diff --git a/charts/langkit/CHANGELOG.md b/charts/langkit/CHANGELOG.md index b6594ff..fb4f612 100644 --- a/charts/langkit/CHANGELOG.md +++ b/charts/langkit/CHANGELOG.md @@ -6,6 +6,27 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning] (https://semver.org/spec/v2.0.0.html). +## [0.6.0] - **Breaking Changes** - 2023-02-01 + +### Breaking + +- :warning: changed the structure of the `values.yaml` file for better + organization with the introduction of an init container and running as a + non-root user by default + +### Changed + +- Updated the `securityContext` to run the container as a non-root user + +### Added + +- Added an `initContainer` +- Added support for configuring container environment variables + +### Removed + +- Removed default `root-config` volume and volume mount + ## [0.5.0] - 2023-01-30 ### Changed diff --git a/charts/langkit/Chart.yaml b/charts/langkit/Chart.yaml index a41020d..82bf9d8 100644 --- a/charts/langkit/Chart.yaml +++ b/charts/langkit/Chart.yaml @@ -2,5 +2,5 @@ apiVersion: v2 name: langkit description: A Helm chart for LangKit container deployment type: application -version: 0.5.0 -appVersion: "1.0.2.dev1" +version: 0.6.0 +appVersion: "1.0.2.dev2" diff --git a/charts/langkit/README.md b/charts/langkit/README.md index fb5d919..45c50a0 100644 --- a/charts/langkit/README.md +++ b/charts/langkit/README.md 
@@ -88,11 +88,23 @@ helm-docs --dry-run | Key | Type | Default | Description | |-----|------|---------|-------------| +| containers.env[0].name | string | `"HOME"` | | +| containers.env[0].value | string | `"/home"` | | +| containers.env[1].name | string | `"HF_HOME"` | | +| containers.env[1].value | string | `"/home/.cache/hf_home"` | | +| containers.securityContext.readOnlyRootFilesystem | bool | `true` | | +| containers.securityContext.runAsUser | int | `1000` | | +| containers.volumeMounts[0].mountPath | string | `"/tmp"` | | +| containers.volumeMounts[0].name | string | `"temp-dir"` | | +| containers.volumeMounts[1].mountPath | string | `"/root/.config"` | | +| containers.volumeMounts[1].name | string | `"root-config"` | | +| containers.volumeMounts[2].mountPath | string | `"/home"` | | +| containers.volumeMounts[2].name | string | `"home"` | | | fullnameOverride | string | `""` | | | image.containerPort | int | `8000` | | | image.pullPolicy | string | `"IfNotPresent"` | | | image.repository | string | `"whylabs/whylogs"` | | -| image.tag | string | `"py-llm-1.0.2.dev0"` | | +| image.tag | string | `"py-llm-1.0.2.dev1"` | | | imagePullSecrets | list | `[]` | | | ingress.annotations | object | `{}` | | | ingress.className | string | `""` | | 
@@ -101,14 +113,18 @@ helm-docs --dry-run | ingress.hosts[0].paths[0].path | string | `"/"` | | | ingress.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` | | | ingress.tls | list | `[]` | | +| initContainers.volumeMounts[0].mountPath | string | `"/root/.config"` | | +| initContainers.volumeMounts[0].name | string | `"root-config"` | | +| initContainers.volumeMounts[1].mountPath | string | `"/home"` | | +| initContainers.volumeMounts[1].name | string | `"home"` | | | livenessProbe.initialDelaySeconds | int | `15` | | | livenessProbe.periodSeconds | int | `10` | | | livenessProbe.tcpSocket.port | int | `8000` | | | nameOverride | string | `""` | | | nodeSelector | object | `{}` | | -| podAnnotations | object | `{}` | | -| podLabels | object | `{}` | | -| podSecurityContext | object | `{}` | | +| pod.annotations | object | `{}` | | +| pod.labels | object | `{}` | | +| pod.securityContext | object | `{}` | | | readinessProbe.initialDelaySeconds | int | `15` | | | readinessProbe.periodSeconds | int | `10` | | | readinessProbe.tcpSocket.port | int | `8000` | | 
@@ -119,18 +135,15 @@ helm-docs --dry-run | resources.requests.memory | string | `"8Gi"` | | | secrets.langkitApiSecret.name | string | `"langkit-api-secret"` | | | secrets.whylabsApiKey.name | string | `"whylabs-api-key"` | | -| securityContext.readOnlyRootFilesystem | bool | `true` | | | service.port | int | `80` | | | service.type | string | `"ClusterIP"` | | | tolerations | list | `[]` | | -| volumeMounts[0].mountPath | string | `"/tmp"` | | -| volumeMounts[0].name | string | `"temp-dir"` | | -| volumeMounts[1].mountPath | string | `"/root/.config"` | | -| volumeMounts[1].name | string | `"root-config"` | | | volumes[0].emptyDir | object | `{}` | | | volumes[0].name | string | `"temp-dir"` | | | volumes[1].emptyDir | object | `{}` | | | volumes[1].name | string | `"root-config"` | | +| volumes[2].emptyDir | object | `{}` | | +| volumes[2].name | string | `"home"` | | ---------------------------------------------- Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) diff --git a/charts/langkit/templates/deployment.yaml b/charts/langkit/templates/deployment.yaml index 899c1d7..2d09ceb 100644 --- a/charts/langkit/templates/deployment.yaml +++ b/charts/langkit/templates/deployment.yaml @@ -11,13 +11,13 @@ spec: {{- include "langkit.selectorLabels" . | nindent 6 }} template: metadata: - {{- with .Values.podAnnotations }} + {{- with .Values.pod.annotations }} annotations: {{- toYaml . | nindent 8 }} {{- end }} labels: {{- include "langkit.labels" . | nindent 8 }} - {{- with .Values.podLabels }} + {{- with .Values.pod.labels }} {{- toYaml . | nindent 8 }} {{- end }} spec: 
@@ -26,11 +26,23 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- toYaml .Values.pod.securityContext | nindent 8 }} + initContainers: + - name: init + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + securityContext: + {{- toYaml .Values.containers.securityContext | nindent 12 }} + command: + {{- toYaml .Values.initContainers.command | nindent 12 }} + {{- with .Values.initContainers.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 12 }} + {{- end }} containers: - name: {{ .Chart.Name }} securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{- toYaml .Values.containers.securityContext | nindent 12 }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} ports: @@ -41,12 +53,14 @@ spec: {{- toYaml .Values.readinessProbe | nindent 12 }} resources: {{- toYaml .Values.resources | nindent 12 }} + env: + {{- toYaml .Values.containers.env | nindent 12 }} envFrom: - secretRef: name: {{ .Values.secrets.whylabsApiKey.name }} - secretRef: name: {{ .Values.secrets.langkitApiSecret.name }} - {{- with .Values.volumeMounts }} + {{- with .Values.containers.volumeMounts }} volumeMounts: {{- toYaml . | nindent 12 }} {{- end }} diff --git a/charts/langkit/values.yaml b/charts/langkit/values.yaml index f5e384c..ca690f5 100644 --- a/charts/langkit/values.yaml +++ b/charts/langkit/values.yaml @@ -1,12 +1,5 @@ replicaCount: 3 -image: - repository: whylabs/whylogs - pullPolicy: IfNotPresent - tag: py-llm-1.0.2.dev1 - containerPort: 8000 - -imagePullSecrets: [] nameOverride: "" fullnameOverride: "" 
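Review bot: The init container's `command:` is rendered straight from `.Values.initContainers.command` with no guard, unlike the `volumeMounts` block just below it, which is wrapped in `with`. If an override nulls that key, the template emits `command: null` and the init container falls back to the image's default entrypoint, presumably the long-running service, so the pod would never leave Init. Consider `{{- toYaml (required "initContainers.command must be set" .Values.initContainers.command) | nindent 12 }}`. A one-line template comment would also help, saying the container exists to seed the writable `/home` emptyDir because the root filesystem is read-only. The pod spec this block sits in starts and ends outside the hunk.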
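Review bot: The new `env:` block gives operators a plain-text place for settings directly above the two `secretRef` entries, and nothing in the chart says it is for non-secret values only. Anything placed in `containers.env` ends up readable in the rendered Deployment spec, so the values file should carry a comment such as `# non-secret settings only; credentials belong in the Secrets referenced under secrets.*`. As a style point, `env:` is emitted unconditionally while `volumeMounts` in the same hunk is wrapped in `{{- with .Values.containers.volumeMounts }}`; using `{{- with .Values.containers.env }}` here would keep the two consistent and drop the key when the list is empty.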
@@ -26,31 +19,47 @@ ingress: # hosts: # - chart-example.local -podAnnotations: {} -podLabels: {} +image: + repository: whylabs/whylogs + pullPolicy: Always + tag: py-llm-1.0.2.dev2 + containerPort: 8000 -podSecurityContext: {} - # fsGroup: 2000 +imagePullSecrets: [] -securityContext: - readOnlyRootFilesystem: true - # capabilities: - # drop: - # - ALL - # runAsNonRoot: true - # runAsUser: 1000 +pod: + annotations: {} + labels: {} + securityContext: {} + # fsGroup: 2000 + # runAsNonRoot: true + # runAsUser: 1000 -secrets: - # kubectl create secret generic whylabs-api-key \ - # --namespace=langkit \ - # --from-literal=WHYLABS_API_KEY= - whylabsApiKey: - name: whylabs-api-key - # kubectl create secret generic langkit-api-secret \ - # --namespace=langkit \ - # --from-literal=CONTAINER_PASSWORD= - langkitApiSecret: - name: langkit-api-secret +containers: + securityContext: + readOnlyRootFilesystem: true + runAsUser: 1000 + # capabilities: + # drop: + # - ALL + # runAsNonRoot: true + # runAsUser: 1000 + env: + - name: HOME + value: "/home" + - name: HF_HOME + value: "/home/.cache/hf_home" + volumeMounts: + - name: temp-dir + mountPath: /tmp + - name: home + mountPath: /home + +initContainers: + command: ["sh", "-c", "cp -R /opt/whylogs-container/.cache /home/"] + volumeMounts: + - name: home + mountPath: /home service: type: ClusterIP @@ -63,6 +72,18 @@ resources: limits: cpu: "8" memory: 16Gi + +secrets: + # kubectl create secret generic whylabs-api-key \ + # --namespace=langkit \ + # --from-literal=WHYLABS_API_KEY= + whylabsApiKey: + name: whylabs-api-key + # kubectl create secret generic langkit-api-secret \ + # --namespace=langkit \ + # --from-literal=CONTAINER_PASSWORD= + langkitApiSecret: + name: langkit-api-secret livenessProbe: tcpSocket: @@ -99,11 +120,5 @@ affinity: volumes: - name: temp-dir emptyDir: {} - - name: root-config + - name: home emptyDir: {} - -volumeMounts: - - name: temp-dir - mountPath: /tmp - - name: root-config - mountPath: /root/.config
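Review bot: The new `containers.securityContext` sets `runAsUser: 1000` but leaves `runAsNonRoot`, `allowPrivilegeEscalation` and the capability drop unset, so the non-root default is a convention rather than something the kubelet enforces. This context is applied to both the init and the main container in deployment.yaml, and an override that removes or zeroes `runAsUser` would start as root without any refusal. I would make the hardening keys live defaults as shown below and delete the commented `# runAsUser: 1000`, which now duplicates the active key. The service listens on 8000, so it should not need any capability, but that is worth confirming with a test deploy. Separately, `pullPolicy: Always` with the tag `py-llm-1.0.2.dev2` re-resolves the tag on every pod start; if that dev tag can be re-pushed, supporting an image digest in the chart would keep pods on known content.

```yaml
containers:
  securityContext:
    readOnlyRootFilesystem: true
    runAsUser: 1000
    runAsNonRoot: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
  # … unchanged: env, volumeMounts …
```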