Hi folks. I am trying to set up ClearML in our k8s cluster and would like to expose the Webserver and API server outside our cluster. I am a bit lost with the configuration settings and the ways to do it securely in k8s. I read the https://clearml.slack.com/archives/CTK20V944/p1630682666183600 discussion and, like smos, I am also a bit shaky when it comes to web security. Is there some documentation explaining in simple terms what the different keys/secrets are used for?
"CLEARML__SECURE__HTTP__SESSION_SECRET__APISERVER": "",
"CLEARML__SECURE__AUTH__TOKEN_SECRET": "",
"CLEARML__SECURE__CREDENTIALS__APISERVER__USER_KEY": "",
"CLEARML__SECURE__CREDENTIALS__APISERVER__USER_SECRET": "",
"CLEARML__SECURE__CREDENTIALS__WEBSERVER__USER_KEY": "",
"CLEARML__SECURE__CREDENTIALS__WEBSERVER__USER_SECRET": "",
"CLEARML__SECURE__CREDENTIALS__TESTS__USER_KEY": "",
"CLEARML__SECURE__CREDENTIALS__TESTS__USER_SECRET": "".
I am setting up the cluster using the helm charts from https://github.com/allegroai/clearml-helm-charts . I understand that some key/secret pairs are needed for internal access for the ClearML components and the details in apiserver.conf are needed for user access. If I understand right, at the moment the apiserver.conf can be set using additionalConfigs as in the discussion https://clearml.slack.com/archives/CTK20V944/p1648044291291519 . But this means the configs are committed to git (from where our helm charts are deployed to our cluster). This, we can all agree, is not safe. I also notice that this config can be mounted as a volume or secret or a configmap as suggested https://clearml.slack.com/archives/CTK20V944/p1627029627387300 . Is there any update on the same?
SuccessfulKoala55 With the enableConfigVolume approach, I have to ensure that an apiserver.conf with the credentials is added to the storage volume?
Hi ColorfulBeetle67 ,
I also notice that this config can be mounted as a volume or secret or a configmap as suggested
That's indeed an option...
Another option is to pass these settings as environment variables, if that can suit your requirements
Thank you for the confirmation SuccessfulKoala55
Another option is to pass these settings as environment variables, if that can suit your requirements
The issue with the environment variables is that the helm chart updated the env variables from a secret as shown https://github.com/allegroai/clearml-helm-charts/blob/e16060f2ad9f7075531e132ad9f8155dc5e7870f/charts/clearml/templates/deployment-apiserver.yaml#L80 . If I additionally pass the auth information using extraEnvs, I am not sure which value would be updated. Hence I have raised an issue https://github.com/allegroai/clearml-helm-charts/issues/60 requesting the flexibility.