diff --git a/benchmarks/inference-server/text-generation-inference/custom-metrics-stackdriver-adapter/README.md b/benchmarks/inference-server/text-generation-inference/custom-metrics-stackdriver-adapter/README.md
deleted file mode 100644
index ce2e38665..000000000
--- a/benchmarks/inference-server/text-generation-inference/custom-metrics-stackdriver-adapter/README.md
+++ /dev/null
@@ -1,31 +0,0 @@
-# Custom Metrics Stackdriver Adapter
-
-Adapted from https://raw.githubusercontent.com/GoogleCloudPlatform/k8s-stackdriver/master/custom-metrics-stackdriver-adapter/deploy/production/adapter_new_resource_model.yaml
-
-## Usage
-
-To use this module, include it from your main terraform config, i.e.:
-
-```
-module "custom_metrics_stackdriver_adapter" {
- source = "./path/to/custom-metrics-stackdriver-adapter"
-}
-```
-
-For a workload identity enabled cluster, some additional configuration is
-needed:
-
-```
-module "custom_metrics_stackdriver_adapter" {
- source = "./path/to/custom-metrics-stackdriver-adapter"
- workload_identity = {
- enabled = true
- project_id = ""
- }
-}
-```
-
-# TODO
-
-This module should be moved out of the text-generation-inference subdirectory,
-as it should be more broadly applicable.
diff --git a/benchmarks/inference-server/text-generation-inference/custom-metrics-stackdriver-adapter/main.tf b/benchmarks/inference-server/text-generation-inference/custom-metrics-stackdriver-adapter/main.tf
deleted file mode 100644
index 8e2a16ade..000000000
--- a/benchmarks/inference-server/text-generation-inference/custom-metrics-stackdriver-adapter/main.tf
+++ /dev/null
@@ -1,278 +0,0 @@ -resource "kubernetes_namespace_v1" "custom-metrics" { - metadata { - name = "custom-metrics" - } -} - -resource "kubernetes_service_account_v1" "custom-metrics-stackdriver-adapter-no-wi" { - count = var.workload_identity.enabled ? 0 : 1 - metadata { - name = "custom-metrics-stackdriver-adapter" - namespace = kubernetes_namespace_v1.custom-metrics.metadata[0].name - } -} - -resource "kubernetes_service_account_v1" "custom-metrics-stackdriver-adapter-wi" { - count = var.workload_identity.enabled ? 1 : 0 - metadata { - name = "custom-metrics-stackdriver-adapter" - namespace = kubernetes_namespace_v1.custom-metrics.metadata[0].name - annotations = { - "iam.gke.io/gcp-service-account" = google_service_account.cmsa-sa[0].email - } - } -} - -resource "kubernetes_cluster_role_binding_v1" "custom-metrics-system-auth-delegator" { - metadata { - name = "custom-metrics:system:auth-delegator" - } - role_ref { - api_group = "rbac.authorization.k8s.io" - kind = "ClusterRole" - name = "system:auth-delegator" - } - subject { - kind = "ServiceAccount" - name = (var.workload_identity.enabled - ? kubernetes_service_account_v1.custom-metrics-stackdriver-adapter-wi[0].metadata[0].name - : kubernetes_service_account_v1.custom-metrics-stackdriver-adapter-no-wi[0].metadata[0].name - ) - namespace = kubernetes_namespace_v1.custom-metrics.metadata[0].name - } -} - -resource "kubernetes_role_binding_v1" "custom-metrics-auth-reader" { - metadata { - name = "custom-metrics-auth-reader" - namespace = "kube-system" - } - role_ref { - api_group = "rbac.authorization.k8s.io" - kind = "Role" - name = "extension-apiserver-authentication-reader" - } - subject { - kind = "ServiceAccount" - name = (var.workload_identity.enabled - ? 
kubernetes_service_account_v1.custom-metrics-stackdriver-adapter-wi[0].metadata[0].name - : kubernetes_service_account_v1.custom-metrics-stackdriver-adapter-no-wi[0].metadata[0].name - ) - namespace = kubernetes_namespace_v1.custom-metrics.metadata[0].name - } -} - -resource "kubernetes_cluster_role_v1" "custom-metrics-resource-reader" { - metadata { - name = "custom-metrics-resource-reader" - } - rule { - api_groups = [""] - resources = ["pods", "nodes", "nodes/stats"] - verbs = ["get", "list", "watch"] - } -} - -resource "kubernetes_cluster_role_binding_v1" "custom-metrics-resource-reader" { - metadata { - name = "custom-metrics-resource-reader" - } - role_ref { - api_group = "rbac.authorization.k8s.io" - kind = "ClusterRole" - name = kubernetes_cluster_role_v1.custom-metrics-resource-reader.metadata[0].name - } - subject { - kind = "ServiceAccount" - name = (var.workload_identity.enabled - ? kubernetes_service_account_v1.custom-metrics-stackdriver-adapter-wi[0].metadata[0].name - : kubernetes_service_account_v1.custom-metrics-stackdriver-adapter-no-wi[0].metadata[0].name - ) - namespace = kubernetes_namespace_v1.custom-metrics.metadata[0].name - } -} - -resource "kubernetes_deployment_v1" "custom-metrics-stackdriver-adapter" { - metadata { - name = "custom-metrics-stackdriver-adapter" - namespace = kubernetes_namespace_v1.custom-metrics.metadata[0].name - labels = { - run = "custom-metrics-stackdriver-adapter" - k8s-app = "custom-metrics-stackdriver-adapter" - } - } - spec { - replicas = 1 - - selector { - match_labels = { - run = "custom-metrics-stackdriver-adapter" - k8s-app = "custom-metrics-stackdriver-adapter" - } - } - - template { - metadata { - labels = { - run = "custom-metrics-stackdriver-adapter" - k8s-app = "custom-metrics-stackdriver-adapter" - "kubernetes.io/cluster-service" = "true" - } - } - - spec { - service_account_name = (var.workload_identity.enabled - ? 
kubernetes_service_account_v1.custom-metrics-stackdriver-adapter-wi[0].metadata[0].name - : kubernetes_service_account_v1.custom-metrics-stackdriver-adapter-no-wi[0].metadata[0].name - ) - - container { - image = "gcr.io/gke-release/custom-metrics-stackdriver-adapter:v0.14.2-gke.0" - image_pull_policy = "Always" - name = "pod-custom-metrics-stackdriver-adapter" - command = ["/adapter", "--use-new-resource-model=true", "--fallback-for-container-metrics=true"] - resources { - limits = { - cpu = "250m" - memory = "200Mi" - } - requests = { - cpu = "250m" - memory = "200Mi" - } - } - } - } - } - } -} - -resource "kubernetes_service_v1" "custom-metrics-stackdriver-adapter" { - metadata { - name = "custom-metrics-stackdriver-adapter" - namespace = kubernetes_namespace_v1.custom-metrics.metadata[0].name - labels = { - run = "custom-metrics-stackdriver-adapter" - k8s-app = "custom-metrics-stackdriver-adapter" - "kubernetes.io/cluster-service" = "true" - "kubernetes.io/name" = "Adapter" - } - } - spec { - selector = { - run = "custom-metrics-stackdriver-adapter" - k8s-app = "custom-metrics-stackdriver-adapter" - } - port { - port = 443 - protocol = "TCP" - target_port = 443 - } - type = "ClusterIP" - } -} - -resource "kubernetes_api_service_v1" "v1beta1-custom-metrics-k8s-io" { - metadata { - name = "v1beta1.custom.metrics.k8s.io" - } - spec { - insecure_skip_tls_verify = true - group = "custom.metrics.k8s.io" - group_priority_minimum = 100 - version_priority = 100 - service { - name = kubernetes_service_v1.custom-metrics-stackdriver-adapter.metadata[0].name - namespace = kubernetes_namespace_v1.custom-metrics.metadata[0].name - } - version = "v1beta1" - } -} - -resource "kubernetes_api_service_v1" "v1beta2-custom-metrics-k8s-io" { - metadata { - name = "v1beta2.custom.metrics.k8s.io" - } - spec { - insecure_skip_tls_verify = true - group = "custom.metrics.k8s.io" - group_priority_minimum = 100 - version_priority = 200 - service { - name = 
kubernetes_service_v1.custom-metrics-stackdriver-adapter.metadata[0].name - namespace = kubernetes_namespace_v1.custom-metrics.metadata[0].name - } - version = "v1beta2" - } -} - -resource "kubernetes_api_service_v1" "v1beta1-external-metrics-k8s-io" { - metadata { - name = "v1beta1.external.metrics.k8s.io" - } - spec { - insecure_skip_tls_verify = true - group = "external.metrics.k8s.io" - group_priority_minimum = 100 - version_priority = 100 - service { - name = kubernetes_service_v1.custom-metrics-stackdriver-adapter.metadata[0].name - namespace = kubernetes_namespace_v1.custom-metrics.metadata[0].name - } - version = "v1beta1" - } -} - -resource "kubernetes_cluster_role_binding_v1" "external-metrics-reader" { - metadata { - name = "external-metrics-reader" - } - role_ref { - api_group = "rbac.authorization.k8s.io" - kind = "ClusterRole" - name = "external-metrics-reader" - } - subject { - kind = "ServiceAccount" - name = "horizontal-pod-autoscaler" - namespace = "kube-system" - } -} - - -# If workload identity is enabled, extra steps are required. We need to: -# - create a service account -# - grant it the monitoring.viewer IAM role -# - bind it to the workload identity user for the cmsa -# - annotate the cmsa service account (done above) - -resource "google_service_account" "cmsa-sa" { - count = var.workload_identity.enabled ? 1 : 0 - account_id = "cmsa-sa" - project = var.workload_identity.project_id -} - -# Equivalent to: -# gcloud projects add-iam-policy-binding PROJECT_ID \ -# --member=serviceAccount:cmsa-sa@PROJECT_ID.iam.gserviceaccount.com \ -# --role=roles/monitoring.viewer -resource "google_project_iam_binding" "cmsa-project-binding" { - count = var.workload_identity.enabled ? 
1 : 0 - project = var.workload_identity.project_id - role = "roles/monitoring.viewer" - members = [ - "serviceAccount:${google_service_account.cmsa-sa[0].account_id}@${var.workload_identity.project_id}.iam.gserviceaccount.com" - ] -} - -# Equivalent to: -# gcloud iam service-accounts add-iam-policy-binding \ -# --role roles/iam.workloadIdentityUser \ -# --member "serviceAccount:PROJECT_ID.svc.id.goog[custom-metrics/custom-metrics-stackdriver-adapter]" \ -# cmsa-sa@PROJECT_ID.iam.gserviceaccount.com -resource "google_service_account_iam_member" "cmsa-bind-to-gsa" { - count = var.workload_identity.enabled ? 1 : 0 - service_account_id = google_service_account.cmsa-sa[0].name - role = "roles/iam.workloadIdentityUser" - member = "serviceAccount:${var.workload_identity.project_id}.svc.id.goog[custom-metrics/custom-metrics-stackdriver-adapter]" -} diff --git a/benchmarks/inference-server/text-generation-inference/custom-metrics-stackdriver-adapter/variables.tf b/benchmarks/inference-server/text-generation-inference/custom-metrics-stackdriver-adapter/variables.tf deleted file mode 100644 index c3b338256..000000000 --- a/benchmarks/inference-server/text-generation-inference/custom-metrics-stackdriver-adapter/variables.tf +++ /dev/null @@ -1,16 +0,0 @@ -variable "workload_identity" { - type = object({ - enabled = bool - project_id = optional(string) - }) - default = { - enabled = false - } - validation { - condition = ( - (var.workload_identity.enabled && var.workload_identity.project_id != null) - || (!var.workload_identity.enabled) - ) - error_message = "A project_id must be specified if workload_identity_enabled is set." - } -} diff --git a/benchmarks/inference-server/text-generation-inference/main.tf b/benchmarks/inference-server/text-generation-inference/main.tf index c094b1b14..a70fb214b 100644 --- a/benchmarks/inference-server/text-generation-inference/main.tf +++ b/benchmarks/inference-server/text-generation-inference/main.tf 
@@ -55,7 +55,7 @@ locals { module "custom_metrics_stackdriver_adapter" { count = local.custom_metrics_enabled ? 1 : 0 - source = "./custom-metrics-stackdriver-adapter" + source = "../../../modules/custom-metrics-stackdriver-adapter" workload_identity = { enabled = true project_id = var.project_id diff --git a/modules/custom-metrics-stackdriver-adapter/main.tf b/modules/custom-metrics-stackdriver-adapter/main.tf index cf775e6e3..ea3b7238b 100644 --- a/modules/custom-metrics-stackdriver-adapter/main.tf +++ b/modules/custom-metrics-stackdriver-adapter/main.tf 
@@ -1,15 +1,15 @@ locals { - v1beta1-custom-metrics-k8s-io = "${path.module}/templates/apiservice_v1beta1.custom.metrics.k8s.io.yaml.tftpl" - v1beta1-external-metrics-k8s-io = "${path.module}/templates/apiservice_v1beta1.external.metrics.k8s.io.yaml.tftpl" - v1beta2-custom-metrics-k8s-io = "${path.module}/templates/apiservice_v1beta2.custom.metrics.k8s.io.yaml.tftpl" - cluster-role-custom-metrics-resource-reader = "${path.module}/templates/clusterrole_custom-metrics-resource-reader.yaml.tftpl" - cluster-role-binding-custom-metrics-resource-reader = "${path.module}/templates/clusterrolebinding_custom-metrics-resource-reader.yaml.tftpl" - custom-metrics-system-auth-delegator = "${path.module}/templates/clusterrolebinding_custom-metrics:system:auth-delegator.yaml.tftpl" - external-metrics-reader = "${path.module}/templates/clusterrolebinding_external-metrics-reader.yaml.tftpl" - deployment-custom-metrics-stackdriver-adapter = "${path.module}/templates/deployment_custom-metrics-stackdriver-adapter.yaml.tftpl" - service-custom-metrics-stackdriver-adapter = "${path.module}/templates/service_custom-metrics-stackdriver-adapter.yaml.tftpl" - service-account-custom-metrics-stackdriver-adapter = "${path.module}/templates/serviceaccount_custom-metrics-stackdriver-adapter.yaml.tftpl" - custom-metrics-auth-reader = "${path.module}/templates/rolebinding_custom-metrics-auth-reader.yaml.tftpl" + v1beta1-custom-metrics-k8s-io = "${path.module}/templates/apiservice_v1beta1.custom.metrics.k8s.io.yaml.tftpl" + v1beta1-external-metrics-k8s-io = "${path.module}/templates/apiservice_v1beta1.external.metrics.k8s.io.yaml.tftpl" + v1beta2-custom-metrics-k8s-io = "${path.module}/templates/apiservice_v1beta2.custom.metrics.k8s.io.yaml.tftpl" + cluster-role-custom-metrics-resource-reader = "${path.module}/templates/clusterrole_custom-metrics-resource-reader.yaml.tftpl" + cluster-role-binding-custom-metrics-resource-reader = 
"${path.module}/templates/clusterrolebinding_custom-metrics-resource-reader.yaml.tftpl" + cluster-role-binding-custom-metrics-system-auth-delegator = "${path.module}/templates/clusterrolebinding_custom-metrics:system:auth-delegator.yaml.tftpl" + cluster-role-binding-external-metrics-reader = "${path.module}/templates/clusterrolebinding_external-metrics-reader.yaml.tftpl" + deployment-custom-metrics-stackdriver-adapter = "${path.module}/templates/deployment_custom-metrics-stackdriver-adapter.yaml.tftpl" + service-custom-metrics-stackdriver-adapter = "${path.module}/templates/service_custom-metrics-stackdriver-adapter.yaml.tftpl" + service-account-custom-metrics-stackdriver-adapter = "${path.module}/templates/serviceaccount_custom-metrics-stackdriver-adapter.yaml.tftpl" + role-binding-custom-metrics-auth-reader = "${path.module}/templates/rolebinding_custom-metrics-auth-reader.yaml.tftpl" } resource "kubernetes_namespace_v1" "custom-metrics" { @@ -18,8 +18,7 @@ resource "kubernetes_namespace_v1" "custom-metrics" { } } -resource "kubernetes_service_account_v1" "custom-metrics-stackdriver-adapter" { - count = 1 +resource "kubernetes_service_account_v1" "service-account-custom-metrics-stackdriver-adapter" { metadata { name = "custom-metrics-stackdriver-adapter" namespace = kubernetes_namespace_v1.custom-metrics.metadata[0].name 
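Review bot: The `kubernetes_service_account_v1` block in the `@@ -18,8 +18,7 @@` hunk gets a new resource address (label `service-account-custom-metrics-stackdriver-adapter`, and `count = 1` removed so the `[0]` index disappears) with no `moved` block alongside it. For any state that already tracks the old address, Terraform would be expected to plan a destroy and re-create of the adapter's ServiceAccount, leaving the RBAC bindings in this module pointing at a missing subject until the apply finishes. A `moved` block with `from = kubernetes_service_account_v1.custom-metrics-stackdriver-adapter[0]` and `to = kubernetes_service_account_v1.service-account-custom-metrics-stackdriver-adapter` keeps the object in place. The `custom-metrics-auth-reader` manifest renamed to `role-binding-custom-metrics-auth-reader` in the following hunk needs the same. The resource body continues past the end of this hunk.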
@@ -30,13 +29,17 @@ resource "kubernetes_service_account_v1" "custom-metrics-stackdriver-adapter" { } resource "kubernetes_manifest" "custom-metrics-system-auth-delegator" { - count = 1 - manifest = yamldecode(file(local.custom-metrics-system-auth-delegator)) + count = 1 + manifest = yamldecode(templatefile(local.cluster-role-binding-custom-metrics-system-auth-delegator, { + cmsa-serviceaccount-name = kubernetes_service_account_v1.service-account-custom-metrics-stackdriver-adapter.metadata[0].name + })) } -resource "kubernetes_manifest" "custom-metrics-auth-reader" { - count = 1 - manifest = yamldecode(file(local.custom-metrics-auth-reader)) +resource "kubernetes_manifest" "role-binding-custom-metrics-auth-reader" { + count = 1 + manifest = yamldecode(templatefile(local.role-binding-custom-metrics-auth-reader, { + cmsa-serviceaccount-name = kubernetes_service_account_v1.service-account-custom-metrics-stackdriver-adapter.metadata[0].name + })) } resource "kubernetes_manifest" "cluster-role-custom-metrics-resource-reader" { 
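Review bot: The same one-entry variables object, `{ cmsa-serviceaccount-name = kubernetes_service_account_v1.service-account-custom-metrics-stackdriver-adapter.metadata[0].name }`, is spelled out in both `templatefile` calls here and again in the two calls of the `@@ -45,13 +48,17 @@` hunk. Defining it once in the existing `locals` block, e.g. `cmsa-template-vars = { cmsa-serviceaccount-name = ... }`, and passing `local.cmsa-template-vars` to each call would keep the four rendered subjects from drifting apart when another field is added. A one-line comment above each resource, such as `# Subject name is rendered from the managed ServiceAccount, not hard-coded in the template`, would also record why these four use `templatefile` while the other manifests still use `file`.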
@@ -45,13 +48,17 @@ resource "kubernetes_manifest" "cluster-role-custom-metrics-resource-reader" { } resource "kubernetes_manifest" "cluster-role-binding-custom-metrics-resource-reader" { - count = 1 - manifest = yamldecode(file(local.cluster-role-binding-custom-metrics-resource-reader)) + count = 1 + manifest = yamldecode(templatefile(local.cluster-role-binding-custom-metrics-resource-reader, { + cmsa-serviceaccount-name = kubernetes_service_account_v1.service-account-custom-metrics-stackdriver-adapter.metadata[0].name + })) } resource "kubernetes_manifest" "deployment-custom-metrics-stackdriver-adapter" { - count = 1 - manifest = yamldecode(file(local.deployment-custom-metrics-stackdriver-adapter)) + count = 1 + manifest = yamldecode(templatefile(local.deployment-custom-metrics-stackdriver-adapter, { + cmsa-serviceaccount-name = kubernetes_service_account_v1.service-account-custom-metrics-stackdriver-adapter.metadata[0].name + })) } resource "kubernetes_manifest" "service-custom-metrics-stackdriver-adapter" { @@ -76,7 +83,7 @@ resource "kubernetes_manifest" "v1beta1-external-metrics-k8s-io" { resource "kubernetes_manifest" "external-metrics-reader" { count = 1 - manifest = yamldecode(file(local.external-metrics-reader)) + manifest = yamldecode(file(local.cluster-role-binding-external-metrics-reader)) } # If workload identity is enabled, extra steps are required. We need to: diff --git a/modules/custom-metrics-stackdriver-adapter/templates/clusterrolebinding_custom-metrics-resource-reader.yaml.tftpl b/modules/custom-metrics-stackdriver-adapter/templates/clusterrolebinding_custom-metrics-resource-reader.yaml.tftpl index 8468a16cd..dd0cb0d85 100644 --- a/modules/custom-metrics-stackdriver-adapter/templates/clusterrolebinding_custom-metrics-resource-reader.yaml.tftpl +++ b/modules/custom-metrics-stackdriver-adapter/templates/clusterrolebinding_custom-metrics-resource-reader.yaml.tftpl 
@@ -8,5 +8,5 @@ roleRef: name: view subjects: - kind: ServiceAccount - name: custom-metrics-stackdriver-adapter + name: ${cmsa-serviceaccount-name} namespace: custom-metrics diff --git a/modules/custom-metrics-stackdriver-adapter/templates/clusterrolebinding_custom-metrics:system:auth-delegator.yaml.tftpl b/modules/custom-metrics-stackdriver-adapter/templates/clusterrolebinding_custom-metrics:system:auth-delegator.yaml.tftpl index 940bbe821..44887e5ab 100644 --- a/modules/custom-metrics-stackdriver-adapter/templates/clusterrolebinding_custom-metrics:system:auth-delegator.yaml.tftpl +++ b/modules/custom-metrics-stackdriver-adapter/templates/clusterrolebinding_custom-metrics:system:auth-delegator.yaml.tftpl @@ -8,5 +8,5 @@ roleRef: name: system:auth-delegator subjects: - kind: ServiceAccount - name: custom-metrics-stackdriver-adapter + name: ${cmsa-serviceaccount-name} namespace: custom-metrics diff --git a/modules/custom-metrics-stackdriver-adapter/templates/deployment_custom-metrics-stackdriver-adapter.yaml.tftpl b/modules/custom-metrics-stackdriver-adapter/templates/deployment_custom-metrics-stackdriver-adapter.yaml.tftpl index b86aee5e1..d0ecc0387 100644 --- a/modules/custom-metrics-stackdriver-adapter/templates/deployment_custom-metrics-stackdriver-adapter.yaml.tftpl +++ b/modules/custom-metrics-stackdriver-adapter/templates/deployment_custom-metrics-stackdriver-adapter.yaml.tftpl @@ -19,7 +19,7 @@ spec: k8s-app: custom-metrics-stackdriver-adapter kubernetes.io/cluster-service: "true" spec: - serviceAccountName: custom-metrics-stackdriver-adapter + serviceAccountName: ${cmsa-serviceaccount-name} containers: - image: gcr.io/gke-release/custom-metrics-stackdriver-adapter:v0.14.2-gke.0 imagePullPolicy: Always diff --git a/modules/custom-metrics-stackdriver-adapter/templates/rolebinding_custom-metrics-auth-reader.yaml.tftpl b/modules/custom-metrics-stackdriver-adapter/templates/rolebinding_custom-metrics-auth-reader.yaml.tftpl index c56782e28..92fae046e 100644 
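Review bot: The `roleRef` in this hunk's context still names the built-in `view` ClusterRole, so this ClusterRoleBinding gives the adapter's ServiceAccount cluster-wide read access to most namespaced objects, not the `custom-metrics-resource-reader` role that `main.tf` also renders (local `cluster-role-custom-metrics-resource-reader`). The module deleted in this commit bound a role limited to `get`/`list`/`watch` on `pods`, `nodes` and `nodes/stats`. If the templated ClusterRole carries those same rules, `name: custom-metrics-resource-reader` in the `roleRef` would restore the narrower grant. The template's metadata and the start of `roleRef` lie outside the hunk, so the role's actual rules should be confirmed first.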
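Review bot: Only the subject's `name` is templated in the `system:auth-delegator` binding; `namespace: custom-metrics` stays a literal here and in the resource-reader and auth-reader templates. In `main.tf` the ServiceAccount's namespace comes from `kubernetes_namespace_v1.custom-metrics.metadata[0].name`, so the two can diverge if the namespace is ever renamed. A binding whose subject does not exist confers its role on whatever ServiceAccount is later created under that name and namespace, so the namespace should be rendered from the same resource, e.g. `namespace: ${cmsa-namespace}` with a matching key in the `templatefile` vars.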
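Review bot: The container in the deployment hunk's context is referenced by tag (`gcr.io/gke-release/custom-metrics-stackdriver-adapter:v0.14.2-gke.0`) together with `imagePullPolicy: Always`, so the pod running under the ServiceAccount wired up here pulls whatever that tag resolves to at each start. Pinning by digest, `image: gcr.io/gke-release/custom-metrics-stackdriver-adapter:v0.14.2-gke.0@sha256:<digest-placeholder>`, makes any change to the deployed binary visible in a diff. The rest of the pod spec is outside the hunk, so whether a `securityContext` is set cannot be judged from here.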
--- a/modules/custom-metrics-stackdriver-adapter/templates/rolebinding_custom-metrics-auth-reader.yaml.tftpl +++ b/modules/custom-metrics-stackdriver-adapter/templates/rolebinding_custom-metrics-auth-reader.yaml.tftpl @@ -9,5 +9,5 @@ roleRef: name: extension-apiserver-authentication-reader subjects: - kind: ServiceAccount - name: custom-metrics-stackdriver-adapter + name: ${cmsa-serviceaccount-name} namespace: custom-metrics