server internal service configuration | | fileserver.service.annotations | object | `{}` | specific annotation for File Server service | | fileserver.service.nodePort | int | `30081` | If service.type set to NodePort, this will be set to service's nodePort field. If service.type is set to others, this field will be ignored | +| fileserver.serviceAccountName | string | `"clearml"` | The default serviceAccountName to be used | | fileserver.storage | object | `{"data":{"accessMode":"ReadWriteOnce","class":"","existingPVC":"","size":"50Gi"},"enabled":true}` | File server persistence settings | | fileserver.storage.data.accessMode | string | `"ReadWriteOnce"` | Access mode (must be ReadWriteMany if fileserver replica > 1) | | fileserver.storage.data.class | string | `""` | Storage class (use default if empty) | @@ -239,7 +241,7 @@ Kubernetes: `>= 1.21.0-0 < 1.29.0-0` | imageCredentials.username | string | `"someone"` | Registry username | | mongodb | object | `{"architecture":"standalone","auth":{"enabled":false},"enabled":true,"persistence":{"accessModes":["ReadWriteOnce"],"enabled":true,"size":"50Gi","storageClass":null},"replicaCount":1}` | Configuration from https://github.com/bitnami/charts/blob/master/bitnami/mongodb/values.yaml | | redis | object | `{"architecture":"standalone","auth":{"enabled":false},"databaseNumber":0,"enabled":true,"master":{"name":"{{ .Release.Name }}-redis-master","persistence":{"accessModes":["ReadWriteOnce"],"enabled":true,"size":"5Gi","storageClass":null},"port":6379}}` | Configuration from https://github.com/bitnami/charts/blob/master/bitnami/redis/values.yaml | -| webserver | object | `{"additionalConfigs":{},"affinity":{},"containerSecurityContext":{},"enabled":true,"extraEnvs":[],"image":{"pullPolicy":"IfNotPresent","registry":"","repository":"allegroai/clearml","tag":"1.12.0-393"},"ingress":{"annotations":{},"enabled":false,"hostName":"app.clearml.127-0-0-1.nip.io","ingressClassName":"","path":"/","tlsSecretName":""},"initContainers":{"resources":{"limits":{"cpu":"10m","memory":"64Mi"},"requests":{"cpu":"10m","memory":"64Mi"}}},"nodeSelector":{},"podAnnotations":{},"podSecurityContext":{},"replicaCount":1,"resources":{"limits":{"cpu":"2000m","memory":"1Gi"},"requests":{"cpu":"100m","memory":"256Mi"}},"service":{"annotations":{},"nodePort":30080,"port":8080,"type":"NodePort"},"tolerations":[]}` | Web Server configurations | +| webserver | object | `{"additionalConfigs":{},"affinity":{},"containerSecurityContext":{},"enabled":true,"extraEnvs":[],"image":{"pullPolicy":"IfNotPresent","registry":"","repository":"allegroai/clearml","tag":"1.12.0-393"},"ingress":{"annotations":{},"enabled":false,"hostName":"app.clearml.127-0-0-1.nip.io","ingressClassName":"","path":"/","tlsSecretName":""},"initContainers":{"resources":{"limits":{"cpu":"10m","memory":"64Mi"},"requests":{"cpu":"10m","memory":"64Mi"}}},"nodeSelector":{},"podAnnotations":{},"podSecurityContext":{},"replicaCount":1,"resources":{"limits":{"cpu":"2000m","memory":"1Gi"},"requests":{"cpu":"100m","memory":"256Mi"}},"service":{"annotations":{},"nodePort":30080,"port":8080,"type":"NodePort"},"serviceAccountName":"clearml","tolerations":[]}` | Web Server configurations | | webserver.additionalConfigs | object | `{}` | Additional specific webserver configurations | | webserver.affinity | object | `{}` | Web Server affinity setup | | webserver.containerSecurityContext | object | `{}` | Web Server containers security context | @@ -262,4 +264,5 @@ Kubernetes: `>= 1.21.0-0 < 1.29.0-0` | webserver.service | object | `{"annotations":{},"nodePort":30080,"port":8080,"type":"NodePort"}` | Web Server internal service configuration | | webserver.service.annotations | object | `{}` | specific annotation for Web Server service | | webserver.service.nodePort | int | `30080` | If service.type set to NodePort, this will be set to service's nodePort field. If service.type is set to others, this field will be ignored | +| webserver.serviceAccountName | string | `"clearml"` | The default serviceAccountName to be used | | webserver.tolerations | list | `[]` | Web Server tolerations setup | diff --git a/charts/clearml/templates/apiserver-deployment.yaml b/charts/clearml/templates/apiserver-deployment.yaml index 7d71731..9f9e2df 100644 --- a/charts/clearml/templates/apiserver-deployment.yaml +++ b/charts/clearml/templates/apiserver-deployment.yaml @@ -19,6 +19,7 @@ spec: labels: {{- include "apiserver.selectorLabels" . | nindent 8 }} spec: + serviceAccountName: {{ .Values.apiserver.serviceAccountName }}-apiserver {{- if .Values.imageCredentials.enabled }} imagePullSecrets: {{- if .Values.imageCredentials.existingSecret }} diff --git a/charts/clearml/templates/fileserver-deployment.yaml b/charts/clearml/templates/fileserver-deployment.yaml index e25e715..e8a93ba 100644 --- a/charts/clearml/templates/fileserver-deployment.yaml +++ b/charts/clearml/templates/fileserver-deployment.yaml @@ -19,6 +19,7 @@ spec: labels: {{- include "fileserver.selectorLabels" . | nindent 8 }} spec: + serviceAccountName: {{ .Values.fileserver.serviceAccountName }}-fileserver {{- if .Values.imageCredentials.enabled }} imagePullSecrets: {{- if .Values.imageCredentials.existingSecret }} diff --git a/charts/clearml/templates/serviceAccount.yaml b/charts/clearml/templates/serviceAccount.yaml new file mode 100644 index 0000000..d22d4b5 --- /dev/null +++ b/charts/clearml/templates/serviceAccount.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.apiserver.serviceAccountName }}-apiserver +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.fileserver.serviceAccountName }}-fileserver +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Values.webserver.serviceAccountName }}-webserver diff --git a/charts/clearml/templates/webserver-deployment.yaml b/charts/clearml/templates/webserver-deployment.yaml index fc25e61..a0a86d1 100644 --- a/charts/clearml/templates/webserver-deployment.yaml +++ b/charts/clearml/templates/webserver-deployment.yaml @@ -19,6 +19,7 @@ spec: labels: {{- include "webserver.selectorLabels" . | nindent 8 }} spec: + serviceAccountName: {{ .Values.webserver.serviceAccountName }}-webserver {{- if .Values.imageCredentials.enabled }} imagePullSecrets: {{- if .Values.imageCredentials.existingSecret }} diff --git a/charts/clearml/values.yaml b/charts/clearml/values.yaml index ed77ec2..77df56f 100644 --- a/charts/clearml/values.yaml +++ b/charts/clearml/values.yaml @@ -58,6 +58,8 @@ apiserver: enabled: true # -- Enable/Disable example data load prepopulateEnabled: true + # -- The default serviceAccountName to be used + serviceAccountName: clearml # -- Api Server image configuration image: registry: "" @@ -172,6 +174,8 @@ apiserver: fileserver: # -- Enable/Disable component deployment enabled: true + # -- The default serviceAccountName to be used + serviceAccountName: clearml # -- File Server image configuration image: registry: "" @@ -254,6 +258,8 @@ fileserver: webserver: # -- Enable/Disable component deployment enabled: true + # -- The default serviceAccountName to be used + serviceAccountName: clearml # -- Web Server image configuration image: registry: ""