diff --git a/charts/guardrails/Chart.yaml b/charts/guardrails/Chart.yaml index c8a2349..4d94184 100644 --- a/charts/guardrails/Chart.yaml +++ b/charts/guardrails/Chart.yaml @@ -2,5 +2,5 @@ apiVersion: v2 name: guardrails description: A Helm chart for WhyLabs Guardrails type: application -version: 0.3.1 +version: 0.4.0 appVersion: "2.0.1" diff --git a/charts/guardrails/README.md b/charts/guardrails/README.md index 057c59d..b100f27 100644 --- a/charts/guardrails/README.md +++ b/charts/guardrails/README.md @@ -1,6 +1,6 @@ # guardrails -![Version: 0.3.1](https://img.shields.io/badge/Version-0.3.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.0.1](https://img.shields.io/badge/AppVersion-2.0.1-informational?style=flat-square) +![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.0.1](https://img.shields.io/badge/AppVersion-2.0.1-informational?style=flat-square) A Helm chart for WhyLabs Guardrails @@ -110,14 +110,14 @@ release_name="" # the working directory or --destination path helm pull \ oci://ghcr.io/whylabs/guardrails \ - --version 0.3.1 + --version 0.4.0 # Requires the helm-diff plugin to be installed: # helm plugin install https://github.com/databus23/helm-diff helm diff upgrade \ --allow-unreleased \ --namespace "${target_namespace}" \ - "${release_name}" guardrails-0.3.1.tgz + "${release_name}" guardrails-0.4.0.tgz ``` After you've installed the repo you can install the chart. @@ -126,7 +126,7 @@ After you've installed the repo you can install the chart. helm upgrade --install \ --create-namespace \ --namespace "${target_namespace}" \ - "${release_name}" guardrails-0.3.1.tgz + "${release_name}" guardrails-0.4.0.tgz ``` ## Exposing Guardrails Outside Kubernetes 
@@ -196,6 +196,10 @@ utilization.
 |-----|------|---------|-------------|
 | affinity | object | `{}` | Affinity settings for `Pod` [scheduling](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/). If an explicit label selector is not provided for pod affinity or pod anti-affinity one will be created from the pod selector labels. |
 | autoscaling | object | `{"enabled":false,"maxReplicas":100,"minReplicas":1,"targetCPUUtilizationPercentage":70}` | [Horizontal Pod Autoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/) configuration for the `guardrails` container. |
+| cache.annotations | object | `{}` | |
+| cache.enable | bool | `false` | |
+| cache.labels | object | `{}` | |
+| cache.replicaCount | int | `1` | |
 | commonLabels | object | `{}` | Labels to add to all chart resources. |
 | env | object | `{}` | [Environment variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/) for the `guardrails` container. |
 | envFrom | list | `[{"secretRef":{"name":"whylabs-guardrails-api-key","optional":true}},{"secretRef":{"name":"whylabs-guardrails-api-secret","optional":true}}]` | Create environment variables from Kubernetes secrets or config maps. |
diff --git a/charts/guardrails/templates/configmap-cache.yaml b/charts/guardrails/templates/configmap-cache.yaml
new file mode 100644
index 0000000..fb68d6c
--- /dev/null
+++ b/charts/guardrails/templates/configmap-cache.yaml
@@ -0,0 +1,63 @@
+{{- if .Values.cache.enable }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Release.Name }}-cache
+data:
+ nginx.conf: |
+ pid /tmp/nginx.pid;
+ events {
+ worker_connections 1024;
+ }
+ http {
+ proxy_cache_path /tmp/nginx_cache levels=1:2 keys_zone=my_cache:10m max_size=1g
+ inactive=60m use_temp_path=off;
+ client_body_temp_path /tmp/client_temp;
+ proxy_temp_path /tmp/proxy_temp_path;
+ fastcgi_temp_path /tmp/fastcgi_temp;
+ uwsgi_temp_path /tmp/uwsgi_temp;
+ scgi_temp_path /tmp/scgi_temp;
+ server {
+ listen 8080;
+ server_name localhost;
+ location /v1/policy/list {
+ include cache_config.conf;
+ include common_proxy.conf;
+ proxy_cache_key "$request_uri|$http_x_whylabs_organization";
+ }
+ location /v1/organizations/managed-organizations {
+ include cache_config.conf;
+ include common_proxy.conf;
+ proxy_cache_key "$request_uri|$http_x_whylabs_organization";
+ }
+ location /v1/policy {
+ include cache_config.conf;
+ include common_proxy.conf;
+ proxy_cache_key "$request_uri|$http_x_whylabs_organization";
+ }
+ location /v1/api-key/validate {
+ include cache_config.conf;
+ include common_proxy.conf;
+ proxy_cache_key "$request_uri|$http_x_api_key";
+ }
+ location / {
+ include common_proxy.conf;
+ }
+ }
+ }
+ cache_config.conf: |
+ proxy_cache my_cache;
+ proxy_cache_valid 200 403 1m;
+ proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
+ add_header X-Cache-Status $upstream_cache_status always;
+ common_proxy.conf: |
+ proxy_pass https://songbird.development.whylabsdev.com;
+ proxy_set_header Host songbird.development.whylabsdev.com;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Accept $http_accept;
+ proxy_set_header Accept-Encoding $http_accept_encoding;
+ proxy_set_header X-API-Key $http_x_api_key;
+ proxy_set_header X-WhyLabs-Organization $http_x_whylabs_organization;
+{{- end }}
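Review bot: The cache key on `/v1/policy/list`, `/v1/organizations/managed-organizations` and `/v1/policy` is `"$request_uri|$http_x_whylabs_organization"`, which does not vary on the caller's credential, so a 200 cached for one caller is replayed to any request with the same organization header whatever `X-API-Key` it carries, and a cached 403 is replayed to callers whose key is valid. If the upstream authorizes these routes by `X-API-Key` (it is forwarded in `common_proxy.conf`, so presumably it does), add it to the key, `proxy_cache_key "$request_uri|$http_x_whylabs_organization|$http_x_api_key";`, and consider dropping `403` from `proxy_cache_valid`, since `proxy_cache_use_stale` can keep serving an entry past its one-minute validity while the upstream is failing. Separately, `proxy_pass https://…` is used without `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate` and `proxy_ssl_server_name on;`, and nginx does not verify the upstream certificate by default, so the forwarded API key goes to a peer whose identity is not checked. The upstream host is also hard-coded to a development endpoint in `common_proxy.conf` and would be better taken from a chart value.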
diff --git a/charts/guardrails/templates/deployment-cache.yaml b/charts/guardrails/templates/deployment-cache.yaml
new file mode 100644
index 0000000..c86d92d
--- /dev/null
+++ b/charts/guardrails/templates/deployment-cache.yaml
@@ -0,0 +1,76 @@
+{{- if .Values.cache.enable }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ .Release.Name }}-cache
+ labels:
+ {{- include "guardrails.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.cache.replicaCount }}
+ selector:
+ matchLabels:
+ app: {{ .Release.Name }}-cache
+ template:
+ metadata:
+ {{- with .Values.cache.annotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "guardrails.labels" . | nindent 8 }}
+ app: {{ .Release.Name }}-cache
+ spec:
+ serviceAccountName: {{ include "guardrails.serviceAccountName" . }}
+ containers:
+ - name: nginx
+ securityContext:
+ privileged: false
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 101
+ runAsGroup: 101
+ fsGroup: 101
+ capabilities:
+ drop: ["ALL"]
+ image: "nginxinc/nginx-unprivileged:latest"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ ports:
+ - name: http
+ containerPort: 8080
+ protocol: TCP
+ volumeMounts:
+ - name: nginx-config
+ mountPath: /etc/nginx/nginx.conf
+ subPath: nginx.conf
+ - name: nginx-config
+ mountPath: /etc/nginx/cache_config.conf
+ subPath: cache_config.conf
+ - name: nginx-config
+ mountPath: /etc/nginx/common_proxy.conf
+ subPath: common_proxy.conf
+ - name: nginx-temp
+ mountPath: /tmp
+ - name: nginx-cache
+ mountPath: /var/cache/nginx
+ volumes:
+ - name: nginx-temp
+ emptyDir: {}
+ - name: nginx-cache
+ emptyDir: {}
+ - name: nginx-config
+ configMap:
+ name: {{ include "guardrails.fullname" . }}-cache
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/guardrails/templates/service-cache.yaml b/charts/guardrails/templates/service-cache.yaml
new file mode 100644
index 0000000..4965a64
--- /dev/null
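Review bot: `image: "nginxinc/nginx-unprivileged:latest"` is a mutable tag, so the proxy that handles every `X-API-Key` can change underneath the chart without a chart release; pin it to a fixed tag and digest, e.g. `image: "nginxinc/nginx-unprivileged:<TAG>@sha256:<DIGEST>"` (placeholders), ideally read from values. `fsGroup: 101` is placed in the container `securityContext`, where Kubernetes does not define that field; it belongs in a pod-level `securityContext` under `spec.template.spec`. The `nginx-config` volume references the ConfigMap as `{{ include "guardrails.fullname" . }}-cache` while the ConfigMap template names it `{{ .Release.Name }}-cache`, so the mount fails whenever the two differ (the helper's definition is outside this diff). The pod also reuses the guardrails service account; if nginx needs no Kubernetes API access, add `automountServiceAccountToken: false` to the pod spec.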
+++ b/charts/guardrails/templates/service-cache.yaml @@ -0,0 +1,15 @@ +{{- if .Values.cache.enable }} +apiVersion: v1 +kind: Service +metadata: + name: {{ .Release.Name }}-cache +spec: + type: ClusterIP + ports: + - name: http + protocol: TCP + port: 80 + targetPort: 8080 + selector: + app: {{ .Release.Name }}-cache +{{- end }} diff --git a/charts/guardrails/values.yaml b/charts/guardrails/values.yaml index a9de091..6e90368 100644 --- a/charts/guardrails/values.yaml +++ b/charts/guardrails/values.yaml @@ -1,3 +1,9 @@ +cache: + enable: false + replicaCount: 1 + annotations: {} + labels: {} + # -- Number of replicas for the service. replicaCount: 4
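Review bot: Nothing in this diff limits who can reach the cache Service: as a ClusterIP on plain HTTP port 80 it accepts requests from any pod in the cluster, and that path carries `X-API-Key` headers and returns cached upstream responses. Consider shipping a NetworkPolicy, gated on `cache.enable`, that admits ingress to port 8080 only from the guardrails pods. The Service also has no `labels` block, unlike the Deployment; `labels:` with `{{- include "guardrails.labels" . | nindent 4 }}` under `metadata` would keep it consistent.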
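Review bot: The new `cache` keys in values.yaml carry no `# --` helm-docs comments, which is why the four rows added to the README table have empty descriptions; add one per key, e.g. `# -- Deploy the nginx caching proxy.` above `enable`. `cache.labels` is declared but no template in this diff reads it, and the flag is spelled `enable` while the existing `autoscaling` block uses `enabled`. The cache image and the upstream URL are hard-coded in the templates and would normally be exposed here so that operators can pin and override them.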