Optional imagePullSecret

Author: ryansingman

INSTALLATION.md

@@ -64,7 +64,9 @@ Confirm that your `kubectl` is configured to use your AKS cluster by running `ku
 
 To pull container images during installation and upgrades, your Azure tenant must be able to pull images from Cleanlab's container registry.
 
-To do this, follow the instructions [here](https://learn.microsoft.com/en-us/azure/container-registry/authenticate-aks-cross-tenant) as Tenant A (steps 1 and 4). After step 1, ensure that you send your application client ID to Cleanlab to enable us to grant the necessary registry permissions.
+To do this, follow the instructions [here](https://learn.microsoft.com/en-us/azure/container-registry/authenticate-aks-cross-tenant) as Tenant A. Only do step 1. After step 1, ensure that you send your application client ID to Cleanlab to enable us to grant the necessary registry permissions.
+
+Ensure you save the service principal ID and password for later use.
 
 #### Configuring model access
 
@@ -96,13 +98,10 @@ Run through the following scripts to install the TLM app:
 ```
 ./scripts/aks/0_prerequisites.sh
 ./scripts/aks/1_secrets.sh
-./scripts/aks/2_app.sh
+./scripts/aks/2_registry.sh
+./scripts/aks/3_app.sh
 ```
 
-Things to note:
-- To allow the TLM to access models and provide it with other secrets, you must go through the Azure Key Vault secret flow
-  - You only need to do this once per installation (or when you want to update the secrets)
-
 ### Upgrading the TLM app
 
 To upgrade the TLM app, you can run the following command:

deploy/helm/tlm/templates/chat/deployment.yaml

@@ -61,3 +61,7 @@ spec:
               port: {{ .Values.chat_backend.container.port }}
           resources:
             {{- toYaml .Values.chat_backend.resources | nindent 12 }}
+        {{- if .Values.imagePullSecret.enabled }}
+      imagePullSecrets:
+        - name: {{ .Values.imagePullSecret.name }}
+      {{- end }}

deploy/helm/tlm/values.yaml

@@ -4,6 +4,10 @@
 
 replicaCount: 1
 
+imagePullSecret:
+  enabled: false
+  name: ""
+
 chat_backend:
   master_api_key: ""
 

scripts/aks/2_registry.sh

@@ -0,0 +1,15 @@
+#! /bin/bash
+
+BASEDIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+. "$BASEDIR/../utils/registry.sh"
+. "$BASEDIR/../utils/prompt.sh"
+
+print_header "2. Setting up registry login credentials"
+
+read -p "Enter the service principal ID: " service_principal_id
+read -sp "Enter the service principal password: " service_principal_password
+
+create_registry_secret $service_principal_id $service_principal_password
+
+echo "Registry login credentials setup successfully"

scripts/aks/2_app.sh scripts/aks/3_app.shscripts/aks/2_app.sh renamed to scripts/aks/3_app.sh

@@ -23,6 +23,13 @@ flags="$flags --set image.repository=cleanlabtlm.azurecr.io/tlm/chat-backend"
 api_key=$(openssl rand -base64 16)
 flags="$flags --set chat_backend.master_api_key=$api_key"
 
+# Check if registry secret exists
+if check_registry_secret_exists; then
+    flags="$flags --set imagePullSecret.enabled=true --set imagePullSecret.name=$REGISTRY_CREDENTIALS_SECRET_NAME"
+else
+    echo "Registry secret does not exist. Skipping image pull secret setup."
+fi
+
 # Login to Azure Container Registry
 USERNAME="00000000-0000-0000-0000-000000000000"
 az acr login --name cleanlabtlm --expose-token --output tsv --query accessToken | \

scripts/utils/registry.sh

@@ -0,0 +1,29 @@
+#! /bin/bash
+
+set -e  # Exit immediately if any command fails
+set -u  # Treat unset variables as errors
+set -o pipefail  # Ensure pipeline failures are caught
+
+BASEDIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+. "$BASEDIR/../utils/kubernetes.sh"
+
+REGISTRY_NAME="cleanlabtlm"
+REGISTRY_CREDENTIALS_SECRET_NAME="$REGISTRY_NAME-login-credentials"
+
+
+function create_registry_secret() {
+    service_principal_id=$1
+    service_principal_password=$2
+
+    kubectl create secret docker-registry $REGISTRY_CREDENTIALS_SECRET_NAME \
+        --namespace $TLM_NAMESPACE \
+        --docker-server=$REGISTRY_NAME.azurecr.io \
+        --docker-username=$service_principal_id \
+        --docker-password=$service_principal_password
+}
+
+
+function check_registry_secret_exists() {
+    kubectl get secret $REGISTRY_CREDENTIALS_SECRET_NAME --namespace $NAMESPACE &> /dev/null
+}