From bdef5ae828976aee7eeb4d71276f8f6fa312fe1e Mon Sep 17 00:00:00 2001 From: blaise-muhirwa Date: Wed, 18 Oct 2023 23:19:44 +0000 Subject: [PATCH 01/21] initial commit --- .github/workflows/pipeline.yaml | 77 ++++++++++++++++++++++++++++++++- .gitignore | 3 ++ Dockerfile | 11 +++++ Makefile | 6 +++ certs/generate-tls-certs.sh | 35 +++++++++++++++ certs/openssl-custom.cnf | 13 ++++++ pyproject.toml | 6 +-- 7 files changed, 147 insertions(+), 4 deletions(-) create mode 100755 certs/generate-tls-certs.sh create mode 100644 certs/openssl-custom.cnf diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 27e57443..fc29c2e0 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml 
@@ -211,4 +211,79 @@ jobs: # This ensures that we always stop the container regardless of the outcomes of # the previous steps if: always() - run: docker stop ${{ steps.start_container.outputs.container_id }} \ No newline at end of file + run: docker stop ${{ steps.start_container.outputs.container_id }} + + test-sdk-with-https: + runs-on: ubuntu-22.04 + steps: + - name: Check out code + uses: actions/checkout@v3 + + - name: Set up python + uses: actions/setup-python@v4 + with: + python-version: ${{ env.PYTHON_VERSION }} + + - name: Generate TLS Certificate + run: make generate-tls-cert + + - name: Install Docker + run: | + sudo apt-get update + sudo apt-get remove moby-runc + sudo apt-get install apt-transport-https ca-certificates curl software-properties-common + curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - + sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" + sudo apt-get update + sudo apt-get install docker-ce + + - name: Build Docker Image + run: docker build --tag groundlight-edge . + + - name: Start Docker Container + id: start_container + run: | + source test/setup_plain_test_env.sh + echo "EDGE_CONFIG=$EDGE_CONFIG" + container_id=$(docker run \ + -e LOG_LEVEL=DEBUG \ + -e EDGE_CONFIG \ + -d -p 6717:443 \ + groundlight-edge) + echo "::set-output name=container_id::$container_id" + + - name: Install poetry + uses: snok/install-poetry@v1 + with: + version: ${{ env.POETRY_VERSION }} + virtualenvs-create: true + virtualenvs-in-project: true + installer-parallel: true + + # Note that we're pulling the latest main from the SDK repo + # This might be ahead of what's published to pypi, but it's useful to test things before they're released. 
+ - name: Checkout Groundlight SDK + uses: actions/checkout@v3 + with: + repository: groundlight/python-sdk + path: groundlight-sdk + + - name: Install Groundlight SDK dependencies + run: | + cd groundlight-sdk + poetry install + + - name: Load Cached venv + id: cached-poetry-dependencies + uses: actions/cache@v3 + with: + path: .venv + key: venv-${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}-${{hashFiles('**/poetry.lock') }} + + - name: Run SDK tests + run: | + export TLS_VERIFY=0 # disable TLS verification + GROUNDLIGHT_ENDPOINT=https://localhost:6717 + cd groundlight-sdk + poetry run pytest + cd .. diff --git a/.gitignore b/.gitignore index 641d1d43..f149419f 100644 --- a/.gitignore +++ b/.gitignore @@ -9,6 +9,9 @@ __pycache__/ # C extensions *.so +# SSL-related +certs/ssl/ + # Distribution / packaging .Python build/ diff --git a/Dockerfile b/Dockerfile index bf2a1619..4ed21ce9 100644 --- a/Dockerfile +++ b/Dockerfile @@ -59,6 +59,13 @@ COPY configs ${APP_ROOT}/configs COPY deploy/k3s/inference_deployment/inference_deployment_template.yaml \ /etc/groundlight/inference-deployment/ +RUN mkdir /etc/nginx/ssl + +# Check if the TLS certificate and private key are present in the build context +RUN if [ -f certs/ssl/nginx_ed25519.key ] && [ -f certs/ssl/nginx_ed25519.crt ]; then \ + cp certs/ssl/nginx_ed25519.key /etc/nginx/ssl/nginx_ed25519.key; \ + cp certs/ssl/nginx_ed25519.crt /etc/nginx/ssl/nginx_ed25519.crt; \ + fi ################## # Production Stage @@ -77,6 +84,10 @@ WORKDIR ${APP_ROOT} COPY /app ${APP_ROOT}/app/ COPY --from=production-dependencies-build-stage ${APP_ROOT}/configs/nginx.conf /etc/nginx/nginx.conf +COPY --from=production-dependencies-build-stage /etc/nginx/ssl /etc/nginx/ssl + +# Update certificates +RUN update-ca-certificates # Remove default nginx config RUN rm /etc/nginx/sites-enabled/default diff --git a/Makefile b/Makefile index 131c7d38..6475c0f3 100644 --- a/Makefile +++ b/Makefile 
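Review bot: `GROUNDLIGHT_ENDPOINT=https://localhost:6717` in the Run SDK tests step is a plain shell assignment rather than an export, so `poetry run pytest` never sees it and the SDK tests presumably run against the SDK's default endpoint instead of the HTTPS container started above; write `export GROUNDLIGHT_ENDPOINT=https://localhost:6717`. Once that is fixed, `export TLS_VERIFY=0` switches off the very check this job exists to exercise — the self-signed certificate from `make generate-tls-cert` is already on the runner, so pointing the client at it (for a requests-based client, `export REQUESTS_CA_BUNDLE=$PWD/certs/ssl/nginx_ed25519.crt`; confirm which variable the SDK honours) would test the HTTPS path with verification on. Two smaller points in the same job: `::set-output` is deprecated in favour of `echo "container_id=$container_id" >> "$GITHUB_OUTPUT"`, and `apt-key add` is deprecated on Ubuntu 22.04 — the Docker signing key belongs under `/etc/apt/keyrings` with a `signed-by=` clause in the repository line.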
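Review bot: The conditional `cp` of `certs/ssl/nginx_ed25519.key` bakes the TLS private key into a build-stage layer, and `COPY --from=production-dependencies-build-stage /etc/nginx/ssl /etc/nginx/ssl` then carries it into the production image, so anyone who can pull the image can extract the key. Keep the key out of the image and mount it at runtime (a bind mount for `docker run`, a Secret volume on k3s) so nginx reads `/etc/nginx/ssl` only on the host that owns the key. `RUN update-ca-certificates` also appears to be a no-op here: it rebuilds the system trust store from `/usr/local/share/ca-certificates`, and nothing is placed there — either drop it or, if in-container clients are meant to trust the self-signed certificate, copy the `.crt` into that directory first.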
@@ -19,3 +19,9 @@ lint: install-lint ## Run linter to check formatting and style format: install-lint ## Run standard python formatting ./code-quality/format ${LINT_PATHS} + +# OpenSSL related commands +generate-tls-certs: + mkdir -p certs/ssl + ./certs/generate_tls_cert.sh + sudo chmod 644 certs/ssl/* diff --git a/certs/generate-tls-certs.sh b/certs/generate-tls-certs.sh new file mode 100755 index 00000000..c8adb717 --- /dev/null +++ b/certs/generate-tls-certs.sh @@ -0,0 +1,35 @@ +#!/bin/bash + +set -ex + +# Function to check if openssl is installed. If not exist +# then install it. +check_openssl() { + if ! command -v openssl &> /dev/null + then + echo "openssl could not be found" + echo "Installing openssl..." + sudo apt-get install openssl + fi +} + +# Check if openssl is installed +check_openssl + +# Change to current directory +cd $(dirname $0) + +# Set TLS_CERT_DIR to current directory +TLS_CERT_DIR=$(pwd)/ssl + +# Generate an Ed25519 Private key +sudo openssl genpkey -algorithm Ed25519 -out ${TLS_CERT_DIR}/nginx_ed25519.key + +# Generate a self-signed certificate using the Ed25519 Private key +# Valid for 365 days +sudo openssl req -new -x509 \ + -config openssl-custom.cnf \ + -batch \ + -key ${TLS_CERT_DIR}/nginx_ed25519.key \ + -out ${TLS_CERT_DIR}/nginx_ed25519.crt \ + -days 365 \ No newline at end of file diff --git a/certs/openssl-custom.cnf b/certs/openssl-custom.cnf new file mode 100644 index 00000000..f5f08ed3 --- /dev/null +++ b/certs/openssl-custom.cnf @@ -0,0 +1,13 @@ +# https://www.phildev.net/ssl/opensslconf.html + +[req] +distinguished_name = req_distinguished_name +x509_extensions = v3_ca +prompt = no + +[req_distinguished_name] +commonName = localhost + +[v3_ca] +basicConstraints = CA:TRUE +keyUsage = digitalSignature, keyCertSign, cRLSign \ No newline at end of file diff --git a/pyproject.toml b/pyproject.toml index f95734bc..7a4c9d49 100644 --- a/pyproject.toml +++ b/pyproject.toml 
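Review bot: `sudo chmod 644 certs/ssl/*` makes the freshly generated private key world-readable along with the certificate. Restrict the two files separately — `chmod 600 certs/ssl/nginx_ed25519.key` and `chmod 644 certs/ssl/nginx_ed25519.crt` — and drop the `sudo` once the generator script stops producing root-owned files. A glob on a directory that also holds the OpenSSL config (as it does later in this series) will keep widening permissions on whatever lands there, which is another reason to name the files explicitly.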
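Review bot: Both `openssl` calls run under `sudo`, which is unnecessary for writing into a directory the invoking user just created and is why the key ends up root-owned (and then needs a root `chmod`). Run them as the current user and create the key with restrictive permissions from the start — `umask 077` before `openssl genpkey`, or `chmod 600 "${TLS_CERT_DIR}/nginx_ed25519.key"` immediately after — and quote the paths (`cd "$(dirname "$0")"`, `"${TLS_CERT_DIR}/..."`). `sudo apt-get install openssl` without `-y` will block on a prompt in non-interactive CI, and `set -x` echoes every command, which is harmless now but worth remembering if a passphrase is ever passed on the command line.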
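Review bot: The request config sets only `commonName = localhost` and no `subjectAltName`, and current TLS clients (Python's `ssl` module, urllib3/requests, browsers) match the host against the SAN extension rather than the CN, so a client with verification enabled will reject this certificate for `localhost` even if it trusts it. Add `subjectAltName = DNS:localhost,IP:127.0.0.1` under `[v3_ca]`, extending the list with whatever hostname the edge endpoint is actually reached at. Without it the only way to make the SDK tests pass is to disable verification, which is exactly what the workflow in this patch does.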
@@ -8,9 +8,9 @@ license = "MIT" [tool.poetry.dependencies] python = "^3.9" uvicorn = {version = "^0.20.0", extras = ["standard"]} -fastapi = "^0.88.0" -pydantic = "^1.10.2" -groundlight = "0.11.0" +fastapi = "0.103.2" +pydantic = ">=2.0,<3.0.0" +groundlight = {git = "https://github.com/groundlight/python-sdk.git", rev = "disable-tls-verification"} opencv-python = "^4.7.0.72" pillow = "^9.5.0" framegrab = "^0.2.1" From 64a855f6186e40072c398af42610ddd22779f8fa Mon Sep 17 00:00:00 2001 From: blaise-muhirwa Date: Wed, 18 Oct 2023 23:21:58 +0000 Subject: [PATCH 02/21] fix makefile --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 6475c0f3..ba6f97d7 100644 --- a/Makefile +++ b/Makefile @@ -21,7 +21,7 @@ format: install-lint ## Run standard python formatting ./code-quality/format ${LINT_PATHS} # OpenSSL related commands -generate-tls-certs: +generate-tls-cert: mkdir -p certs/ssl ./certs/generate_tls_cert.sh sudo chmod 644 certs/ssl/* From f1890049616dac880212ff758258df5c549888b3 Mon Sep 17 00:00:00 2001 From: blaise-muhirwa Date: Wed, 18 Oct 2023 23:25:44 +0000 Subject: [PATCH 03/21] fix typo --- Makefile | 2 +- certs/{generate-tls-certs.sh => generate-tls-cert.sh} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename certs/{generate-tls-certs.sh => generate-tls-cert.sh} (100%) diff --git a/Makefile b/Makefile index ba6f97d7..27921fef 100644 --- a/Makefile +++ b/Makefile @@ -23,5 +23,5 @@ format: install-lint ## Run standard python formatting # OpenSSL related commands generate-tls-cert: mkdir -p certs/ssl - ./certs/generate_tls_cert.sh + ./certs/generate-tls-cert.sh sudo chmod 644 certs/ssl/* diff --git a/certs/generate-tls-certs.sh b/certs/generate-tls-cert.sh similarity index 100% rename from certs/generate-tls-certs.sh rename to certs/generate-tls-cert.sh From a88d4dcde262511fa5a1ca78cf166a50943e9176 Mon Sep 17 00:00:00 2001 
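Review bot: `groundlight = {git = "...", rev = "disable-tls-verification"}` pins the SDK to a mutable branch name, so `poetry install` fetches whatever that branch points to at build time and a later push or force-push silently changes what ships in the edge image. Pin `rev` to a full commit SHA (or a tag) and return to a released PyPI version once the SDK change is published. The `fastapi = "0.103.2"` / `pydantic = ">=2.0,<3.0.0"` change is a major pydantic upgrade; nothing in this hunk shows that the app's models have been ported to the v2 API, so that should be confirmed separately.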
From: blaise-muhirwa Date: Wed, 18 Oct 2023 23:35:36 +0000 Subject: [PATCH 04/21] use a specific SDK branch --- .github/workflows/pipeline.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index fc29c2e0..0841498a 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -267,6 +267,7 @@ jobs: with: repository: groundlight/python-sdk path: groundlight-sdk + ref: disable-tls-verification - name: Install Groundlight SDK dependencies run: | From 9ff56c02fdfb5f52f134ba5527d6be70b67e0c40 Mon Sep 17 00:00:00 2001 From: blaise-muhirwa Date: Thu, 19 Oct 2023 00:07:17 +0000 Subject: [PATCH 05/21] mount tls certificates into k3s pod --- deploy/bin/cluster_setup.sh | 1 + deploy/bin/make-tls-cert-secret.sh | 23 +++++++++++++++++++ .../k3s/edge_deployment/edge_deployment.yaml | 11 +++++++-- 3 files changed, 33 insertions(+), 2 deletions(-) create mode 100755 deploy/bin/make-tls-cert-secret.sh diff --git a/deploy/bin/cluster_setup.sh b/deploy/bin/cluster_setup.sh index 152db7ae..1a3daa28 100755 --- a/deploy/bin/cluster_setup.sh +++ b/deploy/bin/cluster_setup.sh @@ -14,6 +14,7 @@ INFERENCE_FLAVOR=${INFERENCE_FLAVOR:-"GPU"} # Secrets ./deploy/bin/make-gl-api-token-secret.sh ./deploy/bin/make-aws-secret.sh +./deploy/bin/make-tls-cert-secret.sh # Verify secrets have been properly created if ! $K get secret registry-credentials; then diff --git a/deploy/bin/make-tls-cert-secret.sh b/deploy/bin/make-tls-cert-secret.sh new file mode 100755 index 00000000..9ecefd03 --- /dev/null +++ b/deploy/bin/make-tls-cert-secret.sh 
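Review bot: `ref: disable-tls-verification` checks out a moving branch of an external repository into the CI job, so the job's inputs can change with no change to this repository. Pin `ref` to a full commit SHA and bump it deliberately, or at minimum print `git -C groundlight-sdk rev-parse HEAD` so the log records which SDK revision was tested.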
@@ -0,0 +1,23 @@ +#!/bin/bash + +K="k3s kubectl" +TLS_PRIVATE_KEY="certs/ssl/nginx_ed25519.key" +TLS_CERTIFICATE="certs/ssl/nginx_ed25519.crt" + +$K delete --ignore-not-found secret tls-certificate + + +# First check if the certs/ssl/nginx_ed25519.key and certs/ssl/nginx_ed25519.crt exist +# If not exit early with an error message +if [ ! -f "$TLS_PRIVATE_KEY" ] || [ ! -f "$TLS_CERTIFICATE" ]; then + echo "TLS certificate and key not found at the desired location. Exiting..." + exit 1 +fi + + +# Create a kubernetes secret for the groundlight api token +# Make sure that you have the groundlight api token set in your environment + +$K create secret generic tls-certificate \ + --from-file=nginx_ed25519.key=${TLS_PRIVATE_KEY} \ + --from-file=nginx_ed25519.crt=${TLS_CERTIFICATE} \ No newline at end of file diff --git a/deploy/k3s/edge_deployment/edge_deployment.yaml b/deploy/k3s/edge_deployment/edge_deployment.yaml index 65c62224..435d7a54 100644 --- a/deploy/k3s/edge_deployment/edge_deployment.yaml +++ b/deploy/k3s/edge_deployment/edge_deployment.yaml @@ -46,7 +46,7 @@ spec: - containerPort: 6717 env: - name: LOG_LEVEL - value: "DEBUG" + value: "INFO" - name: DEPLOY_DETECTOR_LEVEL_INFERENCE value: "True" - name: GROUNDLIGHT_API_TOKEN @@ -57,6 +57,9 @@ spec: volumeMounts: - name: edge-config-volume mountPath: /etc/groundlight/edge-config + - name: tls-certificate-volume + mountPath: /etc/nginx/ssl + readOnly: true - name: inference-model-updater image: 723181461334.dkr.ecr.us-west-2.amazonaws.com/edge-endpoint:c4e05f237-tyler-small-updates @@ -65,7 +68,7 @@ spec: args: ["poetry run python -m app.model_updater.update_models"] env: - name: LOG_LEVEL - value: "DEBUG" + value: "INFO" - name: DEPLOY_DETECTOR_LEVEL_INFERENCE value: "True" - name: GROUNDLIGHT_API_TOKEN 
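Review bot: The secret is created with `create secret generic`, which accepts any two files; `$K create secret tls tls-certificate --cert="$TLS_CERTIFICATE" --key="$TLS_PRIVATE_KEY"` produces a `kubernetes.io/tls` secret and validates that the certificate and key form a pair, catching a mismatched or truncated file at setup time (the mounted names become `tls.crt`/`tls.key`, so the nginx paths would change accordingly). The script also deletes the existing secret before checking that the files exist, so a missing key leaves the cluster with no `tls-certificate` at all; move the `delete` after the existence check and add `set -euo pipefail` so a failed `create` is not masked by the script's zero exit status.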
@@ -97,3 +100,7 @@ spec: # TODO: check out k3s local path provisioner: https://docs.k3s.io/storage#setting-up-the-local-storage-provider path: /var/groundlight/serving/model_repository type: DirectoryOrCreate + + - name: tls-certificate-volume + secret: + secretName: tls-certificate From 2d8f099459bf6d0ae8c46ae202541729acf84d12 Mon Sep 17 00:00:00 2001 From: blaise-muhirwa Date: Thu, 19 Oct 2023 04:23:34 +0000 Subject: [PATCH 06/21] github action --- .github/workflows/pipeline.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 0841498a..56ef1d1b 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -283,7 +283,7 @@ jobs: - name: Run SDK tests run: | - export TLS_VERIFY=0 # disable TLS verification + export TLS_VERIFY=1 # disable TLS verification GROUNDLIGHT_ENDPOINT=https://localhost:6717 cd groundlight-sdk poetry run pytest From 5e1ed0c6502a8b95592af3fb54941d8e3d8ec5c4 Mon Sep 17 00:00:00 2001 From: blaise-muhirwa Date: Thu, 19 Oct 2023 06:39:30 +0000 Subject: [PATCH 07/21] remove cached venv --- .github/workflows/pipeline.yaml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 56ef1d1b..6c02ffe6 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -274,13 +274,6 @@ jobs: cd groundlight-sdk poetry install - - name: Load Cached venv - id: cached-poetry-dependencies - uses: actions/cache@v3 - with: - path: .venv - key: venv-${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}-${{hashFiles('**/poetry.lock') }} - - name: Run SDK tests run: | export TLS_VERIFY=1 # disable TLS verification From d3653a9b54d1383a1f066c08f725518fedf430c3 Mon Sep 17 00:00:00 2001 
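Review bot: The `tls-certificate-volume` Secret volume uses the default file mode (0644), so the private key is readable by every process in the pod, not only nginx. Add `defaultMode: 0400` (or `0440` with a suitable group) under `secret:` so that only the container user can read `/etc/nginx/ssl/nginx_ed25519.key`; the `readOnly: true` on the mount is good but only prevents writes.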
From: blaise-muhirwa Date: Thu, 19 Oct 2023 06:53:57 +0000 Subject: [PATCH 08/21] rename environment variable to DISABLE_TLS_VERIFY --- .github/workflows/pipeline.yaml | 10 +++++++++- deploy/bin/make-tls-cert-secret.sh | 8 +++----- 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 6c02ffe6..0d374e41 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -276,8 +276,16 @@ jobs: - name: Run SDK tests run: | - export TLS_VERIFY=1 # disable TLS verification + export DISABLE_TLS_VERIFY=1 # disable TLS verification GROUNDLIGHT_ENDPOINT=https://localhost:6717 cd groundlight-sdk poetry run pytest cd .. + + - name: Dump Logs from Docker Container + if: always() + run: docker logs ${{ steps.start_container.outputs.container_id }} + + - name: Stop Docker Container + if: always() + run: docker stop ${{ steps.start_container.outputs.container_id }} diff --git a/deploy/bin/make-tls-cert-secret.sh b/deploy/bin/make-tls-cert-secret.sh index 9ecefd03..429de3c7 100755 --- a/deploy/bin/make-tls-cert-secret.sh +++ b/deploy/bin/make-tls-cert-secret.sh @@ -8,16 +8,14 @@ $K delete --ignore-not-found secret tls-certificate # First check if the certs/ssl/nginx_ed25519.key and certs/ssl/nginx_ed25519.crt exist -# If not exit early with an error message +# If not exit early. Using exit 0 instead of exit 1 since this is an optional secret. if [ ! -f "$TLS_PRIVATE_KEY" ] || [ ! -f "$TLS_CERTIFICATE" ]; then echo "TLS certificate and key not found at the desired location. Exiting..." - exit 1 + exit 0 fi -# Create a kubernetes secret for the groundlight api token -# Make sure that you have the groundlight api token set in your environment - +# Create a kubernetes secret for the TLS certificate and private key $K create secret generic tls-certificate \ --from-file=nginx_ed25519.key=${TLS_PRIVATE_KEY} \ --from-file=nginx_ed25519.crt=${TLS_CERTIFICATE} \ No newline at end of file 
From 6e5be888e72c5c2b6aef8dcf43009023b6c39351 Mon Sep 17 00:00:00 2001 From: blaise-muhirwa Date: Thu, 19 Oct 2023 07:05:30 +0000 Subject: [PATCH 09/21] try removing lock file and re-installing --- .github/workflows/pipeline.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 0d374e41..c7674579 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -272,6 +272,7 @@ jobs: - name: Install Groundlight SDK dependencies run: | cd groundlight-sdk + rm poetry.lock poetry install - name: Run SDK tests From 309a4ef6a00ed97d355bcf3228c01683a43162fc Mon Sep 17 00:00:00 2001 From: blaise-muhirwa Date: Thu, 19 Oct 2023 07:25:45 +0000 Subject: [PATCH 10/21] github action --- .github/workflows/pipeline.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index c7674579..0b6b5c4e 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -272,7 +272,7 @@ jobs: - name: Install Groundlight SDK dependencies run: | cd groundlight-sdk - rm poetry.lock + cat src/groundlight/client.py poetry install - name: Run SDK tests From 785267811f583874eff83aa085f661ceb9daaa4a Mon Sep 17 00:00:00 2001 From: blaise-muhirwa Date: Thu, 19 Oct 2023 11:00:10 +0000 Subject: [PATCH 11/21] fix Dockerfile --- .github/workflows/pipeline.yaml | 5 ++--- Dockerfile | 11 ++++------ configs/nginx.conf | 39 ++++++++++++++++++++++++++++++--- 3 files changed, 42 insertions(+), 13 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 0b6b5c4e..1eb2cf24 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -238,7 +238,7 @@ jobs: sudo apt-get install docker-ce - name: Build Docker Image - run: docker build --tag groundlight-edge . + run: docker build --tag edge-endpoint . - name: Start Docker Container id: start_container 
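Review bot: `cat src/groundlight/client.py` in the Install Groundlight SDK dependencies step is a debugging leftover that dumps an SDK source file into every CI log; remove it before merging. If the intent is to record which SDK revision was tested, `git -C groundlight-sdk rev-parse HEAD` is the one line that conveys that.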
@@ -249,7 +249,7 @@ jobs: -e LOG_LEVEL=DEBUG \ -e EDGE_CONFIG \ -d -p 6717:443 \ - groundlight-edge) + edge-endpoint) echo "::set-output name=container_id::$container_id" - name: Install poetry @@ -281,7 +281,6 @@ jobs: GROUNDLIGHT_ENDPOINT=https://localhost:6717 cd groundlight-sdk poetry run pytest - cd .. - name: Dump Logs from Docker Container if: always() diff --git a/Dockerfile b/Dockerfile index 4ed21ce9..7e476166 100644 --- a/Dockerfile +++ b/Dockerfile @@ -27,6 +27,7 @@ RUN apt-get update \ nginx \ libglib2.0-0 \ libgl1-mesa-glx \ + coreutils \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* \ && curl -sSL https://install.python-poetry.org | python - @@ -59,13 +60,9 @@ COPY configs ${APP_ROOT}/configs COPY deploy/k3s/inference_deployment/inference_deployment_template.yaml \ /etc/groundlight/inference-deployment/ -RUN mkdir /etc/nginx/ssl +RUN mkdir -p /etc/nginx/ssl -# Check if the TLS certificate and private key are present in the build context -RUN if [ -f certs/ssl/nginx_ed25519.key ] && [ -f certs/ssl/nginx_ed25519.crt ]; then \ - cp certs/ssl/nginx_ed25519.key /etc/nginx/ssl/nginx_ed25519.key; \ - cp certs/ssl/nginx_ed25519.crt /etc/nginx/ssl/nginx_ed25519.crt; \ - fi +COPY certs/ssl /etc/nginx/ssl ################## # Production Stage @@ -84,7 +81,7 @@ WORKDIR ${APP_ROOT} COPY /app ${APP_ROOT}/app/ COPY --from=production-dependencies-build-stage ${APP_ROOT}/configs/nginx.conf /etc/nginx/nginx.conf -COPY --from=production-dependencies-build-stage /etc/nginx/ssl /etc/nginx/ssl +COPY --from=production-dependencies-build-stage /etc/nginx/ssl /etc/nginx/ssl # Update certificates RUN update-ca-certificates diff --git a/configs/nginx.conf b/configs/nginx.conf index 81d9ef81..cda674a7 100644 --- a/configs/nginx.conf +++ b/configs/nginx.conf 
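Review bot: `COPY certs/ssl /etc/nginx/ssl` is unconditional, and `certs/ssl/` is git-ignored earlier in this series, so `docker build` from a clean checkout fails with a missing-source error unless `make generate-tls-cert` has been run first; the image should not require a generated private key in order to build. It also copies the key into the build stage and, through the `COPY --from` line below, into the production image, so every pulled image carries it. Prefer copying only the certificate (if it needs to be in the image at all) and mounting the key at runtime — the k3s Secret mount added in patch 05 already does this, which makes the in-image copy redundant there.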
@@ -3,8 +3,41 @@ events { } http { + + #https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-http/ server { - listen 6717; + listen 6717; # HTTP server + listen 443 ssl; # HTTPS server + server_name localhost; + + # If SSL certificate does not exist, then fallback to HTTP + if (!-f /etc/nginx/ssl/nginx_ed25519.crt) { + rewrite ^ http://$host$request_uri? permanent; + } + + # Point to the self-signed certificate and key + ssl_certificate /etc/nginx/ssl/nginx_ed25519.crt; + ssl_certificate_key /etc/nginx/ssl/nginx_ed25519.key; + + # SSL settings. + + # ssl_protocols: Only newer versions of TLS are allowed. + # ssl_ciphers: Specifies a list of ciphers that the server is willing to use. + # The given list includes modern, secure ciphers. + # Refer to https://mozilla.github.io/server-side-tls/ssl-config-generator/ for more details. + + # ssl_prefer_server_ciphers: Dictates who gets to choose the cipher for the SSL/TLS connection. + # When set to on, the server's list of ciphers takes priority. + # Here it's set to off, allowing client preference but still bound by the server's list. + # ssl_session_cache: Enables session caching for SSL/TLS, which can improve performance. + # By caching the session, repeat handshakes within a short period can be avoided. + # In this configuration, the cache is shared among all workers and has a 10-minute lifespan. + + + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers off; + ssl_session_cache shared:SSL:10m; location / { proxy_pass http://localhost:6718; @@ -21,6 +54,6 @@ http { # Fallback to the cloud API server proxy_pass https://api.groundlight.ai; } - } -} + +} \ No newline at end of file From 684512ed747c3dd1128514d34d6cff9af34a9539 Mon Sep 17 00:00:00 2001 
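Review bot: The `if (!-f /etc/nginx/ssl/nginx_ed25519.crt)` fallback cannot work: `ssl_certificate` is resolved when nginx loads its configuration, so with the file missing nginx refuses to start rather than serving HTTP, and the `if` block never executes. When the file is present the same `if` is evaluated per request, and the `permanent` rewrite would send HTTPS clients to `http://$host$request_uri`, i.e. a protocol downgrade if it ever fired. Remove the `if`/`rewrite` and make HTTPS opt-in at deploy time instead (a separate server block that is only included when the certificate is mounted). The `@fallback` location's `proxy_pass https://api.groundlight.ai` still has no `proxy_ssl_verify on;`, so the upstream certificate is not checked; that line is context here, but the new TLS work is the natural place to fix it.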
From: blaise-muhirwa Date: Thu, 19 Oct 2023 11:33:46 +0000 Subject: [PATCH 12/21] add edge deployment customization --- Dockerfile | 2 +- deploy/bin/cluster_setup.sh | 12 ++++++-- .../conditional_volume_patch.yaml | 29 +++++++++++++++++++ .../k3s/edge_deployment/edge_deployment.yaml | 8 +---- deploy/k3s/edge_deployment/kustomization.yaml | 5 ++++ 5 files changed, 46 insertions(+), 10 deletions(-) create mode 100644 deploy/k3s/edge_deployment/conditional_volume_patch.yaml create mode 100644 deploy/k3s/edge_deployment/kustomization.yaml diff --git a/Dockerfile b/Dockerfile index 7e476166..53b52119 100644 --- a/Dockerfile +++ b/Dockerfile @@ -62,7 +62,7 @@ COPY deploy/k3s/inference_deployment/inference_deployment_template.yaml \ RUN mkdir -p /etc/nginx/ssl -COPY certs/ssl /etc/nginx/ssl +COPY certs/ssl/. /etc/nginx/ssl ################## # Production Stage diff --git a/deploy/bin/cluster_setup.sh b/deploy/bin/cluster_setup.sh index 1a3daa28..c33d2aa5 100755 --- a/deploy/bin/cluster_setup.sh +++ b/deploy/bin/cluster_setup.sh @@ -10,11 +10,11 @@ fail() { K="k3s kubectl" INFERENCE_FLAVOR=${INFERENCE_FLAVOR:-"GPU"} +USE_HTTPS=${USE_HTTPS:-"0"} # Secrets ./deploy/bin/make-gl-api-token-secret.sh ./deploy/bin/make-aws-secret.sh -./deploy/bin/make-tls-cert-secret.sh # Verify secrets have been properly created if ! $K get secret registry-credentials; then 
@@ -63,6 +63,14 @@ $K get service -o custom-columns=":metadata.name" --no-headers=true | \ xargs -I {} $K delete service {} # Reapply changes -$K apply -f deploy/k3s/edge_deployment/edge_deployment.yaml +if [[ "${USE_HTTPS}" == "1" ]]; then + echo "Using HTTPS. Expecting a TLS certificate and a private key to have been generated." + ./deploy/bin/make-tls-cert-secret.sh + $K kustomize deploy/k3s/edge_deployment > edge_deployment.yaml + $K apply -f edge_deployment.yaml + rm edge_deployment.yaml +else + $K apply -f deploy/k3s/edge_deployment/edge_deployment.yaml +fi $K describe deployment edge-endpoint \ No newline at end of file diff --git a/deploy/k3s/edge_deployment/conditional_volume_patch.yaml b/deploy/k3s/edge_deployment/conditional_volume_patch.yaml new file mode 100644 index 00000000..2ae7a0e5 --- /dev/null +++ b/deploy/k3s/edge_deployment/conditional_volume_patch.yaml @@ -0,0 +1,29 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: edge-endpoint + labels: + app: edge-endpoint +spec: + replicas: 1 + selector: + matchLabels: + app: edge-logic-server + template: + metadata: + labels: + app: edge-logic-server + spec: + serviceAccountName: edge-endpoint-service-account + containers: + - name: edge-endpoint + volumeMounts: + - name: tsl-certificate-volume + mountPath: /etc/nginx/ssl + readOnly: true + volumes: + # Expecting the `tls-certificate` secret to have been + # generated before applying this patch + - name: tls-certificate-volume + secret: + secretName: tls-certificate \ No newline at end of file diff --git a/deploy/k3s/edge_deployment/edge_deployment.yaml b/deploy/k3s/edge_deployment/edge_deployment.yaml index 435d7a54..3d7d8117 100644 --- a/deploy/k3s/edge_deployment/edge_deployment.yaml +++ b/deploy/k3s/edge_deployment/edge_deployment.yaml 
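Review bot: The volumeMount in `conditional_volume_patch.yaml` is named `tsl-certificate-volume` while the volume it must reference is `tls-certificate-volume`, so the rendered Deployment has a mount with no matching volume and the API server rejects it; fix the typo to `- name: tls-certificate-volume`. While here, add `defaultMode: 0400` under `secret:` so the mounted private key is not world-readable inside the pod. `patchesStrategicMerge` is deprecated in current kustomize; `patches:` with `- path: conditional_volume_patch.yaml` is the replacement.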
@@ -57,9 +57,6 @@ spec: volumeMounts: - name: edge-config-volume mountPath: /etc/groundlight/edge-config - - name: tls-certificate-volume - mountPath: /etc/nginx/ssl - readOnly: true - name: inference-model-updater image: 723181461334.dkr.ecr.us-west-2.amazonaws.com/edge-endpoint:c4e05f237-tyler-small-updates @@ -100,7 +97,4 @@ spec: # TODO: check out k3s local path provisioner: https://docs.k3s.io/storage#setting-up-the-local-storage-provider path: /var/groundlight/serving/model_repository type: DirectoryOrCreate - - - name: tls-certificate-volume - secret: - secretName: tls-certificate + diff --git a/deploy/k3s/edge_deployment/kustomization.yaml b/deploy/k3s/edge_deployment/kustomization.yaml new file mode 100644 index 00000000..7d4eb5df --- /dev/null +++ b/deploy/k3s/edge_deployment/kustomization.yaml @@ -0,0 +1,5 @@ +resources: + - edge_deployment.yaml + +patchesStrategicMerge: + - conditional_volume_patch.yaml From 3ab3bc38fa92f7ff4e942bb5f806f7bde1067eb1 Mon Sep 17 00:00:00 2001 From: blaise-muhirwa Date: Thu, 19 Oct 2023 16:31:49 +0000 Subject: [PATCH 13/21] more nginx configuration --- app/core/app_state.py | 2 +- certs/openssl-custom.cnf | 2 +- configs/nginx.conf | 10 ++++++---- deploy/k3s/edge_deployment/edge_deployment.yaml | 9 ++++++--- 4 files changed, 14 insertions(+), 9 deletions(-) diff --git a/app/core/app_state.py b/app/core/app_state.py index 2dd4165e..32518ba4 100644 --- a/app/core/app_state.py +++ b/app/core/app_state.py @@ -46,7 +46,7 @@ def load_edge_config() -> RootEdgeConfig: @lru_cache(maxsize=MAX_SDK_INSTANCES_CACHE_SIZE) def _get_groundlight_sdk_instance_internal(api_token: str): - return Groundlight(api_token=api_token) + return Groundlight(api_token=api_token, disable_tls_verification=True) def get_groundlight_sdk_instance(request: Request): diff --git a/certs/openssl-custom.cnf b/certs/openssl-custom.cnf index f5f08ed3..1236fbbf 100644 --- a/certs/openssl-custom.cnf +++ b/certs/openssl-custom.cnf 
@@ -6,7 +6,7 @@ x509_extensions = v3_ca prompt = no [req_distinguished_name] -commonName = localhost +countryName = US [v3_ca] basicConstraints = CA:TRUE diff --git a/configs/nginx.conf b/configs/nginx.conf index cda674a7..15476e91 100644 --- a/configs/nginx.conf +++ b/configs/nginx.conf @@ -8,7 +8,7 @@ http { server { listen 6717; # HTTP server listen 443 ssl; # HTTPS server - server_name localhost; + server_name _; # If SSL certificate does not exist, then fallback to HTTP if (!-f /etc/nginx/ssl/nginx_ed25519.crt) { @@ -34,9 +34,11 @@ http { # In this configuration, the cache is shared among all workers and has a 10-minute lifespan. - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers HIGH:!aNULL:!MD5; - ssl_prefer_server_ciphers off; + proxy_ssl_server_name on; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + # ssl_ciphers HIGH:!aNULL:!MD5; + ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384'; + ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; location / { diff --git a/deploy/k3s/edge_deployment/edge_deployment.yaml b/deploy/k3s/edge_deployment/edge_deployment.yaml index 3d7d8117..ea6ffebc 100644 --- a/deploy/k3s/edge_deployment/edge_deployment.yaml +++ b/deploy/k3s/edge_deployment/edge_deployment.yaml @@ -40,15 +40,18 @@ spec: serviceAccountName: edge-endpoint-service-account containers: - name: edge-endpoint - image: 723181461334.dkr.ecr.us-west-2.amazonaws.com/edge-endpoint:c4e05f237-tyler-small-updates + image: 723181461334.dkr.ecr.us-west-2.amazonaws.com/edge-endpoint:using-https-684512ed7-dirty-32c669a0b149163 imagePullPolicy: IfNotPresent ports: - - containerPort: 6717 + - containerPort: 443 env: - name: LOG_LEVEL value: "INFO" - name: DEPLOY_DETECTOR_LEVEL_INFERENCE value: "True" + + - name: DISABLE_TLS_VERIFY + value: "1" - name: GROUNDLIGHT_API_TOKEN valueFrom: secretKeyRef: 
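Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` re-enables TLS 1.0 and 1.1, which are deprecated (RFC 8996) and contradict the comment a few lines above stating that only newer versions are allowed; keep `ssl_protocols TLSv1.2 TLSv1.3;`. The new `ssl_ciphers` list mixes TLS 1.3 suite names (which OpenSSL ignores in this directive — they are set via `ssl_conf_command Ciphersuites`) with `ECDHE-RSA-*` suites that presumably cannot be used with the Ed25519 key this series generates, so TLS 1.2 clients may have no usable suite at all; verify with `openssl s_client -tls1_2` before shipping this list. `proxy_ssl_server_name on;` belongs next to the `proxy_pass https://api.groundlight.ai` location and on its own does not verify the upstream certificate (`proxy_ssl_verify` defaults to off).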
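Review bot: `DISABLE_TLS_VERIFY: "1"` is set on the production Deployment's `edge-endpoint` container, not in a test fixture, and — assuming the SDK honours it the same way the CI job does — it turns off certificate verification for the edge endpoint's own connections to the cloud API, a persistent downgrade for every request that falls back to the cloud. Serving HTTPS locally is an nginx concern and does not require this; remove the variable from the manifest, and if a specific outbound connection genuinely needs a private CA, point the client at that CA bundle instead. The image tag `using-https-684512ed7-dirty-…` also records a build from an uncommitted tree; deploy a tag built from a committed SHA.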
@@ -59,7 +62,7 @@ spec: mountPath: /etc/groundlight/edge-config - name: inference-model-updater - image: 723181461334.dkr.ecr.us-west-2.amazonaws.com/edge-endpoint:c4e05f237-tyler-small-updates + image: 723181461334.dkr.ecr.us-west-2.amazonaws.com/edge-endpoint:using-https-684512ed7-dirty-32c669a0b149163 imagePullPolicy: IfNotPresent command: ["/bin/bash", "-c"] args: ["poetry run python -m app.model_updater.update_models"] From c7f148bdf47d82a0478ce9972babd45617179b6d Mon Sep 17 00:00:00 2001 From: blaise-muhirwa Date: Thu, 19 Oct 2023 16:59:12 +0000 Subject: [PATCH 14/21] fix tests --- Dockerfile | 2 +- certs/generate-tls-cert.sh | 2 +- certs/openssl-custom.cnf | 13 ------------- 3 files changed, 2 insertions(+), 15 deletions(-) delete mode 100644 certs/openssl-custom.cnf diff --git a/Dockerfile b/Dockerfile index 53b52119..7e476166 100644 --- a/Dockerfile +++ b/Dockerfile @@ -62,7 +62,7 @@ COPY deploy/k3s/inference_deployment/inference_deployment_template.yaml \ RUN mkdir -p /etc/nginx/ssl -COPY certs/ssl/. /etc/nginx/ssl +COPY certs/ssl /etc/nginx/ssl ################## # Production Stage diff --git a/certs/generate-tls-cert.sh b/certs/generate-tls-cert.sh index c8adb717..116878e6 100755 --- a/certs/generate-tls-cert.sh +++ b/certs/generate-tls-cert.sh @@ -28,7 +28,7 @@ sudo openssl genpkey -algorithm Ed25519 -out ${TLS_CERT_DIR}/nginx_ed25519.key # Generate a self-signed certificate using the Ed25519 Private key # Valid for 365 days sudo openssl req -new -x509 \ - -config openssl-custom.cnf \ + -config ssl/openssl-custom.cnf \ -batch \ -key ${TLS_CERT_DIR}/nginx_ed25519.key \ -out ${TLS_CERT_DIR}/nginx_ed25519.crt \ diff --git a/certs/openssl-custom.cnf b/certs/openssl-custom.cnf deleted file mode 100644 index 1236fbbf..00000000 --- a/certs/openssl-custom.cnf +++ /dev/null 
@@ -1,13 +0,0 @@ -# https://www.phildev.net/ssl/opensslconf.html - -[req] -distinguished_name = req_distinguished_name -x509_extensions = v3_ca -prompt = no - -[req_distinguished_name] -countryName = US - -[v3_ca] -basicConstraints = CA:TRUE -keyUsage = digitalSignature, keyCertSign, cRLSign \ No newline at end of file From 4f9f64749ddaaf5b94c5d29f6715b59ccb70684c Mon Sep 17 00:00:00 2001 From: blaise-muhirwa Date: Thu, 19 Oct 2023 17:02:09 +0000 Subject: [PATCH 15/21] add ssl config file --- .gitignore | 3 ++- certs/ssl/openssl-custom.cnf | 13 +++++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) create mode 100644 certs/ssl/openssl-custom.cnf diff --git a/.gitignore b/.gitignore index f149419f..40c2cb0a 100644 --- a/.gitignore +++ b/.gitignore @@ -10,7 +10,8 @@ __pycache__/ *.so # SSL-related -certs/ssl/ +certs/ssl/nginx_ed25519.key +certs/ssl/nginx_ed25519.crt # Distribution / packaging .Python diff --git a/certs/ssl/openssl-custom.cnf b/certs/ssl/openssl-custom.cnf new file mode 100644 index 00000000..1236fbbf --- /dev/null +++ b/certs/ssl/openssl-custom.cnf @@ -0,0 +1,13 @@ +# https://www.phildev.net/ssl/opensslconf.html + +[req] +distinguished_name = req_distinguished_name +x509_extensions = v3_ca +prompt = no + +[req_distinguished_name] +countryName = US + +[v3_ca] +basicConstraints = CA:TRUE +keyUsage = digitalSignature, keyCertSign, cRLSign \ No newline at end of file From b362afcb23edc18a88129b8de8a631ea9e7b8f92 Mon Sep 17 00:00:00 2001 From: blaise-muhirwa Date: Thu, 19 Oct 2023 17:15:47 +0000 Subject: [PATCH 16/21] fixing motion detection tests --- app/core/app_state.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/core/app_state.py b/app/core/app_state.py index 32518ba4..2dd4165e 100644 --- a/app/core/app_state.py +++ b/app/core/app_state.py 
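Review bot: `basicConstraints = CA:TRUE` with `keyCertSign, cRLSign` marks the nginx server certificate as a certificate authority, so anything told to trust it (for example a CA bundle used by the SDK tests) would also trust any certificate it could sign; a leaf certificate should carry `basicConstraints = CA:FALSE`, `keyUsage = digitalSignature`, and `extendedKeyUsage = serverAuth`. With `commonName` replaced by `countryName = US` and still no `subjectAltName`, the certificate now names no host at all, so no verifying client can accept it for `localhost` — add `subjectAltName = DNS:localhost,IP:127.0.0.1` plus the real edge hostname.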
@@ -46,7 +46,7 @@ def load_edge_config() -> RootEdgeConfig: @lru_cache(maxsize=MAX_SDK_INSTANCES_CACHE_SIZE) def _get_groundlight_sdk_instance_internal(api_token: str): - return Groundlight(api_token=api_token, disable_tls_verification=True) + return Groundlight(api_token=api_token) def get_groundlight_sdk_instance(request: Request): From 82f053744a1a160dbc29a0f7b1c1833d66e7239a Mon Sep 17 00:00:00 2001 From: blaise-muhirwa Date: Thu, 19 Oct 2023 20:41:15 +0000 Subject: [PATCH 17/21] separate https from http server block --- .github/workflows/pipeline.yaml | 6 ++++++ configs/nginx.conf | 22 +++++++++++++++++++++- 2 files changed, 27 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 1eb2cf24..8d220ec2 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -59,6 +59,9 @@ jobs: with : python-version: ${{ env.PYTHON_VERSION }} + - name: Generate TLS certificate + run: make generate-tls-cert + - name: Install Docker # moby-runc is a CLI tool for spawning and running containers according to the Open Container Initiative (OCI) # specification, and it is used by the Docker runtime. The existing version of moby-runc on the GitHub Actions runner @@ -135,6 +138,9 @@ jobs: with: python-version: ${{ env.PYTHON_VERSION }} + - name: Generate TLS certificate + run: make generate-tls-cert + - name: Install Docker run: | sudo apt-get update diff --git a/configs/nginx.conf b/configs/nginx.conf index 15476e91..ebfa41fe 100644 --- a/configs/nginx.conf +++ b/configs/nginx.conf 
@@ -3,10 +3,30 @@ events { } http { + + server { + listen 6717; + + location / { + proxy_pass http://localhost:6718; + + # If local edge server is not up or can't handle the query arguments, + # then fallback to the cloud API server. + # 422 - Unprocessable Entity + # 404 - Not Found + proxy_intercept_errors on; + error_page 404 422 405 = @fallback; + } + + location @fallback { + # Fallback to the cloud API server + proxy_pass https://api.groundlight.ai; + } + + } #https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-http/ server { - listen 6717; # HTTP server listen 443 ssl; # HTTPS server server_name _; From 831455ffa4f7e07ef9275bb5a37bbb989ba4c86b Mon Sep 17 00:00:00 2001 From: blaise-muhirwa Date: Thu, 19 Oct 2023 21:03:12 +0000 Subject: [PATCH 18/21] documentation --- README.md | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 9d740d76..22ea78cc 100644 --- a/README.md +++ b/README.md 
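Review bot: The new `@fallback` location proxies to `https://api.groundlight.ai` without a `proxy_ssl_verify` directive, and NGINX defaults that to `off`, so the upstream certificate is never validated and the forwarded request, including whatever credential header the client sent, can be read by anyone able to redirect the edge node's outbound traffic. Add inside `location @fallback`: `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;` (use the image's CA bundle path) and `proxy_ssl_server_name on;`, the last of which also sends SNI, which the upstream may require. The plain-HTTP `server` on 6717 that hosts this fallback remains reachable alongside the 443 block, so unencrypted client requests are also relayed to the cloud through this path; a comment stating whether that is intended would help. The HTTPS `server` block at the end of the hunk continues outside it.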
@@ -126,9 +126,24 @@ docker run -d --name groundlight-edge -e GROUNDLIGHT_API_TOKEN --rm -p 127.0.0.1 ### Configuring HTTPS on the NGINX proxy -Because the first server application code reaches is always the NGINX proxy, standard nginx configuration can be used -to configure HTTPS. You must either supply a signed TLS certificate or generate a self-signed certificate in this case. -When using a self-signed certificate, be sure to configure calling applications to ignore TLS warnings. +Because the first server application code reaches is always the NGINX proxy, standard NGINX configuration can be used +to configure HTTPS. The NGINX configuration file [`nginx.conf`](./configs/nginx.conf) is already set up for both +HTTP and HTTPS. -To set up TLS, modify the [`nginx.conf`](./configs/nginx.conf) file. Then rebuild your container and relaunch the server. +In order to use HTTPS for the edge endpoint, you must either supply a signed TLS certificate or generate a self-signed +certificate. You can generate a self-signed certificate with OpenSSL by running + +```shell +make generate-tls-cert +``` + +This will create both a private key and a TLS certificate stored at `certs/ssl/nginx_ed25519.key` and `certs/ssl/nginx_ed25519.crt`. +Then, rebuild and re-lauch the server, making sure to specify the port for HTTPS, which is 443, instead of 6717 for HTTP. + +```shell +docker build --tag edge-endpoint +export EDGE_CONFIG=$(cat configs/edge-config.yaml) +# Send requests to the HTTPS server +docker run -d --name groundlight-edge -e EDGE_CONFIG --rm -p 6717:443 edge-endpoint +``` From c30eb0aacb050685fb4846b04eec14be9fe459e9 Mon Sep 17 00:00:00 2001 From: blaise-muhirwa Date: Mon, 23 Oct 2023 19:24:06 +0000 Subject: [PATCH 19/21] [wip] --- app/core/app_state.py | 1 + configs/nginx.conf | 2 +- deploy/k3s/edge_deployment/edge_deployment.yaml | 4 ++-- 3 files changed, 4 insertions(+), 3 deletions(-) 
diff --git a/app/core/app_state.py b/app/core/app_state.py index 2dd4165e..39fa65dd 100644 --- a/app/core/app_state.py +++ b/app/core/app_state.py @@ -46,6 +46,7 @@ def load_edge_config() -> RootEdgeConfig: @lru_cache(maxsize=MAX_SDK_INSTANCES_CACHE_SIZE) def _get_groundlight_sdk_instance_internal(api_token: str): + logger.debug(f"Creating new Groundlight SDK instance with API token: {api_token}") return Groundlight(api_token=api_token) diff --git a/configs/nginx.conf b/configs/nginx.conf index ebfa41fe..c2edd313 100644 --- a/configs/nginx.conf +++ b/configs/nginx.conf @@ -28,7 +28,7 @@ http { #https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-http/ server { listen 443 ssl; # HTTPS server - server_name _; + server_name edge-endpoint-service; # If SSL certificate does not exist, then fallback to HTTP if (!-f /etc/nginx/ssl/nginx_ed25519.crt) { diff --git a/deploy/k3s/edge_deployment/edge_deployment.yaml b/deploy/k3s/edge_deployment/edge_deployment.yaml index ea6ffebc..217422cf 100644 --- a/deploy/k3s/edge_deployment/edge_deployment.yaml +++ b/deploy/k3s/edge_deployment/edge_deployment.yaml @@ -40,7 +40,7 @@ spec: serviceAccountName: edge-endpoint-service-account containers: - name: edge-endpoint - image: 723181461334.dkr.ecr.us-west-2.amazonaws.com/edge-endpoint:using-https-684512ed7-dirty-32c669a0b149163 + image: 723181461334.dkr.ecr.us-west-2.amazonaws.com/edge-endpoint:using-https-831455ffa-dirty-27326c78fb0646c imagePullPolicy: IfNotPresent ports: - containerPort: 443 @@ -62,7 +62,7 @@ spec: mountPath: /etc/groundlight/edge-config - name: inference-model-updater - image: 723181461334.dkr.ecr.us-west-2.amazonaws.com/edge-endpoint:using-https-684512ed7-dirty-32c669a0b149163 + image: 723181461334.dkr.ecr.us-west-2.amazonaws.com/edge-endpoint:using-https-831455ffa-dirty-27326c78fb0646c imagePullPolicy: IfNotPresent command: ["/bin/bash", "-c"] args: ["poetry run python -m app.model_updater.update_models"] 
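Review bot: The new `logger.debug(f"... API token: {api_token}")` in `_get_groundlight_sdk_instance_internal` writes the raw credential into the log, so any deployment running at debug level ends up with API tokens in container stdout and whatever aggregates it. Log the event without the value: `logger.debug("Creating new Groundlight SDK instance")`; if instances need to be told apart, a short non-reversible fingerprint is the most that should appear. Since the f-string is evaluated before the level check, the token is also formatted even when debug is off. The `@lru_cache` above keys on the full token and keeps it resident for the cache's lifetime; that is pre-existing, but a comment on the decorator noting it would help the next reader.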
From 124ca86f46d1816a38b4afa32c31e97e67db7d55 Mon Sep 17 00:00:00 2001 From: blaise-muhirwa Date: Tue, 24 Oct 2023 20:44:34 +0000 Subject: [PATCH 20/21] save temporary work --- .../k3s/edge_deployment/edge_deployment.yaml | 16 ++++++-- test.py | 40 +++++++++++++++++++ 2 files changed, 53 insertions(+), 3 deletions(-) create mode 100644 test.py diff --git a/deploy/k3s/edge_deployment/edge_deployment.yaml b/deploy/k3s/edge_deployment/edge_deployment.yaml index 217422cf..fed06e69 100644 --- a/deploy/k3s/edge_deployment/edge_deployment.yaml +++ b/deploy/k3s/edge_deployment/edge_deployment.yaml @@ -14,9 +14,19 @@ spec: app: edge-logic-server ports: - protocol: TCP + name: http + port: 80 # Service port for NGINX - port: 6717 + targetPort: 6717 + # NodePort for HTTP nodePort: 30101 + - protocol: TCP + name: https + port: 443 + # Service port for NGINX + targetPort: 6717 + # NodePort for HTTPS + nodePort: 30102 type: NodePort --- apiVersion: apps/v1 @@ -40,7 +50,7 @@ spec: serviceAccountName: edge-endpoint-service-account containers: - name: edge-endpoint - image: 723181461334.dkr.ecr.us-west-2.amazonaws.com/edge-endpoint:using-https-831455ffa-dirty-27326c78fb0646c + image: 723181461334.dkr.ecr.us-west-2.amazonaws.com/edge-endpoint:using-https-c30eb0aac-dirty-6743fd4608890eb imagePullPolicy: IfNotPresent ports: - containerPort: 443 @@ -62,7 +72,7 @@ spec: mountPath: /etc/groundlight/edge-config - name: inference-model-updater - image: 723181461334.dkr.ecr.us-west-2.amazonaws.com/edge-endpoint:using-https-831455ffa-dirty-27326c78fb0646c + image: 723181461334.dkr.ecr.us-west-2.amazonaws.com/edge-endpoint:using-https-c30eb0aac-dirty-6743fd4608890eb imagePullPolicy: IfNotPresent command: ["/bin/bash", "-c"] args: ["poetry run python -m app.model_updater.update_models"] diff --git a/test.py b/test.py new file mode 100644 index 00000000..4ad3c38e --- /dev/null +++ b/test.py 
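Review bot: The new `https` Service port maps `port: 443` / `nodePort: 30102` to `targetPort: 6717`, the same container port as the `http` entry and, per the `listen 6717;` server in `configs/nginx.conf`, a plaintext listener; a TLS client on 30102 would be talking to a non-TLS socket, and the Deployment below only declares `containerPort: 443`. It should read `targetPort: 443`. Separately, `nodePort: 30101` publishes the unencrypted listener on every node interface, so requests and any credential headers sent over it cross the network in the clear; if HTTPS is meant to be the supported entry point, consider dropping the `http` NodePort or documenting why it stays.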
@@ -0,0 +1,40 @@ +import time + +from groundlight import Groundlight +from PIL import Image + +DETECTORS = { + "dog_detector": { + "detector_id": "det_2UOxalD1gegjk4TnyLbtGggiJ8p", + "query": "Is there a dog in the image?", + "confidence_threshold": 0.9, + }, + "cat_detector": { + "detector_id": "det_2UOxao4HZyB9gv4ZVtwMOvdqgh9", + "query": "Is there a cat in the image?", + "confidence_threshold": 0.9, + }, +} + + +def main(): + gl = Groundlight(endpoint="https://10.45.0.71:30102", disable_tls_verification=True) + dog_detector = DETECTORS["dog_detector"]["detector_id"] + cat_detector = DETECTORS["cat_detector"]["detector_id"] + + dog_image = Image.open("test/assets/dog.jpeg") + cat_image = Image.open("test/assets/cat.jpeg") + + gl.submit_image_query(detector=dog_detector, image=dog_image) + gl.submit_image_query(detector=cat_detector, image=cat_image) + + time.sleep(300) + + for _ in range(40): + gl.submit_image_query(detector=dog_detector, image=dog_image) + + gl.submit_image_query(detector=cat_detector, image=cat_image) + + +if __name__ == "__main__": + main() \ No newline at end of file From a95daa24a9936782fe0c29883a3267efb1cf7010 Mon Sep 17 00:00:00 2001 From: blaise-muhirwa Date: Sun, 29 Oct 2023 18:14:33 +0000 Subject: [PATCH 21/21] add nodeport for https routing --- deploy/k3s/edge_deployment/edge_deployment.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/deploy/k3s/edge_deployment/edge_deployment.yaml b/deploy/k3s/edge_deployment/edge_deployment.yaml index fed06e69..cecb40ee 100644 --- a/deploy/k3s/edge_deployment/edge_deployment.yaml +++ b/deploy/k3s/edge_deployment/edge_deployment.yaml @@ -13,7 +13,7 @@ spec: selector: app: edge-logic-server ports: - - protocol: TCP + - protocol: TCP name: http port: 80 # Service port for NGINX @@ -24,7 +24,7 @@ spec: name: https port: 443 # Service port for NGINX - targetPort: 6717 + targetPort: 443 # NodePort for HTTPS nodePort: 30102 type: NodePort 
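Review bot: `Groundlight(endpoint="https://10.45.0.71:30102", disable_tls_verification=True)` in `main` switches off certificate checking on the very HTTPS path this branch is building, so the connection is open to interception and the script exercises nothing about TLS; the same flag was removed from `app_state.py` two patches earlier. Prefer trusting the generated `certs/ssl/nginx_ed25519.crt` explicitly (via the SDK's CA-bundle option or `REQUESTS_CA_BUNDLE`, if the SDK honours them, which is not visible here) and read the endpoint from an environment variable rather than a hard-coded private IP. The file also sits at the repository root with a `time.sleep(300)` and a commit title of "save temporary work"; it belongs under `test/` with a docstring describing the scenario, or should not be committed.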
@@ -50,7 +50,7 @@ spec: serviceAccountName: edge-endpoint-service-account containers: - name: edge-endpoint - image: 723181461334.dkr.ecr.us-west-2.amazonaws.com/edge-endpoint:using-https-c30eb0aac-dirty-6743fd4608890eb + image: 723181461334.dkr.ecr.us-west-2.amazonaws.com/edge-endpoint:using-https-ac70b5082-dirty-447ad46d6dde4af imagePullPolicy: IfNotPresent ports: - containerPort: 443 @@ -72,7 +72,7 @@ spec: mountPath: /etc/groundlight/edge-config - name: inference-model-updater - image: 723181461334.dkr.ecr.us-west-2.amazonaws.com/edge-endpoint:using-https-c30eb0aac-dirty-6743fd4608890eb + image: 723181461334.dkr.ecr.us-west-2.amazonaws.com/edge-endpoint:using-https-ac70b5082-dirty-447ad46d6dde4af imagePullPolicy: IfNotPresent command: ["/bin/bash", "-c"] args: ["poetry run python -m app.model_updater.update_models"]