feat: Add SSL support for http api servers via bentoml serve #2886
Conversation
Supress pylint warning
|
Hello @sptowey, Thanks for updating this PR. There are currently no PEP 8 issues detected in this PR. Cheers! 🍻 Comment last updated at 2022-08-11 19:51:29 UTC |
bentoml/serve.py
Outdated
| ssl_keyfile: t.Optional[str] = None, | ||
| ssl_certfile: t.Optional[str] = None, | ||
| ssl_keyfile_password: t.Optional[str] = None, | ||
| ssl_version: t.Optional[int] = None, | ||
| ssl_cert_reqs: t.Optional[int] = None, | ||
| ssl_ca_certs: t.Optional[str] = None, | ||
| ssl_ciphers: t.Optional[str] = None, |
There was a problem hiding this comment.
Should we use dependency injection here?
There was a problem hiding this comment.
+1. Let's inject config here.
ssl_keyfile: t.Optional[str] = Provide[BentoMLContainer.api_server_config.ssl.keyfile]
There was a problem hiding this comment.
Aha, I understand now. I'd considered doing it that was to start, but wasn't entirely clear on if Provide would default to None as expected.
| "--ssl-keyfile", | ||
| type=click.STRING, | ||
| help="SSL key file", | ||
| default=None, |
There was a problem hiding this comment.
Should we set the default value from config here? e.g.
default=BentoMLContainer.api_server_config.ssl.keyfile.get(),
There was a problem hiding this comment.
I think we should use dependency injection like Aaron said above, we probably should try to start avoiding depending on BentoML before the click initialization so that click completion isn't horribly slow.
There was a problem hiding this comment.
After this PR got merge, I think we can do a quick cleanup on CLI and set default value to None, and then we can access the value via DI lazily.
There was a problem hiding this comment.
Let me know if you want me to help out with this. Sounds like you all may have it under control though?
There was a problem hiding this comment.
Since there is no default value for the SSL related configurations, doing dependency injection here is not very meaningful. I think we can leave it out.
There was a problem hiding this comment.
It is more about user providing this option via config right?
There was a problem hiding this comment.
Correct. What I meant was that we should do config injection at the places you suggested in serve_development and serve_production instead of CLI.
Codecov Report
@@ Coverage Diff @@
## main #2886 +/- ##
==========================================
+ Coverage 70.70% 70.85% +0.14%
==========================================
Files 103 103
Lines 9302 9328 +26
==========================================
+ Hits 6577 6609 +32
+ Misses 2725 2719 -6
|
Whoops, I ran the linter but missed the formatter! |
| "--ssl-keyfile", | ||
| type=click.STRING, | ||
| help="SSL key file", | ||
| default=None, |
There was a problem hiding this comment.
Correct. What I meant was that we should do config injection at the places you suggested in serve_development and serve_production instead of CLI.
bentoml/serve.py
Outdated
| ssl_keyfile: t.Optional[str] = None, | ||
| ssl_certfile: t.Optional[str] = None, | ||
| ssl_keyfile_password: t.Optional[str] = None, | ||
| ssl_version: t.Optional[int] = None, | ||
| ssl_cert_reqs: t.Optional[int] = None, | ||
| ssl_ca_certs: t.Optional[str] = None, | ||
| ssl_ciphers: t.Optional[str] = None, |
There was a problem hiding this comment.
+1. Let's inject config here.
ssl_keyfile: t.Optional[str] = Provide[BentoMLContainer.api_server_config.ssl.keyfile]
bentoml/serve.py
Outdated
| ssl_keyfile: t.Optional[str] = None, | ||
| ssl_certfile: t.Optional[str] = None, | ||
| ssl_keyfile_password: t.Optional[str] = None, | ||
| ssl_version: t.Optional[int] = None, | ||
| ssl_cert_reqs: t.Optional[int] = None, | ||
| ssl_ca_certs: t.Optional[str] = None, | ||
| ssl_ciphers: t.Optional[str] = None, |
There was a problem hiding this comment.
And inject config here.
ssl_keyfile: t.Optional[str] = Provide[BentoMLContainer.api_server_config.ssl.keyfile],
| api_server_watcher_args.extend( | ||
| ["--ssl-keyfile", ssl_keyfile] | ||
| ) if ssl_keyfile is not None else None # pylint: disable=W0106 | ||
| api_server_watcher_args.extend( | ||
| ["--ssl-certfile", ssl_certfile] | ||
| ) if ssl_certfile is not None else None # pylint: disable=W0106 | ||
| api_server_watcher_args.extend( | ||
| ["--ssl-keyfile-password", ssl_keyfile_password] | ||
| ) if ssl_keyfile_password is not None else None # pylint: disable=W0106 | ||
| api_server_watcher_args.extend( | ||
| ["--ssl-version", str(ssl_version)] | ||
| ) if ssl_version is not None else None # pylint: disable=W0106 | ||
| api_server_watcher_args.extend( | ||
| ["--ssl-cert-reqs", str(ssl_cert_reqs)] | ||
| ) if ssl_cert_reqs is not None else None # pylint: disable=W0106 | ||
| api_server_watcher_args.extend( | ||
| ["--ssl-ca-certs", ssl_ca_certs] | ||
| ) if ssl_ca_certs is not None else None # pylint: disable=W0106 | ||
| api_server_watcher_args.extend( | ||
| ["--ssl-ciphers", ssl_ciphers] | ||
| ) if ssl_ciphers is not None else None # pylint: disable=W0106 |
There was a problem hiding this comment.
Uvicorn does handle None option for some option.
IMO, a nicer way to write None check is
if ssl_certfile:
args.extend(["--ssl-certfile", ssl_certfile])
if ssl_cert_reqs:
args.extend(...)
if ssl_version:
...
Then we can pass all of the other options straight through
There was a problem hiding this comment.
Yes, this is a weird bit of code. It doesn't (shouldn't?) actually pass None into uvicorn - here is where uvicorn actually gets the args if they exist.
I wrote it this way to try compacting the code a bit, but running it through the formatter made that a moot point. I agree that it should be reformatted to the way you proposed - much easier to understand.
* Passthrough SSL args from "bentoml server" to uvicorn api servers Supress pylint warning * Delete TODO comments * Fix code formatting * Inject ssl defaults from config Signed-off-by: Aaron Pham <[email protected]>
What does this PR address?
Before submitting:
guide on how to create a pull request.
make formatandmake lintscript have passed (instructions)?those accordingly? Here are documentation guidelines and tips on writting docs.
Who can help review?
@ssheng
@sauyon
Feel free to tag members/contributors who can help review your PR.