Installation with Helm
This document describes how to install the ML Aide in your Kubernetes cluster using Helm. ML Aide requires an S3 compatible storage and MongoDB to store machine learning models and metadata. Additionally, an identity and access management (IAM) system is required. The helm chart can be configured to use external, existing installations of S3, MongoDB, and IAM or to instantiate those as part of the Helm deployment.
Prerequisites
- Kubernetes cluster 1.19+
- Helm 3.0+
- Any domain where you can configure A or AAAA records
Adding the Helm Repository
helm repo add mlaide https://helm.mlaide.com
helm repo update
Configure the Chart
ML Aide requires configuration of the following core functionalities:
- Expose ML Aide using Ingress (DNS and TLS configuration)
- Connection to S3 compatible storage
- Connection to MongoDB
- Connection to IAM using OpenID Connect (OIDC)
1. Expose ML Aide using Ingress
To use a Google Kubernetes Engine (GKE) Ingress, use the following configuration.
- Reserve static IP addresses on Google Cloud
- Configure DNS entries
- Configure Ingress for webserver and UI
- Optional: Configure Ingress for Keycloak
1. Reserve static IP addresses on Google Cloud
Google Cloud Load Balancers are assigned to a public IP address. You need to reserve the IP addresses by running the following commands.
Reserve IP addresses
# IP for webserver
gcloud compute addresses create mlaide-webserver \
  --global \
  --ip-version IPV4

# IP for UI
gcloud compute addresses create mlaide-ui \
  --global \
  --ip-version IPV4

# Optional: IP for Keycloak
gcloud compute addresses create mlaide-keycloak \
  --global \
  --ip-version IPV4
2. Configure DNS entries
Use your DNS management tool to configure the A records for the three domains pointing to the reserved IP addresses. You can get the reserved IPs by using the following command: gcloud compute addresses list
Assign the IPs to the following domains using your DNS configuration tool:
- mlaide-webserver → api.mlaide.<your-domain>
- mlaide-ui → mlaide.<your-domain>
- Optional: mlaide-keycloak → login.mlaide.<your-domain>
3. Configure Ingress for webserver and UI
Store the shown YAML as ingress.yaml in your working directory. Replace <your-domain> with your actual domain configured in the step above.
Webserver and UI Ingress
webserver:
  ingress:
    enabled: true
    domain: api.mlaide.<your-domain>
    annotations:
      networking.gke.io/managed-certificates: mlaide-webserver-cert
      kubernetes.io/ingress.global-static-ip-name: mlaide-webserver
      kubernetes.io/ingress.class: gce
      kubernetes.io/ingress.allow-http: "false"
    hosts:
      - host: api.mlaide.<your-domain>
        paths:
          - path: /*
            pathType: ImplementationSpecific

ui:
  ingress:
    enabled: true
    domain: mlaide.<your-domain>
    annotations:
      networking.gke.io/managed-certificates: mlaide-ui-cert
      kubernetes.io/ingress.global-static-ip-name: mlaide-ui
      kubernetes.io/ingress.class: gce
      kubernetes.io/ingress.allow-http: "false"
    hosts:
      - host: mlaide.<your-domain>
        paths:
          - path: /*
            pathType: ImplementationSpecific

googleCloudPlatform:
  enableManagedCertificate: true
4. Optional: Configure Ingress for Keycloak
If you want to use the Keycloak instance shipped with the Helm chart, you need to add the ingress configuration for Keycloak. Add this to your ingress.yaml.
Keycloak Ingress
keycloak:
  ingress:
    enabled: true
    domain: "login.mlaide.<your-domain>"
    rules:
      - host: "login.mlaide.<your-domain>"
        paths:
          - path: /*
            pathType: ImplementationSpecific
    tls: []
    annotations:
      networking.gke.io/managed-certificates: mlaide-keycloak-cert
      kubernetes.io/ingress.global-static-ip-name: mlaide-keycloak
      kubernetes.io/ingress.class: gce
      kubernetes.io/ingress.allow-http: "false"
2. Connection to S3 compatible storage
ML Aide uses the S3 (Simple Storage Service) API to store artifacts. You can use AWS S3 or any other S3 compatible service. The ML Aide Helm chart can also install MinIO running directly on Kubernetes.
Store the shown YAML as s3.yaml in your working directory and adapt it to your needs.
webserver:
  s3:
    host: "my-release-minio"
    port: "9000"
    # example credentials; with the built-in MinIO they must match minio.auth below
    accessKey: "my-s3-user"
    secretKey: "my-s3-password"

# enable MinIO deployment
minio:
  enabled: true
  auth:
    rootUser: my-s3-user
    rootPassword: my-s3-password
3. Connection to MongoDB
ML Aide uses MongoDB to store projects, runs, metrics, and other metadata. You can use any MongoDB instance or alternatively use the MongoDB shipped as part of the Helm chart.
Store the shown YAML as mongodb.yaml in your working directory and adapt it to your needs.
webserver:
  mongodb:
    host: "my-release-mongodb"
    port: "27017"
    # example credentials; with the built-in MongoDB the password must match
    # mongodb.auth.rootPassword below
    username: "root"
    password: "mypassword"
    database: "mlaide"
    autoIndexCreation: true
    authenticationDatabase: admin

# enable MongoDB deployment
mongodb:
  enabled: true
  auth:
    usernames:
      - my-user
    passwords:
      - my-pw
    databases:
      - mlaide
    rootPassword: mypassword
4. Connection to IAM
Store the shown YAML as iam.yaml in your working directory. Replace <your-domain> with your actual domain.
# enable Keycloak deployment
keycloak:
  enabled: true
  postgresql:
    fullnameOverride: my-release-keycloak-postgresql

oidc:
  audience: "https://api.mlaide.<your-domain>"
  issuer: "https://login.mlaide.<your-domain>/auth/realms/mlaide-demo"
  scope: "openid profile email offline_access"
  ui:
    clientId: "mlaide-k8s-demo"
  webserver:
    jwkSetUri: "https://login.mlaide.<your-domain>/auth/realms/mlaide-demo/protocol/openid-connect/certs"
    userInfoEndpoint: "https://login.mlaide.<your-domain>/auth/realms/mlaide-demo/protocol/openid-connect/userinfo"
    nicknamePropertyName: "preferred_username"
Installing the Chart
Install the ML Aide Helm chart with the release name my-release:
helm install my-release mlaide/mlaide -f ingress.yaml -f s3.yaml -f mongodb.yaml -f iam.yaml
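A pre-flight check for the values passed to helm install above, as an added example that is not part of the ML Aide project: it flags <your-domain> placeholders and sample credentials copied from this guide, and verifies the GKE managed-certificate and allow-http annotations. The helper names are hypothetical, the values files are assumed to be already parsed into dicts by a YAML parser of your choice, and the certificate name defaults are taken from the Values table of this page.

```python
# Sample secrets and the placeholder used in this guide's YAML snippets.
DOC_SAMPLES = {"my-s3-password", "mypassword", "my-pw"}
PLACEHOLDER = "<your-domain>"
CERT_ANNOTATION = "networking.gke.io/managed-certificates"
CERT_DEFAULTS = {"webserver": "mlaide-webserver-cert", "ui": "mlaide-ui-cert",
                 "keycloak": "mlaide-keycloak-cert"}

def merge(base, override):
    """Deep-merge dicts the way successive `helm -f` files are layered."""
    out = dict(base)
    for key, val in override.items():
        both = isinstance(val, dict) and isinstance(out.get(key), dict)
        out[key] = merge(out[key], val) if both else val
    return out

def walk(node, path=""):
    """Yield (dotted.path, scalar) for every leaf of the values tree."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from walk(val, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from walk(val, f"{path}[{i}]")
    else:
        yield path, node

def preflight(values):
    """Return a list of findings for the merged values (hypothetical helper)."""
    findings = []
    for path, val in walk(values):
        if isinstance(val, str) and PLACEHOLDER in val:
            findings.append(f"{path}: {PLACEHOLDER} not replaced")
        if val in DOC_SAMPLES:
            findings.append(f"{path}: sample credential from the guide")
    gcp = values.get("googleCloudPlatform", {})
    for comp, default in CERT_DEFAULTS.items():
        ingress = values.get(comp, {}).get("ingress", {})
        if not (ingress.get("enabled") and gcp.get("enableManagedCertificate")):
            continue  # only the GKE managed-certificate setup is checked
        ann = ingress.get("annotations", {})
        want = gcp.get(f"{comp}CertificateName", default)
        if ann.get(CERT_ANNOTATION) != want:
            findings.append(f"{comp}: certificate annotation is not {want}")
        if ann.get("kubernetes.io/ingress.allow-http") != "false":
            findings.append(f"{comp}: plain HTTP is not disabled")
    return findings
```

Fold the parsed files with merge in the same order as the -f flags and run the install only when preflight returns an empty list.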
Try it out
Open the configured URL (https://mlaide.<your-domain>) for MLAide in your browser.
If you have installed MLAide using the built-in Keycloak, you can log in using the pre-configured users:
- User: adam@example.com, Password: adam1
- User: bob@example.com, Password: bob1
If you have used another OpenID Connect provider, use any registered user within the particular provider.
Upgrading the Chart
If you have a running installation of MLAide using Helm, you can update configured parameters using the following command:
helm upgrade my-release mlaide/mlaide
Uninstalling the Chart
To uninstall the release my-release, use the following command:
helm uninstall my-release
Configuration
mlaide
A Helm chart to install ML Aide on Kubernetes
Requirements
Repository | Name | Version |
---|---|---|
https://charts.bitnami.com/bitnami | minio | 11.10.25 |
https://charts.bitnami.com/bitnami | mongodb | 13.1.5 |
https://codecentric.github.io/helm-charts | keycloak | 18.4.0 |
Values
Key | Type | Default | Description |
---|---|---|---|
fullnameOverride | string | "" | String to fully override mlaide.fullname template |
googleCloudPlatform | object | {"enableManagedCertificate":false,"keycloakCertificateName":"mlaide-keycloak-cert","uiCertificateName":"mlaide-ui-cert","webserverCertificateName":"mlaide-webserver-cert"} | Google Cloud Platform specific configuration. Use this only if you are using Google Kubernetes Engine (GKE). |
googleCloudPlatform.enableManagedCertificate | bool | false | Enable automatic TLS certificate management. With this option enabled Google Cloud will automatically create TLS certificates. |
googleCloudPlatform.keycloakCertificateName | string | "mlaide-keycloak-cert" | The name of the managed certificate to be created for the built-in Keycloak. The same name must be listed in keycloak.ingress.annotations."networking.gke.io/managed-certificates". This property is only required if you are using the built-in Keycloak installation. |
googleCloudPlatform.uiCertificateName | string | "mlaide-ui-cert" | The name of the managed certificate to be created for the UI. The same name must be listed in ui.ingress.annotations."networking.gke.io/managed-certificates". |
googleCloudPlatform.webserverCertificateName | string | "mlaide-webserver-cert" | The name of the managed certificate to be created for the webserver. The same name must be listed in webserver.ingress.annotations."networking.gke.io/managed-certificates". |
imagePullSecrets | list | [] | The name of the secret containing docker registry credentials. Secret must exist in the same namespace as the helm release. |
keycloak.enabled | bool | false | Specifies whether this Helm chart should install Keycloak. |
minio.enabled | bool | false | Specifies whether this Helm chart should install MinIO (S3). |
mongodb.enabled | bool | false | Specifies whether this Helm chart should install MongoDB. |
nameOverride | string | "" | String to partially override mlaide.fullname template (will maintain the release name) |
oidc | object | see below | Configures OpenID Connect (OIDC) for MLAide. |
oidc.audience | string | nil | The audience specified in the access token issued by the authorization server. |
oidc.issuer | string | nil | The issuer URL of the authorization server. |
oidc.scope | string | nil | The scopes to request during login. |
oidc.ui.clientId | string | nil | The client ID of MLAide registered on the authorization server. |
oidc.webserver.jwkSetUri | string | nil | The JWKS URI provided by the authorization server. |
oidc.webserver.nicknamePropertyName | string | nil | The property name within the user info JSON containing the nickname/name of the user. |
oidc.webserver.userInfoEndpoint | string | nil | The User Info Endpoint URI provided by the authorization server to retrieve user details. |
ui.affinity | object | {} | Pod affinity. |
ui.autoscaling.enabled | bool | false | Specifies whether autoscaling should be enabled. |
ui.autoscaling.maxReplicas | int | 100 | The maximum number of Pods when autoscaling is enabled. |
ui.autoscaling.minReplicas | int | 1 | The minimum number of Pods when autoscaling is enabled. |
ui.autoscaling.targetCPUUtilizationPercentage | string | nil | The target CPU utilization for the horizontal pod autoscaler. |
ui.autoscaling.targetMemoryUtilizationPercentage | string | nil | The target memory utilization for the horizontal pod autoscaler. |
ui.image.pullPolicy | string | "IfNotPresent" | The pull policy for the MLAide UI image. |
ui.image.repository | string | "mlaide/web-ui" | |
ui.image.tag | string | "latest" | The tag of the MLAide UI image. |
ui.ingress.annotations | object | {} | Ingress annotations. |
ui.ingress.className | string | "" | The name of the Ingress Class associated with the ingress. |
ui.ingress.enabled | bool | false | Specifies whether an ingress should be created. |
ui.ingress.hosts[0].host | string | nil | Host for the ingress rule. |
ui.ingress.hosts[0].paths[0].path | string | "/" | Path for the Ingress rule. |
ui.ingress.hosts[0].paths[0].pathType | string | "ImplementationSpecific" | Path Type for the Ingress rule. |
ui.ingress.tls | list | [] | TLS configuration. |
ui.nodeSelector | object | {} | Node labels for Pod assignment. |
ui.podAnnotations | object | {} | Pod annotations for MLAide UI. |
ui.podSecurityContext | object | {} | Pod security context configuration to be applied for MLAide UI. |
ui.replicaCount | int | 1 | The number of replicas of the UI deployment. |
ui.resources | object | {} | Pod resource requests and limits. |
ui.securityContext | object | {} | Container security context configuration to be applied for MLAide UI. |
ui.service.port | int | 80 | The port for the MLAide UI service. |
ui.service.type | string | "ClusterIP" | The type of service to create for the MLAide UI. |
ui.serviceAccount.annotations | object | {} | Annotations to add to the service account. |
ui.serviceAccount.create | bool | true | Specifies whether a service account should be created. |
ui.serviceAccount.name | string | "ui" | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
ui.tolerations | list | [] | Node taints to tolerate. |
webserver.affinity | object | {} | Pod affinity. |
webserver.autoscaling.enabled | bool | false | Specifies whether autoscaling should be enabled. |
webserver.autoscaling.maxReplicas | int | 100 | The maximum number of Pods when autoscaling is enabled. |
webserver.autoscaling.minReplicas | int | 1 | The minimum number of Pods when autoscaling is enabled. |
webserver.autoscaling.targetCPUUtilizationPercentage | string | nil | The target CPU utilization for the horizontal pod autoscaler. |
webserver.autoscaling.targetMemoryUtilizationPercentage | string | nil | The target memory utilization for the horizontal pod autoscaler. |
webserver.image.pullPolicy | string | "IfNotPresent" | The pull policy for the MLAide webserver image. |
webserver.image.repository | string | "mlaide/webserver" | |
webserver.image.tag | string | "latest" | The tag of the MLAide webserver image. |
webserver.ingress.annotations | object | {} | Ingress annotations. |
webserver.ingress.className | string | "" | The name of the Ingress Class associated with the ingress. |
webserver.ingress.enabled | bool | false | Specifies whether an ingress should be created. |
webserver.ingress.hosts[0].host | string | nil | Host for the ingress rule. |
webserver.ingress.hosts[0].paths[0].path | string | "/" | Path for the Ingress rule. |
webserver.ingress.hosts[0].paths[0].pathType | string | "ImplementationSpecific" | Path Type for the Ingress rule. |
webserver.ingress.tls | list | [] | TLS configuration. |
webserver.loggingLevel | string | "INFO" | The logging level. Must be one of [TRACE, DEBUG, INFO, WARN, ERROR] |
webserver.mongodb.database | string | nil | The MongoDB® database name. |
webserver.mongodb.host | string | nil | The MongoDB® hostname. |
webserver.mongodb.password | string | nil | The MongoDB® password. This will be stored as a Kubernetes secret. |
webserver.mongodb.port | string | nil | The MongoDB® port. |
webserver.mongodb.username | string | nil | The MongoDB® username. This will be stored as a Kubernetes secret. |
webserver.nodeSelector | object | {} | Node labels for Pod assignment. |
webserver.podAnnotations | object | {} | Pod annotations for MLAide webserver. |
webserver.podSecurityContext | object | {} | Pod security context configuration to be applied for MLAide webserver. |
webserver.replicaCount | int | 1 | The number of replicas of the webserver deployment. |
webserver.resources | object | {} | Pod resource requests and limits. |
webserver.s3.accessKey | string | nil | The S3 access key. This will be stored as a Kubernetes secret. |
webserver.s3.host | string | nil | The S3 hostname. |
webserver.s3.port | string | nil | The S3 port. |
webserver.s3.secretKey | string | nil | The S3 secret key. This will be stored as a Kubernetes secret. |
webserver.securityContext | object | {} | Container security context configuration to be applied for MLAide webserver. |
webserver.service.port | int | 80 | The port for the MLAide webserver service. |
webserver.service.type | string | "ClusterIP" | The type of service to create for the MLAide webserver. |
webserver.serviceAccount.annotations | object | {} | Annotations to add to the service account. |
webserver.serviceAccount.create | bool | true | Specifies whether a service account should be created. |
webserver.serviceAccount.name | string | "webserver" | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
webserver.tolerations | list | [] | Node taints to tolerate. |
Autogenerated from chart metadata using helm-docs v1.11.0