[DEV-802] Helm chart to deploy agents

ai-models/agents_deployment/helm/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: cvat-sam2-agent
+description: A chart to deploy CVAT SAM2 Agent.
+type: application
+version: 0.1.0
+appVersion: "1.0.4"

ai-models/agents_deployment/helm/templates/NOTES.txt

@@ -0,0 +1,18 @@
+=== CVAT SAM2 Agent ===
+
+Agent deployed with {{ .Values.agent.replicaCount }} replica(s).
+CVAT URL: {{ .Values.agent.cvat_base_url }}
+Model:    {{ .Values.agent.model_id }}
+
+The function registration job runs as a pre-install/pre-upgrade hook.
+Check its status:
+  kubectl get jobs -n {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }}
+
+View agent logs:
+  kubectl logs -n {{ .Release.Namespace }} -l app.kubernetes.io/name={{ .Chart.Name }},app.kubernetes.io/component!=job -f
+
+{{- if .Values.agent.cvat_access_token }}
+WARNING: You are using a hardcoded CVAT access token in plain text. This token WILL be visible in the Helm release history and in pod definition.
+Consider using .Values.agent.secret_env to store the token in a Kubernetes Secret for better security.
+NB! this token overrides the value from .Values.agent.secret_env if both are set.
+{{- end }}

ai-models/agents_deployment/helm/templates/deployment.yaml

@@ -0,0 +1,38 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "agent.fullname" . }}
+  labels:
+    {{- include "agent.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.agent.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "agent.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "agent.selectorLabels" . | nindent 8 }}
+    spec:
+      securityContext:
+      {{- include "agent.podSecurityContext" . | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            allowPrivilegeEscalation: false
+          {{- include "agent.image" . | nindent 10 }}
+          #NB! configMap is created by job.yaml
+          envFrom:
+            - configMapRef:
+                optional: true
+                name: {{ include "agent.fullname" . }}-config
+          env:
+            {{- include "agent.commonEnv" . | nindent 12 }}
+            - name: USE_CUDA
+              value: {{ .Values.agent.use_cuda | default "false" | quote }}
+            {{- range .Values.agent.envVars }}
+            - name: {{ .name }}
+              value: {{ .value | quote }}
+            {{- end }}
+          resources:
+            {{- toYaml .Values.agent.resources | nindent 12 }}

ai-models/agents_deployment/helm/templates/helpers.tpl

@@ -0,0 +1,81 @@
+{{/*
+Fully qualified app name (truncated to 63 chars).
+*/}}
+{{- define "agent.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name .Chart.Name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "agent.labels" -}}
+app.kubernetes.io/name: {{ .Chart.Name }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "agent.selectorLabels" -}}
+app.kubernetes.io/name: {{ .Chart.Name }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Job selector labels
+*/}}
+{{- define "agent.jobSelectorLabels" -}}
+app.kubernetes.io/name: {{ .Chart.Name }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/component: job
+{{- end }}
+
+{{/*
+Common environment variables
+*/}}
+{{- define "agent.commonEnv" -}}
+- name: CVAT_BASE_URL
+  value: {{ .Values.agent.cvat_base_url | default "https://app.cvat.ai" | quote }}
+{{- if .Values.agent.cvat_access_token }}
+- name: CVAT_ACCESS_TOKEN
+  value: {{ .Values.agent.cvat_access_token | quote }}
+{{- end }}
+{{- if not .Values.agent.cvat_access_token }}
+{{- range .Values.agent.secret_env }}
+- name: {{ .name }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ .secretName }}
+      key: {{ .secretKey }}
+{{- end }}
+{{- end }}
+- name: MODEL_ID
+  value: {{ .Values.agent.model_id | quote }}
+- name: NAMESPACE
+  value: {{ .Release.Namespace }}
+- name: CONFIGMAP_NAME
+  value: {{ include "agent.fullname" . }}-config
+- name: ORG_SLUG
+  value: {{ .Values.agent.org_slug | quote }}
+{{- end }}
+
+{{/*
+Common image/imagePullPolicy
+*/}}
+
+{{- define "agent.image" -}}
+image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+imagePullPolicy: {{ .Values.image.pullPolicy }}
+{{- end }}
+
+{{- define "agent.podSecurityContext" -}}
+runAsNonRoot: true
+runAsUser: 1000
+runAsGroup: 1000
+{{- end }}

ai-models/agents_deployment/helm/templates/job.yaml

@@ -0,0 +1,36 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "agent.fullname" . }}-function-registration
+  labels:
+    {{- include "agent.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install, pre-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation
+    "helm.sh/hook-weight": "0"
+spec:
+  backoffLimit: {{ .Values.job.backoffLimit | default 3 }}
+  ttlSecondsAfterFinished: {{ .Values.job.ttlSecondsAfterFinished | default 300 }}
+  template:
+    metadata:
+      labels:
+        {{- include "agent.jobSelectorLabels" . | nindent 8 }}
+    spec:
+      securityContext:
+      {{- include "agent.podSecurityContext" . | nindent 8 }}
+      serviceAccountName: {{ include "agent.fullname" . }}-job-sa
+      restartPolicy: Never
+      containers:
+        - name: function-registration
+          securityContext:
+            allowPrivilegeEscalation: false
+          {{- include "agent.image" . | nindent 10 }}
+          command: ["./function_registration.sh"]
+          env:
+            {{- include "agent.commonEnv" . | nindent 12 }}
+            {{- range .Values.job.envVars }}
+            - name: {{ .name }}
+              value: {{ .value | quote }}
+            {{- end }}
+          resources:
+            {{- toYaml .Values.job.resources | nindent 12 }}

ai-models/agents_deployment/helm/templates/job_cleanup.yaml

@@ -0,0 +1,40 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "agent.fullname" . }}-function-deregistration
+  labels:
+    {{- include "agent.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": before-hook-creation
+    "helm.sh/hook-weight": "0"
+spec:
+  backoffLimit: {{ .Values.job.backoffLimit | default 3 }}
+  ttlSecondsAfterFinished: {{ .Values.job.ttlSecondsAfterFinished | default 300 }}
+  template:
+    metadata:
+      labels:
+        {{- include "agent.jobSelectorLabels" . | nindent 8 }}
+    spec:
+      securityContext:
+      {{- include "agent.podSecurityContext" . | nindent 8 }}
+      serviceAccountName: {{ include "agent.fullname" . }}-job-sa
+      restartPolicy: Never
+      containers:
+        - name: function-deregistration
+          securityContext:
+            allowPrivilegeEscalation: false
+          {{- include "agent.image" . | nindent 10 }}
+          command: ["./function_deregistration.sh"]
+          envFrom:
+            - configMapRef:
+                optional: true
+                name: {{ include "agent.fullname" . }}-config
+          env:
+            {{- include "agent.commonEnv" . | nindent 12 }}
+            {{- range .Values.job.envVars }}
+            - name: {{ .name }}
+              value: {{ .value | quote }}
+            {{- end }}
+          resources:
+            {{- toYaml .Values.job.resources | nindent 12 }}

ai-models/agents_deployment/helm/templates/job_role.yaml

@@ -0,0 +1,22 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "agent.fullname" . }}-job-role
+  labels:
+    {{- include "agent.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install, pre-upgrade, pre-delete
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    "helm.sh/hook-weight": "-5"
+rules:
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["create", "get", "update", "patch"]
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    resourceNames: ["{{ include "agent.fullname" . }}-config"]
+    verbs: ["delete"]
+
+# You cannot restrict [...] or top-level create requests by resource name.
+# For create, this limitation is because the name of the new object may not be known at authorization time.
+# https://kubernetes.io/docs/reference/access-authn-authz/rbac/

ai-models/agents_deployment/helm/templates/job_rolebinding.yaml

@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "agent.fullname" . }}-job-rolebinding
+  labels:
+    {{- include "agent.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install, pre-upgrade, pre-delete
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    "helm.sh/hook-weight": "-5"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "agent.fullname" . }}-job-role
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "agent.fullname" . }}-job-sa
+    namespace: {{ .Release.Namespace }}

ai-models/agents_deployment/helm/templates/job_sa.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "agent.fullname" . }}-job-sa
+  labels:
+    {{- include "agent.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install, pre-upgrade, pre-delete
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    "helm.sh/hook-weight": "-5"

ai-models/agents_deployment/helm/values.yaml

@@ -0,0 +1,49 @@
+fullnameOverride: "sam2-agent"
+
+# Please replace with your Docker image URL that contains the SAM2 agent implementation.
+# TODO replace with our actual public image URL once it's available.
+image:
+  repository: ""
+  tag: ""
+  pullPolicy: IfNotPresent
+
+agent:
+  # Please replace with your actual CVAT instance URL.
+  cvat_base_url: "https://app.cvat.ai"
+  # You can provide the CVAT access token directly here, but it's recommended to use Kubernetes Secrets for better security.
+  # If you choose to use a secret, make sure to create it in your cluster and reference it in the `secret_env` section below.
+  # Token takes precedence over the secret, so if both are provided, the value here will be used.
+  cvat_access_token: ""
+  # Please specify the model ID you want to use. You can find available models on Hugging Face, ex: https://huggingface.co/models?search=facebook%2Fsam2.
+  model_id: "facebook/sam2-hiera-tiny"
+  # Please specify the number of agent replicas you want to deploy.
+  replicaCount: 1
+  org_slug: ""
+  use_cuda: false
+  # TODO need to find out optimal recommended resources.
+  resources:
+    limits:
+      cpu: 1
+#      memory: 1.5Gi
+    requests:
+      cpu: 200m
+      memory: 256Mi
+  envVars: []
+#    - name: EXAMPLE_ENV_VAR
+#      value: true
+  secret_env:
+    - name: CVAT_ACCESS_TOKEN
+      secretName: cvat-agent
+      secretKey: token
+
+job:
+  resources:
+    limits:
+      cpu: 1
+      memory: 1Gi
+    requests:
+      cpu: 400m
+      memory: 256Mi
+  envVars: []
+#   - name: EXAMPLE_ENV_VAR
+#     value: true

ai-models/agents_deployment/sam2/function_deregistration.sh

@@ -18,7 +18,8 @@ fi
 
 if [ -z "$FUNCTION_ID" ]; then
     echo -e "Error: FUNCTION_ID environment variable must be set to remove function from CVAT.\nPlease consider manual removal using cvat-cli --server-host $CVAT_BASE_URL function delete FUNCTION_ID"
-    exit 1
+    echo "Or it might be that the function was not registered at all, in that case you can safely ignore this message."
+    exit 0
 fi
 
 if [ -n "$KUBERNETES_SERVICE_HOST" ]; then