consume a Secret in a volume in a Pod

[prathamsolanki]

Hi,

My code responsible for generating the predictions has to load the model from gcs and thus it needs the appropriate authentication.

I'm trying the approach of using a secret and mounting it as a volume to the container like this:

---
apiVersion: machinelearning.seldon.io/v1alpha2
kind: SeldonDeployment
metadata:
  labels:
    app: seldon
  name: "seldon-deployment"
  namespace: seldon-core-1
spec:
  annotations:
    project_name: Pipeline
    deployment_version: v1
  name: "seldon-deployment"
  oauth_key: oauth-key
  oauth_secret: oauth-secret
  predictors:
  - componentSpecs:
    - spec:
        containers:
        - image: registrypreprocess
          imagePullPolicy: Always
          name: preprocess
          resources:
            requests:
              memory: 1Mi
        - image: registrytrain
          volumeMounts:
            - name: secret-volume
              mountPath: "/etc/secret-volume"
          imagePullPolicy: Always
          name: train
        imagePullSecrets:
        - name: gitlab-auth
        volumes:
          - name: secret-volume
            secret:
              secretName: user-gcp-sa
        terminationGracePeriodSeconds: 20
    graph:
      children:
      - name: train
        endpoint:
          type: REST
        type: MODEL
        children: []
      name: preprocess
      endpoint:
        type: REST
      type: MODEL
    name: single-model
    replicas: 1
    annotations:
      predictor_version: v1

However, the deployment status fails. When I describe the deployment it shows the following:

Status:
  Description:  Cannot find field: secret in message k8s.io.api.core.v1.Volume
  State:        Failed
Events:         <none>

I do not really know what I'm doing wrong here.

[ukclivecox]

Which version of Seldon are you running?
Can you show the create yaml for the deployment?

[prathamsolanki]

Which version of Seldon are you running?

v0.2.7

Can you show the create yaml for the deployment?

import kfp.dsl as dsl
import yaml
from kubernetes import client as k8s
import kfp.gcp as gcp


@dsl.pipeline(
	name='demo',
	description='pipeline for demo')


def demo_pipeline():
	getdata_step = dsl.ContainerOp(
		name='get_data',
		image='registry/get_data',
		command="python",
		arguments=[
			"/microservice/get_data.py"
		]
	)

	preprocess_step=dsl.ContainerOp(
		name='preprocess',
		image='registry/preprocess',
		command="python",
		arguments=[
			"/microservice/preprocess.py"
		]
	)

	preprocess_step.after(getdata_step)

	train_step=dsl.ContainerOp(
		name='train',
		image='registry/train',
		command="python",
		arguments=[
			"/microservice/model.py"
		]
	)

	train_step.after(preprocess_step)

	steps=[getdata_step,preprocess_step,train_step]

	for step in steps:
		step.apply(gcp.use_gcp_secret('user-gcp-sa')) 
		
	try:
		seldon_config = yaml.load(open("../deploy_pipeline/seldon_production_pipeline.yaml"))
	except:
        # If this file is run from the project core directory
		seldon_config = yaml.load(open("deploy_pipeline/seldon_production_pipeline.yaml"))
		
	deploy_step = dsl.ResourceOp(
        name="seldondeploy",
        k8s_resource=seldon_config,
        attribute_outputs={"name": "{.metadata.name}"})
		
	deploy_step.after(train_step)


if __name__ == '__main__':
	import kfp.compiler as compiler
	compiler.Compiler().compile(demo_pipeline, 'demo.tar.gz')

[ukclivecox]

OK yes this is an issue with <=0.2.7 It can be solved by using a more verbose way of providing the volume. See #116 (comment)

This is fixed in version >0.2.7

[prathamsolanki]

It worked with the workaround you mentioned for <=0.2.7. The deployment is available at the endpoint. Now I'll try pinging it with some requests. In parallel I'm also deploying the version 0.4.

Thank you for your help Mr. CTO @cliveseldon