Add skypilot

Author: funkypenguin

charts/stable/skypilot/.gitignore

@@ -0,0 +1,2 @@
+Chart.lock
+charts/

charts/stable/skypilot/.helmignore

@@ -0,0 +1,11 @@
+apiVersion: v2
+name: skypilot
+description: A Helm chart for deploying SkyPilot API server on Kubernetes
+type: application
+version: 0.0.1-pre-01
+appVersion: "0.0"
+dependencies:
+  - name: ingress-nginx
+    version: 4.11.3
+    repository: https://kubernetes.github.io/ingress-nginx
+    condition: ingress-nginx.enabled

charts/stable/skypilot/Chart.yaml

@@ -0,0 +1,10 @@
+{{- if .Values.apiService.config }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-config
+  namespace: {{ .Release.Namespace }}
+data:
+  config.yaml: |
+{{ .Values.apiService.config | indent 4 }} 
+{{- end }}

charts/stable/skypilot/templates/api-configmap.yaml

@@ -0,0 +1,202 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Release.Name }}-api-server
+  namespace: {{ .Release.Namespace }}
+spec:
+  # Note: replicas > 1 is not well tested, and requires a PVC that supports ReadWriteMany.
+  replicas: {{ .Values.apiService.replicas }}
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}-api
+  template:
+    metadata:
+      labels:
+        app: {{ .Release.Name }}-api
+    spec:
+      automountServiceAccountToken: {{ .Values.kubernetesCredentials.useApiServerCluster }}
+      serviceAccountName: {{ .Release.Name }}-api-sa
+      {{- with $.Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+      - name: skypilot-api
+        image: {{ .Values.apiService.image }}
+        imagePullPolicy: Always
+        {{- with $.Values.securityContext }}
+        securityContext:
+          {{- toYaml . | nindent 10 }}
+        {{- end }}
+        resources:
+          {{- toYaml .Values.apiService.resources | nindent 10 }}
+        env:
+        - name: SKYPILOT_DEV
+          value: {{ .Values.apiService.skypilotDev | quote }}
+        {{- if .Values.gcpCredentials.enabled }}
+        - name: GOOGLE_APPLICATION_CREDENTIALS
+          value: /root/gcp-cred.json
+        {{- end }}
+        {{- if .Values.kubernetesCredentials.inclusterNamespace }}
+        - name: SKYPILOT_IN_CLUSTER_NAMESPACE
+          value: {{ .Values.kubernetesCredentials.inclusterNamespace }}
+        {{- end }}
+        # Use tini as the init process
+        command: ["tini", "--"]
+        # Start API server in foreground (if supported) to:
+        # 1. Bypass the healthz check of `sky api start`, let kubernetes probes manage the lifecycle directly.
+        # 2. Capture all logs in container to stdout/stderr, bypass in-container log file overhead.
+        # 3. Exec ensures the process is a direct child of tini, enables correct signal handling.
+        # Note: this comment is moved here to avoid appearing in the final start script.
+        args:
+        - /bin/sh
+        - -c
+        - |
+          set -e
+          {{- if .Values.apiService.preDeployHook }}
+          {{ .Values.apiService.preDeployHook | nindent 10 }}
+          {{- end }}
+          {{- if .Values.apiService.config }}
+          mkdir -p /root/.sky
+          echo "Copying config.yaml from ConfigMap \`skypilot-config\` to /root/.sky/config.yaml"
+          # The configmap serves as the ground truth for the config.yaml file.
+          # Any local changes to the config.yaml file will be overwritten by the contents of the configmap.
+          cp /tmp/config.yaml /root/.sky/config.yaml
+          {{- end }}
+
+          if sky api start -h | grep -q -- "--foreground"; then
+            exec sky api start --deploy --foreground
+          else
+            # For backward compatibility, run in background if --foreground is not supported.
+            # TODO(aylei): this will bedropped in 0.11.0.
+            if sky api start --deploy; then
+              tail -n+0 -f /root/.sky/api_server/server.log
+            else
+              cat /root/.sky/api_server/server.log
+            fi
+          fi
+        ports:
+        - containerPort: 46580
+        livenessProbe:
+          httpGet:
+            path: /api/health
+            port: 46580
+          periodSeconds: 30
+        readinessProbe:
+          httpGet:
+            path: /api/health
+            port: 46580
+          periodSeconds: 30
+        volumeMounts:
+        {{- if .Values.storage.enabled }}
+        - name: state-volume
+          mountPath: /root/.sky
+          subPath: .sky
+        - name: state-volume
+          mountPath: /root/.ssh # To preserve the SSH keys for the user when using the API server
+          subPath: .ssh
+        {{- end }}
+        {{- if .Values.apiService.config }}
+        - name: skypilot-config
+          mountPath: /tmp/config.yaml
+          subPath: config.yaml
+        {{- end }}
+        {{- if .Values.awsCredentials.enabled }}
+        - name: aws-config
+          mountPath: /root/.aws
+          readOnly: true
+        {{- end }}
+        {{- if .Values.gcpCredentials.enabled }}
+        - name: gcp-config
+          mountPath: /root/.config/gcloud
+        - name: gcp-credentials
+          mountPath: /root/gcp-cred.json
+          subPath: gcp-cred.json
+        {{- end }}
+        {{- if .Values.kubernetesCredentials.useKubeconfig }}
+        - name: kube-config
+          mountPath: /root/.kube
+        {{- end }}
+      initContainers:
+      {{- if .Values.awsCredentials.enabled }}
+      - name: create-aws-credentials
+        image: {{ .Values.apiService.image }}
+        command: ["/bin/sh", "-c"]
+        args:
+        - |
+          echo "Setting up AWS credentials..."
+          if [ -n "$AWS_ACCESS_KEY_ID" ] && [ -n "$AWS_SECRET_ACCESS_KEY" ]; then
+            echo "AWS credentials found in environment variables."
+            aws configure set aws_access_key_id "$AWS_ACCESS_KEY_ID"
+            aws configure set aws_secret_access_key "$AWS_SECRET_ACCESS_KEY"
+            echo "Credentials file created successfully."
+          else
+            echo "AWS credentials not found in environment variables. Skipping credentials setup."
+            sleep 600
+          fi
+        env:
+        - name: AWS_ACCESS_KEY_ID
+          valueFrom:
+            secretKeyRef:
+              name: aws-credentials
+              key: aws_access_key_id
+        - name: AWS_SECRET_ACCESS_KEY
+          valueFrom:
+            secretKeyRef:
+              name: aws-credentials
+              key: aws_secret_access_key
+        volumeMounts:
+        - name: aws-config
+          mountPath: /root/.aws
+      {{- end }}
+      {{- if .Values.gcpCredentials.enabled }}
+      - name: setup-gcp-credentials
+        image: google/cloud-sdk:latest
+        command: ["/bin/sh", "-c"]
+        env:
+        - name: GOOGLE_APPLICATION_CREDENTIALS
+          value: /root/gcp-cred.json
+        args:
+        - |
+          gcloud auth activate-service-account --key-file=/root/gcp-cred.json
+          gcloud config set project {{ .Values.gcpCredentials.projectId }}
+        volumeMounts:
+        - name: gcp-credentials
+          mountPath: /root/gcp-cred.json
+          subPath: gcp-cred.json
+        - name: gcp-config
+          mountPath: /root/.config/gcloud
+      {{- end }}
+      volumes:
+      {{- if .Values.storage.enabled }}
+      - name: state-volume
+        persistentVolumeClaim:
+          claimName: {{ .Release.Name }}-state
+      {{- else }}
+      - name: state-volume
+        emptyDir: {}
+      {{- end }}
+      {{- if .Values.awsCredentials.enabled }}
+      - name: aws-config
+        emptyDir: {}
+      {{- end }}
+
+      {{- if .Values.gcpCredentials.enabled }}
+      - name: gcp-credentials
+        secret:
+          secretName: gcp-credentials
+      - name: gcp-config
+        emptyDir: {}
+      {{- end }}
+      {{- if .Values.kubernetesCredentials.useKubeconfig }}
+      - name: kube-config
+        secret:
+          secretName: {{ .Values.kubernetesCredentials.kubeconfigSecretName }}
+      {{- end }}
+      {{- if .Values.apiService.config }}
+      - name: skypilot-config
+        configMap:
+          name: {{ .Release.Name }}-config
+      {{- end }}

charts/stable/skypilot/templates/api-deployment.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Release.Name }}-api-service
+  namespace: {{ .Release.Namespace }}
+spec:
+  type: ClusterIP  # Use clusterIP to allow ingress to authenticate
+  ports:
+    - port: 80
+      targetPort: 46580  # Assuming your container listens on port 46580
+      protocol: TCP
+  selector:
+    app: {{ .Release.Name }}-api

charts/stable/skypilot/templates/api-service.yaml

@@ -0,0 +1,10 @@
+{{- if and (not .Values.ingress.authSecret) .Values.ingress.authCredentials }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-basic-auth
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+stringData:
+  auth: {{ .Values.ingress.authCredentials | quote }}
+{{- end }}

charts/stable/skypilot/templates/auth.yaml

@@ -0,0 +1,26 @@
+{{- if and .Values.ingress.nodePortEnabled (index .Values "ingress-nginx" "enabled") }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Release.Name }}-ingress-controller-np
+  namespace: {{ .Release.Namespace }}
+spec:
+  type: NodePort
+  ports:
+    - port: 80
+      targetPort: 80
+      {{- if .Values.ingress.httpNodePort }}
+      nodePort: {{ .Values.ingress.httpNodePort }}
+      {{- end }}
+      name: http
+    - port: 443
+      targetPort: 443
+      {{- if .Values.ingress.httpsNodePort }}
+      nodePort: {{ .Values.ingress.httpsNodePort }}
+      {{- end }}
+      name: https
+  selector:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/name: ingress-nginx
+{{- end}}

charts/stable/skypilot/templates/ingress-nodeport.yaml

@@ -0,0 +1,51 @@
+{{- if .Values.ingress.enabled }}
+{{- $kubeVersion := .Capabilities.KubeVersion.Major -}}
+{{- $kubeMinorVersion := .Capabilities.KubeVersion.Minor | trimSuffix "+" | int -}}
+{{- $useNewIngressClass := or (gt ($kubeVersion | int) 1) (and (eq ($kubeVersion | int) 1) (ge $kubeMinorVersion 18)) -}}
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ .Release.Name }}-ingress
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- if not $useNewIngressClass }}
+    kubernetes.io/ingress.class: nginx
+    {{- end }}
+    nginx.ingress.kubernetes.io/auth-type: basic
+    nginx.ingress.kubernetes.io/auth-secret: {{ .Values.ingress.authSecret | default (printf "%s-basic-auth" .Release.Name) }}
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
+    nginx.ingress.kubernetes.io/proxy-body-size: "1000m"
+    {{- if ne .Values.ingress.path "/" }}
+    nginx.ingress.kubernetes.io/rewrite-target: /$2
+    {{- end }}
+    nginx.ingress.kubernetes.io/server-snippets: |
+      location / {
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_http_version 1.1;
+        proxy_set_header X-Forwarded-Host $http_host;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header Host $host;
+        proxy_set_header Connection "upgrade";
+        proxy_cache_bypass $http_upgrade;
+      }
+
+
+spec:
+  {{- if $useNewIngressClass }}
+  ingressClassName: nginx
+  {{- end }}
+  rules:
+  - http:
+      paths:
+      {{- /* TODO(aylei): check whether this works for ingress-controllers other than nginx */}}
+      - pathType: {{ if eq .Values.ingress.path "/" }}Prefix{{ else }}ImplementationSpecific{{ end }}
+        path: {{ .Values.ingress.path }}{{ if ne .Values.ingress.path "/" }}(/|$)(.*){{ end }}
+        backend:
+          service:
+            name: {{ .Release.Name }}-api-service
+            port:
+              number: 80
+{{- end }}

charts/stable/skypilot/templates/ingress.yaml

@@ -0,0 +1,27 @@
+{{- if .Values.storage.enabled }}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ .Release.Name }}-state
+  namespace: {{ .Release.Namespace }}
+  {{- with .Values.storage.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if .Values.storage.storageClassName }}
+  storageClassName: {{ .Values.storage.storageClassName }}
+  {{- end }}
+  {{- if .Values.storage.volumeName }}
+  volumeName: {{ .Values.storage.volumeName }}
+  {{- end }}
+  accessModes:
+    - {{ .Values.storage.accessMode }}
+  resources:
+    requests:
+      storage: {{ .Values.storage.size }}
+  {{- with .Values.storage.selector }}
+  selector:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}