Memgraph Platform Via Helm #51

bwhartlove opened this issue Apr 28, 2023 · 16 comments

@bwhartlove

The Memgraph documentation mentions how to deploy Memgraph itself via a Helm chart. Is there something similar available for Memgraph platform? There is, at least as far as I can tell, no documentation on that. I've been having issues with my current deployment where all services appear to be up inside the container, but the front-end says that Memgraph Lab cannot detect Memgraph running in the container.

@bwhartlove
Author

I was able to get past this. However, my current issue is the inability to create any user via the -init-file flag. Even running the mgconsole < init.cypherl manually does not work.

@katarinasupe
Contributor

Hi @bwhartlove, can you tell me which image you used? Memgraph, Memgraph MAGE or Memgraph Platform? How are you passing values to the config settings to Memgraph? Can you explain your process of setting the flags and connecting to a running Memgraph instance? Btw. for quicker and easier communication, join our Discord server and ping me there :)

@bwhartlove
Author

Hello! I am using the Memgraph Platform Image and deploying it via a Helm Chart I modified from the Memgraph Helm chart example provided here.

Since I am trying to run the container as a non-root user (i.e., as the memgraph user), I had to re-roll the image as so:

FROM memgraph/memgraph-platform:latest

USER root
COPY supervisord.conf /etc/supervisor/conf.d/
COPY init.cypherl /etc/memgraph/init.cypherl
RUN chown -R memgraph:memgraph /run/ && \
    chown -R memgraph:memgraph /etc/supervisor && \
    chown -R memgraph:memgraph /etc/memgraph && \
    chown -R memgraph:memgraph /var/log/supervisor/
USER 101
CMD ["/bin/bash", "-c", "/usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf >> /dev/null & echo \"Memgraph Lab is running at localhost:3000\\n\"; while true; do sleep 1; done;"]

My supervisord.conf looks as so:

[supervisord]
nodaemon=true
logfile=/var/log/supervisor/supervisord.log

[program:lab]
directory=/lab
command=/bin/bash -c "node dist-backend/server.js"

[program:memgraph]
directory=/usr/lib/memgraph
command=/bin/bash -c "/usr/lib/memgraph/memgraph --data-directory=/var/lib/memgraph/data --log-level=DEBUG \ 
                    --bolt-cert-file=/etc/memgraph/ssl/cert.pem --bolt-key-file=/etc/memgraph/ssl/key.pem \ 
                    --init-file=/etc/memgraph/init.cypherl"

And my init.cypherl file:

CREATE USER myuser IDENTIFIED BY "password";

This does not appear to pre-populate the database with the user. My intention is to have the container come up so that a user must use a username/password to login.

@katarinasupe
Contributor

Can you send me the modified Helm Chart too?

@bwhartlove
Author

Sure thing. Here's the helm chart (I haven't finished my values file yet, so it's all verbose):

# StatefulSet
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: memgraph
  namespace: pipeline
  labels:
    app.kubernetes.io/name: memgraph
    app.kubernetes.io/managed-by: Helm
spec:
  replicas: 1
  serviceName: memgraph-svc
  selector:
    matchLabels:
      app.kubernetes.io/name: memgraph
  podManagementPolicy: OrderedReady
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app.kubernetes.io/name: memgraph
    spec:
      securityContext:
        fsGroup: 101
      containers:
        - name: memgraph
          image: "mycontainerregistry/memgraph-platform-custom"
          securityContext:
            runAsUser: 101
            runAsGroup: 101
          imagePullPolicy: Always
          ports:
            - name: db-port
              containerPort: 7687
            - name: lab-port
              containerPort: 3000
          volumeMounts:
            - name: memgraph-lib-storage
              mountPath: /var/lib/memgraph
            - name: memgraph-log-storage
              mountPath: /var/log/memgraph
      volumes:
        - name: memgraph-lib-storage
          persistentVolumeClaim:
            claimName: memgraph-lib-storage
        - name: memgraph-log-storage
          persistentVolumeClaim:
            claimName: memgraph-log-storage
---
# Service
apiVersion: v1
kind: Service
metadata:
  name: memgraph-svc
  namespace: pipeline
  labels:
    app.kubernetes.io/name: memgraph
    app.kubernetes.io/managed-by: Helm
spec:
  type: ClusterIP
  ports:
    - port: 7687
      targetPort: 7687
      protocol: TCP
      name: bolt
  selector:
    app.kubernetes.io/name: memgraph

---
# Service
apiVersion: v1
kind: Service
metadata:
  name: memgraph-lab-svc
  namespace: pipeline
  labels:
    app.kubernetes.io/name: memgraph
    app.kubernetes.io/managed-by: Helm
spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: 3000
      protocol: TCP
      name: bolt
  selector:
    app.kubernetes.io/name: memgraph

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: memgraph-lab-ingress
  namespace: pipeline
spec:
  rules:
  - host: memgraph.mydomain.com
    http:
      paths:
      - backend:
          service:
            name: memgraph-lab-svc
            port:
              number: 80
        path: /
        pathType: Prefix

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  labels:
    app.kubernetes.io/managed-by: Helm
  name: allow-to-memgraph-lab
  namespace: pipeline
spec:
  ingress:
  - ports:
    - port: 3000
      protocol: TCP
  podSelector:
    matchLabels:
      app.kubernetes.io/name: memgraph
  policyTypes:
  - Ingress

---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: memgraph-lib-storage
  namespace: pipeline
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi

---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: memgraph-log-storage
  namespace: pipeline
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi

@katarinasupe
Contributor

Thank you for sharing. I will check this and get back to you. If you notice anything new or can provide any additional info meanwhile, let me know. What is the urgency on your side?

@bwhartlove
Author

I'll provide any insights as I run into them. Urgency is low, though I would like to get this resolved within the next week or so if possible. Thanks!

@bwhartlove
Author

Small edit to the Helm Chart:

I've noticed that I have to connect manually to the database. It does not detect the db on localhost, so I have to use the service to connect, which requires adding the port 7687 to the Network Policy as well.

@bwhartlove
Author

I've noticed that the user is not present at spin up of the container, but if I hop in and manually import the cypher file, it creates the user just fine:
mgconsole -use_ssl < /etc/memgraph/init.cypherl

The logs do say it's Running init file.

@bwhartlove
Author

I was able to accomplish what I was trying to do without the -init-file flag, albeit in a 'hacky' way. I removed the -init-file flag from my supervisord config for memgraph and modified the CMD for the container to import the query via mgconsole:

CMD ["/bin/bash", "-c", "/usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf >> /dev/null & echo \"Memgraph Lab is running at localhost:3000\\n\"; while ! nc -z localhost 7687; do sleep 1; done; mgconsole --use_ssl < /etc/memgraph/init.cypherl; while true; do sleep 1; done;"]

I'd still like to understand what is going wrong with the -init-file flag, but this accomplished what I wanted it to.

@katarinasupe
Contributor

It's great to hear you managed to accomplish what you wanted to, and I'll check what happened with the --init_file flag and report back. Btw. what are you using Memgraph for? Maybe we talked already but it's a bit hard with GitHub usernames :)

@bwhartlove
Author

Just doing some development work for my own knowledge. It's a really awesome tool, and I wanted to learn more about graph databases. Thanks for checking on this!

@bwhartlove
Author

Apologies for taking this in a different direction - is there any way with Memgraph Lab to set up SSL? I know you can use certs with the memgraph.conf to encrypt traffic to the backend, but what about the front end service?

@tonilastre
Contributor

Regarding the SSL with Memgraph Lab, currently, the only way is to have a reverse proxy in front, e.g. a reverse proxy that holds SSL information and proxies everything toward/from Memgraph Lab endpoint. Is that doable in your case?
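
The reverse-proxy arrangement described above, sketched against the manifests posted earlier in this thread. This is an added example, not part of the original comments or the Memgraph project's charts: it assumes an ingress controller is installed and acts as the proxy, and the Secret name `memgraph-lab-tls` and its contents are placeholders.

```yaml
# Added example: terminate TLS at the ingress controller (the reverse proxy)
# and forward plain HTTP to the Memgraph Lab service from the posted chart.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: memgraph-lab-ingress
  namespace: pipeline
spec:
  tls:
  - hosts:
    - memgraph.mydomain.com          # must match the rule host below
    secretName: memgraph-lab-tls     # assumed name; Secret of type kubernetes.io/tls
  rules:
  - host: memgraph.mydomain.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: memgraph-lab-svc   # Service from the chart (port 80 -> 3000)
            port:
              number: 80
---
# The certificate and key the proxy presents to browsers.
# Values are placeholders; supply your own base64-encoded PEM data.
apiVersion: v1
kind: Secret
metadata:
  name: memgraph-lab-tls
  namespace: pipeline
type: kubernetes.io/tls
data:
  tls.crt: <base64-encoded certificate chain>
  tls.key: <base64-encoded private key>
```

Only the browser-to-proxy leg is encrypted here; the hop from the ingress controller to Lab on port 3000 is still plain HTTP inside the cluster, so the NetworkPolicy on that port decides who else can reach it.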

@bwhartlove
Author

bwhartlove commented May 11, 2023

Yes, that is something I've done with other services in the past, and it's doable in my case. Thanks for the confirmation!

@antejavor self-assigned this Jul 21, 2023

@katarinasupe
Contributor

@antejavor not sure what happened here and if there's any update. I noticed the issue is a bit stale and that you assigned it yourself, so can you check it when you're back from vacation?

Besides that, @bwhartlove we are working on a new way of running the Memgraph Platform and that's why we haven't been that active in creating a new helm chart for the Memgraph Platform. Hopefully, we'll manage to improve the process soon enough. How are you doing and did you make any progress in your project?
