The Unified Deployment experience is in Beta and has not officially been released, so these instructions are subject to change.
In this guide, we’ll show you how to update your cluster configuration to support a unified installation and deployment of Pachyderm + Determined.
Before You Start #
This guide assumes that you have already completed all of the following:
- Deployed Pachyderm using one of the cloud deployment guides (AWS, GCP, or Azure).
- Added an active Enterprise License Key.
- Set up TLS (SSL, HTTPS) for your Pachyderm cluster and already have a TLS secret.
- Set up an OIDC connector for your Pachyderm cluster.
How to Configure a Unified Setup #
1. Create Necessary Secrets #
You will need to create two secrets for Determined:
A Determined Enterprise docker image credentials secret (e.g.,
det-image)kubectl create secret docker-registry det-image \ --docker-server=https://index.docker.io/v1/ \ --docker-username=<username> \ --docker-password=<password> \ --docker-email=<email> \ --output=json > det-image-secret.json
A Determined Enterprise admin credentials secret (e.g.,
det-creds)kubectl create secret generic det-creds \ --from-literal=determined-username=admin \ --from-literal=determined-password="" \ --output=json > det-creds-secret.json
2. Update the Pachyderm Helm Chart #
- Open your
values.yamlfile or generate a local copy using the following command:
helm get values pachyderm > values.yaml- Add the following
determinedsection to yourvalues.yamlfile and fill in the appropriate values:
determined:
detVersion: 0.24.0
enabled: true
enterpriseEdition: true
imagePullSecretName: det-image
maxSlotsPerPod: 1
oidc:
clientID: determined
enabled: true
idpRecipientUrl: # https://<proxy.host.value.com>:8080
idpSsoUrl: # https://<proxy.host.value.com>/dex
provider: # your oidc.upstreamIDPs.config.id; e.g., Auth0 or Okta
tlsSecret: # your tls secret name- Update the
pachdsection of yourvalues.yamlfile to include the full endpoint address and the name of the Determined admin credentials secret:
pachd:
determined:
apiEndpoint: # https://determined-master-service-internal-<HELM RELEASE NAME>:8082
credentialsSecretName: det-creds
activateEnterprise: true3. Provision Determined Users #
Currently, Pachyderm does not automatically provision users for Determined. You will need to manually provision users for Determined using the following command:
- Invoke Determine’s Auth/Login API as the default admin user:
curl --location 'https://<proxy.host.value.com>:8080/api/v1/auth/login' \
--header 'Content-Type: application/json' \
--data '{
"username": "admin",
"password": "",
"isHashed": true
}'- Invoke Determine’s User API and create a new user matching a registered IDP user:
curl --location 'https://<proxy.host.value.com>:8080/api/v1/users' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <TOKEN FROM PREVIOUS RESPONSE>' \
--data-raw '{
"user": {
"id": 0,
"username": "<USER FROM IDP>",
"admin": true,
"active": true,
"agentUserGroup": {
"agentUid": 0,
"agentGid": 0,
"agentUser": "string",
"agentGroup": "string"
},
"displayName": "<ANY NAME>",
"modifiedAt": "2023-06-21T14:36:49.980Z",
"remote": true
},
"password": "",
"isHashed": true
}'Adding Users to Pipelines #
You can add a determined section to your pipeline specification file and make use of a user via the $DET_USER and $DET_PASS environment variables. This can be used by the user code that run determined work to talk back to Pachyderm and can be used with the Pachyderm SDK.
{
"pipeline": {
"name": "<PIPELINE NAME>"
},
"description": "<PIPELINE DESCRIPTION>",
"input": {
"pfs": {
"name": "data",
"repo": "input",
"branch": "master",
"glob": "/",
"emptyFiles": true
}
},
"transform": {
"cmd": ["/bin/sh"],
"stdin": ["pip install determined && echo $DET_PASS | det user login $DET_USER && det model list -w WORKSPACE-NAME > /pfs/out/WORKSPACE-NAME.txt"],
"image": "python:3.8"
},
"determined": {
"workspaces": ["WORKSPACE-NAME"]
}
}These tokens life cycles are scoped to the jobs and are revoked after the job ends.