From a41891c1c522af636ac6c248a5b882f8dec7b464 Mon Sep 17 00:00:00 2001
From: Kyle Goyette
Date: Fri, 25 Oct 2024 16:57:42 -0700
Subject: [PATCH] wip
---
.../templates/dangerzone_secret.yaml | 13 +++++++++++
.../weave-trace/templates/deployment.yaml | 16 ++++++++++++-
.../charts/weave-trace/templates/rbac.yaml | 23 +++++++++++++++++++
charts/wandb/templates/deployment.yaml | 22 ++++--------------
charts/wandb/templates/ingress.yaml | 16 +++++++------
charts/wandb/values.yaml | 2 ++
6 files changed, 66 insertions(+), 26 deletions(-)
create mode 100644 charts/operator-wandb/charts/weave-trace/templates/dangerzone_secret.yaml
create mode 100644 charts/operator-wandb/charts/weave-trace/templates/rbac.yaml
diff --git a/charts/operator-wandb/charts/weave-trace/templates/dangerzone_secret.yaml b/charts/operator-wandb/charts/weave-trace/templates/dangerzone_secret.yaml
new file mode 100644
index 00000000..43d4b450
--- /dev/null
+++ b/charts/operator-wandb/charts/weave-trace/templates/dangerzone_secret.yaml
@@ -0,0 +1,13 @@
+{{- $secretName := printf "%s-secrets" (include "weaveTrace.name" .) }}
+{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace $secretName }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "weaveTrace.name" . }}-dangerzone-secrets
+type: Opaque
+data:
+ WEAVE_TRACE_GORILLA_JWT_SECRET: {{ if $existingSecret }}
+ {{ $existingSecret.data.WEAVE_TRACE_GORILLA_JWT_SECRET }}
+ {{ else }}
+ {{ randAlphaNum 32 | b64enc }}
+ {{ end }}
\ No newline at end of file
diff --git a/charts/operator-wandb/charts/weave-trace/templates/deployment.yaml b/charts/operator-wandb/charts/weave-trace/templates/deployment.yaml
index 2e5ebaed..fa99a68d 100644
--- a/charts/operator-wandb/charts/weave-trace/templates/deployment.yaml
+++ b/charts/operator-wandb/charts/weave-trace/templates/deployment.yaml
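Review bot: In dangerzone_secret.yaml the `lookup` asks for `<name>-secrets`, but the Secret rendered below it is named `<name>-dangerzone-secrets`, so `$existingSecret` looks like it can never be the object this template owns, and `randAlphaNum 32 | b64enc` would mint a new `WEAVE_TRACE_GORILLA_JWT_SECRET` on every upgrade unless a separate `-secrets` object happens to carry that key. Derive the name once and use it in both places: `{{- $secretName := printf "%s-dangerzone-secrets" (include "weaveTrace.name" .) }}` with `name: {{ $secretName }}`. The existing-secret branch also dereferences `$existingSecret.data.WEAVE_TRACE_GORILLA_JWT_SECRET` without checking that the key is present. `lookup` returns an empty result under `helm template` or a dry run, so rendered-manifest pipelines would rotate the signing key on each render; a short comment at the top of the file should say so.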
@@ -44,6 +44,7 @@ spec: initContainers: - name: {{ include "weaveTraceMigrate.fullname" . }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} command: - "python" - "migrator.py" @@ -67,6 +68,10 @@ spec: containers: - name: {{ include "weaveTrace.fullname" . }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + volumeMounts: + - name: weave-trace-dangerzone-secrets + mountPath: /tmp/weave-trace/dangerzone ports: - name: http containerPort: 8080 @@ -79,7 +84,7 @@ spec: - name: WANDB_PUBLIC_BASE_URL value: {{ .Values.global.host }} - name: WANDB_BASE_URL - value: http://{{ .Release.Name }}-app:8080/ + value: http://{{ .Release.Name }}:8080/ - name: WF_TRACE_SERVER_URL value: "{{ .Values.global.host }}/traces" - name: WF_ENFORCE_PASSWORD_LENGTH @@ -128,9 +133,18 @@ spec: failureThreshold: 12 periodSeconds: 10 + resources: {{- toYaml .Values.resources | nindent 12 }} serviceAccountName: {{ include "weaveTrace.serviceAccountName" . }} + volumes: + - name: weave-trace-dangerzone-secrets + projected: + sources: + - serviceAccountToken: + audience: dangerzone + path: token + expirationSeconds: 600 --- apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler diff --git a/charts/operator-wandb/charts/weave-trace/templates/rbac.yaml b/charts/operator-wandb/charts/weave-trace/templates/rbac.yaml new file mode 100644 index 00000000..20a9a09c --- /dev/null +++ b/charts/operator-wandb/charts/weave-trace/templates/rbac.yaml 
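Review bot: The volume added in the last hunk of weave-trace/templates/deployment.yaml is called `weave-trace-dangerzone-secrets` but projects only a service-account token (audience `dangerzone`, 600 s lifetime); nothing in the visible hunks mounts or references the `-dangerzone-secrets` Secret that this commit creates. If the JWT key is meant to reach the container, add it as a second projected source, `- secret:` with `name: {{ include "weaveTrace.name" . }}-dangerzone-secrets`; otherwise rename the volume so it does not suggest it carries that Secret. The matching `volumeMounts` entry in the second hunk should state `readOnly: true`, and a one-line comment next to `audience:` should record that the consumer of the token must verify the `dangerzone` audience and re-read the file, since the token is rotated. The deployment spec starts and ends outside these hunks.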
@@ -0,0 +1,23 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "weaveTrace.serviceAccountName" . }}-svc-act-role + namespace: {{ .Release.Namespace }} +rules: + - apiGroups: ["", "apps", "batch"] + resources: ["pods", "services", "secrets"] + verbs: ["get", "watch", "list", "create", "update", "patch", "delete"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "weaveTrace.serviceAccountName" . }}-svc-act-role-binding + namespace: {{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: {{ include "weaveTrace.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: Role + name: {{ include "weaveTrace.serviceAccountName" . }}-svc-act-role + apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/charts/wandb/templates/deployment.yaml b/charts/wandb/templates/deployment.yaml index 28099d63..b30c74fe 100644 --- a/charts/wandb/templates/deployment.yaml +++ b/charts/wandb/templates/deployment.yaml @@ -151,6 +151,10 @@ spec: - name: LOCAL_LDAP_GROUP_ALLOW_LIST value: {{ .Values.ldap.groupAllowList }} {{- end }} + {{- if .Values.weaveTrace.enabled }} + - name: WEAVE_TRACES_ENABLED + value: "true" + {{- end }} {{- if .Values.extraEnv }} {{- toYaml .Values.extraEnv | nindent 12 }} {{- end }} @@ -233,21 +237,3 @@ spec: - key: {{ .Values.ldap.tlsCert.configMap.key }} path: ca.crt {{- end }} ---- -{{- if and (not .Values.bucket) .Values.existingClaim }} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ include "wandb.volumeClaim" . }} - annotations: - "helm.sh/resource-policy": keep - labels: - {{- include "wandb.labels" . | nindent 4 }} - app.kubernetes.io/component: local -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 64Gi -{{- end }} diff --git a/charts/wandb/templates/ingress.yaml b/charts/wandb/templates/ingress.yaml index 5b80f4cd..4ad3a381 100644 
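Review bot: The single rule in rbac.yaml gives the weave-trace service account read and write access, including `delete`, to every Secret, Pod and Service in the release namespace, which is far broader than the visible changes justify; a compromise of that pod would expose all namespace secrets, and pod `create` lets the holder run workloads under any service account in the namespace. `pods`, `services` and `secrets` all belong to the core group, so the `apps` and `batch` entries match nothing. Split the rule per resource and keep only the verbs in use; if the service only reads its own key, the secrets rule can be `apiGroups: [""]`, `resourceNames: ["{{ include "weaveTrace.name" . }}-dangerzone-secrets"]`, `verbs: ["get"]`. A comment above `rules:` should record which feature needs each permission.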
--- a/charts/wandb/templates/ingress.yaml +++ b/charts/wandb/templates/ingress.yaml @@ -45,21 +45,23 @@ spec: - host: {{ .host | quote }} http: paths: + {{- if index $.Values "weaveTrace" "enabled" }} + - pathType: Prefix + path: /traces + backend: + service: + name: {{ $.Release.Name }}-weave-trace + port: + number: 8722 + {{- end }} {{- range .paths }} - path: {{ .path }} - {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} pathType: {{ .pathType }} - {{- end }} backend: - {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} service: name: {{ $fullName }} port: number: {{ $svcPort }} - {{- else }} - serviceName: {{ $fullName }} - servicePort: {{ $svcPort }} - {{- end }} {{- end }} {{- end }} {{- end }} diff --git a/charts/wandb/values.yaml b/charts/wandb/values.yaml index 0b3ac47a..151d15aa 100644 --- a/charts/wandb/values.yaml +++ b/charts/wandb/values.yaml @@ -128,6 +128,8 @@ nodeSelector: {} tolerations: [] affinity: {} +weaveTrace: + enabled: false mysql: # Set this to false if you want to bring your own mysql
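Review bot: With the `{{- if and .pathType … }}` guard removed in ingress.yaml, `pathType: {{ .pathType }}` is now rendered for every entry in `.paths`, so an entry without `pathType` produces an empty value, which the `service:`-style backend's API (presumably networking.k8s.io/v1, where the field is required) would reject; `pathType: {{ .pathType | default "Prefix" }}` keeps existing values files working. The new `/traces` rule hard-codes the backend name `{{ $.Release.Name }}-weave-trace` and port `8722`, while the weave-trace container in this same commit exposes 8080, so the Service's port mapping (not shown here) needs checking, and both would be better taken from values. The rule is added for every host in the range, so it should be confirmed that the trace service authenticates requests itself rather than relying on the main app. The `range` over hosts begins outside the hunk.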