first cut at runpod credentials

Signed-off-by: David Young <[email protected]>

Author: funkypenguin

charts/stable/skypilot/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: skypilot
 description: A Helm chart for deploying SkyPilot API server on Kubernetes
 type: application
-version: 0.0.1-pre-05
+version: 0.0.1-pre-06
 appVersion: "0.0"
 dependencies:
   - name: ingress-nginx

charts/stable/skypilot/templates/NOTES.txt

@@ -0,0 +1,3 @@
+{{- if not .Values.apiService.skipResourceCheck }}
+{{- include "skypilot.checkResources" . }}
+{{- end }}

charts/stable/skypilot/templates/_helpers.tpl

@@ -0,0 +1,45 @@
+{{- define "skypilot.checkResources" -}}
+{{- $cpu := .Values.apiService.resources.requests.cpu | default "0" -}}
+{{- $memory := .Values.apiService.resources.requests.memory | default "0" -}}
+
+{{- /* Convert CPU to numeric value */ -}}
+{{- $cpuNum := 0.0 -}}
+{{- if kindIs "string" $cpu -}}
+  {{- if hasSuffix "m" $cpu -}}
+    {{- $cpuNum = float64 (divf (trimSuffix "m" $cpu | atoi) 1000) -}}
+  {{- else -}}
+    {{- $cpuNum = float64 ($cpu | atoi) -}}
+  {{- end -}}
+{{- else -}}
+  {{- $cpuNum = float64 $cpu -}}
+{{- end -}}
+
+{{- /* Convert memory to Gi */ -}}
+{{- $memNum := 0.0 -}}
+{{- if hasSuffix "Gi" $memory -}}
+  {{- $memNum = float64 (trimSuffix "Gi" $memory | atoi) -}}
+{{- else if hasSuffix "Mi" $memory -}}
+  {{- $memNum = float64 (divf (trimSuffix "Mi" $memory | atoi) 1024) -}}
+{{- else if hasSuffix "G" $memory -}}
+  {{- $memNum = float64 ($memory | trimSuffix "G" | atoi) -}}
+{{- else if hasSuffix "M" $memory -}}
+  {{- $memNum = float64 (divf (trimSuffix "M" $memory | atoi) 1024) -}}
+{{- end -}}
+
+{{- if or (lt $cpuNum 4.0) (lt $memNum 8.0) -}}
+{{/* TODO(aylei): add a reference to the tuning guide once complete */}}
+  {{- fail "Error\nDeploying a SkyPilot API server requires at least 4 CPU cores and 8 GiB memory. You can either:\n1. Change `--set apiService.resources.requests.cpu` and `--set apiService.resources.requests.memory` to meet the requirements or unset them to use defaults\n2. add `--set apiService.skipResourceCheck=true` in command args to bypass this check (not recommended for production)\nto resolve this issue and then try again." -}}
+{{- end -}}
+
+{{- end -}} 
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "skypilot.serviceAccountName" -}}
+{{- if .Values.rbac.serviceAccountName -}}
+{{ .Values.rbac.serviceAccountName }}
+{{- else -}}
+{{ .Release.Name }}-api-sa
+{{- end -}}
+{{- end -}} 

charts/stable/skypilot/templates/api-deployment.yaml

@@ -17,11 +17,11 @@ spec:
         app: {{ .Release.Name }}-api
     spec:
       automountServiceAccountToken: {{ .Values.kubernetesCredentials.useApiServerCluster }}
-      serviceAccountName: {{ .Release.Name }}-api-sa
+      serviceAccountName: {{ include "skypilot.serviceAccountName" . }}
       {{- with .Values.podSecurityContext }}
       securityContext:
         {{- toYaml . | nindent 8 }}
-      {{- end }}
+      {{- end }}      
       runtimeClassName: {{ .Values.runtimeClassName }}
       containers:
       - name: skypilot-api
@@ -62,9 +62,8 @@ spec:
           {{- if .Values.apiService.config }}
           mkdir -p /root/.sky
           echo "Copying config.yaml from ConfigMap \`skypilot-config\` to /root/.sky/config.yaml"
-          # The configmap serves as the ground truth for the config.yaml file.
-          # Any local changes to the config.yaml file will be overwritten by the contents of the configmap.
-          cp /tmp/config.yaml /root/.sky/config.yaml
+          # The configmap serves as the ground truth for the config.yaml file, read-only
+          ln -sf /var/skypilot/config/config.yaml /root/.sky/config.yaml
           {{- end }}
 
           if sky api start -h | grep -q -- "--foreground"; then
@@ -101,8 +100,7 @@ spec:
         {{- end }}
         {{- if .Values.apiService.config }}
         - name: skypilot-config
-          mountPath: /tmp/config.yaml
-          subPath: config.yaml
+          mountPath: /var/skypilot/config
         {{- end }}
         {{- if .Values.awsCredentials.enabled }}
         - name: aws-config
@@ -126,7 +124,7 @@ spec:
         {{- with .Values.securityContext }}
         securityContext:
           {{- toYaml . | nindent 10 }}
-        {{- end }}      
+        {{- end }}
         image: {{ .Values.apiService.image }}
         command: ["/bin/sh", "-c"]
         args:
@@ -161,7 +159,7 @@ spec:
         {{- with .Values.securityContext }}
         securityContext:
           {{- toYaml . | nindent 10 }}
-        {{- end }}      
+        {{- end }}
         image: google/cloud-sdk:latest
         command: ["/bin/sh", "-c"]
         env:
@@ -178,6 +176,36 @@ spec:
         - name: gcp-config
           mountPath: /root/.config/gcloud
       {{- end }}
+      {{- if .Values.runpodCredentials.enabled }}
+      - name: create-runpod-credentials
+        {{- with .Values.securityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        image: {{ .Values.apiService.image }}
+        command: ["/bin/sh", "-c"]
+        args:
+        - |
+          echo "Setting up RunPod credentials..."
+          if [ -n "$RUNPOD_API_KEY" ]; then
+            echo "RunPod credentials found in environment variable."
+            mkdir -p /root/.runpod
+            echo "[default]" > /root/.runpod/config.toml
+            echo "api_key = \"$RUNPOD_API_KEY\"" >> /root/.runpod/config.toml
+          else
+            echo "RunPod credentials not found in environment variables. Skipping credentials setup."
+            sleep 600
+          fi
+        env:
+        - name: RUNPOD_API_KEY
+          valueFrom:
+            secretKeyRef:
+              name: runpod-credentials
+              key: api_key
+        volumeMounts:
+        - name: runpod-config
+          mountPath: /root/.runpod
+      {{- end }}      
       volumes:
       {{- if .Values.storage.enabled }}
       - name: state-volume
@@ -191,14 +219,17 @@ spec:
       - name: aws-config
         emptyDir: {}
       {{- end }}
-
       {{- if .Values.gcpCredentials.enabled }}
       - name: gcp-credentials
         secret:
           secretName: gcp-credentials
       - name: gcp-config
         emptyDir: {}
       {{- end }}
+      {{- if .Values.runpodCredentials.enabled }}
+      - name: runpod-config
+        emptyDir: {}
+      {{- end }}
       {{- if .Values.kubernetesCredentials.useKubeconfig }}
       - name: kube-config
         secret:

charts/stable/skypilot/templates/ingress-nodeport.yaml

@@ -1,4 +1,18 @@
-{{- if and .Values.ingress.nodePortEnabled (index .Values "ingress-nginx" "enabled") }}
+{{- /* TODO(aylei): remove this template in v0.9.0 release */ -}}
+{{- $createNodePort := false -}}
+{{- if eq .Values.ingress.nodePortEnabled nil -}}
+  {{- /* Keep existing NodePort service if ingress.nodePortEnabled is not set */ -}}
+  {{- $existingService := lookup "v1" "Service" .Release.Namespace (printf "%s-ingress-controller-np" .Release.Name) -}}
+  {{- if $existingService -}}
+    {{- /* If there is an existing legacy NodePort service, error out and ask user to set ingress.nodePortEnabled explicitly */ -}}
+    {{- fail (printf "Service %s-ingress-controller-np is deprecated and will be removed in SkyPilot v0.9.0. Refer to https://docs.skypilot.co/en/latest/reference/api-server/api-server-admin-deploy.html#sky-migrate-legacy-service for migration steps." .Release.Name) -}}
+  {{- end -}}
+{{- else -}}
+  {{- /* Use explicitly set value */ -}}
+  {{- $createNodePort = .Values.ingress.nodePortEnabled -}}
+{{- end -}}
+
+{{- if and $createNodePort (index .Values "ingress-nginx" "enabled") }}
 apiVersion: v1
 kind: Service
 metadata:
@@ -23,4 +37,4 @@ spec:
     app.kubernetes.io/component: controller
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/name: ingress-nginx
-{{- end}}
+{{- end }}

charts/stable/skypilot/templates/rbac.yaml

@@ -1,3 +1,7 @@
+{{- if .Values.rbac.create }}
+{{- if .Values.rbac.rules }}
+{{- fail "`.rbac.rules` is deprecated. Please use `.rbac.namespaceRules` and `.rbac.clusterRules` instead" }}
+{{- end }}
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -10,7 +14,7 @@ kind: ClusterRole
 metadata:
   name: {{ .Release.Name }}-api-role
 rules:
-{{ toYaml .Values.rbac.rules | indent 2 }}
+{{ toYaml .Values.rbac.clusterRules | indent 2 }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -24,3 +28,46 @@ roleRef:
   kind: ClusterRole
   name: {{ .Release.Name }}-api-role
   apiGroup: rbac.authorization.k8s.io
+---
+{{- $namespaces := list }}
+{{- range .Values.rbac.grantedNamespaces }}
+{{- $namespaces = append $namespaces .namespace }}
+{{- end }}
+{{- $namespaces = append $namespaces .Release.Namespace | uniq }}
+{{- range $namespaces }}
+{{/* Create namespaces in advance to enable RBAC rules, filter out the release namespace in case user accidentally added it to grantedNamespaces*/}}
+{{- if and (ne . $.Release.Namespace) (not (lookup "v1" "Namespace" "" .)) }}
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ . }}
+  annotations:
+    {{/* Keep the namespace when uninstalling the chart, so that the deployed sky resources (if any) can still work even if the API server get uninstalled */}}
+    helm.sh/resource-policy: keep
+{{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $.Release.Name }}-api-role
+  namespace: {{ . }}
+rules:
+{{ toYaml $.Values.rbac.namespaceRules | indent 2 }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $.Release.Name }}-api-role-binding
+  namespace: {{ . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ $.Release.Name }}-api-sa
+  namespace: {{ $.Release.Namespace }}
+roleRef:
+  kind: Role
+  name: {{ $.Release.Name }}-api-role
+  apiGroup: rbac.authorization.k8s.io
+---
+{{- end }}
+{{- end }}