Doc revamp

Author: ryansingman

INSTALLATION.md INSTALLATION.md.DEPRECATEDINSTALLATION.md renamed to INSTALLATION.md.DEPRECATED

@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.28
+version: 0.1.29
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.1.20"
+appVersion: "0.1.0"

deploy/helm/tlm/Chart.yaml

@@ -34,9 +34,11 @@ spec:
               value: "{{ .Values.chat_backend.container.port }}"
             - name: NUM_PROXIES
               value: "{{ .Values.chat_backend.num_proxies }}"
+            - name: ENVIRONMENT
+              value: "{{ .Values.environment }}"
           envFrom:
             - secretRef:
-                name: {{ .Release.Name }}-chat-backend-secret
+                name: {{ .Values.chat_backend.secret_name}}
           startupProbe:
             httpGet:
               path: /api/health/
@@ -61,7 +63,7 @@ spec:
               port: {{ .Values.chat_backend.container.port }}
           resources:
             {{- toYaml .Values.chat_backend.resources | nindent 12 }}
-        {{- if .Values.imagePullSecret.enabled }}
+      {{- if .Values.imagePullSecret.enabled }}
       imagePullSecrets:
         - name: {{ .Values.imagePullSecret.name }}
       {{- end }}

deploy/helm/tlm/templates/chat/deployment.yaml

@@ -2,13 +2,16 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 
+environment: "production"
 replicaCount: 1
 
 imagePullSecret:
   enabled: false
   name: ""
 
 chat_backend:
+  secret_name: ""
+
   image:
     repository: 043170249292.dkr.ecr.us-east-1.amazonaws.com/tlm/chat-backend
     pullPolicy: IfNotPresent

deploy/helm/tlm/values.yaml

@@ -43,6 +43,9 @@ def deploy_chat():
             "deploy/helm/tlm/values.yaml",
             "deploy/helm/values/local.yaml",
         ],
+        set=[
+            "chat_backend.secret_name=tlm-chat-backend-secret",
+        ],
     ))
 
     docker_build(

deploy/tilt/Tiltfile.chat

@@ -0,0 +1,249 @@
+# TLM Installation on Azure Kubernetes Service (AKS)
+This guide describes how to install the TLM app on Azure Kubernetes Service (AKS).
+
+## 0. Prerequisites
+
+Before you begin the installation process, ensure that the following prerequisites are met:
+
+- **Azure Kubernetes Service (AKS) Cluster**: You must have an existing AKS cluster. The cluster should be configured with a Virtual Network (VNet) of size `/22` or larger.
+
+- **Azure Application Gateway Ingress Controller (AGIC) Add-on** *(optional)*: If you plan to use the Azure Application Gateway Ingress Controller to expose the TLM application, ensure that the AGIC add-on is enabled when creating your AKS cluster.
+
+- **Configured Tools**: The tools listed below must be installed and properly configured on your machine:
+  - [helm](https://helm.sh/docs/intro/install/)
+  - [kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl)
+  - [az (Azure CLI)](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli)
+  - [jq](https://jqlang.github.io/jq/)
+
+Ensure that these prerequisites are satisfied to successfully install and run the TLM application on AKS.
+
+## 1. Cross-tenant Azure Container Registry Authentication
+
+TLM container images are stored in Azure Container Registry (ACR). To pull these images, you will need to authenticate your AKS cluster to the ACR.
+
+Since the ACR repository is in a different tenant, it is necessary to set up a cross-tenant Entra app registration.
+
+1. Create the app registration in your ACR tenant
+```bash
+acr_app_id=$(az ad app create \
+  --display-name "CleanlabTLMCrossTenantApp" \
+  --sign-in-audience AzureADMultipleOrgs \
+  --web-redirect-uris https://microsoft.com \
+  --query appId -o tsv)
+```
+2. Reset the app registration credentials
+```bash
+acr_app_credentials=$(az ad app credential reset --id $acr_app_id)
+acr_app_password=$(echo $acr_app_credentials | jq -r '.password')
+acr_app_tenant_id=$(echo $acr_app_credentials | jq -r '.tenant')
+```
+3. Share the application ID and tenant ID with the Cleanlab Infra team.
+4. Export the application ID and password as environment variables for later use:
+```bash
+export ACR_APP_ID=$acr_app_id
+export ACR_APP_PASSWORD=$acr_app_password
+export ACR_APP_TENANT_ID=$acr_app_tenant_id
+```
+
+You will use the the application ID and password to pull the TLM helm chart and to pull the TLM container images in the AKS cluster.
+
+## 2. Azure OpenAI Service
+
+### 2a. Set up Azure OpenAI Resource
+
+If you do not already have an Azure OpenAI resource that you wish to use, you can create one:
+```bash
+azure_openai_endpoint=$(az cognitiveservices account create \
+    --name CleanlabTLMOpenAIResource \
+    --resource-group <resource_group_name> \
+    --location <location> \
+    --sku S0 \
+    --kind OpenAI \
+    --yes \
+    --query properties.endpoint -o tsv)
+export AZURE_OPENAI_ENDPOINT=$azure_openai_endpoint
+```
+
+### 2b. Set up Azure OpenAI Deployments
+
+You will need to set up deployments for each model that you wish to use. This must include at least one each of `completion` and `embedding` deployments.
+
+For example, if you wish to use `gpt-4o` and `gpt-4o-mini` completions and `text-embedding-3-small` embeddings, you will need to set up the following deployments:
+```bash
+az cognitiveservices deployment create \
+    --name CleanlabTLMOpenAIResource \
+    --resource-group <resource_group_name> \
+    --model-name gpt-4o \
+    --model-version 1 \
+    --model-format OpenAI \
+
+az cognitiveservices deployment create \
+    --name CleanlabTLMOpenAIResource \
+    --resource-group <resource_group_name> \
+    --model-name gpt-4o-mini \
+    --model-version 1 \
+    --model-format OpenAI \
+
+az cognitiveservices deployment create \
+    --name CleanlabTLMOpenAIResource \
+    --resource-group <resource_group_name> \
+    --model-name text-embedding-3-small \
+    --model-version 1 \
+    --model-format OpenAI \
+```
+
+### 2c. Set up Azure OpenAI Service Principal
+
+To set up a Service Principal for Azure OpenAI and assign the necessary role, follow these steps:
+
+1. **Create a Service Principal**
+
+   Create a new Service Principal and capture its credentials:
+   ```bash
+   openai_sp_credentials=$(az ad sp create-for-rbac --name "CleanlabTLMOpenAISP" --skip-assignment)
+   openai_sp_app_id=$(echo $openai_sp_credentials | jq -r '.appId')
+   openai_sp_password=$(echo $openai_sp_credentials | jq -r '.password')
+   openai_sp_tenant=$(echo $openai_sp_credentials | jq -r '.tenant')
+   ```
+
+2. **Assign the Cognitive Services OpenAI User Role**
+
+   Assign the `Cognitive Services OpenAI User` role to the Service Principal:
+   ```bash
+   az role assignment create \
+     --assignee $openai_sp_app_id \
+     --role "Cognitive Services OpenAI User" \
+     --scope /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.CognitiveServices/accounts/CleanlabTLMOpenAIResource
+   ```
+
+   Replace `<subscription_id>`, `<resource_group_name>`, and `<openai_resource_name>` with your Azure subscription ID, the resource group name, and the name of your Azure OpenAI resource, respectively.
+
+3. **Export Service Principal Credentials**
+
+   Store the Service Principal credentials as environment variables for later use:
+   ```bash
+   export OPENAI_SP_APP_ID=$openai_sp_app_id
+   export OPENAI_SP_PASSWORD=$openai_sp_password
+   export OPENAI_SP_TENANT=$openai_sp_tenant
+   ```
+
+   Ensure that these environment variables are securely stored and accessible to the components of the TLM application that require them.
+
+4. **Verify the Role Assignment**
+
+   Confirm that the role has been successfully assigned:
+   ```bash
+   az role assignment list --assignee $openai_sp_app_id --role "Cognitive Services OpenAI User" --scope /subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.CognitiveServices/accounts/<openai_resource_name>
+   ```
+
+   You should see an output confirming the role assignment for the Service Principal.
+
+By completing these steps, you establish a Service Principal with the appropriate permissions to interact with the Azure OpenAI resources required by the TLM application.
+
+## 3. Install TLM
+
+### 3a. Create Kubernetes Namespace
+
+```bash
+kubectl create namespace cleanlabtlm
+```
+
+### 3b. Set up secrets (image pull secret, OpenAI service principal)
+
+1. Using the service principal credentials created in the [cross-tenant authentication section](#1-create-azure-openai-service-principal), create a `docker-registry` secret. This will be used to pull container images from the `cleanlabtlm.azurecr.io` repository.
+
+```bash
+kubectl create secret docker-registry cleanlabtlm-acr-secret \
+    --namespace cleanlabtlm \
+    --docker-server cleanlabtlm.azurecr.io \
+    --docker-username $ACR_APP_ID \
+    --docker-password $ACR_APP_PASSWORD
+```
+
+2. Using the service principal credentials created in the [Azure OpenAI Service Principal section](#2c-set-up-azure-openai-service-principal), create a secret containing the credentials needed to authenticate with Azure OpenAI:
+
+```bash
+kubectl create secret generic chat-backend-secret \
+    --namespace cleanlabtlm \
+    --from-literal=AZURE_TENANT_ID=$OPENAI_SP_TENANT \
+    --from-literal=AZURE_CLIENT_ID=$OPENAI_SP_APP_ID \
+    --from-literal=AZURE_CLIENT_SECRET=$OPENAI_SP_PASSWORD \
+    --from-literal=AZURE_API_BASE=$AZURE_OPENAI_ENDPOINT
+```
+
+### 3c. Log in to the `cleanlabtlm` Helm registry
+
+Using the Azure Container Registry credentials created in the [cross-tenant authentication section](#1-create-azure-openai-service-principal), log in to the `cleanlabtlm` Helm registry:
+
+```bash
+helm registry login cleanlabtlm.azurecr.io \
+    --username $ACR_APP_ID \
+    --password $ACR_APP_PASSWORD
+```
+
+### 3d. Construct `values.yaml`
+
+The following contains default values for the TLM helm chart. You can modify these values to suit your needs.
+
+```bash
+cat <<EOF > values.yaml
+chat_backend:
+  image:
+    repository: cleanlabtlm.azurecr.io/tlm/chat-backend
+
+imagePullSecret:
+  enabled: true
+  name: cleanlabtlm-acr-secret
+EOF
+```
+
+### 3e. Install the Helm Chart
+
+You can now install the helm chart using the `values.yaml` file you created in the previous step:
+
+```bash
+helm upgrade --install tlm oci://cleanlab.azurecr.io/tlm/tlm \
+    --namespace cleanlabtlm \
+    -f values.yaml
+```
+
+@ryan TODO!!!
+If you wish to [setup an Azure AGIC](#4-set-up-azure-application-gateway-ingress-controller-agic-optional), you will need to note the following values printed out after performing the TLM helm install:
+- `uri_prefix`
+- `service.name`
+- `service.port`
+
+## 4. Set up Azure Application Gateway Ingress Controller (AGIC) (optional)
+
+This is one means of exposing the TLM application. You will need to have the AGIC add-on installed on your AKS cluster.
+
+Then, you can create the ingress resource by running the following:
+```bash
+tlm_uri_prefix=<uri_prefix> \
+tlm_service_name=<service.name> \
+tlm_service_port=<service.port> \
+kubectl apply -f - <<EOF
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: tlm-ingress
+spec:
+  ingressClassName: azure-application-gateway
+  rules:
+  - http:
+      paths:
+      - path: $tlm_uri_prefix
+        backend:
+          service:
+            name: $tlm_service_name
+            port:
+              number: $tlm_service_port
+        pathType: Prefix
+EOF
+```
+
+## References
+
+- [Cross tenant Azure Container Registry Authentication](https://learn.microsoft.com/en-us/azure/container-registry/authenticate-aks-cross-tenant)
+- [Azure Application Gateway Ingress Controller](https://learn.microsoft.com/en-us/azure/application-gateway/ingress-controller-overview)
+- [Azure OpenAI Service -- Create Resource](https://learn.microsoft.com/en-us/azure/ai-services/openai/how-to/create-resource?pivots=cli)