Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[flyte-core] Flyte Connection #5126

Draft
wants to merge 43 commits into
base: master
Choose a base branch
from
Draft

[flyte-core] Flyte Connection #5126

wants to merge 43 commits into from

Conversation

pingsutw
Copy link
Member

@pingsutw pingsutw commented Mar 27, 2024

Tracking issue

#3936

Why are the changes needed?

It will allow users to pass different API_KEY to the chatGPT agent from flytepropeller

What changes were proposed in this pull request?

Agent client will read the secret from env or local file, and pass it to the agent server.

How was this patch tested?

local sandbox

Setup process

  1. Install flytekit and flyteidl
pip install "git+https://github.com/flyteorg/flytekit.git@76dfef0c89615bb28dfa1ead932544150d9c2cde"
pip install "git+https://github.com/flyteorg/flyte.git@d96975d0bc590b57e9205d81f4de9595a4bd1708#subdirectory=flyteidl"
  1. Update local config

Add below config to flyte-single-binary-local.yamlm and Add your API key to local env

export FLYTE_SECRET_OPENAI_API_KEY=<YOUR_OPENAI_API_KEY>
externalResources:
  connections:
    chatgpt:
      secrets:
        openai_api_key: OPENAI_API_KEY
      configs:
        openai_organization: org-P2rdnZQry4Fw7Ak3vSpXEIrx
  1. Run Flyte cluster locally
cd flyte
pyflyte serve agent
make compile
flyte start --config flyte-single-binary-local.yaml
  1. Run a ChatGPT task
pyflyte run --remote flyte-example/chatgpt_example.py my_chatgpt_job --message hello
from flytekit import workflow, Secret
from flytekitplugins.chatgpt import ChatGPTTask

chatgpt_small_job = ChatGPTTask(
    name="3.5-turbo",
    openai_organization="org-P2rdnZQry4Fw7Ak3vSpXEIrx",
    connection="chatgpt",
    chatgpt_config={
        "model": "gpt-3.5-turbo",
        "temperature": 0.7,
    },
)


@workflow
def my_chatgpt_job(message: str) -> str:
    message = chatgpt_small_job(message=message)
    return message

Screenshots

Secret not found in propeller
image

image
  • I updated the documentation accordingly.
  • All new and existing tests passed.
  • All commits are signed-off.

Related PRs

flyteorg/flytekit#2297

Docs link

NA

Signed-off-by: Kevin Su <[email protected]>
Signed-off-by: Kevin Su <[email protected]>
Signed-off-by: Kevin Su <[email protected]>
@dosubot dosubot bot added size:XXL This PR changes 1000+ lines, ignoring generated files. documentation Improvements or additions to documentation enhancement New feature or request security Issues related to Security improvements labels Mar 27, 2024
Copy link

codecov bot commented Mar 27, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 66.98%. Comparing base (ce5eb03) to head (ad0a88f).

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #5126      +/-   ##
==========================================
+ Coverage   60.99%   66.98%   +5.98%     
==========================================
  Files         794      278     -516     
  Lines       51475    12638   -38837     
==========================================
- Hits        31397     8465   -22932     
+ Misses      17186     3549   -13637     
+ Partials     2892      624    -2268     
Flag Coverage Δ
unittests-datacatalog 69.31% <ø> (ø)
unittests-flyteadmin ?
unittests-flytecopilot 17.79% <ø> (ø)
unittests-flytectl 68.03% <ø> (ø)
unittests-flyteidl 79.04% <ø> (ø)
unittests-flyteplugins ?
unittests-flytepropeller ?
unittests-flytestdlib 65.59% <ø> (+0.02%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@noahjax
Copy link
Contributor

noahjax commented Mar 28, 2024

@pingsutw Would it be possible to merge the work of this PR with that of my PR? It seems like both include secrets in requests made to the agent, but this PR goes a step farther by resolving the value of secrets. On the other hand, my PR includes more details about which user is executing a task, which is also very useful for the agent to have.

pingsutw added 3 commits April 3, 2024 16:39
Signed-off-by: Kevin Su <[email protected]>
Signed-off-by: Kevin Su <[email protected]>
Signed-off-by: Kevin Su <[email protected]>
@pingsutw pingsutw changed the title [WIP] Pass secret to the agent server Pass secret to the agent server Apr 4, 2024
pingsutw and others added 7 commits April 5, 2024 11:46
Signed-off-by: Kevin Su <[email protected]>
Signed-off-by: Kevin Su <[email protected]>
Signed-off-by: Kevin Su <[email protected]>
Signed-off-by: Kevin Su <[email protected]>
Signed-off-by: Kevin Su <[email protected]>
Signed-off-by: Kevin Su <[email protected]>
Signed-off-by: Kevin Su <[email protected]>
Signed-off-by: Kevin Su <[email protected]>
Signed-off-by: Kevin Su <[email protected]>
Signed-off-by: Kevin Su <[email protected]>
Signed-off-by: Kevin Su <[email protected]>
Signed-off-by: Kevin Su <[email protected]>
Signed-off-by: Kevin Su <[email protected]>
Signed-off-by: Kevin Su <[email protected]>
Signed-off-by: Kevin Su <[email protected]>
pingsutw added 2 commits May 1, 2024 22:48
Signed-off-by: Kevin Su <[email protected]>
Signed-off-by: Kevin Su <[email protected]>
@pingsutw pingsutw changed the title Pass secret to the agent server [flyte-core] Flyte Connection May 7, 2024
pingsutw added 12 commits May 10, 2024 17:26
Signed-off-by: Kevin Su <[email protected]>
Signed-off-by: Kevin Su <[email protected]>
Signed-off-by: Kevin Su <[email protected]>
Signed-off-by: Kevin Su <[email protected]>
Signed-off-by: Kevin Su <[email protected]>
Signed-off-by: Kevin Su <[email protected]>
Signed-off-by: Kevin Su <[email protected]>
Signed-off-by: Kevin Su <[email protected]>
Signed-off-by: Kevin Su <[email protected]>
Signed-off-by: Kevin Su <[email protected]>
@@ -36,6 +36,9 @@ enum MatchableResource {

// Controls how to select an available cluster on which this execution should run.
CLUSTER_ASSIGNMENT = 7;

// Configures the task connection to be used by the agent to connect to external systems.
EXTERNAL_RESOURCE = 8;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could extend this to be used by regular tasks too right ?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What do you mean by extending here? something like

@task(external_resource=...)
# or
@task(connection=...)

// Flyte will use the default connection in the project-domain settings, but users
// still be able to override it by specifying the connection in the task decorator.
// +optional
string connection = 4;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we make a note of the order of overrides as its just not project-domain settings alone. Also can we add details on how this should map to values in external resource attributes

@@ -45,6 +45,14 @@ message Secret {
MountType mount_requirement = 4;
}

message Connection {
// The credentials to use for the connection, such as API keys, OAuth2 tokens, etc.
map<string, string> secrets = 1;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we also add comment on the format of what the key and what the value is and how they map to what the agent expects

map<string, string> secrets = 1;

// The configuration to use for the connection, such as the endpoint, account name, etc.
map<string, string> configs = 2;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Similalrly for the configs

@@ -97,6 +99,24 @@ func (p Plugin) Create(ctx context.Context, taskCtx webapi.TaskExecutionContextR
taskCategory := admin.TaskCategory{Name: taskTemplate.Type, Version: taskTemplate.TaskTypeVersion}
agent, isSync := getFinalAgent(&taskCategory, p.cfg, p.agentRegistry)

connection := flyteIdl.Connection{}
if taskTemplate.SecurityContext != nil && taskTemplate.SecurityContext.Connection != "" {
conn, ok := taskCtx.TaskExecutionMetadata().GetExternalResourceAttributes().GetConnections()[taskTemplate.SecurityContext.Connection]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we use getters for taskTemplate.SecurityContext.Connection and would be cleaner to define this as connectionKey may be as we are not defining the connection in the security context but just a ref/key. May be connectionRef might also be ok

@pingsutw pingsutw marked this pull request as draft August 16, 2024 20:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
documentation Improvements or additions to documentation enhancement New feature or request security Issues related to Security improvements size:XXL This PR changes 1000+ lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants