feat: Shift around some values and actually enable user supplied buck…

…et access secrets (#279)
wandb · Dec 11, 2024 · f167f1a · f167f1a
1 parent 5f9860e
commit f167f1a
Show file tree

Hide file tree

Showing 10 changed files with 96 additions and 30 deletions.
diff --git a/charts/operator-wandb/Chart.yaml b/charts/operator-wandb/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: operator-wandb
 description: A Helm chart for deploying W&B to Kubernetes
 type: application
-version: 0.20.3
+version: 0.21.0
 appVersion: 1.0.0
 icon: https://wandb.ai/logo.svg
 

diff --git a/charts/operator-wandb/charts/app/templates/deployment.yaml b/charts/operator-wandb/charts/app/templates/deployment.yaml
@@ -104,6 +104,20 @@ spec:
                   resource: limits.memory
             - name: GLUE_ENABLED
               value: "{{ not .Values.global.beta.glue.enabled }}"
+            - name: BUCKET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ (include "wandb.bucket" . | fromYaml).secretName }}"
+                  key: "{{ (include "wandb.bucket" . | fromYaml).accessKeyName }}"
+                  optional: true
+            - name: BUCKET_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ (include "wandb.bucket" . | fromYaml).secretName }}"
+                  key: "{{ (include "wandb.bucket" . | fromYaml).secretKeyName }}"
+                  optional: true
+            - name: BUCKET
+              value: "{{ (include "wandb.bucket" . | fromYaml).url }}"
             - name: HOST
               value: "{{ .Values.global.host }}"
             {{- if .Values.extraCors }}
@@ -140,7 +154,7 @@ spec:
                 secretKeyRef:
                   name: {{ include "wandb.redis.passwordSecret" . }}
                   optional: true
-                  key: {{ .Values.global.redis.secretKey }}
+                  key: {{ .Values.global.redis.secret.secretKey }}
             - name: REDIS_PORT
               value: "{{ include "wandb.redis.port" . }}"
             - name: REDIS_HOST

diff --git a/charts/operator-wandb/charts/executor/templates/deployment.yaml b/charts/operator-wandb/charts/executor/templates/deployment.yaml
@@ -67,6 +67,20 @@ spec:
               valueFrom:
                 resourceFieldRef:
                   resource: limits.memory
+            - name: BUCKET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ (include "wandb.bucket" . | fromYaml).secretName }}"
+                  key: "{{ (include "wandb.bucket" . | fromYaml).accessKeyName }}"
+                  optional: true
+            - name: BUCKET_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ (include "wandb.bucket" . | fromYaml).secretName }}"
+                  key: "{{ (include "wandb.bucket" . | fromYaml).secretKeyName }}"
+                  optional: true
+            - name: BUCKET
+              value: "{{ (include "wandb.bucket" . | fromYaml).url }}"
             {{- if ne .Values.traceRatio 0.0 }}
             - name: GORILLA_TRACER
               value: "otlp+grpc://{{ .Release.Name }}-otel-daemonset:4317?trace_ratio={{ .Values.traceRatio }}"

diff --git a/charts/operator-wandb/charts/filestream/templates/deployment.yaml b/charts/operator-wandb/charts/filestream/templates/deployment.yaml
@@ -75,6 +75,20 @@ spec:
               value: 'true'
             - name: LOGGING_ENABLED
               value: 'true'
+            - name: BUCKET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ (include "wandb.bucket" . | fromYaml).secretName }}"
+                  key: "{{ (include "wandb.bucket" . | fromYaml).accessKeyName }}"
+                  optional: true
+            - name: BUCKET_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ (include "wandb.bucket" . | fromYaml).secretName }}"
+                  key: "{{ (include "wandb.bucket" . | fromYaml).secretKeyName }}"
+                  optional: true
+            - name: BUCKET
+              value: "{{ (include "wandb.bucket" . | fromYaml).url }}"
             - name: AZURE_STORAGE_KEY
               valueFrom:
                 secretKeyRef:

diff --git a/charts/operator-wandb/charts/flat-run-fields-updater/templates/deployment.yaml b/charts/operator-wandb/charts/flat-run-fields-updater/templates/deployment.yaml
@@ -75,6 +75,20 @@ spec:
               value: 'true'
             - name: LOGGING_ENABLED
               value: 'true'
+            - name: BUCKET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ (include "wandb.bucket" . | fromYaml).secretName }}"
+                  key: "{{ (include "wandb.bucket" . | fromYaml).accessKeyName }}"
+                  optional: true
+            - name: BUCKET_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ (include "wandb.bucket" . | fromYaml).secretName }}"
+                  key: "{{ (include "wandb.bucket" . | fromYaml).secretKeyName }}"
+                  optional: true
+            - name: BUCKET
+              value: "{{ (include "wandb.bucket" . | fromYaml).url }}"
             - name: AZURE_STORAGE_KEY
               valueFrom:
                 secretKeyRef:

diff --git a/charts/operator-wandb/charts/parquet/templates/deployment.yaml b/charts/operator-wandb/charts/parquet/templates/deployment.yaml
@@ -77,6 +77,20 @@ spec:
               valueFrom:
                 resourceFieldRef:
                   resource: limits.memory
+            - name: BUCKET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ (include "wandb.bucket" . | fromYaml).secretName }}"
+                  key: "{{ (include "wandb.bucket" . | fromYaml).accessKeyName }}"
+                  optional: true
+            - name: BUCKET_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ (include "wandb.bucket" . | fromYaml).secretName }}"
+                  key: "{{ (include "wandb.bucket" . | fromYaml).secretKeyName }}"
+                  optional: true
+            - name: BUCKET
+              value: "{{ (include "wandb.bucket" . | fromYaml).url }}"
             {{- if ne .Values.traceRatio 0.0 }}
             - name: GORILLA_TRACER
               value: "otlp+grpc://{{ .Release.Name }}-otel-daemonset:4317?trace_ratio={{ .Values.traceRatio }}"

diff --git a/charts/operator-wandb/templates/_bucket.tpl b/charts/operator-wandb/templates/_bucket.tpl
@@ -2,10 +2,8 @@
   Assorted bucket related helpers.
 */}}
 {{- define "wandb.bucket.secret" -}}
-{{- if .Values.global.bucket.secretName -}}
-  {{ .Values.global.bucket.secretName }}
-{{- else if .Values.global.defaultBucket.secretName -}}
-  {{ .Values.global.defaultBucket.secretName }}
+{{- if .Values.global.bucket.secret.secretName -}}
+  {{ .Values.global.bucket.secret.secretName }}
 {{- else }}
   {{- print .Release.Name "-bucket" -}}
 {{- end -}}
@@ -15,35 +13,34 @@
 {{ .Release.Name }}-bucket-configmap
 {{- end -}}
 
-
 {{- define "wandb.bucket" -}}
-{{- $url := "" -}} 
+{{- $url := "" -}}
 {{- $provider := .Values.global.bucket.provider -}}
 provider: {{ $provider }}
 {{- $name := .Values.global.bucket.name | default .Values.global.defaultBucket.name }}
 name: {{ $name }}
-{{- $path := .Values.global.bucket.path | default (default "" .Values.global.defaultBucket.path) }} 
+{{- $path := .Values.global.bucket.path | default .Values.global.defaultBucket.path }}
 path: {{ $path }}
 region: {{ .Values.global.bucket.region | default .Values.global.defaultBucket.region }}
 kmsKey: {{ .Values.global.bucket.kmsKey | default .Values.global.defaultBucket.kmsKey }}
 {{- $accessKey:= .Values.global.bucket.accessKey | default .Values.global.defaultBucket.accessKey }}
 accessKey: {{ $accessKey }}
 {{- $secretKey:= .Values.global.bucket.secretKey | default .Values.global.defaultBucket.secretKey }}
 secretKey: {{ $secretKey }}
-accessKeyName: {{ .Values.global.bucket.accessKeyName | default (default "ACCESS_KEY" .Values.global.defaultBucket.accessKeyName) }}
-secretKeyName: {{ .Values.global.bucket.secretKeyName | default (default "SECRET_KEY" .Values.global.defaultBucket.secretKeyName) }}
+accessKeyName: {{ .Values.global.bucket.secret.accessKeyName }}
+secretKeyName: {{ .Values.global.bucket.secret.secretKeyName }}
 secretName: {{ include "wandb.bucket.secret" . }}
 {{- if eq $provider "az" -}}
-{{- $url = printf "az://%s/%s" $name $path -}}
+{{- $url = "az://$(BUCKET_NAME)/$(BUCKET_PATH)" -}}
 {{- end -}}
 {{- if eq $provider "gcs" -}}
-{{- $url = printf "gs://%s/%s" $name $path -}}
+{{- $url = "gs://$(BUCKET_NAME)/$(BUCKET_PATH)" -}}
 {{- end -}}
 {{- if eq $provider "s3" -}}
-{{- if and $accessKey $secretKey -}}
-{{- $url = printf "s3://%s:%s@%s/%s" $accessKey $secretKey $name $path -}}
+{{- if or (and $accessKey $secretKey) .Values.global.bucket.secret.secretName -}}
+{{- $url = "s3://$(BUCKET_ACCESS_KEY):$(BUCKET_SECRET_KEY)@$(BUCKET_NAME)/$(BUCKET_PATH)" -}}
 {{- else -}}
-{{- $url = printf "s3://%s/%s" $name $path -}}
+{{- $url = "s3://$(BUCKET_NAME)/$(BUCKET_PATH)" -}}
 {{- end -}}
 {{- end -}}
 {{- $url = trimSuffix "/" $url }}

diff --git a/charts/operator-wandb/templates/_redis.tpl b/charts/operator-wandb/templates/_redis.tpl
@@ -2,8 +2,8 @@
 Return name of secret where redis information is stored
 */}}
 {{- define "wandb.redis.passwordSecret" -}}
-{{- if .Values.global.redis.secretName -}}
-  {{ .Values.global.redis.secretName }}
+{{- if .Values.global.redis.secret.secretName -}}
+  {{ .Values.global.redis.secret.secretName }}
 {{- else -}}
   {{- print .Release.Name "-redis" -}}
 {{- end -}}
@@ -46,7 +46,7 @@ Return the redis to url
 
 {{- define "wandb.redis.connectionString" -}}
 {{- $password := include "wandb.redis.password" . }}
-{{- if or $password .Values.global.redis.secretName }}
+{{- if or $password .Values.global.redis.secret.secretName }}
 redis://:$(REDIS_PASSWORD)@$(REDIS_HOST):$(REDIS_PORT)
 {{- else }}
 redis://$(REDIS_HOST):$(REDIS_PORT)

diff --git a/charts/operator-wandb/templates/bucket.yaml b/charts/operator-wandb/templates/bucket.yaml
@@ -6,11 +6,12 @@ metadata:
     {{- include "wandb.commonLabels" . | nindent 4 }}
 data:
 {{- with include "wandb.bucket" . | fromYaml }}
-  BUCKET: {{ .url | quote }}
+  BUCKET_NAME: {{ .name | quote }}
+  BUCKET_PATH: {{ .path | quote }}
   AWS_REGION: {{ .region | quote }}
   AWS_S3_KMS_ID: {{ .kmsKey | quote }}
 {{- end }}
-{{- if not .Values.global.bucket.secretName }}
+{{- if not .Values.global.bucket.secret.secretName }}
 ---
 apiVersion: v1
 kind: Secret

diff --git a/charts/operator-wandb/values.yaml b/charts/operator-wandb/values.yaml
@@ -102,25 +102,23 @@ global:
     path: ""
     region: ""
     kmsKey: ""
-    secretKey: ""
-    accessKey: ""
-    secretName: ""
 
   # If specified the application will use this bucket for all storage operations, and will not be overridable by the user.
   bucket:
-    secretName: ""
-    accessKeyName: "ACCESS_KEY"
-    secretAccessKeyName: "SECRET_KEY"
+    secret:
+      secretName: ""
+      accessKeyName: "ACCESS_KEY"
+      secretKeyName: "SECRET_KEY"
 
   redis:
     host: ""
     port: 6379
     password: ""
     parameters: {}
     caCert: ""
-    # The name of the user supplied secret containing the password for the redis instance.
-    secretName: ""
-    secretKey: "REDIS_PASSWORD"
+    secret:
+      secretName: ""
+      secretKey: "REDIS_PASSWORD"
 
   bigtable:
     v3: