Change credentials for LocalStack between environments without replicating all of my environment properties.

[carter-cundiff]

In your Spark Application you are set up be default to utilize two sets of credentials. Localstack credentials are provided in your dev values and remote credentials pulled from a SealedSecret are provided in your base values. Currently these credentials are passed to your Spark Application as env variables. Unfortunately due to the way lists are handled in yaml, there is no good way to append these env variables between yaml files, so as a result you must duplicate all your env variables within your dev values and base values.

This could be improved by utilizing the envFrom field within our Spark Application for passing our different credentials within the dev and base values without the need to duplicate all the other env variables that we would like regardless of the environment.

DOD

• Update existing Spark Application base values template to utilize envFrom.secretRef ✔️
  • Remove hardcoded LocalStack credentials ✔️
• Remove hardcoded LocalStack credentials from existing Mlflow dev values template ✔️
  • Update existing Baton migration to exclude adding those credentials ✔️
• Create new LocalStack credentials secret within LocalStack V2 helm chart ✔️
  • Include config flag to enable/disable the secret ✔️
• Baton migration for base values: ✔️

Feature: Migrate a spark application base values with Localstack S3 credentials to use a secret reference
  Scenario: Migrate a spark application base values with Localstack S3 credentials
    Given a project that has a spark application base values 
    And the base values contains hardcoded Localstack S3 credentials
    And the base values contains "<yaml-config>" configuration
    When the spark application base values credential migration executes
    Then the base values S3 credentials will be updated to use a secret reference
    And the hardcoded Localstack S3 credentials will be removed

  Examples:
    | yaml-config      |
    | driver           |
    | driver-envFrom   |
    | executor         |
    | executor-envFrom |

  Scenario: Skip spark application base values migration with secret based S3 credentials in the base values
    Given a project that has a spark application base values 
    And the base values contains secret based S3 credentials
    When the spark application base values credential migration executes
    Then the spark application base values credential migration is skipped

  Scenario: Skip spark application base values migration without any S3 credentials in the base values
    Given a project that has a spark application base values 
    And the base values does not contain any S3 credentials
    When the spark application base values credential migration executes
    Then the spark application base values credential migration is skipped

  Scenario: Skip spark application base values migration without any environment variables in the base values
    Given a project that has a spark application base values
    And the base values does not contain any environment variables
    When the spark application base values credential migration executes
    Then the spark application base values credential migration is skipped

• Update migration table within the release notes ✔️
• Stretch goal:
  • Update baton version ✔️

Test Step Outline

Test New Project SparkApplication Generation

1. Pull the latest commits from dev and build the following in aissemble:

mvn clean install -pl :build-parent,:aissemble-localstack-chart,:foundation-mda,:foundation-archetype,:foundation-upgrade,:aissemble-spark -Dmaven.build.cache.enabled=false

2. Create a downstream project from the archetype using the following command:

mvn archetype:generate -DarchetypeGroupId=com.boozallen.aissemble -DarchetypeArtifactId=foundation-archetype -DarchetypeVersion=1.7.0-SNAPSHOT -DgroupId=com.example -DartifactId=example -DprojectGitUrl=url -DprojectName=example && cd example

3. Add the attached MlPipelineTraining.json, PysparkPipeline.json, and SparkPipeline.json to example-pipeline-models/src/main/resources/pipelines/
4. Run the following once:

mvn clean install

5. Run the following until all the manual actions are complete:

mvn clean generate-sources

6. Add the following to the save_model function within example-pipelines/ml-pipeline-training/pipeline-training-step/src/pipeline_training_step/impl/ml_pipeline_training.py:

mlflow.log_dict({"success": "true"}, "TestLocalStack.json")

7. WSL ONLY: Add the following to example-docker/example-pipeline-training-step-docker/pom.xml:

            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-dependency-plugin</artifactId>
                <executions>
                    <execution>
                        <id>unpack</id>
                        <phase>prepare-package</phase>
                        <goals>
                            <goal>unpack</goal>
                        </goals>
                        <configuration>
                            <artifactItems>
                                <artifactItem>
                                    <groupId>com.boozallen.aissemble</groupId>
                                    <artifactId>extensions-docker-cacerts</artifactId>
                                    <version>1.7.0-SNAPSHOT</version>
                                    <overWrite>true</overWrite>
                                    <outputDirectory>${project.build.directory}/cacerts</outputDirectory>
                                    <type>zip</type>                               
                                </artifactItem>
                            </artifactItems>
                        </configuration>
                    </execution>
                </executions>
            </plugin>

and example-docker/example-pipeline-training-step-docker/src/main/resources/docker/Dockerfile (after the FROM command):

COPY ./target/cacerts/* /usr/local/share/ca-certificates/
RUN update-ca-certificates

8. Run the following once:

mvn clean install

9. Update the example-deploy/src/main/resources/apps/s3-local/Chart.yaml dependencies section to the following:
   Note: this relative path assumes the aiSSEMBLE repo lives alongside this project in the same directory

dependencies:
  - name: aissemble-localstack-chart
    version: "1.0.0"
    repository: "file://../../../../../../../aissemble/extensions/extensions-helm/aissemble-localstack-chart"

10. Replace aissemble-localstack with aissemble-localstack-chart in the example-deploy/src/main/resources/apps/s3-local/values.yaml
11. Delete the cached repositories:

rm -rf example-deploy/src/main/resources/apps/s3-local/charts
rm -rf example-deploy/src/main/resources/apps/s3-local/Chart.lock

12. Run the following to pull the local chart:

helm dependency build example-deploy/src/main/resources/apps/s3-local/

13. tilt up; tilt down
14. Once all the pods are ready, run the spark-pipeline resource and wait for the pipeline to finish running
15. Then run the pyspark-pipeline resource and wait for the pipeline to finish running
16. Verify there are now two events in the s3a:spark-infrastructure/spark-events/ bucket with the following command in a new teminal:

awslocal s3 ls spark-infrastructure/spark-events/

17. Run the following in a new terminal:

curl --location 'http://localhost:5001/training-jobs?pipeline_step=pipeline-training-step' \--header 'Content-Type: application/json' \--data '{}' 

18. Wait for the pipeline to finish running (around 10 seconds). Will show as complete on the following command:

kubectl get jobs

19. Navigate to http://localhost:5005/#/experiments/1 and select the latest run
20. Within the run, verify the file TestLocalStack.json with the following content exists in the artifacts tab:

{
  "success": "true"
}

Test upgrading a project

1. Create a downstream project from the archetype using the following command:

mvn archetype:generate -DarchetypeGroupId=com.boozallen.aissemble -DarchetypeArtifactId=foundation-archetype -DarchetypeVersion=1.6.1 -DgroupId=com.example -DartifactId=example-upgrade -DprojectGitUrl=url -DprojectName=example-upgrade && cd example-upgrade

2. Add the attached MlPipelineTraining.json, PysparkPipeline.json, and SparkPipeline.json to example-pipeline-models/src/main/resources/pipelines/
3. Run the following once:

mvn clean install -pl :example-upgrade-pipeline-models

4. Run the following until all the manual actions are complete:

mvn clean generate-sources

5. Remove <version>${version.clean.plugin}</version> from example-upgrade-deploy/pom.xml
6. Update the root pom.xml build-parent version to 1.7.0-SNAPSHOT
7. Run the following:

mvn baton:1.0.0:baton-migrate -pl :example-upgrade

8. Verify the example-upgrade-pipelines/pyspark-pipeline/src/pyspark_pipeline/resources/apps/pyspark-pipeline-base-values.yaml and example-upgrade-pipelines/spark-pipeline/src/main/resources/apps/spark-pipeline-base-values.yaml now contain the following:

    driver:
      # Setup these secret key references within your SealedSecret
      envFrom:
        - secretRef:
            name: remote-auth-config
      cores: 1
      coreLimit: "1200m"
      memory: "512m"
      env:
        - name: KRAUSENING_BASE
          value: /opt/spark/krausening/base
    executor:
      envFrom:
        - secretRef:
            name: remote-auth-config
      cores: 1
      memory: "512m"
      env:
        - name: KRAUSENING_BASE
          value: /opt/spark/krausening/base

Note: the spark-pipeline-base-values.yaml will also contain javaOptions:
9. Verify the example-upgrade-deploy/src/main/resources/apps/mlflow-ui/values-dev.yaml now has the following:

aissemble-mlflow-chart:
  mlflow:
    externalS3:
      host: "s3-local"
      port: 4566
      protocol: http
      existingSecretAccessKeyIDKey: "AWS_ACCESS_KEY_ID"
      existingSecretKeySecretKey: "AWS_SECRET_ACCESS_KEY"
    tracking:
      service:
        type: LoadBalancer

10. Verify the example-upgrade-deploy/src/main/resources/apps/mlflow-ui/values.yaml now has the following:

aissemble-mlflow-chart:
  mlflow:
    externalS3:
      existingSecret: remote-auth-config
      bucket: mlflow-models/mlflow-storage

      # Update these keys with your external S3 details and credentials defined here:
      # [YOUR-PROJECT]-deploy/src/main/resources/templates/sealed-secret.yaml
      # existingSecretAccessKeyIDKey: 
      # existingSecretKeySecretKey: 
      # host:

[carter-cundiff]

Discussed DOD with @ewilkins-csi and @jacksondelametter

[carter-cundiff]

Decided to use one secret ref in the base values:

envFrom:
  - secretRef:
      name: remote-auth-config

Then the contents of the remote-auth-config will vary based on your deployment environment.

[carter-cundiff]

Adjusted DOD. LocalStack secret will now be included as part of LocalStack V2 helm chart. Will update Mlflow to utilize this secret as well.

[ewilkins-csi]

OTS looks good!

[Cho-William]

Testing passed, closing issue.