[feature] remove hard-coded configs in KFP V2 launcher #9689
Comments
|
@chensun @zijianjoy I think this is very important before cutting the 2.0.0 for the backend. |
|
/assign @zijianjoy |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
github-actions
bot
added
the
lifecycle/stale
The upstream pipelines project hardcodes the name of the object storage service to minio-service. The current implementation sets the service to just minio, which collides with what pipelines expect. This PR ensures the Service is created with the expected name and ports. Refer to kubeflow/pipelines#9689 for more information
* fix: explicitly apply minio-service with name The upstream pipelines project hardcodes the name of the object storage service to minio-service. The current implementation sets the service to just minio, which collides with what pipelines expect. This PR ensures the Service is created with the expected name and ports. Refer to kubeflow/pipelines#9689 for more information
|
Did this get resolved before the 1.8 release? |
|
@chensun can you confirm what the status on this is? |
This: * removes deprecated `DBCONFIG_USER`, etc, environment variables (they have been replaced by variables of name `DBCONFIG_[driver]CONFIG_*`) * adds `OBJECTSTORECONFIG_HOST`, `_PORT`, and `_REGION`, which previously were required. Although currently they seem to be ignored due to kubeflow/pipelines#9689 - but in theory they'll matter again? Not sure exactly the scope of that issue.
github-actions
bot
removed
the
lifecycle/stale
* update kfp-api's apiserver configuration This: * removes deprecated `DBCONFIG_USER`, etc, environment variables (they have been replaced by variables of name `DBCONFIG_[driver]CONFIG_*`) * adds `OBJECTSTORECONFIG_HOST`, `_PORT`, and `_REGION`, which previously were required. Although currently they seem to be ignored due to kubeflow/pipelines#9689 - but in theory they'll matter again? Not sure exactly the scope of that issue.
* update kfp-api's apiserver configuration This: * removes deprecated `DBCONFIG_USER`, etc, environment variables (they have been replaced by variables of name `DBCONFIG_[driver]CONFIG_*`) * adds `OBJECTSTORECONFIG_HOST`, `_PORT`, and `_REGION`, which previously were required. Although currently they seem to be ignored due to kubeflow/pipelines#9689 - but in theory they'll matter again? Not sure exactly the scope of that issue.
|
Just seeing this issue after I created #10318 and implemented #10319. If implemented, this would enable users to define arbitrary s3 endpoints for artifact storage. Does this help? |
|
Thank you for this @TobiasGoerke I think this is an improvement. Though the problem of the hardcoded configs still remains. Adding the endpoint as part of the query string seems more like a workaround to me for this issue, and as you said the issue of propagating credentials remains. There seems to be already a precedent with passing around mlmd endpoint info via a configmap, seems to make sense to do the same for the s3 endpoint as suggested by @thesuperzapper. In this same config we can specify the s3 credentials secret name/keys as well. |
|
@zijianjoy this is a priority item for our team so we'll be looking to resolve this in our downstream, and if you'd like I can help with implementing it here as well. If you are already in progress with this and would like to see it to completion, we'd be interested in your approach so we can be aligned in our solution while we wait for the change in upstream! Some follow ups: 1. Is there an obvious preference over option 1/2?Option 1 it seems easier to implement as well as easier to extend, one does not need to always update mlmd client code when adding new properties to the config. However, as previously mentioned it requires that every executor pod fetches the configmap, is this a major concern? Option 2 we'd follow the same pattern as we do for reading in the pipelineroot. So addtiional metadata fields for the provider creds would need to be added. In the driver we would find the matching auth provider config in the kfp launcher configmap and maybe store that as a json string. We then query MLMD for the configs within the launcher. I would be interested to hear other options/suggestions under consideration. 2. Configmap structureI like @thesuperzapper more flexible configmap suggestions, but I have some further suggestions/amendments: defaultPipelineRoot: "minio://my-bucket/v2/artifacts"
providers:
minio:
# can be another minio instance
endpoint: "minio.example.com:9000"
disableSSL: true
# by default use this secret for this provider
defaultProviderSecretRef:
secretName: "my-secret-in-profile-namespace"
accessKeyKey: "access_key"
secretKeyKey: "secret_key"
# optional, first matching prefix in pipelineRoot is used
# in this example v2/artifacts would be used if using the
# defaultPipelineRoot above
authConfigs:
- bucketName: "my-bucket"
keyPrefix: "v2/artifacts/123"
secretRef:
secretName: "my-secret-in-profile-namespace-1"
accessKeyKey: "access_key"
secretKeyKey: "secret_key"
- bucketName: "my-bucket"
keyPrefix: "v2/artifacts/"
secretRef:
secretName: "my-secret-in-profile-namespace-2"
accessKeyKey: "access_key"
secretKeyKey: "secret_key"
# Having the ability to override the regions here allows us to leverage other s3 compatible providers
# and not just aws s3
s3:
# allows for pointing to s3 compatible non aws solutions like ceph
endpoint: "https://s3.amazonaws.com"
disableSSL: true
region: us-east-2
defaultProviderSecretRef:
secretName: "my-aws-secret-in-profile-namespace"
accessKeyKey: "access_key"
secretKeyKey: "secret_key"
authConfigs: []
gs: { }3. mlPipelineEndpointI don't see the need to add this in kfp-launcher configmap, to me it makes more sense to specify this in the API server as a config/env var and pass it down as parameters within driver/kfp-launcher/etc. just like the mlmd address/port. |
|
@HumairAK I see that you have at least partially fixed this in your fork of KFP:
Would you be willing to raise a PR upstream, so we can all standardize on a fix? |
|
@thesuperzapper that's the plan, I'll send one out soon |
|
@thesuperzapper I've provided a WIP that is mostly complete, just need to do more testing, and fix a obj store region related bug I welcome feedback on implementation/approach there: |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
github-actions
bot
added
the
lifecycle/stale
|
Don't stale. |
stale
bot
removed
the
lifecycle/stale
|
/lifecycle frozen |
Feature Area
/area backend
Related Issues
The Problem
Currently, we are hardcoding a few important configs in KFP V2's launcher and cache code.
This is making it difficult for distributions to support KFP v2 in a generic way.
Launcher - The minio credentials secret is hard-coded as
mlpipeline-minio-artifact:pipelines/backend/src/v2/objectstore/object_store.go
Line 292 in 35f7507
Launcher - The minio credentials secret keys are hard-coded as
accesskeyandsecretkey:pipelines/backend/src/v2/objectstore/object_store.go
Lines 324 to 325 in 35f7507
Launcher - The minio endpoint is hard-coded as
minio-service.kubeflow:9000:pipelines/backend/src/v2/objectstore/object_store.go
Line 291 in 35f7507
Cache - The
ml-pipelineendpoint is hard-coded asml-pipeline.kubeflow:8887:pipelines/backend/src/v2/cacheutils/cache.go
Line 26 in 35f7507
The Solution
We want to allow the above configs to be changed from their defaults, preferably on a per-namespace basis.
I propose we add these configs to the
ConfigMap/kfp-launcherwhich already exists in each profile namespace to setdefaultPipelineRoot.For example, a new
ConfigMap/kfp-launcherin a profile namespace might look like this:The question now becomes how to propagate these configs to the
kfp-launchercontainer in each workflow Pod.I think there are two options:
kfp-launchercontainer read theConfigMap/kfp-launcherobjectstore.OpenBucketmlPipelineEndpointhas to be done before it runscacheutils.NewClient()ConfigMap/kfp-launcherinRootDAGat the same time as we read thedefaultPipelineRootConfigMap/kfp-launcher)Other Thoughts
We could make this slightly more advanced to allow for "selecting" credentials based on the bucket & key-prefix being used, because not all pipelines have to use the default bucket_root, so might need different credentials.
For example, we could extend
ConfigMap/kfp-launcherlike this:Love this idea? Give it a 👍.
The text was updated successfully, but these errors were encountered: