mlflow

Helm chart
Default values
# This file has been modified by Chainguard, Inc.
#
# Copyright Chainguard, Inc. All Rights Reserved.
# Chainguard, Inc. modifications are subject to the license
# available at: https://www.chainguard.dev/legal/software-license-agreement
#
# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0

## @section Global parameters
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
##

## @param global.imageRegistry Global Docker image registry
## @param global.imagePullSecrets Global Docker registry secret names as an array
## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s)
##
global:
  imageRegistry: ""
  ## E.g.
  ## imagePullSecrets:
  ##   - myRegistryKeySecretName
  ##
  imagePullSecrets: []
  defaultStorageClass: ""
  ## Security parameters
  ##
  security:
    ## @param global.security.allowInsecureImages Allows skipping image verification
    allowInsecureImages: false
  ## Compatibility adaptations for Kubernetes platforms
  ##
  compatibility:
    ## Compatibility adaptations for Openshift
    ##
    openshift:
      ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
      ##
      adaptSecurityContext: auto
  org: ""
## @section Common parameters
##

## @param kubeVersion Override Kubernetes version
##
kubeVersion: ""
## @param apiVersions Override Kubernetes API versions reported by .Capabilities
##
apiVersions: []
## @param nameOverride String to partially override common.names.name
##
nameOverride: ""
## @param fullnameOverride String to fully override common.names.fullname
##
fullnameOverride: ""
## @param namespaceOverride String to fully override common.names.namespace
##
namespaceOverride: ""
## @param commonLabels Labels to add to all deployed objects
##
commonLabels: {}
## @param commonAnnotations Annotations to add to all deployed objects
##
commonAnnotations: {}
## @param clusterDomain Kubernetes cluster domain name
##
clusterDomain: cluster.local
## @param extraDeploy Array of extra objects to deploy with the release
##
extraDeploy: []
## Enable diagnostic mode in the deployment
##
diagnosticMode:
  ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
  ##
  enabled: false
  ## @param diagnosticMode.command Command to override all containers in the deployment
  ##
  command:
    - sleep
  ## @param diagnosticMode.args Args to override all containers in the deployment
  ##
  args:
    - infinity
## @section MLflow common Parameters
##

## Iamguarded mlflow image
## @param image.registry [default: REGISTRY_NAME] mlflow image registry
## @param image.repository [default: REPOSITORY_NAME/mlflow] mlflow image repository
## @skip image.tag mlflow image tag (immutable tags are recommended)
## @param image.digest mlflow image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag image tag (immutable tags are recommended)
## @param image.pullPolicy mlflow image pull policy
## @param image.pullSecrets mlflow image pull secrets
## @param image.debug Enable mlflow image debug mode
##
image:
  registry: cgr.dev
  repository: chainguard-private/mlflow-iamguarded
  tag: 3.10.0
  digest: ""
  ## Specify an imagePullPolicy
  ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
  ##
  pullPolicy: IfNotPresent
  ## Optionally specify an array of imagePullSecrets.
  ## Secrets must be manually created in the namespace.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ## e.g:
  ## pullSecrets:
  ##   - myRegistryKeySecretName
  ##
  pullSecrets: []
  ## Enable debug mode
  ##
  debug: false
## Iamguarded git image version
## @param gitImage.registry [default: REGISTRY_NAME] Git image registry
## @param gitImage.repository [default: REPOSITORY_NAME/git] Git image repository
## @skip gitImage.tag Git image tag (immutable tags are recommended)
## @param gitImage.digest Git image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
## @param gitImage.pullPolicy Git image pull policy
## @param gitImage.pullSecrets Specify docker-registry secret names as an array
##
gitImage:
  registry: cgr.dev
  repository: chainguard-private/git-iamguarded
  tag: 2.53.0
  digest: ""
  pullPolicy: IfNotPresent
  ## Optionally specify an array of imagePullSecrets.
  ## Secrets must be manually created in the namespace.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ## Example:
  ## pullSecrets:
  ##   - myRegistryKeySecretName
  ##
  pullSecrets: []
## @section MLflow Tracking parameters
##
tracking:
  ## @param tracking.enabled Enable Tracking server
  ##
  enabled: true
  ## @param tracking.replicaCount Number of mlflow replicas to deploy
  ##
  replicaCount: 1
  ## @param tracking.host mlflow tracking listening host. Set to "[::]" to use ipv6.
  ##
  host: "0.0.0.0"
  ## @param tracking.containerPorts.http mlflow HTTP container port
  ##
  containerPorts:
    http: 5000
  ## Configure extra options for mlflow containers' liveness and readiness probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param tracking.livenessProbe.enabled Enable livenessProbe on mlflow containers
  ## @param tracking.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param tracking.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param tracking.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param tracking.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param tracking.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 5
    successThreshold: 1
  ## @param tracking.readinessProbe.enabled Enable readinessProbe on mlflow containers
  ## @param tracking.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param tracking.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param tracking.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param tracking.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param tracking.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 5
    successThreshold: 1
  ## @param tracking.startupProbe.enabled Enable startupProbe on mlflow containers
  ## @param tracking.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
  ## @param tracking.startupProbe.periodSeconds Period seconds for startupProbe
  ## @param tracking.startupProbe.timeoutSeconds Timeout seconds for startupProbe
  ## @param tracking.startupProbe.failureThreshold Failure threshold for startupProbe
  ## @param tracking.startupProbe.successThreshold Success threshold for startupProbe
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 5
    successThreshold: 1
  ## @param tracking.customLivenessProbe Custom livenessProbe that overrides the default one
  ##
  customLivenessProbe: {}
  ## @param tracking.customReadinessProbe Custom readinessProbe that overrides the default one
  ##
  customReadinessProbe: {}
  ## @param tracking.customStartupProbe Custom startupProbe that overrides the default one
  ##
  customStartupProbe: {}
  ## mlflow resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
  ## @param tracking.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if tracking.resources is set (tracking.resources is recommended for production).
  ##
  resourcesPreset: "medium"
  ## @param tracking.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Configure Pods Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param tracking.podSecurityContext.enabled Enabled mlflow pods' Security Context
  ## @param tracking.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param tracking.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param tracking.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param tracking.podSecurityContext.fsGroup Set mlflow pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Configure Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param tracking.containerSecurityContext.enabled Enabled containers' Security Context
  ## @param tracking.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param tracking.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param tracking.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param tracking.containerSecurityContext.privileged Set containers' Security Context privileged
  ## @param tracking.containerSecurityContext.runAsNonRoot Set containers' Security Context runAsNonRoot
  ## @param tracking.containerSecurityContext.readOnlyRootFilesystem Set containers' Security Context readOnlyRootFilesystem
  ## @param tracking.containerSecurityContext.allowPrivilegeEscalation Set container's privilege escalation
  ## @param tracking.containerSecurityContext.capabilities.drop List of capabilities to be dropped
  ## @param tracking.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
  ## Basic authentication
  ## @param tracking.auth.enabled Enable basic authentication
  ## @param tracking.auth.username Admin username
  ## @param tracking.auth.password Admin password
  ## @param tracking.auth.flaskServerSecretKey Flask server secret key (required for enabling CSRF protection)
  ## @param tracking.auth.existingSecret Name of a secret containing the admin password
  ## @param tracking.auth.existingSecretUserKey Key inside the secret containing the admin username
  ## @param tracking.auth.existingSecretPasswordKey Key inside the secret containing the admin password
  ## @param tracking.auth.existingSecretFlaskServerSecretKey Key inside the secret containing the flask server secret key
  ## @param tracking.auth.extraOverrides Add extra settings to the basic_auth.ini file
  ## @param tracking.auth.overridesConfigMap Name of a ConfigMap containing overrides to the basic_auth.ini file
  auth:
    enabled: true
    username: user
    password: ""
    flaskServerSecretKey: ""
    existingSecret: ""
    existingSecretUserKey: ""
    existingSecretPasswordKey: ""
    existingSecretFlaskServerSecretKey: ""
    extraOverrides: {}
    overridesConfigMap: ""
  ## TLS configuration
  ##
  tls:
    ## @param tracking.tls.enabled Enable TLS traffic support
    ##
    enabled: false
    ## @param tracking.tls.autoGenerated Generate automatically self-signed TLS certificates
    ##
    autoGenerated: false
    ## @param tracking.tls.certificatesSecret Name of an existing secret that contains the certificates
    ##
    certificatesSecret: ""
    ## @param tracking.tls.certFilename Certificate filename
    ##
    certFilename: ""
    ## @param tracking.tls.certKeyFilename Certificate key filename
    ##
    certKeyFilename: ""
    ## @param tracking.tls.certCAFilename CA Certificate filename
    ## If provided, PostgreSQL will authenticate TLS/SSL clients by requesting them a certificate
    ## ref: https://www.postgresql.org/docs/9.6/auth-methods.html
    ##
    certCAFilename: ""
  ## @param tracking.command Override default container command (useful when using custom images)
  ##
  command: []
  ## @param tracking.args Override default container args (useful when using custom images)
  ##
  args: []
  ## @param tracking.extraArgs Add extra arguments together with the default ones
  ##
  extraArgs: []
  ## @param tracking.runUpgradeDB Add an init container to run mlflow db upgrade
  ##
  runUpgradeDB: false
  ## @param tracking.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: false
  ## @param tracking.hostAliases mlflow pods host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## @param tracking.podLabels Extra labels for mlflow pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param tracking.podAnnotations Annotations for mlflow pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param tracking.podAffinityPreset Pod affinity preset. Ignored if `.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param tracking.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Pod Disruption Budget configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
  ## @param tracking.pdb.create Enable/disable a Pod Disruption Budget creation
  ## @param tracking.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
  ## @param tracking.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
  ## Autoscaling configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
  ##
  autoscaling:
    hpa:
      ## @param tracking.autoscaling.hpa.enabled Enable HPA
      ##
      enabled: false
      ## @param tracking.autoscaling.hpa.minReplicas Minimum number of replicas
      ##
      minReplicas: ""
      ## @param tracking.autoscaling.hpa.maxReplicas Maximum number of replicas
      ##
      maxReplicas: ""
      ## @param tracking.autoscaling.hpa.targetCPU Target CPU utilization percentage
      ##
      targetCPU: ""
      ## @param tracking.autoscaling.hpa.targetMemory Target Memory utilization percentage
      ##
      targetMemory: ""
    vpa:
      ## @param tracking.autoscaling.vpa.enabled Enable VPA
      ##
      enabled: false
      ## @param tracking.autoscaling.vpa.annotations Annotations for VPA resource
      ##
      annotations: {}
      ## @param tracking.autoscaling.vpa.controlledResources VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory
      ##
      controlledResources: []
      ## @param tracking.autoscaling.vpa.maxAllowed VPA Max allowed resources for the pod
      ##   cpu: 200m
      ##   memory: 100Mi
      maxAllowed: {}
      ## @param tracking.autoscaling.vpa.minAllowed VPA Min allowed resources for the pod
      ##   cpu: 200m
      ##   memory: 100Mi
      minAllowed: {}
      updatePolicy:
        ## @param tracking.autoscaling.vpa.updatePolicy.updateMode Autoscaling update policy Specifies whether recommended updates are applied when a Pod is started and whether recommended updates are applied during the life of a Pod
        ## Possible values are "Off", "Initial", "Recreate", and "Auto".
        ##
        updateMode: Auto
  ## Node .affinity preset
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param tracking.nodeAffinityPreset.type Node affinity preset type. Ignored if `.affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param tracking.nodeAffinityPreset.key Node label key to match. Ignored if `.affinity` is set
    ##
    key: ""
    ## @param tracking.nodeAffinityPreset.values Node label values to match. Ignored if `.affinity` is set
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param tracking.affinity Affinity for mlflow pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## NOTE: `.podAffinityPreset`, `.podAntiAffinityPreset`, and `.nodeAffinityPreset` will be ignored when it's set
  ##
  affinity: {}
  ## @param tracking.nodeSelector Node labels for mlflow pods assignment
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/
  ##
  nodeSelector: {}
  ## @param tracking.tolerations Tolerations for mlflow pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param tracking.updateStrategy.type mlflow statefulset strategy type
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
  ##
  updateStrategy:
    ## StrategyType
    ## Can be set to RollingUpdate or OnDelete
    ##
    type: RollingUpdate
  ## @param tracking.priorityClassName mlflow pods' priorityClassName
  ##
  priorityClassName: ""
  ## @param tracking.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
  ##
  topologySpreadConstraints: []
  ## @param tracking.schedulerName Name of the k8s scheduler (other than default) for mlflow pods
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param tracking.terminationGracePeriodSeconds Seconds mlflow pod needs to terminate gracefully
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
  ##
  terminationGracePeriodSeconds: ""
  ## @param tracking.lifecycleHooks for the mlflow container(s) to automate configuration before or after startup
  ##
  lifecycleHooks: {}
  ## @param tracking.extraEnvVars Array with extra environment variables to add to mlflow nodes
  ## e.g:
  ## extraEnvVars:
  ##   - name: FOO
  ##     value: "bar"
  ##
  extraEnvVars: []
  ## @param tracking.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for mlflow nodes
  ##
  extraEnvVarsCM: ""
  ## @param tracking.extraEnvVarsSecret Name of existing Secret containing extra env vars for mlflow nodes
  ##
  extraEnvVarsSecret: ""
  ## @param tracking.extraVolumes Optionally specify extra list of additional volumes for the mlflow pod(s)
  ##
  extraVolumes: []
  ## @param tracking.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the mlflow container(s)
  ##
  extraVolumeMounts: []
  ## @param tracking.sidecars Add additional sidecar containers to the mlflow pod(s)
  ## e.g:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param tracking.enableDefaultInitContainers Add default init containers to the deployment
  ##
  enableDefaultInitContainers: true
  ## @param tracking.initContainers Add additional init containers to the mlflow pod(s)
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
  ## e.g:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     command: ['sh', '-c', 'echo "hello world"']
  ##
  initContainers: []
  ## @section MLflow Tracking Traffic Exposure Parameters
  ##

  ## mlflow service parameters
  ##
  service:
    ## @param tracking.service.type mlflow service type
    ##
    type: LoadBalancer
    ## @param tracking.service.ports.http mlflow service HTTP port
    ## @param tracking.service.ports.https mlflow service HTTPS port
    ##
    ports:
      http: 80
      https: 443
    ## Node ports to expose
    ## @param tracking.service.nodePorts.http Node port for HTTP
    ## @param tracking.service.nodePorts.https Node port for HTTPS
    ## NOTE: choose port between <30000-32767>
    ##
    nodePorts:
      http: ""
      https: ""
    ## @param tracking.service.clusterIP mlflow service Cluster IP
    ## e.g.:
    ## clusterIP: None
    ##
    clusterIP: ""
    ## @param tracking.service.loadBalancerIP mlflow service Load Balancer IP
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
    ##
    loadBalancerIP: ""
    ## @param tracking.service.loadBalancerSourceRanges mlflow service Load Balancer sources
    ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
    ## e.g:
    ## loadBalancerSourceRanges:
    ##   - 10.10.10.0/24
    ##
    loadBalancerSourceRanges: []
    ## @param tracking.service.labels Add labels to the service object
    ##
    labels: {}
    ## @param tracking.service.externalTrafficPolicy mlflow service external traffic policy
    ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
    ##
    externalTrafficPolicy: Cluster
    ## @param tracking.service.annotations Additional custom annotations for mlflow service
    ##
    annotations: {}
    ## @param tracking.service.extraPorts Extra ports to expose in mlflow service (normally used with the `sidecars` value)
    ##
    extraPorts: []
    ## @param tracking.service.sessionAffinity Control where client requests go, to the same pod or round-robin
    ## Values: ClientIP or None
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
    ##
    sessionAffinity: None
    ## @param tracking.service.sessionAffinityConfig Additional settings for the sessionAffinity
    ## sessionAffinityConfig:
    ##   clientIP:
    ##     timeoutSeconds: 300
    ##
    sessionAffinityConfig: {}
  ## mlflow ingress parameters
  ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
  ##
  ingress:
    ## @param tracking.ingress.enabled Enable ingress record generation for mlflow
    ##
    enabled: false
    ## @param tracking.ingress.pathType Ingress path type
    ##
    pathType: ImplementationSpecific
    ## @param tracking.ingress.hostname Default host for the ingress record
    ##
    hostname: mlflow.local
    ## @param tracking.ingress.ingressClassName IngressClass that will be used to implement the Ingress (Kubernetes 1.18+)
    ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster.
    ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
    ##
    ingressClassName: ""
    ## @param tracking.ingress.path Default path for the ingress record
    ## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers
    ##
    path: /
    ## @param tracking.ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
    ## Use this parameter to set the required annotations for cert-manager, see
    ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
    ## e.g:
    ## annotations:
    ##   kubernetes.io/ingress.class: nginx
    ##   cert-manager.io/cluster-issuer: cluster-issuer-name
    ##
    annotations: {}
    ## @param tracking.ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter
    ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`
    ## You can:
    ##   - Use the `ingress.secrets` parameter to create this TLS secret
    ##   - Rely on cert-manager to create it by setting the corresponding annotations
    ##   - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true`
    ##
    tls: false
    ## @param tracking.ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
    ##
    selfSigned: false
    ## @param tracking.ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record
    ## e.g:
    ## extraHosts:
    ##   - name: mlflow.local
    ##     path: /
    ##
    extraHosts: []
    ## @param tracking.ingress.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host
    ## e.g:
    ## extraPaths:
    ## - path: /*
    ##   backend:
    ##     serviceName: ssl-redirect
    ##     servicePort: use-annotation
    ##
    extraPaths: []
    ## @param tracking.ingress.extraTls TLS configuration for additional hostname(s) to be covered with this ingress record
    ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
    ## e.g:
    ## extraTls:
    ## - hosts:
    ##     - mlflow.local
    ##   secretName: mlflow.local-tls
    ##
    extraTls: []
    ## @param tracking.ingress.secrets Custom TLS certificates as secrets
    ## NOTE: 'key' and 'certificate' are expected in PEM format
    ## NOTE: 'name' should line up with a 'secretName' set further up
    ## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates
    ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days
    ## It is also possible to create and manage the certificates outside of this helm chart
    ## Please see README.md for more information
    ## e.g:
    ## secrets:
    ##   - name: mlflow.local-tls
    ##     key: |-
    ##       -----BEGIN RSA PRIVATE KEY-----
    ##       ...
    ##       -----END RSA PRIVATE KEY-----
    ##     certificate: |-
    ##       -----BEGIN CERTIFICATE-----
    ##       ...
    ##       -----END CERTIFICATE-----
    ##
    secrets: []
    ## @param tracking.ingress.extraRules Additional rules to be covered with this ingress record
    ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    ## e.g:
    ## extraRules:
    ## - host: example.local
    ##   http:
    ##     path: /
    ##     backend:
    ##       service:
    ##         name: example-svc
    ##         port:
    ##           name: http
    ##
    extraRules: []
  ## Network Policy configuration
  ## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param tracking.networkPolicy.enabled Enable creation of NetworkPolicy resources
    ##
    enabled: true
    ## @param tracking.networkPolicy.allowExternal The Policy model to apply
    ## When set to false, only pods with the correct client label will have network access to the ports MLFlow is
    ## listening on. When true, MLFlow will accept connections from any source (with the correct destination port).
    ##
    allowExternal: true
    ## @param tracking.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param tracking.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraIngress: []
    ## @param tracking.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraEgress: []
    ## @param tracking.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
    ## @param tracking.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
  ## @section MLflow Tracking Persistence Parameters
  ##

  ## Enable persistence using Persistent Volume Claims
  ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
  ##
  persistence:
    ## @param tracking.persistence.enabled Enable persistence using Persistent Volume Claims
    ##
    enabled: true
    ## @param tracking.persistence.mountPath Path to mount the volume at.
    ##
    mountPath: /iamguarded/mlflow
    ## @param tracking.persistence.subPath The subdirectory of the volume to mount to, useful in dev environments and one PV for multiple services
    ##
    subPath: ""
    ## @param tracking.persistence.storageClass Storage class of backing PVC
    ## If defined, storageClassName: <storageClass>
    ## If set to "-", storageClassName: "", which disables dynamic provisioning
    ## If undefined (the default) or set to null, no storageClassName spec is
    ##   set, choosing the default provisioner. (gp2 on AWS, standard on
    ##   GKE, AWS & OpenStack)
    ##
    storageClass: ""
    ## @param tracking.persistence.labels Persistent Volume labels
    ##
    labels: {}
    ## @param tracking.persistence.annotations Persistent Volume Claim annotations
    ##
    annotations: {}
    ## @param tracking.persistence.accessModes Persistent Volume Access Modes
    ##
    accessModes:
      - ReadWriteOnce
    ## @param tracking.persistence.size Size of data volume
    ##
    size: 8Gi
    ## @param tracking.persistence.existingClaim The name of an existing PVC to use for persistence
    ##
    existingClaim: ""
    ## @param tracking.persistence.selector Selector to match an existing Persistent Volume for MLflow data PVC
    ## If set, the PVC can't have a PV dynamically provisioned for it
    ## E.g.
    ## selector:
    ##   matchLabels:
    ##     app: my-app
    ##
    selector: {}
    ## @param tracking.persistence.dataSource Custom PVC data source
    ##
    dataSource: {}
  ## MLflow Tracking Generic Ephemeral Volume Parameters
  ## ref: https://kubernetes.io/docs/concepts/storage/ephemeral-volumes/#generic-ephemeral-volumes
  ##
  tmpVolume:
    ephemeral:
      ## @param tracking.tmpVolume.ephemeral.enabled Use a generic ephemeral volume for `/tmp` instead of `emptyDir`
      enabled: false
      ## @param tracking.tmpVolume.ephemeral.volumeClaimTemplate Custom `volumeClaimTemplate` for the ephemeral volume (YAML map)
      volumeClaimTemplate: {}
  ## @section MLflow Tracking Other Parameters
  ##
  serviceAccount:
    ## @param tracking.serviceAccount.create Specifies whether a ServiceAccount should be created
    ##
    create: true
    ## @param tracking.serviceAccount.name The name of the ServiceAccount to use.
    ## If not set and create is true, a name is generated using the common.names.fullname template
    ##
    name: ""
    ## @param tracking.serviceAccount.annotations Additional Service Account annotations (evaluated as a template)
    ##
    annotations: {}
    ## @param tracking.serviceAccount.automountServiceAccountToken Automount service account token for the server service account
    ##
    automountServiceAccountToken: false
  ## @section MLflow Tracking Metrics Parameters
  ##
  metrics:
    ## @param tracking.metrics.enabled Enable the export of Prometheus metrics
    ##
    enabled: false
    ## @param tracking.metrics.annotations [object] Annotations for the tracking service in order to scrape metrics
    annotations:
      prometheus.io/scrape: "true"
      prometheus.io/port: "{{ .Values.tracking.service.ports.http }}"
    ## Prometheus Operator ServiceMonitor configuration
    ##
    serviceMonitor:
      ## @param tracking.metrics.serviceMonitor.enabled if `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`)
      ##
      enabled: false
      ## @param tracking.metrics.serviceMonitor.namespace Namespace in which Prometheus is running
      ##
      namespace: ""
      ## @param tracking.metrics.serviceMonitor.annotations Additional custom annotations for the ServiceMonitor
      ##
      annotations: {}
      ## @param tracking.metrics.serviceMonitor.labels Extra labels for the ServiceMonitor
      ##
      labels: {}
      ## @param tracking.metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in Prometheus
      ##
      jobLabel: ""
      ## @param tracking.metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
      ##
      honorLabels: false
      ## @param tracking.metrics.serviceMonitor.interval Interval at which metrics should be scraped.
      ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
      ## e.g:
      ## interval: 10s
      ##
      interval: ""
      ## @param tracking.metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
      ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
      ## e.g:
      ## scrapeTimeout: 10s
      ##
      scrapeTimeout: ""
      ## @param tracking.metrics.serviceMonitor.metricRelabelings Specify additional relabeling of metrics
      ##
      metricRelabelings: []
      ## @param tracking.metrics.serviceMonitor.relabelings Specify general relabeling
      ##
      relabelings: []
      ## @param tracking.metrics.serviceMonitor.selector Prometheus instance selector labels
      ## selector:
      ##   prometheus: my-prometheus
      ##
      selector: {}
## @section MLflow Run Parameters
##
run:
  ## @param run.enabled Enable Run deployment
  ##
  enabled: true
  ## @param run.useJob Deploy as job
  ##
  useJob: false
  ## @param run.backoffLimit set backoff limit of the job
  ##
  backoffLimit: 10
  ## @param run.restartPolicy set restart policy of the job
  ##
  restartPolicy: OnFailure
  ## @param run.extraEnvVars Array with extra environment variables to add to run nodes
  ## e.g:
  ## extraEnvVars:
  ##   - name: FOO
  ##     value: "bar"
  ##
  extraEnvVars: []
  ## @param run.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for run nodes
  ##
  extraEnvVarsCM: ""
  ## @param run.extraEnvVarsSecret Name of existing Secret containing extra env vars for run nodes
  ##
  extraEnvVarsSecret: ""
  ## @param run.annotations Annotations for the run deployment
  ##
  annotations: {}
  ## @param run.command Override default container command (useful when using custom images)
  ##
  command: []
  ## @param run.args Override default container args (useful when using custom images)
  ##
  args: []
  ## @param run.terminationGracePeriodSeconds Run termination grace period (in seconds)
  ##
  terminationGracePeriodSeconds: ""
  ## @param run.customLivenessProbe Custom livenessProbe that overrides the default one
  ##
  customLivenessProbe: {}
  ## @param run.customReadinessProbe Custom readinessProbe that overrides the default one
  ##
  customReadinessProbe: {}
  ## @param run.customStartupProbe Custom startupProbe that overrides the default one
  ##
  customStartupProbe: {}
  ## run resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
  ## @param run.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if run.resources is set (run.resources is recommended for production).
  ##
  resourcesPreset: "small"
  ## @param run.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Configure Pods Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param run.podSecurityContext.enabled Enabled Run pods' Security Context
  ## @param run.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param run.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param run.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param run.podSecurityContext.fsGroup Set Run pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Configure Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param run.containerSecurityContext.enabled Enabled Run containers' Security Context
  ## @param run.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param run.containerSecurityContext.runAsUser Set Run containers' Security Context runAsUser
  ## @param run.containerSecurityContext.runAsGroup Set Run containers' Security Context runAsGroup
  ## @param run.containerSecurityContext.runAsNonRoot Set Run containers' Security Context runAsNonRoot
  ## @param run.containerSecurityContext.privileged Set Run containers' Security Context privileged
  ## @param run.containerSecurityContext.readOnlyRootFilesystem Set Run containers' Security Context readOnlyRootFilesystem
  ## @param run.containerSecurityContext.allowPrivilegeEscalation Set Run container's privilege escalation
  ## @param run.containerSecurityContext.capabilities.drop List of capabilities to be dropped from the Run container
  ## @param run.containerSecurityContext.seccompProfile.type Set Run container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
  ## @param run.lifecycleHooks for the run container(s) to automate configuration before or after startup
  ##
  lifecycleHooks: {}
  ## @param run.runtimeClassName Name of the runtime class to be used by pod(s)
  ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/
  ##https://github.com/microsoft/MlflowExamples
  runtimeClassName: ""
  ## @param run.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: false
  ## @param run.hostAliases run pods host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## @param run.labels Extra labels for the run deployment
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  labels: {}
  ## @param run.podLabels Extra labels for run pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param run.podAnnotations Annotations for run pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param run.podAffinityPreset Pod affinity preset. Ignored if `run.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param run.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `run.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Node run.affinity preset
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param run.nodeAffinityPreset.type Node affinity preset type. Ignored if `run.affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param run.nodeAffinityPreset.key Node label key to match. Ignored if `run.affinity` is set
    ##
    key: ""
    ## @param run.nodeAffinityPreset.values Node label values to match. Ignored if `run.affinity` is set
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param run.affinity Affinity for Run pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## NOTE: `run.podAffinityPreset`, `run.podAntiAffinityPreset`, and `run.nodeAffinityPreset` will be ignored when it's set
  ##
  affinity: {}
  ## @param run.nodeSelector Node labels for Run pods assignment
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/
  ##
  nodeSelector: {}
  ## @param run.tolerations Tolerations for Run pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param run.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
  ##
  topologySpreadConstraints: []
  ## @param run.priorityClassName Run pods' priorityClassName
  ##
  priorityClassName: ""
  ## @param run.schedulerName Kubernetes pod scheduler registry
  ## https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param run.updateStrategy.type Run statefulset strategy type
  ## @param run.updateStrategy.rollingUpdate Run statefulset rolling update configuration parameters
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
  ##
  updateStrategy:
    type: RollingUpdate
    rollingUpdate: {}
  ## @param run.extraVolumes Optionally specify extra list of additional volumes for the Run pod(s)
  ##
  extraVolumes: []
  ## @param run.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Run container(s)
  ##
  extraVolumeMounts: []
  ## @param run.sidecars Add additional sidecar containers to the Run pod(s)
  ## e.g:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param run.enableDefaultInitContainers Deploy default init containers
  ##
  enableDefaultInitContainers: true
  ## @param run.initContainers Add additional init containers to the Run pod(s)
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
  ## e.g:
  ## initContainers:
  ##  - name: your-image-name
  ##    image: your-image
  ##    imagePullPolicy: Always
  ##    command: ['sh', '-c', 'echo "hello world"']
  ##
  initContainers: []
  ## Network Policy configuration
  ## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param run.networkPolicy.enabled Enable creation of NetworkPolicy resources
    ##
    enabled: true
    ## @param run.networkPolicy.allowExternal The Policy model to apply
    ## When set to false, only pods with the correct client label will have network access to the ports MLflow is
    ## listening on. When true, MLflow will accept connections from any source (with the correct destination port).
    ##
    allowExternal: true
    ## @param run.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param run.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraIngress: []
    ## @param run.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraEgress: []
    ## @param run.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
    ## @param run.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
  ## Source code parameters
  ##
  source:
    ## @param run.source.type Where the source comes from: Possible values: configmap, git, custom
    ##
    type: "configmap"
    ## @param run.source.launchCommand deepspeed command to run over the project
    ##
    launchCommand: ""
    ## @param run.source.configMap List of files of the project
    ##
    configMap: {}
    ## @param run.source.existingConfigMap Name of a configmap containing the files of the project
    ##
    existingConfigMap: ""
    git:
      ## @param run.source.git.repository Repository that holds the files
      ##
      repository: ""
      ## @param run.source.git.revision Revision from the repository to checkout
      ##
      revision: ""
      ## @param run.source.git.extraVolumeMounts Add extra volume mounts for the Git container
      ## Useful to mount keys to connect through ssh. (normally used with extraVolumes)
      ## E.g:
      ## extraVolumeMounts:
      ##   - name: ssh-dir
      ##     mountPath: /.ssh/
      ##
      extraVolumeMounts: []
  ## Service account for Run to use
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
  ##
  serviceAccount:
    ## @param run.serviceAccount.create Enable creation of ServiceAccount for Run pods
    ##
    create: true
    ## @param run.serviceAccount.name The name of the ServiceAccount to use
    ## If not set and create is true, a name is generated using the common.names.fullname template
    ##
    name: ""
    ## @param run.serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
    ## Can be set to false if pods using this serviceAccount do not need to use K8s API
    ##
    automountServiceAccountToken: false
    ## @param run.serviceAccount.annotations Additional custom annotations for the ServiceAccount
    ##
    annotations: {}
  ## @section Mlflow Run persistence parameters
  ## Enable persistence using Persistent Volume Claims
  ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
  ##
  persistence:
    ## @param run.persistence.enabled Use a PVC to persist data
    ##
    enabled: false
    ## @param run.persistence.storageClass Persistent Volume Storage Class for the run data
    ## If defined, storageClassName: <storageClass>
    ## If set to "-", storageClassName: "", which disables dynamic provisioning
    ## If undefined (the default) or set to null, no storageClassName spec is
    ##   set, choosing the default provisioner. (gp2 on AWS, standard on
    ##   GKE, AWS & OpenStack)
    ##
    storageClass: ""
    ## @param run.persistence.existingClaim Use an existing PVC, which must be created manually before it can be bound
    ##
    existingClaim: ""
    ## @param run.persistence.mountPath Path to mount the volume at
    ##
    mountPath: /iamguarded/mlflow/data
    ## @param run.persistence.subPath subPath to use for mounting the volume
    ##
    subPath: ""
    ## @param run.persistence.accessModes Persistent Volume Access Mode
    ##
    accessModes:
      - ReadWriteOnce
    ## @param run.persistence.dataSource Custom PVC data source
    ##
    dataSource: {}
    ## @param run.persistence.selector Selector to match an existing Persistent Volume for the run data PVC
    ## If set, the PVC can't have a PV dynamically provisioned for it
    ## E.g.
    ## selector:
    ##   matchLabels:
    ##     app: my-app
    ##
    selector: {}
    ## @param run.persistence.size Size of data volume
    ##
    size: 8Gi
    ## @param run.persistence.labels Persistent Volume labels
    ##
    labels: {}
    ## @param run.persistence.annotations Persistent Volume annotations
    ##
    annotations: {}
## @section Init Container Parameters
##

## 'volumePermissions' init container parameters
## Changes the owner and group of the persistent volume mount point to runAsUser:fsGroup values
##   based on the *podSecurityContext/*containerSecurityContext parameters
##
volumePermissions:
  ## @param volumePermissions.enabled Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup`
  ##
  enabled: false
  ## OS Shell + Utility image
  ## @param volumePermissions.image.registry [default: REGISTRY_NAME] OS Shell + Utility image registry
  ## @param volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] OS Shell + Utility image repository
  ## @skip volumePermissions.image.tag OS Shell + Utility image tag (immutable tags are recommended)
  ## @param volumePermissions.image.pullPolicy OS Shell + Utility image pull policy
  ## @param volumePermissions.image.pullSecrets OS Shell + Utility image pull secrets
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/iamguarded-charts/os-shell-iamguarded
    tag: 1.0.0
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## e.g:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
    digest: ""
  ## Init container's resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
  ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Init container Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param volumePermissions.containerSecurityContext.enabled Set container security context settings
  ## @param volumePermissions.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param volumePermissions.containerSecurityContext.runAsUser Set init container's Security Context runAsUser
  ## NOTE: when runAsUser is set to special value "auto", init container will try to chown the
  ##   data folder to auto-determined user&group, using commands: `id -u`:`id -G | cut -d" " -f2`
  ##   "auto" is especially useful for OpenShift which has scc with dynamic user ids (and 0 is not allowed)
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 0
waitContainer:
  ## @param waitContainer.image.registry [default: REGISTRY_NAME] Init container wait-container image registry
  ## @param waitContainer.image.repository [default: REPOSITORY_NAME/os-shell] Init container wait-container image name
  ## @skip waitContainer.image.tag Init container wait-container image tag
  ## @param waitContainer.image.digest Init container wait-container image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/os-shell-iamguarded
    tag: 1.0.0
    digest: ""
    ## @param waitContainer.image.pullPolicy Init container wait-container image pull policy
    ##
    pullPolicy: IfNotPresent
    ## @param waitContainer.image.pullSecrets [array] Specify docker-registry secret names as an array
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## e.g:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
  ## Configure Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param waitContainer.containerSecurityContext.enabled Enabled containers' Security Context
  ## @param waitContainer.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param waitContainer.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param waitContainer.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param waitContainer.containerSecurityContext.runAsNonRoot Set containers' Security Context runAsNonRoot
  ## @param waitContainer.containerSecurityContext.privileged Set containers' Security Context privileged
  ## @param waitContainer.containerSecurityContext.readOnlyRootFilesystem Set containers' Security Context readOnlyRootFilesystem
  ## @param waitContainer.containerSecurityContext.allowPrivilegeEscalation Set container's privilege escalation
  ## @param waitContainer.containerSecurityContext.capabilities.drop List of capabilities to be dropped from the container
  ## @param waitContainer.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
## @section PostgreSQL chart configuration
## @param postgresql.enabled Switch to enable or disable the PostgreSQL helm chart
## @param postgresql.auth.username Name for a custom user to create
## @param postgresql.auth.password Password for the custom user to create
## @param postgresql.auth.database Name for a custom database to create
## @param postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials
## @param postgresql.architecture PostgreSQL architecture (`standalone` or `replication`)
## @param postgresql.primary.service.ports.postgresql PostgreSQL service port
##
postgresql:
  enabled: true
  auth:
    username: bn_mlflow
    password: ""
    database: iamguarded_mlflow
    existingSecret: ""
  architecture: standalone
  primary:
    service:
      ports:
        postgresql: 5432
    ## @param postgresql.primary.initdb.scripts [object] Map with init scripts for the PostgreSQL database
    initdb:
      scripts:
        # For authentication, Mlflow requires a different database in order to work
        create_auth_db.sh: |
          #!/bin/bash
          PGPASSWORD=$POSTGRES_POSTGRES_PASSWORD psql -U postgres <<< "CREATE DATABASE {{ include "mlflow.v0.database-auth.name" . }}"
          PGPASSWORD=$POSTGRES_POSTGRES_PASSWORD psql -U postgres <<< "GRANT ALL PRIVILEGES ON DATABASE {{ include "mlflow.v0.database-auth.name" . }} to {{ .Values.auth.username }}"
          PGPASSWORD=$POSTGRES_POSTGRES_PASSWORD psql -U postgres <<< "ALTER DATABASE {{ include "mlflow.v0.database-auth.name" . }} OWNER TO {{ .Values.auth.username }}"
## @section External PostgreSQL configuration
## All of these values are only used when postgresql.enabled is set to false
## @param externalDatabase.dialectDriver Database Dialect(+Driver)
## @param externalDatabase.host Database host
## @param externalDatabase.port Database port number
## @param externalDatabase.user Non-root username
## @param externalDatabase.password Password for the non-root username
## @param externalDatabase.database Database name
## @param externalDatabase.authDatabase Database name for the auth module (only if tracking.auth.enabled=true)
## @param externalDatabase.existingSecret Name of an existing secret resource containing the database credentials
## @param externalDatabase.existingSecretPasswordKey Name of an existing secret key containing the database credentials
##
externalDatabase:
  dialectDriver: "postgresql"
  host: ""
  port: 5432
  user: postgres
  database: mlflow
  authDatabase: mlflow_auth
  password: ""
  existingSecret: ""
  existingSecretPasswordKey: "db-password"
## @section MinIO® chart parameters
##
minio:
  ## @param minio.enabled Enable/disable MinIO® chart installation
  ## to be used as an objstore for Mlflow
  ##
  enabled: true
  ## MinIO® authentication parameters
  ##
  auth:
    ## @param minio.auth.rootUser MinIO® root username
    ##
    rootUser: admin
    ## @param minio.auth.rootPassword Password for MinIO® root user
    ##
    rootPassword: ""
    ## @param minio.auth.existingSecret Name of an existing secret containing the MinIO® credentials
    ##
    existingSecret: ""
  ## @param minio.defaultBuckets Comma, semi-colon or space separated list of MinIO® buckets to create
  ##
  defaultBuckets: "mlflow"
  ## @param minio.provisioning.enabled Enable/disable MinIO® provisioning job
  ## @param minio.provisioning.extraCommands Extra commands to run on MinIO® provisioning job
  ##
  provisioning:
    enabled: true
    # We need to allow downloads in order for the UI to work
    extraCommands: ["mc anonymous set download provisioning/mlflow"]
  ## @param minio.tls.enabled Enable/disable MinIO® TLS support
  ##
  tls:
    enabled: false
  ## @param minio.service.type MinIO® service type
  ## @param minio.service.loadBalancerIP MinIO® service LoadBalancer IP
  ## @param minio.service.ports.api MinIO® service port
  ##
  service:
    type: ClusterIP
    loadBalancerIP: ""
    ports:
      api: 80
  ## @param minio.console.enabled Enable MinIO® Console
  ##
  console:
    enabled: false
1422
## @section External S3 parameters
1423
## All of these values are only used when minio.enabled is set to false
1424
## @param externalS3.host External S3 host. When using AWS S3, include appropriate [regional code](https://docs.aws.amazon.com/general/latest/gr/s3.html#s3_region), e.g. "eu-central-1.amazonaws.com
1425
## @param externalS3.port External S3 port number
1426
## @param externalS3.useCredentialsInSecret Whether to use a secret to store the S3 credentials
1427
## @param externalS3.accessKeyID External S3 access key ID
1428
## @param externalS3.accessKeySecret External S3 access key secret
1429
## @param externalS3.existingSecret Name of an existing secret resource containing the S3 credentials
1430
## @param externalS3.existingSecretAccessKeyIDKey Name of an existing secret key containing the S3 access key ID
1431
## @param externalS3.existingSecretKeySecretKey Name of an existing secret key containing the S3 access key secret
1432
## @param externalS3.protocol External S3 protocol
1433
## @param externalS3.bucket External S3 bucket
1434
## @param externalS3.serveArtifacts Whether artifact serving is enabled
1435
##
1436
externalS3:
1437
host: ""
1438
port: 443
1439
useCredentialsInSecret: true
1440
accessKeyID: ""
1441
accessKeySecret: ""
1442
existingSecret: ""
1443
existingSecretAccessKeyIDKey: "root-user"
1444
existingSecretKeySecretKey: "root-password"
1445
protocol: "https"
1446
bucket: "mlflow"
1447
serveArtifacts: true
1448
## @section External Google Cloud Storage parameters
## All of these values are only used when minio.enabled is set to false and externalS3 is not configured (host is empty)
## @param externalGCS.bucket GCS bucket name. Activate gcs artifact storage if set
## @param externalGCS.googleCloudProject Google Cloud Project to use (optional, needed when using "default application credentials")
## @param externalGCS.useCredentialsInSecret Whether to read the GCS application credentials from a secret
## @param externalGCS.existingSecret Name of an existing secret key containing the application credentials file (required when useCredentialsInSecret is true)
## @param externalGCS.existingSecretKey Key in the existing secret containing the application credentials (required when useCredentialsInSecret is true)
## @param externalGCS.serveArtifacts Whether artifact serving is enabled
##
externalGCS:
  bucket: ""
  googleCloudProject: ""
  useCredentialsInSecret: false
  existingSecret: ""
  existingSecretKey: ""
  serveArtifacts: true
## @section External Azure Blob Storage parameters
## All of these values are only used when minio.enabled is set to false and externalS3 is not configured (host is empty)
## and externalGCS is not configured (bucket is empty).
## @param externalAzureBlob.storageAccount Azure Blob Storage account name. Activate azure artifact storage if set.
## @param externalAzureBlob.accessKey Azure Blob Storage access key. Optional if connectionString is set.
## @param externalAzureBlob.connectionString Azure Blob Storage connection string. Optional if accessKey is set.
## @param externalAzureBlob.containerName Azure Blob Storage container name
## @param externalAzureBlob.clientId Azure Blob Storage client ID
## @param externalAzureBlob.tenantId Azure Blob Storage tenant ID
## @param externalAzureBlob.clientSecret Azure Blob Storage client secret
## @param externalAzureBlob.useCredentialsInSecret Whether to read the Azure Blob Storage credentials from a secret
## @param externalAzureBlob.existingSecret Name of an existing secret key containing the Azure Blob Storage credentials (required when useCredentialsInSecret is true)
## @param externalAzureBlob.existingAccessKeyKey Key in the existing secret containing the Azure Blob Storage access key (required when useCredentialsInSecret is true)
## @param externalAzureBlob.existingConnectionStringKey Key in the existing secret containing the Azure Blob Storage connection string (required when useCredentialsInSecret is true)
## @param externalAzureBlob.clientSecretKey Key in the existing secret containing the Azure Blob Storage client secret (required when useCredentialsInSecret is true)
## @param externalAzureBlob.serveArtifacts Whether artifact serving is enabled
##
externalAzureBlob:
  storageAccount: ""
  accessKey: ""
  connectionString: ""
  containerName: "mlflow"
  clientId: ""
  tenantId: ""
  clientSecret: ""
  useCredentialsInSecret: false
  existingSecret: ""
  existingAccessKeyKey: ""
  existingConnectionStringKey: ""
  clientSecretKey: ""
  serveArtifacts: true
