mlrun 1.10.0rc40__py3-none-any.whl → 1.11.0rc16__py3-none-any.whl

mlrun/runtimes/base.py

@@ -16,8 +16,9 @@ import http
 import re
 import typing
 import warnings
+from collections.abc import Callable
 from os import environ
-from typing import Callable, Optional, Union
+from typing import Optional, Union
 
 import requests.exceptions
 from nuclio.build import mlrun_footer
@@ -30,6 +31,7 @@ import mlrun.common.schemas
 import mlrun.common.schemas.model_monitoring.constants as mm_constants
 import mlrun.errors
 import mlrun.launcher.factory
+import mlrun.runtimes
 import mlrun.utils.helpers
 import mlrun.utils.notifications
 import mlrun.utils.regex
@@ -277,18 +279,6 @@ class BaseRuntime(ModelObj):
             mlrun.model.Credentials.generate_access_key
         )
 
-    def generate_runtime_k8s_env(self, runobj: RunObject = None) -> list[dict]:
-        """
-        Prepares a runtime environment as it's expected by kubernetes.models.V1Container
-
-        :param runobj: Run context object (RunObject) with run metadata and status
-        :return: List of dicts with the structure {"name": "var_name", "value": "var_value"}
-        """
-        return [
-            {"name": k, "value": v}
-            for k, v in self._generate_runtime_env(runobj).items()
-        ]
-
     def run(
         self,
         runspec: Optional[
@@ -394,8 +384,6 @@ class BaseRuntime(ModelObj):
             )
         output_path = output_path or out_path or artifact_path
 
-        mlrun.utils.helpers.validate_function_name(self.metadata.name)
-
         launcher = mlrun.launcher.factory.LauncherFactory().create_launcher(
             self._is_remote, local=local, **launcher_kwargs
         )
@@ -443,13 +431,14 @@ class BaseRuntime(ModelObj):
         if task:
             return task.to_dict()
 
-    def _generate_runtime_env(self, runobj: RunObject = None) -> dict:
+    def _generate_runtime_env(self, runobj: RunObject = None):
         """
-        Prepares all available environment variables for usage on a runtime
-        Data will be extracted from several sources and most of them are not guaranteed to be available
+        Prepares all available environment variables for usage on a runtime.
 
-        :param runobj: Run context object (RunObject) with run metadata and status
-        :return: Dictionary with all the variables that could be parsed
+        :param runobj: Optional run context object (RunObject) with run metadata and status
+        :return: Tuple of (runtime_env, external_source_env) where:
+                 - runtime_env: Dict of {env_name: value} for standard env vars
+                 - external_source_env: Dict of {env_name: value_from} for env vars with external sources
         """
         active_project = self.metadata.project or config.active_project
         runtime_env = {
@@ -457,6 +446,16 @@ class BaseRuntime(ModelObj):
             # TODO: Remove this in 1.12.0 as MLRUN_DEFAULT_PROJECT is deprecated and should not be injected anymore
             "MLRUN_DEFAULT_PROJECT": active_project,
         }
+
+        # Set auth session only for nuclio runtimes that have an access key
+        if (
+            self.kind in mlrun.runtimes.RuntimeKinds.nuclio_runtimes()
+            and self.metadata.credentials.access_key
+        ):
+            runtime_env[
+                mlrun.common.runtimes.constants.FunctionEnvironmentVariables.auth_session
+            ] = self.metadata.credentials.access_key
+
         if runobj:
             runtime_env["MLRUN_EXEC_CONFIG"] = runobj.to_json(
                 exclude_notifications_params=True
@@ -471,7 +470,47 @@ class BaseRuntime(ModelObj):
             runtime_env["MLRUN_DBPATH"] = config.httpdb.api_url
         if self.metadata.namespace or config.namespace:
             runtime_env["MLRUN_NAMESPACE"] = self.metadata.namespace or config.namespace
-        return runtime_env
+
+        external_source_env = self._generate_external_source_runtime_envs()
+
+        return runtime_env, external_source_env
+
+    def _generate_external_source_runtime_envs(self):
+        """
+        Returns non-static env vars to be added to the runtime pod/container.
+
+        :return: Dict of {env_name: value_from} for env vars with external sources (e.g., fieldRef)
+        """
+        return {
+            "MLRUN_RUNTIME_KIND": {
+                "fieldRef": {
+                    "apiVersion": "v1",
+                    "fieldPath": f"metadata.labels['{mlrun_constants.MLRunInternalLabels.mlrun_class}']",
+                }
+            },
+        }
+
+    def _generate_k8s_runtime_env(self, runobj: RunObject = None):
+        """
+        Generates runtime environment variables in Kubernetes format.
+
+        :param runobj: Optional run context object (RunObject) with run metadata and status
+        :return: List of env var dicts in K8s format:
+                 - Standard envs: [{"name": key, "value": value}, ...]
+                 - External source envs: [{"name": key, "valueFrom": value_from}, ...]
+        """
+        runtime_env, external_source_env = self._generate_runtime_env(runobj)
+
+        # Convert standard env vars to K8s format
+        k8s_env = [{"name": k, "value": v} for k, v in runtime_env.items()]
+
+        # Convert external source env vars to K8s format
+        k8s_external_env = [
+            {"name": k, "valueFrom": v} for k, v in external_source_env.items()
+        ]
+
+        k8s_env.extend(k8s_external_env)
+        return k8s_env
 
     @staticmethod
     def _handle_submit_job_http_error(error: requests.HTTPError):
@@ -949,5 +988,34 @@ class BaseRuntime(ModelObj):
                             line += f", default={p['default']}"
                         print("    " + line)
 
+    def remove_auth_secret_volumes(self):
+        secret_name_prefix = (
+            mlrun.mlconf.secret_stores.kubernetes.auth_secret_name.format(
+                hashed_access_key=""
+            )
+        )
+        volumes = self.spec.volumes or []
+        mounts = self.spec.volume_mounts or []
+
+        volumes_to_remove = set()
+
+        # Identify volumes to remove
+        for vol in volumes:
+            secret_name = mlrun.utils.get_in(vol, "secret.secretName", "")
+
+            # Pattern of auth secret volumes
+            if secret_name.startswith(secret_name_prefix):
+                volumes_to_remove.add(vol["name"])
+
+        # Filter out only the matched volumes
+        self.spec.volumes = [
+            volume for volume in volumes if volume["name"] not in volumes_to_remove
+        ]
+
+        # Filter out matching mounts
+        self.spec.volume_mounts = [
+            mount for mount in mounts if mount["name"] not in volumes_to_remove
+        ]
+
     def skip_image_enrichment(self):
         return False

mlrun/runtimes/constants.py

@@ -0,0 +1,225 @@
+# Copyright 2023 Iguazio
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import typing
+
+import mlrun.runtimes.nuclio as nuclio_runtime
+import mlrun.runtimes.nuclio.application as nuclio_application
+import mlrun.runtimes.nuclio.serving as nuclio_serving
+
+
+class RuntimeKinds:
+    remote = "remote"
+    nuclio = "nuclio"
+    dask = "dask"
+    job = "job"
+    spark = "spark"
+    remotespark = "remote-spark"
+    mpijob = "mpijob"
+    serving = "serving"
+    local = "local"
+    handler = "handler"
+    databricks = "databricks"
+    application = "application"
+
+    @staticmethod
+    def all():
+        return [
+            RuntimeKinds.remote,
+            RuntimeKinds.nuclio,
+            RuntimeKinds.serving,
+            RuntimeKinds.dask,
+            RuntimeKinds.job,
+            RuntimeKinds.spark,
+            RuntimeKinds.remotespark,
+            RuntimeKinds.mpijob,
+            RuntimeKinds.local,
+            RuntimeKinds.databricks,
+            RuntimeKinds.application,
+        ]
+
+    @staticmethod
+    def runtime_with_handlers():
+        return [
+            RuntimeKinds.dask,
+            RuntimeKinds.job,
+            RuntimeKinds.spark,
+            RuntimeKinds.remotespark,
+            RuntimeKinds.mpijob,
+            RuntimeKinds.databricks,
+        ]
+
+    @staticmethod
+    def abortable_runtimes():
+        return [
+            RuntimeKinds.job,
+            RuntimeKinds.spark,
+            RuntimeKinds.remotespark,
+            RuntimeKinds.mpijob,
+            RuntimeKinds.databricks,
+            RuntimeKinds.local,
+            RuntimeKinds.handler,
+            "",
+        ]
+
+    @staticmethod
+    def retriable_runtimes():
+        return [
+            RuntimeKinds.job,
+        ]
+
+    @staticmethod
+    def nuclio_runtimes():
+        return [
+            RuntimeKinds.remote,
+            RuntimeKinds.nuclio,
+            RuntimeKinds.serving,
+            RuntimeKinds.application,
+        ]
+
+    @staticmethod
+    def pure_nuclio_deployed_runtimes():
+        return [
+            RuntimeKinds.remote,
+            RuntimeKinds.nuclio,
+            RuntimeKinds.serving,
+        ]
+
+    @staticmethod
+    def handlerless_runtimes():
+        return [
+            RuntimeKinds.serving,
+            # Application runtime handler is internal reverse proxy
+            RuntimeKinds.application,
+        ]
+
+    @staticmethod
+    def local_runtimes():
+        return [
+            RuntimeKinds.local,
+            RuntimeKinds.handler,
+        ]
+
+    @staticmethod
+    def is_log_collectable_runtime(kind: typing.Optional[str]):
+        """
+        whether log collector can collect logs for that runtime
+        :param kind: kind name
+        :return: whether log collector can collect logs for that runtime
+        """
+        # if local run, the log collector doesn't support it as it is only supports k8s resources
+        # when runtime is local the client is responsible for logging the stdout of the run by using `log_std`
+        if RuntimeKinds.is_local_runtime(kind):
+            return False
+
+        if (
+            kind
+            not in [
+                # dask implementation is different from other runtimes, because few runs can be run against the same
+                # runtime resource, so collecting logs on that runtime resource won't be correct, the way we collect
+                # logs for dask is by using `log_std` on client side after we execute the code against the cluster,
+                # as submitting the run with the dask client will return the run stdout.
+                # For more information head to `DaskCluster._run`.
+                RuntimeKinds.dask
+            ]
+            + RuntimeKinds.nuclio_runtimes()
+        ):
+            return True
+
+        return False
+
+    @staticmethod
+    def is_local_runtime(kind):
+        # "" or None counted as local
+        if not kind or kind in RuntimeKinds.local_runtimes():
+            return True
+        return False
+
+    @staticmethod
+    def requires_k8s_name_validation(kind: str) -> bool:
+        """
+        Returns True if the runtime kind creates Kubernetes resources that use the function name.
+
+        Function names for k8s-deployed runtimes must conform to DNS-1123 label requirements:
+        - Lowercase alphanumeric characters or '-'
+        - Start and end with an alphanumeric character
+        - Maximum 63 characters
+
+        Local runtimes (local, handler) run on the local machine and don't create k8s resources,
+        so they don't require k8s naming validation.
+
+        :param kind: Runtime kind string (job, spark, serving, local, etc.)
+        :return: True if function name needs k8s DNS-1123 validation, False otherwise
+        """
+        return not RuntimeKinds.is_local_runtime(kind)
+
+    @staticmethod
+    def requires_absolute_artifacts_path(kind):
+        """
+        Returns True if the runtime kind requires absolute artifacts' path (i.e. is local), False otherwise.
+        """
+        if RuntimeKinds.is_local_runtime(kind):
+            return False
+
+        if kind not in [
+            # logging artifacts is done externally to the dask cluster by a client that can either run locally (in which
+            # case the path can be relative) or remotely (in which case the path must be absolute and will be passed
+            # to another run)
+            RuntimeKinds.dask
+        ]:
+            return True
+        return False
+
+    @staticmethod
+    def requires_image_name_for_execution(kind):
+        if RuntimeKinds.is_local_runtime(kind):
+            return False
+
+        # both spark and remote spark uses different mechanism for assigning images
+        return kind not in [RuntimeKinds.spark, RuntimeKinds.remotespark]
+
+    @staticmethod
+    def supports_from_notebook(kind):
+        return kind not in [RuntimeKinds.application]
+
+    @staticmethod
+    def resolve_nuclio_runtime(kind: str, sub_kind: str):
+        kind = kind.split(":")[0]
+        if kind not in RuntimeKinds.nuclio_runtimes():
+            raise ValueError(
+                f"Kind {kind} is not a nuclio runtime, "
+                f"available runtimes are {RuntimeKinds.nuclio_runtimes()}"
+            )
+
+        # These names are imported at module level below; referenced at call-time (no imports here).
+        if sub_kind == nuclio_serving.serving_subkind:
+            return nuclio_runtime.ServingRuntime()
+
+        if kind == RuntimeKinds.application:
+            return nuclio_application.ApplicationRuntime()
+
+        runtime = nuclio_runtime.RemoteRuntime()
+        runtime.spec.function_kind = sub_kind
+        return runtime
+
+    @staticmethod
+    def resolve_nuclio_sub_kind(kind: str):
+        is_nuclio = kind.startswith("nuclio")
+        sub_kind = kind[kind.find(":") + 1 :] if is_nuclio and ":" in kind else None
+        if kind == RuntimeKinds.serving:
+            is_nuclio = True
+            sub_kind = nuclio_serving.serving_subkind
+        elif kind == RuntimeKinds.application:
+            is_nuclio = True
+        return is_nuclio, sub_kind

mlrun/runtimes/daskjob.py

@@ -15,8 +15,9 @@ import datetime
 import inspect
 import socket
 import time
+from collections.abc import Callable
 from os import environ
-from typing import Callable, Optional, Union
+from typing import Optional, Union
 
 import mlrun.common.schemas
 import mlrun.errors
@@ -551,7 +552,8 @@ class DaskCluster(KubejobRuntime):
 
         # TODO: investigate if the following instructions could overwrite the environment on any MLRun API Pod
         # Such action could result on race conditions against other runtimes and MLRun itself
-        extra_env = self._generate_runtime_env(runobj)
+        extra_env, _ = self._generate_runtime_env(runobj)
+        # Since it runs locally, we don't need the external sources env vars
         environ.update(extra_env)
 
         context = MLClientCtx.from_dict(

mlrun/runtimes/databricks_job/databricks_runtime.py

@@ -14,7 +14,8 @@
 import typing
 from ast import FunctionDef, parse, unparse
 from base64 import b64decode
-from typing import Callable, Optional, Union
+from collections.abc import Callable
+from typing import Optional, Union
 
 import mlrun
 import mlrun.runtimes.kubejob as kubejob

mlrun/runtimes/mounts.py

@@ -17,6 +17,8 @@ import typing
 import warnings
 from collections import namedtuple
 
+import mlrun.common.secrets
+import mlrun.errors
 from mlrun.config import config
 from mlrun.config import config as mlconf
 from mlrun.errors import MLRunInvalidArgumentError
@@ -412,6 +414,9 @@ def mount_secret(
                          the specified paths, and unlisted keys will not be
                          present."""
 
+    if secret_name:
+        mlrun.common.secrets.validate_not_forbidden_secret(secret_name.strip())
+
     def _mount_secret(runtime: "KubeResource"):
         # Define the secret volume source
         secret_volume_source = {

mlrun/runtimes/nuclio/__init__.py

@@ -12,11 +12,15 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-from .serving import ServingRuntime, new_v2_model_server  # noqa
-from .nuclio import nuclio_init_hook  # noqa
-from .function import (
-    min_nuclio_versions,
-    multiple_port_sidecar_is_supported,
-    RemoteRuntime,
-)  # noqa
-from .api_gateway import APIGateway
+import mlrun.runtimes.nuclio.serving as nuclio_serving  # noqa
+import mlrun.runtimes.nuclio.nuclio as nuclio_nuclio  # noqa
+import mlrun.runtimes.nuclio.function as nuclio_function  # noqa
+import mlrun.runtimes.nuclio.api_gateway as nuclio_api_gateway  # noqa
+
+ServingRuntime = nuclio_serving.ServingRuntime
+new_v2_model_server = nuclio_serving.new_v2_model_server
+nuclio_init_hook = nuclio_nuclio.nuclio_init_hook
+min_nuclio_versions = nuclio_function.min_nuclio_versions
+multiple_port_sidecar_is_supported = nuclio_function.multiple_port_sidecar_is_supported
+RemoteRuntime = nuclio_function.RemoteRuntime
+APIGateway = nuclio_api_gateway.APIGateway

mlrun/runtimes/nuclio/api_gateway.py

@@ -17,13 +17,14 @@ from typing import Optional, Union
 from urllib.parse import urljoin
 
 import requests
-from nuclio.auth import AuthInfo as NuclioAuthInfo
 from nuclio.auth import AuthKinds as NuclioAuthKinds
 
 import mlrun
+import mlrun.auth.nuclio
 import mlrun.common.constants as mlrun_constants
 import mlrun.common.helpers
 import mlrun.common.schemas as schemas
+import mlrun.common.schemas.auth
 import mlrun.common.types
 from mlrun.model import ModelObj
 from mlrun.platforms.iguazio import min_iguazio_versions
@@ -55,6 +56,11 @@ class Authenticator(typing.Protocol):
             == schemas.APIGatewayAuthenticationMode.access_key.value
         ):
             return AccessKeyAuth()
+        elif (
+            api_gateway_spec.authenticationMode
+            == schemas.APIGatewayAuthenticationMode.iguazio.value
+        ):
+            return IguazioAuth()
         else:
             return NoneAuth()
 
@@ -112,6 +118,16 @@ class AccessKeyAuth(APIGatewayAuthenticator):
         return schemas.APIGatewayAuthenticationMode.access_key.value
 
 
+class IguazioAuth(APIGatewayAuthenticator):
+    """
+    An API gateway authenticator with Iguazio authentication.
+    """
+
+    @property
+    def authentication_mode(self) -> str:
+        return schemas.APIGatewayAuthenticationMode.iguazio.value
+
+
 class APIGatewayMetadata(ModelObj):
     _dict_fields = ["name", "namespace", "labels", "annotations", "creation_timestamp"]
 
@@ -430,7 +446,7 @@ class APIGateway(ModelObj):
                 raise mlrun.errors.MLRunInvalidArgumentError(
                     "API Gateway invocation requires authentication. Please pass credentials"
                 )
-            auth = NuclioAuthInfo(
+            auth = mlrun.auth.nuclio.NuclioAuthInfo(
                 username=credentials[0], password=credentials[1]
             ).to_requests_auth()
 
@@ -440,23 +456,30 @@ class APIGateway(ModelObj):
         ):
             # inject access key from env
             if credentials:
-                auth = NuclioAuthInfo(
+                auth = mlrun.auth.nuclio.NuclioAuthInfo(
                     username=credentials[0],
                     password=credentials[1],
                     mode=NuclioAuthKinds.iguazio,
                 ).to_requests_auth()
             else:
-                auth = NuclioAuthInfo().from_envvar().to_requests_auth()
+                auth = (
+                    mlrun.auth.nuclio.NuclioAuthInfo().from_envvar().to_requests_auth()
+                )
             if not auth:
                 raise mlrun.errors.MLRunInvalidArgumentError(
                     "API Gateway invocation requires authentication. Please set V3IO_ACCESS_KEY env var"
                 )
+        if (
+            self.spec.authentication.authentication_mode
+            == schemas.APIGatewayAuthenticationMode.iguazio.value
+        ):
+            auth = mlrun.auth.nuclio.NuclioAuthInfo.from_envvar().to_requests_auth()
         url = urljoin(self.invoke_url, path or "")
 
         # Determine the correct keyword argument for the body
         if isinstance(body, dict):
             kwargs["json"] = body
-        elif isinstance(body, (str, bytes)):
+        elif isinstance(body, str | bytes):
             kwargs["data"] = body
 
         return requests.request(
@@ -527,6 +550,13 @@ class APIGateway(ModelObj):
         """
         self.spec.authentication = AccessKeyAuth()
 
+    @min_nuclio_versions("1.15.10")
+    def with_iguazio_auth(self):
+        """
+        Set iguazio authentication for the API gateway.
+        """
+        self.spec.authentication = IguazioAuth()
+
     def with_canary(
         self,
         functions: Union[
@@ -692,7 +722,7 @@ class APIGateway(ModelObj):
     @staticmethod
     def _generate_basic_auth(username: str, password: str):
         token = base64.b64encode(f"{username}:{password}".encode()).decode()
-        return f"Basic {token}"
+        return f"{mlrun.common.schemas.AuthorizationHeaderPrefixes.basic}{token}"
 
     @staticmethod
     def _resolve_canary(