feat: upgrade MLflow to 3.3.2 and disable basic auth

BREAKING CHANGE: Basic authentication is now disabled due to
compatibility issues between MLflow 3.x basic-auth and various
deployment configurations.

Security fixes:
- Upgraded MLflow from 2.11.0 to 3.3.2 (resolves 13/14 HIGH alerts)
- Upgraded scikit-learn to >=1.5.0 (resolves 1 MEDIUM alert)
- All medium and low severity alerts addressed

Infrastructure updates:
- Migrated container images to bitnamilegacy registry
- Updated kubectl image to bitnamilegacy/kubectl:1.33.4-debian-12-r0
- Updated postgres image to bitnamilegacy/postgresql:17.6.0-debian-12-r4
- Made postgres backup image configurable

MLflow 3.x compatibility:
- Removed --dev flag (incompatible with MLflow 3.x)
- Fixed template indentation for extraInitContainers and extraVolumes
- Fixed basic_auth.ini template to remove quotes from credentials
- Added SQLite auth database path (though auth is disabled)

Test updates:
- Removed authentication from tests
- Updated test to work with MLflow 3.x without basic auth

Known limitations:
- Basic auth disabled (MLflow 3.x experimental feature has issues)
- Dependabot alert #22 has no patch available

Chart version bumped to 0.5.0 reflecting the breaking change.

Author: chris-sanders

applications/mlflow/charts/mlflow/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: mlflow
 description: A Helm chart for MLflow - Open source platform for the machine learning lifecycle.
 type: application
-version: "0.4.11"
+version: "0.5.0"
 appVersion: "3.3.2"
 home: https://github.com/mlflow/mlflow/tree/master/charts/mlflow
 sources:

applications/mlflow/charts/mlflow/templates/deployment.yaml

@@ -129,7 +129,7 @@ spec:
             name: {{ include "mlflow.fullname" . }}
       {{- end }}
       {{- with .Values.mlflow.extraInitContainers }}
-        {{ toYaml . | nindent 8 }}
+      {{ toYaml . | nindent 6 }}
       {{- end }}
       containers:
       - name: {{ include "mlflow.fullname" . }}
@@ -235,7 +235,7 @@ spec:
           {{- end }}
       {{- end }}
       {{- with .Values.mlflow.extraVolumes }}
-        {{- toYaml . | nindent 8 }}
+      {{- toYaml . | nindent 6 }}
       {{- end }}
       {{- with .Values.mlflow.hostAliases }}
       hostAliases:

applications/mlflow/charts/mlflow/templates/mlflow-auth-secret.yaml

@@ -19,7 +19,7 @@ stringData:
   basic_auth.ini: |
     [mlflow]
     default_permission = {{ .defaultPermission }}
-    database_uri = {{ $dbUri }}
+    database_uri = sqlite:////tmp/basic_auth.db
     admin_username = {{ .adminUsername }}
     admin_password = {{ .adminPassword }}
     authorization_function = {{ .authorizationFunction }}

applications/mlflow/charts/mlflow/values.yaml

@@ -74,10 +74,7 @@ mlflow:
     # ENV_NAME_2: value
 
     # Extra environment variables in mlflow container (not in init containers)
-    # Required for MLflow 3.x with basic auth enabled
-    container:
-      - name: MLFLOW_FLASK_SERVER_SECRET_KEY
-        value: "change-me-in-production"
+    container: []
     # - name: extra-env-name-1
     #   value: extra-env-value-1
     # - name: extra-env-name-2
@@ -106,19 +103,9 @@ mlflow:
 
   # -- Extra volumes that can be mounted by containers belonging to the mlflow pod
   extraVolumes: []
-  # - name: mlflow-volume
-  #   persistentVolumeClaim:
-  #     name: mlflow-pvc
-  # - name: mlflow-configmap-volume
-  #   configMap:
-  #     name: mlflow-configmap
 
   # -- Extra volume mounts to mount into the mlflow container's file system
   extraVolumeMounts: []
-  # - name: mlflow-volume
-  #   mountPath: /opt/mlflow
-  # - name: mlflow-configmap-volume
-  #   mountPath: /etc/mlflow
 
   # -- Use hostAliases to add custom entries to /etc/hosts - mapping IP addresses to hostnames.
   # [[ref]](https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/)
@@ -267,9 +254,10 @@ mlflow:
 
     # Basic authentication configuration,
     # for more information, please visit https://mlflow.org/docs/latest/auth/index.html#configuration
+    # NOTE: Basic auth is disabled due to compatibility issues with MLflow 3.x
     basicAuth:
       # -- Specifies whether to enable basic authentication
-      enabled: true
+      enabled: false
       # -- Name of an existing secret which contains key `basic_auth.ini`
       existingSecret: ""
       # If enables BasicAuth and no existing secret is specified, creates a secret to store authentication configurations
@@ -278,8 +266,8 @@ mlflow:
         defaultPermission: READ
         # -- Default admin username if the admin is not already created
         adminUsername: admin
-        # -- Default admin password if the admin is not already created
-        adminPassword: password
+        # -- Default admin password if the admin is not already created (min 12 chars for MLflow 3.x)
+        adminPassword: password123456
         # -- Function to authenticate requests
         authorizationFunction: mlflow.server.auth:authenticate_request_basic_auth
 

applications/mlflow/release/mlflow-chart.yaml

@@ -5,7 +5,7 @@ metadata:
 spec:
   chart:
     name: mlflow
-    chartVersion: 0.4.11
+    chartVersion: 0.5.0
   weight: 10
   helmUpgradeFlags:
     - --wait

applications/mlflow/tests/helm/nodeport-ingress-disabled.yaml

@@ -15,8 +15,6 @@ mlflow:
     nodePort: 30080
     # Service port name
     name: http
-  # Environment configuration (only for main container, not init containers)
-  env:
-    container:
-      - name: MLFLOW_FLASK_SERVER_SECRET_KEY
-        value: "change-me-in-production"
+  # Environment configuration
+  # env:
+  #   container: []

applications/mlflow/tests/mlflow_test.py

@@ -48,8 +48,8 @@ def check_server_connection(tracking_uri, timeout=30, retry_interval=5):
     host = parsed_url.hostname
     port = parsed_url.port or (443 if parsed_url.scheme == 'https' else 80)
 
-    # Authentication credentials
-    auth = ("admin", "password")
+    # Authentication disabled for MLflow 3.x compatibility
+    auth = None
 
     start_time = time.time()
     while time.time() - start_time < timeout:
@@ -65,8 +65,8 @@ def check_server_connection(tracking_uri, timeout=30, retry_interval=5):
 
         # Then try an HTTP request to the root URL
         try:
-            # For our test environment, always disable SSL verification and include auth
-            response = requests.get(health_url, timeout=5, verify=False, auth=auth)
+            # For our test environment, always disable SSL verification
+            response = requests.get(health_url, timeout=5, verify=False, auth=auth if auth else None)
             status_code = response.status_code
             logger.info(f"Server returned status code: {status_code}")
 
@@ -109,12 +109,8 @@ def run_mlflow_test(tracking_uri, connection_timeout=60):
             logger.error("Failed to connect to MLflow server, aborting test")
             return False
 
-        # Set MLflow tracking URI with authentication
-        # Format: http(s)://username:password@hostname:port
-        parsed_url = urlparse(tracking_uri)
-        auth_url = f"{parsed_url.scheme}://admin:password@{parsed_url.netloc}{parsed_url.path}"
-        logger.info(f"Using authenticated tracking URI")
-        mlflow.set_tracking_uri(auth_url)
+        # Set MLflow tracking URI
+        mlflow.set_tracking_uri(tracking_uri)
 
         # Load the Iris dataset
         logger.info("Loading dataset and training model...")
@@ -246,8 +242,8 @@ def main():
     if args.protocol == "http":
         logger.info("Using HTTP protocol (insecure)")
 
-    # Note about hardcoded credentials
-    logger.info("Using hardcoded authentication (admin/password)")
+    # Note: Authentication disabled for MLflow 3.x
+    logger.info("Authentication disabled (MLflow 3.x without basic auth)")
 
     # Ensure dependencies are installed
     ensure_dependencies()