The following guides include reference details related to installing Wallaroo via Helm.
1 - Wallaroo Helm Reference Table
A Helm chart for the control plane for Wallaroo
Configuration
The following table lists the configurable parameters of the Wallaroo chart and their default values.
| Parameter | Description | Default |
|---|---|---|
kubernetes_distribution | One of: aks, eks, gke, or kurl. May be safe to leave defaulted. | "" |
imageRegistry | imageRegistry where images are pulled from | "ghcr.io/wallaroolabs" |
imageTag | imageTag that images default to - can be overridden for each component | "main" |
replImagePrefix | imageRegistry where images are pulled from, as overridden by Kots | "ghcr.io/wallaroolabs" |
assays.enabled | Controls the display of Assay data in the Dashboard | true |
custTlsSecretName | Name of existing Kubernetes TLS type secret | "" |
deploymentStage | Deployment stage, must be set to “cust” when deployed | "dev" |
custTlsCert | Customer provided certificate chain when deploymentStage is “cust”. | "" |
custTlsKey | Customer provided private key when deploymentStage is “cust”. | "" |
nodeSelector | Global node selector | {} |
tolerations | Global tolerations | [{"key": "wallaroo", "operator": "Exists", "effect": "NoSchedule"}] |
domainPrefix | DNS prefix of Wallaroo endpoints, can be empty for none | "xxx" |
domainSuffix | DNS suffix of Wallaroo endpoints, MUST be provided | "yyy" |
externalIpOverride | Used in cases where we can’t accurately determine our external, inbound IP address. Normally “”. | "" |
imagePullPolicy | Global policy saying when K8s pulls images: Always, Never, or IfNotPresent. | "Always" |
wallarooSecretName | Secret name for pulling Wallaroo images | "regcred" |
apilb.nodeSelector | standard node selector for API-LB | {} |
apilb.annotations | Annotations for api-lb service | {} |
apilb.serviceType | Service type of api-lb service | "ClusterIP" |
apilb.external_inference_endpoints_enabled | Enable external URL inference endpoints: pipeline inference endpoints that are accessible outside of the Wallaroo cluster. | true |
jupyter.enabled | If true, a jupyer hub was deployed which components can point to. | false |
keycloak.user | administrative username | "admin" |
keycloak.password | default admin password: overridden if generate_secrets is true | "admin" |
keycloak.provider.clientId | upstream client id | "" |
keycloak.provider.clientSecret | upstream client secret | "" |
keycloak.provider.name | human name for provider | "" |
keycloak.provider.id | Type of provider, one of: “github”, “google”, or “OIDC” | "" |
keycloak.provider.authorizationUrl | URL to contact the upstream client for auth requests | null |
keycloak.provider.clientAuthMethod | client auth method - Must be client_secret_post for OIDC provider type, leave blank otherwise. | null |
keycloak.provider.displayName | human name for provider, displayed to end user in login dialogs | null |
keycloak.provider.tokenUrl | Used only for ODIC, see token endpoint under Azure endpoints. | null |
dbcleaner.schedule | when the cleaner runs, default is every eight hours | "* */8 * * *" |
dbcleaner.maxAgeDays | delete older than this many days | "30" |
plateau.enabled | Enable Plateau deployment | true |
plateau.diskSize | Disk space to allocate. Smaller than 100Gi is not recommended. | "100Gi" |
telemetry.enabled | Used only for our CE product. Leave disabled for EE/Helm installs. | false |
dashboard.enabled | Enable dashboard service | true |
dashboard.clientName | Customer display name which appears at the top of the dashboard window. | "Fitzroy Macropods, LLC" |
minio.imagePullSecrets | Must override for helm + private registry; eg -name: "some-secret" | [] |
minio.image.repository | Must override for helm + private registry | "quay.io/minio/minio" |
minio.mcImage.repository | Must override for helm + private registry | "quay.io/minio/mc" |
minio.persistence.size | Minio model storage disk size. Smaller than 10Gi is not recommended. | "10Gi" |
fluent-bit.imagePullSecrets | Must override for helm + private registry; eg -name: "some-secret" | [] |
fluent-bit.image.repository | Must override for helm + private registry | "cr.fluentbit.io/fluent/fluent-bit" |
helmTests.enabled | When enabled, create “helm test” resources. | true |
helmTests.nodeSelector | When helm test is run, this selector places the test pods. | {} |
pythonAPIServer.enabled | This service is used for model conversion. | false |
explainabilityServer.enabled | Enable the model explainability service | false |
replImagePrefix | Sets the replicated image prefix for installation containers. Set to replImagePrefix: proxy.replicated.com/proxy/wallaroo/ghcr.io/wallaroolabs unless otherwise instructed. |
2 - Wallaroo Helm Reference Details
post_delete_hook
This hook runs when you do helm uninstall unless …
- you give –no-hooks to helm
- you set the enable flag to False at INSTALL time.
imageRegistry
Registry and Tag portion of Wallaroo images. Third party images are not included. Tag is
computed at runtime and overridden. In online Helm installs, these should not be touched; in
airgap Helm installs imageRegistry must be overridden to local registry.
generate_secrets
If true, generate random secrets for several services at install time.
If false, use the generic defaults listed here, which can also be overridden by caller.
assays
This is a (currently) Dashboard-specific feature flag to control the display of Assays.
custTlsSecretName
To provide TLS certificates, (1) set deploymentStage to “cust”, then (2) provide EITHER the
name of an existing Kubernetes TLS secret in custTlsSecret OR provide base64 encoded secrets
in custTlsCert and custTlsKey.
domainPrefix
DNS specification for our named external service endpoints.
To form URLs, we concatenate the optional domainPrefix, the service name in question, and then
the domainSuffix. Their values are based on license, type, and customer config inputs. They
MUST be overriden per install via helm values, or by Replicated.
Community – prefix/suffix in license
| domainPrefix | domainSuffix | dashboard_fqdn | thing_fqdn (thing = jup, kc, etc) |
|---|---|---|---|
| "" | wallaroo.community | (never) | (never) |
| cust123 | wallaroo.community | cust123.wallaroo.community | cust123.thing.wallaroo.community |
Enterprise et al – prefix/suffix from config
| domainPrefix | domainSuffix | dashboard_fqdn | thing_fqdn (thing = jup, kc, etc) |
|---|---|---|---|
| "" | wl.bigco | wl.bigco | thing.wl. |
| cust123 | wl.bigco | cust123.wl.bigco | cust123.thing.wl.bigco |
wallarooSecretName
In online Helm installs, an image pull secret is created and this is its name. The secret allows
the Kubernetes node to pull images from proxy.replicated.com. In airgap Helm installs, a local
Secret of type docker-registry must be created and this value set to its name.
privateModelRegistry
If the customer has specified a private model container registry, the enable flag will reflect
and the secret will be populated. registry, username, and password are mandatory. email
is optional. registry is of the form “hostname:port”.
apilb
Main ingress LB for Wallaroo services.
The Kubernetes Ingress object is not used, instead we deploy a single Envoy load balancer with a
single IP in all cases, which serves: TLS termination, authentication (JWT) checking, and both
host based and path based application routing. Customer should be aware of two values in particular.
api.serviceType defaults to ClusterIP. If api.serviceType is set to LoadBalancer, cloud
services will allocate a hosted LB service, in which case the apilb.annotations should be
provided, in order to pass configuration such as “internal” or “external” to the cloud service.
Example:
apilb:
serviceType: LoadBalancer
annotations: service.beta.kubernetes.io/aws-load-balancer-internal: “true”
keycloak
Wallaroo can connect to a variety of identity providers, broker OpenID Connect authentication
requests, and then limit access to endpoints. This section configures a https://www.keycloak.org
installation. If a provider is specified here, Keycloak will configure itself to use that on
install. If no providers are specified here, the administrator must login to the Keycloak
service as the administrative user and either add users by hand or create an auth provider. In
general, a client must be created upstream and a URL, client ID, and secret (token) for that
client is entered here.
dbcleaner
Manage retention for fluentbit table. This contains log message outputs from orchestration tasks.
plateau
Plateau is a low-profile fixed-footprint log processor / event store for fast storage of
inference results. The amount of disk space provisioned is adjustable. Smaller than “100Gi” is
not recommended for performance reasons.
pythonAPIServer
Model conversion is an optional service that allows converting non-onnx models (keras, sklearn,
and xgboost) to onnx and adding them to your pipeline, without extensive manual conversion or
processing steps. This allows more rapid iteration over models or experiments.
wsProxy
This controls the wsProxy, and should only be enabled if nats (ArbEx) is also enabled.
wsProxy is required for the Dashboard to subscribe to events and show notifications.
orchestration
Pipeline orchestration is general task execution service that allows users to upload arbitrary
code and have it executed on their behalf by the system. nats and arbex must be enabled.
models
The model server supports model autoconversion and requires nats and arbitrary execution to be
enabled.