Merge branch 'main' into 706-lint-uds-helm-docker-zarf-lints

.github/actions/uds-cluster/action.yaml

@@ -11,12 +11,16 @@ runs:
   using: composite
   steps:
     - name: Setup UDS Environment
-      uses: defenseunicorns/uds-common/.github/actions/setup@05f42bb3117b66ebef8c72ae050b34bce19385f5
+      uses: defenseunicorns/uds-common/.github/actions/setup@822dac4452e6815aadcf09f487406ff258756a0c # v0.14.0
       with:
         username: ${{ inputs.registry1Username }}
         password: ${{ inputs.registry1Password }}
+        udsCliVersion: 0.14.0
+
+    - name: Checkout Repo
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
     - name: Create UDS Cluster
       shell: bash
       run: |
-        make create-uds-cpu-cluster
+        UDS_CONFIG=.github/config/uds-config.yaml make create-uds-cpu-cluster

.github/config/uds-config.yaml

@@ -0,0 +1,3 @@
+variables:
+  core-slim-dev:
+    INSECURE_ADMIN_PASSWORD_GENERATION: "true"

.github/scripts/createUser.sh

@@ -0,0 +1,57 @@
+KEYCLOAK_ADMIN_PASSWORD=$(uds zarf tools kubectl get secret -n keycloak keycloak-admin-password -o jsonpath={.data.password} | base64 -d)
+echo "::add-mask::$KEYCLOAK_ADMIN_PASSWORD"
+
+KEYCLOAK_ADMIN_TOKEN=$(curl --location "https://keycloak.admin.uds.dev/realms/master/protocol/openid-connect/token" \
+--http1.1 \
+--header "Content-Type: application/x-www-form-urlencoded" \
+--data-urlencode "username=admin" \
+--data-urlencode "password=${KEYCLOAK_ADMIN_PASSWORD}" \
+--data-urlencode "client_id=admin-cli" \
+--data-urlencode "grant_type=password" | uds zarf tools yq .access_token)
+echo "::add-mask::$KEYCLOAK_ADMIN_TOKEN"
+
+
+curl --location "https://keycloak.admin.uds.dev/admin/realms/uds/users" \
+--http1.1 \
+--header "Content-Type: application/json" \
+--header "Authorization: Bearer ${KEYCLOAK_ADMIN_TOKEN}" \
+--data "{
+  \"username\": \"doug\",
+  \"firstName\": \"Doug\",
+  \"lastName\": \"Unicorn\",
+  \"email\": \"doug@uds.dev\",
+  \"attributes\": {
+    \"mattermostid\": \"1\"
+  },
+  \"emailVerified\": true,
+  \"enabled\": true,
+  \"requiredActions\": [],
+  \"credentials\": [
+    {
+      \"type\": \"password\",
+      \"value\": \"${FAKE_E2E_USER_PASSWORD}\",
+      \"temporary\": false
+    }
+  ]
+}"
+
+CONDITIONAL_OTP_ID=$(curl --location "https://keycloak.admin.uds.dev/admin/realms/uds/authentication/flows/Authentication/executions" \
+--http1.1 \
+--header "Authorization: Bearer ${KEYCLOAK_ADMIN_TOKEN}" | uds zarf tools yq '.[] | select(.displayName == "Conditional OTP") | .id')
+
+curl --location --request PUT "https://keycloak.admin.uds.dev/admin/realms/uds/authentication/flows/Authentication/executions" \
+--http1.1 \
+--header "Content-Type: application/json" \
+--header "Authorization: Bearer ${KEYCLOAK_ADMIN_TOKEN}" \
+--data "{
+\"id\": \"${CONDITIONAL_OTP_ID}\",
+\"requirement\": \"DISABLED\"
+}"
+
+USER=$(curl --location "https://keycloak.admin.uds.dev/admin/realms/uds/users?user=doug" \
+--http1.1 \
+--header "Content-Type: application/json" \
+--header "Authorization: Bearer ${KEYCLOAK_ADMIN_TOKEN}" \
+)
+
+echo "User: $USER"

.github/workflows/e2e-playwright.yaml

@@ -17,6 +17,8 @@ on:
       - "!.github/**"
       - ".github/workflows/e2e-playwright.yaml"
       - ".github/actions/uds-cluster/action.yaml"
+      - ".github/actions/scripts/createUser.sh"
+      - ".github/actions/config/uds-config.yaml"
 
       # Ignore docs and website things
       - "!**.md"
@@ -64,20 +66,27 @@ jobs:
           with:
             node-version-file: 'src/leapfrogai_ui/package.json'
 
-        - name: Install UI/Playwright Dependencies
-          run: |
-            npm --prefix src/leapfrogai_ui ci
-            npx --prefix src/leapfrogai_ui playwright install
-
         - name: Setup Python
           uses: ./.github/actions/python
 
+        - name: Generate Fake Playwright User Password
+          id: generate-password
+          run: |
+            PASSWORD=$(cat <(openssl rand -base64 32 | tr -dc 'a-zA-Z0-9!@#$%^&*()_+-=[]{}|;:,.<>?' | head -c 20) <(echo '!@1Aa') | fold -w1 | shuf | tr -d '\n')
+            echo "::add-mask::$PASSWORD"
+            echo "FAKE_E2E_USER_PASSWORD=$PASSWORD" >> $GITHUB_ENV
+
         - name: Setup UDS Cluster
           uses: ./.github/actions/uds-cluster
           with:
             registry1Username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
             registry1Password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}
 
+        - name: Create Test User
+          run: |
+            chmod +x ./.github/scripts/createUser.sh
+            ./.github/scripts/createUser.sh
+
         - name: Setup LFAI-API and Supabase
           uses: ./.github/actions/lfai-core
 
@@ -89,21 +98,31 @@ jobs:
           run: |
             python -m pytest ./tests/e2e/test_api.py -v
 
+
         ##########
         # UI
         ##########
+        - name: Install UI/Playwright Dependencies
+          run: |
+            npm --prefix src/leapfrogai_ui ci
+            npx --prefix src/leapfrogai_ui playwright install
+
         - name: Deploy LFAI-UI
           run: |
             make build-ui LOCAL_VERSION=e2e-test
             docker image prune -af
-            uds zarf package deploy packages/ui/zarf-package-leapfrogai-ui-amd64-e2e-test.tar.zst --confirm
+            uds zarf package deploy packages/ui/zarf-package-leapfrogai-ui-amd64-e2e-test.tar.zst --set DISABLE_KEYCLOAK=false --confirm
             rm packages/ui/zarf-package-leapfrogai-ui-amd64-e2e-test.tar.zst
 
         # Run the playwright UI tests using the deployed Supabase endpoint and upload report as an artifact
         - name: UI/API/Supabase E2E Playwright Tests
           run: |
             cp src/leapfrogai_ui/.env.example src/leapfrogai_ui/.env
-            TEST_ENV=CI PUBLIC_DISABLE_KEYCLOAK=true PUBLIC_SUPABASE_ANON_KEY=$ANON_KEY npm --prefix src/leapfrogai_ui run test:integration:ci
+            mkdir -p playwright/auth
+            touch playwright/auth.user.json
+            SERVICE_ROLE_KEY=$(uds zarf tools kubectl get secret -n leapfrogai supabase-bootstrap-jwt -o jsonpath={.data.service-key} | base64 -d)
+            echo "::add-mask::$SERVICE_ROLE_KEY"
+            SERVICE_ROLE_KEY=$SERVICE_ROLE_KEY TEST_ENV=CI USERNAME=doug PASSWORD=$FAKE_E2E_USER_PASSWORD PUBLIC_SUPABASE_ANON_KEY=$ANON_KEY npm --prefix src/leapfrogai_ui run test:integration:ci
 
         # Upload the Playwright report as an artifact
         - name: Archive Playwright Report

README.md

@@ -4,9 +4,9 @@
 
 ## Table of Contents
 
-- [Table of Contents](#table-of-contents)
 - [Overview](#overview)
 - [Why Host Your Own LLM?](#why-host-your-own-llm)
+- [Demo Video](#demo-video)
 - [Structure](#structure)
 - [Getting Started](#getting-started)
 - [Components](#components)
@@ -39,14 +39,15 @@ Large Language Models (LLMs) are a powerful resource for AI-driven decision maki
 ## Demo Video
 
 <a href="https://www.youtube.com/watch?v=BowOJttHyPU" target="_blank">
- <img src="website/assets/img/walkthrough_thumbnail.jpg" alt="2 minute demo of features of LeapfrogAI" width="540"/>
+ <img src="docs/imgs/walkthrough_thumbnail.jpg" alt="2 minute demo of features of LeapfrogAI" width="540"/>
 </a>
 
-LeapfrogAI, built on top of [Unicorn Delivery Service (UDS)](https://github.com/defenseunicorns/uds-core), which includes several features including:
+LeapfrogAI is built on top of [Unicorn Delivery Service (UDS)](https://github.com/defenseunicorns/uds-core), Defense Unicorns' secure runtime environment, and includes several features such as:
 
 - **Single Sign-On**
 - **Non-proprietary API Compatible with OpenAI's API**
 - **Retrieval Augmented Generation (RAG)**
+- **Transcription and Translation**
 - **And More!**
 
 ## Structure

packages/k3d-gpu/Makefile

@@ -18,7 +18,7 @@ create-uds-gpu-cluster: build-k3d-gpu
 	--set K3D_EXTRA_ARGS="--gpus=all \
 	--image=ghcr.io/defenseunicorns/leapfrogai/k3d-gpu:${LOCAL_VERSION}" --confirm
 
-create-uds-cpu-cluster: build-k3d-gpu
+create-uds-cpu-cluster:
 	@uds deploy k3d-core-slim-dev:${UDS_VERSION} \
 	${ZARF_FLAGS} \
 	--confirm

packages/supabase/bitnami-values.yaml

@@ -75,6 +75,22 @@ realtime:
   resourcesPreset: "none"
   podLabels:
     sidecar.istio.io/inject: "false"
+  extraEnvVars:
+    - name: APP_NAME
+      value: "supabase-realtime"
+    - name: DB_AFTER_CONNECT_QUERY
+      value: "DO $body$ BEGIN CREATE SCHEMA IF NOT EXISTS _realtime; ALTER SCHEMA _realtime OWNER TO postgres; SET search_path TO _realtime; END $body$;"
+    - name: DB_ENC_KEY
+      valueFrom:
+        secretKeyRef:
+          name: supabase-realtime-extra
+          key: dbEncKey
+    - name: DNS_NODES
+      value: "supabase-realtime"
+  args:
+    - -ec
+    - |
+      realtime eval Realtime.Release.migrate && realtime eval 'Realtime.Release.seeds(Realtime.Repo)' && realtime start
 
 rest:
   enabled: ###ZARF_VAR_ENABLE_REST###
@@ -107,7 +123,7 @@ volumePermissions:
   resourcesPreset: "none"
 
 psqlImage:
-  tag: 15.1.1-debian-12-r69
+  tag: 15.6.1-debian-12-r2
 
 kong:
   enabled: ###ZARF_VAR_ENABLE_KONG###
@@ -172,9 +188,11 @@ kong:
 postgresql:
   enabled: ###ZARF_VAR_ENABLE_POSTGRES###
   image:
-    tag: 15.1.1-debian-12-r69
+    tag: 15.6.1-debian-12-r2
     debug: true
   primary:
+    extendedConfiguration: |
+      wal_level = logical
     resourcesPreset: "none"
     podLabels:
       sidecar.istio.io/inject: "false"
@@ -184,4 +202,4 @@ postgresql:
   ## @param postgresql.postgresqlSharedPreloadLibraries Set the shared_preload_libraries parameter in postgresql.conf
   ## Setting an empty value in order to force the default extensions of supabase-postgres
   ##
-  postgresqlSharedPreloadLibraries: "pg_stat_statements, pg_stat_monitor, pgaudit, plpgsql, plpgsql_check, pg_cron, pg_net, pgsodium, timescaledb, auto_explain, vector"
+  postgresqlSharedPreloadLibraries: "pg_stat_statements, pg_stat_monitor, pgaudit, plpgsql, plpgsql_check, pg_cron, pg_net, pgsodium, timescaledb, auto_explain, vector"

packages/supabase/chart/templates/supabase-realtime-secret.yaml

@@ -0,0 +1,18 @@
+{{- $dbEncKey := randAlphaNum 16 }} # This needs to be exactly 16 characters
+{{- $existingSecret := (lookup "v1" "Secret" .Release.Namespace "supabase-realtime-extra") }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: supabase-realtime-extra
+ namespace: {{ .Release.Namespace }}
+ {{- if $existingSecret }}
+ annotations:
+   "helm.sh/resource-policy": keep
+ {{- end }}
+type: Opaque
+data:
+ {{- if $existingSecret }}
+ dbEncKey: {{ $existingSecret.data.dbEncKey }}
+ {{- else }}
+ dbEncKey: {{ $dbEncKey | b64enc | quote }}
+ {{- end }}

packages/supabase/manifests/declarative-conf-configmap.yaml

@@ -95,11 +95,31 @@ data:
                 - admin
                 - anon
 
-      - name: realtime-v1
-        _comment: "Realtime: /realtime/v1/* -> ws://supabase-realtime:80/socket/*"
-        url: http://supabase-realtime:80/socket
+      - name: realtime-v1-ws
+        _comment: "Realtime: /realtime/v1/* -> ws://supabase-realtime:80/socket/websocket/*"
+        url: http://supabase-realtime:80/socket/websocket
         routes:
-          - name: realtime-v1-all
+          - name: realtime-v1-ws
+            strip_path: true
+            paths:
+              - /realtime/v1/websocket
+        plugins:
+          - name: cors
+          - name: key-auth
+            config:
+              hide_credentials: false
+          - name: acl
+            config:
+              hide_groups_header: true
+              allow:
+                - admin
+                - anon
+
+      - name: realtime-v1-api
+        _comment: "Realtime: /realtime/v1/* -> http://supabase-realtime:80/*"
+        url: http://supabase-realtime:80
+        routes:
+          - name: realtime-v1-api
             strip_path: true
             paths:
               - /realtime/v1/

packages/supabase/migrations/20240808093300_v0.10.0_realtime_tenant.sql

@@ -0,0 +1,22 @@
+-- Disable the foreign key constraint
+ALTER TABLE _realtime.extensions
+DROP CONSTRAINT extensions_tenant_external_id_fkey;
+
+-- Update the external_id and name for the realtime tenant
+UPDATE _realtime.tenants
+SET external_id = 'supabase-realtime',
+    name = 'supabase-realtime'
+WHERE external_id = 'realtime-dev'
+  AND name = 'realtime-dev';
+
+-- Update the tenant_external_id for the realtime extension
+UPDATE _realtime.extensions
+SET tenant_external_id = 'supabase-realtime'
+WHERE tenant_external_id = 'realtime-dev';
+
+-- Re-enable the foreign key constraint
+ALTER TABLE _realtime.extensions
+ADD CONSTRAINT extensions_tenant_external_id_fkey
+FOREIGN KEY (tenant_external_id)
+REFERENCES _realtime.tenants(external_id)
+ON DELETE CASCADE;

packages/supabase/zarf.yaml

@@ -66,7 +66,7 @@ components:
         namespace: leapfrogai
         url: oci://registry-1.docker.io/bitnamicharts/supabase
         releaseName: supabase-bootstrap
-        version: 4.0.5
+        version: 5.3.3
         valuesFiles:
           - "bitnami-values.yaml"
           - "bitnami-values-bootstrap.yaml"
@@ -81,21 +81,21 @@ components:
         namespace: leapfrogai
         url: oci://registry-1.docker.io/bitnamicharts/supabase
         releaseName: supabase
-        version: 4.0.5
+        version: 5.3.3
         valuesFiles:
           - "bitnami-values.yaml"
     images:
-      - docker.io/bitnami/gotrue:2.150.1-debian-12-r1
-      - docker.io/bitnami/jwt-cli:6.0.0-debian-12-r20
-      - docker.io/bitnami/kubectl:1.30.0-debian-12-r0
-      - docker.io/bitnami/os-shell:12-debian-12-r19
-      - docker.io/bitnami/postgrest:11.2.2-debian-12-r15
-      - docker.io/bitnami/supabase-postgres:15.1.1-debian-12-r69
-      - docker.io/bitnami/supabase-postgres-meta:0.80.0-debian-12-r3
-      - docker.io/bitnami/supabase-realtime:2.28.32-debian-12-r2
-      - docker.io/bitnami/supabase-storage:0.48.4-debian-12-r2
-      - docker.io/bitnami/supabase-studio:0.24.3-debian-12-r3
-      - docker.io/bitnami/kong:3.6.1-debian-12-r18
+      - docker.io/bitnami/gotrue:2.155.6-debian-12-r3
+      - docker.io/bitnami/jwt-cli:6.1.0-debian-12-r5
+      - docker.io/bitnami/kubectl:1.30.3-debian-12-r4
+      - docker.io/bitnami/os-shell:12-debian-12-r27
+      - docker.io/bitnami/postgrest:11.2.2-debian-12-r31
+      - docker.io/bitnami/supabase-postgres:15.6.1-debian-12-r2
+      - docker.io/bitnami/supabase-postgres-meta:0.83.2-debian-12-r3
+      - docker.io/bitnami/supabase-realtime:2.30.14-debian-12-r2
+      - docker.io/bitnami/supabase-storage:1.8.2-debian-12-r2
+      - docker.io/bitnami/supabase-studio:1.24.5-debian-12-r4
+      - docker.io/bitnami/kong:3.7.1-debian-12-r5
   - name: supabase-post-process
     description: "Perform necessary post processing here"
     required: true

packages/vllm/src/main.py

@@ -178,7 +178,11 @@ async def iterate_outputs(self):
                 async for request_output in self.random_iterator:
                     request_id = request_output.request_id
 
-                    if request_output.finished:
+                    # At least one iteration must be done for each request_id
+                    if (
+                        self.delta_queue_by_id.get(request_id)
+                        and request_output.finished
+                    ):
                         # Signal that the "generate" function can stop waiting for additional inputs
                         logging.info(
                             f"Generated {num_tokens_by_id[request_id]} tokens in {time.time() - t0_by_id[request_id]:.2f}s"

src/leapfrogai_ui/.gitignore

@@ -20,4 +20,5 @@ zarf-sbom/
 
 
 playwright/.auth
-test-results/
+test-results/
+e2e-report/