Source code for mlrun.runtimes.nuclio.application.application

# Copyright 2024 Iguazio
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import pathlib
import typing

import nuclio
import nuclio.auth

import mlrun.common.schemas as schemas
import mlrun.errors
import mlrun.run
from mlrun.common.runtimes.constants import NuclioIngressAddTemplatedIngressModes
from mlrun.runtimes import RemoteRuntime
from mlrun.runtimes.nuclio import min_nuclio_versions
from mlrun.runtimes.nuclio.api_gateway import (
    APIGateway,
    APIGatewayMetadata,
    APIGatewaySpec,
)
from mlrun.runtimes.nuclio.function import NuclioSpec, NuclioStatus
from mlrun.utils import logger, update_in


class ApplicationSpec(NuclioSpec):
    """Nuclio function spec extended with the application's internal port."""

    # Serialize the extra field together with everything the parent exposes.
    _dict_fields = [*NuclioSpec._dict_fields, "internal_application_port"]

    def __init__(
        self,
        command=None,
        args=None,
        image=None,
        mode=None,
        entry_points=None,
        description=None,
        replicas=None,
        min_replicas=None,
        max_replicas=None,
        volumes=None,
        volume_mounts=None,
        env=None,
        resources=None,
        config=None,
        base_spec=None,
        no_cache=None,
        source=None,
        image_pull_policy=None,
        function_kind=None,
        build=None,
        service_account=None,
        readiness_timeout=None,
        readiness_timeout_before_failure=None,
        default_handler=None,
        node_name=None,
        node_selector=None,
        affinity=None,
        disable_auto_mount=False,
        priority_class_name=None,
        pythonpath=None,
        workdir=None,
        image_pull_secret=None,
        tolerations=None,
        preemption_mode=None,
        security_context=None,
        service_type=None,
        add_templated_ingress_host_mode=None,
        clone_target_dir=None,
        state_thresholds=None,
        disable_default_http_trigger=None,
        internal_application_port=None,
    ):
        """
        Forward every Nuclio spec argument to the parent and set the application specifics.

        :param internal_application_port: Port stored on the spec for the application; when falsy, the value
                                          of mlrun.mlconf.function.application.default_sidecar_internal_port
                                          is used instead
        """
        super().__init__(
            command=command,
            args=args,
            image=image,
            mode=mode,
            entry_points=entry_points,
            description=description,
            replicas=replicas,
            min_replicas=min_replicas,
            max_replicas=max_replicas,
            volumes=volumes,
            volume_mounts=volume_mounts,
            env=env,
            resources=resources,
            config=config,
            base_spec=base_spec,
            no_cache=no_cache,
            source=source,
            image_pull_policy=image_pull_policy,
            function_kind=function_kind,
            build=build,
            service_account=service_account,
            readiness_timeout=readiness_timeout,
            readiness_timeout_before_failure=readiness_timeout_before_failure,
            default_handler=default_handler,
            node_name=node_name,
            node_selector=node_selector,
            affinity=affinity,
            disable_auto_mount=disable_auto_mount,
            priority_class_name=priority_class_name,
            pythonpath=pythonpath,
            workdir=workdir,
            image_pull_secret=image_pull_secret,
            tolerations=tolerations,
            preemption_mode=preemption_mode,
            security_context=security_context,
            service_type=service_type,
            add_templated_ingress_host_mode=add_templated_ingress_host_mode,
            clone_target_dir=clone_target_dir,
            state_thresholds=state_thresholds,
            disable_default_http_trigger=disable_default_http_trigger,
        )

        # The application is not assumed to be stateless, so the replica bounds
        # fall back to a single replica when they are not given.
        self.min_replicas = min_replicas if min_replicas else 1
        self.max_replicas = max_replicas if max_replicas else 1

        # A falsy port (None or 0) is replaced by the configured default before
        # it goes through the validating setter below.
        if not internal_application_port:
            internal_application_port = (
                mlrun.mlconf.function.application.default_sidecar_internal_port
            )
        self.internal_application_port = internal_application_port

    @property
    def internal_application_port(self):
        """Return the validated internal application port."""
        return self._internal_application_port

    @internal_application_port.setter
    def internal_application_port(self, port):
        """
        Coerce the port to int and store it only when it is inside 0-65535.

        :raises ValueError: When the coerced value is outside 0-65535 (int() raises on non-numeric input)
        """
        port_number = int(port)
        # NOTE(review): 0 passes this range check; confirm whether a zero port is meaningful to callers.
        if not 0 <= port_number <= 65535:
            raise ValueError("Port must be in the range 0-65535")
        self._internal_application_port = port_number


class ApplicationStatus(NuclioStatus):
    """Nuclio function status extended with application, sidecar and API gateway fields."""

    def __init__(
        self,
        state=None,
        nuclio_name=None,
        address=None,
        internal_invocation_urls=None,
        external_invocation_urls=None,
        build_pod=None,
        container_image=None,
        application_image=None,
        application_source=None,
        sidecar_name=None,
        api_gateway_name=None,
        api_gateway=None,
        url=None,
    ):
        """Pass the Nuclio status fields to the parent and keep the application-only fields here."""
        super().__init__(
            state=state,
            nuclio_name=nuclio_name,
            address=address,
            internal_invocation_urls=internal_invocation_urls,
            external_invocation_urls=external_invocation_urls,
            build_pod=build_pod,
            container_image=container_image,
        )
        # Every application field is normalized so that any falsy input
        # (for example an empty string) is stored as None.
        self.application_image = application_image if application_image else None
        self.application_source = application_source if application_source else None
        self.sidecar_name = sidecar_name if sidecar_name else None
        self.api_gateway_name = api_gateway_name if api_gateway_name else None
        self.api_gateway: typing.Optional[APIGateway] = (
            api_gateway if api_gateway else None
        )
        self.url = url if url else None


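class ApplicationRuntime(RemoteRuntime):
    """
    Runtime of kind "application".

    The function itself runs a reverse proxy (see `get_filename_and_handler`) and the application
    image runs as a sidecar container next to it. Access to the application goes through an
    API gateway created with `create_api_gateway`.
    """

    kind = "application"
    # Image produced by `deploy_reverse_proxy_image`; shared by all instances of the class.
    reverse_proxy_image = None

    @min_nuclio_versions("1.13.1")
    def __init__(self, spec=None, metadata=None):
        super().__init__(spec=spec, metadata=metadata)

    @property
    def spec(self) -> ApplicationSpec:
        return self._spec

    @spec.setter
    def spec(self, spec):
        self._spec = self._verify_dict(spec, "spec", ApplicationSpec)

    @property
    def status(self) -> ApplicationStatus:
        return self._status

    @status.setter
    def status(self, status):
        self._status = self._verify_dict(status, "status", ApplicationStatus)

    @property
    def api_gateway(self):
        """The default API gateway object stored on the status (may be None)."""
        return self.status.api_gateway

    @api_gateway.setter
    def api_gateway(self, api_gateway: APIGateway):
        self.status.api_gateway = api_gateway

    @property
    def url(self):
        """Invoke URL of the default API gateway, syncing the gateway from the DB when it is not loaded."""
        if not self.status.api_gateway:
            self._sync_api_gateway()
        # NOTE(review): when no gateway name is stored, `_sync_api_gateway` returns without
        # setting `status.api_gateway`, so this attribute access is made on None.
        return self.status.api_gateway.invoke_url

    @url.setter
    def url(self, url):
        self.status.url = url

    def set_internal_application_port(self, port: int):
        """
        Set the internal application port on the spec.

        :param port: Port number; validated by the spec's setter (ValueError outside 0-65535)
        """
        self.spec.internal_application_port = port

    def pre_deploy_validation(self):
        """
        Validate the sidecar configuration before deploying.

        :raises mlrun.errors.MLRunBadRequestError: When no sidecar is configured, or a sidecar lacks an image,
            ports, a port `containerPort` or `name`, or has args without a command
        """
        super().pre_deploy_validation()
        if not self.spec.config.get("spec.sidecars"):
            raise mlrun.errors.MLRunBadRequestError(
                "Application spec must include a sidecar configuration"
            )

        sidecars = self.spec.config["spec.sidecars"]
        for sidecar in sidecars:
            if not sidecar.get("image"):
                raise mlrun.errors.MLRunBadRequestError(
                    "Application sidecar spec must include an image"
                )

            if not sidecar.get("ports"):
                raise mlrun.errors.MLRunBadRequestError(
                    "Application sidecar spec must include at least one port"
                )

            ports = sidecar["ports"]
            for port in ports:
                # A falsy containerPort (missing or 0) is rejected here.
                if not port.get("containerPort"):
                    raise mlrun.errors.MLRunBadRequestError(
                        "Application sidecar port spec must include a containerPort"
                    )

                if not port.get("name"):
                    raise mlrun.errors.MLRunBadRequestError(
                        "Application sidecar port spec must include a name"
                    )

            if not sidecar.get("command") and sidecar.get("args"):
                raise mlrun.errors.MLRunBadRequestError(
                    "Application sidecar spec must include a command if args are provided"
                )

    def prepare_image_for_deploy(self):
        """Force loading the source at build time, then run the parent's image preparation."""
        if self.spec.build.source and self.spec.build.load_source_on_run:
            logger.warning(
                "Application runtime requires loading the source into the application image. "
                f"Even though {self.spec.build.load_source_on_run=}, loading on build will be forced."
            )
            self.spec.build.load_source_on_run = False
        super().prepare_image_for_deploy()

    def deploy(
        self,
        project="",
        tag="",
        verbose=False,
        auth_info: schemas.AuthInfo = None,
        builder_env: dict = None,
        force_build: bool = False,
        with_mlrun=None,
        skip_deployed=False,
        is_kfp=False,
        mlrun_version_specifier=None,
        show_on_failure: bool = False,
        create_default_api_gateway: bool = True,
    ):
        """
        Deploy function, builds the application image if required (self.requires_build()) or force_build is True,
        Once the image is built, the function is deployed.

        :param project:                     Project name
        :param tag:                         Function tag
        :param verbose:                     Set True for verbose logging
        :param auth_info:                   Service AuthInfo (deprecated and ignored)
        :param builder_env:                 Env vars dict for source archive config/credentials
                                            e.g. builder_env={"GIT_TOKEN": token}
        :param force_build:                 Set True for force building the application image
        :param with_mlrun:                  Add the current mlrun package to the container build
        :param skip_deployed:               Skip the build if we already have an image for the function
        :param is_kfp:                      Deploy as part of a kfp pipeline
        :param mlrun_version_specifier:     Which mlrun package version to include (if not current)
        :param show_on_failure:             Show logs only in case of build failure
        :param create_default_api_gateway:  When deploy finishes the default API gateway will be created for the
                                            application. Disabling this flag means that the application will not be
                                            accessible until an API gateway is created for it.

        :return: The default API gateway URL if created or True if the function is ready (deployed).
                 True is also returned when creating the default API gateway failed; the failure is
                 only logged as a warning.
        """
        if (self.requires_build() and not self.spec.image) or force_build:
            self._fill_credentials()
            self._build_application_image(
                builder_env=builder_env,
                force_build=force_build,
                watch=True,
                with_mlrun=with_mlrun,
                skip_deployed=skip_deployed,
                is_kfp=is_kfp,
                mlrun_version_specifier=mlrun_version_specifier,
                show_on_failure=show_on_failure,
            )

        # This is a static method that accepts a function instance, so we pass self as the function instance
        self._ensure_reverse_proxy_configurations(self)
        self._configure_application_sidecar()

        # We only allow accessing the application via the API Gateway
        self.spec.add_templated_ingress_host_mode = (
            NuclioIngressAddTemplatedIngressModes.never
        )

        super().deploy(
            project=project,
            tag=tag,
            verbose=verbose,
            auth_info=auth_info,
            builder_env=builder_env,
        )
        logger.info(
            "Successfully deployed function.",
        )

        # Restore the source in case it was removed to make nuclio not consider it when building
        if not self.spec.build.source and self.status.application_source:
            self.spec.build.source = self.status.application_source
            self.save(versioned=False)

        if create_default_api_gateway:
            try:
                api_gateway_name = self.resolve_default_api_gateway_name()
                return self.create_api_gateway(api_gateway_name, set_as_default=True)
            except Exception as exc:
                # Deliberate best effort: the function is already deployed, so a gateway
                # failure (including an invalid authentication setup) is reported, not raised.
                logger.warning(
                    "Failed to create default API gateway, application may not be accessible. "
                    "Use the `create_api_gateway` method to make it accessible",
                    exc=mlrun.errors.err_to_str(exc),
                )
        elif not self.status.api_gateway:
            logger.warning(
                "Application is online but may not be accessible since default gateway creation was not requested."
                "Use the `create_api_gateway` method to make it accessible."
            )

        return True

    def with_source_archive(
        self,
        source,
        workdir=None,
        pull_at_runtime: bool = False,
        target_dir: str = None,
    ):
        """load the code from git/tar/zip archive at build

        :param source:          valid absolute path or URL to git, zip, or tar file, e.g.
                                git://github.com/mlrun/something.git
                                http://some/url/file.zip
                                note path source must exist on the image or exist locally when run is local
                                (it is recommended to use 'workdir' when source is a filepath instead)
        :param workdir:         working dir relative to the archive root (e.g. './subdir') or absolute to the image root
        :param pull_at_runtime: currently not supported, source must be loaded into the image during the build process
        :param target_dir:      target dir on runtime pod or repo clone / archive extraction
        """
        if pull_at_runtime:
            logger.warning(
                f"{pull_at_runtime=} is currently not supported for application runtime "
                "and will be overridden to False",
                pull_at_runtime=pull_at_runtime,
            )

        self._configure_mlrun_build_with_source(
            source=source,
            workdir=workdir,
            pull_at_runtime=False,
            target_dir=target_dir,
        )

    def from_image(self, image):
        """
        Deploy the function with an existing nuclio processor image.
        This applies only for the reverse proxy and not the application image.

        :param image: image name
        """
        super().from_image(image)
        # nuclio implementation detail - when providing the image and emptying out the source code and build source,
        # nuclio skips rebuilding the image and simply takes the prebuilt image
        self.spec.build.functionSourceCode = ""
        # keep the original source on the status so that deploy() can restore it afterwards
        self.status.application_source = self.spec.build.source
        self.spec.build.source = ""

        # save the image in the status, so we won't repopulate the function source code
        self.status.container_image = image

        # ensure golang runtime and handler for the reverse proxy
        self.spec.nuclio_runtime = "golang"
        update_in(
            self.spec.base_spec,
            "spec.handler",
            "main:Handler",
        )

    @staticmethod
    def get_filename_and_handler() -> tuple[str, str]:
        """Return the path of `reverse_proxy.go` next to this module and its handler name."""
        reverse_proxy_file_path = pathlib.Path(__file__).parent / "reverse_proxy.go"
        return str(reverse_proxy_file_path), "Handler"

    def create_api_gateway(
        self,
        name: str = None,
        path: str = None,
        direct_port_access: bool = False,
        authentication_mode: schemas.APIGatewayAuthenticationMode = None,
        authentication_creds: tuple[str, str] = None,
        ssl_redirect: bool = None,
        set_as_default: bool = False,
        gateway_timeout: typing.Optional[int] = None,
    ):
        """
        Create the application API gateway. Once the application is deployed, the API gateway can be created.
        An application without an API gateway is not accessible.

        :param name:                    The name of the API gateway
        :param path:                    Optional path of the API gateway, default value is "/".
                                        The given path should be supported by the deployed application
        :param direct_port_access:      Set True to allow direct port access to the application sidecar
        :param authentication_mode:     API Gateway authentication mode. When not given, the value of
                                        mlrun.mlconf.function.application.default_authentication_mode is used
        :param authentication_creds:    API Gateway basic authentication credentials as a tuple (username, password).
                                        Required whenever the effective mode is basic
        :param ssl_redirect:            Set True to force SSL redirect, False to disable. Defaults to
                                        mlrun.mlconf.force_api_gateway_ssl_redirect()
        :param set_as_default:          Set the API gateway as the default for the application (`status.api_gateway`)
        :param gateway_timeout:         nginx ingress timeout in sec (request timeout, when will the gateway return an
                                        error)

        :return: The API gateway URL
        :raises mlrun.errors.MLRunInvalidArgumentError: When the name is missing, a non-default gateway uses the
            default gateway name, or the effective mode is basic and no credentials were given
        """
        if not name:
            raise mlrun.errors.MLRunInvalidArgumentError(
                "API gateway name must be specified."
            )

        if not set_as_default and name == self.resolve_default_api_gateway_name():
            raise mlrun.errors.MLRunInvalidArgumentError(
                f"Non-default API gateway cannot use the default gateway name, {name=}."
            )

        # Resolve the effective mode BEFORE validating the credentials. Validating the raw
        # argument let a configured default of "basic" through without credentials, which
        # then failed on unpacking None instead of raising the argument error below.
        authentication_mode = (
            authentication_mode
            or mlrun.mlconf.function.application.default_authentication_mode
        )
        if (
            authentication_mode == schemas.APIGatewayAuthenticationMode.basic
            and not authentication_creds
        ):
            raise mlrun.errors.MLRunInvalidArgumentError(
                "Authentication credentials not provided"
            )

        # The sidecar port is handed to the gateway only when direct access was requested.
        ports = self.spec.internal_application_port if direct_port_access else []

        api_gateway = APIGateway(
            APIGatewayMetadata(
                name=name,
                namespace=self.metadata.namespace,
                labels=self.metadata.labels.copy(),
            ),
            APIGatewaySpec(
                functions=[self],
                project=self.metadata.project,
                path=path,
                ports=mlrun.utils.helpers.as_list(ports) if ports else None,
            ),
        )

        api_gateway.with_gateway_timeout(gateway_timeout)
        if ssl_redirect is None:
            ssl_redirect = mlrun.mlconf.force_api_gateway_ssl_redirect()
        if ssl_redirect:
            # Force ssl redirect so that the application is only accessible via https
            api_gateway.with_force_ssl_redirect()

        # Add authentication if required. Only access_key and basic are handled; any other
        # effective mode leaves the gateway without an authentication setting from this method.
        if authentication_mode == schemas.APIGatewayAuthenticationMode.access_key:
            api_gateway.with_access_key_auth()
        elif authentication_mode == schemas.APIGatewayAuthenticationMode.basic:
            api_gateway.with_basic_auth(*authentication_creds)

        db = self._get_db()
        api_gateway_scheme = db.store_api_gateway(
            api_gateway=api_gateway.to_scheme(), project=self.metadata.project
        )

        if set_as_default:
            self.status.api_gateway_name = api_gateway_scheme.metadata.name
            self.status.api_gateway = APIGateway.from_scheme(api_gateway_scheme)
            self.status.api_gateway.wait_for_readiness()
            self.url = self.status.api_gateway.invoke_url
            url = self.url
        else:
            api_gateway = APIGateway.from_scheme(api_gateway_scheme)
            api_gateway.wait_for_readiness()
            url = api_gateway.invoke_url
            # Update application status (enriches invocation url)
            self._get_state(raise_on_exception=False)

        logger.info("Successfully created API gateway", url=url)
        return url

    def delete_api_gateway(self, name: str):
        """
        Delete API gateway by name.
        Refreshes the application status to update api gateway and invocation URLs.
        :param name: The API gateway name
        """
        self._get_db().delete_api_gateway(name=name, project=self.metadata.project)
        if name == self.status.api_gateway_name:
            # the deleted gateway was the default one, so drop the references to it
            self.status.api_gateway_name = None
            self.status.api_gateway = None
        self._get_state()

    def invoke(
        self,
        path: str = "",
        body: typing.Optional[typing.Union[str, bytes, dict]] = None,
        method: str = None,
        headers: dict = None,
        dashboard: str = "",
        force_external_address: bool = False,
        auth_info: schemas.AuthInfo = None,
        mock: bool = None,
        credentials: tuple[str, str] = None,
        **http_client_kwargs,
    ):
        """
        Invoke the application through its default API gateway, or directly when none is configured.

        :param path:                    Request path
        :param body:                    Request body
        :param method:                  HTTP method; on the gateway path it defaults to POST when a body is
                                        given and GET otherwise
        :param headers:                 Request headers
        :param dashboard:               Passed to the parent invoke on the direct path only
        :param force_external_address:  Passed to the parent invoke on the direct path only
        :param auth_info:               Passed to the parent invoke on the direct path only
        :param mock:                    Passed to the parent invoke on the direct path only
        :param credentials:             (username, password) tuple; passed to the gateway invoke, or turned
                                        into a requests auth object on the direct path
        :param http_client_kwargs:      Extra keyword arguments for the HTTP client

        :return: The result of the gateway invoke or of the parent invoke
        """
        self._sync_api_gateway()

        # If the API Gateway is not ready or not set, try to invoke the function directly (without the API Gateway)
        if not self.status.api_gateway:
            logger.warning(
                "Default API gateway is not configured, invoking function invocation URL."
            )
            # create a requests auth object if credentials are provided and not already set in the http client kwargs
            auth = http_client_kwargs.pop("auth", None) or (
                nuclio.auth.AuthInfo(
                    username=credentials[0], password=credentials[1]
                ).to_requests_auth()
                if credentials
                else None
            )
            return super().invoke(
                path,
                body,
                method,
                headers,
                dashboard,
                force_external_address,
                auth_info,
                mock,
                auth=auth,
                **http_client_kwargs,
            )

        if not method:
            method = "POST" if body else "GET"

        return self.status.api_gateway.invoke(
            method=method,
            headers=headers,
            credentials=credentials,
            path=path,
            body=body,
            **http_client_kwargs,
        )

    @classmethod
    def deploy_reverse_proxy_image(cls):
        """
        Build the reverse proxy image and save it.
        The reverse proxy image is used to route requests to the application sidecar.
        This is useful when you want to decrease build time by building the application image only once.

        The resulting image is stored on the class attribute `reverse_proxy_image`.
        """
        # create a function that includes only the reverse proxy, without the application

        reverse_proxy_func = mlrun.run.new_function(
            name="reverse-proxy-temp", kind="remote"
        )
        # default max replicas is 4, we only need one replica for the reverse proxy
        reverse_proxy_func.spec.max_replicas = 1

        # the reverse proxy image should not be based on another image
        reverse_proxy_func.set_config("spec.build.baseImage", None)
        reverse_proxy_func.spec.image = ""
        reverse_proxy_func.spec.build.base_image = ""

        cls._ensure_reverse_proxy_configurations(reverse_proxy_func)
        reverse_proxy_func.deploy()

        # save the created container image
        cls.reverse_proxy_image = reverse_proxy_func.status.container_image

        # delete the function to avoid cluttering the project
        # NOTE(review): this is skipped when deploy() raises, so the temporary function may be left behind.
        mlrun.get_run_db().delete_function(
            reverse_proxy_func.metadata.name, reverse_proxy_func.metadata.project
        )

    def resolve_default_api_gateway_name(self):
        """Return "<name>-<tag>" when the function has a tag, otherwise the function name."""
        return (
            f"{self.metadata.name}-{self.metadata.tag}"
            if self.metadata.tag
            else self.metadata.name
        )

    @min_nuclio_versions("1.13.1")
    def disable_default_http_trigger(
        self,
    ):
        """Always raises: the application runtime does not support disabling the default HTTP trigger."""
        raise mlrun.runtimes.RunError(
            "Application runtime does not support disabling the default HTTP trigger"
        )

    @min_nuclio_versions("1.13.1")
    def enable_default_http_trigger(
        self,
    ):
        """No-op for the application runtime."""
        pass

    def _run(self, runobj: "mlrun.RunObject", execution):
        """Always raises: `.run()` is not supported for this runtime, use `.invoke()`."""
        raise mlrun.runtimes.RunError(
            "Application runtime .run() is not yet supported. Use .invoke() instead."
        )

    def _enrich_command_from_status(self):
        """No-op for the application runtime."""
        pass

    def _build_application_image(
        self,
        builder_env: dict = None,
        force_build: bool = False,
        watch=True,
        with_mlrun=None,
        skip_deployed=False,
        is_kfp=False,
        mlrun_version_specifier=None,
        show_on_failure: bool = False,
    ):
        """Build the application image through `_build_image`, logging when no command or a project source is set."""
        if not self.spec.command:
            logger.warning(
                "Building the application image without a command. "
                "Use spec.command and spec.args to specify the application entrypoint",
                command=self.spec.command,
                args=self.spec.args,
            )

        if self.spec.build.source in [".", "./"]:
            logger.info(
                "The application is configured to use the project's source. "
                "Application runtime requires loading the source into the application image. "
                "Loading on build will be forced regardless of whether 'pull_at_runtime=True' was configured."
            )

        with_mlrun = self._resolve_build_with_mlrun(with_mlrun)
        return self._build_image(
            builder_env=builder_env,
            force_build=force_build,
            mlrun_version_specifier=mlrun_version_specifier,
            show_on_failure=show_on_failure,
            skip_deployed=skip_deployed,
            watch=watch,
            is_kfp=is_kfp,
            with_mlrun=with_mlrun,
        )

    @staticmethod
    def _ensure_reverse_proxy_configurations(function: RemoteRuntime):
        """
        Fill the function with the reverse proxy source, handler and runtime.

        Does nothing when the function already has source code or a container image.

        :param function: The function to configure; modified in place
        """
        if function.spec.build.functionSourceCode or function.status.container_image:
            return

        filename, handler = ApplicationRuntime.get_filename_and_handler()
        name, spec, code = nuclio.build_file(
            filename,
            name=function.metadata.name,
            handler=handler,
        )
        function.spec.function_handler = mlrun.utils.get_in(spec, "spec.handler")
        function.spec.build.functionSourceCode = mlrun.utils.get_in(
            spec, "spec.build.functionSourceCode"
        )
        function.spec.nuclio_runtime = mlrun.utils.get_in(spec, "spec.runtime")

        # default the reverse proxy logger level to info
        logger_sinks_key = "spec.loggerSinks"
        if not function.spec.config.get(logger_sinks_key):
            function.set_config(
                logger_sinks_key, [{"level": "info", "sink": "myStdoutLoggerSink"}]
            )

    def _configure_application_sidecar(self):
        """Move the application image to a sidecar container and point the reverse proxy at it."""
        # Save the application image in the status to allow overriding it with the reverse proxy entry point
        if self.spec.image and (
            not self.status.application_image
            or self.spec.image != self.status.container_image
        ):
            self.status.application_image = self.spec.image
            self.spec.image = ""

        # reuse the reverse proxy image if it was built before
        if (
            reverse_proxy_image := self.status.container_image
            or self.reverse_proxy_image
        ):
            self.from_image(reverse_proxy_image)

        self.status.sidecar_name = f"{self.metadata.name}-sidecar"
        self.with_sidecar(
            name=self.status.sidecar_name,
            image=self.status.application_image,
            ports=self.spec.internal_application_port,
            command=self.spec.command,
            args=self.spec.args,
        )
        # the reverse proxy reaches the sidecar over localhost on the internal port
        self.set_env("SIDECAR_PORT", self.spec.internal_application_port)
        self.set_env("SIDECAR_HOST", "http://localhost")

        # configure the sidecar container as the default container for logging purposes
        self.metadata.annotations["kubectl.kubernetes.io/default-container"] = (
            self.status.sidecar_name
        )

    def _sync_api_gateway(self):
        """Load the default API gateway named on the status from the DB; no-op when no name is stored."""
        if not self.status.api_gateway_name:
            return

        db = self._get_db()
        api_gateway_scheme = db.get_api_gateway(
            name=self.status.api_gateway_name, project=self.metadata.project
        )
        self.status.api_gateway = APIGateway.from_scheme(api_gateway_scheme)
        self.status.api_gateway.wait_for_readiness()
        self.url = self.status.api_gateway.invoke_url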