From 855fba4a0459a4e62c7fe395e9aa7f90a6164196 Mon Sep 17 00:00:00 2001 From: AnchorArray Date: Wed, 14 Feb 2024 12:38:26 -0700 Subject: [PATCH] Add managed ServiceAccount --- charts/langkit/CHANGELOG.md | 7 ++++ charts/langkit/Chart.yaml | 2 +- charts/langkit/README.md | 40 +++++++++++--------- charts/langkit/templates/_helpers.tpl | 11 ++++++ charts/langkit/templates/deployment.yaml | 1 + charts/langkit/templates/serviceaccount.yaml | 13 +++++++ charts/langkit/values.yaml | 40 +++++++++++++------- 7 files changed, 82 insertions(+), 32 deletions(-) create mode 100644 charts/langkit/templates/serviceaccount.yaml diff --git a/charts/langkit/CHANGELOG.md b/charts/langkit/CHANGELOG.md index 47fa610..b615fdb 100644 --- a/charts/langkit/CHANGELOG.md +++ b/charts/langkit/CHANGELOG.md @@ -6,6 +6,13 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning] (https://semver.org/spec/v2.0.0.html). +## [0.8.0] - 2023-02-14 :heart: + +### Added + +- Added managed `ServiceAccount` with configurations for `annotations` to + support authentication methods such as AWS IRSA. + ## [0.7.0] - 2023-02-12 ### Changed diff --git a/charts/langkit/Chart.yaml b/charts/langkit/Chart.yaml index e6e134a..e9aca40 100644 --- a/charts/langkit/Chart.yaml +++ b/charts/langkit/Chart.yaml @@ -2,5 +2,5 @@ apiVersion: v2 name: langkit description: A Helm chart for LangKit container deployment type: application -version: 0.7.0 +version: 0.8.0 appVersion: "1.0.2.dev4" diff --git a/charts/langkit/README.md b/charts/langkit/README.md index a1f2f56..ec4deb0 100644 --- a/charts/langkit/README.md +++ b/charts/langkit/README.md @@ -55,7 +55,7 @@ View the difference between the current state and desired state. # helm plugin install https://github.com/databus23/helm-diff helm diff upgrade \ --allow-unreleased \ - langkit langkit-0.7.0.tgz + langkit langkit-0.8.0.tgz ``` ### Install/Update 
@@ -63,14 +63,14 @@ helm diff upgrade \ helm upgrade --install \ --create-namespace \ --namespace langkit \ - langkit langkit-0.7.0.tgz + langkit langkit-0.8.0.tgz ``` ### Uninstall ```shell helm uninstall \ --namespace langkit \ - langkit langkit-0.7.0.tgz + langkit langkit-0.8.0.tgz ``` ## Development @@ -88,6 +88,11 @@ helm-docs --dry-run | Key | Type | Default | Description | |-----|------|---------|-------------| +| affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].key | string | `"app.kubernetes.io/name"` | | +| affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].operator | string | `"In"` | | +| affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.labelSelector.matchExpressions[0].values[0] | string | `"langkit"` | | +| affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].podAffinityTerm.topologyKey | string | `"kubernetes.io/hostname"` | | +| affinity.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution[0].weight | int | `100` | | | containers.env[0].name | string | `"HOME"` | | | containers.env[0].value | string | `"/home"` | | | containers.env[1].name | string | `"HF_HOME"` | | 
@@ -96,13 +101,11 @@ helm-docs --dry-run | containers.securityContext.runAsUser | int | `1000` | | | containers.volumeMounts[0].mountPath | string | `"/tmp"` | | | containers.volumeMounts[0].name | string | `"temp-dir"` | | -| containers.volumeMounts[1].mountPath | string | `"/root/.config"` | | -| containers.volumeMounts[1].name | string | `"root-config"` | | -| containers.volumeMounts[2].mountPath | string | `"/home"` | | -| containers.volumeMounts[2].name | string | `"home"` | | +| containers.volumeMounts[1].mountPath | string | `"/home"` | | +| containers.volumeMounts[1].name | string | `"home"` | | | fullnameOverride | string | `""` | | | image.containerPort | int | `8000` | | -| image.pullPolicy | string | `"IfNotPresent"` | | +| image.pullPolicy | string | `"Always"` | | | image.repository | string | `"whylabs/whylogs"` | | | image.tag | string | `"py-llm-1.0.2.dev4"` | | | imagePullSecrets | list | `[]` | | @@ -113,10 +116,11 @@ helm-docs --dry-run | ingress.hosts[0].paths[0].path | string | `"/"` | | | ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` | | | ingress.tls | list | `[]` | | -| initContainers.volumeMounts[0].mountPath | string | `"/root/.config"` | | -| initContainers.volumeMounts[0].name | string | `"root-config"` | | -| initContainers.volumeMounts[1].mountPath | string | `"/home"` | | -| initContainers.volumeMounts[1].name | string | `"home"` | | +| initContainers.command[0] | string | `"sh"` | | +| initContainers.command[1] | string | `"-c"` | | +| initContainers.command[2] | string | `"cp -R /opt/whylogs-container/.cache /home/"` | | +| initContainers.volumeMounts[0].mountPath | string | `"/home"` | | +| initContainers.volumeMounts[0].name | string | `"home"` | | | livenessProbe.initialDelaySeconds | int | `15` | | | livenessProbe.periodSeconds | int | `10` | | | livenessProbe.tcpSocket.port | int | `8000` | | 
@@ -133,17 +137,19 @@ helm-docs --dry-run | resources.limits.memory | string | `"16Gi"` | | | resources.requests.cpu | string | `"4"` | | | resources.requests.memory | string | `"8Gi"` | | -| secrets.langkitApiSecret.name | string | `"langkit-api-secret"` | | -| secrets.whylabsApiKey.name | string | `"whylabs-api-key"` | | +| secrets.langkitApiSecret | object | `{"name":"langkit-api-secret"}` | from-literal=CONTAINER_PASSWORD= | +| secrets.whylabsApiKey | object | `{"name":"whylabs-api-key"}` | from-literal=WHYLABS_API_KEY= | | service.port | int | `80` | | | service.type | string | `"ClusterIP"` | | +| serviceAccount.annotations | object | `{}` | | +| serviceAccount.automount | bool | `true` | | +| serviceAccount.create | bool | `true` | | +| serviceAccount.name | string | `""` | | | tolerations | list | `[]` | | | volumes[0].emptyDir | object | `{}` | | | volumes[0].name | string | `"temp-dir"` | | | volumes[1].emptyDir | object | `{}` | | -| volumes[1].name | string | `"root-config"` | | -| volumes[2].emptyDir | object | `{}` | | -| volumes[2].name | string | `"home"` | | +| volumes[1].name | string | `"home"` | | ---------------------------------------------- Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) diff --git a/charts/langkit/templates/_helpers.tpl b/charts/langkit/templates/_helpers.tpl index a4571d0..031dec9 100644 --- a/charts/langkit/templates/_helpers.tpl +++ b/charts/langkit/templates/_helpers.tpl @@ -49,3 +49,14 @@ Selector labels app.kubernetes.io/name: langkit app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "langkit.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "langkit.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} 
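Review bot: In `langkit.serviceAccountName`, the `else` branch falls back to the namespace's `default` ServiceAccount when `serviceAccount.create` is false and `serviceAccount.name` is empty, and the template comment does not mention this. Pods would then run under whatever RBAC bindings or role annotations have been attached to `default` in that namespace, which is easy to miss when reading values.yaml. I would extend the comment to `Create the name of the service account to use. With create=false and no name set, the namespace "default" account is used.` so the fallback is visible to operators.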
diff --git a/charts/langkit/templates/deployment.yaml b/charts/langkit/templates/deployment.yaml
index 2d09ceb..b2c410b 100644
--- a/charts/langkit/templates/deployment.yaml
+++ b/charts/langkit/templates/deployment.yaml
@@ -25,6 +25,7 @@ spec:
 imagePullSecrets:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ serviceAccountName: {{ include "langkit.serviceAccountName" . }}
 securityContext:
 {{- toYaml .Values.pod.securityContext | nindent 8 }}
 initContainers:
diff --git a/charts/langkit/templates/serviceaccount.yaml b/charts/langkit/templates/serviceaccount.yaml
new file mode 100644
index 0000000..5b404a9
--- /dev/null
+++ b/charts/langkit/templates/serviceaccount.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "langkit.serviceAccountName" . }}
+ labels:
+ {{- include "langkit.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
+{{- end }}
diff --git a/charts/langkit/values.yaml b/charts/langkit/values.yaml
index 9c2d041..d9b5697 100644
--- a/charts/langkit/values.yaml
+++ b/charts/langkit/values.yaml
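Review bot: The pod spec in deployment.yaml now sets `serviceAccountName` but no pod-level `automountServiceAccountToken`, so `serviceAccount.automount` only reaches the ServiceAccount object that serviceaccount.yaml creates. With `serviceAccount.create: false` the value is silently ignored and the pod inherits whatever the pre-existing account specifies. Adding `automountServiceAccountToken: {{ .Values.serviceAccount.automount }}` next to `serviceAccountName` would make the setting apply in both cases, since the pod-level field takes precedence over the account's. The pod spec begins and ends outside this hunk.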
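Review bot: In serviceaccount.yaml, `automountServiceAccountToken` is rendered from `serviceAccount.automount`, which values.yaml in this commit defaults to `true`, so every pod gets a Kubernetes API token mounted although none of the files shown adds a Role or RoleBinding for this account. If the workload does not call the Kubernetes API, defaulting to `automount: false` in values.yaml narrows what a compromised container can reach. IRSA-style credentials are typically delivered through a separate projected token, but that should be confirmed for the target cluster. Separately, `name: {{ include "langkit.serviceAccountName" . }}` is unquoted; `name: {{ include "langkit.serviceAccountName" . | quote }}` keeps YAML from retyping a user-supplied name such as `on` or an all-digit string, and the same applies to `serviceAccountName` in deployment.yaml.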
@@ -3,17 +3,26 @@ replicaCount: 3 nameOverride: "" fullnameOverride: "" +serviceAccount: + # Specifies whether a service account should be created + create: true + # Automatically mount a ServiceAccount's API credentials? + automount: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + ingress: enabled: false className: "" annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - hosts: - - host: chart-example.local - paths: - - path: / - pathType: ImplementationSpecific + hosts: [] + # - host: chart-example.local + # paths: + # - path: / + # pathType: ImplementationSpecific tls: [] # - secretName: chart-example-tls # hosts: @@ -36,6 +45,7 @@ pod: # runAsUser: 1000 containers: + # containers.securityContext -- (object) Container security context securityContext: readOnlyRootFilesystem: true runAsUser: 1000 @@ -44,11 +54,13 @@ containers: # - ALL # runAsNonRoot: true # runAsUser: 1000 + # containers.env -- (list) Environment variables for the containers env: - name: HOME value: "/home" - name: HF_HOME value: "/home/.cache/hf_home" + # containers.volumeMounts -- (list) Volume mounts for containers volumeMounts: - name: temp-dir mountPath: /tmp @@ -56,7 +68,9 @@ containers: mountPath: /home initContainers: + # initContainers.command -- (list) Command for init container command: ["sh", "-c", "cp -R /opt/whylogs-container/.cache /home/"] + # initContainers.volumeMounts -- (list) Volume mounts for init container volumeMounts: - name: home mountPath: /home 
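Review bot: The comments on the new `serviceAccount` keys in the first values.yaml hunk use plain `#` rather than the helm-docs `# --` form this commit uses for `secrets`, which would explain why the four `serviceAccount.*` rows in the README table have empty descriptions. Rewriting them as `# -- Specifies whether a service account should be created`, `# -- Automatically mount the ServiceAccount's API credentials`, and likewise for `annotations` and `name`, would carry the text into the generated docs. The `automount` description matters most, since that key controls whether pods receive a Kubernetes API token.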
@@ -74,15 +88,11 @@ resources: memory: 16Gi secrets: - # kubectl create secret generic whylabs-api-key \ - # --namespace=langkit \ - # --from-literal=WHYLABS_API_KEY= - whylabsApiKey: + whylabsApiKey: + # -- Name of the secret that stores the WhyLabs API Key name: whylabs-api-key - # kubectl create secret generic langkit-api-secret \ - # --namespace=langkit \ - # --from-literal=CONTAINER_PASSWORD= langkitApiSecret: + # -- Name of the secret that stores the WhyLabs LangKit API Secret name: langkit-api-secret livenessProbe: @@ -104,6 +114,7 @@ tolerations: [] # operator: Equal # value: spot +# @ignored affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: @@ -117,6 +128,7 @@ affinity: values: - langkit +# volumes -- (list) Volumes to create volumes: - name: temp-dir emptyDir: {}
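Review bot: The removed `kubectl create secret` comments in the `secrets` hunk were the only place in the lines shown that named the key each Secret must contain (`WHYLABS_API_KEY`, `CONTAINER_PASSWORD`), and the new `# --` descriptions mention only the Secret name. The README table in this commit still shows `from-literal=WHYLABS_API_KEY=` and `from-literal=CONTAINER_PASSWORD=` as the descriptions, so the generated docs and values.yaml appear to be out of step. I would keep the key in the description, for example `# -- Name of the secret that stores the WhyLabs API Key (key: WHYLABS_API_KEY)`, with the equivalent for `langkitApiSecret` and `CONTAINER_PASSWORD`, and then regenerate the README.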