From 6201105d5bcea57acaafe0f85a691673165d0a4a Mon Sep 17 00:00:00 2001 From: Rafal Skolasinski Date: Mon, 12 Jun 2023 10:21:59 +0100 Subject: [PATCH] Add Seldon Deploy v2.1.0 Helm Charts (#37) --- helm-charts/seldon-deploy/Chart.yaml | 4 +- .../clusterrole-seldon-deploy-role.yaml | 20 +++- ...configmap-seldon-deploy-feature-flags.yaml | 2 + .../seldon-deploy/templates/deployment.yaml | 18 ++-- .../templates/request-logger.yaml | 91 ++++++++++++++++++- helm-charts/seldon-deploy/values.yaml | 40 +++++--- 6 files changed, 151 insertions(+), 24 deletions(-) diff --git a/helm-charts/seldon-deploy/Chart.yaml b/helm-charts/seldon-deploy/Chart.yaml index 75298c1..d62d36d 100644 --- a/helm-charts/seldon-deploy/Chart.yaml +++ b/helm-charts/seldon-deploy/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -appVersion: "2.0.2" +appVersion: "2.1.0" description: A Helm chart for Kubernetes name: seldon-deploy -version: 2.0.2 +version: 2.1.0 diff --git a/helm-charts/seldon-deploy/templates/clusterrole-seldon-deploy-role.yaml b/helm-charts/seldon-deploy/templates/clusterrole-seldon-deploy-role.yaml index 22bfc1f..efbd0f8 100644 --- a/helm-charts/seldon-deploy/templates/clusterrole-seldon-deploy-role.yaml +++ b/helm-charts/seldon-deploy/templates/clusterrole-seldon-deploy-role.yaml @@ -168,6 +168,18 @@ rules: - virtualservices/status verbs: - get + - apiGroups: + - security.istio.io + resources: + - authorizationpolicies + verbs: + - create + - delete + - get + - list + - patch + - update + - watch - apiGroups: - v1 resources: @@ -228,5 +240,11 @@ rules: - patch - update - watch + - apiGroups: + - eventing.knative.dev + resources: + - brokers + verbs: + - get {{- end }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/helm-charts/seldon-deploy/templates/configmap-seldon-deploy-feature-flags.yaml b/helm-charts/seldon-deploy/templates/configmap-seldon-deploy-feature-flags.yaml index e82b83f..9cfe29e 100644 
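Review bot: The new `security.istio.io` rule in `clusterrole-seldon-deploy-role.yaml` grants `create`, `delete`, `patch` and `update` on `authorizationpolicies`. Going by the file name this is a ClusterRole, so the Deploy service account could change mesh access policy in every namespace, not only the ones it manages. The rule sits inside `{{- if }}` blocks that open outside the hunk, so the gating condition is not visible here. If write access is only needed where Deploy creates deployments, consider keeping `get`, `list` and `watch` cluster-wide and granting the write verbs through a namespaced Role. Otherwise add a comment above the rule such as `# cluster-wide write on AuthorizationPolicy: required for <feature>; audit changes made by this service account`.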
--- a/helm-charts/seldon-deploy/templates/configmap-seldon-deploy-feature-flags.yaml +++ b/helm-charts/seldon-deploy/templates/configmap-seldon-deploy-feature-flags.yaml @@ -7,6 +7,8 @@ data: flags: |- [ { "ID": "USER_MANAGEMENT_ENABLED", "Value": "true" }, + { "ID": "SELDON_DEPLOYMENTS_ENABLED", "Value": "{{ .Values.seldon.enabled }}" }, + { "ID": "KNATIVE_SERVICES_ENABLED", "Value": "{{ .Values.seldon.knativeEnabled }}" }, { "ID": "SELDON_PIPELINES_ENABLED", "Value": "{{ .Values.seldonCoreV2.enabled }}" } ] {{- end -}} \ No newline at end of file diff --git a/helm-charts/seldon-deploy/templates/deployment.yaml b/helm-charts/seldon-deploy/templates/deployment.yaml index 9d91018..4049e95 100644 --- a/helm-charts/seldon-deploy/templates/deployment.yaml +++ b/helm-charts/seldon-deploy/templates/deployment.yaml @@ -55,6 +55,12 @@ spec: {{- end}} - name: "ENABLE_READ_NAMESPACES" value: "{{ .Values.rbac.readNamespaces }}" + - name: "CORE_V1_CRD_AVAILABLE" + value: "{{ .Values.seldon.enabled }}" + - name: "CORE_V2_CRD_AVAILABLE" + value: "{{ .Values.seldonCoreV2.enabled }}" + - name: "KNATIVE_CRD_AVAILABLE" + value: "{{ .Values.seldon.knativeEnabled }}" - name: "LOADTEST_IMAGE" value: "{{ .Values.loadtest.image }}" - name: "ALIBI_DETECT_SERVER_IMAGE" @@ -70,7 +76,7 @@ spec: - name: "WORKFLOW_SECURITY_CONTEXT_RUN_AS_USER" value: "{{ .Values.workflow.securityContext.runAsUser }}" - name: "WORKFLOW_SECURITY_CONTEXT_FS_GROUP" - value: "{{ .Values.workflow.securityContext.fsGroup }}" + value: "{{ .Values.workflow.securityContext.fsGroup }}" {{- if .Values.gitops.fileFormat }} - name: "GITOPS_FORMAT" value: "{{ .Values.gitops.fileFormat }}" 
@@ -83,6 +89,10 @@ spec: - name: "REQUEST_LOGGER_NAMESPACE" value: "{{ .Values.requestLogger.namespace.name }}" {{- end}} + {{- if .Values.requestLogger.trigger.broker }} + - name: "KNATIVE_BROKER" + value: "{{ .Values.requestLogger.trigger.broker }}" + {{- end}} {{- if and .Values.metadata.pg.secret .Values.metadata.pg.enabled }} - name: "METADATA_PG_ENABLED" value: "true" @@ -181,12 +191,6 @@ spec: - name: "EXTERNAL_PROTOCOL" value: "{{ .Values.external.protocol }}" {{- end }} - - name: "SELDONDEPLOYMENTS" - value: "{{ .Values.seldon.enabled }}" - - name: "SELDONPIPELINES" - value: "{{ .Values.seldonCoreV2.enabled }}" - - name: "KNATIVE" - value: "{{ .Values.seldon.knativeEnabled }}" {{- if .Values.virtualService.create }} - name: "EXTERNAL_PREFIX" value: "{{ .Values.virtualService.prefix }}" diff --git a/helm-charts/seldon-deploy/templates/request-logger.yaml b/helm-charts/seldon-deploy/templates/request-logger.yaml index 1598608..2f3238b 100644 --- a/helm-charts/seldon-deploy/templates/request-logger.yaml +++ b/helm-charts/seldon-deploy/templates/request-logger.yaml @@ -14,7 +14,8 @@ spec: finalizers: - kubernetes --- -{{- end -}} +{{- end }} +{{- if .Values.requestLogger.trigger.create -}} apiVersion: {{ .Values.requestLogger.trigger.apiVersion }} kind: Trigger metadata: @@ -35,6 +36,7 @@ spec: kind: Service name: seldon-request-logger --- +{{- end }} apiVersion: apps/v1 kind: Deployment metadata: 
@@ -112,13 +114,96 @@ spec: - name: DEPLOY_API_HOST value: {{ .Values.requestLogger.deployHost | quote }} {{- end }} -{{- if and .Values.requestLogger.authSecret .Values.metadata.pg.enabled }} +{{- if .Values.requestLogger.kafka_consumer.enabled }} +{{- if or + (eq .Values.requestLogger.kafka_consumer.protocol "SSL") + (eq .Values.requestLogger.kafka_consumer.protocol "SASL_SSL") +}} + - name: METRONOME_SERVER_KAFKA_CONSUMER_SECURITY_PROTOCOL + value: {{ .Values.requestLogger.kafka_consumer.protocol | quote }} +{{- if (eq .Values.requestLogger.kafka_consumer.protocol "SSL") }} + - name: METRONOME_SERVER_KAFKA_CONSUMER_SSL_KEY_LOCATION + value: {{ .Values.requestLogger.kafka_consumer.ssl.client.keyPath | quote }} + - name: METRONOME_SERVER_KAFKA_CONSUMER_SSL_CERTIFICATE_LOCATION + value: {{ .Values.requestLogger.kafka_consumer.ssl.client.crtPath | quote }} +{{- if .Values.requestLogger.kafka_consumer.ssl.client.brokerValidationSecret }} + - name: METRONOME_SERVER_KAFKA_CONSUMER_SSL_CA_LOCATION + value: {{ .Values.requestLogger.kafka_consumer.ssl.client.brokerCaPath | quote }} +{{- else }} + - name: METRONOME_SERVER_KAFKA_CONSUMER_SSL_CA_LOCATION + value: {{ .Values.requestLogger.kafka_consumer.ssl.client.caPath | quote }} +{{- end }} +{{- end }} +{{- if (eq .Values.requestLogger.kafka_consumer.protocol "SASL_SSL") }} + - name: METRONOME_SERVER_KAFKA_CONSUMER_SASL_MECHANISM + value: {{ .Values.requestLogger.kafka_consumer.sasl.mechanism | quote }} + - name: METRONOME_SERVER_KAFKA_CONSUMER_SASL_USERNAME + value: {{ .Values.requestLogger.kafka_consumer.sasl.client.username | quote }} +{{- if .Values.requestLogger.kafka_consumer.sasl.client.secret }} + - name: METRONOME_SERVER_KAFKA_CONSUMER_SASL_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.requestLogger.kafka_consumer.sasl.client.secret | quote}} + key: {{ base .Values.requestLogger.kafka_consumer.sasl.client.passwordPath | quote}} +{{- end }} +{{- if 
.Values.requestLogger.kafka_consumer.ssl.client.brokerValidationSecret }} + - name: METRONOME_SERVER_KAFKA_CONSUMER_SSL_CA_LOCATION + value: {{ .Values.requestLogger.kafka_consumer.ssl.client.brokerCaPath | quote }} +{{- else if .Values.requestLogger.kafka_consumer.ssl.client.secret }} + - name: METRONOME_SERVER_KAFKA_CONSUMER_SSL_CA_LOCATION + value: {{ .Values.requestLogger.kafka_consumer.ssl.client.caPath | quote }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} envFrom: +{{- if and .Values.requestLogger.authSecret .Values.metadata.pg.enabled }} - secretRef: name: {{ .Values.requestLogger.authSecret }} {{- end }} resources: {{ toYaml .Values.requestLogger.resources | indent 12 }} +{{- if .Values.requestLogger.kafka_consumer.enabled }} + volumeMounts: +{{- if eq .Values.requestLogger.kafka_consumer.protocol "SSL" }} +{{- if .Values.requestLogger.kafka_consumer.ssl.client.secret }} + - name: kafka-ssl-client-certs + mountPath: {{ .Values.requestLogger.kafka_consumer.ssl.client.keyPath }} + readOnly: true + subPath: {{ base .Values.requestLogger.kafka_consumer.ssl.client.keyPath }} + - name: kafka-ssl-client-certs + mountPath: {{ .Values.requestLogger.kafka_consumer.ssl.client.crtPath }} + readOnly: true + subPath: {{ base .Values.requestLogger.kafka_consumer.ssl.client.crtPath }} + - name: kafka-ssl-client-certs + mountPath: {{ .Values.requestLogger.kafka_consumer.ssl.client.caPath }} + readOnly: true + subPath: {{ base .Values.requestLogger.kafka_consumer.ssl.client.caPath }} +{{- end }} +{{- end }} +{{- if or + (eq .Values.requestLogger.kafka_consumer.protocol "SSL") + (eq .Values.requestLogger.kafka_consumer.protocol "SASL_SSL") +}} +{{- if .Values.requestLogger.kafka_consumer.ssl.client.brokerValidationSecret }} + - name: kafka-ssl-broker-certs + mountPath: {{ .Values.requestLogger.kafka_consumer.ssl.client.brokerCaPath }} + readOnly: true + subPath: {{ base .Values.requestLogger.kafka_consumer.ssl.client.brokerCaPath }} +{{- end }} +{{- end }} + volumes: 
+{{- if .Values.requestLogger.kafka_consumer.ssl.client.secret }} + - name: kafka-ssl-client-certs + secret: + secretName: {{ .Values.requestLogger.kafka_consumer.ssl.client.secret }} +{{- end }} +{{- if .Values.requestLogger.kafka_consumer.ssl.client.brokerValidationSecret }} + - name: kafka-ssl-broker-certs + secret: + secretName: {{ .Values.requestLogger.kafka_consumer.ssl.client.brokerValidationSecret }} +{{- end }} +{{- end }} --- apiVersion: v1 kind: Service @@ -137,4 +222,4 @@ spec: - protocol: TCP port: 80 targetPort: 8080 -{{- end -}} \ No newline at end of file +{{- end -}} diff --git a/helm-charts/seldon-deploy/values.yaml b/helm-charts/seldon-deploy/values.yaml index d30112d..f58010f 100644 --- a/helm-charts/seldon-deploy/values.yaml +++ b/helm-charts/seldon-deploy/values.yaml @@ -50,7 +50,7 @@ env: # RESOURCE_URI: "" # resource at which access is requested # APP_ANALYTICS_TOKEN: "" # if enableAppAnalytics enabled use token SELDON_MANAGED_INFRA: "false" - ALERTMANAGER_URL: "http://seldon-monitoring-alertmanager.seldon-system:9093/api/v1/alerts" + ALERTMANAGER_URL: "http://seldon-monitoring-alertmanager.seldon-monitoring:9093/api/v1/alerts" # Cache duration for listing visible namespaces to Deploy. Higher values improve performance on common operations # around listing deployments, but reduce responsiveness to adding new namespaces. Set the value to "0" to disable @@ -97,7 +97,7 @@ gitops: skipVerifyGit: true webhook: service: - create: true + create: false loadBalancerSourceRanges: {} fileFormat: "json" argocd: 
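Review bot: With `protocol: SASL_SSL`, `ssl.client.secret` set and no `brokerValidationSecret`, the env block sets `METRONOME_SERVER_KAFKA_CONSUMER_SSL_CA_LOCATION` to `caPath`, but that file is never mounted. The `kafka-ssl-client-certs` mounts in `volumeMounts` are guarded by `eq .Values.requestLogger.kafka_consumer.protocol "SSL"`, so the CA path points at nothing in the container and broker certificate validation cannot use the intended CA. The `caPath` mount should move out of the SSL-only guard into the following `or` block, as an `{{- else if .Values.requestLogger.kafka_consumer.ssl.client.secret }}` branch after the `brokerValidationSecret` mount. Separately, in the `SSL` branch the key, certificate and CA locations are emitted even when `ssl.client.secret` is empty. A `required` check on the secret, or the same `if` guard the mounts use, would fail at render time instead of at connection time.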
@@ -112,18 +112,18 @@ workflow: batchjobs: processor: - image: seldonio/seldon-core-s2i-python37:1.15.0 + image: seldonio/seldon-core-s2i-python37:1.16.0 processorV2: - image: seldonio/mlserver:1.2.0.dev13-slim + image: seldonio/mlserver:1.3.1-slim storageInitializer: - image: seldonio/rclone-storage-initializer:1.15.0 + image: seldonio/rclone-storage-initializer:1.16.0 pvc: defaultSize: 1Gi seldon: protocol: "http" - enabled: true - knativeEnabled: true + enabled: false + knativeEnabled: false #Below are templates that can be changed to adjust how requests are made and what curl option is shown to user. #Change ip to hostname on AWS. Or put real cluster IP after install. Shown to user for calls outside cluster. curlForm: | @@ -144,7 +144,7 @@ seldon: seldonCoreV2: protocol: "http" - enabled: true + enabled: false curlForm: | CLUSTER_IP=$(kubectl -n {{ .IngressNamespace }} get service {{ .IngressServiceName }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
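Review bot: The bumped defaults under `batchjobs` (`seldonio/seldon-core-s2i-python37:1.16.0`, `seldonio/mlserver:1.3.1-slim`, `seldonio/rclone-storage-initializer:1.16.0`) are referenced by mutable tag only, so the content that runs can change without a chart change. The same applies to `requestLogger.image` in the later `values.yaml` hunk. If the consumers of these values accept it, pin a digest alongside the tag, e.g. `image: seldonio/mlserver:1.3.1-slim@sha256:<digest-placeholder>`. Otherwise add a comment telling operators to override these with digests from their own registry.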
curl -v {{ .SeldonProtocol }}://$CLUSTER_IP/v2/models/{{ .ModelName }}/infer -H "Content-Type: application/json" -H "seldon-model: {{ .ModelName }}.pipeline" -d '{{ .Payload }}' @@ -174,7 +174,7 @@ rbac: #for single namespace mode with just namespaced roles, turn off cluserWide and turn off readNamespaces readNamespaces: true nsLabelsAuth: - enabled: true + enabled: false opa: enabled: false configMap: seldon-deploy-policies @@ -196,7 +196,7 @@ skipVerifyHttpCalls: true prometheus: seldon: - url: "http://seldon-monitoring-prometheus.seldon-system:9090/api/v1/" + url: "http://seldon-monitoring-prometheus.seldon-monitoring:9090/api/v1/" # resource metrics may come from different prometheus than req metrics - set only if different # resourceMetricsUrl: "" # see https://github.com/openshift/cluster-monitoring-operator/issues/768 @@ -226,7 +226,7 @@ elasticsearch: #detectors are created in the namespace requestLogger.namespace.name so rbac is created there requestLogger: create: true - image: seldonio/metronome:1.4.1 + image: seldonio/metronome:1.5.1 #increase logger replicas if there are high traffic volumes replicas: 1 imagePullPolicy: IfNotPresent @@ -247,12 +247,30 @@ requestLogger: group_id: metronome auto_offset_reset: earliest + protocol: PLAINTEXT + sasl: + mechanism: SCRAM-SHA-512 + client: + username: seldon + secret: + passwordPath: /tmp/sasl/kafka/client/password + ssl: + client: + secret: + keyPath: /tmp/certs/kafka/client/tls.key + crtPath: /tmp/certs/kafka/client/tls.crt + caPath: /tmp/certs/kafka/client/ca.crt + brokerValidationSecret: + brokerCaPath: /tmp/certs/kafka/broker/ca.crt + endpointIdentificationAlgorithm: + # env: # MAX_PAYLOAD_BYTES: "300000" deployHost: "http://seldon-deploy.seldon-system/seldon-deploy/api/v1alpha1" authSecret: "" trigger: apiVersion: "eventing.knative.dev/v1" + create: true broker: "default" resources: limits:
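Review bot: The `rbac` hunk flips `nsLabelsAuth.enabled` to `false` while the context line below it still has `opa.enabled: false`, so the default values now enable neither authorization mechanism shown in this block. What Deploy falls back to in that case is not visible from the hunk. An upgrade that relies on defaults would silently drop namespace-label authorization, so the change should be documented next to the key, for example `# disabled by default since 2.1.0; enable nsLabelsAuth or opa to restrict namespace access per user`. If running with both off is not a supported configuration, a template-time `fail` would catch it at render time.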
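Review bot: `ssl.client.endpointIdentificationAlgorithm` is added under `requestLogger.kafka_consumer`, but no template in this patch reads it. Setting it therefore has no effect on broker hostname verification for the request logger; either wire it into `request-logger.yaml` or drop the key. The bare `secret:`, `brokerValidationSecret:` and `endpointIdentificationAlgorithm:` values parse as null; writing them as `secret: ""` matches the existing `authSecret: ""` and keeps the `if` guards in the template unambiguous. The default `protocol: PLAINTEXT` also deserves a short comment listing the values the template handles, e.g. `# PLAINTEXT (no TLS), SSL or SASL_SSL`.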