From ae29b7b87f9ce702b2897f8d87fe9978354c8515 Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Wed, 6 Nov 2024 20:17:35 +0100 Subject: [PATCH 1/2] Switch notebook to use ds-pipeline-config-custom The Jupyter notebook is configured to bind-mount this `ds-pipeline-config` secret. The problem is that this secret gets only generate if you log into the RHOAI dashboard, go to data science projects and choose the `ml-development` namespace. Since this secret contains things that we already know, let's just create another identical one. The RHOAI dashboard created one looks like this: $ oc extract -n ml-development secrets/ds-pipeline-config --to=- --keys=odh_dsp.json 2>/dev/null | jq . { "display_name": "Data Science Pipeline", "metadata": { "tags": [], "display_name": "Data Science Pipeline", "engine": "Argo", "auth_type": "KUBERNETES_SERVICE_ACCOUNT_TOKEN", "api_endpoint": "https://ds-pipeline-dspa-ml-development.apps.mcg-hub.aws.validatedpatterns.io", "public_api_endpoint": "https://rhods-dashboard-redhat-ods-applications.apps.mcg-hub.aws.validatedpatterns.io/experiments/ml-development", "cos_auth_type": "KUBERNETES_SECRET", "cos_secret": "aws-connection-pipeline-bucket", "cos_endpoint": "http://s3.openshift-storage.svc.cluster.local", "cos_bucket": "pipeline-bucket", "cos_username": "..", "cos_password": "..", "runtime_type": "KUBEFLOW_PIPELINES" }, "schema_name": "kfp" } The one we create here will have this content: $ oc extract -n ml-development secrets/ds-pipeline-config-custom --to=- --keys=odh_dsp.json 2>/dev/null | jq . { "display_name": "Data Science Pipeline", "metadata": { "tags": [], "display_name": "Data Science Pipeline", "engine": "Argo", "auth_type": "KUBERNETES_SERVICE_ACCOUNT_TOKEN", "api_endpoint": "https://ds-pipeline-dspa-ml-development.apps.mcg-hub.aws.validatedpatterns.io", "public_api_endpoint": "https://rhods-dashboard-redhat-ods-applications.apps.mcg-hub.aws.validatedpatterns.io/experiments/ml-development/", "cos_auth_type": "KUBERNETES_SECRET", "cos_secret": "aws-connection-pipeline-bucket", "cos_endpoint": "http://s3.openshift-storage.svc.cluster.local", "cos_bucket": "pipeline-bucket", "cos_username": "..", "cos_password": "../TXbWAnPebRI4r1ICKQ/tZn8O6U", "runtime_type": "KUBEFLOW_PIPELINES" }, "schema_name": "kfp" } --- .../templates/dev-project.yaml | 2 +- .../templates/ds-pipeline-config-custom.yaml | 63 +++++++++++++++++++ 2 files changed, 64 insertions(+), 1 deletion(-) create mode 100644 charts/datacenter/data-science-project/templates/ds-pipeline-config-custom.yaml diff --git a/charts/datacenter/data-science-project/templates/dev-project.yaml b/charts/datacenter/data-science-project/templates/dev-project.yaml index a24be1d23..ef7e7c71e 100644 --- a/charts/datacenter/data-science-project/templates/dev-project.yaml +++ b/charts/datacenter/data-science-project/templates/dev-project.yaml @@ -250,7 +250,7 @@ spec: claimName: workbench-pvc - name: elyra-dsp-details secret: - secretName: ds-pipeline-config + secretName: ds-pipeline-config-custom - emptyDir: medium: Memory name: shm diff --git a/charts/datacenter/data-science-project/templates/ds-pipeline-config-custom.yaml b/charts/datacenter/data-science-project/templates/ds-pipeline-config-custom.yaml new file mode 100644 index 000000000..09292b085 --- /dev/null +++ b/charts/datacenter/data-science-project/templates/ds-pipeline-config-custom.yaml @@ -0,0 +1,63 @@ +# At the moment it seems that the ds-pipeline-config secret only +# gets generated by the RHOAI dashboard once you log in and click around +# Until it is a bit more gitops friendly, let's create it ourselves +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: ds-pipeline-config-custom-tpl +data: + odh_dsp.json: | + { + "display_name": "Data Science Pipeline", + "metadata": { + "tags": [], + "display_name": "Data Science Pipeline", + "engine": "Argo", + "auth_type": "KUBERNETES_SERVICE_ACCOUNT_TOKEN", + "api_endpoint": "https://ds-pipeline-dspa-ml-development.apps.{{ .Values.global.localClusterDomain }}", + "public_api_endpoint": "https://rhods-dashboard-redhat-ods-applications.apps.{{ .Values.global.localClusterDomain }}/experiments/ml-development/", + "cos_auth_type": "KUBERNETES_SECRET", + "cos_secret": "aws-connection-pipeline-bucket", + "cos_endpoint": "http://s3.openshift-storage.svc.cluster.local", + "cos_bucket": "pipeline-bucket", + "cos_username": "{{ `{{ .aws_access_key_id }}` }}", + "cos_password": "{{ `{{ .aws_secret_access_key }}` }}", + "runtime_type": "KUBEFLOW_PIPELINES" + }, + "schema_name": "kfp" + } +--- +apiVersion: "external-secrets.io/v1beta1" +kind: ExternalSecret +metadata: + name: ds-pipeline-config-custom + namespace: ml-development +spec: + refreshInterval: 15s + secretStoreRef: + name: {{ $.Values.secretStore.name }} + kind: {{ $.Values.secretStore.kind }} + target: + name: ds-pipeline-config-custom + template: + type: Opaque + engineVersion: v2 + templateFrom: + - target: Data + configMap: + name: ds-pipeline-config-custom-tpl + items: + - key: odh_dsp.json + templateAs: Values + data: + - secretKey: aws_secret_access_key + remoteRef: + key: "pushsecrets/pipeline-bucket" + property: "AWS_SECRET_ACCESS_KEY" + + - secretKey: aws_access_key_id + remoteRef: + key: "pushsecrets/pipeline-bucket" + property: "AWS_ACCESS_KEY_ID" + From 2caf5cdb46eb2155be377b39c9aecd84f46c51d3 Mon Sep 17 00:00:00 2001 From: Michele Baldessari Date: Wed, 6 Nov 2024 20:59:44 +0100 Subject: [PATCH 2/2] Drop apps. from urls as localClusterDomain includes it --- .../data-science-project/templates/dev-project.yaml | 12 ++++++------ .../templates/ds-pipeline-config-custom.yaml | 4 ++-- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/charts/datacenter/data-science-project/templates/dev-project.yaml b/charts/datacenter/data-science-project/templates/dev-project.yaml index ef7e7c71e..1daf5bc69 100644 --- a/charts/datacenter/data-science-project/templates/dev-project.yaml +++ b/charts/datacenter/data-science-project/templates/dev-project.yaml @@ -83,7 +83,7 @@ metadata: notebooks.opendatahub.io/inject-oauth: 'true' notebooks.opendatahub.io/last-size-selection: Small notebooks.opendatahub.io/oauth-logout-url: >- - https://rhods-dashboard-redhat-ods-applications.apps.{{ .Values.global.localClusterDomain }}/projects/ml-development?notebookLogout=jupyterlab + https://rhods-dashboard-redhat-ods-applications.{{ .Values.global.localClusterDomain }}/projects/ml-development?notebookLogout=jupyterlab opendatahub.io/username: 'user' openshift.io/description: '' openshift.io/display-name: JupyterLab @@ -149,7 +149,7 @@ spec: --ServerApp.password='' --ServerApp.base_url=/notebook/ml-development/jupyterlab --ServerApp.quit_button=False - --ServerApp.tornado_settings={"user":"user","hub_host":"https://rhods-dashboard-redhat-ods-applications.apps.{{ .Values.global.localClusterDomain }}","hub_prefix":"/projects/ml-development"} + --ServerApp.tornado_settings={"user":"user","hub_host":"https://rhods-dashboard-redhat-ods-applications.{{ .Values.global.localClusterDomain }}","hub_prefix":"/projects/ml-development"} - name: JUPYTER_IMAGE value: image-registry.openshift-image-registry.svc:5000/redhat-ods-applications/industrial-edge:industrial-edge-v0.1.0 - name: SSL_CERT_FILE @@ -241,7 +241,7 @@ spec: - >- --openshift-sar={"verb":"get","resource":"notebooks","resourceAPIGroup":"kubeflow.org","resourceName":"jupyterlab","namespace":"$(NAMESPACE)"} - >- - --logout-url=https://rhods-dashboard-redhat-ods-applications.apps.{{ .Values.global.localClusterDomain }}/projects/ml-development?notebookLogout=jupyterlab + --logout-url=https://rhods-dashboard-redhat-ods-applications.{{ .Values.global.localClusterDomain }}/projects/ml-development?notebookLogout=jupyterlab enableServiceLinks: false serviceAccountName: jupyterlab volumes: @@ -328,7 +328,7 @@ metadata: notebooks.opendatahub.io/inject-oauth: 'true' notebooks.opendatahub.io/last-size-selection: Small notebooks.opendatahub.io/oauth-logout-url: >- - https://rhods-dashboard-redhat-ods-applications.apps.{{ .Values.global.localClusterDomain }}/projects/ml-development?notebookLogout=s3-browser + https://rhods-dashboard-redhat-ods-applications.{{ .Values.global.localClusterDomain }}/projects/ml-development?notebookLogout=s3-browser opendatahub.io/username: 'user' openshift.io/description: '' openshift.io/display-name: 'S3 Browser' @@ -389,7 +389,7 @@ spec: --ServerApp.password='' --ServerApp.base_url=/notebook/ml-development/s3-browser --ServerApp.quit_button=False - --ServerApp.tornado_settings={"user":"user","hub_host":"https://rhods-dashboard-redhat-ods-applications.apps.{{ .Values.global.localClusterDomain }}","hub_prefix":"/projects/ml-development"} + --ServerApp.tornado_settings={"user":"user","hub_host":"https://rhods-dashboard-redhat-ods-applications.{{ .Values.global.localClusterDomain }}","hub_prefix":"/projects/ml-development"} - name: JUPYTER_IMAGE value: image-registry.openshift-image-registry.svc:5000/redhat-ods-applications/odh-tec:v0.1 - name: SSL_CERT_FILE @@ -482,7 +482,7 @@ spec: - >- --openshift-sar={"verb":"get","resource":"notebooks","resourceAPIGroup":"kubeflow.org","resourceName":"s3-browser","namespace":"$(NAMESPACE)"} - >- - --logout-url=https://rhods-dashboard-redhat-ods-applications.apps.{{ .Values.global.localClusterDomain }}/projects/ml-development?notebookLogout=s3-browser + --logout-url=https://rhods-dashboard-redhat-ods-applications.{{ .Values.global.localClusterDomain }}/projects/ml-development?notebookLogout=s3-browser enableServiceLinks: false serviceAccountName: s3-browser volumes: diff --git a/charts/datacenter/data-science-project/templates/ds-pipeline-config-custom.yaml b/charts/datacenter/data-science-project/templates/ds-pipeline-config-custom.yaml index 09292b085..f5e1c853c 100644 --- a/charts/datacenter/data-science-project/templates/ds-pipeline-config-custom.yaml +++ b/charts/datacenter/data-science-project/templates/ds-pipeline-config-custom.yaml @@ -15,8 +15,8 @@ data: "display_name": "Data Science Pipeline", "engine": "Argo", "auth_type": "KUBERNETES_SERVICE_ACCOUNT_TOKEN", - "api_endpoint": "https://ds-pipeline-dspa-ml-development.apps.{{ .Values.global.localClusterDomain }}", - "public_api_endpoint": "https://rhods-dashboard-redhat-ods-applications.apps.{{ .Values.global.localClusterDomain }}/experiments/ml-development/", + "api_endpoint": "https://ds-pipeline-dspa-ml-development.{{ .Values.global.localClusterDomain }}", + "public_api_endpoint": "https://rhods-dashboard-redhat-ods-applications.{{ .Values.global.localClusterDomain }}/experiments/ml-development/", "cos_auth_type": "KUBERNETES_SECRET", "cos_secret": "aws-connection-pipeline-bucket", "cos_endpoint": "http://s3.openshift-storage.svc.cluster.local",