# MNIST E2E on Kubeflow on Vanilla k8s

This example guides you through:
  
  1. Taking an example TensorFlow model and modifying it to support distributed training
  1. Serving the resulting model using TFServing
  1. Deploying and using a web-app that uses the model
  
## Requirements

  * You must be running Kubeflow 1.0 using the k8s istio config or the istio dex config.
 

## Prepare model

There is a delta between existing distributed mnist examples and what's needed to run well as a TFJob.

Basically, we must:

1. Add options in order to make the model configurable.
1. Use `tf.estimator.train_and_evaluate` to enable model exporting and serving.
1. Define serving signatures for model serving.

The resulting model is [model.py](model.py).

### Install Required Packages

Click `Kernel` -> `Restart` after your install new packages.

In [1]:
!pip install boto3 table_logger

[31mERROR: Could not find a version that satisfies the requirement boto3 (from versions: none)[0m
[31mERROR: No matching distribution found for boto3[0m


In [3]:
import notebook_setup
from importlib import reload
reload(notebook_setup)
notebook_setup.notebook_setup(platform='onprem')

pip installing requirements.txt


CalledProcessError: Command '['pip3', 'install', '--user', '-r', 'requirements.txt']' returned non-zero exit status 1.

In [83]:
import k8s_util
# Force a reload of kubeflow; since kubeflow is a multi namespace module
# it looks like doing this in notebook_setup may not be sufficient
import kubeflow
reload(kubeflow)
from kubernetes import client as k8s_client
from kubernetes import config as k8s_config
from kubeflow.tfjob.api import tf_job_client as tf_job_client_module
from IPython.core.display import display, HTML
import yaml

## Configure external service credentials


## Step 1 - Pushing to DockerHub

Source documentation: [Kaniko docs](https://github.com/GoogleContainerTools/kaniko#pushing-to-docker-hub)

### Why do we need this?

Kaniko is used by fairing to build the model every time the notebook is run and deploy a fresh model.
The newly built image is pushed into the DOCKER_REGISTRY and pulled from there by subsequent resources.

### Configure docker credentials

Get your docker registry user and password encoded in base64 <br>

`echo -n USER:PASSWORD | base64` <br>

Create a config.json file with your Docker registry url and the previous generated base64 string <br>
```json
{
	"auths": {
		"https://index.docker.io/v1/": {
			"auth": "xxxxxxxxxxxxxxx"
		}
	}
}
```
```json
{
    "auths": {
        "https://small-sacha-644-harbor.app.small-sacha-644.bubble.superhub.io/library/": {
            "auth": "YWRtaW46QWRtaW4xMjM="
        }
    }
}
```

<br>

### Create a config-map in the namespace you're using with the docker config

`kubectl create --namespace ${NAMESPACE} configmap docker-config --from-file=<path to config.json>`
for example: <br>
"kubectl delete --namespace workspace configmap docker-config" <br>
"kubectl create --namespace workspace configmap docker-config --from-file=config.json" <br>

## Step 2 - Set DOCKER_REGISTRY

The **DOCKER_REGISTRY** variable is used to push the newly built image. <br>
Please change the variable to the registry for which you've configured credentials.

In [84]:
import logging
import os
import uuid
from importlib import reload
import boto3

In [85]:
from kubernetes import client as k8s_client
from kubernetes.client import rest as k8s_rest
from kubeflow import fairing   
from kubeflow.fairing import utils as fairing_utils
from kubeflow.fairing.builders import append
from kubeflow.fairing.deployers import job
from kubeflow.fairing.preprocessors import base as base_preprocessor

DOCKER_REGISTRY = "small-sacha-644-harbor.app.small-sacha-644.bubble.superhub.io/library"
namespace = fairing_utils.get_current_k8s_namespace()
logging.info(f"Running in namespace {namespace}")

from kubernetes import client as k8s_client
from kubernetes.client.rest import ApiException

api_client = k8s_client.CoreV1Api()


s3_endpoint = "buckets.app.small-julie-379.bubble.superhub.io/"
minio_service_endpoint = s3_endpoint
minio_endpoint = "https://"+s3_endpoint
minio_username = "admin"
minio_key = "Admin123"
minio_region = "us-east-1"

logging.info(f"Running in namespace {namespace}")
logging.info(f"Using docker registry {DOCKER_REGISTRY}")
logging.info(f"Using minio instance with endpoint '{s3_endpoint}'")

Running in namespace workspace
Running in namespace workspace
Using docker registry small-sacha-644-harbor.app.small-sacha-644.bubble.superhub.io/library
Using minio instance with endpoint 'buckets.app.small-julie-379.bubble.superhub.io/'


In [86]:
import logging
import os
import uuid
from importlib import reload
import boto3
from botocore.client import Config

s3 = boto3.client('s3', endpoint_url="https://buckets.app.small-julie-379.bubble.superhub.io/", 
             aws_access_key_id='admin',
             aws_secret_access_key='Admin123',
             region_name='us-east-1')
for _ in s3.list_buckets()["Buckets"]:
  print(_["Name"])

send: b'GET / HTTP/1.1\r\nHost: buckets.app.small-julie-379.bubble.superhub.io\r\nAccept-Encoding: identity\r\nUser-Agent: Boto3/1.16.37 Python/3.6.9 Linux/4.14.203-156.332.amzn2.x86_64 Botocore/1.19.37\r\nX-Amz-Date: 20201223T221044Z\r\nX-Amz-Content-SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\r\nAuthorization: AWS4-HMAC-SHA256 Credential=admin/20201223/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=b2790310479d5bc3f648420e2d7a5ef08c60021cc9f1ce6590c99c8a633eb23b\r\n\r\n'
reply: 'HTTP/1.1 200 OK\r\n'
header: Accept-Ranges: bytes
header: Content-Length: 835
header: Content-Security-Policy: block-all-mixed-content
header: Content-Type: application/xml
header: Date: Wed, 23 Dec 2020 22:10:44 GMT
header: Server: MinIO/RELEASE.2020-07-02T00-15-09Z
header: Vary: Origin
header: X-Amz-Request-Id: 16537802A0603EA7
header: X-Xss-Protection: 1; mode=block
kubeflow-pipelines
kubeflow-us-east-1
mnist
small-sa-mnist
test
tutoria

## Install Required Libraries

Import the libraries required to train this model.

In [7]:
import logging
import os
import uuid
from importlib import reload
import notebook_setup
reload(notebook_setup)
notebook_setup.notebook_setup(platform='onprem')

pip installing requirements.txt
Checkout kubeflow/tf-operator @9238906


In [23]:
import k8s_util
# Force a reload of kubeflow; since kubeflow is a multi namespace module
# it looks like doing this in notebook_setup may not be sufficient
import kubeflow
reload(kubeflow)
from kubernetes import client as k8s_client
from kubernetes import config as k8s_config
from kubeflow.tfjob.api import tf_job_client as tf_job_client_module
from IPython.core.display import display, HTML
import yaml

In [24]:
# TODO(https://github.com/kubeflow/fairing/issues/426): We should get rid of this once the default 
# Kaniko image is updated to a newer image than 0.7.0.
from kubeflow.fairing import constants
#constants.constants.KANIKO_IMAGE = "gcr.io/kaniko-project/executor:v0.14.0"
constants.constants.KANIKO_IMAGE = "gcr.io/kaniko-project/executor:v0.19.0"

In [25]:
from kubeflow.fairing.builders import cluster

# output_map is a map of extra files to add to the notebook.
# It is a map from source location to the location inside the context.
output_map =  {
    "Dockerfile.model": "Dockerfile",
    "model.py": "model.py"
}

preprocessor = base_preprocessor.BasePreProcessor(
    command=["python"], # The base class will set this.
    input_files=[],
    path_prefix="/app", # irrelevant since we aren't preprocessing any files
    output_map=output_map)

preprocessor.preprocess()

set()

In [26]:
# Use a Tensorflow image as the base image
# We use a custom Dockerfile 
from kubeflow.fairing.cloud.k8s import MinioUploader
from kubeflow.fairing.builders.cluster.minio_context import MinioContextSource

minio_uploader = MinioUploader(endpoint_url=minio_endpoint, minio_secret=minio_username, minio_secret_key=minio_key, region_name=minio_region)
minio_context_source = MinioContextSource(endpoint_url=minio_endpoint, minio_secret=minio_username, minio_secret_key=minio_key, region_name=minio_region)

In [27]:
print (minio_endpoint)
#docker push small-sacha-644-harbor.app.small-sacha-644.bubble.superhub.io/library/IMAGE[:TAG]

https://buckets.app.small-julie-379.bubble.superhub.io/


In [28]:
cluster_builder = cluster.cluster.ClusterBuilder(registry=DOCKER_REGISTRY,
                                                 base_image="", # base_image is set in the Dockerfile
                                                 preprocessor=preprocessor,
                                                 image_name="mnist",
                                                 dockerfile_path="Dockerfile",
                                                 context_source=minio_context_source)
cluster_builder.build()
logging.info(f"Built image {cluster_builder.image_tag}")

Building image using cluster builder.
Creating docker context: /tmp/fairing_context_4mmyl72j
Dockerfile already exists in Fairing context, skipping...
Waiting for fairing-builder-94mgs-gql8r to start...
Waiting for fairing-builder-94mgs-gql8r to start...
Waiting for fairing-builder-94mgs-gql8r to start...
Pod started running True


[36mINFO[0m[0005] Resolved base name tensorflow/tensorflow:1.15.2-py3 to tensorflow/tensorflow:1.15.2-py3
[36mINFO[0m[0005] Resolved base name tensorflow/tensorflow:1.15.2-py3 to tensorflow/tensorflow:1.15.2-py3
[36mINFO[0m[0005] Retrieving image manifest tensorflow/tensorflow:1.15.2-py3
[36mINFO[0m[0006] Retrieving image manifest tensorflow/tensorflow:1.15.2-py3
[36mINFO[0m[0007] Built cross stage deps: map[]
[36mINFO[0m[0007] Retrieving image manifest tensorflow/tensorflow:1.15.2-py3
[36mINFO[0m[0007] Retrieving image manifest tensorflow/tensorflow:1.15.2-py3
[36mINFO[0m[0008] Unpacking rootfs as cmd ADD model.py /opt/model.py requires it.
[36mINFO[0m[0028] Taking snapshot of full filesystem...
[36mINFO[0m[0036] Resolving paths
[36mINFO[0m[0040] Using files from context: [/kaniko/buildcontext/model.py]
[36mINFO[0m[0040] ADD model.py /opt/model.py
[36mINFO[0m[0040] RUN chmod +x /opt/model.py
[36mINFO[0m[0040] cmd: /bin/sh
[36mINFO[0m[0040] args: [-c chmod

Built image small-sacha-644-harbor.app.small-sacha-644.bubble.superhub.io/library/mnist:99902A36


## Create a Minio Bucket

* Create a minio bucket to store our models and other results.

In [29]:
mnist_bucket = f"{DOCKER_REGISTRY}"[0:8]+"-mnist"
minio_uploader.create_bucket(mnist_bucket)
logging.info(f"Bucket {mnist_bucket} created or already exists")

Bucket small-sa-mnist created or already exists


## Distributed training

* We will train the model by using TFJob to run a distributed training job

### Training job parameters

In [30]:
train_name = f"mnist-train-{uuid.uuid4().hex[:4]}"
num_ps = 1
num_workers = 2
model_dir = f"s3://{mnist_bucket}/mnist"
export_path = f"s3://{mnist_bucket}/mnist/export" 
train_steps = 200
batch_size = 100
learning_rate = .01
image = cluster_builder.image_tag

In [31]:
train_spec = f"""apiVersion: kubeflow.org/v1
kind: TFJob
metadata:
  name: {train_name}  
spec:
  tfReplicaSpecs:
    Ps:
      replicas: {num_ps}
      template:
        metadata:
          annotations:
            sidecar.istio.io/inject: "false"
        spec:
          serviceAccount: default-editor
          containers:
          - name: tensorflow
            command:
            - python
            - /opt/model.py
            - --tf-model-dir={model_dir}
            - --tf-export-dir={export_path}
            - --tf-train-steps={train_steps}
            - --tf-batch-size={batch_size}
            - --tf-learning-rate={learning_rate}
            env:
            - name: S3_ENDPOINT
              value: {s3_endpoint}
            - name: AWS_ENDPOINT_URL
              value: {minio_endpoint}
            - name: AWS_REGION
              value: {minio_region}
            - name: BUCKET_NAME
              value: {mnist_bucket}
            - name: S3_USE_HTTPS
              value: "0"
            - name: S3_VERIFY_SSL
              value: "0"
            - name: AWS_ACCESS_KEY_ID
              value: {minio_username}
            - name: AWS_SECRET_ACCESS_KEY
              value: {minio_key}
            image: {image}
            workingDir: /opt
          restartPolicy: OnFailure
    Chief:
      replicas: 1
      template:
        metadata:
          annotations:
            sidecar.istio.io/inject: "false"
        spec:
          serviceAccount: default-editor
          containers:
          - name: tensorflow
            command:
            - python
            - /opt/model.py
            - --tf-model-dir={model_dir}
            - --tf-export-dir={export_path}
            - --tf-train-steps={train_steps}
            - --tf-batch-size={batch_size}
            - --tf-learning-rate={learning_rate}
            env:
            - name: S3_ENDPOINT
              value: {s3_endpoint}
            - name: AWS_ENDPOINT_URL
              value: {minio_endpoint}
            - name: AWS_REGION
              value: {minio_region}
            - name: BUCKET_NAME
              value: {mnist_bucket}
            - name: S3_USE_HTTPS
              value: "0"
            - name: S3_VERIFY_SSL
              value: "0"
            - name: AWS_ACCESS_KEY_ID
              value: {minio_username}
            - name: AWS_SECRET_ACCESS_KEY
              value: {minio_key}
            image: {image}
            workingDir: /opt
          restartPolicy: OnFailure
    Worker:
      replicas: 1
      template:
        metadata:
          annotations:
            sidecar.istio.io/inject: "false"
        spec:
          serviceAccount: default-editor
          containers:
          - name: tensorflow
            command:
            - python
            - /opt/model.py
            - --tf-model-dir={model_dir}
            - --tf-export-dir={export_path}
            - --tf-train-steps={train_steps}
            - --tf-batch-size={batch_size}
            - --tf-learning-rate={learning_rate}
            env:
            - name: S3_ENDPOINT
              value: {s3_endpoint}
            - name: AWS_ENDPOINT_URL
              value: {minio_endpoint}
            - name: AWS_REGION
              value: {minio_region}
            - name: BUCKET_NAME
              value: {mnist_bucket}
            - name: S3_USE_HTTPS
              value: "0"
            - name: S3_VERIFY_SSL
              value: "0"
            - name: AWS_ACCESS_KEY_ID
              value: {minio_username}
            - name: AWS_SECRET_ACCESS_KEY
              value: {minio_key}
            image: {image}
            workingDir: /opt
          restartPolicy: OnFailure
""" 

### Create the training job

* You could write the spec to a YAML file and then do `kubectl apply -f {FILE}`
* Since you are running in jupyter you will use the TFJob client
* You will run the TFJob in a namespace created by a Kubeflow profile
  * The namespace will be the same namespace you are running the notebook in
  * Creating a profile ensures the namespace is provisioned with service accounts and other resources needed for Kubeflow

In [32]:
tf_job_client = tf_job_client_module.TFJobClient()

In [33]:
tf_job_body = yaml.safe_load(train_spec)
tf_job = tf_job_client.create(tf_job_body, namespace=namespace)  

logging.info(f"Created job {namespace}.{train_name}")

Created job workspace.mnist-train-36a1


In [34]:
from kubeflow.tfjob import TFJobClient
tfjob_client = TFJobClient()
tfjob_client.wait_for_job(train_name, namespace=namespace, watch=True)

NAME                           STATE                TIME                          
mnist-train-36a1               Created              2020-12-23T06:14:33Z          
mnist-train-36a1               Running              2020-12-23T06:14:35Z          
mnist-train-36a1               Running              2020-12-23T06:14:35Z          
mnist-train-36a1               Running              2020-12-23T06:14:35Z          
mnist-train-36a1               Succeeded            2020-12-23T06:14:40Z          


## Get TF Job logs

In [35]:
tfjob_client.get_logs(train_name, namespace=namespace)

The logs of Pod mnist-train-36a1-chief-0:


W1223 06:14:36.963032 140282999609152 module_wrapper.py:139] From /opt/model.py:153: The name tf.logging.set_verbosity is deprecated. Please use tf.compat.v1.logging.set_verbosity instead.


W1223 06:14:36.963326 140282999609152 module_wrapper.py:139] From /opt/model.py:153: The name tf.logging.INFO is deprecated. Please use tf.compat.v1.logging.INFO instead.


W1223 06:14:36.964720 140282999609152 module_wrapper.py:139] From /opt/model.py:158: The name tf.logging.info is deprecated. Please use tf.compat.v1.logging.info instead.

INFO:tensorflow:TF_CONFIG {"cluster":{"chief":["mnist-train-36a1-chief-0.workspace.svc:2222"],"ps":["mnist-train-36a1-ps-0.workspace.svc:2222"],"worker":["mnist-train-36a1-worker-0.workspace.svc:2222"]},"task":{"type":"chief","index":0},"environment":"cloud"}
I1223 06:14:36.964831 140282999609152 model.py:158] TF_CONFIG {"cluster":{"chief":["mnist-train-36a1-chief-0.workspace.svc:2222"],"ps":["mnist-train-36a1-ps-0.w

## Check the model in Minio

In [209]:
#TODO(swiftdiaries): Check object key for model specifically
from botocore.exceptions import ClientError

try:
    model_response = minio_uploader.client.list_objects(Bucket=mnist_bucket)
    # Minimal check to see if at least the bucket is created
    if model_response["ResponseMetadata"]["HTTPStatusCode"] == 200:
        logging.info(f"{model_dir} found in {mnist_bucket} bucket")
except ClientError as err:
    logging.error(err)

s3://small-sa-mnist/mnist found in small-sa-mnist bucket


send: b'GET /small-sa-mnist?encoding-type=url HTTP/1.1\r\nHost: buckets.app.small-julie-379.bubble.superhub.io\r\nAccept-Encoding: identity\r\nUser-Agent: Boto3/1.16.37 Python/3.6.9 Linux/4.14.203-156.332.amzn2.x86_64 Botocore/1.19.37\r\nX-Amz-Date: 20201228T212013Z\r\nX-Amz-Content-SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\r\nAuthorization: AWS4-HMAC-SHA256 Credential=admin/20201228/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=d4c621b6d3ef62821a32de537134b212f069a64609f42f997f791eeea4760144\r\n\r\n'
reply: 'HTTP/1.1 200 OK\r\n'
header: Accept-Ranges: bytes
header: Content-Length: 5520
header: Content-Security-Policy: block-all-mixed-content
header: Content-Type: application/xml
header: Date: Mon, 28 Dec 2020 21:20:13 GMT
header: Server: MinIO/RELEASE.2020-07-02T00-15-09Z
header: Vary: Origin
header: X-Amz-Request-Id: 1654FE27B7C7E95E
header: X-Xss-Protection: 1; mode=block


## Deploy Tensorboard

In [37]:
tb_name = "mnist-tensorboard"
tb_deploy = f"""apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: mnist-tensorboard
  name: {tb_name}
  namespace: {namespace}
spec:
  selector:
    matchLabels:
      app: mnist-tensorboard
  template:
    metadata:
      labels:
        app: mnist-tensorboard
        version: v1
    spec:
      serviceAccount: default-editor
      containers:
      - command:
        - /usr/local/bin/tensorboard
        - --logdir={model_dir}
        - --port=80
        image: tensorflow/tensorflow:1.15.2-py3
        env:
        - name: S3_ENDPOINT
          value: {s3_endpoint}
        - name: AWS_ENDPOINT_URL
          value: {minio_endpoint}
        - name: AWS_REGION
          value: {minio_region}
        - name: BUCKET_NAME
          value: {mnist_bucket}
        - name: S3_USE_HTTPS
          value: "0"
        - name: S3_VERIFY_SSL
          value: "0"
        - name: AWS_ACCESS_KEY_ID
          value: {minio_username}
        - name: AWS_SECRET_ACCESS_KEY
          value: {minio_key}  
        name: tensorboard
        ports:
        - containerPort: 80
"""
tb_service = f"""apiVersion: v1
kind: Service
metadata:
  labels:
    app: mnist-tensorboard
  name: {tb_name}
  namespace: {namespace}
spec:
  ports:
  - name: http-tb
    port: 80
    targetPort: 80
  selector:
    app: mnist-tensorboard
  type: ClusterIP
"""

tb_virtual_service = f"""apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: {tb_name}
  namespace: {namespace}
spec:
  gateways:
  - kubeflow/kubeflow-gateway
  hosts:
  - '*'
  http:
  - match:
    - uri:
        prefix: /mnist/{namespace}/tensorboard/
    rewrite:
      uri: /
    route:
    - destination:
        host: {tb_name}.{namespace}.svc.cluster.local
        port:
          number: 80
    timeout: 300s
"""

tb_specs = [tb_deploy, tb_service, tb_virtual_service]

In [38]:
k8s_util.apply_k8s_specs(tb_specs, k8s_util.K8S_CREATE_OR_REPLACE)

  spec = yaml.load(spec)
Deleted Deployment workspace.mnist-tensorboard
Created Deployment workspace.mnist-tensorboard
Deleted Service workspace.mnist-tensorboard
Created Service workspace.mnist-tensorboard
Deleted VirtualService workspace.mnist-tensorboard
Created VirtualService mnist-tensorboard.mnist-tensorboard


[{'api_version': 'apps/v1',
  'kind': 'Deployment',
  'metadata': {'annotations': None,
               'cluster_name': None,
               'creation_timestamp': datetime.datetime(2020, 12, 23, 6, 15, 6, tzinfo=tzlocal()),
               'deletion_grace_period_seconds': None,
               'deletion_timestamp': None,
               'finalizers': None,
               'generate_name': None,
               'generation': 1,
               'initializers': None,
               'labels': {'app': 'mnist-tensorboard'},
               'managed_fields': None,
               'name': 'mnist-tensorboard',
               'namespace': 'workspace',
               'owner_references': None,
               'resource_version': '5848598',
               'self_link': '/apis/apps/v1/namespaces/workspace/deployments/mnist-tensorboard',
               'uid': '33ba9b3e-47ff-43f4-935a-81d5a7dc79ae'},
  'spec': {'min_ready_seconds': None,
           'paused': None,
           'progress_deadline_seconds': 600,
   

## Get Tensorboard URL

Run this with the appropriate RBAC permissions <br>

In [41]:
istio_ingress_endpoint = None
try:
    istio_ingress_endpoint = api_client.read_namespaced_service(name='istio-ingressgateway', namespace='istio-system')
    istio_ports = istio_ingress_endpoint.spec.ports
    for istio_port in istio_ports:
        if istio_port.name == "http2":
            logging.warning("get worker-node-ip by running 'kubectl get nodes -o wide'")
            logging.info(f"Tensorboard URL: <worker-node-ip>:{istio_port.node_port}/mnist/anonymous/tensorboard/")
except ApiException as e:
    if e.status == 403:
        logging.warning(f"The service account doesn't have sufficient privileges "
                      f"to get the kubeflow minio-service. "
                      f"You will have to manually enter the minio cluster-ip. "
                      f"To make this function work ask someone with cluster "
                      f"priveleges to create an appropriate "
                      f"clusterrolebinding by running a command.\n"
                      f"kubectl create --namespace=istio-system rolebinding "
                       "--clusterrole=kubeflow-view "
                       "--serviceaccount=${NAMESPACE}:default-editor "
                       "${NAMESPACE}-ingressgateway-view")
        logging.warn("API Access restricted. Please get URL by running the kubectl commands at the end of the notebook")

Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f86643d5da0>: Failed to establish a new connection: [Errno 111] Connection refused',)': /api/v1/namespaces/istio-system/services/istio-ingressgateway
Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f866475b3c8>: Failed to establish a new connection: [Errno 111] Connection refused',)': /api/v1/namespaces/istio-system/services/istio-ingressgateway
Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f866475beb8>: Failed to establish a new connection: [Errno 111] Connection refused',)': /api/v1/namespaces/istio-system/services/istio-ingressgatewa

MaxRetryError: HTTPSConnectionPool(host='localhost', port=443): Max retries exceeded with url: /api/v1/namespaces/istio-system/services/istio-ingressgateway (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f86643cf978>: Failed to establish a new connection: [Errno 111] Connection refused',))

In [46]:
kubeflow_url = "kubeflow.small-julie-379.bubble.superhub.io"
endpoint = kubeflow_url 
if endpoint:    
    vs = yaml.safe_load(tb_virtual_service)
    path= vs["spec"]["http"][0]["match"][0]["uri"]["prefix"]
    tb_endpoint = endpoint + path
    display(HTML(f"TensorBoard UI is at http://{tb_endpoint}"))

## Serve the model

* Deploy the model using tensorflow serving
* We need to create
  1. A Kubernetes Deployment
  1. A Kubernetes service
  1. (Optional) Create a configmap containing the prometheus monitoring config

In [223]:
namespace

'seldon'

In [224]:
export_path

's3://small-sa-mnist/mnist/export'

In [225]:
deploy_name = "mnist-model"
model_base_path = export_path

# The web ui defaults to mnist-service so if you change it you will
# need to change it in the UI as well to send predictions to the mode
model_service = "mnist-service"

deploy_spec = f"""apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: mnist
  name: {deploy_name}
  namespace: {namespace}
spec:
  selector:
    matchLabels:
      app: mnist-model
  template:
    metadata:
      # TODO(jlewi): Right now we disable the istio side car because otherwise ISTIO rbac will prevent the
      # UI from sending RPCs to the server. We should create an appropriate ISTIO rbac authorization
      # policy to allow traffic from the UI to the model servier.
      # https://istio.io/docs/concepts/security/#target-selectors
      annotations:        
        sidecar.istio.io/inject: "false"
      labels:
        app: mnist-model
        version: v1
    spec:
      serviceAccount: default-editor
      containers:
      - args:
        - --port=9000
        - --rest_api_port=8500
        - --model_name=mnist
        - --model_base_path={model_base_path}
        command:
        - /usr/bin/tensorflow_model_server
        env:
        - name: modelBasePath
          value: {model_base_path}
        - name: S3_ENDPOINT
          value: {s3_endpoint}
        - name: AWS_ENDPOINT_URL
          value: {minio_endpoint}
        - name: AWS_REGION
          value: {minio_region}
        - name: BUCKET_NAME
          value: {mnist_bucket}
        - name: S3_USE_HTTPS
          value: "0"
        - name: S3_VERIFY_SSL
          value: "0"
        - name: AWS_ACCESS_KEY_ID
          value: {minio_username}
        - name: AWS_SECRET_ACCESS_KEY
          value: {minio_key}  
        image: tensorflow/serving:1.15.0
        imagePullPolicy: IfNotPresent
        livenessProbe:
          initialDelaySeconds: 30
          periodSeconds: 30
          tcpSocket:
            port: 9000
        name: mnist
        ports:
        - containerPort: 9000
        - containerPort: 8500
        resources:
          limits:
            cpu: "4"
            memory: 4Gi
          requests:
            cpu: "1"
            memory: 1Gi
        volumeMounts:
        - mountPath: /var/config/
          name: model-config
      volumes:
      - configMap:
          name: {deploy_name}
        name: model-config
"""

service_spec = f"""apiVersion: v1
kind: Service
metadata:
  annotations:    
    prometheus.io/path: /monitoring/prometheus/metrics
    prometheus.io/port: "8500"
    prometheus.io/scrape: "true"
  labels:
    app: mnist-model
  name: {model_service}
  namespace: {namespace}
spec:
  ports:
  - name: grpc-tf-serving
    port: 9000
    targetPort: 9000
  - name: http-tf-serving
    port: 8500
    targetPort: 8500
  selector:
    app: mnist-model
  type: ClusterIP
"""

monitoring_config = f"""kind: ConfigMap
apiVersion: v1
metadata:
  name: {deploy_name}
  namespace: {namespace}
data:
  monitoring_config.txt: |-
    prometheus_config: {{
      enable: true,
      path: "/monitoring/prometheus/metrics"
    }}
"""

model_specs = [deploy_spec, service_spec, monitoring_config]

In [226]:
k8s_util.apply_k8s_specs(model_specs, k8s_util.K8S_CREATE_OR_REPLACE)     

  spec = yaml.load(spec)
Created Deployment seldon.mnist-model
Created Service seldon.mnist-service
Created ConfigMap seldon.mnist-model


send: b'POST /apis/apps/v1/namespaces/seldon/deployments HTTP/1.1\r\nHost: 10.100.0.1\r\nAccept-Encoding: identity\r\nContent-Length: 1612\r\nAccept: application/json\r\nContent-Type: application/json\r\nUser-Agent: Swagger-Codegen/10.0.1/python\r\nauthorization: bearer eyJhbGciOiJSUzI1NiIsImtpZCI6ImlQU2hmTWEyODViRjk5OU9tTENpVEJWdHBEWV9QT3FaTGh6b3RteDVXaVUifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJ3b3Jrc3BhY2UiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoiZGVmYXVsdC1lZGl0b3ItdG9rZW4tYm03aGgiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdC1lZGl0b3IiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIxMDJlZjdkYS1jNWU1LTRmOWItODFjMy03NDVkYTFmNjM3NmEiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6d29ya3NwYWNlOmRlZmF1bHQtZWRpdG9yIn0.lsyjgUDOdCGHq0cHvwkHpbcQZcVPq-ov_Ukjd1yr1xODNmi9ze97Yi4KCfAwIC5XzYQCPDHkjQynQS2llhoapyRCawCLwk7siCKj9gLQytQ3tjXXkDAiWhl4axZJvkZ92AqiP9yI_m

[{'api_version': 'apps/v1',
  'kind': 'Deployment',
  'metadata': {'annotations': None,
               'cluster_name': None,
               'creation_timestamp': datetime.datetime(2020, 12, 29, 2, 18, 32, tzinfo=tzlocal()),
               'deletion_grace_period_seconds': None,
               'deletion_timestamp': None,
               'finalizers': None,
               'generate_name': None,
               'generation': 1,
               'initializers': None,
               'labels': {'app': 'mnist'},
               'managed_fields': None,
               'name': 'mnist-model',
               'namespace': 'seldon',
               'owner_references': None,
               'resource_version': '7815271',
               'self_link': '/apis/apps/v1/namespaces/seldon/deployments/mnist-model',
               'uid': '859e421f-bf78-445c-b956-76542bbbc7dc'},
  'spec': {'min_ready_seconds': None,
           'paused': None,
           'progress_deadline_seconds': 600,
           'replicas': 1,
      

## Deploy the mnist UI

* We will now deploy the UI to visual the mnist results
* Note: This is using a prebuilt and public docker image for the UI

In [49]:
ui_name = "mnist-ui"
ui_deploy = f"""apiVersion: apps/v1
kind: Deployment
metadata:
  name: {ui_name}
  namespace: {namespace}
spec:
  replicas: 1
  selector:
    matchLabels:
      app: mnist-web-ui
  template:
    metadata:
      labels:
        app: mnist-web-ui
    spec:
      containers:
      - image: gcr.io/kubeflow-examples/mnist/web-ui:v20190112-v0.2-142-g3b38225
        name: web-ui
        ports:
        - containerPort: 5000        
      serviceAccount: default-editor
"""

ui_service = f"""apiVersion: v1
kind: Service
metadata:
  annotations:
  name: {ui_name}
  namespace: {namespace}
spec:
  ports:
  - name: http-mnist-ui
    port: 80
    targetPort: 5000
  selector:
    app: mnist-web-ui
  type: ClusterIP
"""

ui_virtual_service = f"""apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: {ui_name}
  namespace: {namespace}
spec:
  gateways:
  - kubeflow/kubeflow-gateway
  hosts:
  - '*'
  http:
  - match:
    - uri:
        prefix: /mnist/{namespace}/ui/
    rewrite:
      uri: /
    route:
    - destination:
        host: {ui_name}.{namespace}.svc.cluster.local
        port:
          number: 80
    timeout: 300s
"""

ui_specs = [ui_deploy, ui_service, ui_virtual_service]

In [50]:
k8s_util.apply_k8s_specs(ui_specs, k8s_util.K8S_CREATE_OR_REPLACE)     

Deleted Deployment workspace.mnist-ui
Created Deployment workspace.mnist-ui
Deleted Service workspace.mnist-ui
Created Service workspace.mnist-ui
Deleted VirtualService workspace.mnist-ui
Created VirtualService mnist-ui.mnist-ui


[{'api_version': 'apps/v1',
  'kind': 'Deployment',
  'metadata': {'annotations': None,
               'cluster_name': None,
               'creation_timestamp': datetime.datetime(2020, 12, 23, 6, 22, 25, tzinfo=tzlocal()),
               'deletion_grace_period_seconds': None,
               'deletion_timestamp': None,
               'finalizers': None,
               'generate_name': None,
               'generation': 1,
               'initializers': None,
               'labels': None,
               'managed_fields': None,
               'name': 'mnist-ui',
               'namespace': 'workspace',
               'owner_references': None,
               'resource_version': '5850394',
               'self_link': '/apis/apps/v1/namespaces/workspace/deployments/mnist-ui',
               'uid': 'd0aab05f-542c-4b60-bf9a-b6979af9ccb6'},
  'spec': {'min_ready_seconds': None,
           'paused': None,
           'progress_deadline_seconds': 600,
           'replicas': 1,
           'revisi

## Access the  web UI


In [174]:
istio_ingress_endpoint = None
try:
    istio_ingress_endpoint = api_client.read_namespaced_service(name='istio-ingressgateway', namespace='istio-system')
    istio_ports = istio_ingress_endpoint.spec.ports
    for istio_port in istio_ports:
        if istio_port.name == "http2":
            logging.warning("get worker-node-ip by running 'kubectl get nodes -o wide'")
            logging.info(f"Tensorboard URL: <worker-node-ip>:{istio_port.node_port}/mnist/workspace/ui/")
except ApiException as e:
    if e.status == 403:
        logging.warning(f"The service account doesn't have sufficient privileges "
                      f"to get the kubeflow minio-service. "
                      f"You will have to manually enter the minio cluster-ip. "
                      f"To make this function work ask someone with cluster "
                      f"priveleges to create an appropriate "
                      f"clusterrolebinding by running a command.\n"
                      f"kubectl create --namespace=kubeflow rolebinding "
                       "--clusterrole=kubeflow-view "
                       "--serviceaccount=${NAMESPACE}:default-editor "
                       "${NAMESPACE}-minio-view")
        logging.warn("API Access restricted. Please get URL by running the kubectl commands at the end of the notebook")

get worker-node-ip by running 'kubectl get nodes -o wide'
Tensorboard URL: <worker-node-ip>:31380/mnist/workspace/ui/


send: b'GET /api/v1/namespaces/istio-system/services/istio-ingressgateway HTTP/1.1\r\nHost: 10.100.0.1\r\nAccept-Encoding: identity\r\nAccept: application/json\r\nContent-Type: application/json\r\nUser-Agent: Swagger-Codegen/10.0.1/python\r\nauthorization: bearer eyJhbGciOiJSUzI1NiIsImtpZCI6ImlQU2hmTWEyODViRjk5OU9tTENpVEJWdHBEWV9QT3FaTGh6b3RteDVXaVUifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJ3b3Jrc3BhY2UiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoiZGVmYXVsdC1lZGl0b3ItdG9rZW4tYm03aGgiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdC1lZGl0b3IiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIxMDJlZjdkYS1jNWU1LTRmOWItODFjMy03NDVkYTFmNjM3NmEiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6d29ya3NwYWNlOmRlZmF1bHQtZWRpdG9yIn0.lsyjgUDOdCGHq0cHvwkHpbcQZcVPq-ov_Ukjd1yr1xODNmi9ze97Yi4KCfAwIC5XzYQCPDHkjQynQS2llhoapyRCawCLwk7siCKj9gLQytQ3tjXXkDAiWhl4axZJvkZ92AqiP9yI_mBo2pbAu

## Access the Web UI

Run this with the appropriate RBAC permissions <br>
**Note:** You can get the node worker ip from `kubectl get no -o wide` <br>
```bash
!export INGRESS_HOST=<worker-node-ip>
!export INGRESS_PORT=$(kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}')
!printf "mnist-web-app URL: \n${INGRESS_HOST}:${INGRESS_PORT}/mnist/anonymous/ui/\n"
```
Web UI is at http://kubeflow.small-julie-379.bubble.superhub.io/mnist/workspace/ui/

## Serve the model with Seldon

* Deploy the model using Seldon
* We need to create
  1. A Kubernetes Deployment
  2. A Kubernetes service
  3. (Optional) Create a configmap containing the prometheus monitoring config

In [227]:
s3 = boto3.client('s3', endpoint_url="https://buckets.app.small-julie-379.bubble.superhub.io/", 
             aws_access_key_id='admin',
             aws_secret_access_key='Admin123',
             region_name='us-east-1')


In [228]:
s3.list_buckets()

send: b'GET / HTTP/1.1\r\nHost: buckets.app.small-julie-379.bubble.superhub.io\r\nAccept-Encoding: identity\r\nUser-Agent: Boto3/1.16.37 Python/3.6.9 Linux/4.14.203-156.332.amzn2.x86_64 Botocore/1.19.37\r\nX-Amz-Date: 20201229T022947Z\r\nX-Amz-Content-SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\r\nAuthorization: AWS4-HMAC-SHA256 Credential=admin/20201229/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=c7a63a1ccb00f98d124bccee53fd76cb706c8ee146edfbc6e065c848129f367d\r\n\r\n'
reply: 'HTTP/1.1 200 OK\r\n'
header: Accept-Ranges: bytes
header: Content-Length: 835
header: Content-Security-Policy: block-all-mixed-content
header: Content-Type: application/xml
header: Date: Tue, 29 Dec 2020 02:29:47 GMT
header: Server: MinIO/RELEASE.2020-07-02T00-15-09Z
header: Vary: Origin
header: X-Amz-Request-Id: 16550F0C54E38D91
header: X-Xss-Protection: 1; mode=block


{'ResponseMetadata': {'RequestId': '16550F0C54E38D91',
  'HostId': '',
  'HTTPStatusCode': 200,
  'HTTPHeaders': {'accept-ranges': 'bytes',
   'content-length': '835',
   'content-security-policy': 'block-all-mixed-content',
   'content-type': 'application/xml',
   'date': 'Tue, 29 Dec 2020 02:29:47 GMT',
   'server': 'MinIO/RELEASE.2020-07-02T00-15-09Z',
   'vary': 'Origin',
   'x-amz-request-id': '16550F0C54E38D91',
   'x-xss-protection': '1; mode=block'},
  'RetryAttempts': 0},
 'Buckets': [{'Name': 'kubeflow-pipelines',
   'CreationDate': datetime.datetime(2020, 12, 6, 18, 15, 17, 12000, tzinfo=tzlocal())},
  {'Name': 'kubeflow-us-east-1',
   'CreationDate': datetime.datetime(2020, 12, 9, 23, 47, 10, 798000, tzinfo=tzlocal())},
  {'Name': 'mnist',
   'CreationDate': datetime.datetime(2020, 12, 11, 1, 39, 31, 34000, tzinfo=tzlocal())},
  {'Name': 'small-sa-mnist',
   'CreationDate': datetime.datetime(2020, 12, 10, 4, 52, 34, 632000, tzinfo=tzlocal())},
  {'Name': 'test',
   'Creatio

In [229]:
secret_spec = f"""apiVersion: v1
kind: Secret
metadata:
metadata:
  name: seldon-init-container-secret
  namespace: {namespace}
type: Opaque
stringData:
  AWS_ACCESS_KEY_ID: admin
  AWS_SECRET_ACCESS_KEY: Admin123
  AWS_ENDPOINT_URL: https://buckets.app.small-julie-379.bubble.superhub.io/
  USE_SSL: "true"
"""

minio_specs = [secret_spec]      

In [230]:
k8s_util.apply_k8s_specs(minio_specs, k8s_util.K8S_CREATE_OR_REPLACE)

  spec = yaml.load(spec)
Deleted Secret seldon.seldon-init-container-secret
Created Secret seldon.seldon-init-container-secret


send: b'POST /api/v1/namespaces/seldon/secrets HTTP/1.1\r\nHost: 10.100.0.1\r\nAccept-Encoding: identity\r\nContent-Length: 314\r\nAccept: application/json\r\nContent-Type: application/json\r\nUser-Agent: Swagger-Codegen/10.0.1/python\r\nauthorization: bearer eyJhbGciOiJSUzI1NiIsImtpZCI6ImlQU2hmTWEyODViRjk5OU9tTENpVEJWdHBEWV9QT3FaTGh6b3RteDVXaVUifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJ3b3Jrc3BhY2UiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoiZGVmYXVsdC1lZGl0b3ItdG9rZW4tYm03aGgiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdC1lZGl0b3IiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIxMDJlZjdkYS1jNWU1LTRmOWItODFjMy03NDVkYTFmNjM3NmEiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6d29ya3NwYWNlOmRlZmF1bHQtZWRpdG9yIn0.lsyjgUDOdCGHq0cHvwkHpbcQZcVPq-ov_Ukjd1yr1xODNmi9ze97Yi4KCfAwIC5XzYQCPDHkjQynQS2llhoapyRCawCLwk7siCKj9gLQytQ3tjXXkDAiWhl4axZJvkZ92AqiP9yI_mBo2pbAu5GUp

[{'api_version': 'v1',
  'data': {'AWS_ACCESS_KEY_ID': 'YWRtaW4=',
           'AWS_ENDPOINT_URL': 'aHR0cHM6Ly9idWNrZXRzLmFwcC5zbWFsbC1qdWxpZS0zNzkuYnViYmxlLnN1cGVyaHViLmlvLw==',
           'AWS_SECRET_ACCESS_KEY': 'QWRtaW4xMjM=',
           'USE_SSL': 'dHJ1ZQ=='},
  'kind': 'Secret',
  'metadata': {'annotations': None,
               'cluster_name': None,
               'creation_timestamp': datetime.datetime(2020, 12, 29, 2, 30, 8, tzinfo=tzlocal()),
               'deletion_grace_period_seconds': None,
               'deletion_timestamp': None,
               'finalizers': None,
               'generate_name': None,
               'generation': None,
               'initializers': None,
               'labels': None,
               'managed_fields': None,
               'name': 'seldon-init-container-secret',
               'namespace': 'seldon',
               'owner_references': None,
               'resource_version': '7818038',
               'self_link': '/api/v1/namespaces/seld

In [233]:
export_path

's3://small-sa-mnist/mnist/export'

In [252]:
export_path="s3://mnist/mnist"

In [253]:
deploy_name = "tfserving"
model_base_path = export_path

# The web ui defaults to mnist2-service so if you change it you will
# need to change it in the UI as well to send predictions to the mode
model_service = "mnist2-service"

deploy_spec = f"""apiVersion: machinelearning.seldon.io/v1alpha2
kind: SeldonDeployment
metadata:
  name: {deploy_name}
  namespace: {namespace}
  annotations:        
    sidecar.istio.io/inject: "false"
spec:
  name: mnist
  serviceAccount: default-editor
  predictors:
  - graph:
      children: []
      implementation: TENSORFLOW_SERVER
      modelUri: {model_base_path}
      envSecretRefName: seldon-init-container-secret
      name: mnist
      parameters:
        - name: signature_name
          type: STRING
          value: serving_default
        - name: model_name
          type: STRING
          value: mnist
        - name: model_input
          type: STRING
          value: images
        - name: model_output
          type: STRING
          value: scores     
    name: default
    replicas: 1
"""

service_spec = f"""apiVersion: v1
kind: Service
metadata:
  annotations:    
    prometheus.io/path: /monitoring/prometheus/metrics
    prometheus.io/port: "8500"
    prometheus.io/scrape: "true"
  labels:
    app: mnist-model
  name: {model_service}
  namespace: {namespace}
spec:
  ports:
  - name: grpc-tf-serving
    port: 9000
    targetPort: 9000
  - name: http-tf-serving
    port: 8500
    targetPort: 8500
  selector:
    app: mnist-model
  type: ClusterIP
"""

monitoring_config = f"""kind: ConfigMap
apiVersion: v1
metadata:
  name: {deploy_name}
  namespace: {namespace}
data:
  monitoring_config.txt: |-
    prometheus_config: {{
      enable: true,
      path: "/monitoring/prometheus/metrics"
    }}
"""

model_specs = [deploy_spec, service_spec, monitoring_config]    

In [254]:
k8s_util.apply_k8s_specs(model_specs, k8s_util.K8S_CREATE_OR_REPLACE) 

Deleted SeldonDeployment seldon.tfserving
Created SeldonDeployment tfserving.tfserving
Deleted Service seldon.mnist2-service
Created Service seldon.mnist2-service


send: b'POST /apis/machinelearning.seldon.io/v1alpha2/namespaces/seldon/seldondeployments HTTP/1.1\r\nHost: 10.100.0.1\r\nAccept-Encoding: identity\r\nContent-Length: 748\r\nAccept: application/json\r\nUser-Agent: Swagger-Codegen/10.0.1/python\r\nauthorization: bearer eyJhbGciOiJSUzI1NiIsImtpZCI6ImlQU2hmTWEyODViRjk5OU9tTENpVEJWdHBEWV9QT3FaTGh6b3RteDVXaVUifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJ3b3Jrc3BhY2UiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoiZGVmYXVsdC1lZGl0b3ItdG9rZW4tYm03aGgiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdC1lZGl0b3IiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIxMDJlZjdkYS1jNWU1LTRmOWItODFjMy03NDVkYTFmNjM3NmEiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6d29ya3NwYWNlOmRlZmF1bHQtZWRpdG9yIn0.lsyjgUDOdCGHq0cHvwkHpbcQZcVPq-ov_Ukjd1yr1xODNmi9ze97Yi4KCfAwIC5XzYQCPDHkjQynQS2llhoapyRCawCLwk7siCKj9gLQytQ3tjXXkDAiWhl4axZJvkZ92AqiP9yI_mBo

Deleted ConfigMap seldon.tfserving
Created ConfigMap seldon.tfserving


send: b'POST /api/v1/namespaces/seldon/configmaps HTTP/1.1\r\nHost: 10.100.0.1\r\nAccept-Encoding: identity\r\nContent-Length: 222\r\nAccept: application/json\r\nContent-Type: application/json\r\nUser-Agent: Swagger-Codegen/10.0.1/python\r\nauthorization: bearer eyJhbGciOiJSUzI1NiIsImtpZCI6ImlQU2hmTWEyODViRjk5OU9tTENpVEJWdHBEWV9QT3FaTGh6b3RteDVXaVUifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJ3b3Jrc3BhY2UiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlY3JldC5uYW1lIjoiZGVmYXVsdC1lZGl0b3ItdG9rZW4tYm03aGgiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdC1lZGl0b3IiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIxMDJlZjdkYS1jNWU1LTRmOWItODFjMy03NDVkYTFmNjM3NmEiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6d29ya3NwYWNlOmRlZmF1bHQtZWRpdG9yIn0.lsyjgUDOdCGHq0cHvwkHpbcQZcVPq-ov_Ukjd1yr1xODNmi9ze97Yi4KCfAwIC5XzYQCPDHkjQynQS2llhoapyRCawCLwk7siCKj9gLQytQ3tjXXkDAiWhl4axZJvkZ92AqiP9yI_mBo2pbAu5

[{'apiVersion': 'machinelearning.seldon.io/v1alpha2',
  'kind': 'SeldonDeployment',
  'metadata': {'annotations': {'sidecar.istio.io/inject': 'false'},
   'creationTimestamp': '2020-12-29T05:50:46Z',
   'generation': 1,
   'name': 'tfserving',
   'namespace': 'seldon',
   'resourceVersion': '7865466',
   'selfLink': '/apis/machinelearning.seldon.io/v1alpha2/namespaces/seldon/seldondeployments/tfserving',
   'uid': 'e83d71af-051e-4c31-9bce-6b684532134e'},
  'spec': {'name': 'mnist',
   'predictors': [{'graph': {'children': [],
      'envSecretRefName': 'seldon-init-container-secret',
      'implementation': 'TENSORFLOW_SERVER',
      'modelUri': 's3://mnist/mnist',
      'name': 'mnist',
      'parameters': [{'name': 'signature_name',
        'type': 'STRING',
        'value': 'serving_default'},
       {'name': 'model_name', 'type': 'STRING', 'value': 'mnist'},
       {'name': 'model_input', 'type': 'STRING', 'value': 'images'},
       {'name': 'model_output', 'type': 'STRING', 'value'

Add admin permissions to the notebook user using the following command: <br>`kubectl create clusterrolebinding workspace-cluster-admin --clusterrole=cluster-admin --serviceaccount=workspace:default-editor`

In [240]:
!kubectl rollout status deploy/$(kubectl get deploy -l seldon-deployment-id=tfserving -o jsonpath='{.items[0].metadata.name}')
#deployment "tfserving-default-0-mnist-model" successfully rolled out

error: deployment "tfserving-default-0-mnist" exceeded its progress deadline


Get a token from the Dex gateway. At present as Dex does not support curl password credentials you will need to get it from your browser logged into the cluster. Open up a browser console and run `document.cookie`

In [255]:
TOKEN="MTYwOTE5MDExNXxOd3dBTkVnMlRFdGFOMU0zU1ZCSVZGZzBSVmRSUkZwUVYxcEhXVkZNVGxCVFQwWllSRFJOVFZkVVVsVlRUa3BOVFZaTlZEWlhTRUU9fD5h8q0EUw7adNfzGn_F-fpsffnT6wMOoeZ6XdUz2VmM"

In [256]:
from seldon_core.seldon_client import SeldonClient, SeldonChannelCredentials, SeldonCallCredentials
host = "kubeflow.small-julie-379.bubble.superhub.io"
port = "443" # Make sure you use the port above
ISTIO_GATEWAY=host + ":" + port
deployment_name = "tfserving"
transport="rest"
namespace="seldon"

sc = SeldonClient(deployment_name=deployment_name,namespace=namespace,gateway_endpoint=ISTIO_GATEWAY,debug=False,
                 channel_credentials=SeldonChannelCredentials(verify=False),
                 call_credentials=SeldonCallCredentials(token=TOKEN))

Configuration:{'client_return_type': 'dict', 'debug': False, 'call_credentials': <seldon_core.seldon_client.SeldonCallCredentials object at 0x7f862fe0c128>, 'channel_credentials': <seldon_core.seldon_client.SeldonChannelCredentials object at 0x7f862fe0cf28>, 'grpc_max_receive_message_length': 4194304, 'grpc_max_send_message_length': 4194304, 'microservice_endpoint': 'localhost:5000', 'gateway_endpoint': 'kubeflow.small-julie-379.bubble.superhub.io:443', 'payload_type': 'tensor', 'deployment_name': 'tfserving', 'namespace': 'seldon', 'transport': 'rest', 'gateway': 'ambassador'}


In [257]:
r = sc.predict(gateway="istio",transport="rest",shape=(1,784))
print(r)
assert(r.success==True)


URL is https://kubeflow.small-julie-379.bubble.superhub.io:443/seldon/seldon/tfserving/api/v1.0/predictions
Raw response: {"data":{"names":["t:0","t:1","t:2","t:3","t:4","t:5","t:6","t:7","t:8","t:9"],"tensor":{"shape":[1,10],"values":[6.40168423e-07,2.06322195e-08,0.00719272206,0.849088252,3.77108266e-17,0.142557859,0.000983143109,0.000177409253,1.96624459e-08,1.05058717e-09]}},"meta":{}}



send: b'POST /seldon/seldon/tfserving/api/v1.0/predictions HTTP/1.1\r\nHost: kubeflow.small-julie-379.bubble.superhub.io\r\nUser-Agent: python-requests/2.22.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nX-Auth-Token: MTYwOTE5MDExNXxOd3dBTkVnMlRFdGFOMU0zU1ZCSVZGZzBSVmRSUkZwUVYxcEhXVkZNVGxCVFQwWllSRFJOVFZkVVVsVlRUa3BOVFZaTlZEWlhTRUU9fD5h8q0EUw7adNfzGn_F-fpsffnT6wMOoeZ6XdUz2VmM\r\nContent-Length: 15957\r\nContent-Type: application/json\r\n\r\n'
send: b'{"meta": {}, "data": {"tensor": {"shape": [1, 784], "values": [0.3955159261103074, 0.6381102894063806, 0.48469802836440345, 0.31975661542424927, 0.9855437291903449, 0.21559349316674403, 0.7893842017222712, 0.7820289238398234, 0.7855660714467824, 0.5021372596436016, 0.5306706069952672, 0.5526366168761174, 0.3159026400228985, 0.511709853675273, 0.45555958335642976, 0.13115972933703768, 0.5347372138303822, 0.7085510518442072, 0.19206056531279758, 0.8530149712782652, 0.966107753308926, 0.7854683116056633, 0.039

In [244]:
print (f"Inference request successful: {r.success}")

Inference request successful: True


In [74]:
!kubectl -n istio-system get service istio-ingressgateway -o jsonpath='{.spec.ports[?(@.name=="http2")].nodePort}'

31380

In [75]:
ISTIO_GATEWAY="http://kubeflow.small-julie-379.bubble.superhub.io/"

In [68]:
from seldon_core.seldon_client import SeldonClient
sc = SeldonClient(deployment_name="mymodel",namespace="seldon",gateway_endpoint=ISTIO_GATEWAY)

Configuration:{'client_return_type': 'dict', 'debug': False, 'call_credentials': None, 'channel_credentials': None, 'grpc_max_receive_message_length': 4194304, 'grpc_max_send_message_length': 4194304, 'microservice_endpoint': 'localhost:5000', 'gateway_endpoint': 'http://kubeflow.small-julie-379.bubble.superhub.io/', 'payload_type': 'tensor', 'deployment_name': 'mymodel', 'namespace': 'seldon', 'transport': 'rest', 'gateway': 'ambassador'}


In [69]:
from seldon_core.seldon_client import SeldonClient
import numpy as np
import subprocess

host = "kubeflow.small-julie-379.bubble.superhub.io"
port = "80" # Make sure you use the port above
ISTIO_GATEWAY=host + ":" + port
batch = np.array(["Hello world this is a test"])
payload_type = "ndarray"
# Get the deployment name
#deployment_name = subprocess.getoutput("kubectl -n seldon get seldondeployment -o jsonpath='{.items[0].metadata.name}'")
deployment_name = "mnist-classifier"
transport="rest"
namespace="seldon"

sc = SeldonClient(deployment_name=deployment_name,namespace=namespace,gateway_endpoint=ISTIO_GATEWAY,debug=True, gateway="istio")


Configuration:{'client_return_type': 'dict', 'debug': True, 'call_credentials': None, 'channel_credentials': None, 'grpc_max_receive_message_length': 4194304, 'grpc_max_send_message_length': 4194304, 'microservice_endpoint': 'localhost:5000', 'gateway_endpoint': 'kubeflow.small-julie-379.bubble.superhub.io:80', 'payload_type': 'tensor', 'deployment_name': 'mnist-classifier', 'namespace': 'seldon', 'transport': 'rest', 'gateway': 'istio'}


In [71]:
deployment_name

'mnist-classifier'

#### REST Request

In [72]:
r = sc.predict(gateway="istio",transport="rest")
assert(r.success==True)
print(r)

URL is http://kubeflow.small-julie-379.bubble.superhub.io:80/seldon/seldon/mnist-classifier/api/v1.0/predictions
Raw response: <!DOCTYPE html>
<html>
  <head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
    <title>dex</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <link href="../static/main.css" rel="stylesheet">
    <link href="../theme/styles.css" rel="stylesheet">
    <link rel="icon" href="../theme/favicon.png">
  </head>

  <body class="theme-body">
    <div class="theme-navbar">
      <div class="theme-navbar__logo-wrap">
        <img class="theme-navbar__logo" src="../theme/logo.png">
      </div>
    </div>

    <div class="dex-container">



<div class="theme-panel">
  <h2 class="theme-heading">Log in to Your Account</h2>
  <form method="post" action="/auth/local?req=bpehoqtv4hyg4klcdwobioupe">
    <div class="theme-form-row">
      <div class="theme-form-label">
        <label for="useri

send: b'POST /seldon/seldon/mnist-classifier/api/v1.0/predictions HTTP/1.1\r\nHost: kubeflow.small-julie-379.bubble.superhub.io\r\nUser-Agent: python-requests/2.22.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\nContent-Length: 85\r\nContent-Type: application/json\r\n\r\n'
send: b'{"meta": {}, "data": {"tensor": {"shape": [1, 1], "values": [0.003536823929929267]}}}'
reply: 'HTTP/1.1 301 Moved Permanently\r\n'
header: location: https://kubeflow.small-julie-379.bubble.superhub.io/seldon/seldon/mnist-classifier/api/v1.0/predictions
header: date: Wed, 23 Dec 2020 20:13:58 GMT
header: server: envoy
header: content-length: 0
header: x-envoy-upstream-service-time: 5
send: b'GET /seldon/seldon/mnist-classifier/api/v1.0/predictions HTTP/1.1\r\nHost: kubeflow.small-julie-379.bubble.superhub.io\r\nUser-Agent: python-requests/2.22.0\r\nAccept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\n\r\n'
reply: 'HTTP/1.1 302 Found\r\n'
header: content-typ