Seldon Core 2 can integrate with Azure Event Hub via Kafka protocol.
Warning: You need at least Standard tier for your Event Hub Namespace as Basic tier does not support Kafka protocol.
Warning: Seldon Core 2 creates 2 Kafka topics for each pipeline and model plus one global topic for errors. This means that total number of topics will be 2 x (#models + #pipelines) + 1 which will likely exceed the limit of Standard tier in Azure Event Hub. You can find more information on quotas, like the number of partitions per Event Hub, here.
Prerequisites
To start you will need to have an Azure Event Hub Namespace. You can create one following Azure quickstart docs. Note that you do not need to create an Event Hub (topics) as Seldon Core 2 will require all the topics it needs automatically.
Create API Keys
To connect to Azure Event Hub provided Kafka API you need to obtain:
Kafka Endpoint
Connection String
You can obtain both using Azure Portal as documented here.
You should get the Connection String for a namespace level as we will need to dynamically create new topics.
You may need to tweak replicationFactor and numPartitions to your cluster configuration. The username should read $ConnectionString and this is not a variable for you to replace.
If you have set the local model folder as above then this would be looking at /home/seldon/models/iris.
Tracing
The default local install will provide Jaeger tracing at http://0.0.0.0:16686/search.
Metrics
The default local install will expose Grafana at http://localhost:3000.
Undeploy
From the project root run:
makeundeploy-local
Kubernetes Installation
Prerequisites
Ensure that the version of the Kubernetes cluster meets the requirement listed below. You can create a KinD cluster on your local computer for testing with Ansible.
Here is a list of components that Seldon Core 2 depends on, with minimum and maximum supported versions.
Component
Minimum Version
Maximum Version
Notes
Kubernetes
1.27
1.31
Required
Envoy*
1.32.2
1.32.2
Required
Rclone*
1.68.2
1.68.2
Required
Kafka**
3.4
3.8
Recommended
Prometheus
2.0
2.x
Optional
Grafana
10.0
***
Optional
Prometheus-adapter
0.12
0.12
Optional
Opentelemetry Collector
0.68
***
Optional
* These components are shipped as part of Seldon Core 2 docker images set, users should not install them separately but they need to be aware of the configuration options that are supported by these versions.
** Kafka is only required to operate Seldon Core 2 dataflow Pipelines. If not required then users should not install seldon-modelgateway, seldon-pipelinegateway, and seldon-dataflow-engine.
*** Not hard limit on the maximum version to be used.
Install Ecosystem Components
You also need to install our ecosystem components. For this we provide directions for Ansible to install these.
Component
Summary
Kafka
Required for inference Pipeline usage.
Prometheus
(Optional) Exposes metrics.
Grafana
(Optional) UI for metrics.
OpenTelemetry
(Optional) Exposes tracing.
Jaeger
(Optional) UI for traces.
Install
To install Seldon Core 2 from the source repository, you can choose one of the following methods:
Ansible (recommended for testing, development, or trial)
The Kubernetes operator that is installed runs in namespaced mode so any resources you create need to be in the same namespace as you installed into.
Kustomize
Seldon recommends installing Seldon Core 2 using Helm or Ansible. If you prefer to use Kustomize, you can base your configuration on the raw YAML files you generate in the k8s/yaml folder. Alternatively, you can follow the steps in the k8s/Makefile, which demonstrates how to build the YAML files from the Kustomize bases.
Note: Some dependencies may require that the (virtual) machines on which you deploy, support the SSE4.2 instruction set or x86-64-v2 microarchitecture. If lscpu | grep sse4_2 does not return anything on your machine, your CPU is not compatible, and you may need to update the (virtual) host's CPU.
Seldon Core can be installed either with Docker Compose or with Kubernetes:
By default the standard installation will deploy MLServer and Triton inference servers which provide support for a wide range of machine learning model artifacts including Tensorflow models, PyTorch models, SKlearn models, XGBoost models, ONNX models, TensorRT models, custom python models and many more. For advanced use, the creation of new inference servers is manged by two resources:
Servers - for deploying sets of replicas of core inference servers (MLServer or Triton by default).
ServerConfigs - for defining server configurations including custom servers.
API for Inference
Once deployed models can be called using the Seldon V2 inference protocol. This protocol created by Seldon, NVIDIA and the KServe projects is supported by MLServer and Triton inference servers amingst others and allows REST and gRPC calls to your model.
Your model is exposed via our internal Envoy gateway. If you wish to expose your models in Kubernetes outside the cluster you are free to use any Service Mesh or Ingress technology. Various examples are provided for service mesh integration.
Inference Metrics
Metrics are exposed for scraping by Prometheus. For Kubernetes we provide example instructions for using kube-prometheus.
Pipeline requirements
Pipelines are built upon Kafka streaming technology.
AWS MSK SASL
New in Seldon Core 2.5.0
Seldon Core 2 can integrate with Amazon managed Apache Kafka (MSK). You can control access to your Amazon MSK clusters using sign-in credentials that are stored and secured using AWS Secrets Manager. Storing user credentials in Secrets Manager reduces the overhead of cluster authentication such as auditing, updating, and rotating credentials. Secrets Manager also lets you share user credentials across clusters.
Note: Configuration of the AWS MSK instance itself is out of scope for this example. Please follow the official AWS documentation on how to enable SASL and public access to the Kafka cluster (if required).
Setting up SASL/SCRAM authentication for an Amazon MSK cluster
To setup SASL/SCRAM in an Amazon MSK cluster, please follow the guide from Amazon's Official documentation.
Do not forget to also copy the bootstrap.servers which we will use it in our configuration later below for Seldon.
Create Kubernetes Secret
Seldon Core 2 expects password to be in form of K8s secret.
Set the kafka config map debug setting to all. For Helm install you can set kafka.debug=all.
Ansible
Warning: The Ansible installation of a Seldon Core and associated ecosystem is meant for dev/testing purposes. For production use cases follow Helm installation.
Installing Ansible
Provided Ansible playbooks and roles depends on kubernetes.core Ansible Collection for performing kubectl and helm operations. Check Ansible [documentation] for further information.
If you simply want to install into a fresh local kind k8s cluster, the seldon-all playbook allows you to do so with a single command:
ansible-playbookplaybooks/seldon-all.yaml
This will create a Kind cluster and install ecosystem dependencies (kafka, prometheus, opentelemetry, jager) as well as all the seldon-specific components. The seldon components are installed using helm-charts from the current git checkout (../k8s/helm-charts/).
Internally this runs, in order, the following playbooks (described in more detail in the sections below):
kind-cluster.yaml
setup-ecosystem.yaml
setup-seldon.yaml
You may pass any of the additonal variables which are configurable for those playbooks to seldon-all. See the Customizing Ansible Instalation section for details.
Running the playbooks individually, as described in the sections below, will give you more control over what gets run and when (for example, if you want to install into an existing k8s cluster).
Create Kind Cluster
It is recommended to first install Seldon Core 2 inside Kind cluster. This allow to test and trial the installation in isolated environment that is easy to remove.
ansible-playbookplaybooks/kind-cluster.yaml
Setup Ecosystem
Seldon runs by default in seldon-mesh namespace and a Jaeger pod and and OpenTelemetry collector are installed in the chosen namespace. Run the following:
ansible-playbookplaybooks/setup-ecosystem.yaml
The most common change will be to install in another namespace with:
will only install Kafka when setting up the ecosystem.
type
default
comment
seldon_mesh_namespace
string
seldon-mesh
namespace to install Seldon Core 2
seldon_kafka_namespace
string
seldon-mesh
namespace to install Kafka Cluster for Seldon Core 2
full_install
bool
yes
enables full ecosystem installation
install_kafka
bool
{{ full_install }}
installs Strimzi Kafka Operator
install_prometheus
bool
{{ full_install }}
installs Prometheus Operator
install_grafana
bool
{{ full_install }}
installs Grafana Operator
install_certmanager
bool
{{ full_install }}
installs Cert Manager
install_jaeger
bool
{{ full_install }}
installs Jaeger
install_opentelemetry
bool
{{ full_install }}
installs OpenTelemetry
configure_kafka
bool
{{ install_kafka }}
configures Kafka Cluster for Seldon Core 2
configure_prometheus
bool
{{ install_prometheus }}
configure Prometheus using Seldon Core 2 specific resources
configure_jaeger
bool
{{ install_jaeger }}
configure Jaeger using Seldon Core 2 specific resources
configure_opentelemetry
bool
{{ install_opentelemetry }}
configure OpenTelemetry using Seldon Core 2 specific resources
Seldon Core 2 configuration options
type
default
comment
seldon_kafka_namespace
string
seldon-mesh
namespace to install Kafka
seldon_mesh_namespace
string
seldon-mesh
namespace to install Seldon
seldon_crds_namespace
string
default
namespace to install Seldon CRDs
full_install
bool
yes
enables full ecosystem installation
install_crds
bool
{{ full_install }}
installs Seldon CRDs
install_components
bool
{{ full_install }}
install Seldon components
install_servers
bool
{{ full_install }}
install Seldon servers
Custom Seldon images and private registries
By default, the container images used in the install are the ones defined by the helm charts (referring to images publicly available on dockerhub).
If you need to customize the images (i.e pull from private registry, pull given tag), create a custom images config file following the example in playbooks/vars/set-custom-images.yaml and run with:
If, instead of pulling images from an external repository you want to build certain components locally, please read README.dev.md
Private registries
When using private registries, access needs to be authenticated (typically, via a service account key), and the k8s cluster will need to have access to a secret holding this key to be able to pull images.
The setup-seldon.yaml playbook will create the required k8s secrets inside the cluster if it is provided with an auth file in dockerconfigjson format. You provide the path to this file by cusomizing the custom_image_pull_secrets.dockerconfigjson variable and define the secret name via custom_image_pull_secrets.name in the custom images config file (the one passed to the playbook via -e @file).
By default, docker creates the dockerconfigjson auth file in ~/.docker/config.json after passing the service-account key to docker login.
The docker login command would look like this (key in json format):
Because the additional custom images config file (starting from the playbooks/vars/set-custom-images.yaml example) overrides values in the helm-charts available in the repo, there's also a playbook option of saving those overrides as a separate values file, which could be used if deploying manually via helm.
This is controlled via two variables:
type
default
comment
save_helm_components_overrides
bool
false
enable saving helm values overrides
save_helm_components_overrides_file
string
~/seldon_helm_comp_values.yaml
path/filename for saving overrides
You can either pass those within the custom images config file or directly when running the playbook. For example, for just saving the helm-chart overrides (without installing seldon components), you would run:
Please note that when deploying outside ansible via helm using this saved overrides file, and using private registries, you will have to manually create the service-account key secret with the same name as the one defined in your custom image config file under custom_image_pull_secrets.name.
Uninstall
To fully remove the Ansible installation delete the created Kind cluster
kinddeletecluster--nameseldon
This will stop and delete the Kind cluster freeing all of the resources taken by the dev/trial installation. You may want to also remove cache resources used for the installation with
rm-rf~/.cache/seldon/
If you used Ansible to install Seldon Core 2 and its ecosystem into K8s cluster other than Kind you need to manually remove all the components. Notes on how to remove Seldon Core 2 Helm installation itself you can find here.
At present we support mTLS authentication to MSK which can be run from a Kubernetes cluster inside or outside Amazon. If running outside your MSK cluster must have a public endpoint.
You will need to setup Kafka ACLs for your user where the username is the CommonName of the certificate of the client and allow full topic access. For example, to add a user with CN=myname to have full operations using the kafka-acls script with mTLS config setup as described in AWS MSK docs:
Create a secret for the client certificate you created. If you followed the AWS MSK mTLS guide you will need to export your private key from the JKS keystore. The certificate and chain will be provided in PEM format when you get the certificate signed. You can use these to create a secret with:
Create a secret for the broker certificate. If following the AWS MSK mTLS guide you will need to export the trusstore of Amazon into PEM format and save as ca.crt.
Set the kafka config map debug setting to "all". For Helm install you can set kafka.debug=all.
If you see an error from the producer in the Pipeline gateway complaining about not enough insync replicas then the replication factor Seldon is using is less than the cluster setting for min.insync.replicas which for a default AWS MSK cluster defaults to 2. Ensure this is equal to that of the cluster. This value can be set in the Helm chart with kafka.topics.replicationFactor.
Confluent Cloud Oauth 2.0 Example
New in Seldon Core 2.7.0
Seldon Core 2 can integrate with Confluent Cloud managed Kafka. In this example we use Oauth 2.0 security mechanism.
Configure Identity Provider in Confluent Cloud Console
Set the kafka config map debug setting to all. For Helm install you can set kafka.debug=all.
Helm
We provide several Helm charts.
seldon-core-v2-crds : cluster wide install of custom resources.
seldon-core-v2-setup : installation of the manager to manage resources in the namespace or clusterwide. This also installs default SeldonConfig and ServerConfig resources which allow Runtimes and Servers to be installed easily on demand.
seldon-core-v2-runtime : this installs a SeldonRuntime custom resource which creates the core components in a namespace.
seldon-core-v2-servers : this installs Server custom resources which provide example core servers to load models.
seldon-core-v2-certs : a default set of certificates for TLS.
The Helm charts can be found within the k8s/helm-charts folder and they are published here
Assuming you have installed any ecosystem components: Jaeger, Prometheus, Kafka as discussed here you can follow the following steps.
Note that for Kafka follow the steps discussed here
You can install into any namespace. For illustration we will use seldon-mesh. This will install the core manager which will handle the key resources used by Seldon including the SeldonRuntime and Server resources.
This will install the operator namespaced so it will only control resources in the provided namespace. To allow cluster wide usage add the --set controller.clusterwide=true, e.g.
Cluster wide operations will require ClusterRoles to be created so when deploying be aware your user will require the required permissions. With cluster wide operations you can create SeldonRuntimes in any namespace.
This will install the core components in your desired namespace.
Install example servers
To install some MLServer and Triton servers you can either create Server resources yourself or for initial testing you can use our example Helm chart seldon-core-v2-servers:
By default this will install 1 MLServer and 1 Triton in the desired namespace. This namespace should be the same namespace you installed a Seldon Core Runtime.
If you have installed Strimzi we have an example Helm chart to create a Kafka cluster for seldon and an associated user in kafka/strimzi folder. Ensure the tls is enabled with:
The Ansible setup-ecosystem playbook will also install Strimzi and include a mTLS endpoint. See here.
mTLS Example
Create a Kafka User seldon in the namespace seldon was installed. This assumes Strimzi Kafka cluster is installed in the same namespace or is running with cluster wide permissions. Our Ansible scripts to setup the ecosystem will also create this user if tls is active.
Install seldon with the Strimzi certificate secrets using a custom values file. This sets the secret created by Strimzi for the user created above (seldon) and targets the server certificate authority secret from the name of the cluster created on install of the Kafka cluster (seldon-cluster-ca-cert).
Configure Seldon Core 2 by setting following Helm values:
This will use the Strimzi Helm chart provided in Seldon Core 2. This will call the Strimzi cluster Helm chart provided by the project with overrides for the cluster authentication type and will also create a user seldon with password credentials in a Kubernetes Secret.
Install Seldon Core 2 with SASL settings using a custom values file. This sets the secret created by Strimzi for the user created above (seldon) and targets the server certificate authority secret from the name of the cluster created on install of the Kafka cluster (seldon-cluster-ca-cert).
Configure Seldon Core 2 by setting following Helm values:
# k8s/helm-charts/seldon-core-v2-setup/values.yamlsecurity:controlplane:protocol:PLAINTEXTssl:server:secret:seldon-controlplane-serverclientValidationSecret:seldon-controlplane-clientkeyPath:/tmp/certs/cps/tls.keycrtPath:/tmp/certs/cps/tls.crtcaPath:/tmp/certs/cps/ca.crtclientCaPath:/tmp/certs/cpc/ca.crtclient:secret:seldon-controlplane-clientserverValidationSecret:seldon-controlplane-serverkeyPath:/tmp/certs/cpc/tls.keycrtPath:/tmp/certs/cpc/tls.crtcaPath:/tmp/certs/cpc/ca.crtserverCaPath:/tmp/certs/cps/ca.crtkafka:protocol:PLAINTEXTsasl:mechanism:SCRAM-SHA-512client:username:seldonsecret:passwordPath:passwordssl:client:secret:brokerValidationSecret:keyPath:/tmp/certs/kafka/client/tls.keycrtPath:/tmp/certs/kafka/client/tls.crtcaPath:/tmp/certs/kafka/client/ca.crtbrokerCaPath:/tmp/certs/kafka/broker/ca.crtendpointIdentificationAlgorithm:envoy:protocol:PLAINTEXTssl:upstream:server:secret:seldon-upstream-serverclientValidationSecret:seldon-upstream-clientkeyPath:/tmp/certs/dus/tls.keycrtPath:/tmp/certs/dus/tls.crtcaPath:/tmp/certs/dus/ca.crtclientCaPath:/tmp/certs/duc/ca.crtclient:secret:seldon-upstream-clientserverValidationSecret:seldon-upstream-serverkeyPath:/tmp/certs/duc/tls.keycrtPath:/tmp/certs/duc/tls.crtcaPath:/tmp/certs/duc/ca.crtserverCaPath:/tmp/certs/dus/ca.crtdownstream:server:secret:seldon-downstream-serverclientValidationSecret:keyPath:/tmp/certs/dds/tls.keycrtPath:/tmp/certs/dds/tls.crtcaPath:/tmp/certs/dds/ca.crtclientCaPath:/tmp/certs/ddc/ca.crtclient:mtls:falsesecret:serverValidationSecret:seldon-downstream-serverkeyPath:/tmp/certs/ddc/tls.keycrtPath:/tmp/certs/ddc/tls.crtcaPath:/tmp/certs/ddc/ca.crtserverCaPath:/tmp/certs/dds/ca.crt# A list of image pull secretsimagePullSecrets:
Environment variables
Kubernetes secrets and mounted files can be used to provide the certificates in PEM format. These are controlled by environment variables for server or client depending on the component:
Control Plane
EnvVar
Value
CONTROL_PLANE_SECURITY_PROTOCOL
SSL or PLAINTEXT
For a server (scheduler):
EnvVar
Value
CONTROL_PLANE_SERVER_TLS_SECRET_NAME
(optional) the name of the namespaced secret which holds the certificates
CONTROL_PLANE_CLIENT_TLS_SECRET_NAME
(optional) the name of the namespaced secret which holds the validation ca roots to verify the client certificate
CONTROL_PLANE_SERVER_TLS_KEY_LOCATION
the path to the TLS private key
CONTROL_PLANE_SERVER_TLS_CRT_LOCATION
the path to the TLS certificate
CONTROL_PLANE_SERVER_TLS_CA_LOCATION
the path to the TLS CA chain for the server
CONTROL_PLANE_CLIENT_TLS_CA_LOCATION
the path to the TLS CA chain for the client for mTLS verification
For a client (agent, modelgateway, hodometer, CRD controller):
EnvVar
Value
CONTROL_PLANE_CLIENT_TLS_SECRET_NAME
(optional) the name of the namespaced secret which holds the certificates
CONTROL_PLANE_SERVER_TLS_SECRET_NAME
(optional) the name of the namespaced secret which holds the validation ca roots to verify the server certificate
CONTROL_PLANE_CLIENT_TLS_KEY_LOCATION
the path to the TLS private key
CONTROL_PLANE_CLIENT_TLS_CRT_LOCATION
the path to the TLS certificate
CONTROL_PLANE_CLIENT_TLS_CA_LOCATION
the path to the TLS CA chain for the client
CONTROL_PLANE_SERVER_TLS_CA_LOCATION
the path to the TLS CA chain for the server for mTLS verification
Kafka
EnvVar
Value
KAFKA_SECURITY_PROTOCOL
PLAINTXT, SSL, or SASL_SSL
EnvVar
Value
KAFKA_CLIENT_TLS_SECRET_NAME
(optional) the name of the namespaced secret which holds the Kafka client certificate
KAFKA_CLIENT_SERVER_TLS_KEY_LOCATION
the path to the TLS private key
KAFKA_CLIENT_SERVER_TLS_CRT_LOCATION
the path to the TLS certificate
KAFKA_CLIENT_SERVER_TLS_CA_LOCATION
the path to the CA chain for the client
KAFKA_BROKER_TLS_SECRET_NAME
(optional) the name of the namespaced secret which holds the validation ca roots for the kafka broker
KAFKA_BROKER_TLS_CA_LOCATION
The path to the broker validatiob CA chain
KAFKA_CLIENT_SASL_USERNAME
SASL username
KAFKA_CLIENT_SASL_SECRET_NAME
the name of the namespaced secret which holds the SASL password
KAFKA_CLIENT_SASL_PASSWORD_LOCATION
the path to the file containing the SASL password
Envoy
Envoy xDS server will use the control plane server and client certificates defined above.
Downstream server
EnvVar
Value
ENVOY_DOWNSTREAM_SERVER_TLS_SECRET_NAME
(optional) the name of the namespaced secret which holds the certificates
ENVOY_DOWNSTREAM_CLIENT_TLS_SECRET_NAME
(optional) the name of the namespaced secret which holds the validation ca roots to verify the client certificate
ENVOY_DOWNSTREAM_SERVER_TLS_KEY_LOCATION
the path to the TLS private key
ENVOY_DOWNSTREAM_SERVER_TLS_CRT_LOCATION
the path to the TLS certificate
ENVOY_DOWNSTREAM_SERVER_TLS_CA_LOCATION
the path to the TLS CA chain for the server
ENVOY_DOWNSTREAM_CLIENT_TLS_CA_LOCATION
the path to the TLS CA chain for the client for mTLS verification
Downstream client
EnvVar
Value
ENVOY_DOWNSTREAM_CLIENT_TLS_SECRET_NAME
(optional) the name of the namespaced secret which holds the certificates
ENVOY_DOWNSTREAM_SERVER_TLS_SECRET_NAME
(optional) the name of the namespaced secret which holds the validation ca roots to verify the server certificate
ENVOY_DOWNSTREAM_CLIENT_TLS_KEY_LOCATION
the path to the TLS private key
ENVOY_DOWNSTREAM_CLIENT_TLS_CRT_LOCATION
the path to the TLS certificate
ENVOY_DOWNSTREAM_CLIENT_TLS_CA_LOCATION
the path to the TLS CA chain for the server
ENVOY_DOWNSTREAM_SERVER_TLS_CA_LOCATION
the path to the TLS CA chain for the server for mTLS verification
Upstream server
EnvVar
Value
ENVOY_UPSTREAM_SERVER_TLS_SECRET_NAME
(optional) the name of the namespaced secret which holds the certificates
ENVOY_UPSTREAM_CLIENT_TLS_SECRET_NAME
(optional) the name of the namespaced secret which holds the validation ca roots to verify the client certificate
ENVOY_UPSTREAM_SERVER_TLS_KEY_LOCATION
the path to the TLS private key
ENVOY_UPSTREAM_SERVER_TLS_CRT_LOCATION
the path to the TLS certificate
ENVOY_UPSTREAM_SERVER_TLS_CA_LOCATION
the path to the TLS CA chain for the server
ENVOY_UPSTREAM_CLIENT_TLS_CA_LOCATION
the path to the TLS CA chain for the client for mTLS verification
Upstream client
EnvVar
Value
ENVOY_UPSTREAM_CLIENT_TLS_SECRET_NAME
(optional) the name of the namespaced secret which holds the certificates
ENVOY_UPSTREAM_SERVER_TLS_SECRET_NAME
(optional) the name of the namespaced secret which holds the validation ca roots to verify the server certificate
ENVOY_UPSTREAM_CLIENT_TLS_KEY_LOCATION
the path to the TLS private key
ENVOY_UPSTREAM_CLIENT_TLS_CRT_LOCATION
the path to the TLS certificate
ENVOY_UPSTREAM_CLIENT_TLS_CA_LOCATION
the path to the TLS CA chain for the server
ENVOY_UPSTREAM_SERVER_TLS_CA_LOCATION
the path to the TLS CA chain for the server for mTLS verificatio
Confluent Cloud SASL Example
New in Seldon Core 2.5.0
Seldon Core 2 can integrate with Confluent Cloud managed Kafka. In this example we use SASL security mechanism.
Create API Keys
In your Confluent Cloud environment create new API keys. The easiest way to obtain all required information is to head to Clients -> New client (choose e.g. Go) and generate new Kafka cluster API key from there.
This will generate for you:
Key (we use it as username)
Secret (we use it as password)
Do not forget to also copy the bootstrap.servers from the example config.
See Confluent Cloud documentation in case of issues.
Create Kubernetes Secret
Seldon Core 2 expects password to be in form of K8s secret
kubectlcreatesecretgenericconfluent-kafka-sasl-nseldon-mesh--from-literalpassword="<Confluent Cloud API Secret>"
Configure Seldon Core 2
Configure Seldon Core 2 by setting following Helm values:
Set the kafka config map debug setting to all. For Helm install you can set kafka.debug=all.
Managed Kafka
Seldon recommends managed Kafka for production installation. On this page we will demonstrate how you can integrate and configure your managed Kafka with Seldon Core 2.
Securing managed Kafka services
You can secure your Seldon Core 2 integration with managed Kafka services by setting up encryption and authenticaion.
Kafka Encryption (TLS)
In production settings, always set up TLS encryption with Kafka. This ensures that neither the credentials nor the payloads are transported in plaintext.
Note: TLS encryption involves only single-sided TLS. This means that the contents are encrypted and sent to the server, but the client won’t send any form of certificate. Therefore, it does not take care of authenticating the client. Client authentication can be configured through mutual TLS (mTLS) or SASL mechanism, which are covered in the Kafka Authentication section .
When TLS is enabled, the client needs to know the root CA certificate used to create the server’s certificate. This is used to validate the certificate sent back by the Kafka server.
Create a certificate named ca.crt that is encoded as a PEM certificate. It is important that the certificate is saved as ca.crt. Otherwise, Seldon Core 2 may not be able to find the certificate. Within the cluster, you can provide the server’s root CA certificate through a secret. For example, a secret named kafka-broker-tls with a certificate.
In production environments, Kafka clusters often require authentication, especially when using managed Kafka solutions. Therefore, when installing Seldon Core 2 components, it is crucial to provide the correct credentials for a secure connection to Kafka.
The type of authentication used with Kafka varies depending on the setup but typically includes one of the following:
Simple Authentication and Security Layer (SASL): Requires a username and password.
Mutual TLS (mTLS): Involves using SSL certificates as credentials.
OAuth 2.0: Uses the client credential flow to acquire a JWT token.
These credentials are stored as Kubernetes secrets within the cluster. When setting up Seldon Core 2 you must create the appropriate secret in the correct format and update the components-values.yaml, and install-values files respectively.
When you use SASL as the authentication mechanism for Kafka, the credentials consist of a username and password pair. The password is supplied through a secret.
Note:
Ensure that the field used for the password within the secret is named password. Otherwise, Seldon Core 2 may not be able to find the correct password.
This password must be present in the seldon-logs namespace (or whichever namespace you wish to use for logging) and every namespace containing Seldon Core 2 runtime.
To create a password for Seldon Core 2 in the namespace seldon, run the following command:
security.kafka.sasl.client.secret - Created secret with password
security.kafka.ssl.client.brokerValidationSecret - Certificate Authority of Kafka Brokers
The resulting set of values to include in components-values.yaml is similar to:
security:
kafka:
protocol: SASL_SSL
sasl:
mechanism: SCRAM-SHA-512
client:
username: <kafka-username> # TODO: Replace with your Kafka username
secret: kafka-sasl-secret # NOTE: Secret name from previous step
ssl:
client:
secret: # NOTE: Leave empty
brokerValidationSecret: kafka-broker-tls # NOTE: Optional
The security.kafka.ssl.client.brokerValidationSecret field is optional. Leave it empty if your brokers use well known Certificate Authority such as Let’s Encrypt.
When you use OAuth 2.0 as the authentication mechanism for Kafka, the credentials consist of a Client ID and Client Secret, which are used with your Identity Provider to obtain JWT tokens for authenticating with Kafka brokers.
The security.kafka.ssl.client.brokerValidationSecret field is optional. Leave it empty if your brokers use well known Certificate Authority such as Let’s Encrypt.
When you use mTLS as authentication mechanism Kafka uses a set of certificates to authenticate the client.
A client certificate, referred to as tls.crt.
A client key, referred to as tls.key.
A root certificate, referred to as ca.crt.
These certificates are expected to be encoded as PEM certificates and are provided through a secret, which can be created in teh namespace seldon:
This secret must be present in seldon-logs namespace and every namespace containing Seldon Core 2 runtime.
Ensure that the field used within the secret follow the same naming convention: tls.crt, tls.key and ca.crt. Otherwise, Seldon Core 2 may not be able to find the correct set of certificates.
Reference these certificates within the corresponding Helm values for both Seldon Core 2.
Values for Seldon Core 2 In Seldon Core 2 you need to specify these values:
security.kafka.ssl.client.secret - Secret name containing client certificates
security.kafka.ssl.client.brokerValidationSecret - Certificate Authority of Kafka Brokers
The resulting set of values to include in components-values.yaml is similar to:
security:
kafka:
protocol: SSL
ssl:
client:
secret: kafka-client-tls # NOTE: Secret name from earlier step
brokerValidationSecret: kafka-broker-tls # NOTE: Optional
The security.kafka.ssl.client.brokerValidationSecret field is optional. Leave it empty if your brokers use well known Certificate Authority such as Let’s Encrypt.
Example configurations for managed Kafka services
Here are some examples to create secrets for managed Kafka services such as Azure Event Hub, Confluent Cloud(SASL), Confluent Cloud(OAuth2.0).
Prerequisites:
You must use at least the Standard tier for your Event Hub namespace because the Basic tier does not support the Kafka protocol.
Seldon Core 2 creates two Kafka topics for each model and pipeline, plus one global topic for errors. This results in a total number of topics calculated as: 2 x (number of models + number of pipelines) + 1. This topic count is likely to exceed the limit of the Standard tier in Azure Event Hub. For more information, see quota information.
Creating a namespace and obtaining the connection string
These are the steps that you need to perform in Azure Portal.
Create an Azure Event Hub namespace. You need to have an Azure Event Hub namespace. Follow the Azure quickstart documentation to create one. Note: You do not need to create individual Event Hubs (topics) as Seldon Core 2 automatically creates all necessary topics.
Connection string for Kafka Integration. To connect to the Azure Event Hub using the Kafka API, you need to obtain Kafka endpoint and Connection string. For more information, see Get an Event Hubs connection string
Note: Ensure you get the Connection string at the namespace level, as it is needed to dynamically create new topics. The format of the Connection string should be:
Creating secrets for Seldon Core 2 To store the SASL password in the Kubernetes cluster that run Seldon Core 2, create a secret named azure-kafka-secret for Core 2 in the namespace seldon. In the following command make sure to replace <password> with a password of your choice and <namespace> with the namespace form Azure Event Hub.
These are the steps that you need to perform in Confluent Cloud.
Navigate to Clients > New client and choose a client, for example GO and generate new Kafka cluster API key. For more information, see Confluent documentation.
Confluent generates a configuration file with the details.
Save the values of Key, Secret, and bootstrap.servers from the configuration file.
Creating secrets for Seldon Core 2 These are the steps that you need to perform in the Kubernetes cluster that run Seldon Core 2 to store the SASL password.
Create a secret named confluent-kafka-sasl for Seldon Core 2 in the namespace seldon. In the following command make sure to replace <password> with with the value of Secret that you generated in Confluent cloud.
Obtain these details from your identity providers such as Keycloak or Azure AD.
Client ID
Client secret
Token Endpoint URL
If you are using Azure AD you may will need to set scope: api://<client id>/.default.
Creating Kubernetes secret
Create Kubernetes secrets to store the required client credentials. For example, create a kafka-secret.yaml file by replacing the values of <client id>, <client secret>, <token endpoint url>, <cluster id>,<identity pool id> with the values that you obtained from Confluent Cloud and your identity provider.
Provide the secret named confluent-kafka-oauth in the seldon namespace to configure with Seldon Core 2.
kubectl apply -f kafka-secret.yaml -n seldon
This secret must be present in seldon-logs namespace and every namespace containing Seldon Core 2 runtime.
Configuring Seldon Core 2
To integrate Kafka with Seldon Core 2.
Update the initial configuration.
Note: In these configurations you may need:
to tweak the values for replicationFactor and numPartitions that best suits your cluster configuration.
set the value for username as $ConnectionString this is not a variable.
replace <namespace> with the namespace in Azure Event Hub.
Update the initial configuration for Seldon Core 2 in the components-values.yaml file. Use your preferred text editor to update and save the file with the following content:
to tweak the values for replicationFactor and numPartitions that best suits your cluster configuration.
replace <username> with thevalue of Key that you generated in Confluent Cloud.
replace <confluent-endpoints> with the value of bootstrap.server that you generated in Confluent Cloud.
Update the initial configuration for Seldon Core 2 Operator in the components-values.yaml file. Use your preferred text editor to update and save the file with the following content:
to tweak the values for replicationFactor and numPartitions that best suits your cluster configuration.
replace <confluent-endpoints> with the value of bootstrap.server that you generated in Confluent Cloud.
Update the initial configuration for Seldon Core 2 Operator in the components-values.yaml file. Use your preferred text editor to update and save the file with the following content:
To enable Kafka Encryption (TLS) you need to reference the secret that you created in the security.kafka.ssl.client.secret field of the Helm chart values. The resulting set of values to include in components-values.yaml is similar to:
Learn about installing Seldon command line tool that you can use to manage Seldon Core 2 resources.
Note: The Seldon CLI allows you to view information about underlying Seldon resources and make changes to them through the scheduler in non-Kubernetes environments. However, it cannot modify underlying manifests within a Kubernetes cluster. Therefore, using the Seldon CLI for control plane operations in a Kubernetes environment is not recommended. For more details, see Seldon CLI.
Installing Seldon CLI
To install Seldon CLI using prebuild binaries or build them locally.
Download from a recent release from https://github.com/SeldonIO/seldon-core/releases.
It is dynamically linked and will require and *nix architecture and glibc 2.25+.
Move to the seldon folder and provide the permissions.
The various communication points between services are shown in the diagram below:
Control Plane
TLS control plane activation is switched on and off via the environment variable: CONTROL_PLANE_SECURITY_PROTOCOL whose values can be PLAINTEXT or SSL.
Certificates will be loaded and used for the control plane gRPC services. The secrets or folders will be watched for updates (on certificate renewal) and automatically loaded again.
Helm Control Plane Install
When installing seldon-core-v2-setup you can set the secret names for your certificates. If using cert-manager example discussed below this would be as follows:
TLS Data plane activation is switched on and off via the environment variable: ENVOY_SECURITY_PROTOCOL whose values can be PLAINTEXT or SSL.
When activated this ensures TLS is used to communicate to Envoy via the xDS server as well as using the SDS service to send cretificates to envoy to use for upstream and downstream networking. Downstream is the external access to Seldon and upstream is the path from Envoy to the model servers or pipeline gateway.
Helm Data Plane Install
When installing seldon-core-v2-setup you can set data plane operations to TLS as below. This assumes the secrets installed by the helm chart at the end of this section.
The above uses default secret names defined for the certificates installed. You can change the names of the required certificate secrets as shown in a longer configuration below (again using the default names for illustration).
For this we use the following updated Helm values (k8s/samples/values-tls-dataplane-example.yaml):
We use Envoy internally to direct traffic and in Envoy's terminology upstream is for internal model servers called from Envoy while the downstream server is the entrypoint server running in Envoy to receive grpc and REST calls. The above settings ensure mTLS for internal "upstream" traffic while provides a standard SSL non-mTLS entrpoint.
To use the above with the seldon CLI you would need a custom config file as follow:
{"dataplane": {"tls":true,"skipSSLVerify":true }}
We skip SSL Verify as these are internal self-signed certificates. For production use you would change this to the correct DNS name you are exposing the Seldon entrypoint.
Cetificate Providers
The installer/cluster controller for Seldon needs to provide the certificates. As part of Seldon we provide an example set of certificate issuers and certificates using cert-manager.
Helm
You can install Certificates into the desired namespace, here we use seldon-mesh as an example.
topicPrefix : the prefix to add to kafka topics created by Seldon
consumerGroupIdPrefix : the prefix to add to Kafka consumer group IDs created by Seldon
bootstrap.servers : the global bootstrap kafka servers to use
consumer : consumer settings
producer : producer settings
streams : KStreams settings
For topicPrefix you can use any acceptable kafka topic characters which are a-z, A-Z, 0-9, . (dot), _ (underscore), and - (dash). We use . (dot) internally as topic naming separator so we would suggest you don't end your topic prefix with a dot for clarity. For illustration, an example topic could be seldon.default.model.mymodel.inputs where seldon is the topic prefix.
The consumerGroupIdPrefix will ensure that all consumer groups created have a given prefix.
Kubernetes
For Kubernetes this is controlled via a ConfigMap called seldon-kafka whose default values are defined in the SeldonConfig custom resource. For more details see the componets.yamlfile
When the SeldonRuntime is installed in a namespace a configMap will be created with these settings for Kafka configuration.
To customize the settings you can add and modify the Kafka configuration via Helm, for example below is a custom Helm values file that add compression for producers:
If you use a shared Kafka cluster with other applications you may want to isolate the topic names and consumer group IDs from other users of the cluster to ensure there is no name clash. For this we provide two settings:
topicPrefix: set a prefix for all topics
consumerGroupIdPrefix: set a prefix for all consumer groups
An example to set this in the configuration when using the helm installation is showm below for creating the default SeldonConfig:
You can create alternate SeldonConfigs with different values or override values for particular SeldonRuntime installs.
Tracing Configuration
We allow configuration of tracing. This file looks like:
The top level keys are:
enable : whether to enable tracing
otelExporterEndpoint : The host and port for the OTEL exporter
otelExporterProtocol : The protocol for the OTEL exporter. Currently used for jvm-based components only (such as dataflow-engine), because opentelemetry-java-instrumentation requires a http(s) URI for the endpoint but defaults to http/protobuf as a protocol. Because of this, gRPC connections (over http) can only be set up by setting this option to grpc
ratio : The ratio of requests to trace. Takes values between 0 and 1 inclusive.
Kubernetes
For Kubernetes this is controlled via a ConfigMap call seldon-tracing whose default value is shown below:
Note, this ConfigMap is created via our Helm charts and there is usually no need to modify it manually.
At present Java instrumentation (for the dataflow engine) is duplicated via separate keys.
