search

wandb / helm-charts

Our official helm charts for deploying wandb into k8s
MIT License
18 stars 8 forks source link

feat: Add custom CA support to Launch Agent #74

Closed flamarion closed 8 months ago

flamarion commented 8 months ago

Relevant configuration in values.yaml

customCABundle:
 configMap:
   name:
   key:

Create a configMap with the CA Bundle

kubectl -n wandb create configmap my-custom-ca-bundle --from-file=wandb.local.crt

Configure the values.yaml with the configMap name and key

[...]
customCABundle:
 configMap:
   name: my-custom-ca-bundle
   key: wandb.local.crt

Upgrade the deployment. Here demonstrated the current pod has no CA Bundle configured.

$ kubectl -n wandb get pods
NAME                                         READY   STATUS    RESTARTS   AGE
launch-agent-wandb-launch-69b8c9b96b-82m8m   1/1     Running   0          2m8s

$ kubectl -n wandb exec -ti launch-agent-wandb-launch-69b8c9b96b-82m8m -- env|grep CA

$ helm upgrade --namespace=wandb --install wandb-launch ./launch-agent -f values-test-ca.yaml
Release "wandb-launch" has been upgraded. Happy Helming!
NAME: wandb-launch
LAST DEPLOYED: Fri Feb  2 15:17:03 2024
NAMESPACE: wandb
STATUS: deployed
REVISION: 6
TEST SUITE: None

$ kubectl -n wandb get pods -w
NAME                                         READY   STATUS        RESTARTS   AGE
[...]
launch-agent-wandb-launch-69b8c9b96b-82m8m   0/1     Terminating   0          3m29s
[...]
launch-agent-wandb-launch-5bc7688546-qpzpr   0/1     ContainerCreating   0          0s
[...]

With the new pod created, check if the CA Bundle is configured

$ kubectl -n wandb exec -ti launch-agent-wandb-launch-5bc7688546-qpzpr -- env|grep CA
REQUESTS_CA_BUNDLE=/usr/local/share/ca-certificates/custom-ca.crt

$ kubectl -n wandb exec -ti launch-agent-wandb-launch-5bc7688546-qpzpr -- cat /usr/local/share/ca-certificates/custom-ca.crt
-----BEGIN CERTIFICATE-----
MIIDnzCCAocCFGOeXz1eYRBUa5lWnkKABec6UYcJMA0GCSqGSIb3DQEBCwUAMIGH
MQswCQYDVQQGEwJOTDEQMA4GA1UECAwHVXRyZWNodDETMBEGA1UEBwwKQW1lcnNm
[...]

Remove the configuration from values.yaml and check if the new pod is updated without the CA Bundle

[...]
customCABundle:
 configMap:
   name:
   key:

Upgrade the deployment and check if the CA Bundle configuration is removed

$ helm upgrade --namespace=wandb --install wandb-launch ./launch-agent -f values-test-ca.yaml
Release "wandb-launch" has been upgraded. Happy Helming!
NAME: wandb-launch
LAST DEPLOYED: Fri Feb  2 15:20:05 2024
NAMESPACE: wandb
STATUS: deployed
REVISION: 7
TEST SUITE: None

$ kubectl -n wandb get pods -w
NAME                                         READY   STATUS        RESTARTS   AGE
launch-agent-wandb-launch-5bc7688546-qpzpr   1/1     Terminating   0          2m34s
[...]
launch-agent-wandb-launch-69b8c9b96b-gvbfp   1/1     Running             0          2s

$ kubectl -n wandb exec -ti launch-agent-wandb-launch-69b8c9b96b-gvbfp -- env|grep CA

$ kubectl -n wandb exec -ti launch-agent-wandb-launch-69b8c9b96b-gvbfp -- cat /usr/local/share/ca-certificates/custom-ca.crt
cat: /usr/local/share/ca-certificates/custom-ca.crt: No such file or directory
command terminated with exit code 1