2 |
3 | [](https://cran.r-project.org/package=AzureContainers)
4 | 
5 | 
6 |
7 | A package for working with [Azure Container Registry (ACR)](https://azure.microsoft.com/en-us/products/container-registry/), [Azure Kubernetes Service (AKS)](https://azure.microsoft.com/en-us/products/kubernetes-service/) and [Azure Container Instances (ACI)](https://azure.microsoft.com/en-us/products/container-instances/). Extends the Azure Resource Manager interface provided by the [AzureRMR](https://github.com/Azure/AzureRMR) package.
8 |
9 | AzureContainers lets you build and deploy containerised services in R, using Docker and Kubernetes. For full functionality, you should have [Docker](https://docs.docker.com/install/) installed, as well as the [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/) and [helm](https://helm.sh/) commandline tools. Otherwise it is relatively lightweight, requiring neither Powershell nor Python.
10 |
11 | Note that AzureContainers can talk to any Docker registry that uses the [V2 HTTP API](https://docs.docker.com/registry/spec/api/), not just those created via ACR. Similarly, it can interface with Kubernetes clusters anywhere, not just those created via AKS.
12 |
13 | The primary repo for this package is at https://github.com/Azure/AzureContainers; please submit issues and PRs there. It is also mirrored at the Cloudyr org at https://github.com/cloudyr/AzureContainers. You can install the development version of the package with `devtools::install_github("Azure/AzureContainers")`.
14 |
15 | ## Example workflow
16 |
17 | Here is a sample R workflow to package up an R model as a container, deploy it to a Kubernetes cluster, and expose it as a service.
18 |
19 | ```r
20 | library(AzureContainers)
21 |
22 | az <- AzureRMR::get_azure_login()
23 | resgroup <- az$
24 | get_subscription("
}}\preformatted{create_aci(name, location = self$location,
13 | container = name, image,
14 | registry_creds = list(),
15 | cores = 1, memory = 8,
16 | os = c("Linux", "Windows"),
17 | command = list(), env_vars = list(),
18 | ports = aci_ports(), dns_name = name, public_ip = TRUE,
19 | restart = c("Always", "OnFailure", "Never"), managed_identity = TRUE,
20 | ...)
21 | }\if{html}{\out{
}}
22 | }
23 |
24 | \section{Arguments}{
25 |
26 | \itemize{
27 | \item \code{name}: The name of the ACI service.
28 | \item \code{location}: The location/region in which to create the ACI service. Defaults to this resource group's location.
29 | \item \code{container}: The name of the running container.
30 | \item \code{image}: The name of the image to run.
31 | \item \code{registry_creds}: Docker registry authentication credentials, if the image is stored in a private registry. See 'Details'.
32 | \item \code{cores}: The number of CPU cores for the instance.
33 | \item \code{memory}: The memory size in GB for the instance.
34 | \item \code{os}: The operating system to run in the instance.
35 | \item \code{command}: A list of commands to run in the instance. This is similar to the \code{--entrypoint} commandline argument to \verb{docker run}; see \href{https://learn.microsoft.com/en-us/azure/container-instances/container-instances-start-command}{here} for some examples.
36 | \item \code{env_vars}: A list of name-value pairs to set as environment variables in the instance.
37 | \item \code{secure_env_vars}: A list of name-value pairs to set as \emph{secure} environment variables in the instance. The values of these variables are not visible in the container's properties, eg when viewed in the Azure portal or via the CLI.
38 | \item \code{ports}: The network ports to open. By default, opens ports 80 and 443. See 'Details'.
39 | \item \code{dns_name}: The domain name prefix for the instance. Only takes effect if \code{public_ip=TRUE}.
40 | \item \code{public_ip}: Whether the instance should be publicly accessible.
41 | \item \code{restart}: Whether to restart the instance should an event occur.
42 | \item \code{managed_identity}: Whether to assign the container instance a managed identity.
43 | \item \code{...}: Other named arguments to pass to the \link[AzureRMR:az_resource]{AzureRMR::az_resource} initialization function.
44 | }
45 | }
46 |
47 | \section{Details}{
48 |
49 | An ACI resource is a running container hosted in Azure. See the \href{https://learn.microsoft.com/en-us/azure/container-instances/}{documentation for the resource} for more information. Currently ACI only supports a single image in an instance.
50 |
51 | To supply the registry authentication credentials, the \code{registry_creds} argument should contain either an \link[=acr]{ACR} object, a \link{docker_registry} object, or the result of a call to the \link{aci_creds} function.
52 |
53 | The ports to open should be obtained by calling the \link{aci_ports} function. This takes a vector of port numbers as well as the protocol (TCP or UDP) for each port.
54 | }
55 |
56 | \section{Value}{
57 |
58 | An object of class \code{az_container_instance} representing the instance.
59 | }
60 |
61 | \examples{
62 | \dontrun{
63 |
64 | rg <- AzureRMR::get_azure_login()$
65 | get_subscription("subscription_id")$
66 | get_resource_group("rgname")
67 |
68 | # get the ACR resource that contains the image
69 | myacr <- rg$get_acr("myregistry", as_admin=TRUE)
70 |
71 | rg$create_aci("mycontainer",
72 | image="myregistry.azurecr.io/myimage:latest",
73 | registry_creds=myacr)
74 |
75 | }
76 | }
77 | \seealso{
78 | \link{get_aci}, \link{delete_aci}, \link{list_acis}
79 |
80 | \link{az_container_instance}
81 |
82 | \href{https://learn.microsoft.com/en-us/azure/container-instances/}{ACI documentation} and
83 | \href{https://learn.microsoft.com/en-us/rest/api/container-instances/}{API reference}
84 |
85 | \href{https://docs.docker.com/engine/reference/commandline/cli/}{Docker commandline reference}
86 | }
87 |
--------------------------------------------------------------------------------
/man/create_acr.Rd:
--------------------------------------------------------------------------------
1 | % Generated by roxygen2: do not edit by hand
2 | % Please edit documentation in R/add_acr_methods.R
3 | \name{create_acr}
4 | \alias{create_acr}
5 | \title{Create Azure Container Registry (ACR)}
6 | \description{
7 | Method for the \link[AzureRMR:az_resource_group]{AzureRMR::az_resource_group} class.
8 | }
9 | \section{Usage}{
10 |
11 |
12 | \if{html}{\out{}}\preformatted{create_acr(name, location = self$location,
13 | admin_user_enabled = TRUE, sku = "Standard", ...)
14 | }\if{html}{\out{
}}
15 | }
16 |
17 | \section{Arguments}{
18 |
19 | \itemize{
20 | \item \code{name}: The name of the container registry.
21 | \item \code{location}: The location/region in which to create the container registry. Defaults to this resource group's location.
22 | \item \code{admin_user_enabled}: Whether to enable the Admin user. Currently this must be \code{TRUE} for ACI to pull from the registry.
23 | \item \code{sku}: Either "Basic", "Standard" (the default) or "Premium".
24 | \item \code{wait}: Whether to wait until the ACR resource provisioning is complete.
25 | \item \code{...}: Other named arguments to pass to the \link[AzureRMR:az_resource]{AzureRMR::az_resource} initialization function.
26 | }
27 | }
28 |
29 | \section{Details}{
30 |
31 | An ACR resource is a Docker registry hosted in Azure. See the \href{https://learn.microsoft.com/en-us/azure/container-registry/}{documentation for the resource} for more information. To work with the registry (transfer images, retag images, etc) see the \link[=docker_registry]{documentation for the registry endpoint}.
32 | }
33 |
34 | \section{Value}{
35 |
36 | An object of class \code{az_container_registry} representing the registry resource.
37 | }
38 |
39 | \examples{
40 | \dontrun{
41 |
42 | rg <- AzureRMR::get_azure_login()$
43 | get_subscription("subscription_id")$
44 | get_resource_group("rgname")
45 |
46 | rg$create_acr("myregistry")
47 |
48 | }
49 | }
50 | \seealso{
51 | \link{get_acr}, \link{delete_acr}, \link{list_acrs}
52 |
53 | \link{az_container_registry}
54 |
55 | \link{docker_registry} for the registry endpoint
56 |
57 | \href{https://learn.microsoft.com/en-us/azure/container-registry/}{ACR documentation} and
58 | \href{https://learn.microsoft.com/en-us/rest/api/containerregistry/registries}{API reference}
59 |
60 | \href{https://docs.docker.com/registry/spec/api/}{Docker registry API}
61 | }
62 |
--------------------------------------------------------------------------------
/man/create_aks.Rd:
--------------------------------------------------------------------------------
1 | % Generated by roxygen2: do not edit by hand
2 | % Please edit documentation in R/add_aks_methods.R
3 | \name{create_aks}
4 | \alias{create_aks}
5 | \title{Create Azure Kubernetes Service (AKS)}
6 | \description{
7 | Method for the \link[AzureRMR:az_resource_group]{AzureRMR::az_resource_group} class.
8 | }
9 | \section{Usage}{
10 |
11 |
12 | \if{html}{\out{}}\preformatted{create_aks(name, location = self$location,
13 | dns_prefix = name, kubernetes_version = NULL,
14 | enable_rbac = FALSE, agent_pools = agent_pool("pool1", 3),
15 | login_user = "", login_passkey = "",
16 | cluster_service_principal = NULL, managed_identity = TRUE,
17 | private_cluster = FALSE,
18 | properties = list(), ..., wait = TRUE)
19 | }\if{html}{\out{
}}
20 | }
21 |
22 | \section{Arguments}{
23 |
24 | \itemize{
25 | \item \code{name}: The name of the Kubernetes service.
26 | \item \code{location}: The location/region in which to create the service. Defaults to this resource group's location.
27 | \item \code{dns_prefix}: The domain name prefix to use for the cluster endpoint. The actual domain name will start with this argument, followed by a string of pseudorandom characters.
28 | \item \code{kubernetes_version}: The Kubernetes version to use. If not specified, uses the most recent version of Kubernetes available.
29 | \item \code{enable_rbac}: Whether to enable Kubernetes role-based access controls (which is distinct from Azure AD RBAC).
30 | \item \code{agent_pools}: The pool specification(s) for the cluster. See 'Details'.
31 | \item \verb{login_user,login_passkey}: Optionally, a login username and public key (on Linux). Specify these if you want to be able to ssh into the cluster nodes.
32 | \item \code{cluster_service_principal}: The service principal that AKS will use to manage the cluster resources. This should be a list, with the first component being the client ID and the second the client secret. If not supplied, a new service principal will be created (requires an interactive session). Ignored if \code{managed_identity=TRUE}, which is the default.
33 | \item \code{managed_identity}: Whether the cluster should have a managed identity assigned to it. If \code{FALSE}, a service principal will be used to manage the cluster's resources; see 'Details' below.
34 | \item \code{private_cluster}: Whether this cluster is private (not visible from the public Internet). A private cluster is accessible only to hosts on its virtual network.
35 | \item \code{properties}: A named list of further Kubernetes-specific properties to pass to the initialization function.
36 | \item \code{wait}: Whether to wait until the AKS resource provisioning is complete. Note that provisioning a Kubernetes cluster can take several minutes.
37 | \item \code{...}: Other named arguments to pass to the initialization function.
38 | }
39 | }
40 |
41 | \section{Details}{
42 |
43 | An AKS resource is a Kubernetes cluster hosted in Azure. See the \link[=aks]{documentation for the resource} for more information. To work with the cluster (deploy images, define and start services, etc) see the \link[=kubernetes_cluster]{documentation for the cluster endpoint}.
44 |
45 | The nodes for an AKS cluster are organised into \emph{agent pools}, also known as \emph{node pools}, which are homogenous groups of virtual machines. To specify the details for a single agent pool, use the \code{agent_pool} function, which returns an S3 object of that class. To specify the details for multiple pools, you can supply a list of such objects, or a single call to the \code{aks_pools} function; see the examples below. Note that \code{aks_pools} is older, and does not support all the possible parameters for an agent pool.
46 |
47 | Of the agent pools in a cluster, at least one must be a \emph{system pool}, which is used to host critical system pods such as CoreDNS and tunnelfront. If you specify more than one pool, the first pool will be treated as the system pool. Note that there are certain \href{https://learn.microsoft.com/en-us/azure/aks/use-system-pools}{extra requirements} for the system pool.
48 |
49 | An AKS cluster requires an identity to manage the low-level resources it uses, such as virtual machines and networks. The default and recommended method is to use a \emph{managed identity}, in which all the details of this process are handled by AKS. In AzureContainers version 1.2.1 and older, a \emph{service principal} was used instead, which is an older and less automated method. By setting \code{managed_identity=FALSE}, you can continue using a service principal instead of a managed identity.
50 |
51 | One thing to be aware of with service principals is that they have a secret password that will expire eventually. By default, the password for a newly-created service principal will expire after one year. You should run the \code{update_service_password} method of the AKS object to reset/update the password before it expires.
52 | }
53 |
54 | \section{Value}{
55 |
56 | An object of class \code{az_kubernetes_service} representing the service.
57 | }
58 |
59 | \examples{
60 | \dontrun{
61 |
62 | rg <- AzureRMR::get_azure_login()$
63 | get_subscription("subscription_id")$
64 | get_resource_group("rgname")
65 |
66 | rg$create_aks("mycluster", agent_pools=agent_pool("pool1", 5))
67 |
68 | # GPU-enabled cluster
69 | rg$create_aks("mygpucluster", agent_pools=agent_pool("pool1", 5, size="Standard_NC6s_v3"))
70 |
71 | # multiple agent pools
72 | rg$create_aks("mycluster", agent_pools=list(
73 | agent_pool("pool1", 2),
74 | agent_pool("pool2", 3, size="Standard_NC6s_v3")
75 | ))
76 |
77 | # deprecated alternative for multiple pools
78 | rg$create_aks("mycluster",
79 | agent_pools=aks_pools(c("pool1", "pool2"), c(2, 3), c("Standard_DS2_v2", "Standard_NC6s_v3")))
80 |
81 | }
82 | }
83 | \seealso{
84 | \link{get_aks}, \link{delete_aks}, \link{list_aks}, \link{agent_pool}, \link{aks_pools}
85 |
86 | \link{az_kubernetes_service}
87 |
88 | \link{kubernetes_cluster} for the cluster endpoint
89 |
90 | \href{https://learn.microsoft.com/en-us/azure/aks/}{AKS documentation} and
91 | \href{https://learn.microsoft.com/en-us/rest/api/aks/}{API reference}
92 |
93 | \href{https://kubernetes.io/docs/reference/}{Kubernetes reference}
94 | }
95 |
--------------------------------------------------------------------------------
/man/delete_aci.Rd:
--------------------------------------------------------------------------------
1 | % Generated by roxygen2: do not edit by hand
2 | % Please edit documentation in R/add_aci_methods.R
3 | \name{delete_aci}
4 | \alias{delete_aci}
5 | \title{Delete an Azure Container Instance (ACI)}
6 | \description{
7 | Method for the \link[AzureRMR:az_resource_group]{AzureRMR::az_resource_group} class.
8 | }
9 | \section{Usage}{
10 |
11 |
12 | \if{html}{\out{}}\preformatted{delete_aci(name, confirm=TRUE, wait=FALSE)
13 | }\if{html}{\out{
}}
14 | }
15 |
16 | \section{Arguments}{
17 |
18 | \itemize{
19 | \item \code{name}: The name of the container instance.
20 | \item \code{confirm}: Whether to ask for confirmation before deleting.
21 | \item \code{wait}: Whether to wait until the deletion is complete.
22 | }
23 | }
24 |
25 | \section{Value}{
26 |
27 | NULL on successful deletion.
28 | }
29 |
30 | \examples{
31 | \dontrun{
32 |
33 | rg <- AzureRMR::get_azure_login()$
34 | get_subscription("subscription_id")$
35 | get_resource_group("rgname")
36 |
37 | rg$delete_aci("mycontainer")
38 |
39 | }
40 | }
41 | \seealso{
42 | \link{create_aci}, \link{get_aci}
43 |
44 | \link{az_container_instance}
45 |
46 | \href{https://learn.microsoft.com/en-us/azure/container-instances/}{ACI documentation} and
47 | \href{https://learn.microsoft.com/en-us/rest/api/container-instances/}{API reference}
48 |
49 | \href{https://docs.docker.com/engine/reference/commandline/cli/}{Docker commandline reference}
50 | }
51 |
--------------------------------------------------------------------------------
/man/delete_acr.Rd:
--------------------------------------------------------------------------------
1 | % Generated by roxygen2: do not edit by hand
2 | % Please edit documentation in R/add_acr_methods.R
3 | \name{delete_acr}
4 | \alias{delete_acr}
5 | \title{Delete an Azure Container Registry (ACR)}
6 | \description{
7 | Method for the \link[AzureRMR:az_resource_group]{AzureRMR::az_resource_group} class.
8 | }
9 | \section{Usage}{
10 |
11 |
12 | \if{html}{\out{}}\preformatted{delete_acr(name, confirm=TRUE, wait=FALSE)
13 | }\if{html}{\out{
}}
14 | }
15 |
16 | \section{Arguments}{
17 |
18 | \itemize{
19 | \item \code{name}: The name of the container registry.
20 | \item \code{confirm}: Whether to ask for confirmation before deleting.
21 | \item \code{wait}: Whether to wait until the deletion is complete.
22 | }
23 | }
24 |
25 | \section{Value}{
26 |
27 | NULL on successful deletion.
28 | }
29 |
30 | \examples{
31 | \dontrun{
32 |
33 | rg <- AzureRMR::get_azure_login()$
34 | get_subscription("subscription_id")$
35 | get_resource_group("rgname")
36 |
37 | rg$delete_acr("myregistry")
38 |
39 | }
40 | }
41 | \seealso{
42 | \link{create_acr}, \link{get_acr}
43 |
44 | \link{az_container_registry}
45 |
46 | \link{docker_registry} for the registry endpoint
47 |
48 | \href{https://learn.microsoft.com/en-us/azure/container-registry/}{ACR documentation} and
49 | \href{https://learn.microsoft.com/en-us/rest/api/containerregistry/registries}{API reference}
50 |
51 | \href{https://docs.docker.com/registry/spec/api/}{Docker registry API}
52 | }
53 |
--------------------------------------------------------------------------------
/man/delete_aks.Rd:
--------------------------------------------------------------------------------
1 | % Generated by roxygen2: do not edit by hand
2 | % Please edit documentation in R/add_aks_methods.R
3 | \name{delete_aks}
4 | \alias{delete_aks}
5 | \title{Delete an Azure Kubernetes Service (AKS)}
6 | \description{
7 | Method for the \link[AzureRMR:az_resource_group]{AzureRMR::az_resource_group} class.
8 | }
9 | \section{Usage}{
10 |
11 |
12 | \if{html}{\out{}}\preformatted{delete_aks(name, confirm=TRUE, wait=FALSE)
13 | }\if{html}{\out{
}}
14 | }
15 |
16 | \section{Arguments}{
17 |
18 | \itemize{
19 | \item \code{name}: The name of the Kubernetes service.
20 | \item \code{confirm}: Whether to ask for confirmation before deleting.
21 | \item \code{wait}: Whether to wait until the deletion is complete.
22 | }
23 | }
24 |
25 | \section{Value}{
26 |
27 | NULL on successful deletion.
28 | }
29 |
30 | \examples{
31 | \dontrun{
32 |
33 | rg <- AzureRMR::get_azure_login()$
34 | get_subscription("subscription_id")$
35 | get_resource_group("rgname")
36 |
37 | rg$delete_aks("mycluster")
38 |
39 | }
40 | }
41 | \seealso{
42 | \link{create_aks}, \link{get_aks}
43 |
44 | \link{az_kubernetes_service}
45 |
46 | \link{kubernetes_cluster} for the cluster endpoint
47 |
48 | \href{https://learn.microsoft.com/en-us/azure/aks/}{AKS documentation} and
49 | \href{https://learn.microsoft.com/en-us/rest/api/aks/}{API reference}
50 |
51 | \href{https://kubernetes.io/docs/reference/}{Kubernetes reference}
52 | }
53 |
--------------------------------------------------------------------------------
/man/docker_registry.Rd:
--------------------------------------------------------------------------------
1 | % Generated by roxygen2: do not edit by hand
2 | % Please edit documentation in R/docker_registry.R
3 | \name{docker_registry}
4 | \alias{docker_registry}
5 | \title{Create a new Docker registry object}
6 | \usage{
7 | docker_registry(server, tenant = "common", username = NULL,
8 | password = NULL, app = .az_cli_app_id, ..., domain = "azurecr.io",
9 | token = NULL, login = TRUE)
10 | }
11 | \arguments{
12 | \item{server}{The registry server. This can be a URL ("https://myregistry.azurecr.io") or a domain name label ("myregistry"); if the latter, the value of the \code{domain} argument is appended to obtain the full hostname.}
13 |
14 | \item{tenant, username, password, app, ...}{Authentication arguments to \link[AzureAuth:get_azure_token]{AzureAuth::get_azure_token}. See 'Details' below.}
15 |
16 | \item{domain}{The default domain for the registry server.}
17 |
18 | \item{token}{An OAuth token, of class \link[AzureAuth:AzureToken]{AzureAuth::AzureToken}. If supplied, the authentication details for the registry will be inferred from this.}
19 |
20 | \item{login}{Whether to perform a local login (requires that you have Docker installed). This is necessary if you want to push or pull images.}
21 | }
22 | \value{
23 | An R6 object of class \code{DockerRegistry}.
24 | }
25 | \description{
26 | Create a new Docker registry object
27 | }
28 | \details{
29 | There are two ways to authenticate with an Azure Docker registry: via Azure Active Directory (AAD), or with a username and password. The latter is simpler, while the former is more complex but also more flexible and secure.
30 |
31 | The default method of authenticating is via AAD. Without any arguments, \code{docker_registry} will authenticate using the AAD credentials of the currently logged-in user. You can change this by supplying the appropriate arguments to \code{docker_registry}, which will be passed to \code{AzureAuth::get_azure_token}; alternatively, you can provide an existing token object.
32 |
33 | To authenticate via the admin user account, set \code{app=NULL} and supply the admin username and password in the corresponding arguments. Note that for this to work, the registry must have been created with the admin account enabled.
34 |
35 | Authenticating with a service principal can be done either indirectly via AAD, or via a username and password. See the examples below. The latter method is recommended, as it is both faster and allows easier interoperability with AKS and ACI.
36 | }
37 | \examples{
38 | \dontrun{
39 |
40 | # connect to the Docker registry 'myregistry.azurecr.io', authenticating as the current user
41 | docker_registry("myregistry")
42 |
43 | # same, but providing a full URL
44 | docker_registry("https://myregistry.azurecr.io")
45 |
46 | # authenticating via the admin account
47 | docker_registry("myregistry", username="admin", password="password", app=NULL)
48 |
49 | # authenticating with a service principal, method 1: recommended
50 | docker_registry("myregistry", username="app_id", password="client_creds", app=NULL)
51 |
52 | # authenticating with a service principal, method 2
53 | docker_registry("myregistry", app="app_id", password="client_creds")
54 |
55 | # authenticating from a managed service identity (MSI)
56 | token <- AzureAuth::get_managed_token("https://management.azure.com/")
57 | docker_registry("myregistry", token=token)
58 |
59 | # you can also interact with a registry outside Azure
60 | # note that some registry methods, and AAD authentication, may not work in this case
61 | docker_registry("https://hub.docker.com", username="mydockerid", password="password", app=NULL)
62 |
63 | }
64 | }
65 | \seealso{
66 | \link{DockerRegistry} for methods available for interacting with the registry, \link{call_docker}
67 |
68 | \link{kubernetes_cluster} for the corresponding function to create a Kubernetes cluster object
69 | }
70 |
--------------------------------------------------------------------------------
/man/figures/logo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cloudyr/AzureContainers/e1c3644eb2dd4e4167ad79d5816f1ef06a7011eb/man/figures/logo.png
--------------------------------------------------------------------------------
/man/get_aci.Rd:
--------------------------------------------------------------------------------
1 | % Generated by roxygen2: do not edit by hand
2 | % Please edit documentation in R/add_aci_methods.R
3 | \name{get_aci}
4 | \alias{get_aci}
5 | \alias{list_acis}
6 | \title{Get Azure Container Instance (ACI)}
7 | \description{
8 | Method for the \link[AzureRMR:az_resource_group]{AzureRMR::az_resource_group} class.
9 | }
10 | \section{Usage}{
11 |
12 |
13 | \if{html}{\out{}}\preformatted{get_aci(name)
14 | list_acis()
15 | }\if{html}{\out{
}}
16 | }
17 |
18 | \section{Arguments}{
19 |
20 | \itemize{
21 | \item \code{name}: For \code{get_aci()}, the name of the container instance resource.
22 | }
23 | }
24 |
25 | \section{Details}{
26 |
27 | The \code{AzureRMR::az_resource_group} class has both \code{get_aci()} and \code{list_acis()} methods, while the \code{AzureRMR::az_subscription} class only has the latter.
28 | }
29 |
30 | \section{Value}{
31 |
32 | For \code{get_aci()}, an object of class \code{az_container_instance} representing the instance resource.
33 |
34 | For \code{list_acis()}, a list of such objects.
35 | }
36 |
37 | \examples{
38 | \dontrun{
39 |
40 | rg <- AzureRMR::get_azure_login()$
41 | get_subscription("subscription_id")$
42 | get_resource_group("rgname")
43 |
44 | rg$get_aci("mycontainer")
45 |
46 | }
47 | }
48 | \seealso{
49 | \link{create_aci}, \link{delete_aci}
50 |
51 | \link{az_container_instance}
52 |
53 | \href{https://learn.microsoft.com/en-us/azure/container-instances/}{ACI documentation} and
54 | \href{https://learn.microsoft.com/en-us/rest/api/container-instances/}{API reference}
55 |
56 | \href{https://docs.docker.com/engine/reference/commandline/cli/}{Docker commandline reference}
57 | }
58 |
--------------------------------------------------------------------------------
/man/get_acr.Rd:
--------------------------------------------------------------------------------
1 | % Generated by roxygen2: do not edit by hand
2 | % Please edit documentation in R/add_acr_methods.R
3 | \name{get_acr}
4 | \alias{get_acr}
5 | \alias{list_acrs}
6 | \title{Get Azure Container Registry (ACR)}
7 | \description{
8 | Method for the \link[AzureRMR:az_resource_group]{AzureRMR::az_resource_group} class.
9 | }
10 | \section{Usage}{
11 |
12 |
13 | \if{html}{\out{}}\preformatted{get_acr(name)
14 | list_acrs()
15 | }\if{html}{\out{
}}
16 | }
17 |
18 | \section{Arguments}{
19 |
20 | \itemize{
21 | \item \code{name}: For \code{get_acr()}, the name of the container registry resource.
22 | }
23 | }
24 |
25 | \section{Details}{
26 |
27 | The \code{AzureRMR::az_resource_group} class has both \code{get_acr()} and \code{list_acrs()} methods, while the \code{AzureRMR::az_subscription} class only has the latter.
28 | }
29 |
30 | \section{Value}{
31 |
32 | For \code{get_acr()}, an object of class \code{az_container_registry} representing the registry resource.
33 |
34 | For \code{list_acrs()}, a list of such objects.
35 | }
36 |
37 | \examples{
38 | \dontrun{
39 |
40 | rg <- AzureRMR::get_azure_login()$
41 | get_subscription("subscription_id")$
42 | get_resource_group("rgname")
43 |
44 | rg$get_acr("myregistry")
45 |
46 | }
47 | }
48 | \seealso{
49 | \link{create_acr}, \link{delete_acr}
50 |
51 | \link{az_container_registry}
52 |
53 | \link{docker_registry} for the registry endpoint
54 |
55 | \href{https://learn.microsoft.com/en-us/azure/container-registry/}{ACR documentation} and
56 | \href{https://learn.microsoft.com/en-us/rest/api/containerregistry/registries}{API reference}
57 |
58 | \href{https://docs.docker.com/registry/spec/api/}{Docker registry API}
59 | }
60 |
--------------------------------------------------------------------------------
/man/get_aks.Rd:
--------------------------------------------------------------------------------
1 | % Generated by roxygen2: do not edit by hand
2 | % Please edit documentation in R/add_aks_methods.R
3 | \name{get_aks}
4 | \alias{get_aks}
5 | \alias{list_aks}
6 | \title{Get Azure Kubernetes Service (AKS)}
7 | \description{
8 | Method for the \link[AzureRMR:az_resource_group]{AzureRMR::az_resource_group} class.
9 | }
10 | \section{Usage}{
11 |
12 |
13 | \if{html}{\out{}}\preformatted{get_aks(name)
14 | list_aks()
15 | }\if{html}{\out{
}}
16 | }
17 |
18 | \section{Arguments}{
19 |
20 | \itemize{
21 | \item \code{name}: For \code{get_aks()}, the name of the Kubernetes service.
22 | }
23 | }
24 |
25 | \section{Details}{
26 |
27 | The \code{AzureRMR::az_resource_group} class has both \code{get_aks()} and \code{list_aks()} methods, while the \code{AzureRMR::az_subscription} class only has the latter.
28 | }
29 |
30 | \section{Value}{
31 |
32 | For \code{get_aks()}, an object of class \code{az_kubernetes_service} representing the service.
33 |
34 | For \code{list_aks()}, a list of such objects.
35 | }
36 |
37 | \examples{
38 | \dontrun{
39 |
40 | rg <- AzureRMR::get_azure_login()$
41 | get_subscription("subscription_id")$
42 | get_resource_group("rgname")
43 |
44 | rg$get_aks("mycluster")
45 |
46 | }
47 | }
48 | \seealso{
49 | \link{create_aks}, \link{delete_aks}
50 |
51 | \link{az_kubernetes_service}
52 |
53 | \link{kubernetes_cluster} for the cluster endpoint
54 |
55 | \href{https://learn.microsoft.com/en-us/azure/aks/}{AKS documentation} and
56 | \href{https://learn.microsoft.com/en-us/rest/api/aks/}{API reference}
57 |
58 | \href{https://kubernetes.io/docs/reference/}{Kubernetes reference}
59 | }
60 |
--------------------------------------------------------------------------------
/man/is.Rd:
--------------------------------------------------------------------------------
1 | % Generated by roxygen2: do not edit by hand
2 | % Please edit documentation in R/is.R
3 | \name{is_acr}
4 | \alias{is_acr}
5 | \alias{is_aks}
6 | \alias{is_aci}
7 | \alias{is_docker_registry}
8 | \alias{is_kubernetes_cluster}
9 | \title{Utility functions to test whether an object is of the given class.}
10 | \usage{
11 | is_acr(object)
12 |
13 | is_aks(object)
14 |
15 | is_aci(object)
16 |
17 | is_docker_registry(object)
18 |
19 | is_kubernetes_cluster(object)
20 | }
21 | \arguments{
22 | \item{object}{An R object}
23 | }
24 | \value{
25 | TRUE or FALSE depending on whether the object is an R6 object of the specified class.
26 | }
27 | \description{
28 | Utility functions to test whether an object is of the given class.
29 | }
30 | \details{
31 | These functions are simple wrappers around \code{R6::is.R6} and \code{inherits}.
32 | }
33 |
--------------------------------------------------------------------------------
/man/kubernetes_cluster.Rd:
--------------------------------------------------------------------------------
1 | % Generated by roxygen2: do not edit by hand
2 | % Please edit documentation in R/kubernetes_cluster.R
3 | \name{kubernetes_cluster}
4 | \alias{kubernetes_cluster}
5 | \title{Create a new Kubernetes cluster object}
6 | \usage{
7 | kubernetes_cluster(config = NULL)
8 | }
9 | \arguments{
10 | \item{config}{The name of the file containing the configuration details for the cluster. This should be a YAML or JSON file in the standard Kubernetes configuration format. Set this to NULL to use the default \verb{~/.kube/config} file.}
11 | }
12 | \value{
13 | An R6 object of class \code{KubernetesCluster}.
14 | }
15 | \description{
16 | Create a new Kubernetes cluster object
17 | }
18 | \details{
19 | Use this function to instantiate a new object of the \code{KubernetesCluster} class, for interacting with a Kubernetes cluster.
20 | }
21 | \examples{
22 | \dontrun{
23 |
24 | kubernetes_cluster()
25 | kubernetes_cluster("myconfig.yaml")
26 |
27 | }
28 | }
29 | \seealso{
30 | \link{KubernetesCluster} for methods for working with the cluster, \link{call_kubectl}, \link{call_helm}
31 |
32 | \link{docker_registry} for the corresponding function to create a Docker registry object
33 | }
34 |
--------------------------------------------------------------------------------
/man/list_kubernetes_versions.Rd:
--------------------------------------------------------------------------------
1 | % Generated by roxygen2: do not edit by hand
2 | % Please edit documentation in R/add_aks_methods.R
3 | \name{list_kubernetes_versions}
4 | \alias{list_kubernetes_versions}
5 | \title{List available Kubernetes versions}
6 | \description{
7 | Method for the \link[AzureRMR:az_subscription]{AzureRMR::az_subscription} and \link[AzureRMR:az_resource_group]{AzureRMR::az_resource_group} classes.
8 | }
9 | \section{Usage}{
10 |
11 |
12 | \if{html}{\out{}}\preformatted{## R6 method for class 'az_subscription'
13 | list_kubernetes_versions(location)
14 |
15 | ## R6 method for class 'az_resource_group'
16 | list_kubernetes_versions()
17 | }\if{html}{\out{
}}
18 | }
19 |
20 | \section{Arguments}{
21 |
22 | \itemize{
23 | \item \code{location}: For the az_subscription class method, the location for which to obtain available Kubernetes versions.
24 | }
25 | }
26 |
27 | \section{Value}{
28 |
29 | A vector of strings, which are the Kubernetes versions that can be used when creating a cluster.
30 | }
31 |
32 | \examples{
33 | \dontrun{
34 |
35 | rg <- AzureRMR::get_azure_login()$
36 | get_subscription("subscription_id")$
37 | get_resource_group("rgname")
38 |
39 | rg$list_kubernetes_versions()
40 |
41 | }
42 | }
43 | \seealso{
44 | \link{create_aks}
45 |
46 | \href{https://kubernetes.io/docs/reference/}{Kubernetes reference}
47 | }
48 |
--------------------------------------------------------------------------------
/man/list_vm_sizes.Rd:
--------------------------------------------------------------------------------
1 | % Generated by roxygen2: do not edit by hand
2 | % Please edit documentation in R/add_vmsize_methods.R
3 | \name{list_vm_sizes}
4 | \alias{list_vm_sizes}
5 | \title{List available VM sizes}
6 | \description{
7 | Method for the \link[AzureRMR:az_subscription]{AzureRMR::az_subscription} and \link[AzureRMR:az_resource_group]{AzureRMR::az_resource_group} classes.
8 | }
9 | \section{Usage}{
10 |
11 |
12 | \if{html}{\out{}}\preformatted{## R6 method for class 'az_subscription'
13 | list_vm_sizes(location, name_only = FALSE)
14 |
15 | ## R6 method for class 'az_resource_group'
16 | list_vm_sizes(name_only = FALSE)
17 | }\if{html}{\out{
}}
18 | }
19 |
20 | \section{Arguments}{
21 |
22 | \itemize{
23 | \item \code{location}: For the subscription class method, the location/region for which to obtain available VM sizes.
24 | \item \code{name_only}: Whether to return only a vector of names, or all information on each VM size.
25 | }
26 | }
27 |
28 | \section{Value}{
29 |
30 | If \code{name_only} is TRUE, a character vector of names. If FALSE, a data frame containing the following information for each VM size: the name, number of cores, OS disk size, resource disk size, memory, and maximum data disks.
31 | }
32 |
33 | \examples{
34 | \dontrun{
35 |
36 | sub <- AzureRMR::get_azure_login()$
37 | get_subscription("subscription_id")
38 |
39 | sub$list_vm_sizes("australiaeast")
40 |
41 | # same output as above
42 | rg <- sub$create_resource_group("rgname", location="australiaeast")
43 | rg$list_vm_sizes()
44 |
45 | }
46 | }
47 |
--------------------------------------------------------------------------------
/tests/resources/hello.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: apps/v1
2 | kind: Deployment
3 | metadata:
4 | name: hellodep
5 | spec:
6 | selector:
7 | matchLabels:
8 | app: hellodep
9 | replicas: 1
10 | template:
11 | metadata:
12 | labels:
13 | app: hellodep
14 | spec:
15 | containers:
16 | - name: acrname
17 | image: acrname.azurecr.io/hello-world
18 | imagePullSecrets:
19 | - name: acrname.azurecr.io
20 | ---
21 | apiVersion: v1
22 | kind: Service
23 | metadata:
24 | name: hellodep-svc
25 | spec:
26 | selector:
27 | app: hellodep
28 | type: LoadBalancer
29 | ports:
30 | - protocol: TCP
31 | port: 80
32 |
--------------------------------------------------------------------------------
/tests/resources/hello_dockerfile:
--------------------------------------------------------------------------------
1 | FROM alpine
2 |
3 |
--------------------------------------------------------------------------------
/tests/testthat.R:
--------------------------------------------------------------------------------
1 | library(testthat)
2 | library(AzureContainers)
3 |
4 | test_check("AzureContainers")
5 |
--------------------------------------------------------------------------------
/tests/testthat/setup.R:
--------------------------------------------------------------------------------
1 | make_name <- function(n=20)
2 | {
3 | paste0(sample(letters, n, TRUE), collapse="")
4 | }
5 |
--------------------------------------------------------------------------------
/tests/testthat/test00_tools.R:
--------------------------------------------------------------------------------
1 | context("Tools interface")
2 |
3 | if(.AzureContainers$docker == "" ||
4 | .AzureContainers$dockercompose == "" ||
5 | .AzureContainers$kubectl == "" ||
6 | .AzureContainers$helm == "")
7 | skip("Tests skipped: external tools not found")
8 |
9 | echo <- getOption("azure_containers_tool_echo")
10 | options(azure_containers_tool_echo=FALSE)
11 |
12 | test_that("Docker works",
13 | {
14 | cmd <- "--help"
15 | obj <- call_docker(cmd)
16 | expect_is(obj, "list")
17 | expect_true(grepl("docker --help", obj$cmdline, fixed=TRUE))
18 | })
19 |
20 | test_that("Docker compose works",
21 | {
22 | cmd <- "--help"
23 | obj <- call_docker_compose(cmd)
24 | expect_is(obj, "list")
25 | expect_true(grepl("docker-compose --help", obj$cmdline, fixed=TRUE))
26 | })
27 |
28 | test_that("Kubectl works",
29 | {
30 | cmd <- "--help"
31 | obj <- call_kubectl(cmd)
32 | expect_is(obj, "list")
33 | expect_true(grepl("kubectl --help", obj$cmdline, fixed=TRUE))
34 | })
35 |
36 | test_that("Helm works",
37 | {
38 | cmd <- "--help"
39 | obj <- call_helm(cmd)
40 | expect_is(obj, "list")
41 | expect_true(grepl("helm --help", obj$cmdline, fixed=TRUE))
42 | })
43 |
44 | teardown({
45 | options(azure_containers_tool_echo=echo)
46 | })
47 |
--------------------------------------------------------------------------------
/tests/testthat/test01_acr.R:
--------------------------------------------------------------------------------
1 | context("ACR interface")
2 |
3 | tenant <- Sys.getenv("AZ_TEST_TENANT_ID")
4 | app <- Sys.getenv("AZ_TEST_APP_ID")
5 | password <- Sys.getenv("AZ_TEST_PASSWORD")
6 | subscription <- Sys.getenv("AZ_TEST_SUBSCRIPTION")
7 |
8 | if(tenant == "" || app == "" || password == "" || subscription == "")
9 | skip("Tests skipped: ARM credentials not set")
10 |
11 | rgname <- make_name(10)
12 | rg <- AzureRMR::az_rm$
13 | new(tenant=tenant, app=app, password=password)$
14 | get_subscription(subscription)$
15 | create_resource_group(rgname, location="australiaeast")
16 |
17 | echo <- getOption("azure_containers_tool_echo")
18 | options(azure_containers_tool_echo=FALSE)
19 |
20 | acrname <- make_name(10)
21 |
22 | test_that("ACR works",
23 | {
24 | expect_true(is_acr(rg$create_acr(acrname)))
25 | acr <- rg$get_acr(acrname)
26 | expect_true(is_acr(acr))
27 |
28 | acr2 <- rg$list_acrs()[[1]]
29 | expect_true(is_acr(acr2))
30 |
31 | reg <- acr$get_docker_registry()
32 | expect_true(is_docker_registry(reg))
33 |
34 | cmdline <- "build -f ../resources/hello_dockerfile -t hello-world ."
35 | output <- call_docker(cmdline)
36 | expect_equal(output$cmdline, paste("docker", cmdline))
37 |
38 | reg$push("hello-world")
39 |
40 | cmdline <- paste0("image rm ", acrname, ".azurecr.io/hello-world")
41 | call_docker(cmdline)
42 |
43 | expect_equal(reg$list_repositories(), "hello-world")
44 | })
45 |
46 | test_that("ACR works with app login",
47 | {
48 | acr <- rg$get_acr(acrname)
49 | expect_true(is_acr(acr))
50 |
51 | acr$add_role_assignment(
52 | principal=AzureGraph::get_graph_login(tenant)$get_app(app),
53 | role="owner"
54 | )
55 |
56 | reg <- acr$get_docker_registry(username=app, password=password, app=NULL)
57 | expect_true(is_docker_registry(reg))
58 | expect_identical(reg$username, app)
59 |
60 | cmdline <- "build -f ../resources/hello_dockerfile -t hello-world-sp ."
61 | output <- call_docker(cmdline)
62 | expect_equal(output$cmdline, paste("docker", cmdline))
63 |
64 | reg$push("hello-world-sp")
65 |
66 | cmdline <- paste0("image rm ", acrname, ".azurecr.io/hello-world-sp")
67 | call_docker(cmdline)
68 |
69 | expect_equal(reg$list_repositories(), c("hello-world", "hello-world-sp"))
70 | })
71 |
72 | teardown({
73 | options(azure_containers_tool_echo=echo)
74 | suppressMessages(rg$delete(confirm=FALSE))
75 | })
76 |
--------------------------------------------------------------------------------
/tests/testthat/test02_aci.R:
--------------------------------------------------------------------------------
1 | context("ACI interface")
2 |
3 | tenant <- Sys.getenv("AZ_TEST_TENANT_ID")
4 | app <- Sys.getenv("AZ_TEST_APP_ID")
5 | password <- Sys.getenv("AZ_TEST_PASSWORD")
6 | subscription <- Sys.getenv("AZ_TEST_SUBSCRIPTION")
7 |
8 | if(tenant == "" || app == "" || password == "" || subscription == "")
9 | skip("Tests skipped: ARM credentials not set")
10 |
11 | rgname <- make_name(10)
12 | rg <- AzureRMR::az_rm$
13 | new(tenant=tenant, app=app, password=password)$
14 | get_subscription(subscription)$
15 | create_resource_group(rgname, location="australiaeast")
16 |
17 | echo <- getOption("azure_containers_tool_echo")
18 | options(azure_containers_tool_echo=FALSE)
19 |
20 | test_that("ACI works",
21 | {
22 | acrname <- make_name(10)
23 | acr <- rg$create_acr(acrname, admin_user_enabled=TRUE)
24 | reg <- acr$get_docker_registry(as_admin=TRUE)
25 | expect_true(is_docker_registry(reg))
26 | expect_false(is.null(reg$username) || is.null(reg$password))
27 |
28 | cmdline <- "build -f ../resources/hello_dockerfile -t hello-world ."
29 | call_docker(cmdline)
30 |
31 | reg$push("hello-world")
32 |
33 | cmdline <- paste0("image rm ", acrname, ".azurecr.io/hello-world")
34 | call_docker(cmdline)
35 |
36 | # from local image
37 | aciname <- make_name(10)
38 | expect_true(is_aci(rg$create_aci(aciname,
39 | image="hello-world",
40 | env_vars=list(MYVAR="myvalue")),
41 | secure_env_vars=list(MYSECUREVAR="mysecurevalue"),
42 | command=c("/bin/sh", "-c", "ls"))
43 | )
44 |
45 | aci <- rg$get_aci(aciname)
46 | expect_true(is_aci(aci))
47 | expect_true(is_aci(rg$list_acis()[[1]]))
48 |
49 | expect_silent(aci$stop())
50 | Sys.sleep(2)
51 | expect_silent(aci$start())
52 | Sys.sleep(2)
53 | expect_silent(aci$restart())
54 |
55 | # from Resource Manager object
56 | aciname2 <- make_name(10)
57 | aci2 <- rg$create_aci(aciname2,
58 | image=paste0(reg$server$hostname, "/hello-world"),
59 | registry_creds=reg)
60 |
61 | expect_true(is_aci(aci2))
62 |
63 | # from Docker registry object
64 | aciname3 <- make_name(10)
65 | aci3 <- rg$create_aci(aciname3,
66 | image=paste0(reg$server$hostname, "/hello-world"),
67 | registry_creds=aci_creds(reg$server$hostname, app, password))
68 |
69 | expect_true(is_aci(aci3))
70 | })
71 |
72 |
73 | teardown({
74 | options(azure_containers_tool_echo=echo)
75 | suppressMessages(rg$delete(confirm=FALSE))
76 | })
77 |
--------------------------------------------------------------------------------
/tests/testthat/test03a_aks_msi.R:
--------------------------------------------------------------------------------
1 | context("AKS interface with managed identity")
2 |
3 | tenant <- Sys.getenv("AZ_TEST_TENANT_ID")
4 | app <- Sys.getenv("AZ_TEST_APP_ID")
5 | password <- Sys.getenv("AZ_TEST_PASSWORD")
6 | subscription <- Sys.getenv("AZ_TEST_SUBSCRIPTION")
7 |
8 | if(tenant == "" || app == "" || password == "" || subscription == "")
9 | skip("Tests skipped: ARM credentials not set")
10 |
11 | rgname <- make_name(10)
12 | rg <- AzureRMR::az_rm$
13 | new(tenant=tenant, app=app, password=password)$
14 | get_subscription(subscription)$
15 | create_resource_group(rgname, location="australiaeast")
16 |
17 | echo <- getOption("azure_containers_tool_echo")
18 | options(azure_containers_tool_echo=FALSE)
19 |
20 | test_that("AKS works with managed identity",
21 | {
22 | aksname <- make_name(10)
23 |
24 | expect_is(rg$list_kubernetes_versions(), "character")
25 |
26 | expect_true(is_aks(rg$create_aks(aksname, agent_pools=agent_pool("pool1", 1), managed_identity=TRUE)))
27 | expect_true(is_aks(rg$list_aks()[[1]]))
28 | aks <- rg$get_aks(aksname)
29 | expect_true(is_aks(aks))
30 |
31 | # no SP password with svc identity
32 | expect_error(aks$update_service_password())
33 |
34 | pool1 <- aks$get_agent_pool("pool1")
35 | expect_is(pool1, "az_agent_pool")
36 |
37 | pools <- aks$list_agent_pools()
38 | expect_true(is.list(pools) && length(pools) == 1 && all(sapply(pools, inherits, "az_agent_pool")))
39 |
40 | pool2 <- aks$create_agent_pool("pool2", 2, disksize=500, wait=TRUE, autoscale_nodes=c(1, 5))
41 | expect_is(pool2, "az_agent_pool")
42 | expect_true(pool2$properties$enableAutoScaling)
43 | expect_equal(pool2$properties$minCount, 1)
44 | expect_equal(pool2$properties$maxCount, 5)
45 |
46 | pools <- aks$list_agent_pools()
47 | expect_true(is.list(pools) && length(pools) == 2 && all(sapply(pools, inherits, "az_agent_pool")))
48 |
49 | expect_message(pool2$delete(confirm=FALSE))
50 |
51 | clus <- aks$get_cluster()
52 | expect_true(is_kubernetes_cluster(clus))
53 | })
54 |
55 |
56 | teardown({
57 | options(azure_containers_tool_echo=echo)
58 | suppressMessages(rg$delete(confirm=FALSE))
59 | })
60 |
--------------------------------------------------------------------------------
/tests/testthat/test03b_aks_acr_msi.R:
--------------------------------------------------------------------------------
1 | context("AKS-ACR interop with managed identity")
2 |
3 | tenant <- Sys.getenv("AZ_TEST_TENANT_ID")
4 | app <- Sys.getenv("AZ_TEST_APP_ID")
5 | password <- Sys.getenv("AZ_TEST_PASSWORD")
6 | subscription <- Sys.getenv("AZ_TEST_SUBSCRIPTION")
7 |
8 | if(tenant == "" || app == "" || password == "" || subscription == "")
9 | skip("Tests skipped: ARM credentials not set")
10 |
11 | rgname <- make_name(10)
12 | rg <- AzureRMR::az_rm$
13 | new(tenant=tenant, app=app, password=password)$
14 | get_subscription(subscription)$
15 | create_resource_group(rgname, location="australiaeast")
16 |
17 | echo <- getOption("azure_containers_tool_echo")
18 | options(azure_containers_tool_echo=FALSE)
19 |
20 | aksname <- make_name(10)
21 | aks <- rg$create_aks(aksname, agent_pools=agent_pool("pool1", 1), managed_identity=TRUE)
22 |
23 | test_that("AKS/ACR works with managed identity",
24 | {
25 | acrname <- make_name(10)
26 | acr <- rg$create_acr(acrname, admin_user_enabled=TRUE)
27 | reg <- acr$get_docker_registry(as_admin=TRUE)
28 | expect_true(is_docker_registry(reg))
29 |
30 | cmdline <- "build -f ../resources/hello_dockerfile -t hello-world ."
31 | call_docker(cmdline)
32 |
33 | reg$push("hello-world")
34 |
35 | cmdline <- paste0("image rm ", acrname, ".azurecr.io/hello-world")
36 | call_docker(cmdline)
37 |
38 | expect_true(is_aks(aks))
39 |
40 | clus <- aks$get_cluster()
41 | expect_true(is_kubernetes_cluster(clus))
42 |
43 | hello_yaml <- gsub("acrname", acrname, readLines("../resources/hello.yaml"))
44 | clus$create_registry_secret(reg, email="me@example.com")
45 | clus$create(hello_yaml)
46 | })
47 |
48 |
49 | test_that("AKS/ACR works with managed identity/RBAC",
50 | {
51 | acrname <- make_name(10)
52 | acr <- rg$create_acr(acrname, admin_user_enabled=FALSE)
53 | reg <- acr$get_docker_registry(as_admin=FALSE)
54 | expect_true(is_docker_registry(reg))
55 |
56 | cmdline <- "build -f ../resources/hello_dockerfile -t hello-world ."
57 | call_docker(cmdline)
58 |
59 | reg$push("hello-world")
60 |
61 | cmdline <- paste0("image rm ", acrname, ".azurecr.io/hello-world")
62 | call_docker(cmdline)
63 |
64 | acr$add_role_assignment(aks, "Acrpull")
65 |
66 | clus <- aks$get_cluster()
67 | expect_true(is_kubernetes_cluster(clus))
68 |
69 | hello_yaml <- gsub("acrname", acrname, readLines("../resources/hello.yaml"))
70 | hello_yaml <- gsub("hellodep", "hellodep-rb", hello_yaml)
71 | clus$create(hello_yaml)
72 | })
73 |
74 |
75 | teardown({
76 | options(azure_containers_tool_echo=echo)
77 | suppressMessages(rg$delete(confirm=FALSE))
78 | })
79 |
--------------------------------------------------------------------------------
/tests/testthat/test03c_aks_sp.R:
--------------------------------------------------------------------------------
1 | context("AKS interface with service principal")
2 |
3 | tenant <- Sys.getenv("AZ_TEST_TENANT_ID")
4 | app <- Sys.getenv("AZ_TEST_APP_ID")
5 | password <- Sys.getenv("AZ_TEST_PASSWORD")
6 | subscription <- Sys.getenv("AZ_TEST_SUBSCRIPTION")
7 |
8 | if(tenant == "" || app == "" || password == "" || subscription == "")
9 | skip("Tests skipped: ARM credentials not set")
10 |
11 | rgname <- make_name(10)
12 | rg <- AzureRMR::az_rm$
13 | new(tenant=tenant, app=app, password=password)$
14 | get_subscription(subscription)$
15 | create_resource_group(rgname, location="australiaeast")
16 |
17 | echo <- getOption("azure_containers_tool_echo")
18 | options(azure_containers_tool_echo=FALSE)
19 |
20 | test_that("AKS works with service principal",
21 | {
22 | aksname <- paste0(sample(letters, 10, TRUE), collapse="")
23 | expect_true(is_aks(rg$create_aks(aksname, agent_pools=agent_pool("pool1", 1), managed_identity=FALSE)))
24 | aks <- rg$get_aks(aksname)
25 | expect_true(is_aks(aks))
26 |
27 | expect_message(aks$update_service_password())
28 |
29 | pool1 <- aks$get_agent_pool("pool1")
30 | expect_is(pool1, "az_agent_pool")
31 |
32 | pools <- aks$list_agent_pools()
33 | expect_true(is.list(pools) && length(pools) == 1 && all(sapply(pools, inherits, "az_agent_pool")))
34 |
35 | pool2 <- aks$create_agent_pool("pool2", 1, disksize=500, wait=TRUE)
36 | expect_is(pool2, "az_agent_pool")
37 |
38 | pools <- aks$list_agent_pools()
39 | expect_true(is.list(pools) && length(pools) == 2 && all(sapply(pools, inherits, "az_agent_pool")))
40 |
41 | expect_message(pool2$delete(confirm=FALSE))
42 |
43 | clus <- aks$get_cluster()
44 | expect_true(is_kubernetes_cluster(clus))
45 | })
46 |
47 |
48 | teardown({
49 | options(azure_containers_tool_echo=echo)
50 | suppressMessages(rg$delete(confirm=FALSE))
51 | })
52 |
--------------------------------------------------------------------------------
/tests/testthat/test03d_aks_acr_sp.R:
--------------------------------------------------------------------------------
1 | context("AKS-ACR interop with service principal")
2 |
3 | tenant <- Sys.getenv("AZ_TEST_TENANT_ID")
4 | app <- Sys.getenv("AZ_TEST_APP_ID")
5 | password <- Sys.getenv("AZ_TEST_PASSWORD")
6 | subscription <- Sys.getenv("AZ_TEST_SUBSCRIPTION")
7 |
8 | if(tenant == "" || app == "" || password == "" || subscription == "")
9 | skip("Tests skipped: ARM credentials not set")
10 |
11 | rgname <- make_name(10)
12 | rg <- AzureRMR::az_rm$
13 | new(tenant=tenant, app=app, password=password)$
14 | get_subscription(subscription)$
15 | create_resource_group(rgname, location="australiaeast")
16 |
17 | echo <- getOption("azure_containers_tool_echo")
18 | options(azure_containers_tool_echo=FALSE)
19 |
20 | aksname <- make_name(10)
21 | aks <- rg$create_aks(aksname, agent_pools=agent_pool("pool1", 1), managed_identity=FALSE)
22 |
23 | test_that("AKS/ACR works with service principal",
24 | {
25 | acrname <- make_name(10)
26 | acr <- rg$create_acr(acrname, admin_user_enabled=TRUE)
27 | reg <- acr$get_docker_registry(as_admin=TRUE)
28 | expect_true(is_docker_registry(reg))
29 |
30 | cmdline <- "build -f ../resources/hello_dockerfile -t hello-world ."
31 | call_docker(cmdline)
32 |
33 | reg$push("hello-world")
34 |
35 | cmdline <- paste0("image rm ", acrname, ".azurecr.io/hello-world")
36 | call_docker(cmdline)
37 |
38 | expect_true(is_aks(aks))
39 |
40 | clus <- aks$get_cluster()
41 | expect_true(is_kubernetes_cluster(clus))
42 |
43 | hello_yaml <- gsub("acrname", acrname, readLines("../resources/hello.yaml"))
44 | clus$create_registry_secret(reg, email="me@example.com")
45 | clus$create(hello_yaml)
46 | })
47 |
48 |
49 | test_that("AKS/ACR works with service principal/RBAC",
50 | {
51 | acrname <- make_name(10)
52 | acr <- rg$create_acr(acrname, admin_user_enabled=FALSE)
53 | reg <- acr$get_docker_registry(as_admin=FALSE)
54 | expect_true(is_docker_registry(reg))
55 |
56 | cmdline <- "build -f ../resources/hello_dockerfile -t hello-world ."
57 | call_docker(cmdline)
58 |
59 | reg$push("hello-world")
60 |
61 | cmdline <- paste0("image rm ", acrname, ".azurecr.io/hello-world")
62 | call_docker(cmdline)
63 |
64 | acr$add_role_assignment(aks, "Acrpull")
65 |
66 | clus <- aks$get_cluster()
67 | expect_true(is_kubernetes_cluster(clus))
68 |
69 | hello_yaml <- gsub("acrname", acrname, readLines("../resources/hello.yaml"))
70 | hello_yaml <- gsub("hellodep", "hellodep-rb", hello_yaml)
71 | clus$create(hello_yaml)
72 | })
73 |
74 |
75 | teardown({
76 | options(azure_containers_tool_echo=echo)
77 | suppressMessages(rg$delete(confirm=FALSE))
78 | })
79 |
--------------------------------------------------------------------------------
/tests/testthat/test03e_aks_oldnodes.R:
--------------------------------------------------------------------------------
1 | context("AKS interface with availability set")
2 |
3 | tenant <- Sys.getenv("AZ_TEST_TENANT_ID")
4 | app <- Sys.getenv("AZ_TEST_APP_ID")
5 | password <- Sys.getenv("AZ_TEST_PASSWORD")
6 | subscription <- Sys.getenv("AZ_TEST_SUBSCRIPTION")
7 |
8 | if(tenant == "" || app == "" || password == "" || subscription == "")
9 | skip("Tests skipped: ARM credentials not set")
10 |
11 | rgname <- make_name(10)
12 | rg <- AzureRMR::az_rm$
13 | new(tenant=tenant, app=app, password=password)$
14 | get_subscription(subscription)$
15 | create_resource_group(rgname, location="australiaeast")
16 |
17 | echo <- getOption("azure_containers_tool_echo")
18 | options(azure_containers_tool_echo=FALSE)
19 |
20 | test_that("AKS works with availability set",
21 | {
22 | aksname <- make_name(10)
23 | expect_true(is_aks(rg$create_aks(aksname, agent_pools=agent_pool("pool1", 1, use_scaleset=FALSE),
24 | managed_identity=TRUE)))
25 |
26 | aks <- rg$get_aks(aksname)
27 | expect_true(is_aks(aks))
28 |
29 | pool1 <- aks$get_agent_pool("pool1")
30 | expect_is(pool1, "az_agent_pool")
31 |
32 | pools <- aks$list_agent_pools()
33 | expect_true(is.list(pools) && length(pools) == 1 && all(sapply(pools, inherits, "az_agent_pool")))
34 |
35 | expect_error(aks$create_agent_pool("pool2", 1, disksize=500, wait=TRUE))
36 |
37 | clus <- aks$get_cluster()
38 | expect_true(is_kubernetes_cluster(clus))
39 | })
40 |
41 |
42 | teardown({
43 | options(azure_containers_tool_echo=echo)
44 | suppressMessages(rg$delete(confirm=FALSE))
45 | })
46 |
--------------------------------------------------------------------------------
/tests/testthat/test03f_aks_private.R:
--------------------------------------------------------------------------------
1 | context("AKS interface with managed identity/private cluster")
2 |
3 | tenant <- Sys.getenv("AZ_TEST_TENANT_ID")
4 | app <- Sys.getenv("AZ_TEST_APP_ID")
5 | password <- Sys.getenv("AZ_TEST_PASSWORD")
6 | subscription <- Sys.getenv("AZ_TEST_SUBSCRIPTION")
7 |
8 | if(tenant == "" || app == "" || password == "" || subscription == "")
9 | skip("Tests skipped: ARM credentials not set")
10 |
11 | rgname <- make_name(10)
12 | rg <- AzureRMR::az_rm$
13 | new(tenant=tenant, app=app, password=password)$
14 | get_subscription(subscription)$
15 | create_resource_group(rgname, location="australiaeast")
16 |
17 | echo <- getOption("azure_containers_tool_echo")
18 | options(azure_containers_tool_echo=FALSE)
19 |
20 | test_that("AKS works with private cluster",
21 | {
22 | aksname <- make_name(10)
23 | expect_true(is_aks(rg$create_aks(aksname, agent_pools=agent_pool("pool1", 1),
24 | managed_identity=TRUE, private_cluster=TRUE)))
25 | aks <- rg$get_aks(aksname)
26 | expect_true(is_aks(aks))
27 |
28 | # no SP password with svc identity
29 | expect_error(aks$update_service_password())
30 |
31 | pool1 <- aks$get_agent_pool("pool1")
32 | expect_is(pool1, "az_agent_pool")
33 |
34 | pools <- aks$list_agent_pools()
35 | expect_true(is.list(pools) && length(pools) == 1 && all(sapply(pools, inherits, "az_agent_pool")))
36 |
37 | clus <- aks$get_cluster()
38 | expect_true(is_kubernetes_cluster(clus))
39 | })
40 |
41 |
42 | teardown({
43 | options(azure_containers_tool_echo=echo)
44 | suppressMessages(rg$delete(confirm=FALSE))
45 | })
46 |
--------------------------------------------------------------------------------
/vignettes/perms2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/cloudyr/AzureContainers/e1c3644eb2dd4e4167ad79d5816f1ef06a7011eb/vignettes/perms2.png
--------------------------------------------------------------------------------
/vignettes/vig01_plumber_deploy.Rmd:
--------------------------------------------------------------------------------
1 | ---
2 | title: "Deploying a prediction service with Plumber"
3 | Author: Hong Ooi
4 | output: rmarkdown::html_vignette
5 | vignette: >
6 | %\VignetteIndexEntry{Plumber model deployment}
7 | %\VignetteEngine{knitr::rmarkdown}
8 | %\VignetteEncoding{utf8}
9 | ---
10 |
11 | This document shows how you can deploy a fitted model as a web service using ACR, ACI and AKS. The framework used is [Plumber](https://www.rplumber.io), a package to expose your R code as a service via a REST API.
12 |
13 |
14 | ## Fit the model
15 |
16 | We'll fit a simple model for illustrative purposes, using the Boston housing dataset which ships with R (in the MASS package). To make the deployment process more interesting, the model we fit will be a random forest, using the randomForest package.
17 |
18 | ```r
19 | data(Boston, package="MASS")
20 | library(randomForest)
21 |
22 | # train a model for median house price as a function of the other variables
23 | bos_rf <- randomForest(medv ~ ., data=Boston, ntree=100)
24 |
25 | # save the model
26 | saveRDS(bos_rf, "bos_rf.rds")
27 | ```
28 |
29 | ## Scoring script for plumber
30 |
31 | Now that we have the model, we also need a script to obtain predicted values from it given a set of inputs:
32 |
33 | ```r
34 | # save as bos_rf_score.R
35 |
36 | bos_rf <- readRDS("bos_rf.rds")
37 | library(randomForest)
38 |
39 | #* @param df data frame of variables
40 | #* @post /score
41 | function(req, df)
42 | {
43 | df <- as.data.frame(df)
44 | predict(bos_rf, df)
45 | }
46 | ```
47 |
48 | This is fairly straightforward, but the comments may require some explanation. They are plumber annotations that tell it to call the function if the server receives a HTTP POST request with the path `/score`, and query parameter `df`. The value of the `df` parameter is then converted to a data frame, and passed to the randomForest `predict` method.
49 |
50 |
51 | ## Create a Dockerfile
52 |
53 | Let's package up the model and the scoring script into a Docker image. A Dockerfile to do this would look like the following. This uses the base image supplied by Plumber (`trestletech/plumber`), installs randomForest, and then adds the model and the above scoring script. Finally, it runs the code that will start the server and listen on port 8000.
54 |
55 | ```dockerfile
56 | # example Dockerfile to expose a plumber service
57 |
58 | FROM trestletech/plumber
59 |
60 | # install the randomForest package
61 | RUN R -e 'install.packages(c("randomForest"))'
62 |
63 | # copy model and scoring script
64 | RUN mkdir /data
65 | COPY bos_rf.rds /data
66 | COPY bos_rf_score.R /data
67 | WORKDIR /data
68 |
69 | # plumb and run server
70 | EXPOSE 8000
71 | ENTRYPOINT ["R", "-e", \
72 | "pr <- plumber::plumb('/data/bos_rf_score.R'); pr$run(host='0.0.0.0', port=8000)"]
73 | ```
74 |
75 | ## Build and upload the image
76 |
77 | The code to store our image on Azure Container Registry is as follows. If you are running this code, you should substitute the values of `tenant`, `app` and/or `secret` from your Azure service principal. Similarly, if you are using the public Azure cloud, note that all ACR instances share a common DNS namespace, as do all ACI and AKS instances.
78 |
79 | For more information on how to create a service principal, see the [AzureRMR readme](https://github.com/cloudyr/AzureRMR).
80 |
81 | ```r
82 | library(AzureContainers)
83 |
84 | # create a resource group for our deployments
85 | deployresgrp <- AzureRMR::get_azure_login()$
86 | get_subscription("sub_id")$
87 | create_resource_group("deployresgrp", location="australiaeast")
88 |
89 | # create container registry
90 | deployreg_svc <- deployresgrp$create_acr("deployreg")
91 |
92 | # build image 'bos_rf'
93 | call_docker("build -t bos_rf .")
94 |
95 | # upload the image to Azure
96 | deployreg <- deployreg_svc$get_docker_registry(as_admin=TRUE)
97 | deployreg$push("bos_rf")
98 | ```
99 |
100 | If you run this code, you should see a lot of output indicating that R is downloading, compiling and installing randomForest, and finally that the image is being pushed to Azure. (You will see this output even if your machine already has the randomForest package installed. This is because the package is being installed to the R session _inside the container_, which is distinct from the one running the code shown here.)
101 |
102 | All Docker calls in AzureContainers, like the one to build the image, return the actual docker commandline as the `cmdline` attribute of the (invisible) returned value. In this case, the commandline is `docker build -t bos_rf .` Similarly, the `push()` method actually involves two Docker calls, one to retag the image, and the second to do the actual pushing; the returned value in this case will be a 2-component list with the command lines being `docker tag bos_rf deployreg.azurecr.io/bos_rf` and `docker push deployreg.azurecr.io/bos_rf`.
103 |
104 |
105 | ## Deploy to an Azure Container Instance
106 |
107 | The simplest way to deploy a service is via a Container Instance. The following code creates a single running container which contains our model, listening on port 8000.
108 |
109 | ```r
110 | # create an instance with 2 cores and 8GB memory, and deploy our image
111 | deployaci <- deployresgrp$create_aci("deployaci",
112 | image="deployreg.azurecr.io/bos_rf",
113 | registry_creds=deployreg,
114 | cores=2, memory=8,
115 | ports=aci_ports(8000))
116 | ```
117 |
118 | Once the instance is running, let's call the prediction API with some sample data. By default, AzureContainers will assign the container a domain name with prefix taken from the instance name. The port is 8000 as specified in the Dockerfile, and the URI path is `/score` indicating we want to call the scoring function defined earlier.
119 |
120 | The data to be scored---the first 10 rows of the Boston dataset---is passed in the _body_ of the request as a named list, encoded as JSON. A feature of Plumber is that, when the body of the request is in this format, it will extract the elements of the list and pass them to the scoring function as named arguments. This makes it easy to pass around relatively large amounts of data, eg if the data is wide, or for scoring multiple rows at a time. For more information on how to create and interact with Plumber APIs, consult the [Plumber documentation](https://www.rplumber.io/docs/).
121 |
122 | ```r
123 | response <- httr::POST("http://deployaci.australiaeast.azurecontainer.io:8000/score",
124 | body=list(df=MASS::Boston[1:10,]), encode="json")
125 | httr::content(response, simplifyVector=TRUE)
126 | #> [1] 25.9269 22.0636 34.1876 33.7737 34.8081 27.6394 21.8007 22.3577 16.7812 18.9785
127 | ```
128 |
129 |
130 | ## Deploy to a Kubernetes cluster
131 |
132 | Deploying a service to a container instance is simple, but lacks many features that are important in a production setting. A better alternative for production purposes is to deploy to a Kubernetes cluster. Such a cluster can be created using Azure Kubernetes Service (AKS).
133 |
134 | ```r
135 | # create a Kubernetes cluster with 2 nodes, running Linux (the default)
136 | deployclus_svc <- deployresgrp$create_aks("deployclus", agent_pools=agent_pool("pool1", 2))
137 | ```
138 |
139 | Unlike an ACI resource, creating a Kubernetes cluster can take several minutes. By default, the `create_aks()` method will wait until the cluster provisioning is complete before it returns.
140 |
141 | Having created the cluster, we can deploy our model and create a service. We'll use a YAML configuration file to specify the details for the deployment and service API. The image to be deployed is the same as before.
142 |
143 | ```yaml
144 | apiVersion: apps/v1
145 | kind: Deployment
146 | metadata:
147 | name: bos-rf
148 | spec:
149 | selector:
150 | matchLabels:
151 | app: bos-rf
152 | replicas: 1
153 | template:
154 | metadata:
155 | labels:
156 | app: bos-rf
157 | spec:
158 | containers:
159 | - name: bos-rf
160 | image: deployreg.azurecr.io/bos_rf
161 | ports:
162 | - containerPort: 8000
163 | resources:
164 | requests:
165 | cpu: 250m
166 | limits:
167 | cpu: 500m
168 | imagePullSecrets:
169 | - name: deployreg.azurecr.io
170 | ---
171 | apiVersion: v1
172 | kind: Service
173 | metadata:
174 | name: bos-rf-svc
175 | spec:
176 | selector:
177 | app: bos-rf
178 | type: LoadBalancer
179 | ports:
180 | - protocol: TCP
181 | port: 8000
182 | ```
183 |
184 | The following code will obtain the cluster endpoint from the AKS resource and then deploy the image and service to the cluster. The configuration details for the `deployclus` cluster are stored in a file located in the R temporary directory; all of the cluster's methods will use this file. Unless told otherwise, AzureContainers does not touch your default Kubernetes configuration (`~/kube/config`).
185 |
186 | ```r
187 | # grant the cluster pull access to the registry
188 | deployreg_svc$add_role_assignment(deployclus_svc, "Acrpull")
189 |
190 | # get the cluster endpoint
191 | deployclus <- deployclus_svc$get_cluster()
192 |
193 | # create and start the service
194 | deployclus$create("bos_rf.yaml")
195 | ```
196 |
197 | To check on the progress of the deployment, run the `get()` methods specifying the type and name of the resource to get information on. As with Docker, these correspond to calls to the `kubectl` commandline tool, and again, the actual commandline is stored as the `cmdline` attribute of the returned value.
198 |
199 | ```r
200 | deployclus$get("deployment bos-rf")
201 | #> Kubernetes operation: get deployment bos-rf --kubeconfig=".../kubeconfigxxxx"
202 | #> NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
203 | #> bos-rf 1 1 1 1 5m
204 |
205 | svc <- read.table(text=deployclus$get("service bos-rf-svc")$stdout, header=TRUE)
206 | #> Kubernetes operation: get service bos-rf-svc --kubeconfig=".../kubeconfigxxxx"
207 | #> NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
208 | #> bos-rf-svc LoadBalancer 10.0.8.189 52.187.249.58 8000:32276/TCP 5m
209 | ```
210 |
211 | Once the service is up and running, as indicated by the presence of an external IP in the service details, let's test it with a HTTP request. The response should be the same as it was with the container instance. Notice how we extract the IP address from the service details above.
212 |
213 | ```r
214 | response <- httr::POST(paste0("http://", svc$EXTERNAL.IP[1], ":8000/score"),
215 | body=list(df=MASS::Boston[1:10, ]), encode="json")
216 | httr::content(response, simplifyVector=TRUE)
217 | #> [1] 25.9269 22.0636 34.1876 33.7737 34.8081 27.6394 21.8007 22.3577 16.7812 18.9785
218 | ```
219 |
220 | Finally, once we are done, we can tear down the service and deployment. Depending on the version of Kubernetes the cluster is running, deleting the service may take a few minutes.
221 |
222 | ```r
223 | deployclus$delete("service", "bos-rf-svc")
224 | deployclus$delete("deployment", "bos-rf")
225 | ```
226 |
227 | And if required, we can also delete all the resources created here, by simply deleting the resource group (AzureContainers will prompt you for confirmation):
228 |
229 | ```r
230 | deployresgrp$delete()
231 | ```
232 |
233 | ### Security note
234 |
235 | One important thing to note about the above example is that it is **insecure**. The Plumber service is exposed over HTTP, and there is no authentication layer: anyone on the Internet can contact the service and interact with it. Therefore, it's highly recommended that you should provide at least some level of authentication, as well as restricting the service to HTTPS only (this will require deploying an ingress controller to the Kubernetes cluster). You can also create the AKS resource as a private cluster; however, be aware that if you do this, you can only interact with the cluster endpoint from a host which is on the cluster's own subnet.
236 |
237 |
238 | ## See also
239 |
240 | Plumber is a relatively simple framework for creating and deploying services. As an alternative, the [RestRserve](https://restrserve.org) package is a more comprehensive framework, built on top of functionality provided by Rserve. It includes features such as automatic parallelisation, support for HTTPS, and support for basic and bearer authentication schemes. See the vignette "Deploying an ACI service with HTTPS and authentication" for more information.
241 |
--------------------------------------------------------------------------------
/vignettes/vig02_restrserve_deploy_aci.Rmd:
--------------------------------------------------------------------------------
1 | ---
2 | title: "Deploying an ACI service with HTTPS and authentication"
3 | Author: Hong Ooi
4 | output: rmarkdown::html_vignette
5 | vignette: >
6 | %\VignetteIndexEntry{RestRserve model deployment to ACI}
7 | %\VignetteEngine{knitr::rmarkdown}
8 | %\VignetteEncoding{utf8}
9 | ---
10 |
11 | This document shows how you can deploy a fitted model as a web service to an Azure Container Instance, using the [RestRserve](https://restrserve.org) package. RestRserve has a number of features that can make it more suitable than Plumber for building robust, production-ready services. These include:
12 |
13 | - Automatic parallelisation, based on the Rserve backend
14 | - Support for HTTPS
15 | - Support for basic and bearer HTTP authentication schemes
16 |
17 | In particular, we'll show how to implement the latter two features in this vignette.
18 |
19 | ## Deployment artifacts
20 |
21 | ### Model object
22 |
23 | For illustrative purposes, we'll reuse the random forest model and resource group from the Plumber deployment vignette. The code to fit the model is reproduced below for convenience.
24 |
25 | ```r
26 | data(Boston, package="MASS")
27 | library(randomForest)
28 |
29 | # train a model for median house price as a function of the other variables
30 | bos_rf <- randomForest(medv ~ ., data=Boston, ntree=100)
31 |
32 | # save the model
33 | saveRDS(bos_rf, "bos_rf.rds")
34 | ```
35 |
36 | Basic authentication requires that we provide a list of usernames and passwords that grant access to the service. In a production setting, you would typically query a database, directory service or other backing store to authenticate users. To keep this example simple, we'll just create a flat file in the standard [Apache `.htpasswd` format](https://en.wikipedia.org/wiki/.htpasswd). In this format, the passwords are encrypted using a variety of algorithms, as a security measure; we'll use the bcrypt algorithm since an R implementation is available in the package of that name.
37 |
38 | ```r
39 | library(bcrypt)
40 |
41 | user_list <- list(
42 | c("user1", "password1"),
43 | c("user2", "password2")
44 | )
45 | user_str <- sapply(user_list, function(x) paste(x[1], hashpw(x[2]), sep=":"))
46 | writeLines(user_str, ".htpasswd")
47 | ```
48 |
49 | ### TLS certificate/private key
50 |
51 | To enable HTTPS, we need to provide a TLS certificate and private key. Again, in a production setting, the cert will typically be provided to you; for this vignette, we'll generate a self-signed cert instead. If you are running Linux or MacOS and have openssl installed, you can use that to generate the cert. Here, since we're already using Azure, we'll leverage the Azure Key Vault service to do it in a platform-independent manner.
52 |
53 | ```r
54 | library(AzureRMR)
55 | library(AzureContainers)
56 | library(AzureKeyVault)
57 |
58 | deployresgrp <- AzureRMR::get_azure_login()$
59 | get_subscription("sub_id")$
60 | get_resource_group("deployresgrp")
61 |
62 | # create the key vault
63 | vault_res <- deployresgrp$create_key_vault("mykeyvault")
64 |
65 | # get the vault endpoint
66 | kv <- vault_res$get_endpoint()
67 |
68 | # generate the certificate: use the DNS name of the ACI container endpoint
69 | kv$certificates$create(
70 | "deployrrsaci",
71 | "CN=deployrrsaci",
72 | x509=cert_x509_properties(dns_names=c("deployrrsaci.australiaeast.azurecontainer.io"))
73 | )
74 | secret <- kv$secrets$get("deployrrsaci")
75 | key <- sub("-----BEGIN CERTIFICATE-----.*$", "", secret$value)
76 | cer <- sub("^.*-----END PRIVATE KEY-----\n", "", secret$value)
77 | writeLines(key, "cert.key")
78 | writeLines(cer, "cert.cer")
79 | ```
80 |
81 | ### App
82 |
83 | Unlike Plumber, in RestRserve you define your service in R code, as a web app. An app is an object of R6 class `Application`: it contains various middleware and backend objects, and exposes the endpoint paths for your service. The overall server backend is of R6 class `BackendRserve`, and has responsibility for running and managing the app.
84 |
85 | The script below defines an app that exposes the scoring function on the `/score` path. Save this as `app.R`:
86 |
87 | ```r
88 | library(RestRserve)
89 | library(randomForest)
90 |
91 | bos_rf <- readRDS("bos_rf.rds")
92 |
93 | users <- local({
94 | usr <- read.table(".htpasswd", sep=":", stringsAsFactors=FALSE)
95 | structure(usr[[2]], names=usr[[1]])
96 | })
97 |
98 | # scoring function: calls predict() on the provided dataset
99 | # - input is a jsonified data frame, in the body of a POST request
100 | # - output is the predicted values
101 | score <- function(request, response)
102 | {
103 | df <- jsonlite::fromJSON(rawToChar(request$body), simplifyDataFrame=TRUE)
104 | sc <- predict(bos_rf, df)
105 |
106 | response$set_body(jsonlite::toJSON(sc, auto_unbox=TRUE))
107 | response$set_content_type("application/json")
108 | }
109 |
110 | # basic authentication against provided username/password values
111 | # use try() construct to ensure robustness against malicious input
112 | authenticate <- function(user, password)
113 | {
114 | res <- FALSE
115 | try({
116 | res <- bcrypt::checkpw(password, users[[user]])
117 | }, silent=TRUE)
118 | res
119 | }
120 |
121 | # chain of objects for app
122 | auth_backend <- AuthBackendBasic$new(FUN=authenticate)
123 | auth_mw <- AuthMiddleware$new(auth_backend=auth_backend, routes="/score")
124 | app <- Application$new(middleware=list(auth_mw))
125 | app$add_post(path="/score", FUN=score)
126 |
127 | backend <- BackendRserve$new(app)
128 | ```
129 |
130 | ### Dockerfile
131 |
132 | Here is the dockerfile for the image. Save this as `RestRserve-aci.dockerfile`:
133 |
134 | ```dockerfile
135 | FROM rexyai/restrserve
136 |
137 | # install required packages
138 | RUN Rscript -e "install.packages(c('randomForest', 'bcrypt'), repos='https://cloud.r-project.org')"
139 |
140 | # copy model object, cert files, user file and app script
141 | RUN mkdir /data
142 | COPY bos_rf.rds /data
143 | COPY .htpasswd /data
144 | COPY cert.cer /data
145 | COPY cert.key /data
146 | COPY app.R /data
147 |
148 | WORKDIR /data
149 |
150 | EXPOSE 8080
151 |
152 | CMD ["Rscript", "-e", "source('app.R'); backend$start(app, http_port=-1, https.port=8080, tls.key=normalizePath('cert.key'), tls.cert=normalizePath('cert.cer'))"]
153 | ```
154 |
155 | ## Create the container
156 |
157 | We now build the image and upload it to an Azure Container Registry. This assumes a fresh start; if you have created an ACR in this resource group already, you can reuse that instead by calling `get_acr` instead of `create_acr`.
158 |
159 | ```r
160 | call_docker("build -t rrs-aci -f RestRserve-aci.dockerfile .")
161 |
162 | deployreg_svc <- deployresgrp$create_acr("deployreg")
163 | deployreg <- deployreg_svc$get_docker_registry(as_admin=TRUE)
164 | deployreg$push("rrs-aci")
165 | ```
166 |
167 | We can now deploy the image to ACI and obtain predicted values from the RestRserve app. Because we used a self-signed certificate in this example, we need to turn off the SSL verification check that curl performs by default. There may also be a short delay from when the container is started, to when the app is ready to accept requests.
168 |
169 | ```r
170 | # ensure the name of the resource matches the one on the cert we obtained above
171 | deployresgrp$create_aci("deployrrsaci",
172 | image="deployreg.azurecr.io/bos-rrs-https",
173 | registry_creds=deployreg,
174 | cores=2, memory=8,
175 | ports=aci_ports(8080))
176 |
177 | Sys.sleep(30)
178 |
179 | # tell curl not to verify the cert
180 | unverified_handle <- function()
181 | {
182 | structure(list(
183 | handle=curl::handle_setopt(curl::new_handle(), ssl_verifypeer=FALSE),
184 | url="https://deployrrsaci.australiaeast.azurecontainer.io"),
185 | class="handle")
186 | }
187 |
188 | # send the username and password as part of the request
189 | response <- httr::POST("https://deployrrsaci.australiaeast.azurecontainer.io:8080/score",
190 | httr::authenticate("user1", "password1"),
191 | body=MASS::Boston[1:10, ], encode="json",
192 | handle=unverified_handle())
193 |
194 | httr::content(response, simplifyVector=TRUE)
195 | #> [1] 25.9269 22.0636 34.1876 33.7737 34.8081 27.6394 21.8007 22.3577 16.7812 18.9785
196 | ```
197 |
--------------------------------------------------------------------------------
/vignettes/vig03_securing_aks_traefik.Rmd:
--------------------------------------------------------------------------------
1 | ---
2 | title: "Securing an AKS deployment with Traefik"
3 | Author: Hong Ooi
4 | output: rmarkdown::html_vignette
5 | vignette: >
6 | %\VignetteIndexEntry{Securing an AKS deployment with Traefik}
7 | %\VignetteEngine{knitr::rmarkdown}
8 | %\VignetteEncoding{utf8}
9 | ---
10 |
11 | The vignette "Deploying a prediction service with Plumber" showed you how to deploy a simple prediction service to a Kubernetes cluster in Azure. That deployment had a number of drawbacks: chiefly, it was open to the public, and used HTTP and thus was vulnerable to man-in-the-middle (MITM) attacks. Here, we'll show how to address these issues with basic authentication and HTTPS. To run the code in this vignette, you'll need the helm binary installed on your machine in addition to docker and kubectl.
12 |
13 | ## Model object and image
14 |
15 | We'll reuse the image from the Plumber vignette. The code and artifacts to build this image are reproduced below for convenience.
16 |
17 | Save the model object:
18 |
19 | ```r
20 | data(Boston, package="MASS")
21 | library(randomForest)
22 |
23 | # train a model for median house price as a function of the other variables
24 | bos_rf <- randomForest(medv ~ ., data=Boston, ntree=100)
25 |
26 | # save the model
27 | saveRDS(bos_rf, "bos_rf.rds")
28 | ```
29 |
30 | Scoring script:
31 |
32 | ```r
33 | bos_rf <- readRDS("bos_rf.rds")
34 | library(randomForest)
35 |
36 | #* @param df data frame of variables
37 | #* @post /score
38 | function(req, df)
39 | {
40 | df <- as.data.frame(df)
41 | predict(bos_rf, df)
42 | }
43 | ```
44 |
45 | Dockerfile:
46 |
47 | ```dockerfile
48 | FROM trestletech/plumber
49 |
50 | # install the randomForest package
51 | RUN R -e 'install.packages(c("randomForest"))'
52 |
53 | # copy model and scoring script
54 | RUN mkdir /data
55 | COPY bos_rf.rds /data
56 | COPY bos_rf_score.R /data
57 | WORKDIR /data
58 |
59 | # plumb and run server
60 | EXPOSE 8000
61 | ENTRYPOINT ["R", "-e", \
62 | "pr <- plumber::plumb('/data/bos_rf_score.R'); pr$run(host='0.0.0.0', port=8000)"]
63 | ```
64 |
65 | Build and upload the image to ACR:
66 |
67 | ```r
68 | library(AzureContainers)
69 |
70 | # create a resource group for our deployments
71 | deployresgrp <- AzureRMR::get_azure_login()$
72 | get_subscription("sub_id")$
73 | create_resource_group("deployresgrp", location="australiaeast")
74 |
75 | # create container registry
76 | deployreg_svc <- deployresgrp$create_acr("deployreg")
77 |
78 | # build image 'bos_rf'
79 | call_docker("build -t bos_rf .")
80 |
81 | # upload the image to Azure
82 | deployreg <- deployreg_svc$get_docker_registry()
83 | deployreg$push("bos_rf")
84 | ```
85 |
86 | ## Deploy to AKS
87 |
88 | Create a new AKS resource for this deployment:
89 |
90 | ```r
91 | # create a Kubernetes cluster
92 | deployclus_svc <- deployresgrp$create_aks("secureclus", agent_pools=agent_pool("pool1", 2))
93 |
94 | # grant the cluster pull access to the registry
95 | deployreg_svc$add_role_assignment(deployclus_svc, "Acrpull")
96 | ```
97 |
98 | ### Install traefik
99 |
100 | The middleware we'll use to enable HTTPS and authentication is [Traefik](https://traefik.io/traefik/). This features built-in integration with Let's Encrypt, which is a popular source for TLS certificates (necessary for HTTPS). An alternative to Traefik is [Nginx](https://www.f5.com/go/product/welcome-to-nginx).
101 |
102 | Deploying traefik and enabling HTTPS involves the following steps, on top of deploying the model service itself:
103 |
104 | - Install traefik
105 | - Assign a domain name to the cluster's public IP address
106 | - Deploy the ingress route
107 |
108 | The following yaml contains the configuration parameters for traefik. Insert your email address where indicated (it will be used to obtain a certificate from Let's Encrypt), and save this as `traefik_values.yaml`.
109 |
110 | ```yaml
111 | # traefik_values.yaml
112 | fullnameOverride: traefik
113 | replicas: 1
114 | resources:
115 | limits:
116 | cpu: 500m
117 | memory: 500Mi
118 | requests:
119 | cpu: 100m
120 | memory: 200Mi
121 | externalTrafficPolicy: Local
122 | kubernetes:
123 | ingressClass: traefik
124 | ingressEndpoint:
125 | useDefaultPublishedService: true
126 | dashboard:
127 | enabled: false
128 | debug:
129 | enabled: false
130 | accessLogs:
131 | enabled: true
132 | fields:
133 | defaultMode: keep
134 | headers:
135 | defaultMode: keep
136 | names:
137 | Authorization: redact
138 | rbac:
139 | enabled: true
140 | acme:
141 | enabled: true
142 | email: "email.addr@example.com" # insert your email address here
143 | staging: false
144 | challengeType: tls-alpn-01
145 | ssl:
146 | enabled: true
147 | enforced: true
148 | permanentRedirect: true
149 | tlsMinVersion: VersionTLS12
150 | cipherSuites:
151 | - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
152 | - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
153 | - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
154 | - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
155 | - TLS_RSA_WITH_AES_128_GCM_SHA256
156 | - TLS_RSA_WITH_AES_256_GCM_SHA384
157 | - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
158 | ```
159 |
160 | We can now install traefik:
161 |
162 | ```r
163 | # get the cluster endpoint
164 | deployclus <- deployclus_svc$get_cluster()
165 |
166 | deployclus$helm("repo add stable https://kubernetes-charts.storage.googleapis.com/")
167 | deployclus$helm("repo update")
168 | deployclus$helm("install traefik-ingress stable/traefik --namespace kube-system --values traefik_values.yaml")
169 | ```
170 |
171 | ### Assign domain name
172 |
173 | Installing an ingress controller will create a public IP resource, which is the visible address for the cluster. It takes a minute or two for this resource to be created; once it appears, we assign a domain name to it.
174 |
175 | ```r
176 | for(i in 1:100)
177 | {
178 | res <- read.table(text=deployclus$get("service", "--all-namespaces")$stdout, header=TRUE, stringsAsFactors=FALSE)
179 | ip <- res$EXTERNAL.IP[res$NAME == "traefik"]
180 | if(ip != "