diff --git a/apps/mlflow/kustomization.yaml b/apps/mlflow/kustomization.yaml
new file mode 100644
index 0000000..8a5b596
--- /dev/null
+++ b/apps/mlflow/kustomization.yaml
@@ -0,0 +1,34 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: mlflow
+
+resources:
+- namespace.yaml
+- minio-pvc.yaml
+- minio-deployment.yaml
+- minio-service.yaml
+- minio-ingress.yaml
+- mlflow-deployment.yaml
+- mlflow-ingress.yaml
+- mlflow-service.yaml
+
+generators:
+- secret-generator.yaml
+
+helmCharts:
+- name: postgresql
+ releaseName: postgresql
+ version: 13.2.24
+ repo: oci://registry-1.docker.io/bitnamicharts
+ namespace: mlflow
+ valuesInline:
+ auth:
+ enablePostgresUser: false
+ existingSecret: postgres-secret
+ username: mlflow
+ database: mlflow_db
+ primary:
+ persistence:
+ enabled: true
+ storageClass: retain-local-path
+
diff --git a/apps/mlflow/minio-admin-secret.enc.yaml b/apps/mlflow/minio-admin-secret.enc.yaml
new file mode 100644
index 0000000..1955977
--- /dev/null
+++ b/apps/mlflow/minio-admin-secret.enc.yaml
@@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Secret +metadata: + name: minio-admin-secret + namespace: mlflow +stringData: + MINIO_ROOT_USER: ENC[AES256_GCM,data:JxKzZPR6S0a/2XKoxDFOOg==,iv:CsCxYsB7DP2vRtkohcp7ysC54xGP2EdWCFwjWe/PjRA=,tag:F/2gFpm2GQ4P/EM8hFRZUw==,type:str] + MINIO_ROOT_PASSWORD: ENC[AES256_GCM,data:wxo/pZJ6IDGg+zZqspqJ2brLfx8=,iv:EoNk2k+F6BUEGik09hs65fo2RNGFYsUlzvNQoGeij1o=,tag:a47V7C8A0jVV3NCZk3JJmw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age14dgmts59tc2gv2xu9305auvu854n3pfl8vkheqzzqyrygyeequ0sjhl92v + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1QldsSWZWdkFWaDEySnJ3 + ZnVBVXVRSlNhWmd5dGZqcktNQ2xlTnkvYzNzCkxvWVNFeTFCMWpmVG5qck1YRWVE + eXA4VFlaNmN3NFlGT29MY2g0aENQNE0KLS0tIFhCT3J2SzFEbkJXWFdySlJyM29V + Tm1UMlBJQTcyVjJtUm0zSzcwYXNtWkEKOKntF52e4vpT3cED78RVdDl5bStVDRYF + YuEuM1RVwnT5zEkTAQxG+77r18OfF6FZnJQNPHsrdhZn23CQV8yXlQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-12-11T21:14:05Z" + mac: ENC[AES256_GCM,data:iSiR7v0NzAAtuR097Sl+YtgXUDLxjVi7AcIYMyjcNmsoFN3y52M9TqP/JhC2jP+4g7RSuwJtHA7/LIokGuFS2zPrCBrg2ODUr+8Wiw4KFbvO7y1mLm6t1K5p6wrf/Yv8Hom0jeES0tVjOkQtEOTpxNk/xWHqlhhyqNw5bpvldYE=,iv:gkLQD/o/3YnZ77sGdpnlUJLk3mPiKLJyrydPzdscNJc=,tag:cW2DwDtcgCt0eepgrmL3yA==,type:str] + pgp: [] + unencrypted_regex: ^(apiVersion|metadata|kind|type)$ + version: 3.8.1 diff --git a/apps/mlflow/minio-deployment.yaml b/apps/mlflow/minio-deployment.yaml new file mode 100644 index 0000000..1e076c2 --- /dev/null +++ b/apps/mlflow/minio-deployment.yaml 
@@ -0,0 +1,35 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: minio
+ namespace: mlflow
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: minio
+ template:
+ metadata:
+ labels:
+ app: minio
+ spec:
+ containers:
+ - name: minio
+ image: quay.io/minio/minio:RELEASE.2023-12-09T18-17-51Z
+ command:
+ - /bin/bash
+ - -c
+ args:
+ - minio server /data --console-address :9001
+ volumeMounts:
+ - mountPath: /data
+ name: minio-data
+ envFrom:
+ - secretRef:
+ name: minio-admin-secret
+ volumes:
+ - name: minio-data
+ persistentVolumeClaim:
+ claimName: minio-data
+
+
diff --git a/apps/mlflow/minio-ingress.yaml b/apps/mlflow/minio-ingress.yaml
new file mode 100755
index 0000000..a09e0d0
--- /dev/null
+++ b/apps/mlflow/minio-ingress.yaml
@@ -0,0 +1,19 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: minio-ingress
+ namespace: mlflow
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`minio.namesny.com`)
+ kind: Rule
+ services:
+ - name: minio-svc
+ port: 9001
+ - match: Host(`s3.namesny.com`)
+ kind: Rule
+ services:
+ - name: minio-svc
+ port: 9000
diff --git a/apps/mlflow/minio-pvc.yaml b/apps/mlflow/minio-pvc.yaml
new file mode 100755
index 0000000..028d538
--- /dev/null
+++ b/apps/mlflow/minio-pvc.yaml
@@ -0,0 +1,12 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: minio-data
+ namespace: mlflow
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 10Gi
+ storageClassName: retain-local-path
diff --git a/apps/mlflow/minio-service.yaml b/apps/mlflow/minio-service.yaml
new file mode 100755
index 0000000..79c531b
--- /dev/null
+++ b/apps/mlflow/minio-service.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: minio-svc
+ namespace: minio
+spec:
+ selector:
+ app: minio
+ type: ClusterIP
+ ports:
+ - name: minio-api
+ protocol: TCP
+ port: 9000
+ targetPort: 9000
+ - name: minio-console
+ protocol: TCP
+ port: 9001
+ targetPort: 9001
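Review bot: The `minio` container in minio-deployment.yaml sets no `securityContext`, so it runs as whatever user the image defaults to while holding the MinIO root credentials from `minio-admin-secret`. Add a container-level `securityContext` with `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}`, plus `runAsNonRoot: true` once ownership of the `/data` volume allows it. The `/bin/bash -c` wrapper looks unnecessary; passing `server`, `/data`, `--console-address`, `:9001` as separate `args` keeps a shell out of the process tree (confirm against the image's entrypoint). With one replica on a ReadWriteOnce claim, `strategy: {type: Recreate}` avoids a rollout in which the new pod waits for a volume the old pod still holds.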
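Review bot: The console route (port 9001) in minio-ingress.yaml is published on `websecure` with no middleware, so the only barrier is MinIO's own login, which accepts the root credentials; mlflow-ingress.yaml in this commit does put `auth-authelia@kubernetescrd` in front of its route. Add the same entry under `middlewares:` on the console route (`- name: "auth-authelia@kubernetescrd"`), or keep the console off the ingress and reach it by port-forward. The S3 API route (port 9000) cannot sit behind forward-auth because clients sign their requests, so an IP allow-list middleware is the option there if it does not need to be reachable from everywhere. Neither route has a `tls:` block, which is fine only if TLS is configured on the entrypoint itself; that is not visible in this diff.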
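Review bot: `namespace: minio` in minio-service.yaml disagrees with every other manifest in this commit, which all use `mlflow`. It only works because `namespace: mlflow` in kustomization.yaml rewrites it at build time; applied directly, the Service would land in a namespace that the IngressRoute and the init container's `minio-svc.mlflow.svc.cluster.local` address do not look in. Change the line to `namespace: mlflow` so the file is correct on its own.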
diff --git a/apps/mlflow/minio-user-secret.enc.yaml b/apps/mlflow/minio-user-secret.enc.yaml new file mode 100644 index 0000000..b9ee09f --- /dev/null +++ b/apps/mlflow/minio-user-secret.enc.yaml @@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Secret +metadata: + name: minio-user-secret + namespace: mlflow +stringData: + AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:msIdjmwl3WHW70M8XfmcxA==,iv:XPKHyeg5LKTw520JESMMtihj0pssNw56n+hvGwZk6g0=,tag:2wODLJrtUHjnwbphUpS6ew==,type:str] + AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:mybhUMqDdy/P1eN7nFVPhxM+4PA=,iv:4e45iHScWtxlvFdt4qJnF/JcO0+ExHN27H2+k9d1zXo=,tag:iJKROqnRlulzrXpPZ1zedQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age14dgmts59tc2gv2xu9305auvu854n3pfl8vkheqzzqyrygyeequ0sjhl92v + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrdXRGdlNhRWhyQUk0ZGlw + YWt4QW5vdnI3M1dXYmdGbGVtQ2M3Q0RnREhJCm9oMUdmQzhXVDdNcTJpMGZoS3pn + SzRQVWZ5OUtZOUV3dDRDUHB4NWJpUUEKLS0tIDFnUWNGY3pLM1hCYlZ6U042R1Fs + Y2dhYUF5SDlEYUt3TFIwSm9ZLzdrcWMK+0YHn6O4ztkvvI4n3luTE42WEZXIpTMk + x5sTpPTrjC+aY1K/mOvYeeifl/OzF47xSIhkz/CHb3XzS9qu9L6t8Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-12-11T21:15:06Z" + mac: ENC[AES256_GCM,data:SgNbDhrGxOcmkv6GqZzz59sI8+r4or3sL/wD/5kfzPmU8KNo6y5g505R98KN86/Y7Qrmz7HRYNu4u6+qwUmxP4sRMQZGY+hL8J4nRmWHfhadiWqcLcGXBesbwyrsHqyMp18DnOZm4BHE1LX2JNEvr7e+3ey/CTpugUWwUyeTqp8=,iv:+vakqD9RvH7FX303JAkVo6+NCSnbMm35FU0OOvI+jYE=,tag:TWgy5pnEOBtmSGq1OOA9oQ==,type:str] + pgp: [] + unencrypted_regex: ^(apiVersion|metadata|kind|type)$ + version: 3.8.1 diff --git a/apps/mlflow/mlflow-deployment.yaml b/apps/mlflow/mlflow-deployment.yaml new file mode 100644 index 0000000..98bbe19 --- /dev/null +++ b/apps/mlflow/mlflow-deployment.yaml 
@@ -0,0 +1,48 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: mlflow
+ namespace: mlflow
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: mlflow
+ template:
+ metadata:
+ labels:
+ app: mlflow
+ spec:
+ imagePullSecrets:
+ - name: gitea-regcred
+ initContainers:
+ - name: init-s3-bucket
+ image: minio/mc
+ command: ["/bin/sh", "-c"]
+ args:
+ - until mc alias set mlflow-minio http://minio-svc.mlflow.svc.cluster.local:9000 $MINIO_ROOT_USER $MINIO_ROOT_PASSWORD; do sleep 5; done;
+ mc admin user add mlflow-minio $AWS_ACCESS_KEY_ID $AWS_SECRET_ACCESS_KEY;
+ mc admin policy attach mlflow-minio readwrite --user $AWS_ACCESS_KEY_ID;
+ mc mb mlflow-minio/mlflow;
+ exit 0;
+ envFrom:
+ - secretRef:
+ name: minio-admin-secret
+ - secretRef:
+ name: minio-user-secret
+ containers:
+ - name: mlflow
+ image: git.namesny.com/cluster/mlflow:2.9.1
+ imagePullPolicy: Always
+ args:
+ - --host=0.0.0.0
+ - --port=5000
+ envFrom:
+ - secretRef:
+ name: mlflow-secret
+ - secretRef:
+ name: minio-user-secret
+ ports:
+ - name: http
+ containerPort: 5000
+ protocol: TCP
diff --git a/apps/mlflow/mlflow-ingress.yaml b/apps/mlflow/mlflow-ingress.yaml
new file mode 100755
index 0000000..c046eef
--- /dev/null
+++ b/apps/mlflow/mlflow-ingress.yaml
@@ -0,0 +1,16 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: mlflow-ingress
+ namespace: mlflow
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`mlflow.namesny.com`)
+ kind: Rule
+ middlewares:
+ - name: "auth-authelia@kubernetescrd"
+ services:
+ - name: mlflow-svc
+ port: 5000
diff --git a/apps/mlflow/mlflow-secret.enc.yaml b/apps/mlflow/mlflow-secret.enc.yaml
new file mode 100644
index 0000000..978cae0
--- /dev/null
+++ b/apps/mlflow/mlflow-secret.enc.yaml
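Review bot: The `init-s3-bucket` container in mlflow-deployment.yaml pulls `minio/mc` with no tag, so an unpinned `latest` image runs with the MinIO root credentials on every pod start; pin a release tag or digest. The same container expands all four credentials unquoted, which breaks on values containing whitespace or glob characters, and the trailing `exit 0` reports success even when the bucket was never created. The built-in `readwrite` policy also covers every bucket on the server, so a custom policy limited to the `mlflow` bucket would be closer to least privilege. The excerpt below quotes the variables, uses `mc mb --ignore-existing` and lets that command's status decide the result; the rest of the Deployment is unchanged.

```yaml
initContainers:
  - name: init-s3-bucket
    # Placeholder tag: pin a specific mc release or an image digest.
    image: minio/mc:<PINNED_RELEASE_TAG>
    command: ["/bin/sh", "-c"]
    args:
      - |
        until mc alias set mlflow-minio http://minio-svc.mlflow.svc.cluster.local:9000 "$MINIO_ROOT_USER" "$MINIO_ROOT_PASSWORD"; do sleep 5; done
        mc admin user add mlflow-minio "$AWS_ACCESS_KEY_ID" "$AWS_SECRET_ACCESS_KEY"
        mc admin policy attach mlflow-minio readwrite --user "$AWS_ACCESS_KEY_ID"
        # Last command: its exit status becomes the init container's status.
        mc mb --ignore-existing mlflow-minio/mlflow
    # … unchanged: envFrom with minio-admin-secret and minio-user-secret …
```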
@@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Secret +metadata: + name: mlflow-secret + namespace: mlflow +stringData: + MLFLOW_BACKEND_STORE_URI: ENC[AES256_GCM,data:uYVz7MxGaqbq0Z7Jwr+cLIt+ofiseKPDf7/QEnwiQpgwoISSGbVgDNvayYwJjfBlyuIsCQhFEw8fnp1KEL61fwBui00wzp+5VguW5QiJXhE=,iv:C5Y6QJkKu84QJ4KvA/4mkDn8HqTCk/EUkLssiaJ4KFg=,tag:HuPVO/+W4nmZmc5xcscpmQ==,type:str] + MLFLOW_S3_ENDPOINT_URL: ENC[AES256_GCM,data:qJU+bWfWJ0fQcGBRibM4n4EFih8rKQ==,iv:UOdBuc8fWPpmvC8rjJrKxdHkovLHP1WRXEsQ5GZ4+XU=,tag:nzHEOB8pDdZuycGFFoSoIQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age14dgmts59tc2gv2xu9305auvu854n3pfl8vkheqzzqyrygyeequ0sjhl92v + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPcWx6a3Nhbzl4Zm1GRFI4 + cW5takJaVlB0Y0lBek5QeVBYUTkwbDNLNEh3CnlEUzJKcHRVTGRNZ0lCRDZkKzV0 + SE5wSFpjT0svK1I1TktldGtKQ2RwTXMKLS0tIDBxRFVHZW5sUFMxSnBoV2RhMy9t + NjA5TFhhQ0JPOXhwU2ZLSk9icGhYT0EKPO8HiQkIDmokLcMkgUkgQ6NSbTRNcx1E + cOhss9NCdaQIe729Op4uAfYzTxxST7yfGvamwfHI/PRoH4uhMJIzhw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-12-11T22:04:56Z" + mac: ENC[AES256_GCM,data:Mz8fBrcUREHDVGCn6LK3kBXDSk/RaVJwnWS6vZtcGAjWUtk0OnKw9BbchRixRXNcQigf/HR5xAk/E8e+T4hbc42n468d6DSq0g1Iat5BojZDU8RV1Duec1Uc6LjxsD6ii+xwA09oEs+UnXvnulxWTsnh5GtYBYOi+OqXBPtCtTA=,iv:D1WSU0sCbaA/CLSFPyA6yG1kwXInlepgtup0KdRdTd4=,tag:2RFm5tNymwQy0s+MFxUmkA==,type:str] + pgp: [] + unencrypted_regex: ^(apiVersion|metadata|kind|type)$ + version: 3.8.1 diff --git a/apps/mlflow/mlflow-service.yaml b/apps/mlflow/mlflow-service.yaml new file mode 100755 index 0000000..ca44927 --- /dev/null +++ b/apps/mlflow/mlflow-service.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Service +metadata: + name: mlflow-svc + namespace: mlflow +spec: + selector: + app: mlflow + type: ClusterIP + ports: + - protocol: TCP + port: 5000 + targetPort: 5000 diff --git a/apps/mlflow/namespace.yaml b/apps/mlflow/namespace.yaml new file mode 100755 index 0000000..70f0aa3 --- /dev/null 
+++ b/apps/mlflow/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: mlflow diff --git a/apps/mlflow/postgres-secret.enc.yaml b/apps/mlflow/postgres-secret.enc.yaml new file mode 100644 index 0000000..1eaadab --- /dev/null +++ b/apps/mlflow/postgres-secret.enc.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Secret +metadata: + name: postgres-secret + namespace: mlflow +stringData: + password: ENC[AES256_GCM,data:G74Y+VhZJLx1,iv:JBHIRIJCT9gcKjVxopEV+CFEGsrnqzKUZ3i2b112SO8=,tag:E3Q+bYwF8Dk8/+yFr5N3cQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age14dgmts59tc2gv2xu9305auvu854n3pfl8vkheqzzqyrygyeequ0sjhl92v + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVVWJjTFJZMTFTdmJwWmMv + YnNRdDBwcm9ReUo1dXZYZTRST2czMExIYzBFCkJJOEFZOTZrWDRQSGtYNjRNaW5H + Zk5zak5SNmpGMWphVU4yL1lqZnpGaDQKLS0tIGRwdFJZSW1CNEJIVVpVYUtaTE80 + THgxQkFKWWlVekppMkpJL2RPMFRVVkUKZFB3iLeIIF3sxyNbpynq1C0M8SuMHQrO + t1TyRC8dUL3m5Umijwm42en+aZIGGY8P6TyDvsU+6L3n5MhVutAGmw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-12-11T21:16:20Z" + mac: ENC[AES256_GCM,data:hDNBBV/iTJHow8lzOYCMhuoQFQhMTxedHqmYQ/jf8eFBvPnsxfPv9wwafCjos0uKXPSMo9vrsfTs3A2QI3L9pGnzMDWk1VPxLwjbZ6M+GD+Winn5qwFpGt0w0uJBO3btL1AZPdYlNWnQljXFMvfk0r+MmeTV8W7iwK7LSfQ26Sg=,iv:s2WcEcxW72cdCHgoKXprBqKHx+IZicDFgtTCVvVt/0c=,tag:JxrTN05ZIMzZ2NzvkPkzNw==,type:str] + pgp: [] + unencrypted_regex: ^(apiVersion|metadata|kind|type)$ + version: 3.8.1 diff --git a/apps/mlflow/registry-secret.enc.yaml b/apps/mlflow/registry-secret.enc.yaml new file mode 100644 index 0000000..56a5b92 --- /dev/null +++ b/apps/mlflow/registry-secret.enc.yaml 
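Review bot: The `mlflow` Namespace in namespace.yaml carries no Pod Security Admission labels, so the pods added in this commit, none of which set a `securityContext`, are admitted under whatever the cluster-wide default happens to be. Add `labels:` under `metadata:` with `pod-security.kubernetes.io/enforce: baseline` (and `pod-security.kubernetes.io/warn: restricted` to see what tightening would break). No NetworkPolicy is added for the namespace either; one that limits ingress to MinIO and PostgreSQL to the mlflow pod and the ingress controller would narrow the exposure of both data stores.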
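Review bot: In postgres-secret.enc.yaml the `password` ciphertext is far shorter than the other encrypted values in this commit. SOPS encrypts each value with AES-GCM without padding, so the stored length shows that the database password is only a few characters long. The encrypted file is readable by anyone with repository access, so replace it with a generated value of 32 or more random characters before the chart first initialises the database. The copy that is presumably embedded in `MLFLOW_BACKEND_STORE_URI` in mlflow-secret.enc.yaml would need updating in the same change.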
@@ -0,0 +1,28 @@ +apiVersion: v1 +data: + .dockerconfigjson: ENC[AES256_GCM,data:81lEiqTzN770axbtzxlTXjacUAcW1cmyp39vyhQ6LIyyu0/35pti53AFjYhge437GuM4hiB2JBPcbgIhrVXOcqFSt66L+eg4B2o3B2Ahv29sZVoDEws7f1x6A+q4/npjMOt+FHSVWoI4tE2XTTkQSKC8YHIGn9F5fEbimp1ttwp3TqudArixxWh0GKrchiS9V0GH/t+2zEbUUHHw39BvFUJnnOc72np4U4G44BOo3wENS4u6zXmMBtXECQY2vkKy3uOipqChgUDENPq8JomIOrU0N2qxzXWArveVmbESj2dg3zJBbYwGNoJQzmEFzj0kkH/kpRTFOpMtofwhwRpMYm7AgeMWuJ9m2RxnO7rIK/8OcbkB,iv:kN9ZlSchoBKSn6XtYQ6s5JzD4Ojo1QRVJwNFSD0a0jE=,tag:NaTiRAY3QBYwH1luRJHS9Q==,type:str] +kind: Secret +metadata: + name: gitea-regcred + namespace: mlflow +type: kubernetes.io/dockerconfigjson +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age14dgmts59tc2gv2xu9305auvu854n3pfl8vkheqzzqyrygyeequ0sjhl92v + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZG1sWnZXcnZXTE51alNG + SHBBRVhNSjRnb1A4K0JTeFRDeTFzYzhPTUNnCmhycUNtMVJUdjJqV2o5RGo2bXc3 + eXdhOVdkN0VadVNMekhQZkNJalU5ZUEKLS0tIFAzZW5MS0VzV2ZpNG5wQWNtY2Zs + OENCcGxSVTloZ2laOC8wZWlxRkhGOVUKl/98ZX2imzvlJwMNs7xQoImq1yMCaSOS + XazndINml8T3giDCThFgW3cl2UwgV0VdL7HGKWg8YNzpkoPzu/yFag== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-12-11T21:37:17Z" + mac: ENC[AES256_GCM,data:LAjODj2bwCBP/PvRHqY7lK8DepVG8Ok1CvulPZBoIefIDm7itxK3xyz3BKztPF0femiv8V3P2QzOb3zgPj4SXUSli9KpV/GCm1MbwO1o7m/HC78dHCdNiJEpIosSXBgb5laJBZhfuilJwxCc4KTA69jLbw25lLAIfUiHL6hMIjs=,iv:7mJvniuUuugfCB5J9fcHmhixjyJGPrEDYRl3VpHBBJA=,tag:5rAjl7nUwioABABmOnACKg==,type:str] + pgp: [] + unencrypted_regex: ^(apiVersion|metadata|kind|type)$ + version: 3.8.1 diff --git a/apps/mlflow/secret-generator.yaml b/apps/mlflow/secret-generator.yaml new file mode 100644 index 0000000..e44fa59 --- /dev/null +++ b/apps/mlflow/secret-generator.yaml 
@@ -0,0 +1,14 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+ name: mlflow-secret-generator
+ annotations:
+ config.kubernetes.io/function: |
+ exec:
+ path: ksops
+files:
+- ./mlflow-secret.enc.yaml
+- ./minio-admin-secret.enc.yaml
+- ./minio-user-secret.enc.yaml
+- ./postgres-secret.enc.yaml
+- ./registry-secret.enc.yaml
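Review bot: `path: ksops` in the exec annotation of secret-generator.yaml is resolved through the PATH of whatever process runs `kustomize build`, and that binary runs with access to the age private key. Where the build environment is under your control, prefer an absolute path to the installed binary so a different `ksops` earlier on PATH cannot be picked up. A comment at the top of the file, such as `# build with: kustomize build --enable-alpha-plugins --enable-exec --enable-helm`, would record why a plain `kustomize build` fails on this directory.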