Replace Streamlit by Reflex for playground (#493)

* wip 0

* add role page

* add user and organization

* lint

* hide somes page for master user

* remove password dialog

* clean key page

* clean usage page

* create role

* wip

* clean role

* wip

* finish

* add doc

* Update pyproject.toml version

* Update coverage badge

---------

Co-authored-by: GitHub Actions <actions@github.com>
Co-authored-by: leoguillaume <leoguillaume@users.noreply.github.com>

Author: leoguillaume

.github/badges/coverage.json

@@ -1 +1 @@
-{"schemaVersion":1,"label":"coverage","message":"72.71%","color":"yellow"}
+{"schemaVersion":1,"label":"coverage","message":"72.77%","color":"yellow"}

.github/workflows/assets/favicon.ico

@@ -0,0 +1,6 @@
+settings:
+  app_title: Albert API
+  auth_key_max_expiration_days: 365
+  playground_opengatellm_url: ${OPENGATELLM_URL}
+  playground_default_model: ${PLAYGROUND_DEFAULT_MODEL}
+  playground_theme_accent_color: indigo

.github/workflows/assets/playground.config.yml

@@ -12,7 +12,7 @@ on:
 
 jobs:
   build-api:
-    name: Build and push from ${{ github.ref_name }}/${{ github.sha }}
+    name: Build and push OpenGateLLM API image
     runs-on: ubuntu-latest
     env:
       API_IMAGE_NAME: ghcr.io/etalab-ia/opengatellm/api
@@ -36,7 +36,7 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Build and push api
+      - name: Build and push OpenGateLLM API image to GitHub
         uses: docker/build-push-action@v6
         with:
           context: .
@@ -47,11 +47,13 @@ jobs:
           cache-from: type=registry,ref=${{ env.API_IMAGE_NAME }}:cache
           cache-to: type=registry,ref=${{ env.API_IMAGE_NAME }}:cache,mode=max
 
-  build-playground:
-    name: Build and push Playground image
+  build-opengatellm-playground:
+    name: Build and push OpenGateLLM playground image
     runs-on: ubuntu-latest
     env:
-      PLAYGROUND_IMAGE_NAME: ghcr.io/etalab-ia/opengatellm/playground
+      GITHUB_PLAYGROUND_IMAGE_NAME: ghcr.io/etalab-ia/opengatellm/playground
+      GITLAB_PLAYGROUND_IMAGE_NAME: registry.gitlab.com/${{ secrets.GITLAB_PROJECT_PATH }}/playground
+      PLAYGROUND_URL: https://albert.playground.env.etalab.gouv.fr
       IMAGE_TAG: ${{ github.event_name == 'release' && github.event.release.tag_name || 'latest' }}
     steps:
       - name: Checkout repository
@@ -67,29 +69,78 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Build and push Playground image
+      - name: Build and push OpenGateLLM playground image to GitHub
         uses: docker/build-push-action@v6
         with:
           context: .
+          build-args: |
+            CONFIG_FILE=.github/workflows/assets/playground.config.yml
+            FAVICON=.github/workflows/assets/favicon.ico
           file: ./playground/Dockerfile
           platforms: linux/amd64,linux/arm64
           push: true
-          tags: ${{ env.PLAYGROUND_IMAGE_NAME }}:${{ env.IMAGE_TAG }}
-          cache-from: type=registry,ref=${{ env.PLAYGROUND_IMAGE_NAME }}:cache
-          cache-to: type=registry,ref=${{ env.PLAYGROUND_IMAGE_NAME }}:cache,mode=max
+          tags: ${{ env.GITHUB_PLAYGROUND_IMAGE_NAME }}:${{ env.IMAGE_TAG }}
+          cache-from: type=registry,ref=${{ env.GITHUB_PLAYGROUND_IMAGE_NAME }}:cache
+          cache-to: type=registry,ref=${{ env.GITHUB_PLAYGROUND_IMAGE_NAME }}:cache,mode=max
+          
+  build-albert-playground:
+    name: Build and push Albert playground image
+    runs-on: ubuntu-latest
+    env:
+      GITLAB_PLAYGROUND_IMAGE_NAME: registry.gitlab.com/${{ secrets.GITLAB_PROJECT_PATH }}/playground
+      IMAGE_TAG: ${{ github.event_name == 'release' && github.event.release.tag_name || 'latest' }}
+    strategy:
+      matrix:
+        environment: [dev, staging, prod]
+        include:
+          - environment: prod
+            url: https://albert.playground.etalab.gouv.fr
+          - environment: staging
+            url: https://albert.playground.staging.etalab.gouv.fr
+          - environment: dev
+            url: https://albert.playground.dev.etalab.gouv.fr
+    
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Log in to GitLab Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: registry.gitlab.com
+          username: ${{ secrets.GITLAB_USERNAME }}
+          password: ${{ secrets.GITLAB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and push Albert playground images to GitLab
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          build-args: |
+            REFLEX_BACKEND_URL=${{ matrix.url }}
+            REFLEX_FRONTEND_URL=${{ matrix.url }}
+            CONFIG_FILE=.github/workflows/assets/playground.config.yml
+            FAVICON=.github/workflows/assets/favicon.ico
+          file: ./playground/Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ env.GITLAB_PLAYGROUND_IMAGE_NAME }}/${{ matrix.environment }}:${{ env.IMAGE_TAG }}
+          cache-from: type=registry,ref=${{ env.GITHUB_PLAYGROUND_IMAGE_NAME }}:cache
 
   deploy-dev:
     if: github.event_name == 'push' # Only deploy on push to main
     name: Deploy from ${{ github.ref_name }}/${{ github.sha }}
     runs-on: ubuntu-latest
-    needs: [build-api, build-playground]
+    needs: [build-api, build-opengatellm-playground, build-albert-playground]
     steps:
       - name: Trigger dev deployment
         run: |
           RESPONSE="$(curl --request POST \
             --form token=${{ secrets.GITLAB_CI_TOKEN }} \
             --form ref=main \
-            --form 'variables[pipeline_name]=${{ github.event.repository.name }} - ${{ needs.build-and-push.outputs.commit_title }}' \
+            --form 'variables[pipeline_name]=${{ github.event.repository.name }} - ${{ needs.build-api.outputs.commit_title }}' \
             --form 'variables[docker_image_tag]=latest' \
             --form 'variables[application_to_deploy]=albert-api' \
             --form 'variables[deployment_environment]=dev' \

.github/workflows/build_and_deploy.yml

@@ -5,6 +5,10 @@ on:
     branches: [ main ]
   pull_request:
     branches: [ main ]
+  release:
+    types: 
+      - published
+      - edited
   workflow_call: # Add this to make the workflow reusable
   workflow_dispatch: # Add this to allow manual triggering
 
@@ -24,7 +28,7 @@ jobs:
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip
-          pip install ".[api,dev]"
+          pip install ".[api,playground,dev]"
 
       - name: Generate documentation
         run: |

.github/workflows/generate_documentation.yml

@@ -47,17 +47,22 @@ help:
 
 .start-api:
 	@bash -c 'set -a; . $(env); \
-	SERVER=uvicorn \
-	SERVER_CMD_ARGS="--reload --log-level debug" \
-	./scripts/startup_api.sh &' \
-	&& sleep 2 \
-	&& open http://localhost:8000/docs
+	trap "trap - SIGTERM && kill -- -$$$$" SIGINT SIGTERM EXIT; \
+	python -m alembic -c api/alembic.ini upgrade head \
+	&& uvicorn api.main:app --host 0.0.0.0 --port 8000 --reload --log-level debug & \
+	sleep 10; \
+	open http://localhost:8000/docs; \
+	wait'
+
 
 .start-playground:
-	@mkdir -p ~/.streamlit/
-	@echo "[general]"  > ~/.streamlit/credentials.toml
-	@echo "email = \"\""  >> ~/.streamlit/credentials.toml
-	@bash -c 'set -a; . $(env); ./scripts/startup_ui.sh'
+	@bash -c 'set -a; . $(env); \
+	trap "trap - SIGTERM && kill -- -$$$$" SIGINT SIGTERM EXIT; \
+	cd ./playground \
+	&& CONFIG_FILE=../$${CONFIG_FILE} API_URL="http://localhost:8500" reflex run --env dev --loglevel debug & \
+	sleep 10; \
+	open http://localhost:8501; \
+	wait'
 
 .pre-checks:
 	@if [ ! -f $(env) ]; then \

Makefile

@@ -1,5 +1,3 @@
-# First, build the application in the `/api` directory.
-# See `Dockerfile` for details.
 FROM ghcr.io/astral-sh/uv:python3.12-bookworm-slim AS builder
 ENV UV_COMPILE_BYTECODE=1 UV_LINK_MODE=copy
 
@@ -8,16 +6,17 @@ ENV UV_COMPILE_BYTECODE=1 UV_LINK_MODE=copy
 # copied from the build image into the final image; see `standalone.Dockerfile`
 # for an example.
 ENV UV_PYTHON_DOWNLOADS=0
-# Install build dependencies
+
 RUN apt-get update && apt-get install -y \
     libpq-dev \
     gcc \
     python3-dev \
     && rm -rf /var/lib/apt/lists/*
 
 WORKDIR /
-# Copy project files
+
 COPY ./api/ /api
+
 RUN --mount=type=cache,target=/root/.cache/uv \
     uv venv
 RUN --mount=type=cache,target=/root/.cache/uv \

api/Dockerfile

@@ -31,7 +31,7 @@ def create_app(db_func=None, *args, **kwargs) -> FastAPI:
         sentry_sdk.init(**configuration.dependencies.sentry.model_dump())
 
     app = FastAPI(
-        title=configuration.settings.swagger_title,
+        title=configuration.settings.app_title,
         summary=configuration.settings.swagger_summary,
         version=configuration.settings.swagger_version,
         description=configuration.settings.swagger_description,

api/factory.py

@@ -28,6 +28,7 @@
     InvalidCurrentPasswordException,
     InvalidTokenExpirationException,
     OrganizationNotFoundException,
+    ReservedEmailException,
     RoleAlreadyExistsException,
     RoleNotFoundException,
     TokenNotFoundException,
@@ -42,9 +43,9 @@ class IdentityAccessManager:
     TOKEN_PREFIX = "sk-"
     PLAYGROUND_KEY_NAME = "playground"
 
-    def __init__(self, master_key: str, max_token_expiration_days: int | None = None, playground_session_duration: int = 3600):
+    def __init__(self, master_key: str, key_max_expiration_days: int | None = None, playground_session_duration: int = 3600):
         self.master_key = master_key
-        self.max_token_expiration_days = max_token_expiration_days
+        self.key_max_expiration_days = key_max_expiration_days
         self.playground_session_duration = playground_session_duration
 
     def _hash_password(self, password: str) -> str:
@@ -239,6 +240,9 @@ async def create_user(
         expires_at: int | None = None,
         priority: int = 0,
     ) -> int:
+        if email == "master":
+            raise ReservedEmailException()
+
         expires_at = func.to_timestamp(expires_at) if expires_at is not None else None
 
         # check if role exists
@@ -337,6 +341,10 @@ async def update_user(
 
         # update the user
         email = email if email is not None else user.email
+
+        if email == "master":
+            raise ReservedEmailException()
+
         name = name if name is not None else user.name
         iss = iss if iss is not None else user.iss
         sub = sub if sub is not None else user.sub
@@ -499,11 +507,11 @@ async def get_organizations(
         return organizations
 
     async def create_token(self, session: AsyncSession, user_id: int, name: str, expires_at: int | None = None) -> tuple[int, str]:
-        if self.max_token_expiration_days:
+        if self.key_max_expiration_days:
             if expires_at is None:
-                expires_at = int(dt.datetime.now(tz=dt.UTC).timestamp()) + self.max_token_expiration_days * 86400
-            elif expires_at > int(dt.datetime.now(tz=dt.UTC).timestamp()) + self.max_token_expiration_days * 86400:
-                raise InvalidTokenExpirationException(detail=f"Token expiration timestamp cannot be greater than {self.max_token_expiration_days} days from now.")  # fmt: off
+                expires_at = int(dt.datetime.now(tz=dt.UTC).timestamp()) + self.key_max_expiration_days * 86400
+            elif expires_at > int(dt.datetime.now(tz=dt.UTC).timestamp()) + self.key_max_expiration_days * 86400:
+                raise InvalidTokenExpirationException(detail=f"Token expiration timestamp cannot be greater than {self.key_max_expiration_days} days from now.")  # fmt: off
 
         result = await session.execute(statement=select(UserTable).where(UserTable.id == user_id))
         try:

api/helpers/_identityaccessmanager.py

@@ -12,13 +12,7 @@
 import yaml
 
 from api.schemas.models import ModelType
-from api.utils.variables import (
-    DEFAULT_APP_NAME,
-    DEFAULT_TIMEOUT,
-    ROUTER__ADMIN,
-    ROUTER__AUTH,
-    ROUTERS,
-)
+from api.utils.variables import DEFAULT_APP_NAME, DEFAULT_TIMEOUT, ROUTER__ADMIN, ROUTER__AUTH, ROUTERS
 
 # utils ----------------------------------------------------------------------------------------------------------------------------------------------
 
@@ -414,9 +408,10 @@ class Tokenizer(str, Enum):
 
 @custom_validation_error(url="https://github.com/etalab-ia/opengatellm/blob/main/docs/configuration.md#settings")
 class Settings(ConfigBaseModel):
-    # other
+    # general
     disabled_routers: list[Routers] = Field(default_factory=list, description="Disabled routers to limits services of the API.", examples=[["embeddings"]])  # fmt: off
     hidden_routers: list[Routers] = Field(default_factory=list, description="Routers are enabled but hidden in the swagger and the documentation of the API.", examples=[["admin"]])  # fmt: off
+    app_title: str | None = Field(default="Albert API", description="Display title of your API in swagger UI, see https://fastapi.tiangolo.com/tutorial/metadata for more information.", examples=["Albert API"])  # fmt: off
 
     # metrics
     metrics_retention_ms: int = Field(default=40000, ge=1, description="Retention time for metrics in milliseconds.")  # fmt: off
@@ -429,7 +424,6 @@ class Settings(ConfigBaseModel):
     log_format: str | None = Field(default="[%(asctime)s][%(process)d:%(name)s][%(levelname)s] %(client_ip)s - %(message)s", description="Logging format of the API.")  # fmt: off
 
     # swagger
-    swagger_title: str | None = Field(default="Albert API", description="Display title of your API in swagger UI, see https://fastapi.tiangolo.com/tutorial/metadata for more information.", examples=["Albert API"])  # fmt: off
     swagger_summary: str | None = Field(default="Albert API connect to your models. You can configuration this swagger UI in the configuration file, like hide routes or change the title.", description="Display summary of your API in swagger UI, see https://fastapi.tiangolo.com/tutorial/metadata for more information.", examples=["Albert API connect to your models."])  # fmt: off
     swagger_version: str | None = Field(default="latest", description="Display version of your API in swagger UI, see https://fastapi.tiangolo.com/tutorial/metadata for more information.", examples=["2.5.0"])  # fmt: off
     swagger_description: str | None = Field(default="[See documentation](https://github.com/etalab-ia/opengatellm/blob/main/README.md)", description="Display description of your API in swagger UI, see https://fastapi.tiangolo.com/tutorial/metadata for more information.", examples=["[See documentation](https://github.com/etalab-ia/opengatellm/blob/main/README.md)"])  # fmt: off
@@ -443,7 +437,7 @@ class Settings(ConfigBaseModel):
 
     # auth
     auth_master_key: constr(strip_whitespace=True, min_length=1) = Field(default="changeme", description="Master key for the API. It should be a random string with at least 32 characters. This key has all permissions and cannot be modified or deleted. This key is used to create the first role and the first user. This key is also used to encrypt user tokens, watch out if you modify the master key, you'll need to update all user API keys.")  # fmt: off
-    auth_max_token_expiration_days: int | None = Field(default=None, ge=1, description="Maximum number of days for a token to be valid.")  # fmt: off
+    auth_key_max_expiration_days: int | None = Field(default=None, ge=1, description="Maximum number of days for a new API key to be valid.")  # fmt: off
     auth_playground_session_duration: int = Field(default=3600, ge=1, description="Duration of the playground session in seconds.")  # fmt: off
 
     # rate_limiting
@@ -528,13 +522,9 @@ def validate_model(cls, values) -> Any:
 # load config ----------------------------------------------------------------------------------------------------------------------------------------
 @custom_validation_error(url="https://github.com/etalab-ia/opengatellm/blob/main/docs/configuration.md#all-configuration")
 class ConfigFile(ConfigBaseModel):
-    """
-    Refer to the [configuration example file](https://github.com/etalab-ia/OpenGateLLM/blob/main/config.example.yml) for an example of configuration.
-    """
-
     models: list[Model] = Field(min_length=1, description="Models used by the API. At least one model must be defined.")  # fmt: off
     dependencies: Dependencies = Field(default_factory=Dependencies, description="Dependencies used by the API.")  # fmt: off
-    settings: Settings = Field(default_factory=Settings, description="Settings used by the API.")  # fmt: off
+    settings: Settings = Field(default_factory=Settings, description="General settings configuration fields.")  # fmt: off
 
     @field_validator("settings", mode="before")
     def set_default_settings(cls, settings) -> Any: