Conversation
| } | ||
|
|
||
| // Log vLLM authentication status | ||
| if instructAPIKey, ok := values["instruct"].(map[string]any); ok { |
There was a problem hiding this comment.
I think somehow we need to push this info to applications/workload, any application specific content in the orchestration is a big NO!
| } | ||
|
|
||
| // Log vLLM authentication status | ||
| if instructAPIKey, ok := values["instruct"].(map[string]any); ok { |
There was a problem hiding this comment.
I think somehow we need to push this info to applications/workload, any application specific content in the orchestration is a big NO!
| # @description API key for vLLM instruct service authentication. If empty, authentication is disabled. Provide a key to enable authentication. | ||
| apiKey: "" |
There was a problem hiding this comment.
What is the format the key should be in?
There was a problem hiding this comment.
Plain text format, there is no validation on length or type of characters as of now
| value: ibm-granite/granite-3.3-8b-instruct | ||
| - name: RERANKER_ENDPOINT | ||
| value: http://reranker-predictor:8080 | ||
| value: http://reranker-predictor:8000 |
There was a problem hiding this comment.
Why bringing this change? without spyre it runs on 8080
| {{- if .Values.instruct.apiKey }} | ||
| - name: VLLM_INSTRUCT_API_KEY | ||
| valueFrom: | ||
| secretKeyRef: | ||
| name: vllm-instruct-api-key | ||
| key: apiKey | ||
| {{- end }} |
There was a problem hiding this comment.
Just a query, in case of OpenShift, dont we need to use Service Account?
There was a problem hiding this comment.
I don't think so, this is a static injection similar to opensearch-credentials
There was a problem hiding this comment.
No I meant with RHOAI you could use Token-Based Authentication right?
This uses Seervice Account and you mount the token on service whichever needs communicate with models right?
I havent tried, but I do remember an option of enabling auth while deploying models in RHOAI dashboard
There was a problem hiding this comment.
Hmm, yes, OpenShift AI does support an additional layer through some operators, such as authorino. Perhaps you could reach out to the OpenShift AI team to learn more about that approach? However, it would certainly involve more work like install those additional operator part of the application deployment with an additional specs etc..
I would vote for get started with this in this release and explore the operator way be next release(or add option shift support next release)
sats-23
force-pushed
the
vLLMImpl
branch
2 times, most recently
from
733b81c to
a22d60c
Compare
sats-23
force-pushed
the
vLLMImpl
branch
3 times, most recently
from
4d0981b to
d706a72
Compare
|
@sats-23 how are we exposing the api key to the user if they want to consume the key post running? |
Currently we are passing the API key and consuming it both from backend server and vLLM pod side. So, currently, there is no exposing/showing api key to user. Only in case they want to consume directly from vLLM pod (pod network interface), they will have to pass the api key which is not the general practice in our app. |
| value: "{{ .Values.opensearch.auth.username }}" | ||
| - name: OPENSEARCH_PASSWORD | ||
| value: "{{ .Values.opensearch.auth.password }}" | ||
| {{- if .Values.instruct.apiKey }} |
There was a problem hiding this comment.
Not required for similarity service, since instruct is not used by this service.
There was a problem hiding this comment.
Many methods use /v1/chat/completion API, please analyse all the usage of instruct LLM and add auth header.
- Table summary
- Summarize (stream & non-stream)
- Q&A stream query
There was a problem hiding this comment.
Now, there is a pass through auth for digitize and summarize API.
Only chatbot UI and backend requires user to mention API Key, in all other cases, the key is automatically propagated
There is no neat way to get this now. But it would be great if we can get the values configured for the current deployment via a cli command. |
I assume we should also explain to the user that they need to use it only in case of access vLLM within pod networking. |
|
@dharaneeshvrd @mkumatag @manju956 |
Signed-off-by: Sathvik <Sathvik.S@ibm.com>
Signed-off-by: Sathvik <Sathvik.S@ibm.com>
Signed-off-by: Sathvik <Sathvik.S@ibm.com>
Signed-off-by: Sathvik <Sathvik.S@ibm.com>
Signed-off-by: Sathvik <Sathvik.S@ibm.com>
Signed-off-by: Sathvik <Sathvik.S@ibm.com>
Signed-off-by: Sathvik <Sathvik.S@ibm.com>
Signed-off-by: Sathvik <Sathvik.S@ibm.com>
Signed-off-by: Sathvik <Sathvik.S@ibm.com>
Signed-off-by: Sathvik <Sathvik.S@ibm.com>
Signed-off-by: Sathvik <Sathvik.S@ibm.com>
Signed-off-by: Sathvik <Sathvik.S@ibm.com>
Signed-off-by: Sathvik <Sathvik.S@ibm.com>
Signed-off-by: Sathvik <Sathvik.S@ibm.com>
Signed-off-by: Sathvik <Sathvik.S@ibm.com>
Signed-off-by: Sathvik <Sathvik.S@ibm.com>
Signed-off-by: Sathvik <Sathvik.S@ibm.com>
Signed-off-by: Sathvik <Sathvik.S@ibm.com>
| import uvicorn | ||
|
|
||
| from fastapi import FastAPI, UploadFile, File, HTTPException, BackgroundTasks, Query, status, Request | ||
| from fastapi import FastAPI, UploadFile, File, HTTPException, BackgroundTasks, Query, status, Request, Header |
| } | ||
| } | ||
| } | ||
|
|
There was a problem hiding this comment.
Sry, please remove the changes here too
6 participants
-When Chatbot is loaded, user is prompted with this menu.
-Upon correct API key, user can proceed to use chatbot as usual
-Key remains valid until page refresh
-Wrong API key redirects to same prompt box expecting API key
-Similarly updated Swagger docs as well
-Curl requests with and without auth header when auth is enabled
