From 3f0148c67e359e9ba06bc2a0831c0e2927058ecb Mon Sep 17 00:00:00 2001 From: david <9059044+Tansito@users.noreply.github.com> Date: Fri, 14 Apr 2023 11:32:32 +0200 Subject: [PATCH 01/31] Terraform improvements --- infrastructure/terraform/ibm/helm.tf | 14 -- infrastructure/terraform/ibm/main.tf | 12 -- infrastructure/terraform/ibm/values.yaml | 198 ---------------------- infrastructure/terraform/ibm/variables.tf | 12 +- 4 files changed, 6 insertions(+), 230 deletions(-) delete mode 100644 infrastructure/terraform/ibm/helm.tf delete mode 100644 infrastructure/terraform/ibm/values.yaml diff --git a/infrastructure/terraform/ibm/helm.tf b/infrastructure/terraform/ibm/helm.tf deleted file mode 100644 index c1ed817f1..000000000 --- a/infrastructure/terraform/ibm/helm.tf +++ /dev/null @@ -1,14 +0,0 @@ -############################################################################## -# Create a helm execution -############################################################################## - -resource "helm_release" "quantum_serverless_release" { - name = "quantum-serverless-release" - chart = "../../helm/quantumserverless" - - values = [ - file("values.yaml") - ] -} - -############################################################################## diff --git a/infrastructure/terraform/ibm/main.tf b/infrastructure/terraform/ibm/main.tf index 8d40f1bec..c7b251bca 100644 --- a/infrastructure/terraform/ibm/main.tf +++ b/infrastructure/terraform/ibm/main.tf @@ -9,10 +9,6 @@ terraform { source = "IBM-Cloud/ibm" version = ">= 1.51.0" } - helm = { - source = "hashicorp/helm" - version = ">= 2.9.0" - } } required_version = "~> 1.4" 
@@ -24,14 +20,6 @@ provider "ibm" { ibmcloud_timeout = var.ibmcloud_timeout } -provider "helm" { - kubernetes { - host = data.ibm_container_cluster_config.quantum_serverless_cluster_config.host - token = data.ibm_container_cluster_config.quantum_serverless_cluster_config.token - cluster_ca_certificate = data.ibm_container_cluster_config.quantum_serverless_cluster_config.ca_certificate - } -} - ############################################################################## ############################################################################## diff --git a/infrastructure/terraform/ibm/values.yaml b/infrastructure/terraform/ibm/values.yaml deleted file mode 100644 index 85914c196..000000000 --- a/infrastructure/terraform/ibm/values.yaml +++ /dev/null 
@@ -1,198 +0,0 @@ -# =================== -# Quantum Serverless configs -# =================== - -# =================== -# Ingress Nginx controller configs -# =================== - -# Ingress Nginx controller is disabled by default to not affect cloud providers' controller configuration -nginxIngressControllerEnable: false - -# =================== -# Redis configs -# =================== - -redisEnable: true -redis: - architecture: "standalone" - - global: - redis: - password: "" - - auth: - enabled: false - - master: - service: - ports: - redis: 7000 - -# =================== -# Jupyter configs -# =================== - -jupyterEnable: false - -jupyter: - jupyterToken: "" - - image: - repository: "" - tag: "latest" - pullPolicy: IfNotPresent - - imagePullSecrets: [] - - container: - port: 8888 - - service: - port: 80 - - # If you enable it remember to enable nginx ingress controller if you need a controller for ingress - ingress: - enabled: false - className: "nginx" - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - loadBalancer: - hostname: localhost - hosts: - - host: localhost - paths: - - path: / - pathType: Prefix - - -# =================== -# Ray Cluster -# =================== - -rayClusterEnable: true -ray-cluster: - nameOverride: "kuberay" - fullnameOverride: "" - - image: - repository: "qiskit/quantum-serverless-ray-node" - tag: "latest" - pullPolicy: IfNotPresent - - head: - rayStartParams: - dashboard-host: '0.0.0.0' - - worker: - # If you want to disable the default workergroup - # uncomment the line below - # disabled: true - replicas: 1 - type: worker - - service: - type: ClusterIP - - -# =================== -# Kuberay Operator -# =================== - -kuberayOperatorEnable: true -kuberay-operator: - nameOverride: "kuberay-operator" - fullnameOverride: "kuberay-operator" - - rbacEnable: true - ## Install Default RBAC roles and bindings - rbac: - create: true - apiVersion: v1 - - serviceAccount: - # Specifies 
whether a service account should be created - create: true - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "kuberay-operator" - - service: - type: ClusterIP - port: 8080 - - livenessProbe: - initialDelaySeconds: 10 - periodSeconds: 5 - failureThreshold: 5 - - readinessProbe: - initialDelaySeconds: 10 - periodSeconds: 5 - failureThreshold: 5 - - createCustomResource: true - - batchScheduler: - enabled: false - -# =================== -# Kuberay API Server -# =================== - -kuberayApiServerEnable: true -kuberay-apiserver: - name: "kuberay-apiserver" - image: - repository: kuberay/apiserver - tag: v0.5.0 - pullPolicy: IfNotPresent - - rbacEnable: true - ## Install Default RBAC roles and bindings - rbac: - create: true - apiVersion: v1 - - serviceAccount: - # Specifies whether a service account should be created - create: true - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "kuberay-apiserver" - - containerPort: - - containerPort: 8888 - - containerPort: 8887 - - resources: - limits: - cpu: 500m - memory: 500Mi - requests: - cpu: 300m - memory: 300Mi - - service: - type: NodePort - ports: - - name: http - port: 8888 - targetPort: 8888 - nodePort: 31888 - - name: rpc - port: 8887 - targetPort: 8887 - nodePort: 31887 - - ingress: - enabled: false - - replicaCount: 1 - -# =================== -# Keycloak -# =================== - -keycloakEnable: false diff --git a/infrastructure/terraform/ibm/variables.tf b/infrastructure/terraform/ibm/variables.tf index 5db79cda7..04be72f2f 100644 --- a/infrastructure/terraform/ibm/variables.tf +++ b/infrastructure/terraform/ibm/variables.tf 
@@ -42,13 +42,13 @@ variable "ibmcloud_timeout" { variable "name" { description = "The prefix name for all the resources" type = string - default = "qserverless" + default = "quantum-serverless" } variable "tags" { description = "The list of tags" type = list(string) - default = ["env:dev", "project:qserverless"] + default = ["env:dev", "project:middleware"] } variable "locations" { @@ -72,19 +72,19 @@ variable "number_of_addresses" { variable "machine_type" { description = "Machine type for the IKS Cluster" type = string - default = "cx2.2x4" + default = "cx2.8x16" } variable "worker_nodes_per_zone" { description = "Number of workers per zone" type = number - default = 1 + default = 2 } variable "disable_pse" { description = "Disable public service endpoint for cluster. True or false" type = bool - default = false + default = true } -############################################################################## +############################################################################## \ No newline at end of file From 6c55b12f99a80625d3e25bd845e74aea9b43fa22 Mon Sep 17 00:00:00 2001 From: david <9059044+Tansito@users.noreply.github.com> Date: Fri, 14 Apr 2023 11:46:53 +0200 Subject: [PATCH 02/31] Helm improvements --- .../repository/templates/deployment.yaml | 9 +++ .../templates/nginxconfig.yaml | 9 --- .../templates/rayingress.yaml | 53 +++++++++++---- .../helm/quantumserverless/values.yaml | 65 ++++++++++--------- 4 files changed, 86 insertions(+), 50 deletions(-) delete mode 100644 infrastructure/helm/quantumserverless/templates/nginxconfig.yaml diff --git a/infrastructure/helm/quantumserverless/charts/repository/templates/deployment.yaml b/infrastructure/helm/quantumserverless/charts/repository/templates/deployment.yaml index ba7631a80..d23fa85de 100644 --- a/infrastructure/helm/quantumserverless/charts/repository/templates/deployment.yaml +++ b/infrastructure/helm/quantumserverless/charts/repository/templates/deployment.yaml 
@@ -47,6 +47,15 @@ spec: # port: http resources: {{- toYaml .Values.resources | nindent 12 }} + env: + - name: DEBUG + value: { { .Values.application.debug | quote } } + - name: DJANGO_SUPERUSER_USERNAME + value: { { .Values.application.superuser.username | quote } } + - name: DJANGO_SUPERUSER_PASSWORD + value: { { .Values.application.superuser.password | quote } } + - name: DJANGO_SUPERUSER_EMAIL + value: { { .Values.application.superuser.email | quote } } {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/infrastructure/helm/quantumserverless/templates/nginxconfig.yaml b/infrastructure/helm/quantumserverless/templates/nginxconfig.yaml deleted file mode 100644 index c97f72145..000000000 --- a/infrastructure/helm/quantumserverless/templates/nginxconfig.yaml +++ /dev/null @@ -1,9 +0,0 @@ -{{- if .Values.keycloakEnable }} -kind: ConfigMap -apiVersion: v1 -metadata: - name: {{ .Release.Name }}-nginx-ingress-controller -data: - proxy-buffer-size: "256k" - proxy-buffers: "4 512k" -{{- end }} diff --git a/infrastructure/helm/quantumserverless/templates/rayingress.yaml b/infrastructure/helm/quantumserverless/templates/rayingress.yaml index c2b7050c1..7964d72b4 100644 --- a/infrastructure/helm/quantumserverless/templates/rayingress.yaml +++ b/infrastructure/helm/quantumserverless/templates/rayingress.yaml 
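Review bot: `DJANGO_SUPERUSER_PASSWORD` in the added `env:` list is rendered from `.Values.application.superuser.password` as a literal `value:`, so the password appears in plain text in the rendered Deployment manifest and in `kubectl describe` output. Reference a Kubernetes Secret through `valueFrom.secretKeyRef` instead, as sketched below; the Secret name and key are placeholders, since this hunk defines no Secret. The `{ { ... } }` spacing on these four lines is not valid template syntax and is corrected by the later hunk `@@ -49,13 +49,13 @@` of the same file, which keeps the literal-value pattern, so the same remark applies there. The container spec starts and ends outside this hunk.

```yaml
# … unchanged: DEBUG and DJANGO_SUPERUSER_USERNAME entries …
- name: DJANGO_SUPERUSER_PASSWORD
  valueFrom:
    secretKeyRef:
      name: PLACEHOLDER-superuser-secret  # placeholder: a Secret created outside this hunk
      key: PLACEHOLDER-password-key       # placeholder key name
# … unchanged: DJANGO_SUPERUSER_EMAIL entry …
```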
@@ -1,20 +1,49 @@ {{- if .Values.keycloakEnable }} +{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} apiVersion: networking.k8s.io/v1 +{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1beta1 +{{- else -}} +apiVersion: extensions/v1beta1 +{{- end }} kind: Ingress metadata: name: ray-ingress + {{- with .Values.ingress.annotations }} annotations: - nginx.ingress.kubernetes.io/rewrite-target: / + {{- toYaml . | nindent 4 }} + {{- end }} spec: - ingressClassName: nginx + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} rules: - - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: {{ .Release.Name }}-kuberay-head-svc - port: - number: 4180 -{{- end }} + {{- range .Values.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} + pathType: {{ .pathType }} + {{- end }} + backend: + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + service: + name: {{ .serviceName }} + port: + number: {{ .servicePort }} + {{- else }} + serviceName: {{ .serviceName }} + servicePort: {{ .servicePort }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/infrastructure/helm/quantumserverless/values.yaml b/infrastructure/helm/quantumserverless/values.yaml index b506c2357..1ca14c1ba 100644 --- a/infrastructure/helm/quantumserverless/values.yaml +++ b/infrastructure/helm/quantumserverless/values.yaml 
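Review bot: The rewritten Ingress is still wrapped in `{{- if .Values.keycloakEnable }}` on its first line, although its rules now come entirely from `.Values.ingress.hosts` and no longer reference Keycloak or the Ray head service. With `keycloakEnable: false` no Ingress is rendered even when hosts are configured, and with it enabled and `hosts: []` an Ingress without rules is rendered. Gating on the values the template actually consumes would be clearer, e.g. `{{- if .Values.ingress.hosts }}`. `secretName: {{ .secretName }}` and `path: {{ .path }}` are also emitted unquoted while the host entries use `| quote`; piping them through `quote` as well keeps the rendered YAML stable for unusual values.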
@@ -7,7 +7,22 @@ # =================== # Ingress Nginx controller is disabled by default to not affect cloud providers' controller configuration -nginxIngressControllerEnable: true +nginxIngressControllerEnable: false +ingress: + annotations: + # For IBM Cloud the valid ingress class values are: public-iks-k8s-nginx and private-iks-k8s-nginx + kubernetes.io/ingress.class: "nginx" + nginx.ingress.kubernetes.io/rewrite-target: / + nginx.ingress.kubernetes.io/proxy-buffers-number: "4" + nginx.ingress.kubernetes.io/proxy-buffer-size: "512k" + tls: [] +# tls: +# - hosts: +# - "quantum-serverless-url.cloud" +# secretName: "tls-secret-name" + hosts: [] +# hosts: +# - host: "quantum-serverless-url.cloud" # =================== # Gateway configs @@ -30,6 +45,9 @@ gateway: username: "admin" password: "passw0rd" email: "admin@examplemail.io" + service: + type: ClusterIP + port: 8000 # =================== # Redis configs @@ -45,11 +63,6 @@ redis: auth: enabled: false - - master: - service: - ports: - redis: 7000 # =================== # Jupyter configs @@ -73,22 +86,6 @@ jupyter: service: port: 80 - # If you enable it remember to enable nginx ingress controller if you need a controller for ingress - ingress: - enabled: false - className: "nginx" - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - loadBalancer: - hostname: localhost - hosts: - - host: localhost - paths: - - path: / - pathType: Prefix - - # =================== # Ray Cluster # =================== @@ -133,7 +130,6 @@ ray-cluster: service: type: ClusterIP - # =================== # Kuberay Operator # =================== @@ -273,8 +269,8 @@ keycloak: logging: level: DEBUG service: - type: NodePort - nodePorts: + type: ClusterIP + ports: http: 31059 auth: adminUser: admin 
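Review bot: The commented example under `hosts:` in the new `ingress:` block shows only `- host: "quantum-serverless-url.cloud"`, but the ingress template in this patch iterates `.paths` and reads `.path`, `.pathType`, `.serviceName` and `.servicePort` for every host. A user who uncomments the example as written gets a rule with no paths and no backend. Extend the comment to a complete entry that includes `paths` with `path`, `pathType`, `serviceName` and `servicePort`. Since `tls: []` is the default, a one-line comment stating that everything published through this Ingress is served over plain HTTP until a `tls` entry is set would also help.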
@@ -294,7 +290,17 @@ keycloak: repositoryEnable: true repository: - tag: "nightly" + image: + pullPolicy: IfNotPresent + tag: "latest" + application: + superuser: + username: "admin" + password: "passw0rd" + email: "admin@examplemail.io" + service: + type: ClusterIP + port: 8060 # =================== # Prometheus @@ -305,8 +311,9 @@ kube-prometheus-stack: grafana: adminPassword: passw0rd service: - type: NodePort - nodePort: 32294 + type: ClusterIP + ports: + http: 32294 grafana.ini: auth: disable_login_form: "true" @@ -353,7 +360,7 @@ loki: replicas: 1 gateway: service: - type: NodePort + type: ClusterIP # =================== # promtail From f30193688de5dae36e7a01437bb9469b708f9dd1 Mon Sep 17 00:00:00 2001 From: david <9059044+Tansito@users.noreply.github.com> Date: Mon, 17 Apr 2023 13:56:14 +0200 Subject: [PATCH 03/31] Public service endpoint enable --- infrastructure/terraform/ibm/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infrastructure/terraform/ibm/variables.tf b/infrastructure/terraform/ibm/variables.tf index 04be72f2f..0adab91cc 100644 --- a/infrastructure/terraform/ibm/variables.tf +++ b/infrastructure/terraform/ibm/variables.tf @@ -84,7 +84,7 @@ variable "worker_nodes_per_zone" { variable "disable_pse" { description = "Disable public service endpoint for cluster. True or false" type = bool - default = true + default = false } ############################################################################## \ No newline at end of file From f1afb6c06100f978303118f27a3901a3ddf56f69 Mon Sep 17 00:00:00 2001 From: david <9059044+Tansito@users.noreply.github.com> Date: Mon, 17 Apr 2023 15:41:19 +0200 Subject: [PATCH 04/31] Fix template error in repository --- .../charts/repository/templates/deployment.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
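Review bot: `repository.application.superuser.password: "passw0rd"` ships a fixed, publicly known superuser password as the chart default, and the repository deployment template passes it straight into `DJANGO_SUPERUSER_PASSWORD`. Anyone installing without overriding values gets an admin account with that password; the same literal is already used for the `gateway` superuser and for `grafana.adminPassword` in the surrounding context. Prefer an empty default that the template rejects, e.g. `password: ""` here and `{{ required "application.superuser.password must be set" .Values.application.superuser.password | quote }}` in the template, or a reference to an existing Secret. `tag: "latest"` in the same hunk is a mutable tag combined with `pullPolicy: IfNotPresent`, so nodes can end up running different images under one tag; a fixed version tag keeps deployments reproducible.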
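Review bot: `ports:` / `http: 32294` under `kube-prometheus-stack.grafana.service` (hunk `@@ -305,8 +311,9 @@`) looks copied from the Keycloak block; as far as I know the Grafana subchart reads `service.port`, not `service.ports.http`, so this key is probably ignored and the Service would listen on the subchart's default port. If 32294 is meant to be the Service port, write `port: 32294`; otherwise drop the key. Please confirm against the subchart version this chart depends on.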
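Review bot: `disable_pse` defaults to `false` again in hunk `@@ -84,7 +84,7 @@`, so a cluster created with default variables keeps its public service endpoint enabled, yet the description ("Disable public service endpoint for cluster. True or false") says nothing about that exposure. Either keep the restrictive default from the earlier patch and let users opt in, or state the consequence in the description, e.g. `description = "Disable the public service endpoint of the cluster. Defaults to false, which leaves the cluster master reachable over the public network"` (wording to be confirmed against the IBM provider documentation). The file also still ends without a trailing newline (`\ No newline at end of file`).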
diff --git a/infrastructure/helm/quantumserverless/charts/repository/templates/deployment.yaml b/infrastructure/helm/quantumserverless/charts/repository/templates/deployment.yaml index d23fa85de..34bfb43a5 100644 --- a/infrastructure/helm/quantumserverless/charts/repository/templates/deployment.yaml +++ b/infrastructure/helm/quantumserverless/charts/repository/templates/deployment.yaml @@ -49,13 +49,13 @@ spec: {{- toYaml .Values.resources | nindent 12 }} env: - name: DEBUG - value: { { .Values.application.debug | quote } } + value: {{ .Values.application.debug | quote }} - name: DJANGO_SUPERUSER_USERNAME - value: { { .Values.application.superuser.username | quote } } + value: {{ .Values.application.superuser.username | quote }} - name: DJANGO_SUPERUSER_PASSWORD - value: { { .Values.application.superuser.password | quote } } + value: {{ .Values.application.superuser.password | quote }} - name: DJANGO_SUPERUSER_EMAIL - value: { { .Values.application.superuser.email | quote } } + value: {{ .Values.application.superuser.email | quote }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} From aa93d407ff5eae96b635cb415670f495046cefdd Mon Sep 17 00:00:00 2001 From: david <9059044+Tansito@users.noreply.github.com> Date: Mon, 17 Apr 2023 16:02:20 +0200 Subject: [PATCH 05/31] Improved deployment configuration --- .../charts/gateway/templates/deployment.yaml | 18 +++++++++--------- .../repository/templates/deployment.yaml | 1 + .../{rayingress.yaml => ingress.yaml} | 0 3 files changed, 10 insertions(+), 9 deletions(-) rename infrastructure/helm/quantumserverless/templates/{rayingress.yaml => ingress.yaml} (100%) diff --git a/infrastructure/helm/quantumserverless/charts/gateway/templates/deployment.yaml b/infrastructure/helm/quantumserverless/charts/gateway/templates/deployment.yaml index 6eed5df90..08a5cf501 100644 --- a/infrastructure/helm/quantumserverless/charts/gateway/templates/deployment.yaml 
+++ b/infrastructure/helm/quantumserverless/charts/gateway/templates/deployment.yaml @@ -33,19 +33,19 @@ spec: {{- toYaml .Values.securityContext | nindent 12 }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} - command: ["python", "manage.py", "runserver", "0.0.0.0:8000"] #[ "gunicorn", "gateway.wsgi:application", "--bind", "0.0.0.0:8000", "--workers=3" ] + command: [ "gunicorn", "main.wsgi:application", "--bind", "0.0.0.0:8000", "--workers=4" ] ports: - name: http containerPort: {{ .Values.service.port }} protocol: TCP - livenessProbe: - httpGet: - path: / - port: http - readinessProbe: - httpGet: - path: / - port: http +# livenessProbe: +# httpGet: +# path: / +# port: http +# readinessProbe: +# httpGet: +# path: / +# port: http resources: {{- toYaml .Values.resources | nindent 12 }} env: diff --git a/infrastructure/helm/quantumserverless/charts/repository/templates/deployment.yaml b/infrastructure/helm/quantumserverless/charts/repository/templates/deployment.yaml index 34bfb43a5..903797e91 100644 --- a/infrastructure/helm/quantumserverless/charts/repository/templates/deployment.yaml +++ b/infrastructure/helm/quantumserverless/charts/repository/templates/deployment.yaml @@ -33,6 +33,7 @@ spec: {{- toYaml .Values.securityContext | nindent 12 }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} + command: [ "gunicorn", "main.wsgi:application", "--bind", "0.0.0.0:8060", "--workers=4" ] ports: - name: http containerPort: {{ .Values.service.port }} diff --git a/infrastructure/helm/quantumserverless/templates/rayingress.yaml b/infrastructure/helm/quantumserverless/templates/ingress.yaml similarity index 100% rename from infrastructure/helm/quantumserverless/templates/rayingress.yaml rename to infrastructure/helm/quantumserverless/templates/ingress.yaml 
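Review bot: The liveness and readiness probes in the gateway container are commented out rather than repointed, so after this change Kubernetes sends traffic to the pod as soon as the container starts and has no way to detect a hung gunicorn process. If `/` no longer answers 200 without authentication, a TCP check still gives basic health gating: `readinessProbe:` with `tcpSocket:` and `port: http`, and likewise for `livenessProbe`. The new `command` also hard-codes `0.0.0.0:8000` while `containerPort` is `{{ .Values.service.port }}`; building the bind address from the same value, `"0.0.0.0:{{ .Values.service.port }}"`, keeps the two in step. The repository hunk `@@ -33,6 +33,7 @@` hard-codes its port the same way (`8060`). The container spec continues outside both hunks.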
From 617b362353a4a6b625f833a1be2fa508f52a02d1 Mon Sep 17 00:00:00 2001 From: david <9059044+Tansito@users.noreply.github.com> Date: Tue, 18 Apr 2023 12:50:05 +0200 Subject: [PATCH 06/31] Updated values for the new architecture --- .../helm/quantumserverless/values-ibm.yaml | 318 ++++++++++++++++++ .../helm/quantumserverless/values.yaml | 81 +---- 2 files changed, 328 insertions(+), 71 deletions(-) create mode 100644 infrastructure/helm/quantumserverless/values-ibm.yaml diff --git a/infrastructure/helm/quantumserverless/values-ibm.yaml b/infrastructure/helm/quantumserverless/values-ibm.yaml new file mode 100644 index 000000000..851d1dd6c --- /dev/null +++ b/infrastructure/helm/quantumserverless/values-ibm.yaml 
@@ -0,0 +1,318 @@ +# =================== +# Quantum Serverless configs +# =================== + +# =================== +# Ingress Nginx controller configs +# =================== + +# Ingress Nginx controller is disabled by default to not affect cloud providers' controller configuration +nginxIngressControllerEnable: false +ingress: + annotations: + # For IBM Cloud the valid ingress class values are: public-iks-k8s-nginx and private-iks-k8s-nginx + kubernetes.io/ingress.class: "public-iks-k8s-nginx" + nginx.ingress.kubernetes.io/proxy-buffers-number: "4" + nginx.ingress.kubernetes.io/proxy-buffer-size: "512k" + tls: + - hosts: + - "gateway.YOUR_INGRESS_PUBLIC_END_POINT" + - "repository.YOUR_INGRESS_PUBLIC_END_POINT" + secretName: "YOUR-INGRESS-SECRET" + hosts: + - host: "gateway.YOUR_INGRESS_PUBLIC_END_POINT" + paths: + - path: / + pathType: Prefix + serviceName: "RELEASE_NAME-gateway" + servicePort: 8000 + - host: "repository.YOUR_INGRESS_PUBLIC_END_POINT" + paths: + - path: / + pathType: Prefix + serviceName: "RELEASE_NAME-repository" + servicePort: 8060 + +# =================== +# Gateway configs +# =================== + +gatewayEnable: true +gateway: + image: + pullPolicy: IfNotPresent + tag: "nightly" + application: + siteHost: "http://localhost:8000" + rayHost: "http://RELEASE_NAME-kuberay-head-svc:8265" + keycloak: + clientId: "gateway-client" + url: "http://RELEASE_NAME-keycloak" + realm: "quantumserverless" + clientSecret: "secret" + superuser: + username: "admin" + password: "passw0rd" + email: "admin@examplemail.io" + service: + type: ClusterIP + port: 8000 + +# =================== +# Redis configs +# =================== + +redisEnable: true +redis: + architecture: "standalone" + global: + redis: + password: "" + auth: + enabled: false + +# =================== +# Jupyter configs +# =================== + +jupyterEnable: false +jupyter: + jupyterToken: "YOUR_JUPYTER_PASSWORD_HERE" + image: + repository: "qiskit/quantum-serverless-notebook" + tag: 
"nightly-py39" + pullPolicy: IfNotPresent + container: + port: 8888 + service: + port: 80 + +# =================== +# Ray Cluster +# =================== + +rayClusterEnable: true +ray-cluster: + nameOverride: "kuberay" + fullnameOverride: "" + image: + repository: "qiskit/quantum-serverless-ray-node" + tag: "nightly-py39" + pullPolicy: IfNotPresent + head: + rayStartParams: + dashboard-host: "0.0.0.0" + ports: [{containerPort: 8265, name: dashboard}] + worker: + # If you want to disable the default workergroup + # uncomment the line below + # disabled: true + replicas: 1 + type: worker + service: + type: ClusterIP + +# =================== +# Kuberay Operator +# =================== + +kuberayOperatorEnable: true +kuberay-operator: + nameOverride: "kuberay-operator" + fullnameOverride: "kuberay-operator" + image: + repository: kuberay/operator + tag: 0.5.0 + pullPolicy: IfNotPresent + rbacEnable: true + ## Install Default RBAC roles and bindings + rbac: + create: true + apiVersion: v1 + serviceAccount: + # Specifies whether a service account should be created + create: true + # The name of the service account to use. 
+ # If not set and create is true, a name is generated using the fullname template + name: "kuberay-operator" + service: + type: ClusterIP + port: 8080 + livenessProbe: + initialDelaySeconds: 10 + periodSeconds: 5 + failureThreshold: 5 + readinessProbe: + initialDelaySeconds: 10 + periodSeconds: 5 + failureThreshold: 5 + createCustomResource: true + batchScheduler: + enabled: false + +# =================== +# Kuberay API Server +# =================== + +kuberayApiServerEnable: true +kuberay-apiserver: + nameOverride: "kuberay-apiserver" + fullnameOverride: "kuberay-apiserver" + image: + repository: kuberay/apiserver + tag: v0.5.0 + pullPolicy: IfNotPresent + rbacEnable: true + ## Install Default RBAC roles and bindings + rbac: + create: true + apiVersion: v1 + serviceAccount: + # Specifies whether a service account should be created + create: true + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "kuberay-apiserver" + containerPort: + - containerPort: 8888 + - containerPort: 8887 + - containerPort: 4180 + resources: + limits: + cpu: 500m + memory: 500Mi + requests: + cpu: 300m + memory: 300Mi + service: + type: NodePort + ports: + - name: http + port: 8888 + targetPort: 8888 + nodePort: 31888 + - name: rpc + port: 8887 + targetPort: 8887 + nodePort: 31887 + - name: proxy + port: 4180 + targetPort: 4180 + nodePort: 30634 + ingress: + enabled: false + replicaCount: 1 + +# =================== +# Keycloak +# =================== + +keycloakEnable: true +keycloakClientSecret: CLIENTSECRET-CHANGEME +keycloakApiServerSecret: APISERVERSECRET-CHANGEME +grafanaClientSecret: GRAFANASECRET-CHANGEME +keycloakAdminID: admin +keycloakAdminPassword: passw0rd +keycloakUserID: user +keycloakUserPassword: passw0rd +keycloak: + logging: + level: DEBUG + service: + type: ClusterIP + ports: + http: 31059 + auth: + adminUser: admin + adminPassword: passw0rd + extraVolumes: + - name: realm + configMap: + 
name: keycloakrealm + extraVolumeMounts: + - name: realm + mountPath: /opt/bitnami/keycloak/data/import + extraStartupArgs: "--import-realm" + +# =================== +# Quantum Repository +# =================== + +repositoryEnable: true +repository: + image: + pullPolicy: IfNotPresent + tag: "latest" + application: + superuser: + username: "admin" + password: "passw0rd" + email: "admin@examplemail.io" + service: + type: ClusterIP + port: 8060 + +# =================== +# Prometheus +# =================== + +prometheusEnable: true +kube-prometheus-stack: + grafana: + adminPassword: passw0rd + service: + type: ClusterIP + ports: + http: 32294 + grafana.ini: + auth: + disable_login_form: "true" + auth.generic_oauth: + enabled: "true" + name: Keycloak-OAuth + allow_sign_up: "true" + client_id: grafana + client_secret: GRAFANASECRET-CHANGEME + api_url: "http://RELEASE_NAME-keycloak:31059/realms/quantumserverless/protocol/openid-connect/userinfo" + auth_url: "http://RELEASE_NAME-keycloak:31059/realms/quantumserverless/protocol/openid-connect/auth" + token_url: "http://RELEASE_NAME-keycloak:31059/realms/quantumserverless/protocol/openid-connect/token" + role_attribute_path: "contains(roles[*], 'grafanaadmin') && 'GrafanaAdmin' || contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'" + allow_assign_grafana_admin: "true" + scopes: openid email profile roles + email_attribute_path: user@quatunserverless.org + login_attribute_path: user + name_attribute_path: none + log: + level: debug + server: + root_url: "http://localhost:32294/" + +# =================== +# loki +# =================== + +lokiEnable: true +loki: + loki: + commonConfig: + replication_factor: 1 + storage: + type: 'filesystem' + auth_enabled: false + write: + replicas: 0 + read: + replicas: 0 + backend: + replicas: 0 + singleBinary: + replicas: 1 + gateway: + service: + type: ClusterIP + +# =================== +# promtail +# =================== + +promtailEnable: true 
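Review bot: `kuberay-apiserver.service.type` is `NodePort` in this new file, publishing 8888, 8887 and 4180 on node ports 31888, 31887 and 30634, while every other service in the file is `ClusterIP` and no sidecar is defined behind the `proxy` port. As configured here nothing in front of the KubeRay API server authenticates callers, so unless something outside this file restricts access it is reachable on every routable worker node address. Set `type: ClusterIP` and drop the `nodePort` keys (and the 4180 entry if nothing listens there), consistent with the rest of the file. The `@@ -231,27 +189,10 @@` hunk of `values.yaml` in this patch has the same gap: it removes the gatekeeper sidecar but leaves the NodePort service in place. Separately, `passw0rd`, `clientSecret: "secret"` and the `*-CHANGEME` values are committed as working defaults; a header comment listing every value that must be overridden before deployment would help.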
diff --git a/infrastructure/helm/quantumserverless/values.yaml b/infrastructure/helm/quantumserverless/values.yaml index 1ca14c1ba..b67fd1196 100644 --- a/infrastructure/helm/quantumserverless/values.yaml +++ b/infrastructure/helm/quantumserverless/values.yaml @@ -7,12 +7,11 @@ # =================== # Ingress Nginx controller is disabled by default to not affect cloud providers' controller configuration -nginxIngressControllerEnable: false +nginxIngressControllerEnable: true ingress: annotations: # For IBM Cloud the valid ingress class values are: public-iks-k8s-nginx and private-iks-k8s-nginx kubernetes.io/ingress.class: "nginx" - nginx.ingress.kubernetes.io/rewrite-target: / nginx.ingress.kubernetes.io/proxy-buffers-number: "4" nginx.ingress.kubernetes.io/proxy-buffer-size: "512k" tls: [] @@ -34,11 +33,11 @@ gateway: pullPolicy: IfNotPresent tag: "nightly" application: - siteHost: "http://127.0.0.1:8000" - rayHost: "http://serverless-cluster-kuberay-head-svc:8265" + siteHost: "http://localhost:8000" + rayHost: "http://RELEASE_NAME-kuberay-head-svc:8265" keycloak: clientId: "gateway-client" - url: "http://serverless-cluster-keycloak" + url: "http://RELEASE_NAME-keycloak" realm: "quantumserverless" clientSecret: "secret" superuser: @@ -56,11 +55,9 @@ gateway: redisEnable: true redis: architecture: "standalone" - global: redis: password: "" - auth: enabled: false @@ -69,20 +66,14 @@ redis: # =================== jupyterEnable: true - jupyter: - jupyterToken: "" - + jupyterToken: "YOUR_JUPYTER_PASSWORD_HERE" image: repository: "qiskit/quantum-serverless-notebook" tag: "nightly-py39" pullPolicy: IfNotPresent - - imagePullSecrets: [] - container: port: 8888 - service: port: 80 
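Review bot: `nginxIngressControllerEnable` is switched back to `true` in hunk `@@ -7,12 +7,11 @@`, but the comment directly above it still reads "Ingress Nginx controller is disabled by default to not affect cloud providers' controller configuration". Update the comment to match the value, e.g. `# Ingress Nginx controller is enabled by default; set to false when the cloud provider supplies its own controller (see values-ibm.yaml)`.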
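Review bot: `jupyterToken: "YOUR_JUPYTER_PASSWORD_HERE"` in hunk `@@ -69,20 +66,14 @@` is a working value rather than an inert placeholder, and `jupyterEnable: true` stays set in the context line above it, so a default install starts a notebook server protected by a token that is published in the repository. Whoever holds a notebook token can run code in that pod. Prefer failing the render when the token is unset (Helm's `required`), or generating one with `randAlphaNum` and storing it in a Secret; at minimum add a comment saying this value must be replaced before installing.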
@@ -94,39 +85,20 @@ rayClusterEnable: true ray-cluster: nameOverride: "kuberay" fullnameOverride: "" - image: repository: "qiskit/quantum-serverless-ray-node" tag: "nightly-py39" pullPolicy: IfNotPresent - head: rayStartParams: - dashboard-host: '0.0.0.0' - ports: [{containerPort: 10001, name: client},{containerPort: 6379, name: redis},{containerPort: 8265, name: dashboard},{containerPort: 8080, name: metrics},{containerPort: 8000, name: serve},{containerPort: 4180, name: proxy}] - sidecarContainers: - - name: oauth-proxy - image: quay.io/oauth2-proxy/oauth2-proxy:v7.3.0 - imagePullPolicy: IfNotPresent - args: - - --client-secret=CLIENTSECRET-CHANGEME - - --oidc-issuer-url=http://LOCAL-IP:31059/realms/quantumserverless - - --oidc-extra-audience="account" - - --email-domain="*" - - --insecure-oidc-allow-unverified-email=true - - --http-address=0.0.0.0:4180 - - --cookie-secret=SECRET0123456789 - - --provider=keycloak-oidc - - --client-id=rayclient - - --upstream="http://HELM-RELEASE-kuberay-head-svc:8265" - - --redirect-url=http://localhost/oauth2/callback + dashboard-host: "0.0.0.0" + ports: [{containerPort: 8265, name: dashboard}] worker: # If you want to disable the default workergroup # uncomment the line below # disabled: true replicas: 1 type: worker - service: type: ClusterIP 
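Review bot: With the `oauth-proxy` sidecar removed from `ray-cluster.head`, port 8265 is the only listed port and `dashboard-host` remains `"0.0.0.0"`, so the Ray dashboard and its job-submission API are served to any pod that can reach the head service, with nothing authenticating callers. The gateway's `rayHost` in this patch points at that port directly. The service is `ClusterIP`, which limits this to in-cluster traffic, but a NetworkPolicy that allows ingress to the head pod on 8265 only from the gateway pods would restore the boundary the proxy provided. The later hunk `@@ -102,7 +102,11 @@` in `values-ibm.yaml` adds 10001 (`ray-client`) and 6379 (`gcs-server`) back to the same list, and the same policy should cover them.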
@@ -138,41 +110,33 @@ kuberayOperatorEnable: true kuberay-operator: nameOverride: "kuberay-operator" fullnameOverride: "kuberay-operator" - image: repository: kuberay/operator tag: 0.5.0 pullPolicy: IfNotPresent - rbacEnable: true ## Install Default RBAC roles and bindings rbac: create: true apiVersion: v1 - serviceAccount: # Specifies whether a service account should be created create: true # The name of the service account to use. # If not set and create is true, a name is generated using the fullname template name: "kuberay-operator" - service: type: ClusterIP port: 8080 - livenessProbe: initialDelaySeconds: 10 periodSeconds: 5 failureThreshold: 5 - readinessProbe: initialDelaySeconds: 10 periodSeconds: 5 failureThreshold: 5 - createCustomResource: true - batchScheduler: enabled: false @@ -184,30 +148,25 @@ kuberayApiServerEnable: true kuberay-apiserver: nameOverride: "kuberay-apiserver" fullnameOverride: "kuberay-apiserver" - image: repository: kuberay/apiserver tag: v0.5.0 pullPolicy: IfNotPresent - rbacEnable: true ## Install Default RBAC roles and bindings rbac: create: true apiVersion: v1 - serviceAccount: # Specifies whether a service account should be created create: true # The name of the service account to use. # If not set and create is true, a name is generated using the fullname template name: "kuberay-apiserver" - containerPort: - containerPort: 8888 - containerPort: 8887 - containerPort: 4180 - resources: limits: cpu: 500m @@ -215,7 +174,6 @@ kuberay-apiserver: requests: cpu: 300m memory: 300Mi - service: type: NodePort ports: 
@@ -231,27 +189,10 @@ kuberay-apiserver: port: 4180 targetPort: 4180 nodePort: 30634 - ingress: enabled: false - replicaCount: 1 - sidecarContainers: - - image: quay.io/gogatekeeper/gatekeeper:2.3.0 - imagePullPolicy: IfNotPresent - name: gatekeeper - args: - - --no-redirects=true - - --forwarding-grant-type=client_credentials - - --listen=0.0.0.0:4180 - - --client-id=rayapiserver - - --client-secret=APISERVERSECRET-CHANGEME - - --discovery-url=http://LOCAL-IP:31059/realms/quantumserverless - - --enable-logging=true - - --verbose=true - - --upstream-url=http://kuberay-apiserver-service:8888/ - # =================== # Keycloak # =================== @@ -264,7 +205,6 @@ keycloakAdminID: admin keycloakAdminPassword: passw0rd keycloakUserID: user keycloakUserPassword: passw0rd - keycloak: logging: level: DEBUG @@ -323,9 +263,9 @@ kube-prometheus-stack: allow_sign_up: "true" client_id: grafana client_secret: GRAFANASECRET-CHANGEME - api_url: "http://LOCAL-IP:31059/realms/quantumserverless/protocol/openid-connect/userinfo" - auth_url: "http://LOCAL-IP:31059/realms/quantumserverless/protocol/openid-connect/auth" - token_url: "http://LOCAL-IP:31059/realms/quantumserverless/protocol/openid-connect/token" + api_url: "http://RELEASE_NAME-keycloak:31059/realms/quantumserverless/protocol/openid-connect/userinfo" + auth_url: "http://RELEASE_NAME-keycloak:31059/realms/quantumserverless/protocol/openid-connect/auth" + token_url: "http://RELEASE_NAME-keycloak:31059/realms/quantumserverless/protocol/openid-connect/token" role_attribute_path: "contains(roles[*], 'grafanaadmin') && 'GrafanaAdmin' || contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'" allow_assign_grafana_admin: "true" scopes: openid email profile roles @@ -342,7 +282,6 @@ kube-prometheus-stack: # =================== lokiEnable: true - loki: loki: commonConfig: From 2201429dfa2568696828ddb0b2e15ee1c301b5ac Mon Sep 17 00:00:00 2001 
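Review bot: The `gatekeeper` sidecar that listened on 4180 is deleted from `kuberay-apiserver`, but the context lines of this hunk still publish `port: 4180` / `targetPort: 4180` through `nodePort: 30634`, and the previous hunk appears to keep `- containerPort: 4180`. After this change nothing listens there, and the API server on 8888 has lost the only authenticating hop these values configured; whether 8888 is also published by the NodePort Service is not visible in this hunk. Remove the 4180 entries together with the sidecar, and switch `service.type` to `ClusterIP` unless external access to the unauthenticated API is intended.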
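Review bot: `auth_url` is the address Grafana sends the user's browser to, so replacing `LOCAL-IP` with the in-cluster name `RELEASE_NAME-keycloak` probably only works for `api_url` and `token_url`, which Grafana calls server-side; a browser outside the cluster is unlikely to resolve that name. All three endpoints also stay on `http://`, so the authorization code and the `client_secret` exchange travel unencrypted. I would keep `auth_url` on an externally reachable (ideally HTTPS) host and note the difference in a comment, e.g. `# auth_url is opened by the browser; api_url/token_url are called from the Grafana pod`.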
From: david <9059044+Tansito@users.noreply.github.com> Date: Wed, 19 Apr 2023 10:48:13 +0200 Subject: [PATCH 07/31] Updated kuberay/operator version --- infrastructure/helm/quantumserverless/values-ibm.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infrastructure/helm/quantumserverless/values-ibm.yaml b/infrastructure/helm/quantumserverless/values-ibm.yaml index 851d1dd6c..266f82328 100644 --- a/infrastructure/helm/quantumserverless/values-ibm.yaml +++ b/infrastructure/helm/quantumserverless/values-ibm.yaml @@ -122,7 +122,7 @@ kuberay-operator: fullnameOverride: "kuberay-operator" image: repository: kuberay/operator - tag: 0.5.0 + tag: v0.5.0 pullPolicy: IfNotPresent rbacEnable: true ## Install Default RBAC roles and bindings From e61f806f50a6342781b78f46415bc7f499dd7c66 Mon Sep 17 00:00:00 2001 From: david <9059044+Tansito@users.noreply.github.com> Date: Wed, 19 Apr 2023 16:42:52 +0200 Subject: [PATCH 08/31] Updated ray-cluster ports configuration with GCS --- infrastructure/helm/quantumserverless/values-ibm.yaml | 6 +++++- infrastructure/helm/quantumserverless/values.yaml | 6 +++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/infrastructure/helm/quantumserverless/values-ibm.yaml b/infrastructure/helm/quantumserverless/values-ibm.yaml index 266f82328..3dfb94829 100644 --- a/infrastructure/helm/quantumserverless/values-ibm.yaml +++ b/infrastructure/helm/quantumserverless/values-ibm.yaml @@ -102,7 +102,11 @@ ray-cluster: head: rayStartParams: dashboard-host: "0.0.0.0" - ports: [{containerPort: 8265, name: dashboard}] + ports: [ + {containerPort: 10001, name: ray-client}, + {containerPort: 8265, name: dashboard}, + {containerPort: 6379, name: gcs-server} + ] worker: # If you want to disable the default workergroup # uncomment the line below diff --git a/infrastructure/helm/quantumserverless/values.yaml b/infrastructure/helm/quantumserverless/values.yaml index b67fd1196..e2fea9771 100644 
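Review bot: The new `ports` list declares `10001` (`ray-client`) and `6379` (`gcs-server`) on the head in addition to the dashboard, and the same lines are added to `values.yaml` in the next hunk. Neither port has an authenticating proxy in front of it in these values, and the Ray client port accepts remote task submission, so whether this widens exposure depends on how the `ray-cluster` chart turns `head.ports` into a Service, which is not visible here. Please confirm the head Service stays `ClusterIP` and add a comment such as `# cluster-internal only; do not expose 10001/6379 outside the namespace`.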
--- a/infrastructure/helm/quantumserverless/values.yaml +++ b/infrastructure/helm/quantumserverless/values.yaml @@ -92,7 +92,11 @@ ray-cluster: head: rayStartParams: dashboard-host: "0.0.0.0" - ports: [{containerPort: 8265, name: dashboard}] + ports: [ + {containerPort: 10001, name: ray-client}, + {containerPort: 8265, name: dashboard}, + {containerPort: 6379, name: gcs-server} + ] worker: # If you want to disable the default workergroup # uncomment the line below From 913321433c0337f5e4f8fee2cbdbeb98994fa464 Mon Sep 17 00:00:00 2001 From: david <9059044+Tansito@users.noreply.github.com> Date: Thu, 20 Apr 2023 18:19:39 +0200 Subject: [PATCH 09/31] Use nightly for repository --- infrastructure/helm/quantumserverless/values-ibm.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infrastructure/helm/quantumserverless/values-ibm.yaml b/infrastructure/helm/quantumserverless/values-ibm.yaml index 3dfb94829..10fb249d1 100644 --- a/infrastructure/helm/quantumserverless/values-ibm.yaml +++ b/infrastructure/helm/quantumserverless/values-ibm.yaml @@ -246,7 +246,7 @@ repositoryEnable: true repository: image: pullPolicy: IfNotPresent - tag: "latest" + tag: "nightly" application: superuser: username: "admin" From ba8e6cf2e6dd4f034b6d916f347337648033bf09 Mon Sep 17 00:00:00 2001 From: david <9059044+Tansito@users.noreply.github.com> Date: Fri, 21 Apr 2023 11:00:33 +0200 Subject: [PATCH 10/31] Fix gateway keycloak's port configuration --- infrastructure/helm/quantumserverless/values-ibm.yaml | 4 ++-- infrastructure/helm/quantumserverless/values.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/infrastructure/helm/quantumserverless/values-ibm.yaml b/infrastructure/helm/quantumserverless/values-ibm.yaml index 10fb249d1..970a78845 100644 --- a/infrastructure/helm/quantumserverless/values-ibm.yaml +++ b/infrastructure/helm/quantumserverless/values-ibm.yaml 
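Review bot: `tag: "nightly"` is still a moving tag, and together with `pullPolicy: IfNotPresent` on the line above it, a node that already cached an older `nightly` keeps running it, so the deployed repository image is neither reproducible nor guaranteed to contain the latest fixes. For anything beyond local development pin a released version or an image digest; if the floating tag is kept, `pullPolicy: Always` at least makes the behaviour consistent. The `repository` mapping continues below this hunk.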
@@ -47,7 +47,7 @@ gateway: rayHost: "http://RELEASE_NAME-kuberay-head-svc:8265" keycloak: clientId: "gateway-client" - url: "http://RELEASE_NAME-keycloak" + url: "http://RELEASE_NAME-keycloak:31059" realm: "quantumserverless" clientSecret: "secret" superuser: @@ -301,7 +301,7 @@ loki: commonConfig: replication_factor: 1 storage: - type: 'filesystem' + type: "filesystem" auth_enabled: false write: replicas: 0 diff --git a/infrastructure/helm/quantumserverless/values.yaml b/infrastructure/helm/quantumserverless/values.yaml index e2fea9771..352c3f5a1 100644 --- a/infrastructure/helm/quantumserverless/values.yaml +++ b/infrastructure/helm/quantumserverless/values.yaml @@ -37,7 +37,7 @@ gateway: rayHost: "http://RELEASE_NAME-kuberay-head-svc:8265" keycloak: clientId: "gateway-client" - url: "http://RELEASE_NAME-keycloak" + url: "http://RELEASE_NAME-keycloak:31059" realm: "quantumserverless" clientSecret: "secret" superuser: @@ -291,7 +291,7 @@ loki: commonConfig: replication_factor: 1 storage: - type: 'filesystem' + type: "filesystem" auth_enabled: false write: replicas: 0 From ed509b11bba4fa936c49c5b9bd90eb687c080ccc Mon Sep 17 00:00:00 2001 From: david <9059044+Tansito@users.noreply.github.com> Date: Wed, 3 May 2023 13:21:45 +0200 Subject: [PATCH 11/31] Simplified default values for kuberay-operator --- .../helm/quantumserverless/values-ibm.yaml | 27 ------------------- .../helm/quantumserverless/values.yaml | 27 ------------------- 2 files changed, 54 deletions(-) diff --git a/infrastructure/helm/quantumserverless/values-ibm.yaml b/infrastructure/helm/quantumserverless/values-ibm.yaml index 970a78845..189e38467 100644 --- a/infrastructure/helm/quantumserverless/values-ibm.yaml +++ b/infrastructure/helm/quantumserverless/values-ibm.yaml 
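Review bot: `31059` is the port the earlier `http://LOCAL-IP:31059/...` URLs used against a node address, so it looks like a NodePort; a request to the Service name `RELEASE_NAME-keycloak` goes to the Service `port`, which only matches if the Keycloak Service also listens on 31059, and that should be confirmed against the Keycloak values, which are outside this hunk. The URL also stays on `http://`, and the gateway presents its `clientSecret` to this endpoint. The same line is changed in `values.yaml` further down this commit. Once the right number is confirmed, a comment like `# in-cluster Service port, not the NodePort` would save the next reader the same question.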
@@ -122,37 +122,10 @@ ray-cluster: kuberayOperatorEnable: true kuberay-operator: - nameOverride: "kuberay-operator" - fullnameOverride: "kuberay-operator" image: repository: kuberay/operator tag: v0.5.0 pullPolicy: IfNotPresent - rbacEnable: true - ## Install Default RBAC roles and bindings - rbac: - create: true - apiVersion: v1 - serviceAccount: - # Specifies whether a service account should be created - create: true - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "kuberay-operator" - service: - type: ClusterIP - port: 8080 - livenessProbe: - initialDelaySeconds: 10 - periodSeconds: 5 - failureThreshold: 5 - readinessProbe: - initialDelaySeconds: 10 - periodSeconds: 5 - failureThreshold: 5 - createCustomResource: true - batchScheduler: - enabled: false # =================== # Kuberay API Server diff --git a/infrastructure/helm/quantumserverless/values.yaml b/infrastructure/helm/quantumserverless/values.yaml index 1dfec49cc..28a2347d6 100644 --- a/infrastructure/helm/quantumserverless/values.yaml +++ b/infrastructure/helm/quantumserverless/values.yaml 
@@ -112,37 +112,10 @@ ray-cluster: kuberayOperatorEnable: true kuberay-operator: - nameOverride: "kuberay-operator" - fullnameOverride: "kuberay-operator" image: repository: kuberay/operator tag: v0.5.0 pullPolicy: IfNotPresent - rbacEnable: true - ## Install Default RBAC roles and bindings - rbac: - create: true - apiVersion: v1 - serviceAccount: - # Specifies whether a service account should be created - create: true - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "kuberay-operator" - service: - type: ClusterIP - port: 8080 - livenessProbe: - initialDelaySeconds: 10 - periodSeconds: 5 - failureThreshold: 5 - readinessProbe: - initialDelaySeconds: 10 - periodSeconds: 5 - failureThreshold: 5 - createCustomResource: true - batchScheduler: - enabled: false # =================== # Kuberay API Server From 69a7528b640f22f9f7fa2a2d841df38932304f43 Mon Sep 17 00:00:00 2001 From: david <9059044+Tansito@users.noreply.github.com> Date: Wed, 3 May 2023 14:45:18 +0200 Subject: [PATCH 12/31] Added configurations for additional workers instead of a default worker --- .../helm/quantumserverless/values-ibm.yaml | 86 ++++++++++++++++--- .../helm/quantumserverless/values.yaml | 86 ++++++++++++++++--- 2 files changed, 148 insertions(+), 24 deletions(-) diff --git a/infrastructure/helm/quantumserverless/values-ibm.yaml b/infrastructure/helm/quantumserverless/values-ibm.yaml index 189e38467..cdf5b4f49 100644 --- a/infrastructure/helm/quantumserverless/values-ibm.yaml +++ b/infrastructure/helm/quantumserverless/values-ibm.yaml @@ -93,8 +93,6 @@ jupyter: rayClusterEnable: true ray-cluster: - nameOverride: "kuberay" - fullnameOverride: "" image: repository: "qiskit/quantum-serverless-ray-node" tag: "nightly-py39" 
@@ -102,19 +100,83 @@ ray-cluster: head: rayStartParams: dashboard-host: "0.0.0.0" - ports: [ - {containerPort: 10001, name: ray-client}, - {containerPort: 8265, name: dashboard}, - {containerPort: 6379, name: gcs-server} - ] + ports: + - containerPort: 6379 + name: gcs + - containerPort: 8265 + name: dashboard + - containerPort: 10001 + name: client + resources: + limits: + cpu: "4" + # To avoid out-of-memory issues, never allocate less than 2G memory for the Ray head. + memory: "8G" + requests: + cpu: "4" + memory: "8G" worker: # If you want to disable the default workergroup # uncomment the line below - # disabled: true - replicas: 1 - type: worker - service: - type: ClusterIP + disabled: true + # The map's key is used as the groupName. + # For example, key:small-group in the map below + # will be used as the groupName + additionalWorkerGroups: + smallWorkerGroup: + # Disabled by default + disabled: false + replicas: 1 + minReplicas: 1 + maxReplicas: 4 + labels: { } + serviceAccountName: "" + rayStartParams: + block: 'true' + # containerEnv specifies environment variables for the Ray container, + # Follows standard K8s container env schema. + containerEnv: [ ] + # - name: EXAMPLE_ENV + # value: "1" + envFrom: [ ] + # - secretRef: + # name: my-env-secret + # ports optionally allows specifying ports for the Ray container. + # ports: [] + # resource requests and limits for the Ray head container. + # Modify as needed for your application. + # Note that the resources in this example are much too small for production; + # we don't recommend allocating less than 8G memory for a Ray pod in production. + # Ray pods should be sized to take up entire K8s nodes when possible. + # Always set CPU and memory limits for Ray pods. + # It is usually best to set requests equal to limits. + # See https://docs.ray.io/en/latest/cluster/kubernetes/user-guides/config.html#resources + # for further guidance. 
+ resources: + limits: + cpu: 4 + memory: "8G" + requests: + cpu: 4 + memory: "8G" + annotations: { } + nodeSelector: { } + tolerations: [ ] + affinity: { } + # Ray container security context. + securityContext: { } + volumes: + - name: log-volume + emptyDir: { } + # Ray writes logs to /tmp/ray/session_latests/logs + volumeMounts: + - mountPath: /tmp/ray + name: log-volume + sidecarContainers: [ ] + # See docs/guidance/pod-command.md for more details about how to specify + # container command for worker Pod. + command: [ ] + args: [ ] # =================== # Kuberay Operator diff --git a/infrastructure/helm/quantumserverless/values.yaml b/infrastructure/helm/quantumserverless/values.yaml index 28a2347d6..2c42aa102 100644 --- a/infrastructure/helm/quantumserverless/values.yaml +++ b/infrastructure/helm/quantumserverless/values.yaml @@ -83,8 +83,6 @@ jupyter: rayClusterEnable: true ray-cluster: - nameOverride: "kuberay" - fullnameOverride: "" image: repository: "qiskit/quantum-serverless-ray-node" tag: "nightly-py39" 
@@ -92,19 +90,83 @@ ray-cluster: head: rayStartParams: dashboard-host: "0.0.0.0" - ports: [ - {containerPort: 10001, name: ray-client}, - {containerPort: 8265, name: dashboard}, - {containerPort: 6379, name: gcs-server} - ] + ports: + - containerPort: 6379 + name: gcs + - containerPort: 8265 + name: dashboard + - containerPort: 10001 + name: client + resources: + limits: + cpu: "1" + # To avoid out-of-memory issues, never allocate less than 2G memory for the Ray head. + memory: "2G" + requests: + cpu: "1" + memory: "2G" worker: # If you want to disable the default workergroup # uncomment the line below - # disabled: true - replicas: 1 - type: worker - service: - type: ClusterIP + disabled: true + # The map's key is used as the groupName. + # For example, key:small-group in the map below + # will be used as the groupName + additionalWorkerGroups: + smallWorkerGroup: + # Disabled by default + disabled: false + replicas: 1 + minReplicas: 1 + maxReplicas: 4 + labels: { } + serviceAccountName: "" + rayStartParams: + block: 'true' + # containerEnv specifies environment variables for the Ray container, + # Follows standard K8s container env schema. + containerEnv: [ ] + # - name: EXAMPLE_ENV + # value: "1" + envFrom: [ ] + # - secretRef: + # name: my-env-secret + # ports optionally allows specifying ports for the Ray container. + # ports: [] + # resource requests and limits for the Ray head container. + # Modify as needed for your application. + # Note that the resources in this example are much too small for production; + # we don't recommend allocating less than 8G memory for a Ray pod in production. + # Ray pods should be sized to take up entire K8s nodes when possible. + # Always set CPU and memory limits for Ray pods. + # It is usually best to set requests equal to limits. + # See https://docs.ray.io/en/latest/cluster/kubernetes/user-guides/config.html#resources + # for further guidance. 
+ resources: + limits: + cpu: 1 + memory: "2G" + requests: + cpu: 1 + memory: "2G" + annotations: { } + nodeSelector: { } + tolerations: [ ] + affinity: { } + # Ray container security context. + securityContext: { } + volumes: + - name: log-volume + emptyDir: { } + # Ray writes logs to /tmp/ray/session_latests/logs + volumeMounts: + - mountPath: /tmp/ray + name: log-volume + sidecarContainers: [ ] + # See docs/guidance/pod-command.md for more details about how to specify + # container command for worker Pod. + command: [ ] + args: [ ] # =================== # Kuberay Operator From 96c33e3ea237e22323a9955f2eed482eff28155d Mon Sep 17 00:00:00 2001 From: david <9059044+Tansito@users.noreply.github.com> Date: Wed, 3 May 2023 18:24:51 +0200 Subject: [PATCH 13/31] Keycloak realm configuration --- .../templates/keycloakrealm.yaml | 484 +++++------------- .../helm/quantumserverless/values-ibm.yaml | 1 + .../helm/quantumserverless/values.yaml | 1 + 3 files changed, 128 insertions(+), 358 deletions(-) diff --git a/infrastructure/helm/quantumserverless/templates/keycloakrealm.yaml b/infrastructure/helm/quantumserverless/templates/keycloakrealm.yaml index 0561291c3..4160b93f0 100644 --- a/infrastructure/helm/quantumserverless/templates/keycloakrealm.yaml +++ b/infrastructure/helm/quantumserverless/templates/keycloakrealm.yaml 
@@ -303,42 +303,17 @@ data: "attributes": {} } ], - "grafana": [ - { - "id": "ecfdce07-baeb-4a4b-960b-5bdc2de6befd", - "name": "admin", - "composite": false, - "clientRole": true, - "containerId": "8cdd967a-f612-4e76-88b2-593ab9846d6c", - "attributes": {} - }, - { - "id": "74161e7e-4138-4fe5-8ca1-6a1fae06a9b1", - "name": "grafanaadmin", - "composite": false, - "clientRole": true, - "containerId": "8cdd967a-f612-4e76-88b2-593ab9846d6c", - "attributes": {} - }, - { - "id": "5a0d16b7-c492-4a33-9e56-0bad3c2edbae", - "name": "viewer", - "composite": false, - "clientRole": true, - "containerId": "8cdd967a-f612-4e76-88b2-593ab9846d6c", - "attributes": {} - }, + "security-admin-console": [], + "grafana-client": [ { - "id": "089e2d80-2877-41a5-a998-c6c938c29ed0", - "name": "editor", + "id": "4931e4ec-98c8-43c8-98c5-c2ca9be6f7b9", + "name": "grafana-admin", "composite": false, "clientRole": true, - "containerId": "8cdd967a-f612-4e76-88b2-593ab9846d6c", + "containerId": "5772c5c8-4e53-49be-befc-3bf9442b0551", "attributes": {} } ], - "rayclient": [], - "security-admin-console": [], "admin-cli": [], "account-console": [], "broker": [ @@ -439,8 +414,7 @@ data: "containerId": "8cb563b9-d51a-4d1a-891d-39f40e0b5d6c", "attributes": {} } - ], - "rayapiserver": [] + ] } }, "groups": [], @@ -463,8 +437,8 @@ data: "otpPolicyPeriod": 30, "otpPolicyCodeReusable": false, "otpSupportedApplications": [ - "totpAppFreeOTPName", - "totpAppGoogleName" + "totpAppGoogleName", + "totpAppFreeOTPName" ], "webAuthnPolicyRpEntityName": "keycloak", "webAuthnPolicySignatureAlgorithms": [ 
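Review bot: The client role is now named `grafana-admin` under `grafana-client`, whereas the `role_attribute_path` shown earlier in this series matches `'grafanaadmin'`, `'admin'` and `'editor'`; if that expression is unchanged in the commits not visible here, no user can map to anything above `Viewer`. The `admin`, `editor` and `viewer` client roles are dropped as well. Either keep the role names the Grafana mapping expects or update the mapping in the same commit. This file is an embedded realm export, and the roles object begins above this hunk.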
@@ -490,58 +464,6 @@ data: "webAuthnPolicyPasswordlessCreateTimeout": 0, "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false, "webAuthnPolicyPasswordlessAcceptableAaguids": [], - "users": [ - { - "id": "117269c7-3630-4810-a537-1be0f0749371", - "createdTimestamp": 1676908028992, - "username": "service-account-rayapiserver", - "enabled": true, - "totp": false, - "emailVerified": false, - "serviceAccountClientId": "rayapiserver", - "disableableCredentialTypes": [], - "requiredActions": [], - "realmRoles": [ - "default-roles-quantumserverless" - ], - "notBefore": 0, - "groups": [] - }, - { - "username": "{{ .Values.keycloakUserID }}", - "enabled": true, - "email": "user@quatunserverless.org", - "emailVerified": true, - "credentials": [ - { - "type": "password", - "value": "{{ .Values.keycloakUserPassword }}" - } - ], - "clientRoles": { - "realm-management": [ "realm-admin" ], - "grafana": [ "editor" ], - "account": [ "manage-account" ] - } - }, - { - "username": "{{ .Values.keycloakAdminID }}", - "enabled": true, - "email": "admin@quatunserverless.org", - "emailVerified": true, - "credentials": [ - { - "type": "password", - "value": "{{ .Values.keycloakAdminPassword }}" - } - ], - "clientRoles": { - "realm-management": [ "realm-admin" ], - "grafana": [ "grafanaadmin" ], - "account": [ "manage-account" ] - } - } - ], "scopeMappings": [ { "clientScope": "offline_access", @@ -742,8 +664,8 @@ data: ] }, { - "id": "0bba5367-21c5-4223-98b7-2b47b30b6f69", - "clientId": "{{ .Values.gateway.application.keycloak.clientName }}", + "id": "3e8d8d23-3e5d-4f54-882a-7953c0c0f5b3", + "clientId": "gateway-client", "name": "", "description": "", "rootUrl": "", @@ -753,7 +675,7 @@ data: "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", - "secret": "{{ .Values.gateway.application.keycloak.clientSecret }}", + "secret": "{{ .Values.gatewayClientSecret }}", "redirectUris": [ "*" ], 
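Review bot: The realm now takes the gateway client's secret from `.Values.gatewayClientSecret`, while the gateway's own setting (`clientSecret: "secret"` under `gateway … keycloak`, seen in an earlier commit of this series) is a separate key, so the two can drift and, with the defaults visible here, they differ. Reading both from one value, or documenting that they must match, avoids a silent authentication failure. The default `GATEWAYSECRET-CHANGEME` added to the values files is also a usable credential if left as is; an empty default combined with Helm's `required` (`{{ required "gatewayClientSecret must be set" .Values.gatewayClientSecret }}`) would force operators to supply one. `clientId` is likewise hard-coded to `gateway-client` instead of being read from values.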
@@ -795,161 +717,8 @@ data: ] }, { - "id": "8cdd967a-f612-4e76-88b2-593ab9846d6c", - "clientId": "grafana", - "name": "", - "description": "", - "rootUrl": "http://localhost:32294/", - "adminUrl": "http://localhost:32294/", - "baseUrl": "http://localhost:32294/", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "{{ .Values.grafanaClientSecret }}", - "redirectUris": [ - "http://localhost:32294/*" - ], - "webOrigins": [ - "http://localhost:32294/" - ], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": true, - "implicitFlowEnabled": false, - "directAccessGrantsEnabled": true, - "serviceAccountsEnabled": false, - "publicClient": false, - "frontchannelLogout": true, - "protocol": "openid-connect", - "attributes": { - "oidc.ciba.grant.enabled": "false", - "client.secret.creation.time": "1680193503", - "backchannel.logout.session.required": "true", - "display.on.consent.screen": "false", - "oauth2.device.authorization.grant.enabled": "false", - "backchannel.logout.revoke.offline.tokens": "false" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "defaultClientScopes": [ - "roles", - "profile", - "email" - ], - "optionalClientScopes": [ - "web-origins", - "acr", - "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "4f64e9b4-034d-48fd-b00b-0582e1017b71", - "clientId": "rayapiserver", - "name": "", - "description": "", - "rootUrl": "", - "adminUrl": "", - "baseUrl": "", - "surrogateAuthRequired": false, - "enabled": true, - "alwaysDisplayInConsole": false, - "clientAuthenticatorType": "client-secret", - "secret": "{{ .Values.keycloakApiServerSecret }}", - "redirectUris": [], - "webOrigins": [], - "notBefore": 0, - "bearerOnly": false, - "consentRequired": false, - "standardFlowEnabled": false, - "implicitFlowEnabled": false, - 
"directAccessGrantsEnabled": false, - "serviceAccountsEnabled": true, - "publicClient": false, - "frontchannelLogout": true, - "protocol": "openid-connect", - "attributes": { - "oidc.ciba.grant.enabled": "false", - "client.secret.creation.time": "1676907939", - "backchannel.logout.session.required": "true", - "post.logout.redirect.uris": "+", - "display.on.consent.screen": "false", - "oauth2.device.authorization.grant.enabled": "false", - "backchannel.logout.revoke.offline.tokens": "false" - }, - "authenticationFlowBindingOverrides": {}, - "fullScopeAllowed": true, - "nodeReRegistrationTimeout": -1, - "protocolMappers": [ - { - "id": "d9421bc1-c83e-4c5d-8f23-0338e2dc0a22", - "name": "Client IP Address", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientAddress", - "userinfo.token.claim": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientAddress", - "jsonType.label": "String" - } - }, - { - "id": "19625f49-50fd-467d-81ca-24c84139133f", - "name": "Client Host", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientHost", - "userinfo.token.claim": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientHost", - "jsonType.label": "String" - } - }, - { - "id": "48c6d133-d94e-4450-8bfe-16ab8c8ae2ad", - "name": "Client ID", - "protocol": "openid-connect", - "protocolMapper": "oidc-usersessionmodel-note-mapper", - "consentRequired": false, - "config": { - "user.session.note": "clientId", - "userinfo.token.claim": "true", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "clientId", - "jsonType.label": "String" - } - } - ], - "defaultClientScopes": [ - "web-origins", - "acr", - "roles", - "profile", - "email", - "rayapiserver" - ], - "optionalClientScopes": [ 
- "address", - "phone", - "offline_access", - "microprofile-jwt" - ] - }, - { - "id": "5d01b1dd-fbc8-48b6-bf55-2748057607a8", - "clientId": "rayclient", + "id": "5772c5c8-4e53-49be-befc-3bf9442b0551", + "clientId": "grafana-client", "name": "", "description": "", "rootUrl": "", @@ -959,9 +728,9 @@ data: "enabled": true, "alwaysDisplayInConsole": false, "clientAuthenticatorType": "client-secret", - "secret": "{{ .Values.keycloakClientSecret }}", + "secret": "{{ .Values.grafanaClientSecret }}", "redirectUris": [ - "http://localhost/oauth2/callback" + "*" ], "webOrigins": [], "notBefore": 0, @@ -976,9 +745,9 @@ data: "protocol": "openid-connect", "attributes": { "oidc.ciba.grant.enabled": "false", - "client.secret.creation.time": "1675977386", + "client.secret.creation.time": "1682082959", "backchannel.logout.session.required": "true", - "post.logout.redirect.uris": "+", + "post.logout.redirect.uris": "*", "display.on.consent.screen": "false", "oauth2.device.authorization.grant.enabled": "false", "backchannel.logout.revoke.offline.tokens": "false" @@ -1166,12 +935,11 @@ data: "protocolMapper": "oidc-usermodel-client-role-mapper", "consentRequired": false, "config": { - "multivalued": "true", - "userinfo.token.claim": "true", - "id.token.claim": "true", + "user.attribute": "foo", "access.token.claim": "true", - "claim.name": "roles", - "jsonType.label": "String" + "claim.name": "resource_access.${client_id}.roles", + "jsonType.label": "String", + "multivalued": "true" } }, { 
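Review bot: For `grafana-client` the redirect list changes from the fixed `http://localhost/oauth2/callback` to `"*"`, and `post.logout.redirect.uris` from `"+"` to `"*"`; a wildcard allows the authorization response to be delivered to arbitrary URLs, which defeats redirect-URI validation for this client. Register the concrete Grafana callback instead, templated from values if the host varies, e.g. `"{{ .Values.grafanaRedirectUri }}"` (a placeholder name, no such value exists in this chart yet), and set the logout attribute back to `"+"` so it follows the same list. The `gateway-client` entry earlier in this file already carries `"*"` in its context lines and deserves the same fix. The client object starts and ends outside this hunk.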
@@ -1190,80 +958,6 @@ data: } ] }, - { - "id": "6ebb70be-c92a-454c-b759-2a094afe96a9", - "name": "address", - "description": "OpenID Connect built-in scope: address", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "true", - "consent.screen.text": "${addressScopeConsentText}" - }, - "protocolMappers": [ - { - "id": "0aa5d230-954d-42fa-8cfa-9ad77ab61128", - "name": "address", - "protocol": "openid-connect", - "protocolMapper": "oidc-address-mapper", - "consentRequired": false, - "config": { - "user.attribute.formatted": "formatted", - "user.attribute.country": "country", - "user.attribute.postal_code": "postal_code", - "userinfo.token.claim": "true", - "user.attribute.street": "street", - "id.token.claim": "true", - "user.attribute.region": "region", - "access.token.claim": "true", - "user.attribute.locality": "locality" - } - } - ] - }, - { - "id": "915b3bf7-466f-4a44-b52e-ac4ccab2307e", - "name": "microprofile-jwt", - "description": "Microprofile - JWT built-in scope", - "protocol": "openid-connect", - "attributes": { - "include.in.token.scope": "true", - "display.on.consent.screen": "false" - }, - "protocolMappers": [ - { - "id": "df0e9106-4fd5-4cfa-9554-939902d3f72f", - "name": "groups", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-realm-role-mapper", - "consentRequired": false, - "config": { - "multivalued": "true", - "userinfo.token.claim": "true", - "user.attribute": "foo", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "groups", - "jsonType.label": "String" - } - }, - { - "id": "e894e9a1-185b-40e4-b090-13a5dcb05e24", - "name": "upn", - "protocol": "openid-connect", - "protocolMapper": "oidc-usermodel-property-mapper", - "consentRequired": false, - "config": { - "userinfo.token.claim": "true", - "user.attribute": "username", - "id.token.claim": "true", - "access.token.claim": "true", - "claim.name": "upn", - "jsonType.label": "String" - } - 
} - ] - }, { "id": "72852fcc-364d-4f5f-af44-28a13a477d8d", "name": "profile", 
@@ -1484,6 +1178,80 @@ data: } ] }, + { + "id": "6ebb70be-c92a-454c-b759-2a094afe96a9", + "name": "address", + "description": "OpenID Connect built-in scope: address", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "true", + "consent.screen.text": "${addressScopeConsentText}" + }, + "protocolMappers": [ + { + "id": "0aa5d230-954d-42fa-8cfa-9ad77ab61128", + "name": "address", + "protocol": "openid-connect", + "protocolMapper": "oidc-address-mapper", + "consentRequired": false, + "config": { + "user.attribute.formatted": "formatted", + "user.attribute.country": "country", + "user.attribute.postal_code": "postal_code", + "userinfo.token.claim": "true", + "user.attribute.street": "street", + "id.token.claim": "true", + "user.attribute.region": "region", + "access.token.claim": "true", + "user.attribute.locality": "locality" + } + } + ] + }, + { + "id": "915b3bf7-466f-4a44-b52e-ac4ccab2307e", + "name": "microprofile-jwt", + "description": "Microprofile - JWT built-in scope", + "protocol": "openid-connect", + "attributes": { + "include.in.token.scope": "true", + "display.on.consent.screen": "false" + }, + "protocolMappers": [ + { + "id": "df0e9106-4fd5-4cfa-9554-939902d3f72f", + "name": "groups", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-realm-role-mapper", + "consentRequired": false, + "config": { + "multivalued": "true", + "userinfo.token.claim": "true", + "user.attribute": "foo", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "groups", + "jsonType.label": "String" + } + }, + { + "id": "e894e9a1-185b-40e4-b090-13a5dcb05e24", + "name": "upn", + "protocol": "openid-connect", + "protocolMapper": "oidc-usermodel-property-mapper", + "consentRequired": false, + "config": { + "userinfo.token.claim": "true", + "user.attribute": "username", + "id.token.claim": "true", + "access.token.claim": "true", + "claim.name": "upn", + "jsonType.label": "String" + } 
+ } + ] + }, { "id": "739c27ab-3430-4fda-8b9a-36f8c8e756bf", "name": "phone", @@ -1701,14 +1469,14 @@ data: "subComponents": {}, "config": { "allowed-protocol-mapper-types": [ + "saml-user-attribute-mapper", + "oidc-usermodel-property-mapper", "oidc-usermodel-attribute-mapper", "oidc-address-mapper", - "oidc-usermodel-property-mapper", - "saml-role-list-mapper", - "saml-user-attribute-mapper", "oidc-full-name-mapper", - "saml-user-property-mapper", - "oidc-sha256-pairwise-sub-mapper" + "oidc-sha256-pairwise-sub-mapper", + "saml-role-list-mapper", + "saml-user-property-mapper" ] } }, @@ -1761,13 +1529,13 @@ data: "config": { "allowed-protocol-mapper-types": [ "oidc-usermodel-property-mapper", - "oidc-sha256-pairwise-sub-mapper", - "saml-user-property-mapper", "oidc-address-mapper", - "saml-role-list-mapper", + "saml-user-property-mapper", + "oidc-sha256-pairwise-sub-mapper", "saml-user-attribute-mapper", "oidc-usermodel-attribute-mapper", - "oidc-full-name-mapper" + "oidc-full-name-mapper", + "saml-role-list-mapper" ] } }, @@ -1841,7 +1609,7 @@ data: "supportedLocales": [], "authenticationFlows": [ { - "id": "48db3a70-9f86-49a6-91b5-3b5adfc455be", + "id": "5ee2ce69-5690-476a-8e5d-be6e4c0fcfbe", "alias": "Account verification options", "description": "Method with which to verity the existing account", "providerId": "basic-flow", @@ -1867,7 +1635,7 @@ data: ] }, { - "id": "aaefd751-4c6f-4ab2-92ac-212f50cd609f", + "id": "8ea8c899-5308-4c5e-b2b8-4742789f033a", "alias": "Authentication Options", "description": "Authentication options.", "providerId": "basic-flow", @@ -1901,7 +1669,7 @@ data: ] }, { - "id": "60e450b5-f004-4cf0-bece-4649208299d7", + "id": "6e74ae44-cb2f-4c1e-a026-40a65fafce9e", "alias": "Browser - Conditional OTP", "description": "Flow to determine if the OTP is required for the authentication", "providerId": "basic-flow", 
@@ -1927,7 +1695,7 @@ data: ] }, { - "id": "c1903183-46ea-4e01-bbff-b12af6b5e900", + "id": "6dd45d74-f4bf-4daa-bf5c-1d330cb7ecc6", "alias": "Direct Grant - Conditional OTP", "description": "Flow to determine if the OTP is required for the authentication", "providerId": "basic-flow", @@ -1953,7 +1721,7 @@ data: ] }, { - "id": "6d87dc89-939b-40f9-ba5a-c084ac28696c", + "id": "6eccf40e-01d4-4e4d-a837-e73564d760cc", "alias": "First broker login - Conditional OTP", "description": "Flow to determine if the OTP is required for the authentication", "providerId": "basic-flow", @@ -1979,7 +1747,7 @@ data: ] }, { - "id": "f04c79f1-6bab-409a-90b0-654fe572c56e", + "id": "5b1029a0-c1ce-4c1b-beba-c373afd8a295", "alias": "Handle Existing Account", "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider", "providerId": "basic-flow", @@ -2005,7 +1773,7 @@ data: ] }, { - "id": "8a8fa511-fed4-4948-8854-6f8cafa95789", + "id": "66482ca7-bb0d-400b-97bb-4cf545c9ef06", "alias": "Reset - Conditional OTP", "description": "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.", "providerId": "basic-flow", @@ -2031,7 +1799,7 @@ data: ] }, { - "id": "1861bc61-0030-4732-bc13-c8ed1655f594", + "id": "00688c8a-b4e5-456b-8ff2-7dce8cc2f3ca", "alias": "User creation or linking", "description": "Flow for the existing/non-existing user alternatives", "providerId": "basic-flow", @@ -2058,7 +1826,7 @@ data: ] }, { - "id": "4e690d30-6e66-472d-a0cf-1247207dbbd8", + "id": "591bea17-4cfc-4caf-8f3e-b5ba96b2a730", "alias": "Verify Existing Account by Re-authentication", "description": "Reauthentication of existing account", "providerId": "basic-flow", @@ -2084,7 +1852,7 @@ data: ] }, { - "id": "4cef73bb-1a67-402b-85ff-6923364414ad", + "id": "5dbb8459-72fb-4f0a-bec3-e7e814bdb048", "alias": "browser", "description": "browser based authentication", "providerId": "basic-flow", 
@@ -2126,7 +1894,7 @@ data: ] }, { - "id": "3dc417b8-1fa0-470a-b145-cfd1983935c2", + "id": "c76a96f4-adfc-42b1-bd6e-bee230a01d72", "alias": "clients", "description": "Base authentication for clients", "providerId": "client-flow", @@ -2168,7 +1936,7 @@ data: ] }, { - "id": "f5bb2d47-ffbe-426e-84a4-8cf2c51da609", + "id": "c0fc1a7f-7df2-4584-86e3-3b8e2ee24e6a", "alias": "direct grant", "description": "OpenID Connect Resource Owner Grant", "providerId": "basic-flow", @@ -2202,7 +1970,7 @@ data: ] }, { - "id": "4c161d45-b57d-434d-a32e-908af332bf55", + "id": "da493b05-f4f4-4228-8dbf-dbb14db7ab8d", "alias": "docker auth", "description": "Used by Docker clients to authenticate against the IDP", "providerId": "basic-flow", @@ -2220,7 +1988,7 @@ data: ] }, { - "id": "2e0f3317-75b2-40c2-bee8-783e67f6e925", + "id": "1a199e5b-3b3c-43c3-a652-f6a17f0c9e8d", "alias": "first broker login", "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account", "providerId": "basic-flow", @@ -2247,7 +2015,7 @@ data: ] }, { - "id": "45a50fbd-7d3e-420d-a408-90e3ac36db69", + "id": "e07eb84a-aaee-4954-8443-de77832e5232", "alias": "forms", "description": "Username, password, otp and other auth forms.", "providerId": "basic-flow", @@ -2273,7 +2041,7 @@ data: ] }, { - "id": "299a83e2-ebf8-4077-b974-1f05a6557b7d", + "id": "5b29b609-24ca-4f89-b12c-c9379e39b446", "alias": "http challenge", "description": "An authentication flow based on challenge-response HTTP Authentication Schemes", "providerId": "basic-flow", @@ -2299,7 +2067,7 @@ data: ] }, { - "id": "abf42ef9-21f2-4c95-872f-312a96b7ad52", + "id": "4028b93d-665a-4224-8415-926705ea956d", "alias": "registration", "description": "registration flow", "providerId": "basic-flow", 
@@ -2318,7 +2086,7 @@ data: ] }, { - "id": "e1aaa56d-cd27-4ff4-9faa-16f4c2f65e0a", + "id": "50190c0a-dc27-4bc6-b863-5469ca711d9d", "alias": "registration form", "description": "registration form", "providerId": "form-flow", @@ -2360,7 +2128,7 @@ data: ] }, { - "id": "33735fcc-4a62-48f4-afd5-d1054cb6da92", + "id": "f1b2ce41-8012-45cd-98ef-0abefcbdaa39", "alias": "reset credentials", "description": "Reset credentials for a user if they forgot their password or something", "providerId": "basic-flow", @@ -2402,7 +2170,7 @@ data: ] }, { - "id": "a719eea3-840e-448e-be51-fd0420616e37", + "id": "d65a5e36-77d4-4632-958a-296780849975", "alias": "saml ecp", "description": "SAML ECP Profile Authentication Flow", "providerId": "basic-flow", @@ -2422,14 +2190,14 @@ data: ], "authenticatorConfig": [ { - "id": "8ceb2673-3b4b-4839-b6f3-dca9f2678a62", + "id": "bf975551-0e39-43aa-885f-b59db7d1707c", "alias": "create unique user config", "config": { "require.password.update.after.registration": "false" } }, { - "id": "e3d9b8d1-fb1f-4272-9f31-5c607c774455", + "id": "f4a1c9bb-243b-430d-b715-413ab451bf31", "alias": "review profile config", "config": { "update.profile.on.first.login": "missing" diff --git a/infrastructure/helm/quantumserverless/values-ibm.yaml b/infrastructure/helm/quantumserverless/values-ibm.yaml index cdf5b4f49..797f348c1 100644 --- a/infrastructure/helm/quantumserverless/values-ibm.yaml +++ b/infrastructure/helm/quantumserverless/values-ibm.yaml @@ -250,6 +250,7 @@ keycloakEnable: true keycloakClientSecret: CLIENTSECRET-CHANGEME keycloakApiServerSecret: APISERVERSECRET-CHANGEME grafanaClientSecret: GRAFANASECRET-CHANGEME +gatewayClientSecret: GATEWAYSECRET-CHANGEME keycloakAdminID: admin keycloakAdminPassword: passw0rd keycloakUserID: user diff --git a/infrastructure/helm/quantumserverless/values.yaml b/infrastructure/helm/quantumserverless/values.yaml index 2c42aa102..822055c68 100644 --- a/infrastructure/helm/quantumserverless/values.yaml 
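Review bot: The added `gatewayClientSecret: GATEWAYSECRET-CHANGEME` in values-ibm.yaml is a working default, so a release installed without overriding it runs with an OIDC client secret that is public in the repository. Nothing visible in the hunk forces an override. Leaving the value empty and rendering it with `{{ required "gatewayClientSecret must be set" .Values.gatewayClientSecret }}` in the template that consumes it would make such an install fail instead of silently using the placeholder. The same applies to the matching values.yaml hunk of this commit and to the `clientSecret: GATEWAYSECRET-CHANGEME` lines added later in the series. The neighbouring context line `keycloakAdminPassword: passw0rd` has the same weakness.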
+++ b/infrastructure/helm/quantumserverless/values.yaml @@ -239,6 +239,7 @@ kuberay-apiserver: keycloakEnable: true keycloakClientSecret: CLIENTSECRET-CHANGEME keycloakApiServerSecret: APISERVERSECRET-CHANGEME +gatewayClientSecret: GATEWAYSECRET-CHANGEME grafanaClientSecret: GRAFANASECRET-CHANGEME keycloakAdminID: admin keycloakAdminPassword: passw0rd From 034acb6f54aac9ce6f736958a2b28c972ad2dab6 Mon Sep 17 00:00:00 2001 From: david <9059044+Tansito@users.noreply.github.com> Date: Wed, 3 May 2023 18:28:29 +0200 Subject: [PATCH 14/31] Simplified kuberay-api-server without default values --- .../helm/quantumserverless/values-ibm.yaml | 21 ------------------- .../helm/quantumserverless/values.yaml | 21 ------------------- 2 files changed, 42 deletions(-) diff --git a/infrastructure/helm/quantumserverless/values-ibm.yaml b/infrastructure/helm/quantumserverless/values-ibm.yaml index 797f348c1..cc95ec5a5 100644 --- a/infrastructure/helm/quantumserverless/values-ibm.yaml +++ b/infrastructure/helm/quantumserverless/values-ibm.yaml @@ -201,28 +201,10 @@ kuberay-apiserver: repository: kuberay/apiserver tag: v0.5.0 pullPolicy: IfNotPresent - rbacEnable: true - ## Install Default RBAC roles and bindings - rbac: - create: true - apiVersion: v1 - serviceAccount: - # Specifies whether a service account should be created - create: true - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "kuberay-apiserver" containerPort: - containerPort: 8888 - containerPort: 8887 - containerPort: 4180 - resources: - limits: - cpu: 500m - memory: 500Mi - requests: - cpu: 300m - memory: 300Mi service: type: NodePort ports: @@ -238,9 +220,6 @@ kuberay-apiserver: port: 4180 targetPort: 4180 nodePort: 30634 - ingress: - enabled: false - replicaCount: 1 # =================== # Keycloak 
diff --git a/infrastructure/helm/quantumserverless/values.yaml b/infrastructure/helm/quantumserverless/values.yaml index 822055c68..901aeaf1d 100644 --- a/infrastructure/helm/quantumserverless/values.yaml +++ b/infrastructure/helm/quantumserverless/values.yaml @@ -191,28 +191,10 @@ kuberay-apiserver: repository: kuberay/apiserver tag: v0.5.0 pullPolicy: IfNotPresent - rbacEnable: true - ## Install Default RBAC roles and bindings - rbac: - create: true - apiVersion: v1 - serviceAccount: - # Specifies whether a service account should be created - create: true - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "kuberay-apiserver" containerPort: - containerPort: 8888 - containerPort: 8887 - containerPort: 4180 - resources: - limits: - cpu: 500m - memory: 500Mi - requests: - cpu: 300m - memory: 300Mi service: type: NodePort ports: @@ -228,9 +210,6 @@ kuberay-apiserver: port: 4180 targetPort: 4180 nodePort: 30634 - ingress: - enabled: false - replicaCount: 1 # =================== # Keycloak From 4ab10b36f308872d03ef3bc1e3cc54079a8499aa Mon Sep 17 00:00:00 2001 From: david <9059044+Tansito@users.noreply.github.com> Date: Fri, 5 May 2023 16:52:25 +0200 Subject: [PATCH 15/31] Uploaded keycloakRealm --- .../templates/keycloakrealm.yaml | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/infrastructure/helm/quantumserverless/templates/keycloakrealm.yaml b/infrastructure/helm/quantumserverless/templates/keycloakrealm.yaml index 4160b93f0..178d522c6 100644 --- a/infrastructure/helm/quantumserverless/templates/keycloakrealm.yaml +++ b/infrastructure/helm/quantumserverless/templates/keycloakrealm.yaml 
@@ -464,6 +464,54 @@ data: "webAuthnPolicyPasswordlessCreateTimeout": 0, "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false, "webAuthnPolicyPasswordlessAcceptableAaguids": [], + "users": [ + { + "username": "{{ .Values.keycloakUserID }}", + "enabled": true, + "email": "user@quantumserverless.org", + "emailVerified": true, + "credentials": [ + { + "type": "password", + "value": "{{ .Values.keycloakUserPassword }}" + } + ], + "clientRoles": { + "realm-management": [ + "realm-admin" + ], + "grafana": [ + "editor" + ], + "account": [ + "manage-account" + ] + } + }, + { + "username": "{{ .Values.keycloak.auth.adminUser }}", + "enabled": true, + "email": "admin@quantumserverless.org", + "emailVerified": true, + "credentials": [ + { + "type": "password", + "value": "{{ .Values.keycloak.auth.adminPassword }}" + } + ], + "clientRoles": { + "realm-management": [ + "realm-admin" + ], + "grafana": [ + "grafanaadmin" + ], + "account": [ + "manage-account" + ] + } + } + ], "scopeMappings": [ { "clientScope": "offline_access", From e784798f5f87843b9db6524aab73fccad731a8ec Mon Sep 17 00:00:00 2001 From: david <9059044+Tansito@users.noreply.github.com> Date: Fri, 5 May 2023 16:52:57 +0200 Subject: [PATCH 16/31] Fixed DEBUG configuration in repository --- repository/main/settings.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/repository/main/settings.py b/repository/main/settings.py index e1cbf2f9b..d1d977349 100644 --- a/repository/main/settings.py +++ b/repository/main/settings.py @@ -23,7 +23,7 @@ SECRET_KEY = "django-insecure-o%6p_(-fq39^ihz_ca3@mp14%+nks%!a-i9gma@*1qp9g9-(p2" # SECURITY WARNING: don't run with debug turned on in production! -DEBUG = True +DEBUG = int(os.environ.get("DEBUG", 1)) ALLOWED_HOSTS = os.environ.get("ALLOWED_HOSTS", "*").split(",") From e70784f074a67150a5b53813f951ae94cbe134a5 Mon Sep 17 00:00:00 2001 
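Review bot: The two `"value": "{{ .Values.… }}"` lines in the new `users` array write the passwords unescaped into the realm JSON, so a password containing `"` or `\` yields an invalid import document. Rendering them as `"value": {{ .Values.keycloakUserPassword | toJson }}` (and likewise for `.Values.keycloak.auth.adminPassword`) keeps the JSON valid for any value. The cleartext also ends up in whatever object this `data:` block belongs to. The hunk does not show the resource kind, but if it is a ConfigMap the realm import would be better carried in a Secret. Separately, the `keycloakUserID` account is given `realm-management: realm-admin`, which looks broader than a regular user needs.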
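Review bot: `DEBUG = int(os.environ.get("DEBUG", 1))` still defaults to debug on, so any deployment that does not set the variable serves Django's detailed error pages, which is what the warning comment just above it cautions against. A value such as `DEBUG=false` also raises `ValueError` when the settings are imported. Defaulting to off and comparing strings avoids both: `DEBUG = os.environ.get("DEBUG", "0") == "1"`. A one-line comment naming the accepted values would help whoever sets the variable in the chart.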
From: david <9059044+Tansito@users.noreply.github.com> Date: Mon, 8 May 2023 12:33:56 +0200 Subject: [PATCH 17/31] Fixed keycloak realm users configuration --- .../templates/keycloakrealm.yaml | 15 ++++----------- 1 file changed, 4 insertions(+), 11 deletions(-) diff --git a/infrastructure/helm/quantumserverless/templates/keycloakrealm.yaml b/infrastructure/helm/quantumserverless/templates/keycloakrealm.yaml index 178d522c6..3193b0bb5 100644 --- a/infrastructure/helm/quantumserverless/templates/keycloakrealm.yaml +++ b/infrastructure/helm/quantumserverless/templates/keycloakrealm.yaml @@ -90,7 +90,6 @@ data: } ], "client": { - "{{ .Values.gateway.application.keycloak.clientName }}": [], "realm-management": [ { "id": "4354f1b3-b8d1-45c0-996f-2b37282b2039", @@ -477,14 +476,11 @@ data: } ], "clientRoles": { - "realm-management": [ - "realm-admin" - ], - "grafana": [ - "editor" + "gateway-client": [ + "default-roles-quantumserverless" ], - "account": [ - "manage-account" + "grafana-client": [ + "default-roles-quantumserverless" ] } }, @@ -503,9 +499,6 @@ data: "realm-management": [ "realm-admin" ], - "grafana": [ - "grafanaadmin" - ], "account": [ "manage-account" ] From 34773bca625a9c85d42047a978ec5ff28437ea7f Mon Sep 17 00:00:00 2001 From: david <9059044+Tansito@users.noreply.github.com> Date: Mon, 8 May 2023 12:37:16 +0200 Subject: [PATCH 18/31] Use ARGS instead of COMMAND --- .../quantumserverless/charts/gateway/templates/deployment.yaml | 2 +- .../charts/repository/templates/deployment.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/infrastructure/helm/quantumserverless/charts/gateway/templates/deployment.yaml b/infrastructure/helm/quantumserverless/charts/gateway/templates/deployment.yaml index 33f4246be..c36eab6ab 100644 --- a/infrastructure/helm/quantumserverless/charts/gateway/templates/deployment.yaml +++ b/infrastructure/helm/quantumserverless/charts/gateway/templates/deployment.yaml 
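Review bot: In the `@@ -476,14 +476,11 @@` hunk the user's `clientRoles` now list `default-roles-quantumserverless` under `gateway-client` and `grafana-client`, but nothing visible defines a client role of that name on either client. The first hunk of this commit even removes the gateway client's entry from the `client` roles map. The name follows the pattern of the realm's default role, so this may need to be a realm-level assignment, `"realmRoles": ["default-roles-quantumserverless"]`, rather than a client role. This is inferred from the hunks only, so it is worth confirming against a test import, since the client definitions are outside the hunk.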
@@ -33,7 +33,7 @@ spec: {{- toYaml .Values.securityContext | nindent 12 }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} - command: [ "gunicorn", "main.wsgi:application", "--bind", "0.0.0.0:8000", "--workers=4" ] + args: [ "gunicorn", "main.wsgi:application", "--bind", "0.0.0.0:8000", "--workers=4" ] ports: - name: http containerPort: {{ .Values.service.port }} diff --git a/infrastructure/helm/quantumserverless/charts/repository/templates/deployment.yaml b/infrastructure/helm/quantumserverless/charts/repository/templates/deployment.yaml index 903797e91..a8b31ed16 100644 --- a/infrastructure/helm/quantumserverless/charts/repository/templates/deployment.yaml +++ b/infrastructure/helm/quantumserverless/charts/repository/templates/deployment.yaml @@ -33,7 +33,7 @@ spec: {{- toYaml .Values.securityContext | nindent 12 }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} - command: [ "gunicorn", "main.wsgi:application", "--bind", "0.0.0.0:8060", "--workers=4" ] + args: [ "gunicorn", "main.wsgi:application", "--bind", "0.0.0.0:8060", "--workers=4" ] ports: - name: http containerPort: {{ .Values.service.port }} From 4b713f95369b2be747581549609ee6e1d47e9956 Mon Sep 17 00:00:00 2001 From: david <9059044+Tansito@users.noreply.github.com> Date: Mon, 8 May 2023 13:55:05 +0200 Subject: [PATCH 19/31] Updated values --- .../helm/quantumserverless/values-ibm.yaml | 12 ++++-------- infrastructure/helm/quantumserverless/values.yaml | 10 +++------- 2 files changed, 7 insertions(+), 15 deletions(-) diff --git a/infrastructure/helm/quantumserverless/values-ibm.yaml b/infrastructure/helm/quantumserverless/values-ibm.yaml index cc95ec5a5..2a885300f 100644 --- a/infrastructure/helm/quantumserverless/values-ibm.yaml +++ b/infrastructure/helm/quantumserverless/values-ibm.yaml 
@@ -49,7 +49,7 @@ gateway: clientId: "gateway-client" url: "http://RELEASE_NAME-keycloak:31059" realm: "quantumserverless" - clientSecret: "secret" + clientSecret: GATEWAYSECRET-CHANGEME superuser: username: "admin" password: "passw0rd" @@ -226,12 +226,8 @@ kuberay-apiserver: # =================== keycloakEnable: true -keycloakClientSecret: CLIENTSECRET-CHANGEME -keycloakApiServerSecret: APISERVERSECRET-CHANGEME -grafanaClientSecret: GRAFANASECRET-CHANGEME gatewayClientSecret: GATEWAYSECRET-CHANGEME -keycloakAdminID: admin -keycloakAdminPassword: passw0rd +grafanaClientSecret: GRAFANASECRET-CHANGEME keycloakUserID: user keycloakUserPassword: passw0rd keycloak: @@ -290,12 +286,12 @@ kube-prometheus-stack: enabled: "true" name: Keycloak-OAuth allow_sign_up: "true" - client_id: grafana + client_id: grafana-client client_secret: GRAFANASECRET-CHANGEME api_url: "http://RELEASE_NAME-keycloak:31059/realms/quantumserverless/protocol/openid-connect/userinfo" auth_url: "http://RELEASE_NAME-keycloak:31059/realms/quantumserverless/protocol/openid-connect/auth" token_url: "http://RELEASE_NAME-keycloak:31059/realms/quantumserverless/protocol/openid-connect/token" - role_attribute_path: "contains(roles[*], 'grafanaadmin') && 'GrafanaAdmin' || contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'" + role_attribute_path: "contains(roles[*], 'grafana-admin') && 'GrafanaAdmin' || contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'" allow_assign_grafana_admin: "true" scopes: openid email profile roles email_attribute_path: user@quatunserverless.org diff --git a/infrastructure/helm/quantumserverless/values.yaml b/infrastructure/helm/quantumserverless/values.yaml index 901aeaf1d..a3e87a0ee 100644 --- a/infrastructure/helm/quantumserverless/values.yaml +++ b/infrastructure/helm/quantumserverless/values.yaml 
@@ -39,7 +39,7 @@ gateway: clientId: "gateway-client" url: "http://RELEASE_NAME-keycloak:31059" realm: "quantumserverless" - clientSecret: "secret" + clientSecret: GATEWAYSECRET-CHANGEME superuser: username: "admin" password: "passw0rd" @@ -216,12 +216,8 @@ kuberay-apiserver: # =================== keycloakEnable: true -keycloakClientSecret: CLIENTSECRET-CHANGEME -keycloakApiServerSecret: APISERVERSECRET-CHANGEME gatewayClientSecret: GATEWAYSECRET-CHANGEME grafanaClientSecret: GRAFANASECRET-CHANGEME -keycloakAdminID: admin -keycloakAdminPassword: passw0rd keycloakUserID: user keycloakUserPassword: passw0rd keycloak: @@ -280,12 +276,12 @@ kube-prometheus-stack: enabled: "true" name: Keycloak-OAuth allow_sign_up: "true" - client_id: grafana + client_id: grafana-client client_secret: GRAFANASECRET-CHANGEME api_url: "http://RELEASE_NAME-keycloak:31059/realms/quantumserverless/protocol/openid-connect/userinfo" auth_url: "http://RELEASE_NAME-keycloak:31059/realms/quantumserverless/protocol/openid-connect/auth" token_url: "http://RELEASE_NAME-keycloak:31059/realms/quantumserverless/protocol/openid-connect/token" - role_attribute_path: "contains(roles[*], 'grafanaadmin') && 'GrafanaAdmin' || contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'" + role_attribute_path: "contains(roles[*], 'grafana-admin') && 'GrafanaAdmin' || contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'" allow_assign_grafana_admin: "true" scopes: openid email profile roles email_attribute_path: user@quatunserverless.org From 1ccd1b6d63232420e15413d536b1f70a9d87eafb Mon Sep 17 00:00:00 2001 From: david <9059044+Tansito@users.noreply.github.com> Date: Mon, 8 May 2023 14:13:10 +0200 Subject: [PATCH 20/31] Remove conditional in ingress --- infrastructure/helm/quantumserverless/templates/ingress.yaml | 2 -- 1 file changed, 2 deletions(-) 
diff --git a/infrastructure/helm/quantumserverless/templates/ingress.yaml b/infrastructure/helm/quantumserverless/templates/ingress.yaml index 7964d72b4..d3b369257 100644 --- a/infrastructure/helm/quantumserverless/templates/ingress.yaml +++ b/infrastructure/helm/quantumserverless/templates/ingress.yaml @@ -1,4 +1,3 @@ -{{- if .Values.keycloakEnable }} {{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} apiVersion: networking.k8s.io/v1 {{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} @@ -46,4 +45,3 @@ spec: {{- end }} {{- end }} {{- end }} -{{- end }} \ No newline at end of file From 116c0fc487fb47fb0b99f6bfed5c06914d9693f0 Mon Sep 17 00:00:00 2001 From: david <9059044+Tansito@users.noreply.github.com> Date: Mon, 8 May 2023 14:47:51 +0200 Subject: [PATCH 21/31] Use dynamic port values in the deployment args --- .../quantumserverless/charts/gateway/templates/deployment.yaml | 2 +- .../charts/repository/templates/deployment.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/infrastructure/helm/quantumserverless/charts/gateway/templates/deployment.yaml b/infrastructure/helm/quantumserverless/charts/gateway/templates/deployment.yaml index c36eab6ab..3de0be26d 100644 --- a/infrastructure/helm/quantumserverless/charts/gateway/templates/deployment.yaml +++ b/infrastructure/helm/quantumserverless/charts/gateway/templates/deployment.yaml @@ -33,7 +33,7 @@ spec: {{- toYaml .Values.securityContext | nindent 12 }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} - args: [ "gunicorn", "main.wsgi:application", "--bind", "0.0.0.0:8000", "--workers=4" ] + args: [ "gunicorn", "main.wsgi:application", "--bind", "0.0.0.0:{{ .Values.service.port }}", "--workers=4" ] ports: - name: http containerPort: {{ .Values.service.port }} 
diff --git a/infrastructure/helm/quantumserverless/charts/repository/templates/deployment.yaml b/infrastructure/helm/quantumserverless/charts/repository/templates/deployment.yaml index a8b31ed16..a3377dee0 100644 --- a/infrastructure/helm/quantumserverless/charts/repository/templates/deployment.yaml +++ b/infrastructure/helm/quantumserverless/charts/repository/templates/deployment.yaml @@ -33,7 +33,7 @@ spec: {{- toYaml .Values.securityContext | nindent 12 }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} - args: [ "gunicorn", "main.wsgi:application", "--bind", "0.0.0.0:8060", "--workers=4" ] + args: [ "gunicorn", "main.wsgi:application", "--bind", "0.0.0.0:{{ .Values.service.port }}", "--workers=4" ] ports: - name: http containerPort: {{ .Values.service.port }} From c26aae18b5d670405e5fcfa239e20d0c908bdbe9 Mon Sep 17 00:00:00 2001 From: david <9059044+Tansito@users.noreply.github.com> Date: Mon, 8 May 2023 17:01:38 +0200 Subject: [PATCH 22/31] Added swagger to gateway --- gateway/main/settings.py | 3 +++ gateway/main/urls.py | 24 +++++++++++++++++++++++- gateway/requirements.txt | 1 + repository/main/urls.py | 2 +- 4 files changed, 28 insertions(+), 2 deletions(-) diff --git a/gateway/main/settings.py b/gateway/main/settings.py index 68e75b244..aa7422059 100644 --- a/gateway/main/settings.py +++ b/gateway/main/settings.py @@ -53,6 +53,7 @@ "allauth.socialaccount.providers.keycloak", "dj_rest_auth", "dj_rest_auth.registration", + "drf_yasg", "api", ] @@ -199,3 +200,5 @@ MEDIA_ROOT = os.path.join(BASE_DIR, "media") MEDIA_URL = "/media/" + +SWAGGER_SETTINGS = {"LOGIN_URL": "/api-auth/login/", "LOGOUT_URL": "/api-auth/logout/"} diff --git a/gateway/main/urls.py b/gateway/main/urls.py index e3468b2b8..bfe6f7b97 100644 --- a/gateway/main/urls.py +++ b/gateway/main/urls.py 
@@ -17,12 +17,23 @@ from django.conf.urls.static import static from django.contrib import admin from django.urls import path, include, re_path -from rest_framework import routers +from rest_framework import routers, permissions +from drf_yasg.views import get_schema_view +from drf_yasg import openapi from api.views import KeycloakLogin, KeycloakUsersView router = routers.DefaultRouter() +schema = get_schema_view( # pylint: disable=invalid-name + openapi.Info( + title="Gateway API", + default_version="v1", + description="List of available API endpoints for the Gateway.", + ), + public=True, + permission_classes=[permissions.AllowAny], +) urlpatterns = [ path("dj-rest-auth/", include("dj_rest_auth.urls")), @@ -33,6 +44,17 @@ path("admin/", admin.site.urls), path("", include("django_prometheus.urls")), re_path(r"^api/v1/", include(("api.v1.urls", "api"), namespace="v1")), + # docs + re_path( + r"^swagger(?P\.json|\.yaml)$", + schema.without_ui(cache_timeout=0), + name="schema-json", + ), + re_path( + r"^swagger/$", + schema.with_ui("swagger", cache_timeout=0), + name="schema-swagger-ui", + ), ] if settings.DEBUG: diff --git a/gateway/requirements.txt b/gateway/requirements.txt index 0f7a92488..1df2f029c 100644 --- a/gateway/requirements.txt +++ b/gateway/requirements.txt @@ -10,3 +10,4 @@ ray[default]>=2.3.0 Django>=4.1.7 gunicorn>=20.1.0 requests>=2.28.2 +drf-yasg>=1.21.5 diff --git a/repository/main/urls.py b/repository/main/urls.py index 0bdb206c3..5ceafc046 100644 --- a/repository/main/urls.py +++ b/repository/main/urls.py @@ -27,7 +27,7 @@ default_version="v1", description="List of available API endpoint for Program repository.", ), - public=False, + public=True, permission_classes=[permissions.AllowAny], ) From 706cbdfd9543d248c5cf7217bb5fe26c69f07591 Mon Sep 17 00:00:00 2001 
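Review bot: `get_schema_view(...)` in gateway/main/urls.py is created with `public=True` and `permission_classes=[permissions.AllowAny]`, so the `swagger/` and `swagger.json`/`.yaml` routes added in the next hunk give unauthenticated callers the full endpoint list. With `public=False,` the schema shows only the endpoints the requesting user can reach, and `permission_classes=[permissions.IsAuthenticated],` keeps the documentation behind login, which `SWAGGER_SETTINGS` in settings.py already provides URLs for. The repository/main/urls.py hunk of the same commit flips `public=False` to `public=True` while also keeping `AllowAny`, so the same concern applies there. If public documentation is intended, a short comment above `schema` saying so would make that an explicit decision.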
From: david <9059044+Tansito@users.noreply.github.com> Date: Mon, 8 May 2023 17:32:46 +0200 Subject: [PATCH 23/31] Removed RELEASE_NAME --- .../helm/quantumserverless/values-ibm.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/infrastructure/helm/quantumserverless/values-ibm.yaml b/infrastructure/helm/quantumserverless/values-ibm.yaml index 2a885300f..bb9941aaf 100644 --- a/infrastructure/helm/quantumserverless/values-ibm.yaml +++ b/infrastructure/helm/quantumserverless/values-ibm.yaml @@ -24,13 +24,13 @@ ingress: paths: - path: / pathType: Prefix - serviceName: "RELEASE_NAME-gateway" + serviceName: "gateway" servicePort: 8000 - host: "repository.YOUR_INGRESS_PUBLIC_END_POINT" paths: - path: / pathType: Prefix - serviceName: "RELEASE_NAME-repository" + serviceName: "repository" servicePort: 8060 # =================== @@ -44,10 +44,10 @@ gateway: tag: "nightly" application: siteHost: "http://localhost:8000" - rayHost: "http://RELEASE_NAME-kuberay-head-svc:8265" + rayHost: "http://kuberay-head-svc:8265" keycloak: clientId: "gateway-client" - url: "http://RELEASE_NAME-keycloak:31059" + url: "http://keycloak:31059" realm: "quantumserverless" clientSecret: GATEWAYSECRET-CHANGEME superuser: 
@@ -288,9 +288,9 @@ kube-prometheus-stack: allow_sign_up: "true" client_id: grafana-client client_secret: GRAFANASECRET-CHANGEME - api_url: "http://RELEASE_NAME-keycloak:31059/realms/quantumserverless/protocol/openid-connect/userinfo" - auth_url: "http://RELEASE_NAME-keycloak:31059/realms/quantumserverless/protocol/openid-connect/auth" - token_url: "http://RELEASE_NAME-keycloak:31059/realms/quantumserverless/protocol/openid-connect/token" + api_url: "http://keycloak:31059/realms/quantumserverless/protocol/openid-connect/userinfo" + auth_url: "http://keycloak:31059/realms/quantumserverless/protocol/openid-connect/auth" + token_url: "http://keycloak:31059/realms/quantumserverless/protocol/openid-connect/token" role_attribute_path: "contains(roles[*], 'grafana-admin') && 'GrafanaAdmin' || contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'" allow_assign_grafana_admin: "true" scopes: openid email profile roles From 394dbe1bce3c0614da484a5f4a86491dca21da3f Mon Sep 17 00:00:00 2001 From: david <9059044+Tansito@users.noreply.github.com> Date: Mon, 8 May 2023 17:37:09 +0200 Subject: [PATCH 24/31] Removed RELEASE_NAME from values --- infrastructure/helm/quantumserverless/values.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/infrastructure/helm/quantumserverless/values.yaml b/infrastructure/helm/quantumserverless/values.yaml index f1f34d598..b311b658e 100644 --- a/infrastructure/helm/quantumserverless/values.yaml +++ b/infrastructure/helm/quantumserverless/values.yaml @@ -40,10 +40,10 @@ gateway: tag: "0.0.7" application: siteHost: "http://localhost:8000" - rayHost: "http://RELEASE_NAME-kuberay-head-svc:8265" + rayHost: "http://kuberay-head-svc:8265" keycloak: clientId: "gateway-client" - url: "http://RELEASE_NAME-keycloak:31059" + url: "http://keycloak:31059" realm: "quantumserverless" clientSecret: GATEWAYSECRET-CHANGEME superuser: 
@@ -318,9 +318,9 @@ kube-prometheus-stack: allow_sign_up: "true" client_id: grafana-client client_secret: GRAFANASECRET-CHANGEME - api_url: "http://RELEASE_NAME-keycloak:31059/realms/quantumserverless/protocol/openid-connect/userinfo" - auth_url: "http://RELEASE_NAME-keycloak:31059/realms/quantumserverless/protocol/openid-connect/auth" - token_url: "http://RELEASE_NAME-keycloak:31059/realms/quantumserverless/protocol/openid-connect/token" + api_url: "http://keycloak:31059/realms/quantumserverless/protocol/openid-connect/userinfo" + auth_url: "http://keycloak:31059/realms/quantumserverless/protocol/openid-connect/auth" + token_url: "http://keycloak:31059/realms/quantumserverless/protocol/openid-connect/token" role_attribute_path: "contains(roles[*], 'grafana-admin') && 'GrafanaAdmin' || contains(roles[*], 'admin') && 'Admin' || contains(roles[*], 'editor') && 'Editor' || 'Viewer'" allow_assign_grafana_admin: "true" scopes: openid email profile roles From 3c143976bfa24d4c65ece224662253279c68189e Mon Sep 17 00:00:00 2001 From: david <9059044+Tansito@users.noreply.github.com> Date: Mon, 8 May 2023 17:41:12 +0200 Subject: [PATCH 25/31] Use 0.0.7 instead of nightly --- infrastructure/helm/quantumserverless/values-ibm.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/infrastructure/helm/quantumserverless/values-ibm.yaml b/infrastructure/helm/quantumserverless/values-ibm.yaml index bb9941aaf..42c26c7a1 100644 --- a/infrastructure/helm/quantumserverless/values-ibm.yaml +++ b/infrastructure/helm/quantumserverless/values-ibm.yaml @@ -41,7 +41,7 @@ gatewayEnable: true gateway: image: pullPolicy: IfNotPresent - tag: "nightly" + tag: "0.0.7" application: siteHost: "http://localhost:8000" rayHost: "http://kuberay-head-svc:8265" @@ -80,7 +80,7 @@ jupyter: jupyterToken: "YOUR_JUPYTER_PASSWORD_HERE" image: repository: "qiskit/quantum-serverless-notebook" - tag: "nightly-py39" + tag: "0.0.7-py39" pullPolicy: IfNotPresent container: port: 8888 
@@ -95,7 +95,7 @@ rayClusterEnable: true ray-cluster: image: repository: "qiskit/quantum-serverless-ray-node" - tag: "nightly-py39" + tag: "0.0.7-py39" pullPolicy: IfNotPresent head: rayStartParams: @@ -257,7 +257,7 @@ repositoryEnable: true repository: image: pullPolicy: IfNotPresent - tag: "nightly" + tag: "0.0.7" application: superuser: username: "admin" From 28584ba008edad55bc2e0248131803095baf5f26 Mon Sep 17 00:00:00 2001 From: david <9059044+Tansito@users.noreply.github.com> Date: Mon, 8 May 2023 17:45:04 +0200 Subject: [PATCH 26/31] Revert "Added swagger to gateway" This reverts commit c26aae18b5d670405e5fcfa239e20d0c908bdbe9. --- gateway/main/settings.py | 3 --- gateway/main/urls.py | 24 +----------------------- gateway/requirements.txt | 1 - repository/main/urls.py | 2 +- 4 files changed, 2 insertions(+), 28 deletions(-) diff --git a/gateway/main/settings.py b/gateway/main/settings.py index aa7422059..68e75b244 100644 --- a/gateway/main/settings.py +++ b/gateway/main/settings.py @@ -53,7 +53,6 @@ "allauth.socialaccount.providers.keycloak", "dj_rest_auth", "dj_rest_auth.registration", - "drf_yasg", "api", ] @@ -200,5 +199,3 @@ MEDIA_ROOT = os.path.join(BASE_DIR, "media") MEDIA_URL = "/media/" - -SWAGGER_SETTINGS = {"LOGIN_URL": "/api-auth/login/", "LOGOUT_URL": "/api-auth/logout/"} diff --git a/gateway/main/urls.py b/gateway/main/urls.py index bfe6f7b97..e3468b2b8 100644 --- a/gateway/main/urls.py +++ b/gateway/main/urls.py 
@@ -17,23 +17,12 @@ from django.conf.urls.static import static from django.contrib import admin from django.urls import path, include, re_path -from rest_framework import routers, permissions -from drf_yasg.views import get_schema_view -from drf_yasg import openapi +from rest_framework import routers from api.views import KeycloakLogin, KeycloakUsersView router = routers.DefaultRouter() -schema = get_schema_view( # pylint: disable=invalid-name - openapi.Info( - title="Gateway API", - default_version="v1", - description="List of available API endpoints for the Gateway.", - ), - public=True, - permission_classes=[permissions.AllowAny], -) urlpatterns = [ path("dj-rest-auth/", include("dj_rest_auth.urls")), @@ -44,17 +33,6 @@ path("admin/", admin.site.urls), path("", include("django_prometheus.urls")), re_path(r"^api/v1/", include(("api.v1.urls", "api"), namespace="v1")), - # docs - re_path( - r"^swagger(?P\.json|\.yaml)$", - schema.without_ui(cache_timeout=0), - name="schema-json", - ), - re_path( - r"^swagger/$", - schema.with_ui("swagger", cache_timeout=0), - name="schema-swagger-ui", - ), ] if settings.DEBUG: diff --git a/gateway/requirements.txt b/gateway/requirements.txt index 44fddf392..462d137c1 100644 --- a/gateway/requirements.txt +++ b/gateway/requirements.txt @@ -10,4 +10,3 @@ ray[default]>=2.3.0 Django>=4.2 gunicorn>=20.1.0 requests>=2.28.2 -drf-yasg>=1.21.5 diff --git a/repository/main/urls.py b/repository/main/urls.py index 5ceafc046..0bdb206c3 100644 --- a/repository/main/urls.py +++ b/repository/main/urls.py @@ -27,7 +27,7 @@ default_version="v1", description="List of available API endpoint for Program repository.", ), - public=True, + public=False, permission_classes=[permissions.AllowAny], ) From b34340c30e06f728dfb00e5119df61d1b16b4c1a Mon Sep 17 00:00:00 2001 
From: david <9059044+Tansito@users.noreply.github.com> Date: Tue, 9 May 2023 13:49:27 +0200 Subject: [PATCH 27/31] Updated main infrastructure README --- infrastructure/readme.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/infrastructure/readme.md b/infrastructure/readme.md index 6271901f1..00a340108 100644 --- a/infrastructure/readme.md +++ b/infrastructure/readme.md 
@@ -22,20 +22,22 @@ the different Python executions that you can send to your [k8s](https://kubernet ## Docker folder -In [this folder](./docker) you will find the resources related with the creation of the docker images that the infrastructure requires to deploy. There are two main images: +In [this folder](./docker) you will find the resources related with the creation of the docker images that the infrastructure requires to deploy. There are four main images: - **Jupyter notebook**: an image to be able to deploy a jupyter notebook in the infrastructure and make use of the project in a easy way without install anything locally. - **Ray**: an image that contains the ray library to be used in the infrastructure. +- **Gateway**: the API of the project that will provide you access to ray. +- **Repository**: a repository backend where to store Programs and share them. ## Helm folder -In [this folder](./helm) you will find the main configuration to set up your k8s cluster and the services that this project uses. There are 5 main configurations: +In [this folder](./helm) you will find the main configuration to set up your k8s cluster and the services that this project uses. There are 7 main services: - **Jupyter**: this configuration deploys in your cluster the service that provides you with a notebook to work easily with the project. -- **Manager**: this configuration deploys the API to handle your Ray cluster. -- **Operator**: a standard ray configuration to set up the KubeRay operator in the k8s cluster. This resource provides a Kubernetes-native way to manage Ray clusters. +- **Gateway**: this configuration deploys the API to handle your Ray cluster. +- **Kuberay Operator**: a standard ray configuration to set up the KubeRay operator in the k8s cluster. This resource provides a Kubernetes-native way to manage Ray clusters. - **Ray cluster**: standard configuration to set up and deploy your Ray cluster in a k8s environment. 
- **Kuberay API server**: a standard configuration to manage KubeRay resources using gRPC and HTTP APIs. - **Keycloak**: a standard configuration to manage access to the resources. -- **Prometheus**: a systems and service monitoring system. It collects metrics from configured targets at given intervals, evaluates rule expressions, displays the results, and can trigger alerts if some condition is observed to be true. +- **Grafana / Prometheus**: a systems and service monitoring system. It collects metrics from configured targets at given intervals, evaluates rule expressions, displays the results, and can trigger alerts if some condition is observed to be true. ## Terraform The [folder](./terraform) contains the configuration that helps you to create your k8s and Ray clusters. Currently, the project supports deployments in: From aeab4dba74417ddf04e4579548e371de332adcc6 Mon Sep 17 00:00:00 2001 From: david <9059044+Tansito@users.noreply.github.com> Date: Tue, 9 May 2023 13:53:36 +0200 Subject: [PATCH 28/31] Updated dockerfile README --- infrastructure/docker/README.md | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/infrastructure/docker/README.md b/infrastructure/docker/README.md index de53a83a3..b8df15118 100644 --- a/infrastructure/docker/README.md +++ b/infrastructure/docker/README.md @@ -1,9 +1,10 @@ # Docker images -Docker images that the infrastructure requires to deploy. There are three main images: +Docker images that the infrastructure requires to deploy. There are four main images: - [Jupyter notebook](#ray-node-with-jupyter-notebook) - [Ray](#custom-ray) - [Repository server](#repository-server) +- [Gateway](#gateway) ## Custom ray 
@@ -11,6 +12,7 @@ Docker images that the infrastructure requires to deploy. There are three main i An image that contains our custom [ray](https://github.com/ray-project/ray) configuration. It works for local development or to be used with [ray-cluster](https://docs.ray.io/en/latest/cluster/getting-started.html). +We provide support too for ARM chips too. ### Build @@ -33,7 +35,7 @@ docker build -f ./infrastructure/docker/Dockerfile-ray-qiskit -t . ## Ray node with Jupyter notebook -An image to be able to deploy a jupyter notebook in the infrastructure and make use of the project in a easy way without install anything locally. +An image to be able to deploy a jupyter notebook in the infrastructure and make use of the project in an easy way without install anything locally. ### Build To build image just run from the root of the project: @@ -71,3 +73,24 @@ docker build -f ./infrastructure/docker/Dockerfile-repository-server -t . +``` + +### Versions +- Python == 3.9 \ No newline at end of file From 9c4b0b9c98691ec70113c083ee43aea9792ef056 Mon Sep 17 00:00:00 2001 From: david <9059044+Tansito@users.noreply.github.com> Date: Tue, 9 May 2023 13:57:43 +0200 Subject: [PATCH 29/31] Updated helm infrastructure --- .../helm/quantumserverless/README.md | 59 +------------------ 1 file changed, 1 insertion(+), 58 deletions(-) diff --git a/infrastructure/helm/quantumserverless/README.md b/infrastructure/helm/quantumserverless/README.md index c025fb580..c09324cdc 100644 --- a/infrastructure/helm/quantumserverless/README.md +++ b/infrastructure/helm/quantumserverless/README.md 
@@ -16,43 +16,8 @@ helm dependency build ``` Update values.yaml file. Find and replace the following strings -- **CLIENTSECRET-CHANGEME**: string used as the secret for a OIDC protocol -- **APISERVERSECRET-CHANGEME**: string used as the secret for a OIDC protocol for apiserver -- **SECRET-CHANGEME**: string used as the secret for a OIDC protocol +- **GATEWAY-CHANGEME**: string used as the secret for a OIDC protocol - **GRAFANASECRET-CHANGEME**: string used as the secret for a OIDC protocol for Grafana -- **HELM-RELEASE**: release name used in the helm install command -- **LOCAL-IP**: IP address that can be accessed from both outside of the cluster and inside of the cluster. - -**LOCAL-IP Example** - -MacOS - ifconfig output (**192.168.4.23**) -``` -en0: flags=8963 mtu 1500 - options=6463 - ether a4:83:e7:27:70:71 - inet6 fe80::8b4:58c9:11dd:e7e0%en0 prefixlen 64 secured scopeid 0x6 - inet 192.168.4.23 netmask 0xfffffc00 broadcast 192.168.7.255 - nd6 options=201 - media: autoselect - status: active -``` -Ubuntu - ifconfig output (**169.62.189.94**) -``` -eth1: flags=4163 mtu 1500 - inet 169.62.189.94 netmask 255.255.255.224 broadcast 169.62.189.95 - inet6 fe80::477:a9ff:fe0f:30c0 prefixlen 64 scopeid 0x20 - ether 06:77:a9:0f:30:c0 txqueuelen 1000 (Ethernet) - RX packets 41529956 bytes 5172595130 (5.1 GB) - RX errors 0 dropped 0 overruns 0 frame 0 - TX packets 5373197 bytes 774842996 (774.8 MB) - TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 -``` -Kind - kubectl output (**172.18.0.2**) -``` -# kubectl get node -o wide -NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME -kind-control-plane Ready control-plane 5d6h v1.25.3 172.18.0.2 Ubuntu 22.04.1 LTS 5.4.0-139-generic containerd://1.6.9 -``` Install from the default values file ```shell 
@@ -130,25 +95,3 @@ If you are interested in more complex configurations, you have access to all the - For our promtail charts dependencies, we are using the default configuration created by Grafana project. To simplify the configuration we offered you with a straigh-forward initial parameters setup. But if you are interested in more complex configurations, you have access to all the parameters documented [here](https://github.com/grafana/helm-charts/blob/main/charts/promtail/README.md). - -## Usage - -- Ray Api Server access needs the access token issued by the keycloak. Here is the example to obtain the access token and send request to the Ray API Server - -``` -#!/bin/bash -API=$1 -RESPONSE=$(curl --request POST \ - --url 'http://:31059/realms/quantumserverless/protocol/openid-connect/token' \ - --header 'content-type: application/x-www-form-urlencoded' \ - --data grant_type=client_credentials \ - --data client_id=rayapiserver \ - --data client_secret=APISERVERSECRET-CHANGEME \ - --data audience=rayapiserver | jq .access_token) -TOKEN=${RESPONSE//'"'/} - -curl --request GET -k --proxy http://:30634/ \ ---header "authorization: Bearer $TOKEN" \ ---header 'content-type: application/json' \ ---url "http://kuberay-apiserver-service:8888/$API" -``` From a7faa0b55a34dfaa029aad974846786439a1573b Mon Sep 17 00:00:00 2001 From: david <9059044+Tansito@users.noreply.github.com> Date: Tue, 9 May 2023 14:00:01 +0200 Subject: [PATCH 30/31] Updated terraform IBM documentation --- infrastructure/terraform/ibm/README.md | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/infrastructure/terraform/ibm/README.md b/infrastructure/terraform/ibm/README.md index ff4e06eb7..653411010 100644 --- a/infrastructure/terraform/ibm/README.md +++ b/infrastructure/terraform/ibm/README.md 
@@ -4,16 +4,14 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | ~> 1.2 | -| [helm](#requirement\_helm) | >= 2.8.0 | -| [ibm](#requirement\_ibm) | >= 1.50.0 | +| [terraform](#requirement\_terraform) | ~> 1.4 | +| [ibm](#requirement\_ibm) | >= 1.51.0 | ## Providers | Name | Version | |------|---------| -| [helm](#provider\_helm) | 2.8.0 | -| [ibm](#provider\_ibm) | 1.50.0 | +| [ibm](#provider\_ibm) | 1.52.1 | ## Modules @@ -26,7 +24,6 @@ | Name | Type | |------|------| -| [helm_release.quantum_serverless_release](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource | | [ibm_container_cluster_config.quantum_serverless_cluster_config](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/container_cluster_config) | data source | | [ibm_resource_group.ibmcloud_resource_group](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/resource_group) | data source | @@ -40,11 +37,11 @@ | [ibmcloud\_resource\_group](#input\_ibmcloud\_resource\_group) | Name of resource group to provision resources | `string` | `"Default"` | no | | [ibmcloud\_timeout](#input\_ibmcloud\_timeout) | The general timeout to operate with the IBMCloud provider | `number` | `60` | no | | [locations](#input\_locations) | The locations for the subnets and nodes | `list(string)` |
[
"us-south-1",
"us-south-2"
]
| no | -| [machine\_type](#input\_machine\_type) | Machine type for the IKS Cluster | `string` | `"cx2.2x4"` | no | -| [name](#input\_name) | The prefix name for all the resources | `string` | `"qserverless"` | no | +| [machine\_type](#input\_machine\_type) | Machine type for the IKS Cluster | `string` | `"cx2.8x16"` | no | +| [name](#input\_name) | The prefix name for all the resources | `string` | `"quantum-serverless-test"` | no | | [number\_of\_addresses](#input\_number\_of\_addresses) | The number of addresses by subnet | `number` | `64` | no | -| [tags](#input\_tags) | The list of tags | `list(string)` |
[
"env:dev",
"project:qserverless"
]
| no | -| [worker\_nodes\_per\_zone](#input\_worker\_nodes\_per\_zone) | Number of workers per zone | `number` | `1` | no | +| [tags](#input\_tags) | The list of tags | `list(string)` |
[
"env:dev",
"project:middleware"
]
| no | +| [worker\_nodes\_per\_zone](#input\_worker\_nodes\_per\_zone) | Number of workers per zone | `number` | `2` | no | ## Outputs From 626ba6c1857e6c382b86a01a424e9cdf1845f5c4 Mon Sep 17 00:00:00 2001 From: david <9059044+Tansito@users.noreply.github.com> Date: Tue, 9 May 2023 14:18:31 +0200 Subject: [PATCH 31/31] Uploaded documentation for IBM Cloud --- docs/deployment/cloud.rst | 30 ++++++++++++++++++++---------- 1 file changed, 20 insertions(+), 10 deletions(-) diff --git a/docs/deployment/cloud.rst b/docs/deployment/cloud.rst index 7294d882d..486375604 100644 --- a/docs/deployment/cloud.rst +++ b/docs/deployment/cloud.rst @@ -61,8 +61,7 @@ If you have ``make`` available you can run the next commands in your terminal: .. code-block:: :caption: run the commands from the root of the project - $ make build-notebook - $ make build-ray-node + $ make build-all Or if you don't have it (Windows for example), you can always build the images manually: @@ -71,13 +70,14 @@ Or if you don't have it (Windows for example), you can always build the images m $ docker build -t qiskit/quantum-serverless-notebook -f ./infrastructure/docker/Dockerfile-notebook . $ docker build -t qiskit/quantum-serverless-ray-node -f ./infrastructure/docker/Dockerfile-ray-qiskit . + $ ... Now that you have built the needed Docker images you can run **docker-compose** to deploy locally the project: .. code-block:: :caption: run the command from the root of the project - $ docker-compose up + $ docker-compose --profile full up And once time finished the execution of the command if everything went well you are going to be able to open the browser and have access to: 
@@ -110,6 +110,8 @@ and run the next commands: $ helm repo add bitnami https://charts.bitnami.com/bitnami $ helm repo add kuberay https://ray-project.github.io/kuberay-helm + $ helm repo add prometheus-community https://prometheus-community.github.io/helm-charts + $ helm repo add grafana https://grafana.github.io/helm-charts $ helm dependency build $ helm -n install quantum-serverless --create-namespace . @@ -123,8 +125,8 @@ always will work is to use the ``port-forward`` command: $ kubectl get pod -o wide $ > ... - $ > -jupyter- - $ > -kuberay-head- + $ > jupyter- + $ > kuberay-head- $ > ... Now that we have the desired pods we can expose their ports: @@ -132,8 +134,8 @@ Now that we have the desired pods we can expose their ports: .. code-block:: :caption: ports 8265 and 8888 are the the default ports for each service - $ kubectl port-forward -kuberay-head- 8265 - $ kubectl port-forward -jupyter- 8888 + $ kubectl port-forward kuberay-head- 8265 + $ kubectl port-forward jupyter- 8888 This way you will be able to access to your cluster services from localhost. @@ -183,9 +185,7 @@ with the next content: **In AWS** case instead to create a file you will need to configure a set of environment variables in your terminal as it is defined `here `_. -Once time your account is configured to be used by terraform just check that in your provider folder you have configured -your desired values for your services in ``values.yaml`` before the deployment process. To confirm the configuration -just run terraform: +To confirm the configuration just run terraform: .. code-block:: :caption: always run a plan before an apply, this will compare your current configuration with the new one 
@@ -203,6 +203,16 @@ When the process finishes you should be able to see the cluster with the resourc * `IBM Cloud cluster access guide `_ * `AWS cluster connection guide `_ +Now that you have a cluster you just will need to run the previous `helm` steps to deploy the different applications. + +For IBM Cloud in particular we provided you with a specific values with a default configuration in `values-ibm.yaml `_ + +The only thing that you will need to check in this case are some placeholders: + * YOUR_INGRESS_PUBLIC_END_POINT: this value can be obtained from your Ingress configuration of your cluster + * YOUR-INGRESS-SECRET: this value can be obtained from your Ingress configuration of your cluster + * GATEWAYSECRET-CHANGEME: the secret that your application will use to connect `Gateway` with `Keycloak` + * GRAFANASECRET-CHANGEME: the secret that your application will use to connect `Grafana` with `Keycloak` + Quantum Serverless configuration ==================================