Auth Support (#17)

* feat: Added integration workflow Refs: #1 * fix: Added kubectl wait to wait for deployment to complete Refs: #1 * fix: Some issue with service. Experimenting with listing service. Refs: #1 * fix: Fixed the service issue and added matrix testing of kube versions Refs: #1 * chore: Updated test matrix to match chart kubeVersion range >=1.24 <= 1.27 Refs: #1 * fix: Fixed chart issue with boolean flags - Added further variance to the test matrix by including allowReset and isPersistent flags (no specific tests are implemented but those are coming soon) Refs: #1 * fix: Added docker image hnswlib rebuild + sqlite3 for debugging - Added a small test to ensure chroma is up and running. - Docker image rebuilt. * docs: Added small clarification how to build/push the docker image. * chore: Added bug and feature request issue templates and docker image in ghcr Refs: #2 * feat: Backup and restore feature Refs: #6 * feat: Backup and restore feature - Adding sudo to the image for fsfreeze use Refs: #6 * feat: Backup and restore feature - Making chroma user sudoer Refs: #6 * feat: Adding tests for v0.4.5 * feat: Adding Chroma 0.4.5 support to chart * feat: Updating WFs * feat: Lowering chart requirements to k8s API 1.23.0 * feat: Adding multi-platform build * fix: Moved platforms out of the matrix and directly into platform parameter of build-push action * fix: Fixed a typo in build images workflow. * chore: Removing hnswlib reinstall to check multi-arch build * feat: Adding support for Chroma 0.4.6 * chore: Updating integration tests * feat: Updating chart version and default version to 0.4.6 * fix: chroma-hnswlib reinstall is needed as it does uniformly work across platforms. * chore: Chart version bump for hnsw lib fix * chore: Chart version bump for hnsw lib fix * feat: Support for k8s API 1.28 and Chroma 0.4.7 Refs: #14 * feat: Support for k8s API 1.28 and Chroma 0.4.7 - Bumping upper bound of chart support. - Removed isPeristent/allowReset from test matrix to reduce generated jobs. Refs: #14 * fix: Made the integration test install local copy of the chart instead of pullingit. * fix: Updating chart version to allow RC Refs: #14 * chore: Version bumps - Default Chroma version set to 0.4.7 - Chart version bump Refs: #14 * feat: Chroma auth support - Token and basic auth support - Bumping chart version - Added chroma 0.4.8 and 0.4.9 support - Minor tweaks to Dockerfile Refs: #13 * feat: Chroma auth support - Fixed image builds Refs: #13 * feat: Chroma auth support - bump wait time Refs: #13 * feat: Chroma auth support - Adding debug Refs: #13 * feat: Chroma auth support - Adding debug Refs: #13 * feat: Chroma auth support - Adding debug Refs: #13 * feat: Chroma auth support - Merging dev image build with int test Refs: #13 * feat: Chroma auth support - Fixed a typo in dev image build Refs: #13 * feat: Chroma auth support - Fixed wrong chart value in integration test. Refs: #13 * feat: Chroma auth support - Increasing wait time for pod Refs: #13 * feat: Chroma auth support - Chasing 0.4.7 bug Refs: #13 * feat: Chroma auth support - Chasing 0.4.7 bug Refs: #13 * feat: Chroma auth support - Chasing 0.4.7 bug Refs: #13 * feat: Chroma auth support - Conditional support of auth: basic (0.4.7), token (0.4.8) Refs: #13 * feat: Chroma auth support - Added full test matrix Refs: #13 * feat: Chroma auth support - Int testing is now trigger for changes in Chart, tests, Docker image Refs: #13
amikos-tech · Sep 10, 2023 · 9aa192c · 9aa192c
1 parent d1434cb
commit 9aa192c
Show file tree

Hide file tree

Showing 12 changed files with 242 additions and 86 deletions.
diff --git a/.github/workflows/build-images-dev.yml b/.github/workflows/build-images-dev.yml
diff --git a/.github/workflows/build-images.yml b/.github/workflows/build-images.yml
@@ -7,13 +7,13 @@ on:
 env:
   REGISTRY: ghcr.io
   IMAGE_NAME: "ghcr.io/amikos-tech/chromadb-chart/chroma"
-  LATEST_VERSION: "0.4.7"
+  LATEST_VERSION: "0.4.9"
 
 jobs:
   build-images:
     strategy:
       matrix:
-        chroma-version: [ 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7  ]
+        chroma-version: [ 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.4.8, 0.4.9 ]
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -42,7 +42,7 @@ jobs:
           context: .
           file: image/Dockerfile
           push: true
-          platforms: linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64
+          platforms: linux/amd64,linux/arm64
           build-args: |
             CHROMA_VERSION=${{ matrix.chroma-version }}
           tags: "${{ env.IMAGE_NAME }}:${{ matrix.chroma-version }},${{ env.IMAGE_NAME }}:latest"
@@ -53,7 +53,7 @@ jobs:
           context: .
           file: image/Dockerfile
           push: true
-          platforms: linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64
+          platforms: linux/amd64,linux/arm64
           build-args: |
             CHROMA_VERSION=${{ matrix.chroma-version }}
           tags: "${{ env.IMAGE_NAME }}:${{ matrix.chroma-version }}"
diff --git a/.github/workflows/integration-test.yml b/.github/workflows/integration-test.yml
@@ -1,19 +1,75 @@
-name: Integration test
+name: Dev Image Build and Integration test
 
 on:
   push:
     branches:
-      - main
       - develop
+    paths:
+      - charts/**
+      - image/**
+      - tests/**
   pull_request:
     branches:
       - main
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: "ghcr.io/amikos-tech/chromadb-chart/chroma"
+  LATEST_VERSION: "0.4.9"
 jobs:
-  release:
+  build-images:
+    strategy:
+      matrix:
+        chroma-version: [ 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.4.8, 0.4.9 ]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - name: Log in to the Container registry
+        uses: docker/[email protected]
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ${{ env.IMAGE_NAME }}
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Build and push release Docker image
+        uses: docker/[email protected]
+        if: ${{ env.LATEST_VERSION == matrix.chroma-version }}
+        with:
+          context: .
+          file: image/Dockerfile
+          push: true
+          platforms: linux/amd64,linux/arm64
+          build-args: |
+            CHROMA_VERSION=${{ matrix.chroma-version }}
+          tags: "${{ env.IMAGE_NAME }}:${{ matrix.chroma-version }}-dev,${{ env.IMAGE_NAME }}:canary"
+      - name: Build and push release Docker image
+        uses: docker/[email protected]
+        if: ${{ env.LATEST_VERSION != matrix.chroma-version }}
+        with:
+          context: .
+          file: image/Dockerfile
+          push: true
+          platforms: linux/amd64,linux/arm64
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            CHROMA_VERSION=${{ matrix.chroma-version }}
+          tags: "${{ env.IMAGE_NAME }}:${{ matrix.chroma-version }}-dev"
+  integration-test:
+    needs: build-images
     strategy:
       matrix:
         kubernetes-version: [1.23.0, 1.24.0, 1.27.3, v1.28.0-rc.0 ]
-        chroma-version: [ 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7 ]
+        chroma-version: [ 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.4.8, 0.4.9 ]
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -31,17 +87,12 @@ jobs:
         uses: medyagh/setup-minikube@latest
         with:
           kubernetes-version: ${{ matrix.kubernetes-version }}
-#      - name: Add helm repo
-#        run: |
-#          set -e
-#          helm repo add chromadb https://amikos-tech.github.io/chromadb-chart/
-#          helm repo update
       - name: Install chromadb
         run: |
           set -e
           helm install chromadb ./charts/chromadb-chart --set chromadb.isPersistent=true \
           --set chromadb.allowReset=true \
-          --set chromadb.chromaVersion=${{ matrix.chroma-version }}
+          --set chromadb.apiVersion=${{ matrix.chroma-version }}-dev
       - name: Wait for deployment to be ready
         run: |
           set -e

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -51,4 +51,5 @@ jobs:
           context: .
           file: image/Dockerfile
           push: true
+          platforms: linux/amd64,linux/arm64
           tags: "${{ env.IMAGE_NAME }}:latest"
diff --git a/README.md b/README.md
@@ -7,7 +7,7 @@ This chart deploys a ChromaDB Vector Store cluster on a Kubernetes cluster using
 - [ ] Security - the ability to secure chroma API with TLS and OIDC <- PoC completed waiting to be merged in the main
   repo
 - [ ] Backup and restore - the ability to back up and restore the index data
-- [ ] Monitoring - the ability to monitor the cluster using Prometheus and Grafana
+- [ ] Observability - the ability to monitor the cluster using Prometheus and Grafana
 
 ## Prerequisites
 
@@ -71,7 +71,9 @@ helm install chroma chroma/chromadb --set chromadb.allowReset="true"
 | `chromadb.serverHost`             | string  | `0.0.0.0`                             | The API server host.                                                                                                                                                               |
 | `chromadb.serverHttpPort`         | int     | `8000`                                | The API server port.                                                                                                                                                               |
 | `chromadb.dataVolumeSize`         | string  | `1Gi`                                 | The data volume size.                                                                                                                                                              |
-| `chromadb.dataVolumeStorageClass` | striung | `standard`                            | The storage class                                                                                                                                                                  |
+| `chromadb.dataVolumeStorageClass` | string  | `standard`                            | The storage class                                                                                                                                                                  |
+| `chromadb.auth.enabled`           | boolean | `true`                                | A flag to enable/disable authentication in Chroma                                                                                                                                  |
+| `chromadb.auth.type`              | string  | `token`                                   | Type of auth. Currently "token" (apiVersion>=0.4.8) and "basic" (apiVersion>=0.4.7) are supported.                                                                   |
 
 ## Verifying installation
 
@@ -91,9 +93,65 @@ docker push <image:tag>
 For this example we'll set up a Kubernetes cluster using minikube.
 
 ```bash
-minikube start --addons=ingress
+minikube start --addons=ingress -p chroma #create a simple minikube cluster with ingress addon
+minikube profile chroma #select chroma profile in minikube as active for kubectl commands
 ```
 
+## Chroma Authentication
+
+> Note: Token auth is enabled by default
+
+By default, the chart will use a `chromadb-auth` secret in Chroma's namespace to authenticate requests. This secret is
+generated at install time.
+
+Chroma authentication is supported for the following API versions:
+- basic >= 0.4.7
+- token >= 0.4.8
+
+> Note: Using auth parameters with lower version will result in auth parameters being ignored.
+
+### Token Auth
+
+Token Auth works with two types of headers that can be configured via `chromadb.auth.token.tokenHeader`:
+- `AUTHORIZATION` (default) - the clients are expected to pass `Authorization: Brearer <token>` header
+- `X-CHROMA-TOKEN` - the clients are expected to pass `X-Chroma-Token: <token>` header
+
+Get the token:
+
+```bash
+CHROMA_TOKEN=$(kubectl --namespace default get secret chromadb-auth -o jsonpath="{.data.token}" | base64 --decode)
+CHROMA_HEADER_NAME=$(kubectl --namespace default get secret chromadb-auth -o jsonpath="{.data.header}" | base64 --decode)
+```
+
+>Note: The above examples assume `default` namespace is used for Chroma deployment.
+
+Test the token:
+
+```bash
+curl -v http://localhost:8000/api/v1/collections -H "${CHROMA_HEADER_NAME}: ${CHROMA_TOKEN}"
+```
+
+> Note: The above `curl` assumes a localhost forwarding is made to port 8000
+
+### Basic Auth
+
+Get auth credentials:
+
+```bash
+CHROMA_BASIC_AUTH_USERNAME=$(kubectl --namespace default get secret chromadb-auth -o jsonpath="{.data.username}" | base64 --decode)
+CHROMA_BASIC_AUTH_PASSWORD=$(kubectl --namespace default get secret chromadb-auth -o jsonpath="{.data.password}" | base64 --decode)
+```
+
+>Note: The above examples assume `default` namespace is used for Chroma deployment.
+
+Test the token:
+
+```bash
+curl -v http://localhost:8000/api/v1/collections -u "${CHROMA_BASIC_AUTH_USERNAME}:${CHROMA_BASIC_AUTH_PASSWORD}" 
+```
+
+> Note: The above `curl` assumes a localhost forwarding is made to port 8000
+
 ## References
 
 - Helm install: https://helm.sh/docs/intro/install/

diff --git a/charts/chromadb-chart/Chart.yaml b/charts/chromadb-chart/Chart.yaml
@@ -17,6 +17,6 @@ keywords:
   - ai/ml
 type: application
 
-version: 0.1.14
+version: 0.1.15
 # chromadb version
-appVersion: "0.4.7"
+appVersion: "0.4.9"
diff --git a/charts/chromadb-chart/templates/NOTES.txt b/charts/chromadb-chart/templates/NOTES.txt
@@ -20,3 +20,11 @@
   echo "Visit http://127.0.0.1:8080 to use your application"
   kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
 {{- end }}
+2. To get auth credentials run:
+
+{{- if and .Values.chromadb.auth.enabled (eq .Values.chromadb.auth.type "token") }}
+kubectl --namespace {{ .Release.Namespace }} get secret chromadb-auth -o jsonpath="{.data.token}" | base64 --decode
+{{- end }}
+{{- if and .Values.chromadb.auth.enabled (eq .Values.chromadb.auth.type "basic") }}
+kubectl --namespace {{ .Release.Namespace }} get secret chromadb-auth -o json | jq -r '(.data.username | @base64d) + ":" + (.data.password | @base64d)'
+{{- end }}
diff --git a/charts/chromadb-chart/templates/config.yaml b/charts/chromadb-chart/templates/config.yaml
@@ -6,4 +6,33 @@ metadata:
 data:
   log_config.yaml: |-
     {{- .Files.Get "config/log_config.yaml" | nindent 4 }}
+---
+{{- if and (semverCompare ">= 0.4.8" .Values.chromadb.apiVersion) .Values.chromadb.auth.enabled (eq .Values.chromadb.auth.type "token") }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: chromadb-auth
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+  token: {{ randAlphaNum 32 | b64enc | quote }}
+  {{- if eq .Values.chromadb.auth.token.headerType "AUTHORIZATION" }}
+  header: {{ "Authorization" | b64enc | quote}}
+  {{- end }}
+  {{- if eq .Values.chromadb.auth.token.headerType "X_CHROMA_TOKEN" }}
+  header: {{ "X-Chroma-Token" | b64enc | quote}}
+  {{- end }}
+{{- end }}
+---
+{{- if and (semverCompare ">= 0.4.7" .Values.chromadb.apiVersion) .Values.chromadb.auth.enabled (eq .Values.chromadb.auth.type "basic") }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: chromadb-auth
+  namespace: {{ .Release.Namespace }}
+type: Opaque
+data:
+  username: {{ .Values.chromadb.auth.basic.username | b64enc | quote}}
+  password: {{ randAlphaNum 16 | b64enc | quote }}
+{{- end }}
 ---