From 35341f2f9d845ea7c94a9a4bf6a3e46ff374b119 Mon Sep 17 00:00:00 2001 From: Rafal Skolasinski Date: Fri, 8 Mar 2024 14:40:37 +0000 Subject: [PATCH] Add Seldon Deploy v2.2.0 Helm Chart (#62) --- helm-charts/seldon-deploy/Chart.yaml | 4 +- .../seldon-deploy/templates/deployment.yaml | 12 +- .../templates/role-seldon-deploy-role.yaml | 479 +++++++++--------- .../rolebinding-seldon-deploy-role.yaml | 12 +- helm-charts/seldon-deploy/values.yaml | 25 +- 5 files changed, 280 insertions(+), 252 deletions(-) diff --git a/helm-charts/seldon-deploy/Chart.yaml b/helm-charts/seldon-deploy/Chart.yaml index 1bf0540..fdbd98f 100644 --- a/helm-charts/seldon-deploy/Chart.yaml +++ b/helm-charts/seldon-deploy/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: "2.2.0-rc7" +appVersion: "2.2.0" description: A Helm chart for Kubernetes name: seldon-deploy -version: 2.2.0-rc7 +version: 2.2.0 diff --git a/helm-charts/seldon-deploy/templates/deployment.yaml b/helm-charts/seldon-deploy/templates/deployment.yaml index 62654a9..59e67e1 100644 --- a/helm-charts/seldon-deploy/templates/deployment.yaml +++ b/helm-charts/seldon-deploy/templates/deployment.yaml @@ -55,6 +55,8 @@ spec: {{- end}} - name: "ENABLE_READ_NAMESPACES" value: "{{ .Values.rbac.readNamespaces }}" + - name: "ENABLED_NAMESPACES" + value: "{{ join "," .Values.rbac.namespaces }}" - name: "CORE_V1_CRD_AVAILABLE" value: "{{ .Values.seldon.enabled }}" - name: "CORE_V2_CRD_AVAILABLE" @@ -85,6 +87,10 @@ spec: value: "{{ .Values.workflow.securityContext.runAsUser }}" - name: "WORKFLOW_SECURITY_CONTEXT_FS_GROUP" value: "{{ .Values.workflow.securityContext.fsGroup }}" + - name: "CLIENTGO_RATELIMITER_QPS" + value: "{{ .Values.clientGo.rateLimiter.qps }}" + - name: "CLIENTGO_RATELIMITER_BURST" + value: "{{ .Values.clientGo.rateLimiter.burst }}" {{- if .Values.gitops.fileFormat }} - name: "GITOPS_FORMAT" value: "{{ .Values.gitops.fileFormat }}" 
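Review bot: In the first deployment.yaml hunk, `ENABLED_NAMESPACES` is rendered from `.Values.rbac.namespaces` alone, while the Role and RoleBinding templates in this commit append `.Release.Namespace` to that list, so the application is told about a different set of namespaces than the one it holds roles in. If the release namespace is meant to be implied, say so in a template comment above the variable; otherwise build the value from the same list, e.g. `value: {{ append .Values.rbac.namespaces .Release.Namespace | uniq | join "," | quote }}`. With the default `namespaces: []` the value renders as an empty string, and how the application treats that next to `ENABLE_READ_NAMESPACES` is not visible here. The env block starts and ends outside the hunk.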
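Review bot: In the second deployment.yaml hunk, both new variables dereference `.Values.clientGo.rateLimiter.*` without a guard. On `helm upgrade --reuse-values` from a release that predates this key, the new chart defaults are not merged in, so rendering would likely stop with a nil-pointer error. A nil-safe form keeps that upgrade path working, e.g. `value: {{ dig "rateLimiter" "qps" 250 (.Values.clientGo | default dict) | quote }}` and the same for `burst`. The env block continues outside the hunk.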
@@ -354,8 +360,6 @@ spec: resources: {{ toYaml .Values.resources | indent 12 }} volumeMounts: - - name: custom-theme - mountPath: "/seldon-deploy/custom-theme" {{- if and .Values.gitops.git.secret .Values.gitops.argocd.enabled }} - name: ssh-known-hosts mountPath: "/etc/ssh" @@ -379,10 +383,6 @@ spec: readOnly: true {{- end}} volumes: - - name: custom-theme - secret: - secretName: seldon-deploy-custom-theme - optional: true {{- if and .Values.gitops.git.secret .Values.gitops.argocd.enabled }} - name: ssh-known-hosts secret: diff --git a/helm-charts/seldon-deploy/templates/role-seldon-deploy-role.yaml b/helm-charts/seldon-deploy/templates/role-seldon-deploy-role.yaml index 80e4ec2..2c0e0b1 100644 --- a/helm-charts/seldon-deploy/templates/role-seldon-deploy-role.yaml +++ b/helm-charts/seldon-deploy/templates/role-seldon-deploy-role.yaml 
@@ -1,239 +1,252 @@ +{{- $namespaces := .Values.rbac.namespaces -}} +{{- $namespaces = append $namespaces .Release.Namespace -}} + {{- if .Values.rbac.create }} +{{- range $namespaces }} +--- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - creationTimestamp: null name: seldon-deploy-role - namespace: '{{ .Release.Namespace }}' + namespace: {{ . }} rules: - - apiGroups: - - argoproj.io - resources: - - workflows - verbs: - - get - - list - - watch - - create - - delete - - apiGroups: - - 'apiextensions.k8s.io' - resources: - - customresourcedefinitions - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - services - verbs: - - get - - list - - watch - - apiGroups: - - apps - resources: - - deployments - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - pods - verbs: - - get - - list - - watch - - apiGroups: - - batch - resources: - - jobs - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - autoscaling - resources: - - horizontalpodautoscalers/status - verbs: - - get - - patch - - update - - apiGroups: - - machinelearning.seldon.io - resources: - - seldondeployments - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - machinelearning.seldon.io - resources: - - seldondeployments/finalizers - verbs: - - get - - patch - - update - - apiGroups: - - machinelearning.seldon.io - resources: - - seldondeployments/status - verbs: - - get - - patch - - update - - apiGroups: - - mlops.seldon.io - resources: - - pipelines - - models - - experiments - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - mlops.seldon.io - resources: - - pipelines/finalizers - - models/finalizers - - experiments/finalizers - verbs: - - get - - patch - - update - - apiGroups: - - mlops.seldon.io - resources: - - pipelines/status - - models/status - - experiments/status - verbs: - - get - - patch - - update - - 
apiGroups: - - networking.istio.io - resources: - - destinationrules - verbs: - - get - - list - - watch - - apiGroups: - - networking.istio.io - resources: - - destinationrules/status - verbs: - - get - - apiGroups: - - networking.istio.io - resources: - - virtualservices - verbs: - - get - - list - - watch - - apiGroups: - - networking.istio.io - resources: - - virtualservices/status - verbs: - - get - - apiGroups: - - security.istio.io - resources: - - authorizationpolicies - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - v1 - resources: - - services - verbs: - - get - - list - - watch - - apiGroups: - - v1 - resources: - - services/status - verbs: - - get - - apiGroups: - - '' - resources: - - configmaps - verbs: - - create - - update - - get - - list - - watch - - apiGroups: - - '' - resources: - - secrets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - serving.knative.dev - resources: - - services - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - eventing.knative.dev - resources: - - triggers - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - eventing.knative.dev - resources: - - brokers - verbs: - - get - {{- end }} +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - argoproj.io + resources: + - workflows + verbs: + - get + - list + - watch + - create + - delete +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch +- apiGroups: + - batch + resources: + - jobs + verbs: + - create + - delete + - get + - list + 
- patch + - update + - watch +- apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers/status + verbs: + - get + - patch + - update +- apiGroups: + - machinelearning.seldon.io + resources: + - seldondeployments + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - machinelearning.seldon.io + resources: + - seldondeployments/finalizers + verbs: + - get + - patch + - update +- apiGroups: + - machinelearning.seldon.io + resources: + - seldondeployments/status + verbs: + - get + - patch + - update +- apiGroups: + - mlops.seldon.io + resources: + - pipelines + - models + - experiments + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - mlops.seldon.io + resources: + - pipelines/finalizers + - models/finalizers + - experiments/finalizers + verbs: + - get + - patch + - update +- apiGroups: + - mlops.seldon.io + resources: + - pipelines/status + - models/status + - experiments/status + verbs: + - get + - patch + - update +- apiGroups: + - networking.istio.io + resources: + - destinationrules + verbs: + - get + - list + - watch +- apiGroups: + - networking.istio.io + resources: + - destinationrules/status + verbs: + - get +- apiGroups: + - networking.istio.io + resources: + - virtualservices + verbs: + - get + - list + - watch +- apiGroups: + - networking.istio.io + resources: + - virtualservices/status + verbs: + - get +- apiGroups: + - security.istio.io + resources: + - authorizationpolicies + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - v1 + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - v1 + resources: + - services/status + verbs: + - get +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - update + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - 
serving.knative.dev + resources: + - services + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - eventing.knative.dev + resources: + - triggers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - eventing.knative.dev + resources: + - brokers + verbs: + - get +{{- end }} +{{- end }} diff --git a/helm-charts/seldon-deploy/templates/rolebinding-seldon-deploy-role.yaml b/helm-charts/seldon-deploy/templates/rolebinding-seldon-deploy-role.yaml index e64dfba..535a53a 100644 --- a/helm-charts/seldon-deploy/templates/rolebinding-seldon-deploy-role.yaml +++ b/helm-charts/seldon-deploy/templates/rolebinding-seldon-deploy-role.yaml @@ -1,15 +1,21 @@ +{{- $namespaces := .Values.rbac.namespaces -}} +{{- $namespaces = append $namespaces .Release.Namespace -}} + {{- if .Values.rbac.create }} +{{- range $namespaces }} +--- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: seldon-deploy-rolebinding - namespace: '{{ .Release.Namespace }}' + namespace: {{ . }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: seldon-deploy-role subjects: - kind: ServiceAccount - name: {{ include "seldon-deploy.serviceAccountName" . }} - namespace: '{{ .Release.Namespace }}' + name: {{ include "seldon-deploy.serviceAccountName" $ }} + namespace: '{{ $.Release.Namespace }}' +{{- end }} {{- end }} diff --git a/helm-charts/seldon-deploy/values.yaml b/helm-charts/seldon-deploy/values.yaml index 5de3f17..c9ddde3 100644 --- a/helm-charts/seldon-deploy/values.yaml +++ b/helm-charts/seldon-deploy/values.yaml @@ -19,7 +19,7 @@ loadtest: image: seldonio/hey-loadtester:0.2 alibidetect: - image: seldonio/alibi-detect-server:1.17.1 + image: seldonio/alibi-detect-server:1.18.1 nameOverride: "" fullnameOverride: "" 
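Review bot: In role-seldon-deploy-role.yaml the list built by `append $namespaces .Release.Namespace` is not de-duplicated, so listing the release namespace in `rbac.namespaces` renders two `seldon-deploy-role` documents for one namespace and the install will most likely fail; rolebinding-seldon-deploy-role.yaml opens with the same two lines and has the same problem. Suggested: `{{- $namespaces := append .Values.rbac.namespaces .Release.Namespace | uniq -}}`, and `namespace: {{ . | quote }}` to restore the quoting the replaced line had, since names such as `123` or `true` are valid namespaces but would not parse as strings. The new first rule grants `get`/`list`/`watch` on `namespaces` from a namespaced Role; namespaces are cluster-scoped, so `list` and `watch` granted this way probably have no effect and only `get` on the Role's own namespace would apply. Each listed namespace also receives the existing create/delete/patch access to `secrets`, which deserves a template comment such as `{{- /* one Role per namespace in rbac.namespaces; includes write access to secrets */ -}}`.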
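Review bot: In rolebinding-seldon-deploy-role.yaml the RoleBinding and the Role it references keep fixed names (`seldon-deploy-rolebinding`, `seldon-deploy-role`) while now being created in namespaces other than the release's own, so two releases that list the same namespace would presumably collide on ownership of those objects. Prefixing both with the release name, e.g. `name: {{ $.Release.Name }}-seldon-deploy-rolebinding` with a matching `roleRef.name`, would avoid that, at the cost of renaming existing objects on upgrade. The chart also does not create the listed namespaces, so a typo in `rbac.namespaces` will only surface as a failed install; a note in the values comment would cover that.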
@@ -115,13 +115,18 @@ workflow: runAsUser: 1000 fsGroup: 1000 +clientGo: + rateLimiter: + qps: 250 + burst: 250 + batchjobs: processor: - image: seldonio/seldon-core-s2i-python37:1.17.1 + image: seldonio/seldon-core-s2i-python38:1.18.1 processorV2: - image: seldonio/mlserver:1.4.0.rc5-slim + image: seldonio/mlserver:1.4.0-slim storageInitializer: - image: seldonio/rclone-storage-initializer:1.17.1 + image: seldonio/rclone-storage-initializer:1.18.1 pvc: defaultSize: 1Gi resources: @@ -183,11 +188,15 @@ virtualService: rbac: create: true - #clusterWide rbac is needed for deploy to see and create resources in different namespaces + # clusterWide rbac is needed for deploy to see and create resources in different namespaces clusterWide: true - #reading namespaces is needed for single deploy to be used across namespaces, even if rbac gets added for each specific namespace - #for single namespace mode with just namespaced roles, turn off cluserWide and turn off readNamespaces + # reading namespaces is needed for single deploy to be used across namespaces, even if rbac gets added for each specific namespace + # for single namespace mode with just namespaced roles, turn off cluserWide and turn off readNamespaces readNamespaces: true + # local roles for Seldon Deploy will be created + # in these namespaces (in addition to .Release.Namespace) + # when rbac.create is true. + namespaces: [] nsLabelsAuth: enabled: false opa: @@ -241,7 +250,7 @@ elasticsearch: #detectors are created in the namespace requestLogger.namespace.name so rbac is created there requestLogger: create: true - image: seldonio/metronome:1.6.0 + image: seldonio/metronome:1.8.3 #increase logger replicas if there are high traffic volumes replicas: 1 imagePullPolicy: IfNotPresent
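Review bot: The new `clientGo.rateLimiter` block in values.yaml has no comment, and its defaults of 250 for both `qps` and `burst` are far above client-go's built-in defaults (5 and 10, as far as I recall), so every install now allows much heavier traffic to the API server. A comment above the block would make that deliberate, e.g. `# client-side rate limit for Kubernetes API calls made by Seldon Deploy; lower these on small or shared clusters`. The image bumps in the same hunk still reference mutable tags rather than digests, which is unchanged from before.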
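Review bot: The comment added above `namespaces: []` in the `rbac` hunk does not say what the local roles grant or how the key relates to `clusterWide: true`, which remains the default. Since the Role in this commit includes create/delete on `secrets`, I would extend it with `# each listed namespace grants the Seldon Deploy service account seldon-deploy-role there, including write access to secrets` and state whether the list is meant for `clusterWide: false` setups. The re-indented comment a few lines up still reads `cluserWide`; `clusterWide` was presumably intended.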