Chainguard model engine (#702)

* chainguard mods for federal use cases

* changes to enable model-engine

* logging to fix enqueuing onto the redis broker for the gateway

* added a PROD env variable to utilize redis queue

* forgot to import PROD variable into these file locations

* added configuration changes to helmchart, addressed comments in the pr

* removed federal flag and replaced with fips_compliance. Gated logging behind debug mode

* changes made based on pr comments

* resolve comments from pr

* grammar errors and gating some more logging

* linting for python

* black formatting

* isort fixes

* ruff check

* type check

* black

* type check

* dummy aws creds for circle ci

* mock default profile

* default config

* escape

* omit logging statements from testing coverage

* black formatting

* unit test coverge

* unit test coverage

* formatting

* unit tests

* remove unused import

* fixed testing

* fixed some tests

* simplify tests

* celery test fix

* fix test celery

Author: andytang-scale

.circleci/config.yml

@@ -45,6 +45,20 @@ jobs:
     parallelism: 1
     steps:
       - checkout # checkout source code to working directory
+      - run:
+          name: Setup AWS Config for Testing
+          command: |
+            mkdir -p ~/.aws
+            cat > ~/.aws/credentials \<< EOF
+            [default]
+            aws_access_key_id = dummy
+            aws_secret_access_key = dummy
+            EOF
+            cat > ~/.aws/config \<< EOF
+            [default]
+            region = us-west-2
+            output = json
+            EOF
       - environment_setup
       - install_server
       - run:

charts/model-engine/templates/cacher_deployment.yaml

@@ -29,8 +29,16 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       containers:
         - name: {{ include "modelEngine.cachername" . }}
+          {{- with .Values.containerSecurityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           image: "{{ .Values.image.gatewayRepository }}:{{ .Values.tag}}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:

charts/model-engine/templates/endpoint_builder_deployment.yaml

@@ -30,8 +30,16 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       containers:
         - name: {{ include "modelEngine.buildername" . }}
+          {{- with .Values.containerSecurityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           image: "{{ .Values.image.builderRepository }}:{{ .Values.tag}}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:

charts/model-engine/templates/gateway_deployment.yaml

@@ -37,10 +37,18 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
       terminationGracePeriodSeconds: 60
       priorityClassName: model-engine-high-priority
       containers:
         - name: {{ include "modelEngine.fullname" . }}
+          {{- with .Values.containerSecurityContext }}
+          securityContext:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
           image: "{{ .Values.image.gatewayRepository }}:{{ .Values.tag}}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:

charts/model-engine/templates/service_config_map.yaml

@@ -19,6 +19,15 @@ data:
     {{- end }}
   infra_service_config: |-
     env: {{ .Values.context | quote }}
+    {{- if .Values.celery_enable_sha256 }}
+    celery_enable_sha256: {{ .Values.celery_enable_sha256 }}
+    {{- end }}
+    {{- if .Values.debug_mode }}
+    debug_mode: {{ .Values.debug_mode }}
+    {{- end }}
+    {{- if .Values.celery_broker_type_redis }}
+    celery_broker_type_redis: {{ .Values.celery_broker_type_redis }}
+    {{- end }}
     {{- with .Values.config.values.infra }}
     {{- range $key, $value := . }}
     {{ $key }}: {{ $value | quote }}
@@ -48,6 +57,15 @@ data:
     {{- end }}
   infra_service_config: |-
     env: {{ .Values.context | quote }}
+    {{- if .Values.celery_enable_sha256 }}
+    celery_enable_sha256: {{ .Values.celery_enable_sha256 }}
+    {{- end }}
+    {{- if .Values.debug_mode }}
+    debug_mode: {{ .Values.debug_mode }}
+    {{- end }}
+    {{- if .Values.celery_broker_type_redis }}
+    celery_broker_type_redis: {{ .Values.celery_broker_type_redis }}
+    {{- end }}
     {{- with .Values.config.values.infra }}
     {{- range $key, $value := . }}
     {{ $key }}: {{ $value | quote }}

charts/model-engine/values.yaml

@@ -1,6 +1,30 @@
 dd_trace_enabled: true
 spellbook:
   enabled: false
+
+# celery_enable_sha256 [optional] uses SHA256 hashes for federal compliance mode (FIPS, enhanced security)
+celery_enable_sha256: null
+
+# debug_mode [optional] enables detailed debug logging for infrastructure components  
+debug_mode: null
+
+# celery_broker_type_redis [optional] explicitly uses Redis for the Celery broker  
+celery_broker_type_redis: null
+
+#uncomment below if using a container image that requires nonroot (ex. chainguard)
+# podSecurityContext:
+#   runAsUser: 65532     
+#   runAsGroup: 65532    
+#   runAsNonRoot: true
+#   fsGroup: 65532  
+
+# containerSecurityContext:
+#   allowPrivilegeEscalation: false
+#   readOnlyRootFilesystem: false
+#   capabilities:
+#     drop:
+#       - ALL  
+
 redis:
   auth:
   enableTLS: false

charts/model-engine/values_circleci.yaml

@@ -1,5 +1,23 @@
 # This is a YAML-formatted file.
 
+celery_enable_sha256: null
+celery_broker_type_redis: null
+debug_mode: null
+
+#uncomment below if using a container image that requires nonroot (ex. chainguard)
+# podSecurityContext:
+#   runAsUser: 65532     
+#   runAsGroup: 65532    
+#   runAsNonRoot: true
+#   fsGroup: 65532  
+
+# containerSecurityContext:
+#   allowPrivilegeEscalation: false
+#   readOnlyRootFilesystem: false
+#   capabilities:
+#     drop:
+#       - ALL  
+
 replicaCount:
   gateway: 1
   cacher: 1

charts/model-engine/values_sample.yaml

@@ -1,5 +1,28 @@
 # This is a YAML-formatted file.
 
+# celery_enable_sha256 [optional] uses SHA256 hashes for federal compliance mode (FIPS, enhanced security)
+celery_enable_sha256: null
+
+# debug_mode [optional] enables detailed debug logging for infrastructure components  
+debug_mode: null
+
+# celery_broker_type_redis [optional] explicitly uses Redis for the Celery broker  
+celery_broker_type_redis: null
+
+#uncomment below if using a container image that requires nonroot (ex. chainguard)
+# podSecurityContext:
+#   runAsUser: 65532     
+#   runAsGroup: 65532    
+#   runAsNonRoot: true
+#   fsGroup: 65532  
+
+# containerSecurityContext:
+#   allowPrivilegeEscalation: false
+#   readOnlyRootFilesystem: false
+#   capabilities:
+#     drop:
+#       - ALL  
+
 # tag [required] is the LLM Engine docker image tag
 tag: 60ac144c55aad971cdd7f152f4f7816ce2fb7d2f
 # context is a user-specified deployment tag. Can be used to 

federal/Dockerfile.chainguard

@@ -0,0 +1,47 @@
+# federal/Dockerfile.chainguard
+FROM cgr.dev/scale.com/python-fips:3.10.15-dev
+WORKDIR /workspace
+USER root
+
+RUN apk add htop \
+            dumb-init \
+            libssh \
+            openssh-client \
+            iftop \
+            curl \
+            curl-dev \
+            procps \
+            libcurl-openssl4 \
+            vim \
+            kubectl
+
+RUN curl -Lo /bin/aws-iam-authenticator https://github.com/kubernetes-sigs/aws-iam-authenticator/releases/download/v0.5.9/aws-iam-authenticator_0.5.9_linux_amd64
+RUN chmod +x /bin/aws-iam-authenticator
+
+RUN pip install pip==24.2
+RUN chmod -R 777 /workspace
+
+RUN pip install awscli==1.34.28 --no-cache-dir
+
+COPY federal/sitecustomize.py /usr/lib/python3.10/site-packages/sitecustomize.py
+
+WORKDIR /workspace/model-engine/
+COPY model-engine/requirements-test.txt /workspace/model-engine/requirements-test.txt
+COPY model-engine/requirements.txt /workspace/model-engine/requirements.txt
+COPY model-engine/requirements_override.txt /workspace/model-engine/requirements_override.txt
+RUN pip install -r requirements-test.txt --no-cache-dir
+RUN pip install -r requirements.txt --no-cache-dir
+RUN pip install -r requirements_override.txt --no-cache-dir
+COPY model-engine/setup.py /workspace/model-engine/setup.py
+COPY model-engine/model_engine_server /workspace/model-engine/model_engine_server
+RUN pip install -e .
+
+COPY integration_tests /workspace/integration_tests
+
+WORKDIR /workspace
+ENV PYTHONPATH /workspace
+ENV WORKSPACE /workspace
+
+USER nonroot
+
+EXPOSE 5000

federal/sitecustomize.py

@@ -0,0 +1,17 @@
+import hashlib
+
+# Replace md5 with sha256 for FIPS compliance
+hashlib.md5 = hashlib.sha256
+
+# Also patch SQLAlchemy specifically
+try:
+    from sqlalchemy.util import langhelpers
+
+    def sha256_hex(data):
+        if isinstance(data, str):
+            data = data.encode("utf-8")
+        return hashlib.sha256(data).hexdigest()[:8]  # Match MD5 length expectation
+
+    langhelpers.md5_hex = sha256_hex
+except ImportError:
+    pass