fix(mlflow): Fix auth and service monitor

This commit is contained in:
Masaki Yatsu
2025-11-09 21:31:33 +09:00
parent f429bcb3f8
commit d3a5aa289d
5 changed files with 143 additions and 11 deletions


@@ -60,8 +60,8 @@ log:
# Use oidc-auth-fastapi for FastAPI/ASGI compatibility with Uvicorn
extraArgs:
appName: "oidc-auth-fastapi"
# Allow connections from external hostname (with and without port)
allowedHosts: "{{ .Env.MLFLOW_HOST }},{{ .Env.MLFLOW_HOST }}:443"
# Allow connections from external hostname and Kubernetes internal access
allowedHosts: "{{ .Env.MLFLOW_HOST }},{{ .Env.MLFLOW_HOST }}:443,mlflow.{{ .Env.MLFLOW_NAMESPACE }}.svc.cluster.local,mlflow.{{ .Env.MLFLOW_NAMESPACE }}.svc.cluster.local:5000,*"
# Extra secrets for OIDC configuration
extraSecretNamesForEnvFrom:
@@ -86,13 +86,19 @@ extraEnvVars:
# Session configuration - use cachelib with filesystem backend
SESSION_TYPE: "cachelib"
SESSION_CACHE_DIR: "/tmp/session"
# Security configuration - allow same-origin CORS and configured host
MLFLOW_SERVER_CORS_ALLOWED_ORIGINS: "https://{{ .Env.MLFLOW_HOST }}"
MLFLOW_SERVER_ALLOWED_HOSTS: "{{ .Env.MLFLOW_HOST }},{{ .Env.MLFLOW_HOST }}:443"
MLFLOW_SERVER_X_FRAME_OPTIONS: "SAMEORIGIN"
{{- else }}
# Extra environment variables for S3/MinIO configuration
# Extra environment variables for S3/MinIO configuration (OIDC disabled)
extraEnvVars:
MLFLOW_S3_ENDPOINT_URL: "http://minio.{{ .Env.MINIO_NAMESPACE }}.svc.cluster.local:9000"
MLFLOW_S3_IGNORE_TLS: "true"
# Disable security middleware when using Gunicorn (env var approach)
MLFLOW_SERVER_DISABLE_SECURITY_MIDDLEWARE: "true"
# Security configuration - allow same-origin CORS and configured host
MLFLOW_SERVER_CORS_ALLOWED_ORIGINS: "https://{{ .Env.MLFLOW_HOST }}"
MLFLOW_SERVER_ALLOWED_HOSTS: "{{ .Env.MLFLOW_HOST }},{{ .Env.MLFLOW_HOST }}:443"
MLFLOW_SERVER_X_FRAME_OPTIONS: "SAMEORIGIN"
{{- end }}
# Service configuration
@@ -106,6 +112,7 @@ ingress:
className: "traefik"
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.middlewares: {{ .Env.MLFLOW_NAMESPACE }}-mlflow-headers@kubernetescrd
hosts:
- host: {{ .Env.MLFLOW_HOST }}
paths:
@@ -123,7 +130,7 @@ serviceMonitor:
interval: 30s
telemetryPath: /metrics
labels:
prometheus: kube-prometheus
release: kube-prometheus-stack
timeout: 10s
# Resource limits
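Review bot: The new `allowedHosts` value in the first hunk (values line 60) ends in `,*`, which, if the chart passes it through as the host allowlist, accepts any Host header and makes the explicitly listed external and in-cluster names redundant — the check would no longer reject requests for unexpected hosts. Dropping the wildcard and keeping only the enumerated entries, `allowedHosts: "{{ .Env.MLFLOW_HOST }},{{ .Env.MLFLOW_HOST }}:443,mlflow.{{ .Env.MLFLOW_NAMESPACE }}.svc.cluster.local,mlflow.{{ .Env.MLFLOW_NAMESPACE }}.svc.cluster.local:5000"`, matches the intent stated in the comment above it; if some in-cluster caller genuinely reaches the service under another name, add that name with a comment saying which caller needs it. The same list also disagrees with `MLFLOW_SERVER_ALLOWED_HOSTS` in the second hunk, which carries only the external host, so an in-cluster request may pass one check and fail the other. In the second hunk's `else` branch, `MLFLOW_SERVER_DISABLE_SECURITY_MIDDLEWARE: "true"` is set beside the CORS, allowed-hosts and X-Frame-Options variables; if the middleware is disabled those three presumably have no effect, so a comment such as `# Only honoured when the security middleware is enabled` (or removing the inert group) would make clear which configuration is actually in force.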