From d573b2221411f27ea03f001c5d93f8c4f59b45fa Mon Sep 17 00:00:00 2001 
From: Jonathan Innis Date: Thu, 6 Jan 2022 17:50:34 -0800 Subject: [PATCH] [k8s-extension] Release v1.0.4 with SSL secret support for AzureML (#4286) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Create pull.yml * Update pull.yml * Update azure-pipelines.yml * Initial commit of k8s-extension * Update pipelines file * Update CODEOWNERS * Update private preview pipelines * Remove open service mesh from public release * Update pipeline files * Update public extension pipeline * Change condition variable * Add version to public preview/private preview * Update pipelines * Add different testing based on private branch * Add annotations to extension model * Update k8s-custom-pipelines.yml * Update SDKs with Updated Swagger Spec for 2020-07-01-preview (#13) * Update sdks with updated swagger spec * Update version and history rst * Reorder release history timeline * Fix ExtensionInstanceForCreate for import * remove py2 bdist support * Add custom table formatting * Remove unnecessary files * Fix style issues * Fix branch based on comments * Update identity piece manually * Don't handle defaults at the CLI level * Remove defaults from CLI client * Check null target namespace with namespace scope * Update style * Add cassandra operator and location to model * Stage Public Version of k8s-extension 0.2.0 for official release (#15) * Create pull.yml * Update pull.yml * Update azure-pipelines.yml * Initial commit of k8s-extension * Update pipelines file * Update CODEOWNERS * Update private preview pipelines * Remove open service mesh from public release * Update pipeline files * Update public extension pipeline * Change condition variable * Add version to public preview/private preview * Update pipelines * Add different testing based on private branch * Add annotations to extension model * Update k8s-custom-pipelines.yml * Update SDKs with Updated Swagger Spec for 2020-07-01-preview (#13) * Update sdks with updated swagger spec * 
Update version and history rst * Reorder release history timeline * Fix ExtensionInstanceForCreate for import * remove py2 bdist support * Add custom table formatting * Remove unnecessary files * Fix style issues * Fix branch based on comments * Update identity piece manually * Don't handle defaults at the CLI level * Remove defaults from CLI client * Check null target namespace with namespace scope * Update style * Add cassandra operator and location to model Co-authored-by: action@github.com * Remove custom pipelines file * Update extension description, remove private const * Update pipeline file * Disable refs docs * Update to include better create warning logs and remove update context (#20) * Update to include better create warning logs and remove update context * Remove help text for update * Fix spelling error * Update message * Fix k8s-extension conflict with private version * Fix style errors * Fix filename * add customization for microsoft.azureml.kubernetes (#23) * add customization for microsoft.azureml.kubernetes * Update release history Co-authored-by: Yue Yu Co-authored-by: jonathan-innis * Add E2E Testing from Separate branch into internal code (#26) * Add internal e2e testing * Change to testing folder * Inference CLI validation for Scoring FE (#24) * cli validation starter * added the call to the fe validation function * nodeport validation not required * test fix Co-authored-by: Jonathan Innis * legal warning added (#27) * Remove deprecated method logger.warn * Update k8s-custom-pipelines.yml for Azure Pipelines * Update k8s-custom-pipelines.yml for Azure Pipelines * Add Azure Defender to E2E testing (#28) * Add azure defender testing to e2e * Remove the debug flag * Add configuration testing * Fix pipeline failures * Make test script more intuitive * Remove parameter from testing * Fix wrong location for k8s config whl * Fix pip upgrade issue * Fix pip install upgrade issue * Fix pip install issue * delete resurce in testcase (#29) 
Co-authored-by: Yue Yu Co-authored-by: Jonathan Innis * Check Provider is Registered with Subscription Before Making Requests (#18) * Add check for KubernetesConfiguration * Disable pylint and rename * Update provider registration link * Update version * Remove extra blank line * Fix bug in import * only validate scoring fe when inference is enabled (#31) * only validate scoring fe when inference is enabled * Fix versioning Co-authored-by: Yue Yu Co-authored-by: jonathan-innis * Provider registration case insensitive * do not validate against scoring fe if inference is not enabled. (#33) * do not validate against scoring fe if inference is not enabled. * add inference enabled scenario * refine * increase sleeping time * fix Co-authored-by: Yue Yu Co-authored-by: Jonathan Innis * Add OSM as Public Preview Extension (#34) * Add OSM as public preview extension * Add osm testing * Add release train to tests * Fix failing osm test * Upgrade pip in integration testing * Remove ununsed import * Fix release train check in update * Parallelize E2E Testing (#36) * Add OSM as public preview extension * Add osm testing * Update test logic to parallelize * Fix test success checking * Parallelize extension testing * Better error checking logic * Fix azureml deletion * Fix private build (#40) * change amlk8s to amlarc (#42) Co-authored-by: Yue Yu * Servicebus client model changes (#44) * Servicebus client model changes * Fix testing script * Update history file and pipeline * Update min cli core version for track 2 updates * Read SSL cert and key from files (#38) * first sketch of the change fixes removed extra blank lines changes regarding param renaming added ssl tests added more detail to the unit test additional import moved pem files out of public folder fixed import chenged import changed import unit tests fix unit test fix fixed unit tests fixed unit test unit test fix changes int test cert and key * test protected config * fix test typo * temporary changes reverted * 
fixing tests * fixed file paths * removed accidentally added file * changes according to review comments * more changes according to review comments * changes according to review comments Co-authored-by: Jonathan Innis * Upgrade release version * Liakaz/inference read ssl from file (#47) * first sketch of the change fixes removed extra blank lines changes regarding param renaming added ssl tests added more detail to the unit test additional import moved pem files out of public folder fixed import chenged import changed import unit tests fix unit test fix fixed unit tests fixed unit test unit test fix changes int test cert and key * test protected config * fix test typo * temporary changes reverted * fixing tests * fixed file paths * removed accidentally added file * changes according to review comments * more changes according to review comments * changes according to review comments * fixed decode error * renamed the experimental param Co-authored-by: Jonathan Innis * Fix style issues (#51) * Fixed scoring fe related extension param names (#49) * fixed scoring fe related extension params * bug fix and style fixes * variable rename * fixed the error type * set cluster to prod by default * Add distro validation for osm-arc (#50) * Add distro validation for osm-arc * fixed indentation * Fix linting * Resolve comments * Add unit test * fix lint Co-authored-by: Jonathan Innis * Add distro validation for osm-arc (#50) * Add distro validation for osm-arc * fixed indentation * Fix linting * Resolve comments * Add unit test * fix lint Co-authored-by: Jonathan Innis * Add distro validation for osm-arc (#53) removed release-train logic * Add Custom Delete Logic for Partners (#54) * Add custom delete logic * Fix failing unit tests * Add warning message when deleting amlarc extension (#55) * add warning message * fix indentation * Update release version * Remove Pyhelm from OSM customization (#58) * Fix OSM pyhelm bug * Debug bootstrap error * Update release message * Remove 
pyhelm dependency * Update tests to only check extensionconfig creation (#61) * Update tests to only check extensionconfig creation * Single set of CRUD for AzureML * Debug logs for connectedk8s * Increase open service mesh version number * Update k8s-extension Models to Track2 (#64) * Update k8s-extension models to track2 * Add debug for failed cleanup * Increase version number * Exit 0 on failed cleanup * Fix identity in wrong place in model (#66) * Readd osm-arc distro validation (#62) * Add distro validation for osm-arc removed release-train logic * Readd osm_arc distro validation * Fix style * Rm space * Edit test * Fixed tests and error logic * Remove dependency * Add delete method Co-authored-by: Jonathan Innis * Don't Send Identity Headers If In DF (#67) * Don't send identity for clusters in dogfood * Add location to model for identity * Add identity validation to testing * Use default extension with identity instead of Cassandra specific (#69) * Remove the identity check for now * Add -t for clusterType parameter (#71) * Adding a flag for AKS to AMLARC migration and set up corresponding FE… (#65) * Adding a flag for AKS to AMLARC migration and set up corresponding FE helm values * Remove one extra line * Adding Scoring FE IS_AKS_MIGRATION check logic for helm values Co-authored-by: Harry Yang Co-authored-by: Jonathan Innis * remove version requirement and auto upgrade minor version check (#72) * Custom User Confirmation for Partners (#70) * Custom user confirmation * Check for disable confirm prompty for confirmation * Add yes to delete command * Code cleanup and style fixes (#73) * Enabled identity by default (#74) * Increase version * Fix df check and add unit test (#77) * Bump extension version * Pin helm version * Extensions GA changes into Public Branch (#79) * Add openservicemesh back * OpenServiceMesh import * Update osm with new extension model * Add back private file * Add Azure ML to list of private extensions (#16) * Update 
k8s-custom-pipelines.yml * Add Microsoft.PolicyInsights extension (#17) * Add Policy extension * Update comment * Update args * Fix linting errors Co-authored-by: Jonathan Innis * Add HISTORY_private file for private preview * Change versioning scheme * Update the code for supporting both extensions at once * Fix style issue * Remove old consts file * change the resource tag from managed_by:amlk8s to created_by:amlk8s-e… (#22) * change the resource tag from managed_by:amlk8s to created_by:amlk8s-extension * remove the lock when creating resources * fix lint * update version and HISTORY_private.rst * change error message Co-authored-by: Yue Yu * Update the beta version with upstream * Update the private history file * Add upgrade pip to pipeline * Move pip install within virtualenv * Merge in k8s-extension/public (0.3.1) (#32) * delete resurce in testcase (#29) Co-authored-by: Yue Yu Co-authored-by: Jonathan Innis * Check Provider is Registered with Subscription Before Making Requests (#18) * Add check for KubernetesConfiguration * Disable pylint and rename * Update provider registration link * Update version * Remove extra blank line * Fix bug in import * only validate scoring fe when inference is enabled (#31) * only validate scoring fe when inference is enabled * Fix versioning Co-authored-by: Yue Yu Co-authored-by: jonathan-innis * Update private release Co-authored-by: yuyue9284 <15863499+yuyue9284@users.noreply.github.com> Co-authored-by: Yue Yu * Release Version 0.4.0-b1 (#37) * Merge k8s-extension/public into k8s-extension/private * Update the version * Fix testing concurrency * K8s extension/private 0.4.0b2 (#41) * Fix private build (#40) * Update version * Upgrade to v0.5.2 * Fix policy bug * Increase private version * Update consts_private.py * Increase private version * Increase version with public * Add flux to private version * Update models for 2021-05-01-preview * Add async models to version * Add no wait to delete and create * support managed 
cluster * Bump version * Pin helm version * Add cmd to delete call * Add force deletion * add dapr extension (#78) 
Signed-off-by: Ji An Liu * Fix failing integration tests * Adding the GA changes for private branch * Fix confirm prompt * Fix update E2E tests Co-authored-by: jonathan-innis Co-authored-by: action@github.com Co-authored-by: nreisch Co-authored-by: yuyue9284 <15863499+yuyue9284@users.noreply.github.com> Co-authored-by: Yue Yu Co-authored-by: anagg929 <59664801+anagg929@users.noreply.github.com> Co-authored-by: Ji'an Liu Co-authored-by: nanthi * Fix configuration settings in update * Only provide confirmation when specifying settings * Fix style issues * Cassandra tests with update (#81) * Add Microsoft.PolicyInsights extension for public preview (#83) * Add Azure Policy * Remove custom configuration and update tests * Yuyu3/fix upgrade public (#85) * populate configuration protected settings for azureml bump version && add log fetch connection string only if configuration protected settings are set update ssl key * bump the version * reverse changes on version and HISTORY.rst * inferenceLoadBalancerHA Co-authored-by: Yue Yu * Remove Parallel Powershell Jobs (#82) * Unparallelize tests * Moved location of pipeline file * Remove the parallel invoke expression calls * Add templates to testing * Remove policy update test from extension E2E (#88) * feIsNodePort, feIsInternalLoadBalancer (#87) Co-authored-by: Yue Yu Co-authored-by: Jonathan Innis * Fix history file * Add one more prompt for amlarc extension update (#94) * Add one more prompt for amlarc extension update * fix pylint issue * fix pylint issue * fix pylint issue * fix pylint issue Co-authored-by: Youhua Tu Co-authored-by: Youhua Tu * Update Identity Creation for Appliance to Latest Version (#95) * Update appliance API to latest version for identity * Create a utils file with get parent_api_version * Fix style errors * Bump version * Remove additional entry from history * Do not create identity with appliances (#97) * Bump version * support sslSecret (#99) * support sslSecret * fix * fix error message 
Co-authored-by: Jun Min * Bump version to 1.0.4 * Remove unneeded files Co-authored-by: action@github.com Co-authored-by: yuyue9284 <15863499+yuyue9284@users.noreply.github.com> Co-authored-by: Yue Yu Co-authored-by: Lia Kazakova <58274127+liakaz@users.noreply.github.com> Co-authored-by: Niranjan Shankar Co-authored-by: jingyizhu99 <83610845+jingyizhu99@users.noreply.github.com> Co-authored-by: Harry Yang Co-authored-by: Harry Yang Co-authored-by: Thomas Stringer Co-authored-by: NarayanThiru Co-authored-by: nreisch Co-authored-by: anagg929 <59664801+anagg929@users.noreply.github.com> Co-authored-by: Ji'an Liu Co-authored-by: nanthi Co-authored-by: youhuatuyh <87928654+youhuatuyh@users.noreply.github.com> Co-authored-by: Youhua Tu Co-authored-by: Youhua Tu Co-authored-by: Jun Co-authored-by: Jun Min --- src/k8s-extension/HISTORY.rst | 4 ++ .../partner_extensions/AzureMLKubernetes.py | 49 ++++++++++++------- src/k8s-extension/setup.py | 2 +- 3 files changed, 37 insertions(+), 18 deletions(-) diff --git a/src/k8s-extension/HISTORY.rst b/src/k8s-extension/HISTORY.rst index b4a73e6015b..243dd8f7307 100644 --- a/src/k8s-extension/HISTORY.rst +++ b/src/k8s-extension/HISTORY.rst @@ -3,6 +3,10 @@ Release History =============== +1.0.4 +++++++++++++++++++ +* microsoft.azureml.kubernetes: Support SSL secret + 1.0.3 ++++++++++++++++++ * Remove identity creation for calls to Microsoft.ResourceConnector diff --git a/src/k8s-extension/azext_k8s_extension/partner_extensions/AzureMLKubernetes.py b/src/k8s-extension/azext_k8s_extension/partner_extensions/AzureMLKubernetes.py index d9c5f5e31f0..3414cf9d803 100644 --- a/src/k8s-extension/azext_k8s_extension/partner_extensions/AzureMLKubernetes.py +++ b/src/k8s-extension/azext_k8s_extension/partner_extensions/AzureMLKubernetes.py 
@@ -81,6 +81,7 @@ def __init__(self): self.privateEndpointILB = 'privateEndpointILB' self.privateEndpointNodeport = 'privateEndpointNodeport' self.inferenceLoadBalancerHA = 'inferenceLoadBalancerHA' + self.SSL_SECRET = 'sslSecret' # constants for existing AKS to AMLARC migration self.IS_AKS_MIGRATION = 'isAKSMigration' @@ -108,7 +109,7 @@ def Create(self, cmd, client, resource_group_name, cluster_name, name, cluster_t ext_scope = Scope(cluster=scope_cluster, namespace=None) # validate the config - self.__validate_config(configuration_settings, configuration_protected_settings) + self.__validate_config(configuration_settings, configuration_protected_settings, release_namespace) # get the arc's location subscription_id = get_subscription_id(cmd.cli_ctx) @@ -285,7 +286,7 @@ def Update(self, cmd, resource_group_name, cluster_name, auto_upgrade_minor_vers if self.sslKeyPemFile in configuration_protected_settings and \ self.sslCertPemFile in configuration_protected_settings: logger.info(f"Both {self.sslKeyPemFile} and {self.sslCertPemFile} are set, update ssl key.") - self.__set_inference_ssl_from_file(configuration_protected_settings) + self.__set_inference_ssl_from_file(configuration_protected_settings, self.sslCertPemFile, self.sslKeyPemFile) return PatchExtension(auto_upgrade_minor_version=auto_upgrade_minor_version, release_train=release_train, @@ -318,7 +319,7 @@ def __normalize_config(self, configuration_settings, configuration_protected_set logger.warning( 'Internal load balancer only supported on AKS and AKS Engine Clusters.') - def __validate_config(self, configuration_settings, configuration_protected_settings): + def __validate_config(self, configuration_settings, configuration_protected_settings, release_namespace): # perform basic validation of the input config config_keys = configuration_settings.keys() config_protected_keys = configuration_protected_settings.keys() 
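Review bot: In the `Update` hunk (`@@ -285,7 +286,7 @@`) the call `self.__set_inference_ssl_from_file(configuration_protected_settings, self.sslCertPemFile, self.sslKeyPemFile)` passes the configuration key names, not file paths: the refactored helper now does `open(fe_ssl_cert_file)` directly, and the guard just above shows `self.sslCertPemFile`/`self.sslKeyPemFile` are dict keys, so the update path will try to open a file literally named after the key. The values must be looked up first, e.g. `self.__set_inference_ssl_from_file(configuration_protected_settings, configuration_protected_settings[self.sslCertPemFile], configuration_protected_settings[self.sslKeyPemFile])`. Separately, the update path only handles the file pair; as far as this hunk shows, an `sslSecret` supplied on update is never written to `scoringFe.sslSecret`, so mirroring the new secret branch from `__set_up_inference_ssl` here seems warranted. Both `Update` and `__init__` start and end outside their hunks.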
@@ -339,12 +340,12 @@ def __validate_config(self, configuration_settings, configuration_protected_sett if enable_inference: logger.warning("The installed AzureML extension for AML inference is experimental and not covered by customer support. Please use with discretion.") - self.__validate_scoring_fe_settings(configuration_settings, configuration_protected_settings) + self.__validate_scoring_fe_settings(configuration_settings, configuration_protected_settings, release_namespace) self.__set_up_inference_ssl(configuration_settings, configuration_protected_settings) elif not (enable_training or enable_inference): raise InvalidArgumentValueError( - "Please create Microsoft.AzureML.Kubernetes extension, either " - "for Machine Learning training or inference by specifying " + "To create Microsoft.AzureML.Kubernetes extension, either " + "enable Machine Learning training or inference by specifying " f"'--configuration-settings {self.ENABLE_TRAINING}=true' or '--configuration-settings {self.ENABLE_INFERENCE}=true'") configuration_settings[self.ENABLE_TRAINING] = configuration_settings.get(self.ENABLE_TRAINING, enable_training) @@ -353,7 +354,7 @@ def __validate_config(self, configuration_settings, configuration_protected_sett configuration_protected_settings.pop(self.ENABLE_TRAINING, None) configuration_protected_settings.pop(self.ENABLE_INFERENCE, None) - def __validate_scoring_fe_settings(self, configuration_settings, configuration_protected_settings): + def __validate_scoring_fe_settings(self, configuration_settings, configuration_protected_settings, release_namespace): isTestCluster = _get_value_from_config_protected_config( self.inferenceLoadBalancerHA, configuration_settings, configuration_protected_settings) isTestCluster = str(isTestCluster).lower() == 'false' 
@@ -367,16 +368,20 @@ def __validate_scoring_fe_settings(self, configuration_settings, configuration_p if isAKSMigration: configuration_settings['scoringFe.namespace'] = "default" configuration_settings[self.IS_AKS_MIGRATION] = "true" + sslSecret = _get_value_from_config_protected_config( + self.SSL_SECRET, configuration_settings, configuration_protected_settings) feSslCertFile = configuration_protected_settings.get(self.sslCertPemFile) feSslKeyFile = configuration_protected_settings.get(self.sslKeyPemFile) allowInsecureConnections = _get_value_from_config_protected_config( self.allowInsecureConnections, configuration_settings, configuration_protected_settings) allowInsecureConnections = str(allowInsecureConnections).lower() == 'true' - if (not feSslCertFile or not feSslKeyFile) and not allowInsecureConnections: + sslEnabled = (feSslCertFile and feSslKeyFile) or sslSecret + if not sslEnabled and not allowInsecureConnections: raise InvalidArgumentValueError( - "Provide ssl certificate and key. " - "Otherwise explicitly allow insecure connection by specifying " - "'--configuration-settings allowInsecureConnections=true'") + "To enable HTTPs endpoint, " + "either provide sslCertPemFile and sslKeyPemFile to config protected settings, " + f"or provide sslSecret (kubernetes secret name) containing both ssl cert and ssl key under {release_namespace} namespace. " + "Otherwise, to enable HTTP endpoint, explicitly set allowInsecureConnections=true.") feIsNodePort = _get_value_from_config_protected_config( self.privateEndpointNodeport, configuration_settings, configuration_protected_settings) 
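Review bot: The new `sslEnabled = (feSslCertFile and feSslKeyFile) or sslSecret` check accepts a configuration where only one of `sslCertPemFile`/`sslKeyPemFile` is set alongside `sslSecret`; the lone file setting is then silently ignored downstream, which is easy to misread as the file having been used. A warning would make that visible, e.g. `if bool(feSslCertFile) != bool(feSslKeyFile): logger.warning("Only one of %s/%s is set; both are required for file-based SSL, falling back to %s.", self.sslCertPemFile, self.sslKeyPemFile, self.SSL_SECRET)`. The new error text also spells the protocol as `HTTPs`; `"To enable HTTPS endpoint, "` is the usual form. Note that a secret name can only be validated for presence here, not for existence in the cluster, so the message should be read as stating the requirement rather than something the CLI verifies. `__validate_scoring_fe_settings` continues outside this hunk.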
@@ -395,16 +400,17 @@ def __validate_scoring_fe_settings(self, configuration_settings, configuration_p logger.warning( 'Internal load balancer only supported on AKS and AKS Engine Clusters.') - def __set_inference_ssl_from_file(self, configuration_protected_settings): + def __set_inference_ssl_from_secret(self, configuration_settings, fe_ssl_secret): + configuration_settings['scoringFe.sslSecret'] = fe_ssl_secret + + def __set_inference_ssl_from_file(self, configuration_protected_settings, fe_ssl_cert_file, fe_ssl_key_file): import base64 - feSslCertFile = configuration_protected_settings.get(self.sslCertPemFile) - feSslKeyFile = configuration_protected_settings.get(self.sslKeyPemFile) - with open(feSslCertFile) as f: + with open(fe_ssl_cert_file) as f: cert_data = f.read() cert_data_bytes = cert_data.encode("ascii") ssl_cert = base64.b64encode(cert_data_bytes).decode() configuration_protected_settings['scoringFe.sslCert'] = ssl_cert - with open(feSslKeyFile) as f: + with open(fe_ssl_key_file) as f: key_data = f.read() key_data_bytes = key_data.encode("ascii") ssl_key = base64.b64encode(key_data_bytes).decode() 
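Review bot: Neither new helper signature carries a docstring, and the contract difference matters: `__set_inference_ssl_from_secret` writes the secret *name* into the unprotected `configuration_settings`, while `__set_inference_ssl_from_file` writes base64 PEM *contents* into `configuration_protected_settings`. I would add `"""Reference an existing Kubernetes secret holding the TLS cert and key; only the name is stored, in unprotected settings."""` to the first and `"""Read PEM cert/key files and store them base64-encoded in the protected settings."""` to the second. The touched `with open(fe_ssl_cert_file) as f:` line (and its key-file twin) still reads in text mode and then `.encode("ascii")`, so a PEM file with non-ASCII header text raises `UnicodeEncodeError`; this is pre-existing, but since the lines are being rewritten anyway, `with open(fe_ssl_cert_file, "rb") as f:` followed by `ssl_cert = base64.b64encode(f.read()).decode()` avoids both the locale-dependent decode and the re-encode. `__set_inference_ssl_from_file` continues outside this hunk.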
@@ -415,7 +421,16 @@ def __set_up_inference_ssl(self, configuration_settings, configuration_protected self.allowInsecureConnections, configuration_settings, configuration_protected_settings) allowInsecureConnections = str(allowInsecureConnections).lower() == 'true' if not allowInsecureConnections: - self.__set_inference_ssl_from_file(configuration_protected_settings) + fe_ssl_secret = _get_value_from_config_protected_config( + self.SSL_SECRET, configuration_settings, configuration_protected_settings) + fe_ssl_cert_file = configuration_protected_settings.get(self.sslCertPemFile) + fe_ssl_key_file = configuration_protected_settings.get(self.sslKeyPemFile) + + # always take ssl key/cert first, then secret if key/cert file is not provided + if fe_ssl_cert_file and fe_ssl_key_file: + self.__set_inference_ssl_from_file(configuration_protected_settings, fe_ssl_cert_file, fe_ssl_key_file) + else: + self.__set_inference_ssl_from_secret(configuration_settings, fe_ssl_secret) else: logger.warning( 'SSL is not enabled. Allowing insecure connections to the deployed services.') diff --git a/src/k8s-extension/setup.py b/src/k8s-extension/setup.py index c846f00ce76..177316aaf15 100644 --- a/src/k8s-extension/setup.py +++ b/src/k8s-extension/setup.py @@ -33,7 +33,7 @@ # TODO: Add any additional SDK dependencies here DEPENDENCIES = [] -VERSION = "1.0.3" +VERSION = "1.0.4" with open("README.rst", "r", encoding="utf-8") as f: README = f.read()
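Review bot: The `else:` branch in the new block calls `__set_inference_ssl_from_secret` unconditionally, so whenever the file pair is incomplete it stores `fe_ssl_secret` even when that is `None`, and a partially supplied cert/key pair is dropped without notice despite the comment saying files take precedence. The visible caller runs `__validate_scoring_fe_settings` first, which rejects the neither-case, but the helper itself does not enforce that. Making the fallback explicit keeps it safe if called on its own: `elif fe_ssl_secret:` in place of `else:`, then `else:` / `raise InvalidArgumentValueError("Provide both sslCertPemFile and sslKeyPemFile, or sslSecret, when allowInsecureConnections is not true.")`. `__set_up_inference_ssl` starts before this hunk.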